RtkBtMnt.exe virus - Unable to remove Help Needed!

Hi,

Thanks for your reply and all the help. Hope I haven’t been too quick in responding to your early PM as I have already deleted most of the files/programs in question before I read your reply.

This is what I have done so far:-

C:\bit downloads\KMS Activator for Microsoft Office 2010 Applications x86 x64 Multilingual-FIXISO~DiBYA\mini-KMS_Activator_v1.053.exe
C:\Users\Tony\Downloads\KMS Activator for Microsoft Office 2010 Applications x86 x64 Multilingual-FIXISO~DiBYA\mini-KMS_Activator_v1.053.exe

Neither of these items have ever been used by me so I deleted them immediately

C:\Pendrive data\Utilitys\WGA_v19400\WGA_v1.9.40.0_crack.exe

I have deleted this one as well as again I have never used it.

C:\Users\Tony\AppData\Local\Temp\wfpdisable.exe

This one really did worry me as it was in the Temp folder and an exe file, so I deleted it immediately. So far, there is no sign of it returning.

C:\Downloads\SpywareRemovalToolkit_Setup.exe

This one was a spyware removal toolkit that I downloaded from a website a while ago. Again as it was on the list I deleted it.

C:\Downloads\7 zip\7zip.uk02.exe

This one was downloaded from the product’s website so don’t really understand why it was listed. However, never found any use for it so it has been deleted.

C:\Downloads\Nero 9\Nero-9.4.12.3d_free.exe

This one really did confuse me as this was a free download from the Nero site itself. Anyway, I tend to use CDBurnerXP as this is a free program and I think better. So once again this item has been deleted.

C:\Windows\System32\APISlice.dll

This last one I wanted to check with you before I did anything with it. I am user an Acer machine and I have seen a lot of comments about this file on the net. Lots of people are saying that this file is used by Acer so I wanted to be sure about deleting it before I do anything with it? Please can you confirm that I should delete it?

I have re-scanned with Eset and here are the results.
C:\Windows\System32\APISlice.dll Win32/DllInject.D application

Just the one file, that I am not sure about removing. What do you think about this one?

Best Wishes, Tony

C:\Windows\System32\APISlice.dll Win32/DllInject.D application was submitted to for an online identification. It came back clean at that time, making it a False Positive. But I'd like you to submit it again for a more current accessment. If it tells you it's already been scanned, click on 'new scan.;

Please go to Virus Total for ID::

VirusTotal

• At the top of the page you'll find a "Browse" button. Click the "Browse" button and browse to the following file:
  C:\Windows\System32\APISlice.dll
  
• Click "Open".
• Then click the "Send" button at the top of the VirusTotal page.
• This will scan the file. Please be patient.
• Once scanned, copy and paste the results in your next reply together with a new
  HijackThis log.

Hi,

I have send the file in question for testing and these are the results. Is this correct?

File name:
APISlice.dll
Submission date:
2011-02-01 19:51:58 (UTC)
Current status:
queued queued analysing finished
Result:
9/ 43 (20.9%)

