[Rogerpop]

I see that others have had this same problem. From what I can tell other forum users may guide me through the process of rooting out this trojan.

This is what has happened so far.

1. I run Avast in Safe Mode every morning.
2. I come back in the afternoon and a trojan is found.
3. I keep track of the details:

Day 1: Win32:TratBHO
Files: A00559144.dll through A00559158.dll

Day 2: Win32:TratBHO
Files: C:\WIN\system32\pmnno.dll

From what I can tell every day it's a new infected file and Avast will never be able to root out the real problem. So where do I begin?

Thanks to whoever helps!

[Advertisements]

Hello

Download ComboFix from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall

[Rorschach112]

Hello

Download ComboFix from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall

[Rogerpop]

It gave me a warning that 1% of machines....well something bad will happen to them. I guess I should try to back up my data first, eh?

[Rogerpop]

ComboFix 08-02.05.3 - Administrator 2008-02-07 22:53:36.1 - NTFSx86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.820 [GMT -8:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\sean\Application Data\SSTEM~1
C:\Documents and Settings\sean\Application Data\SSTEM~1\s?stem\
C:\Documents and Settings\sean\My Documents\CROSOF~1
C:\Documents and Settings\sean\My Documents\CROSOF~1\w?nlogon.exe
C:\Documents and Settings\sean\Start Menu\Programs\Internet Speed Monitor
C:\Documents and Settings\sean\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk
C:\Documents and Settings\sean\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk
C:\Documents and Settings\sean\Start Menu\Programs\Outerinfo
C:\Documents and Settings\sean\Start Menu\Programs\Outerinfo\Terms.lnk
C:\Documents and Settings\sean\Start Menu\Programs\Outerinfo\Uninstall.lnk
C:\Program Files\Common Files\Yazzle1552OinAdmin.exe
C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe
C:\Program Files\internet optimizer
C:\Program Files\ISM
C:\Program Files\ISM\ism.exe
C:\Program Files\ISM\Uninstall.exe
C:\Program Files\outerinfo
C:\Program Files\outerinfo\FF\chrome.manifest
C:\Program Files\outerinfo\FF\components\FF.dll
C:\Program Files\outerinfo\FF\components\OuterinfoAds.xpt
C:\Program Files\outerinfo\FF\install.rdf
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\QdrDrive
C:\Program Files\QdrDrive\qdrloader.exe
C:\Program Files\QdrModule
C:\Program Files\QdrModule\dic.gz
C:\Program Files\QdrModule\kwd.gz
C:\Program Files\QdrPack
C:\Program Files\QdrPack\dicts.gz
C:\Program Files\QdrPack\trgts.gz
C:\Program Files\Temporary
C:\Program Files\Temporary\kernInst.exe
C:\WIN\b122.exe
C:\WIN\system32\jjkmp.ini
C:\WIN\system32\jjkmp.ini2
C:\WIN\system32\wvustqo.dll
H:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-01-08 to 2008-02-08 )))))))))))))))))))))))))))))))
.

