
Virus/Trojan infection


16 replies to this topic

#1 dw1973

dw1973

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:09:52 PM

Posted 30 March 2009 - 05:22 AM

Hi All

I'm looking at a friend's PC which has a number of trojans and viruses on it. He was running McAfee but this has expired, although it is still installed. His OS is WinXP MCE with SP3.

Tried to uninstall McAfee but the trojan blocked the window opening.

My first step was to try to install Avast on it but the trojan keeps blocking it. I tried changing the filename and extension but same problem.

I managed to install and run CCleaner.

Initially, Folder Options in Explorer and Task Manager were also disabled, but managed to get these back.

After a bit of googling about this problem I managed to run SuperAntiSpyware which removed a number of baddies. I tried to install Malwarebytes but again it was blocked. I changed the filename and extension, still no install.

I've also run Combofix, which again removed some stuff, as did MG Tools. I've also run Spybot S&D which removed a couple of things but nothing major.

I downloaded and ran a few tools from Symantec (FXSasser, FixXrupter, FixVirut, FixBrisvA, FixDwndp, NortonSecurityScan) but these have found nothing.

I've downloaded Avira Anti-Virus but again this won't install.

I've also tried to run HijackThis but like the others, the window flashes up but then disappears before anything can be clicked.

Tried to run the Kaspersky Web Scanner but the trojan closes the browser window as soon as I click the link from google.

Any help/tools advice would be appreciated.

Edited by dw1973, 30 March 2009 - 05:28 AM.




#2 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:04:52 PM

Posted 30 March 2009 - 08:55 AM

http://www.malwareremoval.com/tutorials/safemodeboot.php

Can you access safe mode?
Chewy

No. Try not. Do... or do not. There is no try.

#3 dw1973


Posted 30 March 2009 - 09:55 AM

Hi DaChew

Yes, most of the scanning I've done has been in safe mode. The PC tends to reboot in a Sasser-type manner otherwise, which was one of the reasons I ran FxSasser.

Since my last post I've also run Dr.Web as well, which again removed some bad stuff but the problem still remains.

#4 DaChew


Posted 30 March 2009 - 10:01 AM

When McAfee was locked up during a bad infection, I have had to boot into safe mode and run the McAfee uninstaller before I could really work in normal mode to remove malware.

http://www.majorgeeks.com/McAfee_Consumer_...Tool_d5420.html
Chewy

No. Try not. Do... or do not. There is no try.

#5 dw1973


Posted 30 March 2009 - 10:21 AM

Thanks, am running that now. I assume I need to reboot once it is complete?

#6 DaChew


Posted 30 March 2009 - 10:29 AM

Yes reboot

Let's see what else is running after a reboot

http://technet.microsoft.com/en-us/sysinte...s/bb896653.aspx

Running Process Explorer, under File, Save As will create a log; post it here.
Chewy

No. Try not. Do... or do not. There is no try.

#7 dw1973


Posted 30 March 2009 - 10:40 AM

Have downloaded Process Explorer but it won't run.

The window flashes up for a millisecond then disappears :thumbsup:

Tried both normal and safe mode.

#8 DaChew


Posted 30 March 2009 - 10:43 AM

Rename it

Show Hidden Folders/Files
  • Open My Computer.
  • Go to Tools > Folder Options.
  • Select the View tab.
  • Scroll down to Hidden files and folders.
  • Select Show hidden files and folders.
  • Uncheck (untick) Hide extensions of known file types.
  • Uncheck (untick) Hide protected operating system files (Recommended).
  • Click Yes when prompted.
  • Click OK.
  • Close My Computer.

It's being blocked
Chewy

No. Try not. Do... or do not. There is no try.

#9 dw1973


Posted 30 March 2009 - 10:48 AM

Have just tried changing the name (didn't work) and changing the extension as well (to .pif), also didn't work.

Have done the Folder Options changes too.

By the way, I'm running it from the desktop. Should it have its own folder in C:?

#10 DaChew


Posted 30 March 2009 - 11:04 AM

try dw.bat or dw.com

procexp.exe is the name of the file that needs to be renamed
Chewy

No. Try not. Do... or do not. There is no try.

#11 DaChew


Posted 30 March 2009 - 11:08 AM

If we can't get processexplorer to run try running a rootkit scan

Please download gmer.zip and save to your desktop.
  • Extract (unzip) the file to its own folder such as C:\Gmer. (Click here for information on how to do this if not sure.)
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • You may be prompted to scan immediately if GMER detects rootkit activity.
  • If you are prompted to scan your system click "Yes" to begin the scan.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as gmer.log and copy/paste the contents in your next reply.
  • Exit GMER and re-enable all active protection when done.

Chewy

No. Try not. Do... or do not. There is no try.

#12 dw1973


Posted 30 March 2009 - 11:16 AM

Still the same problem in safe mode and normal mode for process explorer

Gmer scan running now

Thanks for your help by the way :thumbsup:

Edited by dw1973, 30 March 2009 - 11:20 AM.


#13 dw1973


Posted 30 March 2009 - 12:23 PM

It did find a Rootkit, gmer.log below...

GMER 1.0.15.14966 - http://www.gmer.net
Rootkit scan 2009-03-30 18:19:46
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF76DE87E]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF76DEC10]

Code 7d8c51b35f18412ab24b20f8fca9ed98.sys (ckmd/Noves Inc) ZwCreateKey [0xF7691C8E]
Code 7d8c51b35f18412ab24b20f8fca9ed98.sys (ckmd/Noves Inc) ZwEnumerateKey [0xF7691D13]
Code 7d8c51b35f18412ab24b20f8fca9ed98.sys (ckmd/Noves Inc) ZwOpenKey [0xF7691C10]
Code 7d8c51b35f18412ab24b20f8fca9ed98.sys (ckmd/Noves Inc) ZwQueryDirectoryFile [0xF7691999]
Code 7d8c51b35f18412ab24b20f8fca9ed98.sys (ckmd/Noves Inc) IoCreateFile
Code 7d8c51b35f18412ab24b20f8fca9ed98.sys (ckmd/Noves Inc) NtQueryDirectoryFile

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2408 80501C40 4 Bytes CALL 645B13B2
PAGE ntkrnlpa.exe!IoCreateFile 8056BB8C 5 Bytes JMP F7691872 7d8c51b35f18412ab24b20f8fca9ed98.sys (ckmd/Noves Inc)
PAGE ntkrnlpa.exe!NtQueryDirectoryFile 8056F0F4 5 Bytes JMP F769199D 7d8c51b35f18412ab24b20f8fca9ed98.sys (ckmd/Noves Inc)
PAGE ntkrnlpa.exe!ZwCreateKey 8061A312 5 Bytes JMP F7691C92 7d8c51b35f18412ab24b20f8fca9ed98.sys (ckmd/Noves Inc)
PAGE ntkrnlpa.exe!ZwEnumerateKey 8061AB52 7 Bytes JMP F7691D17 7d8c51b35f18412ab24b20f8fca9ed98.sys (ckmd/Noves Inc)
PAGE ntkrnlpa.exe!ZwOpenKey 8061B6E4 5 Bytes JMP F7691C14 7d8c51b35f18412ab24b20f8fca9ed98.sys (ckmd/Noves Inc)

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Windows Live\Family Safety\fsssvc.exe[312] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 0101F7BF C:\Program Files\Windows Live\Family Safety\fsssvc.exe (Family Safety Service/Microsoft Corporation)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\Explorer.EXE[1708] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00CA2F30] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\Explorer.EXE[1708] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00CA2CA0] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\Explorer.EXE[1708] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00CA2D00] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\Explorer.EXE[1708] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00CA2CD0] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe[2164] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [003E2F30] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe[2164] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [003E2CA0] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe[2164] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [003E2D00] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe[2164] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [003E2CD0] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\wbem\unsecapp.exe[3120] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00B82F30] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\wbem\unsecapp.exe[3120] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00B82CA0] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\wbem\unsecapp.exe[3120] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00B82D00] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\wbem\unsecapp.exe[3120] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00B82CD0] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\wscntfy.exe[3292] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00B92F30] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\wscntfy.exe[3292] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00B92CA0] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\wscntfy.exe[3292] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00B92D00] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\wscntfy.exe[3292] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00B92CD0] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\gmer\gmer.exe[3524] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00802F30] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\gmer\gmer.exe[3524] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00802CA0] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\gmer\gmer.exe[3524] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00802D00] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\gmer\gmer.exe[3524] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00802CD0] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)

---- Devices - GMER 1.0.15 ----

Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\Tcp fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp Lbd.sys (Boot Driver/Lavasoft AB)

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\7d8c51b35f18412ab24b20f8fca9ed98.sys (*** hidden *** ) [BOOT] 7d8c51b35f18412ab24b20f8fca9ed98 <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\7d8c51b35f18412ab24b20f8fca9ed98
Reg HKLM\SYSTEM\CurrentControlSet\Services\7d8c51b35f18412ab24b20f8fca9ed98@c &registry_path=\Registry\Machine\System\CurrentControlSet\Services\7d8c51b35f18412ab24b20f8fca9ed98&download_period=846000&first_download_delay=180&version=2&ip_0=586742989&port_0=7000&max_fails_0=5&ip_1=704183501&port_1=8300&max_fails_1=5&ip_2=2241985741&port_2=9002&max_fails_2=2&ip_3=1512966353&port_3=11234&max_fails_3=2&ips_count=4&name=7d8c51b35f18412ab24b20f8fca9ed98&path=system32\7d8c51b35f18412ab24b20f8fca9ed98.sys&wmid=Dcl993&idate=2009-03-29 13:18:33:810&last_download_time=2009-3-29 13:43:15.984&first_skip=1
Reg HKLM\SYSTEM\CurrentControlSet\Services\7d8c51b35f18412ab24b20f8fca9ed98@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\7d8c51b35f18412ab24b20f8fca9ed98@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\7d8c51b35f18412ab24b20f8fca9ed98@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\7d8c51b35f18412ab24b20f8fca9ed98@Tag 5
Reg HKLM\SYSTEM\CurrentControlSet\Services\7d8c51b35f18412ab24b20f8fca9ed98@ImagePath system32\7d8c51b35f18412ab24b20f8fca9ed98.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\7d8c51b35f18412ab24b20f8fca9ed98@DisplayName 7d8c51b35f18412ab24b20f8fca9ed98
Reg HKLM\SYSTEM\CurrentControlSet\Services\7d8c51b35f18412ab24b20f8fca9ed98@Group System Bus Extender
Reg HKLM\SYSTEM\CurrentControlSet\Services\7d8c51b35f18412ab24b20f8fca9ed98\security
Reg HKLM\SYSTEM\CurrentControlSet\Services\7d8c51b35f18412ab24b20f8fca9ed98\security@Security 0x01 0x00 0x14 0x80 ...
Reg HKLM\SYSTEM\ControlSet003\Services\7d8c51b35f18412ab24b20f8fca9ed98
Reg HKLM\SYSTEM\ControlSet003\Services\7d8c51b35f18412ab24b20f8fca9ed98@c &registry_path=\Registry\Machine\System\CurrentControlSet\Services\7d8c51b35f18412ab24b20f8fca9ed98&download_period=846000&first_download_delay=180&version=2&ip_0=586742989&port_0=7000&max_fails_0=5&ip_1=704183501&port_1=8300&max_fails_1=5&ip_2=2241985741&port_2=9002&max_fails_2=2&ip_3=1512966353&port_3=11234&max_fails_3=2&ips_count=4&name=7d8c51b35f18412ab24b20f8fca9ed98&path=system32\7d8c51b35f18412ab24b20f8fca9ed98.sys&wmid=Dcl993&idate=2009-03-29 13:18:33:810&last_download_time=2009-3-29 13:43:15.984&first_skip=1
Reg HKLM\SYSTEM\ControlSet003\Services\7d8c51b35f18412ab24b20f8fca9ed98@Type 1
Reg HKLM\SYSTEM\ControlSet003\Services\7d8c51b35f18412ab24b20f8fca9ed98@Start 0
Reg HKLM\SYSTEM\ControlSet003\Services\7d8c51b35f18412ab24b20f8fca9ed98@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet003\Services\7d8c51b35f18412ab24b20f8fca9ed98@Tag 5
Reg HKLM\SYSTEM\ControlSet003\Services\7d8c51b35f18412ab24b20f8fca9ed98@ImagePath system32\7d8c51b35f18412ab24b20f8fca9ed98.sys
Reg HKLM\SYSTEM\ControlSet003\Services\7d8c51b35f18412ab24b20f8fca9ed98@DisplayName 7d8c51b35f18412ab24b20f8fca9ed98
Reg HKLM\SYSTEM\ControlSet003\Services\7d8c51b35f18412ab24b20f8fca9ed98@Group System Bus Extender
Reg HKLM\SYSTEM\ControlSet003\Services\7d8c51b35f18412ab24b20f8fca9ed98\security
Reg HKLM\SYSTEM\ControlSet003\Services\7d8c51b35f18412ab24b20f8fca9ed98\security@Security 0x01 0x00 0x14 0x80 ...

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\7d8c51b35f18412ab24b20f8fca9ed98.sys 39936 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\_7d8c51b35f18412ab24b20f8fca9ed98.sys_.vir 39936 bytes executable

---- EOF - GMER 1.0.15 ----

#14 DaChew


Posted 30 March 2009 - 04:06 PM

From your symptoms and that rootkit scan it's obvious we are dealing with a fairly advanced rootkit/backdoor trojan.

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

Someone may be able to clean this machine but we can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

Edited by DaChew, 30 March 2009 - 04:11 PM.

Chewy

No. Try not. Do... or do not. There is no try.
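A triage sketch for the GMER log discussed in posts #13 and #14, added here as an example and not posted by anyone in the thread. It assumes the GMER 1.0.15 section names and line layout seen above, uses an excerpt of that log as sample input, and applies a heuristic of its own: a driver is a suspect when GMER marks it hidden and it also hooks kernel functions.

```python
import ntpath
import re
from collections import defaultdict

# Sample input: a few lines excerpted from the gmer.log in post #13.
SAMPLE_LOG = r"""
---- System - GMER 1.0.15 ----
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF76DE87E]
Code 7d8c51b35f18412ab24b20f8fca9ed98.sys (ckmd/Noves Inc) ZwQueryDirectoryFile [0xF7691999]
---- Kernel code sections - GMER 1.0.15 ----
PAGE ntkrnlpa.exe!NtQueryDirectoryFile 8056F0F4 5 Bytes JMP F769199D 7d8c51b35f18412ab24b20f8fca9ed98.sys (ckmd/Noves Inc)
PAGE ntkrnlpa.exe!ZwEnumerateKey 8061AB52 7 Bytes JMP F7691D17 7d8c51b35f18412ab24b20f8fca9ed98.sys (ckmd/Noves Inc)
---- User IAT/EAT - GMER 1.0.15 ----
IAT C:\WINDOWS\Explorer.EXE[1708] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00CA2D00] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
---- Services - GMER 1.0.15 ----
Service C:\WINDOWS\system32\7d8c51b35f18412ab24b20f8fca9ed98.sys (*** hidden *** ) [BOOT] 7d8c51b35f18412ab24b20f8fca9ed98 <-- ROOTKIT !!!
"""

SECTION = re.compile(r"^---- (.+?) - GMER")
# "SSDT|Code <module> (<description>) <function> [address]"
SYSTEM_HOOK = re.compile(r"^(?:SSDT|Code)\s+(\S+)\s+\(.*?\)\s+(\w+)")
# "<sect> <image>!<function> <addr> N Bytes JMP <target> <module> (<description>)"
INLINE_HOOK = re.compile(
    r"^\S+\s+\S+!(\w+)\s+[0-9A-F]{8}\s+\d+ Bytes\s+JMP\s+[0-9A-F]{8}\s+(\S+)\s+\(")
HIDDEN = re.compile(
    r"^(?:Service|File)\s+(\S+\.sys)\s.*(?:\*\*\* hidden \*\*\*|<-- ROOTKIT)")
# Hooks on directory and registry enumeration are what let a driver hide
# its own file and service key from user-mode tools.
HIDING_APIS = {"ZwQueryDirectoryFile", "NtQueryDirectoryFile", "ZwEnumerateKey"}


def triage(log_text):
    """Map each kernel module to the functions it hooks and its hidden flag."""
    mods = defaultdict(lambda: {"hooks": set(), "hidden": False})
    section = None
    for line in log_text.splitlines():
        line = line.strip()
        if m := SECTION.match(line):
            section = m.group(1)
        elif section == "System" and (m := SYSTEM_HOOK.match(line)):
            mods[m.group(1).lower()]["hooks"].add(m.group(2))
        elif section == "Kernel code sections" and (m := INLINE_HOOK.match(line)):
            mods[m.group(2).lower()]["hooks"].add(m.group(1))
        elif section in ("Services", "Files") and (m := HIDDEN.match(line)):
            mods[ntpath.basename(m.group(1)).lower()]["hidden"] = True
    return dict(mods)


def suspects(log_text):
    """Modules that are hidden AND hook the kernel, with their hiding-related hooks."""
    return [(name, sorted(info["hooks"] & HIDING_APIS))
            for name, info in sorted(triage(log_text).items())
            if info["hidden"] and info["hooks"]]


if __name__ == "__main__":
    for name, hiding in suspects(SAMPLE_LOG):
        print(name, "hidden, hooks:", ", ".join(hiding))
```

Lbd.sys also hooks the SSDT and the Logitech DLL patches import tables, but neither is hidden, so only the randomly named driver is reported.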

#15 nic1

nic1

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:06:52 AM

Posted 30 March 2009 - 09:36 PM

Hi DaChew and dw1973,

I have a similar problem. My PC had been infected with WinPC Defender. I tried running Malwarebytes but it wouldn't load in either Safe or normal mode. My virus protector Norton 360 failed to detect it but did pick up Jaun trojan but can't remove it. I have run process explorer but it failed to enable running Malwarebytes after killing WinPC Defender. I have run DrWeb in safe mode which got rid of WinPC defender and a couple of other things but not the Juan trojan. I still cannot run Malwarebytes in both normal and safe mode.

My google search seems to have been hijacked and will direct me to random shopping sites. The computer also locks up and I can't open task manager or reboot via ctrl/alt/del. Your discussion makes me concerned that I may still have an infection which is blocking my attempts to run programs that will detect it.

Any thoughts?

Cheers

nic1



