
Starbuck

Everything posted by Starbuck

  1. Yes, follow these instructions:
     Click on the MSSE icon in the taskbar, then click Open.
     Click on the Settings tab.
     Click on Real-time protection (left hand side).
     Untick ... Turn on real-time protection (recommended).
     Click on Save changes.
     I see that TDSSKiller has started to remove and replace items. Let's see what CF will follow up with.
  2. Take your time and then let me know how you want to proceed.
  3. I would very much doubt it. These infections are designed to infect 'Windows' operating systems. But, on saying that... If your online banking passwords have been compromised from the Windows m/c, those accounts will be compromised whichever system you use to access them. It will be the actual accounts that have been compromised. So by changing the passwords for those accounts, you should be ok. Obviously check the accounts for any unusual debits etc though. But the Linux system should be fairly immune to these infections. Does that make sense?
  4. Hi asmoeone,
     Thanks for the report. That's some pretty nasty stuff there.
     Because of the 'backdoor' trojans found, I feel it's only fair to give you this warning:
     It is known that these trojans can communicate with remote computers, download and run code, send emails and redirect browser requests. Unfortunately we cannot be sure about what they have done. If you do any banking or other financial transactions on the PC or if it contains any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.
     Though the Trojans have been identified there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. For more information read .... Here
     If you choose to format and reinstall read ...... Here
     Should you decide not to follow that advice, we will of course do our best to clean the computer of any infections that we can see but, as I already stated, we can in no way guarantee it to be trustworthy again.
     If you do decide to carry on with the cleaning process, please follow these steps:

     Step 1
     Download TDSSKiller and save it to your Desktop. Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
     Click on Start >> Run (or you can hold down your Windows key and press R) and copy and paste the following into the text field (make sure you include the quote marks). Then press OK.
         "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v
     If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
     When it is done, a log file should be created on your C: drive called "TDSSKiller.txt". Please copy and paste the contents of that file here.

     Step 2
     Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.
     Link 1
     Link 2
     http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_FF.gif
     http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_rename.gif
     This is an example; you may rename ComboFix to anything you want.
     Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with the running of ComboFix. For more information read: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs
     Then:
     Double click on Combo-Fix.exe & follow the prompts.
     As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
     If running Vista, you may not see this screen.
     Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
     **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
     http://img.photobucket.com/albums/v708/starbuck50/cf1.png
     Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
     http://img.photobucket.com/albums/v706/ried7/whatnext.png
     Click on Yes, to continue scanning for malware.
     Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
     When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
     In your next reply, please submit:
     TDSSKiller.txt
     Combofix.txt
     Thanks.
  5. Hi dazzac,
     Cardiff? ... just along the motorway from me.
     You don't say if you have MalwareBytes AntiMalware installed... I'll assume not and give you full instructions.

     Step 1
     Please download Malwarebytes Anti-Malware and save it to your desktop.
     Make sure you are connected to the Internet.
     Double-click on Download_mbam-setup.exe to install the application.
     When the installation begins, follow the prompts and do not make any changes to default settings.
     When installation has finished, make sure you leave both of these checked:
       Update Malwarebytes' Anti-Malware
       Launch Malwarebytes' Anti-Malware
     - Then click Finish.
     - MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
     - On the Scanner tab: Make sure the "Perform Full Scan" option is selected. Then click on the Scan button.
     - If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
     - The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
     - When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
     - Click OK to close the message box and continue with the removal process.
     - Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
     - Make sure that everything is checked, and click Remove Selected.
     - When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
     - The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
     - Copy and paste the contents of that report in your next reply and exit MBAM.
     Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
     Note: If you already have MBAM installed, please update it and run a scan.

     Step 2
     Download OTL to your desktop. If you have problems, try this download link: OTL
     Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
     When the window appears, underneath Output at the top change it to Minimal Output.
     Check the boxes beside LOP Check and Purity Check.
     http://img.photobucket.com/albums/v708/starbuck50/new/newOtl2.png
     Now copy the lines in the codebox below.
         netsvcs
         msconfig
         %SYSTEMDRIVE%\*.exe
         /md5start
         eventlog.dll
         scecli.dll
         netlogon.dll
         cngaudit.dll
         sceclt.dll
         ntelogon.dll
         logevent.dll
         iaStor.sys
         nvstor.sys
         atapi.sys
         IdeChnDr.sys
         viasraid.sys
         AGP440.sys
         vaxscsi.sys
         nvatabus.sys
         viamraid.sys
         nvata.sys
         nvgts.sys
         iastorv.sys
         ViPrt.sys
         eNetHook.dll
         ahcix86.sys
         KR10N.sys
         nvstor32.sys
         ahcix86s.sys
         nvrd32.sys
         symmpi.sys
         adp3132.sys
         /md5stop
         %systemroot%\*. /mp /s
         %systemroot%\system32\*.dll /lockedfiles
         %systemroot%\Tasks\*.job /lockedfiles
         %systemroot%\system32\drivers\*.sys /lockedfiles
         CREATERESTOREPOINT
     Right click in the Custom Scans/Fixes window (under the blue bar) and choose Paste.
     http://img.photobucket.com/albums/v708/starbuck50/new%20forum/scan-fix.png
     Click the Run Scan button.
     http://img.photobucket.com/albums/v708/starbuck50/runscan.png
     Do not change any settings unless otherwise told to do so. The scan won't take long.
     When the scan completes, it will open two notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
     Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply.
     In your next reply, please submit:
     MBAM scan report
     Both reports from OTL (if they are too big to post, please add them as attachments)
     Thanks.
  6. Cheers Goku
     http://fc09.deviantart.net/fs21/f/2007/266/0/d/0d779334b6dc59bd.gif
     Hi asmoeone,
     I'd like to see what MalwareBytes removed. I'm obviously concerned about this:
     It's better to see the devil before he sees you. ;)
     Restart MalwareBytes.
     Click on the Logs tab. The log reports will be date stamped.
     Double click on the report that removed the infections. It'll open in 'Notepad'.
     Now copy and paste the report in to a reply here.
     Thanks.
  7. Hi Nessie, How are things now? Do you still require help?
  8. Sony has issued a recall for its F11 and CW2 series notebook PCs and is offering a firmware update to fix an overheating problem. According to the company's notice today: "In rare instances, these notebook computers may overheat due to a potential malfunction of the internal temperature management system, resulting in deformation of the product's keyboard or external casing, and a potential burn hazard to consumers." The FAQ in the notification said: "Certain units within the VPCF11 and VPCCW2 notebook series are affected by this potential overheating issue. Sony recommends that all units in the VPCF11 and VPCCW2 series be updated with the firmware download."
     Source: Sunbelt Blog: Burn hazard: Sony recalls VAIO F11 and CW2 Series
  9. Hi Sam,
     That's what we like to hear.
     http://fc07.deviantart.com/images3/i/2004/146/9/1/Two_thumbs_up.gif
     Your friend owes you a drink for the work you have put in. ;)
     Let's remove the tools we've used and finish the cleaning process.

     Step 1
     Please double-click OTL.exe to run it. You should see a CleanUp! button, press that button.
     http://img.photobucket.com/albums/v708/starbuck50/cleanupbutton.png
     This will remove any programs we have asked you to download along with their associated folders.. plus itself.
     Note: MBAM will not be removed.

     Step 2
     Now you should set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.
     Click on Start... Control Panel... System and Maintenance... System
     Click on System Protection in the left-hand task list.
     Uncheck the checkboxes next to each hard drive listed under the "Create restore points automatically on the selected disks:" section.
     When you uncheck a disk you will be presented with a screen. You should click on the Turn System Protection Off button.
     Click Apply and then OK.
     Reboot your computer.
     Now:
     Click on Start... Control Panel... System and Maintenance... System
     Click on System Protection in the left-hand task list.
     Put a checkmark in the checkboxes next to each hard drive listed under the "Create restore points automatically on the selected disks:" section.
     Click Apply and then OK.
     Your System Restore will now be active again... starting with a new restore point.
     To find out how you may have been infected.... read this topic: So how did i get infected?
     Not all of the following information will be applicable to you, but it's still best to read it all.
     Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
     - Use an AntiVirus Software
       Avira AntiVir .... installation guide Here
       Avast free
       Bitdefender Free
       MS Security Essentials ... see note* ... installation guide Here
       Note*: Upon installation MS Security Essentials will check that your OS is a legal copy.
       Only install one AntiVirus program.
     - Update your AntiVirus Software regularly
     - Use a 3rd party Firewall
       Online Armor Free
       ZoneAlarm ... Important note below
       Outpost Firewall Free
       Sunbelt Personal Firewall
       NOTE: If choosing Zone Alarm be aware that the free version also installs ZoneAlarm Spy Blocker. It is recommended however that you UNcheck this option.
       Only install one software Firewall.
       Some 3rd party Firewalls will turn off the Windows Firewall when they are installed. It's always best to check that the Windows Firewall is turned off:
       How to turn off Windows Firewall: Start ... Control Panel ... click on 'Classic View'. Now select Windows Firewall. When the Windows Firewall box opens, put a tick against .. Off (not recommended) and then click OK.
     - Scan regularly with a 'Stand Alone' Anti-Malware scanner:
       Installing another scanner that you can run once or twice a week is always beneficial. Something like:
       Malwarebytes Anti-Malware
       SUPERAntiSpyware
       Remember to update these programs each time before running. You can install more than one of these if you only run them as stand alone programs.
     - Use an alternative browser:
       Some excellent alternatives to MS Internet Explorer are:
       Firefox
       For added security, add the NoScript extension to this browser: Allow active content to run only from sites you trust, and protect yourself against XSS and Clickjacking attacks.
       Also consider adding: WOT - Safe Browsing Tool
       Web of Trust warns you about risky sites that cheat customers, deliver malware or send spam. Millions of members of the WOT community rate sites based on their experience, giving you an extra layer of protection when browsing or searching the Web. Btw: you don't have to make a contribution.
       Opera
       They offer better security, more stability, and better speed.
     - Keep a backup of your registry
       Keeping a regular backup of your registry will help when something goes wrong. Use a program like: Erunt
       A full tutorial on how to set up and use Erunt can be found here: Erunt tutorial
     - Keep your system clean of temp files etc, using a 'Cleaner':
       Cleaners are programs that will help to clean out your: Windows temp files, Current user temp files, Cookies, Temporary Internet files, Browser history, Recycle bin, Etc.......
       In other words.... all the rubbish that you accumulate over the course of your browsing and day to day usage of your PC.
       Programs like: CCleaner, TFC by OldTimer, ATF Cleaner
     - Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly.
     - Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs. A tutorial on installing & using this product can be found here: Using and installing SpywareBlaster
     - Update all your 'Security' programs regularly - Without regular updates you WILL NOT be protected when new malicious programs are released.
     Follow this list and your potential for being infected again will reduce dramatically.
     Glad I was able to help.
     Safe surfing.
     http://fc08.deviantart.net/fs71/f/2010/033/b/3/Computer_addict__by_Sinister_Starfeesh.gif
  10. Seventeen critical vulnerabilities fixed
     Adobe has released new versions of its Reader and Acrobat products, addressing a flurry of critical vulnerabilities that could lead to arbitrary code execution. One of the flaws has been actively exploited in the wild since the beginning of the month. Out of the seventeen vulnerabilities mentioned in the security bulletin accompanying this release, only one affects the UNIX versions of the products. Code execution in case of successful exploitation has been demonstrated for eleven of them, while the last one is described primarily as a denial of service issue. The most dangerous vulnerability fixed in this release was identified as CVE-2010-1297 and reported as a zero-day on June 4. The flaw is located in the component handling the playback of SWFs embedded in PDF documents and also patched in Flash Player 10.1.53.64.
     "Adobe recommends users of Adobe Reader 9.3.2 and earlier versions for Windows, Macintosh and UNIX to update to Adobe Reader 9.3.3. (For Adobe Reader users on Windows and Macintosh, who cannot update to Adobe Reader 9.3.3, Adobe has provided the Adobe Reader 8.2.3 update.) Adobe recommends users of Adobe Acrobat 9.3.2 and earlier versions for Windows and Macintosh update to Adobe Acrobat 9.3.3. Adobe recommends users of Adobe Acrobat 8.2.2 and earlier versions for Windows and Macintosh update to Adobe Acrobat 8.2.3," the security bulletin reads.
     The Adobe Reader 9.3.3 and 8.2.3 updates for Windows can be downloaded from here. The Adobe Reader 9.3.3 update for Mac can be downloaded from here. The Adobe Reader 9.3.3 update for UNIX can be downloaded from here.
     Source: Security Updates Available for Adobe Reader - Seventeen critical vulnerabilities fixed - Softpedia
  11. Unauthorized email change lure still used in spam campaigns
     One of the latest email spams to impersonate Twitter tries to trick users into opening a malicious attachment by passing it as an invitation to the micro blogging service. Meanwhile, Twitter email change scams are still going around and send unsuspecting victims to websites packed with exploits.
     Security researchers from Vietnamese antivirus vendor Bkis warn of a malware distribution campaign sending out emails that masquerade as official communications from Twitter. The rogue messages have spoofed headers to look as if originating from invitations@twitter.com and claim to be automated invitations sent at a friend's request.
     http://img.photobucket.com/albums/v708/starbuck50/Blog%20pics/twitterscam.png
     "Twitter is a service for friends, family, and co-workers to communicate and stay connected through the exchange of quick, frequent answers to one simple question: What are you doing? To join or to see who invited you, check the attachment," the spam reads.
     The attachment is called "Invitation Card.zip" and contains a computer worm detected by Bkis as W32.Ziktwitters.Worm. "This virus [...] downloads a lot of other malwares including FakeAV and constantly distributes advertising emails as well as phishing emails to other users," Nguyen Cong Cuong, senior security researcher at Bkis, explains.
     The author of this particular malware also seems to have a sense of humor. The researcher points out the decryption code used in the executable is ironically Google's informal motto "Don't be evil".
     According to a recent report, one such scam claims the email address associated with the Twitter account has been changed in order to lure users.
     http://img.photobucket.com/albums/v708/starbuck50/Blog%20pics/twitterscam1.png
     The spammed link, which is spoofed to appear as pointing to a resource on twitter.com, actually redirects victims to a page loading an exploit cocktail. Before being attacked, the user is subjected to several tests to determine his browser, as well as the version of other potentially vulnerable software installed on his computer, like Java, Flash Player or Adobe Reader.
     Source: Twitter Invitation Email Scam Spreads Malware Downloader - Unauthorized email change lure still used in spam campaigns - Softpedia
  12. One makes its way on the Daily Mail website
     Security researchers warn that with all the FIFA World Cup fever going on, cybercrooks can use related YouTube videos to direct visitors to scam websites. One such video, promoting a fake Facebook account hacking tool, ended up embedded in a Daily Mail article.
     Even if you are not a soccer fan, you are likely to have heard that the world's most viewed sporting event, the FIFA World Cup, is currently taking place in South Africa. The competition is already in the knock-out stages and the first two quarter finalists, Germany and Argentina, have been decided over the weekend.
     England lost 4 - 1 to Germany on Sunday and was knocked out of the competition in a controversial match, where the referee failed to validate a perfectly good goal scored by Frank Lampard. In an online article covering the error, the Daily Mail embedded a YouTube video of the goal's replay from apparently a random YouTube source.
     As the said video starts playing, an annotation pops up reading "Want to know how to hack Facebook accounts? Click Here." According to Sunbelt researcher Christopher Boyd, who looked into the incident, clicking on the link took users to another video hosted on the same YouTube channel.
     This secondary video directed viewers to a blogspot site containing instructions on how to use an alleged Facebook account hacking tool, but downloading the program required users to take a survey. "Yes, it's one of those surveys where you sign up to nonsense in return for something that probably wasn't worth the time you put into it. More often than not, you'll find you've signed your life away to marketers and also downloaded an infection file," the researcher explains.
     The secondary video linking to the scam has since been removed after being reported by numerous users to YouTube, but the incident stands as an example of how cybercriminals attract victims for their various scams.
     Source: YouTube World Cup Videos Used to Promote Scams - One makes its way on the Daily Mail website - Softpedia
  13. Hi
     Anything like this?
     http://img.photobucket.com/albums/v708/starbuck50/avsecurity.png
     Before we tackle this, I need to point out one small thing..... this relates to malware that can transfer itself using a USB stick. Have you been using any USB sticks? It could be that you are transferring the malware to the PC each time you plug it in.
     Let's tackle this AV security suite:

     Step 1
     Please reboot your computer in Safe Mode with Networking by doing the following:
     * Restart your computer
     * After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
     * Instead of Windows loading as normal, a menu with options should appear; you will need to use the 'keyboard arrow keys' to navigate on this menu.
     * Select the option to run Windows in Safe Mode with Networking, then press "Enter".
     * Then choose your usual account.

     Step 2
     Start Internet Explorer, and when the program is open, click on the Tools menu and then select Internet Options.
     Click on the Connections tab.
     Click on the Lan Settings button.
     Under the Proxy Server section, please uncheck the checkbox labeled Use a proxy server for your LAN.
     Then press the OK button to close this screen.
     Then press the OK button to close the Internet Options screen.
     Internet Explorer should now work. Or you can use Firefox to complete the next few steps.

     Step 3
     Please download: Rkill and save it to your Desktop.
     Run the tool by clicking on it.
     If you get a message that rkill is an infection, do not be concerned. This message is just a fake warning given by Antivirus Soft when it terminates programs that may potentially remove it. If you run into these infection warnings that close Rkill, a trick is to leave the warning on the screen and then run Rkill again. By not closing the warning, this typically will allow you to bypass the malware trying to protect itself so that rkill can terminate Antivirus Soft.
     If the malware is persistent, you may have to run RKill a number of times.
     When it has finished, the black window will automatically close and you can continue with the next step.
     Note: Please do not reboot your system until you have completed the following step, or the Malware will restart itself:

     Step 4
     If you still have MBAM on your system, update it and run a full scan.
     If you have removed it, please use these instructions:
     Please download Malwarebytes Anti-Malware and save it to your desktop.
     Make sure you are connected to the Internet.
     Double-click on Download_mbam-setup.exe to install the application.
     When the installation begins, follow the prompts and do not make any changes to default settings.
     When installation has finished, make sure you leave both of these checked:
       Update Malwarebytes' Anti-Malware
       Launch Malwarebytes' Anti-Malware
     - Then click Finish.
     - MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
     - On the Scanner tab: Make sure the "Perform Full Scan" option is selected. Then click on the Scan button.
     - If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
     - The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
     - When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
     - Click OK to close the message box and continue with the removal process.
     - Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
     - Make sure that everything is checked, and click Remove Selected.
     - When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
     - The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
     - Copy and paste the contents of that report in your next reply and exit MBAM.
     Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
     In your next reply, please submit:
     MBAM scan report
     and let me know if the proxy setting was enabled when you checked.
     Thanks.
  14. Hi Sam,
     Let's double check everything now. Let's see if these come back clean.

     Step 1
     Please update MBAM and run another scan:
     Start MBAM
     Click on the Update tab
     http://img.photobucket.com/albums/v708/starbuck50/mbam1.png
     Click Check for Updates
     http://img.photobucket.com/albums/v708/starbuck50/mbam2.png
     If it says that MBAM needs to close to update it... let it close and then restart.
     Then click the Scan button.
     Don't forget:

     Step 2
     I'd like you to do an ESET OnlineScan
     You may find it beneficial to close your resident AV program before running the scan.
     Hold down Control and click on the following link to open ESET OnlineScan in a new window. ESET OnlineScan
     Click the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetOnline.png button.
     For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
       Click on http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstall.png to download the ESET Smart Installer. Save it to your desktop.
       Double click on the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstallDesktopIcon.png icon on your desktop.
     - Check http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetAcceptTerms.png
     - Click the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetStart.png button.
     - Accept any security warnings from your browser.
     - Check http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetScanArchives.png
     - Click the Start button.
     - ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
     - When the scan completes, push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetListThreats.png
     - Click http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetExport.png, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
     - Click the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetBack.png button.
     - Click http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetFinish.png
     A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt
     In your next reply, please submit:
     MBAM scan report
     Eset scan report
     Thanks.
  15. Hi Buckman, There is definitely something hiding, we could run more scans and try to find out what it is.... But if you need the pc back up and running and don't have much spare time, then by all means go for the reformat/reinstall. It will sort the m/c out once and for all. I'll wait for your reply.
  16. Hi Buckman, any chance you can get a screenshot of the popup?
  17. Hi Sam, please give me an update on how the system is running.
  18. Hi Buckman,
     We'll do our best, a reformat is always the last resort..... and we haven't got to that yet :)

     Step 1
     Please download DeFogger to your desktop.
     Double click DeFogger to run the tool.
     The application window will appear.
     Click the Disable button to disable your CD Emulation drivers.
     Click Yes to continue.
     A 'Finished!' message will appear.
     Click OK.
     DeFogger will now ask to reboot the machine - click OK.
     IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.
     Do not re-enable these drivers until otherwise instructed.
     This step will help get a better report from the next step.

     Step 2
     Please download GMER from one of the following locations and save it to your desktop:
     Main Mirror - This version will download a randomly named file (Recommended)
     Zipped Mirror - This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
     Disconnect from the Internet and close all running programs.
     Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
     Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
     Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
     http://img.photobucket.com/albums/v666/sUBs/gmer_zip.gif
     GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
     If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system... click NO.
     Now click the Scan button. If you see a rootkit warning window, click OK.
     When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
     Click the Copy button and paste the results into your next reply.
     Exit GMER and re-enable all active protection when done.
     -- If you encounter any problems, try running GMER in Safe Mode.
     Thanks
  19. Hi Buckman,
     This is what CF removed:
     It not only removed some files, it also replaced an infected file for you.
     The report is showing there's a few more things for us to address:
     Close any open browsers.
     Close/disable all anti virus, firewall and anti malware programs so they do not interfere with the running of ComboFix.
     Open Notepad - it must be Notepad, not Wordpad.
     Copy the text below in the code box by highlighting all the text and pressing Ctrl+C
         File::
         c:\program files\temp01
         c:\windows\system32\drivers\fwkcquxy.sys
         Driver::
         qxmofyba
     Go to the Notepad window and click Edit >> Paste
     Then click File >> Save
     Name the file "CFScript.txt" (including the quotes)
     Save the file to your Desktop
     The main ComboFix.exe program should be on your Desktop.
     Drag the file you just created... CFScript.txt and drop it on the main ComboFix.exe icon as below.
     http://i275.photobucket.com/albums/jj285/Bleeping/Combofix/cf.gif
     Now please wait for ComboFix to finish running.
     Please Note: Do not mouse click in the combofix window while it is running - this may cause your system to hang/crash.
     Let me have the new Combofix.txt after the fix.
     Thanks
  20. Hi Sam,

      Thanks, that dug out some rubbish. Let's clean up a few other things in the report:

      Close any open browsers.
      Close/disable all anti virus, firewall and anti malware programs so they do not interfere with the running of ComboFix.
      Open Notepad - it must be Notepad, not Wordpad.
      Copy the text below in the code box by highlighting all the text and pressing Ctrl+C

      File::
      c:\programdata\NOS\Adobe_Downloads\arh.exe
      c:\users\Default\AppData\Roaming\Macromedia\Flash Player\http://www.macromedia.com\bin\airapp...pinstaller.exe

      Driver::
      AFS

      Go to the Notepad window and click Edit >> Paste
      Then click File >> Save
      Name the file "CFScript.txt" (including the quotes)
      Save the file to your Desktop
      The main ComboFix.exe program should be on your Desktop.
      Drag the file you just created... CFScript.txt and drop it on the main ComboFix.exe icon as below.
      http://i275.photobucket.com/albums/jj285/Bleeping/Combofix/cf.gif
      Now please wait for ComboFix to finish running.
      Please Note: Do not mouse click in the ComboFix window while it is running - this may cause your system to hang/crash.

      Let me have the new ComboFix.txt after the fix.

      Thanks.
  21. Hi Sam,

      Too complicated for me... I'll stick to viruses and malware :)

      Ok, you did the right thing in asking about this.
      McAfee isn't showing in the OTL reports, so it's probably just a registry remnant.
      CF should still run ok (as McAfee isn't really there), but there is a removal tool for McAfee products; it may be best to run that.... then we'll know there'll be no conflict.

      Follow these directions to download the McAfee Removal Tool.
      1. Click on the following link to download the MCPR removal tool
         http://download.mcafee.com/products/licensed/cust_support_patches/MCPR.exe
      2. Click Save and save the file to your desktop
      3. Close all McAfee Application windows you may have open, and double-click on MCPR.exe to start the removal tool.
         Windows Vista users will have to right-click on the file and select "Run as Administrator"
      4. After the removal tool finishes, you should be prompted to restart your computer.
      5. Once the computer restarts, your McAfee product should be uninstalled.
      6. If for any reason there appears a red X during the uninstall, go to the following location for more advanced uninstall instructions involving the registry.
         http://tools.mcafeehelp.com/doc.php?siteid=1&docid=419397

      Once this tool has been run.... try running CF again.
  22. Hi Sam,

      Take your time, I'm not going anywhere. :)
      Well done on the results, what are you studying?

      No problem, let's update your Java another way.
      Click Start >> Control Panel.
      Click on Classic view (left hand side)
      Now click on the Java icon.
      Click the Update tab at the top.
      Now click on Update Now.
      Just follow any prompts and the new version will be installed.
      As you have Version 15.... the update will remove this when it installs the latest version (20).

      Ok, let's look a little deeper then:

      Download ComboFix from any of the links below. You must rename it before saving it. Save it to your desktop.
      Link 1
      Link 2
      http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_FF.gif
      http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_rename.gif
      This is an example, you may rename ComboFix to anything you want.

      Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with the running of ComboFix.
      For more information read: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

      Then:
      Double click on Combo-Fix.exe & follow the prompts.
      As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
      If running Vista, you may not see this screen.
      Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
      **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
      http://img.photobucket.com/albums/v708/starbuck50/cf1.png
      Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
      http://img.photobucket.com/albums/v706/ried7/whatnext.png
      Click on Yes, to continue scanning for malware.
      Note: Do not mouse click ComboFix's window while it's running. That may cause it to stall.
      When finished, it shall produce a log for you.
      Please include the C:\ComboFix.txt in your next reply.

      Thanks
  23. It's no trouble at all Bowler, That's always a big drawback. We are always here if you have any further problems.
  24. Hi Buckman,

      Thanks for the explanation, let's look a little deeper then:

      Download ComboFix from any of the links below. You must rename it before saving it. Save it to your desktop.
      Link 1
      Link 2
      http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_FF.gif
      http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_rename.gif
      This is an example, you may rename ComboFix to anything you want.

      Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with the running of ComboFix.
      For more information read: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

      Then:
      Double click on Combo-Fix.exe & follow the prompts.
      As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
      If running Vista, you may not see this screen.
      Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
      **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
      http://img.photobucket.com/albums/v708/starbuck50/cf1.png
      Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
      http://img.photobucket.com/albums/v706/ried7/whatnext.png
      Click on Yes, to continue scanning for malware.
      Note: Do not mouse click ComboFix's window while it's running. That may cause it to stall.
      When finished, it shall produce a log for you.
      Please include the C:\ComboFix.txt in your next reply.

      Thanks
  25. Hi Bowler,

      You don't seem to have a lot of luck with your hosts file, do you?

      Download HostsXpert.zip
      Extract (unzip) HostsXpert.zip to a permanent folder on your hard drive such as C:\HostsXpert
      Double-click HostsXpert.exe to run the program.
      Click "Make Hosts Writable?" in the upper left corner (only if available).
      Click "Restore Microsoft's Hosts file" and then click "OK".
      Click the X to exit the program.
      Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.

      Run HijackThis again, click Scan, and put a checkmark next to this item:
      O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
      Realtek AC97 Audio - Event Monitor. "Spyware" file used to surreptitiously monitor one's actions. It is not a sinister one, like remote control programs, but it is being used by Realtek to gather data about customers.
      Then close all other windows, browsers etc - you should only see HijackThis on your Desktop - and click the Fix Checked button.
      Reboot your computer to complete the process.

      Apart from that, everything looks ok.
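The hosts-file problem in the post above, as an added example that is not part of the original post and is not HostsXpert's code: a Python script that parses a Windows hosts file, keeps Microsoft's default loopback entries, and reports everything else split into the two patterns a hijacked hosts file usually shows (names sinkholed to 127.0.0.1/0.0.0.0, which is how malware blocks security-vendor sites, and names redirected to some other address). It also rebuilds a default hosts file and hands back the removed entries, which covers the caveat in the post that any custom entries have to be re-added by hand. The sample hosts file content, domain names and addresses are constructed for this example and are assumptions, not taken from any report on the page.

```python
import ipaddress
from typing import List, NamedTuple, Tuple

# Constructed sample of a hijacked Windows hosts file (assumption for this example).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
# entry the user added for a lab box - must be re-added after a restore
192.168.1.50    devbox.lab
# typical hijack entries: AV sites sinkholed, bank redirected
127.0.0.1       www.malwarebytes.org
127.0.0.1       update.symantec.com
198.51.100.23   www.bankofexample.com
"""

# The only hostnames a clean Microsoft hosts file maps to loopback.
DEFAULT_LOOPBACK_NAMES = {"localhost"}

# What a restored (default) hosts file should contain.
DEFAULT_HOSTS_LINES = [
    "# hosts file rebuilt to Microsoft defaults; removed entries listed separately",
    "127.0.0.1\tlocalhost",
    "::1\tlocalhost",
]


class HostsEntry(NamedTuple):
    address: str
    hostnames: Tuple[str, ...]
    verdict: str  # "default", "blocked" or "redirected"


def parse_hosts(text: str) -> List[HostsEntry]:
    """Parse hosts-file text and classify every active (non-comment) entry."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip trailing/whole-line comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # address with no hostname; Windows ignores it too
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed address, not resolvable anyway
        names = tuple(n.lower() for n in parts[1:])
        sinkhole = addr.is_loopback or addr.is_unspecified  # 127.x, ::1, 0.0.0.0
        if sinkhole and set(names) <= DEFAULT_LOOPBACK_NAMES:
            verdict = "default"
        elif sinkhole:
            verdict = "blocked"      # real site silently pointed at this machine
        else:
            verdict = "redirected"   # name pointed somewhere else entirely
        entries.append(HostsEntry(str(addr), names, verdict))
    return entries


def suspicious_entries(text: str) -> List[HostsEntry]:
    """Everything that is not part of Microsoft's default hosts file."""
    return [e for e in parse_hosts(text) if e.verdict != "default"]


def restore_defaults(text: str) -> Tuple[str, List[HostsEntry]]:
    """Return (default hosts file text, entries that were dropped).

    The dropped list includes legitimate custom entries as well, so the user
    can decide which ones to put back by hand.
    """
    removed = suspicious_entries(text)
    return "\n".join(DEFAULT_HOSTS_LINES) + "\n", removed


if __name__ == "__main__":
    for e in suspicious_entries(SAMPLE_HOSTS):
        print(f"{e.verdict:10} {e.address:16} {' '.join(e.hostnames)}")
    new_hosts, dropped = restore_defaults(SAMPLE_HOSTS)
    print(new_hosts)
    print(f"{len(dropped)} entries removed; re-add any that were yours.")
```

Run it against the real file by reading `C:\Windows\System32\drivers\etc\hosts` into `text` instead of the constructed sample; writing the restored content back needs an elevated prompt, and a loopback entry for an update or vendor domain is the thing to look at first, since that is what stops the scanners in the posts above from updating.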