Constant Pop ups

[delongboy]

Have been getting constant popups that usually go to one of 3 sites.
hxxp://automobilewdew.com/?a=duendeslow
hxxp://www.appcraver.com/
hxxp://www.registrydefender.com/l/indexsg.asp?utm_source=CD458&kwd=
Have run spybot, adaware and avast. avast found 2 viruses
Name: A0007128.exe
Original Location: C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP112
Virus: Win32:Trojan-gen {Other}

Name: ~.exe
Original Location: C:\WINDOWS\system32
Virus: Win32:Trojan-gen {Other}

moved both to chest.

logs follow:


DDS (Version 1.0) - NTFSx86
Run by kshereba at 9:04:31.00 on Tue 11/11/2008
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.894.319 [GMT -5:00]

=============== Created Last 30 ================

2008-11-11 08:51 250 a------- c:\windows\gmer.ini
2008-11-11 08:11 <DIR> --d----- c:\program files\Trend Micro
2008-11-10 07:54 25,088 a------- c:\windows\system32\__c004E90D.dat
2008-11-10 07:54 25,088 a------- c:\windows\system32\__c00F9A3C.dat
2008-10-30 12:56 <DIR> --d----- c:\docume~1\kpenrose\applic~1\.purple
2008-10-29 09:49 <DIR> --d----- c:\program files\Lavasoft
2008-10-29 09:49 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Lavasoft
2008-10-29 09:24 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2008-10-29 09:24 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2008-10-29 08:04 25,088 a------- c:\windows\system32\__c0017D31.dat
2008-10-24 10:02 <DIR> --d----- c:\program files\EditPlus 2
2008-10-24 08:49 754 a------- c:\windows\WORDPAD.INI
2008-10-21 13:05 <DIR> --d----- c:\docume~1\kpenrose\applic~1\GetRightToGo

================== Find3M ==================

2008-11-10 09:38 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Viewpoint
2008-11-10 09:38 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2008-10-15 11:57 332,800 -------- c:\windows\system32\dllcache\netapi32.dll
2008-10-03 12:41 6,066,176 -------- c:\windows\system32\dllcache\ieframe.dll
2008-09-18 11:48 <DIR> --d----- c:\program files\View22
2008-09-16 13:10 <DIR> --d----- c:\program files\MSECache
2008-09-15 06:57 1,846,016 a------- c:\windows\system32\win32k.sys
2008-09-15 06:57 1,846,016 -------- c:\windows\system32\dllcache\win32k.sys
2008-08-28 05:04 333,056 -------- c:\windows\system32\dllcache\srv.sys
2008-08-27 03:24 3,593,216 -------- c:\windows\system32\dllcache\mshtml.dll
2008-08-25 03:38 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2008-08-25 03:37 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2008-08-23 00:56 635,848 -------- c:\windows\system32\dllcache\iexplore.exe
2008-08-23 00:54 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2008-08-14 04:57 2,185,984 a------- c:\windows\system32\ntoskrnl.exe
2008-08-14 04:57 2,185,984 -------- c:\windows\system32\dllcache\ntoskrnl.exe
2008-08-14 04:55 2,142,720 -------- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-08-14 04:51 138,368 -------- c:\windows\system32\dllcache\afd.sys
2008-08-14 04:18 2,020,864 -------- c:\windows\system32\dllcache\ntkrpamp.exe
2008-08-14 04:18 2,062,976 a------- c:\windows\system32\ntkrnlpa.exe
2008-08-14 04:18 2,062,976 -------- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-04-15 13:26 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SupportSoft
2008-04-15 09:59 <DIR> --d----- c:\docume~1\kpenrose\applic~1\Dell
2008-04-10 13:25 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Dell
2004-08-11 17:25 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SBSI

============== Psuedo HJT Report ===============

uStart Page = hxxp://stinger.saucontech.com/pscaringi/
uDefault_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=1080410
uSearch Bar =
BHO: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_05\bin\jusched.exe"
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
StartupFolder: c:\docume~1\kpenrose\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 2.4\program\quickstart.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Notify: AtiExtEvent -Ati2evxx.dll
Notify: __c004E90D -c:\windows\system32\__c004E90D.dat
SSODL: {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ==============

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys
R0 atiide;atiide;c:\windows\system32\drivers\atiide.sys

============= FINISH: 9:04:42.37 ===============

[tetonbob]

Hello, and Welcome to TSF.

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

1. Download ComboFix from one of these locations:
   
   Link 1
   Link 2
   Link 3
   
   * IMPORTANT !!! Place combofix.exe on your Desktop
   
2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
   
3. Double click on combofix.exe & follow the prompts.
   
4. As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
   
   Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
   
   
   
   
   
   The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.
   
   With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.
   
   Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.
   
   ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper.
   
   Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:
   
   The Recovery Console was successfully installed.
   
