Ok, I'm out of my league... 1

[CharlieSummers]

(*sigh*) I'm generally a really careful guy, but I got a bug I simply cannot get rid of, and so humbly request advice from those much more able than I.

Running Spybot SD shows (in the last run) Zeno, Pacimedia, SexList, 7FaSSt, and BookedSpace; it fixes all but the latter two telling me it needs a reboot to successfully complete; on reboot it finds one or more of the above, which it can't fix until a reboot, ad nausium. I assume the two that cannot be dealt with are pulling others in, as I get different combinations of the others, even after being "cleaned." I've gone so far as to boot in safe mode and run the thing, but still no joy. (Actually, if I run Spybot SD and tell it it may run at next boot, and then re-run it immediately, it tells me there are no immediate threats; but as soon as I reboot, stuff is back and can't be cleaned without a reboot.)

Running Windows Defender B2 tells me my computer is running normally (yeah, right). For some reason I haven't been able to run AdAware for months...something in there locks the machine up every time I run it. AVG says I'm clean.

I've been deleting files from bogus Adobe and Oracle directories in /Program Files/Common/, a phony security directory (CURITY~1) in /Windows/, starting in safe mode, using MSConfig to kill starts, and still the d*mned thing keeps coming back. I have manually removed reg entries in safe mode, and they keep coming back.

I include the HijackThis file below, run immediately after a reboot, and Spybot SD run which "cleaned" everything except 7FaSSt and BookedSpace. I was able to eliminate the pointers to files in the C:\Program Files\Common Files\?racle\ directory (that can't even be good); a visit on the command prompt also shows a C:\Program Files\Common Files\?dobe\ directory...how exactly does one delete a directory name that starts with a wildcard character, anyway? (Other than booting into a linux and using backslash as an escape, I mean.)

I thank all in advance for any advice, and apologize if any of my frustration made it into this post.

Logfile of HijackThis v1.99.1
Scan saved at 12:03:59 PM, on 5/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\RealVNC\VNC4\winvnc4.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\cfg32.exe
C:\Program Files\Common Files\Ulead Systems\DVD\USISrv.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\Blue Security\bluefrog.exe
C:\Program Files\WinTV\Ir.exe
C:\Program Files\Rocket Software\RocketTime\RocketTime.exe
C:\WINDOWS\cfg32a.exe
C:\WINDOWS\system32\sistray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Juice\Juice.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
C:\Program Files\DynDNS Updater\DynDNS.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\RealVNC\VNC4\vncviewer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\FileZilla\FileZilla.exe
C:\Program Files\putty\putty.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\WINDOWS\system32\streamripper.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [URL unfurl="true"]http://www.lofcom.com/[/URL]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [URL unfurl="true"]http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home[/URL]
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {02DCA195-602B-4B1F-83FF-381B7E804BDB} - C:\WINDOWS\system32\HDBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: CFG32S - {7564B020-44E8-4c9b-A887-C6EC41AC67DA} - C:\WINDOWS\cfg32r.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Scaggy Insert - {C68AE9C0-0909-4DDC-B661-C1AFB9F59898} - C:\WINDOWS\cfg32o.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [TotalRecorderScheduler] "C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe"
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB003" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Configuration Manager] C:\WINDOWS\cfg32.exe
O4 - HKLM\..\Run: [USIUDF_Eject_Monitor] C:\Program Files\Common Files\Ulead Systems\DVD\USISrv.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [UsbPhoneLinker] C:\Program Files\AtcomUsbDialer\AtcomUsbDialer.exe
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [Blue Frog] C:\Program Files\Blue Security\bluefrog.exe
O4 - Startup: Juice.lnk = C:\Program Files\Juice\Juice.exe
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: AutoStart IR.lnk = C:\Program Files\WinTV\Ir.exe
O4 - Global Startup: Rocket.Time.lnk = C:\Program Files\Rocket Software\RocketTime\RocketTime.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: [URL unfurl="true"]http://blogs.oldradio.net[/URL]
O15 - Trusted Zone: *.xmradio.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - [URL unfurl="true"]http://go.microsoft.com/fwlink/?linkid=39204[/URL]
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [URL unfurl="true"]http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1121231988280[/URL]
O17 - HKLM\System\CCS\Services\Tcpip\..\{2CAC1D9C-3596-4279-9472-2D4D11D9FD2C}: NameServer = 4.2.2.1,4.2.2.2
O17 - HKLM\System\CS1\Services\Tcpip\..\{2CAC1D9C-3596-4279-9472-2D4D11D9FD2C}: NameServer = 4.2.2.1,4.2.2.2
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: DynDNS Updater Service (DynDNS_Updater_Service) - Kana Solution - C:\Program Files\DynDNS Updater\DynDNS.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\winvnc4.exe" -service (file missing)