2008-02-07 22:49 . 2004-08-03 23:56 388,608 --a------ C:\kmd.exe
2008-02-04 18:34 . 2008-02-04 18:42 <DIR> d-------- C:\Program Files\Security Task Manager
2008-02-04 18:34 . 2008-02-04 18:41 <DIR> d-------- C:\Documents and Settings\All Users.WIN\Application Data\SecTaskMan
2008-02-04 18:34 . 2008-02-04 18:34 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Ipswitch
2008-02-02 21:49 . 2008-02-02 21:49 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Talkback
2008-01-27 11:23 . 2008-01-31 18:21 <DIR> d-------- C:\Program Files\Dot1XCfg
2008-01-27 11:19 . 2008-01-27 11:19 270,698 --a------ C:\WIN\system32\LD8F9.tmp
2008-01-27 11:19 . 2008-01-27 11:19 181,965 --a------ C:\WIN\system32\LCE6A.tmp
2008-01-25 20:17 . 2008-01-25 20:17 <DIR> d-------- C:\Documents and Settings\All Users.WIN\Application Data\EPSON
2008-01-25 20:16 . 2008-01-25 20:16 <DIR> d-------- C:\EPSONREG
2008-01-25 20:16 . 2008-01-25 20:16 <DIR> d-------- C:\Documents and Settings\sean\Application Data\Leadertech
2008-01-25 20:14 . 2008-01-25 20:14 <DIR> d-------- C:\Program Files\ArcSoft
2008-01-25 20:14 . 1995-08-01 04:44 212,480 --a------ C:\WIN\PCDLIB32.DLL
2008-01-25 20:14 . 2005-02-23 14:58 11,776 --a------ C:\WIN\system32\drivers\afc.sys
2008-01-25 20:11 . 2008-01-25 20:11 <DIR> d-------- C:\Documents and Settings\sean\Application Data\InstallShield
2008-01-25 20:06 . 2008-01-25 20:15 <DIR> d-------- C:\Program Files\epson
2008-01-25 20:06 . 2006-08-10 01:02 75,264 --a------ C:\WIN\system32\E_FLBBVA.DLL
2008-01-25 20:06 . 2006-04-19 01:00 62,976 --a------ C:\WIN\system32\E_FD4BBVA.DLL
2008-01-25 20:06 . 2006-10-13 00:00 61,952 --a------ C:\WIN\system32\escwiad.dll
2008-01-25 20:05 . 2008-01-25 20:16 44 --a------ C:\WIN\EP_CX5000.ini
2008-01-10 23:20 . 2008-01-10 23:20 <DIR> d-------- C:\Documents and Settings\All Users.WIN\Application Data\FLEXnet
2008-01-10 23:08 . 2008-01-10 23:08 <DIR> d-------- C:\Program Files\Bonjour
2008-01-10 22:56 . 2008-01-10 22:56 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-01 02:21 --------- d-----w C:\Program Files\QuickTime
2008-02-01 02:21 --------- d-----w C:\Program Files\iTunes
2008-02-01 02:21 --------- d-----w C:\Program Files\eFax Messenger 4.3
2008-01-26 04:13 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-21 21:11 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-01-14 00:11 --------- d-----w C:\Documents and Settings\sean\Application Data\Skype
2008-01-11 07:08 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-11 06:48 --------- d-----w C:\Program Files\Macromedia
2008-01-11 06:47 --------- d-----w C:\Program Files\GIMP-2.0
2008-01-11 06:45 --------- d-----w C:\Program Files\eBay
2008-01-11 06:44 --------- d-----w C:\Documents and Settings\sean\Application Data\Walgreens
2006-06-03 19:18 17,288 ----a-w C:\Documents and Settings\mae\Application Data\GDIPFONTCACHEV1.DAT
2005-11-27 23:50 95,744 ----a-w C:\Program Files\metapad.exe
2005-09-26 19:41 17,288 ----a-w C:\Documents and Settings\sean\Application Data\GDIPFONTCACHEV1.DAT
2005-08-28 19:43 119 ----a-w C:\Documents and Settings\Owner\PageSuckerRegistration.dat
2005-03-27 00:53 56,712 ----a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BlazeServoTool"="C:\Program Files\BlazeVideo\BlazeDVD 4 Professional\MediaDetector.exe" [ ]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [ ]
"Smrr"="C:\DOCUME~1\sean\APPLIC~1\SSTEM~1\scanregw.exe" [ ]
"Fnrkp"="C:\Documents and Settings\sean\My Documents\??crosoft\w?nlogon.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 12:47 57344 C:\WIN\ALCXMNTR.EXE]
"NvCplDaemon"="C:\WIN\system32\NvCpl.dll" [2005-07-20 20:07 7110656]
"nwiz"="nwiz.exe" [2005-07-20 20:07 1519616 C:\WIN\system32\nwiz.exe]
"NvMediaCenter"="C:\WIN\system32\NvMcTray.dll" [2005-07-20 20:07 86016]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [2004-06-16 20:49:51 225280]