Antivirus Version Last update Result
AhnLab-V3 2011.01.27.01 2011.01.27 -
AntiVir 7.11.2.50 2011.02.01 -
Antiy-AVL 2.0.3.7 2011.01.28 Trojan/Win32.Agent.gen
Avast 4.8.1351.0 2011.02.01 -
Avast5 5.0.677.0 2011.02.01 -
AVG 10.0.0.1190 2011.02.01 -
BitDefender 7.2 2011.02.01 -
CAT-QuickHeal 11.00 2011.02.01 -
ClamAV 0.96.4.0 2011.02.01 -
Commtouch 5.2.11.5 2011.02.01 -
Comodo 7559 2011.01.31 -
DrWeb 5.0.2.03300 2011.02.01 -
Emsisoft 5.1.0.2 2011.02.01 Trojan-PSW.Win32.Agent.uyr!A2
eSafe 7.0.17.0 2011.02.01 -
eTrust-Vet 36.1.8135 2011.02.01 -
F-Prot 4.6.2.117 2011.02.01 -
F-Secure 9.0.16160.0 2011.02.01 -
Fortinet 4.2.254.0 2011.02.01 -
GData 21 2011.02.01 -
Ikarus T3.1.1.97.0 2011.02.01 -
Jiangmin 13.0.900 2011.02.01 Trojan/PSW.Agent.nbp
K7AntiVirus 9.80.3713 2011.02.01 -
Kaspersky 7.0.0.125 2011.02.01 -
McAfee 5.400.0.1158 2011.02.01 Artemis!51A6CD592A4E
McAfee-GW-Edition 2010.1C 2011.02.01 Artemis!51A6CD592A4E
Microsoft 1.6502 2011.02.01 -
NOD32 5838 2011.02.01 Win32/DllInject.D
Norman 6.06.12 2011.02.01 -
nProtect 2011-01-27.01 2011.02.01 Trojan-PWS/W32.Agent.73728.Z
Panda 10.0.3.5 2011.02.01 -
PCTools 7.0.3.5 2011.01.31 -
Prevx 3.0 2011.02.01 -
Rising 23.43.01.08 2011.02.01 -
Sophos 4.61.0 2011.02.01 -
SUPERAntiSpyware 4.40.0.1006 2011.02.01 -
Symantec 20101.3.0.103 2011.02.01 -
TheHacker 6.7.0.1.122 2011.01.30 Trojan/PSW.Agent.uyr
TrendMicro 9.120.0.1004 2011.02.01 -
TrendMicro-HouseCall 9.120.0.1004 2011.02.01 -
VBA32 3.12.14.3 2011.02.01 TrojanPSW.Agent.uyr
VIPRE 8277 2011.02.01 -
ViRobot 2011.2.1.4285 2011.02.01 -
VirusBuster 13.6.176.0 2011.02.01 -
MD5: 51a6cd592a4e49ce90c5dcfb00a58d39
SHA1: bc83c63bdbb9654015e21e81be725e0ba15a03b7
SHA256: 4577f4338a6be0034cb2ba73347c0786294d3f916d6beda98c120be2b3e5ea5a
File size: 73728 bytes
Scan date: 2011-02-01 19:51:58 (UTC)

Hi,

Thanks for your help.

New HJT log:-

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 19:59:08, on 01/02/2011
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18999)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Siber Systems\AI RoboForm\robotaskbaricon.exe
C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
C:\Windows\ehome\ehtray.exe
C:\Program Files\ShortKeys2\shortkey.exe
C:\Windows\ehome\ehmsas.exe
C:\Acer\Empowering Technology\ENET\ENMTRAY.EXE
C:\Acer\Empowering Technology\EPOWER\EPOWER_DMC.EXE
C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\ProgramData\Mozilla Firefox\firefox.exe
C:\ProgramData\Mozilla Firefox\plugin-container.exe
C:\Program Files\Windows Mail\WinMail.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.rd.yahoo.com/customize/ycomp/defaults/sp/*http://uk.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.uk.acer.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.uk.acer.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.uk.acer.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.rd.yahoo.com/customize/ycomp/defaults/su/*http://uk.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG10\avgssie.dll
O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office14\GROOVEEX.DLL
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~2\Office14\URLREDIR.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Windows\system32\eDStoolbar.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [WarReg_PopUp] C:\Acer\WR_PopUp\WarReg_PopUp.exe
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG10\avgtray.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Users\Tony\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Empowering Technology Launcher.lnk = ?
O4 - Global Startup: ShortKeys 2.lnk = C:\Program Files\ShortKeys2\shortkey.exe
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office14\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~1\MICROS~2\Office14\ONBttnIE.dll/105
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O18 - Protocol: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG10\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: Acronis Nonstop Backup service (afcdpsrv) - Acronis - C:\Program Files\Common Files\Acronis\CDP\afcdpsrv.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: AVG Security Toolbar Service - Unknown owner - C:\Program Files\AVG\AVG10\Toolbar\ToolbarBroker.exe
O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: eLock Service (eLockService) - Acer Inc. - C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
O23 - Service: eNet Service - Acer Inc. - C:\Acer\Empowering Technology\eNet\eNet Service.exe
O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe
O23 - Service: NMSAccess - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\Windows\system32\PSIService.exe
O23 - Service: Macrium Reflect Image Mounting Service (ReflectService) - Unknown owner - C:\Program Files\Macrium\Reflect\ReflectService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: ePower Service (WMIService) - acer - C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 12622 bytes

C:\Windows\System32\APISlice.dll<<<<< Delte it

Eset: C:\Windows\System32\APISlice.dll Win32/DllInject.D application
Viruscan: Trojan-PSW.Win32.Agent.uyr!A2

PWS is password stealer.

