Everything posted by Starbuck
-
Welcome Nessie, I've replied to your other thread.
-
Hi Nessie,
I've moved your thread here because I can't see that it's a processor problem.
Let's give the system a good clean out and see if things improve.

Step 1
Download TFC by OldTimer to your desktop.
Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator.)
It will close all programs when run, so make sure you have saved all your work before you begin.
Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

Step 2
Download Puran Disc Defragmenter.
Save it to your 'Desktop'.
Run the program.
From the main 'Puran Defrag' screen, click on the 'C' drive to highlight it (normally your main drive).
Then click on 'Defrag'.
This program is faster than the built in Windows Defrag and is more efficient.
Try not to use the m/c while the defrag is running.

Let me know if the system runs any faster after these 2 steps.
We'll take it from there then.
-
http://fc06.deviantart.com/fs27/f/2008/184/4/2/Happy_Birthday_Flag_by_Chaosbrazer.gif Plastic Nev Hope you have a great day. http://fc05.deviantart.net/fs12/i/2006/290/6/5/_party__by_LeoLeonardo.gif
-
"Attention: Lottery Winner,"
Starbuck replied to Starbuck's topic in Tech Support & Discussions Forum
Nope and if I ever did..... I wouldn't believe it. :eek:
-
"Attention: Lottery Winner,"
Starbuck replied to Starbuck's topic in Tech Support & Discussions Forum
Exactly Nev, Like you say, we laugh at the way it's written.... but someone that doesn't understand English so well?? and a lot of them could well live in England. That is by no means a racist remark... but I know of people that are English and they can speak English but not read it properly. These are the people that are vulnerable.
-
Hi stuart and welcome to FPCH. It's great to see you here. Everyone is friendly, so if you have any questions.... ask away.
-
Now this wouldn’t be some kind of rip off spam would it?

You've won the sum of NINE HUNDRED AND FIFTY THOUSAND POUND (£950,000.00) from the UK GOLF INTERNET emails Lottery Edition 2010 TO RECEIVE AND CLAIM YOUR PAYMENT OF PRIZE

The English seems a bit shaky. :rolleyes:

You are therefore advised to send the following information to our claims agent(Mr.Piland woods) to facilitate the remittance of your winning prize to you at once from the UK GOLF INTERNET EMAILS LOTTERY.

They want the kind of information that scammers usually want:

1. Full name............
2. Country..............
3. Contact Address........
4. Telephone Number.......
5. Marital Status.........
6. Occupation.............
7. Company..............
8. Age....................

They don’t really have a company Internet presence. Their “site” is a LinkedIn account.
http://img.photobucket.com/albums/v708/starbuck50/Golf_20Lottery_203_thumb.jpg

You can also view our lottery site : http://uk.linkedin.com/in/internetgolflottery

They are “fully special” and they “glob round the world” – yea, that sounds REAL legitimate. :)
http://img.photobucket.com/albums/v708/starbuck50/Golf_20Lottery_201_thumb.jpg

The writer doesn’t seem to know that in English you capitalize last names.

Mr.Piland woods. (VERIFICATION DEPARTMENT MANAGER)

And “Mr.Piland woods” does business from a hotmail email address??

Email: golf_internet222@hotmail.com
LOTTERY VERIFICATION DEPARTMENT MANAGER

Google Maps and Street View reveal that their company headquarters is a billboard advertising the “Sex in the City” movie. :eek:
http://img.photobucket.com/albums/v708/starbuck50/Golf_20Lottery_204_thumb.jpg

GOLF INTERNET EMAIL LOTTERY 2010
21 Craven Park, Harlesden
London NW20, United Kingdom.
Batch number: 12/25/0340
Ref number: MSN-L/200-26845

You have been warned!

source: Sunbelt Blog: "Attention: Lottery Winner,"
-
Hi Buckman and welcome to FPCH.
The main problem with Google would seem to be that although the infection may have been removed.... your Hosts file needs resetting.
Let's clean up some reg entries and get the Hosts file replaced. Then we'll get an online scan done to see if there's any leftovers.

Step 1
Double click on OTL.exe to run it.
Copy the lines in the codebox below. (make sure that :Otl is on the first line )

:Otl
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {32099AAC-C132-4136-9E9A-4E364A424E17} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {981FE6A8-260C-4930-960F-C3BC82746CB0} - No CLSID value found.
O4 - HKLM..\Run: [NWEReboot] File not found
O4 - HKLM..\Run: [nwiz] File not found
O4 - HKLM..\Run: [userFaultCheck] File not found
O16 - DPF: {40F8967E-34A6-474A-837A-CEC1E7DAC54C} https://accounting.quickbooks.com/c1/v16.561/qboax9.cab (Reg Error: Key error.)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get.../ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {A3E21079-7F41-4125-9EBB-FD44CFCC0AC1} https://www.mesh.com/0.9.3103.13/TSWeb.cab (Reg Error: Value error.)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/ge...sh/swflash.cab (Reg Error: Key error.)
O33 - MountPoints2\{1a58ec34-e83f-11de-b649-001676b674e2}\Shell - "" = AutoRun
O33 - MountPoints2\{1a58ec34-e83f-11de-b649-001676b674e2}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{1a58ec34-e83f-11de-b649-001676b674e2}\Shell\AutoRun\command - "" = J:\WINDOWS\IronKey.exe -- File not found
O33 - MountPoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}\Shell - "" = AutoRun
O33 - MountPoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}\Shell\AutoRun\command - "" = E:\setup.exe -- File not found
O33 - MountPoints2\{58a3a095-2045-11dd-b5c7-001676b674e2}\Shell - "" = AutoRun
O33 - MountPoints2\{58a3a095-2045-11dd-b5c7-001676b674e2}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{58a3a095-2045-11dd-b5c7-001676b674e2}\Shell\AutoRun\command - "" = I:\WINDOWS\IronKey.exe -- File not found
O33 - MountPoints2\{7144ff19-69a4-11de-b622-001676b674e2}\Shell - "" = AutoRun
O33 - MountPoints2\{7144ff19-69a4-11de-b622-001676b674e2}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{7144ff19-69a4-11de-b622-001676b674e2}\Shell\AutoRun\command - "" = I:\IronKey.exe -- File not found
O33 - MountPoints2\{978b5df5-1f17-11df-9e68-001676b674e2}\Shell - "" = AutoRun
O33 - MountPoints2\{978b5df5-1f17-11df-9e68-001676b674e2}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{978b5df5-1f17-11df-9e68-001676b674e2}\Shell\AutoRun\command - "" = I:\LaunchU3.exe -- File not found
O33 - MountPoints2\{d0ab9b99-8a76-11de-b62e-001676b674e2}\Shell - "" = AutoRun
O33 - MountPoints2\{d0ab9b99-8a76-11de-b62e-001676b674e2}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{d0ab9b99-8a76-11de-b62e-001676b674e2}\Shell\AutoRun\command - "" = J:\IronKey.exe -- File not found
@Alternate Data Stream - 130 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:72E6616C
@Alternate Data Stream - 129 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:8643C5BE
@Alternate Data Stream - 123 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:756C8543
@Alternate Data Stream - 122 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:B203B914
@Alternate Data Stream - 122 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:69D94DFA
@Alternate Data Stream - 121 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:8E3D07DE
@Alternate Data Stream - 119 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:411E1BE2
@Alternate Data Stream - 114 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:359B3BDA
@Alternate Data Stream - 106 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:4E1E5A60
@Alternate Data Stream - 100 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:C24B973A

:commands
[emptytemp]
[purity]
[RESETHOSTS]
[EMPTYFLASH]

Return to OTL, right click in the Custom Scans/Fixes window (under the blue bar) and choose Paste.
http://img.photobucket.com/albums/v708/starbuck50/new%20forum/scan-fix.png
Click the red Run Fix button.
http://img.photobucket.com/albums/v708/starbuck50/runfixbutton.png
OTL will reboot your system once the fix has completed.
After the reboot, you may need to double click OTL to launch the program and retrieve the log.
Copy and paste the contents of the OTL log that comes up after the fix in your next reply.
If you lose the report, there will be a copy here: C:\_OTL\MovedFiles

Step 2
I'd like you to do an ESET OnlineScan.
You may find it beneficial to close your resident AV program before running the scan.
Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan
Click the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetOnline.png button.
For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
Click on http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstall.png to download the ESET Smart Installer. Save it to your desktop.
Double click on the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstallDesktopIcon.png icon on your desktop.

* Check http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetAcceptTerms.png
* Click the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetStart.png button.
* Accept any security warnings from your browser.
* Check http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetScanArchives.png
* Click the Start button.
* ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
* When the scan completes, push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetListThreats.png
* Click http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetExport.png, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
* Click the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetBack.png button.
* Click http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetFinish.png

A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt

In your next reply, please submit:
Otl fix report
Eset scan report
Also let me know how the system is running now.
Thanks.
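
The post above resets the Hosts file with OTL's [RESETHOSTS] command. As an added example (not part of the original post and not OTL's code), this Python check lists the entries that make a Hosts file differ from a default one; the sample file, its hostnames and the function names are constructed, and it assumes a default Hosts file holds only comments and an optional loopback localhost entry.

```python
import ipaddress

# Constructed sample: what a Hosts file can look like when the infection is gone
# but its entries were left behind. Addresses come from documentation ranges.
SAMPLE_HOSTS = """\
# constructed sample hosts file
# <address>     <hostname(s)>
127.0.0.1       localhost
203.0.113.7     www.google.com google.com   # leftover search redirect
203.0.113.7     search.yahoo.com
127.0.0.1       update.av-vendor.example
0.0.0.0         scan.av-vendor.example
not-an-ip       www.bing.com
"""


def audit_hosts(text):
    """Return (line_no, kind, hostname, address) for every non-default entry.

    kind is "redirected" (name points at a real address), "blocked" (name is
    sunk to loopback or 0.0.0.0, a common way to cut off security updates) or
    "malformed" (the line cannot be parsed as an address plus hostnames).
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        entry = line.split("#", 1)[0].strip()   # drop comments
        if not entry:
            continue
        fields = entry.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            findings.append((line_no, "malformed", " ".join(fields), None))
            continue
        if len(fields) < 2:
            findings.append((line_no, "malformed", " ".join(fields), None))
            continue
        sinkhole = ip.is_loopback or ip.is_unspecified
        for name in fields[1:]:
            host = name.lower().rstrip(".")
            if host == "localhost" and ip.is_loopback:
                continue                         # the only default mapping
            kind = "blocked" if sinkhole else "redirected"
            findings.append((line_no, kind, host, str(ip)))
    return findings


def needs_reset(text):
    """True when the file contains anything beyond the default content."""
    return bool(audit_hosts(text))


if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(finding)
```

On a live system the text would be read from %SystemRoot%\System32\drivers\etc\hosts; entries an administrator added on purpose will also be listed and need a manual decision.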
-
My friends laptop is in really bad shape (solved)
Starbuck replied to Sam1's topic in Tech Support & Discussions Forum
Hi Sam,
http://fc07.deviantart.com/images3/i/2004/146/9/1/Two_thumbs_up.gif
Let's update the Java and Adobe Reader, then we'll get a defrag done.

Step 1
Please download JavaRa to your desktop and unzip it to its own folder.
Run JavaRa.exe, pick the language of your choice and click 'Select'. Then click Remove Older Versions.
Accept any prompts.
Open JavaRa.exe again and select Search For Updates.
Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.

Step 2
Click this link to get the latest version of Adobe Reader.
If you get asked if you want to also install 'Free McAfee® Security Scan Plus (optional)', untick the option and don't allow it.

Step 3
Download Puran Disc Defragmenter.
Save it to your 'Desktop'.
Run the program.
From the main 'Puran Defrag' screen, click on the 'C' drive to highlight it (if this is your main drive).
Then click on 'Defrag'.
This program is faster than the built in Windows Defrag and is more efficient.
Try not to use the m/c while the defrag is running.

Let me know how things are running after this.
Thanks.
-
Resident Shield Alert (solved)
Starbuck replied to mikeywikey's topic in Tech Support & Discussions Forum
Seems fate was trying to tell you something. A reinstall would be the better option for you. Sorry I couldn't have given you better news. Good luck with the reinstall. Many thanks for your donation, it really does make a difference. http://fc07.deviantart.com/images3/i/2004/146/9/1/Two_thumbs_up.gif
-
My friends laptop is in really bad shape (solved)
Starbuck replied to Sam1's topic in Tech Support & Discussions Forum
Hi Sam,
at first glance it would seem that your friend has been very lucky. We have a bit of cleaning to do and some updating, but nothing too serious at this point.
But we'll double check everything and give the system a good clean up.

Step 1
Please disable Spybot S&D’s TeaTimer protection, because it is known to interfere with our fixes. You can enable it again after you're clean.
Open Spybot and click on 'Mode' then click 'Advanced Mode'.
Click on 'Tools' in bottom left hand corner.
Click on the 'System Startup' icon.
Uncheck 'Teatimer' box and/or uncheck 'Resident'.
Then, check next to the computer clock to see if the icon for Spybot is still there. If it is, right click it and choose 'exit Spybot-S&D Resident'.
Reboot the computer.

Optional
Spybot and Ad-Aware are not the programs they once were. Once we get the AV problem sorted and make sure that MBAM and Win Defender are up to date..... these programs aren't really needed. Feel free to remove them.

Step 2
Double click on OTL.exe to run it.
Copy the lines in the codebox below. (make sure that :Otl is on the first line )

:Otl
IE - HKCU\..\URLSearchHook: *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - Reg Error: Key error. File not found
O4 - HKCU..\Run: [] File not found
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get.../ultrashim.cab (Reg Error: Key error.)
O33 - MountPoints2\{0c49b472-1504-11dd-9ac9-cc92d864c0a1}\Shell - "" = AutoRun
O33 - MountPoints2\{0c49b472-1504-11dd-9ac9-cc92d864c0a1}\Shell\AutoRun\command - "" = H:\setup.exe -- [2006/10/28 07:30:48 | 000,463,152 | R--- | M] (Microsoft Corporation)
O33 - MountPoints2\{0c49b472-1504-11dd-9ac9-cc92d864c0a1}\Shell\configure\command - "" = H:\setup.exe -- [2006/10/28 07:30:48 | 000,463,152 | R--- | M] (Microsoft Corporation)
O33 - MountPoints2\{0c49b472-1504-11dd-9ac9-cc92d864c0a1}\Shell\install\command - "" = H:\setup.exe -- [2006/10/28 07:30:48 | 000,463,152 | R--- | M] (Microsoft Corporation)
O33 - MountPoints2\{42d10ac6-f900-11dc-abae-0013774cc337}\Shell - "" = AutoRun
O33 - MountPoints2\{42d10ac6-f900-11dc-abae-0013774cc337}\Shell\AutoRun\command - "" = H:\LaunchU3.exe -- File not found
O33 - MountPoints2\{459de227-168f-11dd-bb8f-806e6f6e6963}\Shell - "" = AutoRun
O33 - MountPoints2\{459de227-168f-11dd-bb8f-806e6f6e6963}\Shell\AutoRun\command - "" = E:\StartVM****e.exe -- File not found
O33 - MountPoints2\{459de270-168f-11dd-bb8f-de3dc9dc74ab}\Shell - "" = AutoRun
O33 - MountPoints2\{459de270-168f-11dd-bb8f-de3dc9dc74ab}\Shell\AutoRun\command - "" = E:\StartVM****e.exe -- File not found
O33 - MountPoints2\{5a5ea4e2-b5c2-11de-8a93-fd305a620dcc}\Shell - "" = AutoRun
O33 - MountPoints2\{5a5ea4e2-b5c2-11de-8a93-fd305a620dcc}\Shell\AutoRun\command - "" = J:\LaunchU3.exe -- File not found
O33 - MountPoints2\{dbe1a70e-1e64-11dd-b4d1-f61d2f7f4ba1}\Shell - "" = AutoRun
O33 - MountPoints2\{dbe1a70e-1e64-11dd-b4d1-f61d2f7f4ba1}\Shell\AutoRun\command - "" = I:\LaunchU3.exe -- File not found

:commands
[emptytemp]
[purity]
[RESETHOSTS]
[EMPTYFLASH]

Return to OTL, right click in the Custom Scans/Fixes window (under the blue bar) and choose Paste.
http://img.photobucket.com/albums/v708/starbuck50/new%20forum/scan-fix.png
Click the red Run Fix button.
http://img.photobucket.com/albums/v708/starbuck50/runfixbutton.png
OTL will reboot your system once the fix has completed.
After the reboot, you may need to double click OTL to launch the program and retrieve the log.
Copy and paste the contents of the OTL log that comes up after the fix in your next reply.
If you lose the report, there will be a copy here: C:\_OTL\MovedFiles

Step 3
I no longer recommend AVG as an Anti Virus program.
As its definitions are out of date, I'd take this opportunity to remove it and install a better program.
Remove AVG using the add/remove feature within Vista.
Then run the AVG removal tool: This will make sure all traces have gone.
To remove AVG go to: http://www.avg.com/filedir/util/avg_arm_sup_____.dir/avgremover.exe
Download to your desktop, then double click to start the uninstaller.

Step 4
Install one of the following Anti Virus programs, once installed let it run a full scan and let me know if it finds anything:
Avira AntiVir ....installation guide Here
MS Security Essentials ... see note* ...installation guide Here
Avast free
Note*: Upon installation MS Security Essentials will check that your OS is a legal copy.

There is more to do, but this will give us a good start.

In your next reply, please submit:
OTL fix report
Thanks.
-
My friends laptop is in really bad shape (solved)
Starbuck replied to Sam1's topic in Tech Support & Discussions Forum
Hi Sam,
let's have a better look at your friend's system:

Step 1
Download Security Check from here or here.
Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt; please copy and paste the contents of that document in your next reply.

Step 2
Download OTL to your desktop.
Right click on the link and select 'Save Link/Target As'.
If you have problems, try this download link: OTL
Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
When the window appears, underneath Output at the top change it to Minimal Output.
Check the boxes beside LOP Check and Purity Check.
http://img.photobucket.com/albums/v708/starbuck50/new/newOtl2.png
Now copy the lines below.

netsvcs
msconfig
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
nvrd32.sys
symmpi.sys
adp3132.sys
/md5stop
%systemroot%\*. /mp /s
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
CREATERESTOREPOINT

Right click in the Custom Scans/Fixes window (under the blue bar) and choose Paste.
http://img.photobucket.com/albums/v708/starbuck50/new%20forum/scan-fix.png
Click the Run Scan button.
http://img.photobucket.com/albums/v708/starbuck50/runscan.png
Do not change any settings unless otherwise told to do so. The scan won't take long.
When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply.

In your next reply, please submit:
checkup.txt
Both reports from OTL
If the OTL reports are too big to post.... add them as attachments.
Thanks.
-
Resident Shield Alert (solved)
Starbuck replied to mikeywikey's topic in Tech Support & Discussions Forum
Hi Mike,
first I have to tell you this:
Some of the infections in your report are considered backdoor trojans:
It is known that these trojans can communicate with remote computers, download and run code, send emails and redirect browser requests. Unfortunately we cannot be sure about what they have done.
If you do any banking or other financial transactions on the PC or if it contains any other sensitive information, please get to a known clean computer and change all passwords where applicable and it would be wise to contact those same financial institutions to apprise them of your situation.
Though the Trojans have been identified there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS.
For more information read ....Here
If you choose to format and reinstall read...... Here
Should you decide not to follow that advice, we will of course do our best to clean the computer of any infections that we can see but, as I already stated, we can in no way guarantee it to be trustworthy again.

If you wish to proceed, we'll see if this helps.

Step 1
Double click on OTL.exe to run it.
Copy the lines in the codebox below. (make sure that :Otl is on the first line )

:Otl
SRV - (NMIndexingService) -- File not found
SRV - (NBService) -- File not found
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (no name) - {F6F4572D-F858-4858-9FD9-B3FB972C60E2}9FD9-B3FB972C60E2} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O4 - HKLM..\Run: [GoogleUpdate] C:\WINDOWS\system32\wilogon.exe (NONE)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Reg Error: Key error.)
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - Reg Error: Key error. File not found
O33 - MountPoints2\{49e3bcc1-42f7-11dd-964a-806d6172696f}\Shell - "" = AutoRun
O33 - MountPoints2\{49e3bcc1-42f7-11dd-964a-806d6172696f}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{49e3bcc1-42f7-11dd-964a-806d6172696f}\Shell\AutoRun\command - "" = D:\SETUP.EXE -- [2004/08/04 13:00:00 | 001,314,816 | R--- | M] (Microsoft Corporation)
MsConfig - StartUpReg: iTunesHelper - hkey= - key= - Reg Error: Value error. File not found
[2010/06/14 07:20:46 | 003,707,422 | ---- | C] () -- C:\Documents and Settings\user\Desktop\13579.exe
[2010/05/20 10:54:33 | 000,231,936 | ---- | M] () -- C:\Documents and Settings\user\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/06/13 20:22:43 | 000,018,944 | ---- | C] (NONE) -- C:\Documents and Settings\user\Application Data\winupd.exe
[2010/06/08 12:15:53 | 000,022,528 | ---- | C] (NONE) -- C:\WINDOWS\System32\wilogon.exe
[2010/06/08 12:14:16 | 000,003,876 | ---- | M] () -- C:\Documents and Settings\user\Application Data\Cerulean.lic
[2010/06/02 10:37:20 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\drivers\lvuvc.hs
[2010/06/02 10:37:14 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\drivers\logiflt.iad

:commands
[emptytemp]
[purity]
[RESETHOSTS]
[EMPTYFLASH]

Return to OTL, right click in the Custom Scans/Fixes window (under the blue bar) and choose Paste.
http://img.photobucket.com/albums/v708/starbuck50/new%20forum/scan-fix.png
Click the red Run Fix button.
http://img.photobucket.com/albums/v708/starbuck50/runfixbutton.png
OTL will reboot your system once the fix has completed.
After the reboot, you may need to double click OTL to launch the program and retrieve the log.
Copy and paste the contents of the OTL log that comes up after the fix in your next reply.
If you lose the report, there will be a copy here: C:\_OTL\MovedFiles

Step 2
Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.
Please download DrWeb-CureIt & save it to your desktop. DO NOT perform a scan yet.
Reboot your computer into SAFE MODE using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode". Use the ENTER key to make your selection. Then choose your normal account.

Scan with DrWeb-CureIt as follows:
Double-click on drweb-cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
Once the short scan has finished, Click Options > Change settings
Choose the "Scan tab" and UNcheck "Heuristic analysis"
Back at the main window, click "Select drives" (a red dot will show which drives have been chosen)
Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
When done, a message will be displayed at the bottom advising if any viruses were found.
Click "Yes to all" if it asks if you want to cure/move the file.
When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable". (This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
Save the DrWeb.csv report to your desktop.
Exit Dr.Web Cureit when done.
Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)

Note: Some sites don't allow .csv files to be posted. If this is the case here, the report may need to be renamed to Dr.Web.txt in order to post it on the forum.
During the scan, a pop-up window may open asking for full version purchase. Simply close the window by clicking on the X in the upper right corner.

In your next reply, please submit:
OTL fix report
Dr Web report
Thanks.
-
Resident Shield Alert (solved)
Starbuck replied to mikeywikey's topic in Tech Support & Discussions Forum
Not at all.
Obviously something is blocking CF from running correctly. Let's see if we can get a report from this, it may give us a clue.

Download OTL to your desktop.
Right click on the link and select 'Save Link/Target As'.
If you have problems, try this download link: OTL
Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
When the window appears, underneath Output at the top change it to Minimal Output.
Check the boxes beside LOP Check and Purity Check.
http://img.photobucket.com/albums/v708/starbuck50/new/newOtl2.png
Now copy the lines below.

netsvcs
msconfig
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
nvrd32.sys
symmpi.sys
adp3132.sys
/md5stop
%systemroot%\*. /mp /s
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
CREATERESTOREPOINT

Right click in the Custom Scans/Fixes window (under the blue bar) and choose Paste.
http://img.photobucket.com/albums/v708/starbuck50/new%20forum/scan-fix.png
Click the Run Scan button.
http://img.photobucket.com/albums/v708/starbuck50/runscan.png
Do not change any settings unless otherwise told to do so. The scan won't take long.
When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply.
If the reports are too big to post, add them as attachments.
Thanks
-
Resident Shield Alert (solved)
Starbuck replied to mikeywikey's topic in Tech Support & Discussions Forum
Sometimes it takes a while before you actually see anything happening. The whole process can take about 10 - 25 mins depending on your system. Just let it carry on and see if anything else happens. If nothing has happened after about 20 mins... let me know.
-
Resident Shield Alert (solved)
Starbuck replied to mikeywikey's topic in Tech Support & Discussions Forum
Just click to let it carry on with the scan and it should run ok. Make sure that your Anti Virus program and firewall are disabled as these can sometimes interfere with Combofix. If you are running it in safe mode..... alter this to safe mode with networking to be on the safe side. I'll be around most of today if you have any problems.
-
Crazy Virus on Windows 7 Please Help
Starbuck replied to michelsmith's topic in Tech Support & Discussions Forum
Thanks for letting us know that the problem has been solved. http://fc07.deviantart.com/images3/i/2004/146/9/1/Two_thumbs_up.gif -
Resident Shield Alert (solved)
Starbuck replied to mikeywikey's topic in Tech Support & Discussions Forum
Hi Mike, did this screen come up? http://img.photobucket.com/albums/v708/starbuck50/cf1.png If not, then the Recovery Console may already be installed. You'll only see that screen if it needs to be installed. If the screen did come up ..... did you make sure that you were connected to the internet? It'll need your connection to download it.
-
Resident Shield Alert (solved)
Starbuck replied to mikeywikey's topic in Tech Support & Discussions Forum
Hi Mike,
Let's try this then:
Try to run it in normal mode, but if it won't run.... run it in safe mode as a last resort.

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.
Link 1
Link 2
http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_FF.gif
http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_rename.gif
This is an example, you may rename ComboFix to anything you want.

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with the running of ComboFix.
For more information read: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Then:
Double click on Combo-Fix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
If running Vista, you may not see this screen.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
http://img.photobucket.com/albums/v708/starbuck50/cf1.png
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
http://img.photobucket.com/albums/v706/ried7/whatnext.png
Click on Yes, to continue scanning for malware.
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
-
Resident Shield Alert (solved)
Starbuck replied to mikeywikey's topic in Tech Support & Discussions Forum
Hi Mike, Can you run programs or still use the system to download any programs we may need? If not in normal mode, can you access anything using 'Safe mode with Networking'? -
Free Ice Cream from Bing for Londoners This summer
Starbuck replied to Starbuck's topic in Tech Support & Discussions Forum
I know what you mean Nev, London is a 5 hour drive for me..... 5 hours for a free ice cream? ... I don't think so. -
Crazy Virus on Windows 7 Please Help
Starbuck replied to michelsmith's topic in Tech Support & Discussions Forum
It is definitely the quickest solution. Good luck with the reinstall. -
Malicious link and PDF attachment doubles hackers' chances of taking control of victims' PCs.
Symantec Hosted Services (SHS) is warning of yet more targeted World Cup-based malware attacks using increasingly sophisticated methods to infect victims and compromise corporate systems. Tony Millington, malware operations engineer at SHS, explained in a blog post that the firm had intercepted 45 targeted malware emails headed for various Brazilian companies.
"This social engineering attack exploits the excitement surrounding the 2010 World Cup in South Africa to prompt recipients to take actions which may compromise their systems and corporate information," he wrote. "One particularly interesting element of this targeted attack is the use of two attack modes: a PDF attachment and a malicious link."
The email claims legitimacy by purporting to come from a well known sportswear manufacturer, and includes a malicious PDF attachment and a link back to the server which can result in downloaded malware. This tactic effectively doubles the chance of success for the cyber criminals, Millington explained.
"The inclusion of two methods of attack means that, even if the PDF is removed as suspicious by an anti-virus gateway, the malicious link remains in the body of the email and may still be delivered to the recipient," he said.
The malware in question is an off-the-shelf information stealing botnet virus called SpyEye, which exploits a PDF flaw to enable hackers to take full control of the infected computer, said SHS.
Source: Symantec warns of sophisticated World Cup malware - V3.co.uk - formerly vnunet.com
-
Crazy Virus on Windows 7 Please Help
Starbuck replied to michelsmith's topic in Tech Support & Discussions Forum
Hi michel, That wasn't my advice. It's not always the case that a reinstall is the best option. If you don't know what you are doing ... then a reinstall is the best option. But, if you do know what you are doing.... then the best advice is to save the system and carry on. -
Microsoft is working to kill a rogue antivirus solution that is spread under a label that’s simply too close for comfort to the company’s own free and legitimate security solution: Microsoft Security Essentials. The software giant first warned of a fake antivirus solution being distributed as Security Essentials 2010 at the start of 2010. Now, the latest release of the Malicious Software Removal Tool is designed to identify and remove Security Essentials 2010 from compromised PCs. MSRT is a free security solution available from Microsoft that hunts down only a specific list of malware.
Rogue security solutions, also called fake AV or scareware, are malicious programs that trick the user into buying useless licenses for non-functioning antivirus programs. While masquerading as legitimate security products, scareware use deceptive tactics to convince users that their machines are infected when it’s not the case, and attempt to scare them into paying for a license to have inexistent threats removed.
Security Essentials 2010, which is also known as Internet Security 2010, is a rogue security program belonging to the Win32/Fakeinit malware family. Hamish O'Dea, from the Microsoft Malware Protection Center, noted that Microsoft expected the attackers behind the rogue solution to start labeling it Security Essentials 2011 soon.
“Fakeinit uses the old one-two punch of first trying to convince you that there's malware all over your system, then offering a scanner that can detect and remove it - once you pay. Fakeinit separates these functions into two components. The first component changes the desktop background,” O'Dea stated. “This component also terminates a whole bunch of programs as soon as they run. It doesn't do this to protect itself - the programs it kills include calc.exe, word.exe and freecell.exe - but rather to convince you that you are infected and generally make the machine hard to use in the hope of annoying you into paying for the scanner.”
The changed background is a pretty common tactic for rogue AV. Users get stuck with a very threatening wallpaper informing them that their PC is infected with a range of malware. Of course, this is not the case. In order to gain credibility, Fakeinit also comes with a scanner component, designed to report the inexistent threats and to make users pay to have them removed.
“If you do decide to pay, you're giving away not just your money, but also some pretty sensitive information including your name, address and credit card details. The page is not secured, meaning these details could be intercepted, but the real question is ‘what else will the makers of Internet Security 2010 do with this information?’ At best, you are likely to be charged more than you expected. Hidden at the bottom of the page, below the ‘proceed payment’ button, are options for a ‘lifetime license’ and ‘firewall and email protection’ that are already selected for you. Together they add another $39.90 to the price. This is another classic rogue trick,” O'Dea added.
Microsoft warned that Fakeinit was also downloading Win32/Alureon, a very nasty data-stealing Trojan.
Source: Microsoft Killing Microsoft Security Essentials Fake – Security Essentials 2010 - With the Malicious Software Removal Tool - Softpedia