Everything posted by JSntgRvr

  1. You are welcome. The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
     - Spybot Search & Destroy - Uber powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
     - AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy complement each other very well.
     - SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
     - ZonedOut + IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
     - Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
     - Google Toolbar - Free Google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop-up windows.
     - Trillian or Miranda-IM - These are malware-free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
     - ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.
     To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Miekiemoes. Best wishes!
  2. Please follow these steps:
     1. Uninstall Malwarebytes' Anti-Malware using Add/Remove programs in the control panel.
     2. Restart your computer (very important).
     3. Download and run this utility: mbam-clean.exe
     4. It will ask to restart your computer (please allow it to).
     5. After the computer restarts, install the latest version from here: mbam-setup.exe
     Launch the program. Then go to the UPDATE tab if not done during installation and check for updates. Restart the computer again and verify that you can run a quick scan.
     The scan may take some time to finish, so please be patient. When the scan is complete, click OK, then Show Results to view the results. Make sure that everything is checked, and click Remove Selected. When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note) The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM. Copy & Paste the entire report in your next reply.
     Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

     Please do an online scan with Kaspersky WebScanner
     Kaspersky online scanner uses JAVA technology to perform the scan. If you do not have the latest JAVA version, follow the instructions below under Upgrading Java to download and install the latest version.
     - Read through the requirements and privacy statement and click on the Accept button.
     - It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
     - When the downloads have finished, click on Settings.
     - Make sure the following is checked:
       Spyware, Adware, Dialers, and other potentially dangerous programs
       Archives
       Mail databases
     - Click on My Computer under Scan.
     - Once the scan is complete, it will display the results. Click on View Scan Report.
     - You will see a list of infected items there. Click on Save Report As....
     - Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
     - Please post this log in your next reply.
     Attention! Kaspersky Online Scanner 7.0 may fail to start if another anti-virus program is already installed and running on your computer. Please deactivate the anti-virus software installed on your computer prior to starting Kaspersky Online Scanner 7.0.

     Upgrading Java:
     - Download the latest version of Java SE Runtime Environment (JRE) JRE 6 Update 18.
     - Click the "Download" button to the right.
     - Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
     - Click on Continue.
     - Click on the link to download Windows Offline Installation (jre-6u18-windows-i586.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
     - Close any programs you may have running - especially your web browser.
     - Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
     - Check any item with Java Runtime Environment (JRE or J2SE) in the name.
     - Click the Remove or Change/Remove button.
     - Repeat as many times as necessary to remove each Java version.
     - Reboot your computer once all Java components are removed.
     - Then from your desktop double-click on the download to install the newest version. (Vista users, right click on the jre-6u18-windows-i586.exe and select "Run as an Administrator.")
  3. Hi, donj. Everything seems clear.
     Reset and Re-enable your System Restore to remove bad files that have been backed up by Windows. The files in System Restore are protected to prevent any programmes changing them. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected.)
     To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.
     (Windows XP)
     1. Turn off System Restore. On the Desktop, right-click My Computer. Click Properties. Click the System Restore tab. Check Turn off System Restore. Click Apply, and then click OK.
     2. Reboot.
     3. Turn ON System Restore. On the Desktop, right-click My Computer. Click Properties. Click the System Restore tab. UN-Check *Turn off System Restore*. Click Apply, and then click OK.
     Since the tools we used to scan the computer, as well as tools to delete files and folders, are no longer needed, they should be removed, as well as the folders created by these tools.
     Follow these steps to uninstall Combofix. Click START then RUN. Now copy and paste the following in the runbox and click OK:
       J:\ComboFix.exe /Uninstall
     Launch OTS and click on the Cleanup button. Follow the prompts.
     Create a Restore point: Click Start, point to All Programs, point to Accessories, point to System Tools, and then click System Restore. In the System Restore dialog box, click Create a restore point, and then click Next. Type a description for your restore point, such as "After Cleanup", then click Create.
     How is the computer doing?
  4. Click on Start -> Run... and copy-paste the following command (the bolded text) into the "Open" box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.
       "%userprofile%\desktop\win32kdiag.exe" -f -r
     Give it enough time to run.
  5. Download Win32kDiag.exe from any of the following links to your desktop:
       http://ad13.geekstogo.com/Win32kDiag.exe
       http://download.bleepingcomputer.com/rootr.../Win32kDiag.exe
       http://rootrepeal.psikotick.com/Win32kDiag.exe
     Run it; it will create a file "Win32kDiag.txt" on the desktop. Post its report in a reply.
  6. Start -> Run, copy and paste the following command and click OK:
       CMD /C Net Start >"%Userprofile%\desktop\log.txt"
     A log.txt should appear on your desktop. Post its contents in your next reply.
  7. I meant, are you able to boot to your desktop in Normal mode? Taskbar and all icons present?
  8. Run (Copy and paste) the following commands at a command prompt and press Enter after each line:
       Del /q C:\Windows\Explorer.exe
       Copy /y C:\Explorer.exe C:\Windows
       C:\Windows\Explorer.exe
     Let me know if you receive an error message.
  9. Go to Start -> Run, type CMD and click OK. At the prompt copy and paste the following commands and press Enter after each line:
       Copy /y C:\WINDOWS\ServicePackFiles\i386\explorer.exe C:\
       Copy /y C:\WINDOWS\ServicePackFiles\i386\scecli.dll C:\
       Exit
     The first two commands should return a "1 file copied" message. This is important as the next set of instructions won't work if this message is not returned.
     1. Please download The Avenger by Swandog46 to your Desktop. Right click on the Avenger.zip folder and select "Extract All..." Follow the prompts and extract the avenger folder to your desktop.
     2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):
        Begin copying here:
          Files to move:
          C:\explorer.exe | C:\Windows\explorer.exe
          C:\scecli.dll | C:\Windows\System32\scecli.dll
        Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
     3. Now, open the avenger folder and start The Avenger program by clicking on its icon. Right click on the window under Input script here:, and select Paste. You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard. Click on Execute. Answer "Yes" twice when prompted.
     4. The Avenger will automatically do the following: It will Restart your computer. (In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.) On reboot, it will briefly open a black command window on your desktop; this is normal. After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt. The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
     5. Please copy/paste the content of c:\avenger.txt into your reply.
     If the computer does not restart, please manually restart the computer.
     Go to Start -> Run, copy and paste the following command (including the quotation marks) and press Enter:
       "%Userprofile%\desktop\maxlook.exe" -sig
     That should produce another Maxlook report. Please post its contents in a reply.
  10. You can burn a CD with the Recovery Console. Go to this link for information on how to burn an iso image:
      - Download the rc.iso file. Save it to your desktop.
      - Put a blank CD in your computer's burner.
      - Follow the instructions on the previous link to burn the rc.iso image to a CD.
      - When the disk finishes, eject the CD.
      - Configure the sick computer to start from the CD-ROM or DVD-ROM drive. For information about how to do this, see your computer documentation, or contact your computer manufacturer.
      - Insert the Image of rc.iso that you burned to CD into your CD-ROM or DVD-ROM drive, and then restart your computer.
      - When you receive the "Press any key to boot from CD" message, press a key to start your computer from the Windows XP CD-ROM.
      You will be prompted with the following options:
      You will be presented with the following:
  11. I am glad you were able to run GMER. It shows a very special infection. Please follow these steps:
      You must first verify that you can logon to the Windows Recovery Console. To do so, you must have the Recovery Console installed or use the Windows XP installation cd. How to install and use the Windows XP Recovery Console
      Next, please download maxlook, saving the file to your desktop.
      - Double click maxlook.exe to run it. Note - you must run it only once!
      - As instructed when the tool runs, restart the computer and logon to the Recovery Console.
      - Execute the following bolded command at the x:\windows> prompt <--- the red x represents your operating system drive letter, usually C
          batch look.bat
      - You will see "1 file copied" many times then return to the x:\windows> prompt.
      - Type Exit to restart your computer then logon in normal mode.
      - Please run maxlook.exe again now. Note - you must run it only once! It will produce looklog.txt on the desktop and open it. Please post the results here.
  12. Copy the entire contents of the Quote Box below to Notepad. Name the file as Fix.bat. Change the Save as Type to All Files and Save it on the desktop. Once saved, double click on the Fix.bat file. Restart the computer.
      Please double-click OTL.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator.)
      Copy the lines in the quote below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
      Return to OTL, right click in the "Custom Scans/Fixes" window and choose Paste. Click the red Run Fix button. A report will be produced and saved in the C:\_OTL\MovedFiles folder. Open that report and post its contents in a reply.
      Run OTL once again.
      - Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
      - OTL should now start. Change the following settings:
        Change Drivers to All
        Change Standard Registry to All
        Under File Scans, change File age to 30
      - Under the Custom Scan box paste this in:
          /md5start
          scecli.dll
          Explorer.exe
          /md5stop
      - Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
      - When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt (first run only). These are saved in the same location as OTL.
      - Please post the contents of these files in your next reply.
  13. Seems the links are unavailable at this time. Let's try other tools meanwhile.
      Download OTL to your Desktop
      - Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
      - OTL should now start. Change the following settings:
        Change Drivers to All
        Change Registry and Extra Registry to All
        Under File Scans, change File age to 30
      - Under the Custom Scan box paste this in:
          netsvcs
          %SYSTEMDRIVE%\*.exe
          /md5start
          eventlog.dll
          scecli.dll
          netlogon.dll
          cngaudit.dll
          sceclt.dll
          ntelogon.dll
          logevent.dll
          iaStor.sys
          nvstor.sys
          atapi.sys
          IdeChnDr.sys
          viasraid.sys
          AGP440.sys
          vaxscsi.sys
          nvatabus.sys
          viamraid.sys
          nvata.sys
          nvgts.sys
          iastorv.sys
          ViPrt.sys
          eNetHook.dll
          ahcix86.sys
          KR10N.sys
          nvstor32.sys
          ahcix86s.sys
          nvrd32.sys
          /md5stop
          %systemroot%\*. /mp /s
          CREATERESTOREPOINT
          %systemroot%\system32\*.dll /lockedfiles
          %systemroot%\Tasks\*.job /lockedfiles
      - Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
      - When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
      - Please post the contents of these files in your next reply.
      Download GMER Rootkit Scanner from here or here.
      - Extract the contents of the zipped file to desktop.
      - Double click GMER.exe. If it gives you a warning about rootkit activity and asks if you want to run a full scan... click on NO, then use the following settings for a more complete scan.
      - In the right panel, you will see several boxes that have been checked. Ensure that only the following are CHECKED:
        IAT/EAT
        Devices
        Processes
        Threads
        Drives/Partition other than Systemdrive (typically C:\)
      - Then click the Scan button & wait for it to finish.
      - Once done click on the [save..] button, and in the File name area, type in "ark.txt"
      - Save it where you can easily find it, such as your desktop, and post its contents in your next reply.
      **Caution** Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries
  14. Restart the computer. Remove Combo-fix and download another copy following the same instructions. If the error is returned, write down the exact message in case we need to contact the developer.
  15. 1. Click on the Start menu.
      2. Select Run...
      3. Type wbemtest and click OK
      4. Click on Connect
      5. Under NameSpace type in or copy/paste root\SecurityCenter
      6. Click on Connect
      7. Click on Query
      8. Type in or copy/paste SELECT * FROM AntiVirusProduct and click on Apply
      If there is more than one result, it means there is more than one Antivirus program installed. Double click on each result to view the properties for that Antivirus product. Identify the product(s) installed and DELETE any records for an Antivirus software that is no longer installed.
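The same root\SecurityCenter lookup done from PowerShell instead of wbemtest, as an added example that is not part of the original post: it lists every AntiVirusProduct record, flags records whose vendor no longer appears under Add/Remove Programs, and deletes the flagged ones only when run with -Remove. The installed-program check is an assumed heuristic (first word of the display name matched against the Uninstall registry keys), and the script assumes an elevated Windows PowerShell session on a system that still has the root\SecurityCenter namespace.

```powershell
# Added example (not the forum poster's script). Enumerate the records that
# "SELECT * FROM AntiVirusProduct" in root\SecurityCenter returns, mark the
# ones that look stale, and optionally delete them (same effect as deleting
# the instance in wbemtest).
param(
    [switch]$Remove   # without -Remove the script only reports, never deletes
)

$ns = 'root\SecurityCenter'
$products = @(Get-WmiObject -Namespace $ns -Class AntiVirusProduct -ErrorAction Stop)

if ($products.Count -eq 0) {
    Write-Host "No AntiVirusProduct records found in $ns"
    return
}

# Assumed heuristic: treat a record as still valid when some program listed
# under the Uninstall registry keys carries the vendor/product's first word.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$installedNames = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    ForEach-Object { $_.DisplayName } | Where-Object { $_ }

Write-Host ("{0,-40} {1,-38} {2}" -f 'displayName', 'instanceGuid', 'status')
foreach ($p in $products) {
    $vendorWord = ($p.displayName -split '\s+')[0]
    $stillInstalled = @($installedNames | Where-Object { $_ -like "*$vendorWord*" })

    $status = if ($stillInstalled.Count -gt 0) { 'installed' } else { 'STALE (no matching program)' }
    Write-Host ("{0,-40} {1,-38} {2}" -f $p.displayName, $p.instanceGuid, $status)

    if ($Remove -and $stillInstalled.Count -eq 0) {
        # Delete the WMI instance; Security Center stops reporting the phantom product
        Remove-WmiObject -InputObject $p
        Write-Host "  removed record $($p.instanceGuid)"
    }
}
```

Review the report without -Remove first; a product whose display name does not share a word with its Add/Remove Programs entry will be flagged as stale by this heuristic even though it is installed.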
  16. If Combofix was saved on your desktop as requested, go to Start -> Run, copy the following command (including the quotation marks) and click OK:
        "%Userprofile%\Desktop\Combo-fix" /killall
      Let it run.
  17. It is always good to perform an online scan. Here is an alternate scan:
      Please run the F-Secure Online Scanner. For information click Here.
      - Allow the installation of the Add-ons and Accept the License Agreement.
      - Click Full System Scan.
      - Once the download completes, the scan will begin automatically.
      - The scan will take some time to finish, so please be patient.
      - When the scan completes, click the Automatic cleaning (recommended) button.
      - Click the Show Report button and Copy & Paste the entire report in your next reply.
  18. Thanks. We'll be chatting tomorrow.