Help removing Win32/Adware.Virtumonde [RESOLVED]

Hi there, your English is 1000% better than my Croation

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O2 - BHO: (no name) - {04BA7EEF-B1C1-4D78-85EE-A1E20E376545} - C:\WINDOWS\system32\gebyw.dll (file missing)
O2 - BHO: (no name) - {B0EEDC94-E177-43D2-B600-84E7AC69969B} - C:\WINDOWS\system32\jkkjjgg.dll
O2 - BHO: {d1f387ec-68b4-390b-d5d4-56d965c0adac} - {cada0c56-9d65-4d5d-b093-4b86ce783f1d} - C:\WINDOWS\system32\uqwqccib.dll (file missing)
O4 - HKLM\..\Run: [MSN] wkssvr.exe
O4 - HKLM\..\Run: [640c3365] rundll32.exe "C:\WINDOWS\system32\vraxnxas.dll",b


Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

THEN

Download ComboFix from Here or Here to your Desktop.

• Double click combofix.exe and follow the prompts.
• When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply

Note: Do not mouseclick combofix's window while its running. That may cause it to stall

Hey Essex, ty for such quick response...

Hope this worked...

Hijackthis report:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:58:13, on 11.1.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
E:\Varžićevi dokumenti\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1140437720655
O17 - HKLM\System\CCS\Services\Tcpip\..\{90532672-FBFF-47F7-9429-5932905511E0}: NameServer = 195.29.150.3
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

--
End of file - 3242 bytes



ComboFix report:

ComboFix 08-01-11.1 - korisnik 2008-01-11 19:48:11.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1033.18.57 [GMT 1:00]
Running from: E:\Varžićevi dokumenti\ComboFix(2).exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\1222.exe
C:\191.exe
C:\192.exe
C:\Documents and Settings\korisnik\Application Data\ShoppingReport
C:\Documents and Settings\korisnik\Application Data\ShoppingReport\cs\Config.xml
C:\Documents and Settings\korisnik\Application Data\ShoppingReport\cs\db\Aliases.dbs
C:\Documents and Settings\korisnik\Application Data\ShoppingReport\cs\db\Sites.dbs
C:\Documents and Settings\korisnik\Application Data\ShoppingReport\cs\dwld\WhiteList.xip
C:\Documents and Settings\korisnik\Application Data\ShoppingReport\cs\report\aggr_storage.xml
C:\Documents and Settings\korisnik\Application Data\ShoppingReport\cs\report\send_storage.xml
C:\Documents and Settings\korisnik\Application Data\ShoppingReport\cs\res2\WhiteList.dbs
C:\Program Files\ShoppingReport
C:\Program Files\ShoppingReport\Bin\2.0.26\ShoppingReport.dll
C:\Program Files\ShoppingReport\Uninst.exe
C:\WINDOWS\images.zip
C:\WINDOWS\system32\ctfmon.exe.tmp
C:\WINDOWS\system32\ddabb.dll
C:\WINDOWS\system32\jkkjjgg.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mllji.dll
C:\WINDOWS\system32\pmnolmj.dll

.
((((((((((((((((((((((((( Files Created from 2007-12-11 to 2008-01-11 )))))))))))))))))))))))))))))))
.

