Sorry for the delay. Had to go off-island to pick up my wife from the Seattle airport.
These are all Python files:
MOD - [2012/11/26 22:51:53 | 001,024,024 | ---- | M] () -- C:\Users\Anuj\AppData\Local\Temp\_MEI23322\windows._cacheinvalidation.pyd
MOD - [2012/11/26 22:51:53 | 000,792,576 | ---- | M] () -- C:\Users\Anuj\AppData\Local\Temp\_MEI23322\wx._gdi_.pyd
MOD - [2012/11/26 22:51:53 | 000,731,136 | ---- | M] () -- C:\Users\Anuj\AppData\Local\Temp\_MEI23322\wx._misc_.pyd
MOD - [2012/11/26 22:51:53 | 000,645,120 | ---- | M] () -- C:\Users\Anuj\AppData\Local\Temp\_MEI23322\_ssl.pyd
MOD - [2012/11/26 22:51:53 | 000,571,392 | ---- | M] () -- C:\Users\Anuj\AppData\Local\Temp\_MEI23322\pysqlite2._sqlite.pyd
MOD - [2012/11/26 22:51:53 | 000,354,304 | ---- | M] () -- C:\Users\Anuj\AppData\Local\Temp\_MEI23322\pythoncom26.dll
MOD - [2012/11/26 22:51:53 | 000,263,168 | ---- | M] () -- C:\Users\Anuj\AppData\Local\Temp\_MEI23322\win32com.shell.shell.pyd
MOD - [2012/11/26 22:51:53 | 000,110,592 | ---- | M] () -- C:\Users\Anuj\AppData\Local\Temp\_MEI23322\win32security.pyd
MOD - [2012/11/26 22:51:53 | 000,110,592 | ---- | M] () -- C:\Users\Anuj\AppData\Local\Temp\_MEI23322\PyWinTypes26.dll
MOD - [2012/11/26 22:51:53 | 000,096,256 | ---- | M] () -- C:\Users\Anuj\AppData\Local\Temp\_MEI23322\win32api.pyd
MOD - [2012/11/26 22:51:53 | 000,086,016 | ---- | M] () -- C:\Users\Anuj\AppData\Local\Temp\_MEI23322\_elementtree.pyd
MOD - [2012/11/26 22:51:53 | 000,073,728 | ---- | M] () -- C:\Users\Anuj\AppData\Local\Temp\_MEI23322\_ctypes.pyd
MOD - [2012/11/26 22:51:53 | 000,070,656 | ---- | M] () -- C:\Users\Anuj\AppData\Local\Temp\_MEI23322\wx._html2.pyd
MOD - [2012/11/26 22:51:53 | 000,040,448 | ---- | M] () -- C:\Users\Anuj\AppData\Local\Temp\_MEI23322\_socket.pyd
MOD - [2012/11/26 22:51:53 | 000,023,040 | ---- | M] () -- C:\Users\Anuj\AppData\Local\Temp\_MEI23322\win32ts.pyd
MOD - [2012/11/26 22:51:53 | 000,017,920 | ---- | M] () -- C:\Users\Anuj\AppData\Local\Temp\_MEI23322\win32profile.pyd
MOD - [2012/11/26 22:51:53 | 000,011,776 | ---- | M] () -- C:\Users\Anuj\AppData\Local\Temp\_MEI23322\win32crypt.pyd
MOD - [2012/11/26 22:51:49 | 000,022,528 | ---- | M] () -- C:\Users\Anuj\AppData\Local\Temp\_MEI23322\win32pdh.pyd
MOD - [2012/11/26 22:51:47 | 001,169,408 | ---- | M] () -- C:\Users\Anuj\AppData\Local\Temp\_MEI23322\wx._core_.pyd
MOD - [2012/11/26 22:51:47 | 000,036,352 | ---- | M] () -- C:\Users\Anuj\AppData\Local\Temp\_MEI23322\win32process.pyd
MOD - [2012/11/26 22:51:46 | 000,807,424 | ---- | M] () -- C:\Users\Anuj\AppData\Local\Temp\_MEI23322\wx._windows_.pyd
MOD - [2012/11/26 22:51:46 | 000,311,808 | ---- | M] () -- C:\Users\Anuj\AppData\Local\Temp\_MEI23322\_hashlib.pyd
MOD - [2012/11/26 22:51:46 | 000,121,856 | ---- | M] () -- C:\Users\Anuj\AppData\Local\Temp\_MEI23322\wx._wizard.pyd
MOD - [2012/11/26 22:51:44 | 000,111,104 | ---- | M] () -- C:\Users\Anuj\AppData\Local\Temp\_MEI23322\win32file.pyd
MOD - [2012/11/26 22:51:43 | 000,039,424 | ---- | M] () -- C:\Users\Anuj\AppData\Local\Temp\_MEI23322\win32inet.pyd
MOD - [2012/11/26 22:51:41 | 001,056,256 | ---- | M] () -- C:\Users\Anuj\AppData\Local\Temp\_MEI23322\wx._controls_.pyd
MOD - [2012/11/26 22:51:41 | 000,585,728 | ---- | M] () -- C:\Users\Anuj\AppData\Local\Temp\_MEI23322\unicodedata.pyd
MOD - [2012/11/26 22:51:41 | 000,153,088 | ---- | M] () -- C:\Users\Anuj\AppData\Local\Temp\_MEI23322\pyexpat.pyd
MOD - [2012/11/26 22:51:41 | 000,017,920 | ---- | M] () -- C:\Users\Anuj\AppData\Local\Temp\_MEI23322\win32event.pyd
MOD - [2012/11/26 22:51:41 | 000,011,776 | ---- | M] () -- C:\Users\Anuj\AppData\Local\Temp\_MEI23322\select.pyd
Supposedly part of Google Drive.
