Post Malware

ScreamingEagle

Hi all!

I have just spent more than a month trying to clean my PC of a "remote" exploit. I realize now that it was on my system for more than 7-9 months. It affected two desktops and three laptops (apparently due to a weak password).

The reason I am here posting is that most or all scanner engines I was referred to didn't find anything.

I finally think that it is resolved as I am not seeing the activity on the network or hard drive. What really surprised me was that it repeatedly returned on a system that was a new install.

I bought a new hard drive, flashed the BIOS (new mem stick - program downloaded from library), took out the wireless card, isolated from the internet, formatted the drive using the install disk, installed the OS and then the antivirus (avast-free) and then connected to the internet.

I believe that there are many people that have or still have the same malware that I had. I have posted many times as violated and violated 5/2011 at Microsoft's "answers.microsoft.com" and was given several helpful suggestions, all not curing the issue.

I watched in real time the changes that occurred to my system (printer driver missing or corrupt, USB hub disabled while using, monitor going blank, several user accounts being made with special privileges (viewed using event viewer and using resource monitor)) and had my password changed while I was using antimalware software to try and remove or find. I was never able to identify the source of the malware, only hopefully remove.

I am now wondering if there is a way to verify that my system is clean. Is a program "OTL" OK to look for items of suspect on a 64-bit OS, or can someone list what they would do at this point in time?

Thank-You for your time

PS I have taken pictures of some of the items I identified, but me being only a novice (not knowing what to look for), some are more than likely normal processes. I know some are not! :picnic:
 

My Computer

Computer Manufacturer/Model Number
self build
OS
win 7 ult. x64
CPU
i5
Motherboard
msi p55-gd65
Memory
4gb ddr3
Graphics Card(s)
5750 ati radeon
Sound Card
on board
Monitor(s) Displays
dell ultrasharp 2410
Screen Resolution
1920 x 1200
Hard Drives
seagate 1tb
PSU
intek 650watt
Case
thermaltake Xaser 6
Keyboard
usb
Mouse
usb
Internet Speed
broadband
Hi,

Can you give more details about the malware you are referring to? What software did you use to try and clean your system?

Regards,
Golden
 

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
Golden Mk. I.4
OS
Windows 10 Pro x64 ; Xubuntu x64
CPU
Intel i7 860 @ 2.80 GHz O/C'ed to 4.0GHz
Motherboard
Gigabyte P55A-UD3R Rev.1. Award BIOS F13
Memory
16GB Corsair Vengance DDR3 @ 661 MHz Dual Channel (9-9-9-24)
Graphics Card(s)
EVGA NVidia GTX 560 1024MB
Sound Card
Realtek Integrated
Monitor(s) Displays
Dual Samsung SyncMaster 2494HS
Screen Resolution
1920*1080 and 1920*1080
Hard Drives
1*Samsung 840 EVO 120GB SSD;
1*OCZ Vertex 2 60GB SSD;
2*Samsung F3 SpinPoint 1TB in RAID0;
1*Samsung F1 SpinPoint 1TB;
2*Western Digital 1TB External USB 3.0
1*Western Digital 500GB External USB 3.0
1*Seagate 500GB External USB 2.0
PSU
Thermaltake ToughPower QFan 750W
Case
Thermaltake Element S VK60001W2Z
Cooling
Corsair H60 Water Cooling, 2*230mm and 2*80mm case fans
Keyboard
Logitech G110
Mouse
Logitech MX518
Definitely sounds like remote access malware. Probably why it didn't show up with scanners. The service for it might be named as a Windows service. One thing you might make sure is disabled is Remote Desktop. Also make sure Windows Firewall is turned on.
 

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
Built 2/11/2011
OS
Windows 7 Pro-x64
CPU
i7-2600 3.4GHz - 3.8GHz Turbo
Motherboard
Intel DH67BL-B3
Memory
8Gb - 2x4GB, Muskin 991770 PC3-1333
Graphics Card(s)
Integrated Intel HD 2000
Sound Card
Integrated Intel 10.1 HD, RealTek ALC892
Monitor(s) Displays
Asus LCD VH222H, Haier HL24XSL2a
Screen Resolution
1920x1080, 1920x1080
Hard Drives
Crucial SSD C300-128Gb,
Western Digital WD5002AALX - 500Gb,
Western Digital WD7501AALS - 750Gb
PSU
Seasonic 650W 80+ Gold Modular
Case
Rosewill Defender
Cooling
Stock CPU, Four 120mm case fans, PCH fan added
Keyboard
Logitech EX100 Y-RBH94 Wireless
Mouse
Logitech EX100 M-RCE95 Wireless
Internet Speed
3.0/1.5 Mbs
Antivirus
Microsoft Security Essentials
Browser
Microsoft Internet Explorer 11
Other Info
Antec Veris Premier-Multimedia IR Station,
Cyber Accoustics-3602 Speakers,
AFT XM-5U Card Reader,
Hauppauge TV-HVR-2250,
Sony LX300 USB Turntable
Re-install #30!

It is amazing the effort spent trying to get a clean system.

Is it possible that someone can help me verify that the install I now have is not exploited in some way, as I am almost to the point of trying Mac or giving up?

In this day and age, is the reason that the system is always compromised due to having to connect to the internet and update? Is it then that the malware comes back knowing the MAC address of all of my hardware?

Please respond with any steps that could help to make sure that I am using a system that is not now compromised.

Thanks in advance

System: MSI main board p55-gd65 with an Intel i5 processor, 2 - 2 gig ddr3 ram, win 7 ult x64, all updates (trying ult. instead of pro x64), Seagate st310000528as (firmware cc46), ATI Radeon 5750 (1meg ddr3), kaspersky 2011 antivirus retail edition installed and scanned system to include all vulnerability and browser config issues and corrected prior to install of OS and updates.

To answer your question, I have used superantimalware, malwarebytes, microsoft safetyscanner and microsoft security essentials, direct scans from norton, avg, dell, kaspersky, and one website suggested a program called "EmsisoftAntiMalware" which I used in my last install (win 7 pro x64) and using a cd to copy some scanners that program found an issue that said a program was "hidden install" just putting the cd in prior to selecting any programs from the disk. I did quarantine it and send it to that particular company for analysis. Here is a copy of the screen shot... see attached! Also note that it is in the process of changing!!!

I notice that any time I put a cd or dvd into the drive, it always lists an item to be written to disk, "desktop.ini", and I can delete it, but if I try to drag it to my desktop it disappears. Is this normal? I don't know why this file always tries to go to the cd or dvd. Is it possible that it also "silently" is writing to flash drives' "HPA" areas, as I have purchased two new ones and am now wondering if they are compromised as well? I have read that some of the malware can write itself to that particular area and then transfer itself to other machines......

+++ Kaspersky just notified that it quarantined a "high" unknown threat and now I cannot send it to them as I don't have an email program associated to perform the requested send action +++
Help with this also please?

Any more questions or any suggestions would be greatly appreciated!
 

Attachments

  • 1.png (581.2 KB)

Also, did you scan in safemode, try Malwarebytes + MSE in conjunction with safe mode, it boots windows with as few services as possible running so you can generally get the little blighters that hide well!
Cheers,
Tom
 

My Computer

Computer Manufacturer/Model Number
Me
OS
Windows 7 Professional x64
CPU
Core i5-2500K
Motherboard
PH67A-UD3-B3
Memory
Patriot 8GB DDR3
Graphics Card(s)
Powercolor HD 5750 1GB
Sound Card
Integrated
Monitor(s) Displays
24"
Screen Resolution
1650 x 1050
Hard Drives
60GB OCZ Vertex 2
250GB Caviar (Spare/Backup Drive)

4TB in my WHS :)
PSU
650W
Case
Coolermaster Elite 330
Cooling
x5 Fans!
Keyboard
Microsoft Wireless Desktop 3000
Mouse
Microsoft Wireless Laser Mouse 5000
Internet Speed
Crap!
Little "bleep bleeps"

I have tried all avenues that have been sent my way from 6+ sites.
I have asked the manufacturer of the hard drives if they are aware of the ability of malware infecting the HPA area of hard drives as nobody has given an answer other than some websites saying it is a real possibility.

Did anyone look at the screen shot that I uploaded? Is it normal to locate a file that is in the process of changing? (Look at the highlighted line.)

I would like someone to suggest a program for use and possibly someone in the know to look at it and tell me what your opinion is of that file's report. I understand that most programs dealing with this are for a 32 bit OS, but apparently some experts are able to digest the logs or files on a 64 bit system.

Is this a possibility on this site?

Thanks for the replies!!!
 

I don't think this user has something in their MBR, as they have purchased a new hard drive and reinstalled the operating system on the box.

With regards to the repeated return on a new install, it makes me think a couple of things:
#1). Are you using a legit copy of the OS itself? I've seen crap like this on hacked/preactivated copies of the OS. I simply cannot trust a leak, or a cracked version, as I don't know what might have been mangled along the way.
#2). You have a software package downloaded that you are eventually installing which has been compromised and is introducing the problem to your machine.
#3). You have a machine on your local network that is causing damage to a newly installed machine by connecting to it via the network and injecting bad stuff. I'd keep the new install in a different workgroup and with different passwords than any other machine on your network.

With respect to a be-all-end-all program that could verify you were 100% safe... there isn't one that I know of. If there was, it's what we all would be using.
 

My Computer

Computer Manufacturer/Model Number
Self-Built in July 2009
OS
Windows 7 Ultimate x64
CPU
Intel Q9550 2.83Ghz OC'd to 3.40Ghz
Motherboard
Gigabyte GA-EP45-UD3R rev. 1.1, F12 BIOS
Memory
8GB G.Skill PI DDR2-800, 4-4-4-12 timings
Graphics Card(s)
EVGA 1280MB Nvidia GeForce GTX570
Sound Card
Realtek ALC899A 8 channel onboard audio
Monitor(s) Displays
23" Acer x233H
Screen Resolution
1920x1080
Hard Drives
Intel X25-M 80GB Gen 2 SSD
Western Digital 1TB Caviar Black, 32MB cache. WD1001FALS
PSU
Corsair 620HX modular
Case
Antec P182
Cooling
stock
Keyboard
ABS M1 Mechanical
Mouse
Logitech G9 Laser Mouse
Internet Speed
15/2 cable modem
Other Info
Windows and Linux enthusiast. Logitech G35 Headset.
Any comment on the screen shot posted?

I agree with your posting trailer. I have used pc computers since the apple II-e days! I am not a programmer or a tech or geek! I am an end user and am at a loss as to how now to proceed.

With this last install, should I now do a scan and post the log?

Have used ubuntu from cd to access the internet for latest drivers but think even this is not safe or trustworthy on my network, ie going to other locations with new hardware and getting the drivers, programs, to check or install on my re-install.

As far as the copy of win 7 I had purchased the win7 pro edition from fry's with hardware for a new build. The win 7 ult. I had purchased with a laptop that is not running ( due to malware changing my passwords and corrupting my system not allowing a restore or image to work) Both are legit copies of win7 with valid product keys. They have both been registered and confirmed with MS ( ie genuine certificate on system page in windows ) As far as other machines, I have all other machines disconnected or batteries pulled and now am connecting directly to the modem via cat5e cable, disconnecting when I am not using the network to access the internet!

Still no response to the screen shot?, or help with a program to check my current install?
 
Looks like malware to me ... have you reset your router and password?
 

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
Bruce ... somewhere in his 40's
OS
Windows 7 Ultimate 32bit SP1
CPU
Intel(R) Core(TM)2 Quad CPU @ 2.40GHz, 2400 MHz
Motherboard
INTEL/D975XBX2
Memory
4 GB
Graphics Card(s)
ATI Radeon HD 2600 Pro
Monitor(s) Displays
Samsung SyncMaster 914v
Screen Resolution
1280 x 1024
Hard Drives
2/500GB each ... ST3500630AS ATA Device.
One is not connected
PSU
Rocketfish 700 W
Case
G.Skill Gigabyte Chassis
Keyboard
Standard PS/2 Keyboard
Mouse
Microsoft PS/2 Mouse
Internet Speed
DSL
Antivirus
Avira Internet Security
Browser
IE 11
Other Info
ATI HDMI Audio
Download HijackThis from Trend Micro. I would download the executable so you don't have to try and run the installer package. If you do have a smart virus, it might block installs. You can create a shortcut to it to run. When it's run, it needs to be "Run as Administrator". You might also have to mark the file as okay to run since it's coming from another computer.

On the menu that comes up, select "Do a system scan only". It takes less than a minute to run.
Copy and paste the report here. Do NOT check any of the boxes on the left. This will just list all the run-once, startup and service programs for your system.

Yes, the Desktop.ini will appear for CD/DVDs. I think it's used because you've made changes to how files and folders are displayed. I just delete it or not select it for files to be written.

Download HijackThis: HijackThis - Trend Micro USA
This link comes directly from Trend Micro.

If you prefer to follow the link yourself, use this link. The HijackThis download is at the bottom right of the page.
Home & Home Office | Internet Security Software - Trend Micro USA

Otherwise, it's almost impossible to find. You can get it from a number of places including Cnet.com but I prefer to get downloads direct.
 

Forgot to mention: After you run the scan, in the lower left is a button to Save Log. Click that button and choose a place to save it. It will also start Note Pad to view the log. Copy and Paste from Note Pad. The log will look something like this. (Mine shown.)

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 1:12:09 PM, on 6/29/2011
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v8.00 (8.00.7601.17514)
Boot mode: Normal
Running processes:
C:\Program Files (x86)\WinTV\Ir.exe
C:\Program Files (x86)\FinePixViewer\QuickDCF2.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files (x86)\WinTV\WinTV7\WinTVTray.exe
C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe
C:\Program Files (x86)\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files (x86)\Intel\Intel Desktop Utilities\iptray.exe
C:\Program Files (x86)\SoundGraph\iMON\iMON.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files (x86)\Windows Live\Mail\wlmail.exe
C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\HP\Digital Imaging\smart web printing\hpswp_clipbook.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
D:\Download Tank\Software\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O4 - HKLM\..\Run: [IAStorIcon] C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
O4 - HKLM\..\Run: [NUSB3MON] "C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ipTray.exe] "C:\Program Files (x86)\Intel\Intel Desktop Utilities\ipTray.exe"
O4 - HKLM\..\Run: [iMON] C:\Program Files (x86)\SoundGraph\iMON\iMON.exe /startup
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - Global Startup: AutoStart IR.lnk = C:\Program Files (x86)\WinTV\Ir.exe
O4 - Global Startup: ExifLauncher2.lnk = C:\Program Files (x86)\FinePixViewer\QuickDCF2.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: WinTV Recording Status..lnk = C:\Program Files (x86)\WinTV\WinTV7\WinTVTray.exe
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files (x86)\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files (x86)\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files (x86)\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files (x86)\ieSpell\wikipedia.HTM
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files (x86)\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files (x86)\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files (x86)\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files (x86)\ieSpell\iespell.dll
O9 - Extra button: Show or hide HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O16 - DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} (SysInfo Class) - http://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_intel_4.4.24.0.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
O23 - Service: Hauppauge WinTV Extender - Hauppauge Computer Works, Inc - C:\Program Files (x86)\WinTV\Extend\WinTVExtender.exe
O23 - Service: HauppaugeTVServer - Hauppauge Computer Works - C:\Program Files (x86)\WinTV\TVServer\HauppaugeTVServer.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
--
End of file - 6393 bytes
 

HJT most likely won't show the system32\TEMPfile
 

Help
This is kicking my butt
It put a bomb on my task bar
 

here it is
I don't know how much longer I will stay on line
 

copied and pasted

Logfile of HijackThis v1.99.1
Scan saved at 3:56:25 PM, on 6/29/2011
Platform: Unknown Windows (WinNT 6.01.3505 SP1)
MSIE: Internet Explorer v9.00 (9.00.8112.16421)
Running processes:
C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2011\avp.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2011\ievkbd.dll
O2 - BHO: link filter bho - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2011\klwtbbho.dll
O4 - HKLM\..\Run: [AVP] "C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2011\avp.exe"
O9 - Extra button: &Virtual Keyboard - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2011\klwtbbho.dll
O9 - Extra button: URLs c&heck - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2011\klwtbbho.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nlaapi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\napinsp.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O11 - Options group: [INTERNATIONAL] International
O13 - Gopher Prefix:
O20 - AppInit_DLLs: C:\PROGRA~2\KASPER~1\KASPER~1\mzvkbd3.dll
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: AMD External Events Utility - Unknown owner - C:\Windows\system32\atiesrxx.exe (file missing)
O23 - Service: Kaspersky Anti-Virus Service (AVP) - Unknown owner - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2011\avp.exe" -r (file missing)
O23 - Service: CSIScanner - Unknown owner - C:\Program Files\Prevx\prevx.exe" /service (file missing)
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - %PROGRAMFILES%\Windows Media Player\wmpnetwk.exe (file missing)
 

Impressed?
This is a new install last night
 

Yeah, where did you get that old download? Crips! No wonder your PC is full of bugs.:confused:

The 2.0.5 Beta HJT must have been recalled. That link downloads 2.0.4 also. (The most current version)
 

TrendMicro's HJT cannot read any 'services' correctly (O23's) in a 64bit OS .... this is a glitch, not the computer's fault!
 

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
Bruce ... somewhere in his 40's
OS
Windows 7 Ultimate 32bit SP1
CPU
Intel(R) Core(TM)2 Quad CPU @ 2.40GHz, 2400 MHz
Motherboard
INTEL/D975XBX2
Memory
4 GB
Graphics Card(s)
ATI Radeon HD 2600 Pro
Monitor(s) Displays
Samsung SyncMaster 914v
Screen Resolution
1280 x 1024
Hard Drives
2/500GB each ... ST3500630AS ATA Device.
One is not connected
PSU
Rocketfish 700 W
Case
G.Skill Gigabyte Chassis
Keyboard
Standard PS/2 Keyboard
Mouse
Microsoft PS/2 Mouse
Internet Speed
DSL
Antivirus
Avira Internet Security
Browser
IE 11
Other Info
ATI HDMI Audio
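
Added example, not part of the thread: a small Python triage of the O23 (service) lines in a HijackThis log like the one posted above. It assumes the "(file missing)" entries on 64-bit Windows come from WOW64 file-system redirection of System32 for the 32-bit scanner (the thread itself only calls it a glitch); the sample log reuses lines from this page plus one constructed `ExampleSvc` entry, and the function names and verdict labels are illustrative.

```python
import re
from typing import NamedTuple

# Sample input: lines copied from the logs on this page, plus one constructed
# entry (ExampleSvc) to show a missing file outside System32.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Unknown Windows (WinNT 6.01.3505 SP1)
Running processes:
C:\Program Files (x86)\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2011\avp.exe"
O10 - Unknown file in Winsock LSP: c:\windows\system32\nlaapi.dll
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: ExampleSvc - Unknown owner - C:\Users\Public\example.exe (file missing)
O23 - Service: HauppaugeTVServer - Hauppauge Computer Works - C:\Program Files (x86)\WinTV\TVServer\HauppaugeTVServer.exe
"""

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")          # e.g. "O23 - ..."
SYSTEM32_RE = re.compile(r"^[a-z]:\\windows\\system32\\", re.IGNORECASE)
MISSING = "(file missing)"


class ServiceFinding(NamedTuple):
    name: str
    path: str
    verdict: str


def parse_entries(log_text):
    """Return (section_code, body) for every 'Xn - ...' line in the log."""
    entries = []
    for line in log_text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            entries.append((match.group(1), match.group(2)))
    return entries


def looks_64bit(log_text):
    """Heuristic (assumption): these directories only exist on 64-bit Windows."""
    lowered = log_text.lower()
    return "program files (x86)" in lowered or "syswow64" in lowered


def expand_windows_dir(path):
    """Replace %SystemRoot% / %windir% with the default C:\\Windows."""
    return re.sub(r"%(systemroot|windir)%", lambda _m: r"C:\Windows",
                  path, flags=re.IGNORECASE)


def triage_services(log_text):
    """Classify each O23 line as present, redirection-artifact, or review."""
    is_64 = looks_64bit(log_text)
    findings = []
    for code, body in parse_entries(log_text):
        if code != "O23" or not body.startswith("Service: "):
            continue
        # name - owner - path; maxsplit keeps " - " inside the path intact
        parts = body[len("Service: "):].split(" - ", 2)
        if len(parts) != 3:
            continue
        name, _owner, path = parts
        missing = path.endswith(MISSING)
        if missing:
            path = path[:-len(MISSING)].rstrip()
        path = expand_windows_dir(path)
        if not missing:
            verdict = "present"
        elif is_64 and SYSTEM32_RE.match(path):
            # A 32-bit scanner is shown SysWOW64 when it asks for System32,
            # so 64-bit service binaries appear missing; confirm with a
            # 64-bit tool before treating the service as broken or hostile.
            verdict = "redirection-artifact"
        else:
            verdict = "review"
        findings.append(ServiceFinding(name, path, verdict))
    return findings


if __name__ == "__main__":
    for finding in triage_services(SAMPLE_LOG):
        print(f"{finding.verdict:22} {finding.path}")
```

Entries marked `review` are not proof of infection; they are the lines worth checking by hand against the actual service configuration.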