
Starbuck

Everything posted by Starbuck

  1. Hi borojamie

     The only problem with running scans and fixes in a PE environment is that we can't see any 'Processes' that will run with Windows. If there's a malicious process, we can't detect it. This may be what's happening here. Without being able to get a scan done whilst Windows is running we could end up going around in circles. It's odd that we clear out all the bad files we can see, but the problem continues.

     Just to point one thing out to you: running FAT32 is very insecure nowadays. If you did decide to go with a reformat/re-install .... make sure that you reformat the system to NTFS. It's a lot more secure and will give you a lot of added security features.
  2. Hi thingameejig,

     This is actually related to 'Internet Security 2010'. This is why sometimes we recommend a reformat/re-install .... there isn't a single program that will find every bad file/folder, we have to use so many. The programs we use all search in different ways; that's why some programs find things and some miss things.

     In another thread I'm working on, someone else was having connection problems (they were on BT as well). It seems they checked with BT and it turns out that BT are upgrading their system at the moment and some small problems are bound to occur.
  3. Hi borojamie

     Nice work :)

     Now try the previous instructions for ComboFix. Let's see if we can get that to run.

     I'm working away for the next 2 days, so won't be able to answer as much.
  4. Hi borojamie

     Yep, make sure that :Otl is on the first line.

     Let's give this new fix a try and if we get nowhere.... we can always fall back on that. Just take what is necessary and also make sure you scan everything before putting it back on.

     I've re-written the fix (slightly different this time). Give it a try; I'll also add an attachment if it makes things easier for you.

     Open Notepad - it must be Notepad, not Wordpad.
     Copy the text below in the code box by highlighting all the text and pressing Ctrl+C

         :Otl
         O21 - SSODL: kedilizos - {80ee93a7-48fb-47e4-acb5-3a5b1de435cb} - C:\WINDOWS\system32\jukabama.dll ()
         O21 - SSODL: wulinuned - {5156fb13-d1e6-451c-9839-5e758268ec36} - C:\WINDOWS\System32\jozavuyo.dll File not found
         O22 - SharedTaskScheduler: {5156fb13-d1e6-451c-9839-5e758268ec36} - kupuhivus - C:\WINDOWS\System32\jozavuyo.dll File not found
         O22 - SharedTaskScheduler: {80ee93a7-48fb-47e4-acb5-3a5b1de435cb} - mujuzedij - C:\WINDOWS\system32\jukabama.dll ()
         :Files
         C:\WINDOWS\System32\lowsec
         C:\WINDOWS\System32\pulasiya.dll
         C:\WINDOWS\System32\jozavuyo.dll
         C:\WINDOWS\system32\jukabama.dll
         C:\WINDOWS\system32\sdra64.exe
         C:\WINDOWS\System32\rireluho
         C:\WINDOWS\System32\nynw.wmo
         C:\WINDOWS\tasks\twkotokz.job
         C:\WINDOWS\System32\jukabama.dll
         C:\WINDOWS\System32\polekove.dll
         C:\WINDOWS\System32\nudeleze.dll
         C:\WINDOWS\System32\dijanumo.dll
         C:\WINDOWS\System32\kiyerili.dll
         C:\WINDOWS\System32\hzriuq
         C:\WINDOWS\System32\guwinoda.dll
         C:\WINDOWS\System32\begajetu.dll
         C:\WINDOWS\System32\nupuyuho.dll
         C:\WINDOWS\System32\jwespw
         C:\WINDOWS\System32\svae.jpg
         C:\WINDOWS\System32\kayugibu.dll
         C:\WINDOWS\System32\hofohulu.dll
         C:\WINDOWS\System32\bebufizu.dll
         C:\WINDOWS\System32\zuseyubu.dll
         C:\WINDOWS\System32\dasulelo.dll
         C:\WINDOWS\System32\wipotazi.dll
         C:\WINDOWS\System32\rogavove.dll
         C:\WINDOWS\System32\funebaro.dll
         C:\WINDOWS\System32\bavopipi.dll
         C:\WINDOWS\System32\sudimiyi.dll
         C:\WINDOWS\System32\bahezefi.dll
         C:\WINDOWS\System32\zenemala.dll
         C:\WINDOWS\System32\rireluho
         C:\Documents and Settings\Jamie Panico\Local Settings\Application Data\Q8T6845
         C:\WINDOWS\xobglu16.dll
         :Reg
         [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
         "appinit_dlls"=""
         :Commands
         [purity]
         [emptytemp]
         [Reboot]

     Go to the Notepad window and click Edit >> Paste
     Then click File >> Save
     Name the file fix.txt
     Save the file to a USB stick.

     Start OTLPE as you did previously from CD
     Insert your USB drive with fix.txt on it
     Start OTLPE
     Drag and drop fix.txt into the Custom scans and fixes box
     If you cannot drag and drop for some reason, then press the Run Fix button and a dialogue box will pop up asking for the location - select the file on your USB drive
     Then click the Run Fix button at the top
     Let the program run unhindered, reboot when it is done to normal mode if possible
     Then post a new OTL log (don't check the boxes beside LOP Check or Purity this time)

     Thanks

     fix.txt
  5. Hi borojamie

     Because the first part of the last fix didn't run correctly, the malware has re-spawned. I'll go through everything and write a fresh fix.

     Back later.
  6. http://fc08.deviantart.net/fs44/f/2009/125/8/d/Washing_Machine_Tard_by_DrM94.gif
  7. Hi Tcdewe

     If the suggestions posted by Jelly Bean don't solve the problem, follow this step:

     Download OTL to your desktop. If you have problems, try this download link: OTL
     Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
     When the window appears, underneath Output at the top change it to Minimal Output.
     Check the boxes beside LOP Check and Purity Check.
     http://img.photobucket.com/albums/v708/starbuck50/new/newOtl2.png
     Now copy the lines in the codebox below.

         netsvcs
         msconfig
         %SYSTEMDRIVE%\*.exe
         /md5start
         eventlog.dll
         scecli.dll
         netlogon.dll
         cngaudit.dll
         sceclt.dll
         ntelogon.dll
         logevent.dll
         iaStor.sys
         nvstor.sys
         atapi.sys
         IdeChnDr.sys
         viasraid.sys
         AGP440.sys
         vaxscsi.sys
         nvatabus.sys
         viamraid.sys
         nvata.sys
         nvgts.sys
         iastorv.sys
         ViPrt.sys
         eNetHook.dll
         ahcix86.sys
         KR10N.sys
         nvstor32.sys
         ahcix86s.sys
         nvrd32.sys
         symmpi.sys
         adp3132.sys
         /md5stop
         %systemroot%\*. /mp /s
         %systemroot%\system32\*.dll /lockedfiles
         %systemroot%\Tasks\*.job /lockedfiles
         %systemroot%\system32\drivers\*.sys /lockedfiles
         CREATERESTOREPOINT

     Right click in the Custom Scans/Fixes window (under the blue bar) and choose Paste.
     http://img.photobucket.com/albums/v708/starbuck50/new%20forum/scan-fix.png
     Click the Run Scan button.
     http://img.photobucket.com/albums/v708/starbuck50/runscan.png
     Do not change any settings unless otherwise told to do so. The scan won't take long.
     When the scan completes, it will open two notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
     Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply.

     Thanks
  8. Sorry, my mistake, I thought you had MBAM installed. That's what happens when you work too many logs at once.

     Please download Malwarebytes Anti-Malware and save it to your desktop.
     Make sure you are connected to the Internet.
     Double-click on Download_mbam-setup.exe to install the application.
     When the installation begins, follow the prompts and do not make any changes to default settings.
     When installation has finished, make sure you leave both of these checked:
       - Update Malwarebytes' Anti-Malware
       - Launch Malwarebytes' Anti-Malware
     - Then click Finish.
     - MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
     - On the Scanner tab: make sure the "Perform Full Scan" option is selected. Then click on the Scan button.
     - If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
     - The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
     - When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
     - Click OK to close the message box and continue with the removal process.
     - Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
     - Make sure that everything is checked, and click Remove Selected.
     - When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
     - The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
     - Copy and paste the contents of that report in your next reply and exit MBAM.

     Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

     Let me have the report after the scan.

     Thanks
  9. Re-run Otlpe again, only this time just click on 'Scan' .... don't run a fix.

     Let me have the report that comes up.

     Thanks.
  10. This would normally happen if you forgot to add the : before Otl in the fix.

     As you can run the OS, try this:

     Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.
     Link 1
     Link 2
     http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_FF.gif
     http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_rename.gif
     This is an example, you may rename ComboFix to anything you want.

     Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with the running of ComboFix.
     For more information read: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

     Then:
     Double click on Combo-Fix.exe & follow the prompts.
     As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
     If running Vista, you may not see this screen.
     Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
     Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
     http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif
     Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
     http://img.photobucket.com/albums/v706/ried7/whatnext.png
     Click on Yes, to continue scanning for malware.
     When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

     Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
  11. I've moved your thread to this forum so that we can get some more detailed information. Please follow the steps below.

     Step 1
     Download TFC by OldTimer to your desktop
     Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
     It will close all programs when run, so make sure you have saved all your work before you begin.
     Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
     Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

     Step 2
     Please download Malwarebytes Anti-Malware and save it to your desktop.
     Make sure you are connected to the Internet.
     Double-click on Download_mbam-setup.exe to install the application.
     When the installation begins, follow the prompts and do not make any changes to default settings.
     When installation has finished, make sure you leave both of these checked:
       - Update Malwarebytes' Anti-Malware
       - Launch Malwarebytes' Anti-Malware
     - Then click Finish.
     - MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
     - On the Scanner tab: make sure the "Perform Full Scan" option is selected. Then click on the Scan button.
     - If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
     - The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
     - When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
     - Click OK to close the message box and continue with the removal process.
     - Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
     - Make sure that everything is checked, and click Remove Selected.
     - When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
     - The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
     - Copy and paste the contents of that report in your next reply and exit MBAM.

     Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

     Step 3
     Download OTL to your desktop. If you have problems, try this download link: OTL
     Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
     When the window appears, underneath Output at the top change it to Minimal Output.
     Check the boxes beside LOP Check and Purity Check.
     http://img.photobucket.com/albums/v708/starbuck50/new/newOtl2.png
     Now copy the lines in the codebox below.

         netsvcs
         msconfig
         %SYSTEMDRIVE%\*.exe
         /md5start
         eventlog.dll
         scecli.dll
         netlogon.dll
         cngaudit.dll
         sceclt.dll
         ntelogon.dll
         logevent.dll
         iaStor.sys
         nvstor.sys
         atapi.sys
         IdeChnDr.sys
         viasraid.sys
         AGP440.sys
         vaxscsi.sys
         nvatabus.sys
         viamraid.sys
         nvata.sys
         nvgts.sys
         iastorv.sys
         ViPrt.sys
         eNetHook.dll
         ahcix86.sys
         KR10N.sys
         nvstor32.sys
         ahcix86s.sys
         nvrd32.sys
         symmpi.sys
         adp3132.sys
         /md5stop
         %systemroot%\*. /mp /s
         %systemroot%\system32\*.dll /lockedfiles
         %systemroot%\Tasks\*.job /lockedfiles
         %systemroot%\system32\drivers\*.sys /lockedfiles
         CREATERESTOREPOINT

     Right click in the Custom Scans/Fixes window (under the blue bar) and choose Paste.
     http://img.photobucket.com/albums/v708/starbuck50/new%20forum/scan-fix.png
     Click the Run Scan button.
     http://img.photobucket.com/albums/v708/starbuck50/runscan.png
     Do not change any settings unless otherwise told to do so. The scan won't take long.
     When the scan completes, it will open two notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
     Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply.

     In your next reply, please submit:
     MBAM scan report
     Both reports from OTL

     Thanks.
  12. Hi thingameejig

     Catchme isn't a trojan, it's part of one of our cleaning tools .... but some programs may flag it as such because of how it works.

     GASF
     Internet security 2010
     These are interesting though.

     GASF is associated with the TDSS rootkit, which is designed to steal information. I suspect that this may have been removed by one of your security programs prior to us checking. Combofix is very good at detecting this rootkit, but didn't find anything. It may be that there's a registry entry still lying around somewhere. This is the problem with these types of rootkits. If we had seen this in the reports we would normally have recommended a reformat/reinstall to make sure it was removed completely. There is a tool designed specifically to search for this, it wouldn't hurt to run that.

     Internet security 2010 is a rogue program, but none of the scans detected it ... maybe this is just registry remnants again.

     Like I say, these may have been removed by one of your security programs and may have just left a few orphan entries in the registry. Let's take a look to be on the safe side.

     Step 1
     Download TDSSKiller and save it to your Desktop.
     Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
     Click on Start >> Run (or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

         "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

     If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
     When it is done, a log file should be created on your C: drive called "TDSSKiller.txt". Please copy and paste the contents of that file here.

     Step 2
     Please update MBAM and run another scan:
     Start MBAM
     Click on the Update tab >> click Search for Updates
     If it says that MBAM needs to close to update it... let it close and then restart it.
     On restart >> click the Scan button.

     Don't forget: let me have both reports and we'll check that everything has gone.

     Thanks.
  13. It all depends .... do you actually use those programs? I only ever keep what I need to use. And only you know what you actually need.
  14. Hi thingameejig

     There was no actual Keylogger showing in the reports, maybe it was just a program that shows signs of working like a keylogger. Sounds odd I know, but I actually use a couple. The main program I use for storing/copying and pasting my canned speeches is sometimes thrown up as a keylogger, but it's not.... but it has the ability to use keyboard shortcuts.

     You did have a couple of problems, but they have now been sorted. We beat Eset to these as we had already reset your hosts file. :)

     No, each system has to be treated differently. Never use the same fix for another system. Feel free to start a new thread for the other systems and we'll be glad to take a look for you.

     If your system seems to be running ok, we'll finish off the cleaning.

     So....... everything ok now?
  15. Hi borojamie

     Ok, you don't need me to tell you that your pc is very infected. Some of the files found may well have been trying to steal your details, so it may be in your best interest to think about a reformat and re-install.

     This fix should knock a big hole in the malware and give us a chance for you to think about things and maybe save what you want from your system.

     Open Notepad - it must be Notepad, not Wordpad.
     Copy the text below in the code box by highlighting all the text and pressing Ctrl+C (make sure you include the first lot of : )

         :Otl
         IE - HKU\.DEFAULT\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Error: Key error. File not found
         O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
         O2 - BHO: (Internet Explorer Plugin) - {1DAA3B2E-65DF-4DA6-83C1-50B52ECD0E55} - C:\WINDOWS\System32\duivqwenq8.dll (Rox)
         O3 - HKLM\..\Toolbar: (no name) - - No CLSID value found.
         O4 - HKLM..\Run: [] File not found
         O4 - HKLM..\Run: [bisosonew] C:\WINDOWS\System32\jozavuyo.DLL ()
         O4 - HKLM..\Run: [nonep] C:\Documents and Settings\Jamie Panico\Local Settings\Temp\miu6C.tmp.exe ()
         O4 - HKU\Jamie_Panico_ON_C..\Run: [asg984jgkfmgasi8ug98jgkfgfb] C:\DOCUME~1\JAMIEP~1\LOCALS~1\Temp\setup.exe File not found
         O9 - Extra Button: PartyCasino - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - Reg Error: Value error. File not found
         O9 - Extra 'Tools' menuitem : PartyCasino - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - Reg Error: Value error. File not found
         O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get.../ultrashim.cab (Reg Error: Key error.)
         O20 - AppInit_DLLs: (pulasiya.dll) - C:\WINDOWS\System32\pulasiya.dll ()
         O20 - AppInit_DLLs: (c:\windows\system32\jozavuyo.dll) - C:\WINDOWS\system32\jozavuyo.dll ()
         O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\sdra64.exe) - C:\WINDOWS\system32\sdra64.exe (Uzxepyilpoy)
         O21 - SSODL: wulinuned - {5156fb13-d1e6-451c-9839-5e758268ec36} - C:\WINDOWS\system32\jozavuyo.dll ()
         O22 - SharedTaskScheduler: {5156fb13-d1e6-451c-9839-5e758268ec36} - kupuhivus - C:\WINDOWS\system32\jozavuyo.dll ()
         [2010/02/22 23:22:41 | 000,038,400 | ---- | C] (Rox) -- C:\WINDOWS\System32\duivqwenq8.dll
         [2010/02/22 22:45:09 | 000,038,400 | ---- | C] (Rox) -- C:\WINDOWS\System32\byxo7.dll
         [2010/02/21 20:13:36 | 000,038,400 | ---- | C] (Rox) -- C:\WINDOWS\System32\svsnjleie4.dll
         [2010/02/18 01:08:47 | 000,000,000 | -HSD | C] -- C:\WINDOWS\System32\lowsec
         [2010/02/23 23:02:38 | 000,006,456 | -H-- | M] () -- C:\WINDOWS\System32\rireluho
         [2010/02/23 23:00:08 | 000,000,296 | ---- | M] () -- C:\WINDOWS\tasks\agtttnsf.job
         [2010/02/23 17:21:08 | 000,093,184 | -HS- | M] () -- C:\WINDOWS\System32\jozavuyo.dll
         [2010/02/23 17:21:08 | 000,039,424 | -HS- | M] () -- C:\WINDOWS\System32\kiyerili.dll
         [2010/02/22 23:22:44 | 000,022,568 | ---- | M] () -- C:\WINDOWS\System32\hzriuq
         [2010/02/22 23:22:42 | 000,049,664 | ---- | M] () -- C:\WINDOWS\System32\svae.jpg
         [2010/02/22 19:03:36 | 000,093,696 | -HS- | M] () -- C:\WINDOWS\System32\dorehimo.dll
         [2010/02/22 19:03:36 | 000,070,656 | -HS- | M] () -- C:\WINDOWS\System32\wobowedi.dll
         [2010/02/22 19:03:36 | 000,039,424 | -HS- | M] () -- C:\WINDOWS\System32\guwinoda.dll
         [2010/02/22 07:03:14 | 000,092,672 | -HS- | M] () -- C:\WINDOWS\System32\begajetu.dll
         [2010/02/22 07:03:14 | 000,039,424 | -HS- | M] () -- C:\WINDOWS\System32\nupuyuho.dll
         [2010/02/21 20:13:38 | 000,016,241 | ---- | M] () -- C:\WINDOWS\System32\jwespw
         [2010/02/21 19:05:46 | 000,053,760 | -HS- | M] () -- C:\WINDOWS\System32\kayugibu.dll
         [2010/02/21 19:05:44 | 000,053,760 | -HS- | M] () -- C:\WINDOWS\System32\pulasiya.dll
         [2010/02/21 19:05:44 | 000,053,760 | -HS- | M] () -- C:\WINDOWS\System32\hofohulu.dll
         [2010/02/21 19:05:00 | 000,092,672 | -HS- | M] () -- C:\WINDOWS\System32\zuseyubu.dll
         [2010/02/21 19:05:00 | 000,053,760 | -HS- | M] () -- C:\WINDOWS\System32\dasulelo.dll
         [2010/02/21 19:05:00 | 000,045,568 | -HS- | M] () -- C:\WINDOWS\System32\bebufizu.dll
         [2010/02/21 19:05:00 | 000,039,424 | -HS- | M] () -- C:\WINDOWS\System32\wipotazi.dll
         [2010/02/18 20:16:32 | 000,002,713 | -HS- | M] () -- C:\WINDOWS\System32\rogavove.dll
         [2010/02/18 20:16:32 | 000,002,713 | -HS- | M] () -- C:\WINDOWS\System32\funebaro.dll
         [2010/02/18 20:16:24 | 000,057,344 | -HS- | M] () -- C:\WINDOWS\System32\bavopipi.dll
         [2010/02/18 20:16:24 | 000,045,568 | -HS- | M] () -- C:\WINDOWS\System32\sudimiyi.dll
         [2010/02/18 16:58:06 | 000,039,424 | ---- | M] () -- C:\WINDOWS\System32\bahezefi.dll
         [2010/02/18 16:58:00 | 000,093,184 | ---- | M] () -- C:\WINDOWS\System32\zenemala.dll
         [2010/02/16 00:35:46 | 000,210,432 | ---- | M] () -- C:\Documents and Settings\Jamie Panico\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
         [2010/02/18 01:08:33 | 000,005,748 | -HS- | C] () -- C:\Documents and Settings\Jamie Panico\Local Settings\Application Data\Q8T6845
         :Files
         c:\documents and settings\jamie panico\local settings\temp\ygkafmgx.exe
         c:\documents and settings\jamie panico\local settings\temp\vwwixjz.exe
         c:\documents and settings\jamie panico\local settings\temp\msinits.exe
         c:\documents and settings\jamie panico\local settings\temp\c4531278.tmp
         c:\documents and settings\jamie panico\local settings\temp\e.exe
         c:\windows\system32\penarutu.dll.tmp
         c:\windows\system32\bevimahu.dll.tmp
         c:\windows\system32\perohapi.dll.tmp
         c:\documents and settings\jamie panico\local settings\temp\mdm.exe
         c:\documents and settings\jamie panico\local settings\temp\notepad.exe

     Go to the Notepad window and click Edit >> Paste
     Then click File >> Save
     Name the file... fix.txt
     Save the file to a USB stick.

     Start OTLPE as you did previously from CD
     Insert your USB drive with fix.txt on it
     Start OTLPE
     Drag and drop fix.txt into the Custom scans and fixes box
     If you cannot drag and drop for some reason, then press the Run Fix button and a dialogue box will pop up asking for the location - select the file on your USB drive
     Then click the Run Fix button at the top
     Let the program run unhindered, reboot when it is done to normal mode if possible
     Then post a new OTL log (don't check the boxes beside LOP Check or Purity this time)
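An added check, not part of Starbuck's posts or of the OTL tool itself: a small Python parser that splits a fix file laid out like the ones above into its sections and reports the mistake described in post 10 (no colon before Otl on the first line) before the file is handed to OTLPE. The section names and the per-section line patterns are assumptions drawn only from the fixes posted here, and the sample fix is constructed.

```python
import re
from dataclasses import dataclass, field

# Section names seen in the fixes posted in this thread. Assumption (not taken
# from OTL's own documentation): a line beginning with ':' opens a section and
# the section name is case-insensitive.
KNOWN_SECTIONS = {"otl", "files", "reg", "commands"}

# Per-section sanity patterns; assumptions tightened to what the posted fixes show.
FILE_LINE = re.compile(r"^([A-Za-z]:\\|%[A-Za-z]+%\\)")    # C:\... or %systemroot%\...
REG_LINE = re.compile(r'^(\[HKEY_[^\]]+\]|"[^"]*"=|@=)')    # [HKEY...] key, or "name"=value
COMMAND_LINE = re.compile(r"^\[[A-Za-z]+\]$")               # [emptytemp], [Reboot], ...


@dataclass
class FixScript:
    sections: dict = field(default_factory=dict)   # section name -> its lines
    problems: list = field(default_factory=list)   # human-readable findings


def parse_fix(text: str) -> FixScript:
    """Split an OTL fix file into sections and record anything that looks wrong."""
    fix = FixScript()
    current = None
    seen_first = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not seen_first:
            seen_first = True
            # The posts stress that ':Otl' must be the first line; a missing colon
            # is the usual reason a fix silently does nothing.
            if line.lower() != ":otl":
                fix.problems.append(f"first line must be ':Otl', got {line!r}")
        if line.startswith(":"):
            current = line[1:].lower()
            if current not in KNOWN_SECTIONS:
                fix.problems.append(f"unknown section header {line!r}")
            fix.sections.setdefault(current, [])
            continue
        if current is None:
            fix.problems.append(f"line outside any section: {line!r}")
            continue
        fix.sections[current].append(line)
        _check_line(current, line, fix.problems)
    return fix


def _check_line(section: str, line: str, problems: list) -> None:
    """Per-section shape checks; :Otl entries are copied from a log, so not checked."""
    if section == "files" and not FILE_LINE.match(line):
        problems.append(f":Files entry is not an absolute path: {line!r}")
    elif section == "reg" and not REG_LINE.match(line):
        problems.append(f":Reg entry is neither a key nor a value: {line!r}")
    elif section == "commands" and not COMMAND_LINE.match(line):
        problems.append(f":Commands entry must look like [name]: {line!r}")


def summarize(fix: FixScript) -> str:
    counts = ", ".join(f"{k}={len(v)}" for k, v in fix.sections.items())
    status = "OK" if not fix.problems else f"{len(fix.problems)} problem(s)"
    return f"sections: {counts}; {status}"


# Constructed sample in the same layout as the fixes posted above (not a real fix).
SAMPLE_FIX = r"""
:Otl
O4 - HKLM..\Run: [example] C:\WINDOWS\System32\example.dll ()
:Files
C:\WINDOWS\System32\example.dll
C:\WINDOWS\tasks\example.job
:Reg
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"appinit_dlls"=""
:Commands
[purity]
[emptytemp]
[Reboot]
"""

if __name__ == "__main__":
    print(summarize(parse_fix(SAMPLE_FIX)))
    # The same file with the colon dropped from the header, the mistake post 10 describes.
    print(parse_fix(SAMPLE_FIX.replace(":Otl", "Otl", 1)).problems)
```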
  16. Hi borojamie

     Give me a little time to go through all this and I'll get back to you as soon as I can.

     Thanks
  17. Hi thingameejig,

     I see that Combofix has been run twice before, when was it run?

     Let's get an online scan done and see if there's anything else.

     I'd like you to do an ESET OnlineScan
     Hold down Control and click on the following link to open ESET OnlineScan in a new window.
     ESET OnlineScan
     Click the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetOnline.png button.
     For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
       - Click on http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstall.png to download the ESET Smart Installer. Save it to your desktop.
       - Double click on the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstallDesktopIcon.png icon on your desktop.
     - Check http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetAcceptTerms.png
     - Click the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetStart.png button.
     - Accept any security warnings from your browser.
     - Check http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetScanArchives.png
     - Click the Start button.
     - ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
     - When the scan completes, push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetListThreats.png
     - Click http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetExport.png, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
     - Click the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetBack.png button.
     - Click http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetFinish.png
     A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt
  18. Hi thingameejig,

     Step 1
     Click on start... settings... control panel and double-click on Add or Remove Programs.
     From within Add or Remove Programs uninstall the following:
     Java™ 6 Update 3
     Java™ 6 Update 5
     Java™ 6 Update 7
     These are old versions of Java and should have been removed.
     Don't remove... Java™ 6 Update 18
     This is the latest version.
     Reboot the system when completed.

     Step 2
     Double click on OTL.exe to run it.
     Copy the lines in the codebox below. (make sure you include the first lot of : )

         :Otl
         O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
         O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No CLSID value found.
         O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - No CLSID value found.
         O3 - HKLM\..\Toolbar: (no name) - - No CLSID value found.
         O3 - HKLM\..\Toolbar: (no name) - SITEguard - No CLSID value found.
         O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No CLSID value found.
         O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab (Reg Error: Key error.)
         O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab (Reg Error: Key error.)
         O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Reg Error: Key error.)
         O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
         O33 - MountPoints2\{7dcf3ec0-0136-11df-8744-001060d01536}\Shell\AutoRun\command - "" = E:\InstallTomTomHOME.exe -- File not found
         O33 - MountPoints2\{c8e06ce9-c4bb-11dd-858c-001060d01536}\Shell - "" = AutoRun
         O33 - MountPoints2\{c8e06ce9-c4bb-11dd-858c-001060d01536}\Shell\AutoRun - "" = Auto&Play
         O33 - MountPoints2\{c8e06ce9-c4bb-11dd-858c-001060d01536}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -- File not found
         [2010/02/19 21:30:09 | 000,009,728 | ---- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
         @Alternate Data Stream - 140 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:9239D250
         @Alternate Data Stream - 100 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:CB0AACC9
         :commands
         [emptytemp]
         [purity]
         [RESETHOSTS]
         [EMPTYFLASH]

     Return to OTL, right click in the Custom Scans/Fixes window (under the blue bar) and choose Paste.
     http://img.photobucket.com/albums/v708/starbuck50/new%20forum/scan-fix.png
     Click the red Run Fix button.
     http://img.photobucket.com/albums/v708/starbuck50/runfixbutton.png
     OTL will reboot your system once the fix has completed. After the reboot, you may need to double click OTL to launch the program and retrieve the log.
     Copy and paste the contents of the OTL log that comes up after the fix in your next reply.

     Step 3
     Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.
     Link 1
     Link 2
     http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_FF.gif
     http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_rename.gif
     This is an example, you may rename ComboFix to anything you want.

     Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with the running of ComboFix.
     For more information read: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

     Then:
     Double click on Combo-Fix.exe & follow the prompts.
     As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
     If running Vista, you may not see this screen.
     Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
     Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
     http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif
     Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
     http://img.photobucket.com/albums/v706/ried7/whatnext.png
     Click on Yes, to continue scanning for malware.
     When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

     Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.

     In your next reply, please submit:
     Otl report that comes up after the fix.
     ComboFix.txt

     Thanks.
  19. Hi Twiceshy,

     To save you trying to find this information, I've taken this from your OTL report:

     You are definitely running XP.
  20. Hi borojamie,

     Yes, using copy and paste is probably a better way as there's less chance of a mistake.

     As you're not actually running Windows, the malware won't be active, so nothing should be passed to the USB stick.
  21. Hi thingameejig and welcome to Free Pc Help,
Unfortunately HJT isn't as good now as it once was, we need to get a lot more information.

Step 1
Please download DeFogger to your desktop.
Double click DeFogger to run the tool.
The application window will appear.
Click the Disable button to disable your CD Emulation drivers.
Click Yes to continue.
A 'Finished!' message will appear.
Click OK.
DeFogger will now ask to reboot the machine - click OK.
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.
Do not re-enable these drivers until otherwise instructed.

Step 2
Please download GMER from one of the following locations and save it to your desktop:
Main Mirror
This version will download a randomly named file (Recommended).
Zipped Mirror
This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
Disconnect from the Internet and close all running programs.
Temporarily disable any real-time active protection so your security programs will not conflict with GMER's driver.
Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
http://img.photobucket.com/albums/v666/sUBs/gmer_zip.gif
GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (Do not use the computer while the scan is in progress.)
If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system... click NO.
Now click the Scan button. If you see a rootkit warning window, click OK.
When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
Click the Copy button and paste the results into your next reply.
Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

Step 3
Download OTL to your desktop.
If you have problems, try this download link: OTL
Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
When the window appears, underneath Output at the top change it to Minimal Output.
Check the boxes beside LOP Check and Purity Check.
http://img.photobucket.com/albums/v708/starbuck50/new/newOtl2.png
Now copy the lines in the codebox below.

netsvcs
msconfig
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
nvrd32.sys
symmpi.sys
adp3132.sys
/md5stop
%systemroot%\*. /mp /s
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
CREATERESTOREPOINT

Right click in the Custom Scans/Fixes window (under the blue bar) and choose Paste.
http://img.photobucket.com/albums/v708/starbuck50/new%20forum/scan-fix.png
Click the Run Scan button.
http://img.photobucket.com/albums/v708/starbuck50/runscan.png
Do not change any settings unless otherwise told to do so. The scan won't take long.
When the scan completes, it will open two Notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply.
In your next reply, please submit:
gmer.log
Both reports from OTL
Thanks
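The /md5start ... /md5stop block in the OTL scan above hashes a list of storage and logon drivers because rootkits of that period patched a driver such as atapi.sys in place, leaving the name and size untouched. Below is an added example of the same check done by hand, comparing each live driver in system32\drivers with the protected copies Windows XP keeps in system32\dllcache and ServicePackFiles; it is not Starbuck's code and not part of OTL. It assumes an XP layout for the backup copies (later Windows versions keep them under WinSxS instead) and uses .NET for the MD5 so that it runs on PowerShell 2.0, the newest version available on XP; the driver names are a subset taken from the scan list above.

```powershell
# Added example (not part of the original post or of OTL): compare on-disk
# drivers against the backup copies Windows File Protection keeps on XP.
# Assumes PowerShell 2.0+ and the XP dllcache/ServicePackFiles layout.

# Subset of the driver names from the OTL /md5start list above.
$DriverNames = @('atapi.sys', 'iaStor.sys', 'nvstor.sys', 'nvata.sys', 'AGP440.sys',
                 'IdeChnDr.sys', 'viasraid.sys', 'iastorv.sys', 'symmpi.sys')

function Get-FileMd5 {
    # .NET MD5 rather than Get-FileHash, which only exists in PowerShell 4.0+.
    param([Parameter(Mandatory=$true)][string]$Path)
    $md5 = [System.Security.Cryptography.MD5]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { [System.BitConverter]::ToString($md5.ComputeHash($fs)).Replace('-', '') }
    finally { $fs.Close() }
}

function Compare-DriverWithBackup {
    param([string[]]$Names = $DriverNames)
    $sys32  = Join-Path $env:SystemRoot 'system32'
    $spRoot = Join-Path $env:SystemRoot 'ServicePackFiles'
    foreach ($name in $Names) {
        $live = Join-Path $sys32 "drivers\$name"
        if (-not (Test-Path -LiteralPath $live)) { continue }   # driver not present on this box

        # Reference copies: the dllcache copy plus any copy under ServicePackFiles.
        $refs = @(Join-Path $sys32 "dllcache\$name")
        if (Test-Path -LiteralPath $spRoot) {
            $refs += Get-ChildItem -Path $spRoot -Filter $name -Recurse -ErrorAction SilentlyContinue |
                     Select-Object -ExpandProperty FullName
        }
        $refs = @($refs | Where-Object { Test-Path -LiteralPath $_ })

        $liveHash  = Get-FileMd5 -Path $live
        $refHashes = @($refs | ForEach-Object { Get-FileMd5 -Path $_ })

        New-Object -TypeName PSObject -Property @{
            Driver    = $name
            Size      = (Get-Item -LiteralPath $live).Length
            LiveMD5   = $liveHash
            RefCopies = $refs.Count
            # $true when the live driver is byte-identical to at least one backup copy.
            Matches   = ($refHashes -contains $liveHash)
        } | Select-Object Driver, Size, LiveMD5, RefCopies, Matches
    }
}

Compare-DriverWithBackup | Format-Table -AutoSize
```

A driver with RefCopies of 0 simply has no backup to compare against; a driver with backups and Matches of $false is the case worth chasing, since a legitimate update would normally have refreshed the dllcache copy too. The check only means something when the system is not lying to you: a live rootkit can filter what the file system returns, which is why the thread pairs this scan with GMER and with work done from outside the running Windows.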
  22. I'm not understanding what you mean. Is the offending oblong there before you take the screenshot? If it is.... are you saying that it doesn't show when you take the screenshot?
  23. Hi and welcome BAH chipper,
See if this helps: http://www.microsoft.com/windowsxp/using/setup/tips/screenshot.mspx
But when saving the pic, alter the extension to either png or jpeg/jpg. You can then add the pic as an attachment to your post.
  24. Hi shaun, Sounds like a good plan. http://fc07.deviantart.com/images3/i/2004/146/9/1/Two_thumbs_up.gif No problem at all.