2008-01-11 19:46 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-11 17:29 . 2008-01-11 17:29 7,590 --a------ C:\WINDOWS\system32\mljgf.dll
2008-01-11 16:15 . 2008-01-11 16:15 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2008-01-11 16:04 . 2008-01-11 16:04 7,590 --a------ C:\WINDOWS\system32\jkkli.dll
2008-01-11 15:38 . 2008-01-11 16:15 <DIR> d-------- C:\VundoFix Backups
2008-01-11 06:52 . 2008-01-11 06:53 17,642,616 --a------ C:\WINDOWS\system32\MRT .exe
2008-01-10 06:58 . 2008-01-10 06:58 118 --a------ C:\WINDOWS\system32\MRT.INI
2008-01-10 06:56 . 2008-01-10 06:56 1,374 --a------ C:\WINDOWS\imsins.BAK
2008-01-09 22:40 . 2008-01-09 22:40 7,200 --a------ C:\WINDOWS\system32\klndnsvn.dll
2008-01-09 22:38 . 2008-01-09 22:38 7,200 --a------ C:\WINDOWS\system32\yfltoqer.dll
2008-01-08 22:24 . 2008-01-08 22:24 <DIR> d-------- C:\Program Files\CCleaner
2008-01-08 22:23 . 2008-01-08 22:23 7,200 --a------ C:\WINDOWS\system32\omyfkpdm.dll
2008-01-08 22:17 . 2008-01-08 22:17 7,200 --a------ C:\WINDOWS\system32\fovjlkrs.dll
2008-01-08 12:34 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-01-08 12:34 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-01-08 12:34 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-01-07 23:04 . 2008-01-07 23:04 268 --ah----- C:\sqmdata01.sqm
2008-01-07 23:04 . 2008-01-07 23:04 244 --ah----- C:\sqmnoopt01.sqm
2008-01-07 22:59 . 2008-01-07 22:59 <DIR> d-------- C:\Documents and Settings\korisnik\Contacts
2008-01-07 22:58 . 2008-01-07 22:58 268 --ah----- C:\sqmdata00.sqm
2008-01-07 22:58 . 2008-01-07 22:58 244 --ah----- C:\sqmnoopt00.sqm
2008-01-07 22:57 . 2008-01-07 23:03 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-01-07 22:57 . 2008-01-07 23:03 <DIR> d-------- C:\Program Files\MSN Messenger
2008-01-07 22:36 . 2008-01-07 22:36 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-01-07 22:34 . 2008-01-07 22:34 <DIR> d-------- C:\Program Files\Windows Live
2008-01-07 22:34 . 2008-01-07 22:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-01-07 10:21 . 2008-01-07 10:21 7,200 --a------ C:\WINDOWS\system32\jidjgwlb.dll
2008-01-07 10:15 . 2008-01-07 10:15 7,200 --a------ C:\WINDOWS\system32\ovafvcrc.dll
2008-01-04 23:04 . 2008-01-04 23:04 7,200 --a------ C:\WINDOWS\system32\pyqbtkhf.dll
2008-01-04 22:50 . 2008-01-04 22:50 7,200 --a------ C:\WINDOWS\system32\ewfrpjxd.dll
2008-01-04 00:32 . 2008-01-04 00:32 <DIR> d-------- C:\Program Files\Real Alternative
2008-01-03 06:58 . 2008-01-03 06:58 7,186 --a------ C:\WINDOWS\system32\wnicoulk.dll
2008-01-03 06:55 . 2008-01-03 06:55 7,200 --a------ C:\WINDOWS\system32\eaxjotxv.dll
2007-12-29 10:38 . 2007-12-29 10:38 7,014 --a------ C:\WINDOWS\dsad31.exe
2007-12-29 09:40 . 2007-12-29 09:40 157,184 --a------ C:\WINDOWS\sda00.exe
2007-12-29 09:37 . 2007-12-29 09:37 7,014 --a------ C:\WINDOWS\dasd13.exe
2007-12-29 08:18 . 2007-12-29 08:18 7,068 --a------ C:\WINDOWS\dsad.exe
2007-12-27 18:10 . 2007-12-27 18:10 14,596 --a------ C:\WINDOWS\activate.exe
2007-12-27 06:49 . 2007-12-27 06:49 6,994 --a------ C:\WINDOWS\activate3.exe
2007-12-26 17:37 . 2007-12-26 17:37 961 --a------ C:\WINDOWS\srvdsgf.exe
2007-12-24 20:38 . 2008-01-11 14:33 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
2007-12-24 07:15 . 2007-12-27 06:47 155,648 --a------ C:\WINDOWS\system32\NeroCheck .exe
2007-12-22 19:24 . 2004-08-03 23:10 274,304 --a------ C:\WINDOWS\system32\drivers\bthport.sys
2007-12-21 18:29 . 2007-12-21 18:29 559,572 --a------ C:\WINDOWS\sdoss.exe
2007-12-21 18:28 . 2007-12-21 18:28 559,572 --a------ C:\WINDOWS\sdos.exe
2007-12-20 18:54 . 2007-12-19 18:08 189,952 -r-hs---- C:\WINDOWS\wkssvr.exe
2007-12-19 16:19 . 2007-12-19 16:21 <DIR> d-------- C:\Program Files\Real
2007-12-19 16:19 . 2007-12-29 12:06 <DIR> d-------- C:\Program Files\Common Files\Real
2007-12-19 16:05 . 2007-05-22 11:02 163,840 --a------ C:\WINDOWS\system32\unrar.dll
2007-12-19 16:04 . 2007-12-19 16:04 <DIR> d-------- C:\Program Files\K-Lite Codec Pack
2007-12-18 18:11 . 2007-12-18 18:20 <DIR> d-------- C:\Program Files\VS Revo Group
2007-12-15 22:26 . 2007-12-15 22:26 <DIR> d-------- C:\WINDOWS\Broken Sword
2007-12-12 23:28 . 2007-12-12 23:28 <DIR> d-------- C:\Documents and Settings\korisnik\Application Data\My Games
2007-12-12 22:23 . 2007-12-12 22:23 <DIR> d-------- C:\Documents and Settings\korisnik\Application Data\InstallShield Installation Information
2007-12-12 22:22 . 2005-05-26 15:34 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-29 11:00 --------- d-----w C:\Program Files\BitTorrent
2007-12-19 15:20 --------- d-----w C:\Program Files\Google
2007-12-19 15:03 --------- d-----w C:\Program Files\DivX
2007-12-18 17:18 --------- d-----w C:\Documents and Settings\korisnik\Application Data\uTorrent
2007-12-14 21:49 --------- d-----w C:\Documents and Settings\korisnik\Application Data\BitTorrent
2007-12-12 21:22 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-11-25 13:06 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-24 13:35 --------- d-----w C:\Documents and Settings\korisnik\Application Data\Sports Interactive
2007-11-24 13:25 --------- d--h--w C:\Program Files\Zero G Registry
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
.

