Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

zfsearch.com infection, and possibly more?


  • Please log in to reply
15 replies to this topic

#1 bluecrown

bluecrown

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:08:05 AM

Posted 12 August 2009 - 12:46 AM

Dell Inspiron 8600, 2004 model
Windows XP Home

Antispyware/Antivirus programs:
Spybot S&D
TeaTimer
MalwareBytes
McAfee

For about the past week, my computer has been running strangely. When visiting sites such as youtube.com, last.fm, and digg.com, after browsing for about a minute my cooling fan would spike to maximum speed and stay at that speed until I rebooted my computer. Looking in the task manager, I was running about 45 processes total. Watching the graph of the CPU's capacity, I was running at 100% while the fan was blazing, despite having no windows open. I decided to run MalwareBytes, which came up with only 1 or 2 items being found. I ran Spybot S&D, which came up with 202 items total (yes, I have failed to scan regularly, no I am not proud of it), mostly tracking cookies. After cleaning all of them out (Spybot said that they had all been deleted successfully), I went to open firefox. The Mozilla homepage was very slow to load, and some of the images did not load at all. I do not remember why, but I right-clicked the page to check the NoScript settings, and noticed that in addition to allowing/denying google.com scripts, there was a "Forbid zfsearch.com" option. I clicked to block it and immediately did a google search on just what the heck this was. None of the links to websites about the zfsearch virus would load, including many on bleepingcomputer. Now, no pages show up in Firefox at all. Other users on the computer can use Firefox, but my profile cannot. It simply shows a blank screen where the webpage should be. Is this a sign of more spyware?

I anxiously await the professional's response. Thank you in advance.

Edited by bluecrown, 12 August 2009 - 12:47 AM.


BC AdBot (Login to Remove)

 


#2 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:09:05 AM

Posted 12 August 2009 - 12:52 AM

Please read and follow all these instructions very carefully.
  • Please download GooredFix and save it to your Desktop.
  • Double-click GooredFix.exe to run it.
  • A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt).

Chewy

No. Try not. Do... or do not. There is no try.

#3 bluecrown

bluecrown
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:08:05 AM

Posted 12 August 2009 - 03:17 PM

GooredFix by jpshortstuff (12.07.09)
Log created at 13:16 on 12/08/2009 (Eric)
Firefox version 3.5.2 (en-US)

========== GooredScan ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [06:28 29/05/2008]
{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} [02:38 11/05/2007]
{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} [01:45 17/09/2007]
{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} [18:20 11/10/2007]
{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} [00:11 15/04/2008]
{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} [14:59 20/01/2009]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{ABDE892B-13A8-4d1b-88E6-365A6E755758}"="C:\Program Files\Real\RealPlayer\browserrecord" [23:20 14/02/2008]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [14:58 20/01/2009]
"{20a82645-c095-46ed-80e3-08825760534b}"="C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [22:45 17/02/2009]

-=E.O.F=-

#4 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:09:05 AM

Posted 14 August 2009 - 01:19 AM

Sorry I lost this thread, I meant to think it about it some more before posting

Post that MBAM log you refered to and run a fresh quick scan after updating

but first

We need to disable Spybot S&D's "TeaTimer"
TeaTimer works by preventing ANY changes to the system. It will attempt to undo any fixes we run, because it blocks these fixes from running.

In order to safeguard your system from problems that can be brought on by a half finished fix, we need to disable TeaTimer. We can reenable it when we're done if you like.
  • Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  • If prompted with a legal dialog, accept the warning.
  • Click Posted Image and then on "Advanced Mode"
    Posted Image
  • You may be presented with a warning dialog. If so, press Posted Image
  • Click on Posted Image
  • Click on Posted Image
  • Uncheck this checkbox:
    Posted Image
  • Close/Exit Spybot Search and Destroy

Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Please download Malwarebytes Anti-Malware (v1.40) and save it to your desktop.
alternate download link 1
alternate download link 2
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.

http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/


Also
Chewy

No. Try not. Do... or do not. There is no try.

