Hi,

Just thought I'd post about a friend's system tonight, who was having problems connecting to the internet. First thing I noticed was Firefox was running through a proxy. Changed the settings for no proxy. Obviously this file had only been on the system for an hour or so, so asked whether the user had logged on to Facebook, email and internet banking. On another connection/system (clean), changed internet banking, Facebook and email login details. User said things were 'strange' for a week or so, so I didn't have too much faith in a system restore at this moment, otherwise would have done this right away.

Ran CCleaner and cleared the temporary internet files. Ran a scan with Hitman Pro. Hitman Pro couldn't connect to the internet, but after running an early warning scoring scan (which doesn't require the internet - that's why Hitman Pro kicks ~ Snipped as per TOS ~, with or without the net), resolved the proxy issue and deleted the file (from what I recall) called csrss.exe. Thread here on Kaspersky forum lists this file. Checked Microsoft Security Essentials, and it had quarantined the backdoor file about an hour earlier. See BleepingComputer's post here on a similar user's experience.

Next step was downloading Malwarebytes. After an update and scan, it removed several trojan agents and fake AVs, as shown in the Kaspersky forum post. After a reboot, Hitman Pro and MBAM removed a number of files.

Downloaded Emsisoft's HiJackFree, just to check the port connections, running processes, autoruns, hosts file etc. Ran an update in HiJackFree, but processes appeared to be ok, from what I could see. Deleted a few unnecessary autoruns, disabled a few programs in services which were set to automatic etc.

Downloaded portable SUPERAntiSpyware, and ran the internet fix settings, just to be sure. Always placed a lot of value in SAS, and these hijack reset settings. That is, repairing internet zones, IE settings, and so on. Ran all the repairs which took one minute.
Downloaded Prevx SafeOnline, and it identified a few other files to delete, not related to the backdoor file, but some definite suspicious files related to software which was cracked. The lure of cracked software and the unwanted extras they provide! The addition of Prevx meant, hopefully, keystrokes were protected from now on. Ran a few scans and after deleting a few files manually, and using CCleaner again, it came back clean. Mentioned to the user they should be running Prevx full/paid. Best $30 you can spend.

Then downloaded BleepingComputer's ComboFix. Killed MSE and disabled Prevx, and let ComboFix run its scans and reboot. All clear after a subsequent reboot.

Finally, downloaded the Emsisoft Emergency Kit and ran a full scan. No suspicious files found. One hour later, nothing more can be found. Hope to run a full scan with Malwarebytes, Hitman Pro and Prevx tomorrow.

Any other suggestions on what I should do next, or should have done? Thank you in advance.