Banker fox.A and win32/nuqel.E

Hello GeekPolice!

First and foremost I would like to start off saying that I really appreciate your services. Second I have a couple questions. I know my computer is infected with Win32/nuqel.E and I think Banker fox.A (but not 100% positive)

I did read the sticky *read this before posting* and I have posted before. But as you may already know, the nuqel.E seems to enjoy infecting / disabling almost any application that I might want to run so installing the necessary help software might be tough. I do have an external hardrive with some backup stuff on it, and I can use it (and extra comp) if needed to transfer files. However, I'm afraid the virus will infect my hardrive (can it do this?) and what would be the best way to go about getting the necessary software? I think my firefox works, but should I restart / disable my internet everytime I need to install to prevent infection of new applications or files?

Also, if we can manage to stop it from disabling everything I click I wouldn't have a problem doing a complete reformat, I just need to be able to get some files off my comp before I do that.

If we can just kill the entire thing, that would be even better
.

I will be following up on this tomorrow around 5pm. Thank you for your time!!

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix when you've accomplished that.

Wow things already feel better. BTW <3 Dragons =)

Anyways, here is COMBOFIX LOG:

ComboFix 10-01-19.03 - Jason 01/19/2010 17:26:48.1.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2919 [GMT -8:00]
Running from: c:\users\Jason\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\users\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\users\Jason\Local Settings\Application Data\ngvays
c:\users\Jason\Local Settings\Application Data\ngvays\jbimsysguard.exe
c:\windows\system32\bin
c:\windows\system32\bin\brutalchess.exe
c:\windows\system32\bin\freetype6.dll
c:\windows\system32\bin\jpeg.dll
c:\windows\system32\bin\libpng12.dll
c:\windows\system32\bin\libtiff.dll
c:\windows\system32\bin\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest
c:\windows\system32\bin\Microsoft.VC80.CRT\msvcm80.dll
c:\windows\system32\bin\Microsoft.VC80.CRT\msvcp80.dll
c:\windows\system32\bin\Microsoft.VC80.CRT\msvcr80.dll
c:\windows\system32\bin\SDL.dll
c:\windows\system32\bin\SDL_image.dll
c:\windows\system32\bin\zlib1.dll
c:\windows\system32\ICON.ico

----- BITS: Possible infected sites -----

hxxp://armmf.adobe.com
.
((((((((((((((((((((((((( Files Created from 2009-12-20 to 2010-01-20 )))))))))))))))))))))))))))))))
.

2010-01-20 01:20 . 2010-01-20 01:20 -------- d-----w- c:\program files\Common Files\Java
2010-01-19 10:09 . 2010-01-19 10:09 -------- d-----w- c:\users\Jason\Local Settings\Application Data\Threat Expert
2010-01-19 10:04 . 2009-11-10 18:28 149456 ----a-w- c:\windows\SGDetectionTool.dll
2010-01-19 10:04 . 2009-11-10 18:28 165840 ----a-w- c:\windows\PCTBDRes.dll
2010-01-19 10:04 . 2009-11-10 18:28 1640400 ----a-w- c:\windows\PCTBDCore.dll
2010-01-19 10:04 . 2009-11-10 18:26 767952 ----a-w- c:\windows\BDTSupport.dll
2010-01-19 10:04 . 2009-10-28 09:36 1152444 ----a-w- c:\windows\UDB.zip
2010-01-19 10:04 . 2008-11-26 20:08 131 ----a-w- c:\windows\IDB.zip
2010-01-19 09:56 . 2009-10-30 19:11 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-01-19 09:56 . 2009-11-09 19:20 207792 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-01-19 09:56 . 2009-10-07 00:31 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-01-19 09:56 . 2009-09-03 17:45 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-01-19 09:56 . 2010-01-19 10:07 -------- d-----w- c:\program files\Spyware Doctor
2010-01-19 09:56 . 2010-01-19 10:05 -------- d-----w- c:\program files\Common Files\PC Tools
2010-01-19 09:56 . 2010-01-19 09:56 -------- d-----w- c:\users\Jason\Application Data\PC Tools
2010-01-19 09:56 . 2010-01-19 09:56 -------- d-----w- c:\users\All Users\Application Data\PC Tools
2010-01-18 22:03 . 2001-08-18 05:36 8704 -c--a-w- c:\windows\system32\dllcache\kbdjpn.dll
2010-01-18 22:03 . 2001-08-18 05:36 8704 ----a-w- c:\windows\system32\kbdjpn.dll
2010-01-18 22:03 . 2001-08-18 05:36 8192 -c--a-w- c:\windows\system32\dllcache\kbdkor.dll
2010-01-18 22:03 . 2001-08-18 05:36 8192 ----a-w- c:\windows\system32\kbdkor.dll
2010-01-18 22:03 . 2001-08-17 21:55 6144 -c--a-w- c:\windows\system32\dllcache\kbd101c.dll
2010-01-18 22:03 . 2001-08-17 21:55 6144 -c--a-w- c:\windows\system32\dllcache\kbd101b.dll
2010-01-18 22:03 . 2001-08-17 21:55 6144 ----a-w- c:\windows\system32\kbd101c.dll
2010-01-18 22:03 . 2001-08-17 21:55 6144 ----a-w- c:\windows\system32\kbd101b.dll
2010-01-18 22:03 . 2001-08-17 21:55 5632 -c--a-w- c:\windows\system32\dllcache\kbd103.dll
2010-01-18 22:03 . 2001-08-17 21:55 5632 ----a-w- c:\windows\system32\kbd103.dll
2010-01-18 22:03 . 2008-04-14 13:39 6144 -c--a-w- c:\windows\system32\dllcache\kbd106.dll
2010-01-18 22:03 . 2008-04-14 13:39 6144 ----a-w- c:\windows\system32\kbd106.dll
2010-01-18 21:56 . 2010-01-18 21:56 -------- d-----w- c:\program files\Softnyx
2009-12-29 05:20 . 2009-12-29 05:20 -------- d-----w- c:\program files\Common Files\DirectX
2009-12-29 05:10 . 2009-12-29 05:10 -------- d-----w- C:\AeriaGames
2009-12-29 02:56 . 2009-12-29 05:10 -------- d-----w- c:\program files\Grand Fantasia