C:\Documents and Settings\All Users.WIN\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-07-07 19:47:08 98304]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Automation Anywhere Event Monitor.lnk - C:\Program Files\Automation Anywhere 3.5\AAEventMonitor.exe [2007-04-27 21:05:20 57344]
Automation Anywhere Hotkeys.lnk - C:\Program Files\Automation Anywhere 3.5\AAHotkeys.exe [2007-04-16 17:18:48 98304]
eFax 4.3.lnk - C:\Program Files\eFax Messenger 4.3\J2GTray.exe [2007-03-14 13:35:18 629248]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04 83360]

R2 Automation Anywhere Service;Automation Anywhere Service;C:\Program Files\Automation Anywhere 3.5\Automation Anywhere Service.exe [2007-04-02 13:37]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-07 23:08:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WIN\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Automation Anywhere 3.5\AAService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WIN\system32\Ati2evxx.exe
.
**************************************************************************
.
Completion time: 2008-02-07 23:13:03 - machine was rebooted [sean]
ComboFix-quarantined-files.txt 2008-02-08 07:12:59
.
2008-02-01 16:19:19 --- E O F ---

[Rorschach112]

Hello

ComboFix.exe is perfectly safe as long as you don't use it yourself

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

Folder::
C:\Program Files\Dot1XCfg
C:\Documents and Settings\sean\My Documents\??crosoft

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Smrr"=-
"Fnrkp"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AlcxMonitor"=-

Save this as CFScript.txt, in the same location as ComboFix.exe




Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall



Download and scan with SUPERAntiSpyware Free for Home Users

• Double-click SUPERAntiSpyware.exe and use the default settings for installation.
• An icon will be created on your desktop. Double-click that icon to launch the program.
• If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
• Under "Configuration and Preferences", click the Preferences button.
• Click the Scanning Control tab.
• Under Scanner Options make sure the following are checked (leave all others unchecked):
  • Close browsers before scanning.
  • Scan for tracking cookies.
  • Terminate memory threats before quarantining.
• Click the "Close" button to leave the control center screen.
• Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
• On the left, make sure you check C:\Fixed Drive.
• On the right, under "Complete Scan", choose Perform Complete Scan.
• Click "Next" to start the scan. Please be patient while it scans your computer.
• After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
• Make sure everything has a checkmark next to it and click "Next".
• A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
• If asked if you want to reboot, click "Yes".
• To retrieve the removal information after reboot, launch SUPERAntispyware again.
  • Click Preferences, then click the Statistics/Logs tab.
  • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
  • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
  • Please copy and paste the Scan Log results in your next reply.
• Click Close to exit the program.

Reboot and post a new HijackThis log

[Rogerpop]

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/09/2008 at 04:22 PM

Application Version : 3.9.1008

Core Rules Database Version : 3259
Trace Rules Database Version: 1270

Scan type : Complete Scan
Total Scan Time : 03:20:32

Memory items scanned : 342
Memory threats detected : 0
Registry items scanned : 5093
Registry threats detected : 4
File items scanned : 210033
File threats detected : 89

Trojan.WinFixer
HKLM\Software\Classes\CLSID\{C862821F-4546-47EB-B227-A266276422CF}
HKCR\CLSID\{C862821F-4546-47EB-B227-A266276422CF}
HKCR\CLSID\{C862821F-4546-47EB-B227-A266276422CF}\InprocServer32
HKCR\CLSID\{C862821F-4546-47EB-B227-A266276422CF}\InprocServer32#ThreadingModel
C:\WIN\SYSTEM32\PMKJJ.DLL