<pre>
----a-w		   185,632 2007-12-29 10:56:48  C:\Program Files\Common Files\Real\Update_OB\realsched .exe
----a-w		   949,376 2007-12-27 05:48:12  C:\Program Files\ESET\nod32kui .exe
----a-w		   171,448 2007-12-29 10:56:54  C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier .exe
----a-w			15,360 2008-01-11 13:33:12  C:\WINDOWS\system32\ctfmon .exe
----a-w		17,642,616 2008-01-11 05:53:47  C:\WINDOWS\system32\MRT .exe
----a-w		   155,648 2007-12-27 05:47:57  C:\WINDOWS\system32\NeroCheck .exe
</pre>

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe" [2005-03-07 20:33 53248 C:\WINDOWS\system32\VTTimer.exe]
"VTTrayp"="VTtrayp.exe" [2005-03-11 10:33 147456 C:\WINDOWS\system32\VTTrayp.exe]
"SoundMan"="SOUNDMAN.EXE" [2004-10-27 07:49 73728 C:\WINDOWS\SOUNDMAN.EXE]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-03 23:56 110592 C:\WINDOWS\system32\bthprops.cpl]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-03 23:56 15360]

R1 BIOS;BIOS;C:\WINDOWS\System32\drivers\BIOS.sys [2005-03-16 07:23]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-11 19:52:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
-> C:\Program Files\Eset\pr_imon.dll
.
Completion time: 2008-01-11 19:54:38 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-11 18:54:20
.
2008-01-10 05:58:44 --- E O F ---

