Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Multiple Trojan's & Viruses


  • This topic is locked This topic is locked
8 replies to this topic

#1 jasonpg

jasonpg

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:07:13 AM

Posted 10 December 2008 - 05:25 AM

Hey,
After reading forum after forum and attempting a number of removals the time is starting to clock up without much to show for it. I would appreciate working through the issues in a structured way with expert guidance.
I have 2 pc's linked through an ADSL router - one I am posting here with and another I have disconnected in an effort to isolate its issues. I would like to tackle the isolated machine first. It is an AMD 64 x dual core pc 5200++ 2.7GhZ running MS windows HE 2002 SP3. It has Norton AV 2009 and Spyware doctor V6.0.0.386.

In essence I was visiting a number of PC AV sites and was alerted my Spydoctor of a site requesting access and if i wanted to block (yellow popup alert) and shortly after of a threat (red popup alert). I confirmed block and also went to investigate Norton which was then no longer available. I then ran virus scan after scan with spydoctor and it kept picking up Trojan-Downloader.popuper and Trojan.DNS_changer time and time again. Just after it removed it each time the alert would pop back up again so I started searching web sites for info. I also used the Norton removal tool and reloaded Norton 2009 and updated. I was able to do this and run a Norton scan time after time as it kept finding W32.SillyDC, Trojan.Flush, IEDefender, Trojan-Downloader.Zlob.G and recently Backdoor.tidserv!inf. I would typically have the system restore disabled prior to each scan. I have read all the symantec instructions on these issues and apply the removal instructions to the letter. I have used ATF cleaner, MBAM and Kaspersky scanner at various times.
This has become very frustarting and akin to being in quicksand.

Not sure if a related issue though I can not find the boot.ini file on that machine - I have followed many guides to attempt to locate though without luck.

Appreciate some help.

BC AdBot (Login to Remove)

 


#2 rigel

rigel

    FD-BC


  • BC Advisor
  • 12,944 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:South Carolina - USA
  • Local time:05:13 PM

Posted 10 December 2008 - 09:12 AM

Hi jasonpg,

Let's start with a MBAM scan. Please update and post a fresh log.

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it. Will Smith


#3 jasonpg

jasonpg
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:07:13 AM

Posted 10 December 2008 - 04:20 PM

Hey Rigel,
Thanks for your response - I have posted the most recent MBAM log first and then a past one for your reference -

Malwarebytes' Anti-Malware 1.31
Database version: 1483
Windows 5.1.2600 Service Pack 3

11/12/2008 6:42:42 AM
mbam-log-2008-12-11 (06-42-42).txt

Scan type: Full Scan (G:\|)
Objects scanned: 98979
Time elapsed: 21 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Previous -

Malwarebytes' Anti-Malware 1.31
Database version: 1474
Windows 5.1.2600 Service Pack 3

8/12/2008 7:00:22 PM
mbam-log-2008-12-08 (19-00-22).txt

Scan type: Full Scan (G:\|)
Objects scanned: 95548
Time elapsed: 12 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 4
Folders Infected: 3
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\AntispywareBot (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AntiSpywareBot (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.115.6;85.255.112.20 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1a35b483-7106-461b-9741-e39d0bc61c40}\NameServer (Trojan.DNSChanger) -> Data: 85.255.115.6;85.255.112.20 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.115.6;85.255.112.20 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{1a35b483-7106-461b-9741-e39d0bc61c40}\NameServer (Trojan.DNSChanger) -> Data: 85.255.115.6;85.255.112.20 -> Delete on reboot.

Folders Infected:
G:\Documents and Settings\JasonPG\Application Data\AntispywareBot (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.
G:\Documents and Settings\JasonPG\Application Data\AntispywareBot\Log (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.
G:\Documents and Settings\JasonPG\Application Data\AntispywareBot\Settings (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.

