You have a Trojan that is installed without your permission:
Trojan.Ruins.B, Trojan.Win32.Agent.afi
MicroBillSys is a program used for processing payments for websites, typically sites with adult content. The program displays bills in the form of pop-ups that cover a large portion of the screen and demand payment.
Add. Description MicroBillSys has no uninstaller and does not appear in the Control Panel's Add/Remove applet. The files are installed in a system folder, typically System32 in Windows XP. The processes mbssm32.exe and mbsrm32.exe appear to guard each other and cannot be terminated by normal means. MicroBillSys modifies the Windows registry to ensure that its processes start each time Windows boots up. MicroBillSys has been installed by dubious means without user knowledge and consent in some cases. The website sexxxpassport.com uses MicroBillSys for payment, but the the behavior of the software is not fully disclosed and no EULA is displayed during installation. MicroBillSys processes frequently attempt to contact auth.MicroBillSys.com using port 1003.
Try using these programs when the procedure below instructs. Be sure they are updated prior to doing the procedure. You can use other programs like your Antivirus or Antispyware you have on your computer.
Download and Update Ewido (now called the AVG Antispyware). Do not run:
http://www.ewido.net/en/download/...
AVG Anti-Rootkit
http://www.grisoft.com/doc/download-free...
TEMPORARILY SHOW HIDDEN FILES AND FOLDERS.
1. Click Start, and then click Control Panel.
2. Click Appearance and Themes, and then click Folder Options.
3. On the View tab, under Hidden files and folders, click "Show hidden files and folders", and clear(uncheck) the "Hide protected operating system files" check box.
IMPORTANT: Files are hidden by Windows for a very good reason. It is not wise to experiment with these files. Unfortunately, to successfully remove modern spyware we must turn this protection off temporarily. Please turn the protection back on when you have finished cleaning your system.
EMPTY INTERNET EXPLORER BROWSER CACHE:
1. On the Internet Explorer Tools menu, click Internet Options.
2. On the General tab, in the Temporary Internet Files section, click the Delete Files button. Select the Delete all offline content check box in the confirmation dialogue box that appears, click OK. Click OK again.
RESTART IN SAFE MODE:
To do this you need to hold down or repeatedly tap the F8 key while the computer is booting (when the computer is displaying a black screen with white text). When the boot menu appears, use your keyboard arrows to select "Safe Mode."
Safe Mode can look quite ugly. The color may look bad, and all of your desktop icons will be very large. This is normal.
START THE SCAN WITH YOUR PROGRAM(S).
When the scan and removal are completed REBOOT COMPUTER. This will restart you in normal mode.
RESET HIDDEN FILES AND FOLDERS.
The RESTORE POINTS may be infected with the Malware and cannot be used. Delete the old one(s) and make a new one.
CLEAR OLD RESTORE POINT(S). HERE'S HOW:
1. Click Start, and then click Control Panel.
2. Click Performance and Maintenance, click System, and then click on the System Restore tab.
3. Select the Turn Off System Restore check box, click Apply, then restart your computer.
4. Return to the System Restore Tab and turn System Restore back on.
TO SET A NEW RESTORE POINT:
1. Click the Start button.
2. Point to Programs, then navigate to Accessories, then System Tools, then click System Restore.
3. Choose Create a restore point, and then click Next.
4. In the Restore point description box, type a name for your restore point, and then click Next.
5. Click OK.
NOTE: If you are using Windows XP Service Pack 2 (SP2) and are unable to access the Internet after removing Malware, there is a command that may fix the problem. It works by resetting the winsock catalogue. Click on Start, then Run and type CMD in the box. Click OK. Type "netsh winsock reset" (no quotes)into the DOS window that appears.