 

[smah]

I didn't read the HJT log yet, but make sure that you run Spybot in Windows Safe Mode by pressing F8 at boot up.

 

[CharlieSummers]

I didn't read the HJT log yet, but make sure that you run Spybot in Windows Safe Mode by pressing F8 at boot up.

Yup, did that. Quite a few times.

More: after reading threads here, downloaded ewido and ran it; it found a whole boatload of stuff, which I removed (except for VNC which I use), and immediately restarted. After the restart, Spybot SD ran, and told me everything was fine. I ran ewido again, and it...you guessed it...found a boatload of stuff. And the second time it ran, it actually triggered the AVG resident shield twice with files in the temporary directory I moved to its virus vault. (*sigh*) This computer is seriously compromised...in a half-hour or so (the machine is recording an Internet radio stream at the moment) I'm going to try running ewido in safe mode and see if that helps.

When this is all over with, I'm going to break open that 15-year-old scotch.

 

[erikhertzel]

Remove the following:

C:\WINDOWS\cfg32.exe

C:\WINDOWS\cfg32a.exe

C:\Program Files\Juice\Juice.exe

R3 - Default URLSearchHook is missing

O2 - BHO: CFG32S - {7564B020-44E8-4c9b-A887-C6EC41AC67DA} - C:\WINDOWS\cfg32r.dll

O2 - BHO: Scaggy Insert - {C68AE9C0-0909-4DDC-B661-C1AFB9F59898} - C:\WINDOWS\cfg32o.dll

O4 - HKLM\..\Run: [Configuration Manager] C:\WINDOWS\cfg32.exe

--------if you don't know about the following below delete..
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
------------------

Webroot Spysweeper

Download it here:

http://www.sabethacomputing.com/downloads.html

Webroot Spysweeper 14 day Trial

Update the defs and do a sweep.

Also check this out:

Ewido download:

http://www.ewido.net/en

Update it and run a complete scan.


I would also check it with some other virus scanners just to make sure.

http://housecall.trendmicro.com

http://www.pandasoftware.com/activescan

Best regards.

Erik

 

[CharlieSummers]

First, much thanks for your reply!

Remove the following:

C:\WINDOWS\cfg32.exe

C:\WINDOWS\cfg32a.exe

(*sigh*) Done that a few times now...d*mned things keep coming back. Will delete again, and more - see below.

C:\Program Files\Juice\Juice.exe

Er...I will, if you think best, but I don't understand why I should delete my podcast client.

R3 - Default URLSearchHook is missing

O2 - BHO: CFG32S - {7564B020-44E8-4c9b-A887-C6EC41AC67DA} - C:\WINDOWS\cfg32r.dll

O2 - BHO: Scaggy Insert - {C68AE9C0-0909-4DDC-B661-C1AFB9F59898} - C:\WINDOWS\cfg32o.dll

O4 - HKLM\..\Run: [Configuration Manager] C:\WINDOWS\cfg32.exe

Will delete cfg32.exe, cfg32a.exe, cfg32o.dll, cfg32p.dll, cfg32r.dll, and cfg32s.dll as soon as the current audio recording stops and I can boot back into safe mode. But I don't hold out much hope of them staying gone...something is reloading all this stuff every time I (or the anti-malware software) deletes it.

