Everything posted by Starbuck
-
Site reaches agreement with Child Exploitation and Online Protection Centre. Facebook has agreed to the placing of an alert button on users' profile pages following months of discussions with the Child Exploitation and Online Protection Centre (CEOP). The button, which Facebook had resisted for some time, can be used by young people to report inappropriate behaviour on the social networking site. CEOP said that Facebook users of all ages, but particularly those aged between 13 and 18, will benefit from the button, which links to help and information from CEOP. "Our dialogue with Facebook about adopting the ClickCEOP button is well documented, but today is a good day for child protection," said CEOP chief executive Jim Gamble. "By adding this application, Facebook users will have direct access to all the services that sit behind our ClickCEOP button which should provide reassurance to every parent with teenagers on the site." Pressure on Facebook to introduce greater protection for its younger users increased earlier this year when it emerged that murdered teenager Ashleigh Hall had met her killer on the site. Source: Facebook finally adds panic button - V3.co.uk - formerly vnunet.com
-
Hi CJ,

I've split your post away from the other thread. It's much easier to answer in your own thread and stops confusion.

It's becoming more common for legit sites to be targeted by the bad guys. It sounds as if this has happened here. It's hard to say without getting info from the infected PC, but these would be the instructions for AV Soft (it should work for most of these ransomware infections).

Step 1
Please reboot your computer in Safe Mode with Networking by doing the following:
* Restart your computer.
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually.
* Instead of Windows loading as normal, a menu with options should appear. You will need to use the keyboard arrow keys to navigate this menu.
* Select the option to run Windows in Safe Mode with Networking, then press "Enter".
* Then choose your usual account.

Step 2
Start Internet Explorer, and when the program is open, click on the Tools menu and then select Internet Options.
Click on the Connections tab.
Click on the LAN Settings button.
Under the Proxy Server section, please uncheck the checkbox labeled "Use a proxy server for your LAN".
Then press the OK button to close this screen.
Then press the OK button to close the Internet Options screen.
Internet Explorer should now work. Or you can use Firefox to complete the next few steps.

Step 3
Please download Rkill and save it to your Desktop.
Run the tool by clicking on it.
If you get a message that Rkill is an infection, do not be concerned. This message is just a fake warning given by Antivirus Soft when it terminates programs that may potentially remove it.
If you run into these infection warnings that close Rkill, a trick is to leave the warning on the screen and then run Rkill again. By not closing the warning, this typically will allow you to bypass the malware trying to protect itself so that Rkill can terminate Antivirus Soft.
If the malware is persistent, you may have to run Rkill a number of times.
When it has finished, the black window will automatically close and you can continue with the next step.

Note: Please do not reboot your system until you have completed the following step, or the malware will restart itself.

Step 4
Please download Malwarebytes Anti-Malware and save it to your desktop.
* Make sure you are connected to the Internet.
* Double-click on Download_mbam-setup.exe to install the application.
* When the installation begins, follow the prompts and do not make any changes to default settings.
* When installation has finished, make sure you leave both of these checked:
  Update Malwarebytes' Anti-Malware
  Launch Malwarebytes' Anti-Malware
* Then click Finish.
* MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
* On the Scanner tab, make sure the "Perform Full Scan" option is selected. Then click on the Scan button.
* If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
* The scan will begin and "Scan in progress" will show at the top. It may take some time to complete, so please be patient.
* When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
* Click OK to close the message box and continue with the removal process.
* Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
* Make sure that everything is checked, and click Remove Selected.
* When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer (see Note below).
* The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
* Copy and paste the contents of that report in your next reply and exit MBAM.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Let me know how things go.
-
Thanks for the assistance Goku.

Hi iceburg,

You haven't said what OS you are using, or what you have run to try and combat this.
Let's see if we can get some extra info here:

Download OTL to your desktop. Right click on the link and select 'Save Link/Target As'. If you have problems, try this download link: OTL
* Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
* When the window appears, underneath Output at the top change it to Minimal Output.
* Check the boxes beside LOP Check and Purity Check.
http://img.photobucket.com/albums/v708/starbuck50/new/newOtl2.png
* Now copy the lines in bold below.

netsvcs
msconfig
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
nvrd32.sys
symmpi.sys
adp3132.sys
/md5stop
%systemroot%\*. /mp /s
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
CREATERESTOREPOINT

* Right click in the Custom Scans/Fixes window (under the blue bar) and choose Paste.
http://img.photobucket.com/albums/v708/starbuck50/new%20forum/scan-fix.png
* Click the Run Scan button.
http://img.photobucket.com/albums/v708/starbuck50/runscan.png
* Do not change any settings unless otherwise told to do so. The scan won't take long.
* When the scan completes, it will open two Notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
* Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply. If the reports are too large to post, add them as attachments.

Thanks
-
Hi again,

It would seem that you probably had a trial version of 'Norton' on the system and this has now been removed in favor of Avast. There's still a few Norton leftovers, so we'll remove those. The registry needs a little tidying up and your Java is out of date.

So, let's begin:

Step 1
Please go to the add/remove feature and remove the following program:
LiveUpdate (Symantec Corporation)

Step 2
Double click on OTL.exe to run it.
Copy the lines in the codebox below. (Make sure that :Otl is on the first line.)

:Otl
PRC - c:\Program Files (x86)\Symantec\LiveUpdate\AluSchedulerSvc.exe (Symantec Corporation)
SRV - (LiveUpdate) -- c:\Program Files (x86)\Symantec\LiveUpdate\LuComServer_3_4.EXE (Symantec Corporation)
SRV - (Automatic LiveUpdate Scheduler) -- c:\Program Files (x86)\Symantec\LiveUpdate\AluSchedulerSvc.exe (Symantec Corporation)
DRV:64bit: - (SymIMMP) -- C:\Windows\SysNative\DRIVERS\SymIM.sys File not found
DRV:64bit: - (SymIM) -- C:\Windows\SysNative\DRIVERS\SymIM.sys File not found
FF - HKLM\software\mozilla\Firefox\Extensions\\m3ffxtbr @mywebsearch.com: C:\Program Files (x86)\MyWebSearch\bar\firefox\
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (no name) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No CLSID value found.
O4:64bit: - HKLM..\Run: [NvCplDaemon] C:\Windows\system32\NvCpl.DLL File not found
O4:64bit: - HKLM..\Run: [NvMediaCenter] C:\Windows\system32\NvMcTray.DLL File not found
O4 - HKLM..\Run: [] File not found
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} http://download.divx.com/player/DivXBrowserPlugin.cab (Reg Error: Key error.)
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} http://games-uk.pogo.com/online2/pog...ploader_v5.cab (Reg Error: Key error.)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: CabBuilder http://kiw.imgag.com/imgag/kiw/toolb...lerControl.cab (Reg Error: Key error.)
O33 - MountPoints2\{d3f7e38d-1eee-11df-b7fc-001e68cbff03}\Shell - "" = AutoRun
O33 - MountPoints2\{d3f7e38d-1eee-11df-b7fc-001e68cbff03}\Shell\AutoRun\command - "" = H:\LaunchU3.exe -- File not found
O33 - MountPoints2\H\Shell - "" = AutoRun
O33 - MountPoints2\H\Shell\AutoRun\command - "" = H:\LaunchU3.exe -- File not found
[2010/07/10 12:40:06 | 000,000,000 | ---D | C] -- C:\Users\owner\AppData\Local\smhbbmgnl
[2010/07/01 09:27:58 | 000,020,480 | ---- | M] () -- C:\Users\owner\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
@Alternate Data Stream - 151 bytes -> C:\ProgramData\TEMP:B623B5B8
:commands
[emptytemp]
[purity]
[EMPTYFLASH]

Return to OTL, right click in the Custom Scans/Fixes window (under the blue bar) and choose Paste.
http://img.photobucket.com/albums/v708/starbuck50/new%20forum/scan-fix.png
Click the red Run Fix button.
http://img.photobucket.com/albums/v708/starbuck50/runfixbutton.png
OTL will reboot your system once the fix has completed. After the reboot, you may need to double click OTL to launch the program and retrieve the log.
Copy and paste the contents of the OTL log that comes up after the fix in your next reply.
If you lose the report, there will be a copy here: C:\_OTL\MovedFiles

Step 3
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. A malicious site could render Java content under older, vulnerable versions of Sun's software if the user has not removed them.
Please follow these steps to remove older version Java components and update:
* Download the latest version of Java Runtime Environment (JRE) 6 Update 21 and save it to your desktop.
* Scroll down to where it says "JDK 6 Update 21 (JDK or JRE)".
* Click the "Download JRE" button to the right.
* Select 'Windows x64' from the Platform down arrow.
* Read the License Agreement and then check the box that says: "Accept License Agreement". Click Continue. The page will refresh.
* Click on the link to download Windows Offline Installation and save the file to your desktop.
* Close any programs you may have running - especially your web browser.
* Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
* Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name:
  Java 6 Update 13
  Java 6 Update 2
  Java 6 Update 7
* Click the Remove or Change/Remove button.
* Repeat as many times as necessary to remove each Java version.
* Reboot your computer once all Java components are removed.
* Then from your desktop double-click on jre-6u21-windows-i586-p.exe to install the newest version.

In your next reply, please submit:
Otl fix report
and let me know of any problems with the system.

Thanks.
-
Hi helpless in miami,

If Internet Explorer is not working, it sounds like the malware has changed the proxy settings:

Step 1
Start Internet Explorer, and when the program is open, click on the Tools menu and then select Internet Options.
Click on the Connections tab.
Click on the LAN Settings button.
Under the Proxy Server section, please uncheck the checkbox labeled "Use a proxy server for your LAN".
Then press the OK button to close this screen.
Then press the OK button to close the Internet Options screen.
See if Internet Explorer works now.

Step 2
Let's take a good look at your system:

Download OTL to your desktop. Right click on the link and select 'Save Link/Target As'. If you have problems, try this download link: OTL
* Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
* When the window appears, underneath Output at the top change it to Minimal Output.
* Check the boxes beside LOP Check and Purity Check.
http://img.photobucket.com/albums/v708/starbuck50/new/newOtl2.png
* Now copy the lines in bold below.

netsvcs
msconfig
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
nvrd32.sys
symmpi.sys
adp3132.sys
/md5stop
%systemroot%\*. /mp /s
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
CREATERESTOREPOINT

* Right click in the Custom Scans/Fixes window (under the blue bar) and choose Paste.
http://img.photobucket.com/albums/v708/starbuck50/new%20forum/scan-fix.png
* Click the Run Scan button.
http://img.photobucket.com/albums/v708/starbuck50/runscan.png
* Do not change any settings unless otherwise told to do so. The scan won't take long.
* When the scan completes, it will open two Notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
* Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply.

Thanks
-
Avcentre virus. help please.
Starbuck replied to neversez's topic in Tech Support & Discussions Forum
Hi neversez and welcome to ExtremeTech.support - Free PC Help.

There are quite a few different variants of this type of malware:
AntiVirus7
AntiVirus Soft
Antivirus Suite
Cleanup AntiVirus
Personal Anti Malware Center
Security AntiVirus
Win Antispyware Center

From the description it sounds like one of these:
AntiVirus Soft
Antivirus Suite
Both of these will change the proxy settings to stop you from using the internet.... unless you pay for their product (which we don't want to do).

So let's go with that assumption:

Step 1
Please reboot your computer in Safe Mode with Networking by doing the following:
* Restart your computer.
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually.
* Instead of Windows loading as normal, a menu with options should appear. You will need to use the keyboard arrow keys to navigate this menu.
* Select the option to run Windows in Safe Mode with Networking, then press "Enter".
* Then choose your usual account.

Step 2
Start Internet Explorer, and when the program is open, click on the Tools menu and then select Internet Options.
Click on the Connections tab.
Click on the LAN Settings button.
Under the Proxy Server section, please uncheck the checkbox labeled "Use a proxy server for your LAN".
Then press the OK button to close this screen.
Then press the OK button to close the Internet Options screen.
Internet Explorer should now work. Or you can use Firefox to complete the next few steps.

Step 3
Please download Rkill and save it to your Desktop.
Run the tool by clicking on it.
If you get a message that Rkill is an infection, do not be concerned. This message is just a fake warning given by Antivirus Soft when it terminates programs that may potentially remove it.
If you run into these infection warnings that close Rkill, a trick is to leave the warning on the screen and then run Rkill again. By not closing the warning, this typically will allow you to bypass the malware trying to protect itself so that Rkill can terminate Antivirus Soft.
If the malware is persistent, you may have to run Rkill a number of times.
When it has finished, the black window will automatically close and you can continue with the next step.

Note: Please do not reboot your system until you have completed the following step, or the malware will restart itself.

Step 4
Please download Malwarebytes Anti-Malware and save it to your desktop.
* Make sure you are connected to the Internet.
* Double-click on Download_mbam-setup.exe to install the application.
* When the installation begins, follow the prompts and do not make any changes to default settings.
* When installation has finished, make sure you leave both of these checked:
  Update Malwarebytes' Anti-Malware
  Launch Malwarebytes' Anti-Malware
* Then click Finish.
* MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
* On the Scanner tab, make sure the "Perform Full Scan" option is selected. Then click on the Scan button.
* If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
* The scan will begin and "Scan in progress" will show at the top. It may take some time to complete, so please be patient.
* When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
* Click OK to close the message box and continue with the removal process.
* Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
* Make sure that everything is checked, and click Remove Selected.
* When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer (see Note below).
* The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
* Copy and paste the contents of that report in your next reply and exit MBAM.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Let me have the MBAM report and let me know of any problems you encounter.

Thanks
-
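The manual proxy reset in Step 2 of the post above (and the same step in the replies to CJ and helpless in miami earlier on this page) as a script. This is an added example, not code from Starbuck's posts: it reads the per-user Internet Settings key that Internet Explorer and other WinINet clients use, reports the proxy values, keeps a copy on the desktop, and clears them only when run with -Reset (the switch name and the evidence file name are assumptions chosen for the example).

```powershell
# Added example: inspect, and optionally clear, the per-user WinINet proxy settings that
# rogue antivirus families such as Antivirus Soft / Antivirus Suite change to block the browser.
# This is the scripted equivalent of Internet Options -> Connections -> LAN Settings.
# Run without arguments to report only; add -Reset to actually clear the proxy.
param(
    [switch]$Reset
)

$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$settings = Get-ItemProperty -Path $key

$report = [ordered]@{
    ProxyEnable   = $settings.ProxyEnable     # 1 = "Use a proxy server for your LAN" is ticked
    ProxyServer   = $settings.ProxyServer     # rogue AV often points this at a loopback port it listens on
    ProxyOverride = $settings.ProxyOverride
    AutoConfigURL = $settings.AutoConfigURL   # a PAC script can redirect traffic just as effectively
}
$report | Format-Table -AutoSize | Out-String | Write-Host

# Keep a copy of the values before touching them, so they can be posted when asking for help.
$evidence = Join-Path $env:USERPROFILE 'Desktop\proxy-settings-before.txt'
$report | Out-String | Set-Content -Path $evidence

$hijacked = ($settings.ProxyEnable -eq 1) -or
            -not [string]::IsNullOrEmpty($settings.AutoConfigURL)

if (-not $hijacked) {
    Write-Host 'No proxy or auto-config script is set for this user.'
    return
}

Write-Warning 'A proxy or PAC URL is configured. If you did not set it yourself, the browser is being redirected.'

if ($Reset) {
    Set-ItemProperty    -Path $key -Name ProxyEnable   -Value 0
    Remove-ItemProperty -Path $key -Name ProxyServer   -ErrorAction SilentlyContinue
    Remove-ItemProperty -Path $key -Name AutoConfigURL -ErrorAction SilentlyContinue
    # Browsers that are already open keep the old value; start a new window to test.
    Write-Host 'Proxy settings cleared. Open a new browser window and test the connection.'
    Write-Host 'Run Rkill and Malwarebytes next, otherwise the malware will set the proxy again.'
} else {
    Write-Host 'Re-run this script with -Reset to clear the proxy settings.'
}
```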
Ok, please try running Combofix in safe mode then.
-
Hi dazzac,

There could be a number of reasons for this.
* Can you remember at what point Combofix crashed?
* Can you remember the 'stage n/o'?
* Was Combofix at the stage of preparing the report?
* Were you running any other programs?
* Did you click on the screen at any time once the program was running?
* Had you stopped your resident Anti-Virus?
* Have you tried running it again since the problem? If not, try running it in Safe mode.

(I see you have Daemon Tools running; this has been known to cause problems in the past.)
-
ipconfig.exe processes keeps appearing?
Starbuck replied to starfox's topic in Tech Support & Discussions Forum
Might be worth checking to see how often Thunderbird is checking for your mail: Tools -> Account Settings -> Server Settings, "Check for new messages every ___ minutes." If it's checking too often, you may experience these problems.
-
Propagates through spam in direct messages

Security researchers from Trend Micro warn that a new version of the infamous Koobface worm is spreading on Facebook via direct messages. The spam lures users onto a malicious website by claiming that someone posted a video of them on YouTube.

Koobface is the father of all social networking worms and one of the longest-running computer worms in general. Originally developed for MySpace, the worm now has separate versions for most social networks including Facebook, Twitter, hi5, Bebo or Friendster. Koobface steals login credentials from its victims in order to propagate itself by spamming all of their social networking friends.

The worm's spam campaigns are characterized by complex social engineering, usually involving a Flash Player upgrade or special video codec lure. The latest version reported by Trend Micro is no different in this respect. The spam messages read "Someobdy upload a vdieo wtih you on utbue. you shuold see" followed by a link of the form http://www.facebook.com/l/ae2d7CYBUtLFPs-LAKPMtRXKpBA;www.{BLOCKED}rotherz.ca./19mai/.

The misspelling of the words is intentional and has been done to evade Facebook's automatic spam filters. The technique is based on the fact that humans read words as a whole, and it is only necessary for the first and last letters to be in the correct order for the brain to deduce a particular word.

The link is also a well-thought-out trick and leverages the fact that people only tend to read the beginning of the links they click on. To exploit this, it redirects the malicious URL through Facebook's preview page, which causes the link to start with Willkommen bei Facebook.

Clicking on the link takes users to a page displaying an image mimicking the YouTube player with a pop-up box that asks for a Flash Player update. Clicking anywhere on the image prompts the download of a malicious executable file detected by Trend Micro as WORM_KOOBFACE.IC.

Source: New Koobface Campaign Spotted on Facebook - Propagates through spam in direct messages - Softpedia
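A detector for the two tricks the article describes (lure words with their inner letters scrambled but first and last letter kept, and a facebook.com/l/ redirect whose real target is a third-party host), added here as an example; it is not part of the article, of Trend Micro's detection, or of Facebook's filters. The lure vocabulary and the sample message are constructed from the wording quoted above, and the blocked domain is replaced by a placeholder.

```powershell
# Added example: flag a direct message that shows the two Koobface tricks described above.
# Signal 1: words whose inner letters are shuffled while the first and last letter stay in
#           place (the filter-evasion trick), matched against a small constructed lure vocabulary.
# Signal 2: a link routed through Facebook's /l/ redirect whose real target (after the ';')
#           is not a facebook.com host.

function Get-WordSkeleton {
    # Canonical form of a word: first letter + sorted inner letters + last letter.
    # "Someobdy" and "somebody" both become "sbdemooy", so a scramble maps to its real word.
    param([string]$Word)
    $w = $Word.ToLowerInvariant()
    if ($w.Length -le 3) { return $w }
    $inner = ($w.Substring(1, $w.Length - 2).ToCharArray() | Sort-Object) -join ''
    return "$($w[0])$inner$($w[-1])"
}

# Constructed lure vocabulary taken from the message wording the article quotes.
$LureWords = 'somebody', 'upload', 'video', 'with', 'youtube', 'should'
$LureSkeletons = @{}
foreach ($l in $LureWords) { $LureSkeletons[(Get-WordSkeleton $l)] = $l }

function Test-KoobfaceLure {
    param([string]$Message)
    $reasons = @()

    # Signal 1: scrambled lure words (a correctly spelled lure word is not counted on its own).
    foreach ($m in [regex]::Matches($Message, '[A-Za-z]{4,}')) {
        $word = $m.Value
        $skel = Get-WordSkeleton $word
        if ($LureSkeletons.ContainsKey($skel) -and $word.ToLowerInvariant() -ne $LureSkeletons[$skel]) {
            $reasons += "scrambled lure word '$word' (reads as '$($LureSkeletons[$skel])')"
        }
    }

    # Signal 2: facebook.com/l/<token>;<real host> pointing off-site. The trailing dot in the
    # article's URL is a fully-qualified DNS name and is stripped before the host check.
    $redirect = [regex]::Match($Message, 'https?://(?:www\.)?facebook\.com/l/[^;\s]*;([^\s/]+)')
    if ($redirect.Success) {
        $target = $redirect.Groups[1].Value.TrimEnd('.')
        if ($target -notmatch '(^|\.)facebook\.com$') {
            $reasons += "facebook.com/l/ redirect to external host '$target'"
        }
    }

    return [pscustomobject]@{
        Suspicious = ($reasons.Count -ge 2)   # both signals together = high confidence
        Reasons    = $reasons
    }
}

# Constructed sample using the article's wording; the blocked domain is replaced by a placeholder.
$sample = 'Someobdy upload a vdieo wtih you on utbue. you shuold see ' +
          'http://www.facebook.com/l/ae2d7CYBUtLFPs-LAKPMtRXKpBA;www.example-lure.invalid./19mai/'
Test-KoobfaceLure -Message $sample | Format-List
```

On the sample, Signal 1 fires for "Someobdy", "vdieo", "wtih" and "shuold" (the article's "utbue" drops letters rather than transposing them, so the skeleton check does not claim it), and Signal 2 fires for the placeholder host.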
-
Hi dazzac, Can you take a look here: C:\_OTL\MovedFiles and see if the OTL fix report is there, if so please post the whole report. Thanks.
-
Hi dazzac,

There's nothing actually bad showing in the reports, but there are some entries that are 'open to debate'. We'll run a small fix and then take a closer look.

These entries....
O2 - BHO: (SWWBHO) - {6BFBC258-01EC-4d21-9E73-085E2F73EFDD} - C:\Program Files\Cashback Alerter\CA.dll File not found
O2 - BHO: (MHTBPos00 Class) - {0C37B053-FD68-456a-82E1-D788EE342E6F} - C:\Program Files\Family Toolbar\tbcore3.dll ()
O3 - HKLM\..\Toolbar: (Family Toolbar) - {FD2FD708-1F6F-4B68-B141-C5778F0C19BB} - C:\Program Files\Family Toolbar\tbcore3.dll ()
O3 - HKCU\..\Toolbar\WebBrowser: (Family Toolbar) - {FD2FD708-1F6F-4B68-B141-C5778F0C19BB} - C:\Program Files\Family Toolbar\tbcore3.dll ()
relate to: MyHeritage.com Family / Celebrity Toolbar - a Softomate/Besttoolbars Toolbar variant. Softomate customizes toolbars to customers' needs. The dll files for their toolbars can contain some spyware/adware functionality, although not all of the toolbars use this. Your choice.
I've added the 1st one to the fix because part of the BHO is missing, so it won't work properly anyway.

Step 1
Double click on OTL.exe to run it.
Copy the lines in the codebox below. (Make sure that :Otl is on the first line.)

:Otl
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (SWWBHO) - {6BFBC258-01EC-4d21-9E73-085E2F73EFDD} - C:\Program Files\Cashback Alerter\CA.dll File not found
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
@Alternate Data Stream - 123 bytes -> C:\ProgramData\TEMP:C5CE2DF6
:commands
[emptytemp]
[purity]
[RESETHOSTS]
[EMPTYFLASH]

Return to OTL, right click in the Custom Scans/Fixes window (under the blue bar) and choose Paste.
http://img.photobucket.com/albums/v708/starbuck50/new%20forum/scan-fix.png
Click the red Run Fix button.
http://img.photobucket.com/albums/v708/starbuck50/runfixbutton.png
OTL will reboot your system once the fix has completed. After the reboot, you may need to double click OTL to launch the program and retrieve the log.
Copy and paste the contents of the OTL log that comes up after the fix in your next reply.
If you lose the report, there will be a copy here: C:\_OTL\MovedFiles

Step 2
Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.
Link 1
Link 2
http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_FF.gif
http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_rename.gif
This is an example; you may rename ComboFix to anything you want.
* Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with the running of ComboFix. For more information read: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs
Then:
* Double click on Combo-Fix.exe & follow the prompts.
* As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
* If running Vista, you may not see this screen.
* Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
http://img.photobucket.com/albums/v708/starbuck50/cf1.png
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
http://img.photobucket.com/albums/v706/ried7/whatnext.png
Click on Yes, to continue scanning for malware.
Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

In your next reply, please submit:
Otl fix report
Combofix.txt

Thanks.
-
Ok, thanks dazzac, The OTL reports will be a lot more detailed.
-
Windows firewall service cannot start (solved)
Starbuck replied to asmoeone's topic in Tech Support & Discussions Forum
Hi asmoeone,

Many thanks for the nice comments. The staff here do take a lot of pride in their work and we know that most members will want their computer problems sorted as quickly as possible. All the staff here were once newbies, so we know what it's like to have problems you can't sort out.
Yes, we do offer our time for nothing... a lot of this is because of the belief we have in the site and the members.

Once again, I'm glad to have been of help and many thanks for the nice comments.
-
Windows firewall service cannot start (solved)
Starbuck replied to asmoeone's topic in Tech Support & Discussions Forum
It certainly didn't help.

At least you found the problem. Everything looks good now.
But like I said before, there's no 100% guarantee with these backdoor trojans. We may have got everything, but we can only remove what we can see in the scans.

Let's finish off the cleaning process now:

Step 1
Please double-click OTL.exe to run it. You should see a CleanUp! button; press that button.
http://img.photobucket.com/albums/v708/starbuck50/cleanupbutton.png
This will remove any programs we have asked you to download along with their associated folders.. plus itself.
Note: MBAM will not be removed.

Step 2
Now you should set a new Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files, which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll back" to a clean working state.
The easiest and safest way to do this is:
* Go to Start > Programs > Accessories > System Tools and click "System Restore".
* Choose the radio button marked "Create a Restore Point" on the first screen, then click "Next".
* Give the Restore Point a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
* Then go to Start > Run and type: Cleanmgr
* Click "OK".
* Select the drive for cleaning, then click OK (usually 'C' drive).
* Click the "More Options" tab.
* Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.

To find out how you may have been infected, read this topic: So how did I get infected?

Not all of the following information will be applicable to you, but it's still best to read it all.
Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

* Use an AntiVirus Software
  Avira AntiVir ....installation guide Here
  Avast free
  Bitdefender Free
  MS Security Essentials ... see note* ...installation guide Here
  Note*: Upon installation MS Security Essentials will check that your OS is a legal copy.
  Only install one AntiVirus program.
* Update your AntiVirus Software regularly
* Use a 3rd party Firewall
  Online Armor Free
  ZoneAlarm ...Important note below
  Outpost Firewall Free
  Sunbelt Personal Firewall
  NOTE: If choosing Zone Alarm, be aware that the free version also installs ZoneAlarm Spy Blocker. It is recommended however that you UNcheck this option.
  Only install one software Firewall.
  Some 3rd party Firewalls will turn off the Windows firewall when they are installed. It's always best to check that the Windows Firewall is turned off:
  How to turn off Windows Firewall: Start ... Control Panel ... click on 'Classic View', now select Windows Firewall. When the Windows Firewall box opens, put a tick against "Off (not recommended)" and then click OK.
* Scan regularly with a 'Stand Alone' Anti-Malware scanner
  Installing another scanner that you can run once or twice a week is always beneficial. Something like:
  Malwarebytes Anti-Malware
  SUPERAntiSpyware
  Remember to update these programs each time before running. You can install more than one of these if you only run them as stand alone programs.
* Use an alternative browser
  Some excellent alternatives to MS Internet Explorer are:
  Firefox
  For added security, add the NoScript extension to this browser: allow active content to run only from sites you trust, and protect yourself against XSS and Clickjacking attacks.
  Also consider adding: WOT - Safe Browsing Tool. Web of Trust warns you about risky sites that cheat customers, deliver malware or send spam. Millions of members of the WOT community rate sites based on their experience, giving you an extra layer of protection when browsing or searching the Web. Btw: you don't have to make a contribution.
  Opera
  They offer better security, more stability, and better speed.
* Keep a backup of your registry
  Keeping a regular backup of your registry will help when something goes wrong. Use a program like: Erunt
  A full tutorial on how to set up and use Erunt can be found here: Erunt tutorial
* Keep your system clean of temp files etc., using a 'Cleaner'
  Cleaners are programs that will help to clean out your:
  Windows temp files
  Current user temp files
  Cookies
  Temporary Internet files
  Browser history
  Recycle bin
  Etc.......
  In other words.... all the rubbish that you accumulate over the course of your browsing and day to day usage of your PC.
  Programs like:
  CCleaner
  TFC by OldTimer
  ATF Cleaner
* Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly.
* Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs. A tutorial on installing & using this product can be found here: Using and installing SpywareBlaster
* Update all your 'Security' programs regularly - Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

Glad I was able to help.
Safe surfing.
-
Windows firewall service cannot start (solved)
Starbuck replied to asmoeone's topic in Tech Support & Discussions Forum
It can be, but as we were only trying to access a well known good site to get the update.... it would have been ok.
I see what they are getting at with the program. Sometimes malware does block MBAM and this will clear out all the mbam entries from the registry.
It's not a program I've actually tried, but as I know 'RubbeR DuckY' fairly well and the fact that he started MBAM.... I'd say he knows a thing or 2. :)
Let's give it a try:
1. Uninstall Malwarebytes' Anti-Malware using Add/Remove programs in the control panel.
2. Restart your computer (very important).
3. Download and run mbam clean
4. It will ask to restart your computer (please allow it to).
5. After the computer restarts, install the latest version from Malwarebytes Anti-Malware.
-
Windows firewall service cannot start (solved)
Starbuck replied to asmoeone's topic in Tech Support & Discussions Forum
Hi asmoeone,
12007 error usually means that the download is being blocked by a security program.
My guess is that's probably the Firewall (as we've just started it again).
Simple way to test this is to turn off the Firewall and then try the update again.
If it works like this, you'll have to add an exception to the firewall rules to allow MBAM.
-
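As an added example (not from the post above), the same diagnosis done without switching the Windows Firewall off, in PowerShell: confirm the firewall service is running, add an outbound allow rule for mbam.exe alone, and inspect dropped-connection logging. It assumes Windows 7 or later (service MpsSvc, netsh advfirewall), an elevated prompt, and an assumed mbam.exe install path.

```powershell
# Added example, not from Starbuck's post: diagnose a 12007-style update block without
# switching the Windows Firewall off. Assumes Windows 7 or later (service MpsSvc,
# netsh advfirewall) and an assumed install path for mbam.exe; run from an elevated prompt.

$MbamExe  = 'C:\Program Files\Malwarebytes'' Anti-Malware\mbam.exe'   # assumed path, adjust to yours
$RuleName = 'Allow MBAM updates outbound'

# 1. The thread's original problem: confirm the Windows Firewall service is actually running.
$fw = Get-Service -Name MpsSvc
if ($fw.Status -ne 'Running') {
    Start-Service -Name MpsSvc
    $fw = Get-Service -Name MpsSvc
}
Write-Host "Windows Firewall service state: $($fw.Status)"

# 2. Narrow exception instead of the blanket 'turn the firewall off' test: allow
#    outbound traffic for mbam.exe only, so every other program stays filtered.
if (-not (Test-Path -Path $MbamExe)) {
    throw "mbam.exe not found at '$MbamExe' - correct the path before adding a rule"
}
netsh advfirewall firewall show rule name="$RuleName" | Out-Null
if ($LASTEXITCODE -ne 0) {
    # netsh exits non-zero when no rule matches the name, so add it now
    netsh advfirewall firewall add rule name="$RuleName" dir=out action=allow program="$MbamExe" enable=yes | Out-Null
    Write-Host "Added outbound allow rule '$RuleName' for $MbamExe"
} else {
    Write-Host "Rule '$RuleName' already present"
}

# 3. Re-run the MBAM update. If it still fails, turn on dropped-connection logging and look
#    for DROP lines timed with the update attempt (the log records addresses and direction,
#    not the program name); no DROP lines at that time means the block is not this firewall.
netsh advfirewall set allprofiles logging droppedconnections enable | Out-Null
$log = Join-Path $env:SystemRoot 'System32\LogFiles\Firewall\pfirewall.log'
if (Test-Path -Path $log) {
    Select-String -Path $log -Pattern 'DROP' | Select-Object -Last 10
} else {
    Write-Host "No firewall log yet at $log; retry the update, then check again"
}
```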
Ok, thanks dazzac, I'll wait for the reports.
-
Windows firewall service cannot start (solved)
Starbuck replied to asmoeone's topic in Tech Support & Discussions Forum
Hi asmoeone,
If you can bear with me a little longer, I'd like to double check things.
MBAM has been updated 9 times since your last report.
Please update MBAM and run another scan:
Start MBAM
Click on the Update tab
http://img.photobucket.com/albums/v708/starbuck50/mbam1.png
Click Check for Updates
http://img.photobucket.com/albums/v708/starbuck50/mbam2.png
If it says that MBAM needs to close to update it... let it close and then restart.
Then click the Scan button.
Don't forget: If the report comes back clean, we'll finish off the cleaning process.
Thanks
-
Windows firewall service cannot start (solved)
Starbuck replied to asmoeone's topic in Tech Support & Discussions Forum
Hi, can you tell me if the Windows Firewall will start now?
-
Windows firewall service cannot start (solved)
Starbuck replied to asmoeone's topic in Tech Support & Discussions Forum
Hi asmoeone,
That's good to hear.
This would indicate that you inadvertently clicked the scan button instead of the fix button. Don't worry, you're not the first to do that. :)
Please run the OTL fix again, but click the fix button this time.
Thanks.
-
Windows firewall service cannot start (solved)
Starbuck replied to asmoeone's topic in Tech Support & Discussions Forum
Hi asmoeone,
Ok, let's continue:

P2P Warning
Please note that as long as you're using any form of Peer-to-Peer networking (Limewire, Bit Torrent etc.) and downloading files from non-documented sources, you can expect infestations of malware to occur.
Once upon a time, P2P file sharing was fairly safe. That is no longer true. P2P programmes form a direct conduit onto your computer, their security measures are easily circumvented, and Malware writers are increasingly exploiting them to spread their wares onto your computer.
Further to that, if your P2P programme is not configured correctly you may be sharing more files than you realise. There have been cases where people's Passwords, Address Books and other personal, private, and financial details have been exposed to the file sharing network by a badly configured programme.
Many of the programmes come bundled with other unwanted programmes, but even the ones free of any bundled software are not safe to use. When you use them you are downloading software from an unknown source directly onto your computer, bypassing your Firewall and Anti-Virus software. Hardly surprising then that many of these Downloads are being targeted to carry infections.
You may decide to continue P2P sharing, but keep in mind that this practice may be the source of future malware infestation. If we clean your computer of infection, and you return to us a short time later with an infection contracted by the use of P2P programmes, we may refuse to help you.

Step 1
Double click on OTL.exe to run it.
Copy the lines in the codebox below. (make sure that :Otl is on the first line)

:Otl
IE - HKCU\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Error: Key error. File not found
:commands
[emptytemp]
[purity]
[RESETHOSTS]
[EMPTYFLASH]

Return to OTL, right click in the Custom Scans/Fixes window (under the blue bar) and choose Paste.
http://img.photobucket.com/albums/v708/starbuck50/new%20forum/scan-fix.png
Click the red Run Fix button.
http://img.photobucket.com/albums/v708/starbuck50/runfixbutton.png
OTL will reboot your system once the fix has completed.
After the reboot, you may need to double click OTL to launch the program and retrieve the log.
Copy and paste the contents of the OTL log that comes up after the fix in your next reply.
If you lose the report, there will be a copy here: C:\_OTL\MovedFiles

Step 2
I'd like you to do an ESET OnlineScan
You may find it beneficial to close your resident AV program before running the scan.
Hold down Control and click on the following link to open ESET OnlineScan in a new window. ESET OnlineScan
Click the ESET Online Scanner button.
For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
Click on the ESET Smart Installer link to download the ESET Smart Installer. Save it to your desktop.
Double click on the ESET Smart Installer icon on your desktop.
* Check the box to accept the terms of use.
* Click the Start button.
* Accept any security warnings from your browser.
* Check the option to scan archives.
* Click the Start button.
* ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
* When the scan completes, push List Threats.
* Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
* Click the Back button.
* Click Finish.
A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt

In your next reply, please submit:
OTL fix report
Eset scan report
Thanks.
-
Windows firewall service cannot start (solved)
Starbuck replied to asmoeone's topic in Tech Support & Discussions Forum
Hi asmoeone,
Thanks for that. On to the next part now:

Step 1
Close any open browsers.
Close/disable all anti virus, firewall and anti malware programs so they do not interfere with the running of ComboFix:
Open Notepad - it must be Notepad, not Wordpad.
Copy the text below in the code box by highlighting all the text and pressing Ctrl+C

Folder::
c:\documents and settings\Chunky\Application Data\Urydi
c:\documents and settings\Chunky\Application Data\Onotzy

Go to the Notepad window and click Edit >> Paste
Then click File >> Save
Name the file "CFScript.txt" (including the quotes)
Save the file to your Desktop
The main ComboFix.exe program should be on your Desktop
Drag the file you just created... CFScript.txt and drop it on the main ComboFix.exe icon as below.
http://i275.photobucket.com/albums/jj285/Bleeping/Combofix/cf.gif
Now please wait for ComboFix to finish running.
Please Note: Do not mouse click in the combofix window while it is running - this may cause your system to hang/crash

Step 2
Download TFC by OldTimer to your desktop
Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
It will close all programs when run, so make sure you have saved all your work before you begin.
Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.
Let it run uninterrupted to completion.
Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

Step 3
Download OTL to your desktop. If you have problems, try this download link: OTL
Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
When the window appears, underneath Output at the top change it to Minimal Output.
Check the boxes beside LOP Check and Purity Check.
http://img.photobucket.com/albums/v708/starbuck50/new/newOtl2.png
Now copy the lines in the codebox below.

netsvcs
msconfig
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
nvrd32.sys
symmpi.sys
adp3132.sys
/md5stop
%systemroot%\*. /mp /s
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
CREATERESTOREPOINT

Right click in the Custom Scans/Fixes window (under the blue bar) and choose Paste.
http://img.photobucket.com/albums/v708/starbuck50/new%20forum/scan-fix.png
Click the Run Scan button.
http://img.photobucket.com/albums/v708/starbuck50/runscan.png
Do not change any settings unless otherwise told to do so. The scan won't take long.
When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply.

In your next reply, please submit:
New combofix.txt
Both reports from OTL (if they are too big to post, please add them as attachments)
Thanks.