I'm getting told different things and want to learn/virus prob.

[jpagefan456]

Hello, First post, I hope this is the correct forum. I started getting blue screen crashes very often about 4 days ago on my Sony laptop. Examples of what info I caught on the blue screens before shut down were "bad pool caller", "bad pool header", and this scary one, "A driver has overrun a stack based buffer......this could cause malicious....", then my computer goes dark.

I called IYogi (have a contract) and they told me my Windows 7 program was corrupted and I needed a Windows 7 disc to reload. I called Sony Vaio people and they said they can't send me disc, but for 100 dollars they will put my laptop back to factory. I don't want to lose everything though I have on it now. Comp USA where I bought it said, same cost 100 dollars, and they will wipe it and sell me Total Defender (sp.?)

Here's the thing. I'm not super computer smart, but can and am willing to learn. I googled myself. I ran myself the Malwarebytes Anti Malware (not the Pro one) and did a quick scan. I got back 2 Trojan Virus's under the category of File and one under Memory with a code of C:/ svchost and the word exe. Clicked remove and it looked as though it did, but when I ran quick scan again, there they were again.

I believe I may even know the virus names, (both called winrcmde) as I am getting weird audio in my speakers with ads, interviews, etc intermittently. If I open my audio mixer I see 2 extra columns there listed as winrcmde at the top of each one next too my 2 normal audio mixers. Then, sometimes they are not there too.

My apology for the lengthy post. I read a few posts here and wonder if I should use the TDSSKiller that was talked about? Do I buy that or can I download it from here? I may be in over my head but I want to learn myself and hope with a little guidance perhaps I can correct this and avoid having my computer wiped of everything. Thank-you so much for any advice or help. Jayne

PS Two weeks ago, my computer was lagging and IE kept going down. Not sure if this is relevant but Iyogi found as I saw them work on my system remotely 5 virus's. I was shocked. Two were Trojan and one was called happili, the others couldn't catch name. I mention this in case it is in indicator of a bigger overall vulnerabilty in my system. Had the Sony 16 months, and until this month, never a problem!

[Maurice Naggar]

Hello jpagefan456,

Do not do anything on your own. If you will follow my guide, we may be able to make some headway.

I am assuming your Windows 7 is usable.

Tell me just who is Yiogi ??

Do as much as you can of the following.

Step 1

1. Go >> Here << and download ERUNT

(ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)

2. Install ERUNT by following the prompts

(use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)

3. Start ERUNT

(either by double clicking on the desktop icon or choosing to start the program at the end of the setup)

4. Choose a location for the backup

(the default location is C:\WINDOWS\ERDNT which is acceptable).

5. Make sure that at least the first two check boxes are ticked

6. Press OK

7. Press YES to create the folder.

Step 2

To show all files:

• Go to your Desktop
• Double-Click the Computer icon.
  
• From the menu options, Select Tools, then Folder Options.
  
• Next click the View tab.
  
• Locate and uncheck Hide file extensions for known file types.
  
• Locate and uncheck Hide protected operating system files (Recommended).
  
• Locate and click Show hidden files and folders and drives.
  
• Click Apply > OK.

Step 3

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

For directions on how, see How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Do NOT turn off the firewall

Download aswMBR.exe ( 511KB ) to your desktop.

On Windows 7 or Vista, RIGHT click on aswMBR.exe and select Run As Administrator to start.

On Windows XP, double click the exe to start.

change the a-v scan to None.

uncheck trace disk IO calls

Click the "Scan" button to start scan

On completion of the scan (Note if the Fix button is enabled (not the FixMBR button) and tell me) click save log, save it to your desktop and post in your next reply

Step 4

Please read carefully and follow these steps.

• Delete the prior copies of TDSSKILLER.zip & TDSSKILLER.exe that you may have.
  
• Download TDSSKiller and save it to your Desktop.
  
• If on Windows 7 or Vista, RIGHT-Click on TDSSKiller.exe and select Run As Administrator to run the application.
  If on Windows XP, double-click to start.
  