--------if you don't know about the following below delete..
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
------------------

WinPCap was a necessary install for URL Snooper, which I've used in the past to track recirected URLs. I suppose it could be used by the bad guys, but I'd wager they'd install their own copy. Still, it won't hurt to dump at least for now.

Webroot Spysweeper
<snip>
Ewido download:

Got Ewido...see earlier posting. Didn't download Spysweeper yet, but if the otehrs can't handle it I will.

I also discovered a file C:\stub_venthh.exe - the only Google listing I could find for it is at prevx.com, listing it as a malware downloader (they, of course, want me to buy and run their software so they don't have instructions on how to remove whatever installed it). Yep...deleted it, too, along with C:\Trelew.exe also listed as a malware downloader.

(*sigh*) I'm working tonight to offload all of the autotasks this machine has for tomorrow, so I can spend the whole day in safe mode trying to kill this stuff off once-and-for-all (this machine's not only acting as a video recorder, it's also the only audio recorder computer until I can get the Athelon64 Gentoo install working correctly on the new machine). Will report on my progress (or lack thereof) in the morning after the Mother's Day festivities are handled.

 

[BadBigBen]

Juice is FINE... Leave it...

but what I did not notice, is a mention of the RESTORE FEATURE... while cleaning any MalWare, XP's Restore feature should be turned OFF and all RESTORE POINTS should be CLEANED Prior to removal of any nasties out there...

Read: faq760-4962



Ben

"If it works don't fix it! If it doesn't use a sledgehammer..."

 

[CharlieSummers]

but what I did not notice, is a mention of the RESTORE FEATURE... while cleaning any MalWare, XP's Restore feature should be turned OFF and all RESTORE POINTS should be CLEANED Prior to removal of any nasties out there...

Yep, should have caught that myself; done and thanks. Working now in safe mode to see if I can get the *#&^%!! thing cleaned up.

 

[CharlieSummers]

Somewhat depressing log of events:

Boot machine into Safe Mode; kill caches in both browsers (routinely use FireFox, but use IE for Windows Update), kill restore feature, etc.

Ran Ewido (220+ minutes!!!), found BookedSpace, quarantined. Ran Spybot SD; found BookedSpace, 7FaSSt, Pacimedia, deleted. Ran AVG; couldn't check MBR or boot sector of disc (???), no viruses found. Ran Ad-Aware SE (runs fine in Safe Mode, although it hangs in straight boot), found BookedSpace (two Items), quarantined and deleted.

Reboot machine into Safe Mode.

Ran Spybot SD; no immediate threat found. Ran Ad-Aware SE smart scan; nothing found. Ran long Ewido scan, nothing (other than my VNC install) found.

Reboot machine into standard mode.

Ran Spybot SD; found BookedSpace, 7FsSSt, Pacimedia, fix selected problems handles 14, 2 in memory to be fixed on reboot. Stop me if you've heard this before...

(*sigh*) I am going to go to bed now (while for giggles running Ewido just to confirm the diagnosis), and in the morning return refreshed to deal with this machine yet again. I'd appreciate any insights more constructive than the thoughts I'm having now, which lean toward shotguns and explosives.

 

[erikhertzel]

Try running spysweeper.

Erik

 

[tfg13]

Thought about RootKits? Maybe try running this from

http://www.sysinternals.com/Utilities/RootkitRevealer.html.

 

[CharlieSummers]

Try running spysweeper.

Will do. Apologies...was unexpectedly out all day, and so didn't get anything accomplished other than to run Ewido last night on a short scan which found nothing, and a through scan this evening which found BookedSpace and PowerStrip. I quarantined and deleted, but more for the sport than any expectation of results.

Also received an error opening the My Documents folder; "An exception occurred while trying to run C:\WINDOWS\cfg32p.dll,DllSpawn" - clearly the d*mned thing is reloading these cfg32*.* files (which I've manually deleted, as well as allowing the various anti-malware apps to remove). Again, deleted what I could, but this is evil; I ended the cfg32.exe process, and quickly deleted the file. It was recreated almost instantly. By ending the process tree on cfg32a.exe, however, I was able to delete everything except cfg32p.dll. (I have no idea if any of this is relevant, of course.)

