Please help with HJT!!

bama

Here is my HJT log.
Logfile of HijackThis v1.99.1
Scan saved at 2:50:44 PM, on 5/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AntiVir PersonalEdition Classic\avcenter.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\PAUL~1.PAU\LOCALS~1\Temp\Rar$EX00.078\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O4 - HKLM\..\Run: [winupdate] C:\Program Files\winupdate\winupdate.exe /auto
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: SMDEn - C:\WINDOWS\system32\c6002gdmg60a2.dll
O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
 
C:\Program Files\AntiVir PersonalEdition Classic\avcenter.exe - Unknown FINE NOTHING WRONG WITH THAT ONE.

O4 - HKLM\..\Run: [winupdate] C:\Program Files\winupdate\winupdate.exe /auto - Nasty VERY NASTY. THAT IS THE RESULT OF THE RADO VIRUS AND MUST BE REMOVED

O20 - Winlogon Notify: SMDEn - C:\WINDOWS\system32\c6002gdmg60a2.dll - Unknown LEAVE THAT ONE UNTIL BUZZ1627 CHECKS THIS ONE
 
Before you follow his instructions we need to properly install HiJackThis.

* Click here to download HJTsetup.exe
  • Save HJTsetup.exe to your desktop.
  • Doubleclick on the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Hijack This.
  • Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
  • Put a check by Create a desktop icon then click Next again.
  • Continue to follow the rest of the prompts from there.
  • At the final dialogue box click Finish and it will launch Hijack This.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
 
C:\DOCUME~1\PAUL~1.PAU\LOCALS~1\Temp\Rar$EX00.078\HijackThis.exe

That is a temporary folder. If he cleans his temp folder it will delete all backups and he will not be able to restore anything he deletes. It will also delete HiJackThis.

C:\Program Files\winupdate\winupdate.exe

You can't just remove it. There are special programs designed to remove this.
 
Here's my new log after downloading HijackThis once again.
Logfile of HijackThis v1.99.1
Scan saved at 10:14:01 PM, on 5/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: IME - C:\WINDOWS\system32\fp8q03l5e.dll
O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
 
The previous post was after redownloading hijack this.

I had already fixed the one below on ComputerGenius' advice.
O4 - HKLM\..\Run: [winupdate] C:\Program Files\winupdate\winupdate.exe /auto - Nasty VERY NASTY. THAT IS THE RESULT OF THE RADO VIRUS AND MUST BE REMOVED
 
I will post my fix in a few minutes. What I need you to do is back up and restore that entry; it is bad, but it cannot just be removed by HiJackThis.
 
Okay. Thanks a lot for the help. It doesn't seem to have major problems, but the internet page that I'm on changes to an ad every couple of minutes. I have to press the "back" button to get to the page that I was on. What can I do to fix it?
 
1. Please download Ewido Anti-Malware
  • Install ewido anti-malware
  • Launch ewido, there should be an icon on your desktop, double-click it.
  • The program will now open to the main screen.
  • When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.

    You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display "Update successful")
  • Exit Ewido, do not run the scan yet!
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates

2. Please download Brute Force Uninstaller to your desktop.
  • Right click the BFU folder on your desktop, and choose Extract All
  • Click "Next"
  • In the box to choose where to extract the files to,
  • Click "Browse"
  • Click on the + sign next to "My Computer"
  • Click on "Local Disk (C:) or whatever your primary drive is
  • Click "Make New Folder"
  • Type in BFU
  • Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
3. RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.
Save it in the same folder you made earlier (c:\BFU).

Do not do anything with these yet!

Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping F8 until a menu appears. Highlight Safe Mode and hit enter.

4. Once in Safe Mode, Open Ewido:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • You will be prompted to clean the first infection.
  • Select "Perform action on all infections", then proceed.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop or a location where you can find it easily.
Close ewido anti-malware.

5. Then, please go to Start > My Computer and navigate to the C:\BFU folder.
  • Start the Brute Force Uninstaller by doubleclicking BFU.exe
  • Behind the scriptline to execute field click the folder icon and select alcanshorty.bfu
  • Press Execute and let the program do its job. (You ought to see a progress bar if you did this correctly.)
  • Wait for the complete script execution box to pop up and press OK.
  • Press exit to terminate the BFU program.
Reboot into normal Windows and post the contents of the Ewido text report that you saved and a new HiJackThis log.
 
Jars,
Thanks for the help. I followed the steps although it took some time to run the ewido. Here is the Ewido text report:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 12:24:55 AM, 5/13/2006
+ Report-Checksum: DF5165AB

+ Scan result:

[712] C:\WINDOWS\system32\dqstyle.dll -> Adware.Look2Me : Error during cleaning
[840] C:\WINDOWS\system32\dqstyle.dll -> Adware.Look2Me : Error during cleaning
:mozilla.18:C:\Documents and Settings\Paul.PAUL-6BC1DA8B52\Application Data\Mozilla\Firefox\Profiles\hekghy3o.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned with backup
:mozilla.20:C:\Documents and Settings\Paul.PAUL-6BC1DA8B52\Application Data\Mozilla\Firefox\Profiles\hekghy3o.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.21:C:\Documents and Settings\Paul.PAUL-6BC1DA8B52\Application Data\Mozilla\Firefox\Profiles\hekghy3o.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.22:C:\Documents and Settings\Paul.PAUL-6BC1DA8B52\Application Data\Mozilla\Firefox\Profiles\hekghy3o.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.23:C:\Documents and Settings\Paul.PAUL-6BC1DA8B52\Application Data\Mozilla\Firefox\Profiles\hekghy3o.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.24:C:\Documents and Settings\Paul.PAUL-6BC1DA8B52\Application Data\Mozilla\Firefox\Profiles\hekghy3o.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.25:C:\Documents and Settings\Paul.PAUL-6BC1DA8B52\Application Data\Mozilla\Firefox\Profiles\hekghy3o.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.26:C:\Documents and Settings\Paul.PAUL-6BC1DA8B52\Application Data\Mozilla\Firefox\Profiles\hekghy3o.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
:mozilla.27:C:\Documents and Settings\Paul.PAUL-6BC1DA8B52\Application Data\Mozilla\Firefox\Profiles\hekghy3o.default\cookies.txt -> TrackingCookie.Targetnet : Cleaned with backup
:mozilla.28:C:\Documents and Settings\Paul.PAUL-6BC1DA8B52\Application Data\Mozilla\Firefox\Profiles\hekghy3o.default\cookies.txt -> TrackingCookie.Targetnet : Cleaned with backup
-> : Error during cleaning
:mozilla.30:C:\Documents and Settings\Paul.PAUL-6BC1DA8B52\Application Data\Mozilla\Firefox\Profiles\hekghy3o.default\cookies.txt -> TrackingCookie.Addynamix : Cleaned with backup
C:\WINDOWS\system32\guard.tmp_tobedeleted -> Adware.Look2Me : Cleaned with backup


::Report End



And the new hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 12:36:15 AM, on 5/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: SMDEn - C:\WINDOWS\system32\o6pqlg7516.dll
O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


What should I do next?
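
Added example, not code from the thread or from HijackThis: the O4 and O20 lines from the three logs posted above, run through a small triage script. It makes the two checks the replies above make by eye (a Run entry whose name imitates a Windows component but lives outside C:\WINDOWS, and a Winlogon Notify DLL with a machine-generated file name) and adds a third that only becomes possible once several logs exist: the Notify DLL carries a different name in every scan while the handler keeps coming back. The look-alike list and the random-name heuristic are my assumptions, not anything HijackThis does itself.

```python
import re

# Added example, not code from the forum thread or from HijackThis.
# O4 (Run key) and O20 (Winlogon Notify) lines copied from the three
# HijackThis logs posted in the thread, in the order they were posted.
LOGS = [
    r"""O4 - HKLM\..\Run: [winupdate] C:\Program Files\winupdate\winupdate.exe /auto
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O20 - Winlogon Notify: SMDEn - C:\WINDOWS\system32\c6002gdmg60a2.dll""",
    r"""O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O20 - Winlogon Notify: IME - C:\WINDOWS\system32\fp8q03l5e.dll""",
    r"""O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O20 - Winlogon Notify: SMDEn - C:\WINDOWS\system32\o6pqlg7516.dll""",
]

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+)$")

# Names that imitate Windows components. The real ones live under
# C:\WINDOWS, so a look-alike under Program Files is suspect.
# (Assumed list for this example, not taken from the thread.)
SYSTEM_LOOKALIKES = ("winupdate", "svchost", "lsass", "csrss", "winlogon")


def looks_random(stem):
    """Heuristic for machine-generated names such as c6002gdmg60a2:
    letters mixed with digits, or almost no vowels. Real DLL names are words."""
    letters = sum(c.isalpha() for c in stem)
    digits = sum(c.isdigit() for c in stem)
    vowels = sum(c in "aeiou" for c in stem.lower())
    mixed = letters >= 2 and digits >= 2
    return mixed or vowels / max(letters, 1) < 0.15


def triage(log):
    """Return one finding per suspicious O4/O20 line in a log excerpt."""
    findings = []
    for line in log.splitlines():
        m = O4_RE.match(line)
        if m:
            exe = m["cmd"].split(".exe")[0].lower()
            lookalike = any(w in m["name"].lower() for w in SYSTEM_LOOKALIKES)
            if lookalike and not exe.startswith(r"c:\windows"):
                findings.append(f"O4 {m['name']}: system look-alike outside C:\\WINDOWS -> {m['cmd']}")
            continue
        m = O20_RE.match(line)
        if m:
            stem = m["path"].rsplit("\\", 1)[-1].rsplit(".", 1)[0]
            if looks_random(stem):
                findings.append(f"O20 {m['key']}: Notify DLL with random-looking name -> {m['path']}")
    return findings


def notify_dll_history(logs):
    """File names of the O20 Notify DLLs, one per log, in posting order."""
    names = []
    for log in logs:
        for line in log.splitlines():
            m = O20_RE.match(line)
            if m:
                names.append(m["path"].rsplit("\\", 1)[-1].lower())
    return names


def regenerating_notify_dll(logs):
    """True when every log shows a different, random-looking Notify DLL:
    the handler survives reboots but renames itself, which is exactly
    what the three logs in this thread show."""
    names = notify_dll_history(logs)
    return (len(names) >= 2 and len(set(names)) == len(names)
            and all(looks_random(n.rsplit(".", 1)[0]) for n in names))


if __name__ == "__main__":
    for i, log in enumerate(LOGS, 1):
        for finding in triage(log):
            print(f"log {i}: {finding}")
    print("Notify DLL renamed between scans:", regenerating_notify_dll(LOGS))
```

HijackThis leaves the stock Windows XP Notify handlers out of the O20 section, so anything it does print there is worth a look. A Notify DLL is loaded by winlogon.exe before any user logs on, which is why simply ticking the O20 line in HijackThis does not get rid of it and the thread moves on to a dedicated remover instead.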
 
Please download Look2Me-Destroyer.exe to your desktop.
  • Close all windows before continuing.
  • Double-click Look2Me-Destroyer.exe to run it.
  • Put a check next to Run this program as a task.
  • You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 1 minute. Click OK
  • When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
  • Once it's done scanning, click the Remove L2M button.
  • You will receive a Done Scanning message, click OK.
  • When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
  • Your computer will then shutdown.
  • Turn your computer back on.
  • Please post the contents of Look2Me-Destroyer.txt (it can be found wherever you saved Look2Me-Destroyer.exe) and a new HiJackThis log.
If Look2Me-Destroyer

Also, I need you to confirm one thing. Go to your C:\Program Files. Check to see if there is a folder in there named Winupdates.

Also it seems you have not included the Panda scan log. Please re-scan and post the log.

Logs i need:
HijackThis
Look2Me Destroyer log
Panda Log


~Jars
 
Here's the hijack this log
Logfile of HijackThis v1.99.1
Scan saved at 1:45:52 AM, on 5/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


The look2me destroyer log
Look2Me-Destroyer V1.0.12

Scanning for infected files.....
Scan started at 5/13/2006 1:30:03 AM

Infected! C:\WINDOWS\system32\o6pqlg7516.dll
Infected! C:\System Volume Information\_restore{3CCE962D-A266-4A17-BC7D-44BDB00AAF6F}\RP271\A0053150.dll
Infected! C:\System Volume Information\_restore{3CCE962D-A266-4A17-BC7D-44BDB00AAF6F}\RP271\A0053151.dll
Infected! C:\System Volume Information\_restore{3CCE962D-A266-4A17-BC7D-44BDB00AAF6F}\RP271\A0053200.dll
Infected! C:\System Volume Information\_restore{3CCE962D-A266-4A17-BC7D-44BDB00AAF6F}\RP271\A0053211.dll
Infected! C:\System Volume Information\_restore{3CCE962D-A266-4A17-BC7D-44BDB00AAF6F}\RP271\A0053212.dll
Infected! C:\System Volume Information\_restore{3CCE962D-A266-4A17-BC7D-44BDB00AAF6F}\RP271\A0053220.dll
Infected! C:\System Volume Information\_restore{3CCE962D-A266-4A17-BC7D-44BDB00AAF6F}\RP271\A0053221.dll
Infected! C:\System Volume Information\_restore{3CCE962D-A266-4A17-BC7D-44BDB00AAF6F}\RP271\A0053230.dll
Infected! C:\System Volume Information\_restore{3CCE962D-A266-4A17-BC7D-44BDB00AAF6F}\RP271\A0053236.dll
Infected! C:\WINDOWS\system32\f00o0ad3ed0.dll
Infected! C:\WINDOWS\system32\o6pqlg7516.dll
Infected! C:\WINDOWS\system32\sueio.dll

Attempting to delete infected files...

Attempting to delete: C:\WINDOWS\system32\o6pqlg7516.dll
C:\WINDOWS\system32\o6pqlg7516.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{3CCE962D-A266-4A17-BC7D-44BDB00AAF6F}\RP271\A0053150.dll
C:\System Volume Information\_restore{3CCE962D-A266-4A17-BC7D-44BDB00AAF6F}\RP271\A0053150.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{3CCE962D-A266-4A17-BC7D-44BDB00AAF6F}\RP271\A0053151.dll
C:\System Volume Information\_restore{3CCE962D-A266-4A17-BC7D-44BDB00AAF6F}\RP271\A0053151.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{3CCE962D-A266-4A17-BC7D-44BDB00AAF6F}\RP271\A0053200.dll
C:\System Volume Information\_restore{3CCE962D-A266-4A17-BC7D-44BDB00AAF6F}\RP271\A0053200.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{3CCE962D-A266-4A17-BC7D-44BDB00AAF6F}\RP271\A0053211.dll
C:\System Volume Information\_restore{3CCE962D-A266-4A17-BC7D-44BDB00AAF6F}\RP271\A0053211.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{3CCE962D-A266-4A17-BC7D-44BDB00AAF6F}\RP271\A0053212.dll
C:\System Volume Information\_restore{3CCE962D-A266-4A17-BC7D-44BDB00AAF6F}\RP271\A0053212.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{3CCE962D-A266-4A17-BC7D-44BDB00AAF6F}\RP271\A0053220.dll
C:\System Volume Information\_restore{3CCE962D-A266-4A17-BC7D-44BDB00AAF6F}\RP271\A0053220.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{3CCE962D-A266-4A17-BC7D-44BDB00AAF6F}\RP271\A0053221.dll
C:\System Volume Information\_restore{3CCE962D-A266-4A17-BC7D-44BDB00AAF6F}\RP271\A0053221.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{3CCE962D-A266-4A17-BC7D-44BDB00AAF6F}\RP271\A0053230.dll
C:\System Volume Information\_restore{3CCE962D-A266-4A17-BC7D-44BDB00AAF6F}\RP271\A0053230.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{3CCE962D-A266-4A17-BC7D-44BDB00AAF6F}\RP271\A0053236.dll
C:\System Volume Information\_restore{3CCE962D-A266-4A17-BC7D-44BDB00AAF6F}\RP271\A0053236.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\f00o0ad3ed0.dll
C:\WINDOWS\system32\f00o0ad3ed0.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\o6pqlg7516.dll
C:\WINDOWS\system32\o6pqlg7516.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\sueio.dll
C:\WINDOWS\system32\sueio.dll Deleted successfully!

Making registry repairs.

Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SMDEn

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{98D2FC1F-FFB8-4865-B9D2-4E444CA70023}"
HKCR\Clsid\{98D2FC1F-FFB8-4865-B9D2-4E444CA70023}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{7161D2DD-71BD-4D5E-B460-1426DAF77EE8}"
HKCR\Clsid\{7161D2DD-71BD-4D5E-B460-1426DAF77EE8}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{C7657DED-97D1-40DE-92B6-92AA1049FAD2}"
HKCR\Clsid\{C7657DED-97D1-40DE-92B6-92AA1049FAD2}

Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administrators - Succeeded

And the Pandascan didn't seem to work. I made it to the screen that said select a drive to scan, but it wouldn't let me choose any of them when I clicked on them.
 
Jars,
Thank you very very very much. It doesn't seem to have any problems now. Thanks a lot for your time and help. I really appreciate it. How often should I run those scans? Is there anything I should do and any programs I should get rid of? Or should I just let things be?
 
You can run the Ewido Scan every Month.

Here are some tips. To reduce the potential for spyware infection in the future, I strongly recommend installing the following applications:

Detect and Remove Programs:
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
Prevention Programs:
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
  • Google Toolbar <= Get the free google toolbar to help stop pop up windows.
Other necessary Programs:
  • AntiVirus Program<= An AntiVirus program is a must! Whether it is a free version like AVG or Anti-Vir, or a shareware version like Norton or Kaspersky, this is a must have.
  • Firewall<= A firewall is definitely a must have. Two good free versions are Sygate and ZoneLabs.
  • More Secure Browser<= Internet Explorer is not the most secure and best browser. There are safer and better alternatives available. I recommend Firefox, however Opera and SlimBrowsers are good as well.
And also see TonyKlein's good advice
So how did I get infected in the first place?
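
Added example, not part of the thread: how a blocklist-style hosts file of the kind recommended above works, and the two checks worth running on a hosts file you did not write yourself (the Look2Me-Destroyer log earlier in the thread replaced the hosts file wholesale for the same reason). Windows consults the hosts file before DNS, so an entry there wins. A name mapped to 127.0.0.1 or 0.0.0.0 is a sink, which is how MVPS blocks ad servers; a name mapped to any other address is a redirect, and a sink entry for a vendor's update server is the trick malware uses to keep its victim from updating. The sample hosts file and the list of domains that must never be sunk are constructed for this example.

```python
import ipaddress

# Added example, not code from the thread. The hosts file below is a
# constructed sample mixing blocklist entries with two kinds of tampering.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       ad.doubleclick.net      # blocklist-style sink entry
0.0.0.0         ads.example.com         # same idea, 0.0.0.0 form
127.0.0.1       www.avira.com           # sinking an AV vendor blocks its updates
192.0.2.55      www.windowsupdate.com   # redirect: a real site sent to a remote host
192.0.2.55      www.google.com
"""

# Domains a defensive blocklist would never sink (assumed list for the example).
NEVER_SINK = ("microsoft.com", "windowsupdate.com", "avira.com",
              "ewido.net", "pandasoftware.com", "zonelabs.com")

SINK_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text):
    """Return (ip, hostname) pairs, dropping comments, blank and malformed
    lines. One hosts line may name several hosts for a single address."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # not an address in the first column: skip the line
        for name in names:
            entries.append((ip, name.lower()))
    return entries


def is_sink(ip):
    """Loopback or the unspecified address: the connection goes nowhere."""
    return ip in SINK_ADDRESSES


def audit_hosts(text):
    """Return (sinks, redirects, blocked_protected).

    sinks             - ordinary blocklist entries (name -> loopback/0.0.0.0)
    redirects         - name -> some other address; in a hosts file you did
                        not author this is a hijack, since it overrides DNS
    blocked_protected - sink entries for NEVER_SINK domains, the pattern
                        used to keep AV and update servers unreachable
    """
    sinks, redirects, blocked = [], [], []
    for ip, name in parse_hosts(text):
        if name == "localhost":
            continue
        if is_sink(ip):
            sinks.append(name)
            if any(name == d or name.endswith("." + d) for d in NEVER_SINK):
                blocked.append(name)
        else:
            redirects.append((name, ip))
    return sinks, redirects, blocked


if __name__ == "__main__":
    sinks, redirects, blocked = audit_hosts(SAMPLE_HOSTS)
    print(f"{len(sinks)} sink entries (blocklist style)")
    for name, ip in redirects:
        print(f"REDIRECT          {name} -> {ip}")
    for name in blocked:
        print(f"PROTECTED SUNK    {name}")
```

On a machine that runs the MVPS file, thousands of sink entries are normal and nothing to act on; the two short lists are what matter. Anything in the redirects list, and anything in the protected list, did not come from an ad blocker.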
 
Don't forget to keep Windows updated; many infections can be avoided just by downloading Microsoft's updates. They release new ones the second Tuesday of every month unless it's a hotfix.

Also use the TeaTimer in Spybot to monitor any unwanted changes to your registry.

You can scan your computer as often as you like. I run many anti-malware programs and will scan my PC with at least one of them every day, as some programs will miss something another may pick up.

A couple more great programs are SpywareBlaster and A-Squared. SpywareBlaster is not a scanner, but it keeps spyware from installing in the first place, and A-Squared is an excellent free program that will remove trojans, dialers, spyware and worms.
 