Some more to kill

1. Please open Notepad

• Click Start , then Run
• Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\system32\mljgf.dll
C:\WINDOWS\system32\jkkli.dll
C:\WINDOWS\system32\klndnsvn.dll
C:\WINDOWS\system32\jidjgwlb.dll
C:\WINDOWS\system32\ovafvcrc.dll
C:\WINDOWS\system32\pyqbtkhf.dll
C:\WINDOWS\system32\ewfrpjxd.dll
C:\WINDOWS\system32\yfltoqer.dll
C:\WINDOWS\system32\omyfkpdm.dll
C:\WINDOWS\system32\fovjlkrs.dll
C:\WINDOWS\system32\wnicoulk.dll
C:\WINDOWS\system32\eaxjotxv.dll
C:\WINDOWS\dsad31.exe
C:\WINDOWS\sda00.exe
C:\WINDOWS\dasd13.exe
C:\WINDOWS\dsad.exe
C:\WINDOWS\srvdsgf.exe
C:\WINDOWS\sdoss.exe
C:\WINDOWS\sdos.exe
C:\WINDOWS\wkssvr.exe

Renv::
<pre>
----a-w		   185,632 2007-12-29 10:56:48  C:\Program Files\Common Files\Real\Update_OB\realsched .exe
----a-w		   949,376 2007-12-27 05:48:12  C:\Program Files\ESET\nod32kui .exe
----a-w		   171,448 2007-12-29 10:56:54  C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier .exe
----a-w			15,360 2008-01-11 13:33:12  C:\WINDOWS\system32\ctfmon .exe
----a-w		17,642,616 2008-01-11 05:53:47  C:\WINDOWS\system32\MRT .exe
----a-w		   155,648 2007-12-27 05:47:57  C:\WINDOWS\system32\NeroCheck .exe
</pre>

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.




5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:

• Combofix.txt
• A new HijackThis log.

Combofix log:

ComboFix 08-01-11.1 - korisnik 2008-01-11 20:42:02.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1033.18.47 [GMT 1:00]
Running from: E:\Varžićevi dokumenti\ComboFix(2).exe
Command switches used :: E:\Varžićevi dokumenti\CFScript.txt E:\Varžićevi dokumenti\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\dasd13.exe
C:\WINDOWS\dsad.exe
C:\WINDOWS\dsad31.exe
C:\WINDOWS\sda00.exe
C:\WINDOWS\sdos.exe
C:\WINDOWS\sdoss.exe
C:\WINDOWS\srvdsgf.exe
C:\WINDOWS\system32\eaxjotxv.dll
C:\WINDOWS\system32\ewfrpjxd.dll
C:\WINDOWS\system32\fovjlkrs.dll
C:\WINDOWS\system32\jidjgwlb.dll
C:\WINDOWS\system32\jkkli.dll
C:\WINDOWS\system32\klndnsvn.dll
C:\WINDOWS\system32\mljgf.dll
C:\WINDOWS\system32\omyfkpdm.dll
C:\WINDOWS\system32\ovafvcrc.dll
C:\WINDOWS\system32\pyqbtkhf.dll
C:\WINDOWS\system32\wnicoulk.dll
C:\WINDOWS\system32\yfltoqer.dll
C:\WINDOWS\wkssvr.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\dasd13.exe
C:\WINDOWS\dsad.exe
C:\WINDOWS\dsad31.exe
C:\WINDOWS\sda00.exe
C:\WINDOWS\sdos.exe
C:\WINDOWS\sdoss.exe
C:\WINDOWS\srvdsgf.exe
C:\WINDOWS\system32\eaxjotxv.dll
C:\WINDOWS\system32\ewfrpjxd.dll
C:\WINDOWS\system32\fovjlkrs.dll
C:\WINDOWS\system32\jidjgwlb.dll
C:\WINDOWS\system32\jkkli.dll
C:\WINDOWS\system32\klndnsvn.dll
C:\WINDOWS\system32\mljgf.dll
C:\WINDOWS\system32\omyfkpdm.dll
C:\WINDOWS\system32\ovafvcrc.dll
C:\WINDOWS\system32\pyqbtkhf.dll
C:\WINDOWS\system32\wnicoulk.dll
C:\WINDOWS\system32\yfltoqer.dll
C:\WINDOWS\wkssvr.exe

.
((((((((((((((((((((((((( Files Created from 2007-12-11 to 2008-01-11 )))))))))))))))))))))))))))))))
.

