• Download DDS by sUBs from one of the following links. Save it to your desktop.
  • DDS.scr
  • DDS.pif
• Double click on the DDS icon, allow it to run.
• A small box will open, with an explaination about the tool. No input is needed, the scan is running.
• Notepad will open with the results.
• Follow the instructions that pop up for posting the results.
• Close the program window, and delete the program from your desktop.

1. I will start working on your malware issues, this may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. The process is not instant. Please continue to review my answers until I tell you your machine is clean. Just because a symptom disappears does not mean your system is clean.
4. Please set aside enough time to complete all the steps in each post and follow the instructions in the order stated.
5. Please don't run any extra scans or fix programs not requested by me as it could change the results in the reports I request.
6. If there's anything that you don't understand, stop and ask your question(s) before proceeding with the fixes.
7. After 5 days if a topic is not replied to we assume it has been abandoned and it is closed. If you have circumstances that you are aware of that will delay your response, then please let me know. This is to ensure that your topic remains open and I don't close it to start a new post.
   NOTE: In the upper right hand corner of the topic you will see a button called Options. If you click on this button, a drop-down menu will expand. By choosing Track this topic and then choosing Immediate Email Notification, followed by clicking Proceed, you will be advised when I respond to your topic. This facilitates the cleaning procedure.
8. Please reply to this thread. Do not start a new topic.

One or more of the identified infections is a backdoor trojan. Such a piece of malware allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to immediately disconnect this PC from the Internet and from your network if it is on a network. Disconnect the infected computer from the Internet until the computer can be cleaned. Then, access this information from a non-compromised computer to follow the steps needed.
If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable. Do NOT change passwords or do any transactions while using the infected computer because the attacker may get the new passwords and transaction information. It would be wise to contact those same financial institutions to apprise them of your situation. To protect your information that may have been compromised, I recommend reading this reference: How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?.

Though the backdoor has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with such a piece of malware, the best course of action would be a reformat and reinstall of the OS. This is something I don't like to recommend normally, but in most cases it is the best solution for your safety. Making this decision is based on what the computer is used for, and what information can be accessed from it. For more information, please read this reference very carefully: When should I re-format? How should I reinstall?.
If you choose to format and reinstall, see this link for instructions: Reformat Hard Drive FAQ for Windows 95/98/Me/XP.

However, if you do not have the resources to reinstall your computer and would like me to attempt to clean it, I will be happy to do so. But please consider carefully before deciding against a reformat. If you do make that decision, I will do my best to help you disinfect your PC, but you must understand that once a machine has been taken over by this type of malware, I cannot guarantee that it will be 100% secure even after disinfection.

Please let me know what you have decided to do in your next post. Should you have any questions, please feel free to ask.
Below are some more links that could help you decide what to do.

Security Management - May 2004:
Help: I Got Hacked. Now What Do I Do?

Security Management - July 2004:
Help: I Got Hacked. Now What Do I Do? Part II

• They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and trojans spread across P2P file sharing networks, gaming and underground sites.
• Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious flash ads that install viruses, trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.

• Viewpoint Manager (Remove Only)
• Viewpoint Media Player
• Viewpoint Toolbar

1. Please download ComboFix from any of the links below and save it to your Desktop.
   Download ComboFix (ComboFix.exe) - #1
   Download ComboFix (ComboFix.exe) - #2
   Download ComboFix (ComboFix.exe) - #3
2. VERY IMPORTANT: Close/Disable all running antivirus, antimalware and firewall programs as they may interfere with the proper running of ComboFix. Click on this link to see a list of programs that should be disabled. NOTE: This list is not all-inclusive. If yours is not listed and you do not know how to disable it, please ask.
3. Double-click ComboFix.exe and follow the prompts.
   
   As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it is strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
4. Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
   NOTE: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
   
   Once installed, you should see a screen prompt that says: "The Recovery Console was successfully installed." Please continue as follows:
5. Click Yes to allow ComboFix to continue scanning for malware.
   NOTE: Do not mouseclick ComboFix's window whilst it's running. That may cause your system to hang!
6. When finished, ComboFix shall produce a log for you (located at C:\ComboFix.txt); post the entire contents of that report in your next reply for further review, and so we may continue cleansing the system.