• Click on "Change parameters" and place a checkmark next to Verify Driver Digital Signature and Detect TDLFS file system, then click OK
  
• Then press Start Scan

When the scan is done, it will display a summary screen.

• If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  
• If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.
  

Step 5

Create a new folder on your C drive, name it ARK ===> C:\\ARK

Go Here and click the "Download EXE" button & Save the file to ARK folder

RIGHT-click the exe and select Run As Administrator to launch the program. (If you get an immediate message about rootkit activity, ignore and proceed with instructuions please)

Click on the Rootkit/Malware Tab &

then, on the far right side, untick the Registry box,

then click Scan.

Scan progress will be shown at bottom of the program screen. Have "infinite" patience while it runs.

Once the scan is done, press the Copy button, then open NOTEPAD, Paste to it, and Save the file as Gmer.log in your ARK folder.

Attach the results here in your reply.

Step 6

RE-Enable your antivirus program.

Download OTL by OldTimer to your desktop: http://oldtimer.geekstogo.com/OTL.exe

• Close all open windows on the Task Bar. Click the icon (for Vista, or Windows 7 Right click the icon and Run as Administrator) to start the program.
  
• In the lower right corner, checkmark "LOP Check" and checkmark "Purity Check".
  
• Now click Run Scan at Top left and let the program run uninterrupted. It will take about 4 minutes.
  
• It will produce two logs for you, one will pop up called OTL.txt, the other will be saved on your desktop and called Extras.txt.
  
• Exit Notepad. Remember where you've saved these 2 files as we will need both of them shortly!
  
• Exit OTL by clicking the X at top right.

Download Security Check by screen317 and save it to your Desktop: here or here

• Run Security Check
• Follow the onscreen instructions inside of the command window.
• A Notepad document should open automatically called checkup.txt; close Notepad. We will need this log, too, so remember where you've saved it!

If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE access the Internet, allow it to do so.
Then copy/paste the following into your post (in order):

• the contents of aswMBR report;
  
• the contents of TDSSKILLER log;
  
• the contents of GMER log;
  
• the contents of OTL.txt;
  
• the contents of Extras.txt ; and
  
• the contents of checkup.txt

Be sure to do a Preview prior to pressing Submit because all reports may not fit into 1 single reply. You may have to do more than 1 reply.

Do not use the attachment feature to place any of your reports. Always put them in-line inside the body of reply.

[jpagefan456]

Thank- you Mr. Naggar for the prompt reply. I am excited there may be a fix to this blue screen situation. I may have unintentionally misled you into thinking I have some computer knowledge on the tech side and honestly I am a beginner, learning as I go. Thankfully, your directions are very precise and detailed. If I am careful I don't see any reason I can't do this by taking my time and following your instructions to the letter. By the way, I won't be offended in the least if you think this takes someone with more expertise than myself to do, or if I need to pay for a repair person. But would like to give it a go myself first, how else am I ever going to learn?

I'll need to wait until later in the day or tomorrow when I can do the steps without any interuption. What will happen if it crashes during any of the steps/processes you have listed? Would I restart and start back at the beginning? I don't have the list in front of me, guess I can cross that bridge when I come to it.

To answer your questions, I can use the computer for sometimes 10 minutes only, at other times it's okay for 3 or 4 hours before the crash and dump. Usually I can get at least a good hour or more out of it. It's so randomized, very aggravating.

I neglected to say in previous post that I run this laptop exclusively off of Wireless Network here at my house. Our other computers are all on Hard Lan (sp?) lines but this one is Wireless off the router. Does that make any difference (maybe more in how I got the virus's to begin with I'm thinking).

Finally, IYogi is a tech support company that my husband paid for a 2 year contract to fix my computer remotely through their Bomgar servers in India. They offered no attempt at a fix for this, only told me to buy a new Windows 7 program since mine was corrupted, which they conveniently sell for 251.00 (!) Also when I googled I found out that due to recent misconduct of IYogi, the CEO of Avast has dropped them as a support. Got a little off topic there, but fyi in case anyone else brings up IYogi.

