Hi =] Trojan gen =/

jc81, here's what I see. HijackThis should not be run from the Desktop as it keeps its backup files there and could really mess up the Desktop.

You should install Service Pack 3.

Thank you…but what is that? LOL
Should I delete and reinstall it???

delete your current copy of hjt
create a folder in a convenient place c:\HJT or something easy to remember
download your new copy to your new folder and rename to jchjt (as some baddies block hjt)
be sure you close your browser when running jchjt

I do not know how to upload those O16 entries either
perhaps SEARCH or FIND them? then navigate to location?

DO NOT UNINSTALL anything
SP-3 is a Microsoft Windows Update available - USE IE to go to Windows Update
I’d disconnect from the internet and disable AV when installing but that’s just me

YoKenny is trying to keep you safe once your helpers find all the crapola on your computer
So you might want to wait till cleaning is done before the Service Pack 3 update
Then run Secunia tool to check the status on all of your programs
Java, Word, Adobe, all have vulnerabilities which require updates

I’d like to see a clean SuperAntiSpyware scan plus an on line AV scan before starting to make system changes

once you get all of your programs updated we’ll run CCleaner, Defrag and set a new restore point
but let’s not get ahead of the malware removal now

I do see that you have SD-Helper which means that you have Spybot- good choice for anyone who has IE installed on their computer
update Spybot every Wednesday and re-immunize. Did you upgrade to 1.6? Or tell me which version you are running BEFORE you upgrade. Did you ever run 1.3 or 1.4 or earlier?
you can always run a spybot scan- report any hits (except cookies)
you can also install spywareblaster by JAVACOOL anytime

anyway the whole point of this thread was supposed to be
DO NOT UNINSTALL anything without direction by Polonus or other helper

I just want to say…I’m so thankful for you all!
You’re all so kind to help me like this, I REALLY appreciate it.
I’ll tackle some of this stuff tomorrow, way too tired right now.

jc

Hi jc81,

Did you fix the three entries with HijackThis? OK. Where you have it is important, but the main thing is that HJT is not installed in a temp file (N.B. wyrmrider, there is a reason for that advice; see our hijackthis cleansing instructions in the sticky).

Then you can search for the O16 files, and then upload them to VirusTotal when you know the path they are in…
On the other hand what you could do now is a full scan with the non-resident scanner DrWebCureIt,
you can get it for free, update it to the latest version, and place launch.exe on the desktop or on a pendrive and run it. Download from: ftp://ftp.drweb.com/pub/drweb/cureit/launch.exe
It won’t interfere with your avast resident av engine, you can always have it next to that, but again always download to the latest version of launch.exe as the program says there is a newer version.
Give the details of what it found, and give us a new hijackthis log, please.
Welcome here to the avast webforums,

polonus

I’m running these scans now.
In the meantime both Firefox & IE keep crashing on me =/…something about an illegal plug-in operation.

I made things worse I think by uninstalling & reinstalling firefox…now I get

“the program failed to initialize properly…”

& some V + + thing

Let’s get the malware cleaned up
use IE for the time being
any Firefox experts lurking- is there a clean up utility?
post up what you have done plus appropriate logs and a new HJT (last thing)
we’ll run CCleaner after removing Firefox and before any reinstall just in case there is something corrupted in a temp file
should we flush cache?

Hi jc81,

Bring the task manager up by pushing Ctrl + Alt + Del keys, open and kill the process firefox.exe there, now go to This Computer, in C: to Program Files, in Program Files to Mozilla Firefox, in firefox to uninstall, in uninstall click helper, then uninstall comes up, click uninstall and make the uninstall. After firefox is completely uninstalled, clean out everything that stayed behind in the Mozilla Firefox folder, download again with IE onto the desktop and make a new install, choose standard.

pol

My brother-in-law stopped by and fixed that issue…I don’t know what he did but it works fine now.

Now…I am running Dr. Web and it found:
C:\hp\bin\Terminator.exe
infected with Trojan.KillApp.30208

It says: Cure? Yes, Yes to All, No, No to all
Do you want me to just go ahead and click Yes to all and then show you the log or …what?

When this is done I’ll do Hijack this again.

Hi jc81,

You do not need terminator.exe if you do not use TERMINATOR, see: http://www.clickomania.ch/progs/Terminator.htm

In case you do not need Terminator, delete it with DrWeb; if you use Terminator to shut down Windows, upload terminator.exe to VirusTotal to see if it is really malicious at http://www.virustotal.com/

Yep, and then post a new HJT log .txt file,

polonus

New Hijack this log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:53:27 PM, on 8/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\launch.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\RarSFX1_start.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\RarSFX1\setup.exe
C:\Program Files\AIM6\aim6.exe
C:\hijackthis\JCHiJackThis.exe
C:\WINDOWS\system32\Ko3C11T6.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us6.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! 工具列 - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn6\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn6\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! 工具列 - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn6\yt.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avast!] "C:\Program Files\Alwil Software\Avast4\ashDisp.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ActiveGS.cab - http://www.virtualapple.org/activegs.cab
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://supportsoft.adelphia.net/sdccommon/download/tgctlins.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://qtinstall.info.apple.com/qtactivex/QTPlugin.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://wheresheliesbrokeninside.spaces.live.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {65FDEDF3-8ED9-4F5B-825E-18C2D44191A7} (OneCCCtl Class) - http://d.69.25.47.76.downloads.estara.com./as/OneCCDM.php?template=35769&sessionid=429251185_69.25.47.76_50991&=&req=1149726245140OneCC.cab
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/luxr/default/mjolauncher.cab
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://candymountain.spaces.live.com/PhotoUpload/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {BD08A9D5-0E5C-4F42-99A3-C0CB5E860557} (CSolidBrowserObj Object) - http://cdn1.acclaimdownloads.com/solidstateion.cab
O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} (Quantum Streaming IE Player Class) - http://mvnet.xlontech.net/qm/fox/06071909/qsp2ie06071909.cab
O16 - DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} (GoPetsWeb Control) - https://secure.gopetslive.com/dev/GoPetsWeb.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


End of file - 10578 bytes

Hi jc81,

You can fix this with hjt:
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

Upload this file to virustotal and give the results:
Ko3C11T6.exe
The path, it is here: C:\WINDOWS\system32\Ko3C11T6.exe

polonus
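The triage polonus did by eye, as an added example that is not code from this thread or from HijackThis: a small Python pass over a log in this format, run on a constructed subset of the log posted above. The XP core-process baseline and the three rules are my assumptions, and nothing here changes the system.

```python
"""Triage a HijackThis v2 log: flag what a helper would look at first.
Rules (read-only): a process running from a Temp folder; an O2/O3 entry whose
target is "(no file)"; an .exe running from system32 that is neither a known
XP core process nor named by any O4 (autostart) or O23 (service) line, so the
log does not explain how it got started (the Ko3C11T6.exe case above)."""
import re

# Assumed baseline: XP processes that run from system32 without an O4/O23 line.
XP_CORE = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
           "svchost.exe", "spoolsv.exe", "wscntfy.exe", "wuauclt.exe"}

# Constructed sample: a subset of the log posted above.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\pctspk.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\RarSFX1\setup.exe
C:\hijackthis\JCHiJackThis.exe
C:\WINDOWS\system32\Ko3C11T6.exe

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [avast!] "C:\Program Files\Alwil Software\Avast4\ashDisp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
"""

ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")
EXE_RE = re.compile(r"[\w~\-. ]+\.exe", re.I)  # file names; stops at \ : " ( [

def parse_log(text):
    """Return (running process paths, [(code, body), ...])."""
    processes, entries, section = [], [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Running processes:"):
            section = "proc"
            continue
        m = ENTRY_RE.match(line)
        if m:
            section = "entries"
            entries.append((m.group(1), m.group(2)))
        elif section == "proc" and line:
            processes.append(line)
    return processes, entries

def basename(path):
    return path.rsplit("\\", 1)[-1].strip().lower()

def triage(text):
    """Return [(rule, offending line)] in log order."""
    processes, entries = parse_log(text)
    findings, referenced = [], set()
    for code, body in entries:
        if code in ("O4", "O23"):  # every .exe an autostart or service points at
            referenced.update(basename(x) for x in EXE_RE.findall(body))
        if code in ("O2", "O3") and body.endswith("(no file)"):
            findings.append(("orphaned", f"{code} - {body}"))
    for proc in processes:
        low = proc.lower()
        if "\\temp\\" in low:
            findings.append(("temp-process", proc))
        elif "\\system32\\" in low and basename(proc) not in XP_CORE | referenced:
            findings.append(("unreferenced-system32", proc))
    return findings

if __name__ == "__main__":
    for rule, line in triage(SAMPLE_LOG):
        print(f"{rule:22} {line}")
```

On the sample it flags the orphaned BHO, the Temp-folder setup.exe (here just DrWeb CureIt unpacking itself, which is why a helper reads the flags rather than acting on them) and Ko3C11T6.exe.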

File ko3C11T6.exe received on 08.24.2008 21:09:08 (CET)
Current status: Finished
Result: 15/35 (42.86%)

Antivirus Version Last Update Result
AhnLab-V3 2008.8.21.0 2008.08.22 -
AntiVir 7.8.1.23 2008.08.24 TR/Crypt.ULPM.Gen
Authentium 5.1.0.4 2008.08.24 -
Avast 4.8.1195.0 2008.08.23 -
AVG 8.0.0.161 2008.08.24 Clicker.PLM
BitDefender 7.2 2008.08.24 Trojan.Adclicker.HB
CAT-QuickHeal 9.50 2008.08.22 -
ClamAV 0.93.1 2008.08.24 -
DrWeb 4.44.0.09170 2008.08.24 -
eSafe 7.0.17.0 2008.08.24 Suspicious File
eTrust-Vet 31.6.6044 2008.08.23 -
Ewido 4.0 2008.08.24 -
F-Prot 4.4.4.56 2008.08.24 -
Fortinet 3.14.0.0 2008.08.24 PossibleThreat
GData 2.0.7306.1023 2008.08.20 -
Ikarus T3.1.1.34.0 2008.08.24 Trojan.Adclicker.HB
K7AntiVirus 7.10.427 2008.08.23 -
Kaspersky 7.0.0.125 2008.08.24 -
McAfee 5368 2008.08.22 New Malware.bl
Microsoft 1.3807 2008.08.24 -
NOD32v2 3382 2008.08.23 a variant of Win32/TrojanClicker.Agent.NEB
Norman 5.80.02 2008.08.22 -
Panda 9.0.0.4 2008.08.24 Suspicious file
PCTools 4.4.2.0 2008.08.24 -
Prevx1 V2 2008.08.24 Malicious Software
Rising 20.58.62.00 2008.08.24 Trojan.Win32.Undef.jrw
Sophos 4.32.0 2008.08.24 Mal/HckPk-A
Sunbelt 3.1.1575.1 2008.08.23 -
Symantec 10 2008.08.24 -
TheHacker 6.3.0.6.060 2008.08.23 -
TrendMicro 8.700.0.1004 2008.08.23 PAK_Generic.001
VBA32 3.12.8.4 2008.08.23 suspected of Win32.Trojan-Downloader
ViRobot 2008.8.22.1346 2008.08.22 -
VirusBuster 4.5.11.0 2008.08.24 -
Webwasher-Gateway 6.6.2 2008.08.24 Trojan.Crypt.ULPM.Gen
Additional information
File size: 82434 bytes
MD5…: 35c4d9423dbd514ac62b31c7e70e0c3f
SHA1…: f5163a43b85467dd9f5aaf6b660083091e24d7d6
SHA256: 8de5b0193c36351229897e4e1818b6a0082af359d05a6ecd60242f1420c0eede
SHA512: 52997c0bcde0bcb5da7143dd6a3bc48a95461236ed2da05f410ebf64ab1731ee
46897a6ec4006608ac05e4f1d362bd338c45526f6345010aa60969e9616da786
PEiD…: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x4217a9
timedatestamp…: 0x48b093a3 (Sat Aug 23 22:48:03 2008)
machinetype…: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
UPX0 0x1000 0xd000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
UPX1 0xe000 0x14000 0x13a00 7.99 ba37e5d176644c11bbac4f4e98157565
.rsrc 0x22000 0x1000 0x400 2.87 559bb30f4f6b1185c0379c266f036837

( 9 imports )

KERNEL32.DLL: LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
ADVAPI32.dll: RegCloseKey
NETAPI32.dll: NetScheduleJobAdd
ole32.dll: OleRun
OLEAUT32.dll: -
SHELL32.dll: StrChrA
SHLWAPI.dll: StrDupA
USER32.dll: wsprintfA
WININET.dll: InternetOpenA

( 0 exports )
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=F564CFBB020E1463423A019D5FED4900B46269C6

Send the sample to virus@avast.com zipped and password protected with the password in email body, a link to this topic might help and false positive/undetected malware in the subject.

Or you can also add the file to the User Files (File, Add) section of the avast chest (if it isn’t already there) where it can do no harm and send it from there (select the file, right click, email to Alwil Software). No need to zip and PW protect when the sample is sent from chest. A copy of the file/s will remain in the original location, so any further action you take can remove that.

Fix the entry for it in HJT and if you added a copy to the avast chest delete the original file.

This is Adware
It looks as if NOD-32
http://www.eset.com/onlinescan/
and Bit-Defender
“on line” scans
would get it-- and not a bad idea in any case IMHO
(I think these have to be run from IE if ActiveX is required although there may be Java versions)

I always recommend an online AV scan when finishing cleaning up malware
usually Kaspersky but here we are led in other directions
choice is good

also
virus encyclopedia says
Ad-Aware by Lavasoft
Spybot Search & Destroy by Spybot.info
work
have you tried Spybot 1.6?
I like Immunize
you can install SD-Helper but DO NOT INSTALL T-Timer at this time
update and run a scan

as with any tool watch for false positives

polonus may have other ways
DavidR says to fix with HJT-
Good Advice
that would get the active part but may leave fragments/ files / the installer
so best to keep checking- this has been around long enough that complete solutions should be available
If you do any of the above post a fresh HJT when you are done

Hi jc81,

First and foremost undo system restore:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039

Adclicker removal instructions

You have to be the Administrator (full privileges). The way it works, it loads into RAM and then uses your O/S as its slave to replicate and try to do its damage. One of the first things we do is temporarily kill its slave off.

  1. Quit all open apps. Kill off everything except avast, your firewall, and anti-spyware programs, drivers.
  2. Open the Task Manager (CTRL-ALT-DEL)
  3. Find “Explorer.exe” and RIGHT-CLICK on it. Choose “end-process tree” to kill Explorer entirely.
  4. Start DrWebCureIT from a mem stick. Scan your entire disk to get rid of all those infecting DLLs (You can have over 15,000).
  5. Now that the slave is killed, let’s go identify the “master” still in RAM. Under the Task Manager, Launch “sysinfo32”.
  6. Go to “Software Environment->Loaded Modules”. Choose Advanced View. Once it’s preflighted everything and displayed a list, sort it by date, so you can see what was most recently installed. Look at the Manufacturer column and look for “Melkosoft”. You might see more than one evil entry.
  7. Under SysInfo32, go to “Software Environment->Startup Programs”. THIS is the one that causes it to launch when Explorer.exe runs. It could look like

“c:\winnt\system32????.exe”

Under the Task Manager, now that you know its name, go to File->Start Task and launch regedit. Search for the name. Mine was found in the registry here:

Computer->HKEY_LOCAL_MACHINE->SOFTWARE->Microsoft->Windows->CurrentVersion->Run->Control handler
Delete registry values:

Browse to the key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Delete the values ‘SVCHOST’, ‘TcpDetect’ and ‘win32app’

  8. DELETE the specific entry for “???.exe” (whatever yours was named).
  9. Back in the Task Manager, go to File->Start Task, and launch Explorer.exe to bring your O/S back up. avast should not holler because when Explorer.exe starts, it no longer launches the virus.
  10. Go into where the replicating DLLs are:

c:\winnt\system32\

and add “.vir” to the end of the DLLs that anti-virus couldn’t clean out because they were “in use” and couldn’t be deleted (you identified these in Step #6).
  11. Reboot
  12. Go back into

c:\winnt\system32\

and delete all files you added the “.vir” suffix to.

  13. Lastly, run your anti-spyware program and have it search your entire disk. This will remove malicious cookies that this thing also seems to plant.
  14. Reboot.

polonus
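An added example, not polonus's or anyone's code in this thread: a Python audit of Run key values along the lines of the regedit steps above (a value name the instructions list, a target that impersonates a core Windows process, a target in a Temp folder). The sample mixes the two real O4 entries from the log above with the three value names and the “Control handler” name from the instructions; the paths for those four and the core-image list are my assumptions, and the live registry read is Windows-only.

```python
"""Audit Run key values (HKLM, CurrentVersion) the way steps 7 and 8 do by hand.
Rules: a value name the instructions say to delete; a target whose file name is
a core Windows process (svchost.exe, lsass.exe, ...), which the kernel or the
Service Control Manager starts and which is never launched from a Run key, so
such a value is a masquerade; a target that runs from a Temp folder."""
import sys

KNOWN_BAD_NAMES = {"svchost", "tcpdetect", "win32app"}  # named in the steps above
# Assumed list of core images that never legitimately appear as a Run target.
CORE_IMAGES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
               "lsass.exe", "svchost.exe", "spoolsv.exe"}

def image_name(command):
    """File name of the executable in a Run command line, quotes stripped.
    Simplification: an unquoted path containing spaces is cut at the first space."""
    cmd = command.strip()
    exe = cmd[1:cmd.find('"', 1)] if cmd.startswith('"') else cmd.split(" ")[0]
    return exe.rsplit("\\", 1)[-1].lower()

def audit_run_values(values):
    """values: {value name: command line}. Returns [(value name, reason)]."""
    findings = []
    for name, command in values.items():
        image = image_name(command)
        if name.lower() in KNOWN_BAD_NAMES:
            findings.append((name, "value name listed in the removal instructions"))
        elif image in CORE_IMAGES:
            findings.append((name, f"{image} is never started from a Run key"))
        elif "\\temp\\" in command.lower():
            findings.append((name, "target runs from a Temp folder"))
    return findings

def read_run_key():
    """Live read of the HKLM Run key (Windows only); {} on other platforms."""
    if sys.platform != "win32":
        return {}
    import winreg
    values, index = {}, 0
    path = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # no more values
                return values
            values[name] = str(data)
            index += 1

# Constructed sample: the two real O4 entries from the log above, the three value
# names the instructions list, and the "Control handler" name with an svchost.exe
# target. Entries marked constructed have paths that are not from the thread.
SAMPLE_VALUES = {
    "TkBellExe": r'"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot',
    "avast!": r'"C:\Program Files\Alwil Software\Avast4\ashDisp.exe"',
    "SVCHOST": r"C:\WINNT\system32\svchost.exe",                  # constructed
    "TcpDetect": r"C:\WINNT\system32\tcpdetect.exe",              # constructed
    "win32app": r"C:\DOCUME~1\Owner\LOCALS~1\Temp\win32app.exe",  # constructed
    "Control handler": r"C:\WINNT\system32\svchost.exe",          # constructed
}

if __name__ == "__main__":
    # On Windows this audits the live key; elsewhere it falls back to the sample.
    for name, reason in audit_run_values(read_run_key() or SAMPLE_VALUES):
        print(f"{name:16} {reason}")
```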

polonus may have other ways :)

Hi jc81 and wyrmrider,

It might also be necessary to run an additional tool.
Please download SmitfraudFix (by S!Ri) from here:
http://siri.urz.free.fr/Fix/SmitfraudFix.exe
Extract the content (a folder named SmitfraudFix) to your Desktop.
Start up your PC in Safe Mode. Read how: http://www.pchell.com/support/safemode.shtml

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press “Enter”; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a “RiskTool”; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between “good” and “malicious” use of such programs, therefore they may alert the user.

polonus