#5 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:09:05 AM

Posted 14 August 2009 - 01:20 AM

Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSypware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
I need to see the 2 MBAM logs and a SAS one
Chewy

No. Try not. Do... or do not. There is no try.

#6 bluecrown

bluecrown
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:08:05 AM

Posted 14 August 2009 - 10:52 AM

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/14/2009 at 04:30 AM

Application Version : 4.27.1002

Core Rules Database Version : 4056
Trace Rules Database Version: 1996

Scan type : Complete Scan
Total Scan Time : 03:40:32

Memory items scanned : 267
Memory threats detected : 0
Registry items scanned : 5808
Registry threats detected : 3
File items scanned : 73735
File threats detected : 4

Adware.Tracking Cookie
C:\Documents and Settings\Eric\Cookies\eric@kontera[1].txt
C:\Documents and Settings\Eric\Cookies\eric@ads.bleepingcomputer[2].txt
C:\Documents and Settings\Eric\Cookies\eric@msnportal.112.2o7[1].txt
C:\Documents and Settings\Eric\Cookies\eric@doubleclick[1].txt

Rogue.Component/Trace
HKLM\Software\Microsoft\D8E08906
HKLM\Software\Microsoft\D8E08906#d8e08906
HKLM\Software\Microsoft\D8E08906#Version




Malwarebytes' Anti-Malware 1.40
Database version: 2619
Windows 5.1.2600 Service Pack 3

8/14/2009 12:30:58 AM
mbam-log-2009-08-14 (00-30-58).txt

Scan type: Quick Scan
Objects scanned: 123945
Time elapsed: 15 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)





Malwarebytes' Anti-Malware 1.40
Database version: 2551
Windows 5.1.2600 Service Pack 3

8/7/2009 4:01:24 PM
mbam-log-2009-08-07 (16-01-24).txt

Scan type: Full Scan (C:\|)
Objects scanned: 228516
Time elapsed: 1 hour(s), 43 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\cs41275 (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#7 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:09:05 AM

Posted 14 August 2009 - 11:09 AM

Please download RootRepeal.zip and save it to your Desktop.
alternate download link 1
alternate download link 2
  • Unzip the file on your Desktop or create a new folder on the hard drive called RootRepeal (C:\RootRepeal) and extract it there.
    (click here if you're not sure how to do this. Vista users refer to these instructions.)
  • Disconnect from the Internet as your system will be unprotected while using this tool.
  • Close all programs and temporarily disable your anti-virus, Firewall and any anti-malware real-time protection before performing a scan.
    This will ensure more accurate results and avoid common issues that may cause false detections.
  • Click this link to see a list of such programs and how to disable them.
  • Open the RootRepeal folder and double-click on RootRepeal.exe to launch it. If using Vista, right-click and Run as Administrator...
  • When the program opens, click the Report tab at the bottom, then click the Scan button.
  • In the Select Scan, dialog which asks What do you want to include in the scan?, check all the boxes.
    • Drivers
    • Files
    • Processes
    • SSDT
    • Stealth Objects
    • Hidden Services
    • Shadow SSDT
  • Click OK.
  • In the Select Drives, dialog Please select drives to scan: select all drives showing, then click OK.
  • The scan can take some time to finish. Do not use the computer while the scan is running.
  • When the scan has completed, a list of files will be generated in the RootRepeal window.
  • Click on the Save Report button and save it as rootrepeal.txt to your desktop.
  • A copy of the report with the date (i.e. RootRepeal report 07-30-09 (17-35-54).txt) is also saved to the root of your system drive (usually C:\).
  • Open rootrepeal.txt in Notepad and copy/paste its contents in your next reply.
  • Exit RootRepeal and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.
Note: If RootRepeal cannot complete a scan and results in a crash report, try repeating the scan in "[color=blue]safe mode".
Chewy

No. Try not. Do... or do not. There is no try.