Files Infected:
G:\WINDOWS\system32\msqpdxmtpekrxx.dll (Trojan.Agent) -> Delete on reboot.
G:\Documents and Settings\JasonPG\Application Data\AntispywareBot\rs.dat (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.
G:\Documents and Settings\JasonPG\Application Data\AntispywareBot\Log\2008 Dec 07 - 09_49_19 PM_999.log (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.
G:\Documents and Settings\JasonPG\Application Data\AntispywareBot\Log\2008 Dec 07 - 11_15_58 PM_500.log (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.
G:\Documents and Settings\JasonPG\Application Data\AntispywareBot\Settings\ScanResults.pie (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.
G:\WINDOWS\system32\msqpdxyaqunpur.dll (Trojan.Agent) -> Delete on reboot.
G:\WINDOWS\system32\drivers\msqpdxmxfeoitu.sys (Trojan.Agent) -> Quarantined and deleted successfully.
G:\WINDOWS\Tasks\AntispywareBot Scheduled Scan.job (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.

#4 rigel

rigel

    FD-BC


  • BC Advisor
  • 12,944 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:South Carolina - USA
  • Local time:05:13 PM

Posted 10 December 2008 - 06:57 PM

The infection from your earlier MBAM scan is a very pesky one.

Please run the following procedures....

Lets see if anything is left out there.

Please download ATF Cleaner by Atribune & save it to your desktop.
alternate download link DO NOT use yet.

Please download and install SUPERAntiSpyware Free
  • Double-click SUPERAntiSypware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the
    definitions before scanning by selecting "Check for Updates". (If you encounter
    any problems while downloading the updates, manually download them from
    here and
    unzip into the program's folder.
    )
  • Under the "Configuration and Preferences", click the Preferences... button.
  • Click the "General and Startup" tab, and under
    Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner
    Options
    , make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose:
    Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp"

ATF-Cleaner must be "Run as an Administrator".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
Next...
Please download SmitfraudFix

Disconnect your computer from the internet by unplugging your network cable from your router.
Double-click SmitfraudFix.exe
Select #5 Search and clean DNS Hijack
Please reboot your computer, reconnect your router, and then post the report found at the root of the system drive, usually at C:\rapport.txt
==========================================
3) I recommend changing the password of your router. This type of infection is designed to take over - we are taking back.
==========================================
4) Let's manually reset your DNS.

Open Network Connections by clicking the Start button , clicking Control Panel, clicking Network and Internet, clicking Network and Sharing Center, and then clicking Manage network connections.

Right-click the connection that you want to change, and then click Properties. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.

To obtain a DNS server address automatically, click Obtain DNS server address automatically, and then click OK.
==========================================
5) Click Start - Run. The Run dialog box will open.
Type cmd in the box and click Enter. A DOS window will open.
Type ipconfig /flushdns <=Note the spacing
Reboot your computer!

Thanks!

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it. Will Smith


#5 jasonpg

jasonpg
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:07:13 AM

Posted 11 December 2008 - 08:40 AM

Hi Rigel,
As you asked -

ATF cleaner run - had to save this in a folder and retrieve as it did not appear on desktop when logged in as Administrator - 14MB freed

SAS run - I updated prior to SAFE MODE and verified updates though when in SAFE MODE it suggested I had never updated ?? - log below:


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/11/2008 at 09:58 PM

Application Version : 4.23.1006

Core Rules Database Version : 3661
Trace Rules Database Version: 1641

Scan type : Complete Scan
Total Scan Time : 00:47:30

Memory items scanned : 245
Memory threats detected : 0
Registry items scanned : 4639
Registry threats detected : 0
File items scanned : 13801
File threats detected : 0

Upon closing an SAS alert appeared asking if I wanted to block a homepage change to some MS site - I blocked



SmitfraudFix (SF) run - a Norton popup appeared advising detection of IEDefender upon starting SF

SF log this time

SmitFraudFix v2.381

Scan done at 22:13:47.31, Thu 11/12/2008
Run from G:\Documents and Settings\JasonPG\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