Python is just a programing language and not inherently evil. It appears that the files in kernels are also written in Python but I think it's just a coincidence.
All files in C:\kernels are part of the malware so they and the folder itself can all be deleted.
That should remove the last of the infection that we can see.
Unless you see other problems I think we are done and can clean up
Copy the following:
Right click on OTL and Run As Administrator. In the Custom Scans/Fixes box at the bottom, paste in the copied text (Ctrl + v) and then hit Run Fix.
That will get the last of the malware off the system.
You can uninstall or delete any tools we had you download and their logs.
To uninstall combofix, copy the next line:
Start, All Programs, Accessories then right click on Command Prompt and Run As Administrator.
then right click, Paste, then hit Enter.
OTL has a cleanup tab but DO NOT USE IT!. There are reports that it leaves the PC unbootable. Instead just delete OTL.exe and the folder c:\_OTL.
To hide hidden files again:
Vista or Win7
# Open the Control Panel menu and click Folder Options.
# After the new window appears select the View tab.
# Remove the check in the checkbox labeled Display the contents of system folders.
# Under the Hidden files and folders section select the radio button labeled Do not Show hidden files and folders.
# Check the checkbox labeled Hide protected operating system files.
# Press the Apply button and then the OK button and exit My Computer.
Also make sure you have the latest versions of any adobe.com products you use like Shockwave, Flash or Acrobat.
To help keep your programs up-to-date you should download and run the UpdateChecker: http://www.filehippo.../updatechecker/
(You don't need to download Betas and if there is a program you don't use you can just uninstall it rather than update it. Exception is MSN messenger which appears to be part of Windows.)
If you get a blocked program notice after installing updatechecker then change it to not run at start then manually run it once a week.
Seems to work best if Firefox is the default browser. You can also try Secunia PSI http://secunia.com/v...l/download_psi/
Same kind of info. You don't need both.
If you use Firefox then get the AdBlock Plus Add-on. WOT (Web of Trust) is another you might want to try.
The equivalent to AdBlock Plus for IE is called Simple Adblock and you should install it too: http://simple-adblock.com/
The free version only blocks 200 ads a day so another reason to use Firefox or Chrome.
If Firefox is slow loading make sure it only has the current Java add-on. Then download and run Speedy Fox.http://www.crystalidea.com/speedyfox
. You can run it any time that Firefox seems slow.
Be warned: If you use Limewire, utorrent or any of the other P2P programs you will almost certain be coming back to the Malware Removal forum. If you must use P2P then submit any files you get to http://virustotal.com
before you open them.
If you have a router, log on to it today and change the default password! If using a Wireless router you really should be using encryption on the link. Use the strongest (newest) encryption method that your router and PC wireless adapter support especially if you own a business. See http://www.king5.com...-120637284.html
for why encryption is important. If you don't know how, visit the router maker's website. They all have detailed step by step instructions or a wizard you can download.
Special note on Java. If you have Java installed it must be 7 update 9 or newer. All old versions must be removed.
These may call themselves: Java Runtime, Runtime Environment, Runtime, JRE, Java Virtual Machine, Virtual Machine, Java VM, JVM, VM, J2RE, J2SE.
Make sure Windows Updates is turned and that it works. Go to Control panel, Windows Updates and see if it works. http://support.microsoft.com/kb/294871
You definitely need to have KB2744842. This patches a major flaw in IE.
My help is free but if you wish to show your appreciation, please donate to Kwiaht instead of me. It's a local environmental organization that I volunteer with: http://www.kwiaht.org/donate.htm
(The name means something like "clean place" in one of the local native-American dialects)