• C:\ComboFix.txt
• a new DDS log

QUOTE(Cryogen476 @ Jul 14 2009, 12:11 AM)

1. Please download SystemLook from one of the links below and save it to your Desktop.
   Download SystemLook (SystemLook.exe) - Mirror #1
   Download SystemLook (SystemLook.exe) - Mirror #2
2. Close all applications and windows so that you have nothing open and are at your Desktop.
3. Double-click SystemLook.exe to run SystemLook.
4. Copy the entire contents inside the CODE box below into the box provided:
   
   CODE
   :dir
   c:\documents and settings\All Users\Application Data\91844206 /s
   c:\documents and settings\All Users\Application Data\11834214 /s
   
   :filefind
   grpconv.exe
5. Click the Look button to start the scan.
   When finished, a Notepad window will open with the results of the scan.
6. Please post the entire contents of the created log in your next reply.
   NOTE: The log can be found on your Desktop entitled SystemLook.txt.

1. Close any open browsers/windows.
2. VERY IMPORTANT: Close/Disable all running antivirus, antimalware and firewall programs as they may interfere with the proper running of ComboFix. Click on this link to see a list of programs that should be disabled. NOTE: The list is not all-inclusive. If yours is not listed and you do not know how to disable it, please ask.
3. Click Start > Run and in the box that opens type Notepad and press Enter.
4. Copy the entire contents inside the CODE box below into Notepad - don't use any other text editor than Notepad or the script will fail.
   
   CODE
   DDS::
   uStart Page = hxxp://www.toggle.com/en/index.php?rvs=hompag&d=79919289
   
   Driver::
   hyittokh
   
   Folder::
   c:\documents and settings\Rohin\Application Data\uTorrent
   
   File::
   c:\windows\system32\rn.tmp
   c:\windows\system32\taskmgrþ.exe
   c:\windows\system32\drivers\hyittokh.sys
   
   Registry::
   [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
   "%windir%\\system32\\sessmgr.exe"=-
   "c:\\Documents and Settings\\Rohin\\My Documents\\DL\\utorrent.exe"=-
   "c:\\WINDOWS\\system32\\cmd.exe"=-
   "c:\\WINDOWS\\system32\\wuauclt.exe"=-
   "c:\\WINDOWS\\system32\\taskmgr.exe"=-
   "c:\\WINDOWS\\system32\\drwtsn32.exe"=-
   "c:\\WINDOWS\\system32\\dwwin.exe"=-
   "c:\\WINDOWS\\system32\\netsh.exe"=-
   WARNING: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!
5. Click File > Save and save as CFScript.txt in the same location as ComboFix.exe.
6. 
   Referring to the picture above, drag CFScript.txt on top of ComboFix.exe. This will start ComboFix again.
   NOTE: Do not mouseclick ComboFix's window whilst it's running. That may cause your system to hang!
7. When finished, ComboFix shall produce a log for you at C:\ComboFix.txt; please post the entire contents of that report in your next reply for further review.

• the SystemLook.txt log file (located on the Desktop)
• C:\ComboFix.txt
• the DDS.txt and Attach.txt log files

1. Have you installed the Serv-U FTP Server program yourself and do you use it?
2. Do you know to what this shortcut points: c:\program files\Shortcut to white.lnk. Please navigate to C:\Program Files and right-click the Schortcut to white.lnk file. Please tell me what's listed there.

QUOTE(Cryogen476 @ Jul 15 2009, 07:16 PM)

QUOTE(Trend Micro)
Cracking applications are used for illegally breaking (cracking) various copy-protection and registration techniques used in commercial software. These programs may be distributed via Web sites, Usenet, and P2P networks.
REFERENCE: Trend Micro - CRCK_KEYGEN.BB


QUOTE(Trend Micro)
...warez and crack web pages are being used by cybercriminals as download sites for malware related to VIRUT and VIRUX. Searches for serial numbers, cracks, and even antivirus products like Trend Micro yield malcodes that come in the form of executables or self-extracting files...quick links in these sites also lead to malicious files. Ads and banners are also infection vectors...
REFERENCE: Crack Sites Distribute VIRUX and FakeAV | Malware Blog | Trend Micro.

1. Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your Desktop:
   • Go to http://java.sun.com/javase/downloads/index.jsp.
   • Scroll down to where it says "Java SE Runtime Environment (JRE) JRE 6 Update 14".
   • Click the Download button to the right.
   • Select your Platform: "Windows".
   • Select your Language: "Multi-language".
   • Review the License Agreement, and if you agree check the box that says: "I agree to the Java SE Runtime Environment 6u14 with JavaFX1 License Agreement".
   • Click Continue and the page will refresh.
   • Click on the link to download the Windows Offline Installation and save the file to your Desktop.
2. Close all programs - especially your web browser - so that you have nothing open and are at your Desktop.
3. Go to Start > Control Panel, double-click Add or Remove Programs and uninstall all older versions of Java (by clicking the Remove or Change/Remove button next to each item and following the on-screen instructions for the Java uninstaller):
   J2SE Runtime Environment 5.0 Update 10
   J2SE Runtime Environment 5.0 Update 6
   J2SE Runtime Environment 5.0 Update 9
   Java™ 6 Update 2
   Java™ 6 Update 3
   Java™ SE Runtime Environment 6 Update 1
4. Reboot your computer once all Java components are removed.
5. From your Desktop, double-click the jre-6u14-windows-i586-p.exe file.
6. Follow the on-screen instructions to install the latest Java version.

1. Close any open browsers/windows.
2. VERY IMPORTANT: Disable all running antivirus, antimalware and firewall programs as they may interfere with the proper running of ComboFix. Click on this link to see a list of programs that should be disabled. NOTE: The list is not all-inclusive. If yours is not listed and you do not know how to disable it, please ask.
3. Click Start > Run and in the box that opens type Notepad and press Enter.
4. Copy the entire contents inside the CODE box below into Notepad - don't use any other text editor than Notepad or the script will fail.
   
   CODE
   DDS::
   TB: Viewpoint Toolbar: {f8ad5aa5-d966-4667-9daf-2561d68b2012} - c:\program files\common files\viewpoint\toolbar runtime\3.9.0\IEViewBar.dll
   
   Driver::
   Viewpoint Manager Service
   
   Folder::
   c:\documents and settings\All Users\Application Data\91844206
   c:\documents and settings\All Users\Application Data\11834214
   c:\program files\viewpoint
   c:\program files\common files\viewpoint
   c:\documents and settings\All Users\Application Data\Viewpoint
   
   Registry::
   [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
   "c:\\WINDOWS\\system32\\dpvsetup.exe"=-
   
   FCopy::
   C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\grpconv.exe | c:\windows\system32\grpconv.exe
   WARNING: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!
5. Click File > Save and save as CFScript.txt in the same location as ComboFix.exe.
6. 
   Referring to the picture above, drag CFScript.txt on top of ComboFix.exe. This will start ComboFix again.
   NOTE: Do not mouseclick ComboFix's window whilst it's running. That may cause your system to hang!
7. When finished, ComboFix shall produce a log for you at C:\ComboFix.txt; please post the entire contents of that report in your next reply for further review.

1. Please make sure that you can view all hidden files. Instructions on how to do this can be found here: How to see hidden files in Windows.
2. Please go to VirSCAN.org: http://virscan.org/.
3. When the VirSCAN.org page has finished loading, click the Browse... button at the top and navigate to the following file if it is present and click Submit:
   c:\windows\system32\grpconv.exe
4. Please be patient as the file will be scanned.
5. Please post back the results of the scan in your next post.
   
   NOTE: In case VirSCAN.org is busy, try the same at Jotti's malware scan (http://virusscan.jotti.org/) or VirusTotal.com (http://www.virustotal.com/).

Please download ATF Cleaner by Atribune and save it to your Desktop.
Download ATF Cleaner (ATF-Cleaner.exe)

Perform a cleanup as follows:

• Double-click ATF-Cleaner.exe to run the program.
• Under the Main tab (at the top of the screen) - Select Files to Delete, put a checkmark in the checkbox labelled "Select All".
• Click on the Empty Selected button.

If you use the Mozilla Firefox browser:

• Click on the Firefox tab at the top and put a checkmark in the checkbox labelled "Select All".
• Click on the Empty Selected button. NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use the Opera browser:

• Click on the Opera tab at the top and put a checkmark in the checkbox labelled "Select All".
• Click on the Empty Selected button. NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click the Exit button on the Main menu to close the program.
For technical support, double-click the e-mail address located at the bottom of each menu.

1. Please visit the Kaspersky Online Scanner website.
2. Click on the Accept button and install any components it needs.
   The program will install and then begin downloading the latest definition files. NOTE: It takes a while, so please be patient and let it finish.
3. After the files have been downloaded, on the left side of the page click the Settings button and make sure all checkboxes are checked.
4. On the left side of the page under the "Scan" section select My Computer.
   The program will start and scan your system. NOTE: The scan will take a while, so be patient and let it run.
5. Once the scan is complete, click on View scan report.
6. Now, click on the Save Report as button.
7. Change the "Files of Type" dropdown box to "Text Files" in order to save the scan results as a text file.
8. Enter a memorable filename.
9. Save the file to your Desktop.
10. Copy and paste that information in your next post.

• C:\ComboFix.txt
• the VirSCAN scan results
• the Kaspersky Online Scanner report
• a fresh DDS.txt log file

1. Close any open browsers/windows so that you have nothing open and are at your Desktop.
2. VERY IMPORTANT: Disable all running antivirus, antimalware and firewall programs as they may interfere with the proper running of ComboFix. Click on this link to see a list of programs that should be disabled. NOTE: This list is not all-inclusive. If yours is not listed and you do not know how to disable it, please ask.
3. Go to Start -> Run... and in the "Open:" box that opens type Notepad and press Enter.
4. Copy the entire contents inside the CODE box below into Notepad (do NOT copy the word "CODE"!) - don't use any other text editor than Notepad or the script will fail.
   CODE
   http://www.bleepingcomputer.com/forums/topic237845.html
   
   Collect::[25]
   C:\WINDOWS\pss\realshed.exeStartup
   
   File::
   c:\documents and settings\Rohin\Start Menu\Programs\Startup\realshed.exe
   
   Registry::
   [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^Rohin^Start Menu^Programs^Startup^realshed.exe]
   WARNING: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!
5. Go to File -> Save and save as CFScript.txt in the same location as ComboFix.exe.
6. Referring to the picture below, drag CFScript.txt on top of ComboFix.exe. This will start ComboFix again.
   
   NOTE: Do NOT mouseclick ComboFix's window whilst it's running. That may cause your system to hang!
7. When finished, ComboFix shall produce a log for you at C:\ComboFix.txt. Please post the entire contents of that report in your next reply for further review.
8. The ComboFix log will open along with a message box - do NOT be alarmed: with the above script, ComboFix will capture a file to submit for analysis. Ensure you are connected to the Internet and click OK on the message box. A browser will open. Simply follow the instructions to copy/paste/send the requested file.

1. Download Malwarebytes' Anti-Malware (MbAM) from one of the download links below and save it to your Desktop.
   • Download MbAM
   • Download MbAM - alternate download link #1
   • Download MbAM - alternate download link #2
   IMPORTANT: MbAM may "make changes to the registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e., Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
2. Make sure you are connected to the Internet.
3. Double-click on mbam-setup.exe to install the application.
4. When the installation begins, follow the prompts and do not make any changes to default settings.
5. When installation has finished, make sure you leave both of these checked:
   • Update Malwarebytes' Anti-Malware
   • Launch Malwarebytes' Anti-Malware
6. Click Finish.
   MBAM will automatically start and you will be asked to update the program before performing a scan.
7. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
   NOTE: If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
8. On the Scanner tab, make sure the "Perform quick scan" option is selected; then click on the Scan button.
9. If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
   The scan will begin and "Scan in progress (Scan type: Quick Scan)" will show at the top. It may take some time to complete, so please be patient.
10. When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found."; click OK to close the message box and continue with the removal process.
11. Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
12. Make sure that everything is checked, and click Remove Selected.
    When removal is completed, a log report will open in Notepad. The log is automatically saved and can be viewed by clicking the Logs tab in MbAM.
13. Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
14. Exit MbAM when done.
    
    NOTE: If MbAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MbAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into Safe Mode) will prevent MbAM from removing all the malware.

• C:\ComboFix.txt
• the MbAM report
• a new DDS.txt log