I just spent 30 minutes on the phone with our cable ISP and they did a remote reset of my modem . . . so now I'm back online and replying from home! I'm still concerned about viruses and settings because it is taking a real long time to get logged in and connected. Should I still run GMER?

Good news
Please, run GMER.
We'll couple more scan to make sure your computer is totally clean....

When I run GMER it appears to complete its scan and I can click Save or Copy. Problem is my machine then locks and I cannot paste the log, close GMER, or open any other application. I did this after my last post yesterday and after rebooting lost my browser and e-mail connectivity again. Turns out ZoneAlarm was blocking all attempts to connect so I uninstalled it and let Windows Firewall run.

Back in business again but the GMER scan is still outstanding and things are generally running slow. Should I try GMER again or some other utility, and should I remove some of the others I ran originally (like SuperAntiSpyware) or permanently disable them? Like you said it would be good to confirm the computer is completely clean. Thanks.

Please download The Avenger by Swandog46 to your Desktop.
- Right click on the Avenger.zip folder and select Extract All...
- Follow the prompts and extract the avenger folder to your desktop

Double click on avenger.exe.
Click OK in pop-up window.

Avenger window will open.

Click on Execute button.
Click OK in two consecutive pop-up windows.

Your computer will re-boot now.

Upon re-boot, Notepad window will open.
Select all text, copy it, and paste it into next reply.

NOTE. If the log doesn't open on reboot, open Avenger again, and go File>Open Log File.

Here's the Avenger log.

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Completed script processing.

*******************

Finished! Terminate.

Are we still dealing with redirection issue?

No redirect, IE is running fine. Ready to declare my computer clean? If so the only question I would have left is what protective softwares should I keep active to minimize the risk of this happening again.

Very well then

1. Download Temp File Cleaner (TFC)
Double click on TFC.exe to run the program.
Click on Start button to begin cleaning process.
TFC will close all running programs, and it may ask you to restart computer.


2. Go to Kaspersky website and perform an online antivirus scan.

1. Disable your active antivirus program.
2. Read through the requirements and privacy statement and click on Accept button.
3. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
4. When the downloads have finished, click on Settings.
5. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

• Spyware, Adware, Dialers, and other potentially dangerous programs
• Archives
• Mail databases

6. Click on My Computer under Scan.
7. Once the scan is complete, it will display the results. Click on View Scan Report.
8. You will see a list of infected items there. Click on Save Report As....
9. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.

Post fresh HijackThis log as well.

TFC and Kaspersky ran with no issues (Kaspersky report page blank, no threats found). The new HJT log is attached.

Attached Files

hijackthis_2010-02-13.txt (8.7 KB, 1 views)

Verify your Java version here: http://www.java.com/en/download/installed.jsp
Update, if necessary.
Uninstall all previous Java versions, through Add\Remove (Programs & Features in Vista).

==========================================================================

Disable TeaTimer, as it'll interfere with the cleaning process:
Right click Spybot's TeaTimer System Tray Icon.
Click Exit Spybot-S&D Resident.
TeaTimer closes.
NOTE. If on re-boot, Spybot inquires about registry change(s), allow it.

Alternatively, I suggest, you uninstall Spybot since it's a tool of the past.

=========================================================================

Print this post out, since you won't have an access to it, at some point.

1. Open HijackThis.

2. Close all windows, except for HijackThis.

3. Put checkmarks next to the following HijackThis entries:

nothing malicious to remove

4. You should also checkmark following entries (these are unnecessary startups; no actual programs will be removed):

- O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
- O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [unless you have paid version]
- O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
- O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [unless you have paid version]


5. Click on Fix checked button.

6. Restart computer.


When done....


Your computer is clean

1. Turn off System Restore:

- Windows XP:
1. Click Start.
2. Right-click the My Computer icon, and then click Properties.
3. Click the System Restore tab.
4. Check "Turn off System Restore".
5. Click Apply.
6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
7. Click OK.
- Windows Vista:
1. Click Start.
2. Right-click the Computer icon, and then click Properties.
3. Click on System Protection under the Tasks column on the left side
4. Click on Continue on the "User Account Control" window that pops up
5. Under the System Protection tab, find Available Disks
6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C:")
7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
8. Click OK

2. Restart computer.

3. Turn System Restore on.

4. Make sure, Windows Updates are current.

5. If any Trojan was listed among your infection(s), make sure, you change all of your on-line important passwords (bank account(s), secured web sites, etc.) immediately!

6. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

7. Run defrag at your convenience.

8. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

9. Please, let me know, how is your computer doing.

My browsers are working fine and all other processes seem to have bumped back up to their old speeds. I have Avast and Ad-Aware running with the Windows firewall (I removed ZoneAlarm after finding it was causing grief with my internet access). I implemented your latest recommendations today and will go through the protection items from the bleepingcomputer.com post.

I really appreciate all the help you have provided. Not sure how you folks can meet all the cries for help . . . it's a great service.

You're very welcome
I suggest, you uninstall Ad-aware, which is a tool of the past and use Super and 'Bytes instead.
Happy surfing

By that you mean Malwarebytes and SuperAntiSpyware?

Yes..........

Hey Broni - thought you might like to know that everything is still running smooth and fast. One last question if you don't mind. How often would you recommend running Super and 'Bytes . . . is weekly adequate? Thanks again.

Weekly is fine, or, if you feel like your computer misbehave.