dowloader menace

Unknown

After I start the computer, when I switch on the broadband modem and get connected to internet, automatically a highspeed download/upload starts. I am unable to know what is happening. On virus scan 'dowmloader' worm was found and it was removed. But that does not stop the download/upload activity which consumes the full bandwidth. How to identify which application is doing this and how to stop that? Can somebody help me to find a cure to this please?

Veka

Hi sairam49,

That sounds tricky, but let's see what we can do. Welcome to Icrontic.

Step 1:

At first, download HJTInstall to your Desktop.

• Double click HJTInstall.exe to install it.
• By default it will install to C:\Program Files\Trend Micro\HijackThis .
• Click on Install.
• It will create a HijackThis icon on the desktop.
• Once installed, it will launch Hijackthis.
• Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
• Copy/Paste the log to your next reply please.

Don't use the Analyse This button, its findings are dangerous if misinterpreted.
Don't have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

Step 2:

After that, please scan your compu with the Kaspersky Online Scanner (Internet Explorer only)

Click on Accept

You will be promted to install an ActiveX component from Kaspersky, Click Yes.

• The program will launch and then begin downloading the latest definition files:
• Once the files have been downloaded click on NEXT
  
• Now click on Scan Settings
• In the scan settings make that the following are selected:
  • Scan using the following Anti-Virus database:
  • Extended (if available otherwise Standard)
  • Scan Options:
  • Scan Archives
    Scan Mail Bases
• Click OK
• Now under select a target to scan:
  • Select My Computer
• This will program will start and scan your system.
• The scan will take a while so be patient and let it run.
• Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button:
• Save the file to your desktop.
• Copy and paste that information in your next post.

Step 3:

Please post the contents of the HijackThis and the Kaspersky logs. Thank you.

sairam49

I have NAV on my system. Can I still use Kaspersky online scanner? Please advice.
Thanks a lot for the help.
Sairam

Veka

Yea, you can.

sairam49

I followed your instructions and generated logs of HijackThis and Kaspersky. I am posting contents here. Kaspersky found more than 70 viruses on c-drive where as the NAV I have could find only two and could remove one on a scan run later on c-drive.
Can you please give me the procedure for removal of this menace.
Thanking you,
Sairam

---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:22:59 PM, on 3/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
D:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
N:\spyware removal\downloader menace\hijackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.defaulthomepage.info
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: HP Smart Web Printing 1.0 - {AE84A6AA-A333-4B92-B276-C11E2212E4FE} - D:\Program Files\HP\Smart Web Printing\SmartWebPrinting.dll
O2 - BHO: QUICKfind BHO Object - {C08DF07A-3E49-4E25-9AB0-D3882835F153} - C:\PROGRA~1\TEXTware\QUICKF~1\PlugIns\IEHelp.dll
O2 - BHO: (no name) - {CDBE5296-452A-4C54-89A8-E8AADEF293C2} - C:\WINDOWS\system32\iaspolcye.dll (file missing)
O2 - BHO: WebManager Class - {D5792AA9-D373-4039-8670-2CDAB6A71F15} - d:\Program Files\BitGrabber\TorrentManager.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [vptray] D:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - d:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - d:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{64877DEC-856C-49C9-9DAF-B7436DFDE9B7}: NameServer = 202.144.105.4,202.144.10.50
O20 - Winlogon Notify: LogCrypt - LogCrypt.dll (file missing)
O20 - Winlogon Notify: MacDrive-iTunes compatibility - C:\Program Files\Common Files\Mediafour\MacDriveiTunesPatch.dll
O20 - Winlogon Notify: WLCtrl32 - C:\WINDOWS\SYSTEM32\WLCtrl32.dll
O23 - Service: DefWatch - Symantec Corporation - D:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - D:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe

--
End of file - 4967 bytes

---

---

KASPERSKY ONLINE SCANNER REPORT
Wednesday, March 12, 2008 7:59:34 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 12/03/2008
Kaspersky Anti-Virus database records: 625556

---

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
K:\
L:\
M:\

Scan Statistics:
Total number of scanned objects: 33193
Number of viruses found: 26
Number of infected objects: 74
Number of suspicious objects: 0
Duration of the scan process: 01:41:40

Infected Object Name / Virus Name / Last Action
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008031220080313\index.dat Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\drivers\nkv2.sys Infected: Rootkit.Win32.Agent.ael skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edbtmp.log Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\AppCert\prx99f.dll Infected: SpamTool.Win32.Agent.fw skipped
C:\WINDOWS\system32\AppCert\prx99g.dll Infected: SpamTool.Win32.Agent.fw skipped
C:\WINDOWS\system32\glock32.exe Infected: Trojan-Downloader.Win32.Tiny.acp skipped
C:\WINDOWS\system32\WLCtrl32.dll Infected: Trojan-Downloader.Win32.Agent.kif skipped
C:\WINDOWS\Temp\BN38.tmp Infected: Trojan-Spy.Win32.Agent.bll skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\051C0000.VBN Infected: Email-Worm.Win32.Zhelatin.cx skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\051C0001.VBN Infected: Email-Worm.Win32.Zhelatin.cx skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\01DC0000.VBN Infected: Worm.Win32.VB.el skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\06C80000.VBN Infected: Worm.Win32.VB.el skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\01740000.VBN Infected: Trojan-Downloader.Win32.INService.bl skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07740000.VBN/data.rar/keygen.exe Infected: Trojan-Downloader.Win32.Agent.dlu skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07740000.VBN/data.rar/patch.exe Infected: Trojan.Win32.Dialer.qn skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07740000.VBN/data.rar/crack.exe Infected: Trojan-Downloader.Win32.Small.exx skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07740000.VBN/data.rar/install.exe Infected: Trojan-Downloader.Win32.Small.hyt skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07740000.VBN/data.rar Infected: Trojan-Downloader.Win32.Small.hyt skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07740000.VBN RarSFX: infected - 5 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07740000.VBN CryptZ: infected - 5 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07780000.VBN/data.rar/keygen.exe Infected: Trojan-Downloader.Win32.Agent.dlu skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07780000.VBN/data.rar/patch.exe Infected: Trojan.Win32.Dialer.qn skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07780000.VBN/data.rar/crack.exe Infected: Trojan-Downloader.Win32.Small.exx skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07780000.VBN/data.rar/install.exe Infected: Trojan-Downloader.Win32.Small.hyt skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07780000.VBN/data.rar Infected: Trojan-Downloader.Win32.Small.hyt skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07780000.VBN RarSFX: infected - 5 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07780000.VBN CryptZ: infected - 5 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\076C0000.VBN/data.rar/keygen.exe Infected: Trojan-Downloader.Win32.Agent.dlu skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\076C0000.VBN/data.rar/patch.exe Infected: Trojan.Win32.Dialer.qn skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\076C0000.VBN/data.rar/crack.exe Infected: Trojan-Downloader.Win32.Small.exx skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\076C0000.VBN/data.rar/install.exe Infected: Trojan-Downloader.Win32.Small.hyt skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\076C0000.VBN/data.rar Infected: Trojan-Downloader.Win32.Small.hyt skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\076C0000.VBN RarSFX: infected - 5 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\076C0000.VBN CryptZ: infected - 5 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07640000.VBN/data.rar/keygen.exe Infected: Trojan-Downloader.Win32.Agent.dlu skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07640000.VBN/data.rar/patch.exe Infected: Trojan.Win32.Dialer.qn skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07640000.VBN/data.rar/crack.exe Infected: Trojan-Downloader.Win32.Small.exx skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07640000.VBN/data.rar/install.exe Infected: Trojan-Downloader.Win32.Small.hyt skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07640000.VBN/data.rar Infected: Trojan-Downloader.Win32.Small.hyt skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07640000.VBN RarSFX: infected - 5 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07640000.VBN CryptZ: infected - 5 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\075C0000.VBN/data.rar/keygen.exe Infected: Trojan-Downloader.Win32.Agent.dlu skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\075C0000.VBN/data.rar/patch.exe Infected: Trojan.Win32.Dialer.qn skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\075C0000.VBN/data.rar/crack.exe Infected: Trojan-Downloader.Win32.Small.exx skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\075C0000.VBN/data.rar/install.exe Infected: Trojan-Downloader.Win32.Small.hyt skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\075C0000.VBN/data.rar Infected: Trojan-Downloader.Win32.Small.hyt skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\075C0000.VBN RarSFX: infected - 5 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\075C0000.VBN CryptZ: infected - 5 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07800000.VBN/data.rar/keygen.exe Infected: Trojan-Downloader.Win32.Agent.dlu skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07800000.VBN/data.rar/patch.exe Infected: Trojan.Win32.Dialer.qn skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07800000.VBN/data.rar/crack.exe Infected: Trojan-Downloader.Win32.Small.exx skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07800000.VBN/data.rar/install.exe Infected: Trojan-Downloader.Win32.Small.hyt skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07800000.VBN/data.rar Infected: Trojan-Downloader.Win32.Small.hyt skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07800000.VBN RarSFX: infected - 5 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07800000.VBN CryptZ: infected - 5 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08100000.VBN Infected: Trojan-Downloader.Win32.AutoIt.aa skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0BEC0000.VBN Infected: Backdoor.Win32.PcClient.wi skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0BEC0001.VBN Infected: Backdoor.Win32.PcClient.wi skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0E780002.VBN Infected: Trojan-Downloader.Win32.Agent.bnm skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0A900000.VBN Infected: Trojan-Downloader.Win32.Diehard.dr skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0A940000.VBN Infected: Trojan-Downloader.Win32.Agent.dpe skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0A940001.VBN Infected: Trojan-Dropper.Win32.Agent.eii skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\01880000.VBN Infected: Trojan-Dropper.Win32.Agent.eii skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\075C0001.VBN Infected: Trojan-Dropper.Win32.Agent.eii skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\09A80000.VBN Infected: Trojan-Dropper.Win32.Agent.eii skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\09C40000.VBN Infected: Trojan-Dropper.Win32.Agent.eii skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07780001.VBN Infected: Trojan-Dropper.Win32.Agent.eii skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07840000.VBN Infected: Trojan-Dropper.Win32.Agent.drt skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0A340000.VBN Infected: Email-Worm.Win32.Agent.e skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07FC0000.VBN Infected: Trojan.Win32.Agent.eub skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08400000.VBN Infected: Trojan-Downloader.Win32.Agent.hkb skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08400001.VBN Infected: Trojan-Downloader.Win32.Agent.hkb skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\srikanth 1\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\srikanth 1\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\srikanth 1\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\srikanth 1\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\srikanth 1\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\srikanth 1\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\srikanth 1\Local Settings\Temporary Internet Files\Content.IE5\LW8FHLK9\bind[1].htm Object is locked skipped
C:\Documents and Settings\srikanth 1\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Sriram.PER\Local Settings\Temporary Internet Files\Content.IE5\UZ0PAFMP\hotelsinmysore[1].htm Infected: Trojan-Downloader.JS.Psyme.me skipped
C:\System Volume Information\_restore{3E926ECA-535D-4481-A1B0-163BA2F37FB6}\RP12\A0004009.dll Infected: Trojan.Win32.Pakes.cdw skipped
C:\System Volume Information\_restore{3E926ECA-535D-4481-A1B0-163BA2F37FB6}\RP12\A0004010.exe Infected: Trojan-Downloader.Win32.Diehard.dx skipped
C:\System Volume Information\_restore{3E926ECA-535D-4481-A1B0-163BA2F37FB6}\RP12\A0004011.dll Infected: Trojan-Spy.Win32.Agent.bms skipped

---

Veka

Hi sairam49,

There are bad malware there; luckily most of them are in Norton quarantine. Before we deal with infected files on your computer, I'd like to warn about BitRoll. BitRoll is not safe BitTorrent client as it installs malware. For more information, click here. I recommend to uninstall BitRoll immediately.

I don't see a firewall running on your system. Please make sure the Windows built in firewall is on.


After that, please do the followings...

You may want to print out these instructions or save them as a text file with Notepad to your desktop.

Step 1:

Download these to your Desktop

• ATF Cleaner
• OTMoveIt2
• SUPERAntiSpyware

Step 2:

Run ATF Cleaner

• Double-click ATF-Cleaner.exe to run the program.
• Under Main choose: Select All
• Click the Empty Selected button.

If you use Firefox browser

• Click Firefox at the top and choose: Select All
• Click the Empty Selected button.
• NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

• Click Opera at the top and choose: Select All
• Click the Empty Selected button.
• NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Step 3:

Please do a system scan with HijackThis. Check the boxes next to all the entries listed below:

O2 - BHO: (no name) - {CDBE5296-452A-4C54-89A8-E8AADEF293C2} - C:\WINDOWS\system32\iaspolcye.dll (file missing)
O20 - Winlogon Notify: LogCrypt - LogCrypt.dll (file missing)
O20 - Winlogon Notify: WLCtrl32 - C:\WINDOWS\SYSTEM32\WLCtrl32.dll

Now close all windows other than HiJackThis, then click Fix Checked.

Close HiJackThis.

Step 4:

• Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
• Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
  

  C:\WINDOWS\system32\drivers\nkv2.sys
  C:\WINDOWS\system32\AppCert\prx99f.dll
  C:\WINDOWS\system32\AppCert\prx99g.dll
  C:\WINDOWS\system32\glock32.exe
  C:\WINDOWS\system32\WLCtrl32.dll
  C:\WINDOWS\Temp\BN38.tmp
  C:\Documents and Settings\Sriram.PER\Local Settings\Temporary Internet Files\Content.IE5\UZ0PAFMP\hotelsinmysore[1].htm
  

• Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
• Click the red Moveit! button.
• A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
• Close OTMoveIt2

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Step 5:

Finally, scan your computer with SUPERAntiSpyware

• Double-click SUPERAntiSpyware.exe and use the default settings for installation.
• An icon will be created on your desktop. Double-click that icon to launch the program.
• If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
• Under "Configuration and Preferences", click the Preferences button.
• Click the Scanning Control tab.
• Under Scanner Options make sure the following are checked (leave all others unchecked):
  • Close browsers before scanning.
  • Scan for tracking cookies.
  • Terminate memory threats before quarantining.
• Click the "Close" button to leave the control center screen.
• Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
• On the left, make sure you check C:\Fixed Drive.
• On the right, under "Complete Scan", choose Perform Complete Scan.
• Click "Next" to start the scan. Please be patient while it scans your computer.
• After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
• Make sure everything has a checkmark next to it and click "Next".
• A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
• If asked if you want to reboot, click "Yes".
• To retrieve the removal information after reboot, launch SUPERAntispyware again.
  • Click Preferences, then click the Statistics/Logs tab.
  • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
  • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
  • Please copy and paste the Scan Log results in your next reply.
• Click Close to exit the program.

Step 6:

Please post the SUPERAntiSpyware log, along with a new HijackThis.

sairam49

Dear Vekarppe,
I will check about the firewall and put it on. I will do as per your instructions, and come back to you with the postings.
Thanks for great help,
regards,
Sairam

sairam49

Dear Vekarppe,
I did further checks as per your instructions and I present them here. Before that I would like to inform you that I have installed and cleaned virus using Kaspersky, since in the first online check lot og virus was found.

I used ATF Cleaner. I did a system scan with HijackThis. Checked the boxes next to all the entries listed and fixed them. Then I ran OTMoveIt2, copied the file paths and asked for movement. It's log file is appended here. It did not find files to move because of prior cleanup by Kaspersky probably.
Then I scanned the computer with SUPERAntiSpyware. It's log file is added here.
Finally I have run HijackThis, and I am posting it's log file.
After all this, the problem has gone from my pc and I only hope that it does not reappear. What is your further advice? I request you to givr me tips to keep my pc healthy in future. I once again thank you for all the help given.

---

File/Folder C:\WINDOWS\system32\drivers\nkv2.sys not found.
File/Folder C:\WINDOWS\system32\AppCert\prx99f.dll not found.
File/Folder C:\WINDOWS\system32\AppCert\prx99g.dll not found.
File/Folder C:\WINDOWS\system32\glock32.exe not found.
File/Folder C:\WINDOWS\system32\WLCtrl32.dll not found.
File/Folder C:\WINDOWS\Temp\BN38.tmp not found.
File/Folder C:\Documents and Settings\Sriram.PER\Local Settings\Temporary Internet Files\Content.IE5\UZ0PAFMP\hotelsinmysore[1].htm not found.

OTMoveIt2 by OldTimer - Version 1.0.21 log created on 03152008_181458

---

SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 03/15/2008 at 08:12 PM
Application Version : 4.0.1154
Core Rules Database Version : 3412
Trace Rules Database Version: 1404
Scan type : Complete Scan
Total Scan Time : 01:33:48
Memory items scanned : 349
Memory threats detected : 0
Registry items scanned : 6210
Registry threats detected : 0
File items scanned : 25013
File threats detected : 1
Trojan.VXGame-Gen
C:\WINDOWS\SYSTEM32\DLH9JKD1Q8.EXE

---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:57:17 PM, on 3/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
D:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
D:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
N:\spyware removal\downloader menace\download menace1\hijackThis\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.defaulthomepage.info
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: HP Smart Web Printing 1.0 - {AE84A6AA-A333-4B92-B276-C11E2212E4FE} - D:\Program Files\HP\Smart Web Printing\SmartWebPrinting.dll
O2 - BHO: QUICKfind BHO Object - {C08DF07A-3E49-4E25-9AB0-D3882835F153} - C:\PROGRA~1\TEXTware\QUICKF~1\PlugIns\IEHelp.dll
O2 - BHO: WebManager Class - {D5792AA9-D373-4039-8670-2CDAB6A71F15} - d:\Program Files\BitGrabber\TorrentManager.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [vptray] D:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - d:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - d:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{64877DEC-856C-49C9-9DAF-B7436DFDE9B7}: NameServer = 202.144.105.4,202.144.10.50
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: MacDrive-iTunes compatibility - C:\Program Files\Common Files\Mediafour\MacDriveiTunesPatch.dll
O23 - Service: DefWatch - Symantec Corporation - D:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - D:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe
--
End of file - 5094 bytes

---

Thanks,
Sairam

Veka

Hi sairam49,

That's good to hear! Very well done.

Step 1:

SUPERAntiSpyware found one trojan:

C:\WINDOWS\SYSTEM32\DLH9JKD1Q8.EXE

Please find and remove this file, if it's present (remember empty the trash can after deleting).

Step 2:

Your Java is out of date.

Older versions have vulnerabilities that malicious sites can use to infect your system.

Please follow these steps to remove older version Java components and update:

• Download the latest version of Java Runtime Environment (JRE) 6 Update 5 and save it to your desktop.
• Scroll down to where it says "JJava Runtime Environment (JRE) 6 Update 5...allows end-users to run Java applications".
• Click the "Download" button to the right.
• Read the License Agreement and then check the box that says: "Accept License Agreement". The page will refresh.
• Click on the link to download Windows Offline Installation and save the file to your desktop.
• Close any programs you may have running - especially your web browser.
• Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
• Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
• Click the Remove or Change/Remove button.
• Repeat as many times as necessary to remove each Java versions.
• Reboot your computer once all Java components are removed.
• Then from your desktop double-click on jre-6u4-windows-i586-p.exe to install the newest version.

Step 3:

I don't see a firewall running.

It is critical that you use a firewall to protect your computer from hackers. We don't recommend the firewall that comes built into Windows. It doesn't block everything that may try to get in, it doesn't block anything at all outbound, and the entire firewall is written to the registry. Since most malware accesses the registry and can disable the Windows firewall, it's preferable to install one of these excellent third party solutions:

Comodo
Zone Alarm
Sunbelt Kerio PF

Step 4:

Next we remove all used tools.

• Double-click OTMoveIt2.exe.
• Click the CleanUp! button.
• Select Yes when the "Begin cleanup Process?" prompt appears.
• If you are prompted to Reboot during the cleanup, select Yes.
• The tool will delete itself once it finishes, if not delete it by yourself.

Note: If you receive a warning from your firewall or other security programs regarding OTMoveIt2 attempting to contact the internet, please allow it to do so.

---

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Clean up System Restore

You can find instructions on how to disable and enable System Restore from these guides:

Disable And Enable System Restore
Windows XP System Restore Guide

Make Your Internet Explorer More Secure

This can be done by following these simple instructions:

• From within Internet Explorer click on the tools menu and then click on Options
• Click once on the "Security" tab
• Click once on the "Internet" icon so it becomes highlighted
• Click once on the Custom Level button.
  • Change the "Download signed ActiveX" controls to Prompt
  • Change the "Download unsigned ActiveX" controls to Disable
  • Change the "Initialize and script ActiveX controls" not marked as safe to Disable
  • Change the "Launching programs and files in an IFRAME" to Prompt
  • Change the "Navigate sub-frames across different domains" to Prompt
  • When all these settings have been made, click on the OK button.
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
• Next press the Apply button and then the OK to exit the Internet Properties page.

Note that Internet Explorer is not the most secure browser. There are safer (and better) alternatives available like Opera and Firefox.

Keep Your System Up to date

It is imperative that you keep your Windows, Antivirus, and other softwares up to date. Otherwise you are not protected against new threats and your system is vulnerable and unsafe. Update your Antivirus software at least once a week, and visit Microsoft Windows Update site regularly.

Install SpywareBlaster

SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware, Hijackers, and Malware

Additional Utilities and Tips to Enhance Your Safety

• MVPS Hosts file --- The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
• Comodo BOCLEAN --- Stop identity thieves from getting personal information. Instantly detects well over 1,000,000 unique, variant and repack malware in total. And it's free.
• Winpatrol --- Download and install the free version of Winpatrol. A tutorial for this product is located here: Using Winpatrol to protect your computer from malicious software

Get more knowledge about how to protecet your computer and prevent malware issues by reading these short articles:

• How to prevent Malware by miekiemoes
• So How Did I Get Infected In First Place by Tony Klein
• Ten Commandments for Your Computer Sanity by BitDefender

Happy surfing and stay clean!

sairam49

Dear Vekarppe,
I saw your prompt reply. I will take print of this and follow the instructions and will come back to you soon. Windows security center tells me that the firewall is enabled. However I will put one of the firewalls you recommended.
Thanks for the timely help, I am able to work on the pc now without problem. I will follow the hints from you to keep my computer clean.
regards,
Sairam

Veka

You're welcome, sairam49. Glad I could help.

sairam49

Dear Vekarppe,

I could not get Comodo BOCLEAN, because on download 1KB file comes and it is not useful for installation. Is there any other alternate site from where I can download it? Can you please suggest.
Regards,
Sairam

Veka

Yea there is. Please try this one

http://www.majorgeeks.com/Comodo_BOClean_Anti-Malware_d5616.html

If you do not have any more questions or problems, this thread will be archived.

sairam49

Dear Vekarppe,

I could download Comodo BOC after logging in as Administrator.
You have totally helped me in solving my download menace problem. I think that I have no further questions. I thank once again for the good help from you.
Regards,
Sairam

Veka

Thank you