Trojans

[DRogers]

Hi

Last week my McAfee antivirus detected and removed 6 Trojans within the space of 2 minutes. Since then my computer crashes within a few minutes of connecting to the internet (IE and Firefox). Can anyone offer any help?

thanks

[Plastic Nev]

Hi and Welcome to Extreme Tech Support - Free PC Help,

I think this question would best be answered in our computer security section. If you reply to the afirmative we will move this post to there.

Nev.

[DRogers]

OK please move the post to the computer security section.

[Starbuck]

Hi DRogers

 

Step 1

Download TFC by OldTimer to your desktop

• Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  
• It will close all programs when run, so make sure you have saved all your work before you begin.
  
• Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
  
• Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

 

Step 2

Please download Malwarebytes Anti-Malware and save it to your desktop.

• Make sure you are connected to the Internet.
  
• Double-click on Download_mbam-setup.exe to install the application.
  
• When the installation begins, follow the prompts and do not make any changes to default settings.
  
• When installation has finished, make sure you leave both of these checked:
  • Update Malwarebytes' Anti-Malware
    
  • Launch Malwarebytes' Anti-Malware

  [*]Then click Finish.

  [*]MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.

  [*]On the Scanner tab:

  • Make sure the "Perform Full Scan" option is selected.
    
  • Then click on the Scan button.

  [*]If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.

  [*]The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.

  [*]When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".

  [*]Click OK to close the message box and continue with the removal process.

  [*]Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.

  [*]Make sure that everything is checked, and click Remove Selected.

  [*]When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)

  [*]The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.

  [*]Copy and paste the contents of that report in your next reply and exit MBAM.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

 

 

Step 3

• Download OTL to your desktop.
  if you have problems, try this download link:
  OTL
  
• Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  
• When the window appears, underneath Output at the top change it to Minimal Output.
  
• Check the boxes beside LOP Check and Purity Check

.

 

.

http://img.photobucket.com/albums/v708/starbuck50/new/newOtl2.png

Now copy the lines in the codebox below.


netsvcs
msconfig
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
nvrd32.sys
symmpi.sys
adp3132.sys
/md5stop
%systemroot%\*. /mp /s
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
CREATERESTOREPOINT

• right click in the Custom Scans/Fixes window (under the blue bar) and choose Paste.
   
  http://img.photobucket.com/albums/v708/starbuck50/new%20forum/scan-fix.png
  .
  
• Click the Run Scan button.
   
  http://img.photobucket.com/albums/v708/starbuck50/runscan.png
   
  
• Do not change any settings unless otherwise told to do so. The scan wont take long.
  
• When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  
• Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply.

 

In your next reply, please submit:

MBAM scan report

Both reports from OTL

 

 

Thanks.

[DRogers]

Hi, thanks for your help, MBAM rpt:

Malwarebytes' Anti-Malware 1.45

www.malwarebytes.org

 

Database version: 3948

 

Windows 6.0.6002 Service Pack 2

Internet Explorer 8.0.6001.18904

 

03/04/2010 13:22:53

mbam-log-2010-04-03 (13-22-53).txt

 

Scan type: Full scan (C:\|D:\|E:\|)

Objects scanned: 235313

Time elapsed: 2 hour(s), 29 minute(s), 10 second(s)

 

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

 

Memory Processes Infected:

(No malicious items detected)

 

Memory Modules Infected:

(No malicious items detected)

 

Registry Keys Infected:

(No malicious items detected)

 

Registry Values Infected:

(No malicious items detected)

 

Registry Data Items Infected:

(No malicious items detected)

 

Folders Infected:

(No malicious items detected)

 

Files Infected:

(No malicious items detected)

[DRogers]

OTL reports are too large to send, how do I attach them?

Dave

[DRogers]

OK logfiles now attached

OTL logfile.doc

OTL Extras.doc

[Starbuck]

Hi Dave ,

 

Although i do have 'Word' installed and can open the attachments..... it's very difficult to read them properly.

Please add the reports as .txt files ( notepad files) it's a lot easier to read.

 

Thanks.