Adware.Tracking Cookie
C:\Documents and Settings\sean\Cookies\sean@serving-sys[2].txt
C:\Documents and Settings\sean\Cookies\sean@tribalfusion[1].txt
C:\Documents and Settings\sean\Cookies\sean@ad[2].txt
C:\Documents and Settings\sean\Cookies\[email protected][1].txt
C:\Documents and Settings\sean\Cookies\[email protected][1].txt
C:\Documents and Settings\sean\Cookies\[email protected][2].txt
C:\Documents and Settings\sean\Cookies\sean@mb[1].txt
C:\Documents and Settings\sean\Cookies\sean@mediaplex[1].txt
C:\Documents and Settings\sean\Cookies\sean@advertising[1].txt
C:\Documents and Settings\sean\Cookies\sean@casalemedia[1].txt
C:\Documents and Settings\sean\Cookies\sean@realmedia[2].txt
C:\Documents and Settings\sean\Cookies\sean@doubleclick[1].txt
C:\Documents and Settings\sean\Cookies\[email protected][2].txt
C:\Documents and Settings\sean\Cookies\[email protected][1].txt
C:\Documents and Settings\sean\Cookies\sean@questionmarket[1].txt
C:\Documents and Settings\sean\Cookies\[email protected][1].txt
C:\Documents and Settings\sean\Cookies\sean@adbrite[2].txt
C:\Documents and Settings\sean\Cookies\[email protected][2].txt
C:\Documents and Settings\sean\Cookies\[email protected][1].txt
C:\Documents and Settings\sean\Cookies\sean@cgi-bin[2].txt
C:\Documents and Settings\sean\Cookies\[email protected][1].txt
C:\Documents and Settings\sean\Cookies\[email protected][2].txt
C:\Documents and Settings\sean\Cookies\[email protected][2].txt
C:\Documents and Settings\sean\Cookies\sean@wordtracker[1].txt
C:\Documents and Settings\sean\Cookies\sean@apmebf[1].txt
C:\Documents and Settings\sean\Cookies\sean@adrevolver[3].txt
C:\Documents and Settings\sean\Cookies\sean@indextools[2].txt
C:\Documents and Settings\sean\Cookies\sean@partner2profit[1].txt
C:\Documents and Settings\sean\Cookies\sean@trafficmp[1].txt
C:\Documents and Settings\sean\Cookies\[email protected][2].txt
C:\Documents and Settings\sean\Cookies\sean@collective-media[2].txt
C:\Documents and Settings\sean\Cookies\[email protected][2].txt
C:\Documents and Settings\sean\Cookies\sean@zedo[2].txt
C:\Documents and Settings\sean\Cookies\sean@adrevolver[2].txt
C:\Documents and Settings\sean\Cookies\sean@revenue[2].txt
C:\Documents and Settings\sean\Cookies\sean@xiti[1].txt
C:\Documents and Settings\sean\Cookies\sean@specificclick[1].txt
C:\Documents and Settings\sean\Cookies\sean@2o7[2].txt
C:\Documents and Settings\sean\Cookies\sean@tradedoubler[2].txt
C:\Documents and Settings\sean\Cookies\[email protected][1].txt
C:\Documents and Settings\sean\Cookies\[email protected][2].txt
C:\Documents and Settings\sean\Cookies\[email protected][1].txt
