Archive for the “Windows” Category

Malware toolkit | browser redirects

I must say this malware is getting out of control. Recently I had the pleasure of working on a system that got infected. I thought this would be a 30-minute job, tops, but it ended up being two days' worth of work. I brought in the usual fellas (HijackThis, SUPERAntiSpyware, Malwarebytes, AVG, Avast, Windows Process Explorer). I was ready for war at this point, as each tool found some type of trojan/malware process running. There was one rootkit that was not being detected by my usual fellas, except for Process Explorer. Process Explorer can only kill the process; it cannot remove it from your system.

I called in my backup and managed to get an application called UnHackMe and Wireshark on board. Wireshark is a packet sniffer that shows what data is leaving the system as well as requests coming in. Watching Wireshark, I saw the system connecting to an external website without the browser even being open (this is a WTF moment). So I killed the process that was controlling these connections. Bam, it came right back in a matter of seconds. At this point I was sure there was a hidden service running (a rootkit) that I could not see. This is where UnHackMe came in handy. I loaded up UnHackMe, found the hidden process and was able to stop it from running. UnHackMe did a good job of stopping the service but left the rootkit files on the system. I used ComboFix to completely remove the rootkit's files from C:\Windows\system32\ and C:\Windows\system32\drivers. ComboFix requires some patience.

Tools used
Free AVG
Avast
Malwarebytes
ComboFix
SpywareBlaster
UnHackMe (free 30-day trial)
HijackThis
Process Explorer
Wireshark Portable
SUPERAntiSpyware

Requirement: some knowledge of Windows processes. This is a must so you do not crash the computer and leave it unable to boot. If you are unsure about this, I am available for remote repair or guidance. There is a fee to have me remote into your system, which can be discussed. Feel free to chat with me on the QuakeNet IRC network in channel #mas1, or use our web client.

I normally run HijackThis first to stop some malware apps from running at boot time. Next I run Malwarebytes or SUPERAntiSpyware. Normally these three apps get the job done for most infections. Then I install Avast for continued protection.

I am considering creating a toolkit for download which will include these apps, so you will not need to Google it. Stay tuned for that.
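The two things that cracked this case were noticing a process talking to the internet while no browser was open, and then tracing the respawning connection back to a service. Here is an added example that reproduces those two checks with built-in cmdlets. It is not code from the original post or from any of the tools listed above. It assumes PowerShell 5.1 on Windows 8.1 / Server 2012 R2 or newer (for Get-NetTCPConnection and a catalog-aware Get-AuthenticodeSignature) and an elevated prompt so the owning process of every socket is visible. The browser name list is an assumption; extend it to match the machine.

```powershell
# Added example, not the original author's code. Two triage checks:
#  1. which processes hold outbound TCP connections (flagging non-browsers),
#  2. which services and kernel drivers run an image that is missing or not
#     validly signed, so a connection that keeps coming back can be tied to
#     the service that restarts it.
# A kernel rootkit that hooks the APIs behind these cmdlets can still hide
# from them; that is exactly why the post fell back to UnHackMe and ComboFix.

$Browsers = 'chrome', 'firefox', 'msedge', 'iexplore', 'opera'   # assumption: adjust per host

function Get-OutboundConnection {
    # Established or half-open outbound TCP sockets, excluding loopback and
    # link-local targets, tagged with the owning process.
    Get-NetTCPConnection -State Established, SynSent -ErrorAction SilentlyContinue |
        Where-Object { $_.RemoteAddress -notmatch '^(127\.|0\.0\.0\.0$|::1$|fe80:)' } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Remote    = '{0}:{1}' -f $_.RemoteAddress, $_.RemotePort
                OwningPid = $_.OwningProcess
                Process   = if ($proc) { $proc.ProcessName } else { '<exited>' }
                Image     = if ($proc) { $proc.Path } else { $null }
                IsBrowser = [bool]($proc -and ($Browsers -contains $proc.ProcessName))
            }
        }
}

function Resolve-ServiceImage {
    # Turn a Win32_Service / Win32_SystemDriver PathName into an absolute file
    # path: strips "quoted path" arguments, the \??\ and \SystemRoot\ prefixes,
    # and roots the bare 'System32\drivers\x.sys' form. An unquoted path that
    # contains spaces is cut at the first space; that is itself worth a look.
    param([string]$PathName)
    if (-not $PathName) { return $null }
    $p = if ($PathName -match '^"([^"]+)"') { $Matches[1] } else { ($PathName -split ' ')[0] }
    $p = $p -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')
    if (-not [System.IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-UnsignedServiceImage {
    # Services and kernel drivers whose image file is missing or whose
    # Authenticode/catalog signature does not verify as Valid.
    foreach ($class in 'Win32_Service', 'Win32_SystemDriver') {
        Get-CimInstance -ClassName $class | ForEach-Object {
            $image = Resolve-ServiceImage $_.PathName
            if (-not $image) { return }            # return = skip to the next item
            $status = if (Test-Path -LiteralPath $image) {
                (Get-AuthenticodeSignature -FilePath $image).Status
            } else { 'Missing' }
            if ($status -ne 'Valid') {
                [pscustomobject]@{
                    Type      = $class -replace '^Win32_', ''
                    Name      = $_.Name
                    State     = $_.State
                    StartMode = $_.StartMode
                    Image     = $image
                    Signature = $status
                }
            }
        }
    }
}

# Usage: first the non-browser processes talking out, then the unsigned images.
Get-OutboundConnection | Where-Object { -not $_.IsBrowser } | Format-Table -AutoSize
Get-UnsignedServiceImage | Sort-Object Type, Name | Format-Table -AutoSize
```

Run the first command with every browser closed, as in the story above; anything left in the table is the starting point. On Windows 7 and earlier Get-AuthenticodeSignature cannot see catalog signatures, so most inbox Windows drivers would show as NotSigned there and the second list would be mostly noise.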

How do I get infected?
Good question.
Most infections come from a website that has been compromised in some way. Google and Bing try to scan the websites indexed in their engines, and Google will show the alert "This site may harm your computer". Pay attention to this and do not enter the website. Once the notification is removed you should be good to enter; this normally happens after the site owner has cleaned up the website. Keep in mind the warning is reactive: a site with no warning has not been proven clean, it just has not been flagged yet.

You can also check the status of a website by going to

http://www.google.com/safebrowsing/diagnostic?site=EXAMPLE.COM

changing EXAMPLE.COM to the site you are about to visit, or visit StopBadware.

Other infections can occur if you install free games or screensavers. The rule of thumb: if it's free and not open source, don't install it. Also research it online before installing it, or ask your tech guy/gal.

Lastly: porn sites, warez sites (warez was known as a place to get free apps, movies, ebooks, music and more), and some community sites, cough cough, BlackPlanet, MySpace, Tagged. They use a lot of remote advertising firms, and an ad served by one of those firms can carry malware, for example hidden in an image loaded on the page. The sites themselves have limited control over this.

How come my antivirus cannot remove malware? I spent a lot of money on Norton or McAfee.
Another good question.
Most commercial antivirus products were designed to fight classic viruses. A virus modifies existing system files and can open a backdoor that lets someone into your system without your knowledge. This kind of malware generally does not modify existing system files; it adds its own files, services and browser settings to your system, which is why an antivirus that is only watching for infected files often misses it or cleans it only partially. Most of it is an advertising scam that tries to force you to certain websites, but these idiots do it in a way that leaves you unable to surf the internet at all, or slows your computer to a crawl. Some malware does also bundle viruses or rootkits, depending on the author.

*Be a happy surfer and read before clicking anything.*

Mas for Powserve.com

January 13, 2010. Posted under: Windows

Name of adapter is hidden from the network and Dial-up Connections folder

Full error:

The IP address XXX.XXX.XXX.XXX you have entered for this network adapter is already assigned to another adapter Name of adapter. Name of adapter is hidden from the network and Dial-up Connections folder because it is not physically in the computer or is a legacy adapter that is not working. If the same address is assigned to both adapters and they become active, only one of them will use this address. This may result in incorrect system configuration. Do you want to enter a different IP address for this adapter in the list of IP addresses in the advanced dialog box?

Method 1

1. Click Start, click Run, type cmd.exe, and then press ENTER.
2. Type set devmgr_show_nonpresent_devices=1, and then press ENTER. The variable only exists in this command window, so Device Manager must be started from the same window in the next step to inherit it.
3. Type start devmgmt.msc, and then press ENTER.
4. Click View, and then click Show hidden devices.
5. Expand the Network adapters tree. Adapters that are no longer present appear dimmed.
6. Right-click the dimmed network adapter, and then click Uninstall. This removes the stale adapter entry together with the IP address that was still assigned to it, after which the address can be given to the current adapter.
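The same cleanup can be scripted, which helps when a virtualised or cloned machine has accumulated a pile of ghost adapters. The following is an added example, not part of the original post. It assumes Get-PnpDevice (Windows 8.1 / Server 2012 R2 or newer), pnputil /remove-device (Windows 10 version 2004 or newer) and an elevated prompt; on older systems the comment at the top gives the PowerShell equivalent of Method 1.

```powershell
# Added example, not the original author's code. Lists the network adapters
# Windows still holds a configuration for but which are no longer present
# (the "hidden" adapters the error message refers to), then removes them so
# the IP address they still own is freed.
# Older systems: the Method 1 trick works from PowerShell too, because the
# Device Manager you launch inherits the variable from this window:
#   $env:devmgr_show_nonpresent_devices = 1; devmgmt.msc

function Get-GhostNetAdapter {
    # Net-class devices known to Plug and Play that are not present right now.
    Get-PnpDevice -Class Net -ErrorAction SilentlyContinue |
        Where-Object { -not $_.Present } |
        Select-Object FriendlyName, InstanceId, Status
}

function Remove-GhostNetAdapter {
    # Removes each ghost adapter's device node. Supports -WhatIf and -Confirm.
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param()
    foreach ($dev in Get-GhostNetAdapter) {
        if ($PSCmdlet.ShouldProcess($dev.FriendlyName, 'pnputil /remove-device')) {
            & pnputil.exe /remove-device $dev.InstanceId
            # A non-zero exit code is a failure, except that pnputil may report
            # 3010 (reboot required) when the removal finishes after a restart.
            if ($LASTEXITCODE -ne 0) {
                Write-Warning ('pnputil returned {0} for {1}' -f $LASTEXITCODE, $dev.InstanceId)
            }
        }
    }
}

# Usage: review the list first; -WhatIf shows what would be removed without doing it.
Get-GhostNetAdapter | Format-Table -AutoSize
Remove-GhostNetAdapter -WhatIf
```

Check the list before dropping -WhatIf: a USB network adapter that is merely unplugged shows up here as well, and removing it discards its static IP configuration (it re-enumerates with defaults when plugged back in).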

Method 2

January 10, 2010. Posted under: Windows

Windows: Delete large folders

Example: rd /s /q test or rmdir /s /q test

/s removes the directory and everything beneath it, /q suppresses the confirmation prompt, and nothing goes to the Recycle Bin, so check the path before pressing ENTER.

Microsoft reference

Using Explorer, you can highlight the folder, then hold Shift and press Delete. This bypasses the Recycle Bin.

December 12, 2009. Posted under: Windows

Windows: TortoiseSVN stopped working

Issue: if TortoiseSVN stops working, it could be because gdiplus.dll is missing or invalid on your PC. TortoiseSVN needs the GDI+ DLL (gdiplus.dll) to load properly.

This should have been included with the application, but the new version does not include the DLL in its bin folder. So far this seems to affect only Windows 2000; the DLL is installed by default on Windows XP and above.

Solution:
Download the DLL from Microsoft.com and copy it into %SystemRoot%\system32 (on Windows 2000 that is usually C:\WINNT\system32; note that %winnt% is not a standard Windows variable). Take the file only from Microsoft's own download, never from a third-party "DLL download" site: anything dropped into system32 gets loaded by every program that uses GDI+, not just TortoiseSVN.
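Before a downloaded DLL goes anywhere near system32 it is worth checking that it is what it claims to be. The following is an added example, not from the original post: it checks the version resource, the Authenticode signature and its signer, and records the SHA-256. It assumes PowerShell 4 or newer (for Get-FileHash) on an admin workstation, since Windows 2000 has no PowerShell; vet the file there, then copy it to the Windows 2000 box. The path in $Source is a placeholder.

```powershell
# Added example, not the original author's code. Vets a gdiplus.dll (or any
# DLL) before deployment: version resource, Authenticode signature and signer,
# SHA-256. Caveat: copies of gdiplus.dll that ship inside Windows are signed
# via a security catalog rather than an embedded signature, and
# Get-AuthenticodeSignature only resolves catalog signatures on Windows 8 and
# later, so on older hosts 'NotSigned' means "verify another way", not "bad".

param([string]$Source = 'C:\temp\gdiplus.dll')   # placeholder path

function Test-MicrosoftDll {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { throw "No such file: $Path" }
    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $ver    = (Get-Item -LiteralPath $Path).VersionInfo
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    [pscustomobject]@{
        Path        = $Path
        FileVersion = $ver.FileVersion
        Company     = $ver.CompanyName          # trivially forgeable; a hint, not proof
        Signature   = $sig.Status               # Valid, NotSigned, HashMismatch, ...
        Signer      = $signer
        Sha256      = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        Trusted     = ($sig.Status -eq 'Valid' -and $signer -match 'O=Microsoft Corporation')
    }
}

$result = Test-MicrosoftDll -Path $Source
$result | Format-List
if (-not $result.Trusted) {
    Write-Warning "Do not deploy $Source until its origin is confirmed (signature: $($result.Signature))."
}
```

Keep the SHA-256 with your notes for the machine; if the file in system32 ever differs from it, something replaced the DLL after you did.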

December 2, 2009. Posted under: Windows

3rd-party app: Can't locate Calendar/CalciumStart.pm

Brown Bear Software

Error:
Software error: Can’t locate Calendar/CalciumStart.pm in @INC (@INC contains: CalciumDir40/upgrades CalciumDir40/redist …

Solution:
A message like this means that Calcium can't find its installation directory. The location of the Calcium source code files and data directory is specified in the main Calcium script; some installations require the full path to the Calcium installation directory here instead of a relative path (the relative form only works when the web server's current directory is the cgi-bin directory). To fix this, edit the main script (Calcium40.pl) and change the line near the top that looks like this:
BEGIN {$Defines::calendar_root = 'CalciumDir40'}
Replace CalciumDir40 with the full filesystem path to that directory. For example, something like:
BEGIN {$Defines::calendar_root = 'C:\public\html\cgi-bin\CalciumDir40'}
or maybe
BEGIN {$Defines::calendar_root = '/usr/local/apache/cgi-bin/CalciumDir40'}
should help. (Inside single quotes Perl leaves the backslashes in the Windows path alone; forward slashes work there as well.)

November 30, 2009. Posted under: Linux Maintenance, Windows