Unsolved

5 Posts

April 10th, 2007 21:00

Hijack This Log popsup infection warning

Logfile of HijackThis v1.99.1
Scan saved at 3:37:15 PM, on 4/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [tcpipmon] tcpipmon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Belkin Wireless Utility.lnk = C:\Program Files\Belkin\PCI F5D7000\Wireless Utility\Belkinwcui.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

3 Apprentice

20.5K Posts

April 10th, 2007 22:00

Your log is unreadable. Please read this announcement: http://www.dellcommunity.com/supportforums/board/message?board.id=si_hijack&thread.id=55831
When you repost your log, please let us know what type of "infection warning" you are receiving. Please inform us of what resident anti-virus you are using and if this is a pop-up from your anti-virus program. If so, where does it say the infection is located?

5 Posts

April 10th, 2007 23:00

On the taskbar a small window appears and says that my computer is infected and asks me to download an antispyware program. When I first clicked on it, an IE window popped up with the ameana website.

Logfile of HijackThis v1.99.1
Scan saved at 3:37:15 PM, on 4/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [tcpipmon] tcpipmon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Belkin Wireless Utility.lnk = C:\Program Files\Belkin\PCI F5D7000\Wireless Utility\Belkinwcui.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

5 Posts

April 11th, 2007 06:00

What it would tell me was that the registry could be affected and that I should download the recommended software.

This is the most recent log file that I have:
Logfile of HijackThis v1.99.1
Scan saved at 12:04:31 AM, on 4/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Belkin\PCI F5D700F\Wireless Utility\Belkinwcui.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\mqhgptah.dll",setvm
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Belkin Wireless G Desktop Card Client Utility.lnk = ?
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

PS: the link for the site that it takes me to is amaena.com/securityworm5 if that helps any.

3 Apprentice

20.5K Posts

April 11th, 2007 22:00

"ps the link for the site that it takes me to is amaena.com/securityworm5 if that help any"

Yes, that is a big help. Thanks! Now we know what we're hunting for.

Although your two recent logs are different, we'll work on what we see in the most recent log.

Please print these instructions so you can refer to them easily. You will be in Safemode (without networking) for part of this fix so you will not have this page available.

Please download the latest version of VundoFix.exe to your desktop. (If you have an earlier version, delete it and its old log here: C:\vundofix.txt.)
Do not run VundoFix yet. We will do that later.

We need to disable your Microsoft Windows Defender Real-time Protection as it may interfere with the fixes that we need to make.

* Open Microsoft Windows Defender. Click Start, Programs, Windows Defender
* Click on Tools, General Settings
* Under Real-time protection options, unselect the Turn on real-time protection check box
* Click Save

After all of the fixes are complete it is very important that you enable Real-time Protection again.

Download AVG Anti-Spyware from HERE and save that file to your desktop.
This is a 30 day trial of the program

1. Once you have downloaded AVG AS, locate the icon on the desktop and double-click it to launch the setup program.
2. Select "Change state" to inactivate 'Resident Shield' and 'Automatic Updates'. Right-click on AVG AS in the system tray and uncheck "Start with Windows".
3. Go to Start > Run and type: services.msc
4. Press "OK".
5. In Services, click the "Extended" tab and scroll down the list to find AVG Anti-Spyware guard.
6. When you find the guard service, double-click on it.
7. In the Properties Window > General Tab that opens, click the "Stop" button.
8. From the drop-down menu next to "Startup Type", click on "Manual".
9. Now click "Apply", then "OK" and close the Services window.
10. Once the setup is complete you will need to run AVG Anti-Spyware and update the definition files.
11. On the main screen select the icon "Update". Then select the "Update now" link.
   • Next select the "Start Update" button; the update will start and a progress bar will show the updates being installed.
   • If you are having problems with the updater, manually update with the AVG Anti-Spyware Full database installer from here.
   • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
   • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
   • Under "Reports":
     • Select "Automatically generate report after every scan"
     • Un-select "Only if threats were found"
   • Close AVG Anti-Spyware. Do not run a scan just yet.

1. Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode, then hit Enter.
2. IMPORTANT: Do not open any other windows or programs while AVG AS is scanning; it may interfere with the scanning process.
3. Launch AVG Anti-Spyware by double-clicking the icon on your desktop.
4. Select the "Scanner" icon at the top and then the "Scan" tab, then click on "Complete System Scan".
5. AVG AS will now begin the scanning process; be patient, this may take a little time.
6. Once the scan is complete do the following:
7. If you have any infections you will be prompted; then select "Apply all actions".
8. Next select the "Reports" icon at the top.
9. Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
10. Close AVG AS and reboot your system back into Normal Mode.

• Double-click VundoFix.exe to run it.
• Click the Scan for Vundo button.
• Once it's done scanning, click the Remove Vundo button.
• You will receive a prompt asking if you want to remove the files; click YES.
• Once you click yes, your desktop will go blank as it starts removing Vundo.
• When completed, it will prompt that it will shut down your computer; click OK.
• Turn your computer back on.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot. ** If you get a warning in your VundoFix log about updating Java, do not do so until I can give you further instructions.

Please go to your HijackThis.exe here:
C:\Program Files\HijackThis\HijackThis.exe and rename HijackThis.exe to analyzer.exe.

Please launch analyzer (HijackThis) and place a checkmark next to this item:
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\mqhgptah.dll",setvm

Close all windows except HijackThis and click "Fix Checked".

Close HijackThis.

Reboot into Safe Mode:
Turn on the computer.
Immediately begin tapping the F8 key.
Use the arrow keys to highlight Safe Mode and press the Enter key.

Configure to show all files/folders:
Go to Start > Search and at the top select Tools > Folder Options
Select the View tab
Display the contents of system folders
Show hidden files and folders
Uncheck: Hide protected operating system files
Click on Apply.
Next go to the side of the Search box and select All files and folders. Go down to More advanced options.
Be sure the first three boxes are selected:
Search System folders
Search Hidden Files and folders
Search SubFolders

Delete the specified file if it still exists:

C:\WINDOWS\system32\mqhgptah.dll --file

Reboot normally.

Go back and rehide files:
Start > Search and at the top select Tools > Folder Options
Select the View tab
Display the contents of system folders
Show hidden files and folders
Check: Hide protected operating system files
Click on Apply.

11. Please post the contents of C:\vundofix.txt, your report from AVG Anti-Spyware, and a new analyzer (actually your renamed HijackThis) log.

Let me know if you are still getting the amaena popups.

      Message Edited by Bugbatter on 04-11-2007 07:19 PM
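Bugbatter singled out the [SoundService] entry from the second log for the HijackThis fix. As an added example (not code from the thread, from Dell, or from HijackThis), here is a Python triage pass over the O4 and O23 lines of such a log that applies the same kind of reasoning a helper applies by eye: a rundll32 autorun that loads a DLL not on a known-good list is marked suspect, while autoruns given only a bare file name, and services whose binary is reported missing or has no recorded publisher, are marked for review rather than removal. The sample lines are copied from the logs posted in this thread; the known-good list and the severity rules are this example's own assumptions.

```python
"""Triage the O4 (autorun) and O23 (service) lines of a HijackThis log.

Added example; not code from the thread, from Dell, or from HijackThis.
The sample lines are copied from the logs posted in the thread. The
allow-list and the severity rules are this example's own assumptions.
"""
import re
from dataclasses import dataclass

# Constructed sample: O4/O23 lines taken from the two logs posted in the thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\mqhgptah.dll",setvm
O4 - HKLM\..\Run: [tcpipmon] tcpipmon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

O4_RUN = re.compile(r'^O4\s*-\s*(?P<hive>HKLM|HKCU)\\\.\.\\Run:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$')
O23_SVC = re.compile(r'^O23\s*-\s*Service:\s*(?P<name>.+?)\s+-\s+(?P<owner>.+?)\s+-\s+(?P<path>.+)$')
# rundll32[.exe] <dll path, optionally quoted>,<export name>
RUNDLL = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?\s*,\s*(?P<entry>\S+)', re.IGNORECASE)
FIRST_TOKEN = re.compile(r'^"(?P<quoted>[^"]+)"|^(?P<bare>\S+)')

# Assumption: DLLs accepted as legitimate rundll32 targets in this thread.
KNOWN_RUNDLL_TARGETS = {"nvcpl.dll", "nvmctray.dll"}


@dataclass
class Finding:
    item: str       # Run value name or service display name
    severity: str   # "suspect" (act on it) or "review" (verify before acting)
    reason: str
    line: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage_run(name: str, cmd: str, line: str):
    """Apply this example's rules to one O4 Run entry."""
    m = RUNDLL.match(cmd)
    if m:
        dll = basename(m.group("dll"))
        if dll not in KNOWN_RUNDLL_TARGETS:
            return Finding(name, "suspect",
                           f"rundll32 loads unvetted DLL {dll} via export {m.group('entry')}", line)
        return None
    t = FIRST_TOKEN.match(cmd)
    exe = (t.group("quoted") or t.group("bare")) if t else ""
    if exe and "\\" not in exe:
        # No directory: the binary is found through the search order, so
        # confirm which file on disk actually runs before trusting the name.
        return Finding(name, "review", f"bare executable name {exe}: no path given", line)
    return None


def triage_service(name: str, owner: str, path: str, line: str):
    """Apply this example's rules to one O23 Service entry."""
    reasons = []
    if "(file missing)" in path:
        reasons.append("service binary reported missing")
    if owner.strip().lower() == "unknown owner":
        reasons.append("no publisher recorded for the binary")
    return Finding(name, "review", "; ".join(reasons), line) if reasons else None


def triage(lines):
    findings = []
    for raw in lines:
        line = raw.strip()
        m = O4_RUN.match(line)
        if m:
            f = triage_run(m.group("name"), m.group("cmd").strip(), line)
        else:
            m = O23_SVC.match(line)
            f = triage_service(m.group("name"), m.group("owner"), m.group("path"), line) if m else None
        if f:
            findings.append(f)
    return findings


def summarize(findings):
    counts = {"suspect": 0, "review": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG.strip().splitlines())
    for f in sorted(results, key=lambda f: f.severity):
        print(f"[{f.severity:7}] {f.item}: {f.reason}")
    print(summarize(results))
```

The "review" findings are deliberately not "suspect": nwiz.exe and the avast! services are legitimate on this machine, which is why a helper confirms the binary on disk (or against a vendor list) before checking anything in "Fix Checked".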

5 Posts

April 12th, 2007 01:00

Vundofix:

Checking Java version...

Java version is 1.5.0.11

Scan started at 6:28:11 PM 4/11/2007

Listing files found while scanning....

C:\WINDOWS\system32\blijbeva.dll
C:\WINDOWS\system32\jkkll.dll
C:\WINDOWS\system32\llkkj.bak1
C:\WINDOWS\system32\llkkj.bak2
C:\WINDOWS\system32\llkkj.ini

Beginning removal...

Attempting to delete C:\WINDOWS\system32\blijbeva.dll
C:\WINDOWS\system32\blijbeva.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\jkkll.dll
C:\WINDOWS\system32\jkkll.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\llkkj.bak1
C:\WINDOWS\system32\llkkj.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\llkkj.bak2
C:\WINDOWS\system32\llkkj.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\llkkj.ini
C:\WINDOWS\system32\llkkj.ini Has been deleted!

Performing Repairs to the registry.
Done!

HJT:

Logfile of HijackThis v1.99.1
Scan saved at 6:45:41 PM, on 4/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Belkin\PCI F5D700F\Wireless Utility\Belkinwcui.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\analyzer.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Belkin Wireless G Desktop Card Client Utility.lnk = ?
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 6:25:48 PM 4/11/2007

+ Scan result:

C:\System Volume Information\_restore{C97882D8-C9E6-4D11-A0DE-B4519E465B33}\RP50\A0003978.exe -> Adware.VB : Cleaned with backup (quarantined).
C:\WINDOWS\system32\ssqpmjg.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C97882D8-C9E6-4D11-A0DE-B4519E465B33}\RP50\A0003980.exe -> Hijacker.Agent.is : Cleaned with backup (quarantined).
C:\WINDOWS\system32\tcpipmon.exe -> Hijacker.Agent.is : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WinOpts -> Proxy.Small : Cleaned with backup (quarantined).
C:\Documents and Settings\Cashut\Cookies\cashut@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned.
C:\Documents and Settings\Cashut\Cookies\cashut@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\Cashut\Cookies\cashut@stats1.reliablestats[1].txt -> TrackingCookie.Reliablestats : Cleaned.
C:\Documents and Settings\Cashut\Local Settings\Temp\mst39.tmp -> Trojan.Agent.qt : Cleaned with backup (quarantined).
C:\WINDOWS\system32\winjyg32.dll -> Trojan.Agent.qt : Cleaned with backup (quarantined).

::Report end

I haven't had any popups that direct me to any ameana site.
Thanks for the support.

3 Apprentice

20.5K Posts

April 12th, 2007 19:00

That's good news. We still have a bit more to do, though.
Run Disk Cleanup in each user's profile:
Click "Start > Programs > Accessories > System Tools > Disk Cleanup"
Please make sure the following are checked:
-- Downloaded Program Files
-- Temporary Internet Files
-- Recycle Bin
-- Temporary Files
Click "OK" and Disk Cleanup will delete those files for you.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. It is possible that you may be running Java code in your applications that absolutely requires a specific version of the JRE to run. Please follow these steps to remove older version Java components and update.

Updating Java:
• Download the latest version of Java Runtime Environment (JRE) 6.
• Scroll down to where it says "Java Runtime Environment (JRE) 6u1 allows end-users to run Java applications".
• Click the "Download" button to the right.
• Check the box that says: "Accept License Agreement".
• The page will refresh.
• Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
• Close any programs you may have running - especially your web browser.
• Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
• Check any item with Java Runtime Environment (JRE or J2SE) in the name.
• Click the Remove or Change/Remove button.
• Repeat as many times as necessary to remove each Java version.

• Reboot your computer once all Java components are removed.
• Then from your desktop double-click on jre-6u1-windows-i586-p.exe to install the newest version.

Official JAVA Installation Instructions if needed.

After that, if everything is still running smoothly, let's flush System Restore and create a clean Restore Point. If everything is running well....
To flush the XP System Restore Points:
(Using XP, you must be logged in as Administrator to do this.)
Go to Start > Run and type msconfig. Press Enter.
When msconfig opens, click the Launch System Restore button.
On the next page, click the System Restore Settings link on the left.
Check the box labeled Turn Off System Restore.

Reboot. Go back in and turn System Restore ON. A new Restore Point will be created.

Here is my standard list of simple steps that you can take to reduce the chance of infection in the future.

You may have already taken some of these steps:
1. Visit Windows Update:
Make sure that you have all the Critical Updates recommended for your operating system and IE. The first defense against infection is a properly patched OS.
Windows Update: http://v4.windowsupdate.microsoft.com/en/default.asp

2. Adjust your security settings for ActiveX:
Go to Internet Options/Security/Internet, press 'default level', then OK.
Now press "Custom Level."
In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to 'prompt', and "Initialize and Script ActiveX controls not marked as safe" to 'disable'.

3. Download and install the following free programs:
a. SpywareBlaster:
http://www.javacoolsoftware.com/spywareblaster.html
Tutorial here: http://www.bleepingcomputer.com/forums/tutorial49.html
b. SpywareGuard:
http://www.javacoolsoftware.com/spywareguard.html
Tutorial here: http://www.bleepingcomputer.com/tutorials/tutorial50.html
Periodically check for updates in both programs.

4. Please use a firewall and realtime anti-virus. Keep the anti-virus software and firewall software up to date.
Note: Zone Alarm Firewall (Zone Labs) http://www.zonelabs.com/store/content/company/products/trial_zaFamily/trial_zaFamily.jsp?lid=home_freedownloads
Sunbelt Kerio has a free version: http://www.kerio.com/kpf_download.html

5. You might consider installing Mozilla / Firefox.
http://www.mozilla.org/

6. Install spyware detection and removal programs:
You may also want to consider installing either or both of AdAware (free version) and Spybot S&D (freeware). Use these programs to regularly scan your system for and remove many forms of spyware/malware.

a. Ad-aware: http://www.lavasoft.de/software/adaware/

b. SpyBot S&D: http://safer-networking.org/en/news/2005-05-31.html

I would check for updates in SpyBot once a week or so.
Check for updates in Ad-aware frequently.

If you have recently installed AVG Anti-Spyware, it is a free trial product for 30 days. After that you can purchase it for full features OR you can also keep the free version to use as an on-demand scanner (recommended).
You will still be able to manually update it using the *update* button.

7. Before using or purchasing any Spyware/Malware protection/removal program, always check the Rogue/Suspect Spyware List.
Here is the link:
http://www.spywarewarrior.com/rogue_anti-spyware.htm

8. If you have not already done so, you might want to install CCleaner and run it in each user's profile: http://www.ccleaner.com/
** UNcheck the option to install the Yahoo toolbar that is checked by default for the Standard version, or download the toolbar-free versions (Slim or Basic) when given the option for those.

9. If you use Adobe Reader it may need to be updated to be sure that you have a more secure version. If you are using a version prior to v. 6.05, you should update to 6.05, preferably version 8. It would be best to remove prior versions before updating to a new version.
Info here: http://www.adobe.com/support/security/bulletins/apsb06-20.html
If you need additional assistance, the Adobe forums are here: http://www.adobe.com/support/forums/main.html

10. Make sure you are using the most updated version of Java.
The current version is Java Runtime Environment (JRE) 6u1.

You can go here to download the latest version of Java Runtime Environment (JRE) 6.
Scroll down to where it says "Java Runtime Environment (JRE) 6u1 allows end-users to run Java applications".

Click the link to download the Windows (Offline Installation) package: Save it, do not run it. When the download is complete, close the browser.

Remove all prior versions using Add/Remove Programs, and delete the Java folder in Program Files.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u1-windows-i586-p.exe to install the newest version.
Official JAVA Installation Instructions if needed.
Reboot.

11. Practice Safe Surfing with SiteAdvisor by McAfee. SiteAdvisor is a browser plugin that assigns a safety rating to domains listed in your search engine.
The following color codes are used by SiteAdvisor to indicate the safety of each site.

Red for Warning
Yellow for Use Caution
Green for Safe
Grey for Unknown

12. Here are some helpful articles:
"So how did I get infected in the first place?"
by TonyKlein
http://computercops.biz/postlite7736-.html

"I'm not pulling your leg, honest"
by Sandi Hardmeier
http://www.microsoft.com/windows/IE/community/columns/pulling.mspx

13. This is an excellent resource for users of all levels. General computer maintenance as well as internet security is covered.
Rootkits for Dummies
(Paperback)
by Larry Stevenson (Author), Nancy Altholz (Author)

Let us know if we have not resolved your problem. Otherwise, you are good to go.
      Happy and Safe Surfing!
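The AVG report posted earlier in the thread lists two detections under C:\System Volume Information\_restore{...}\RP50, and that is what the System Restore flush in the post above addresses: a restore point keeps copies of the removed files, and restoring to it would bring them back. As an added example (not code from the thread, from Dell, or from AVG), this Python snippet parses that report format, sorts each detection into registry, restore-point, cookie or live-file locations, and reports whether restore-point copies were found. The report lines are copied from the thread; the category names and the flush rule are this example's own.

```python
"""Classify the findings in an AVG Anti-Spyware scan report by location.

Added example; not code from the thread, from Dell, or from AVG. The report
lines are copied from the report posted in the thread; the location
categories and the System Restore flush rule are this example's own.
"""
import re
from collections import Counter

# Constructed sample: the "Scan result" lines from the report posted in the thread.
SAMPLE_REPORT = r"""
C:\System Volume Information\_restore{C97882D8-C9E6-4D11-A0DE-B4519E465B33}\RP50\A0003978.exe -> Adware.VB : Cleaned with backup (quarantined).
C:\WINDOWS\system32\ssqpmjg.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C97882D8-C9E6-4D11-A0DE-B4519E465B33}\RP50\A0003980.exe -> Hijacker.Agent.is : Cleaned with backup (quarantined).
C:\WINDOWS\system32\tcpipmon.exe -> Hijacker.Agent.is : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WinOpts -> Proxy.Small : Cleaned with backup (quarantined).
C:\Documents and Settings\Cashut\Cookies\cashut@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned.
C:\Documents and Settings\Cashut\Cookies\cashut@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\Cashut\Cookies\cashut@stats1.reliablestats[1].txt -> TrackingCookie.Reliablestats : Cleaned.
C:\Documents and Settings\Cashut\Local Settings\Temp\mst39.tmp -> Trojan.Agent.qt : Cleaned with backup (quarantined).
C:\WINDOWS\system32\winjyg32.dll -> Trojan.Agent.qt : Cleaned with backup (quarantined).
"""

# <location> -> <threat name> : <action taken>.
RESULT_LINE = re.compile(r'^(?P<location>.+?)\s+->\s+(?P<threat>[^:]+?)\s+:\s+(?P<action>.+?)\.?$')
# System Restore snapshot directory: \System Volume Information\_restore{GUID}\RPnn\
RESTORE_DIR = re.compile(r'\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\RP\d+\\', re.IGNORECASE)


def classify(location: str) -> str:
    """Map a detection location to one of this example's categories."""
    if location.upper().startswith(("HKLM\\", "HKCU\\", "HKU\\")):
        return "registry"
    if RESTORE_DIR.search(location):
        return "restore_point"
    if "\\Cookies\\" in location:
        return "cookie"
    return "file"


def parse_report(text: str):
    """Return one dict per result line; headers and footers are skipped."""
    entries = []
    for raw in text.strip().splitlines():
        m = RESULT_LINE.match(raw.strip())
        if not m:
            continue  # "+ Scan result:", "::Report end", blank lines
        loc = m.group("location")
        entries.append({
            "location": loc,
            "threat": m.group("threat").strip(),
            "action": m.group("action"),
            "category": classify(loc),
        })
    return entries


def summarize(entries) -> Counter:
    return Counter(e["category"] for e in entries)


def restore_point_threats(entries):
    """Threat names whose copies sit inside System Restore snapshots."""
    return sorted({e["threat"] for e in entries if e["category"] == "restore_point"})


def needs_restore_flush(entries) -> bool:
    """True when a restore point still held infected copies, so the points
    should be flushed after cleanup rather than kept as a rollback target."""
    return bool(restore_point_threats(entries))


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    print(dict(summarize(found)))
    print("restore-point copies:", restore_point_threats(found))
    print("flush System Restore:", needs_restore_flush(found))
```

Note that the two restore-point hits are the same families as the live tcpipmon.exe and the Vundo-class DLLs removed elsewhere, which is why the flush comes after the cleanup is confirmed and not before.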

5 Posts

April 14th, 2007 01:00

Thanks again. As far as using Firefox, that's the main browser I've used. I do have Ad-Aware installed and will look into the other programs.

3 Apprentice

20.5K Posts

April 14th, 2007 22:00

You're most welcome. I'm glad we could help. :)