C:\Documents and Settings\sean\Cookies\sean@revsci[2].txt
C:\Documents and Settings\sean\Cookies\sean@adlegend[2].txt
C:\Documents and Settings\sean\Cookies\[email protected][2].txt
C:\Documents and Settings\sean\Cookies\sean@overture[1].txt
C:\Documents and Settings\sean\Cookies\sean@media6degrees[2].txt
C:\Documents and Settings\sean\Cookies\[email protected][2].txt
C:\Documents and Settings\sean\Cookies\sean@bluestreak[1].txt
C:\Documents and Settings\sean\Cookies\sean@statcounter[1].txt
C:\Documents and Settings\sean\Cookies\sean@atdmt[2].txt
C:\Documents and Settings\sean\Cookies\sean@247realmedia[2].txt
C:\Documents and Settings\sean\Cookies\sean@html[3].txt
C:\Documents and Settings\sean\Cookies\[email protected][1].txt
C:\Documents and Settings\sean\Cookies\sean@fastclick[1].txt
C:\Documents and Settings\sean\Cookies\[email protected][2].txt
C:\Documents and Settings\sean\Cookies\sean@tripod[1].txt
C:\Documents and Settings\sean\Cookies\[email protected][1].txt
C:\Documents and Settings\sean\Cookies\[email protected][2].txt
C:\Documents and Settings\sean\Cookies\[email protected][2].txt
C:\Documents and Settings\sean\Cookies\sean@hitbox[1].txt
C:\Documents and Settings\sean\Cookies\[email protected][2].txt
C:\Documents and Settings\mae\Cookies\[email protected][1].txt
C:\Documents and Settings\mae\Cookies\mae@adknowledge[1].txt
C:\Documents and Settings\mae\Cookies\[email protected][1].txt
C:\Documents and Settings\mae\Cookies\[email protected][2].txt
C:\Documents and Settings\mae\Cookies\[email protected][1].txt
C:\Documents and Settings\mae\Cookies\mae@advertising[1].txt
C:\Documents and Settings\mae\Cookies\mae@atdmt[1].txt
C:\Documents and Settings\mae\Cookies\mae@belnk[1].txt
C:\Documents and Settings\mae\Cookies\mae@bluestreak[1].txt
C:\Documents and Settings\mae\Cookies\mae@burstnet[2].txt
C:\Documents and Settings\mae\Cookies\[email protected][2].txt
C:\Documents and Settings\mae\Cookies\mae@doubleclick[1].txt
C:\Documents and Settings\mae\Cookies\mae@elitedoodles[1].txt
C:\Documents and Settings\mae\Cookies\mae@mediaplex[1].txt
C:\Documents and Settings\mae\Cookies\mae@nextag[2].txt
C:\Documents and Settings\mae\Cookies\mae@questionmarket[1].txt
C:\Documents and Settings\mae\Cookies\mae@revenue[1].txt
C:\Documents and Settings\mae\Cookies\[email protected][1].txt
C:\Documents and Settings\mae\Cookies\[email protected][1].txt
C:\Documents and Settings\mae\Cookies\[email protected][1].txt
C:\Documents and Settings\mae\Cookies\[email protected][1].txt
C:\Documents and Settings\mae\Cookies\[email protected][1].txt
C:\Documents and Settings\mae\Cookies\mae@zedo[2].txt

