Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Backdoor.bot, have had Cryptor, Vundo variants and many others


  • This topic is locked This topic is locked
11 replies to this topic

#1 metalmaiden

metalmaiden

  • Members
  • 48 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:South Australia
  • Local time:02:57 AM

Posted 20 June 2009 - 09:17 AM

Hi there people,
I've been visiting the forum as a lurker recently, now I've decided to ask for help.

I've been trying to get rid of a multitude of problems. I'm using Windows XP, AVGfree and was using IE8, now i use safari, I also have Spybot and Malwarebytes
It started when my son went on to Runescape, an AVG lookalike came on the screen, I scanned and found Trojans, got rid of them. I suspect it may have been the Java exploit as it happened again when he went to Runescape another time.

Since then, always on myspace, I've had WinAv, WinPC antivirus, Antivirus 2009, FakeAlert. I've turned off modem straight away and scanned and found trojan horse.bho.gub, trojanhorse.generic10.aieo, cryptor, trojanhorse.vundo.t, and others.
And I've searched through and deleted the files which were put on my computer at the time of infection (probably not all but I try). I found Malwarebytes picked up heaps of stuff which AVG let go.
I'm using AVGfree, it only stopped one of the fake antiviruses, but let the others all through.

The last time it happened I got complacent and found one of the fake antivirus programs but didn't manually delete it, I assumed AVG would get it but it didn't. So after that I couldn't restart in safemode because it kept restarting until I let it start normally.
By this time I couldn't search files, go into control panel or use command prompt because the computer would restart. All my antivirus programs were disabled and wouldn't update. I renamed Malwarebytes and it worked, and removed a heap of registry key probs but on restart it wouldn't work again. I downloaded Hijack this, but couldn't install it.

So I gave up and sent it in to the computer shop to be cleaned.

$85AU later, I get the computer home and have a peek at what files have been modified since they had my comp.

I found kl.files which they used, is this Kaspersky?
I also found they uninstalled and reinstalled Malwarebytes and did a scan an hour before I picked my computer up. This scan picked up a few things.

This is the log
Malwarebytes' Anti-Malware 1.37
Database version: 2291
Windows 5.1.2600 Service Pack 3

6/17/2009 11:22:42 AM
mbam-log-2009-06-17 (11-22-42).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 224948
Time elapsed: 46 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Quarantined and deleted successfully.


I'm sort of wondering if I got ripped off by these guys.


More scan results since I got the computer back
Malwarebytes' Anti-Malware 1.38
Database version: 2304
Windows 5.1.2600 Service Pack 3

20/06/2009 9:55:35 PM
mbam-log-2009-06-20 (21-55-35).txt

Scan type: Quick Scan
Objects scanned: 147069
Time elapsed: 18 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



Malwarebytes' Anti-Malware 1.38
Database version: 2314
Windows 5.1.2600 Service Pack 3

6/20/2009 10:59:54 PM
mbam-log-2009-06-20 (22-59-54).txt

Scan type: Quick Scan
Objects scanned: 148283
Time elapsed: 23 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


It appears clean but I have my doubts.
Any suggestions?

BC AdBot (Login to Remove)

 


#2 rigel

rigel

    FD-BC


  • BC Advisor
  • 12,944 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:South Carolina - USA
  • Local time:01:27 PM

Posted 20 June 2009 - 06:46 PM

Install RootRepeal

Click here - Official Rootrepeal Site, and download RootRepeal.zip. I recommend downloading to your desktop.
Fatdcuk at Malwarebytes posted a comprehensive tutorial - Self Help guide can be found here if needed.: Malwarebytes Removal and Self Help Guides.
Click RootRepeal.exe to open the scanner.
Click the Report tab, now click on Scan. A Window will open asking what to include in the scan.
Check the following items:
Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services

Click OK
Scan your C Drive (Or your current system drive) and click OK. The scan will begin. This my take a moment, so please be patient. When the scan completes, click Save Report.
Name the log RootRepeal.txt and save it to your Documents folder - (Default folder).
Paste the log into your next reply.

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it. Will Smith


#3 metalmaiden

metalmaiden
  • Topic Starter

  • Members
  • 48 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:South Australia
  • Local time:02:57 AM

Posted 20 June 2009 - 10:10 PM

Hi there rigel. Thankyou for helping :thumbsup:

Here is the RootRepeal log as requested
ROOTREPEAL © AD, 2007-2009
==================================================
Scan Time: 2009/06/21 12:32
Program Version: Version 1.3.0.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB6E81000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF799B000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB600A000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\HIBERFIL.SYS
Status: Locked to the Windows API!

