Resolved HJT Threads Resolved spyware and popup issues.

 
 
Old 05-17-2009, 09:31 PM   #1 (permalink)
Registered User
 
Join Date: Jun 2008
Posts: 5
OS: xp2


Warning! Your're in danger! your comp...

Hello there,

I have a permanent black wallpaper with red and white text that reads:
"Warning! Your're in danger! your computer is infected with spyware! All you do in your computer... blah blah remove all spyware from your PC."

I have seen other threads here about this. I just want to make sure I follow the right steps for my situation instead of following instructions for others.

The computer gets very slow and you can hear the CPU noise very loudly.

I followed all the initial steps; here are the DDS.txt and the attach.zip.
Thanks in advance



DDS (Ver_09-05-14.01) - NTFSx86
Run by Johnny at 22:31:08.21 on Sun 05/17/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1370 [GMT -4:00]

AV: Eset NOD32 antivirus system 2.51 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\xampp\apache\bin\apache.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\FolderSize\FolderSizeSvc.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\xampp\mysql\bin\mysqld.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
C:\xampp\apache\bin\apache.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\tlntsvr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe
C:\WINDOWS\system\mysmas.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\aabvah.exe
C:\WINDOWS\winudpmgr.exe
C:\PROGRA~1\Cacheman\Cacheman.exe
C:\Program Files\FreePOPs\freepopsd.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Johnny\Desktop\dds.scr
C:\Program Files\Windows Live\Messenger\msnmsgr.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {E0E899AB-F487-11D5-8D29-0050BA6940E3} - No File
TB: NuSphere ToolBar: {0f62d223-9206-4ea3-9ea8-d0f3c7c82aca} - c:\program files\nusphere\phped\NuSphereIEBar.dll
TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
TB: {4E7BD74F-2B8D-469E-85AA-FD60BB9AAE22} - No File
uRun: [Cacheman] c:\progra~1\cacheman\Cacheman.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [nod32kui] "c:\program files\eset\nod32kui.exe" /WAITSERVICE
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
mRun: [RegistryMechanic]
mRun: [BrMfcWnd] c:\program files\brother\brmfcmon\BrMfcWnd.exe /AUTORUN
mRun: [Norton Ghost 9.0] c:\program files\symantec\norton ghost\agent\GhostTray.exe
mRun: [ControlCenter3] c:\program files\brother\controlcenter3\brctrcen.exe /autorun
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Windows UDP Control Center] winudpmgr.exe
mRun: [PromoReg] c:\windows\system32\aabvah.exe
mRun: [18976874] c:\documents and settings\all users\application data\18976874\18976874.exe
mRun: [98986866] c:\documents and settings\all users\application data\98986866\98986866.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\Johnny\startm~1\programs\startup\freepops.lnk - c:\program files\freepops\freepopsd.exe
IE: NuSphere PhpED :: Debug this page - c:\program files\nusphere\phped\NuSphereIEBar.dll/1000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\npjpi160_13.dll
IE: {36ECAF82-3300-8F84-092E-AFF36D6C7040} - {86529161-034E-4F8A-88D2-3C625E612E04} - c:\program files\winhttrack\WinHTTrackIEBar.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
LSP: imon.dll
DPF: {00000055-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/fhg.CAB
DPF: {00000161-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/msaudio.cab
DPF: {00000161-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/msaud.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/D/0/D/D0DD87DA-994F-4334-8B55-AF2E4D98ED0C/wmv9dmo.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} - hxxp://babybeehindsusa.com/Store/upload/XUpload.ocx
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\Johnny\applic~1\mozilla\firefox\profiles\jnfg63yo.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com

---- FIREFOX POLICIES ----
FF - user.js: capability.policy.policynames - allowclipboard
FF - user.js: capability.policy.allowclipboard.sites - hxxp://globalen.com https://globalen.com
FF - user.js: capability.policy.allowclipboard.Clipboard.cutcopy - allAccess
FF - user.js: capability.policy.allowclipboard.Clipboard.paste - allAccess);user_pref(yahoo.homepage.dontask, true
============= SERVICES / DRIVERS ===============

R0 PQV2i;PQV2i;c:\windows\system32\drivers\PQV2i.sys [2004-7-29 138780]
R1 PQIMount;PQIMount;c:\windows\system32\drivers\PQIMount.sys [2004-7-29 46779]
R2 Machnm32;Machnm32 Driver;c:\windows\system32\Machnm32.sys [2007-3-10 2304]
R2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-15 34064]
S4 Fdiautrvrvq;Fdiautrvrvq;c:\windows\system32\drivers\drmkaud.sys [2006-6-7 2944]

=============== Created Last 30 ================

2009-05-17 21:11 11,656 ---sh--- c:\windows\system32\drivers\sysdrv32.sys
2009-05-17 11:38 <DIR> --d----- c:\docume~1\alluse~1\applic~1\98986866
2009-05-17 11:38 <DIR> --d----- c:\docume~1\alluse~1\applic~1\18976874
2009-05-17 11:36 <DIR> --d----- c:\program files\WinPcap
2009-05-17 11:26 428,032 a------- c:\windows\system32\aabvah.exe
2009-05-17 11:22 5,473 a------- C:\abaca.exe
2009-05-17 10:33 51,762 ---shr-- c:\windows\winudpmgr.exe
2009-05-17 10:33 51,762 a------- C:\tra.exe
2009-05-17 10:30 77,312 a------- C:\lats.exe
2009-05-17 10:15 77,312 ---shr-- c:\windows\system\mysmas.exe
2009-05-16 19:58 244 a---h--- C:\sqmnoopt19.sqm
2009-05-16 19:58 232 a---h--- C:\sqmdata19.sqm
2009-05-16 19:54 244 a---h--- C:\sqmnoopt18.sqm
2009-05-16 19:54 232 a---h--- C:\sqmdata18.sqm
2009-05-16 19:50 244 a---h--- C:\sqmnoopt17.sqm
2009-05-16 19:50 232 a---h--- C:\sqmdata17.sqm
2009-05-16 19:46 244 a---h--- C:\sqmnoopt16.sqm
2009-05-16 19:46 232 a---h--- C:\sqmdata16.sqm
2009-05-16 19:42 244 a---h--- C:\sqmnoopt15.sqm
2009-05-16 19:42 232 a---h--- C:\sqmdata15.sqm
2009-05-16 19:38 244 a---h--- C:\sqmnoopt14.sqm
2009-05-16 19:38 232 a---h--- C:\sqmdata14.sqm
2009-05-16 19:33 244 a---h--- C:\sqmnoopt13.sqm
2009-05-16 19:33 232 a---h--- C:\sqmdata13.sqm
2009-05-16 19:29 244 a---h--- C:\sqmnoopt12.sqm
2009-05-16 19:29 232 a---h--- C:\sqmdata12.sqm
2009-05-16 19:25 244 a---h--- C:\sqmnoopt11.sqm
2009-05-16 19:25 232 a---h--- C:\sqmdata11.sqm
2009-05-16 19:21 244 a---h--- C:\sqmnoopt10.sqm
2009-05-16 19:21 232 a---h--- C:\sqmdata10.sqm
2009-05-16 19:17 244 a---h--- C:\sqmnoopt09.sqm
2009-05-16 19:17 232 a---h--- C:\sqmdata09.sqm
2009-05-16 19:11 244 a---h--- C:\sqmnoopt08.sqm
2009-05-16 19:11 232 a---h--- C:\sqmdata08.sqm
2009-05-16 19:07 244 a---h--- C:\sqmnoopt07.sqm
2009-05-16 19:07 232 a---h--- C:\sqmdata07.sqm
2009-05-16 19:03 244 a---h--- C:\sqmnoopt06.sqm
2009-05-16 19:03 232 a---h--- C:\sqmdata06.sqm
2009-05-16 18:59 244 a---h--- C:\sqmnoopt05.sqm
2009-05-16 18:59 232 a---h--- C:\sqmdata05.sqm
2009-05-16 18:55 244 a---h--- C:\sqmnoopt04.sqm
2009-05-16 18:55 232 a---h--- C:\sqmdata04.sqm
2009-05-16 18:51 244 a---h--- C:\sqmnoopt03.sqm
2009-05-16 18:51 232 a---h--- C:\sqmdata03.sqm
2009-05-16 18:46 244 a---h--- C:\sqmnoopt02.sqm
2009-05-16 18:46 232 a---h--- C:\sqmdata02.sqm
2009-05-16 18:42 244 a---h--- C:\sqmnoopt01.sqm
2009-05-16 18:42 232 a---h--- C:\sqmdata01.sqm
2009-05-16 18:41 244 a---h--- C:\sqmnoopt00.sqm
2009-05-16 18:41 232 a---h--- C:\sqmdata00.sqm
2009-05-15 21:35 <DIR> --d----- c:\docume~1\Johnny\applic~1\ACD Systems
2009-05-15 21:34 <DIR> --d----- c:\docume~1\alluse~1\applic~1\ACD Systems
2009-05-15 21:34 <DIR> --d----- c:\program files\common files\ACD Systems
2009-05-15 21:34 <DIR> --d----- c:\program files\ACD Systems
2009-05-15 19:59 <DIR> --d----- C:\Snatch
2009-05-15 19:59 150,197 a------- c:\windows\Web Picture Snatch XP Uninstaller.exe
2009-05-15 19:59 <DIR> --d----- c:\program files\WebSnatch
2009-05-14 10:20 <DIR> --d----- c:\program files\iPod
2009-05-14 10:20 <DIR> --d----- c:\program files\iTunes
2009-05-14 10:20 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-05-13 15:42 <DIR> --d----- c:\program files\Extreme Picture Finder 3
2009-05-13 15:42 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Extreme Picture Finder
2009-05-12 17:34 <DIR> --d----- c:\program files\common files\DivX Shared
2009-05-01 01:19 <DIR> --d----- c:\program files\MozBackup
2009-04-30 13:46 <DIR> --d----- c:\program files\FreePOPs
2009-04-30 08:09 <DIR> --d----- c:\program files\YPOPs

==================== Find3M ====================

2009-05-17 21:23 0 a------- c:\windows\system32\drivers\lvuvc.hs
2009-03-25 11:00 60,744 a------- c:\documents and settings\Johnny\g2mdlhlpx.exe
2009-03-19 16:32 23,400 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-09 05:19 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-06 10:44 283,648 a------- c:\windows\system32\pdh.dll
2009-03-02 20:18 826,368 a------- c:\windows\system32\wininet.dll
2009-02-24 15:34 90,112 a------- c:\windows\system32\dpl100.dll
2009-02-24 15:34 823,296 a------- c:\windows\system32\divx_xx0c.dll
2009-02-24 15:34 823,296 a------- c:\windows\system32\divx_xx07.dll
2009-02-24 15:34 815,104 a------- c:\windows\system32\divx_xx0a.dll
2009-02-24 15:34 802,816 a------- c:\windows\system32\divx_xx11.dll
2009-02-24 15:34 684,032 a------- c:\windows\system32\DivX.dll
2009-02-20 14:09 78,336 a------- c:\windows\system32\ieencode.dll
2006-07-27 02:24 162,816 a------- c:\documents and settings\Johnny\frame.exe
2006-07-27 02:23 152,576 a------- c:\documents and settings\Johnny\greet.exe
2006-07-27 02:20 145,920 a------- c:\documents and settings\Johnny\hello.exe
2006-07-25 15:56 262,144 a------- c:\program files\hello.tds
2006-07-25 15:56 145,920 a------- c:\program files\hello.exe
2006-07-25 15:56 15,997 a------- c:\program files\hello.obj

============= FINISH: 22:33:39.40 ===============
Attached Files
File Type: zip Attach.zip (5.2 KB, 3 views)
johnyx2 is offline  
Old 05-18-2009, 09:15 AM   #2 (permalink)
Analyst, Security Team
 
 
Join Date: Jan 2009
Location: Western Australia
Posts: 187
OS: Vista Home Premium SP2


Re: Warning! Your're in danger! your comp...

Hello & Welcome to TSF
Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

In the meantime please note the following:
  • Any recommendations made are for your computer problems only and should NOT be used on any other computer.
  • Please DO NOT run any scans/tools or other fixes unless I ask you to. This is very important for several reasons. Here are just two of them:
    1. The tools that we use are very powerful and can cause >>irreparable damage<< to your computer if not used correctly.
    2. Commercial scanners, for the most part, cannot completely remove some of the more "resistant" infections. This makes it much more difficult to get rid of them completely.
  • If you get stuck or are unsure of something please ask for a further explanation, do not guess.
  • It will require more than one round to properly clean your system. Continue to respond to this thread until I give you the All Clean! even if symptoms seemingly abate.
Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.
If for any reason you cannot complete instructions within that time, that's fine, just put a post here so that I know you're still here. We get a lot of people who simply leave & if there is no contact for that amount of time I will have to assume you have abandoned your topic.

Thanks

I'm looking over your logs now. Get back to you soon.
jmw3 is offline  
Old 05-18-2009, 10:14 AM   #3 (permalink)
Analyst, Security Team
 
 
Join Date: Jan 2009
Location: Western Australia
Posts: 187
OS: Vista Home Premium SP2


Re: Warning! Your're in danger! your comp...

ATF Cleaner
Download ATF Cleaner here by Atribune.
  • Double-click ATF-Cleaner.exe to run the program
    Under Main choose: Select All
    Click the Empty Selected button
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
    Click the Empty Selected button
    NOTE: If you would like to keep your saved passwords, please click No at the prompt
If you use Opera browser
  • Click Opera at the top and choose: Select All
    Click the Empty Selected button
    NOTE: If you would like to keep your saved passwords, please click No at the prompt
Click Exit on the Main menu to close the program.

Combofix
Download ComboFix from one of these locations:
Link 1
Link 2
Link 3

**IMPORTANT !!! Save ComboFix.exe to your Desktop**
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
    A guide to do this can be found here
  • Double click on ComboFix.exe & follow the prompts
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply
A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


To post in next reply:
Combofix log
jmw3 is offline  
Old 05-20-2009, 06:15 AM   #4 (permalink)
Registered User
 
Join Date: Jun 2008
Posts: 5
OS: xp2


Re: Warning! Your're in danger! your comp...

Thanks for the instructions.
Since I posted this, I ran NOD32 and it found infections, so this log may not be as bad, but I really do not know if everything is gone.

Thanks again


ComboFix 09-05-19.08 - Johnny 05/20/2009 6:28.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1512 [GMT -4:00]
Running from: c:\documents and settings\Johnny\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\sysdrv32.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MYS_MUTEX_ALGORITHM_SERVICE
-------\Legacy_SYSDRV32
-------\Service_MYS Mutex Algorithm Service
-------\Service_sysdrv32


((((((((((((((((((((((((( Files Created from 2009-04-20 to 2009-05-20 )))))))))))))))))))))))))))))))
.

2009-05-18 03:37 . 2009-05-18 03:37 -------- d-----w c:\program files\Trend Micro
2009-05-17 15:36 . 2009-05-17 15:36 -------- d-----w c:\program files\WinPcap
2009-05-16 01:35 . 2009-05-16 01:35 -------- d-----w c:\documents and settings\Johnny\Local Settings\Application Data\ACD Systems
2009-05-16 01:35 . 2009-05-16 01:35 -------- d-----w c:\documents and settings\Johnny\Application Data\ACD Systems
2009-05-16 01:34 . 2009-05-16 01:34 -------- d-----w c:\documents and settings\All Users\Application Data\ACD Systems
2009-05-16 01:34 . 2009-05-16 01:34 -------- d-----w c:\program files\ACD Systems
2009-05-16 01:34 . 2009-05-16 01:34 -------- d-----w c:\program files\Common Files\ACD Systems
2009-05-16 01:33 . 2009-05-16 01:33 -------- d-----w c:\documents and settings\Johnny\Local Settings\Application Data\Downloaded Installations
2009-05-15 23:59 . 2009-05-15 23:59 -------- d-----w C:\Snatch
2009-05-15 23:59 . 2009-05-15 23:59 150197 ----a-w c:\windows\Web Picture Snatch XP Uninstaller.exe
2009-05-15 23:59 . 2009-05-16 00:06 -------- d-----w c:\program files\WebSnatch
2009-05-14 14:20 . 2009-05-14 14:20 -------- d-----w c:\program files\iPod
2009-05-14 14:20 . 2009-05-14 14:20 -------- d-----w c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-05-14 14:20 . 2009-05-14 14:20 -------- d-----w c:\program files\iTunes
2009-05-14 14:19 . 2009-05-14 14:20 -------- d-----w c:\program files\Common Files\Apple
2009-05-13 19:42 . 2009-05-13 19:42 -------- d-----w c:\documents and settings\All Users\Application Data\Extreme Picture Finder
2009-05-13 19:42 . 2009-05-13 19:42 -------- d-----w c:\program files\Extreme Picture Finder 3
2009-05-12 21:34 . 2009-05-12 21:34 -------- d-----w c:\program files\Common Files\DivX Shared
2009-05-10 22:36 . 2009-05-10 22:36 -------- d-----w c:\documents and settings\Johnny\Local Settings\Application Data\Deployment
2009-05-01 05:19 . 2009-05-01 05:19 -------- d-----w c:\program files\MozBackup
2009-04-30 17:46 . 2009-04-30 17:47 -------- d-----w c:\program files\FreePOPs
2009-04-30 12:09 . 2009-04-30 13:21 -------- d-----w c:\program files\YPOPs
2009-04-30 02:27 . 2009-04-30 02:27 -------- d-----w c:\documents and settings\Johnny\Local Settings\Application Data\Yahoo

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-20 10:32 . 2007-03-25 20:57 0 ----a-w c:\windows\system32\drivers\lvuvc.hs
2009-05-20 10:27 . 2006-07-24 02:33 -------- d-----w c:\program files\Eset
2009-05-20 09:47 . 2009-03-21 10:27 -------- d-----w c:\program files\Mozilla Thunderbird
2009-05-18 19:01 . 2006-09-14 01:28 -------- d-----w c:\program files\Java
2009-05-18 00:14 . 2008-06-23 02:11 -------- d-----w c:\program files\Malaware
2009-05-17 17:24 . 2007-07-17 19:26 -------- d-----w c:\program files\Self-Repair Technician
2009-05-17 11:45 . 2006-06-07 21:22 63904 ----a-w c:\documents and settings\Johnny\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-14 14:19 . 2007-09-09 07:21 -------- d-----w c:\program files\Bonjour
2009-05-14 14:15 . 2008-03-22 11:52 -------- d-----w c:\program files\Safari
2009-05-12 21:35 . 2006-09-07 08:24 -------- d-----w c:\program files\DivX
2009-05-04 04:03 . 2007-12-26 00:04 -------- d-----w c:\program files\FileZilla Client
2009-04-11 13:51 . 2009-04-11 13:51 -------- d-----w c:\program files\SSH Communications Security
2009-04-11 13:51 . 2006-06-07 20:42 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-25 15:01 . 2009-03-25 15:01 -------- d-----w c:\program files\Citrix
2009-03-25 15:00 . 2009-03-25 15:00 60744 ----a-w c:\documents and settings\Johnny\g2mdlhlpx.exe
2009-03-19 20:32 . 2004-07-29 07:53 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-09 09:19 . 2008-12-01 19:51 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-06 14:44 . 2004-08-04 12:00 283648 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2004-08-04 12:00 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-24 19:34 . 2009-02-24 19:34 90112 ----a-w c:\windows\system32\dpl100.dll
2009-02-24 19:34 . 2009-02-24 19:34 823296 ----a-w c:\windows\system32\divx_xx0c.dll
2009-02-24 19:34 . 2009-02-24 19:34 823296 ----a-w c:\windows\system32\divx_xx07.dll
2009-02-24 19:34 . 2009-02-24 19:34 815104 ----a-w c:\windows\system32\divx_xx0a.dll
2009-02-24 19:34 . 2009-02-24 19:34 802816 ----a-w c:\windows\system32\divx_xx11.dll
2009-02-24 19:34 . 2009-02-24 19:34 684032 ----a-w c:\windows\system32\DivX.dll
2009-02-20 18:09 . 2004-08-04 12:00 78336 ----a-w c:\windows\system32\ieencode.dll
2006-07-25 19:56 . 2006-07-25 19:56 262144 ----a-w c:\program files\hello.tds
2006-07-25 19:56 . 2006-07-25 19:56 15997 ----a-w c:\program files\hello.obj
2006-07-25 19:56 . 2006-07-25 19:56 145920 ----a-w c:\program files\hello.exe
2007-01-09 04:45 . 2007-01-09 04:45 13386 ----a-w c:\program files\mozilla firefox\plugins\atgpcdec.dll
2007-01-09 04:45 . 2007-01-09 04:45 92746 ----a-w c:\program files\mozilla firefox\plugins\atgpcext.dll
2009-02-24 19:34 . 2009-02-24 19:34 1044480 ----a-w c:\program files\mozilla firefox\plugins\libdivx.dll
2006-05-06 16:42 . 2006-09-09 07:51 7260160 ----a-w c:\program files\mozilla firefox\plugins\libvlc.dll
2009-02-24 19:34 . 2009-02-24 19:34 200704 ----a-w c:\program files\mozilla firefox\plugins\ssldivx.dll
2008-12-19 20:45 . 2006-07-10 18:05 67688 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-12-19 20:45 . 2006-07-10 18:05 54368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-19 20:45 . 2007-06-06 19:06 34944 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-12-19 20:45 . 2007-06-06 19:06 46712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-12-19 20:45 . 2006-07-10 18:05 172136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cacheman"="c:\progra~1\Cacheman\Cacheman.exe" [2003-08-01 1290752]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-15 1404928]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-07-26 563984]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2007-07-26 2027792]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2007-03-23 663552]
"Norton Ghost 9.0"="c:\program files\Symantec\Norton Ghost\Agent\GhostTray.exe" [2004-07-29 1122304]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2007-01-26 65536]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2004-08-04 53760]

c:\documents and settings\Johnny\Start Menu\Programs\Startup\
FreePOPs.lnk - c:\program files\FreePOPs\freepopsd.exe [2008-12-27 49152]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MDM"=2 (0x2)
"iPod Service"=3 (0x3)
"Symantec Core LC"=2 (0x2)
"LVPrcSrv"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 PQV2i;PQV2i;c:\windows\system32\drivers\PQV2i.sys [7/29/2004 4:33 AM 138780]
R1 PQIMount;PQIMount;c:\windows\system32\drivers\PQIMount.sys [7/29/2004 5:13 AM 46779]
R2 Apache2.2;Apache2.2;c:\xampp\apache\bin\apache.exe [12/9/2008 7:10 PM 24636]
R2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [11/15/2007 4:30 PM 34064]
S2 WinRT;WinRT;c:\windows\system32\drivers\WinRT.sys [9/5/2006 4:58 AM 99360]
S4 Fdiautrvrvq;Fdiautrvrvq;c:\windows\system32\drivers\drmkaud.sys [6/7/2006 4:42 PM 2944]
.
Contents of the 'Scheduled Tasks' folder

2009-05-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-05-16 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2006-07-10 18:45]

2009-05-14 c:\windows\Tasks\WiseUpdt.job
- c:\jts\WiseUpdt.exe [2007-12-20 19:55]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-RegistryMechanic - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: NuSphere PhpED :: Debug this page - c:\program files\nusphere\phped\NuSphereIEBar.dll/1000
FF - ProfilePath - c:\documents and settings\Johnny\Application Data\Mozilla\Firefox\Profiles\jnfg63yo.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll

---- FIREFOX POLICIES ----
FF - user.js: capability.policy.policynames - allowclipboard
FF - user.js: capability.policy.allowclipboard.sites - hxxp://globalen.com https://globalen.com
FF - user.js: capability.policy.allowclipboard.Clipboard.cutcopy - allAccess
FF - user.js: capability.policy.allowclipboard.Clipboard.paste - allAccess);user_pref(yahoo.homepage.dontask, true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-20 06:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(4516)
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\MSVCR80.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\FolderSize\FolderSizeSvc.exe
c:\windows\system32\gearsec.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\xampp\mysql\bin\mysqld.exe
c:\program files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
c:\windows\system32\tlntsvr.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\LogiShrd\LQCVFX\COCIManager.exe
.
**************************************************************************
.
Completion time: 2009-05-20 6:40 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-20 10:40
ComboFix2.txt 2008-06-24 11:06

Pre-Run: 15,556,878,336 bytes free
Post-Run: 15,420,112,896 bytes free

203 --- E O F --- 2009-05-13 18:55

Last edited by johnyx2; 05-20-2009 at 06:18 AM.
Old 05-20-2009, 08:28 AM   #5
Analyst, Security Team
Join Date: Jan 2009
Location: Western Australia
Posts: 187
OS: Vista Home Premium SP2


Re: Warning! Your're in danger! your comp...

Hi
If I could ask you not to run any scans or tools while we are cleaning here. It makes it harder for me to know what's going on. Plus we like to collect samples of malware when possible & we can't do that if other programs are removing them. I also see this is the second time you have run Combofix. Is there some reason you ran it twice?

CFScript
Close any open browsers.
Open notepad and copy/paste the text in the code box below into it:

Code:
File::
c:\jts\WiseUpdt.exe
c:\windows\Tasks\WiseUpdt.job
DirLook::
c:\program files\Malaware
FileLook::
c:\program files\hello.exe
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000000
"UpdatesDisableNotify"=dword:00000000
"AntiVirusOverride"=dword:00000000
"FirewallOverride"=dword:00000000
Save this as CFScript.txt, in the same location as ComboFix.exe



Referring to the picture above, drag CFScript into ComboFix.exe
When finished, it shall produce a log for you at "C:\ComboFix.txt"
Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper.


I'd also like to see the contents of the following:
C:\Qoobox\ComboFix-quarantined-files.txt

Remove Programs
Click Start > Control Panel > Add/Remove Programs
Remove these programs by clicking Remove

Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Java(TM) SE Runtime Environment 6 Update 1


If some programs listed are not present, please do not panic

Kaspersky Online Scan
Do an online scan with Kaspersky Online Scanner
  • Read through the requirements and privacy statement and click on Accept button
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run
  • When the downloads have finished, click on Settings
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan
  • Once the scan is complete, it will display the results. Click on View Scan Report
  • You will see a list of infected items there. Click on Save Report As...
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button
  • Please post this log in your next reply
To post in next reply:
Combofix log
Contents of C:\Qoobox\ComboFix-quarantined-files.txt
Kaspersky Scan log
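As an added example (not from this thread, ComboFix or its author), a small Python checker that parses the REGEDIT4-style "Reg Loading Points" section of a ComboFix log and flags the Security Center and firewall-policy values the CFScript above resets. The sample log text is constructed to mirror this thread's own log lines; the exact layout of the security center block is an assumption.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample modelled on the "Reg Loading Points" section of the
# ComboFix log in this thread. Assumption: ComboFix prints the security
# center key in the same REGEDIT4 style it uses for the other keys shown.
SAMPLE_LOG = """\
REGEDIT4

[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000000
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000000

[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
"""

# Healthy values: the CFScript in the post sets the security center
# overrides back to 0; a standard profile should have the firewall on and
# its notifications enabled. Keys are matched on the tail of the registry
# path so the log's abbreviated HKLM\~\... form and the full form both work.
EXPECTED: Dict[Tuple[str, str], int] = {
    ("security center", "AntiVirusDisableNotify"): 0,
    ("security center", "UpdatesDisableNotify"): 0,
    ("security center", "AntiVirusOverride"): 0,
    ("security center", "FirewallOverride"): 0,
    ("firewallpolicy\\standardprofile", "EnableFirewall"): 1,
    ("firewallpolicy\\standardprofile", "DisableNotifications"): 0,
}

KEY_RE = re.compile(r"^\[(.+)\]\s*$")
# Accepts both value styles seen in the log:
#   "Name"=dword:00000000      and      "Name"= 0 (0x0)
VALUE_RE = re.compile(
    r'^"([^"]+)"\s*=\s*(?:dword:([0-9A-Fa-f]{8})|(\d+)\s*\(0x[0-9A-Fa-f]+\))'
)


def parse_reg_section(text: str) -> Dict[str, Dict[str, int]]:
    """Parse REGEDIT4-style blocks into {key_path (lowercase): {value: int}}."""
    result: Dict[str, Dict[str, int]] = {}
    current = None
    for line in text.splitlines():
        key_match = KEY_RE.match(line)
        if key_match:
            current = key_match.group(1).lower()
            result.setdefault(current, {})
            continue
        val_match = VALUE_RE.match(line)
        if val_match and current is not None:
            name, hex_val, dec_val = val_match.groups()
            value = int(hex_val, 16) if hex_val is not None else int(dec_val)
            result[current][name] = value
    return result


def find_weakened_settings(text: str) -> List[Tuple[str, str, int, int]]:
    """Return (key_tail, value_name, found, expected) for every expected
    value that is present in the log but not in its healthy state."""
    parsed = parse_reg_section(text)
    findings = []
    for (key_tail, name), expected in EXPECTED.items():
        for key_path, values in parsed.items():
            if key_path.endswith(key_tail.lower()) and name in values:
                if values[name] != expected:
                    findings.append((key_tail, name, values[name], expected))
    return findings


if __name__ == "__main__":
    for key_tail, name, found, expected in find_weakened_settings(SAMPLE_LOG):
        print(f"[{key_tail}] {name} = {found} (expected {expected})")
```

Run against a real ComboFix log, a non-empty result means the user-facing warnings were silenced or the firewall was turned off, which is worth correcting before the machine is declared clean.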
Old 05-24-2009, 11:54 PM   #6
Analyst, Security Team
Join Date: Jan 2009
Location: Western Australia
Posts: 187
OS: Vista Home Premium SP2


Re: Warning! Your're in danger! your comp...

How are you going with this? Still need assistance?
The thread will be closed if I don't hear from you in three days.

Last edited by jmw3; 05-24-2009 at 11:57 PM.
Old 05-28-2009, 06:26 AM   #7
Registered User
Join Date: Jun 2008
Posts: 5
OS: xp2


Re: Warning! Your're in danger! your comp...

Thanks for the instructions and all your help. Here are the requested reports:


ComboFix 09-05-26.05 - John 05/27/2009 17:06.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1432 [GMT -4:00]
Running from: c:\documents and settings\John\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\John\Desktop\CFScript.txt

FILE ::
"c:\jts\WiseUpdt.exe"
"c:\windows\Tasks\WiseUpdt.job"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\jts\WiseUpdt.exe
c:\program files\WinPCap
c:\program files\WinPCap\rpcapd.exe
c:\windows\system32\drivers\npf.sys
c:\windows\system32\Packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\WanPacket.dll
c:\windows\system32\wpcap.dll
c:\windows\Tasks\WiseUpdt.job

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Service_npf


((((((((((((((((((((((((( Files Created from 2009-04-27 to 2009-05-27 )))))))))))))))))))))))))))))))
.

2009-05-18 03:37 . 2009-05-18 03:37 -------- d-----w c:\program files\Trend Micro
2009-05-16 01:35 . 2009-05-16 01:35 -------- d-----w c:\documents and settings\John\Local Settings\Application Data\ACD Systems
2009-05-16 01:35 . 2009-05-16 01:35 -------- d-----w c:\documents and settings\John\Application Data\ACD Systems
2009-05-16 01:34 . 2009-05-16 01:34 -------- d-----w c:\documents and settings\All Users\Application Data\ACD Systems
2009-05-16 01:34 . 2009-05-16 01:34 -------- d-----w c:\program files\Common Files\ACD Systems
2009-05-16 01:34 . 2009-05-16 01:34 -------- d-----w c:\program files\ACD Systems
2009-05-16 01:33 . 2009-05-16 01:33 -------- d-----w c:\documents and settings\John\Local Settings\Application Data\Downloaded Installations
2009-05-15 23:59 . 2009-05-15 23:59 -------- d-----w C:\Snatch
2009-05-15 23:59 . 2009-05-15 23:59 150197 ----a-w c:\windows\Web Picture Snatch XP Uninstaller.exe
2009-05-15 23:59 . 2009-05-16 00:06 -------- d-----w c:\program files\WebSnatch
2009-05-14 14:20 . 2009-05-14 14:20 -------- d-----w c:\program files\iPod
2009-05-14 14:20 . 2009-05-14 14:20 -------- d-----w c:\program files\iTunes
2009-05-14 14:20 . 2009-05-14 14:20 -------- d-----w c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-05-14 14:19 . 2009-05-14 14:20 -------- d-----w c:\program files\Common Files\Apple
2009-05-14 14:17 . 2009-05-14 14:17 75048 ----a-w c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.1.1.10\SetupAdmin.exe
2009-05-13 19:42 . 2009-05-13 19:42 -------- d-----w c:\program files\Extreme Picture Finder 3
2009-05-13 19:42 . 2009-05-13 19:42 -------- d-----w c:\documents and settings\All Users\Application Data\Extreme Picture Finder
2009-05-12 21:34 . 2009-05-12 21:34 -------- d-----w c:\program files\Common Files\DivX Shared
2009-05-11 14:28 . 2009-05-11 14:28 57344 ----a-w c:\documents and settings\John\Application Data\Sun\Java\Deployment\cache\6.0\50\5b902232-41b3360e-n\Decora-SSE.dll
2009-05-11 14:28 . 2009-05-11 14:28 24064 ----a-w c:\documents and settings\John\Application Data\Sun\Java\Deployment\cache\6.0\15\4e09eacf-3e7182fb-n\Decora-D3D.dll
2009-05-11 14:28 . 2009-05-11 14:28 315392 ----a-w c:\documents and settings\John\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-44c7d539-n\jogl.dll
2009-05-11 14:28 . 2009-05-11 14:28 20480 ----a-w c:\documents and settings\John\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-44c7d539-n\jogl_awt.dll
2009-05-11 14:28 . 2009-05-11 14:28 114688 ----a-w c:\documents and settings\John\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-44c7d539-n\jogl_cg.dll
2009-05-11 14:28 . 2009-05-11 14:28 499712 ----a-w c:\documents and settings\John\Application Data\Sun\Java\Deployment\cache\6.0\33\258cea61-1b00d5a9-n\msvcp71.dll
2009-05-11 14:28 . 2009-05-11 14:28 499712 ----a-w c:\documents and settings\John\Application Data\Sun\Java\Deployment\cache\6.0\33\258cea61-1b00d5a9-n\jmc.dll
2009-05-11 14:28 . 2009-05-11 14:28 348160 ----a-w c:\documents and settings\John\Application Data\Sun\Java\Deployment\cache\6.0\33\258cea61-1b00d5a9-n\msvcr71.dll
2009-05-11 14:28 . 2009-05-11 14:28 20480 ----a-w c:\documents and settings\John\Application Data\Sun\Java\Deployment\cache\6.0\45\4f710eed-47611852-n\gluegen-rt.dll
2009-05-10 22:36 . 2009-05-10 22:36 -------- d-----w c:\documents and settings\John\Local Settings\Application Data\Deployment
2009-05-01 05:19 . 2009-05-01 05:19 -------- d-----w c:\program files\MozBackup
2009-05-01 04:48 . 2009-05-14 17:04 12193 ----a-w c:\documents and settings\John\Application Data\Thunderbird\Profiles\ps9fwzr3.default\Mail\localhost-1\Stamps.com
2009-05-01 04:41 . 2009-05-01 04:41 0 ----a-w c:\documents and settings\John\Application Data\Thunderbird\Profiles\ps9fwzr3.default\Mail\localhost-1\Like.com
2009-04-30 17:46 . 2009-04-30 17:47 -------- d-----w c:\program files\FreePOPs
2009-04-30 12:09 . 2009-04-30 13:21 -------- d-----w c:\program files\YPOPs
2009-04-30 02:27 . 2009-04-30 02:27 -------- d-----w c:\documents and settings\John\Local Settings\Application Data\Yahoo
2009-04-30 02:26 . 2009-03-18 21:55 607472 ----a-w c:\documents and settings\All Users\Application Data\Yahoo!\YUpdater\yupdater.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-27 21:11 . 2007-03-25 20:57 0 ----a-w c:\windows\system32\drivers\lvuvc.hs
2009-05-27 21:00 . 2009-03-21 10:27 -------- d-----w c:\program files\Mozilla Thunderbird
2009-05-27 20:57 . 2006-07-24 02:33 -------- d-----w c:\program files\Eset
2009-05-26 22:05 . 2007-12-26 00:06 -------- d-----w c:\documents and settings\John\Application Data\FileZilla
2009-05-23 20:06 . 2007-08-19 23:31 -------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet
2009-05-23 02:35 . 2007-04-14 20:39 -------- d-----w c:\documents and settings\John\Application Data\Skype
2009-05-20 12:22 . 2008-06-23 02:11 -------- d-----w c:\program files\Malaware
2009-05-18 19:01 . 2006-09-14 01:28 -------- d-----w c:\program files\Java
2009-05-17 17:24 . 2007-07-17 19:26 -------- d-----w c:\program files\Self-Repair Technician
2009-05-17 11:45 . 2006-06-07 21:22 63904 ----a-w c:\documents and settings\John\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-14 14:19 . 2007-09-09 07:21 -------- d-----w c:\program files\Bonjour
2009-05-14 14:15 . 2008-03-22 11:52 -------- d-----w c:\program files\Safari
2009-05-12 21:35 . 2006-09-07 08:24 -------- d-----w c:\program files\DivX
2009-05-12 00:59 . 2009-04-12 12:46 -------- d-----w c:\documents and settings\John\Application Data\SSH
2009-05-09 06:00 . 2006-07-10 17:54 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-04 04:03 . 2007-12-26 00:04 -------- d-----w c:\program files\FileZilla Client
2009-04-30 02:26 . 2007-03-25 20:18 -------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!
2009-04-11 13:51 . 2009-04-11 13:51 -------- d-----w c:\program files\SSH Communications Security
2009-04-11 13:51 . 2006-06-07 20:42 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-27 02:25 . 2009-03-27 02:25 152576 ----a-w c:\documents and settings\John\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-03-25 15:00 . 2009-03-25 15:00 60744 ----a-w c:\documents and settings\John\g2mdlhlpx.exe
2009-03-19 20:32 . 2009-03-19 20:32 23400 ----a-w c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}\x86\x86\GEARAspiWDM.sys
2009-03-19 20:32 . 2004-07-29 07:53 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-18 04:28 . 2009-03-18 04:28 152576 ----a-w c:\documents and settings\John\Application Data\Sun\Java\jre1.6.0_12\lzma.dll
2009-03-09 09:19 . 2008-12-01 19:51 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-06 14:44 . 2004-08-04 12:00 283648 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2004-08-04 12:00 826368 ----a-w c:\windows\system32\wininet.dll
2006-07-25 19:56 . 2006-07-25 19:56 262144 ----a-w c:\program files\hello.tds
2006-07-25 19:56 . 2006-07-25 19:56 15997 ----a-w c:\program files\hello.obj
2006-07-25 19:56 . 2006-07-25 19:56 145920 ----a-w c:\program files\hello.exe
2008-12-19 20:45 . 2006-07-10 18:05 67688 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-12-19 20:45 . 2006-07-10 18:05 54368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-19 20:45 . 2007-06-06 19:06 34944 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-12-19 20:45 . 2007-06-06 19:06 46712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-12-19 20:45 . 2006-07-10 18:05 172136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
2007-01-09 04:45 . 2007-01-09 04:45 13386 ----a-w c:\program files\mozilla firefox\plugins\atgpcdec.dll
2007-01-09 04:45 . 2007-01-09 04:45 92746 ----a-w c:\program files\mozilla firefox\plugins\atgpcext.dll
2009-02-24 19:34 . 2009-02-24 19:34 1044480 ----a-w c:\program files\mozilla firefox\plugins\libdivx.dll
2006-05-06 16:42 . 2006-09-09 07:51 7260160 ----a-w c:\program files\mozilla firefox\plugins\libvlc.dll
2009-02-24 19:34 . 2009-02-24 19:34 200704 ----a-w c:\program files\mozilla firefox\plugins\ssldivx.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

--- c:\program files\hello.exe ---
Company: !VERINFO: NOT PE FILE!
File Description: !VERINFO: NOT PE FILE!
File Version: !VERINFO: NOT PE FILE!
Product Name: !VERINFO: NOT PE FILE!
Copyright: !VERINFO: NOT PE FILE!
Original Filename: !VERINFO: NOT PE FILE!
File size: 145920
Created time: 2006-07-25 19:56
Modified time: 2006-07-25 19:56
MD5: 53A4EAA2F67E2CB0D5695A417A50FE74
SHA1: 3D96E894D41377B30A1F27BA56E0C166F26FCD93

---- Directory of c:\program files\Malaware ----

2009-05-20 12:19 . 2009-05-20 09:02 50688 ----a-w c:\program files\Malaware\ATF-Cleaner.exe
2008-06-23 02:05 . 2009-05-20 09:06 2989964 ----a-r c:\program files\Malaware\ComboFix.exe
2008-06-23 02:09 . 2008-06-23 02:09 445641 ----a-w c:\program files\Malaware\FixIEDef.exe
2009-05-20 12:22 . 2009-05-20 12:22 1883662 ----a-w c:\program files\Malaware\SmitfraudFix.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cacheman"="c:\progra~1\Cacheman\Cacheman.exe" [2003-08-01 1290752]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-15 1404928]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-07-26 563984]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2007-07-26 2027792]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2007-03-23 663552]
"Norton Ghost 9.0"="c:\program files\Symantec\Norton Ghost\Agent\GhostTray.exe" [2004-07-29 1122304]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2007-01-26 65536]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2004-08-04 53760]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MDM"=2 (0x2)
"iPod Service"=3 (0x3)
"Symantec Core LC"=2 (0x2)
"LVPrcSrv"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 PQV2i;PQV2i;c:\windows\system32\drivers\PQV2i.sys [7/29/2004 4:33 AM 138780]
R1 PQIMount;PQIMount;c:\windows\system32\drivers\PQIMount.sys [7/29/2004 5:13 AM 46779]
R2 Apache2.2;Apache2.2;c:\xampp\apache\bin\apache.exe [12/9/2008 7:10 PM 24636]
S2 WinRT;WinRT;c:\windows\system32\drivers\WinRT.sys [9/5/2006 4:58 AM 99360]
S4 Fdiautrvrvq;Fdiautrvrvq;c:\windows\system32\drivers\drmkaud.sys [6/7/2006 4:42 PM 2944]
.
Contents of the 'Scheduled Tasks' folder

2009-05-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-procexp90.Sys


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: NuSphere PhpED :: Debug this page - c:\program files\nusphere\phped\NuSphereIEBar.dll/1000
FF - ProfilePath - c:\documents and settings\John\Application Data\Mozilla\Firefox\Profiles\jnfg63yo.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll

---- FIREFOX POLICIES ----
FF - user.js: capability.policy.policynames - allowclipboard
FF - user.js: capability.policy.allowclipboard.sites - hxxp://globalen.com https://globalen.com
FF - user.js: capability.policy.allowclipboard.Clipboard.cutcopy - allAccess
FF - user.js: capability.policy.allowclipboard.Clipboard.paste - allAccess);user_pref(yahoo.homepage.dontask, true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-27 17:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(5120)
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\MSVCR80.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\FolderSize\FolderSizeSvc.exe
c:\windows\system32\gearsec.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\xampp\mysql\bin\mysqld.exe
c:\program files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
c:\windows\system32\tlntsvr.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\windows\system32\wscntfy.exe
c:\program files\FreePOPs\freepopsd.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\LogiShrd\LQCVFX\COCIManager.exe
.
**************************************************************************
.
Completion time: 2009-05-27 17:20 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-27 21:20
ComboFix2.txt 2008-06-24 11:06

Pre-Run: 15,240,183,808 bytes free
Post-Run: 15,252,062,208 bytes free

235 --- E O F --- 2009-05-13 18:55

___________________________________________________________
Contents of C:\Qoobox\ComboFix-quarantined-files.txt

2008-06-24 02:39:47 . 2009-05-27 21:05:19 156 ----a-w C:\Qoobox\Quarantine\catchme.log
2009-05-27 2152 . 2009-05-27 2152 0 ----a-w C:\Qoobox\Quarantine\catchme.txt
2007-12-20 13:21:27 . 2006-11-08 19:55:02 194,775 ----a-w C:\Qoobox\Quarantine\C\Jts\WiseUpdt.exe.vir
2007-11-15 20:30:48 . 2007-11-15 20:30:48 92,792 ----a-w C:\Qoobox\Quarantine\C\Program Files\WinPcap\rpcapd.exe.vir
2007-11-15 20:30:48 . 2007-11-15 20:30:48 88,696 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\Packet.dll.vir
2006-04-22 23:00:10 . 2006-04-22 23:00:10 53,299 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\pthreadVC.dll.vir
2007-11-15 20:30:48 . 2007-11-15 20:30:48 68,224 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\WanPacket.dll.vir
2007-11-15 20:30:48 . 2007-11-15 20:30:48 240,248 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\wpcap.dll.vir
2004-08-04 12:00:00 . 2004-08-04 12:00:00 611,328 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\_000006_.tmp.dll.vir
2007-11-15 20:30:48 . 2007-11-15 20:30:48 34,064 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\npf.sys.vir
2009-05-18 01:11:51 . 2009-05-18 01:11:51 11,656 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\sysdrv32.sys.vir
2007-09-13 18:43:01 . 2009-05-21 13:43:56 208 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\Tasks\WiseUpdt.job.vir
2009-05-20 10:39:11 . 2009-05-20 10:39:11 104 ----a-w C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-RegistryMechanic.reg.dat
2009-05-20 10:31:08 . 2009-05-20 10:31:08 958 ----a-w C:\Qoobox\Quarantine\Registry_backups\Legacy_MYS_MUTEX_ALGORITHM_SERVICE.reg.dat
2009-05-27 21:09:29 . 2009-05-27 21:09:29 1,258 ----a-w C:\Qoobox\Quarantine\Registry_backups\Legacy_NPF.reg.dat
2009-05-20 10:31:08 . 2009-05-20 10:31:08 1,244 ----a-w C:\Qoobox\Quarantine\Registry_backups\Legacy_SYSDRV32.reg.dat
2009-05-27 21:19:29 . 2009-05-27 21:19:29 562 ----a-w C:\Qoobox\Quarantine\Registry_backups\SafeBoot-procexp90.Sys.reg.dat
2009-05-20 10:31:08 . 2009-05-20 10:31:08 3,052 ----a-w C:\Qoobox\Quarantine\Registry_backups\Service_MYS Mutex Algorithm Service.reg.dat
2009-05-27 21:09:29 . 2009-05-27 21:09:29 2,418 ----a-w C:\Qoobox\Quarantine\Registry_backups\Service_npf.reg.dat
2009-05-20 10:31:08 . 2009-05-20 10:31:08 2,690 ----a-w C:\Qoobox\Quarantine\Registry_backups\Service_sysdrv32.reg.dat
2009-05-20 10:30:14 . 2009-05-27 21:08:48 6,140 ----a-w C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
___________________________________________________________

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Thursday, May 28, 2009
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Thursday, May 28, 2009 00:40:43
Records in database: 2261428
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
H:\
X:\

Scan statistics:
Files scanned: 366039
Threat name: 8
Infected objects: 9
Suspicious objects: 13
Duration of the scan: 09:56:06


File name / Threat name / Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\15EB4BD2.zip Infected: Trojan-Downloader.Java.OpenConnection.ao 2
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\15EB4BD2.zip Infected: Trojan.Java.ClassLoader.au 1
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\sysdrv32.sys.vir Infected: Worm.Win32.AutoRun.ezt 1
E:\My Documents\globalen\www.globalen.com BACKUP\Main Site\backup-globalen.com-1-25-2009.tar.gz Suspicious: Trojan-Spy.HTML.Fraud.gen 4
E:\My Documents\globalen\www.globalen.com BACKUP\Main Site\backup-globalen.com-1-5-2009.tar.gz Suspicious: Trojan-Spy.HTML.Fraud.gen 2
E:\My Documents\globalen\www.globalen.com BACKUP\Main Site\backup-globalen.com-10-31-2008.tar.gz Suspicious: Trojan-Spy.HTML.Fraud.gen 2
E:\My Documents\globalen\www.globalen.com BACKUP\Main Site\backup-globalen.com-2-2-2009.tar.gz Suspicious: Trojan-Spy.HTML.Fraud.gen 5
H:\My Downloads\oDC\Metaserver 2.0 Dde For Metastock And Tradestation Forex Cd.zip Infected: not-a-virus:AdWare.Win32.Shopper.y 1
H:\My Downloads\Flash Effect Maker Pro v5.01\Flash Effect Maker Pro v5.01.rar Infected: not-a-virus:AdWare.Win32.AdBar.r 1
H:\My Downloads\Flash Effect Maker Pro v5.01\Flash Effect Maker\albumboader\myflashplayer.exe Infected: not-a-virus:AdWare.Win32.AdBar.r 1
H:\My Downloads\FastStone Capture v6.1\fsc58_kg.exe Infected: Backdoor.Win32.Hupigon.cxih 1
H:\My Downloads\IDM.UltraCompare.Professional.v6.00.rar Infected: Trojan-Dropper.Win32.Agent.ycb 1

The selected area was scanned.
Old 05-28-2009, 07:16 AM   #8
Analyst, Security Team
Join Date: Jan 2009
Location: Western Australia
Posts: 187
OS: Vista Home Premium SP2


Re: Warning! Your're in danger! your comp...

Upload Files for Scanning
Go to VirSCAN & upload the following File/s for scanning.
  • Copy & paste the following File & Path in the text box next to the Browse button.
    Code:
    H:\My Downloads\FastStone Capture v6.1\fsc58_kg.exe
  • Click Upload.
  • Wait for scans to finish then copy & paste the results into your next reply.
Following the instructions above do the same for:
H:\My Downloads\IDM.UltraCompare.Professional.v6.00.rar
c:\program files\hello.exe
c:\program files\hello.obj
c:\program files\hello.tds

This Folder: c:\program files\Malaware
The tools in that folder can cause irreparable damage if used incorrectly, and, looking at the dates, they wouldn't be much use today. The only thing you should keep is ATF-Cleaner. Move that to your desktop, then delete the folder.

To post in next reply:
Results of VirSCAN
Old 05-31-2009, 10:30 PM   #9
Analyst, Security Team
Join Date: Jan 2009
Location: Western Australia
Posts: 187
OS: Vista Home Premium SP2


Re: Warning! Your're in danger! your comp...

How are you going with this?
Old 06-02-2009, 04:35 AM   #10
Registered User
Join Date: Jun 2008
Posts: 5
OS: xp2


Re: Warning! Your're in danger! your comp...

Hello, I tried for days to run the scans in Firefox with VirScan and the process would hang on step 3. Then I finally tried with IE and it worked, so here are the reports.
Sorry about the delay.

VirSCAN.org Scanned Report :
Scanned time : 2009/06/01 13:33:19 (EDT)
Scanner results: All Scanners reported not find malware!
VirSCAN.org Scanned Report :
Scanned time : 2009/06/01 13:49:15 (EDT)
Scanner results: 29% Scanner(11/38) found malware!
File Name : fsc58_kg.exe
File Size : 63682 byte
File Type : RAR archive data, v1d, os
MD5 : ab3d8ff87b668b804da5e7157e0fc801
SHA1 : 6db873db871e8f10a0eb5f958bf3d6af22d504d2
Online report : http://virscan.org/report/f184ffd6e9...641ec3bd1.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.0.0.32 20090601233117 2009-06-01 2.08 Trojan.MulDrop!IK
AhnLab V3 2009.06.01.01 2009.06.01 2009-06-01 0.84 -
AntiVir 8.2.0.180 7.1.4.41 2009-06-01 0.10 TR/Agent.65024.O
Antiy 2.0.18 20090601.2492256 2009-06-01 0.22 -
Arcavir 2009 200906011434 2009-06-01 0.20 Trojan.Muldrop.9109
Authentium 5.1.1 200906011359 2009-06-01 2.00 -
AVAST! 4.7.4 090531-0 2009-05-31 0.02 -
AVG 8.5.286 270.12.48/2148 2009-06-01 3.86 -
BitDefender 7.81008.3284922 7.25757 2009-06-02 3.00 -
CA (VET) 9.0.0.143 31.6.6530 2009-06-01 6.90 -
ClamAV 0.95.1 9410 2009-06-01 0.06 -
Comodo 3.9 1229 2009-06-01 0.70 Unclassified Malware
CP Secure 1.1.0.715 2009.06.01 2009-06-01 9.89 Troj.Spy.W32.Banker.ts
Dr.Web 4.44.0.9170 2009.06.01 2009-06-01 4.89 Trojan.MulDrop.9109
F-Prot 4.4.4.56 20090601 2009-06-01 1.90 -
F-Secure 5.51.6100 2009.06.01.08 2009-06-01 0.27 -
Fortinet 2.81-3.117 10.455 2009-06-01 0.42 -
GData 19.5528/19.349 20090601 2009-06-01 4.36 -
ViRobot 20090601 2009.06.01 2009-06-01 0.93 -
Ikarus T3.1.01.57 2009.06.01.72804 2009-06-01 3.02 Trojan.MulDrop
JiangMin 11.0.706 2009.06.01 2009-06-01 2.01 -
Kaspersky 5.5.10 2009.06.01 2009-06-01 0.17 -
KingSoft 2009.2.5.15 2009.6.1.18 2009-06-01 0.53 -
McAfee 5.3.00 5633 2009-06-01 3.00 Generic.dx
Microsoft 1.4701 2009.06.01 2009-06-01 4.29 -
mks_vir 2.01 2009.06.01 2009-06-01 3.35 -
Norman 6.01.05 6.01.00 2009-05-29 1.76 -
Panda 9.05.01 2009.06.01 2009-06-01 3.64 -
Trend Micro 8.700-1004 6.160.10 2009-06-01 0.07 -
Quick Heal 10.00 2009.06.01 2009-06-01 1.25 Trojan.Agent.IRC
Rising 20.0 21.32.04.00 2009-06-01 1.15 -
Sophos 2.87.1 4.42 2009-06-02 2.45 -
Sunbelt 5163 5163 2009-05-31 1.00 Trojan.Agent.65024.O
Symantec 1.3.0.24 20090601.003 2009-06-01 0.29 -
nProtect 20090601.01 4096343 2009-06-01 5.26 -
The Hacker 6.3.4.3 v00335 2009-06-01 0.81 -
VBA32 3.12.10.6 20090531.1104 2009-05-31 2.02 Trojan.MulDrop.9109
VirusBuster 4.5.11.10 10.106.6/1462521 2009-06-01 2.17 -

VirSCAN.org Scanned Report :
Scanned time : 2009/06/01 13:59:31 (EDT)
Scanner results: 26% Scanner(10/38) found malware!
File Name : IDM.UltraCompare.Professional.v6.00.rar
File Size : 3143764 byte
File Type : RAR archive data, v1d, os
MD5 : 82e580cf35387bbb43796dc8841b1439
SHA1 : c81f5c5c5261603341219fd86c4f10b28059e193
Online report : http://virscan.org/report/c7f56026ad...d43958945.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.0.0.32 20090601233117 2009-06-01 2.01 Trojan.Generic!IK
AhnLab V3 2009.06.01.01 2009.06.01 2009-06-01 0.69 -
AntiVir 8.2.0.180 7.1.4.41 2009-06-01 0.26 HEUR/Crypted
Antiy 2.0.18 20090601.2492256 2009-06-01 0.58 -
Arcavir 2009 200906011434 2009-06-01 0.18 -
Authentium 5.1.1 200906011359 2009-06-01 1.34 W32/Keygen.A.gen!Eldorado (Possible)
AVAST! 4.7.4 090531-0 2009-05-31 1.37 -
AVG 8.5.286 270.12.48/2148 2009-06-01 8.91 -
BitDefender 7.81008.3284922 7.25757 2009-06-02 3.69 Trojan.Generic.1434831
CA (VET) 9.0.0.143 31.6.6530 2009-06-01 5.86 -
ClamAV 0.95.1 9410 2009-06-01 3.81 -
Comodo 3.9 1229 2009-06-01 0.85 Unclassified Malware
CP Secure 1.1.0.715 2009.06.01 2009-06-01 10.04 Packed.W32.CPEX-based.dw
Dr.Web 4.44.0.9170 2009.06.01 2009-06-01 7.87 -
F-Prot 4.4.4.56 20090601 2009-06-01 1.30 W32/Keygen.A.gen!Eldorado (generic, not disinfectable)
F-Secure 5.51.6100 2009.06.01.08 2009-06-01 10.95 -
Fortinet 2.81-3.117 10.455 2009-06-01 0.68 -
GData 19.5528/19.349 20090601 2009-06-01 7.42 -
ViRobot 20090601 2009.06.01 2009-06-01 0.44 -
Ikarus T3.1.01.57 2009.06.01.72804 2009-06-01 3.33 Trojan.Generic
JiangMin 11.0.706 2009.06.01 2009-06-01 2.24 -
Kaspersky 5.5.10 2009.06.01 2009-06-01 2.25 -
KingSoft 2009.2.5.15 2009.6.1.18 2009-06-01 1.95 -
McAfee 5.3.00 5633 2009-06-01 3.48 -
Microsoft 1.4701 2009.06.01 2009-06-01 7.78 -
mks_vir 2.01 2009.06.01 2009-06-01 3.50 -
Norman 6.01.05 6.01.00 2009-05-29 1.77 -
Panda 9.05.01 2009.06.01 2009-06-01 5.39 -
Trend Micro 8.700-1004 6.160.10 2009-06-01 0.49 -
Quick Heal 10.00 2009.06.01 2009-06-01 1.66 Suspicious - DNAScan
Rising 20.0 21.32.04.00 2009-06-01 4.52 -
Sophos 2.87.1 4.42 2009-06-02 2.58 Mal/Generic-A
Sunbelt 5163 5163 2009-05-31 0.82 -
Symantec 1.3.0.24 20090601.003 2009-06-01 0.51 -
nProtect 20090601.01 4096343 2009-06-01 7.44 -
The Hacker 6.3.4.3 v00335 2009-06-01 1.45 -
VBA32 3.12.10.6 20090531.1104 2009-05-31 13.05 -
VirusBuster 4.5.11.10 10.106.6/1462521 2009-06-01 4.45 -




File Name : hello.exe
File Size : 145920 byte
File Type : PE32 executable for MS Windows (console) Intel 80386 32-bit
MD5 : 53a4eaa2f67e2cb0d5695a417a50fe74
SHA1 : 3d96e894d41377b30a1f27ba56e0c166f26fcd93
Online report : http://virscan.org/report/c7f56026ad...d43958945.html

Scanner | Engine Ver | Sig Ver | Sig Date | Time | Scan result
a-squared 4.0.0.32 20090601233117 2009-06-01 1.93 -
AhnLab V3 2009.06.01.01 2009.06.01 2009-06-01 0.73 -
AntiVir 8.2.0.180 7.1.4.41 2009-06-01 0.35 -
Antiy 2.0.18 20090601.2492256 2009-06-01 0.12 -
Arcavir 2009 200906011434 2009-06-01 0.10 -
Authentium 5.1.1 200906011359 2009-06-01 1.50 -
AVAST! 4.7.4 090531-0 2009-05-31 0.01 -
AVG 8.5.286 270.12.48/2148 2009-06-01 3.46 -
BitDefender 7.81008.3284922 7.25757 2009-06-02 3.03 -
CA (VET) 9.0.0.143 31.6.6530 2009-06-01 5.87 -
ClamAV 0.95.1 9410 2009-06-01 0.03 -
Comodo 3.9 1229 2009-06-01 0.71 -
CP Secure 1.1.0.715 2009.06.01 2009-06-01 9.91 -
Dr.Web 4.44.0.9170 2009.06.01 2009-06-01 4.67 -
F-Prot 4.4.4.56 20090601 2009-06-01 1.41 -
F-Secure 5.51.6100 2009.06.01.08 2009-06-01 0.10 -
Fortinet 2.81-3.117 10.455 2009-06-01 0.29 -
GData 19.5528/19.349 20090601 2009-06-01 4.15 -
ViRobot 20090601 2009.06.01 2009-06-01 0.41 -
Ikarus T3.1.01.57 2009.06.01.72804 2009-06-01 3.12 -
JiangMin 11.0.706 2009.06.01 2009-06-01 1.97 -
Kaspersky 5.5.10 2009.06.01 2009-06-01 0.08 -
KingSoft 2009.2.5.15 2009.6.1.18 2009-06-01 0.53 -
McAfee 5.3.00 5633 2009-06-01 2.99 -
Microsoft 1.4701 2009.06.01 2009-06-01 4.24 -
mks_vir 2.01 2009.06.01 2009-06-01 3.34 -
Norman 6.01.05 6.01.00 2009-05-29 1.76 -
Panda 9.05.01 2009.06.01 2009-06-01 1.70 -
Trend Micro 8.700-1004 6.160.10 2009-06-01 0.03 -
Quick Heal 10.00 2009.06.01 2009-06-01 1.22 -
Rising 20.0 21.32.04.00 2009-06-01 0.77 -
Sophos 2.87.1 4.42 2009-06-02 2.31 -
Sunbelt 5163 5163 2009-05-31 0.99 -
Symantec 1.3.0.24 20090601.003 2009-06-01 0.05 -
nProtect 20090601.01 4096343 2009-06-01 5.79 -
The Hacker 6.3.4.3 v00335 2009-06-01 0.66 -
VBA32 3.12.10.6 20090531.1104 2009-05-31 2.04 -
VirusBuster 4.5.11.10 10.106.6/1462521 2009-06-01 1.83 -


VirSCAN.org Scanned Report :
Scanned time : 2009/06/02 18:25:11 (CST)
Scanner results: All Scanners reported not find malware!
File Name : hello.obj
File Size : 15997 byte
File Type : 8086 relocatable (Microsoft)
MD5 : 757c5224dd1717fc0302053e67cb89cd
SHA1 : c1348f1aceaa3fc137f6c62188b0b59f3124e264
Online report : http://virscan.org/report/7fb5f1cde0...51fbafc27.html

Scanner | Engine Ver | Sig Ver | Sig Date | Time | Scan result
a-squared 4.0.0.32 20090601233117 2009-06-01 2.10 -
AhnLab V3 2009.06.02.01 2009.06.02 2009-06-02 0.70 -
AntiVir 8.2.0.180 7.1.4.44 2009-06-02 0.41 -
Antiy 2.0.18 20090602.2495106 2009-06-02 0.13 -
Arcavir 2009 200906020551 2009-06-02 0.03 -
Authentium 5.1.1 200906012237 2009-06-01 1.11 -
AVAST! 4.7.4 090601-0 2009-06-01 0.00 -
AVG 8.5.286 270.12.49/2149 2009-06-02 3.31 -
BitDefender 7.81008.3288869 7.25771 2009-06-02 2.96 -
CA (VET) 9.0.0.143 31.6.6534 2009-06-02 6.17 -
ClamAV 0.95.1 9412 2009-06-02 0.00 -
Comodo 3.9 1232 2009-06-02 0.75 -
CP Secure 1.1.0.715 2009.06.02 2009-06-02 9.91 -
Dr.Web 4.44.0.9170 2009.06.02 2009-06-02 4.62 -
F-Prot 4.4.4.56 20090601 2009-06-01 1.15 -
F-Secure 5.51.6100 2009.06.02.08 2009-06-02 5.69 -
Fortinet 2.81-3.117 10.457 2009-06-01 0.18 -
GData 19.5544/19.350 20090602 2009-06-02 4.25 -
ViRobot 20090601 2009.06.01 2009-06-01 0.43 -
Ikarus T3.1.01.57 2009.06.02.72808 2009-06-02 3.05 -
JiangMin 11.0.706 2009.06.02 2009-06-02 1.98 -
Kaspersky 5.5.10 2009.06.02 2009-06-02 0.02 -
KingSoft 2009.2.5.15 2009.6.2.18 2009-06-02 0.48 -
McAfee 5.3.00 5633 2009-06-01 3.01 -
Microsoft 1.4701 2009.06.02 2009-06-02 4.18 -
mks_vir 2.01 2009.06.02 2009-06-02 3.19 -
Norman 6.01.05 6.01.00 2009-05-29 1.78 -
Panda 9.05.01 2009.06.01 2009-06-01 1.66 -
Trend Micro 8.700-1004 6.162.01 2009-06-01 0.02 -
Quick Heal 10.00 2009.06.02 2009-06-02 1.17 -
Rising 20.0 21.32.12.00 2009-06-02 0.37 -
Sophos 2.87.1 4.42 2009-06-02 2.33 -
Sunbelt 5164 5164 2009-06-01 0.79 -
Symantec 1.3.0.24 20090601.003 2009-06-01 0.06 -
nProtect 20090602.01 4108167 2009-06-02 5.60 -
The Hacker 6.3.4.3 v00335 2009-06-01 0.60 -
VBA32 3.12.10.6 20090601.1623 2009-06-01 1.93 -
VirusBuster 4.5.11.10 10.106.7/1462679 2009-06-02 1.79 -


VirSCAN.org Scanned Report :
Scanned time : 2009/06/02 18:28:03 (CST)
Scanner results: All Scanners reported not find malware!
File Name : hello.tds
File Size : 262144 byte
File Type : data
MD5 : 31b8be9e956e780922d13932bfda2814
SHA1 : bdc6c1d750a9bce80ae9cc0074605e0c8811571d
Online report : http://virscan.org/report/78152b5c4a...2e6266b5c.html

Scanner | Engine Ver | Sig Ver | Sig Date | Time | Scan result
a-squared 4.0.0.32 20090601233117 2009-06-01 2.28 -
AhnLab V3 2009.06.02.01 2009.06.02 2009-06-02 0.73 -
AntiVir 8.2.0.180 7.1.4.44 2009-06-02 0.23 -
Antiy 2.0.18 20090602.2495106 2009-06-02 0.12 -
Arcavir 2009 200906020551 2009-06-02 0.02 -
Authentium 5.1.1 200906012237 2009-06-01 1.18 -
AVAST! 4.7.4 090601-0 2009-06-01 0.03 -
AVG 8.5.286 270.12.49/2149 2009-06-02 3.68 -
BitDefender 7.81008.3288869 7.25771 2009-06-02 2.97 -
CA (VET) 9.0.0.143 31.6.6534 2009-06-02 6.93 -
ClamAV 0.95.1 9412 2009-06-02 0.02 -
Comodo 3.9 1232 2009-06-02 0.74 -
CP Secure 1.1.0.715 2009.06.02 2009-06-02 10.02 -
Dr.Web 4.44.0.9170 2009.06.02 2009-06-02 4.67 -
F-Prot 4.4.4.56 20090601 2009-06-01 1.13 -
F-Secure 5.51.6100 2009.06.02.08 2009-06-02 5.67 -
Fortinet 2.81-3.117 10.457 2009-06-01 0.19 -
GData 19.5544/19.350 20090602 2009-06-02 4.16 -
ViRobot 20090601 2009.06.01 2009-06-01 0.43 -
Ikarus T3.1.01.57 2009.06.02.72808 2009-06-02 3.03 -
JiangMin 11.0.706 2009.06.02 2009-06-02 1.97 -
Kaspersky 5.5.10 2009.06.02 2009-06-02 0.02 -
KingSoft 2009.2.5.15 2009.6.2.18 2009-06-02 0.48 -
McAfee 5.3.00 5633 2009-06-01 2.96 -
Microsoft 1.4701 2009.06.02 2009-06-02 4.66 -
mks_vir 2.01 2009.06.02 2009-06-02 3.25 -
Norman 6.01.05 6.01.00 2009-05-29 1.78 -
Panda 9.05.01 2009.06.01 2009-06-01 1.66 -
Trend Micro 8.700-1004 6.162.01 2009-06-01 0.02 -
Quick Heal 10.00 2009.06.02 2009-06-02 1.46 -
Rising 20.0 21.32.12.00 2009-06-02 0.33 -
Sophos 2.87.1 4.42 2009-06-02 2.37 -
Sunbelt 5164 5164 2009-06-01 0.79 -
Symantec 1.3.0.24 20090601.003 2009-06-01 0.05 -
nProtect 20090602.01 4108167 2009-06-02 5.70 -
The Hacker 6.3.4.3 v00335 2009-06-01 0.70 -
VBA32 3.12.10.6 20090601.1623 2009-06-01 1.96 -
VirusBuster 4.5.11.10 10.106.7/1462679 2009-06-02 1.81 -
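The VirSCAN reports above are a flat multi-engine scan log: one row per engine, the vendor's verdict in the last column, and "-" where the engine found nothing. The script below is an added example for this thread (it is not VirSCAN's code and is not from any poster) that parses that format, checks the "(hits/engines)" claim in the header against the rows actually present, and sorts verdicts into named, generic/heuristic and keygen/crack-tool detections, which is the distinction that matters when the flagged file is a cracked installer archive, as here. The input is an excerpt of the IDM.UltraCompare report above trimmed to eight engines, so the stated 10/38 deliberately fails the consistency check; the marker word lists used to classify verdicts are my own assumptions.

```python
"""Parse a VirSCAN.org multi-engine report and triage the verdicts.

Added example for this thread, not VirSCAN code.  Input format: metadata
lines ("Key : value"), a column header, then one row per engine whose last
column is the verdict ("-" = no detection).
"""
import re
from collections import Counter, namedtuple

# Excerpt of the IDM.UltraCompare report posted above, cut to eight engines
# so the example is self-contained; the "10/38" claim therefore does not
# match the rows here, which the consistency check reports.
SAMPLE_REPORT = """\
VirSCAN.org Scanned Report :
Scanner results: 26% Scanner(10/38) found malware!
File Name : IDM.UltraCompare.Professional.v6.00.rar
MD5 : 82e580cf35387bbb43796dc8841b1439
SHA1 : c81f5c5c5261603341219fd86c4f10b28059e193

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.0.0.32 20090601233117 2009-06-01 2.01 Trojan.Generic!IK
AntiVir 8.2.0.180 7.1.4.41 2009-06-01 0.26 HEUR/Crypted
Authentium 5.1.1 200906011359 2009-06-01 1.34 W32/Keygen.A.gen!Eldorado (Possible)
CA (VET) 9.0.0.143 31.6.6530 2009-06-01 5.86 -
F-Prot 4.4.4.56 20090601 2009-06-01 1.30 W32/Keygen.A.gen!Eldorado (generic, not disinfectable)
Quick Heal 10.00 2009.06.01 2009-06-01 1.66 Suspicious - DNAScan
Sophos 2.87.1 4.42 2009-06-02 2.58 Mal/Generic-A
The Hacker 6.3.4.3 v00335 2009-06-01 1.45 -
"""

# Scanner names may contain spaces ("Quick Heal", "CA (VET)"), so a row is
# anchored on the fixed-shape columns after the name: an ISO signature date
# and a decimal scan time.  The non-greedy name absorbs any extra words.
ROW_RE = re.compile(
    r"^(?P<scanner>.+?)\s+(?P<engine>\S+)\s+(?P<sig>\S+)\s+"
    r"(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<secs>\d+\.\d+)\s+(?P<result>.*)$"
)
META_RE = re.compile(r"^(?P<key>[A-Za-z0-9 ]+?)\s*:\s*(?P<val>.*)$")
CLAIM_RE = re.compile(r"\((\d+)/(\d+)\)")

# Marker lists are my own assumptions; vendor naming is not standardised.
TOOL_MARKERS = ("keygen", "crack", "hacktool")
GENERIC_MARKERS = ("generic", "heur", "suspicious", "possible",
                   "unclassified", "packed", "mal/", "dnascan")

EngineRow = namedtuple("EngineRow",
                       "scanner engine_ver sig_ver sig_date seconds result")


def classify(result):
    """clean / tool (keygen, crack) / generic (heuristic name) / named."""
    if result.strip() == "-":
        return "clean"
    r = result.lower()
    if any(m in r for m in TOOL_MARKERS):
        return "tool"
    if any(m in r for m in GENERIC_MARKERS):
        return "generic"
    return "named"


def parse_report(text):
    """Return (metadata dict, [EngineRow]) for one pasted report."""
    meta, rows, in_table = {}, [], False
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.startswith("Scanner Engine Ver"):
            in_table = True
        elif in_table:
            m = ROW_RE.match(line)
            if m:
                rows.append(EngineRow(m["scanner"], m["engine"], m["sig"],
                                      m["date"], float(m["secs"]),
                                      m["result"].strip()))
        else:
            m = META_RE.match(line)
            if m:
                meta[m["key"].strip()] = m["val"].strip()
    return meta, rows


def summarize(text):
    meta, rows = parse_report(text)
    detections = [(r.scanner, r.result) for r in rows if r.result != "-"]
    claim = CLAIM_RE.search(meta.get("Scanner results", ""))
    claimed = (int(claim[1]), int(claim[2])) if claim else None
    return {
        "file": meta.get("File Name"),
        "md5": meta.get("MD5"),
        "engines": len(rows),
        "detected": len(detections),
        "claimed": claimed,  # (hits, engines) as stated in the header
        "claim_matches_rows": claimed == (len(detections), len(rows)),
        "by_category": dict(Counter(classify(r.result) for r in rows)),
        "detections": detections,
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_REPORT)
    print(f"{s['file']}  md5={s['md5']}")
    print(f"{s['detected']}/{s['engines']} engines flagged it; header claims "
          f"{s['claimed']}; consistent: {s['claim_matches_rows']}")
    for scanner, verdict in s["detections"]:
        print(f"  {scanner:12s} {classify(verdict):8s} {verdict}")
```

On a complete paste the claim check should come back True; False means the table was truncated when it was copied into the post. The category split is triage, not a verdict: with only heuristic names plus two keygen signatures, the sensible reading is "cracked software with a keygen", which a quarantine-and-delete of the archive (what OTM does in the next post) addresses without further analysis. Before acting on any shared report, confirm its MD5/SHA1 against the file you actually hold.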
Old 06-02-2009, 06:20 AM   #11
jmw3 (Analyst, Security Team)
Join Date: Jan 2009
Location: Western Australia
Posts: 187
OS: Vista Home Premium SP2

Re: Warning! Your're in danger! your comp...

OTM
Download OTM by OldTimer Here & save it to your desktop.
  • Double click on OTM.exe to run it
  • Copy & paste the contents of the Code box below into Paste Instructions for Items to be Moved
Note: Do not type it out, to minimize the risk of a typing error.
Code:
:Files
H:\My Downloads\FastStone Capture v6.1\fsc58_kg.exe
H:\My Downloads\IDM.UltraCompare.Professional.v6.00.rar
:Commands
[Purity]
[EmptyTemp]
[Reboot]
  • Click on MoveIt!
  • When done, click on Exit
Note: If a file or folder can't be moved immediately, you may be asked to restart your computer. Choose Yes.
A log will be produced at C:\_OTM\MovedFiles\date_time.log, where date_time are numbers. Post this log in your next reply.

Malwarebytes' Anti-Malware
Download Malwarebytes' Anti-Malware here & save to your desktop.
  • Double-click mbam-setup.exe & follow the prompts to install the program
  • At the end, be sure a checkmark is placed next to:
    Update Malwarebytes' Anti-Malware
    Launch Malwarebytes' Anti-Malware
  • Then click Finish
  • If an update is found, it will download and install the latest version
  • Once the program has loaded, select Perform full scan, then click Scan
  • When the scan is complete, click OK, then Show Results to view the results
  • Be sure that everything is checked, and click Remove Selected
  • When completed, a log will open in Notepad. Please copy & paste the log back into your next reply
    Note: The log is automatically saved by Malwarebytes' Anti-Malware & can be viewed by clicking the Logs tab
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either & let Malwarebytes' Anti-Malware proceed with the disinfection process.
If asked to restart the computer, please do so. Failure to reboot will prevent MBAM from removing all the malware.
If you receive an (Error Loading) error on reboot, please reboot a second time. It is normal for this error to occur once & it does not need to be reported unless it returns on future reboots.


To post in next reply:
OTM log
Malwarebytes log
Update in how the computer is running
Old 06-03-2009, 08:18 PM   #12
johnyx2 (Registered User)
Join Date: Jun 2008
Posts: 5
OS: xp2

Re: Warning! Your're in danger! your comp...

Thanks for all the instructions.
The computer is running fine, no decrease in performance!

Here are the logs


OTM
========== FILES ==========
H:\My Downloads\FastStone Capture v6.1\fsc58_kg.exe moved successfully.
H:\My Downloads\IDM.UltraCompare.Professional.v6.00.rar moved successfully.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\Johny\LOCALS~1\Temp\Edit.001 scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Johny\LOCALS~1\Temp\Perflib_Perfdata_e34.dat scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Internet Explorer cache folder emptied.
File delete failed. C:\Documents and Settings\Johny\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
User's Temporary Internet Files folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Network Service Temp folder emptied.
File delete failed. C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Network Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_2b0.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
File delete failed. C:\Documents and Settings\Johny\Local Settings\Application Data\Mozilla\Firefox\Profiles\jnfg63yo.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Johny\Local Settings\Application Data\Mozilla\Firefox\Profiles\jnfg63yo.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Johny\Local Settings\Application Data\Mozilla\Firefox\Profiles\jnfg63yo.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Johny\Local Settings\Application Data\Mozilla\Firefox\Profiles\jnfg63yo.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
FireFox cache emptied.
Temp folders emptied.

OTM by OldTimer - Version 2.1.0.0 log created on 06032009_080612

Files moved on Reboot...
File C:\DOCUME~1\Johny\LOCALS~1\Temp\Edit.001 not found!
File C:\DOCUME~1\Johny\LOCALS~1\Temp\Perflib_Perfdata_e34.dat not found!
File C:\WINDOWS\temp\Perflib_Perfdata_2b0.dat not found!
C:\Documents and Settings\Johny\Local Settings\Application Data\Mozilla\Firefox\Profiles\jnfg63yo.default\Cache\_CACHE_001_ moved successfully.
C:\Documents and Settings\Johny\Local Settings\Application Data\Mozilla\Firefox\Profiles\jnfg63yo.default\Cache\_CACHE_002_ moved successfully.
C:\Documents and Settings\Johny\Local Settings\Application Data\Mozilla\Firefox\Profiles\jnfg63yo.default\Cache\_CACHE_003_ moved successfully.
C:\Documents and Settings\Johny\Local Settings\Application Data\Mozilla\Firefox\Profiles\jnfg63yo.default\Cache\_CACHE_MAP_ moved successfully.

Registry entries deleted on Reboot...



Malwarebytes' Anti-Malware 1.37
Database version: 2225
Windows 5.1.2600 Service Pack 2

6/3/2009 10:14:53 PM
mbam-log-2009-06-03 (22-14-53).txt

Scan type: Full Scan (C:\|E:\|F:\|H:\|)
Objects scanned: 481336
Time elapsed: 1 hour(s), 46 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\QooBox\quarantine\C\WINDOWS\system32\drivers\sysdrv32.sys.vir (Backdoor.Bot) -> Quarantined and deleted successfully.
e:\my documents\information\Windows\windows xp sp1 install repair and create cd bootable\windows xp sp1\tutorial windows xp sp1\- Info\Files\XPsp1.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
Old 06-04-2009, 01:22 AM   #13
jmw3 (Analyst, Security Team)
Join Date: Jan 2009
Location: Western Australia
Posts: 187
OS: Vista Home Premium SP2

Re: Warning! Your're in danger! your comp...

Clean Up
Now we need to clear out the programs we've been using to clean up your computer; they are not suitable for general malware removal and could cause damage if used inappropriately.
Remove Combofix
The following will implement some cleanup procedures as well as reset System Restore points:
Click Start > Run, then copy/paste the following bolded text into the Run box and click OK:
ComboFix /u
  • Double-click OTM
  • Click the CleanUp! button
  • Select Yes when the Begin cleanup Process? prompt appears
  • If you are prompted to Reboot during the cleanup, select Yes
  • The tool will delete itself once it finishes, if not delete it yourself
You can delete the following from your desktop:
DDS.scr
Any logs that may have been saved to your desktop

If you haven't already done so, open Malwarebytes' Anti-Malware, click Quarantine then Delete All. Close the program.
You can either keep or delete ATF-Cleaner. It's a handy tool for cleaning out temporary folders.

All Clean
Congratulations, good work, your system is now clean. Now that your system is safe we would like you to keep it that way.
Take the time to follow these instructions and it will greatly reduce the risk of further infections and greatly diminish the chances of you having to visit here again.

Microsoft Windows Update
Microsoft releases patches for Windows and Office products regularly, to patch up loopholes in Windows and Office products and fix any bugs found. Install the updates immediately if they are found.
To update Windows
Go to Start > All Programs > Windows Update
To update Office
Open up any Office program.
Go to Help > Check for Updates

Malwarebytes' Anti-Malware
Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is totally free but for real-time protection you will have to pay a small one-time fee.
You can find a tutorial here.

SpywareBlaster
Download and install Javacools SpywareBlaster from here
SpywareBlaster adds a list of ActiveX controls, tracking cookies and sites which will be blocked in either Internet Explorer or Firefox browsers. You need to manually check for updates regularly.

Download and Install a HOSTS File
A HOSTS file is a big list of bad web sites. The list has a specific format, a specific name (the name is just HOSTS, with no file extension), and a specific location. Your machine always looks at that file in that location before connecting to a web site to verify the address. So the HOSTS listing can be used to "short circuit" a request to a bad website by giving it the address of your own machine.

Download BlueTack's HOSTS Manager here, using Internet Explorer (Firefox won't work):
  • A short distance down the page in the centre, click on the Download button
  • Agree to the license
  • On the next page, to the right side of where it says Download Estimates, right click on the underlined word Hosts Manager choose Save Target As and download the installer Hosts20setup.exe to your desktop
  • Double click the Installer on your desktop and let it Install the Hosts Manager
  • After the installation is complete, click on the Hosts Manager icon on your desktop. (You can delete the other Hosts Switch icon from your desktop)
  • When the Hosts Manager comes up, click the small down arrows on the right side of the bar labeled Options and Tools,
  • Click Disable DNS Service. This is important
  • In the Left Pane, click Download
  • It will load 80,000 lines or more. When it finishes, also in the left pane, click Replace, and then click Save
You can use this manager to handle your HOSTS file download, edits, and most any other HOSTS issue.
If you have a third-party firewall or WinPatrol, you may have to give permissions at various times to unlock the present default HOSTS file and install the new one.

Install WinPatrol
Download it here
You can find information about how WinPatrol works here

Read some information here on how to prevent Malware.

Hopefully these steps will help keep your computer clean.

Stand Up and Be Counted ---> Malware Complaints <--- where you can make a difference!
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.
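The HOSTS file described in the post above is plain text: one IP address followed by one or more hostnames per line, "#" starts a comment, and the resolver consults it before asking DNS. The script below is an added example for this thread, not part of the post or of the Hosts Manager tool, that parses a HOSTS file the way the resolver reads it, reports whether a given hostname is sinkholed to the local machine, and flags entries that name domains a blocklist should never contain, because the same mechanism is used by malware to cut a PC off from its antivirus vendor's update servers and from Windows Update. The sample file and the list of "never expected" domains are constructed for the example.

```python
"""Read a HOSTS file the way the resolver does and audit it.

Added example for this thread, not part of the post or of the Hosts
Manager tool.  Format: "<ip> <hostname> [hostname ...]" per line,
"#" starts a comment, lookups are case-insensitive, first match wins.
"""
import ipaddress

# Constructed sample file; none of these domains is a real blocklist entry.
SAMPLE_HOSTS = """\
# constructed sample, not a real blocklist
127.0.0.1       localhost
0.0.0.0   ads.example.net    # blocked by pointing at a dead address
127.0.0.1 malware.example.org TRACKER.example.org
127.0.0.1 update.example-av.test   # hijack: cuts off a vendor's update server
203.0.113.7 www.example-bank.test  # hijack: sends a bank to an attacker host
not-an-ip bogus.example
"""

# Addresses that make a name resolve to "this machine" or nowhere at all.
LOCAL_SINKS = {"127.0.0.1", "0.0.0.0", "::1"}

# Domains a blocklist should never name (assumption for the example; in
# practice list your AV vendor, Windows Update and your bank here).
NEVER_EXPECTED = ("example-av.test", "example-bank.test")


def parse_hosts(text):
    """Return [(ip, hostname, line_no)] for every valid mapping in the file."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ipaddress.ip_address(parts[0])       # skip malformed lines
        except ValueError:
            continue
        for host in parts[1:]:                   # several names per line allowed
            entries.append((parts[0], host.lower(), n))
    return entries


def lookup(entries, hostname):
    """Address the HOSTS file would hand back, or None: first match wins."""
    h = hostname.lower().rstrip(".")
    for ip, host, _ in entries:
        if host == h:
            return ip
    return None


def is_sinkholed(entries, hostname):
    """True if the HOSTS file short-circuits this name to the local box."""
    return lookup(entries, hostname) in LOCAL_SINKS


def suspicious_entries(entries, never_expected=NEVER_EXPECTED):
    """Entries naming a domain that should not appear in HOSTS at all.

    Whether the target is 127.0.0.1 (silently blocks updates) or a remote
    address (pharming), an entry for these names means something rewrote
    the file, and that is worth a look before trusting the rest of it.
    """
    hits = []
    for ip, host, n in entries:
        if any(host == d or host.endswith("." + d) for d in never_expected):
            hits.append((n, host, ip))
    return hits


def audit(text):
    """Summary a tool such as the one above could show after a download."""
    entries = parse_hosts(text)
    return {
        "entries": len(entries),
        "sinkholed": sum(1 for ip, _, _ in entries if ip in LOCAL_SINKS),
        "suspicious": suspicious_entries(entries),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_HOSTS)
    print(f"{report['entries']} mappings, {report['sinkholed']} sinkholed")
    for n, host, ip in report["suspicious"]:
        print(f"  line {n}: {host} -> {ip}  (should not be in HOSTS)")
```

To audit the live file, read %SystemRoot%\System32\drivers\etc\hosts on Windows (/etc/hosts elsewhere) and pass its contents to audit(). Case-insensitive, first-match-wins lookup mirrors how the Windows resolver treats the file. The 80,000-line list the post mentions is also why its instructions disable the DNS Client service: that service caches HOSTS entries and slows down badly with a file that size.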
Old 06-05-2009, 06:20 PM   #14
jmw3 (Analyst, Security Team)
Join Date: Jan 2009
Location: Western Australia
Posts: 187
OS: Vista Home Premium SP2

Re: Warning! Your're in danger! your comp...

Since this issue appears resolved, this topic will now be closed. If you need continued support, please begin a new thread, and provide a link to this topic. This applies only to the original topic starter. Everyone else please begin a New Topic, after following the steps outlined here:

NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help

jmw3
Copyright 2001 - 2009, Tech Support Forum