2008-01-11 19:46 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-11 16:15 . 2008-01-11 16:15 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2008-01-11 15:38 . 2008-01-11 16:15 <DIR> d-------- C:\VundoFix Backups
2008-01-10 06:58 . 2008-01-10 06:58 118 --a------ C:\WINDOWS\system32\MRT.INI
2008-01-10 06:56 . 2008-01-10 06:56 1,374 --a------ C:\WINDOWS\imsins.BAK
2008-01-08 22:24 . 2008-01-08 22:24 <DIR> d-------- C:\Program Files\CCleaner
2008-01-08 12:34 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-01-08 12:34 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-01-08 12:34 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-01-07 23:04 . 2008-01-07 23:04 268 --ah----- C:\sqmdata01.sqm
2008-01-07 23:04 . 2008-01-07 23:04 244 --ah----- C:\sqmnoopt01.sqm
2008-01-07 22:59 . 2008-01-07 22:59 <DIR> d-------- C:\Documents and Settings\korisnik\Contacts
2008-01-07 22:58 . 2008-01-07 22:58 268 --ah----- C:\sqmdata00.sqm
2008-01-07 22:58 . 2008-01-07 22:58 244 --ah----- C:\sqmnoopt00.sqm
2008-01-07 22:57 . 2008-01-07 23:03 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-01-07 22:57 . 2008-01-07 23:03 <DIR> d-------- C:\Program Files\MSN Messenger
2008-01-07 22:36 . 2008-01-07 22:36 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-01-07 22:34 . 2008-01-07 22:34 <DIR> d-------- C:\Program Files\Windows Live
2008-01-07 22:34 . 2008-01-07 22:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-01-04 00:32 . 2008-01-04 00:32 <DIR> d-------- C:\Program Files\Real Alternative
2007-12-27 18:10 . 2007-12-27 18:10 14,596 --a------ C:\WINDOWS\activate.exe
2007-12-27 06:49 . 2007-12-27 06:49 6,994 --a------ C:\WINDOWS\activate3.exe
2007-12-24 20:38 . 2008-01-11 14:33 15,360 --a--c--- C:\WINDOWS\system32\dllcache\ctfmon.exe
2007-12-24 20:38 . 2008-01-11 14:33 15,360 --a------ C:\WINDOWS\system32\ctfmon.exe
2007-12-24 07:15 . 2007-12-27 06:47 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe
2007-12-22 19:24 . 2004-08-03 23:10 274,304 --a------ C:\WINDOWS\system32\drivers\bthport.sys
2007-12-19 16:19 . 2007-12-19 16:21 <DIR> d-------- C:\Program Files\Real
2007-12-19 16:19 . 2007-12-29 12:06 <DIR> d-------- C:\Program Files\Common Files\Real
2007-12-19 16:05 . 2007-05-22 11:02 163,840 --a------ C:\WINDOWS\system32\unrar.dll
2007-12-19 16:04 . 2007-12-19 16:04 <DIR> d-------- C:\Program Files\K-Lite Codec Pack
2007-12-18 18:11 . 2007-12-18 18:20 <DIR> d-------- C:\Program Files\VS Revo Group
2007-12-15 22:26 . 2007-12-15 22:26 <DIR> d-------- C:\WINDOWS\Broken Sword
2007-12-12 23:28 . 2007-12-12 23:28 <DIR> d-------- C:\Documents and Settings\korisnik\Application Data\My Games
2007-12-12 22:23 . 2007-12-12 22:23 <DIR> d-------- C:\Documents and Settings\korisnik\Application Data\InstallShield Installation Information
2007-12-12 22:22 . 2005-05-26 15:34 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-29 11:00 --------- d-----w C:\Program Files\BitTorrent
2007-12-19 15:20 --------- d-----w C:\Program Files\Google
2007-12-19 15:19 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2007-12-19 15:19 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2007-12-19 15:03 --------- d-----w C:\Program Files\DivX
2007-12-18 17:18 --------- d-----w C:\Documents and Settings\korisnik\Application Data\uTorrent
2007-12-14 21:49 --------- d-----w C:\Documents and Settings\korisnik\Application Data\BitTorrent
2007-12-12 21:22 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-11-25 13:06 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-24 13:35 --------- d-----w C:\Documents and Settings\korisnik\Application Data\Sports Interactive
2007-11-24 13:25 --------- d--h--w C:\Program Files\Zero G Registry
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 16:39 230,912 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-11 06:13 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
.