Adware.ClearSearch
C:\Program Files\ClearSearch

Adware.ClickSpring/Yazzle
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\COMMON FILES\YAZZLE1552OINADMIN.EXE.VIR
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\COMMON FILES\YAZZLE1552OINUNINSTALLER.EXE.VIR

[Rorschach112]

Can you post the ComboFix log and a new HijackThis log

[Rogerpop]

I will post the ComboFix.txt, but I don't know what HijackThis is.

[Rogerpop]

ComboFix 08-02.05.3 - Administrator 2008-02-09 12:31:09.2 - NTFSx86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.824 [GMT -8:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Dot1XCfg

.
((((((((((((((((((((((((( Files Created from 2008-01-09 to 2008-02-09 )))))))))))))))))))))))))))))))
.

2008-02-07 22:51 . 2004-08-03 23:56 388,608 --a------ C:\kmd.exe
2008-02-04 18:34 . 2008-02-04 18:42 <DIR> d-------- C:\Program Files\Security Task Manager
2008-02-04 18:34 . 2008-02-04 18:41 <DIR> d-------- C:\Documents and Settings\All Users.WIN\Application Data\SecTaskMan
2008-02-04 18:34 . 2008-02-04 18:34 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Ipswitch
2008-02-02 21:49 . 2008-02-02 21:49 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Talkback
2008-01-27 11:19 . 2008-01-27 11:19 270,698 --a------ C:\WIN\system32\LD8F9.tmp
2008-01-27 11:19 . 2008-01-27 11:19 181,965 --a------ C:\WIN\system32\LCE6A.tmp
2008-01-25 20:17 . 2008-01-25 20:17 <DIR> d-------- C:\Documents and Settings\All Users.WIN\Application Data\EPSON
2008-01-25 20:16 . 2008-01-25 20:16 <DIR> d-------- C:\EPSONREG
2008-01-25 20:16 . 2008-01-25 20:16 <DIR> d-------- C:\Documents and Settings\sean\Application Data\Leadertech
2008-01-25 20:14 . 2008-01-25 20:14 <DIR> d-------- C:\Program Files\ArcSoft
2008-01-25 20:14 . 1995-08-01 04:44 212,480 --a------ C:\WIN\PCDLIB32.DLL
2008-01-25 20:14 . 2005-02-23 14:58 11,776 --a------ C:\WIN\system32\drivers\afc.sys
2008-01-25 20:11 . 2008-01-25 20:11 <DIR> d-------- C:\Documents and Settings\sean\Application Data\InstallShield
2008-01-25 20:06 . 2008-01-25 20:15 <DIR> d-------- C:\Program Files\epson
2008-01-25 20:06 . 2006-08-10 01:02 75,264 --a------ C:\WIN\system32\E_FLBBVA.DLL
2008-01-25 20:06 . 2006-04-19 01:00 62,976 --a------ C:\WIN\system32\E_FD4BBVA.DLL
2008-01-25 20:06 . 2006-10-13 00:00 61,952 --a------ C:\WIN\system32\escwiad.dll
2008-01-25 20:05 . 2008-01-25 20:16 44 --a------ C:\WIN\EP_CX5000.ini
2008-01-10 23:20 . 2008-01-10 23:20 <DIR> d-------- C:\Documents and Settings\All Users.WIN\Application Data\FLEXnet
2008-01-10 23:08 . 2008-01-10 23:08 <DIR> d-------- C:\Program Files\Bonjour
2008-01-10 22:56 . 2008-01-10 22:56 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-01 02:21 --------- d-----w C:\Program Files\QuickTime
2008-02-01 02:21 --------- d-----w C:\Program Files\iTunes
2008-02-01 02:21 --------- d-----w C:\Program Files\eFax Messenger 4.3
2008-01-26 04:13 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-21 21:11 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-01-14 00:11 --------- d-----w C:\Documents and Settings\sean\Application Data\Skype
2008-01-11 07:08 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-11 06:48 --------- d-----w C:\Program Files\Macromedia
2008-01-11 06:47 --------- d-----w C:\Program Files\GIMP-2.0
2008-01-11 06:45 --------- d-----w C:\Program Files\eBay
2008-01-11 06:44 --------- d-----w C:\Documents and Settings\sean\Application Data\Walgreens
2007-12-04 13:04 837,496 ----a-w C:\WIN\system32\aswBoot.exe
2007-12-04 12:54 95,608 ----a-w C:\WIN\system32\AVASTSS.scr
2006-06-03 19:18 17,288 ----a-w C:\Documents and Settings\mae\Application Data\GDIPFONTCACHEV1.DAT
2005-11-27 23:50 95,744 ----a-w C:\Program Files\metapad.exe
2005-09-26 19:41 17,288 ----a-w C:\Documents and Settings\sean\Application Data\GDIPFONTCACHEV1.DAT
2005-08-28 19:43 119 ----a-w C:\Documents and Settings\Owner\PageSuckerRegistration.dat
2005-03-27 00:53 56,712 ----a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"NeroHomeFirstStart"="C:\Program Files\Common Files\Ahead\Lib\NMFirstStart.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WIN\system32\NvCpl.dll" [2005-07-20 20:07 7110656]
"nwiz"="nwiz.exe" [2005-07-20 20:07 1519616 C:\WIN\system32\nwiz.exe]
"NvMediaCenter"="C:\WIN\system32\NvMcTray.dll" [2005-07-20 20:07 86016]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [2004-06-16 20:49:51 225280]

C:\Documents and Settings\All Users.WIN\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-07-07 19:47:08 98304]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Automation Anywhere Event Monitor.lnk - C:\Program Files\Automation Anywhere 3.5\AAEventMonitor.exe [2007-04-27 21:05:20 57344]
Automation Anywhere Hotkeys.lnk - C:\Program Files\Automation Anywhere 3.5\AAHotkeys.exe [2007-04-16 17:18:48 98304]
eFax 4.3.lnk - C:\Program Files\eFax Messenger 4.3\J2GTray.exe [2007-03-14 13:35:18 629248]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04 83360]

S2 Automation Anywhere Service;Automation Anywhere Service;C:\Program Files\Automation Anywhere 3.5\Automation Anywhere Service.exe [2007-04-02 13:37]

