Please help me get rid of "Look2me" and "Command"&


This topic is locked

#1 sugabum (Member, 19 posts)
I've already gotten rid of 9 Trojans and some other adware on my computer (or at least I think they are gone). However, I've had trouble getting rid of "look2me" and "command" adwares. All programs I've tried are unable to delete the files. Actually, I'm not even sure if "Command" is still on my computer because right now it is just finding the "look2me". My computer symptoms are that my internet browsers keep having pop-ups and I get some error messages sometimes and possible hijack attempts. Please help!! Thanks! :whistling:

Logfile of HijackThis v1.99.1
Scan saved at 10:46:15 PM, on 3/29/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\NETSCAPE\NETSCA~1\NETSCAPE.EXE
C:\Documents and Settings\Steve\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
F2 - REG:system.ini: UserInit=userinit.exe
O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
O4 - HKLM\..\RunServices: [wmplayer] p2pnetworking.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .htm: C:\Program Files\Netscape\Netscape Browser\PLUGINS\npTrident.dll
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=48835
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.web...otoUploader.CAB
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalci....1.11_en_dl.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: Installer - C:\WINDOWS\system32\q086lals1dq6.dll
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe




Also, here is my log file from my scan using Ewido Anti-Malware:


---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 10:37:13 PM, 3/29/2006
+ Report-Checksum: 57CF1727

+ Scan result:

[704] C:\WINDOWS\system32\lvgif11n.dll -> Adware.Look2Me : Error during cleaning
[860] C:\WINDOWS\system32\lvgif11n.dll -> Adware.Look2Me : Error during cleaning
C:\WINDOWS\system32\BJnstDll.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\Igvu9_32.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\mhxex.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\n44s0eh7eh4.dll -> Adware.Look2Me : Cleaned with backup


::Report End
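The two logs in this post already pin the infection to the logon process: the O20 line loads a random-named DLL out of system32 into winlogon, and ewido's report prefixes its two failures with process ids, meaning the DLL was found in use and could not be deleted on disk. The following is an added example, not code from the thread, from HijackThis or from ewido, that parses constructed excerpts of both logs (same values as above) and reports those two facts; the "random-looking name" heuristic is an assumption.

```python
import re

# Constructed excerpts of the post #1 logs (values copied from the page).
HJT_LOG = r"""
O4 - HKLM\..\RunServices: [wmplayer] p2pnetworking.exe
O20 - Winlogon Notify: Installer - C:\WINDOWS\system32\q086lals1dq6.dll
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
"""

EWIDO_REPORT = r"""
[704] C:\WINDOWS\system32\lvgif11n.dll -> Adware.Look2Me : Error during cleaning
[860] C:\WINDOWS\system32\lvgif11n.dll -> Adware.Look2Me : Error during cleaning
C:\WINDOWS\system32\BJnstDll.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\mhxex.dll -> Adware.Look2Me : Cleaned with backup
"""

O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>[^-]+?) - (?P<path>.+)$")
# ewido prefixes hits found in a running process with "[pid] ".
EWIDO_RE = re.compile(
    r"^(?:\[(?P<pid>\d+)\] )?(?P<path>.+?) -> (?P<family>\S+) : (?P<status>.+)$"
)


def looks_random(stem):
    """Heuristic (assumption): Look2Me drops DLLs whose names mix letters and
    digits (q086lals1dq6, n44s0eh7eh4); vendor Winlogon Notify DLLs rarely do."""
    digits = sum(c.isdigit() for c in stem)
    letters = sum(c.isalpha() for c in stem)
    return digits >= 2 and letters >= 2


def suspicious_notify_entries(log):
    """Return (name, path) for O20 Winlogon Notify entries that load a
    random-looking DLL from system32. Winlogon loads every Notify DLL at
    logon, which is why the adware re-arms itself after cleaning."""
    hits = []
    for line in log.splitlines():
        m = O20_RE.match(line.strip())
        if not m:
            continue
        path = m.group("path")
        folder, _, filename = path.rpartition("\\")
        stem = filename.rsplit(".", 1)[0]
        if folder.lower().endswith("\\system32") and looks_random(stem):
            hits.append((m.group("name").strip(), path))
    return hits


def cleaning_failures(report):
    """Map each file ewido failed to clean to the PIDs it was found in.
    A PID means the DLL was loaded into that process, so the file was locked."""
    failures = {}
    for line in report.splitlines():
        m = EWIDO_RE.match(line.strip())
        if not m or m.group("status") != "Error during cleaning":
            continue
        failures.setdefault(m.group("path"), []).append(m.group("pid"))
    return failures


def triage(hjt_log, report):
    """Human-readable findings from both logs."""
    findings = []
    for name, path in suspicious_notify_entries(hjt_log):
        findings.append(f"O20 '{name}' loads {path} into winlogon at every logon")
    for path, pids in cleaning_failures(report).items():
        where = ", ".join(p for p in pids if p) or "no process"
        findings.append(f"{path} could not be cleaned: in use by PID(s) {where}")
    return findings


if __name__ == "__main__":
    for finding in triage(HJT_LOG, EWIDO_REPORT):
        print(finding)
```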
#2 Trevuren (Old Dog, Retired Staff, 18,699 posts)
Hi sugabum and welcome to the Geeks to Go Forums.

My name is Trevuren and I will be helping you with your log.


1. You are missing one important program on that computer: An antivirus.
You need to install an antivirus program as soon as you can and run a complete scan of the computer.
I suggest AVG - it's free! :whistling:

AVG Free AntiVirus

Choose one, install it, and then run a full scan. Let it quarantine/delete anything it finds. Let me know if there is anything that it reports but can not remove.


2. It is important that you also use a software firewall, to prevent unauthorised traffic both out of and into your computer.
Your log doesn't show a firewall running. If you have disabled it, please re-enable it.
If you do not have a firewall installed, please download and install : Zone Alarm. It is the one I have on my system and works fine for me.
It is important to note that you should only have one firewall installed at a time.

3. Once you have both of these installed, please post back a fresh HJT log.


Regards,

Trevuren

Edited by Trevuren, 30 March 2006 - 01:04 AM.


#3 sugabum (Topic Starter, Member, 19 posts)
I've run into a problem installing AVG Anti-Virus on my computer. I tried installing it 3 times, downloading it from two different websites. Here is the error information that showed up every time:

Local machine: installation failed
Installation:
Error: Action failed for file avg7rsw.sys: starting service....
The system cannot find the file specified. (2)

Then, I tried to install another AntiVirus program instead (Panda Titanium 2006), but it says that I can't install Panda until I delete AVG first. I cannot find AVG on my control panel to delete it since it never finished installing in the first place. It is also not in my start menu. Is there a way I can manually delete the AVG files or something?

#4 sugabum (Topic Starter, Member, 19 posts)
When you said that I don't have an AntiVirus running, does Norton AntiVirus Corporate Edition count? Because I have it, but it just wasn't running at the moment. That is the program I used to get rid of all my trojans, but it is not finding the Look2me. In the meantime, I am still unable to uninstall AVG.

#5 sugabum (Topic Starter, Member, 19 posts)
I've gotten rid of Look2Me from downloading the Look2Me-Destroyer that I found on another thread. However, I still have the "command" adware on my computer. Here is (1) the log from my SpySweeper scan that couldn't delete "command" and (2) my updated HijackThis log:


12:31 AM: |··· Start of Session, Thursday, March 30, 2006 ···|
12:31 AM: Spy Sweeper 3.5.0 (Build 199) started
12:31 AM: Sweep initiated using definitions version 643
12:31 AM: Sweeping memory for threats.
12:37 AM: Memory sweep has completed. Elapsed time 00:05:08
12:37 AM: Registry sweep initiated.
12:37 AM: Found: 9 Command registry traces.
12:37 AM: Registry sweep completed. Elapsed time 00:05:37
12:37 AM: Full sweep on all local drives initiated.
12:37 AM: Now sweeping drive C:
12:48 AM: Found: 0 file traces.
12:48 AM: Full Sweep has completed. Elapsed time 00:16:53
43,632 files swept
9 item traces located
12:48 AM: Removal process initiated
12:48 AM: Quarantining: Command
12:48 AM: Registry: HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_cmdservice\0000
12:48 AM: Registry: HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_cmdservice
12:48 AM: Registry: HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_cmdservice||nextinstance
12:48 AM: Registry: HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_cmdservice\0000||service
12:48 AM: Registry: HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_cmdservice\0000||legacy
12:48 AM: Registry: HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_cmdservice\0000||configflags
12:48 AM: Registry: HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_cmdservice\0000||class
12:48 AM: Registry: HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_cmdservice\0000||classguid
12:48 AM: Registry: HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_cmdservice\0000||devicedesc
12:48 AM: Cleaning Traces
12:48 AM: Removing registry: HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_cmdservice\0000|| (service)
12:48 AM: Failed to quarantine HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_cmdservice\0000 (service)
12:48 AM: Removing registry: HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_cmdservice\0000|| (legacy)
12:48 AM: Failed to quarantine HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_cmdservice\0000 (legacy)
12:48 AM: Removing registry: HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_cmdservice\0000|| (devicedesc)
12:48 AM: Failed to quarantine HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_cmdservice\0000 (devicedesc)
12:48 AM: Removing registry: HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_cmdservice\0000|| (configflags)
12:48 AM: Failed to quarantine HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_cmdservice\0000 (configflags)
12:48 AM: Removing registry: HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_cmdservice\0000|| (classguid)
12:48 AM: Failed to quarantine HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_cmdservice\0000 (classguid)
12:48 AM: Removing registry: HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_cmdservice\0000|| (class)
12:48 AM: Failed to quarantine HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_cmdservice\0000 (class)
12:48 AM: Removing registry: HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_cmdservice\0000
12:48 AM: Failed to quarantine HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_cmdservice\0000
12:48 AM: Removing registry: HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_cmdservice|| (nextinstance)
12:48 AM: Failed to quarantine HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_cmdservice (nextinstance)
12:48 AM: Removing registry: HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_cmdservice
12:48 AM: Failed to quarantine HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_cmdservice
12:48 AM: Removal process completed. Elapsed time 00:00:01
1 items (0 traces) quarantined.




C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\PROGRA~1\NETSCAPE\NETSCA~1\NETSCAPE.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Steve\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
F2 - REG:system.ini: UserInit=userinit.exe
O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
O4 - HKLM\..\RunServices: [wmplayer] p2pnetworking.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .htm: C:\Program Files\Netscape\Netscape Browser\PLUGINS\npTrident.dll
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=48835
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.web...otoUploader.CAB
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalci....1.11_en_dl.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
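The reason all nine "Command" traces fail to quarantine is visible in the key path itself: they sit under a LEGACY_ device node in Enum\Root, which the Plug and Play manager generates for a non-PnP driver service and protects with an ACL that, on Windows XP, does not let Administrators delete it; it is also rebuilt at boot for as long as the matching Services key exists. The following is an added example, not code from the thread or from Spy Sweeper, that parses a constructed excerpt of the session log above, collapses the failures to the device node they belong to, and derives the service key that node is generated from.

```python
import re

# Constructed excerpt of the Spy Sweeper session log from post #5 (same keys
# as on the page; only four of the nine failed traces are repeated here).
SPYSWEEPER_LOG = r"""
12:48 AM: Removal process initiated
12:48 AM: Quarantining: Command
12:48 AM: Removing registry: HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_cmdservice\0000|| (service)
12:48 AM: Failed to quarantine HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_cmdservice\0000 (service)
12:48 AM: Removing registry: HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_cmdservice\0000
12:48 AM: Failed to quarantine HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_cmdservice\0000
12:48 AM: Removing registry: HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_cmdservice|| (nextinstance)
12:48 AM: Failed to quarantine HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_cmdservice (nextinstance)
12:48 AM: Removing registry: HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_cmdservice
12:48 AM: Failed to quarantine HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_cmdservice
12:48 AM: Removal process completed. Elapsed time 00:00:01
1 items (0 traces) quarantined.
"""

# "HH:MM AM: Failed to quarantine <key> (<value>)"; the value part is optional.
FAILED_RE = re.compile(
    r"^\d{1,2}:\d{2} [AP]M: Failed to quarantine (?P<key>\S+)(?: \((?P<value>[^)]+)\))?$"
)
# Enum\Root\LEGACY_<service> device nodes, matched case-insensitively.
LEGACY_RE = re.compile(
    r"^hkey_local_machine\\system\\currentcontrolset\\enum\\root\\legacy_(?P<svc>[^\\]+)",
    re.IGNORECASE,
)


def failed_traces(log):
    """Return (key, value_or_None) for every trace Spy Sweeper could not quarantine."""
    out = []
    for line in log.splitlines():
        m = FAILED_RE.match(line.strip())
        if m:
            out.append((m.group("key"), m.group("value")))
    return out


def legacy_device_nodes(traces):
    """Collapse failed traces to the LEGACY_ device node(s) they live under and
    derive the driver service each node is generated from. Deleting the node
    alone does not help: PnP recreates it at boot while Services\<name> exists,
    so the service entry (and its driver file) is what actually has to go."""
    nodes = {}
    for key, _value in traces:
        m = LEGACY_RE.match(key)
        if not m:
            continue
        svc = m.group("svc").lower()
        entry = nodes.setdefault(svc, {
            "device_node": rf"HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_{svc.upper()}",
            "service_key": rf"HKLM\SYSTEM\CurrentControlSet\Services\{svc}",
            "failed_traces": 0,
        })
        entry["failed_traces"] += 1
    return nodes


def summarize(log):
    """One line per device node, ready to paste into a reply."""
    lines = []
    for svc, info in legacy_device_nodes(failed_traces(log)).items():
        lines.append(
            f"{info['failed_traces']} failed trace(s) under {info['device_node']}: "
            f"protected PnP node for service '{svc}', check {info['service_key']}"
        )
    return lines


if __name__ == "__main__":
    for line in summarize(SPYSWEEPER_LOG):
        print(line)
```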

#6 Trevuren (Old Dog, Retired Staff, 18,699 posts)
Please disable Ewido Security Suite (EwidoGuard)

1. Launch Ewido
2. In the main window, click "Realtime protection" (in green indicating "Active") to change to inactive.


Please download delcmdservice (by Marckie), and save it to your Desktop.
  • Extract the content to your Desktop. It will create its own folder (delcmdservice)
  • Double-click on the delcmdservice folder
  • Double-click on delreg.bat to launch the tool
  • When the tool has finished, please reboot your computer
  • Once rebooted, please scan with HijackThis and post the new log (both halves this time, please)
Thanks,

Trevuren


#7 sugabum (Topic Starter, Member, 19 posts)
Logfile of HijackThis v1.99.1
Scan saved at 12:11:07 AM, on 3/31/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Netscape\Netscape Browser\netscape.exe
C:\Documents and Settings\Steve\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
F2 - REG:system.ini: UserInit=userinit.exe
O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
O4 - HKLM\..\RunServices: [wmplayer] p2pnetworking.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .htm: C:\Program Files\Netscape\Netscape Browser\PLUGINS\npTrident.dll
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=48835
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.web...otoUploader.CAB
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalci....1.11_en_dl.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


Thank you so much for your efforts, Trevuren. I'm so grateful for your help! I hope this is the "both halves" that you were asking for; it's the entire log. Thanks again!

#8 Trevuren (Old Dog, Retired Staff, 18,699 posts)
1. Please update your Ewido definitions

2. Please download Brute Force Uninstaller to your desktop.
  • Right click the BFU folder on your desktop, and choose Extract All
  • Click "Next"
  • In the box to choose where to extract the files to,
  • Click "Browse"
  • Click on the + sign next to "My Computer"
  • Click on "Local Disk (C:)" or whatever your primary drive is
  • Click "Make New Folder"
  • Type in BFU
  • Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
3. RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.
Save it in the same folder you made earlier (c:\BFU).

Do not do anything with these yet!

Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping F8 until a menu appears. Highlight Safe Mode and hit enter.

4. Once in Safe Mode, Open Ewido:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • You will be prompted to clean the first infection.
  • Select "Perform action on all infections", then proceed.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop or a location where you can find it easily.
Close ewido anti-malware.

5. Then, please go to Start > My Computer and navigate to the C:\BFU folder.
  • Start the Brute Force Uninstaller by double-clicking BFU.exe
  • In the scriptline to execute field type or paste c:\bfu\alcanshorty.bfu
  • Press Execute and let it do its job. (You ought to see a progress bar if you did this correctly.)
  • Wait for the complete script execution box to pop up and press OK.
  • Press exit to terminate the BFU program.
Reboot into normal Windows and post the contents of the Ewido text report that you saved and a new HijackThis log.


Regards,

Trevuren


#9 sugabum (Topic Starter, Member, 19 posts)
Hi Trevuren,

I tried to follow all your directions but I ran into some problems:

1. When I tried to update my ewido definitions, it said "Connection could not be established." I even tried to reinstall the program, but it still wouldn't update.
2. When I ran BFU and pressed the execute button, it didn't show a progress bar. It barely took a second for the "complete script execution" pop-up to come up. So I don't know if it worked or not.

Here are my logs:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 3:19:02 PM, 4/1/2006
+ Report-Checksum: 2056D6E3

+ Scan result:

:mozilla.16:C:\Documents and Settings\Steve\Application Data\Netscape\NSB\Profiles\oaimbzmf.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
:mozilla.17:C:\Documents and Settings\Steve\Application Data\Netscape\NSB\Profiles\oaimbzmf.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup
:mozilla.18:C:\Documents and Settings\Steve\Application Data\Netscape\NSB\Profiles\oaimbzmf.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.19:C:\Documents and Settings\Steve\Application Data\Netscape\NSB\Profiles\oaimbzmf.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.20:C:\Documents and Settings\Steve\Application Data\Netscape\NSB\Profiles\oaimbzmf.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.21:C:\Documents and Settings\Steve\Application Data\Netscape\NSB\Profiles\oaimbzmf.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.22:C:\Documents and Settings\Steve\Application Data\Netscape\NSB\Profiles\oaimbzmf.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.24:C:\Documents and Settings\Steve\Application Data\Netscape\NSB\Profiles\oaimbzmf.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.25:C:\Documents and Settings\Steve\Application Data\Netscape\NSB\Profiles\oaimbzmf.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.26:C:\Documents and Settings\Steve\Application Data\Netscape\NSB\Profiles\oaimbzmf.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.27:C:\Documents and Settings\Steve\Application Data\Netscape\NSB\Profiles\oaimbzmf.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.28:C:\Documents and Settings\Steve\Application Data\Netscape\NSB\Profiles\oaimbzmf.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.29:C:\Documents and Settings\Steve\Application Data\Netscape\NSB\Profiles\oaimbzmf.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.30:C:\Documents and Settings\Steve\Application Data\Netscape\NSB\Profiles\oaimbzmf.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.31:C:\Documents and Settings\Steve\Application Data\Netscape\NSB\Profiles\oaimbzmf.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.32:C:\Documents and Settings\Steve\Application Data\Netscape\NSB\Profiles\oaimbzmf.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.38:C:\Documents and Settings\Steve\Application Data\Netscape\NSB\Profiles\oaimbzmf.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.39:C:\Documents and Settings\Steve\Application Data\Netscape\NSB\Profiles\oaimbzmf.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.40:C:\Documents and Settings\Steve\Application Data\Netscape\NSB\Profiles\oaimbzmf.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.41:C:\Documents and Settings\Steve\Application Data\Netscape\NSB\Profiles\oaimbzmf.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.42:C:\Documents and Settings\Steve\Application Data\Netscape\NSB\Profiles\oaimbzmf.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.43:C:\Documents and Settings\Steve\Application Data\Netscape\NSB\Profiles\oaimbzmf.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.44:C:\Documents and Settings\Steve\Application Data\Netscape\NSB\Profiles\oaimbzmf.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.48:C:\Documents and Settings\Steve\Application Data\Netscape\NSB\Profiles\oaimbzmf.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned with backup
:mozilla.49:C:\Documents and Settings\Steve\Application Data\Netscape\NSB\Profiles\oaimbzmf.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned with backup
:mozilla.51:C:\Documents and Settings\Steve\Application Data\Netscape\NSB\Profiles\oaimbzmf.default\cookies.txt -> TrackingCookie.Adserver : Cleaned with backup
:mozilla.52:C:\Documents and Settings\Steve\Application Data\Netscape\NSB\Profiles\oaimbzmf.default\cookies.txt -> TrackingCookie.Adserver : Cleaned with backup
:mozilla.54:C:\Documents and Settings\Steve\Application Data\Netscape\NSB\Profiles\oaimbzmf.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.55:C:\Documents and Settings\Steve\Application Data\Netscape\NSB\Profiles\oaimbzmf.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.56:C:\Documents and Settings\Steve\Application Data\Netscape\NSB\Profiles\oaimbzmf.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.57:C:\Documents and Settings\Steve\Application Data\Netscape\NSB\Profiles\oaimbzmf.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.58:C:\Documents and Settings\Steve\Application Data\Netscape\NSB\Profiles\oaimbzmf.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.59:C:\Documents and Settings\Steve\Application Data\Netscape\NSB\Profiles\oaimbzmf.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.60:C:\Documents and Settings\Steve\Application Data\Netscape\NSB\Profiles\oaimbzmf.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.64:C:\Documents and Settings\Steve\Application Data\Netscape\NSB\Profiles\oaimbzmf.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup
:mozilla.65:C:\Documents and Settings\Steve\Application Data\Netscape\NSB\Profiles\oaimbzmf.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.66:C:\Documents and Settings\Steve\Application Data\Netscape\NSB\Profiles\oaimbzmf.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.67:C:\Documents and Settings\Steve\Application Data\Netscape\NSB\Profiles\oaimbzmf.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.68:C:\Documents and Settings\Steve\Application Data\Netscape\NSB\Profiles\oaimbzmf.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.69:C:\Documents and Settings\Steve\Application Data\Netscape\NSB\Profiles\oaimbzmf.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.70:C:\Documents and Settings\Steve\Application Data\Netscape\NSB\Profiles\oaimbzmf.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.71:C:\Documents and Settings\Steve\Application Data\Netscape\NSB\Profiles\oaimbzmf.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.72:C:\Documents and Settings\Steve\Application Data\Netscape\NSB\Profiles\oaimbzmf.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.73:C:\Documents and Settings\Steve\Application Data\Netscape\NSB\Profiles\oaimbzmf.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.74:C:\Documents and Settings\Steve\Application Data\Netscape\NSB\Profiles\oaimbzmf.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.75:C:\Documents and Settings\Steve\Application Data\Netscape\NSB\Profiles\oaimbzmf.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.76:C:\Documents and Settings\Steve\Application Data\Netscape\NSB\Profiles\oaimbzmf.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.77:C:\Documents and Settings\Steve\Application Data\Netscape\NSB\Profiles\oaimbzmf.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.78:C:\Documents and Settings\Steve\Application Data\Netscape\NSB\Profiles\oaimbzmf.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup
:mozilla.79:C:\Documents and Settings\Steve\Application Data\Netscape\NSB\Profiles\oaimbzmf.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup
:mozilla.80:C:\Documents and Settings\Steve\Application Data\Netscape\NSB\Profiles\oaimbzmf.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup
:mozilla.81:C:\Documents and Settings\Steve\Application Data\Netscape\NSB\Profiles\oaimbzmf.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup
:mozilla.82:C:\Documents and Settings\Steve\Application Data\Netscape\NSB\Profiles\oaimbzmf.default\cookies.txt -> TrackingCookie.Addynamix : Cleaned with backup
:mozilla.83:C:\Documents and Settings\Steve\Application Data\Netscape\NSB\Profiles\oaimbzmf.default\cookies.txt -> TrackingCookie.Addynamix : Cleaned with backup
:mozilla.85:C:\Documents and Settings\Steve\Application Data\Netscape\NSB\Profiles\oaimbzmf.default\cookies.txt -> TrackingCookie.Bluestreak : Cleaned with backup
C:\Documents and Settings\Steve\Cookies\[email protected][2].txt -> TrackingCookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Steve\Cookies\steve@adrevolver[1].txt -> TrackingCookie.Adrevolver : Cleaned with backup
C:\Documents and Settings\Steve\Cookies\[email protected][2].txt -> TrackingCookie.Addynamix : Cleaned with backup
C:\Documents and Settings\Steve\Cookies\steve@advertising[2].txt -> TrackingCookie.Advertising : Cleaned with backup
C:\Documents and Settings\Steve\Cookies\[email protected][1].txt -> TrackingCookie.Falkag : Cleaned with backup
C:\Documents and Settings\Steve\Cookies\steve@atdmt[1].txt -> TrackingCookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Steve\Cookies\steve@bluestreak[1].txt -> TrackingCookie.Bluestreak : Cleaned with backup
C:\Documents and Settings\Steve\Cookies\steve@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Steve\Cookies\steve@casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Steve\Cookies\steve@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Steve\Cookies\steve@fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned with backup
C:\Documents and Settings\Steve\Cookies\steve@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Steve\Cookies\steve@trafficmp[2].txt -> TrackingCookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\Steve\Cookies\steve@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Steve\Cookies\[email protected][2].txt -> TrackingCookie.Adserver : Cleaned with backup
C:\Documents and Settings\Steve\Local Settings\Temp\Cookies\[email protected][2].txt -> TrackingCookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Steve\Local Settings\Temp\Cookies\steve@adrevolver[1].txt -> TrackingCookie.Adrevolver : Cleaned with backup
C:\Documents and Settings\Steve\Local Settings\Temp\Cookies\[email protected][1].txt -> TrackingCookie.Addynamix : Cleaned with backup
C:\Documents and Settings\Steve\Local Settings\Temp\Cookies\steve@advertising[2].txt -> TrackingCookie.Advertising : Cleaned with backup
C:\Documents and Settings\Steve\Local Settings\Temp\Cookies\[email protected][2].txt -> TrackingCookie.Falkag : Cleaned with backup
C:\Documents and Settings\Steve\Local Settings\Temp\Cookies\steve@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Steve\Local Settings\Temp\Cookies\steve@bluestreak[1].txt -> TrackingCookie.Bluestreak : Cleaned with backup
C:\Documents and Settings\Steve\Local Settings\Temp\Cookies\steve@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Steve\Local Settings\Temp\Cookies\steve@casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Steve\Local Settings\Temp\Cookies\steve@doubleclick[2].txt -> TrackingCookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Steve\Local Settings\Temp\Cookies\steve@fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned with backup
C:\Documents and Settings\Steve\Local Settings\Temp\Cookies\steve@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Steve\Local Settings\Temp\Cookies\steve@trafficmp[2].txt -> TrackingCookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\Steve\Local Settings\Temp\Cookies\steve@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Steve\Local Settings\Temp\Cookies\[email protected][1].txt -> TrackingCookie.Adserver : Cleaned with backup


::Report End




Logfile of HijackThis v1.99.1
Scan saved at 3:35:24 PM, on 4/1/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\PROGRA~1\MICROS~4\wcescomm.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Netscape\Netscape Browser\netscape.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Steve\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
F2 - REG:system.ini: UserInit=userinit.exe
O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
O4 - HKLM\..\RunServices: [wmplayer] p2pnetworking.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MICROS~4\wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .htm: C:\Program Files\Netscape\Netscape Browser\PLUGINS\npTrident.dll
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=48835
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.web...otoUploader.CAB
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalci....1.11_en_dl.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


I hope everything worked! Thanks!

#10
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Please disable Ewido Security Suite (EwidoGuard)

1. Launch Ewido
2. In the main window, click "Realtime protection" (in green indicating "Active") to change to inactive.


We must disable Spy Sweeper for it may interfere with our fix

To disable SpySweeper:
  • Open SpySweeper, click >Options over to the left then >program options >Uncheck "load at windows startup".
  • Over to the left, click "shields" and uncheck all there.
  • Uncheck "home page shield".
  • Uncheck "automatically restore default without notification".

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.
  • First we need to make all files and folders VISIBLE:
    • Go to start>control panel>folder options>view (tab)
    • Choose to "show hidden files and folders,"
    • Uncheck the "hide protected operating system files" and the "hide extensions for known file types" boxes.
    • Close the window with ok
  • Please RUN HijackThis.
    • Click the SCAN button to produce a log.

  • Place a check mark beside each one of the following items:

    O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
    O4 - HKLM\..\RunServices: [wmplayer] p2pnetworking.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE


  • Now with all the items selected, and all windows closed except for HJT, delete them by clicking the FIX checked button. Close the HijackThis window.

  • Reboot Your System in Safe Mode

    How to use the F8 method to Start Your Computer in Safe Mode

    • Restart the computer.
    • As soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
    • Use the arrow keys to select the Safe mode menu item
    • Press Enter.
  • Using Windows Explorer, locate the following file, and DELETE it (if still present):

    p2pnetworking.exe <== You will have to search for this one

  • Exit Explorer, and REBOOT BACK INTO NORMAL MODE

  • Finally, RUN Hijackthis again and produce a new HJT log. Post it in the forum so we can check how everything looks now.
Regards,

Trevuren


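The fix above is done by eye: Trevuren reads the HijackThis log, picks out the O3 toolbar that has `(no file)` behind its CLSID and the O4 RunServices entry whose command is a bare `p2pnetworking.exe` with no path, and then has the file searched for in Safe Mode because the log gives no location. The script below is an added example, not part of this thread and not part of HijackThis, that applies those same checks as rules over HJT log lines so the questionable entries surface mechanically (orphaned O3 toolbars, O4 registry autoruns that name an executable without a path, O18 handlers whose DLL is missing, and O20 Winlogon Notify DLLs, which load into winlogon.exe and therefore merit a vendor check). The sample log is constructed from entries that appear in the posts above; the wording of each finding is my own.

```python
"""Rule-based triage of HijackThis (HJT) log lines.

Added example for this thread; not HijackThis code and not the original log.
The SAMPLE_LOG below is constructed from entries visible in the posts above.
"""
import re
from typing import List, Tuple

SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
O4 - HKLM\..\RunServices: [wmplayer] p2pnetworking.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# O4 lines that come from a registry Run/RunOnce/RunServices key, e.g.
#   O4 - HKLM\..\RunServices: [wmplayer] p2pnetworking.exe
O4_REG_RE = re.compile(
    r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$'
)
# First executable named on a command line, with or without surrounding quotes.
EXE_RE = re.compile(r'^"?(?P<path>.*?\.exe)"?', re.IGNORECASE)

# (HJT section, reason, original log line)
Finding = Tuple[str, str, str]


def triage(log_text: str) -> List[Finding]:
    """Return the log lines a reviewer would question, with the rule that fired."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        section = line.split(" - ", 1)[0]

        if section == "O3" and line.endswith("(no file)"):
            # A toolbar CLSID is still registered but its DLL is gone: an orphan
            # left behind by an uninstall or a partial removal. Safe to fix.
            findings.append((section, "toolbar CLSID with no backing file (orphan)", line))

        elif section == "O4":
            m = O4_REG_RE.match(line)
            if not m:
                continue  # Global Startup .lnk entries are not covered by this rule
            exe = EXE_RE.match(m.group("cmd"))
            if exe and "\\" not in exe.group("path"):
                # A bare file name means Windows resolves it through the PATH
                # search order at logon; the log does not say where it lives,
                # which is why the thread has the user search the disk for it.
                findings.append((
                    section,
                    f"autorun '{m.group('name')}' under {m.group('key')} runs a bare "
                    f"executable name ({exe.group('path')}); location unknown, search for the file",
                    line,
                ))

        elif section == "O18" and line.endswith("(file missing)"):
            findings.append((section, "protocol handler DLL is missing (orphan)", line))

        elif section == "O20":
            # Winlogon Notify DLLs are loaded by winlogon.exe itself, so every
            # entry here deserves a check that the DLL really belongs to its vendor.
            findings.append((section, "Winlogon Notify DLL loads into winlogon.exe; verify vendor", line))

    return findings


if __name__ == "__main__":
    for sec, reason, entry in triage(SAMPLE_LOG):
        print(f"[{sec}] {reason}\n    {entry}")
```

The O4 rule deliberately ignores fully qualified paths such as `ctfmon.exe` under `system32`, so legitimate entries from the posted log do not trip it; only the path-less `p2pnetworking.exe` does, which matches what Trevuren chose to remove. Run it on a saved HJT log by replacing `SAMPLE_LOG` with the file's contents.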


#11
sugabum

sugabum

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
Logfile of HijackThis v1.99.1
Scan saved at 6:07:14 PM, on 4/1/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\1143799711\ee\AOLSoftware.exe
C:\PROGRA~1\MICROS~4\wcescomm.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Netscape\Netscape Browser\netscape.exe
C:\Documents and Settings\Steve\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
F2 - REG:system.ini: UserInit=userinit.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1143799711\ee\AOLSoftware.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MICROS~4\wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .htm: C:\Program Files\Netscape\Netscape Browser\PLUGINS\npTrident.dll
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=48835
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.web...otoUploader.CAB
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalci....1.11_en_dl.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#12
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Your log looks good. If you have no more malware-related problems that you are aware of, just give me the OK and we can start the final but essential cleanup procedures and recommendations.

Trevuren

#13
sugabum

sugabum

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
Okay, let's do it! :blink:
You're awesome! :whistling:

#14
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
It makes my job a lot easier when I can deal with people like yourself who follow instructions. :whistling:

Congratulations, your log shows that your SYSTEM IS CLEAN

There are a few things you must do once you are completely clean:

1. Re-hide your System Files and Folders to prevent any future accidents.

Reconfigure Windows XP to hide hidden files:
  • Click Start. Open My Computer.
  • Select the Tools menu and click Folder Options. Select the View Tab.
  • Under the Hidden files and folders heading deselect "Show hidden files and folders".
  • Check the "Hide protected operating system files (recommended)" option.
  • Click Yes to confirm. Click OK.
2. Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.

If you use the Firefox browser:
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use the Opera browser:
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

3. Reset and re-enable your System Restore to remove bad files from the backup that Windows makes, as no program is able to clean those files:

TO DISABLE SYSTEM RESTORE
  • Right-click "My Computer", and then left click "Properties".
  • Left click on "System Restore Tab"
  • Check box beside "Turn Off System Restore"
  • Left click on "Apply"
Reboot your System

TO ENABLE SYSTEM RESTORE
  • Remove check mark from "Turn Off System Restore"
  • Click on "Apply"
Here are some tips to reduce the potential for spyware infection in the future:

Make sure you keep your Windows OS current by visiting Windows Update regularly to download and install any critical updates and service packs. Without these you are leaving the back door open.

I strongly recommend installing the following applications:
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
To protect yourself further:
  • Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
  • Google Toolbar <= Get the free google toolbar to help stop pop up windows.
And also see TonyKlein's good advice
So how did I get infected in the first place? (My Favorite)

Regards,

Trevuren

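The MVPS HOSTS file recommended above works by mapping known ad and tracking hosts to 127.0.0.1, so the browser's connection never leaves the machine. The check below is an added example, not from this thread and not from MVPS: it parses a HOSTS file and reports every name that is mapped to anything other than a loopback or unspecified address. In a blocklist-style HOSTS file every mapping should be local, so a non-local one is a redirect; since rewriting HOSTS to redirect or block security-vendor sites is a long-standing malware trick, the same check doubles as an integrity test after a cleanup like this one. The file content is constructed for the example; the hostnames are ones that appear in the ewido cookie report earlier in the thread, and the redirect target is invented.

```python
"""Audit a Windows HOSTS file for mappings that do not point at the local machine.

Added example for this thread; not part of the MVPS HOSTS file or of any tool
mentioned above. SAMPLE_HOSTS is constructed: the ad hostnames are taken from
the cookie report in this thread, the redirect target is made up.
"""
import ipaddress
from typing import List, Tuple

SAMPLE_HOSTS = """\
# constructed sample in the layout of a Windows HOSTS file
127.0.0.1       localhost
127.0.0.1       ad.doubleclick.net          # ad server, blocked
0.0.0.0         www.doubleclick.net         # some lists use 0.0.0.0 instead
127.0.0.1       tribalfusion.com  www.tribalfusion.com
127.0.0.1       fastclick.com
10.0.0.5        update.example-av.test      # not local: a redirect (constructed)
"""

# (line number, address, hostname), one tuple per name on a line
Entry = Tuple[int, ipaddress._BaseAddress, str]


def parse_hosts(text: str) -> List[Entry]:
    """Split a HOSTS file into (line, address, name) entries.

    Comments start at '#', a line may carry several names, and an address the
    ipaddress module rejects is reported with its line number rather than ignored,
    because a malformed line in this file is itself worth a look.
    """
    entries: List[Entry] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError as exc:
            raise ValueError(f"line {lineno}: bad address {parts[0]!r}") from exc
        for name in parts[1:]:
            entries.append((lineno, addr, name.lower()))
    return entries


def audit(text: str) -> List[Tuple[int, str, str]]:
    """Return (line, hostname, address) for every mapping that is not local.

    127.0.0.0/8 and ::1 are loopback; 0.0.0.0 is the unspecified address some
    blocklists use. Anything else sends the name to a real host, which a
    blocklist never needs to do.
    """
    findings = []
    for lineno, addr, name in parse_hosts(text):
        if addr.is_loopback or addr.is_unspecified:
            continue
        findings.append((lineno, name, str(addr)))
    return findings


if __name__ == "__main__":
    for lineno, name, addr in audit(SAMPLE_HOSTS):
        print(f"line {lineno}: {name} -> {addr} (not local)")
```

To run it against a live system, read `%SystemRoot%\System32\drivers\etc\hosts` into `audit()` in place of `SAMPLE_HOSTS`; an empty result means every entry is a local sinkhole, which is the only thing a blocklist-style HOSTS file should contain.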

#15
sugabum

sugabum

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
Okay, all done!

THANKS SO MUCH, TREVUREN!!! YOU ARE THE BEST!! :blink: :whistling: