Persistent virus, Ramnit A and C, I need help!!!

SystemLook 04.09.10 by jpshortstuff
Log created at 16:52 on 20/11/2010 by Natty
Administrator - Elevation successful

No Context: Code:

========== filefind ==========

Searching for "*desktoplayer*"
C:\Qoobox\Quarantine\C\Program Files\Microsoft\_DesktopLayer_.exe.zip --a---- 49424 bytes [00:43 19/10/2010] [13:00 09/11/2010] 4047C00887AB8F3278B57990CB54C219

Searching for "scecli.dll"
C:\WINDOWS\ERDNT\cache\scecli.dll --a---- 180224 bytes [14:00 18/10/2010] [01:07 04/08/2004] 0F78E27F563F2AAF74B91A49E2ABF19A
C:\WINDOWS\system32\scecli.dll --a---- 180224 bytes [01:07 04/08/2004] [01:07 04/08/2004] 0F78E27F563F2AAF74B91A49E2ABF19A
C:\WINDOWS\system32\dllcache\scecli.dll --a--c- 180224 bytes [01:07 04/08/2004] [01:07 04/08/2004] 0F78E27F563F2AAF74B91A49E2ABF19A

Searching for "netlogon.dll"
C:\WINDOWS\ERDNT\cache\netlogon.dll --a---- 407040 bytes [14:00 18/10/2010] [01:07 04/08/2004] 96353FCECBA774BB8DA74A1C6507015A
C:\WINDOWS\system32\netlogon.dll --a---- 407040 bytes [01:07 04/08/2004] [01:07 04/08/2004] 96353FCECBA774BB8DA74A1C6507015A
C:\WINDOWS\system32\dllcache\netlogon.dll --a--c- 407040 bytes [01:07 04/08/2004] [01:07 04/08/2004] 96353FCECBA774BB8DA74A1C6507015A

Searching for "eventlog.dll"
C:\WINDOWS\ERDNT\cache\eventlog.dll --a---- 55808 bytes [14:00 18/10/2010] [01:07 04/08/2004] 82B24CB70E5944E6E34662205A2A5B78
C:\WINDOWS\system32\eventlog.dll --a---- 55808 bytes [01:07 04/08/2004] [01:07 04/08/2004] 82B24CB70E5944E6E34662205A2A5B78
C:\WINDOWS\system32\dllcache\eventlog.dll --a--c- 55808 bytes [01:07 04/08/2004] [01:07 04/08/2004] 82B24CB70E5944E6E34662205A2A5B78

Searching for "winlogon.exe"
C:\WINDOWS\ERDNT\cache\winlogon.exe --a---- 502272 bytes [14:00 18/10/2010] [01:07 04/08/2004] 01C3346C241652F43AED8E2149881BFE
C:\WINDOWS\system32\winlogon.exe --a---- 502272 bytes [01:07 04/08/2004] [01:07 04/08/2004] 93469F95485FA06E5D8BEB8D18AE309C
C:\WINDOWS\system32\dllcache\winlogon.exe --a---- 502272 bytes [01:07 04/08/2004] [01:07 04/08/2004] 93469F95485FA06E5D8BEB8D18AE309C

Searching for "comres.dll"
C:\WINDOWS\system32\comres.dll --a---- 792064 bytes [01:07 04/08/2004] [01:07 04/08/2004] 6728270CB7DBB776ED086F5AC4C82310
C:\WINDOWS\system32\dllcache\comres.dll --a--c- 792064 bytes [01:07 04/08/2004] [01:07 04/08/2004] 6728270CB7DBB776ED086F5AC4C82310

Searching for "crypt32.dll"
C:\WINDOWS\system32\crypt32.dll --a---- 597504 bytes [01:07 04/08/2004] [01:07 04/08/2004] EFC958396A7A7EF7E6D4A52B97512E18
C:\WINDOWS\system32\dllcache\crypt32.dll --a--c- 597504 bytes [01:07 04/08/2004] [01:07 04/08/2004] EFC958396A7A7EF7E6D4A52B97512E18

Searching for "gpedit.dll"
C:\WINDOWS\system32\gpedit.dll --a--c- 566784 bytes [01:07 04/08/2004] [01:07 04/08/2004] C4EE648B2474D84CF081C3FE0DC578DA
C:\WINDOWS\system32\dllcache\gpedit.dll --a--c- 566784 bytes [01:07 04/08/2004] [01:07 04/08/2004] C4EE648B2474D84CF081C3FE0DC578DA

