Old 02-02-2009, 05:48 PM   #1 (permalink)
dandoming (Registered User)
Join Date: Dec 2008
Posts: 10
OS: XP HomeEdition2002 SP3

MS Antispyware 2009 and more has got me

My wife got a pop-up from MS Antispyware 2009 and I am pretty sure she clicked on it, though I wish she hadn't. Now I am getting regular pop-ups from such, notices of malicious spyware from said software, and scary DOS screens every few minutes. When the DOS screens come up it is usually 6 at a time with a dialogue box that says:

16 bit MS-DOS Subsystem
C:\DOCUME~1\DANIEL~1\LOCALS~1\Temp\~tmpe.exe
The NTVDM CPU has encountered an illegal instruction.
CS:0588 IP:0113 OP:ff ff ff d4 d0 Choose 'CLose' to terminate the application

[Close] [Ignore]

If possible please help... Here's the DDS (my tech savviness is low)

Dan


DDS (Ver_09-01-07.01) - NTFSx86
Run by Daniel Dominguez at 16:37:54.73 on Mon 02/02/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.512.161 [GMT -7:00]

AV: avast! antivirus 4.8.1296 [VPS 090202-1] *On-access scanning enabled* (Updated)

============== Running Processes ===============

svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\LTSMMSG.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\System32\WScript.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\DeltTray.exe
C:\WINDOWS\system32\RunDLL32.exe
D:\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\ResChanger 2005\ResChanger2005.exe
C:\Documents and Settings\Daniel Dominguez\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\DOCUME~1\DANIEL~1\LOCALS~1\Temp\a.exe
C:\Program Files\sony\giga pocket\usbsircs.exe
C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
C:\Program Files\Quick ShutDown\qsd.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\Daniel Dominguez\My Documents\FIX Utilities\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: NoExplorer - No File
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 5.0\reader\activex\AcroIEHelper.ocx
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [ResChanger 2005] c:\program files\reschanger 2005\ResChanger2005.exe
uRun: [Google Update] "c:\documents and settings\daniel dominguez\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [DW6] "c:\program files\the weather channel fw\desktop\DesktopWeather.exe"
uRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
uRun: [MSFox] c:\docume~1\daniel~1\locals~1\temp\a.exe
uRun: [MS AntiSpyware 2009] "c:\documents and settings\all users\application data\crucialsoft ltd\ms antispyware 2009\msas2009.exe" /autorun
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [SiSUSBRG] c:\windows\SiSUSBrg.exe
mRun: [SiS Tray]
mRun: [SiS KHooker] c:\windows\system32\khooker.exe
mRun: [LTSMMSG] LTSMMSG.exe
mRun: [ezShieldProtector for Px] c:\windows\system32\ezSP_Px.exe
mRun: [TkBellExe] c:\program files\common files\real\update_ob\evntsvc.exe -osboot
mRun: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [M-Audio Delta Taskbar Icon] c:\windows\system32\DeltTray.exe
mRun: [DeltTray] DeltTray.exe
mRun: [CleanupProgram] c:\sonysys\cleanup.exe
mRun: [StorageGuard] "c:\program files\veritas software\update manager\sgtray.exe" /r
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "d:\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
StartupFolder: c:\docume~1\daniel~1\startm~1\programs\startup\quicks~1.lnk - c:\program files\quick shutdown\qsd.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\gigapo~1.lnk - c:\program files\sony\giga pocket\usbsircs.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vaioac~1.lnk - c:\program files\sony\vaio action setup\VAServ.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: turbotax.com
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-4-10 111184]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2006-11-19 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2006-11-19 352920]
R3 LucentSoftModem;Lucent Technologies Soft Modem;c:\windows\system32\drivers\LTSM.sys [2002-8-3 815819]
R4 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-4-10 20560]
R4 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2006-11-19 155160]
S3 bfturboh;BUFFALO TurboUSB for HD Filter;c:\windows\system32\drivers\bfturboh.sys [2008-11-25 15872]
S3 bfturboo;BUFFALO TurboUSB for DVD Filter;c:\windows\system32\drivers\bfturboo.sys [2008-11-25 8704]
S3 JL2005;JL2005A Camera;c:\windows\system32\drivers\toywdm.sys [2005-10-8 71512]
S3 JL2005C;Dual Mode Camera;c:\windows\system32\drivers\jl2005c.sys [2007-1-26 68954]

=============== Created Last 30 ================


==================== Find3M ====================

2008-12-11 03:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-11-10 05:43 410,984 a------- c:\windows\system32\deploytk.dll
2008-05-15 19:59 26,392 ac------ c:\docume~1\daniel~1\applic~1\GDIPFONTCACHEV1.DAT

============= FINISH: 16:38:20.65 ===============
Attached Files
File Type: zip Attach (with ark).zip (3.7 KB, 3 views)
File Type: zip Screenshots.zip (110.7 KB, 1 views)
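As an added example (not from the thread, and not part of the DDS tool), here is a small Python triage script for the Run entries in a DDS "Pseudo HJT Report" like the one above: it flags entries whose target lives in a temp or application-data folder, entries with no target at all, and orphaned "No File" browser objects, which is exactly where the MSFox/a.exe and MS AntiSpyware 2009 lines in Dan's log stand out. The sample lines are constructed from this thread's own log; the marker lists and reason names are my own choices.

```python
"""Triage autostart entries from a DDS 'Pseudo HJT Report' (added example)."""
import re

# Constructed sample in DDS's own line format, adapted from the log in this thread.
SAMPLE_DDS = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\daniel dominguez\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
uRun: [MSFox] c:\docume~1\daniel~1\locals~1\temp\a.exe
uRun: [MS AntiSpyware 2009] "c:\documents and settings\all users\application data\crucialsoft ltd\ms antispyware 2009\msas2009.exe" /autorun
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [SiS Tray]
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 5.0\reader\activex\AcroIEHelper.ocx
"""

# uRun = per-user (HKCU) Run key, mRun = machine-wide (HKLM) Run key, as DDS prints them.
RUN_LINE = re.compile(r'^(?P<hive>[um])Run: \[(?P<name>[^\]]*)\](?: (?P<cmd>.*))?$')
# Path fragments that mark user-writable locations where a Run entry deserves a second look.
TEMP_MARKERS = ('\\temp\\', '\\tmp\\')
APPDATA_MARKERS = ('\\application data\\', '\\applic~1\\', '\\local settings\\', '\\locals~1\\')


def split_command(command):
    """Return (first token, remainder), honouring a double-quoted first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        if end == -1:
            return command[1:], ''
        return command[1:end], command[end + 1:].strip()
    parts = command.split(None, 1)
    if not parts:
        return '', ''
    return parts[0], (parts[1] if len(parts) > 1 else '')


def extract_target(command):
    """Return the file that actually runs: the first token, or the module rundll32 loads."""
    first, rest = split_command(command)
    if first.lower().rsplit('\\', 1)[-1] == 'rundll32.exe' and rest:
        module, _ = split_command(rest)
        return module.split(',', 1)[0]   # 'NvCpl.dll,NvStartup' -> 'NvCpl.dll'
    return first


def triage(dds_text):
    """Return the entries worth a second look, each with the reasons it was flagged."""
    findings = []
    for raw in dds_text.splitlines():
        line = raw.strip()
        match = RUN_LINE.match(line)
        if match:
            target = extract_target(match.group('cmd') or '')
            low = target.lower()
            reasons = []
            if not target:
                reasons.append('no-target')      # e.g. 'mRun: [SiS Tray]' with nothing behind it
            if any(marker in low for marker in TEMP_MARKERS):
                reasons.append('temp-dir')       # executables living in %TEMP% are rarely legitimate autostarts
            if any(marker in low for marker in APPDATA_MARKERS):
                reasons.append('user-appdata')   # per-user or All Users application data
            if reasons:
                findings.append({'kind': 'Run', 'hive': match.group('hive'),
                                 'name': match.group('name'), 'target': target, 'reasons': reasons})
        elif line.startswith(('BHO:', 'TB:', 'EB:')) and line.endswith(' - No File'):
            kind, rest = line.split(':', 1)
            # Orphaned browser objects: the registry still points at a file that no longer exists.
            findings.append({'kind': kind, 'hive': None, 'name': rest.rsplit(' - ', 1)[0].strip(),
                             'target': None, 'reasons': ['no-file']})
    return findings


if __name__ == '__main__':
    for finding in triage(SAMPLE_DDS):
        print(f"{finding['kind']:<3} [{finding['name']}] {finding['target'] or '-'}"
              f"  <- {', '.join(finding['reasons'])}")
```

Flagged entries are candidates for review, not verdicts: legitimate updaters such as Google Update also run from Application Data, while the Temp-resident a.exe is the one that should never be there.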

Old 02-04-2009, 08:46 PM   #2 (permalink)
tetonbob (Manager, Security Center, TSF Academy; Analyst, Security Team)
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,594
OS: 2000 Pro; XP Pro; XP Home

Re: MS Antispyware 2009 and more has got me

Hello again, Dan. Seems the machine didn't luck out this time. After we take care of this, let's do some educating.

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper at this forum.

---------------------------------------------------------------------------------------------

Please visit this webpage for download links, and instructions for running combofix:

http://www.bleepingcomputer.com/comb...o-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
Old 02-05-2009, 11:53 AM   #3 (permalink)
dandoming (Registered User)
Join Date: Dec 2008
Posts: 10
OS: XP HomeEdition2002 SP3

Re: MS Antispyware 2009 and more has got me

I am trying the combofix as we speak... problem is that the black DOS screens keep popping up so I am not sure combofix is going to run properly...I'll let you know what happens.

Dan
Old 02-05-2009, 12:09 PM   #4 (permalink)
dandoming (Registered User)
Join Date: Dec 2008
Posts: 10
OS: XP HomeEdition2002 SP3

Re: MS Antispyware 2009 and more has got me

whew... it ran...good stuff... here's the log from combofix




ComboFix 09-02-04.04 - Daniel Dominguez 2009-02-05 11:47:50.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.512.192 [GMT -7:00]
Running from: c:\documents and settings\Daniel Dominguez\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1296 [VPS 090205-0] *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\CrucialSoft Ltd
c:\windows\system32\msxml71.dll

.
((((((((((((((((((((((((( Files Created from 2009-01-05 to 2009-02-05 )))))))))))))))))))))))))))))))
.

2009-02-05 08:00 . 2009-02-05 08:00 <DIR> d----c--- c:\documents and settings\Primary\Application Data\Apple Computer
2009-02-04 17:20 . 2002-08-03 09:17 <DIR> d----c--- c:\documents and settings\Primary\WINDOWS
2009-02-04 17:20 . 2002-08-15 10:32 <DIR> d----c--- c:\documents and settings\Primary\Application Data\Sony Corporation
2009-02-04 17:20 . 2002-08-15 10:30 <DIR> d----c--- c:\documents and settings\Primary\Application Data\InterTrust
2009-02-04 17:20 . 2009-02-04 17:20 <DIR> d----c--- c:\documents and settings\Primary
2009-02-03 15:24 . 2009-02-03 15:24 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2009-02-03 15:24 . 2009-02-03 15:24 <DIR> d-------- c:\program files\Adobe Media Player
2009-02-03 14:58 . 2009-02-03 14:58 <DIR> d-------- c:\program files\Xvid
2009-02-03 14:58 . 2009-02-03 17:13 <DIR> d-------- c:\program files\AoA DVD Ripper
2009-02-03 14:58 . 2007-06-28 18:52 765,952 --a------ c:\windows\system32\xvidcore.dll
2009-02-03 14:58 . 2007-06-28 18:54 180,224 --a------ c:\windows\system32\xvidvfw.dll
2009-02-03 14:58 . 2007-06-28 18:55 77,824 --a------ c:\windows\system32\xvid.ax
2009-02-03 14:58 . 2009-02-03 18:53 132 --a------ c:\windows\AoADVDRipper.INI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-04 02:14 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-01-24 20:55 --------- d-----w c:\program files\TuxPaint
2009-01-23 01:41 --------- d-----w c:\documents and settings\Daniel Dominguez\Application Data\TuxPaint
2009-01-16 14:50 --------- d-----w c:\documents and settings\All Users\Application Data\DVD Shrink
2009-01-15 15:43 --------- d-----w c:\documents and settings\Daniel Dominguez\Application Data\InstallShield
2008-12-28 21:11 --------- d-----w c:\program files\Audible
2008-12-17 22:24 --------- d-----w c:\program files\Java
2008-12-17 20:18 --------- d-----w c:\program files\ATF
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-06 20:19 --------- d-----w c:\program files\DVDVideoSoft
2008-12-06 20:19 --------- d-----w c:\program files\Common Files\DVDVideoSoft
2008-12-05 00:57 --------- d-----w c:\program files\Shrink
2008-12-05 00:57 --------- d-----w c:\program files\DVD Shrink
2008-11-10 12:43 410,984 ----a-w c:\windows\system32\deploytk.dll
2008-05-16 02:59 26,392 -c--a-w c:\documents and settings\Daniel Dominguez\Application Data\GDIPFONTCACHEV1.DAT
2008-09-12 19:51 32,768 -csha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008091220080913\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
"ResChanger 2005"="c:\program files\ResChanger 2005\ResChanger2005.exe" [2005-05-26 885248]
"Google Update"="c:\documents and settings\Daniel Dominguez\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-06 133104]
"DW6"="c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe" [2008-10-06 793712]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-06-29 8466432]
"SiSUSBRG"="c:\windows\SiSUSBrg.exe" [2002-04-26 102400]
"ezShieldProtector for Px"="c:\windows\System32\ezSP_Px.exe" [2002-07-03 40960]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\evntsvc.exe" [2002-08-15 146432]
"ZTgServerSwitch"="c:\program files\support.com\client\lserver\server.vbs" [2002-07-14 11406]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
"M-Audio Delta Taskbar Icon"="c:\windows\System32\DeltTray.exe" [2004-08-26 56320]
"StorageGuard"="c:\program files\VERITAS Software\Update Manager\sgtray.exe" [2002-06-18 155648]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-10-01 111936]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="d:\itunes\iTunesHelper.exe" [2008-11-20 290088]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
"LTSMMSG"="LTSMMSG.exe" [2002-07-20 c:\windows\LTSMMSG.exe]
"DeltTray"="DeltTray.exe" [2004-08-26 c:\windows\system32\DeltTray.exe]
"nwiz"="nwiz.exe" [2007-06-29 c:\windows\system32\nwiz.exe]
"NvMediaCenter"="NvMCTray.dll" [2007-06-29 c:\windows\system32\nvmctray.dll]

c:\documents and settings\Daniel Dominguez\Start Menu\Programs\Startup\
Quick ShutDown.lnk - c:\program files\Quick ShutDown\qsd.exe [2003-02-18 294400]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-11-20 113664]
Giga Pocket Remocon Driver.lnk - c:\program files\sony\giga pocket\usbsircs.exe [2006-12-09 741376]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
VAIO Action Setup (Server).lnk - c:\program files\Sony\VAIO Action Setup\VAServ.exe [2002-08-15 40960]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.MJPG"= jl_mjpg2.drv
"VIDC.JDCT"= jl_jdct.drv

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\support.com\\client\\bin\\tgcmd.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Sony\\giga pocket\\gps.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Documents and Settings\\Daniel Dominguez\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Daniel Dominguez\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"d:\\iTunes\\iTunes.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-04-10 111184]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-04-10 20560]
R3 LucentSoftModem;Lucent Technologies Soft Modem;c:\windows\system32\drivers\LTSM.sys [2002-08-03 815819]
S3 bfturboh;BUFFALO TurboUSB for HD Filter;c:\windows\system32\drivers\bfturboh.sys [2008-11-25 15872]
S3 bfturboo;BUFFALO TurboUSB for DVD Filter;c:\windows\system32\drivers\bfturboo.sys [2008-11-25 8704]
S3 JL2005;JL2005A Camera;c:\windows\system32\drivers\toywdm.sys [2005-10-08 71512]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{47c05c44-b226-11dc-a52a-00e018d9dd10}]
\Shell\AutoRun\command - H:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{47c05c45-b226-11dc-a52a-00e018d9dd10}]
\Shell\AutoRun\command - H:\autorun.exe
.
Contents of the 'Scheduled Tasks' folder

2009-01-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-02-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1106520001-3292650235-1482789601-1005.job
- c:\documents and settings\Daniel Dominguez\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-06 15:42]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-SiS KHooker - c:\windows\System32\khooker.exe
HKLM-Run-CleanupProgram - c:\sonysys\cleanup.exe
HKLM-Run-SiS Tray - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Trusted Zone: turbotax.com
DPF: ActiveGS.cab - hxxp://www.virtualapple.org/activegs.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-05 11:50:28
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
Completion time: 2009-02-05 11:54:59
ComboFix-quarantined-files.txt 2009-02-05 18:53:41

Pre-Run: 5,121,101,824 bytes free
Post-Run: 5,396,213,760 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

148 --- E O F --- 2009-01-15 02:04:03
Old 02-05-2009, 12:57 PM   #5 (permalink)
tetonbob (Manager, Security Center, TSF Academy; Analyst, Security Team)
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,594
OS: 2000 Pro; XP Pro; XP Home

Re: MS Antispyware 2009 and more has got me

Hello -

I should think the issues you show in the screenshots are no longer troubling you.

Please download ATF Cleaner by Atribune.
  • Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

---------------------------------------------------------------------------------------------


Please perform this online scan to help look for remnants

Establish an internet connection & perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner

**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.

Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on Settings. Uncheck Mail databases.
  • Next, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

---------------------------------------------------------------------------------------------


How is the machine behaving now, please?
Old 02-05-2009, 06:07 PM   #6 (permalink)
dandoming (Registered User)
Join Date: Dec 2008
Posts: 10
OS: XP HomeEdition2002 SP3

Re: MS Antispyware 2009 and more has got me

Well I am happy to say it is running real well and no more DOS pop-ups. I ran the Kaspersky scan and it came up with nothing, which I assume is good.

Because it came up with nothing there was no report to save unless I did something wrong. I have attached a screenshot of the scan screen so you could see what I mean.

Now I got to look at donating CASH to the forum...You were a big help. If I could just keep my wife and kid away from the computer I'd be set.

Dan
Attached Files
File Type: zip Screenshot.zip (52.8 KB, 1 views)
Old 02-05-2009, 06:30 PM   #7 (permalink)
tetonbob (Manager, Security Center, TSF Academy; Analyst, Security Team)
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,594
OS: 2000 Pro; XP Pro; XP Home

Re: MS Antispyware 2009 and more has got me

Good to hear, Dan. Thanks for saving the screenshot, that will suffice. Did the "View Scan Report" link at the bottom not work for you? Even a 0 infected objects log should be able to be saved. But...we don't need that now, just adding some information.

Your logs appear clean. You should be good to go. We still have a few items to address.

You may want to consider setting up a Limited Account for the other users of the computer, and password protecting your account, including the screensaver for when you walk away. That might cause problems on the home front if not handled right, so the next best thing would be to ensure the machine is up to date with all its patches, that it has protection in place, and talk about security.

Go to -> Run -> copy/paste in the following single line command & click OK

combofix /u



This will uninstall ComboFix. It will also implement some cleanup procedures and reset System Restore points.

Now that your system is clean, to help protect your computer in the future I recommend that you follow these steps and look into the following free programs:
  • Microsoft Windows Update - http://www.windowsupdate.com
    Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • SpywareBlaster to help prevent spyware from installing in the first place.
    • Install & update SpywareBlaster with the latest definitions.
      After you have updated, click the button - enable protection for all unprotected items
  • McAfee Site Advisor--free version. The folks there check out websites and based on their findings, rate it as Safe, Unknown, Caution, or Bad.
  • Winpatrol

    Winpatrol is a heuristic protection program, meaning it looks for patterns in code that work like malware. It also takes a snapshot of your system's critical resources and alerts you to any changes that may occur without you knowing. You can read more about Winpatrol's features here.

    You can get a free copy of Winpatrol or use the Plus version for more features.

    You can read Winpatrol's FAQ if you run into problems.

  • MVPS HOST FILE
    The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer.
    • Download Host.zip to your desktop.
    • From your Desktop right-click (hosts.zip) and select:
      Extract All from the menu.
    • Click Next, click Next, select the option:
      "Show Extracted files", click Finish
    • This will open the newly created hosts folder on your Desktop.
    • Double-click on the included mvps.bat file, this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine.
    • Once updated you should see another prompt that the task was completed.
  • ANTIVIRUS SOFTWARE
    It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch new malware that may have come out.

    Do not install more than one AntiVirus program because they will conflict with each other.

  • Scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer

  • http://www.trillian.cc - Trillian or http://www.miranda-im.com - Miranda-IM - These are malware-free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

  • http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP/Vista. It's made up of two parts - ERUNT & NTREGOPT.

    ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively disables System Restore. With ERUNT, you're able to restore the damaged Registry.

    NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.


In light of your recent troubles, I'm sure you'd like to avoid any future infections. Please take a look at these well-written articles.
If you want to fight back the Malware Writers that have made your life a misery, please take a look here and read what you can do against it.

Please respond to this thread one more time so we can mark this thread as resolved.
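As an added example (not the thread's own content, and nothing from the MVPS HOSTS project), this Python script parses a HOSTS file and shows the mechanism the post above describes: names mapped to 127.0.0.1 (or 0.0.0.0, which newer block lists use) never leave the machine. It goes one step beyond the post and also reports names sent to a non-local address, which is the kind of HOSTS tampering a defender should check for; the sample file content and its hostnames are constructed.

```python
"""Parse a Windows HOSTS file and show which names are sinkholed (added example)."""
import ipaddress

# Addresses that keep a name on the local machine, so the real site is never contacted.
SINKHOLES = {'127.0.0.1', '0.0.0.0', '::1'}

# Constructed sample HOSTS content in the usual format, not the real MVPS file.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1  ads.example-adserver.test   # [example ad server]
127.0.0.1  tracker.example.test
0.0.0.0    banner.example.test
10.0.0.5   update.example-vendor.test  # a real site sent somewhere that is not local
not-an-ip  broken.example.test
"""


def parse_hosts(text):
    """Return (address, hostname) tuples, dropping comments, blank and malformed lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()   # everything after '#' is a comment
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        addr, names = parts[0], parts[1:]
        try:
            ipaddress.ip_address(addr)        # skip lines whose address field is not an IP
        except ValueError:
            continue
        for name in names:                    # one line may list several names for one address
            entries.append((addr, name.lower()))
    return entries


def classify(entries):
    """Split entries into names sinkholed locally and names redirected to another address."""
    sinkholed, redirected = {}, {}
    for addr, name in entries:
        if name == 'localhost':
            continue                          # the one loopback mapping every HOSTS file has
        if addr in SINKHOLES:
            sinkholed[name] = addr
        else:
            redirected[name] = addr           # worth a look: HOSTS is a classic place to hijack a site
    return sinkholed, redirected


def is_blocked(entries, hostname):
    """True if the HOSTS file sends hostname to the local machine, i.e. it cannot be reached."""
    wanted = hostname.lower()
    return any(name == wanted and addr in SINKHOLES for addr, name in entries)


if __name__ == '__main__':
    parsed = parse_hosts(SAMPLE_HOSTS)
    sink, redir = classify(parsed)
    print(f'{len(sink)} names sinkholed, {len(redir)} names redirected elsewhere')
    for name, addr in redir.items():
        print(f'  check: {name} -> {addr}')
```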
Old 02-06-2009, 08:05 AM   #8 (permalink)
dandoming (Registered User)
Join Date: Dec 2008
Posts: 10
OS: XP HomeEdition2002 SP3

Re: MS Antispyware 2009 and more has got me

Thanks for everything...go ahead and mark me 'resolved'

I'll be sure to work through your last set of instructions step-by-step.

dan
Old 02-06-2009, 09:09 AM   #9 (permalink)
tetonbob (Manager, Security Center, TSF Academy; Analyst, Security Team)
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,594
OS: 2000 Pro; XP Pro; XP Home

Re: MS Antispyware 2009 and more has got me

Cheers, Dan. Glad to help.

Surf Safely, and Think Prevention!

Since this issue is resolved, this topic will be archived.