Thanks again for the information and I will certainly post back later with what I hope are good results.

Jayne

[Maurice Naggar]

Make sure the laptop/notebook is connected to wall-electric power or to a UPS system. We do not want it to go into hibernate or sleep while you run the tools.

If you can, also turn off any screensavers. We (again) do not want notebook to go to sleep or hibernate.

One more thing, make sure there is good air circulation around the notebook.

I sure hope you do not run into a hitch. Generally speaking, if you have a question, STOP, post your question and wait for a reply.

I may suggest you get your husband to ask for a refund on the balance of the IYogi deal. Should be do-able if you had paid by credit card.

[Maurice Naggar]

Would you kindly provide me a status update. Are you still with me? Do you need more help? Do you need more time?

If I do not hear back in 3 days, I will close this.

[Maurice Naggar]

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

[Maurice Naggar]

Re-opened per member request. Do as much as possible of the items & tools I previously itemezied. As much as possible.

and post the logs for review.

IF you will be away for some significant time, let me know in advance. I usually close my topics by 4 days if I do not get a response.

[jpagefan456]

Hello Maurice, here is the latest. Before beginning the steps you outlined, I decided to call IYogi since I paid 300 dollars for a 2 year contract and figured why not give them a shot? I sat here and watched exactly what he did. I had the Malwarebytes screen I ran showing the Virus's 2 @ svc.host.exe. He did a search and went to a site called Softonic. com. Then, he downloaded a program called Tojan Remover 6.8.3. It ran and stopped dead on a file that said "File Alert..."Suspicious entry..This appears to be malicious Malware >> C/Windows/svchost.exe. A big hugh stop on the run. So the tech ran whatever fixes that entailed and assured me this Trojan Remover took care of my winscrmde problem on my audio.

But not 5 minutes after hanging up, I hear ads blaring through my headset. Unbelievable. I watched this program Trojan Remover 6.8.3 run, it looked like it did it's job. But it didn't.

Can you help me uunderstand why this is such a problem? I know I'm going to get to the bottom of it eventually but this is a professional company who's job it is to remove all virus's. Very frustrating. Anyway, after I call them back to let them know what they did was a total failure, I will come back to those instructions you gave me and take a closer look with my husband. I guess learning as I go here, I was interested in your opinion on this softtonic Trojan remover 6.8.3 program. Thanks for your patience and I will return to check the thread shortly. Jayne

[jpagefan456]

Sorry, didn't see an edit feature to note above the Virus that won't go away has the name winrscmde. It shows up randomly but I'd say 80 percent of the time in my audio mixer as the mysterious 3rd column. Jayne

[Maurice Naggar]

PLEASE put aside your audio.

If you will get & run the tools I outlined, we can make some headway.

If you are working currently with this Iyogi, tell me so, and I will get out of this loop.

If you want me to continue, stop using Iyogi, and do the items I had long ago outlined, so I can have the logs for review and study.

[Maurice Naggar]

P.S.

IYogi has a poor reputation on Web of Trust http://www.mywot.com...ecard/iyogi.com

[jpagefan456]

PLEASE put aside your audio.

If you will get & run the tools I outlined, we can make some headway.

If you are working currently with this IYogi, tell me so, and I will get out of this loop.

If you want me to continue, stop using Iyogi, and do the items I had long ago outlined, so I can have the logs for review and study.

Hello, I am very new to all this. This is the first malicious virus I've had and am trying to fix it, plus understand how the heck it got in and what it does. I spoke of IYogi thinking perhaps you would be interested in the Softtonic Trojan Killer 683 program they ran. In hindsight, that was dumb given I'm sure you know all the programs out there. Honest mistake on my part. You are not in a loop with them as I decided to cut them off as a provider.

Regarding your comment that I disregard the audio, I thought that was my only problem. Could you educate me on what we are really looking at here?

