This was when it first started, but I'd guess things have changed quite a bit since then, considering all the scans I've done, the few things I've deleted, and that spyware seems to install more spyware.
I have followed flying penguin's guide several times including running M$AS (in addition to NAV, Spybot and Ad Aware), but then after I boot to normal windows, in task manager I still have spyware and/or trojans running. And I get online for a bit, then do the scans again later, and every time, most of them keep finding spyware. Even Spybot will find a few that the others missed. How do they keep 'coming back'? Considering how many scanners I'm using, why can't I get rid of it completely?
Also is it possible that spyware can take over the normal windows files that run in the background, like csrss.exe, smss.exe, etc, so you're not even sure if spyware is running or not? If so, what would the scanners be able to do with them?
These are running when I boot that I'm wondering about:
mszx23.exe, wdfmgr.exe, winlogon.exe, wuauclt.exe, system, services.exe
BTW, oddly, if I search my drive for winlogon.exe and services.exe, they're not found, even though they are in my \system32 folder. Why?
Also after running all the scans, I still have quite a few suspicious files in my root, windows and windows\system32 folders. They have dates that are the same as or newer than when I got attacked. There were more, but some have been deleted by me and the scanners. Anyone care to tell me which of these I should rename/delete? I've tried googling them, but get way too much conflicting info.
In c:
trig.dtl
1.dml
In c:\windows
streamhlp.dll
msxct1.ini
GDDIHJG.ini
ms3.exe
ms2.exe
hosts
tool2.exe
tool1.exe
dimak
bootstat.dat
Why is hosts located here? And there are a lot of sex site and other URLs in it, all with 127.0.0.3
In c:\windows\system32
p2.ini
ps.a3d
wpa.dbl
mszx23.exe
tmpf00.exe
vdmt16.sys
win32.exe
~update.exe
gcmd5query.dll
$$$_.log
gh4lm4tq.ini
frru241d.html
repecsvc.exe
ntpvc32.exe
u2rjmpr7.dat
kpsemimi.dat
ora5h6b0.ini
gt82lb9r.ini
07u5m4d7.dat
paytime.exe
trf32.dll
mscnf.dll
wcnl32.dll
hst32.dll
zlbw.dll
vx.tll
One of the scanners I had just run found paytime.exe. Why didn't it delete it?
My system.ini has a new file date as well. Anything I should delete in it?
; for 16-bit app support
[drivers]
wave=mmdrv.dll
timer=timer.drv
[mci]
[driver32]
[386enh]
woafont=dosapp.FON
EGA80WOA.FON=EGA80WOA.FON
EGA40WOA.FON=EGA40WOA.FON
CGA80WOA.FON=CGA80WOA.FON
CGA40WOA.FON=CGA40WOA.FON
[vicax]
msacm711=27464
msacm811=50565
msacm911=42405
Also when using M$ Antispyware in safe mode (640x480, I can't go higher), I can't see the bottom part of the window. Any idea how to?