Searching for "rundll32.exe"
C:\WINDOWS\system32\rundll32.exe --a---- 33280 bytes [01:07 04/08/2004] [01:07 04/08/2004] DA285490BBD8A1D0CE6623577D5BA1FF
C:\WINDOWS\system32\dllcache\rundll32.exe --a--c- 33280 bytes [01:07 04/08/2004] [01:07 04/08/2004] DA285490BBD8A1D0CE6623577D5BA1FF

Searching for "sfc.dll"
C:\WINDOWS\ERDNT\cache\sfc.dll --a---- 5120 bytes [14:00 18/10/2010] [01:07 04/08/2004] E8A12A12EA9088B4327D49EDCA3ADD3E
C:\WINDOWS\system32\sfc.dll --a---- 5120 bytes [01:07 04/08/2004] [01:07 04/08/2004] E8A12A12EA9088B4327D49EDCA3ADD3E
C:\WINDOWS\system32\dllcache\sfc.dll --a--c- 5120 bytes [01:07 04/08/2004] [01:07 04/08/2004] E8A12A12EA9088B4327D49EDCA3ADD3E

Searching for "svchost.exe"
C:\WINDOWS\ERDNT\cache\svchost.exe --a---- 14336 bytes [14:00 18/10/2010] [01:07 04/08/2004] 8F078AE4ED187AAABC0A305146DE6716
C:\WINDOWS\system32\svchost.exe --a---- 14336 bytes [01:07 04/08/2004] [01:07 04/08/2004] 8F078AE4ED187AAABC0A305146DE6716
C:\WINDOWS\system32\dllcache\svchost.exe --a--c- 14336 bytes [01:07 04/08/2004] [01:07 04/08/2004] 8F078AE4ED187AAABC0A305146DE6716

Searching for "cngaudit.dll"
No files found.

Searching for "beep.sys"
C:\WINDOWS\ERDNT\cache\beep.sys --a---- 4224 bytes [14:00 18/10/2010] [01:07 04/08/2004] DA1F27D85E0D1525F6621372E7B685E9
C:\WINDOWS\system32\dllcache\beep.sys --a--c- 4224 bytes [01:07 04/08/2004] [01:07 04/08/2004] DA1F27D85E0D1525F6621372E7B685E9
C:\WINDOWS\system32\drivers\beep.sys --a---- 4224 bytes [01:07 04/08/2004] [01:07 04/08/2004] DA1F27D85E0D1525F6621372E7B685E9

Searching for "wscntfy.exe"
C:\WINDOWS\ERDNT\cache\wscntfy.exe --a---- 13824 bytes [14:00 18/10/2010] [01:07 04/08/2004] 49911DD39E023BB6C45E4E436CFBD297
C:\WINDOWS\system32\wscntfy.exe --a--c- 13824 bytes [01:07 04/08/2004] [01:07 04/08/2004] 49911DD39E023BB6C45E4E436CFBD297
C:\WINDOWS\system32\dllcache\wscntfy.exe --a--c- 13824 bytes [01:07 04/08/2004] [01:07 04/08/2004] 49911DD39E023BB6C45E4E436CFBD297

Searching for "atapi.sys"
C:\WINDOWS\ERDNT\cache\atapi.sys --a---- 95360 bytes [14:00 18/10/2010] [22:59 03/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\system32\drivers\atapi.sys --a---- 95360 bytes [01:07 04/08/2004] [22:59 03/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51

-= EOF =-

Many of your system drivers and important system files are infected.

Delete your copy of ComboFix and download a new one.

Note: the following tool is to only be used under the guidance of a malware helper. In the event you already have the tool, please delete the old copy and download a new copy.

Please download ComboFix from BleepingComputer.com

Alternate link: Forospyware.com (Click the green button on the page to download it).

Rename ComboFix.exe to desktoplayer.exe before you save it to your Desktop

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools A guide to do this can be found here
  
• Click Start>Run then copy paste the following command into the Run box & click OK "%userprofile%\desktop\desktoplayer.exe" /killall
  
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
  
  *NOTE*: If you already have the Recovery Console installed, ComboFix will skip this part and will continue scanning for malware.
  