Thanks very much for your patience. Today is the holiday of course, but I will run the program(s) you have listed as soon as I can. I can get to it later today or tomorrow. I do have a family comittment today.

Hope you are enjoying the holiday. Jayne.

[jpagefan456]

Wow, I am finding out a lot just perusing the site here! Just read a post about Malware and in there was a suggestion to check your User Account Control. I found that and there was a vertical bar which was set to "Never notify". I don't know if that may be how some malware snuck in, but I moved that bar to the highest setting immediately "Always Notify." I think I'm starting to catch on.........

[Maurice Naggar]

The control to notify on this forum has nothing to do with any malware sneaking in. That is for notifying you when someone replies.

I thought you had posted here looking for help on malware. I am saying, audio should be the least of your concern at this time.

I must see logs before I can make a decent opinion on your malware status. Kindly provide those logs for review.

[jpagefan456]

You know there is no need to be so harsh in your replies.

I said more than once I am here to learn as indicated in the title of this thread.

I may not be as fast as everyone else, but trust me I can learn like anyone else.

PLEASE put aside your audio.

Perhaps I should have told you that Music is the primary reason I use my laptop. Not for Word or Processing or a job, but for listening to my DVD,CD, Album, music. That's why I invested in a $200 set of Able Planet headsets. Because for me, Music is everything and the computer is my stereo, therefore with no music, then the computer means very little to me. You can't imagine how ticked off I am to have random advertising blaring in at a high volume during music. THAT is why it is hard to put "aside your audio."

I thought you had posted here looking for help on malware. I am saying, audio should be the least of your concern at this time.

Having no clue what else Malware does until I do some more reading the audio is my main concern as for reasons already stated.

The control to notify on this forum has nothing to do with any malware sneaking in. That is for notifying you when someone replies.

I am well aware of what Forum Notifications are and that is not what I said. Read it again. What I did do was read a link you posted about ways to protect your computer from Malware. Here it is to refresh your memory.

http://forums.malwar...howtopic=104379

From your topic....""No "inside help," no hack can take place. In Vista and Windows 7 keep UAC (User Account control) turned on. This will prevent the malcious code from writing to and executing from the system32directory."

This is what I was talking about The User Account Control Panel in my computer which I never looked at. It has a column and a slider for whether you want to be Never Notified of changes etc. or Always Notified. I changed that from Never to Always. Thought that was a good first step.

Thanks again for your help and am working on the instructions the first chance I get.

Geez, does anyone smile around here? Jayne

[Maurice Naggar]

If I sounded harsh, that was not the intent.

I am here to help you remove malware infection, that was the presumption when you started this topic.

When I said, set aside the audio issue, that is to say, it takes a second seat to "removing malware" which is the main focus.

P.S.S. You actually set UAC way too high. Take it down 1 setting.

Edited July 5, 2012 by Maurice Naggar

[jpagefan456]

If I sounded harsh, that was not the intent.

I am here to help you remove malware infection, that was the presumption when you started this topic.

When I said, set aside the audio issue, that is to say, it takes a second seat to "removing malware" which is the main focus.

P.S.S. You actually set UAC way too high. Take it down 1 setting.

Hello Maurice, I am still here with the thread, but I will need to wait until this weekend Saturday or Sunday ot do the steps/procedures for the report when my spouse can be here to assist me. It will go faster that way since he is more familiar with the Notepad features and printing/sending docs, etc.

May I ask that you keep the thread active through the weekend? I'd appreciate it. I can't wait to get to the bottom of this mess.

Thank-you and also thanks for the tip about thr UAC slider! I lowered it by one, like you suggested.

.........Jayne

[Maurice Naggar]

OK. Yes.

Just so you know, you can post a log-report when you get done with a particular step.

You do not have to wait until the end of all. You can reply separately as you get a report done.