[DRogers]

OK now attached as txt files

Extras.Txt

OTL.Txt

[RandyL]

Hi Mr Rogers.

 

I increased the forum character limit so that you might be able to post the entire log on the forum next time. I hope that helps.

[Starbuck]

Hi Dave

 

now attached as txt files

Thanks for that.

 

There's nothing really bad showing in the reports but we'll do a little cleaning and then see if an online scan shows anything.

 

P2P Warning

Please note that as long as you're using any form of Peer-to-Peer networking (Morpheus, Ares, Limewire, Bit Torrent etc.) and downloading files from non-documented sources, you can expect infestations of malware to occur.

Once upon a time, P2P file sharing was fairly safe. That is no longer true.

P2P programmes form a direct conduit onto your computer, their security measures are easily circumvented, and Malware writers are increasingly exploiting them to spread their wares onto your computer. Further to that, if your P2P programme is not configured correctly you may be sharing more files than you realise. There have been cases where people's Passwords, Address Books and other personal, private, and financial details have been exposed to the file sharing network by a badly configured programme.

 

Many of the programmes come bundled with other unwanted programmes, but even the ones free of any bundled software are not safe to use.

When you use them you are downloading software from an unknown source directly onto your computer, bypassing your Firewall and Anti-Virus software. Hardly surprising then that many of these Downloads are being targeted to carry infections.

 

You may decide to continue P2P sharing, but keep in mind that this practice may be the source of future malware infestation.

If we clean your computer of infection, and you return to us a short time later with an infection contracted by the use of P2P programmes, we may refuse to help you.

 

Step 1

Double click on OTL.exe to run it.

Copy the lines in the codebox below. (make sure that :Otl is on the first line )

:Otl
O4 - HKLM..\Run: []  File not found
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab (Java Plug-in 1.6.0)
[2010/03/21 21:22:41 | 000,032,256 | ---- | M] () -- C:\Users\Dave\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
@Alternate Data Stream - 76 bytes -> C:\Users\Dave\Documents\LimeWire:Roxio EMC Stream

:commands
[emptytemp]
[purity]
[EMPTYFLASH]

• Return to OTL,
  
• right click in the Custom Scans/Fixes window (under the blue bar) and choose Paste.
   
  http://img.photobucket.com/albums/v708/starbuck50/new%20forum/scan-fix.png
   
  
• Click the red Run Fix button.
   
  http://img.photobucket.com/albums/v708/starbuck50/runfixbutton.png
   
  
• OTL will reboot your system once the fix has completed.
  
• After the reboot, you may need to double click OTL to launch the program and retrieve the log.

 

Copy and paste the contents of the OTL log that comes up after the fix in your next reply.

 

if you lose the report, there will be a copy here:

C:\_OTL\MovedFiles

 

Step 2

I'd like you to do an ESET OnlineScan

• Hold down Control and click on the following link to open ESET OnlineScan in a new window.
  ESET OnlineScan
   
  
• Click the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetOnline.png button.
   
  
• For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  
  • Click on http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstall.png to download the ESET Smart Installer.
    Save it to your desktop.
    
  • Double click on the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstallDesktopIcon.png icon on your desktop.
    

  [*]Check http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetAcceptTerms.png

  [*]Click the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetStart.png button.

  [*]Accept any security warnings from your browser.

  [*]Check http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetScanArchives.png

  [*]Click the Start button.

  [*]ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.

  [*]When the scan completes, push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetListThreats.png

  [*]Click http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetExport.png, and save the file to your desktop using a unique name, such as ESETScan.

  Include the contents of this report in your next reply.

  [*]Click the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetBack.png button.

  [*]Click http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetFinish.png

A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt

 

In your next reply, please submit:

Otl fix report

Eset scan report

 

 

Thanks.

[DRogers]

Staruck

 

attached is the Otl fix report

 

Unfortunately I cannot run the Eset scan as my computer crashes whenever I try.

 

Dave

[DRogers]

Didnt upload so here it is:

 

All processes killed

========== OTL ==========

Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ deleted successfully.