  With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

• Click on Yes, to continue scanning for malware.
  
• When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.
  

Done.

Re-running ComboFix to remove infections:

• Close any open browsers.
  
• Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  
• Open notepad and copy/paste the text in the codebox below into it:
  

  killall::
  
  folder::
  c:\documents and settings\Natty\Application Data\Ygin
  c:\documents and settings\Natty\Application Data\Ixexri
  c:\documents and settings\Natty\Application Data\Mofyu
  c:\documents and settings\Natty\Application Data\Yhciuv
  
  Registry::
  [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
  "%windir%\\system32\\drivers\\svchost.exe"=-
  
  FileLook::
  c:\windows\system32\drivers\svchost.exe
  
  Snapshot::
  
  Reboot::

• Save this as CFScript.txt, in the same location as ComboFix.exe
  
  
  
  
• Referring to the picture above, drag CFScript into ComboFix.exe
  
• When finished, it shall produce a log for you at C:\ComboFix.txt
  
• Please post the contents of the log in your next reply.

Here is my log.

Please go to: VirusTotal

• Click the Browse button and search for the following file: c:\windows\system32\sfcfiles.dll
  
• Click Open
  
• Then click Send File
  
• Please be patient while the file is scanned.
  
• Once the scan results appear, please provide them in your next reply.

If it says already scanned -- click "reanalyze now"

Please post the results in your next reply.

File name: sfcfiles.dll
Submission date: 2010-12-09 01:38:08 (UTC)
Current status: finished
Result: 0/ 43 (0.0%)

Antivirus Version Last Update Result
AhnLab-V3 2010.12.09.00 2010.12.08 -
AntiVir 7.10.14.228 2010.12.08 -
Antiy-AVL 2.0.3.7 2010.12.08 -
Avast 4.8.1351.0 2010.12.08 -
Avast5 5.0.677.0 2010.12.08 -
AVG 9.0.0.851 2010.12.08 -
BitDefender 7.2 2010.12.09 -
CAT-QuickHeal 11.00 2010.12.08 -
ClamAV 0.96.4.0 2010.12.09 -
Command 5.2.11.5 2010.12.08 -
Comodo 6996 2010.12.09 -
DrWeb 5.0.2.03300 2010.12.09 -
Emsisoft 5.1.0.1 2010.12.08 -
eSafe 7.0.17.0 2010.12.07 -
eTrust-Vet 36.1.8027 2010.12.08 -
F-Prot 4.6.2.117 2010.12.08 -
F-Secure 9.0.16160.0 2010.12.09 -
Fortinet 4.2.254.0 2010.12.08 -
GData 21 2010.12.09 -
Ikarus T3.1.1.90.0 2010.12.08 -
Jiangmin 13.0.900 2010.12.08 -
K7AntiVirus 9.71.3191 2010.12.08 -
Kaspersky 7.0.0.125 2010.12.09 -
McAfee 5.400.0.1158 2010.12.09 -
McAfee-GW-Edition 2010.1C 2010.12.09 -
Microsoft 1.6402 2010.12.08 -
NOD32 5686 2010.12.08 -
Norman 6.06.12 2010.12.08 -
nProtect 2010-12-08.02 2010.12.08 -
Panda 10.0.2.7 2010.12.08 -
PCTools 7.0.3.5 2010.12.09 -
Prevx 3.0 2010.12.09 -
Rising 22.77.01.08 2010.12.08 -
Sophos 4.60.0 2010.12.09 -
SUPERAntiSpyware 4.40.0.1006 2010.12.09 -
Symantec 20101.2.0.161 2010.12.08 -
TheHacker 6.7.0.1.097 2010.12.08 -
TrendMicro 9.120.0.1004 2010.12.08 -
TrendMicro-HouseCall 9.120.0.1004 2010.12.09 -
VBA32 3.12.14.2 2010.12.08 -
VIPRE 7568 2010.12.09 -
ViRobot 2010.12.8.4191 2010.12.08 -
VirusBuster 13.6.82.0 2010.12.08 -

