3 Apprentice • 20.5K Posts

April 15th, 2007 16:00

What are the anti-virus pop-ups reporting? What resident anti-virus are you using on your computer? Where is the infection located? Exactly WHAT pests are the Ad-aware and Spybot scans removing?

Your HijackThis is in a temporary folder. Please move it to a permanent folder where it can save backups with the program.
To create a folder:
Click My Computer, then C:\
In the menu bar, File->New->Folder.
That will create a folder named "New Folder", which you can rename to "HJT" or "HijackThis".
Now you have C:\HJT\ folder. Move your HJT there.

Message Edited by Bugbatter on 04-15-2007 01:37 PM

10 Posts

April 16th, 2007 07:00

I've now created a new folder and placed HJT into it; it now reads as follows...


Logfile of HijackThis v1.99.1
Scan saved at 09:19:18, on 16/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Virgin Broadband\PCguard\fws.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Virgin Broadband\PCguard\Rps.exe
C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Nokia\Nokia PC St 6\LaunchApplication.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [PCguard] "C:\Program Files\Virgin Broadband\PCguard\Rps.exe"
O4 - HKLM\..\Run: [NSLauncher] C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe /startup
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [PC StTrayApplication] C:\Program Files\Nokia\Nokia PC st 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [PrintDrive] rundll32.exe "C:\WINDOWS\system32\eumgeuwb.dll",setvm
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\ugdguqsk.dll",setvm
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.co.uk/SnapfishUKActivia.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aolsvc.aol.co.uk/computercheckup/qdiagcc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8FC1C5A5-F980-49F1-B20E-635EC7315313}: NameServer = 192.168.254.2
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: PCguard Firewall (RP_FWS) - Radialpoint Inc. - C:\Program Files\Virgin Broadband\PCguard\fws.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

10 Posts

April 16th, 2007 07:00

The most common popup is WinAntivirus 2007; I also get a few other random drive cleaner progs and a casino one. I'm using PCguard supplied by Virgin Media and it shows no viruses. When I run Ad-Aware it shows up with WinAntivirus 2007 but after deletion it just returns.

3 Apprentice • 20.5K Posts

April 16th, 2007 15:00

Much better! Thanks for the info. Now we know what we are dealing with. Your outdated Java has contributed to your becoming infected. We'll update Java after you are cleaned up. This infection tends to regenerate itself if you go online before you are fully clean, so it would be best if you do not do any surfing until we can get all components of the infection removed.

* Please print these instructions so you can refer to them easily and follow each step in sequence.
* While in Safemode, make sure you are not using "Safemode with networking".
You will need to be offline during the time that you are in Safemode.

Please download the latest version of VundoFix.exe to your desktop. (If you have an earlier version, delete it and its old log here: C:\vundofix.txt.)
Do not run it yet.

Download AVG Anti-Spyware from HERE and save that file to your desktop.
This is a 30-day trial of the program.

  1. Once you have downloaded AVG AS, locate the icon on the desktop and double-click it to launch the setup program.
  2. Select "Change state" to inactivate 'Resident Shield' and 'Automatic Updates'. Right click on AVG AS in the system tray and uncheck "Start with Windows".
  3. Go to Start > Run and type: services.msc
  4. Press "OK".
  5. In Services, click the "Extended" tab and scroll down the list to find AVG anti-spyware guard.
  6. When you find the guard service, double-click on it.
  7. In the Properties Window > General Tab that opens, click the "Stop" button.
  8. From the drop-down menu next to "Startup Type", click on "Manual".
  9. Now click "Apply", then "OK" and close the Services window.
  10. Once the setup is complete you will need to run AVG Anti-Spyware and update the definition files.
  11. On the main screen select the icon "Update". Then select the "Update now" link.
    • Next select the "Start Update" button; the update will start and a progress bar will show the updates being installed.
    • If you are having problems with the updater, manually update with the AVG Anti-Spyware Full database installer from here.
    • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
    • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
    • Under "Reports":
      • Select "Automatically generate report after every scan"
      • Un-select "Only if threats were found"
    • Close AVG Anti-Spyware. Do not run a scan just yet.

  1. Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit Enter.
  2. IMPORTANT: Do not open any other windows or programs while AVG AS is scanning; it may interfere with the scanning process.
  3. Launch AVG Anti-Spyware by double-clicking the icon on your desktop.
  4. Select the "Scanner" icon at the top and then the "Scan" tab, then click on "Complete System Scan".
  5. AVG AS will now begin the scanning process; be patient, this may take a little time.
  6. Once the scan is complete do the following:
  7. If you have any infections you will be prompted; then select "Apply all actions".
  8. Next select the "Reports" icon at the top.
  9. Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  10. Close AVG AS and reboot your system back into Normal Mode.

  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files; click YES.
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shut down your computer; click OK.
  • Turn your computer back on.

  Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears at reboot. ** If you get a warning in your VundoFix log about updating Java, do not do so. We'll do that later.

  Please go to your HijackThis here: C:\Hijackthis\HijackThis.exe
  Rename HijackThis.exe to analyzer.exe. Following the rename, please run a scan and place a checkmark next to these entries if they still exist:
  (I apologize for the irregular spacing. The forum software is not working correctly.)
  R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
  R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
  O4 - HKLM\..\Run: [PrintDrive] rundll32.exe "C:\WINDOWS\system32\eumgeuwb.dll",setvm
  O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\ugdguqsk.dll",setvm

  Close all windows except analyzer (HijackThis) and click "Fix Checked".
  Reboot into Safemode:
  Turn on the computer.
  Immediately begin tapping the F8 key.
  Use the arrow keys to highlight Safe Mode and press the Enter key.

  Configure to show all files/folders:
  Go to Start>Search and at the top select Tools>Folder Options
  Select the View tab
  Display the contents of system folders
  Show hidden files and folders
  Uncheck: Hide protected operating system files
  Click on Apply.
  Next go to the side of the Search box and select All files and folders. Go down to More advanced options.
  Be sure the first three boxes are selected:
  Search System folders
  Search Hidden Files and folders
  Search SubFolders

  Delete these specified files if they still exist:
  C:\WINDOWS\system32\eumgeuwb.dll --file
  C:\WINDOWS\system32\ugdguqsk.dll --file

  Reboot normally.

  Go back and rehide protected files:
  Start>Search and at the top select Tools>Folder Options
  Select the View tab
  Display the contents of system folders
  Show hidden files and folders
  Check: Hide protected operating system files
  Click on Apply.

  11. Please post your report from AVG Anti-Spyware, the contents of C:\vundofix.txt, and a new analyzer (actually HijackThis) log.
  12. Thanks :)

      10 Posts

      April 23rd, 2007 10:00

hi again,

thanks for the help.

I've downloaded and installed the software as described in your last post.

Seem to be having a problem getting my PC started up into safe mode. It goes as far as asking for my login details and loads my settings, but when it gets to the part when it should show the desktop, it just stays blank! (black screen)

Not sure if one of my programs in the startup is maybe causing it to fully load up.

I'll need to try and get around this problem before I can run the software.

3 Apprentice • 20.5K Posts

April 23rd, 2007 13:00

      It has been a while since you posted. Therefore if you have been online since my last reply to you, the infection could have changed and added new problems.
      The VundoFix tool was updated on April 22. If you downloaded it before that, delete it and run it again using the instructions above. Also please update AVG Anti-Spyware before you run it.
      If you cannot get your computer into Safemode, just do the complete fix in normal mode, and we'll see how your logs look after you reply. Thanks. :)

      Message Edited by Bugbatter on 04-23-2007 10:57 AM

      10 Posts

      April 23rd, 2007 21:00

I posted this in a new thread by mistake at the top of the board.
I'll reply here too in case you miss it.
I got into safe mode after running the 2 scans.
Here are the 3 log files.

      ---------------------------------------------------------
      AVG Anti-Spyware - Scan Report
      ---------------------------------------------------------

      + Created at: 22:10:10 23/04/2007

      + Scan result:



      HKLM\SYSTEM\ControlSet001\Control\DeviceClasses\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\##?#STORAGE#RemovableMedia#6&241bf43f&0&RM#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Control\\ReferenceCount -> Adware.180Solutions : Cleaned with backup (quarantined).
      C:\Documents and Settings\Ryan\My Documents\Incomplete\T-749463-_Myth_ lp ripper (Latest) Unreleased.rar/Setup.exe -> Adware.Virtumonde : Cleaned with backup (quarantined).
      C:\Documents and Settings\Ryan\My Documents\Random Stuff\new stuff\NI.Reaktor.5.rar/NI Reaktor 5\ni+reak5.zip/Native Instruments Reaktor (Version 5.0.0.7) - Crack 01.exe -> Logger.Agent.nbq : Cleaned with backup (quarantined).
      C:\Documents and Settings\Ryan\My Documents\Random Stuff\new stuff\NI.Reaktor.5.rar/NI Reaktor 5\ni+reak5.zip/Native Instruments Reaktor (Version 5.0.0.7) - Crack 02.exe -> Logger.Agent.nbq : Cleaned with backup (quarantined).
      C:\Documents and Settings\Ryan\My Documents\Random Stuff\new stuff\NI.Reaktor.5.rar/NI Reaktor 5\ni+reak5.zip/Native Instruments Reaktor (Version 5.0.0.7) - Crack 03.exe -> Logger.Agent.nbq : Cleaned with backup (quarantined).
      C:\System Volume Information\_restore{A900EB58-EF16-4476-B10D-4A16CB1A68D5}\RP684\A0065577.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned with backup (quarantined).
      C:\System Volume Information\_restore{A900EB58-EF16-4476-B10D-4A16CB1A68D5}\RP708\A0067020.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned with backup (quarantined).
      C:\System Volume Information\_restore{A900EB58-EF16-4476-B10D-4A16CB1A68D5}\RP715\A0068419.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned with backup (quarantined).
      C:\System Volume Information\_restore{A900EB58-EF16-4476-B10D-4A16CB1A68D5}\RP716\A0068646.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned with backup (quarantined).
      C:\System Volume Information\_restore{A900EB58-EF16-4476-B10D-4A16CB1A68D5}\RP718\A0068741.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned with backup (quarantined).
      C:\System Volume Information\_restore{A900EB58-EF16-4476-B10D-4A16CB1A68D5}\RP720\A0069087.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned with backup (quarantined).
      C:\Documents and Settings\Ryan\Cookies\ryan@connextra[2].txt -> TrackingCookie.Connextra : Cleaned.
      C:\Documents and Settings\Ryan\Cookies\ryan@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned.
      C:\Documents and Settings\Ryan\Cookies\ryan@overture[1].txt -> TrackingCookie.Overture : Cleaned.
      C:\Documents and Settings\Ryan\Cookies\ryan@stats1.reliablestats[1].txt -> TrackingCookie.Reliablestats : Cleaned.
      C:\Documents and Settings\Ryan\Cookies\ryan@stats1.reliablestats[2].txt -> TrackingCookie.Reliablestats : Cleaned.
      C:\Program Files\VSAdd-in\VSAdd-in.dll -> Trojan.Agent.acl : Cleaned with backup (quarantined).
      C:\System Volume Information\_restore{A900EB58-EF16-4476-B10D-4A16CB1A68D5}\RP715\A0068457.dll -> Trojan.Agent.acl : Cleaned with backup (quarantined).
      C:\System Volume Information\_restore{A900EB58-EF16-4476-B10D-4A16CB1A68D5}\RP718\A0068842.dll -> Trojan.Agent.acl : Cleaned with backup (quarantined).
      [1220] C:\WINDOWS\system32\hgddd.dll -> Trojan.Vundo.ah : Cleaned with backup (quarantined).
      [692] C:\WINDOWS\system32\hgddd.dll -> Trojan.Vundo.ah : Cleaned with backup (quarantined).


      ::Report end



      VundoFix V6.2.6

      Checking Java version...

      Scan started at 01:34:17 31/10/2006

      Listing files found while scanning....

      No infected files were found.


      Beginning removal...

      VundoFix V6.3.20

      Checking Java version...

      Scan started at 22:15:04 23/04/2007

      Listing files found while scanning....

      C:\Documents and settings\Ryan\Application Data\SearchToolbarCorp\Toolbar Vision\PageHistory.txt
      C:\Documents and settings\Ryan\Application Data\SearchToolbarCorp\Toolbar Vision\WebHistory.txt
      C:\WINDOWS\system32\bvycanlx.dll
      C:\WINDOWS\system32\ddcywxw.dll
      C:\WINDOWS\system32\dddgh.bak1
      C:\WINDOWS\system32\dddgh.bak2
      C:\WINDOWS\system32\dddgh.ini
      C:\WINDOWS\system32\dddgh.ini2
      C:\WINDOWS\system32\dddgh.tmp
      C:\WINDOWS\system32\fccyvus.dll
      C:\WINDOWS\system32\hgddd.dll
      C:\WINDOWS\system32\iutsbmln.dll
      C:\WINDOWS\system32\jwmfdynd.dll
      C:\WINDOWS\system32\opnlmjj.dll
      C:\WINDOWS\system32\qomkiih.dll
      C:\WINDOWS\system32\uqrogsqf.dll
      C:\WINDOWS\system32\vtuuuvt.dll

      Beginning removal...

      Attempting to delete C:\Documents and settings\Ryan\Application Data\SearchToolbarCorp\Toolbar Vision\PageHistory.txt
      C:\Documents and settings\Ryan\Application Data\SearchToolbarCorp\Toolbar Vision\PageHistory.txt Has been deleted!

      Attempting to delete C:\Documents and settings\Ryan\Application Data\SearchToolbarCorp\Toolbar Vision\WebHistory.txt
      C:\Documents and settings\Ryan\Application Data\SearchToolbarCorp\Toolbar Vision\WebHistory.txt Has been deleted!

      Attempting to delete C:\WINDOWS\system32\bvycanlx.dll
      C:\WINDOWS\system32\bvycanlx.dll Has been deleted!

      Attempting to delete C:\WINDOWS\system32\ddcywxw.dll
      C:\WINDOWS\system32\ddcywxw.dll Has been deleted!

      Attempting to delete C:\WINDOWS\system32\dddgh.bak1
      C:\WINDOWS\system32\dddgh.bak1 Has been deleted!

      Attempting to delete C:\WINDOWS\system32\dddgh.bak2
      C:\WINDOWS\system32\dddgh.bak2 Has been deleted!

      Attempting to delete C:\WINDOWS\system32\dddgh.ini
      C:\WINDOWS\system32\dddgh.ini Has been deleted!

      Attempting to delete C:\WINDOWS\system32\dddgh.ini2
      C:\WINDOWS\system32\dddgh.ini2 Has been deleted!

      Attempting to delete C:\WINDOWS\system32\dddgh.tmp
      C:\WINDOWS\system32\dddgh.tmp Has been deleted!

      Attempting to delete C:\WINDOWS\system32\fccyvus.dll
      C:\WINDOWS\system32\fccyvus.dll Has been deleted!

      Attempting to delete C:\WINDOWS\system32\hgddd.dll
      C:\WINDOWS\system32\hgddd.dll Has been deleted!

      Attempting to delete C:\WINDOWS\system32\iutsbmln.dll
      C:\WINDOWS\system32\iutsbmln.dll Has been deleted!

      Attempting to delete C:\WINDOWS\system32\jwmfdynd.dll
      C:\WINDOWS\system32\jwmfdynd.dll Has been deleted!

      Attempting to delete C:\WINDOWS\system32\opnlmjj.dll
      C:\WINDOWS\system32\opnlmjj.dll Has been deleted!

      Attempting to delete C:\WINDOWS\system32\qomkiih.dll
      C:\WINDOWS\system32\qomkiih.dll Has been deleted!

      Attempting to delete C:\WINDOWS\system32\uqrogsqf.dll
      C:\WINDOWS\system32\uqrogsqf.dll Has been deleted!

      Attempting to delete C:\WINDOWS\system32\vtuuuvt.dll
      C:\WINDOWS\system32\vtuuuvt.dll Has been deleted!

      Performing Repairs to the registry.
      Done!

      Logfile of HijackThis v1.99.1
      Scan saved at 22:50:39, on 23/04/2007
      Platform: Windows XP SP2 (WinNT 5.01.2600)
      MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

      Running processes:
      C:\WINDOWS\System32\smss.exe
      C:\WINDOWS\system32\winlogon.exe
      C:\WINDOWS\system32\services.exe
      C:\WINDOWS\system32\lsass.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\System32\svchost.exe
      C:\Program Files\Virgin Broadband\PCguard\fws.exe
      C:\WINDOWS\system32\spoolsv.exe
      C:\WINDOWS\Explorer.EXE
      C:\Program Files\Google\Gmail Notifier\gnotify.exe
      C:\WINDOWS\system32\RunDll32.exe
      C:\Program Files\Virgin Broadband\PCguard\Rps.exe
      C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe
      C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
      C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
      C:\WINDOWS\system32\ctfmon.exe
      C:\Program Files\Common Files\Command Software\dvpapi.exe
      C:\PROGRA~1\Iomega\System32\AppServices.exe
      C:\WINDOWS\system32\svchost.exe
      C:\Program Files\Iomega\AutoDisk\ADService.exe
      C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
      C:\WINDOWS\System32\svchost.exe
      C:\WINDOWS\system32\wuauclt.exe
      C:\Hijackthis\analyzer.exe.exe

      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
      R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
      O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
      O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - C:\WINDOWS\system32\copupaam.dll
      O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Virgin Broadband\PCguard\pkR.dll
      O2 - BHO: (no name) - {4706B236-685A-4289-9393-BCB53BD4ED43} - C:\WINDOWS\system32\hgddd.dll (file missing)
      O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
      O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Virgin Broadband\PCguard\FBHR.dll
      O2 - BHO: (no name) - {7B31E370-5EB2-40B2-815B-8C39CE1BAE72} - C:\WINDOWS\system32\innxcgoo.dll
      O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
      O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
      O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
      O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
      O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
      O4 - HKLM\..\Run: [PCguard] "C:\Program Files\Virgin Broadband\PCguard\Rps.exe"
      O4 - HKLM\..\Run: [NSLauncher] C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe /startup
      O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
      O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
      O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
      O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
      O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
      O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
      O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
      O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
      O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.co.uk/SnapfishUKActivia.cab
      O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aolsvc.aol.co.uk/computercheckup/qdiagcc.cab
      O17 - HKLM\System\CCS\Services\Tcpip\..\{8FC1C5A5-F980-49F1-B20E-635EC7315313}: NameServer = 192.168.254.2
      O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
      O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
      O20 - Winlogon Notify: WgaLogon - WgaLogon.dll (file missing)
      O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
      O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
      O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
      O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
      O23 - Service: PCguard Firewall (RP_FWS) - Radialpoint Inc. - C:\Program Files\Virgin Broadband\PCguard\fws.exe
      O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
      O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

3 Apprentice • 20.5K Posts

April 24th, 2007 04:00

      So far, so good, but we have more to do. Try to not do any surfing until you are clean. This infection tends to return.

* Double-click VundoFix.exe to run it.
* Click the Scan for Vundo button.
* Once the scan is complete, right-click inside the listbox (white box) and click "add more files".

* Copy and paste the entries below into the boxes:

C:\WINDOWS\system32\copupaam.dll
C:\WINDOWS\system32\maapupoc.*
C:\WINDOWS\system32\innxcgoo.dll
C:\WINDOWS\system32\oogcxnni.*

* Click Add Files. Repeat until they are all added. Click Close Window.
* Click the Remove Vundo button.
* You will receive a prompt asking if you want to remove the files; click YES.
* Once you click yes, your desktop will go blank as it starts removing Vundo.
* When completed, it will prompt that it will shut down your computer; click OK.
* Turn your computer back on.

      ** If you get a warning in your VundoFix log about updating Java, do not do so until I can give you further instructions.

      Please launch analyzer (HijackThis) and place a checkmark next to these if they still exist:
      O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - C:\WINDOWS\system32\copupaam.dll
      O2 - BHO: (no name) - {4706B236-685A-4289-9393-BCB53BD4ED43} - C:\WINDOWS\system32\hgddd.dll (file missing)
      O2 - BHO: (no name) - {7B31E370-5EB2-40B2-815B-8C39CE1BAE72} - C:\WINDOWS\system32\innxcgoo.dll
      O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
      O20 - Winlogon Notify: WgaLogon - WgaLogon.dll (file missing)

      Close all windows except analyzer and click "Fix Checked".

      Reboot.

      * Please post the contents of C:\vundofix.txt and a new analyzer log.
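The two helper posts above pick entries out of the HijackThis logs by hand (the rundll32 Run entries in the April 16th post, the unnamed and "file missing" BHOs plus the reversed-name wildcards maapupoc.* and oogcxnni.* in the April 24th post). The script below is an added example, not a tool from this thread or from HijackThis/VundoFix; it assumes the HijackThis v1.99.1 line format shown in the logs, and its sample log is constructed from entry shapes taken from this thread, with benign lines mixed in so the heuristics have to discriminate.

```python
"""Triage a HijackThis v1.99.1 log for the Vundo/Virtumonde indicators this
thread works through. Added example; triage() and vundofix_additions() are
names chosen here, not from any tool in the thread.

Heuristics (each is a reason for an analyst to look, not a verdict):
  * an entry whose file is gone ("(file missing)" / "(no file)"): an orphaned
    registry entry, which is what HijackThis "Fix Checked" removes;
  * an O2 BHO with "(no name)" that loads straight from system32;
  * an O4 Run entry where rundll32 loads a lowercase, random-looking DLL
    from system32 (eumgeuwb.dll / ugdguqsk.dll in the first log).
For every random-looking DLL the reversed-name wildcard is emitted, because
this family keeps a companion whose name is the DLL name spelled backwards
(hgddd.dll <-> dddgh.ini/.bak1/.tmp, copupaam.dll <-> maapupoc.*).
"""
import re
from dataclasses import dataclass
from typing import Optional

ENTRY_RE = re.compile(r"^(R\d|O\d+) - (.*)$")
# optional directory, then the DLL basename; case-insensitive so .DLL also matches
DLL_RE = re.compile(r'(?:([A-Za-z]:\\[^",]*?)\\)?([\w~\-]+\.dll)\b', re.IGNORECASE)
SYSTEM32_RE = re.compile(r"^[A-Za-z]:\\WINDOWS\\system32$", re.IGNORECASE)
RANDOM_STEM_RE = re.compile(r"[a-z]{5,8}")  # case-sensitive on purpose: NvMcTray passes


@dataclass
class Finding:
    section: str                     # HijackThis section code, e.g. "O4"
    line: str                        # the log line as written
    reasons: list                    # why an analyst should look at it
    dll: Optional[str] = None        # DLL basename, if the entry names one
    companion: Optional[str] = None  # reversed-name wildcard for VundoFix


def triage(log_text: str) -> list:
    """Return a Finding for each entry that trips at least one heuristic."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header, blank line, or a "Running processes" path
        section, body = m.group(1), m.group(2)
        reasons, dll, companion = [], None, None

        dm = DLL_RE.search(body)
        in_system32 = bool(dm and dm.group(1) and SYSTEM32_RE.match(dm.group(1)))
        if dm:
            dll = dm.group(2)
            stem = dll[: -len(".dll")]
            if in_system32 and RANDOM_STEM_RE.fullmatch(stem):
                companion = stem[::-1] + ".*"  # the family's backwards-named twin

        if "(file missing)" in body or "(no file)" in body:
            reasons.append("points at a file that no longer exists (orphaned entry)")
        if section == "O2" and "(no name)" in body and in_system32:
            reasons.append("unnamed BHO loaded directly from system32")
        if section == "O4" and companion and re.search(r"rundll32", body, re.I):
            reasons.append("rundll32 autorun of a random-looking DLL in system32")

        if reasons:
            findings.append(Finding(section, line, reasons, dll, companion))
    return findings


def vundofix_additions(findings) -> list:
    """Wildcards to paste into VundoFix's "add more files" box, in log order."""
    seen, out = set(), []
    for f in findings:
        if f.companion and f.companion not in seen:
            seen.add(f.companion)
            out.append(f.companion)
    return out


# Constructed sample: entry shapes copied from this thread's logs, with benign
# Adobe/Spybot/NVIDIA/ctfmon lines so the heuristics have to discriminate.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\ctfmon.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - C:\WINDOWS\system32\copupaam.dll
O2 - BHO: (no name) - {4706B236-685A-4289-9393-BCB53BD4ED43} - C:\WINDOWS\system32\hgddd.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PrintDrive] rundll32.exe "C:\WINDOWS\system32\eumgeuwb.dll",setvm
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\ugdguqsk.dll",setvm
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: WgaLogon - WgaLogon.dll (file missing)
"""

if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for f in hits:
        print(f"{f.section}: {f.line}\n    why: {'; '.join(f.reasons)}")
    print("VundoFix extra files:", ", ".join(vundofix_additions(hits)))
```

The Spybot SDHelper.dll line is "(no name)" too but lives under Program Files, which is why the system32 condition matters; in practice the analyst still reviews every hit before anything is fixed.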

      10 Posts

      April 24th, 2007 17:00

OK, here goes.


      VundoFix V6.3.20

      Checking Java version...

      Scan started at 19:28:39 24/04/2007

      Listing files found while scanning....

      No infected files were found.


      Beginning removal...

      Attempting to delete C:\WINDOWS\system32\copupaam.dll
      C:\WINDOWS\system32\copupaam.dll Has been deleted!

      Attempting to delete C:\WINDOWS\system32\innxcgoo.dll
      C:\WINDOWS\system32\innxcgoo.dll Has been deleted!

      Performing Repairs to the registry.
      Done!


      Logfile of HijackThis v1.99.1
      Scan saved at 19:57:36, on 24/04/2007
      Platform: Windows XP SP2 (WinNT 5.01.2600)
      MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

      Running processes:
      C:\WINDOWS\System32\smss.exe
      C:\WINDOWS\system32\winlogon.exe
      C:\WINDOWS\system32\services.exe
      C:\WINDOWS\system32\lsass.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\System32\svchost.exe
      C:\Program Files\Virgin Broadband\PCguard\fws.exe
      C:\WINDOWS\system32\spoolsv.exe
      C:\WINDOWS\Explorer.EXE
      C:\Program Files\Google\Gmail Notifier\gnotify.exe
      C:\WINDOWS\system32\RunDll32.exe
      C:\Program Files\Virgin Broadband\PCguard\Rps.exe
      C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe
      C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
      C:\Program Files\Common Files\Command Software\dvpapi.exe
      C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
      C:\PROGRA~1\Iomega\System32\AppServices.exe
      C:\WINDOWS\system32\ctfmon.exe
      C:\WINDOWS\system32\svchost.exe
      C:\Program Files\Iomega\AutoDisk\ADService.exe
      C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
      C:\WINDOWS\System32\svchost.exe
      C:\WINDOWS\system32\wuauclt.exe
      C:\Program Files\Opera\Opera.exe
      C:\Hijackthis\analyzer.exe.exe

      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
      R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
      O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
      O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Virgin Broadband\PCguard\pkR.dll
      O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
      O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Virgin Broadband\PCguard\FBHR.dll
      O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
      O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
      O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
      O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
      O4 - HKLM\..\Run: [PCguard] "C:\Program Files\Virgin Broadband\PCguard\Rps.exe"
      O4 - HKLM\..\Run: [NSLauncher] C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe /startup
      O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
      O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
      O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
      O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
      O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
      O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
      O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
      O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
      O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.co.uk/SnapfishUKActivia.cab
      O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aolsvc.aol.co.uk/computercheckup/qdiagcc.cab
      O17 - HKLM\System\CCS\Services\Tcpip\..\{8FC1C5A5-F980-49F1-B20E-635EC7315313}: NameServer = 192.168.254.2
      O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
      O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
      O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
      O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
      O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
      O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
      O23 - Service: PCguard Firewall (RP_FWS) - Radialpoint Inc. - C:\Program Files\Virgin Broadband\PCguard\fws.exe
      O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
      O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

      3 Apprentice

       • 

      20.5K Posts

      April 24th, 2007 20:00

      That looks better. :) We still have a little more work to do...

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. It is possible that you may be running Java code in your applications that absolutely requires a specific version of the JRE to run. Please follow these steps to remove older version Java components and update.

      Updating Java:
      • Download the latest version of Java Runtime Environment (JRE) 6.
      • Scroll down to where it says "Java Runtime Environment (JRE) 6u1 allows end-users to run Java applications".
      • Click the "Download" button to the right.
      • Check the box that says: "Accept License Agreement".
      • The page will refresh.
      • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
      • Close any programs you may have running - especially your web browser.
      • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
      • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
      • Click the Remove or Change/Remove button.
• Repeat as many times as necessary to remove each Java version.

      • Reboot your computer once all Java components are removed.
      • Then from your desktop double-click on jre-6u1-windows-i586-p.exe to install the newest version.

      Official JAVA Installation Instructions if needed.

      Following that, please post a fresh analyzer (HijackThis) log for final review, and let me know if your issue has been resolved. Thanks.

      10 Posts

      April 24th, 2007 23:00

That's great, thanks a million for your help. I'll monitor the PC over the next couple of nights and report back my progress.
Here's the final log.

      Logfile of HijackThis v1.99.1
      Scan saved at 01:34:29, on 25/04/2007
      Platform: Windows XP SP2 (WinNT 5.01.2600)
      MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

      Running processes:
      C:\WINDOWS\System32\smss.exe
      C:\WINDOWS\system32\winlogon.exe
      C:\WINDOWS\system32\services.exe
      C:\WINDOWS\system32\lsass.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\System32\svchost.exe
      C:\Program Files\Virgin Broadband\PCguard\fws.exe
      C:\WINDOWS\system32\spoolsv.exe
      C:\WINDOWS\Explorer.EXE
      C:\Program Files\Google\Gmail Notifier\gnotify.exe
      C:\WINDOWS\system32\RunDll32.exe
      C:\Program Files\Virgin Broadband\PCguard\Rps.exe
      C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe
      C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
      C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
      C:\WINDOWS\system32\ctfmon.exe
      C:\Program Files\Common Files\Command Software\dvpapi.exe
      C:\PROGRA~1\Iomega\System32\AppServices.exe
      C:\WINDOWS\system32\svchost.exe
      C:\Program Files\Iomega\AutoDisk\ADService.exe
      C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
      C:\WINDOWS\System32\svchost.exe
      C:\WINDOWS\system32\wuauclt.exe
      C:\WINDOWS\system32\msiexec.exe
      C:\Program Files\Opera\Opera.exe
      C:\Hijackthis\analyzer.exe.exe

      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
      R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
      O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
      O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Virgin Broadband\PCguard\pkR.dll
      O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
      O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Virgin Broadband\PCguard\FBHR.dll
      O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
      O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
      O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
      O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
      O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
      O4 - HKLM\..\Run: [PCguard] "C:\Program Files\Virgin Broadband\PCguard\Rps.exe"
      O4 - HKLM\..\Run: [NSLauncher] C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe /startup
      O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
      O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
      O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
      O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
      O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
      O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
      O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
      O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
      O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
      O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.co.uk/SnapfishUKActivia.cab
      O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aolsvc.aol.co.uk/computercheckup/qdiagcc.cab
      O17 - HKLM\System\CCS\Services\Tcpip\..\{8FC1C5A5-F980-49F1-B20E-635EC7315313}: NameServer = 192.168.254.2
      O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
      O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
      O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
      O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
      O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
      O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
      O23 - Service: PCguard Firewall (RP_FWS) - Radialpoint Inc. - C:\Program Files\Virgin Broadband\PCguard\fws.exe
      O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
      O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe
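
The helper's "final review" is a comparison of this fresh log against the one posted earlier, to confirm that only the expected Java changes appeared. As an added example that is not part of this thread or of HijackThis itself, the following Python script parses HijackThis v1.99.1 log lines (the R/O section entries and the "Running processes" list) and reports which entries and processes appeared or disappeared between two logs. The two embedded excerpts are copied from the 24/04/2007 and 25/04/2007 logs posted above, trimmed to the lines that differ; the `Entry`, `Log`, `parse_log` and `diff_logs` names are this example's own.

```python
"""Parse HijackThis v1.99.1 logs and diff two of them (added example)."""
import re
from dataclasses import dataclass

# Entry lines look like "O2 - BHO: name - {CLSID} - C:\path\file.dll".
# HijackThis sections are R0-R3, F0-F3, N1-N4 and O1-O24.
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - (?P<body>.+)$")
# First drive-letter path in an entry, up to the module name (.dll/.exe/.cpl).
PATH_RE = re.compile(r"[A-Za-z]:\\[^\"\n]*?\.(?:dll|exe|cpl)\b", re.IGNORECASE)
CLSID_RE = re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}", re.IGNORECASE)
# Lines under "Running processes:" are bare executable paths.
PROCESS_RE = re.compile(r"^[A-Za-z]:\\\S.*\.exe$", re.IGNORECASE)


@dataclass(frozen=True)          # frozen => hashable, so entries can live in sets
class Entry:
    section: str                 # "R0", "O2", "O23", ...
    body: str                    # everything after "Oxx - "

    @property
    def clsid(self):
        m = CLSID_RE.search(self.body)
        return m.group(0).upper() if m else None

    @property
    def path(self):
        m = PATH_RE.search(self.body)
        return m.group(0) if m else None


@dataclass
class Log:
    processes: list
    entries: list

    def by_section(self):
        grouped = {}
        for e in self.entries:
            grouped.setdefault(e.section, []).append(e)
        return grouped


def parse_log(text):
    """Split a HijackThis log into its process list and its section entries."""
    processes, entries, in_processes = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_processes = False         # first entry line ends the process list
            entries.append(Entry(m.group("section"), m.group("body")))
        elif in_processes and PROCESS_RE.match(line):
            processes.append(line)
    return Log(processes, entries)


def diff_logs(old, new):
    """Entries and processes that appeared in, or disappeared from, the new log."""
    key = lambda e: (e.section, e.body)
    old_e, new_e = set(old.entries), set(new.entries)
    old_p, new_p = set(old.processes), set(new.processes)
    return {
        "added_entries": sorted(new_e - old_e, key=key),
        "removed_entries": sorted(old_e - new_e, key=key),
        "added_processes": sorted(new_p - old_p),
        "removed_processes": sorted(old_p - new_p),
    }


# Excerpts copied from the two logs posted in this thread (lines that differ).
OLD_LOG = r"""
Logfile of HijackThis v1.99.1
Scan saved at 19:57:36, on 24/04/2007

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Opera\Opera.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
"""

NEW_LOG = r"""
Logfile of HijackThis v1.99.1
Scan saved at 01:34:29, on 25/04/2007

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Opera\Opera.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
"""

if __name__ == "__main__":
    report = diff_logs(parse_log(OLD_LOG), parse_log(NEW_LOG))
    for kind, items in report.items():
        print(kind)
        for item in items:
            print("   ", getattr(item, "body", item))
```

Run against the two excerpts, the only differences it reports are the new Java 6u1 BHO, the `SunJavaUpdateSched` run entry, the two Java console entries whose path moved from `jre1.5.0` to `jre1.6.0_01`, and the `msiexec.exe` process left over from the installer, which is exactly the set of changes the update steps above were expected to produce.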

      10 Posts

      April 28th, 2007 01:00

Just a follow-up to say everything has been great since your help. Thanks again.

      3 Apprentice

       • 

      20.5K Posts

      April 28th, 2007 02:00

      You're welcome. Your log appears to be in good shape.

      After something like this it is a good idea to purge the Restore Points and start fresh.
      If everything is running well....
      To flush the XP System Restore Points:
      (Using XP, you must be logged in as Administrator to do this.)
      Go to Start>Run and type msconfig Press enter.
      When msconfig opens, click the Launch System Restore Button.
      On the next page, click the System Restore Settings Link on the left.
      Check the box labeled Turn Off System Restore.

      Reboot. Go back in and turn System Restore ON. A new Restore Point will be created.

      Here is my standard list of simple steps that you can take to reduce the chance of infection in the future.

      You may have already taken some of these steps:
      1. Visit Windows Update:
      Make sure that you have all the Critical Updates recommended for your operating system and IE. The first defense against infection is a properly patched OS.
      Windows Update: http://v4.windowsupdate.microsoft.com/en/default.asp

      2. Adjust your security settings for ActiveX:
      Go to Internet Options/Security/Internet, press 'default level', then OK.
      Now press "Custom Level."
In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to 'prompt', and "Initialize and Script ActiveX controls not marked as safe" to 'disable'.

      3. Download and install the following free programs:
      a. SpywareBlaster:
      http://www.javacoolsoftware.com/spywareblaster.html
      Tutorial here: http://www.bleepingcomputer.com/forums/tutorial49.html
      b. SpywareGuard:
      http://www.javacoolsoftware.com/spywareguard.html
      Tutorial here: http://www.bleepingcomputer.com/tutorials/tutorial50.html
      Periodically check for updates in both programs.

      4. Please use a firewall and realtime anti-virus. Keep the anti-virus software and firewall software up to date.
      Note: Zone Alarm Firewall (Zone Labs) http://www.zonelabs.com/store/content/company/products/trial_zaFamily/trial_zaFamily.jsp?lid=home_freedownloads
      Sunbelt Kerio has a free version: http://www.kerio.com/kpf_download.html

      5. You might consider installing Mozilla / Firefox.
      http://www.mozilla.org/

      6. Install spyware detection and removal programs:
      You may also want to consider installing either or both of AdAware (free version) and Spybot S&D (freeware). Use these programs to regularly scan your system for and remove many forms of spyware/malware.

      a. Ad-aware: http://www.lavasoft.de/software/adaware/

      b. SpyBot S&D: http://safer-networking.org/en/news/2005-05-31.html

      I would check for updates in SpyBot once a week or so.
      Check for updates in Ad-aware frequently.

      If you have recently installed AVG Anti-Spyware, it is a free trial product for 30 days. After that you can purchase it for full features OR you can also keep the free version to use as an on-demand scanner (recommended).
You will still be able to manually update it using the *update* button.

      7. Before using or purchasing any Spyware/Malware protection/removal program, always check the Rogue/Suspect Spyware List.
      Here is the link:
      http://www.spywarewarrior.com/rogue_anti-spyware.htm

      8. If you have not already done so, you might want to install CCleaner and run it in each user's profile: http://www.ccleaner.com/
      ** UNcheck the option to install the Yahoo toolbar that is checked by default for the Standard version, or download the toolbar-free versions (Slim or Basic) when given the option for those.

      9. If you use Adobe Reader it may need to be updated to be sure that you have a more secure version. If you are using a version prior to v. 6.05, you should update to 6.05, preferably version 8. It would be best to remove prior versions before updating to a new version.
      Info here: http://www.adobe.com/support/security/bulletins/apsb06-20.html
      If you need additional assistance, the Adobe forums are here: http://www.adobe.com/support/forums/main.html

      10. Make sure you are using the most updated version of Java.
      The current version is Java Runtime Environment (JRE) 6u1

      You can go here to download the latest version of Java Runtime Environment (JRE) 6.
      Scroll down to where it says " Java Runtime Environment (JRE) 6u1 allows end-users to run Java applications".

      Click the link to download the Windows (Offline Installation) package: Save it, do not run it. When the download is complete, close the browser.

      Remove all prior versions using Add/Remove Programs, and delete the Java folder in Program Files.
      Reboot your computer once all Java components are removed.
      Then from your desktop double-click on jre-6u1-windows-i586-p.exe to install the newest version.
      Official JAVA Installation Instructions if needed.
      Reboot.

11. Practice Safe Surfing with SiteAdvisor by McAfee. SiteAdvisor is a browser plugin that assigns a safety rating to domains listed in your search engine.
      The following color codes are used by SiteAdvisor to indicate the safety of each site.

      Red for Warning
      Yellow for Use Caution
      Green for Safe
      Grey for Unknown


      12. Here are some helpful articles:
      "So how did I get infected in the first place?"
      by TonyKlein
      http://computercops.biz/postlite7736-.html

      "I'm not pulling your leg, honest"
      by Sandi Hardmeier
      http://www.microsoft.com/windows/IE/community/columns/pulling.mspx

      13. This is an excellent resource for users of all levels. General computer maintenance as well as internet security is covered.
      Rootkits for Dummies
      (Paperback)
      by Larry Stevenson (Author), Nancy Altholz (Author)

      Let us know if we have not resolved your problem. Otherwise, you are good to go.
      Happy and Safe Surfing!