Starting removal of ActiveX control {8FFBE65D-2C9C-4669-84BD-5829DC0B603C}

C:\Windows\Downloaded Program Files\erma.inf moved successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.

Starting removal of ActiveX control {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA}

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA}\ deleted successfully.

Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA}\ not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA}\ not found.

C:\Users\Dave\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini moved successfully.

ADS C:\Users\Dave\Documents\LimeWire:Roxio EMC Stream deleted successfully.

========== COMMANDS ==========

 

[EMPTYTEMP]

 

User: All Users

 

User: Dave

->Temp folder emptied: 1769039 bytes

->Temporary Internet Files folder emptied: 14696728 bytes

->Java cache emptied: 0 bytes

->FireFox cache emptied: 3578201 bytes

->Apple Safari cache emptied: 0 bytes

->Flash cache emptied: 0 bytes

 

User: Default

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

->Flash cache emptied: 0 bytes

 

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

->Flash cache emptied: 0 bytes

 

User: Public

 

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 0 bytes

%systemroot%\System32 .tmp files removed: 0 bytes

%systemroot%\System32\drivers .tmp files removed: 0 bytes

Windows Temp folder emptied: 8384 bytes

RecycleBin emptied: 0 bytes

 

Total Files Cleaned = 19.00 mb

 

 

[EMPTYFLASH]

 

User: All Users

 

User: Dave

->Flash cache emptied: 0 bytes

 

User: Default

->Flash cache emptied: 0 bytes

 

User: Default User

->Flash cache emptied: 0 bytes

 

User: Public

 

Total Flash Files Cleaned = 0.00 mb

 

 

OTL by OldTimer - Version 3.2.1.0 log created on 04042010_211602

Files\Folders moved on Reboot...

C:\Windows\temp\JET33FA.tmp moved successfully.

File\Folder C:\Windows\temp\mcmsc_2IGcvzXCMsX5eeV not found!

File\Folder C:\Windows\temp\mcmsc_hJWoqVOszfI7CR4 not found!

File\Folder C:\Windows\temp\mcmsc_LsEqjY5fya0heVC not found!

File\Folder C:\Windows\temp\sqlite_1B4QbkYqTVnWTvd not found!

File\Folder C:\Windows\temp\sqlite_g3meNgMTvMiepip not found!

File\Folder C:\Windows\temp\sqlite_P7ZZo6NNTGUJ65Z not found!

File\Folder C:\Windows\temp\sqlite_ybYTFRy6KBiY1jR not found!

Registry entries deleted on Reboot...

[Starbuck]

Hi Dave,

 

Unfortunately I cannot run the Eset scan as my computer crashes whenever I try.

Ok, let's try this then:

 

Step 1

Please download JavaRa to your desktop and unzip it to its own folder

• Run JavaRa.exe, pick the language of your choice and click 'Select'.
  
• Then click Remove Older Versions.
  
• Accept any prompts.
  
• Open JavaRa.exe again and select Search For Updates.
  
• Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.

 

Step 2

McAfee can cause allsorts of problems when trying to run scans, let's get it disabled before running Step 3:

 

To disable your McAfee security programs please refer to the clip below.

 

http://img.photobucket.com/albums/v666/sUBs/mcafee_disable.gif

 

Please don't forget to retrace the steps to re-enable McAfee after running the scan.

 

Step 3

Please do an online scan with Kaspersky WebScanner.

Notes

Java must be installed and enabled for the scan to work.

Disable your computer's antivirus program as leaving it active will cause conflicts

• Close ALL programs and windows except for your browser
  Please go to Online Kaspersky Scan and perform an online antivirus scan.
• Read through the Requirements and limitations statement and click on the Accept button.
• You will be prompted to install an application from Kaspersky. Click the Run button. It will start downloading and installing the scanner and virus definitions.
• When the downloads have finished, the scrolling window will show 'Database is updated. Ready to scan'. Click on the Settings button at the bottom left.
• Make sure these boxes are checked/ticked. If they are not, please tick them and click on the Save button:
  • Spyware, Adware, Dialers, and other potentially dangerous programs
  • Archives
  • Mail databases

  [*] Click on My Computer under Scan on the left. OK any warnings from your protection programs.[*] Go for a long walk. Please be patient and let the scanner finish. It is better that you do NOT use the computer while the scan is running. Keep all other programs/windows closed.[*] Once the scan is complete (the 'status' will show complete), click on View Scan Report and any infected objects will be shown.[*] Click on Save Report As... and change the Files of type to Text file (.txt) [*] Name the file KAVScan-ddmmyy before clicking on the Save button. Save the report to a convenient place - for example the Desktop.[*] Please post this log in your next reply.