   
   
   Click on Yes, to continue scanning for malware.
   
5. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
   
6. When finished, it shall produce a log for you. Post that log in your next reply
   
   Note:
   Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
   
   ---------------------------------------------------------------------------------------------
   
7. Ensure your AntiVirus and AntiSpyware applications are re-enabled. A reboot should have done this.
   
   
   ---------------------------------------------------------------------------------------------

[delongboy]

Here are the combofix results. It did shut down CTFLoader while it was running which caused an error.

ComboFix 08-11-10.01 - kshereba 2008-11-11 12:53:17.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.424 [GMT -5:00]
Running from: c:\documents and settings\kpenrose\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\__c0017D31.dat
c:\windows\system32\__c004E90D.dat
c:\windows\system32\__c00F9A3C.dat

.
((((((((((((((((((((((((( Files Created from 2008-10-11 to 2008-11-11 )))))))))))))))))))))))))))))))
.

2008-11-11 08:51 . 2008-11-11 08:51 250 --a------ c:\windows\gmer.ini
2008-11-11 08:11 . 2008-11-11 08:11 <DIR> d-------- c:\program files\Trend Micro
2008-10-30 12:56 . 2008-10-30 12:59 <DIR> d-------- c:\documents and settings\kpenrose\Application Data\.purple
2008-10-29 09:49 . 2008-10-29 09:49 <DIR> d-------- c:\program files\Lavasoft
2008-10-29 09:49 . 2008-10-29 09:50 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-10-29 09:24 . 2008-11-11 08:46 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-10-29 09:24 . 2008-11-11 08:47 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-29 08:33 . 2008-10-29 08:33 <DIR> d-------- c:\program files\Alwil Software
2008-10-24 10:02 . 2008-10-24 13:21 <DIR> d-------- c:\program files\EditPlus 2
2008-10-24 08:49 . 2008-10-24 08:49 754 --a------ c:\windows\WORDPAD.INI
2008-10-21 13:53 . 2008-10-21 13:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\Microsoft Help
2008-10-21 13:05 . 2008-10-21 13:57 <DIR> d-------- c:\documents and settings\kpenrose\Application Data\GetRightToGo

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-11 17:56 --------- d-----w c:\documents and settings\kpenrose\Application Data\OpenOffice.org2
2008-11-11 13:58 --------- d-----w c:\program files\Mozilla Thunderbird
2008-11-10 14:38 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-11-10 14:38 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2008-09-18 16:48 --------- d-----w c:\program files\View22
2008-09-16 18:10 --------- d-----w c:\program files\MSECache
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-03-25 50528]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-04-27 851968]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-10-09 2183168]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2007-09-17 124200]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"SigmatelSysTrayApp"="stsystra.exe" [2007-04-23 c:\windows\stsystra.exe]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
OpenOffice.org 2.4.lnk - c:\program files\OpenOffice.org 2.4\program\quickstart.exe [2008-01-21 393216]

c:\documents and settings\kpenrose\Start Menu\Programs\Startup\
OpenOffice.org 2.4.lnk - c:\program files\OpenOffice.org 2.4\program\quickstart.exe [2008-01-21 393216]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-04-10 50688]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-01-21 65588]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=

R0 atiide;atiide;c:\windows\system32\DRIVERS\atiide.sys [2007-05-23 3456]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-07-19 78416]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-07-19 20560]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-DellSupportCenter - c:\program files\Dell Support Center\bin\sprtcmd.exe
Notify-__c004E90D - c:\windows\system32\__c004E90D.dat


.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\kpenrose\Application Data\Mozilla\Firefox\Profiles\vgi9k061.default\
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-11 12:57:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\program files\ATI Technologies\ATI.ACE\CLI.exe
c:\program files\OpenOffice.org 2.4\program\soffice.exe
c:\program files\OpenOffice.org 2.4\program\soffice.bin
c:\program files\AIM6\aolsoftware.exe
c:\program files\ATI Technologies\ATI.ACE\CLI.exe
c:\windows\system32\wbem\wmiadap.exe
c:\windows\system32\verclsid.exe
.
**************************************************************************
.
Completion time: 2008-11-11 13:00:55 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-11 18:00:50

Pre-Run: 108,174,725,120 bytes free
Post-Run: 108,558,331,904 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

120 --- E O F --- 2008-10-24 17:12:15

[tetonbob]

Next steps....