Hidden Services
-------------------
Service Name: UACd.sys
Image Path: C:\WINDOWS\system32\drivers\UACwiltobwmvvrwayw.sys

==EOF==

#4 metalmaiden

metalmaiden
  • Topic Starter

  • Members
  • 48 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:South Australia
  • Local time:02:57 AM

Posted 22 June 2009 - 08:48 AM

Here are some more logs since the Root Repeal log, first Spybot yesterday, then Malwarebytes today.


--- Report generated: 2009-06-21 17:39 ---

Hint of the Day: Click the bar at the right of this to see more information! ()


Microsoft.WindowsSecurityCenter_disabled: [SBI $2E20C9A9] Settings (Registry change, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Start

Win32.TDSS.rtk: [SBI $6665A6E1] File (File, fixed)
C:\WINDOWS\system32\UACluerlykpjkjokqu.log

Win32.TDSS.rtk: [SBI $83AE5231] File (File, fixed)
C:\WINDOWS\system32\UACtdresboebtbiysy.dat

DoubleClick: Tracking cookie (Internet Explorer: Tascha) (Cookie, fixed)


MediaPlex: Tracking cookie (Internet Explorer: Tascha) (Cookie, fixed)


MediaPlex: Tracking cookie (Internet Explorer: Tascha) (Cookie, fixed)



--- Spybot - Search & Destroy version: 1.6.0 (build: 20080707) ---

2009-01-19 unins000.exe (51.49.0.0)
2008-07-07 blindman.exe (1.0.0.8)
2008-07-07 SDWinSec.exe (1.0.0.12)
2008-07-07 Update.exe (1.6.0.7)
2008-07-07 SDUpdate.exe (1.6.0.8)
2008-07-07 SpybotSD.exe (1.6.0.30)
2008-07-07 SDFiles.exe (1.6.0.4)
2008-07-07 SDShred.exe (1.0.2.3)
2008-09-16 TeaTimer.exe (1.6.3.25)
2008-07-07 SDMain.exe (1.0.0.6)
2008-06-14 DelZip179.dll (1.79.11.1)
2007-04-02 aports.dll (2.1.0.0)
2008-06-19 sqlite3.dll
2008-10-22 advcheck.dll (1.6.2.13)
2008-10-22 Tools.dll (2.1.6.8)
2008-09-15 SDHelper.dll (1.6.2.14)
2009-01-22 Includes\Cookies.sbi (*)
2009-01-22 Includes\Revision.sbi (*)
2009-06-08 Includes\Tracks.uti
2009-06-17 Includes\TrojansC.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2009-06-17 Includes\PUPSC.sbi (*)
2009-06-02 Includes\SecurityC.sbi (*)
2009-06-16 Includes\MalwareC.sbi (*)
2009-06-16 Includes\KeyloggersC.sbi (*)
2009-06-09 Includes\HijackersC.sbi (*)
2009-06-02 Includes\DialerC.sbi (*)
2009-01-22 Includes\HeavyDuty.sbi (*)
2009-06-02 Includes\AdwareC.sbi (*)
2009-06-02 Includes\SpywareC.sbi (*)
2009-06-16 Includes\Keyloggers.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2009-01-14 Includes\Security.sbi (*)
2009-06-17 Includes\Trojans.sbi (*)
2009-03-25 Includes\PUPS.sbi (*)
2009-05-19 Includes\Dialer.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2009-04-07 Includes\Spyware.sbi (*)
2009-05-19 Includes\Adware.sbi (*)
2009-05-26 Includes\Hijackers.sbi (*)
2009-06-10 Includes\Malware.sbi (*)
2007-12-24 Plugins\TCPIPAddress.dll
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll



Malwarebytes' Anti-Malware 1.38
Database version: 2321
Windows 5.1.2600 Service Pack 3

6/22/2009 10:45:28 PM
mbam-log-2009-06-22 (22-45-28).txt

Scan type: Quick Scan
Objects scanned: 148843
Time elapsed: 17 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#5 rigel

rigel

    FD-BC


  • BC Advisor
  • 12,944 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:South Carolina - USA
  • Local time:01:27 PM

Posted 25 June 2009 - 03:23 PM

Win32.TDSS.rtk


This is a rootkit and bad news...

IMPORTANT NOTE: One or more of the identified infections was related to a rootkit component. Rootkits and backdoor Trojan are very dangerous because they use advanced techniques (backdoors) as a means of accessing a computer system that bypasses security mechanisms and steal sensitive information which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

If your computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

Although the rootkit was identified and removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because the rootkit has been removed the computer is now secure. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

"When should I re-format? How should I reinstall?"
"Help: I Got Hacked. Now What Do I Do?"
"Where to draw the line? When to recommend a format and reinstall?"

Should you decide not to follow that advice, we will do our best to help clean the computer of any infections but we cannot guarantee it to be trustworthy or that the removal will be successful. Let me know how you wish to proceed.

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it. Will Smith


#6 metalmaiden

metalmaiden
  • Topic Starter

  • Members
  • 48 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:South Australia
  • Local time:02:57 AM

Posted 26 June 2009 - 06:44 AM

Thanks rigel

I would like to try to clean the computer.
I'll use another one to do the password changes on everything, not that my bank account details would be worth getting :thumbsup:

#7 rigel

rigel

    FD-BC


  • BC Advisor
  • 12,944 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:South Carolina - USA
  • Local time:01:27 PM

Posted 26 June 2009 - 08:56 AM

I know what you mean. The bad guys would go broke if they hit my account.

Please follow this guide from step (6). Post a HJT log to the HJT forum and a Team member will be along to help you as soon as possible. You may wish to post a link back to this topic to see what was discussed thus far.

If you need any help with the guide, please let me know. Best wishes - you are in good hands...

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it. Will Smith


#8 metalmaiden

metalmaiden
  • Topic Starter

  • Members
  • 48 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:South Australia
  • Local time:02:57 AM

Posted 26 June 2009 - 08:56 PM

Thanks so much for taking the time to help.

I've had a read of the guide, I'll give it a go.

:flowers:


I have another computer the same (Acer, XP) also running the same programs (AVGfree & Spybot with malwarebytes) which had similar problems, I think I managed to delete the probs when they appeared.
This one had winav, fakealert, and other things. This computer had evidence of some questionable searches done on google(safe search off) by one of our twelveyear old sons :thumbsup:

So I think both computers may have been exposed to the same thing.

I haven't found anything since the problems a month ago. This computer now has a paid version of Norton Antivirus2009 with anti spyware and still has Malwarebytes.

I did a RootRepeal log on it. Does this computer appear safe for doing banking, etc on?

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Time: 2009/06/27 11:33
Program Version: Version 1.3.0.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF13D2000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7AC6000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF03DE000 Size: 49152 File Visible: No Signed: -
Status: -

Name: sfc.SYS
Image Path: C:\WINDOWS\System32\Drivers\sfc.SYS
Address: 0xF0166000 Size: 12256 File Visible: No Signed: -
Status: -

Name: SYMEFA.SYS
Image Path: SYMEFA.SYS
Address: 0xF7410000 Size: 323584 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\windows\temp\sqlite_moaktrfl5hsgh1c
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\program files\virgin broadband\log\atrecord.txt
Status: Size mismatch (API: 227750, Raw: 226028)

Path: c:\program files\virgin broadband\log\callbalk_trace.txt
Status: Size mismatch (API: 117188, Raw: 116141)

Path: c:\program files\virgin broadband\log\func_trace.txt
Status: Size mismatch (API: 24864, Raw: 24715)

SSDT
-------------------
#: 012 Function Name: NtAlertResumeThread
Status: Hooked by "<unknown>" at address 0x84511590

#: 013 Function Name: NtAlertThread
Status: Hooked by "<unknown>" at address 0x84511650

#: 017 Function Name: NtAllocateVirtualMemory
Status: Hooked by "<unknown>" at address 0x84511d60

#: 019 Function Name: NtAssignProcessToJobObject
Status: Hooked by "<unknown>" at address 0x83801e50

#: 031 Function Name: NtConnectPort
Status: Hooked by "<unknown>" at address 0x847fa8b0

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xf172d040

#: 043 Function Name: NtCreateMutant
Status: Hooked by "<unknown>" at address 0x84511340