Additional information

MD5 : 9f960fac5166f8626b9cde4dd9a0eb84
SHA1 : c8b4fcb567d1decc3f0c44c0dddc8479fd01cd2d
SHA256: 444adb57966fad0f0299d3e08d2d3c8525477c3bc39f7d3609f3d1d50e909212
ssdeep: 3072:1b9Ro/7HtFUipn9tVtjRVSLKKWPY+/eRlYw4a75pGgdR5TmVG3cxmFD9yRMNujWw:18/7N
FU8tCm075wg9gG3emF4RMNu
File size : 1580544 bytes
First seen: 2009-07-27 14:33:37
Last seen : 2010-12-09 01:38:08
TrID:
Win32 Executable Generic (68.0%)
Generic Win/DOS Executable (15.9%)
DOS Executable Generic (15.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
sigcheck:
publisher....: Microsoft Corporation
copyright....: (c) Microsoft Corporation. All rights reserved.
product......: Microsoft_ Windows_ Operating System
description..: Windows 2000 System File Checker
original name: sfcfiles.dll
internal name: sfcfiles.dll
file version.: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

PEInfo: PE structure information

[[ basic data ]]
entrypointaddress: 0x120D
timedatestamp....: 0x41107C20 (Wed Aug 04 06:03:12 2004)
machinetype......: 0x14c (I386)

[[ 4 section(s) ]]
name, viradd, virsiz, rawdsiz, ntropy, md5
.text, 0x1000, 0xCBF, 0xE00, 5.88, 26f3f85ddf7d183e3679894901dc54b3
.data, 0x2000, 0x1765B8, 0x176600, 3.27, 6bd241897cebe97665834f6b79fce245
.rsrc, 0x179000, 0x418, 0x600, 2.54, 3602e2d32d16564d93b70db769379042
.reloc, 0x17A000, 0x9E56, 0xA000, 5.76, d5f4de8f8bae56e26c617081b34c746a

[[ 1 import(s) ]]
ntdll.dll: LdrDisableThreadCalloutsForDll, NtClose, NtQueryValueKey, NtOpenKey, RtlInitUnicodeString, RtlGetVersion, NtTerminateProcess, RtlUnhandledExceptionFilter, RtlUnwind, NtQueryVirtualMemory

[[ 1 export(s) ]]
SfcGetFiles

ExifTool:
file metadata
CharacterSet: Unicode
CodeSize: 3584
CompanyName: Microsoft Corporation
EntryPoint: 0x120d
FileDescription: Windows 2000 System File Checker
FileFlagsMask: 0x003f
FileOS: Windows NT 32-bit
FileSize: 1544 kB
FileSubtype: 0
FileType: Win32 DLL
FileVersion: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
FileVersionNumber: 5.1.2600.2180
ImageVersion: 5.1
InitializedDataSize: 1575936
InternalName: sfcfiles.dll
LanguageCode: English (U.S.)
LegalCopyright: Microsoft Corporation. All rights reserved.
LinkerVersion: 7.1
MIMEType: application/octet-stream
MachineType: Intel 386 or later, and compatibles
OSVersion: 5.1
ObjectFileType: Executable application
OriginalFilename: sfcfiles.dll
PEType: PE32
ProductName: Microsoft Windows Operating System
ProductVersion: 5.1.2600.2180
ProductVersionNumber: 5.1.2600.2180
Subsystem: Windows command line
SubsystemVersion: 4.1
TimeStamp: 2004:08:04 08:03:12+02:00
UninitializedDataSize: 0

Now, please re-run ComboFix and post a log.

ComboFix 10-12-20.05 - Natty 2010-12-21 11:41:01.5.2 - x86
Microsoft Windows XP Professionnel 5.1.2600.2.1252.33.1033.18.1022.695 [GMT -5:00]
Lancé depuis: c:\documents and settings\Natty\Desktop\desktoplayer.exe
* Un nouveau point de restauration a été créé
.

((((((((((((((((((((((((((((( Fichiers créés du 2010-11-21 au 2010-12-21 ))))))))))))))))))))))))))))))))))))
.

Pas de nouveau fichier créé dans ce laps de temps

.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
.