Note - enable your antivirus program before browsing away from the Kaspersky site.

 

Go to the Desktop and double-click on the Kaspersky report KAVScan-ddmmyy.txt, it will open in Notepad

Click Edit > Select all then Edit > Copy

Reply to this thread and paste (Ctrl+V) the report.

 

Thanks

[DRogers]

Thanks

Completed scan attached

KAVScan-070410.txt

[Starbuck]

Hi Dave,

 

C:\Users\Dave\AppData\Local\Microsoft\Windows Mail\Local Folders\Deleted Items\06651DE8-0000089C.eml Suspicious: Trojan-Spy.HTML.Fraud.gen 1

C:\Users\Dave\AppData\Local\Microsoft\Windows Mail\Local Folders\Deleted Items\66555A03-00000941.eml Suspicious: Trojan-Spy.HTML.Fraud.gen 1

C:\Users\Dave\AppData\Local\Microsoft\Windows Mail\Local Folders\Deleted Items\7C2E34B1-00000915.eml Suspicious: Trojan-Spy.HTML.Fraud.gen 1

These are infected emails which you have deleted, but still haven't emptied the 'Deleted Items' folder.

Empty that folder and all will be well.

 

Your malware issue seems to be resolved now.

Let's finish off.

 

Step 1

• Please double-click OTL.exe to run it.
  
• You should see a CleanUp! button, press that button,
   
  http://img.photobucket.com/albums/v708/starbuck50/cleanupbutton.png
   
  
• This will remove any programs we have asked you to download along with there associated folders.. plus itself.

 

Note:

MBAM will not be removed

 

Step 2

Now you should set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

 

Click on Start... Control Panel... System and Maintenance... System

Click on System Protection in the left-hand task list.

Uncheck the checkboxes next to each hard drive listed under the Create restore points automatically on the selected disks: section.

 

When you uncheck a disk you will be presented with a screen.

You should click on the Turn System Protection Off button.

Click Apply and then OK.

 

Reboot your computer.

 

Now:

Click on Start... Control Panel... System and Maintenance... System

Click on System Protection in the left-hand task list.

Put a checkmark in the checkboxes next to each hard drive listed under the Create restore points automatically on the selected disks: section.

Click Apply and then OK.

 

Your System restore will now be active again... starting with a new restore point.

 

To find out how you may have been infected....read this topic:

So how did i get infected?

 

Not all of the following information will be applicable to you, but it's still best to read it all.

 

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

• Use an AntiVirus Software
  
  • Avira AntiVir
    
  • Avast free
    
  • Bitdefender Free
    
  • MS Security Essentials ... see note*
    

   

  Note*:

  Upon installation MS Security Essentials will check that your OS is a legal copy.

   

  Only install one AntiVirus program

   

  [*]Update your AntiVirus Software regularly

   

  [*]Use a 3rd party Firewall

  • Online Armor Free
    
  • ZoneAlarm ...Important note below
    
  • Outpost Firewall Free
    
  • Sunbelt Personal Firewall
    

  NOTE: If choosing Zone Alarm be aware that the free version also installs ZoneAlarm Spy Blocker. It is recommended however that you UNcheck this option.

   

  Only install one software Firewall

   

  Some 3rd party Firewalls will turn off the windows firewall when they are installed.

  It's always best to check that the Windows Firewall is turned off:

   

  How to turn off Windows Firewall:

  Start ... Control Panel ...click on 'Classic View'.

  now select Windows Firewall.