DNS Before Fix

HKLM\SYSTEM\CS2\Services\Tcpip\..\{1A35B483-7106-461B-9741-E39D0BC61C40}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254

DNS After Fix

HKLM\SYSTEM\CS2\Services\Tcpip\..\{1A35B483-7106-461B-9741-E39D0BC61C40}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254


SF log previously (Just so you have the full background - I had attempted this previously though with poor structure of sequences):


SmitFraudFix v2.381

Scan done at 19:27:59.42, Tue 09/12/2008
Run from G:\Documents and Settings\JasonPG\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

Killing process


hosts


127.0.0.1 localhost

VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


Generic Renos Fix

GenericRenosFix by S!Ri


Deleting infected files

G:\Program Files\Google\googletoolbar1.dll Deleted

IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



404Fix

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


RK


DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{1A35B483-7106-461B-9741-E39D0BC61C40}: DhcpNameServer=192.168.1.254


Deleting Temp Files


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


Registry Cleaning

Registry Cleaning done.

SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


End




Router pw changed successfully (from default pw)



DNS manually reset - I think your directions were for Vista - I went to properties - Internet Protocol TCP/IP and chkd auto DNS selected - for each connection

DNS flushed successfully


A couple of other notes :
I exited SAFE MODE prior to running SF
There were a quite a few windows XP updates loaded tonight - I hadnt seen any for a while previously
Each reboot I get an 'invalid boot.ini' message and then it goes on to boot OK
I also always get a Daemon Tools Lite error message advising Initializtion Error 2 This program ........ Kernel Debugger must be deactivated
Thinking back - I started noticing small changes 2 weeks ago - i.e. needed to double click selections, programs running a little slower etc



Regards

* Also, after peforming all the above steps and writing this post I ran Spyware doctor out of curiosity and it picked up WORM.AUTORUN.AJ - I note this a keylogger program - is there any issues with updating the router password?

Edited by jasonpg, 11 December 2008 - 08:57 AM.


#6 rigel

rigel

    FD-BC


  • BC Advisor
  • 12,944 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:South Carolina - USA
  • Local time:05:13 PM

Posted 11 December 2008 - 01:22 PM

It wouldn't hurt to change it again, but before you do that... I would update and rerun Spyware Doctor and see if it removed the infection.

Please run the F-Secure Online Scanner
Note: This Scanner is for Internet Explorer Only!
Follow the Instruction here for installation.
Accept the License Agreement.
Once the ActiveX installs,Click Full System Scan
Once the download completes, the scan will begin automatically.
The scan will take some time to finish, so please be patient.
When the scan completes, click the Automatic cleaning (recommended) button.
Click the Show Report button and Copy&Paste the entire report in your next reply.


Thanks!

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it. Will Smith


#7 jasonpg

jasonpg
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:07:13 AM

Posted 12 December 2008 - 05:15 AM

Hey Rigel,
I should have mentioned spyware doctor removed WORM.AUTORUN.AJ at the time of notification.

Moving forward - Scan log as requested -

Scanning Report
Friday, December 12, 2008 16:51:48 - 19:05:40
Computer name: JASONG
Scanning type: Scan system for malware, rootkits
Target: G:\


--------------------------------------------------------------------------------

Result: 0 malware found

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 32757
System: 3188
Not scanned: 9
Actions:
Disinfected: 0
Renamed: 0
Deleted: 0
None: 0
Submitted: 0
Files not scanned:
G:\PAGEFILE.SYS
G:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
G:\WINDOWS\SYSTEM32\CONFIG\SAM
G:\WINDOWS\SYSTEM32\CONFIG\SECURITY
G:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
G:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
G:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\NORTON\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NORTON\COMMON CLIENT\_LCK\_AVPAPP_{BB639333-810A-4BF8-85F5-C537857F55FC}0
G:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\NORTON\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NORTON\COMMON CLIENT\_LCK\_ISDATAPR_{E8EFD4CD-DE52-4444-9511-EFF3B158724B}0
G:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\NORTON\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NORTON\COMMON CLIENT\_LCK\_ISDATAPR_{FF9AC67A-E394-46AE-B150-B3365343F166}G