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-20 01:26 . 2009-09-19 03:38 17488 ----a-w- c:\windows\gdrv.sys
2010-01-20 01:26 . 2009-12-15 07:31 -------- d---a-w- c:\users\All Users\Application Data\TEMP
2010-01-19 09:20 . 2009-09-19 15:10 28848 ----a-w- c:\users\Jason\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-19 09:14 . 2009-09-19 07:37 -------- d-----w- c:\program files\Common Files\MS Office
2010-01-16 10:23 . 2009-09-19 14:51 -------- d-----w- c:\program files\Common Files\Adobe
2009-12-29 01:27 . 2009-09-20 19:08 681 ----a-w- c:\users\Jason\aionmemo_2b22 658.dat
2009-12-29 01:27 . 2009-09-20 19:08 681 ----a-w- c:\users\\Jason\aionmemo_2b22 658.dat
2009-12-25 21:20 . 2009-09-24 08:38 -------- d-----w- c:\users\Jason\Application Data\Apple Computer
2009-12-25 20:12 . 2009-09-24 08:33 -------- d-----w- c:\users\All Users\Application Data\Apple
2009-12-19 05:41 . 2009-12-18 03:42 -------- d-----w- c:\program files\Heroes of Newerth
2009-12-15 08:06 . 2009-12-15 07:31 -------- d-----w- c:\program files\Fraps
2009-12-13 03:56 . 2009-09-19 05:01 -------- d-----w- c:\program files\Warcraft III
2009-12-13 03:52 . 2009-09-19 05:03 71657 ----a-w- c:\windows\War3Unin.dat
2009-12-11 02:40 . 2009-12-11 02:40 -------- d-----w- c:\users\Jason\Application Data\GameRanger
2009-12-11 02:14 . 2009-12-11 02:14 376320 ----a-r- c:\users\Jason\Application Data\Microsoft\Installer\{52B65911-1559-4ED5-9461-46957FDD48CD}\Icon52B659113.exe
2009-12-11 02:09 . 2009-12-11 02:09 -------- d-----w- c:\program files\2K Games
2009-12-11 02:08 . 2009-12-11 02:08 1212080 ----a-w- c:\users\Jason\Application Data\GameRanger\GameRanger\GameRanger.exe
2009-12-10 23:31 . 2009-12-10 23:31 -------- d-----w- c:\program files\DIFX
2009-12-10 23:31 . 2009-09-19 03:49 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-12-10 23:16 . 2009-12-10 23:16 -------- d-----w- c:\program files\PowerISO
2009-12-10 21:28 . 2009-12-10 21:28 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-12-10 21:28 . 2009-12-10 21:28 -------- d-----w- c:\users\All Users\Application Data\DAEMON Tools Lite
2009-12-10 21:28 . 2009-12-10 21:28 -------- d-----w- c:\users\Jason\Application Data\DAEMON Tools Lite
2009-12-10 21:21 . 2009-11-27 10:55 -------- d-----w- c:\users\Jason\Application Data\uTorrent
2009-12-09 03:23 . 2009-12-05 22:23 -------- d-----w- c:\program files\World of Warcraft
2009-12-08 21:26 . 2009-12-08 21:26 155312 ----a-w- c:\users\Jason\Application Data\GameRanger\GameRanger\Data\GameRanger.dll
2009-12-08 21:26 . 2009-12-08 21:26 48816 ----a-w- c:\users\Jason\Application Data\GameRanger\GameRanger\Data\GameRangerLaunch.dll
2009-12-07 05:33 . 2009-12-07 05:26 -------- d-----w- c:\users\All Users\Application Data\Blizzard Entertainment
2009-12-06 10:37 . 2009-12-06 10:37 -------- d-----w- c:\program files\Goodnight Timer
2009-12-06 00:06 . 2009-12-06 00:06 -------- d-----w- c:\users\All Users\Application Data\Blizzard
2009-12-05 22:23 . 2009-12-05 22:23 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2009-11-30 09:34 . 2009-11-30 09:33 -------- d-----w- c:\users\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-11-30 09:34 . 2009-11-30 09:33 -------- d-----w- c:\program files\iTunes
2009-11-30 09:33 . 2009-11-30 09:33 -------- d-----w- c:\program files\iPod
2009-11-30 09:33 . 2009-09-24 08:33 -------- d-----w- c:\program files\Common Files\Apple
2009-11-30 09:33 . 2009-11-30 09:33 -------- d-----w- c:\program files\Bonjour
2009-11-30 09:33 . 2009-11-30 09:33 -------- d-----w- c:\program files\QuickTime
2009-11-30 09:33 . 2009-09-24 08:33 -------- d-----w- c:\users\All Users\Application Data\Apple Computer
2009-11-27 10:55 . 2009-11-27 10:55 -------- d-----w- c:\program files\uTorrent
2009-11-21 15:51 . 2008-04-14 12:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-17 06:34 . 2009-11-17 06:34 89962 ----a-w- c:\users\Jason\Application Data\Dropbox\bin\Uninstall.exe
2009-11-13 01:07 . 2009-11-13 01:07 79144 ----a-w- c:\users\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-11-12 08:32 . 2009-09-19 14:39 86811 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-10-29 07:45 . 2009-04-29 14:19 841216 ----a-w- c:\windows\system32\wininet.dll
2009-10-29 07:45 . 2009-04-29 14:18 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-29 07:45 . 2009-04-29 14:18 17408 ----a-w- c:\windows\system32\corpol.dll
.

