tayspen 28 <Insert title here> Team Colleague

Ok, good it seems to be gone :). Run HJT one more time, and check these items.


O2 - BHO: InfoDocReader Object - {39D36F7F-81ED-45DC-87A3-A51824966B06} - C:\WINDOWS\system32\gebcb.dll (file missing)

O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls...otoUploader.cab

Click Fix Checked. Then you should be clean; one more log just to make sure that file is really gone would not hurt, though. Does everything seem to be back to normal?

tayspen 28 <Insert title here> Team Colleague

Did you run Vundo Fix? Because the infection is still there.

If you did run it please do the following.

Download pocket killbox from http://www.thespykiller.co.uk/files/killbox.exe & put it on the desktop where you can find it easily

Now start Killbox. Copy the list of files below to the clipboard by selecting all of them with your mouse (left click the start of the list and drag the mouse to the bottom of the list) and, when they are all selected (highlighted in blue), right click on any part of the blue area and say copy.

In the Killbox, go to the toolbar, press File and select Paste from clipboard. The first file name will appear in the window and, if the file exists, it will appear in blue under that window. Then select Standard File Kill, press the red X button, say yes to the prompt and, once the "file deleted" message comes up, press the red X again; continue to press until the last file on the list appears in the window and it says deleted.

File List

C:\WINDOWS\system32\gebcb.dll

If you didn't run it, just run it and don't do the above step.

Post a new log

tayspen 28 <Insert title here> Team Colleague

Hi. First, please download VundoFix.exe to your desktop.
* Double-click VundoFix.exe to run it.
* Click the Scan for Vundo button.
* Once it's done scanning, click the Remove Vundo button.
* You will receive a prompt asking if you want to remove the files; click YES.
* Once you click yes, your desktop will go blank as it starts removing Vundo.
* When completed, it will prompt that it will shut down your computer; click OK.
* Turn your computer back on.

Then please download ewido - www.ewido.net - Install. Update. Scan. Remove anything it finds.

Post a new HJT log, and the ewido log

tayspen 28 <Insert title here> Team Colleague

That is a clean log :). Does everything seem to be back to normal?

I would suggest downloading ewido. It is a great anti-malware tool, and will help you clean up the "big" stuff, as well as misc. things such as cookies.

www.ewido.net - Install. Update. Scan. Remove anything it finds (If you choose to use it)

tayspen 28 <Insert title here> Team Colleague

I meant to uninstall :). Please boot into safe mode then delete the folder.

How to:

1. If the computer is running, shut down Windows, and then turn off the power.
2. Wait 30 seconds, and then turn the computer on.
3. When you see the black-and-white Starting Windows bar at the bottom of the screen, start tapping the F8 key. The Windows 2000 Advanced Options Menu appears.
4. Ensure that the Safe mode option is selected. In most cases, it is the first item in the list and is selected by default.
5. Press Enter. The computer then begins to start in Safe mode.

tayspen 28 <Insert title here> Team Colleague

This is a trojan file right here.


C:\WINDOWS\msnmgr.exe

It is a service, so first we need to disable it, then delete it. To do this:

Start>Run type Services.msc
-Right click Windows XP Manager (Manager) and choose Stop
-Now choose Properties and change Startup Type to disabled


Open HijackThis
-Choose Open Misc Tools
-Choose Delete an NT Service
-Copy and Paste - Windows XP Manager (Manager) - into the box and delete it.

Then ensure that this file is indeed missing; if not, delete it.

C:\WINDOWS\msnmgr.exe

Post a new HJT log.

tayspen 28 <Insert title here> Team Colleague

Ok, have HJT fix the following.


O16 - DPF: {5E8FD788-C323-4357-AB76-7CBCEFBA573C} (SpyBouncer.SBDownloader) - http://www.spybouncer.com/downloader.ocx

Did you install newdotnet? Because it is still on your system. Please uninstall anything having to do with it, and delete this folder:

C:\Program Files\NewDoNet

tayspen 28 <Insert title here> Team Colleague

Hi, hope you had a good spring break :).

Run HJT again, and check the following.

R3 - URLSearchHook: (no name) - - (no file)

R3 - URLSearchHook: (no name) - _{02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)

R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)

O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

O4 - HKLM\..\Run: [JT] C:\documents and settings\sam stolz\local settings\temp\JT.exe

O4 - HKLM\..\Run: [liz] C:\WINDOWS\liz.exe

O4 - HKLM\..\Run: [keyboard] C:\\keyboard2.exe

O4 - HKLM\..\Run: [mousepad] C:\\mousepad2.exe

O4 - HKLM\..\Run: [gimmysmileys] C:\\gimmysmileys2.exe

O4 - HKLM\..\Run: [q8lg] "C:\WINDOWS\system32\slk8x2peu.exe"

O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe

O4 - HKLM\..\Run: [win3208814528782] C:\WINDOWS\win3208814528782.exe

O4 - HKLM\..\Run: [IpNetwork] C:\Program Files\Network\ipnetwork.exe

O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s

O4 - HKLM\..\Run: [uswwdmkA] C:\WINDOWS\uswwdmkA.exe

O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe

O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe

O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe

O4 - Startup: Zeno.lnk = C:\WINDOWS\SYSTEM32\kwinlrag.exe

O8 - Extra context menu item: Shorten URL - http://www.cjb.net/menuext.html

O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)

O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)

O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)

O18 - Filter: text/html - {CEA53356-C414-4331-A35E-AA4CE9D8DFA2} - C:\WINDOWS\system32\w9seq.dll

O20 - Winlogon Notify: RunOnceEx - C:\WINDOWS\system32\fpr4039qe.dll

O23 - Service: …
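As an added example (not part of the thread), a small Python triage script for HJT lines like the ones posted above: it parses O4, O23, O20 and O17 entries and attaches the review flags a helper applies by eye (orphaned "(file missing)" entries, executables in temp folders, bare file names, the odd `C:\\` root, RunServices use, unknown-owner services, name servers outside an expected set). The sample lines are taken from logs in this thread; the flag names and the expected DNS set are assumptions.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: HijackThis lines of the kinds quoted in this thread
# (O4 autostarts, O23 services, O20 Winlogon Notify, O17 name servers).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [JT] C:\documents and settings\sam stolz\local settings\temp\JT.exe
O4 - HKLM\..\Run: [keyboard] C:\\keyboard2.exe
O4 - HKLM\..\Run: [Windows Updater] paste.exe
O4 - HKLM\..\RunServices: [Microsoft Telecoms Center] telcoms.exe
O4 - HKLM\..\Run: [SoundMan] C:\WINDOWS\SOUNDMAN.EXE
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O20 - Winlogon Notify: ddcyy - C:\WINDOWS\system32\ddcyy.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{8A36C72A-B29C-43B8-928D-8BCA6A98D135}: NameServer = 212.74.114.129 212.74.112.67
""".strip()

# Patterns for the HJT sections handled here (assumed from the log format shown in the thread).
O4_RE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>.+)$")

# Directory fragments (lower-case, single backslashes) where autostart binaries do not belong.
TEMP_DIRS = ("\\local settings\\temp\\", "\\temporary internet files\\")


@dataclass
class Finding:
    section: str
    target: str         # the path, command or server list the entry points at
    flags: list[str]    # review reasons; empty means nothing stood out


def _flag_path(path: str, flags: list[str]) -> None:
    low = path.lower()
    if "(file missing)" in low or "(no file)" in low:
        flags.append("orphaned")          # points at a file that is no longer there
    if any(t in low for t in TEMP_DIRS):
        flags.append("temp_location")     # executable living in a temp folder
    if low.startswith("c:\\\\"):
        flags.append("malformed_root")    # C:\\file.exe, as in the keyboard/mousepad entries


def triage(log_text: str, expected_dns: frozenset[str] = frozenset()) -> list[Finding]:
    """Parse the supported HJT sections and attach review flags to each entry."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        line = line.strip()
        flags: list[str] = []
        if m := O4_RE.match(line):
            cmd = m["cmd"]
            _flag_path(cmd, flags)
            if "\\" not in cmd:
                flags.append("unqualified_path")    # bare name resolves via the search path
            if "runservices" in m["key"].lower():
                flags.append("legacy_runservices")  # Win9x-era key, rare on XP
            findings.append(Finding("O4", cmd, flags))
        elif m := O23_RE.match(line):
            _flag_path(m["path"], flags)
            if m["owner"].lower() == "unknown owner":
                flags.append("unknown_owner")
            findings.append(Finding("O23", m["path"], flags))
        elif m := O20_RE.match(line):
            _flag_path(m["path"], flags)
            flags.append("winlogon_notify")         # common persistence point; always review
            findings.append(Finding("O20", m["path"], flags))
        elif m := O17_RE.match(line):
            if any(s not in expected_dns for s in m["servers"].split()):
                flags.append("unexpected_dns")      # resolver not in the known ISP/router set
            findings.append(Finding("O17", m["servers"], flags))
    return findings


def review_queue(log_text: str, expected_dns: frozenset[str] = frozenset()) -> dict[str, list[str]]:
    """Only the entries that raised at least one flag, keyed by target (duplicates collapse)."""
    return {f.target: f.flags for f in triage(log_text, expected_dns) if f.flags}


if __name__ == "__main__":
    for target, flags in review_queue(SAMPLE_LOG, frozenset({"192.168.1.1"})).items():
        print(f"{', '.join(flags):34s} {target}")
```

Flags mark entries for a human to look at, as the helper does in this thread; they are not verdicts, and the clean SoundMan line produces none.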

tayspen 28 <Insert title here> Team Colleague

That's a clean log. As far as a slow boot-up, you can look here for info on how to disable these programs, hence speeding up your boot time.

tayspen 28 <Insert title here> Team Colleague

Thanks for your help tayspen!

You're welcome :), and that's a clean log. Does everything seem to be running how it should be?

tayspen 28 <Insert title here> Team Colleague

It's all clean. You can fix the file missing(s) only if you are sure the file is indeed missing.

tayspen 28 <Insert title here> Team Colleague

Hi, you are indeed infected.

Please run HJT again, select "Do system Scan Only". Then put a check next to these items.


O2 - BHO: InfoDocReader Object - {295BA105-3506-4D25-B0DD-54346320BDC5} - C:\WINDOWS\system32\ddcyy.dll

O20 - Winlogon Notify: ddcyy - C:\WINDOWS\system32\ddcyy.dll

Click Fix Checked


Please download VundoFix.exe to your desktop.
* Double-click VundoFix.exe to run it.
* Click the Scan for Vundo button.
* Once it's done scanning, click the Remove Vundo button.
* You will receive a prompt asking if you want to remove the files; click YES.
* Once you click yes, your desktop will go blank as it starts removing Vundo.
* When completed, it will prompt that it will shut down your computer; click OK.
* Turn your computer back on.

Post a new HJT log

tayspen 28 <Insert title here> Team Colleague

A few more things. Run HJT and check these.


O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\aWFu\command.exe (file missing)

O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)

Click Fix Checked.

Post what should be the last log.

tayspen 28 <Insert title here> Team Colleague

You have indeed. You have quite a bit of nasties in there ;).

Run HJT again and put a check next to the following items.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com

O4 - HKLM\..\Run: [RavTimeXP] C:\WINDOWS\Mstray111.exe

O4 - HKLM\..\Run: [dxvid] c:\windows\system32\dxvid.exe /nocomm

O4 - HKLM\..\Run: [ms1src] c:\program files\common files\system\ms1src.exe /install

O4 - HKLM\..\Run: [Windows Updater] paste.exe

O4 - HKLM\..\Run: [keyboard] C:\windows\keyboard9.exe

O4 - HKLM\..\Run: [mousepad] C:\windows\mousepad9.exe

O4 - HKLM\..\Run: [IpNetwork] C:\Program Files\Network\ipnetwork.exe

O4 - HKLM\..\Run: [expload.exe] C:\WINDOWS\system32\expload.exe

O4 - HKLM\..\Run: [newname] C:\windows\newname9.exe

O4 - HKLM\..\RunServices: [Windows Updater] paste.exe

O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)

O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)

O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://locator1.cdn.imagesrvr.com/s...FreeInstall.cab

O20 - Winlogon Notify: StillImage - C:\WINDOWS\system32\gprsl3971.dll

Click Fix Checked
----------------------------------------------------
Please download Look2Me-Destroyer.exe to your desktop.
--Close all windows before continuing.
--Double-click Look2Me-Destroyer.exe to run it.
--Put a check next to Run this program as a task.
--You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK.
--When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons …

tayspen 28 <Insert title here> Team Colleague

Hi, please run HJT again, select Do system scan only and check the following.


O1 - Hosts: 134.96.33.102 crmud01

O1 - Hosts: 134.96.33.103 crmud02

O1 - Hosts: 134.96.33.105 crmud04

O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - C:\WINDOWS\DOWNLO~1\CnsHook.dll

O4 - HKLM\..\Run: [CnsMin] Rundll32.exe C:\WINDOWS\DOWNLO~1\CnsMin.dll,Rundll32

O9 - Extra button: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - D:\04 Other\qqlite_06rc\QQ.EXE

O9 - Extra 'Tools' menuitem: 腾讯QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - D:\04 Other\qqlite_06rc\QQ.EXE

O9 - Extra button: (no name) - {DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} - D:\04 Other\qqlite_06rc\QQIEHelper.dll

O9 - Extra 'Tools' menuitem: QQ炫彩工具设置 - {DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} - D:\04 Other\qqlite_06rc\QQIEHelper.dll

O9 - Extra button: Instant Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - http://cn.zs.yahoo.com/cnsbutton.ht...ns&btn=yahoomsg (file missing)

O9 - Extra button: (no name) - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://cn.zs.yahoo.com/cnsbutton.ht...=cns&btn=repair (file missing)

O9 - Extra 'Tools' menuitem: Repair Browser - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://cn.zs.yahoo.com/cnsbutton.ht...=cns&btn=repair (file missing)

O9 - Extra button: (no name) - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://cn.zs.yahoo.com/cnsbutton.ht...e=cns&btn=clean (file missing)

O9 - Extra 'Tools' menuitem: Clean Internet access record - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://cn.zs.yahoo.com/cnsbutton.ht...e=cns&btn=clean (file missing)

Close all browsers and click Fix Checked

------------------------------------------------------------------------
There are still more infections, but we are going to have the scanners knock them out for us.

Download the Free trial version of Spysweeper

http://www.webroot.com/consumer/pro...&rc=4129&ac=tsg

Update the definitions and run it, and let it remove whatever it finds.

Then download ewido

www.ewido.net - Install. Update. Scan. Remove anything …

tayspen 28 <Insert title here> Team Colleague

Nothing looks too bad in your log. Please run HJT again and check off the following items.


O16 - DPF: {A526A2C7-723E-4081-BF70-A7A9913E8C4A} (LogData Class) - http://ipgweb.cce.hp.com/rdqna/downloads/sysinfo.cab

O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -

Click Fix Checked

Then to take care of any misc. things please download ewido - www.ewido.net - Install. Update. Scan. Remove anything it finds.

Post a new HJT log, and the ewido log

tayspen 28 <Insert title here> Team Colleague

Sorry for the late reply, must have missed your reply ;). That's a clean log. Are you still having problems?

tayspen 28 <Insert title here> Team Colleague

You need to unplug that writer. See if that fixes it, if it does then we know that is the problem.

That support article was also suggesting that it was a hardware issue.

tayspen 28 <Insert title here> Team Colleague

Your log looks clean now. I notice you have a P2P program installed (Safe-Share). Downloading files from a P2P network can be dangerous, so be careful :).

Are you still having problems?

tayspen 28 <Insert title here> Team Colleague

Yea, you have a small collection of nasties.

Please run HJT again and select Do system scan only. Then place a check in the checkbox next to these items.

O2 - BHO: Nothing - {4da4616d-7e6e-4fd9-a2d5-b6c535733e22} - C:\WINDOWS\system32\hpA22B.tmp

O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/CDT/ie/bridge-c46.cab

Close all browsers and click Fix Checked

----------------------------------------------------------------------

Download smitRem.exe (http://www.bleepingcomputer.com/resources/link240.html), saving the file to your desktop. Double click it to extract the contents to a folder of its own. Restart your computer in safe mode, log on to the user account that is infected, open the smitRem folder and double click the RunThis.bat file to start the tool. Follow the prompts on screen and allow disk cleanup to complete. Upon reboot, you can reset your desktop background. Note: XP users using the XP theme may experience a change to the Classic Windows theme. This can be changed on the Themes tab of Desktop Properties.

How to boot into safe mode: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406

-----------------------------------------------------------------------
Reboot normally

Then please download ewido - www.ewido.net - Install. Update. Scan. Remove anything it finds.

Post a new HJT log, and the ewido log

tayspen 28 <Insert title here> Team Colleague

Are you still having problems? Please post one more log after you remove it all so we can make sure you are clean :)

tayspen 28 <Insert title here> Team Colleague

Run HJT.

Click Do system scan only.

Place a check next to the items above.

Click Fix Checked

tayspen 28 <Insert title here> Team Colleague

Hmmm, sounds like there may be a small conflict with the writer and the computer. You may want to take it out, and leave it for a few days, and see if that fixes the problem.

tayspen 28 <Insert title here> Team Colleague

Your HJT log is clean.

As for the rebooting.

- Has it crashed to a blue screen yet? If so what was the message?

- Did you recently add any new hardware, or software?

- Are you getting any messages on reboot?

tayspen 28 <Insert title here> Team Colleague

Seems to be back for me, no more problems. Thanks :)

Oh, and in case it matters, I never had a problem with my CP like Marty around the time it started happening.

tayspen 28 <Insert title here> Team Colleague

Same thing for me too. Tried to go to the home page, yet it took me to:

www.daniweb.com/profile.php

Hasn't happened since though.

tayspen 28 <Insert title here> Team Colleague

Thanks for picking that one up DMR, I must have missed it ;).

tayspen 28 <Insert title here> Team Colleague

No, I'm sorry, you can't remove the virus with Spy Sweeper, but you can get the log, then post it here, then we manually remove it.

tayspen 28 <Insert title here> Team Colleague

No, they don't.

Ewido is a free trial, when the trial runs out, all you lose is the Live Updates, and a few other features that are not really needed.

CCleaner is free.

Spysweeper is a trial, we will uninstall it when we are done.

tayspen 28 <Insert title here> Team Colleague

You got quite a collection ;).

Please start by doing the following.

Download the Free trial version of Spysweeper

http://www.webroot.com/consumer/pro...&rc=4129&ac=tsg

Update the definitions and run it, and let it remove whatever it finds.

Then download ewido

www.ewido.net - Install. Update. Scan. Remove anything it finds.

Then download CCleaner

Run it and let it clean.

Post a new HJT log, along with the ewido log, and the spysweeper log.

tayspen 28 <Insert title here> Team Colleague

Hi, you have a few infections, but let's see if we can get the scanners to knock them out before we begin to do things manually.

Please download the following.

Ewido (Trial) – http://www.download.com/Ewido-Secur...tml?tag=lst-0-1

SpySweeper: http://www.webroot.com/consumer/products/spysweeper?acode=af1&rc=3599

Install both. Update Definitions. Run Both.

When done scanning, post a new HJT log, along with the ewido log, and the spysweeper log

tayspen 28 <Insert title here> Team Colleague

Hi, I hate to say this, but your HJT version is out of date. Please download and scan with the newest version (1.99.1).

Download HijackThis (1.99.1). Extract it to its own folder. Then run it and select Do system scan and save log. Post the contents of the log that pops up.

tayspen 28 <Insert title here> Team Colleague

Yes by flushing your System Restore whenever Tayspen confirms he is thru with the fix. :)

Well it looks clean to me. Just hope that wasn't a test, and there is really a tricky entry in there ;).

As far as flushing (deleting) out your restore points,

http://www.bleepingcomputer.com/tutorials/tutorial56.html

look under the "Deleting Restore Points" part...

-T

tayspen 28 <Insert title here> Team Colleague

Looks like netmon.exe is a trojan.

Check it in HJT, then click Fix Checked.


O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)


Then do this.

Start>Run type Services.msc
-Right click Network Monitor and choose Stop
-Now choose Properties and change Startup Type to disabled


Open HijackThis
-Choose Open Misc Tools
-Choose Delete an NT Service
-Copy and Paste - Network Monitor - into the box and delete it.

Then ensure this file is gone.

C:\Program Files\Network Monitor\netmon.exe

Post a new log

Source saying it was bad-- http://www.bleepingcomputer.com/startups/NETMON.EXE-8861.html

tayspen 28 <Insert title here> Team Colleague

Heh, yea, I would say it needs to go; let's wait to see what demented has to say though.

Anyway, also have HJT fix this if you don't recognize it or don't play online poker.


O16 - DPF: {1A781DED-C22D-4153-3213-A3211E29DF13} (GameDesire Card Games) - http://67.15.101.3/g_bin/eng/cards_2_0_0_67.cab

O20 - Winlogon Notify: winrkp32 - C:\WINDOWS\SYSTEM32\winrkp32.dll

Then delete this file -- C:\WINDOWS\SYSTEM32\winrkp32.dll

tayspen 28 <Insert title here> Team Colleague

Good news. It seems that the file is gone; you're looking clean now, just a few more things. If you don't recognize this IP, or it's not your ISP, check it.


O17 - HKLM\System\CCS\Services\Tcpip\..\{8A36C72A-B29C-43B8-928D-8BCA6A98D135}: NameServer = 212.74.114.129 212.74.112.67

Click Fix Checked.

Post a new log, and hopefully the last.

tayspen 28 <Insert title here> Team Colleague

Ok, so that telcoms.exe file is back :-|, and since it seems to be malicious we are going to take 'em out once and for all.

Download pocket killbox from http://www.thespykiller.co.uk/files/killbox.exe & put it on the desktop where you can find it easily

Now start Killbox. Copy the list of files below to the clipboard by selecting all of them with your mouse (left click the start of the list and drag the mouse to the bottom of the list) and, when they are all selected (highlighted in blue), right click on any part of the blue area and say copy.

In the Killbox, go to the toolbar, press File and select Paste from clipboard. The first file name will appear in the window and, if the file exists, it will appear in blue under that window. Then select Standard File Kill, press the red X button, say yes to the prompt and, once the "file deleted" message comes up, press the red X again; continue to press until the last file on the list appears in the window and it says deleted.

C:\WINDOWS\System32\telcoms.exe

-----------------------------------------------

Then run HJT and check the following.


O4 - HKLM\..\Run: [Microsoft Telecoms Center] telcoms.exe

O4 - HKLM\..\RunServices: [Microsoft Telecoms Center] telcoms.exe

O4 - HKCU\..\Run: [Microsoft Telecoms Center] telcoms.exe

O15 - Trusted Zone: http://*.winsoftware.com

Click Fix Checked.

Post a new HJT log.

tayspen 28 <Insert title here> Team Colleague

That's a clean log, Goodfuzzy. Good job :).

tayspen 28 <Insert title here> Team Colleague

Also, we need to configure Windows to crash to a blue screen; that way we can get more info. Thing is, I don't remember how to do that. If somebody knows, please share. Then when your computer crashes to a blue screen, post the exact message.

tayspen 28 <Insert title here> Team Colleague

Cool, now we're ready to proceed. You're pretty loaded with nasties. Let's download a few tools and run them before we try this manually; hopefully they will knock a lot of it out.

Please download the following:

Ewido (Trial) – http://www.download.com/Ewido-Secur...tml?tag=lst-0-1

SpySweeper (Trial) - http://www.webroot.com/consumer/products/spysweeper?acode=af1&rc=3599

Install them both. Update them both. Then run them both. Remove anything they find.

Post a new HJT log, and the ewido log

tayspen 28 <Insert title here> Team Colleague

Hi, and welcome to DaniWeb!

This line of your log


C:\Documents and Settings\PETER\Local Settings\Temporary Internet Files\Content.IE5\GTORK5WN\hijackthis[1]\HijackThis.exe

shows that HJT was run from a temporary file. This is an "unsafe" location, as it may not scan everything.

Please do the following. Re-download HJT, and save it to your desktop. Then make a new folder on your desktop (right click your desktop, go to New > Folder) and name the folder HJT. Now double click the Hijackthis.zip you downloaded, right click Hijackthis.exe and select Cut, then double click the HJT folder on your desktop you just made. Right click in the white space and click Paste. Then scan again, and post a new log.


Thanks

tayspen 28 <Insert title here> Team Colleague

Your log is clean, very clean :). I'm not sure why that happens with your internet; wouldn't hurt to try Winsockfix - http://www.webattack.com/get/winsockxpfix.html

tayspen 28 <Insert title here> Team Colleague

Perhaps you have a virus the scanners are overlooking, or your internet is hijacked.

Download HJT - http://www.merijn.org/files/hijackthis.zip - And post the log. We will take a look at it.

Just run it, and click "Do system scan and save log". Then post the text that pops up in Notepad.

tayspen 28 <Insert title here> Team Colleague

Download ewido and run it; that should fix it. When you're done running it, post the ewido log.

tayspen 28 <Insert title here> Team Colleague

Well, your log looks clean to me. I'm sure someone will be along to verify it. Also, what's the name of the virus it picked up?

tayspen 28 <Insert title here> Team Colleague

Hi, post a HJT log so we can check to make sure you don't have more infections. Then we will help you get rid of 'em.

tayspen 28 <Insert title here> Team Colleague

Hi, keep ewido, it's a great program. It's free, but you will just have to keep it updated manually. Also try Spybot Search and Destroy, and AVG Free. Those are all free; a good one that isn't free is Spy Sweeper. For a complete list of Anti-Virus/Spyware programs have a look here.

tayspen 28 <Insert title here> Team Colleague

Hi, you have quite a bit of nasties in there ;). Boot into safe mode, run HJT and have it fix the following.

C:\WINNT\SYSC00.exe

C:\WINNT\sys011134565166-.exe

C:\WINNT\slupiww.exe

R3 - URLSearchHook: (no name) - _{02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)

R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)

F3 - REG:win.ini: run=

O2 - BHO: (no name) - {0DEADE31-9A37-48B2-921A-7825EA93D32A} - (no file)

O4 - HKLM\..\Run: [keyboard] C:\\keyboard.exe

O4 - HKLM\..\Run: [Tagasuarus7.exe] C:\WINNT\system32\Tagasuarus7.exe

Then have HJT fix these.

O4 - HKLM\..\Run: [TheMonitor] C:\WINNT\SYSC00.exe

O4 - HKLM\..\Run: [slupiwwA] C:\WINNT\slupiwwA.exe

O10 - Hijacked Internet access by New.Net

O18 - Filter: text/html - {BA576CDE-9949-4473-A8F7-6C17C2A7E600} - (no file)

O20 - Winlogon Notify: H323TSP - C:\WINNT\system32\kt2ul7f91.dll (file missing)

After that browse to and delete this file (if found).


C:\WINNT\system32\Tagasuarus7.exe

In order to see it, you may have to have Windows set to "Show hidden files" and "Show protected operating system files".

To do this:

Start > My Computer > Tools > Folder Options > View tab > check Show hidden files and folders, and uncheck Hide protected operating system files. Hit Yes to the dialog box that comes up.

When that's deleted, reboot normally and download ewido. Install it. Run it and save a log.

Scan again with HJT, and post that log along with the ewido log.

-T

EDIT: I was too late :(

tayspen 28 <Insert title here> Team Colleague

Hi again, delete your temp internet files. To do this in Internet Explorer, click

Tools>Internet Options>Then click Delete Cookies, and Delete Files.

Then download CCleaner - http://www.ccleaner.com/

And run it.

Post back, that should take care of any remnants of it.

tayspen 28 <Insert title here> Team Colleague

Doh! I must have been blind :o. Thanks for following up. I'm still learning :cheesy: .