[jpagefan456]

Dear Maurice, you can go ahead and close the topic now. I waited for my husband who does have limited time but did look at your instructions as he promised me a few minutes ago. He was not confident he could run everything properly and expressed a secondary concern over logs that are copy/paste from my computer onto a public forum. So, what am I to do?

He has already ordered a brand new Windows 7 O/S Premium Home Edition from Amazon to be delivered Tuesday. So, I will have to wipe everything out. The SOB hackers win because they found someone (me) who is not well versed on computers and doesn't know a quarantine from a run time error or java script and now I have to start from square one.

It is an utterly defeated feeling. I really like this site. There is a lot to learn, but this site is very intimidating to new computer users. I feel like an idiot reading many of threads and not understanding many of the terms and solutions bandied about like it's everyday talk.I will definitely look at some of the threads and maybe pick up a few basic things that way for the future.

I thought I saw some sort of advanced consumer premium help offered here at a cost. That's what I should have asked you about. Pay someone to go in and remotely look at my computer and fix it, end of problem. I picked a lousy company in IYogi, 300 dollars down the drain, but you would think there would be a market for others to do this remote fixing of computers too?

I will say it is all interesting, even if it is far too advanced for me to comprehend at the moment. I surf Ebay, Amazon, and Facebook, maybe a little You/tube. That's it. Not exactly a million places for virus's to sneak in but guess I screwed up somewhere. Live and learn.

Thanks for all your time and all you suggested/posted. If I have some questions about computers, I'll remember this site, obviously some extremely smart computer techs here. Best to you, Jayne

[Maurice Naggar]

I am sorry to hear that you have decided to wipe the system. It is very sad because this one can be salvaged. You have a license for Windows on this pc and there was no need to buy another.

I don't understand the concern about the logs. They won't contain your personal address or data that could really identify you.

I'd recommend ComputerHaven forums as a good place for you to learn http://computerhaven...forum/index.php

BTW, do not think that Facebook is a totally safe website, since they get their share of infection vectors.

Let me suggest, if you have a MBAM license, you contact the help desk at support@malwarebytes.org

Safer practices & malware prevention

• Have a hardware router between the incoming internet-modem and your computer.
  
• Configure your Antivirus software to check for updates daily, at a time in which you are sure the computer will be on.
  
• Check in at Windows Update and install any Critical Updates offered.
  
• Make certain that Automatic Updates is enabled.
  How to configure and use Automatic Updates in Windows
  http://support.microsoft.com/kb/306525
  
• Check on other update issues as well, visit Secunia Online Software Inspector (OSI)
  See How to detect vulnerable and out-dated programs using Secunia Personal Software Inspector
  
• Download, install, and keep updated Spyware Blaster (free): http://www.javacools...areblaster.html (all Protections should be enabled at all times)
  
• I'd recommend that you get and use MVP Mike Burgess' custom hosts file http://mvps.org/winhelp2002/hosts.htm
  See the FAQ page http://mvps.org/winh...02/hostsfaq.htm
  That would help to keep your browser away from known spyware/malware sites.
  
• Make regular backups of your system to removable media: DVD, USB external hard drive, etc.
  Having a total image backup of your system stored on DVD/CD is highly important.
  Get and make use of imaging-backup utilities and save them to offline media. That way you have something to fall back to if another disaster hits.
  Examples of image backup software: Acronis True Image, or the free (for personal use) Macrium Reflect http://www.macrium.com/reflectfree.asp
  or Paragon Backup & Recovery http://www.paragon-s...e/download.html
  
• Consider using Web of Trust WOT add-on for your browser(s)
  http://www.mywot.com/en/download
  http://www.mywot.com/en/faq/add-on
  On some regular schedule, it is a good idea to do an online scan for viruses and malware. Here is a very short list of sites where this may be done:
  ESET Online Scanner
  Panda ActiveScan
  Trend Micro Housecall
  F-Secure Online Scanner
  
• See Six tips to help you stay safer online
  
• Never, ever download free games, free tools, videos, mutli-media files or anything free unless you can be absolutely sure the source is safe !
  

Best to you.