------- Sigcheck -------

[-] 2008-10-20 . 402B5152110F91E4C096200501737EA6 . 361600 . . [5.1.2600.9999] . . c:\windows\system32\drivers\tcpip.sys
[-] 2008-10-20 . 402B5152110F91E4C096200501737EA6 . 361600 . . [5.1.2600.9999] . . c:\windows\system32\syscache\tcpip.sys
[7] 2008-04-14 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-10-08 21:18 77824 ----a-w- c:\users\Jason\Application Data\Dropbox\bin\DropboxExt.3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-10-08 21:18 77824 ----a-w- c:\users\Jason\Application Data\Dropbox\bin\DropboxExt.3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-10-08 21:18 77824 ----a-w- c:\users\Jason\Application Data\Dropbox\bin\DropboxExt.3.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-07 3885408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UltimateServices"="c:\windows\system32\ultsvcs.exe" [2009-02-06 297889]
"RTHDCPL"="RTHDCPL.EXE" [2009-01-13 18084864]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2009-08-13 1657376]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-08-17 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-08-17 13877248]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-07 3885408]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_2"="shell32" [X]

c:\users\All Users\Start Menu\Programs\Startup\
hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2002-12-3 40960]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,33,32,\

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2009-12-11 23:57 948672 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-22 09:57 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-11-13 00:33 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2009-02-07 01:51 3885408 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
2008-11-02 08:38 167936 ----a-w- c:\program files\PowerISO\PWRISOVM.EXE

