Everything posted by Starbuck
-
Hi igrek001

If you managed to download Combofix, try this:

Please reboot your computer in Safe Mode by doing the following:
* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, a menu with options should appear; you will need to use the keyboard arrow keys to navigate on this menu.
* Select the first option, to run Windows in Safe Mode, then press "Enter".
* Then choose your usual account.

This should stop most AVs from running.
Now run Combofix.

Don't worry too much about the recovery console for the time being, we can address that later.
Let's see if we can get a scan done first.

Thanks.
-
MalwareBytes says it removes trojan, but still there
Starbuck replied to shawnh's topic in Tech Support & Discussions Forum
Hi shawnh

That's fine, no problem.
Gooredfix took care of one bad extension, let's clean up a bit more then we'll get another scan done:

Step 1
Double click on OTL.exe to run it.
Copy the lines in the codebox below. (Make sure that :OTL is on the first line.)

    :OTL
    PRC - C:\Documents and Settings\Kathy\Local Settings\Temp\Tjl.exe ()
    O4 - HKCU..\Run: [TOY5KNQ8OC] C:\Documents and Settings\Kathy\Local Settings\Temp\Tjl.exe ()
    [2010/03/07 09:51:07 | 000,000,282 | -H-- | C] () -- C:\WINDOWS\tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job
    [2010/03/08 17:39:48 | 000,000,000 | -HSD | M] -- C:\Documents and Settings\Kathy\Application Data\SystemProc
    [2010/03/09 01:44:12 | 000,000,282 | -H-- | M] () -- C:\WINDOWS\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job
    :commands
    [emptytemp]
    [purity]
    [EMPTYFLASH]

Return to OTL, right click in the Custom Scans/Fixes window (under the blue bar) and choose Paste.
http://img.photobucket.com/albums/v708/starbuck50/new%20forum/scan-fix.png
Click the red Run Fix button.
http://img.photobucket.com/albums/v708/starbuck50/runfixbutton.png
OTL will reboot your system once the fix has completed.
After the reboot, you may need to double click OTL to launch the program and retrieve the log.
Copy and paste the contents of the OTL log that comes up after the fix in your next reply.

Step 2
Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.
Link 1
Link 2
http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_FF.gif
http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_rename.gif
This is an example, you may rename ComboFix to anything you want.
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with the running of ComboFix.
For more information read: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs
Then:
Double click on Combo-Fix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
If running Vista, you may not see this screen.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
http://img.photobucket.com/albums/v706/ried7/whatnext.png
Click on Yes, to continue scanning for malware.
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

In your next reply, please submit:
OTL report that comes up after the fix
Combofix.txt

Thanks.
-
I need the rest of the report Judy, if you have a problem adding it (and the extra.txt) add it as an attachment.
-
It's only recently I managed to get hold of a pair of red/cyan glasses. So am now catching up with what I've been missing. Nice work
http://fc07.deviantart.com/images3/i/2004/146/9/1/Two_thumbs_up.gif
-
Hi Jamie,

If there were restore points, it could have been our 'saving grace'.... but sadly :(
The big problem we have is that all the programs we could use to uncover the problems here are all programs designed to run on 'Windows OS'. When it comes to a PE environment.... we are stuck.
After looking at everything again, I think we're going to have to go with the recovery method. At least this will get you up and running again.
Don't forget you will have to get all your Windows updates again!
But as soon as you have done that, I recommend you follow the previous instructions on how to convert to NTFS. It is a one way convert.... you can't go back to Fat32 afterwards. But it's a lot more secure and all new systems run NTFS now anyway.
Sorry it's come to this, I don't like giving up..... but the fact we can't get in to the Windows OS is hampering our progress.
Let me know how things go and if you encounter any problems... I'll be here.

I've been asked in the past what programs I recommend if a reinstall has to be done, this is what I normally say:

A good Anti-Virus protector:
Here's a few good 'free' programs.
Avira AntiVir
Avast free
AVG Free
Bitdefender Free
MS Security Essentials ... see note*
Only install one of these.
Note*: Upon installation MS Security Essentials will check that your OS is a legal copy.

A 3rd party Firewall:
Some free firewalls are:
Online Armor Free
Outpost Firewall Free
Sunbelt Personal Firewall
Only install one of these Firewalls.

A resident Anti-Malware scanner:
Installing Windows Defender and activating its 'Realtime Protection' will help to keep the nasties away.

Scan regularly with a 'Stand Alone' Anti-Malware scanner:
Installing another scanner that you can run once or twice a week is always beneficial. Something like:
Malwarebytes Anti-Malware
SUPERAntiSpyware
Remember to update these programs each time before running.
You can install more than one of these if you only run them as stand alone programs.

Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.
A tutorial on installing & using this product can be found here: Using and installing SpywareBlaster

Keep your system clean of temp files etc, using a 'Cleaner':
Cleaners are programs that will help to clean out your:
Windows temp files
Current user temp files
Cookies
Temporary Internet files
Browser history
Recycle bin
Etc.......
In other words.... all the crap that you accumulate over the course of your browsing and day to day usage of your pc.
Programs like:
TFC by OldTimer
CCleaner
ATF Cleaner

Obviously this is not a complete list of programs available, plus I've stuck to 'Free' programs. If you want 'Paid for' programs... you will have a greater choice.
Hope this gives you some idea.

Pete
-
this statement is usually a sign of a Bagle worm infection.
This can be a right pig, so let's see if we can break its hold enough to remove it.

Step 1
Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.
Link 1
Link 2
http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_FF.gif
http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_rename.gif
This is an example, you may rename ComboFix to anything you want.
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with the running of ComboFix.
For more information read: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs
Then:
Double click on Combo-Fix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
If running Vista, you may not see this screen.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
http://img.photobucket.com/albums/v706/ried7/whatnext.png
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you.
Please include the C:\ComboFix.txt in your next reply.
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
If Combofix won't run.... try renaming it with a .com extension.

Thanks
-
MalwareBytes says it removes trojan, but still there
Starbuck replied to shawnh's topic in Tech Support & Discussions Forum
Hi shawnh

2 things for you:

Step 1
Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1
Download Mirror #2
Ensure all Firefox windows are closed.
To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
When prompted to run the scan, click Yes.
GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).

Step 2
Download OTL to your desktop.
If you have problems, try this download link: OTL
Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
When the window appears, underneath Output at the top change it to Minimal Output.
Check the boxes beside LOP Check and Purity Check.
http://img.photobucket.com/albums/v708/starbuck50/new/newOtl2.png
Now copy the lines in the codebox below.

    netsvcs
    msconfig
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    /md5stop
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    CREATERESTOREPOINT

Right click in the Custom Scans/Fixes window (under the blue bar) and choose Paste.
http://img.photobucket.com/albums/v708/starbuck50/new%20forum/scan-fix.png
Click the Run Scan button.
http://img.photobucket.com/albums/v708/starbuck50/runscan.png
Do not change any settings unless otherwise told to do so. The scan won't take long.
When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply.

In your next reply, please submit:
Gooredfix.txt and both reports from OTL

Thanks.
-
Yes there were a lot of entries.
The Kiwee and Web search entries were removed in post #36 and confirmed in post #37.
I deliberately didn't remove Party Poker because Judy had stated that she used these.
Although not stated here... Judy did PM me and say that Limewire had been removed.
I'd like to find out what link you are using to download MSN Messenger, is it this one: Messenger - Windows Live
If it's not.... try the link I've provided.

Let's get another OTL scan done using the instructions below.
Double click on OTL.exe to run it.
Under Extra Registry section, select Use SafeList.
Don't check the boxes beside 'LOP Check' and 'Purity Check' this time.
Click on Run Scan at the top left hand corner.
When done, two Notepad files will open.
Please post the contents of these 2 Notepad files in your next reply.

Thanks
-
Hi igrek001

Because your problem is almost definitely malware related, I'm going to move your thread to the malware removal forum.
We'll continue there.

Thanks
-
Hi Judy,

I'd keep SuperAntiSpyware and Malwarebytes Anti Malware.
SpyBot is not the program it used to be and isn't effective against the newer malware.
Whether you decide to remove it is up to you though.
If you do want to remove it, you'll have to disable the 'TeaTimer' first.
Open Spybot and click on 'Mode' then click 'Advanced Mode'.
Click on 'Tools' in bottom left hand corner.
Click on the 'System Startup' icon.
Uncheck 'Teatimer' box and/or uncheck 'Resident'.
Then, check next to the computer clock to see if the icon for Spybot is still there. If it is, right click it and choose 'exit Spybot-S&D Resident'.
Reboot the computer.
Then remove Spybot.
-----------------
Let's get a fresh scan with Malwarebytes now:
Please update MBAM and run another scan:
Start MBAM
Click on the Update tab >> click Search for Updates
If it says that MBAM needs to close to update it... let it close and then restart.
On restart >> click the Scan button.
Don't forget: Let me have the MBAM scan report in your next reply.

Thanks
-
Hi igrek001,

try running this program and post the results:
Please download exeHelper to your desktop.
If your AV program throws up a warning about the program, ignore the warning. Some AVs flag this program because of how it works... that's all.
Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of exehelperlog.txt (it will be created in the directory where you ran exeHelper.com and should open at the end of the scan).
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

Thanks
-
Hi Judy,

P2P Warning
Please note that as long as you're using any form of Peer-to-Peer networking (Morpheus, Ares, Limewire, Bit Torrent etc.) and downloading files from non-documented sources, you can expect infestations of malware to occur.
Once upon a time, P2P file sharing was fairly safe. That is no longer true. P2P programmes form a direct conduit onto your computer, their security measures are easily circumvented, and Malware writers are increasingly exploiting them to spread their wares onto your computer.
Further to that, if your P2P programme is not configured correctly you may be sharing more files than you realise. There have been cases where people's Passwords, Address Books and other personal, private, and financial details have been exposed to the file sharing network by a badly configured programme.
Many of the programmes come bundled with other unwanted programmes, but even the ones free of any bundled software are not safe to use. When you use them you are downloading software from an unknown source directly onto your computer, bypassing your Firewall and Anti-Virus software. Hardly surprising then that many of these Downloads are being targeted to carry infections.
You may decide to continue P2P sharing, but keep in mind that this practice may be the source of future malware infestation. If we clean your computer of infection, and you return to us a short time later with an infection contracted by the use of P2P programmes, we may refuse to help you.

Step 1
Double click on OTL.exe to run it.
Copy the lines in the codebox below. (Make sure that :Otl is on the first line.)

    :Otl
    PRC - C:\Program Files (x86)\Kiwee Toolbar\2.8.167\kwtbaim.exe (AG Interactive)
    FF - HKLM\software\mozilla\Firefox\Extensions\\toolbar@kiwee.com: C:\Program Files (x86)\Kiwee Toolbar\2.8.167\firefox [2010/02/23 01:20:41 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Firefox\Extensions\\m3ffxtbr@mywebsearch.com: C:\Program Files (x86)\MyWebSearch\bar\1.bin File not found
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
    O2 - BHO: (Kiwee Toolbar) - {6638A9DE-0745-4292-8A2E-AE530E7B9B3F} - C:\Program Files (x86)\Kiwee Toolbar\2.8.167\KiweeIEToolbar.dll (AG Interactive)
    O2 - BHO: (Search Assistant) - {F0626A63-410B-45E2-99A1-3F2475B2D695} - C:\Program Files\SGPSA\BHO.dll (MTWB)
    O3 - HKLM\..\Toolbar: (no name) - {1BB22D38-A411-4B13-A746-C2A4F4EC7344} - No CLSID value found.
    O3 - HKLM\..\Toolbar: (Kiwee Toolbar) - {6638A9DE-0745-4292-8A2E-AE530E7B9B3F} - C:\Program Files (x86)\Kiwee Toolbar\2.8.167\KiweeIEToolbar.dll (AG Interactive)
    O3 - HKCU\..\Toolbar\WebBrowser: (Kiwee Toolbar) - {6638A9DE-0745-4292-8A2E-AE530E7B9B3F} - C:\Program Files (x86)\Kiwee Toolbar\2.8.167\KiweeIEToolbar.dll (AG Interactive)
    O4 - HKLM..\Run: [KiweeHook] C:\Program Files (x86)\Kiwee Toolbar\2.8.167\kwtbaim.exe (AG Interactive)
    O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get.../ultrashim.cab (Reg Error: Key error.)
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
    O33 - MountPoints2\{167c2893-2e39-11dd-ac34-806e6f6e6963}\Shell - "" = AutoRun
    O33 - MountPoints2\{167c2893-2e39-11dd-ac34-806e6f6e6963}\Shell\AutoRun\command - "" = E:\Autodisable.exe -- [2005/07/07 18:12:51 | 000,040,960 | R--- | M] ()
    O33 - MountPoints2\{1e3ee03e-a2b4-11dd-8a73-001fc68a00cc}\Shell - "" = AutoRun
    O33 - MountPoints2\{1e3ee03e-a2b4-11dd-8a73-001fc68a00cc}\Shell\AutoRun\command - "" = M:\LaunchU3.exe -- File not found
    O33 - MountPoints2\{49bd90a3-c249-11dd-9699-001fc68a00cc}\Shell - "" = AutoRun
    O33 - MountPoints2\{49bd90a3-c249-11dd-9699-001fc68a00cc}\Shell\AutoRun\command - "" = K:\LaunchU3.exe -- File not found
    O33 - MountPoints2\M\Shell - "" = AutoRun
    O33 - MountPoints2\M\Shell\AutoRun\command - "" = M:\LaunchU3.exe -- File not found
    [2010/02/14 22:18:32 | 000,000,000 | ---D | C] -- C:\Users\Judy Holsclaw\AppData\Local\Kiwee Toolbar
    [2010/02/22 20:58:15 | 000,009,870 | -HS- | M] () -- C:\Users\Judy Holsclaw\AppData\Local\e1wnOl
    [2008/11/14 23:28:13 | 000,034,304 | ---- | C] () -- C:\Users\Judy Holsclaw\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    @Alternate Data Stream - 126 bytes -> C:\ProgramData\TEMP:9D718DA3
    :commands
    [emptytemp]
    [purity]
    [EMPTYFLASH]

Return to OTL, right click in the Custom Scans/Fixes window (under the blue bar) and choose Paste.
http://img.photobucket.com/albums/v708/starbuck50/new%20forum/scan-fix.png
Click the red Run Fix button.
http://img.photobucket.com/albums/v708/starbuck50/runfixbutton.png
OTL will reboot your system once the fix has completed.
After the reboot, you may need to double click OTL to launch the program and retrieve the log.
Copy and paste the contents of the OTL log that comes up after the fix in your next reply.

Thanks
-
Hi Jamie,

Shame there were no restore points to work with, might have saved us a bit of work.
I'll go back to the drawing board and see if I can uncover anything.
-
Hi Judy,

Thanks for the explanation. I didn't want to remove anything that was actually legit..... now I know that 'Trojans' is the name of the team.
http://fc06.deviantart.com/fs4/i/2004/250/7/1/ROFL_by_b4sti.gif
Back soon.
-
Hi nuley,

Step 1
Let's grab a couple of files for analysis.
Close any open browsers.
Close/disable all anti virus, firewall and anti malware programs so they do not interfere with the running of ComboFix:
Open Notepad - it must be Notepad, not Wordpad.
Copy the text below in the code box by highlighting all the text and pressing Ctrl+C

    Collect::
    c:\windows\Bmimu.dat
    c:\windows\Bxelanulamo.bin
    File::
    c:\windows\system32\mlfcache.dat

Go to the Notepad window and click Edit >> Paste
Then click File >> Save
Name the file "CFScript.txt" (including the quotes)
Save the file to your Desktop
The main ComboFix.exe program should be on your Desktop
Drag the file you just created... CFScript.txt and drop it on the main ComboFix.exe icon as below.
http://i275.photobucket.com/albums/jj285/Bleeping/Combofix/cf.gif
Now please wait for ComboFix to finish running.
When Combofix has completed, a box will appear asking you to submit files for further analysis. Please ensure you are connected to the internet and click OK.
http://img.photobucket.com/albums/v708/starbuck50/new/cfsub.png
In the event that the upload site may be offline, you will see the following message...
http://img.photobucket.com/albums/v708/starbuck50/new/cfsub2.png
You can manually submit the files by navigating to: C:\CF-Submit.htm and double clicking to submit the files.
Note: ComboFix's log shall pop up only after the upload routine has finished running.

Step 2
I'd still recommend running 'exeHelper', it'll help to correct a few things on your system:
Please download exeHelper to your desktop.
If your AV program throws up a warning about the program, ignore the warning. Some AVs flag this program because of how it works... that's all.
Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of exehelperlog.txt (it will be created in the directory where you ran exeHelper.com and should open at the end of the scan).
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

Step 3
Download OTL to your desktop.
If you have problems, try this download link: OTL
Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
When the window appears, underneath Output at the top change it to Minimal Output.
Check the boxes beside LOP Check and Purity Check.
http://img.photobucket.com/albums/v708/starbuck50/new/newOtl2.png
Now copy the lines in the codebox below.

    netsvcs
    msconfig
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    /md5stop
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    CREATERESTOREPOINT

Right click in the Custom Scans/Fixes window (under the blue bar) and choose Paste.
http://img.photobucket.com/albums/v708/starbuck50/new%20forum/scan-fix.png
Click the Run Scan button.
http://img.photobucket.com/albums/v708/starbuck50/runscan.png
Do not change any settings unless otherwise told to do so. The scan won't take long.
When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply.

In your next reply, please submit:
New combofix.txt
exehelperlog.txt
Both reports from OTL. (If they are too big to post, feel free to add them as attachments.)

Thanks.
-
Hi Jamie,

Seems both 'Boro' and 'Swansea' weren't up to it today. :(
I'm going to have a look over all the reports tomorrow to see if I've missed anything and also to check to see if there's a way around this 'looping'.
We can't just throw the towel in after all this work. :cool:

Edit: ok, back sooner than I thought.
Seems the author of OTLpe has added the possibility of using the restore points to restore the registry hives.
Run this custom scan and hopefully it will list all your restore points.
Also let me know when was the last time that the system was running perfectly normal.
Start OTLpe again.
At the top click on 'None'.
Under the Custom Scan box paste this in:

    restorepoints

Click on the 'Scan' button.
This will only produce a report showing the restorepoints, it won't run a full scan.
Let it run and do not interrupt it. It might take some time depending on how many restore points are found.
-
Hi Judy,

You posted just fine, thanks.
Don't worry if you can't post or reply straight away.... we're not going anywhere. :)
While I go through the report, can you post the extra.txt..... there should be a copy on your desktop.
Could you also explain this please:
O24 - Desktop WallPaper: C:\Users\Judy Holsclaw\Pictures\trojans 2009 cody\andy cody 6.jpg
Did you create this folder?

Thanks.
-
Right, it would seem that the malware has affected files with an .exe extension. This is becoming quite common.
You could try altering the combofix extension to .com (it should still run) but failing that try this:

Please download exeHelper to your desktop.
If your AV program throws up a warning about the program, ignore the warning. Some AVs flag this program because of how it works... that's all.
Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of exehelperlog.txt (it will be created in the directory where you ran exeHelper.com and should open at the end of the scan).
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

Thanks
-
Hi Judy

Download OTL to your desktop.
If you have problems, try this download link: OTL
Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
When the window appears, underneath Output at the top change it to Minimal Output.
Check the boxes beside LOP Check and Purity Check.
http://img.photobucket.com/albums/v708/starbuck50/new/newOtl2.png
Now copy the lines in the codebox below.

    netsvcs
    msconfig
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    /md5stop
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    CREATERESTOREPOINT

Right click in the Custom Scans/Fixes window (under the blue bar) and choose Paste.
http://img.photobucket.com/albums/v708/starbuck50/new%20forum/scan-fix.png
Click the Run Scan button.
http://img.photobucket.com/albums/v708/starbuck50/runscan.png
Do not change any settings unless otherwise told to do so. The scan won't take long.
When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply.
If they are too large to post, add them as attachments and I'll take it from there.

Thanks
-
Hi nuley

Step 1
Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.
Link 1
Link 2
http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_FF.gif
http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_rename.gif
This is an example, you may rename ComboFix to anything you want.
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with the running of ComboFix.
For more information read: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs
Then:
Double click on Combo-Fix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
If running Vista, you may not see this screen.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
http://img.photobucket.com/albums/v706/ried7/whatnext.png
Click on Yes, to continue scanning for malware.
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Thanks
-
Hi borojamie

In a PE environment only bare minimum drivers are added, that's why a USB stick will work but maybe not your portable HD.
Ah right, now I understand the 'Boro' in your username. ;)
Living just outside Swansea, we don't talk about Cardiff as a football team!
http://fc06.deviantart.com/fs4/i/2004/250/7/1/ROFL_by_b4sti.gif
If the F10 method doesn't give you the reformat into NTFS option, it can be done afterwards:
XP: Convert Fat32 to NTFS | Windows | Tech-Recipes

Let's see if this helps us:
Open Notepad - it must be Notepad, not Wordpad.
Copy the text below in the code box by highlighting all the text and pressing Ctrl+C

    :Otl
    DRV - File not found [Kernel | On_Demand] -- -- (SYMIDSCO)
    O20 - AppInit_DLLs: (pulasiya.dll) - File not found
    O20 - AppInit_DLLs: (c:\windows\system32\jozavuyo.dll) - C:\WINDOWS\System32\jozavuyo.dll File not found
    O20 - AppInit_DLLs: (c:\windows\system32\jukabama.dll) - C:\WINDOWS\System32\jukabama.dll File not found
    O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\sdra64.exe) - C:\WINDOWS\System32\sdra64.exe File not found
    O21 - SSODL: kedilizos - {80ee93a7-48fb-47e4-acb5-3a5b1de435cb} - C:\WINDOWS\System32\jukabama.dll File not found
    O21 - SSODL: wulinuned - {5156fb13-d1e6-451c-9839-5e758268ec36} - C:\WINDOWS\System32\jozavuyo.dll File not found
    O22 - SharedTaskScheduler: {5156fb13-d1e6-451c-9839-5e758268ec36} - kupuhivus - C:\WINDOWS\System32\jozavuyo.dll File not found
    O22 - SharedTaskScheduler: {80ee93a7-48fb-47e4-acb5-3a5b1de435cb} - mujuzedij - C:\WINDOWS\System32\jukabama.dll File not found
    [2010/02/22 22:45:09 | 000,038,400 | ---- | C] (Rox) -- C:\WINDOWS\System32\byxo7.dll
    [2010/02/21 20:13:36 | 000,038,400 | ---- | C] (Rox) -- C:\WINDOWS\System32\svsnjleie4.dll
    :commands
    [emptytemp]

Go to the Notepad window and click Edit >> Paste
Then click File >> Save
Name the file fix.txt
Save the file to a USB stick.
Start OTLPE as you did previously from CD
Insert your USB drive with fix.txt on it
Start OTLPE
Drag and drop fix.txt into the Custom scans and fixes box
If you cannot drag and drop for some reason, then press the Run Fix button and a dialogue box will pop up asking for the location - select the file on your USB drive
Then click the Run Fix button at the top
Let the program run unhindered, reboot when it is done to normal mode if possible

BTW: a copy of Otl should have been placed on your windows system.
If you do get into windows, check for:
C:\Otl.exe
Fix.txt
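The OTL entries quoted in the posts above (a process and a Run key pointing into a Temp folder, AppInit_DLLs and Winlogon UserInit values whose targets are missing, AutoRun handlers under MountPoints2, BHOs with no CLSID) are the kind of lines a helper picks out by eye. The script below is an added example, not part of Starbuck's posts and not part of the OTL tool: a small Python triage pass that reads OTL-style report lines and flags those patterns so a defender can see which entries deserve a closer look. The sample report is constructed from the line shapes shown in the thread, and the heuristics, regexes and function names are this example's own assumptions.

```python
import re
from typing import List, Tuple

# Constructed sample in the style of an OTL report, modelled on the entries
# quoted in the posts above. One clean Winlogon UserInit line is included so
# the legitimate case is exercised alongside the hijacked one.
SAMPLE_REPORT = r"""
PRC - C:\Documents and Settings\Kathy\Local Settings\Temp\Tjl.exe ()
O4 - HKCU..\Run: [TOY5KNQ8OC] C:\Documents and Settings\Kathy\Local Settings\Temp\Tjl.exe ()
O4 - HKLM..\Run: [KiweeHook] C:\Program Files (x86)\Kiwee Toolbar\2.8.167\kwtbaim.exe (AG Interactive)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O20 - AppInit_DLLs: (pulasiya.dll) - File not found
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\sdra64.exe) - C:\WINDOWS\System32\sdra64.exe File not found
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\System32\userinit.exe (Microsoft Corporation)
O33 - MountPoints2\{167c2893-2e39-11dd-ac34-806e6f6e6963}\Shell - "" = AutoRun
O33 - MountPoints2\{167c2893-2e39-11dd-ac34-806e6f6e6963}\Shell\AutoRun\command - "" = E:\Autodisable.exe -- [2005/07/07 18:12:51 | 000,040,960 | R--- | M] ()
O33 - MountPoints2\{1e3ee03e-a2b4-11dd-8a73-001fc68a00cc}\Shell\AutoRun\command - "" = M:\LaunchU3.exe -- File not found
"""

# Heuristics (assumptions of this example, not OTL's own classification).
TEMP_EXE_RE = re.compile(r"\\temp\\[^\\]+\.exe\b", re.IGNORECASE)
NO_VENDOR_RE = re.compile(r"\.exe \(\)\s*$", re.IGNORECASE)
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: \((?P<dll>[^)]*)\)")
USERINIT_RE = re.compile(r"^O20 - HKLM Winlogon: UserInit - \((?P<path>[^)]*)\)")
AUTORUN_CMD_RE = re.compile(
    r'^O33 - MountPoints2\\.+?\\Shell\\AutoRun\\command - "" = (?P<cmd>\S+)'
)


def triage_line(line: str) -> List[str]:
    """Return the list of reasons a single OTL line deserves attention
    (empty list when none of the heuristics fire)."""
    reasons: List[str] = []
    # Executables launched from a user's Temp folder are rarely legitimate.
    if TEMP_EXE_RE.search(line):
        reasons.append("executable launched from a Temp directory")
    # OTL prints the publisher in trailing parentheses; "()" means none.
    if line.startswith(("PRC", "O4")) and NO_VENDOR_RE.search(line):
        reasons.append("process/Run entry with no publisher name")
    m = APPINIT_RE.match(line)
    if m:
        detail = ", target missing" if "File not found" in line else ""
        reasons.append(f"AppInit_DLLs entry ({m.group('dll')}){detail}")
    m = USERINIT_RE.match(line)
    if m and not m.group("path").lower().endswith("\\userinit.exe"):
        reasons.append("Winlogon UserInit does not point at userinit.exe")
    m = AUTORUN_CMD_RE.match(line)
    if m:
        reasons.append(f"AutoRun handler on a mounted volume: {m.group('cmd')}")
    if line.startswith(("O2", "O3")) and "No CLSID value found" in line:
        reasons.append("orphaned BHO/toolbar registration")
    return reasons


def triage_report(text: str) -> List[Tuple[str, List[str]]]:
    """Run triage_line over every non-empty line; keep only flagged lines."""
    findings: List[Tuple[str, List[str]]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        reasons = triage_line(line)
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for flagged, why in triage_report(SAMPLE_REPORT):
        print(flagged[:72])
        for reason in why:
            print("   ->", reason)
```

On the constructed sample this flags seven lines; the Kiwee toolbar entries and the genuine userinit.exe line pass through untouched, which is the point: the heuristics pick out the shapes helpers look for first (Temp-folder executables, dangling AppInit/UserInit values, AutoRun handlers, orphaned CLSIDs) rather than deciding what is malicious, so a flagged line is a prompt to investigate, not a verdict.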
-
IE will always be targeted by the malware guys, simply because they don't like Microsoft. But if it's kept up to date with all the MS updates, it should be ok.
Firefox was the preferred browser for a long time, but that is now being targeted.... by the 'Goored' malware. That said, it's still my preferred browser.
For added security, add the NoScript extension to this browser: Allow active content to run only from sites you trust, and protect yourself against XSS and Clickjacking attacks.
Also consider adding: WOT - Safe Browsing Tool. Web of Trust warns you about risky sites that cheat customers, deliver malware or send spam. Millions of members of the WOT community rate sites based on their experience, giving you an extra layer of protection when browsing or searching the Web.
Opera is also an excellent choice.
I have all 3 of these installed. Some sites work better in different browsers.
-
Hi borojamie,

Ok, let's see what we have:
Rea2Go uses WindowBlinds when creating the PE environment. It's just a skin option that can be set. I haven't seen that message come up any of the times I've run the CD so I'm not sure why it would come up. But, it's nothing to worry about.
Our first concern is to always try and clean a m/c, if that isn't possible or it's an inconvenience for the member.... then a reformat/reinstall is the answer.
Do you have a 'Windows installation' disc? Or is your backup on a partition on the hard drive?
Let me have your pc make and model... and I'll look the info up for you.
No problem, I can give you this and other security info when you are ready.
Please remember though... All security programs are good up to a point. There isn't a single program that can stop everything. The security vendors can only add definitions for what they have available. The bad guys are getting good at hiding their programs, so it takes the security vendors longer to find out what to block.
-
Seems fine are the operative words here.
Like I said earlier, these files were not present in the original scans, so may have been removed by one of your security programs.
If these files had been present in the original scans..... I may well have suggested that you reformat/re-install.
With this type of infection, you can never give a 100% clean report and because of this, we can't say that the system is to be trusted.
This type of malware can hide away, we may think we've got it all...... but have we?
If you use this system for online banking on a regular basis.... I'd say nuke and start again. This would be in your own best interest.
-
The big problem I have with IE is that it's a case of WYSIWYG (what you see is what you get). Other browsers can be customized into looking like you want them to... or doing what you want them to. Some of the addons for Firefox are a godsend in my job.