((((((((((((((((((((((((((((( snapshot@2008-01-11_19.54.02.60 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-11 18:47:46 233,472 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-11 19:41:28 233,472 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-11 18:47:46 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-11 19:41:28 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-11 18:47:46 233,472 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-11 19:41:28 233,472 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-11 18:47:46 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-11 19:41:28 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-11 18:47:46 3,571,712 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-11 19:41:28 3,571,712 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-01-11 18:47:46 118,784 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-11 19:41:29 118,784 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
- 2008-01-11 05:51:51 18,286,592 ----a-w C:\WINDOWS\system32\MRT.exe
+ 2008-01-11 05:53:47 17,642,616 ----a-w C:\WINDOWS\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2008-01-11 14:33 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe" [2005-03-07 20:33 53248 C:\WINDOWS\system32\VTTimer.exe]
"VTTrayp"="VTtrayp.exe" [2005-03-11 10:33 147456 C:\WINDOWS\system32\VTTrayp.exe]
"SoundMan"="SOUNDMAN.EXE" [2004-10-27 07:49 73728 C:\WINDOWS\SOUNDMAN.EXE]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-03 23:56 110592 C:\WINDOWS\system32\bthprops.cpl]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-01-11 14:33 15360]

R1 BIOS;BIOS;C:\WINDOWS\System32\drivers\BIOS.sys [2005-03-16 07:23]
R3 usnjsvc;Messenger Sharing Folders USN Journal Reader service;"C:\Program Files\MSN Messenger\usnsvc.exe" [2007-01-19 12:54]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-11 20:44:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
-> C:\Program Files\Eset\pr_imon.dll
.
Completion time: 2008-01-11 20:44:54
ComboFix-quarantined-files.txt 2008-01-11 19:44:32
ComboFix2.txt 2008-01-11 18:54:38
.
2008-01-10 05:58:44 --- E O F ---




Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:46:39, on 11.1.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\explorer.exe
E:\Varžićevi dokumenti\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1140437720655
O17 - HKLM\System\CCS\Services\Tcpip\..\{90532672-FBFF-47F7-9429-5932905511E0}: NameServer = 195.29.150.3
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

--
End of file - 3184 bytes

Looking much better I will now clear the orphan registry entries and then see what remains

Download and then run SuperAntispyware

• On the first page select Check for Updates
• On completion select SCAN YOUR COMPUTER
• On the next page select COMPLETE SCAN and tick ALL your drives
• The next stage will take a while as your entire drive(s), memory and registry are scanned
• When it has completed click NEXT
• The next screen shows the problems found click OK
• On the next screen place a tick against all items and select NEXT
• Now to get the log Go to the PREFERENCES button on the right bottom
• Select the STATISTICS/LOG tab
• Highlight the scan just completed and click VIEW LOG
• This will open a notepad text file copy and paste this to your next reply

Logs required : Superantispyware and a new Hijackthis plus how is your computer running now ?

hey m8, u see theres a little problem now... i have nod32 installed, and i can't uninstall in because i don't have a key. (i'm an owner). so, should i install superantispyware anyway? Or should i repair problems with nod? system running better now.

Edited by virrus, 12 January 2008 - 10:21 AM.

Superantispyware (SAS) is a malware removal tool and so it should not interfere with nod32

SAS will remove any entries that I have missed

hi, here are logs...