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Warcraft III\\Listchecker\\pickup.listchecker.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [1/19/2010 1:56 AM 207792]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [1/19/2010 2:04 AM 112592]
R2 GEST Service;GEST Service for program management.;c:\program files\GIGABYTE\EnergySaver\GSvr.exe [9/19/2009 7:24 AM 68136]
S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [12/10/2009 1:28 PM 691696]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [11/6/2007 12:22 PM 34064]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.winxpu.info
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride =
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Jason\Application Data\Mozilla\Firefox\Profiles\wrast0my.default\
FF - component: c:\users\Jason\Application Data\Mozilla\Firefox\Profiles\wrast0my.default\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}\platform\WINNT_x86-msvc\components\SSSLauncher.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - hȋdden: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-PlayNC Launcher - (no file)
HKCU-Run-fdnhjtrk - c:\users\Jason\Local Settings\Application Data\ngvays\jbimsysguard.exe
HKLM-Run-NBKeyScan - c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe
HKLM-Run-fdnhjtrk - c:\users\Jason\Local Settings\Application Data\ngvays\jbimsysguard.exe
MSConfigStartUp-DAEMON Tools Lite - c:\program files\DAEMON Tools Lite\DTLite.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-19 17:30
Windows 5.1.2600 Service Pack 3 NTFS

scanning hȋdden processes ...

scanning hȋdden autostart entries ...

scanning hȋdden files ...

scan completed successfully
hȋdden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(952)
c:\windows\system32\wdigest.dll
.
Completion time: 2010-01-19 17:31:18
ComboFix-quarantined-files.txt 2010-01-20 01:31

Pre-Run: 310,711,226,368 bytes free
Post-Run: 311,206,166,528 bytes free

- - End Of File - - 77BE84007A17B98944537BC4FDC0E8EF

Please download Malwarebytes Anti-Malware from Malwarebytes.org.
Alternate link: BleepingComputer.com.
(Note: if you already have the program installed, just follow the directions. No need to re-download or re-install!)

Double Click mbam-setup.exe to install the application.

(Note: if you already have the program installed, open Malwarebytes from the Start Menu or Desktop shortcut, click the Update tab, and click Check for Updates, before doing the scan as instructed below!)

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  
• If an update is found, it will download and install the latest version.
  
• Once the program has loaded, select "Perform Full Scan", then click Scan.
  
• The scan may take some time to finish,so please be patient.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  
• Please save the log to a location you will remember.
  
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  
• Copy and paste the entire report in your next reply.
  

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

ComboFix 10-01-19.03 - Jason 01/19/2010 17:26:48.1.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2919 [GMT -8:00]
Running from: c:\users\Jason\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\users\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\users\Jason\Local Settings\Application Data\ngvays
c:\users\Jason\Local Settings\Application Data\ngvays\jbimsysguard.exe
c:\windows\system32\bin
c:\windows\system32\bin\brutalchess.exe
c:\windows\system32\bin\freetype6.dll
c:\windows\system32\bin\jpeg.dll
c:\windows\system32\bin\libpng12.dll
c:\windows\system32\bin\libtiff.dll
c:\windows\system32\bin\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest
c:\windows\system32\bin\Microsoft.VC80.CRT\msvcm80.dll
c:\windows\system32\bin\Microsoft.VC80.CRT\msvcp80.dll
c:\windows\system32\bin\Microsoft.VC80.CRT\msvcr80.dll
c:\windows\system32\bin\SDL.dll
c:\windows\system32\bin\SDL_image.dll
c:\windows\system32\bin\zlib1.dll
c:\windows\system32\ICON.ico

----- BITS: Possible infected sites -----

hxxp://armmf.adobe.com
.
((((((((((((((((((((((((( Files Created from 2009-12-20 to 2010-01-20 )))))))))))))))))))))))))))))))
.