I would gess that while you were stealing programs using cracks and keygens, somewhere, one of them infected this file.

Tony, I am not comfortable continuing without benefit of a log from the CK scan. Please rescan and leave a log> here:

Download CKScanner and save to your desktop.

• Doubleclick CKScanner.exe and click Search For Files.
• When the cursor hourglass disappears, click Save List To File.
• A message box will verify that the file is saved.
• Double-click the CKFiles.txt icon on your desktop and copy/paste the contents
  in your next reply.

Hi,

Thanks for your help.

I have deleted the file in question (C:\Windows\System32\APISlice.dll) and re-booted the computer and it doesn't appear to have come back.

I have been following ALL your instructions and here is a CK Scan as requested.

CKScanner - Additional Security Risks - These are not necessarily bad
scanner sequence 3.MN.11
----- EOF -----

Can I now assume that all is clear?

Tony

Thanks for your patience. My internet went down Tuesday night and wasn't back up until mid-morning today-Thursday.

Almost finished! How about that repeat of Eset scan? If that's clean, so is your system and I'll have you remove the cleaning tools.

Hi,

Sorry to hear about your Internet and hope all is okay now.

I have just run the Eset scan again and all was clear which is just GREAT!

Here is log bit confirming this:-

# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6419
# api_version=3.0.2
# EOSSerial=25ca0e17fe2c09489036c015508973d2
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-02-05 12:12:23
# local_time=2011-02-05 12:12:23 (+0000, GMT Standard Time)
# country="United Kingdom"
# lang=9
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 43283410 43283410 0 0
# compatibility_mode=1032 16777213 100 96 62781 40188492 0 0
# compatibility_mode=5892 16776574 100 100 41223586 134430828 0 0
# compatibility_mode=8192 67108863 100 0 745762 745762 0 0
# scanned=427284
# found=0
# cleaned=0
# scan_time=9842

So I assume that all is okay with my system now?

A big thank you for all your help.
Tony

You're welcome! Looks clean to me.
Removing all of the tools we used and the files and folders they created

• Uninstall ComboFix and all Backups of the files it deleted
• Click START> then RUN
• Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
  

• Download OTCleanIt by OldTimer and save it to your Desktop.
• Double click OTCleanIt.exe.
• Click the CleanUp! button.
• If you are prompted to Reboot during the cleanup, select Yes.
• The tool will delete itself once it finishes.

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

• You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
• Go to Start > All Programs > Accessories > System Tools
• Click "System Restore".
• Choose "Create a Restore Point" on the first screen then click "Next".
• Give the Restore Point a name> click "Create".
  
• Go back and follow the path to > System Tools.
  [*]Choose Disc Cleanup
  [*]Click "OK" to select the partition or drive you want.
  [*]Click the "More Options" Tab.
  [*]Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.

Empty the Recycle Bin

Stay away for pirating a program. "Free" may sound temping, but you do end up paying because malware will be on the system!

Reopened thread to add safety tips:

Tips for added security and safer browsing:

1. Browser Security Settings: Custom is fine if the user did the settings. Mine are Custom. Default is okay too, but sometimes too restrictive.
   This Tutorial will help guide you through Configuring Security Settings, Managing Active X Controls and other safety features: Make Internet Explorer safer.
   
