
Pop-Ups, Crashes and Error Messages



#31
drb0605

    Member

  • Topic Starter
  • Member
  • 23 posts
Morning!

OK - here's the log from Castlecops/Find.bat; I got out of my mail program and had nothing else running when I ran this. I did restart my email to send you this.

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System Directory -------


Volume in drive C has no label
Volume Serial Number is 1474-0DFF
Directory of C:\WINDOWS\SYSTEM

JQVACP DLL 405,504 07-11-05 10:33a jQvacp.dll
{38648~1 DAT 32 10-08-02 2:00p {386485B0-DAC6-11D6-9089-0010B544D08D}.dat
2 file(s) 405,536 bytes
0 dir(s) 14,439.56 MB free

------- Hidden Files in System Directory -------


Volume in drive C has no label
Volume Serial Number is 1474-0DFF
Directory of C:\WINDOWS\SYSTEM

VSCONFIG XML 895 07-28-05 9:52p vsconfig.xml
ZLLICTBL DAT 4,212 07-17-05 5:01p zllictbl.dat
HPF81T11 GID 8,628 01-24-05 6:28p HPF81t11.GID
HPF81D11 GID 8,628 06-07-04 7:31a HPF81d11.GID
FFASTLOG TXT 23,226 10-16-02 6:12a FFASTLOG.TXT
{38648~1 DAT 32 10-08-02 2:00p {386485B0-DAC6-11D6-9089-0010B544D08D}.dat
ATISETUP LOG 0 11-17-99 4:40a ATISETUP.LOG
FOLDER HTT 13,122 11-17-99 4:33a folder.htt
DESKTOP INI 266 11-17-99 4:33a desktop.ini
9 file(s) 59,009 bytes
0 dir(s) 14,439.55 MB free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{8F5E7113-73C5-04B1-05E6-1FBC1CF8E492}"=""


------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM\
vsconfig.xml Thu Jul 28 2005 9:52:04p A..H. 895 0.87 K
zllictbl.dat Sun Jul 17 2005 5:01:30p ...H. 4,212 4.11 K
jqvacp.dll Mon Jul 11 2005 10:33:50a ..S.R 405,504 396.00 K

3 items found: 3 files, 0 directories.
Total of file sizes: 410,611 bytes 400.98 K

------------ Strings.exe Qoologic Results ------------

C:\WINDOWS\VPTNFILE.723: TROJ_QOOLOGIC.I
C:\WINDOWS\VPTNFILE.723: TROJ_QOOLOGIC.E
C:\WINDOWS\VPTNFILE.723: TROJ_QOOLOGIC.D
C:\WINDOWS\VPTNFILE.723: TROJ_QOOLOGIC.G
C:\WINDOWS\VPTNFILE.723: TROJ_QOOLOGIC.C
C:\WINDOWS\VPTNFILE.723: TROJ_QOOLOGIC.B
C:\WINDOWS\VPTNFILE.723: TROJ_QOOLOGIC.A
C:\WINDOWS\LPT$VPN.723: TROJ_QOOLOGIC.I
C:\WINDOWS\LPT$VPN.723: TROJ_QOOLOGIC.E
C:\WINDOWS\LPT$VPN.723: TROJ_QOOLOGIC.D
C:\WINDOWS\LPT$VPN.723: TROJ_QOOLOGIC.G
C:\WINDOWS\LPT$VPN.723: TROJ_QOOLOGIC.C
C:\WINDOWS\LPT$VPN.723: TROJ_QOOLOGIC.B
C:\WINDOWS\LPT$VPN.723: TROJ_QOOLOGIC.A

-------------- Strings.exe Aspack Results -------------

C:\WINDOWS\vsapi32.dll: ASPACK EXE
C:\WINDOWS\vsapi32.dll: ASPACK2 EXE
C:\WINDOWS\vsapi32.dll: ASPack 1.08.04
C:\WINDOWS\vsapi32.dll: ASPack 1.08.03
C:\WINDOWS\vsapi32.dll: ASPack 1.08.02b
C:\WINDOWS\vsapi32.dll: ASPack 1.08.01
C:\WINDOWS\vsapi32.dll: ASPack 1.08
C:\WINDOWS\vsapi32.dll: ASPack 1.07b
C:\WINDOWS\vsapi32.dll: ASPack 1.61
C:\WINDOWS\vsapi32.dll: ASPack 1.05b
C:\WINDOWS\vsapi32.dll: ASPack 1.03
C:\WINDOWS\vsapi32.dll: ASPack 1.02
C:\WINDOWS\vsapi32.dll: ASPack 1.01
C:\WINDOWS\vsapi32.dll: ASPack 1.00

----------------- HKLM Run Key ------------------

-------------- Strings.exe Umonitor Results -------------
C:\WINDOWS\SYSTEM\jQvacp.dll: InitUMonitor
C:\WINDOWS\SYSTEM\jQvacp.dll: UMonitor
C:\WINDOWS\SYSTEM\jQvacp.dll: /cgi-bin/UMonitorV2
C:\WINDOWS\SYSTEM\sukcg.dll: InitUMonitor
C:\WINDOWS\SYSTEM\sukcg.dll: UMonitor
C:\WINDOWS\SYSTEM\sukcg.dll: /cgi-bin/UMonitorV2

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"ccRegVfy"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccRegVfy.exe\""
"CriticalUpdate"="c:\\windows\\SYSTEM\\wucrtupd.exe -startup"
"QuickTime Task"="\"C:\\WINDOWS\\SYSTEM\\QTTASK.EXE\" -atboottime"
"HP Software Update"="C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWuSchd2.exe"
"Zone Labs Client"="C:\\Program Files\\ZoneAlarm Firewall\\ZoneAlarm\\zlclient.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"




I'll leave the machine on all day, and see what you've sent tonight.

Again, thank you. :tazz:

Debbie
  • 0
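The find.bat output above is really several tools' results pasted together: a DIR listing, Locate.com's attribute view of the system directory, and Strings.exe hits grouped by scanner name. What follows is an added example, not code from this thread, from CastleCops or from any of the tools named: a small Python parser that turns the Locate.com and Strings.exe sections into structured records and cross-references string hits against files seen in the system directory, so a reviewer sees a file's attribute flags (hidden, system, read-only) next to the strings found in it. The input is a constructed excerpt in the shape of the log above, and the log's own warning still governs the output: legitimate files turn up too, so the result is a worklist for a person, not a verdict.

```python
import re
from collections import defaultdict

# Constructed excerpt in the shape of the find.bat log posted in this thread
# (a handful of its lines, not the whole log).
SAMPLE_LOG = r"""
------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM\
vsconfig.xml Thu Jul 28 2005 9:52:04p A..H. 895 0.87 K
zllictbl.dat Sun Jul 17 2005 5:01:30p ...H. 4,212 4.11 K
jqvacp.dll Mon Jul 11 2005 10:33:50a ..S.R 405,504 396.00 K

3 items found: 3 files, 0 directories.

------------ Strings.exe Qoologic Results ------------

C:\WINDOWS\VPTNFILE.723: TROJ_QOOLOGIC.I
C:\WINDOWS\VPTNFILE.723: TROJ_QOOLOGIC.E

-------------- Strings.exe Umonitor Results -------------
C:\WINDOWS\SYSTEM\jQvacp.dll: InitUMonitor
C:\WINDOWS\SYSTEM\jQvacp.dll: UMonitor
C:\WINDOWS\SYSTEM\jQvacp.dll: /cgi-bin/UMonitorV2
C:\WINDOWS\SYSTEM\sukcg.dll: InitUMonitor
"""

# "------ Title ------" section headers
SECTION_RE = re.compile(r"^-{3,}\s*(?P<title>.+?)\s*-{3,}$")
# Locate.com line: name, timestamp, five attribute flag positions, size, size in K
LOCATE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<when>\w{3} \w{3} \d{1,2} \d{4} \d{1,2}:\d{2}:\d{2}[ap])\s+"
    r"(?P<attrs>[A-Z.]{5})\s+(?P<size>[\d,]+)\s+[\d.]+ K$"
)
# Strings.exe line: "<path>: <string found>"
STRINGS_RE = re.compile(r"^(?P<path>[A-Za-z]:\\[^:]+): (?P<hit>.+)$")


def parse_findit_log(text):
    """Split the log into its sections and extract the records we can use.

    Returns {"files": [...], "string_hits": {path: [(scanner, string), ...]}}.
    """
    files, hits = [], defaultdict(list)
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        head = SECTION_RE.match(line)
        if head:
            section = head.group("title")
            continue
        if section.startswith("Locate.com"):
            m = LOCATE_RE.match(line)
            if m:
                files.append({
                    "name": m.group("name"),
                    "modified": m.group("when"),
                    "attributes": set(m.group("attrs")) - {"."},  # e.g. {"S", "R"}
                    "size": int(m.group("size").replace(",", "")),
                })
        elif section.startswith("Strings.exe"):
            m = STRINGS_RE.match(line)
            if m:
                scanner = section.split()[1]  # "Qoologic", "Umonitor", ...
                hits[m.group("path")].append((scanner, m.group("hit")))
    return {"files": files, "string_hits": dict(hits)}


def hit_counts(parsed):
    """Number of scanner strings found per file. A high count is a reason to look,
    not a verdict: the tool's own warning says legitimate files carry these strings too."""
    return {path: len(v) for path, v in parsed["string_hits"].items()}


def correlate(parsed):
    """Files present both in the Locate.com listing and in a Strings.exe section,
    matched by case-insensitive basename, with their attribute flags attached."""
    located = {f["name"].lower(): f for f in parsed["files"]}
    out = {}
    for path, hits in parsed["string_hits"].items():
        base = path.rsplit("\\", 1)[-1].lower()
        if base in located:
            out[base] = {"attributes": located[base]["attributes"], "hits": hits}
    return out


if __name__ == "__main__":
    parsed = parse_findit_log(SAMPLE_LOG)
    for path, n in hit_counts(parsed).items():
        print(f"{n:3d} string hit(s)  {path}")
    for base, info in correlate(parsed).items():
        flags = "".join(sorted(info["attributes"])) or "-"
        print(f"review: {base} attrs={flags} strings={[h for _, h in info['hits']]}")
```

Matching on basename is deliberate: Locate.com prints names in lower case while Strings.exe preserves the on-disk casing, and the two would otherwise never line up.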



#32
coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
Please print out these instructions as you will be required to reboot your computer at times. Please read these directions before you proceed so that you understand what you will be doing.

Step 1:

Download the

Unzip the contents of KillBox.zip to a convenient location and then double-click on KillBox.exe to launch the program.

1. Select the Replace on Reboot option and put a checkmark in the Use Dummy checkbox if it is not checked. Make sure the Use Dummy checkbox is checked as it clears each time you do these steps.

2. Paste this file into the top Full Path of File to Delete field.


C:\WINDOWS\SYSTEM\jQvacp.dll


3. Click the Delete File button which looks like a stop sign.

4. Click Yes at the Replace on Reboot prompt.

5. Click No at the Pending Operations prompt.

Repeat steps 1 through 5 above for each of the following files. The only difference is that you will be substituting the file listed in step 2 with each of the files below.

C:\WINDOWS\SYSTEM\sukcg.dll
C:\WINDOWS\System32\Guard.tmp


After you add the last file, Guard.tmp, and it prompts to reboot, you should press the Yes button to allow it to do so.


Do not reboot more than once as the Guard.tmp will probably recreate on reboot but will be an easy kill this time.

Post a new HijackThis log,
a FindIt log,
and the following program's log.

http://www.downloads.subratam.org/VX2Finder9x.exe



(You have a very bad infection. You are doing great. Just takes a long time to clean)
  • 0

#33
drb0605

    Member

  • Topic Starter
  • Member
  • 23 posts
Glad to be here at all .............Scary stuff! I don't know if I was successful following your directions or not ... and my machine was acting pretty weird, but here's what happened.

Already had KillBox from an earlier set of your instructions so I didn't download it; I used the one I had. (Note: I'm doing this in regular mode - not safe - because I couldn't shut down.)

I copied and pasted the three file names you sent and hit the delete file button. I then got a small window that said "test" with OK being the only choice. I hit OK.

Each time I deleted one of the three files, I got a message that told me I'd have to reboot, but by pressing "yes", the only choice, I believe, it didn't reboot.

So after deleting the third file, I did a shutdown and restarted it, and it stuck at the Windows 98 screen - it didn't go through the normal "white words on black screen" start up procedure. And it was stuck! I was afraid I was in toaster land. No password to enter window or anything - just stuck. And my printer started kicking out paper with a repetitive message:

Windows could not upgrade the file from : Alcor Micro Au9472 UB Self-powered hub setup utility Ver 1.06a etc. etc. Please wait while Setup updates your configuration files. This may take a few minutes ..... Windows could not upgrade the file.

So I hit CTRL/ALT/DEL to get some movement, and it always came back to the Windows 98 screen - stuck. Did that several times (3?). The 4th time I tried to get it into Safe Mode, and the screen read:

Windows could not upgrade one or more system files before starting. Windows may not start or run properly. If windows fails to start, run SetUp again. Press any key to continue.

I hit a key and it started in safe mode. Then I did a shutdown. And I left it alone for about 8 hours because I was sure I had permanently broken it.

Started it up when we got home, immediately (too soon) got the Windows 98 screen, but left the room, and when I'd come back 30 minutes later, I had my logon screen ................. and here I am!

I did go ahead and run the three logs you wanted; here they are:

HiJack This
Logfile of HijackThis v1.99.1
Scan saved at 6:55:42 PM, on 7/30/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSGLOOP.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\WINDOWS\SYSTEM\MSG32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
c:\windows\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SOFTWARE UPDATE\HPWUSCHD2.EXE
C:\PROGRAM FILES\ZONEALARM FIREWALL\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\INTERMUTE\SPYSUBTRACT\SPYSUB.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN2\YCOMP5_6_2_0.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN2\YCOMP5_6_2_0.DLL
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\ZoneAlarm Firewall\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [Hidserv] Hidserv.exe run
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .gov/FOTWWebApp/StudentAccessServlet;jsessionid=000244XWKXDHJCKEFBCX5DYG5EA?dowhat=printsumpdf&phase=10&state=11&historyid=2&pageid=175&faamode=undefined: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...ntr_current.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = sbcglobal.net
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 151.164.1.8,206.13.28.12

FindIt
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System Directory -------


Volume in drive C has no label
Volume Serial Number is 1474-0DFF
Directory of C:\WINDOWS\SYSTEM

JQVACP DLL 405,504 07-11-05 10:33a jQvacp.dll
{38648~1 DAT 32 10-08-02 2:00p {386485B0-DAC6-11D6-9089-0010B544D08D}.dat
2 file(s) 405,536 bytes
0 dir(s) 14,482.09 MB free

------- Hidden Files in System Directory -------


Volume in drive C has no label
Volume Serial Number is 1474-0DFF
Directory of C:\WINDOWS\SYSTEM

VSCONFIG XML 895 07-30-05 6:46p vsconfig.xml
ZLLICTBL DAT 4,212 07-17-05 5:01p zllictbl.dat
HPF81T11 GID 8,628 01-24-05 6:28p HPF81t11.GID
HPF81D11 GID 8,628 06-07-04 7:31a HPF81d11.GID
FFASTLOG TXT 23,226 10-16-02 6:12a FFASTLOG.TXT
{38648~1 DAT 32 10-08-02 2:00p {386485B0-DAC6-11D6-9089-0010B544D08D}.dat
ATISETUP LOG 0 11-17-99 4:40a ATISETUP.LOG
FOLDER HTT 13,122 11-17-99 4:33a folder.htt
DESKTOP INI 266 11-17-99 4:33a desktop.ini
9 file(s) 59,009 bytes
0 dir(s) 14,482.08 MB free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{8F5E7113-73C5-04B1-05E6-1FBC1CF8E492}"=""


------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM\
vsconfig.xml Sat Jul 30 2005 6:46:28p A..H. 895 0.87 K
zllictbl.dat Sun Jul 17 2005 5:01:30p ...H. 4,212 4.11 K
jqvacp.dll Mon Jul 11 2005 10:33:50a ..S.R 405,504 396.00 K

3 items found: 3 files, 0 directories.
Total of file sizes: 410,611 bytes 400.98 K

------------ Strings.exe Qoologic Results ------------

C:\WINDOWS\VPTNFILE.723: TROJ_QOOLOGIC.I
C:\WINDOWS\VPTNFILE.723: TROJ_QOOLOGIC.E
C:\WINDOWS\VPTNFILE.723: TROJ_QOOLOGIC.D
C:\WINDOWS\VPTNFILE.723: TROJ_QOOLOGIC.G
C:\WINDOWS\VPTNFILE.723: TROJ_QOOLOGIC.C
C:\WINDOWS\VPTNFILE.723: TROJ_QOOLOGIC.B
C:\WINDOWS\VPTNFILE.723: TROJ_QOOLOGIC.A
C:\WINDOWS\LPT$VPN.723: TROJ_QOOLOGIC.I
C:\WINDOWS\LPT$VPN.723: TROJ_QOOLOGIC.E
C:\WINDOWS\LPT$VPN.723: TROJ_QOOLOGIC.D
C:\WINDOWS\LPT$VPN.723: TROJ_QOOLOGIC.G
C:\WINDOWS\LPT$VPN.723: TROJ_QOOLOGIC.C
C:\WINDOWS\LPT$VPN.723: TROJ_QOOLOGIC.B
C:\WINDOWS\LPT$VPN.723: TROJ_QOOLOGIC.A

-------------- Strings.exe Aspack Results -------------

C:\WINDOWS\vsapi32.dll: ASPACK EXE
C:\WINDOWS\vsapi32.dll: ASPACK2 EXE
C:\WINDOWS\vsapi32.dll: ASPack 1.08.04
C:\WINDOWS\vsapi32.dll: ASPack 1.08.03
C:\WINDOWS\vsapi32.dll: ASPack 1.08.02b
C:\WINDOWS\vsapi32.dll: ASPack 1.08.01
C:\WINDOWS\vsapi32.dll: ASPack 1.08
C:\WINDOWS\vsapi32.dll: ASPack 1.07b
C:\WINDOWS\vsapi32.dll: ASPack 1.61
C:\WINDOWS\vsapi32.dll: ASPack 1.05b
C:\WINDOWS\vsapi32.dll: ASPack 1.03
C:\WINDOWS\vsapi32.dll: ASPack 1.02
C:\WINDOWS\vsapi32.dll: ASPack 1.01
C:\WINDOWS\vsapi32.dll: ASPack 1.00

----------------- HKLM Run Key ------------------

-------------- Strings.exe Umonitor Results -------------
C:\WINDOWS\SYSTEM\jQvacp.dll: InitUMonitor
C:\WINDOWS\SYSTEM\jQvacp.dll: UMonitor
C:\WINDOWS\SYSTEM\jQvacp.dll: /cgi-bin/UMonitorV2

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"ccRegVfy"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccRegVfy.exe\""
"CriticalUpdate"="c:\\windows\\SYSTEM\\wucrtupd.exe -startup"
"QuickTime Task"="\"C:\\WINDOWS\\SYSTEM\\QTTASK.EXE\" -atboottime"
"HP Software Update"="C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWuSchd2.exe"
"Zone Labs Client"="C:\\Program Files\\ZoneAlarm Firewall\\ZoneAlarm\\zlclient.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"




VX2 BetterInternet Finder
Log for VX2.BetterInternet File Finder

Files Found---


User Agent String---
{8F5E7113-73C5-04B1-05E6-1FBC1CF8E492}

=================================================

So, did I totally mess this up? :tazz:

What should I do? I'm afraid to shut down again ..... ;)

Thanks for your help, and sorry if I botched the whole thing. Obviously, I rebooted more than once, but I didn't seem to have a choice.

I'll wait to hear back. Thank you again.

Debbie
  • 0
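The HijackThis logs in this thread are compared by eye: a helper reads the first log, a fix is applied, and a fresh log is posted so the two can be checked against each other. As an added example (not code from this thread, from HijackThis or from any helper here), the Python below parses the log format shown above into the running-process list and the keyed `R`/`O` entries, diffs two logs case-insensitively (HijackThis prints paths in mixed case, as the `c:\windows\SYSTEM\wucrtupd.exe` line shows), and adds one reviewer check the logs invite: `O4` autostart entries whose executable is not in the `Running processes` list of the same log. The sample "before" log is a constructed subset of the lines posted above plus one placeholder BHO (all-zero CLSID, `PLACEHOLDER.DLL`) standing in for an item that the "after" log no longer has.

```python
import re

# "O4 - HKLM\..\Run: [Name] ..." and the other R/O entry lines
HJT_ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.+)$")
# Inside an O4 body: [Name] followed by an optionally quoted path ending in .exe
O4_CMD_RE = re.compile(r'\[(?P<name>[^\]]+)\]\s+"?(?P<exe>[^"]+?\.exe)', re.IGNORECASE)

# Constructed "before" log: a subset of the lines posted in this thread plus one
# placeholder O2 entry (all-zero CLSID, PLACEHOLDER.DLL) that is not a real item.
BEFORE_LOG = r"""
Logfile of HijackThis v1.99.1
Scan saved at 6:55:42 PM, on 7/30/05
Platform: Windows 98 SE (Win9x 4.10.2222A)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\SYSTEM\PLACEHOLDER.DLL
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\RunServices: [Hidserv] Hidserv.exe run
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
"""

# Constructed "after" log: the placeholder BHO is gone and one path changed case only,
# which a correct diff must treat as unchanged.
AFTER_LOG = BEFORE_LOG.replace(
    "O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\\WINDOWS\\SYSTEM\\PLACEHOLDER.DLL\n",
    "",
).replace("c:\\windows\\SYSTEM\\wucrtupd.exe", "C:\\WINDOWS\\SYSTEM\\WUCRTUPD.EXE")


def parse_hjt(text):
    """Return (running_processes, entries); entries map a case-normalised key to the original line."""
    processes, entries = [], {}
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False  # the blank line ends the process list
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            processes.append(line)
            continue
        m = HJT_ENTRY_RE.match(line)
        if m:
            entries[(m.group("kind"), m.group("body").lower())] = line
    return processes, entries


def diff_hjt(before_text, after_text):
    """Entries present in one log but not the other, ignoring path case."""
    _, before = parse_hjt(before_text)
    _, after = parse_hjt(after_text)
    return {
        "removed": sorted(before[k] for k in before.keys() - after.keys()),
        "added": sorted(after[k] for k in after.keys() - before.keys()),
    }


def autostarts_not_running(text):
    """Names of O4 entries whose executable is absent from the same log's process list.
    Such entries deserve a manual look; absence alone proves nothing."""
    processes, entries = parse_hjt(text)
    running = {p.rsplit("\\", 1)[-1].lower() for p in processes}
    missing = []
    for (kind, _), line in entries.items():
        if kind != "O4":
            continue
        m = O4_CMD_RE.search(line)
        if not m:
            continue  # e.g. RunDLL entries that name a .dll, not an .exe
        exe = m.group("exe").rsplit("\\", 1)[-1].lower()
        if exe not in running:
            missing.append(m.group("name"))
    return missing


if __name__ == "__main__":
    changes = diff_hjt(BEFORE_LOG, AFTER_LOG)
    for label in ("removed", "added"):
        for line in changes[label]:
            print(f"{label:8s} {line}")
    print("autostarts with no running process:", autostarts_not_running(AFTER_LOG))
```

Keying entries on `(kind, lower-cased body)` rather than the raw line is what keeps a recasing from showing up as a removal plus an addition, which is the noise that makes hand comparison of long logs error-prone.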

#34
coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
I think you did awesome. I'm about to look at someone else's log, but will look at yours right after that.
  • 0

#35
drb0605

    Member

  • Topic Starter
  • Member
  • 23 posts
Running OK today, too!

I'll wait to hear for next steps.

As always - thank you. :tazz:

Debbie
  • 0

#36
coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
Download the free VX2 Cleaner here
Close Ad-Aware SE build 1.05 and Ad-Watch (if running)
Install the VX2 Cleaner
Start Ad-Aware SE build 1.05
Go to “Plug-ins”
Select the VX2 Cleaner plug-in and click “Run Plugin”
If your computer isn't infected, click "close"
If your computer is infected:
Select “Clean System”
Reboot your computer
Scan your computer with Ad-Aware
Remove any VX2 objects detected
Reboot your computer again
Run a second scan to make sure the files have been removed from your computer

After restart

After you have done the above, post back with a fresh HijackThis log
Let me know if the VX2 cleaner found anything

With the fresh HijackThis log, could you also
Visit Subratam's site
HERE
and download and save to desktop

Open it up---Click to Find VX2.betterinternet
Make a log of what was found and post it too, thanks
  • 0

#37
Swandog46

    Malware Expert

  • Member
  • 1,026 posts
  • MVP
Hi drb0605 :tazz:

I've asked coachwife6 if I can step in and help here, because I've been working on a tool to remove this infection on Windows 98 systems. It's a tough one, as you can see from all the steps you two have been trying! ;)

Please download the file attached to the bottom of this post. Unzip it to your desktop, and run RunThis.bat.

A window will open, and your desktop will disappear, then reappear. Be patient until the batch says it is completed.

Then please restart your computer, and post a new HijackThis log as well as the text of the log.txt file which should be in the same folder as RunThis.bat.

In the interests of full disclosure, I will warn you that although I have had total success thus far in my tests, this IS still a test-run, and you should be aware that there may be bugs (though to the best of my knowledge I have worked them all out). Thank you! :)

Edited by Swandog46, 04 August 2005 - 08:26 AM.

  • 0

#38
drb0605

    Member

  • Topic Starter
  • Member
  • 23 posts
Hello to both of you wonderful helpers!! I can't believe all the time you're spending hanging in here with me ............... ;)

I've been away for a few days, and got both of your messages together. Just so you know, I skipped CoachWife6's suggested steps of 8/1, and went directly to Swandog46's instructions. The only problem I had was that the machine just wouldn't shut down after the batch completed, so I finally (eek) just turned it off. But it came up OK, and here are the logs you requested:

Here's the RunThis.bat log.txt file:

Log of L2M9XFix v1

************

Running from directory:
C:\WINDOWS\Desktop\12m9xfix

************

Files found:

C:\WINDOWS\system\jQvacp.dll
C:\WINDOWS\system\jQvacp.dll
C:\WINDOWS\system\jQvacp.dll

************

Registry entries found:





************

Killing Explorer
Done!

Killing Rundll32
Done!

Removing malicious CLSID(s)
Done!

Restarting Explorer
Done!

Deleting malicious files
Done!


Finished!

And here's the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 6:40:07 PM, on 8/3/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSGLOOP.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\WINDOWS\SYSTEM\MSG32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
c:\windows\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SOFTWARE UPDATE\HPWUSCHD2.EXE
C:\PROGRAM FILES\ZONEALARM FIREWALL\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\INTERMUTE\SPYSUBTRACT\SPYSUB.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN2\YCOMP5_6_2_0.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN2\YCOMP5_6_2_0.DLL
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\ZoneAlarm Firewall\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [Hidserv] Hidserv.exe run
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .gov/FOTWWebApp/StudentAccessServlet;jsessionid=000244XWKXDHJCKEFBCX5DYG5EA?dowhat=printsumpdf&phase=10&state=11&historyid=2&pageid=175&faamode=undefined: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...ntr_current.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = sbcglobal.net
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 151.164.1.8,206.13.28.12

So, how did we do? What next?? :tazz:

Thank you both! I'll wait to hear back on result ....

Debbie
  • 0

#39
Swandog46

    Malware Expert

  • Member
  • 1,026 posts
  • MVP
Hi drb0605 :tazz:

First of all, thanks for being only my third or fourth test 'in the wild' of this tool --- it has worked on the other two or three so far, so I'm optimistic! ;)

The batch has been updated a few times since the version you used, so let's try it once more to make sure everything is okay. I've uploaded the new copy to the bottom of this post. Please download it and follow the same instructions as last time, and post the log for me, as well as a new HijackThis log. Thanks! :)


Edit: GeeksToGo now has a mirror up at:
http://www.geekstogo...ds/l2m9xfix.zip

So I am removing the attachment from this thread. Please use the GeeksToGo mirror, and post the log when finished. Thanks! :(

Edited by Swandog46, 04 August 2005 - 08:38 AM.

  • 0

#40
drb0605

    Member

  • Topic Starter
  • Member
  • 23 posts
Hi Swandog -

OK, downloaded the newer RunThis file and ran it. Then did a shut-down (not a restart), and it shut down fine. Brought it up and ran another HijackThis. Following are the two logs you requested:

RunThis

Log of L2M9XFix v1

************

Running from directory:
C:\WINDOWS\Desktop\12m9xfix\2-12m9xfix

************

Files found:


************

Registry entries found:


REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


************

Killing Explorer
Done!

Killing Rundll32
Done!

Removing malicious CLSID(s)
Done!

Restarting Explorer
Done!

Deleting malicious files
Done!


Finished!


Hijack This Log

Logfile of HijackThis v1.99.1
Scan saved at 8:33:30 PM, on 8/4/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSGLOOP.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\WINDOWS\SYSTEM\MSG32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
c:\windows\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SOFTWARE UPDATE\HPWUSCHD2.EXE
C:\PROGRAM FILES\ZONEALARM FIREWALL\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\INTERMUTE\SPYSUBTRACT\SPYSUB.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN2\YCOMP5_6_2_0.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN2\YCOMP5_6_2_0.DLL
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\ZoneAlarm Firewall\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [Hidserv] Hidserv.exe run
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .gov/FOTWWebApp/StudentAccessServlet;jsessionid=000244XWKXDHJCKEFBCX5DYG5EA?dowhat=printsumpdf&phase=10&state=11&historyid=2&pageid=175&faamode=undefined: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...ntr_current.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = sbcglobal.net
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 151.164.1.8,206.13.28.12

===================================================

So, how did we do? Can you tell me what my infection is called?

And, can you tell me how to prevent this from happening again?

And you're welcome ..... I hope we're both happy. I appreciate the time and help - thank you. :tazz:

I'll wait to hear back,

Debbie
#41 Swandog46 (Malware Expert, MVP, 1,026 posts)
Well, I'm happy! :) Are you happy?

Are all of your symptoms gone?

The infection is called Look2Me. It changes every few weeks... :tazz: We'd been able to fix it on Windows 2000 and XP platforms for a while; but 98*admin removal was much harder until a few days ago.

Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers. ;)

1) Please navigate to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows, including the latest version of Internet Explorer. This can patch many of the security holes through which attackers can gain access to your computer. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

Ad-Aware SE
A tutorial on using Ad-Aware to remove spyware from your computer may be found here.

Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here.

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
http://www.mozilla.o...oducts/firefox/

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

Please also read Tony Klein's excellent article: How I got Infected in the First Place

Hopefully this should take care of your problems! Good luck. :(

#42 drb0605 (Topic Starter, Member, 23 posts)
Yes, I'm happy, too - thanks to you and CoachWife6. Please extend my sincere thanks to her for sticking it out with me.

I've just spent the best 3 trouble-free days with this machine in a long time .... :)

Especially since it worked and nothing bad happened, I'm pleased to have played a part in your "trial"!

It's comforting to know that there are guys like you out there to help when I get over my head in trouble.

You'll be pleased to know that I double-checked, and there are no critical updates available for me that haven't already been installed, and I'll take your advice and download the software you suggested to help in the future.

Question: What do I do with all the programs and tools I downloaded over the last month during the course of the "cure"? Should I keep them, or remove them and download new stuff if I ever have the need? Many of these are on my desktop ..... ;)

Thanks again! I truly appreciate your help. :tazz:

Debbie

#43 Swandog46 (Malware Expert, MVP, 1,026 posts)
No problem! Happy to help :tazz:

If you mean programs like CWShredder, about:buster, HijackThis, etc --- you can delete them. For programs like CleanUp (which I see you installed), you will need to remove them from Start -> Control Panel -> Add/Remove Programs. Personally I would probably leave programs like CleanUp around because they're nice to have for temporary folder cleaning, and I would keep a copy of HijackThis tucked away somewhere just in case. The rest can probably go --- but do install the programs I recommended and read the tutorials, to keep yourself protected.

Take care ;)

#44 drb0605 (Topic Starter, Member, 23 posts)
Hi.........

Still running well! :tazz: But I have another question ....

A Panda Activescan I did today still found all the Look2Me files tucked away in a folder on my C Drive named "!Submit". I'm assuming they're harmless there, but I'm wondering if I could/should delete this folder? Or is it appropriate to leave it there forever??? :)

Thanks again for your help,

Debbie

#45 Swandog46 (Malware Expert, MVP, 1,026 posts)
Those are the Killbox backups, and safe to remove now, assuming everything looks fine. :tazz: