Posts posted by tj416

  1. Hi DocAlucard,

    Thanks for submitting the files!

    Please download VundoFix.exe to your desktop.

    • Double-click VundoFix.exe to run it.
    • Put a check next to Run VundoFix as a task.
    • You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
    • When VundoFix re-opens, click the Scan for Vundo button.
    • Once it's done scanning, click the Remove Vundo button.
    • You will receive a prompt asking if you want to remove the files, click YES
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will shutdown your computer, click OK.
    • Turn your computer back on.
    • Please post the contents of C:\vundofix.txt and a new HiJackThis log.

  2. Hi DocAlucard,

    CLICK THIS LINK TO BE SURE YOU CAN VIEW HIDDEN FILES

    Please go here:

    The Spy Killer Forum

    • Click on "New Topic"
    • Put your name, e-mail address, and this as the title: "Trojan-Downloader.Win32.Delf.pa files"
    • Put a link to this topic in the description box.
    • Then next to the file box, at the bottom, click the browse button, then navigate to this file:
      • C:\WINNT\g11046554.dll
    • Click Open.
    • Repeat the above two steps for these files too:
      • C:\WINNT\SYSTEM32\pmnmnno.dll
      • C:\WINNT\SYSTEM32\windpk32.dll
      • C:\WINNT\system32\admparsek.dll
      • C:\WINNT\system32\compstuic.dll
    • Click Post.

    Thank you!

  3. Hi lolocaust,

    CLICK THIS LINK TO BE SURE YOU CAN VIEW HIDDEN FILES

    Please go here:

    The Spy Killer Forum

    • Click on "New Topic"
    • Put your name, e-mail address, and this as the title: "C:\WINDOWS\system32\rcnoke\csrss.exe"
    • Put a link to this Besttechie topic in the description box.
    • Then next to the file box, at the bottom, click the browse button, then navigate to this file:
      • C:\WINDOWS\system32\rcnoke\csrss.exe (If you can't find the file, skip this step and proceed to the next step)
    • Click Open.
    • Click Post.

    Then, download and run CWShredder:

    • Download CWShredder.
    • Save CWShredder.exe to a convenient location.
    • Double-click on CWShredder.exe.
    • Click "Fix ->" and click "OK" at the prompt.
    • CWShredder will scan and clean your system of CWS files.
    • Click "Next->" and then "Exit".

    Then, please download Brute Force Uninstaller.

    Unzip it to its own folder (c:\BFU)

    RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra Remover. Save it in the folder you made earlier (c:\BFU).

    Open My Computer and navigate to the c:\BFU folder. Start the Brute Force Uninstaller by double-clicking BFU.exe

    In the scriptline to execute field copy and paste c:\bfu\p2pnetwork.bfu

    Press execute and let it do its job.

    Wait for the complete script execution box to pop up and press OK.

    Press exit to terminate the BFU program.

    Then, go to Add/Remove Programs and uninstall (if present):

    IST Service

    Then please run HijackThis, click Scan, and check the following:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.euveeaqbewamveumxxaghiwiw.info/...tWOrqGCCPy.html

    F3 - REG:win.ini: load=C:\WINDOWS\system32\rcnoke\csrss.exe

    F3 - REG:win.ini: run=C:\WINDOWS\system32\rcnoke\csrss.exe

    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)

    O2 - BHO: C:\DOCUME~1\Anthony\LOCALS~1\Temp\ssc.dll - {60E61928-B0DE-47C0-8EB1-D9C9417647D7} - C:\DOCUME~1\Anthony\LOCALS~1\Temp\ssc.dll

    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

    O4 - HKLM\..\Run: [454f66a6] C:\WINDOWS\system32\454f66a6.exe

    O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto

    O4 - HKLM\..\Run: [iST Service] C:\Program Files\ISTsvc\istsvc.exe

    O15 - Trusted Zone: *.coolwebsearch.com

    Close all open windows and click Fix Checked.

    Then, reboot in Safe mode. To reboot in Safe mode:

    Restart your computer and immediately begin tapping the F8 key on your keyboard. If done right a Windows Advanced Options menu will appear. Select the Safe Mode option and press Enter.

    Then, delete this file:

    C:\WINDOWS\system32\454f66a6.exe

    Then, delete these folders (if present):

    C:\Program Files\ISTsvc

    C:\WINDOWS\system32\rcnoke

    Then, clean out temporary files:

    • Start | Run | type cleanmgr | OK
    • Let it scan your system for files to remove.
    • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
    • Click "OK" to remove them.
    • Click "Yes" to confirm the deletion.

    Then, reboot (in the normal mode).

    Then, please go HERE to run Panda's ActiveScan

    • Once you are on the Panda site click the Scan your PC button
    • A new window will open...click the Check Now button
    • Enter your Country
    • Enter your State/Province
    • Enter your e-mail address and click send
    • Select either Home User or Company
    • Click the big Scan Now button
    • If it wants to install an ActiveX component allow it
    • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    • When download is complete, click on My Computer to start the scan
    • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

    Then, open Hijackthis, click "Open the Misc Tools section"

    Next to "Generate StartupList log", place a check next to "List also minor sections" (full) and "List empty sections" (complete).

    Then click "Generate StartupList log"

    Click "Yes" to the box that pops-up.

    Then copy and paste the notepad text that appears to this topic and also post your ActiveScan report and also a fresh HijackThis log in this thread.

  4. Hi lolocaust,

    Let us try this again....

    Please download MsnVirRem (either zip or self-extracting .exe), and save it to your desktop. Once in place, right click the zip file (or double click the exe), and extract the files to your desktop. It will create another folder called MsnVirRem. DO NOT RUN ANYTHING IN IT YET.

    Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work.

    In the new MsnVirRem folder that you should have on your desktop, double click MsnVir.bat and let it run its course. A DOS window should pop up. Let it run until it disappears. It will take time to scan your machine.

    After it disappears, reboot back into normal mode, and post a fresh HijackThis Log.

  5. Hi lolocaust,

    Please download MsnVirRem (either zip or self-extracting .exe), and save it to your desktop. Once in place, right click the zip file (or double click the exe), and extract the files to your desktop. It will create another folder called MsnVirRem. DO NOT RUN ANYTHING IN IT YET.

    Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work.

    In the new MsnVirRem folder that you should have on your desktop, double click MsnVir.bat and let it run its course. A DOS window should pop up. Let it run until it disappears. It will take time to scan your machine.

    After it disappears, reboot back into normal mode, and post a fresh HijackThis Log and contents of C:\vundofix.txt in this thread using the "Add Reply" button.

  6. Hi lolocaust,

    Please download VundoFix.exe to your desktop.

    • Double-click VundoFix.exe to run it.
    • Put a check next to Run VundoFix as a task.
    • You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
    • When VundoFix re-opens, click the Scan for Vundo button.
    • Once it's done scanning, click the Remove Vundo button.
    • You will receive a prompt asking if you want to remove the files, click YES
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will shutdown your computer, click OK.
    • Turn your computer back on.
    • Please post the contents of C:\vundofix.txt and a new HiJackThis log.

  7. Hi ampshock,

    Don't forget to re-hide all files and folders. To re-hide all files and folders:

    • Open My Computer.
    • Select the Tools menu and click Folder Options.
    • Select the View Tab.
    • Under the Hidden files and folders heading deselect "Show hidden files and folders".
    • Check the Hide protected operating system files (recommended) option.
    • Click Yes to confirm.
    • Click OK.

    To prevent re-infection in the future:

    • I suggest you download Spyware Blaster to prevent the installation of Spyware in the first place.
    • IE-Spyad puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all and I suggest you download it.
    • Another excellent program I recommend is SpywareGuard. It provides a degree of real-time protection solution against spyware that is a great addition to SpywareBlaster's protection method.
    • I recommend that you read a thread titled So how do I get infected in the first place? by Tony Klein which informs you on how to tighten the security of your PC.

    Take care,

    TJ

  8. Hi ampshock,

    You may want to print out these instructions or save them to your desktop as a text file with Notepad because we will be restarting into Safe Mode later on in the fix and you might not be able to access the Internet.

    Go to Add/Remove Programs and uninstall (if present):

    winsupdater

    winupdates

    ISTsvc

    DNS

    Then, open HijackThis, run a scan and check these items:

    O2 - BHO: Internet Explorer Web Content Catcher - {FFF4E223-7019-4ce7-BE03-D7D3C8CCE884} - C:\Program Files\DNS\Catcher.dll

    O4 - HKLM\..\Run: [] winlog.exe

    O4 - HKLM\..\Run: [winsupdater] C:\Program Files\winsupdater\winsupdater.exe /auto

    O4 - HKLM\..\Run: [aXRcE] C:\WINDOWS\xwwebhfa.exe

    O4 - HKLM\..\Run: [KmeOkbvF5] C:\WINDOWS\sudfpt.exe

    O4 - HKLM\..\Run: [KmeOkbvùõš/‚²‘ÆßfÃC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\sudfpt.exe

    O4 - HKLM\..\Run: [ó# ë"h'þ9ÓœW3rÅ°WC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\sudfpt.exe

    O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto

    O4 - HKLM\..\RunServices: [] winlog.exe

    O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-58-12-0000140.exe

    O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-58-12-0000140.exe

    Now please close all windows and browsers, except HijackThis, and have HijackThis fix them by clicking on Fix Checked.

    Then, reboot in Safe mode. To reboot in Safe mode:

    Restart your computer and immediately begin tapping the F8 key on your keyboard. If done right a Windows Advanced Options menu will appear. Select the Safe Mode option and press Enter.

    You will need to configure Windows XP to show all files and folders.

    • Open My Computer.
    • Select the Tools menu and click Folder Options.
    • Select the View Tab.
    • Under the Hidden files and folders heading select Show hidden files and folders.
    • Uncheck the Hide protected operating system files (recommended) option.
    • Click Yes to confirm.
    • Click OK.

    Then, delete these files:

    C:\Program Files\Common Files\mc-58-12-0000140.exe

    C:\Program Files\Common Files\Windows\mc-58-12-0000140.exe

    C:\Program Files\Common Files\Windows\services32.exe

    C:\Program Files\Common Files\services.exe

    C:\WINDOWS\xwwebhfa.exe

    C:\WINDOWS\sudfpt.exe

    Then, search for this file and delete it:

    winlog.exe

    Then, delete these folders:

    C:\Program Files\winsupdater

    C:\Program Files\winupdates

    C:\Program Files\ISTsvc

    C:\Program Files\DNS

    Then, clean out temporary files:

    • Start | Run | type cleanmgr | OK
    • Let it scan your system for files to remove.
    • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
    • Click "OK" to remove them.
    • Click "Yes" to confirm the deletion.

    Then, reboot (in the normal mode) and post a fresh log in this thread.

  9. Hi ampshock,

    Since HijackThis does not scan the entire system, and only certain areas are scanned to help diagnose the presence of undetected malware in some of the telltale places it hides, it is extremely important that you run a full system scan tool like an online virus scan, Ad-aware SE and Spybot S&D. I would like to START with those steps and finish the cleanup of strays or undetected items with HJT. I have provided instructions on how to run scans with an online virus scanner, Ad-aware SE and Spybot S&D in this post.

    1) Run one of these Online virus scanners:

    2) Download, install, update and run a scan with Spybot S&D:

    • Download and Install Spybot S&D, accepting the Default Settings.
    • In the Menu Bar at the top of the Spybot window you will see 'Mode'. Make certain that 'default mode' has a check mark beside it.
    • Close ALL windows except Spybot S&D
    • Click the button to ‘Search for Updates’ and then download and install all available Updates.
    • Next click the button ‘Check for Problems’
    • When Spybot is complete, it will be showing ‘RED’ entries, bold 'Black' entries and ‘GREEN’ entries in the window.
    • Make certain there is a check mark beside all of the RED entries ONLY.
    • Choose ‘Fix Selected Problems’ and allow Spybot to fix the RED entries.
    • REBOOT to complete the scan and clear memory.

    3) Download, install, update, configure and run a scan with Ad-aware SE:

    1. Download and Install Ad-Aware SE, keeping the default options. However, some of the settings will need to be changed before your first scan.
    2. Close ALL windows except Ad-Aware SE.
    3. Click on the ‘world’ icon at the top right of the Ad-Aware SE window and let AdAware SE update the reference list for the adware and malware.
    4. Once the update is finished click on the ‘Gear’ icon (second from the left at the top of the window) to access the preferences/settings window:
      1. In the ‘General’ window make sure the following are selected in green:
        1. Under Safety:
          • Automatically save log-file
          • Automatically quarantine objects prior to removal
          • Safe Mode (always request confirmation)
        2. Under Definitions:
          • Prompt to update outdated definitions - set the number of days
      2. Click on the ‘Scanning’ button on the left and select in green:
        1. Under Driver, Folders & Files:
          • Scan Within Archives
        2. Under Select drives & folders to scan:
          • choose all hard drives
        3. Under Memory & Registry: all green
          • Scan Active Processes
          • Scan Registry
          • Deep Scan Registry
          • Scan my IE favorites for banned URL’s
          • Scan my Hosts file
      3. Click on the ‘Advanced’ button on the left and select in green:
        1. Under Shell Integration:
          • Move deleted files to recycle bin
        2. Under Logfile Detail Level: (all green)
          • include additional object information
          • DESELECT - include negligible objects information
          • include environment information
        3. Under Alternate Data Streams:
          • Don't log streams smaller than 0 bytes
          • Don't log ADS with the following names: CA_INOCULATEIT
      4. Click the ‘Tweak’ button and select in green:
        1. Under ‘Scanning Engine’:
          • Unload recognized processes during scanning
          • Scan registry for all users instead of current user only
        2. Under ‘Cleaning Engine’:
          • Let Windows remove files in use at next reboot
        3. Under Log Files:
          • Include basic Ad-aware SE settings in logfile
          • Include additional Ad-aware SE settings in logfile
          • Please do not check: Include Module list in logfile
    5. Click on ‘Proceed’ to save the settings.
    6. Click ‘Start’
    7. Choose 'Perform Full System Scan'
    8. DESELECT "Search for negligible risk entries", as negligible risk entries (MRU's) are not considered to be a threat.
    9. Click ‘Next’ and Ad-Aware SE will scan your hard drive(s) with the options you have selected and clean automatically.
    10. If Ad-Aware SE finds bad entries, you will receive a list of what it found in the window
    11. Save the log file when it asks and then click ‘Finish’
    12. REBOOT to complete the removal of what Ad-Aware SE found.

    4) Prepare in your reply:

    • A fresh HijackThis log.

  10. Hi Wargod18,

    BEFORE BEGINNING, Please read completely through the instructions below and download the files from the links provided. You may want to save or print out these instructions for easier reference.

    First, download Ewido Security Suite.

    Next, download Lavasoft's Ad-Aware and the VX2 Cleaner Plug-in. Install Ad-Aware using the default options, then install vx2cleaner_inst.exe, taking all the defaults there as well.

    Run Ad-Aware, update to the latest definitions, then click on Add-ons in the lefthand column. Select VX2 Cleaner V2.0 and click Run Tool. Click "OK", then, if something is found, click "Clean" as in the directions given. Click "Close", and exit Ad-Aware.

    Reboot your PC and run Ad-Aware again. This time, click on the Start button in Ad-Aware, select "Perform smart system scan" and click Next. Once the scan finishes, click "Next" again. Select all objects found (right click anywhere in the list of found objects and click "Select All Objects"). Click "Next" one more time, then "OK" to confirm the removal.

    You will be prompted to set Ad-Aware to run on reboot, click "OK". Exit Ad-Aware and restart your PC once again.

    When Ad-Aware starts up, click on "Start", then "Next". Follow the steps above if anything is found, or click "Finish", then exit Ad-Aware.

    For a final cleanup, please install and run Ewido.

    1. When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
    2. When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
    3. From the main ewido screen, click on update in the left menu, then click the Start update button.
    4. After the update finishes (the status bar at the bottom will display "Update successful")
    5. Click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run.
    6. If ewido finds anything, it will pop up a notification. We have been finding some cases of false positives with the new version of Ewido, so we need to step through the fixes one-by-one. If Ewido finds something that you KNOW is legitimate (for example, parts of AVG Antivirus, pcAnywhere and the game "Risk" have been flagged), select "none" as the action. DO NOT check "Perform action with all infections". If you are unsure of an entry, select "none" for the time being. I'll see that in the log you will post later and let you know if ewido needs to be run again.
    7. When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.

    Please finish up by rebooting your system once more, and posting a new HijackThis log and the log from the Ewido scan.

  11. Hi IAMTHEONE,

    You need to disable Microsoft Anti-Spyware because it may interfere while fixing items with HJT.

    Then, open HijackThis, run a scan and check these items:

    O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)

    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE

    If you haven't used Spybot S&D or another protection program to set these restrictions, or if your system administrator hasn't set these, check these entries too:

    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    Now please close all windows and browsers, except HijackThis, and have HijackThis fix them by clicking on Fix Checked.

    Then, reboot in Safe mode. To reboot in Safe mode:

    Restart your computer and immediately begin tapping the F8 key on your keyboard. If done right a Windows Advanced Options menu will appear. Select the Safe Mode option and press Enter.

    You will need to configure Windows XP to show all files and folders.

    1. Open My Computer.

    2. Select the Tools menu and click Folder Options.

    3. Select the View Tab.

    4. Under the Hidden files and folders heading select Show hidden files and folders.

    5. Uncheck the Hide protected operating system files (recommended) option.

    6. Click Yes to confirm.

    7. Click OK.

    Then, delete this file:

    C:\WINDOWS\ALCXMNTR.EXE

    Then, delete Temp Files. To delete temp files:

    Click on Start and then run, and type %temp% and press the ok button.

    This should open up the temp directory that your machine uses. Please delete all files that are found there.

    Do this same process for %windir%\temp.

    Then, delete Temporary Internet Files. To delete Temporary Internet Files:

    Open up Internet Explorer, and click on the Tools menu and then Internet Options. At the General tab, which should be the first tab you are currently on, click on the Delete Files button and put a checkmark in Delete offline content. Then press the OK button. This may take quite a while, so do not be alarmed with how long it takes. When it is done, your Temporary Internet Files will now be deleted.

    Then, reboot (in the normal mode) and post a new log in this thread.

  12. Your log is clean. Good Work! ;)

    To prevent re-infection in the future:

    1. I suggest you download Spyware Blaster to prevent the installation of Spyware in the first place.

    2. IE-Spyad puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all and I suggest you download it.

    3. I noticed that you do not have a firewall and that makes you vulnerable to Hackers. I recommend you use Zone Alarm or Kerio Firewall

    4. I recommend that you read a thread titled So how do I get infected in the first place? by Tony Klein which informs you on how to tighten the security of your PC.

  13. Hi bluzdude,

    Open Hijack This!, run a scan and check these items:

    O1 - Hosts: 69.20.16.183 search.netscape.com

    O1 - Hosts: 69.20.16.183 ieautosearch

    O1 - Hosts: 69.20.16.183 ieautosearch

    O1 - Hosts: 69.20.16.183 ieautosearch

    O1 - Hosts: 69.20.16.183 ieautosearch

    O1 - Hosts: 69.20.16.183 ieautosearch

    O1 - Hosts: 69.20.16.183 auto.search.msn.com

    O1 - Hosts: 69.20.16.183 ieautosearch

    If you don't use Poker sites, check these items.

    O9 - Extra button: AbsolutePoker.com - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk

    O9 - Extra 'Tools' menuitem: AbsolutePoker.com - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk

    Now please close all windows and browsers, except HijackThis, and have HijackThis fix them by clicking on Fix Checked.

    Then, reboot in Safe mode. To reboot in Safe mode:

    Restart your computer and immediately begin tapping the F8 key on your keyboard. If done right a Windows Advanced Options menu will appear. Select the Safe Mode option and press Enter.

    Delete this file:

    C:\WINDOWS\System32\wkqwuw.exe

    Then, reboot.

    Then, right click Here and select Save As to download WinHelp2002's DelDomains.inf. Please save the file somewhere you can find it like on the desktop. To run the inf file, right click on it and select Install.

    Then, run a full system scan with Spybot:

    1. Download and Install Spybot S&D, accepting the Default Settings

    2. In the Menu Bar at the top of the Spybot window you will see 'Mode'. Make certain that 'default mode' has a check mark beside it.

    3. Close ALL windows except Spybot S&D

    4. Click the button to ‘Search for Updates’ then download and install the Updates.

    5. Next click the button ‘Check for Problems’

    6. When Spybot is complete, it will be showing ‘RED’ entries, bold 'Black' entries and ‘GREEN’ entries in the window

    7. Make certain there is a check mark beside all of the RED entries ONLY.

    8. Choose ‘Fix Selected Problems’ and allow Spybot to fix the RED entries.

    9. REBOOT to complete the scan and clear memory.

    Then, run a full system scan with Ad-aware:

    1. Download and Install Ad-Aware SE, keeping the default options. However, some of the settings will need to be changed before your first scan

    2. Close ALL windows except Ad-Aware SE

    3. Click on the ‘world’ icon at the top right of the Ad-Aware SE window and let AdAware SE update the reference list for the adware and malware.

    4. Once the update is finished click on the ‘Gear’ icon (second from the left at the top of the window) to access the preferences/settings window

    1) In the ‘General’ window make sure the following are selected in green:

    *Automatically save log-file

    *Automatically quarantine objects prior to removal

    *Safe Mode (always request confirmation)

    Under Definitions:

    *Prompt to update outdated definitions - set the number of days

    2) Click on the ‘Scanning’ button on the left and select in green :

    Under Driver, Folders & Files:

    *Scan Within Archives

    Under Select drives & folders to scan -

    *choose all hard drives

    Under Memory & Registry: all green

    *Scan Active Processes

    *Scan Registry

    *Deep Scan Registry

    *Scan my IE favorites for banned URL’s

    *Scan my Hosts file

    3) Click on the ‘Advanced’ button on the left and select in green:

    Under Shell Integration:

    *Move deleted files to recycle bin

    Under Logfile Detail Level: (all green)

    *include additional object information

    *DESELECT - include negligible objects information

    *include environment information

    Under Alternate Data Streams:

    *Don't log streams smaller than 0 bytes

    *Don't log ADS with the following names: CA_INOCULATEIT

    4) Click the ‘Tweak’ button and select in green:

    Under ‘Scanning Engine’:

    *Unload recognized processes during scanning

    *Scan registry for all users instead of current user only

    Under ‘Cleaning Engine’:

    *Let Windows remove files in use at next reboot

    Under Log Files:

    *Include basic Ad-aware SE settings in logfile

    *Include additional Ad-aware SE settings in logfile

    *Please do not check: Include Module list in logfile

    5. Click on ‘Proceed’ to save the settings.

    6. Click ‘Start’

    *Choose:'Perform Full System Scan'

    *DESELECT "Search for negligible risk entries", as negligible risk entries (MRU's) are not considered to be a threat.

    7. Click ‘Next’ and Ad-Aware SE will scan your hard drive(s) with the options you have selected and clean automatically.

    8. If Ad-Aware SE finds bad entries, you will receive a list of what it found in the window

    9. Save the log file when it asks and then click ‘finish’

    10. REBOOT to complete the removal of what Ad-Aware SE found.

    Then, post a new log in this thread.
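
The HijackThis entries quoted in the posts above follow a regular "section code - details" layout, so they can be triaged mechanically before a human reviews them. The following Python sketch is an added example, not part of the original posts and not HijackThis's own logic; the function names and the four heuristics are assumptions chosen for illustration, and the sample lines are copied from the posts.

```python
import ipaddress
import re
from collections import defaultdict

# Sample lines copied from the HijackThis entries quoted in the posts above.
SAMPLE_LOG = r"""
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: C:\DOCUME~1\Anthony\LOCALS~1\Temp\ssc.dll - {60E61928-B0DE-47C0-8EB1-D9C9417647D7} - C:\DOCUME~1\Anthony\LOCALS~1\Temp\ssc.dll
O4 - HKLM\..\Run: [] winlog.exe
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O15 - Trusted Zone: *.coolwebsearch.com
"""

ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
HOSTS_RE = re.compile(r"^Hosts: (?P<ip>\S+) (?P<name>\S+)$")
RUN_RE = re.compile(r"^(?P<key>\S+): \[(?P<name>.*?)\] (?P<cmd>.+)$")


def parse_log(text):
    """Return (section, body) pairs for every line shaped like a log entry."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def _is_local(ip_text):
    """True for loopback/unspecified addresses, the usual benign hosts targets."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # unparseable address: treat as worth a look
    return ip.is_loopback or ip.is_unspecified


def triage(entries):
    """Apply illustrative heuristics (assumptions, not HijackThis rules).

    Returns (section, reason, body) tuples for entries a reviewer should check.
    """
    findings = []
    for section, body in entries:
        if section == "O1":  # hosts file redirection
            m = HOSTS_RE.match(body)
            if m and not _is_local(m.group("ip")):
                findings.append((section, "hosts entry resolves to a non-local address", body))
        elif section == "O2":  # Browser Helper Object
            if body.endswith("(no file)"):
                findings.append((section, "BHO registered but its DLL is missing", body))
            elif "\\temp\\" in body.lower():
                findings.append((section, "BHO DLL loaded from a temp directory", body))
        elif section == "O4":  # registry autostart
            m = RUN_RE.match(body)
            if m and m.group("name") == "":
                findings.append((section, "autostart value with an empty name", body))
        elif section == "O15" and body.startswith("Trusted Zone:"):
            findings.append((section, "site present in the IE Trusted Zone", body))
    return findings


def redirect_targets(entries):
    """Group redirected hostnames by the non-local IP they are pointed at."""
    targets = defaultdict(set)
    for section, body in entries:
        m = HOSTS_RE.match(body) if section == "O1" else None
        if m and not _is_local(m.group("ip")):
            targets[m.group("ip")].add(m.group("name"))
    return {ip: sorted(names) for ip, names in targets.items()}


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for section, reason, body in triage(parsed):
        print(f"[{section}] {reason}: {body}")
    print(redirect_targets(parsed))
```

A finding here only marks a line for human review; a line that is not flagged is not thereby shown to be clean.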