------- Sigcheck -------

[-] 2008-01-16 . 9F960FAC5166F8626B9CDE4DD9A0EB84 . 1580544 . . [5.1.2600.2180] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((( Points de chargement Reg ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RocketDock"="d:\logiciel\Divers\RocketDock\RocketDock.exe" [2010-10-17 418181]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2006-07-27 282624]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-09-27 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-09-27 13918208]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-10-14 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-01 421160]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" [2004-08-04 99840]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2008-3-7 221247]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\LogiCiel\\Internet\\eMule\\emule.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"d:\\LogiCiel\\Internet\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:0.0.0.0/255.255.255.255:Enabled:DHCP Discovery Service

R1 vcdrom;Virtual CD-ROM Device Driver;d:\logiciel\Systeme\VirtualDVD\VCdRom.sys [2009-11-08 8576]
S3 EverestDriver;Lavalys EVEREST Kernel Driver;d:\logiciel\Systeme\Everest\kerneld.wnt [2008-03-06 22640]
.
Contenu du dossier 'Tâches planifiées'

2010-10-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:34]

2010-10-29 c:\windows\Tasks\DriverCure.job
- d:\logiciel\DriverCure\DriverCure.exe [2009-08-07 19:36]
.
.
------- Examen supplémentaire -------
.
uStart Page = hxxp://www.google.ca/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
DPF: CabBuilder - hxxp://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
FF - ProfilePath - c:\documents and settings\Natty\Application Data\Mozilla\Firefox\Profiles\5iz7nibw.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - d:\logiciel\Internet\Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - d:\logiciel\Internet\Firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-21 11:43
Windows 5.1.2600 Service Pack 2 NTFS

Recherche de processus cachés ...

Recherche d'éléments en démarrage automatique cachés ...

Recherche de fichiers cachés ...

Scan terminé avec succès
Fichiers cachés: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EverestDriver]
"ImagePath"="\??\d:\logiciel\Systeme\Everest\kerneld.wnt"
.
--------------------- DLLs chargées dans les processus actifs ---------------------

- - - - - - - > 'explorer.exe'(2996)
c:\windows\system32\msi.dll
.
Heure de fin: 2010-12-21 11:44:36
ComboFix-quarantined-files.txt 2010-12-21 16:44
ComboFix2.txt 2010-11-27 18:23
ComboFix3.txt 2010-11-22 16:21
ComboFix4.txt 2010-10-19 00:45
ComboFix5.txt 2010-12-21 16:39

Avant-CF: 864 837 632 bytes free
Après-CF: 854 503 424 bytes free

- - End Of File - - 347D82CAEAB336392EE960D68D0BB3D4

I see no other malware.

Hiya! Your logs appear to be clean. If there are no more issues, then we shall clean up!

Clean up System Restore

Now, to get you off to a clean start, we will be creating a new Restore Point, then clearing the old ones to make sure you do not get reinfected, in case you need to "restore back."

• Select Start > All Programs > Accessories > System tools > System Restore.
  
• On the dialogue box that appears select Create a Restore Point
  
• Click NEXT
  
• Enter a name e.g. Clean
  
• Click CREATE

You now have a clean restore point, to get rid of the bad ones:

• Select Start > All Programs > Accessories > System tools > Disk Cleanup.
  
• In the Drop down box that appears select your main drive e.g. C
  
• Click OK
  
• The System will do some calculation and the display a dialogue box with TABS
  
• Select the More Options Tab.
  
• At the bottom will be a system restore box with a CLEANUP button click this
  
• Accept the Warning and select OK again, the program will close and you are done

Run OTC to remove our tools

To remove all of the tools we used and the files and folders they created, please do the following:
Please download OTC.exe by OldTimer:

• Save it to your Desktop.
  
• Double click OTC.exe.
  
• Click the CleanUp! button.
  
• If you are prompted to Reboot during the cleanup, select Yes.
  
• The tool will delete itself once it finishes.

Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

Purge old temporary files

Please download TFC by OldTimer to your desktop

• Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  
• It will close all programs when run, so make sure you have saved all your work before you begin.
  
• Click the Start
  button to begin the process. Depending on how often you clean temp
  files, execution time should be anywhere from a few seconds to a minute
  or two. Let it run uninterrupted to completion.
  
• Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

Security Check

Please download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.

• Save it to your Desktop.
• Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
• A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Tell me in your next reply, if you have completed these tasks:

• Cleaned System Restore
  
• Ran OTC
  
• Ran TFC
  
• Ran Security Check

Also, let me know how your computer is running, and don't forget to post the contents of the Security Check log.