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/12/2008 at 07:00 PM

Application Version : 3.9.1008

Core Rules Database Version : 3379
Trace Rules Database Version: 1373

Scan type : Complete Scan
Total Scan Time : 00:23:27

Memory items scanned : 356
Memory threats detected : 0
Registry items scanned : 4117
Registry threats detected : 0
File items scanned : 24176
File threats detected : 8

Adware.Tracking Cookie
C:\Documents and Settings\korisnik\Cookies\[email protected][2].txt
C:\Documents and Settings\korisnik\Cookies\[email protected][1].txt
C:\Documents and Settings\korisnik\Cookies\[email protected][1].txt

Adware.Vundo Variant
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\JKKJJGG.DLL.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{DAB242B6-3545-40DF-ADDF-E8002FC16FC9}\RP3\A0000012.DLL
C:\VUNDOFIX BACKUPS\JKKJJGG.DLL.BAD
E:\VARžIćEVI DOKUMENTI\BACKUPS\BACKUP-20080111-194401-846.DLL

Trojan.Vundo/Variant-Installer
C:\VUNDOFIX BACKUPS\GEBYW.EXE.BAD



....




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:32:50, on 12.1.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
E:\Varžićevi dokumenti\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1140437720655
O17 - HKLM\System\CCS\Services\Tcpip\..\{90532672-FBFF-47F7-9429-5932905511E0}: NameServer = 195.29.150.3
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

--
End of file - 3760 bytes


Well, something's wrong, my comp started to crawl again... hmmmm...

Well, something's wrong, my comp started to crawl again

You look to be free of malware now so lets go for a wash and brush up to clear the junk

Prefetch is clickable for more information

Click start then run, type prefetch then press enter, click edit then select all, (all files will highlight), right click any file, click delete, confirm

Click start then all programmes, accessories, system tools to run disc clean up

Reboot

Click start then all programmes, accessories, system tools to run defragmenter

Download, install and run Tune Up 2007 Trial

Run Tune Up disc clean up

Run Tune Up registry clean up

Click Optimize and Improve to run Reg Defrag, the screen will lose colour during the process which can take a few minutes and then needs a reboot

Those will have cleared the drive of obsolete software errors

These are suggestions for making the most of the free trial

Click optimize and improve then system optimizer to optimize the computer, select computer with an internet connection from the drop down menu, this also requires a reboot

After the reboot, click optimize then system optimizer to accelerate downloads, select the speed just above your actual connection speed, this requires a reboot.

After the reboot, click optimize then system optimizer to run system advisor

oh m8, THANK YOU alot... if you were girl i could kiss you!!!! One nightmare just dissapeared!!! All praises to you!!!

I guess that means you are now OK ?

Now the best part of the day ----- Your log now appears clean

Time for some housekeeping

• Click START then RUN
• Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
  
  
  
  • 
  
  
• When shown the disclaimer, Select "2"

The above procedure will:

• Delete the following:
  • ComboFix and its associated files and folders.
  • VundoFix backups, if present
  • The C:\Deckard folder, if present
  • The C:_OtMoveIt folder, if present
• Reset the clock settings.
• Hide file extensions, if required.
• Hide System/Hidden files, if required.
• Set a new, clean Restore Point.

Now to get you off to a good start we will re-set your restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean. There are several ways to reset your your restore point but this is my method:

1. Select Start > All Programs > Accessories > System tools > System Restore.
2. On the dialogue box that appears select Create a Restore Point
3. Click NEXT
4. Enter a name e.g. Clean
5. Click CREATE

You now have a clean restore point, to get rid of the bad ones:

1. Select Start > All Programs > Accessories > System tools > Disk Cleanup.
2. In the Drop down box that appears select your main drive e.g. C
3. Click OK
4. The System will do some calculation and the display a dialogue box with TABS
5. Select the More Options Tab.
6. At the bottom will be a system restore box with a CLEANUP button click this
7. Accept the Warning and select OK again, the program will close and you are done



Now that you are clean, to help protect your computer in the future I recommend that you get the following free program:

• SpywareBlaster to help prevent spyware from installing in the first place.

It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date visit

• Microsoft Windows Update

To learn more about how to protect yourself while on the internet read this article by Tony Klien: So how did I get infected in the first place?


Keep safe

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.