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-09 12:36:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-09 12:38:34
ComboFix-quarantined-files.txt 2008-02-09 20:38:20
ComboFix2.txt 2008-02-08 07:13:04
.
2008-02-01 16:19:19 --- E O F ---

[Rorschach112]

Sorry do this

CLICK HERE to download the HijackThis Installer:

• Save HJTInstall.exe to your desktop.
• Double-click on HJTInstall.exe to run the program.
• By default it will install to C:\Program Files\Trend Micro\HijackThis.
• Accept the license agreement by clicking the "I Accept" button.
• Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
• Click "Save log" to save the log file and then the log will open in Notepad.
• Click on "Edit -> Select All" then click on "Edit -> Copy" to copy the entire contents of the log.
• Come back here to this thread and paste the log in your next reply.
• Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

Also tell me how your PC is running

[Rogerpop]

My computer seems to be running fine, the only thing that are weird that I notice are:

1. After the initial attack and after rebooting, my system tray icons and services that usually appear at start up - well most of them are not popping up anymore. However all the new software you had me install is showing up in the system tray.

here is the log from hijackthis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:17, on 2008-02-11
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WIN\System32\smss.exe
C:\WIN\system32\winlogon.exe
C:\WIN\system32\services.exe
C:\WIN\system32\lsass.exe
C:\WIN\system32\Ati2evxx.exe
C:\WIN\system32\svchost.exe
C:\WIN\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WIN\system32\spoolsv.exe
C:\Program Files\Automation Anywhere 3.5\Automation Anywhere Service.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Automation Anywhere 3.5\AAService.exe
C:\WIN\system32\Ati2evxx.exe
C:\WIN\Explorer.EXE
C:\WIN\System32\svchost.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Automation Anywhere 3.5\AAEventMonitor.exe
C:\Program Files\Automation Anywhere 3.5\AAHotkeys.exe
C:\Program Files\eFax Messenger 4.3\J2GTray.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WIN\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - {9CB65206-89C4-402c-BA80-02D8C59F9B1D} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WIN\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WIN\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [BlazeServoTool] "C:\Program Files\BlazeVideo\BlazeDVD 4 Professional\MediaDetector.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Smrr] "C:\DOCUME~1\sean\APPLIC~1\SSTEM~1\scanregw.exe" -vt yazb
O4 - HKCU\..\Run: [Fnrkp] "C:\Documents and Settings\sean\My Documents\??crosoft\w?nlogon.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Automation Anywhere Event Monitor.lnk = C:\Program Files\Automation Anywhere 3.5\AAEventMonitor.exe
O4 - Global Startup: Automation Anywhere Hotkeys.lnk = C:\Program Files\Automation Anywhere 3.5\AAHotkeys.exe
O4 - Global Startup: eFax 4.3.lnk = C:\Program Files\eFax Messenger 4.3\J2GTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1126464467250
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1126464454828
O17 - HKLM\System\CCS\Services\Tcpip\..\{80900A71-C627-4BCC-878A-A5F66D8BFA4C}: NameServer = 4.2.2.1,4.2.2.2
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WIN\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WIN\system32\ati2sgag.exe
O23 - Service: Automation Anywhere Service - Unknown owner - C:\Program Files\Automation Anywhere 3.5\Automation Anywhere Service.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WIN\system32\nvsvc32.exe

--
End of file - 5587 bytes

[Rorschach112]

Hello

1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below(if present):

R3 - URLSearchHook: (no name) - {9CB65206-89C4-402c-BA80-02D8C59F9B1D} - (no file)
O4 - HKCU\..\Run: [Smrr] "C:\DOCUME~1\sean\APPLIC~1\SSTEM~1\scanregw.exe" -vt yazb
O4 - HKCU\..\Run: [Fnrkp] "C:\Documents and Settings\sean\My Documents\??crosoft\w?nlogon.exe"


2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.