I have completed all 4 tasks.
Here is my log:

Results of screen317's Security Check version 0.99.8
Windows XP Service Pack 2
Out of date service pack!!
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Enabled!
ESET Online Scanner v3
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:
Malwarebytes' Anti-Malware
Java(TM) 6 Update 3
Out of date Java installed!
Adobe Flash Player 10.0.22.87
Adobe Reader 8.1.2
Adobe Reader 8.1.2 Security Update 1 (KB403742)
Adobe Reader 8.2.0
Out of date Adobe Reader installed!
Mozilla Firefox (3.5.13) Firefox Out of Date!
````````````````````````````````
Process Check:
objlist.exe by Laurent
``````````End of Log````````````

My computer seems to be running ok, but some error messages always pop up when I start it. Do I delete SecurityCheck now?
I was thinking of installing Avira antivirus, do you have any better suggestions?
Thanks a million for your help, it was most useful!
Natty

Please upgrade to Windows XP SP3, because it includes all previously released updates. It also includes a small number of new functionalities. Some of the updates that Service Pack 3 provides, you may not have. It is now available via Windows Update.

More info about SP3: http://www.GeekPolice.net/operating-systems-f20/windows-xp-service-pack-3-information-t16956.htm

Update Firefox

Firefox is out of date. Firefox is a very popular web browser, and if it is out of date, it is very vulnerable to security bugs, and other holes. To update it now, click Help > Check for Updates.


Update Adobe Reader

Please download the newest version of Adobe Acrobat Reader from Adobe.com

Before installing: it is important to remove older versions of Acrobat Reader since it does not do so automatically and old versions still leave you vulnerable.
Go to the Control Panel and enter Add or Remove Programs (Programs and Features in Vista/7).
Search in the list for all previous installed versions of Adobe Acrobat Reader. Uninstall/Remove each of them.

Once old versions are gone, please install the newest version.



Update Java

Please download the newest version of Java from Java.com.

Before installing: it is important to remove older versions of Java since it does not do so automatically and old versions still leave you vulnerable.
Go to the Control Panel and enter Add or Remove Programs (Programs and Features in Vista/7).
Search in the list for all previous installed versions of Java. (J2SE Runtime Environment). Please uninstall/remove each of them.

Once old versions are gone, please install the newest version.


Please read the following information that I have provided, which will help you prevent malicious software in the future. Please keep in mind, malware is a continuous danger on the Internet. It is highly important to stay safe while browsing, to prevent re-infection.

Software recommendations

Antivirus/Antispyware

• Microsoft Security Essentials: this is Microsoft's free antivirus/antispyware program. It equips you with protection against viruses, spyware, trojans, rootkits, and worms. It is also light on the computer's performance. Note: when installing this, you have both an antivirus and antispyware. Make sure you also get a firewall.
  
• Avira Free: this is one of the most powerful, and easiest to use security software. The free version equips you with protection against viruses, spyware, trojans, rootkits, worms, and rogue software.

Firewall

• Tallemu Online Armor: the free version is just as good as the premium. I have linked you to the free version.
  
• Comodo Firewall: the free version is just as good as the premium. I have linked you to the free version. The optional security suite enhances the firewall by 40% increase. If you would like to install the suite that includes antivirus, then remove your old antivirus first.
  
• PC Tools Firewall Plus: free and excellent firewall.

Note: Please keep ALL of these programs up-to-date and run them whenever you suspect a problem to prevent malware problems.

Resident Protection help
A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall, and scanning anti-spyware program at a time. Passive protectors such as SpywareBlaster can be run with any of them.

Securing your computer

• Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  
• hpHosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. This prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer's loopback address, meaning it will be difficult to infect your computer in the future.
  

Please consider using an alternate browser
Mozilla's Firefox browser is a very good alternative. In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker and add-ons, like NoScript, can make it even more secure. Opera is another good option.

If you are interested:

• Firefox may be downloaded from here: http://www.getfirefox.com
  
• Opera is available here: http://www.opera.com/download/
  

See this page for more info about malware and prevention.

Thank you for choosing GeekPolice. Please see this page if you would like to leave feedback or contribute to our site. Do you have any more questions?

Done, done, and done! But a few questions arise:
I cannot download adobe reader for some reason. everytime it says that it deletes permanently from my computer the application I download.
Also, I was wondering if it's ok to have 2 firewalls running (3 including windows), or should I only have one?
And how do I use hpHosts file? Do I have to download something?
Lastly, my avira antivirus is still telling me I have a ramnit virus... so I'm not quite sure we've eradicated it completely! SOS..