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure USS: 2.40.0
F-Secure Hydra: 2.8.8110, 2008-12-12
F-Secure AVP: 7.0.171, 2008-12-12
F-Secure Pegasus: 1.20.0, 2008-11-10
F-Secure Blacklight: 2.4.1093
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JPG LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
Use Advanced heuristics


Only notes:
Norton popups during above scan advised (note: g is my HDD):
- @16:38 = 'Medium secuirty risk' = 'Unauthorised access blocked' = 'Actor - g:\windows\system32\mrt.exe' = 'Target - G:\Program Files\Norton Antivirus\Norton Antivirus\Engine\16.1.0.33\ccSvcHst.exe'
- @16:55, 16:56,16:57, 18:45 and 18:46 (24hr time format relative to scan start time) - 'IEDefender detected' & status as 'removed' in all cases
- @19:41 = 'Medium secuirty risk' = 'Unauthorised access blocked' = 'Actor - g:\windows\explorer.exe' = 'Target - G:\Program Files\Norton Antivirus\Norton Antivirus\Engine\16.1.0.33\MCUl32.exe'
- general reminder that an unresolved risk of 'Backdoor.Tidserv!inf' remained stating it was 'not safe to remove' and a 'manual remove is required' - I had used the Symatec instructions to remove previously though this consists of a 'system restore off', 'update definitions' and 'run a full system scan' - all done countless times
- call it ironic but after the windows XP security patches (x4) yesterday, there was a malcious software removal program update for XP today from MS

* I have added this one last thing - I am typing this final comment (only) on my older pc (PC2) because on PC1 (newer machine) - IE kept stalling, not responding, failing to close windows and when opening new IE windows just a blank white page with homepage address - www.google.com.au.
(PC2 has a mapped drive to PC1 for your info)

Edited by jasonpg, 12 December 2008 - 05:48 AM.


#8 rigel

rigel

    FD-BC


  • BC Advisor
  • 12,944 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:South Carolina - USA
  • Local time:05:13 PM

Posted 12 December 2008 - 09:45 AM

One note about System Restore:

Disabling System Restore as the first step when attempting to clean a system or when scanning for malware is not advisable. Unfortunately, some anti-virus vendors still recommend doing this before attempting malware removal and many folks follow that advice. This is really not a good practice when dealing with infected computer systems. Turning System Restore off and then turning it back on has some risk associated with it since that feature does not always work as intended. Further, there is always a possibility of something going wrong during the malware removal process and you end up with more problems. If an incident renders your system problematic or unbootable, you can use System Restore to return it to a previous working state. Without a restore point to fall back on, you are left with a limited means of restoring your system to a usable condition. Disabling this feature could mean having to perform a repair install (or reformat in worst case scenarios) if you're unable to fix any problems which System Restore may be able to correct. Although System Restore is not always 100% guaranteed to work all the time, it at least gives you another option before resorting to more drastic measures.

"System Restore and malware removal - what is best practice?"
"Should I purge all my restore point BEFORE removing infection?"

I think it is time to transfer you to the HJT team. This team uses avanced tools that have to be run under the supervision of a specialist. Please follow this guide beginning at step (6). Post a log to the HJT forum and one of the team members will work through cleaning the rest of this infection.

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it. Will Smith


#9 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,805 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:05:13 PM

Posted 12 December 2008 - 04:29 PM

Hello jasonpg,

Now that you have posted your log here: http://www.bleepingcomputer.com/forums/t/186093/multiple-viruses/ please do NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

If after 5 days you still have received no response, then post a link to your HJT log in the thread titled "Haven't Had A Reply In Five Days?".

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users