2. Have layered Security:
   • Antivirus Software(only one):Both of the following programs are free and known to be good:
     [o]Avira Free
     [o]Avast Home
   • Firewall (only one): Use bi-directional firewall. Both of the following programs are free and known to be good:
     [o]Comodo
     [o]Zone Alarm
   • Antispyware: I recommend all of the following:
     [o]Spywareblaster: SpywareBlaster protects against bad ActiveX. It places kill bits to stop bad Active X controls from being installed. Remember to update it regularly.
   [o]Download ZonedOut and save to your desktop. this replaces IE/Spyad and manages the Zones in Internet explorer. This places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
   For IE7 and IE8, Windows 2000 thru Vista. No Windows 7 yet.
   IE/Spyad is not longer being supported. If you have this on your system, you should replace it with the following program. Make sure your IE8 is Up-to-date before adding sites to your restricted zone.
   Known issue: If you have "immunized" your computer with Spybot Search and Destroy, and use ZonedOut to "Remove All" restricted sites - ZonedOut will remove your trusted sites as well. Note that if you remove Spybot Search and Destroys Immunization the problem goes away...
   [o]Replace the Host Files
   MVPS Hosts files This replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
   [o]Google Toolbar Get the free google toolbar to help stop pop up windows.
   
3. Stay current on updates:
   [o] Visit the Microsoft Download Sitefrequently. You should get All updates marked Critical and the current SP updates.
   [o]Visit this Adobe Reader site often and make sure you have the most current update. Uninstall any earlier updates as they are vulnerabilities.
   [o]Check this site .Java Updates Stay current as most updates are for security. Uninstall any earlier versions in Add/Remove Programs.
   
4. Reset Cookies to prevent Tracking Cookies:
   [o]For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> check 'override automatic Cookie handling'> check 'accept first party Cookies'> check 'Block third party Cookies'> check 'allow per session Cookies'> Apply> OK.
   [o]For Firefox: Tools> Options> Privacy> Cookies> check ‘accept Cookies from Sites’> Uncheck 'accept third party Cookies'> Set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others. (Note: for Firefox v3.5, after Privacy click on 'use custom settings for History.')
   I suggest using the following two add-on for Firefox. They will prevent the Tracking Cookies that come from ads and banners and other sources:
   AdBlock Plus
   Easy List
   
5. Do regular Maintenance
   Remove Temporary Internet Files regularly:
   [o]ATF Cleaner by Atribune
   OR
   [o]TFC
   Disable and Enable System Restore:
   [o]See System Restore Guide This will help you understand what this is, why you need to clean and set restore points and what information is in them.
   
6. Practice Safe Email Handling
   [o] Don't open email from anyone you don't know.
   [o] Don't open Attachments in the email. Safe to your desktop and scan for viruses using a right click
   [o] Don't leave your personal email address on the internet. Have a separate email account at one of the free web-based emails like Yahoo.

Use a Site Advisor:
The Web of Trust (WOT) add-on is a safe surfing tool for your browser. Traffic-light rating symbols show which rate the site for Trustworthiness, Vendor Reliability, Privacy, Child Safety.Your online email account – Google Mail, Yahoo! Mail and Hotmail is also protected.

Every time to do a search and the screen comes up with the sites, they will have the rating light. Green (2 shades), Amber/Yellow Caution, Red> not advised. A few sites haven't been rated and show as a blue flashlight.

If you want to link to another site from the page you're on o another, WOT will give you an Alert that the site is known for fraudulent entries, unreliable or other and the site won't load. Don't worry- those Alerts don't happen if you still to the green rating.

Give it a try- http://www.mywot.com/en/download

Hi,

Thanks for all help. I have been working my way through your suggestions.

I have noticed that since I altered the cookies setting, I now have to close my browser in order to sign out from hotmail.

Best Wishes and Thanks again, Tony

Once you get rid of all the original Cookies and reset the Cookies, you can keep the ones you need that had you register and use password:

Use Windows Explorer: Windows key+E> Expand your documents and settings section> Double click on Cookies> keep what you want, delete the others. If you did the reset, you should only have a few.

Check Internet Options through Control Panel or Tools> Advanced tab> Security section> try unchecking 'Empty temporary internet file when browser is closed'> Apply> OK.

I have it checked but have very tight Cookie control. Maybe IE8 is different.

Hi,

Once again a big THANK YOU for all your help.

Tony

You/re welcome.