Reboot and post a new HijackThis log

[Rogerpop]

Ok I followed your instructions and it went to a Hijackthis screen that didn't do anything. I waited for a while and then finally pressed scan. I created a new log file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:25, on 2008-02-12
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WIN\System32\smss.exe
C:\WIN\system32\winlogon.exe
C:\WIN\system32\services.exe
C:\WIN\system32\lsass.exe
C:\WIN\system32\Ati2evxx.exe
C:\WIN\system32\svchost.exe
C:\WIN\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WIN\system32\spoolsv.exe
C:\Program Files\Automation Anywhere 3.5\Automation Anywhere Service.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Automation Anywhere 3.5\AAService.exe
C:\WIN\system32\Ati2evxx.exe
C:\WIN\Explorer.EXE
C:\WIN\System32\svchost.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Automation Anywhere 3.5\AAEventMonitor.exe
C:\Program Files\Automation Anywhere 3.5\AAHotkeys.exe
C:\Program Files\eFax Messenger 4.3\J2GTray.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WIN\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WIN\system32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WIN\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WIN\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [BlazeServoTool] "C:\Program Files\BlazeVideo\BlazeDVD 4 Professional\MediaDetector.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Automation Anywhere Event Monitor.lnk = C:\Program Files\Automation Anywhere 3.5\AAEventMonitor.exe
O4 - Global Startup: Automation Anywhere Hotkeys.lnk = C:\Program Files\Automation Anywhere 3.5\AAHotkeys.exe
O4 - Global Startup: eFax 4.3.lnk = C:\Program Files\eFax Messenger 4.3\J2GTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1126464467250
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1126464454828
O17 - HKLM\System\CCS\Services\Tcpip\..\{80900A71-C627-4BCC-878A-A5F66D8BFA4C}: NameServer = 4.2.2.1,4.2.2.2
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WIN\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WIN\system32\ati2sgag.exe
O23 - Service: Automation Anywhere Service - Unknown owner - C:\Program Files\Automation Anywhere 3.5\Automation Anywhere Service.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WIN\system32\nvsvc32.exe

--
End of file - 5352 bytes

[Rorschach112]

Your logs are clean ! We need to do a few things

[*]Click START then RUN
[*]Now type Combofix /u in the runbox and click OK[/list]The above procedure will do the following:

• Delete ComboFix and its associated files and folders.
• Delete VundoFix backups, if present
• Delete the C:\Deckard folder, if present
• Delete the C:_OtMoveIt folder, if present
• Reset the clock settings.
• Hide file extensions, if required.
• Hide System/Hidden files, if required.
• Reset System Restore.

You now need to update your Java and remove your older versions.

Please follow these steps to remove older version Java components.

* Click Start > Control Panel.
* Click Add/Remove Programs.
* Check any item with Java Runtime Environment (JRE) in the name.
* Click the Remove or Change/Remove button.

Download the latest version of Java Runtime Environment (JRE), and install it to your computer from
here



Below I have included a number of recommendations for how to protect your computer against malware infections.

* Keep Windows updated by regularly checking their website at :
http://windowsupdate.microsoft.com/
This will ensure your computer has always the latest security updates available installed on your computer.

* To reduce re-infection for malware in the future, I strongly recommend installing these free programs:
SpywareBlaster protects against bad ActiveX
IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all
Have a look at this tutorial for IE-Spyad here

* SpywareGuard offers realtime protection from spyware installation attempts.

Make Internet Explorer more secure

• Click Start > Run
• Type Inetcpl.cpl & click OK
• Click on the Security tab
• Click Reset all zones to default level
• Make sure the Internet Zone is selected & Click Custom level
• In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
• Next Click OK, then Apply button and then OK to exit the Internet Properties page.

* MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

* Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more
secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up
blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from
Here

* Take a good look at the following suggestions for malware prevention by reading Tony Klein’s article 'How Did I Get Infected In The First Place'
Here

Thank you for your patience, and performing all of the procedures requested.

[Rogerpop]

Hey thanks a lot!

I have one last question. Do you know why a lot of my applications that would start running at start up are not running at start up anymore? For instance Skype doesn't pop up anymore and sign in, the Avast icons are not appearings, quicktime etc...?