#: 052 Function Name: NtCreateSymbolicLinkObject
Status: Hooked by "<unknown>" at address 0x83801cb0

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0x847c94f0

#: 057 Function Name: NtDebugActiveProcess
Status: Hooked by "<unknown>" at address 0x83801f10

#: 063 Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xf172d2c0

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xf172d820

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "<unknown>" at address 0x84511ef0

#: 083 Function Name: NtFreeVirtualMemory
Status: Hooked by "<unknown>" at address 0x84511bc0

#: 089 Function Name: NtImpersonateAnonymousToken
Status: Hooked by "<unknown>" at address 0x84511410

#: 091 Function Name: NtImpersonateThread
Status: Hooked by "<unknown>" at address 0x845114d0

#: 097 Function Name: NtLoadDriver
Status: Hooked by "<unknown>" at address 0x848059c0

#: 108 Function Name: NtMapViewOfSection
Status: Hooked by "<unknown>" at address 0x84511ae0

#: 114 Function Name: NtOpenEvent
Status: Hooked by "<unknown>" at address 0x84511280

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0x842140c8

#: 123 Function Name: NtOpenProcessToken
Status: Hooked by "<unknown>" at address 0x84511e30

#: 125 Function Name: NtOpenSection
Status: Hooked by "<unknown>" at address 0x84511100

#: 128 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0x84511fc0

#: 137 Function Name: NtProtectVirtualMemory
Status: Hooked by "<unknown>" at address 0x83801d80

#: 206 Function Name: NtResumeThread
Status: Hooked by "<unknown>" at address 0x847c23b8

#: 213 Function Name: NtSetContextThread
Status: Hooked by "<unknown>" at address 0x84511890

#: 228 Function Name: NtSetInformationProcess
Status: Hooked by "<unknown>" at address 0x84511950

#: 240 Function Name: NtSetSystemInformation
Status: Hooked by "<unknown>" at address 0x83801fd0

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xf172da70

#: 253 Function Name: NtSuspendProcess
Status: Hooked by "<unknown>" at address 0x845111c0

#: 254 Function Name: NtSuspendThread
Status: Hooked by "<unknown>" at address 0x84511710

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0x842141e0

#: 258 Function Name: NtTerminateThread
Status: Hooked by "<unknown>" at address 0x845117d0

#: 267 Function Name: NtUnmapViewOfSection
Status: Hooked by "<unknown>" at address 0x84511a20

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0x84511c90

Stealth Objects
-------------------
Object: Hidden Module [Name: sfcfiles.dll]
Process: winlogon.exe (PID: 932) Address: 0x10000000 Size: 36864

Object: Hidden Module [Name: mssfc.dll]
Process: winlogon.exe (PID: 932) Address: 0x66700000 Size: 1622016

==EOF==

Edited by metalmaiden, 26 June 2009 - 09:24 PM.


#9 rigel

rigel

    FD-BC


  • BC Advisor
  • 12,944 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:South Carolina - USA
  • Local time:01:27 PM

Posted 27 June 2009 - 06:12 PM

To be sure with banking, I recommend posting a log for it as well. That team uses tools that looks deep into the core of your operating system

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it. Will Smith


#10 metalmaiden

metalmaiden
  • Topic Starter

  • Members
  • 48 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:South Australia
  • Local time:02:57 AM

Posted 28 June 2009 - 12:21 AM

Ok.

Thank you very much for your time.

:thumbsup:

#11 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,956 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:01:27 PM

Posted 28 June 2009 - 06:34 AM

Your DDS/HijackThis log is posted here.

Now that your log is posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show it the log you already posted. Further, any modifications you make on your own may cause confusion for the member assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

To avoid confusion, I am closing this topic until you are cleared by the HJT Team. If you still need assistance after your log has been reviewed and you have been cleared, please PM me or another moderator and we will re-open this topic.

Good luck with your log.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#12 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,805 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:01:27 PM

Posted 28 June 2009 - 11:05 AM

Hello Metalmaiden,

I've reopened this topic briefly to answer the question you edited into the bottom of your new topic in HJT.

Do I start a new topic for my other computer or post here?


The answer to that is to create a different HJT topic for that computer. Discussing more than one computer in the same topic causes confusion for all concerned. Please start your title with "Computer 2" to avoid possible mishaps with the topics.

Cheers,

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users