I need to push the machine to make some video recordings this evening, but will boot into Safe Mode tomorrow morning and run SpySweeper, and will report results here. I'm also going to physically yank out the networking card to see if that helps.

Before I go, a heartfelt thanks to all for not only the advice but for the handholding.

 

[erikhertzel]

Make sure you update Spysweeper before running. I don't think taking out the NIC will help, just update Spysweeper and then disconnect from the Internet until clean.

Erik

 

[BadBigBen]

Some info on the baddy:

http://fileinfo.prevx.com/QQ781520492211-CFG315854471/CFG32S.DLL.html

http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453074932

Ben

"If it works don't fix it! If it doesn't use a sledgehammer..."

 

[CharlieSummers]

Ooookkkk....spent the day working on this puppy.

Before rebooting into Safe Mode, I noticed on another thread a reference to something called SUPERAntiSpyware, the first time I heard of it. So for yucks, I downloaded, installed, and ran a complete scan - it found BookedSpace, ClickSpring/PuritySCAN, ClickSpring/Yazzle, SearchClickAds, some cookies, and the trojan Override. Quarantined. (I was impressed that it found and handled things without requiring a reboot. This is free, with the obligatory Pro version, but Erik you might want to add

http://www.superantispyware.com

to your excellent links page.)

Restart to Safe Mode.

Ran SpyBot SD; no threats found. Ran Ewido; quick scan reports, nothing found, Ran SpySweeper; found elietemediagroup-mediamotor, zenosearchassistant, quarantined. Ran Ad-Aware SE; no critical objects found. Ran SUPERAntiSpyware (complete scan); nothing found.

Reboot into standard mode.

Run RootkitRevealer as suggested by tfg13; the lines I can't explain (d*mned if Juice didn't download an MP3 file while it was running, so there was a .part file) follow:

HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\s0	11/17/2005 3:12 PM	4 bytes	Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\s1	11/17/2005 3:12 PM	4 bytes	Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\s2	11/17/2005 3:12 PM	4 bytes	Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\g0	11/17/2005 3:12 PM	32 bytes	Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\h0	11/17/2005 3:12 PM	4 bytes	Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4	11/17/2005 6:49 PM	0 bytes	Hidden from Windows API.
I:	 	0 bytes	Error mounting volume

I admit I'm a little unclear how to intepret the \cfg\ entries, but I'm hoping they're a stub from the cfg32 stuff; I assume the problem with drive I: is that it's FAT32. Anyway, ran Spybot SD; nothing found. Ran SUPERAntiSpyware; nothing found. Ran a full scan in ewido; nothing found. Ran SpySweeper; nothing found.

(Man, that's a whole lot of scanning...)

I am cautiously optimistic; dare I dream that the machine is clean enough to be placed back into full service?

 

[Glenn9999]

I would have probably just claimed my files, reformatted the thing, and reinstalled it all by now (you have more patience than I).

http://www.blumentals.net/products/procview.php

The other thing I can think of to try that hasn't been mentioned is "ProcView". It's a full process viewer which should show you everything that is currently running on the system. Actually to me, this has become a first step in searching out rogue programs. If you know what is supposed to be running on a clean system, you can look over the list it produces and then kill the processes of the strange programs before you run your scanners - even if you kill the programs that are normally supposed to be loaded on the computer, you won't permanently change the config and the bad program can't stop the other programs from working.

If this stuff is resident, it's going to copy over things, restore links, change back the registry entries HiJackThis! does and everything else. Either from a file stash somewhere else on your drive, from the internet, or what have you.

So, just thought I'd add another option to the table.

 

[erikhertzel]

Charlie,

I would say you are good to go at this point, what else can be done. MOnitor closely. A star for you for mentioning the new software that I will be checking out.

Glenn9999....there is definately a point and time to just format depending on the situation and the computer that is involved. It just depends I guess. But, you are very correct in pointing this fact out.

Best regards.

Erik