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

• Download the latest version of Java Runtime Environment (JRE) 6 and save it to your desktop.
• Scroll down to where it says "Java SE Runtime Environment (JRE) 6 Update 10. The Java SE Runtime Environment (JRE) allows end-users to run Java applications."
• Click the "Download" button to the right.
• Select the Windows platform from the dropdown menu.
• Read the License Agreement and then check the box that says: "Accept License Agreement". Click on Continue.The page will refresh.
• Click on the link to download Windows Offline Installation and save the file to your desktop.
• Close any programs you may have running - especially your web browser.
• Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
• Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java(TM) 6) in the name.
• Click the Remove or Change/Remove button.
• Repeat as many times as necessary to remove each Java versions.
• Reboot your computer once all Java components are removed.
• Then from your desktop double-click on jre-6u10-windows-i586-p.exe to install the newest version.

• After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
  • On the General tab, under Temporary Internet Files, click the Settings button.
  • Next, click on the Delete Files button
  • There are two options in the window to clear the cache - Leave BOTH Checked
    • Applications and Applets
      Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.

---------------------------------------------------------------------------------------------

Go here to run an online scannner from ESET.

• Note: You will need to use Internet explorer for this scan
• Turn off the real time scanner of any existing antivirus program while performing the online scan
• Tick the box next to YES, I accept the Terms of Use.
• Click Start
• When asked, allow the activex control to install
• Click Start
• Make sure that the option Remove found threats is unticked, and the option Scan unwanted applications is checked
• Click Scan
• Wait for the scan to finish
• Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
• Copy and paste that log as a reply to this topic and also let me know how things are now.

[delongboy]

After combofix everything seemed to be much better. here is the log from the eset scan

# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3606 (20081112)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=061acc3db555864abc69bbbab7d0cbae
# end=finished
# remove_checked=false
# unwanted_checked=true
# utc_time=2008-11-12 02:18:06
# local_time=2008-11-12 09:18:06 (-0500, Eastern Standard Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 2
# scanned=305994
# found=1
# scan_time=2236
C:\Qoobox\Quarantine\C\WINDOWS\system32\__c0017D31.dat.vir Win32/TrojanDownloader.Agent.NZH trojan 70E1DCBFBBEF6F611AF9ED157FC62C6C

[tetonbob]

Well done. The only item found is in ComboFix quarantine. This will be removed by uninstalling ComboFix as instructed below.

Other than that.........

Your logs appear clean.You should be good to go. We still have a few items to address.

Go to -> Run -> copy/paste in the following single line command & click OK

combofix /u

This will uninstall ComboFix. It will also implement some cleanup procedures and reset System Restore points.

Now that your system is clean, to help protect your computer in the future I recommend that you follow these steps and look into the following free programs:

• Microsoft Windows Update - http://www.windowsupdate.com
  Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
  
  
• SpywareBlaster to help prevent spyware from installing in the first place.
  • Install & update SpywareBlaster with the latest definitions.
    After you have updated, click the button - enable protection for all unprotected items
• Winpatrol
  
  Winpatrol is heuristic protection program, meaning it looks for patterns in codes that work like malware. It also takes a snapshot of your system's critical resources and alerts you to any changes that may occur without you knowing. You can read more about Winpatrol's features here.
  
  You can get a free copy of Winpatrol or use the Plus version for more features.
  
  You can read Winpatrol's FAQ if you run into problems.
  
  
• MVPS HOST FILE
  The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites form serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer.
  • Download Host.zip to your desktop.
  • From your Desktop right-click (hosts.zip) and select:
    Extract All from the menu.
    
  • Click Next, click Next, select the option:
    "Show Extracted files", click Finish
    
  • This will open the newly created hosts folder on your Desktop.
    
  • Double-click on the included mvps.bat file, this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine.
    
  • Once updated you should see another prompt that the task was completed.
• ANTIVIRUS SOFTWARE
  It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch new malware that may have come out.
  
  Do not install more than one AntiVirus program because they will conflict with each other.
  
  
• FIREWALL
  Using a third-party firewall will allow you to give/deny access for applications that want to go online. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. A tutorial on Firewalls and a listing of some available ones can be found here
  
  Do not install more than one firewall program because they will conflict with each other.

Scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer

Here are some additional utilities that will further enhance your safety.

• http://www.trillian.cc ? Trillian or http://www.miranda-im.com ? Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
  
  
• http://www.mozilla.org/products/firefox/ - Firefox - Use this alternate browser. While Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.
  
  
• http://java.com/en/index.jsp - Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.
  
  
• http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP//Vista. It's made up of two parts - ERUNT & NTREGOPT.
  
  ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively renders disables System Restore. With ERUNT, you're able to restore the damaged Registry.
  
  NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.

In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles

• HOW DID I GET INFECTED IN THE FIRST PLACE?
• MAKING INTERNET EXPLORER SAFER

If you want to fight back the Malware Writers that have made your life a misery, please take a look here and read what you can do against it.

Please respond to this thread one more time so we can mark this thread as resolved.

[delongboy]

Thanks a lot. Everything is working great!

[tetonbob]

Glad to have helped.

Surf Safely, and Think Prevention!

Since this issue is resolved, this topic will be archived.