  When the Windows Firewall box opens, put a tick against .. Off (not recommended) and then click Ok

   

  [*]Scan regularly with a 'Stand Alone' Anti-Malware scanner:

  Installing another scanner that you can run once or twice a week is always beneficial.

  Something like:

  Malwarebytes Anti-Malware

  SUPERAntiSypware

  Remember to update these programs each time before running.

  You can install more than one of these if you only run them as stand alone programs.

   

  [*] Use an alternative browser:

  Some excellent alternatives to MS Internet Explorer are:

   

  Firefox

  For added security, add the NoScript extension to this browser:

  Allow active content to run only from sites you trust, and protect yourself against XSS and Clickjacking attacks

  also consider adding:

  WOT - Safe Browsing Tool

   

  Web of Trust warns you about risky sites that cheat customers, deliver malware or send spam. Millions of members of the WOT community rate sites based on their experience, giving you an extra layer of protection when browsing or searching the Web.

  Btw: you don't have to make a contribution.

   

  Opera

   

  They offer better security, more stability, and better speed.

   

  [*]Keep a backup of your registry

  Keeping a regular backup of your registry will help when something goes wrong.

  Use a program like:

  Erunt

   

  A full tutorial on how to set up and use Erunt can be found here:

  Erunt tutorial

   

  [*]Keep your system clean of temp files etc, using a 'Cleaner':

  Cleaners are programs that will help to clean out your:

  Windows temp files

  Current user temp files

  Cookies

  Temporary Internet flies

  Browser history

  Recycle bin

  Etc.......

  In other words.... all the rubbish that you accumalate over the course of your browsing and day to day usage of your pc.

  Programs like:

  CCleaner

  TFC by OldTimer

  ATF Cleaner

   

  [*]Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly.

   

  [*]Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

   

  A tutorial on installing & using this product can be found here:

  Using and installing SpywareBlaster

   

  [*]Update all your 'Security' programs regularly - Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

 

Glad I was able to help.

 

Safe surfing. http://fc08.deviantart.net/fs71/f/2010/033/b/3/Computer_addict__by_Sinister_Starfeesh.gif

[DRogers]

Thanks for your help starbuck, unfortunately the problem is still there. The computer crashes soon after I go online, Any further thoughts?

[Starbuck]

Hi Dave,

 

The scans we ran showed no malware, but there is another scan we can run.

If this comes back clean, i'd say it's either a software or hardware issue.

Let's take a look.

 

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

 

Link 1

Link 2

 

http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_FF.gif

 

 

http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_rename.gif

 

This is an example, you may rename ComboFix to anything you want.

 

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with the running of ComboFix.
  For more information read:
  How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs
   
  Then:
   
  Double click on Combo-Fix.exe & follow the prompts.
   
  
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
   
  If running Vista, you may not see these screens
   
  
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

 

http://img.photobucket.com/albums/v708/starbuck50/cf1.png

 

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

 

http://img.photobucket.com/albums/v706/ried7/whatnext.png

 

Click on Yes, to continue scanning for malware.

 

Note:

Do not mouseclick combofix's window while it's running. That may cause it to stall

 

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

[DRogers]

unfortunately I dont seem to be able to download it, windows asks for my permission to run it which I give and it then gives me a screen asking me to try again, which I do and the screen appears again.

[Starbuck]

mmm interesting.

Let's see if anything is trying to stop it.....

Try this:

Please download:

Rkill

and save it to your Desktop.

Run the tool by clicking on it.

 

If you get a message that rkill is an infection, do not be concerned. This message is just a fake warning given by the malware when it terminates programs that may potentially remove it. If you run into these infections warnings that close Rkill, a trick is to leave the warning on the screen and then run Rkill again. By not closing the warning, this typically will allow you to bypass the malware trying to protect itself .

 

If the malware is persistant, you may have to RKill a number of times.

When it has finished, the black window will automatically close and you can continue with the next step.

 

Note

Please do not reboot your system until you have completed the following step, or the Malware will restart itself:

 

Now try and download Combofix and run the scan..... while RKill has the processes/programs stopped.

[DRogers]

OK, downloaded and ran Rkill, tried to install Combofix and the computer repeatedly crashes in the last second of the download.