Topic: Sys tray popups, Spyware. Help needed

PostTime: 12/16/2008 7:45:22 PM | FloorTop
My computer has been infected with SpyLocked. I thought I got rid of it a week ago, but Windows auto-restarted my computer today, and when I got home from work the popup in the systray was back. My anti-spyware programs don't seem to see it at all now. I've tried SpyBot: Search and Destroy, and last week it found it, and the popup stopped, but now SpyBot says everything is OK.

Please help me, this thing is driving me crazy, and I can't figure out how to squash it.

Here is a current SmitFraudFix scan report

SmitFraudFix v2.171

Scan done at 15:20:26.10, Wed 05/09/2007
Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{4233ac08-a2c4-4742-a0b4-83719613d62c}"="grassily"

[HKEY_CLASSES_ROOT\CLSID\{4233ac08-a2c4-4742-a0b4-83719613d62c}\InProcServer32]
@="C:\WINDOWS\system32\ilmpjy.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{4233ac08-a2c4-4742-a0b4-83719613d62c}\InProcServer32]
@="C:\WINDOWS\system32\ilmpjy.dll"


Killing process


hosts


127.0.0.1 localhost

Generic Renos Fix

GenericRenosFix by S!Ri


Deleting infected files


DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{146F4705-53C5-4DD4-A1F4-B0F88811128A}: DhcpNameServer=216.237.72.66 216.237.77.2
HKLM\SYSTEM\CCS\Services\Tcpip\..\{146F4705-53C5-4DD4-A1F4-B0F88811128A}: NameServer=85.255.116.87,85.255.112.174
HKLM\SYSTEM\CCS\Services\Tcpip\..\{4E5E5FC7-4174-4074-91F0-7CEF40A984C8}: DhcpNameServer=85.255.116.87,85.255.112.174
HKLM\SYSTEM\CCS\Services\Tcpip\..\{4E5E5FC7-4174-4074-91F0-7CEF40A984C8}: NameServer=85.255.116.87,85.255.112.174
HKLM\SYSTEM\CCS\Services\Tcpip\..\{D6472A9E-7FE6-4D02-B90B-6656CD13DCE6}: DhcpNameServer=85.255.116.87,85.255.112.174
HKLM\SYSTEM\CCS\Services\Tcpip\..\{D6472A9E-7FE6-4D02-B90B-6656CD13DCE6}: NameServer=85.255.116.87,85.255.112.174
HKLM\SYSTEM\CS1\Services\Tcpip\..\{146F4705-53C5-4DD4-A1F4-B0F88811128A}: DhcpNameServer=216.237.72.66 216.237.77.2
HKLM\SYSTEM\CS1\Services\Tcpip\..\{146F4705-53C5-4DD4-A1F4-B0F88811128A}: NameServer=85.255.116.87,85.255.112.174
HKLM\SYSTEM\CS1\Services\Tcpip\..\{4E5E5FC7-4174-4074-91F0-7CEF40A984C8}: DhcpNameServer=85.255.116.87,85.255.112.174
HKLM\SYSTEM\CS1\Services\Tcpip\..\{4E5E5FC7-4174-4074-91F0-7CEF40A984C8}: NameServer=85.255.116.87,85.255.112.174
HKLM\SYSTEM\CS1\Services\Tcpip\..\{D6472A9E-7FE6-4D02-B90B-6656CD13DCE6}: DhcpNameServer=85.255.116.87,85.255.112.174
HKLM\SYSTEM\CS1\Services\Tcpip\..\{D6472A9E-7FE6-4D02-B90B-6656CD13DCE6}: NameServer=85.255.116.87,85.255.112.174
HKLM\SYSTEM\CS3\Services\Tcpip\..\{146F4705-53C5-4DD4-A1F4-B0F88811128A}: DhcpNameServer=216.237.72.66 216.237.77.2
HKLM\SYSTEM\CS3\Services\Tcpip\..\{146F4705-53C5-4DD4-A1F4-B0F88811128A}: NameServer=85.255.116.87,85.255.112.174
HKLM\SYSTEM\CS3\Services\Tcpip\..\{4E5E5FC7-4174-4074-91F0-7CEF40A984C8}: DhcpNameServer=85.255.116.87,85.255.112.174
HKLM\SYSTEM\CS3\Services\Tcpip\..\{4E5E5FC7-4174-4074-91F0-7CEF40A984C8}: NameServer=85.255.116.87,85.255.112.174
HKLM\SYSTEM\CS3\Services\Tcpip\..\{D6472A9E-7FE6-4D02-B90B-6656CD13DCE6}: DhcpNameServer=85.255.116.87,85.255.112.174
HKLM\SYSTEM\CS3\Services\Tcpip\..\{D6472A9E-7FE6-4D02-B90B-6656CD13DCE6}: NameServer=85.255.116.87,85.255.112.174
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=216.237.72.66 216.237.77.2
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: NameServer=85.255.116.87 85.255.112.174
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=216.237.72.66 216.237.77.2
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: NameServer=85.255.116.87 85.255.112.174
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=216.237.72.66 216.237.77.2
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: NameServer=85.255.116.87 85.255.112.174


Deleting Temp Files


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


Registry Cleaning

Registry Cleaning done.

SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{4233ac08-a2c4-4742-a0b4-83719613d62c}"="grassily"

[HKEY_CLASSES_ROOT\CLSID\{4233ac08-a2c4-4742-a0b4-83719613d62c}\InProcServer32]
@="C:\WINDOWS\system32\ilmpjy.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{4233ac08-a2c4-4742-a0b4-83719613d62c}\InProcServer32]
@="C:\WINDOWS\system32\ilmpjy.dll"



End
 
     
   
PostTime: 12/16/2008 7:54:21 PM | Floor# 1
Rescan with Hijack This.
Close all browser windows except Hijack This.
Put a check mark beside these entries and click "Fix Checked".

O17 - HKLM\System\CCS\Services\Tcpip\..\{146F4705-53C5-4DD4-A1F4-B0F88811128A}: NameServer = 85.255.116.87,85.255.112.174
O17 - HKLM\System\CCS\Services\Tcpip\..\{4E5E5FC7-4174-4074-91F0-7CEF40A984C8}: NameServer = 85.255.116.87,85.255.112.174
O17 - HKLM\System\CCS\Services\Tcpip\..\{D6472A9E-7FE6-4D02-B90B-6656CD13DCE6}: NameServer = 85.255.116.87,85.255.112.174
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.87 85.255.112.174
O17 - HKLM\System\CS1\Services\Tcpip\..\{146F4705-53C5-4DD4-A1F4-B0F88811128A}: NameServer = 85.255.116.87,85.255.112.174
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.87 85.255.112.174


Close Hijack This.

* Go to Control Panel. - If you are using Windows XP's Category View, select the Network and Internet Connections category. If you are in Classic View, go to the next step.

Double-click the Network Connections icon
Right-click the Local Area Connection icon and select Properties.
Highlight Internet Protocol (TCP/IP) and click the Properties button.
Be sure Obtain DNS server address automatically is selected.
OK your way out.

* Go to Start > Run and type in cmd
Click OK.
This will open a command prompt.
Type or copy and paste the following line in the command window:

ipconfig /flushdns

Hit Enter.
Exit the command window.
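As an added example (not part of this thread, and not code from the SmitFraudFix or HijackThis tools), the script below does on paper what the replies in this thread do by hand: it reads log lines shaped like the SmitFraudFix report in the first post and the O17 lines in the reply above, joins each SharedTaskScheduler CLSID to the DLL its InProcServer32 key loads, and lists every Tcpip interface that still carries a static NameServer value, noting whether it agrees with the DHCP-assigned servers. The sample log, the `looks_random` heuristic and all function names are constructed for this example; the heuristic only flags an entry for a human to review, it is not a verdict on the file.

```python
"""Triage helper for SmitFraudFix / HijackThis log lines (added example).

It pulls out the two indicators discussed in this thread: a SharedTaskScheduler
CLSID that resolves to an unfamiliar DLL, and per-interface static NameServer
values that should not be present on a machine meant to obtain DNS via DHCP.
"""
import re
from dataclasses import dataclass

# Constructed sample, shaped like the SmitFraudFix report and the HijackThis
# O17 lines quoted in this thread (both formats mixed on purpose).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{4233ac08-a2c4-4742-a0b4-83719613d62c}"="grassily"

[HKEY_CLASSES_ROOT\CLSID\{4233ac08-a2c4-4742-a0b4-83719613d62c}\InProcServer32]
@="C:\WINDOWS\system32\ilmpjy.dll"

DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{146F4705-53C5-4DD4-A1F4-B0F88811128A}: DhcpNameServer=216.237.72.66 216.237.77.2
HKLM\SYSTEM\CCS\Services\Tcpip\..\{146F4705-53C5-4DD4-A1F4-B0F88811128A}: NameServer=85.255.116.87,85.255.112.174
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=216.237.72.66 216.237.77.2
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: NameServer=85.255.116.87 85.255.112.174
O17 - HKLM\System\CCS\Services\Tcpip\..\{4E5E5FC7-4174-4074-91F0-7CEF40A984C8}: NameServer = 85.255.116.87,85.255.112.174
"""

STS_HEADER = re.compile(r"^\[.*\\Explorer\\SharedTaskScheduler\]$", re.IGNORECASE)
INPROC_HEADER = re.compile(r"^\[.*\\CLSID\\(\{[0-9A-F-]+\})\\InProcServer32\]$", re.IGNORECASE)
CLSID_VALUE = re.compile(r'^"(\{[0-9A-F-]+\})"="(.*)"$', re.IGNORECASE)
DEFAULT_VALUE = re.compile(r'^@="(.*)"$')
# Accepts both the SmitFraudFix "HKLM\SYSTEM\...: NameServer=" form and the
# HijackThis "O17 - HKLM\System\...: NameServer = " form.
DNS_LINE = re.compile(
    r"^(?:O17 - )?HKLM\\SYSTEM\\(?P<hive>CCS|CS\d)\\Services\\Tcpip\\"
    r"(?P<scope>Parameters|\.\.\\\{[0-9A-F-]+\}): ?"
    r"(?P<key>DhcpNameServer|NameServer) ?= ?(?P<value>.*)$",
    re.IGNORECASE,
)


@dataclass
class Finding:
    rule: str
    detail: str


def parse_shared_task_scheduler(lines):
    """Return [(clsid, label, dll_path)] for each SharedTaskScheduler entry,
    joined to its InProcServer32 default value (None when not in the log)."""
    entries, servers, section = {}, {}, None
    for raw in lines:
        line = raw.strip()
        if STS_HEADER.match(line):
            section = "sts"
            continue
        m = INPROC_HEADER.match(line)
        if m:
            section = m.group(1).lower()
            continue
        if line.startswith("["):      # any other registry key header
            section = None
            continue
        if section == "sts" and (m := CLSID_VALUE.match(line)):
            entries[m.group(1).lower()] = m.group(2)
        elif section and (m := DEFAULT_VALUE.match(line)):
            servers[section] = m.group(1)
    return [(c, label, servers.get(c)) for c, label in entries.items()]


def parse_dns(lines):
    """Return {(hive, scope): {"NameServer": [...], "DhcpNameServer": [...]}}."""
    table = {}
    for raw in lines:
        m = DNS_LINE.match(raw.strip())
        if m:
            key = "DhcpNameServer" if m["key"].lower().startswith("dhcp") else "NameServer"
            servers = [s for s in re.split(r"[,\s]+", m["value"]) if s]
            table.setdefault((m["hive"].upper(), m["scope"]), {})[key] = servers
    return table


def looks_random(dll_path):
    """Triage heuristic only (constructed): a short, nearly vowel-free basename
    such as ilmpjy.dll deserves a look; a verdict needs the file's hash/signature."""
    name = dll_path.rsplit("\\", 1)[-1].lower()
    stem = name[:-4] if name.endswith(".dll") else name
    vowels = sum(ch in "aeiou" for ch in stem)
    return stem.isalpha() and 5 <= len(stem) <= 8 and vowels <= 1


def triage(text):
    """Run both checks over a log and return the findings in a stable order."""
    lines = text.splitlines()
    findings = []
    for clsid, label, dll in parse_shared_task_scheduler(lines):
        if dll is None or looks_random(dll):
            findings.append(Finding("sts-dll", f"{clsid} ({label!r}) -> {dll}"))
    for (hive, scope), keys in sorted(parse_dns(lines).items()):
        static = keys.get("NameServer")
        if not static:
            continue        # DHCP-only: the state the fix instructions aim for
        dhcp = keys.get("DhcpNameServer")
        if dhcp is None:
            note = "no DhcpNameServer recorded"
        elif dhcp == static:
            note = "same as DHCP value " + ", ".join(dhcp)
        else:
            note = "differs from DHCP value " + ", ".join(dhcp)
        findings.append(Finding("static-dns", f"{hive} {scope}: NameServer={', '.join(static)} ({note})"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.rule}] {f.detail}")
```

Run it against a saved SmitFraudFix report or HijackThis log by passing the file's text to `triage()`. A `static-dns` finding whose note says "differs from DHCP value" is the case shown in this thread's report; a "same as DHCP value" note still means a static server is pinned, so the "Obtain DNS server address automatically" check in the reply above applies either way.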
 
     
   
PostTime: 12/16/2008 9:07:10 PM | Floor# 2
* Click here to download HJTsetup.exe.
Save HJTsetup.exe to your desktop.

Double click on the HJTsetup.exe icon on your desktop.
By default it will install to C:\Program Files\Hijack This.
Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
Put a check by Create a desktop icon then click Next again.
Continue to follow the rest of the prompts from there.
At the final dialogue box click Finish and it will launch Hijack This.
Click on the Do a system scan and save a log file button. It will scan and then ask you to save the log.
Click Save to save the log file and then the log will open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
Come back here to this thread and Paste the log in your next reply.
DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
 
     
   
PostTime: 12/16/2008 10:08:18 PM | Floor# 3
How are things now?
 
     
   
PostTime: 12/16/2008 10:16:02 PM | Floor# 4
Please post a new Hijack This log.
 
     
   
PostTime: 12/16/2008 10:45:06 PM | Floor# 5
Seems to be OK, the popup in my systray is gone. I'm still running a little slow, but everything seems to be good.
 
     
   
PostTime: 12/17/2008 12:11:16 AM | Floor# 6
You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Next, please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.

A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.

The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning: running option #2 on a non-infected computer will remove your Desktop background.
 
     
   
PostTime: 12/17/2008 12:41:15 AM | Floor# 7
What items have been disabled with msconfig? We need to see those too.
Please recheck all the items that were turned off, then post a new Hijack This log.
 
     
   
PostTime: 12/17/2008 12:58:17 AM | Floor# 8
Thank you.

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://swandog46.geekstogo.com/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

When your system reboots, follow the prompts. Afterwards, Hijack This will launch. Close Hijack This, and click OK to proceed.

At the end of the fix, you may need to restart your computer again.

Finally, please post the contents of the logfile C:\fixwareout\report.txt, along with a new Hijack This log.