2010-01-20 01:20 . 2010-01-20 01:20 -------- d-----w- c:\program files\Common Files\Java
2010-01-19 10:09 . 2010-01-19 10:09 -------- d-----w- c:\users\Jason\Local Settings\Application Data\Threat Expert
2010-01-19 10:04 . 2009-11-10 18:28 149456 ----a-w- c:\windows\SGDetectionTool.dll
2010-01-19 10:04 . 2009-11-10 18:28 165840 ----a-w- c:\windows\PCTBDRes.dll
2010-01-19 10:04 . 2009-11-10 18:28 1640400 ----a-w- c:\windows\PCTBDCore.dll
2010-01-19 10:04 . 2009-11-10 18:26 767952 ----a-w- c:\windows\BDTSupport.dll
2010-01-19 10:04 . 2009-10-28 09:36 1152444 ----a-w- c:\windows\UDB.zip
2010-01-19 10:04 . 2008-11-26 20:08 131 ----a-w- c:\windows\IDB.zip
2010-01-19 09:56 . 2009-10-30 19:11 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-01-19 09:56 . 2009-11-09 19:20 207792 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-01-19 09:56 . 2009-10-07 00:31 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-01-19 09:56 . 2009-09-03 17:45 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-01-19 09:56 . 2010-01-19 10:07 -------- d-----w- c:\program files\Spyware Doctor
2010-01-19 09:56 . 2010-01-19 10:05 -------- d-----w- c:\program files\Common Files\PC Tools
2010-01-19 09:56 . 2010-01-19 09:56 -------- d-----w- c:\users\Jason\Application Data\PC Tools
2010-01-19 09:56 . 2010-01-19 09:56 -------- d-----w- c:\users\All Users\Application Data\PC Tools
2010-01-18 22:03 . 2001-08-18 05:36 8704 -c--a-w- c:\windows\system32\dllcache\kbdjpn.dll
2010-01-18 22:03 . 2001-08-18 05:36 8704 ----a-w- c:\windows\system32\kbdjpn.dll
2010-01-18 22:03 . 2001-08-18 05:36 8192 -c--a-w- c:\windows\system32\dllcache\kbdkor.dll
2010-01-18 22:03 . 2001-08-18 05:36 8192 ----a-w- c:\windows\system32\kbdkor.dll
2010-01-18 22:03 . 2001-08-17 21:55 6144 -c--a-w- c:\windows\system32\dllcache\kbd101c.dll
2010-01-18 22:03 . 2001-08-17 21:55 6144 -c--a-w- c:\windows\system32\dllcache\kbd101b.dll
2010-01-18 22:03 . 2001-08-17 21:55 6144 ----a-w- c:\windows\system32\kbd101c.dll
2010-01-18 22:03 . 2001-08-17 21:55 6144 ----a-w- c:\windows\system32\kbd101b.dll
2010-01-18 22:03 . 2001-08-17 21:55 5632 -c--a-w- c:\windows\system32\dllcache\kbd103.dll
2010-01-18 22:03 . 2001-08-17 21:55 5632 ----a-w- c:\windows\system32\kbd103.dll
2010-01-18 22:03 . 2008-04-14 13:39 6144 -c--a-w- c:\windows\system32\dllcache\kbd106.dll
2010-01-18 22:03 . 2008-04-14 13:39 6144 ----a-w- c:\windows\system32\kbd106.dll
2010-01-18 21:56 . 2010-01-18 21:56 -------- d-----w- c:\program files\Softnyx
2009-12-29 05:20 . 2009-12-29 05:20 -------- d-----w- c:\program files\Common Files\DirectX
2009-12-29 05:10 . 2009-12-29 05:10 -------- d-----w- C:\AeriaGames
2009-12-29 02:56 . 2009-12-29 05:10 -------- d-----w- c:\program files\Grand Fantasia

