Trojan.Adclicker detected by Nortons when running Microsoft AntiSpyware (RESOLVED)

  #21 BeHunie (Junior Member)

    Re: Trojan.Adclicker detected by Nortons when running Microsoft AntiSpyware

    Localhost was one word not two. But now, after the safe mode scans, when I rebooted into normal mode, I received the same message about the hosts file. When I looked at the hosts file there are now three lines with the entry of "127.0.0.1 localhosts". There was also a message that my internet browser home page was trying to be changed, I did not accept the change on that.

    Here are the logs this time:

    Blacklight in normal mode:

    01/10/06 22:08:13 [Info]: BlackLight Engine 1.0.30 initialized
    01/10/06 22:08:13 [Info]: OS: 5.1 build 2600 (Service Pack 2)
    01/10/06 22:08:13 [Note]: 7019 4
    01/10/06 22:08:13 [Note]: 7005 0
    01/10/06 22:08:17 [Note]: 7006 0
    01/10/06 22:08:17 [Note]: 7011 1032
    01/10/06 22:08:18 [Note]: FSRAW library version 1.7.1014
    01/10/06 22:08:30 [Note]: 7007 0


    FixWareout in safe mode:


    Fixwareout ver 1.003
    Last edited 12/5/2005
    Post this report in the forums please

    Reg Entries that were deleted
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\wlpmd

    PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

    »»»»» Search by size and names...
    C:\WINDOWS\SYSTEM32\CSSTP.EXE
    C:\WINDOWS\SYSTEM32\DMPLW.EXE
    C:\WINDOWS\SYSTEM32\IDEMLO~1.REN
    C:\WINDOWS\SYSTEM32\HOWIPE~1.REN
    C:\WINDOWS\SYSTEM32\FAVSET~1.REN

    »»»»» Misc files

    »»»»» Checking for older varients covered by the Rem3 tool


    Ewido in safe mode:

    ---------------------------------------------------------
    ewido anti-malware - Scan report
    ---------------------------------------------------------

    + Created on: 11:32:19 PM, 1/10/2006
    + Report-Checksum: 6BC5AE7F

    + Scan result:

    C:\WINDOWS\system32\dmplw.exe -> Trojan.Pakes : Cleaned with backup
    C:\WINDOWS\system32\IDEMLOG.EXE.ren -> Hijacker.Small : Cleaned with backup
    C:\WINDOWS\system32\HOWIPER.EXE.ren -> Trojan.Qhost.df : Cleaned with backup
    C:\Recycled\Dc9\mm[1].js -> Spyware.Chitika : Cleaned with backup


    ::Report End


    Thx again


  #22 VopThis (Senior Member, Canada)
    Looking good. Let us know if there are any continuing issues still turning up.


    When I looked at the hosts file there are now three lines with the entry of "127.0.0.1 localhosts".
    Remove the two (2) extra lines. But wait until suggested procedure #7 (below).

    To help avoid serious infection again, please look carefully at this post for some excellent preventative measures. Prevention must be made the first line of defense to improve upon.



    ONCE you are as clean as possible - As a final cleanup step, it is often advisable to Reset and Re-enable your System Restore to remove any bad files that may have been backed up by Windows. The files in System Restore are protected to prevent any programs changing them. And, this is the only complete way to clean these files: (You will lose all previous restore points, which could likely be infected anyway.)

    PLEASE NOTE: you will need to log into your computer with an account that has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.


    (Windows XP)
    c:\System Volume Information\_restore….
    To Turn OFF System Restore.
    1. Click the Start button.
    2. Right-click My Computer, and then click Properties.
    3. On the System Restore tab, check Turn off System Restore or Turn off System Restore on all drives.
    4. Click Apply.

    To Turn ON System Restore.
    1. Follow the steps in the previous section, but in step 3, uncheck Turn off System Restore or Turn off System Restore on all drives. Then click OK.
    2. Create new System Restore points.


    (Windows ME)
    c:\_RESTORE\TEMP\….
    See the following link for instructions:
    http://service1.symantec.com/SUPPORT...rc=sec_doc_nam
    To reduce the re-infection potential for malware and protect your PC against spyware, here are a few helpful suggestions:
    1. Keep Windows and Internet Explorer current with the latest critical security updates from Microsoft. This will patch many of the security holes through which attackers can gain access to your computer. You CANNOT complete this update using an alternate browser – you must use Internet Explorer.
      http://v5.windowsupdate.microsoft.com/v5co...t.aspx?ln=en-us
      http://www.microsoft.com/windows/ie/default.asp

    2. Run your antivirus software regularly, and keep its definitions up-to-date. If you are thinking about switching (use a real-time AV tool only one at a time), there are some good free Antivirus programs that are decent, including AVG and Avast!.
      AVG: http://free.grisoft.com/doc/1
      Avast: http://www.avast.com/eng/avast_4_home.html

    3. In addition to using Ad-aware, consider using another free malware scanning/removal program:
      Adaware SE: http://www.download.com/Ad-Aware-SE-Person...ubj=dl&tag=top5
      Spybot S&D: http://www.download.com/Spybot-Search-Dest...tml?tag=lst-0-1
      MS Antispyware beta: http://www.microsoft.com/athome/security/s...re/default.mspx

    4. Consider using a free firewall if you are not already using one (use only one firewall at a time – normally you will need to disable the MS firewall). Some good free ones (for incoming and added outgoing traffic protection) are:
      Kerio Personal Firewall: http://www.sunbelt-software.com/Kerio.cfm
      *** After 30 days, Kerio shuts down selected features, but will continue to run in 'free' mode.
      Zone Alarm: http://www.zonelabs.com/store/content/company/products/znalm/comparison.jsp?lid=ho_za

      It is not a bad idea to also consider using a Router/Hardware firewall device where you have a High-Speed Internet access connection. A software firewall may occasionally need to be disabled or it gets/remains disabled by someone or something. Such an added layer of security consistency has a lot of merit to it.

    5. Consider using an alternate free browser for general web surfing but you must use IE for windows updates.
      Mozilla Firefox: http://www.mozilla.org/products/firefox/

    6. Consider increasing your browser security by using these programs:
      SpywareGuard will help protect your homepage from being hijacked: http://www.javacoolsoftware.com/spywareguard.html
      SpywareBlaster will increase browser protection by blocking access to thousands of known malware sites by adding them to IE's restricted sites zone. It essentially blocks known-bad ActiveX program items from being installed or running on your computer. Download it here: http://www.javacoolsoftware.com/spywareblaster.html
    7. A HOSTS file can block Internet access to thousands of known-bad sites by not allowing you any easy browser access to such sites knowingly or unknowingly. Use HJT to determine if a current HOSTS file exists and any contents therein:
      • Run the HiJackThis tool and select ‘Open the Misc Tools section’.
      • Next select ‘Open host file manager’ button.
      • Use the ‘Open in Notepad’ button in XP/W2K or use WORDPAD if necessary [type wordpad.exe in the RUN box (Start>Run)] and load the FILE PATH identified in HJT.
      • Go to http://www.mvps.org/winhelp2002/hosts.txt . # Read the initial instructions #. Copy and paste (append or replace) the RELEVANT host address entry contents of that file into Notepad or Wordpad and save the updated file contents.

        #start of lines added by WinHelp2002
        # [Misc A - Z]
        127.0.0.1 phpadsnew.abac.com
        127.0.0.1 a.abnad.net
        127.0.0.1 e.abnad.net
        127.0.0.1 www.accoona.com #[Adware-Accoona][Adware.Atoolb][Panda.Accoona]
        .
        .
        .
        #end of lines added by WinHelp2002
    *Remember just like your primary anti-virus software, it is important to:
    • Keep all of these programs up-to-date, and
    • Use them on a regular basis.
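    Step 7 and the tripled "127.0.0.1 localhosts" lines above can be checked by script rather than by eye. The following Python is an added example, not from this thread or from any of the tools it names; the hosts contents and the blocklist excerpt are constructed samples in the WinHelp2002 layout shown in step 7, and 203.0.113.5 is a documentation placeholder address.

```python
# Constructed sample: a hosts file in the state the thread describes, with the loopback
# line tripled (and misspelled) plus one non-loopback redirect of the kind Trojan.Qhost
# variants write. Not taken from the poster's machine.
SAMPLE_HOSTS = """\
127.0.0.1 localhosts
127.0.0.1 localhosts
127.0.0.1 localhosts
203.0.113.5 windowsupdate.microsoft.com
"""
# Constructed excerpt in the WinHelp2002 hosts.txt layout quoted in step 7.
BLOCKLIST = """\
#start of lines added by WinHelp2002
127.0.0.1 a.abnad.net
127.0.0.1 www.accoona.com #[Adware-Accoona][Adware.Atoolb][Panda.Accoona]
#end of lines added by WinHelp2002
"""
LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}

def parse_hosts(text: str) -> list[tuple[str, str]]:
    """Return (ip, hostname) pairs; comments, including trailing #[...] tags, are dropped."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            ip, *hosts = line.split()
            pairs.extend((ip, h.lower()) for h in hosts)
    return pairs

def audit(text: str) -> dict[str, object]:
    """Flag repeated entries, names pointed anywhere other than loopback, and a missing localhost."""
    counts: dict[tuple[str, str], int] = {}
    for pair in parse_hosts(text):
        counts[pair] = counts.get(pair, 0) + 1
    return {"duplicates": [p for p, n in counts.items() if n > 1],
            "redirects": [p for p in counts if p[0] not in LOOPBACK],
            "localhost_ok": ("127.0.0.1", "localhost") in counts}

def dedupe(text: str) -> str:
    """Keep the first copy of each non-blank line (step 7: remove the two extra lines)."""
    kept: list[str] = []
    for raw in text.splitlines():
        if not raw.strip() or raw not in kept:
            kept.append(raw)
    return "\n".join(kept) + "\n"

def merge_blocklist(text: str, blocklist: str) -> str:
    """Append blocklist names not already present, each mapped to 127.0.0.1; idempotent."""
    present = {h for _, h in parse_hosts(text)}
    added = [f"127.0.0.1 {h}" for _, h in parse_hosts(blocklist) if h not in present]
    return text.rstrip("\n") + "\n" + "".join(line + "\n" for line in added)
```

    Run audit() on the file HJT opens for you before editing; a non-loopback "redirects" entry for an update or antivirus site is the hosts-hijack pattern to look for.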

  #23 BeHunie (Junior Member)
    Vincent,

    Thank you for all your help. Now if I could only keep the kid from getting the computer sick anymore.

    I will run with the computer for the next couple of days and see if things are better.

    Hey, while I am thinking of it, is there any reason to not trust any of the instant messenger programs that are out there? The kid is in college and uses both Yahoo Messenger and AOL Instant Messenger, all the time and at the same time. I keep telling him that one of these programs is the reason he keeps getting viruses and badly attacked by adware. I was just wondering what your thoughts were on this.

    Thank you for any and all input you have given me and any input you are willing to share with me.

    Thank you again.
    BeHunie

  #24 VopThis (Senior Member, Canada)
    Instant Messaging (IM) Risks and Rewards
    Search Terms: tips instant messenger risk OR risks

    IM can be a very productive activity and is also an extremely popular activity to keep in touch. Unfortunately, many of the most popular IM solutions aren't designed for business use and aren't secure. But, the answer isn't to ban IM. If you do, you're likely to encounter fierce resistance.

    You can no more ban IM than you can ban the use of email. Every activity on the Internet has risks and individual user behavior is the main contributing factor. If someone sends you a message (even a known friend) with a link and you click on that link (or attachment) thinking it is from a trusted source or trustworthy content, you may be very mistaken. Multitaskers are less likely to see danger in "check out this cool link" message.

    "IM presents as many potential security risks as email and must be properly managed." We asked Tim first to explain the risks. Referring to the way kids like to share files, photos, videos, and tunes via IM, he said the difference between attaching files to IMs versus emails is like "placing a letter in your mailbox for the postman to retrieve and deliver" (email) versus "leaving the doors and windows to your home wide open while you wait for the intended recipient (and anyone else) to come in and pick up the letter you've left for them on your desk (and browse around your home)" with IM.

    When you allow file-sharing in an IM program (such as AOL's AIM or Yahoo or MSN Instant Messenger), you're not only opening "a wide door on your machine," you're also "broadcasting your presence" on the Internet, Tim said. Even when you close the IM window without quitting the program, "the application [at its default setting] is running in the background, broadcasting your presence" for personal info collectors, malicious hackers, etc. (stay tuned - more on the default-setting issue below). Your PC is just as vulnerable to viruses and spam with IM as with email, if not more. "The [IM] conversation is traveling across the Net in clear open text," Tim said. "People can use a variety of methods to just pull the text down, hijack personal information."
    http://www.netfamilynews.org/nl040109.html


    10 tips for safer instant messaging
    http://www.microsoft.com/athome/secu.../imsafety.mspx


    Common sense and caution
    http://www.symantec.com/home_homeoff.../im_risks.html

  #25 VopThis (Senior Member, Canada)
    One last reminder:

    F-Secure BlackLight found hidden items! What should I do?
    If your computer has actually been hacked, removing the hidden items might not be sufficient. Even after a careful clean up the hacker might still be able to access your computer after it has been compromised once. The removed malware may have changed the system in a way that is impossible to detect or restore. An added or changed user right is a typical example of such changes. Formatting all hard disks and re-installing the computer is the only foolproof way to eliminate this risk.

    If a full re-installation is not an [IMMEDIATE] option, removing the necessary hidden items can [may TEMPORARILY] help in some situations.

    Accordingly, you need to treat your PC as if it were NOW a wide open book. Someone else may be in possession of and CONTINUE to be privy to sensitive information such as passwords and banking details. Under no circumstances should it be considered for use to conduct financial transactions on the Net. There would also normally be a concern for potential identity theft and fraud issues. Certainly, the use of a firewall may be able to alert you to any 'call home' attempted traffic but this is not likely their only means of potential contact with your PC.

    Only a completely reinstalled PC can bring you back to a completely safe resolution and appropriate closure over what has transpired on your PC.
    Last edited by VopThis; 14-01-2006 at 02:14 PM.

  #26 BeHunie (Junior Member)
    Thank you again. Your advice has been forwarded to my teen. Hopefully he will take this and any further matters of its kind to heart and be more careful.

    The techs here at D-A-L have always been of great assistance to me. Thank you to all of you who take the time and talents to assist users with these difficult situations. I work on computers every day at work but have a multitude of assistance from my co-workers and can really appreciate what it is you and the others that monitor this forum do for all of us.

    Thank you, all of you, for your wonderful assistance.
    BeHunie
