Piriform Forum
> New here with major popup issues, Please see my logs, I hope I can get help :(
Brenda2007
post Oct 12 2007, 09:34 PM
Post #21


Advanced Member
***

Group: Members
Posts: 76
Joined: 21-September 07
From: Lawrence, MA
Member No.: 16,097



Here you go :)


Find AWF report by noahdfear ©2006
Version 1.40

The current date is: Fri 10/12/2007
The current time is: 17:23:51.92


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\MSNMES~1\BAK

01/19/2007 12:54 PM 5,674,352 MsnMsgr.Exe
1 File(s) 5,674,352 bytes

Directory of C:\WINDOWS\SMINST\BAK

07/23/2005 02:14 AM 237,568 RECGUARD.EXE
1 File(s) 237,568 bytes

Directory of C:\WINDOWS\SYSTEM\BAK

10/02/2007 05:58 PM 179 hpsysdrv.DAT
05/07/1998 12:04 PM 52,736 hpsysdrv.exe
2 File(s) 52,915 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/04/2004 08:00 AM 15,360 ctfmon.exe
10/25/2004 06:17 PM 90,112 ps2.exe
2 File(s) 105,472 bytes

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\ADOBE\ACROBA~1.0\READER\BAK

03/30/2006 05:45 PM 313,472 AdobeUpdateManager.exe
1 File(s) 313,472 bytes

Directory of C:\PROGRA~1\JAVA\JRE16~1.0_0\BIN\BAK

07/12/2007 04:00 AM 132,496 jusched.exe
1 File(s) 132,496 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

5674352 Jan 19 2007 "C:\Program Files\MSN Messenger\MsnMsgr.Exe"
5674352 Jan 19 2007 "C:\Program Files\MSN Messenger\bak\MsnMsgr.Exe"


end of report


--------------------
Brenda
Mom of 4: Chris 17, Mikayla 11, JJ 6, and Elias 23 months
LOVES Piriform Forums more than her husband
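The report above is the output of FindAWF, which lists every "bak" folder it finds and then lists files elsewhere on disk whose size and date match the bak contents. The point of the second section is that the infection moves a legitimate executable into a bak folder and drops its own file under the original name, so after a restore the file outside bak should be identical to the one inside it. The script below is an added example written for this page, not FindAWF's own code: it walks a directory tree, finds bak folders, and compares each bak file with the sibling in the parent folder by size and SHA-256, reporting "identical", "differs" (the in-place file is still something else) or "missing". The directory tree it builds is constructed for the demo and mimics three of the folder layouts in the report; the file contents are placeholder bytes, not real executables.

```python
"""Find 'bak' folders and compare their contents with the files they sit beside.

Added example for this page; not part of FindAWF. The sample tree built by
build_sample_tree() is constructed for the demo and only imitates the
report's layout.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass
from pathlib import Path


@dataclass
class BakEntry:
    bak_file: str   # file inside the bak folder (the moved original)
    live_file: str  # where that file is expected to live outside bak
    status: str     # 'identical', 'differs' or 'missing'


def sha256_of(path):
    """Hash a file in chunks so large executables do not get read at once."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_bak_folders(root):
    """Return every directory named 'bak' (any case) below root, sorted."""
    hits = []
    for dirpath, dirnames, _ in os.walk(root):
        for d in dirnames:
            if d.lower() == "bak":
                hits.append(Path(dirpath) / d)
    return sorted(hits)


def compare_bak_contents(root):
    """For each file inside a bak folder, compare it with the parent's copy."""
    results = []
    for bak in find_bak_folders(root):
        for f in sorted(bak.iterdir()):
            if not f.is_file():
                continue
            live = bak.parent / f.name
            if not live.exists():
                status = "missing"
            elif (live.stat().st_size == f.stat().st_size
                  and sha256_of(live) == sha256_of(f)):
                status = "identical"
            else:
                status = "differs"
            results.append(BakEntry(str(f), str(live), status))
    return results


def build_sample_tree(base):
    """Construct a small tree in the shape of the report (placeholder bytes)."""
    msn = base / "Program Files" / "MSN Messenger"
    (msn / "bak").mkdir(parents=True)
    (msn / "MsnMsgr.Exe").write_bytes(b"MZ-legit-messenger")
    (msn / "bak" / "MsnMsgr.Exe").write_bytes(b"MZ-legit-messenger")  # restored
    sys32 = base / "WINDOWS" / "system32"
    (sys32 / "bak").mkdir(parents=True)
    (sys32 / "ctfmon.exe").write_bytes(b"MZ-something-else")       # still replaced
    (sys32 / "bak" / "ctfmon.exe").write_bytes(b"MZ-legit-ctfmon")
    java = base / "Program Files" / "Java" / "jre1.6.0_02" / "bin"
    (java / "bak").mkdir(parents=True)
    (java / "bak" / "jusched.exe").write_bytes(b"MZ-legit-jusched")  # parent gone
    return base


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_tree(Path(tmp))
        for e in compare_bak_contents(root):
            print(f"{e.status:9} {e.live_file}")
```

On a real machine you would point compare_bak_contents at the drive root (or at the folders FindAWF lists) and treat every "differs" result as a file that still needs to be replaced from the bak copy or from known-good media; "identical" entries are the safe leftovers the moderator says can simply be deleted.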
AndyManchesta
post Oct 13 2007, 01:18 PM
Post #22


Power Member
Group Icon

Group: Spyware Moderators
Posts: 1,821
Joined: 12-January 06
From: Manchester. UK
Member No.: 3,836



Thanks Brenda,

Just a few remaining steps to make sure it's not caused damage in other areas :)

Double-click FindAWF.exe to start the tool.
  • Select option #3 - Remove bak folders by typing 3 and press 'Enter'
  • A text file will open up. Please copy/paste the following lines into the text file:
    "C:\Program Files\MSN Messenger\bak"
    "C:\WINDOWS\SMINST\bak"
    "C:\WINDOWS\system\bak"
    "C:\WINDOWS\system32\bak"
    "C:\Program Files\Adobe\Acrobat 7.0\Reader\bak"
    "C:\Program Files\Java\jre1.6.0_02\bin\bak"
  • Close the .txt file and click 'Yes' to save the changes.
  • When the tool has completed, a report will open up in notepad. Please post the results of the awf.txt in your next reply.

Now, in FindAWF,
  • Select option #4 - Reset Domain Zones by typing 4 and press 'Enter'
  • You will be prompted to answer "Reset the domain zones?" Type 1 and press Enter.
  • After completion, type E and press 'Enter'
Note: if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.


Download: ResetProtocolDefaults.reg from here

http://www.mvps.org/winhelp2002/ResetProtocolDefaults.reg

Save it to your desktop then double click the ResetProtocolDefaults.reg (or right click and choose Merge) and allow it to be merged into the registry

Next open an IE browser window, then go to Tools on the top bar, then Internet Options:
  • Go to the Advanced tab and press Restore Defaults
  • Go to the Security tab; it will then be highlighting the Internet zone. Click Default Level if it's not grayed out, then click Apply and OK to close the Security Settings screen.
Finally download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Double-click the drweb-cureit.exe file and allow it to run the express scan
  • This will scan the files currently running in memory, and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, we need to change the default settings. On the menu bar at the top, go to Options > Change Settings.
  • Click on the Actions tab. Using the drop-down menus, change each item under Objects and Malware to Report, then click Apply and OK
  • Next, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'No to all' if it asks if you want to cure/move the file.
  • When the scan has finished, in the menu, click File and choose Save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web CureIt.
  • Post the contents of the log from Dr.Web you saved previously in your next reply.
Thanks

Andy
Brenda2007
post Oct 13 2007, 04:46 PM
Post #23



awf.txt


Find AWF report by noahdfear ©2006
Version 1.40
Option 3 run successfully

The current date is: Sat 10/13/2007
The current time is: 11:32:27.87


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\MSNMES~1\BAK

01/19/2007 12:54 PM 5,674,352 MsnMsgr.Exe
1 File(s) 5,674,352 bytes

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\ADOBE\ACROBA~1.0\READER\BAK

03/30/2006 05:45 PM 313,472 AdobeUpdateManager.exe
1 File(s) 313,472 bytes

Directory of C:\PROGRA~1\JAVA\JRE16~1.0_0\BIN\BAK

07/12/2007 04:00 AM 132,496 jusched.exe
1 File(s) 132,496 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

5674352 Jan 19 2007 "C:\Program Files\MSN Messenger\MsnMsgr.Exe"
5674352 Jan 19 2007 "C:\Program Files\MSN Messenger\bak\MsnMsgr.Exe"
313472 Mar 30 2006 "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe"
313472 Mar 30 2006 "C:\Program Files\Adobe\Acrobat 7.0\Reader\bak\AdobeUpdateManager.exe"
132496 Jul 12 2007 "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
132496 Sep 25 2007 "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
132496 Jul 12 2007 "C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe"


end of report



Dr.Web

I was doing just fine until I got to this part:

QUOTE
Next, mark the drives that you want to scan.
Select all drives. A red dot shows which drives have been chosen.
Click the green arrow at the right, and the scan will start.
Click 'No to all' if it asks if you want to cure/move the file.
When the scan has finished, in the menu, click file and choose save report list
Save the report to your desktop. The report will be called DrWeb.csv
Close Dr.Web Cureit.
post the contents of the log from Dr.Web you saved previously in your next reply


After I changed the dropdowns to say Report (Objects and Malware), hit Apply, and then OK, it took me back to the scan screen. I don't see there where I can mark the drives. I'll wait for your response :)


AndyManchesta
post Oct 13 2007, 05:33 PM
Post #24




It looks like you may have a couple of remaining bak folders on your system, but as they all contain clean files they cannot cause any harm. You could delete them, though, if they still exist, by removing these folders:

C:\Program Files\MSN Messenger\bak
C:\Program Files\Adobe\Acrobat 7.0\Reader\bak
C:\Program Files\Java\jre1.6.0_02\bin\bak


For DrWeb, sorry about that. I've just tried it and need to update the instructions as it's changed a bit.

After it returns to the main menu screen when you have changed the settings to Report, click Complete Scan, then click the green arrow to the right to start the scan.

Cheers
Brenda2007
post Oct 13 2007, 09:55 PM
Post #25



Here you go:

KillWind.exe;C:\hp\bin;Tool.ProcessKill;;
slghex.dll;C:\Program Files\Common Files\Sandlot Shared;Adware.SpywareStorm;;
A0017038.exe;C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP52;Adware.TryMedia;;
A0024239.rbf;C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP62;Trojan.Fakealert.351;;
A0030058.exe;C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP79;Trojan.Fakealert.351;;
A0030059.EXE;C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP79;Trojan.Fakealert.351;;
A0030060.exe;C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP79;Trojan.Fakealert.351;;
A0030062.exe;C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP79;Trojan.Fakealert.351;;
A0030063.exe;C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP79;Trojan.Fakealert.351;;
A0030064.exe;C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP79;Trojan.Fakealert.351;;
A0030689.exe;C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP85;Tool.Prockill;;
A0031999.dll;C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP85;Adware.Look2me.origin;;
Process.exe;C:\WINDOWS\system32;Tool.Prockill;;
firstopt.js;D:\I386\Apps\APP27559;Probably SCRIPT.Virus;;


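The Dr.Web CureIt report posted above is semicolon-separated: file name, directory, detection name, and two trailing fields that are empty in this log. Reading it the way the moderator does in the next reply means separating three kinds of hit: files inside the System Restore store (`System Volume Information\_restore{...}`), which are old restore points cleared by toggling System Restore rather than by deleting files; `Tool.*` detections, which are utilities such as process killers that are not malicious on their own; and heuristic "Probably ..." verdicts that need a human look. What is left is the short list to act on. The script below is an added example written for this page, not Dr.Web's code; the sample lines reproduce five entries from the posted log so the result can be compared with the moderator's verdict.

```python
"""Triage a Dr.Web CureIt DrWeb.csv report into buckets.

Added example for this page. SAMPLE_LOG reproduces five entries from the
posted log in the report's own format (name;directory;detection;;).
"""
import re
from dataclasses import dataclass

# Restore-point store on XP: System Volume Information\_restore{GUID}\RPnn
RESTORE_POINT = re.compile(r"\\System Volume Information\\_restore\{[0-9A-F-]+\}", re.I)

SAMPLE_LOG = r"""
KillWind.exe;C:\hp\bin;Tool.ProcessKill;;
slghex.dll;C:\Program Files\Common Files\Sandlot Shared;Adware.SpywareStorm;;
A0024239.rbf;C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP62;Trojan.Fakealert.351;;
Process.exe;C:\WINDOWS\system32;Tool.Prockill;;
firstopt.js;D:\I386\Apps\APP27559;Probably SCRIPT.Virus;;
"""


@dataclass
class Hit:
    name: str
    directory: str
    detection: str

    @property
    def path(self):
        return self.directory + "\\" + self.name


def parse_drweb_csv(text):
    """Parse the semicolon-separated report; skip blank or malformed lines."""
    hits = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = line.split(";")
        if len(parts) < 3:
            continue  # not enough fields to trust; do not guess
        hits.append(Hit(parts[0], parts[1], parts[2]))
    return hits


def triage(hits):
    """Sort hits into restore-point, tool, heuristic and action buckets."""
    buckets = {"restore_point": [], "tool": [], "heuristic": [], "action": []}
    for h in hits:
        if RESTORE_POINT.search(h.directory):
            buckets["restore_point"].append(h)   # cleared by flushing System Restore
        elif h.detection.startswith("Tool."):
            buckets["tool"].append(h)            # utility, review but usually harmless
        elif h.detection.lower().startswith("probably "):
            buckets["heuristic"].append(h)       # heuristic verdict, needs a human look
        else:
            buckets["action"].append(h)          # live detection to remove
    return buckets


if __name__ == "__main__":
    for bucket, items in triage(parse_drweb_csv(SAMPLE_LOG)).items():
        for h in items:
            print(f"{bucket:14} {h.detection:24} {h.path}")
```

Run against the five sample lines, the only item in the action bucket is `slghex.dll` under Sandlot Shared, which is exactly the one file the moderator asks to have deleted in the next post.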
AndyManchesta
post Oct 15 2007, 08:15 PM
Post #26



Hi Brenda,

That looks fine, a few infected restore points and some detections for harmless files, so just this one file to remove:

Delete

C:\Program Files\Common Files\Sandlot Shared\slghex.dll

Then clear your System Restore points again

Go to Start > Run > type (or copy and paste)

control sysdm.cpl,,4

press Enter

Place a check in the box Turn off System Restore

Click Apply then click Yes on the confirmation popup

Turn it back 'On' by unticking the same checkbox & click OK


To help prevent more infections consider installing and running the following free programs:

Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" feature.

Spywareblaster
SpywareBlaster can help prevent malware installing by adding hundreds of malicious sites to the restricted zone of IE and blocking the common spyware ActiveX controls which prevents the installation of any of them via webpages.
A tutorial on using SpywareBlaster may be found here.

More information on how to prevent malware can also be found Here (By Tony Klein)


Please post a final HijackThis log and let me know if there's any remaining problems

Thanks

Andy
Brenda2007
post Oct 16 2007, 02:33 AM
Post #27



Do I have to run these programs before HijackThis? And what do I do with all the programs I have installed (awf, drweb, etc.)? They are not in the Add/Remove Programs list and they are on my desktop. Here is the final HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:32:48 PM, on 10/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ps2.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
C:\Program Files\Maxthon\Maxthon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 207.59.107.175:80
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: POPStopperIE.CToolbar - {4B7B69EB-A00F-4FCD-B601-ACCBB86ED528} - C:\Program Files\POP-Stopper-IE\POP-Stopper-IE.dll (file missing)
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [RECGUARD] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [ps2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Anonymizer] C:\Program Files\Anonymizer\Anonymizer Software\Anonymizer.exe -nogui
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O16 - DPF: {36D04559-44B7-45E0-BA81-E1508FAB359F} - http://unity3d.com/download_webplayer/UnityWebPlayer.cab
O16 - DPF: {3C5B2DBA-9C59-4A9D-8CB2-D67F93863962} (CSGI Control) - http://www.crystalsquid.com/games/CSGI.cab
O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.com/nos_dl_manager_dev/p...IEGetPlugin.ocx
O16 - DPF: {475E5A2B-6EAC-4EA3-880A-55207CB012B5} (CMA_X Class) - http://wucma.wyldfyre.com/bin/CMAX.dll
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eB...l_v1-0-3-36.cab
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://www.installshield.com/install/iftwclix.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1139523928046
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab
O16 - DPF: {7D731A83-6C80-4EA4-9646-5E06A0513274} (Sandlot Loader Control) - http://www.shockwave.com/content/ballistik...gwebinstall.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://orders.wyldfyre.com/downloads/CMAWeb/6/isetup.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} - http://update.videoegg.com/Install/Windows...ggPublisher.exe
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game08.zylom.com/activex/zylomgamesplayer.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.30.16/ttinst.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...0/installer.exe
O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - https://disney.go.com/games/downloads/gamem...GameManager.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...5/installer.exe
O16 - DPF: {DC75FEF6-165D-4D25-A518-C8C4BDA7BAA6} (CPlayFirstDinerDashControl Object) - http://aolsvc.aol.com/onlinegames/dinerdas...sh.1.0.0.72.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://aolsvc.aol.com/onlinegames/chuzzled...aploader_v7.cab
O16 - DPF: {EB6D7E70-AAA9-40D9-BA05-F214089F2275} - http://download.clickteam.com/vitalize3/vitalize.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7B933AC2-7D2E-40E1-ACEE-5B09BC93C242}: NameServer = 68.87.71.226,68.87.73.242
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 10367 bytes


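The HijackThis log above is what the moderator reads to declare the machine clean. Each diagnostic line starts with a section code (R0 to R3, O1 to O24), a dash and the entry body, so it is straightforward to split into sections and pull out the entries a reviewer checks first. The script below is an added example written for this page, not HijackThis code. It flags three things: registrations whose file is gone ("(file missing)", a dead entry to tidy up), a configured proxy server (R1, to be confirmed against software the user knows about, in this log the Anonymizer client), and O16 ActiveX download paths fetched over plain http, where the transport gives no protection against tampering with the download. These are pointers for a human to verify, not verdicts; the moderator judged the posted log clean. The sample lines are copied from the posted log.

```python
"""Split a HijackThis log into sections and list review pointers.

Added example for this page, not HijackThis code. SAMPLE_LOG is a handful
of lines copied from the posted log.
"""
import re
from collections import defaultdict

# "R1 - body", "O16 - body", ...; everything else (header, process list) is skipped
ENTRY = re.compile(r"^([RO]\d{1,2}) - (.*)$")

SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows XP SP2 (WinNT 5.01.2600)
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 207.59.107.175:80
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: POPStopperIE.CToolbar - {4B7B69EB-A00F-4FCD-B601-ACCBB86ED528} - C:\Program Files\POP-Stopper-IE\POP-Stopper-IE.dll (file missing)
O4 - HKCU\..\Run: [Anonymizer] C:\Program Files\Anonymizer\Anonymizer Software\Anonymizer.exe -nogui
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
"""


def parse_hijackthis(text):
    """Return {section_code: [entry_body, ...]} for every diagnostic line."""
    sections = defaultdict(list)
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            sections[m.group(1)].append(m.group(2))
    return dict(sections)


def review_points(sections):
    """List (reason, section, body) tuples a reviewer should look at."""
    points = []
    for code, bodies in sections.items():
        for body in bodies:
            if "(file missing)" in body:
                points.append(("dead registration", code, body))
            if code == "R1" and "ProxyServer" in body:
                points.append(("proxy configured", code, body))
            if code == "O16" and " - http://" in body:
                points.append(("ActiveX over plain http", code, body))
    return points


if __name__ == "__main__":
    secs = parse_hijackthis(SAMPLE_LOG)
    for code in sorted(secs):
        print(f"{code}: {len(secs[code])} entr{'y' if len(secs[code]) == 1 else 'ies'}")
    for reason, code, body in review_points(secs):
        print(f"[{reason}] {code} - {body}")
```

Against the full log on this page the same checks would surface the POP-Stopper toolbar entry, the R1 proxy setting and every O16 entry served over http; none of those is a finding by itself, which is why the moderator's reading, not the script, decides the verdict.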
AndyManchesta
post Oct 16 2007, 12:05 PM
Post #28



Hi Brenda,

That's a clean log (eventually) :)

You can delete FindAWF and DrWeb as they are not needed now; just delete the files, as they do not add anything else to the system. It's up to you if you want to install the two programs I suggested in the last post. They are free programs and will hopefully help you to prevent more infections. SpywareBlaster will help by adding hundreds of malicious sites to the restricted zone of IE so they cannot download any files to your system; it doesn't run in the background and can just be run, updated, then enable all protection and close the program. It can then just be run once every other week to check for any updates. Spybot is a free malware remover; it also has an Immunize feature that will prevent access to known malware sites, and TeaTimer protection to monitor the system for any changes and ask if they can be allowed before they happen, but if you didn't want to enable that option with your kids also using the PC then it can be unchecked when you run the installer. The tutorial links I added in the last post will give a lot more information on the programs, though, if needed.

Please also read Tony Klein's excellent article below, as that contains a lot of useful information and links to help keep the PC secure:
So how did I get Infected in the First Place?

Your logs now look fine, and hopefully the extra programs will help prevent more trojans, as you had a couple of nasties there: the first used rootkit features to hide its files and the second replaced legit files with copies of itself.

Let us know how it goes or if there's any problems remaining

Cheers
Brenda2007
post Oct 16 2007, 01:39 PM
Post #29



Thank you! Wow, that was a trip, huh. I'll make sure to keep my PC clean regularly. Thanks again for your patience and easy-to-understand instructions :)


AndyManchesta
post Oct 19 2007, 07:23 PM
Post #30




You're welcome, Brenda, I'm glad I could help.

Happy surfing :)

Andy