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-20 01:26 . 2009-09-19 03:38 17488 ----a-w- c:\windows\gdrv.sys
2010-01-20 01:26 . 2009-12-15 07:31 -------- d---a-w- c:\users\All Users\Application Data\TEMP
2010-01-19 09:20 . 2009-09-19 15:10 28848 ----a-w- c:\users\Jason\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-19 09:14 . 2009-09-19 07:37 -------- d-----w- c:\program files\Common Files\MS Office
2010-01-16 10:23 . 2009-09-19 14:51 -------- d-----w- c:\program files\Common Files\Adobe
2009-12-29 01:27 . 2009-09-20 19:08 681 ----a-w- c:\users\Jason\aionmemo_2b22 658.dat
2009-12-29 01:27 . 2009-09-20 19:08 681 ----a-w- c:\users\\Jason\aionmemo_2b22 658.dat
2009-12-25 21:20 . 2009-09-24 08:38 -------- d-----w- c:\users\Jason\Application Data\Apple Computer
2009-12-25 20:12 . 2009-09-24 08:33 -------- d-----w- c:\users\All Users\Application Data\Apple
2009-12-19 05:41 . 2009-12-18 03:42 -------- d-----w- c:\program files\Heroes of Newerth
2009-12-15 08:06 . 2009-12-15 07:31 -------- d-----w- c:\program files\Fraps
2009-12-13 03:56 . 2009-09-19 05:01 -------- d-----w- c:\program files\Warcraft III
2009-12-13 03:52 . 2009-09-19 05:03 71657 ----a-w- c:\windows\War3Unin.dat
2009-12-11 02:40 . 2009-12-11 02:40 -------- d-----w- c:\users\Jason\Application Data\GameRanger
2009-12-11 02:14 . 2009-12-11 02:14 376320 ----a-r- c:\users\Jason\Application Data\Microsoft\Installer\{52B65911-1559-4ED5-9461-46957FDD48CD}\Icon52B659113.exe
2009-12-11 02:09 . 2009-12-11 02:09 -------- d-----w- c:\program files\2K Games
2009-12-11 02:08 . 2009-12-11 02:08 1212080 ----a-w- c:\users\Jason\Application Data\GameRanger\GameRanger\GameRanger.exe
2009-12-10 23:31 . 2009-12-10 23:31 -------- d-----w- c:\program files\DIFX
2009-12-10 23:31 . 2009-09-19 03:49 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-12-10 23:16 . 2009-12-10 23:16 -------- d-----w- c:\program files\PowerISO
2009-12-10 21:28 . 2009-12-10 21:28 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-12-10 21:28 . 2009-12-10 21:28 -------- d-----w- c:\users\All Users\Application Data\DAEMON Tools Lite
2009-12-10 21:28 . 2009-12-10 21:28 -------- d-----w- c:\users\Jason\Application Data\DAEMON Tools Lite
2009-12-10 21:21 . 2009-11-27 10:55 -------- d-----w- c:\users\Jason\Application Data\uTorrent
2009-12-09 03:23 . 2009-12-05 22:23 -------- d-----w- c:\program files\World of Warcraft
2009-12-08 21:26 . 2009-12-08 21:26 155312 ----a-w- c:\users\Jason\Application Data\GameRanger\GameRanger\Data\GameRanger.dll
2009-12-08 21:26 . 2009-12-08 21:26 48816 ----a-w- c:\users\Jason\Application Data\GameRanger\GameRanger\Data\GameRangerLaunch.dll
2009-12-07 05:33 . 2009-12-07 05:26 -------- d-----w- c:\users\All Users\Application Data\Blizzard Entertainment
2009-12-06 10:37 . 2009-12-06 10:37 -------- d-----w- c:\program files\Goodnight Timer
2009-12-06 00:06 . 2009-12-06 00:06 -------- d-----w- c:\users\All Users\Application Data\Blizzard
2009-12-05 22:23 . 2009-12-05 22:23 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2009-11-30 09:34 . 2009-11-30 09:33 -------- d-----w- c:\users\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-11-30 09:34 . 2009-11-30 09:33 -------- d-----w- c:\program files\iTunes
2009-11-30 09:33 . 2009-11-30 09:33 -------- d-----w- c:\program files\iPod
2009-11-30 09:33 . 2009-09-24 08:33 -------- d-----w- c:\program files\Common Files\Apple
2009-11-30 09:33 . 2009-11-30 09:33 -------- d-----w- c:\program files\Bonjour
2009-11-30 09:33 . 2009-11-30 09:33 -------- d-----w- c:\program files\QuickTime
2009-11-30 09:33 . 2009-09-24 08:33 -------- d-----w- c:\users\All Users\Application Data\Apple Computer
2009-11-27 10:55 . 2009-11-27 10:55 -------- d-----w- c:\program files\uTorrent
2009-11-21 15:51 . 2008-04-14 12:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-17 06:34 . 2009-11-17 06:34 89962 ----a-w- c:\users\Jason\Application Data\Dropbox\bin\Uninstall.exe
2009-11-13 01:07 . 2009-11-13 01:07 79144 ----a-w- c:\users\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-11-12 08:32 . 2009-09-19 14:39 86811 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-10-29 07:45 . 2009-04-29 14:19 841216 ----a-w- c:\windows\system32\wininet.dll
2009-10-29 07:45 . 2009-04-29 14:18 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-29 07:45 . 2009-04-29 14:18 17408 ----a-w- c:\windows\system32\corpol.dll
.

