Is this spyware, virus or OK?

As Boccemon said, that tutorial, while a bit long should fix your problem. If it does NOT please upload a Hijack This logfile.

 

There you go! Nice work. I think your smarter then you give yourself credit for.

Yes, what we really need now to see whats going on is a Hijack This log file. Basically, download it, extract it to its own directory (C:\ProgramFiles\HijackThis for example), press scan, then save log and save as a txt file like hijack.txt. In this thread choose manage attachments and upload it.

If any of this is confusing, just run it and copy and paste it here and I will take care of it from there. Think you can do that?

 

There are a few more problems. The biggest one is:
O4 - HKCU\..\Run: [Win32 USB2 Driver] svchosting.exe

This is WORM_SDBOT.HU see the below link:

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SDBOT.HU&VSect=T

Kill the below process with Task Manager (CTRL-ALT-DEL):
svchosting.exe

Then fix the above O4 line with HJT. The boot into safe mode and delete
c:\windows\system32\svchosting.exe

Do you use this P2P Networking stuff? I believe it usually comes along with Kazaa. I always remove this. Go to Add/Remove Programs and uninstall it.

Also kill this process:
winmep.exe

Then have HJT fix the following lines:
O4 - HKLM\..\Run: [Windows Firewall Security] winmep.exe
O4 - HKLM\..\RunServices: [Windows Firewall Security] winmep.exe
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)

Reboot in safe mode and delete
C:\WINDOWS\System32\winmep.exe

 

Yes, the work very hard at deception. It is really mind boggling!

 

Does it say Majorgeeks on that hat?

 

LOL!!


Lori_mom,

Don't let all this distract you. Go back to messages #8 & #9 and perform the steps given.

 

What warnings are you getting?

You did not uninstall P2P Networking as I suggested. Is there a reason for that?

This line is new to your current log:
O17 - HKLM\System\CCS\Services\Tcpip\..\{888BA9D0-DFC3-487C-A438-C554467C471F}: NameServer = 216.248.102.2 216.148.102.1

Where did it come from? Do you recognize the owner of the IP address? Is it you ISP?
216.248.102.2 = [ mail.mepotelco.net ]
OrgName: netINS Inc.
OrgID: IOWA
Address: 312 8th Street
City: Des Moines
StateProv: IA
PostalCode: 50309
Country: US
NetRange: 216.248.64.0 - 216.248.127.255
CIDR: 216.248.64.0/18
NetName: NETINS-BLK6
NetHandle: NET-216-248-64-0-1
Parent: NET-216-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.NETINS.NET
NameServer: NS2.NETINS.NET
Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate: 1999-10-26
Updated: 2000-05-01
TechHandle: INS-NOC-ARIN
TechName: netINS Network Operations Center
TechPhone: 1-800-205-1110
TechEmail: noc@netins.net

 

Yes the O17 line is for your ISP. If you take a look at the text I added, the IP address is 216.248.102.2 = [ mail.mepotelco.net ]

So if you removed the P2P Networking stuff you should be clean now. How is everything working?

 

No that should be it but you could take a look at a new HJT log yourself and make sure it is gone.

And you're welcome.