I have had the virus about 3 weeks now. It first appeared in webrebates ads. I searched and deleted all those folders and now it keeps popping up in my c/windows/temp folder. I can delete it but as soon as I delete it from the recycle bin it reappears in the temp folder. It keeps doing this until I shut down my restore and then a few hours later it starts all over. I even tried deleting the temp folder but it keeps coming back. Does anyone have some RAID for this bug?
TurtleHurder

Howdy,

As this is a lot of information to work with at one time, I suggest you print these instructions so that you can make sure you have gotten everything done.

Try one or both of these online scans:

http://www.ravantivirus.com/scan

http://www.bitdefender.com/scan/Msie/index.php

let it autoclean. Reboot, and then please download the following programs and follow the instructions:

Download Ad-aware Second Edition here and install it. If you already have Ad-aware Second Edition skip to the next step.

Open Adaware and Click the "Check for updates now" line on the main screen. Click the "Connect" button on the webupdate screen.

If an update is available download it and install it. Click the "Finish" button to go back to the main screen.

Click on the "Settings" button (gear symbol in the upper right corner of the main status screen) in the quick launch toolbar to open the General settings screen. Check the "Automatically quarantine objects prior to removal" setting and then click "Proceed" to save your changes

Click the "Scan now" button in the main menu on the left side of the main status screen or use the "Start" button in lower right corner. This will open the Preparing System Scan screen. Please deselect "Search for negligible risk entries", as negligible risk entries (MRU's) are not considered to be a threat. Then select "Use custom scanning options" and click "Customize". This will open the "Scan Settings Page. Make sure all of the following are On with a "green" checkmark:

Scan within archives
Scan active processes
Scan Registry
Deep-scan Registry
Scan my IE Favorites for banned URLs
Scan my Hosts File

Then Click the Advanced Button on the left side to open the Advanced Settings screen. Make sure the following is on with a "green" checkmark:

Others are optional to be checked or unchecked.

Then click on the "Tweak" Button to open up the tweak settings.

Open up the Scanning Engine section and make sure all of the following are On with a "green" checkmark:

Scan registry for all users instead of current user only

Make sure the following is unchecked with a "red" X:

Unload recognized processes & modules during scan.

Open up the Cleaning Engine section and make sure all of the following are On with a "green" checkmark:

Always try to unload modules before deletion
During Removal, unload Explorer and IE if necessary
Let Windows remove files in use at next reboot.

Click the "Proceed" button to save settings.

Click the "Next" button to start the scan.

When a scan is completed the Performing System Scan screen will change name to "Scan Complete".

Click the "Next" button to get to the Scanning Results screens where more information about the objects detected during the scan is available.

Click the Critical Objects Tab. In general all of the items listed will be bad. Be careful with the Hosts file entries. Malware uses the hosts file to redirect you websites. However you can use the hosts file as a way to prevent malware. If the object has 127.0.0.1 in it, it should most likely not be deleted as it is protecting against unwanted sites. For more information on how to use a host file to protect yourself read here. So in short, you may or may not want to fix the hosts file entries.

To fix all the bad critical objects do the following:

Right click on one of them to open up the selection screen. Click the "Select All" button to select all entries. In general all should be selected with the exception of the good hosts file entries.

When all are selected Click "Next" and then "OK" in the pop-up window to confirm the removal.
Close Ad-aware, reboot your system and go on below.

The download for Spybot S&D is available here:

/downloads-file-108.html

Install by double-clicking on the downloaded file.
Run Spybot S&D from desktop icon or Start menu.
Press "Search for updates" button to get list of updates available.
Press "Download updates" button.
Close all IE windows and close & restart Spybot S&D.
Press "Check for problems" button.
Have SpyBot remove all it marks in red by pressing "Fix selected problems"
Close Spybot S&D, reboot your system

Download "Hijack This!".
Save it in a permanent folder such as C:\HJT\, double click HijackThis.exe, and hit "Scan".

When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, save the log, Ctrl-A to Select All, and post your log in the

Hijackthis - Spyware, Viruses, Worms, Trojans Oh My! Forum.

Most of what it lists will be harmless or even essential, don't fix anything yet.

When you post in the other forum please explain your problem again in detail so that the experts in the HJT forum will have the complete picture. Someone will be along to help you, but please be patient as the experts are very busy as of late!!

In the mean time, for your protection, I suggest you download and install these 2 very small, free programs that you run once and then just occasionally have to check for updates.

SpywareBlaster will block bad ActiveX and malevolent cookies.

http://www.javacoolsoftware.com/spywareblaster.html

IE-SPYAD puts over 4000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.

http://www.staff.uiuc.edu/~ehowes/resource.htm#IESPYAD

Please also read this article.
So how did I get infected in the first place?

When you start a new thread in Hijackthis - Spyware, Viruses, Worms, Trojans Oh My!, please post back here to let me know so that we can close this thread.