------- Sigcheck -------

[-] 2008-10-20 . 402B5152110F91E4C096200501737EA6 . 361600 . . [5.1.2600.9999] . . c:\windows\system32\drivers\tcpip.sys
[-] 2008-10-20 . 402B5152110F91E4C096200501737EA6 . 361600 . . [5.1.2600.9999] . . c:\windows\system32\syscache\tcpip.sys
[7] 2008-04-14 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-10-08 21:18 77824 ----a-w- c:\users\Jason\Application Data\Dropbox\bin\DropboxExt.3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-10-08 21:18 77824 ----a-w- c:\users\Jason\Application Data\Dropbox\bin\DropboxExt.3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-10-08 21:18 77824 ----a-w- c:\users\Jason\Application Data\Dropbox\bin\DropboxExt.3.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-07 3885408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UltimateServices"="c:\windows\system32\ultsvcs.exe" [2009-02-06 297889]
"RTHDCPL"="RTHDCPL.EXE" [2009-01-13 18084864]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2009-08-13 1657376]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-08-17 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-08-17 13877248]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-07 3885408]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_2"="shell32" [X]

c:\users\All Users\Start Menu\Programs\Startup\
hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2002-12-3 40960]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,33,32,\

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2009-12-11 23:57 948672 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-22 09:57 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-11-13 00:33 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2009-02-07 01:51 3885408 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
2008-11-02 08:38 167936 ----a-w- c:\program files\PowerISO\PWRISOVM.EXE

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Warcraft III\\Listchecker\\pickup.listchecker.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [1/19/2010 1:56 AM 207792]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [1/19/2010 2:04 AM 112592]
R2 GEST Service;GEST Service for program management.;c:\program files\GIGABYTE\EnergySaver\GSvr.exe [9/19/2009 7:24 AM 68136]
S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [12/10/2009 1:28 PM 691696]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [11/6/2007 12:22 PM 34064]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.winxpu.info
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride =
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Jason\Application Data\Mozilla\Firefox\Profiles\wrast0my.default\
FF - component: c:\users\Jason\Application Data\Mozilla\Firefox\Profiles\wrast0my.default\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}\platform\WINNT_x86-msvc\components\SSSLauncher.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - hȋdden: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-PlayNC Launcher - (no file)
HKCU-Run-fdnhjtrk - c:\users\Jason\Local Settings\Application Data\ngvays\jbimsysguard.exe
HKLM-Run-NBKeyScan - c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe
HKLM-Run-fdnhjtrk - c:\users\Jason\Local Settings\Application Data\ngvays\jbimsysguard.exe
MSConfigStartUp-DAEMON Tools Lite - c:\program files\DAEMON Tools Lite\DTLite.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-19 17:30
Windows 5.1.2600 Service Pack 3 NTFS

scanning hȋdden processes ...

scanning hȋdden autostart entries ...

scanning hȋdden files ...

scan completed successfully
hȋdden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(952)
c:\windows\system32\wdigest.dll
.
Completion time: 2010-01-19 17:31:18
ComboFix-quarantined-files.txt 2010-01-20 01:31

Pre-Run: 310,711,226,368 bytes free
Post-Run: 311,206,166,528 bytes free

- - End Of File - - 77BE84007A17B98944537BC4FDC0E8EF

You do not have a Malwarebytes log?

Hmm, odd, I ran malawarebytes and a log appeared in notepad. I saved it as logmalawarebytes on my desktop. When I check this file it seems to be the combofix log. Not sure how this happened.

I searched my hardrive for "log" and "mala" to check for a default log save. I guess I missed it somehow =(.

What would you like me to do next?

Please re-open Malwarebytes, click the Update tab, and click Check for Updates. Then, click the Scanner tab, select Perform Quick Scan, and press Scan. Remove selected, and post the log in your next reply.

Oh yay! After following your instructions, I was able to see that it does copy the log in its default folder.

So here is my first log 1-19-10:

Malwarebytes' Anti-Malware 1.44
Database version: 3601
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

1/19/2010 8:01:42 PM
mbam-log-2010-01-19 (20-01-42).txt

Scan type: Full Scan (C:\|)
Objects scanned: 164684
Time elapsed: 16 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\Users\Jason\Local Settings\Application Data\ngvays\jbimsysguard.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{8305AE5E-232A-4BDA-8FCF-F826F6005208}\RP3\A0002383.sys (Malware.Trace) -> Quarantined and deleted successfully.


==========================================================================================================

My second log from right now (1-20-10):

Malwarebytes' Anti-Malware 1.44
Database version: 3606
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

1/20/2010 4:58:45 PM
mbam-log-2010-01-20 (16-58-45).txt

Scan type: Quick Scan
Objects scanned: 107192
Time elapsed: 2 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Good. Time to cleanup.

