
Author Topic: trojan horse in captivity  (Read 12507 times)


nocolonleft

    Topic Starter


    Rookie

    Re: trojan horse in captivity
    « Reply #30 on: February 21, 2008, 10:14:39 PM »
    ... for me too,.. thanks Broni

    Broni


      Mastermind
    • Kraków my love :)
    • Thanked: 614
      • Computer Help Forum
    • Computer: Specs
    • Experience: Experienced
    • OS: Windows 8
    Re: trojan horse in captivity
    « Reply #31 on: February 22, 2008, 05:09:49 PM »
    Disable TeaTimer, as it'll interfere with the cleaning process:
    Right click Spybot's TeaTimer System Tray Icon.
    Click Exit Spybot-S&D Resident.
    TeaTimer closes.


    1. Print this post out, since you won't have access to it at some point.

    2. Close all windows, except for HijackThis.

    3. Put a checkmark next to the following HijackThis entries (some entries will be checkmarked to disable unnecessary startups; in those cases (marked with *), no actual program will be removed):

    - O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    - *O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    - *O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    - *O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    - *O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
    - O4 - HKLM\..\Run: [EarthLink Installer] " /C
    - *O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    - *O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    - O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\4.bin\MWSBAR.DLL,S
    - *O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
    - *O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    - *O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    - O4 - HKCU\..\RunOnce: [SpybotDeletingB6312] command /c del "C:\Documents and Settings\Richard\Local Settings\Temp\laf1.exe_old"
    - O4 - HKCU\..\RunOnce: [SpybotDeletingD8742] cmd /c del "C:\Documents and Settings\Richard\Local Settings\Temp\laf1.exe_old"
    - O4 - HKCU\..\RunOnce: [SpybotDeletingB3511] command /c del "C:\Program Files\Online Add-on\ictun.exe"
    - O4 - HKCU\..\RunOnce: [SpybotDeletingD1541] cmd /c del "C:\Program Files\Online Add-on\ictun.exe"
    - O4 - HKCU\..\RunOnce: [SpybotDeletingB8255] command /c del "C:\Program Files\Online Add-on\ictmdl.dll_old"
    - *O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    - *O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    - O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZRfox000
    - O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)

    4. Click on "Fix checked" button.

    5. Restart your computer in Safe Mode (keep tapping F8 key, when your computer starts)

    6. Open Windows Explorer. Go Tools>Folder Options>View tab, put a checkmark next to "Show hidden files, and folders".

    7. Delete the following files/folders (if present):

    - MyWebSearch folder from C:\Program Files
     
    8. Turn off System Restore:

    - Windows XP:
       1. Click Start.
       2. Right-click the My Computer icon, and then click Properties.
       3. Click the System Restore tab.
       4. Check "Turn off System Restore".
       5. Click Apply.
       6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
       7. Click OK.
    - Windows Vista:
       1. Click Start.
       2. Right-click the Computer icon, and then click Properties.
       3. Click on System Protection under the Tasks column on the left side
       4. Click on Continue on the "User Account Control" window that pops up
       5. Under the System Protection tab, find Available Disks
       6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C:")
       7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
       8. Click OK

    9. Restart in Normal Mode.

    10. Turn System Restore on.

    11. Post new HijackThis log.
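
An added example, not part of Broni's post and not HijackThis's own code: a small Python parser for the entry notation used in the fix list of reply #31. It splits each line into section code, entry type, value name and target, and flags the post's `*` marker and the `(no file)` / `(file missing)` markers. The function names and group labels are hypothetical; the sample lines are copied from the post.

```python
import re

# Lines copied from the fix list in reply #31; the leading "*" is that post's
# own marker for "startup disabled only, no program removed".
SAMPLE = r"""
- O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
- *O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
- O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\4.bin\MWSBAR.DLL,S
- O4 - HKCU\..\RunOnce: [SpybotDeletingD1541] cmd /c del "C:\Program Files\Online Add-on\ictun.exe"
- *O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
- O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
"""

# "<section> - <entry type>: <rest>", with the optional list dash and "*".
LINE = re.compile(r"^\s*-?\s*(?P<star>\*?)(?P<sec>[A-Z]\d{1,2}) - (?P<kind>[^:]+): (?P<rest>.*)$")
RUN_VALUE = re.compile(r"^\[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$")
ORPHAN = re.compile(r"\((?:no file|file missing)\)\s*$")

def parse_entry(line):
    """Return a dict for one fix-list line, or None if it is not an entry."""
    m = LINE.match(line)
    if not m:
        return None
    rest = m["rest"].strip()
    entry = {"section": m["sec"], "kind": m["kind"].strip(),
             "startup_only": m["star"] == "*",
             "orphaned": bool(ORPHAN.search(rest)),
             "name": None, "target": rest}
    rv = RUN_VALUE.match(rest)
    if rv:                      # O4 registry autorun: [value name] command line
        entry["name"], entry["target"] = rv["name"], rv["cmd"]
    elif " = " in rest:         # O4 startup-folder shortcut: name.lnk = path
        name, target = rest.split(" = ", 1)
        entry["name"], entry["target"] = name.strip(), target.strip()
    return entry

def parse_fix_list(text):
    return [e for e in map(parse_entry, text.splitlines()) if e]

def triage(entries):
    """Group entries: orphaned (target file gone), startup_only (the post's *), other."""
    groups = {"orphaned": [], "startup_only": [], "other": []}
    for e in entries:
        key = "orphaned" if e["orphaned"] else (
            "startup_only" if e["startup_only"] else "other")
        groups[key].append((e["section"], e["name"] or e["target"]))
    return groups

if __name__ == "__main__":
    for key, items in triage(parse_fix_list(SAMPLE)).items():
        print(key, items)
```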

    nocolonleft


      Re: trojan horse in captivity
      « Reply #32 on: February 22, 2008, 10:00:41 PM »
      hey Broni,.. well,.. when i opened up hijackthis to "fix" the selected files,.. i couldn't find all the files you wanted me to fix. there were 6 files i couldn't find ,... 5 were " -04 - HKCU\..\runonce: [spybotdeletingB6312, D8742, B3511, D1541, and B8255,] ,.. and one was -08 - extra context menu item & search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZRfox000,.. i checked and fixed all the others,.. but i'm guessing these "missing " files need to be fixed too,. so here's a new HJT log

      [file cleanup - saving space - attachment deleted by admin]

      Broni


      Re: trojan horse in captivity
      « Reply #33 on: February 23, 2008, 08:59:42 AM »
      It looks much better...
      Open HJT one more time, and checkmark:
      - O8 - Extra context menu item: &Search - ?p=ZRfox000
      Click "Fix checked".
      Restart computer, and post new HJT log.

      nocolonleft


        Re: trojan horse in captivity
        « Reply #34 on: February 23, 2008, 01:30:27 PM »
        hi Broni,... here's the newest hjt log

        [file cleanup - saving space - attachment deleted by admin]

        Broni


        Re: trojan horse in captivity
        « Reply #35 on: February 23, 2008, 01:35:29 PM »
        The log is clean.

        Download, and install CCleaner: http://www.ccleaner.com/download/builds. Get "Slim" version.
        Read the CCleaner instructions here: http://www.jahewi.nl/ccleaner/ccleaner.html, and run CCleaner.

        How is your computer doing?

        nocolonleft


          Re: trojan horse in captivity
          « Reply #36 on: February 26, 2008, 01:42:16 PM »
          Hi Broni,.. the computer seems to be doing much better ,.. thanks very much to you. I do still have a question or two. Since i've deleted my Norton Anti-virus, what protection do i have now? Is the AVG a good anti-virus/malware protection?... and is my Windows firewall sufficient?
            Thanks again for all your help,.. it's GREATLY appreciated

          Broni


          Re: trojan horse in captivity
          « Reply #37 on: February 26, 2008, 02:31:39 PM »
          Good...
          AVG is a very good AV program. As for malware real-time protection, you may want to download and install the free ThreatFire: http://www.threatfire.com/, which will give you real-time protection against malware.
          It won't interfere with your antivirus, nor firewall.

          Windows firewall has pretty poor ratings, so I recommend you download the free Comodo firewall: http://www.personalfirewall.comodo.com/, turn off Windows Firewall, and install Comodo.