Now to get you off to a good start we will clean your restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean. There are several ways to reset your restore points, but this is my method:

• Select Start > All Programs > Accessories > System tools > System Restore.
  
• On the dialogue box that appears select Create a Restore Point
  
• Click NEXT
  
• Enter a name e.g. Clean
  
• Click CREATE

You now have a clean restore point, to get rid of the bad ones:

• Select Start > All Programs > Accessories > System tools > Disk Cleanup.
  
• In the Drop down box that appears select your main drive e.g. C
  
• Click OK
  
• The System will do some calculation and the display a dialogue box with TABS
  
• Select the More Options Tab.
  
• At the bottom will be a system restore box with a CLEANUP button click this
  
• Accept the Warning and select OK again, the program will close and you are done
  

==

To remove all of the tools we used and the files and folders they created, please do the following:
Please download OTC.exe by OldTimer:

• Save it to your Desktop.
  
• Double click OTC.exe.
  
• Click the CleanUp! button.
  
• If you are prompted to Reboot during the cleanup, select Yes.
  
• The tool will delete itself once it finishes.
  

Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

==

Please download TFC by OldTimer to your desktop

• Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  
• It will close all programs when run, so make sure you have saved all your work before you begin.
  
• Click the Start
  button to begin the process. Depending on how often you clean temp
  files, execution time should be anywhere from a few seconds to a minute
  or two. Let it run uninterrupted to completion.
  
• Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

==

Download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.

• Save it to your Desktop.
• Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
• A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Okay!

Results of screen317's Security Check version 0.99.1
Windows XP Service Pack 3
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Enabled!
WMIC entry does not exist for antivirus; attempting automatic update.
``````````````````````````````
Anti-malware/Other Utilities Check:
Java Auto Updater
Adobe Flash Player 10
Adobe Reader 9.3
``````````````````````````````
Process Check:
objlist.exe by Laurent
``````````````````````````````
DNS Vulnerability Check:
GREAT! (Not vulnerable to DNS cache poisoning)

`````````End of Log```````````

Please read the following information that I have provided, which will help you prevent malicious software in the future. Please keep in mind, malware is a continuous danger on the Internet. It is highly important to stay safe while browsing, to prevent re-infection.

Software recommendations

Antivirus/Antispyware

• Microsoft Security Essentials: this is Microsoft's free antivirus/antispyware program. It equips you with protection against viruses, spyware, trojans, rootkits, and worms. It is also light on the computer's performance. Note: when installing this, you have both an antivirus and antispyware. Make sure you also get a firewall.
  
• AVG Free: this is one of the most powerful, and easiest to use security software. The free version equips you with protection against viruses, spyware, trojans, rootkits, worms, and rogue software. Note: when installing this, you have both an antivirus and antispyware. Make sure you also get a firewall.

Firewall

• Tallemu Online Armor: the free version is just as good as the premium. I have linked you to the free version.
  
• Comodo Firewall: the free version is just as good as the premium. I have linked you to the free version. The optional security suite enhances the firewall by 40% increase. If you would like to install the suite that includes antivirus, then remove your old antivirus first.
  
• PC Tools Firewall Plus: free and excellent firewall.

Note: Please keep ALL of these programs up-to-date and run them whenever you suspect a problem to prevent malware problems.

Resident Protection help
A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall, and scanning anti-spyware program at a time. Passive protectors such as SpywareBlaster can be run with any of them.

Rogue programs help
There are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure and looking for anti-spyware programs, you can find out if it is a rogue here:
http://www.spywarewarrior.com/rogue_anti-spyware.htm

Securing your computer

• Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  
• hpHosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. This prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer's loopback address, meaning it will be difficult to infect your computer in the future.
  

Please consider using an alternate browser
Mozilla's Firefox browser is a very good alternative. In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker and add-ons, like NoScript, can make it even more secure. Opera is another good option.

If you are interested:

• Firefox may be downloaded from here: http://www.getfirefox.com
  
• Opera is available here: http://www.opera.com/download/
  

See this page for more info about malware and prevention.

Thank you for choosing GeekPolice. Please see this page if you would like to leave feedback or contribute to our site. Do you have any more questions?

Thanks much DragonMaster Jay! You guys keep up the good work! I've told so many people about you =D

Thanks, and you're welcome.