#8 bluecrown

bluecrown
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:08:05 AM

Posted 14 August 2009 - 06:21 PM

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/14 16:03
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB2BD5000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7C63000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB123C000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: c:\windows\temp\mcmsc_v5vsfrknevshpod
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\perflib_perfdata_748.dat
Status: Allocation size mismatch (API: 16384, Raw: 0)

Hidden Services
-------------------
Service Name: UACd.sys
Image Path: C:\WINDOWS\system32\drivers\UACqvnrjlbb.sys

==EOF==

#9 ComputerNutjob

ComputerNutjob

  • Banned
  • 125 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:05 AM

Posted 14 August 2009 - 06:31 PM

Wait, I'm gonna bet on which one he's gonna be asked to delete....

#10 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:09:05 AM

Posted 14 August 2009 - 07:16 PM

Something got the rootkit, only the broken registery entry seems to be left?

The temp files look bad tho

Please download TFC by Old Timer and save it to your desktop.
http://oldtimer.geekstogo.com/TFC.exe
Save any unsaved work. TFC will close ALL open programs including your browser!
Double-click on TFC.exe to run it. If you are using Vista, right-click on the file and choose Run As Administrator.
Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
Important! If TFC prompts you to reboot, please do so immediately.


Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download Dr.Web CureIt and save it to your desktop. DO NOT perform a scan yet.
alternate download link
Note: The file will be randomly named (i.e. 5mkuvc4z.exe).

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on the randomly named file to open the program and click Start. (There is no need to update if you just downloaded the most current version
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to dowload the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All. (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • After the Express Scan is finished, put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and uncheck "Heuristic analysis" under the "Scanning" tab, then click Apply, Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • Please be patient as this scan could take a long time to complete.
  • When the scan has finished, a message will be displayed at the bottom indicating if any viruses were found.
  • Click Select All, then choose Cure > Move incurable.
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.cvs report)

Chewy

No. Try not. Do... or do not. There is no try.

#11 bluecrown

bluecrown
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:08:05 AM

Posted 15 August 2009 - 01:13 AM

Okay, I ran TFC, and that went fine. When I went into safe mode to run the Dr.WEB scan, my fan went wild again shortly after I logged on. I shut down, and as I was doing so, I got a dialog box saying "Ending Program - Sample". Some research led me to this:

http://www.security-forums.com/viewtopic.php?t=20423

http://www.bleepingcomputer.com/forums/t/59601/sample-not-responding/

I tried uninstalling Intel PROset from the Add/Remove Programs list, but partway through the removal, the fan went wild and the computer almost completely froze. I know PROSet is still present, because when I rebooted, I could see the icon in the system tray, and on the start menu. And of course, the fan went to maximum speed again. This has me really frustrated now. I'm starting to get jumpy at the sound of cooling fans in general.

This may be related and it might not, but I figure I'll mention it anyway. For about the past month, occasionally when I restart the computer, it will give me the message after the BIOS Screen "Your system was automatically shut down due to overheating. Press F1 to continue, or F2 to (I forget the option here)". It does this from a dead cold in the morning, or on a reboot. More often than not, it does not do it at all, but it does happen occasionally. I have already removed the fan access cover and cleaned off the heatsink and fan blades, so it's not an air circulation issue.

Just to let you know, I am leaving on a trip early Sunday morning, and will not be back for a week.

Edited by bluecrown, 15 August 2009 - 01:24 AM.


#12 bluecrown

bluecrown
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:08:05 AM

Posted 01 September 2009 - 01:58 PM

Okay, this makes things a bit interesting. I renamed ZCFGSVC. This seemed to solve the problem of the overloaded CPU. However, after a few days, the same old symptoms returned. Especially after watching some sort of flash video (I.E. YouTube) or doing anything that used a large amount of the CPU's capacity (listening to music in my library, watching a video, ETC).
So I simply deleted ZCFGSVC, since I do not use the Intel ProSET software anyway. Once again, that fixed it. Now it's back again. The last time I shut down, anothr Ending Program window appeared, this time it said "Ending Process- FFHook". I googled this, and didn't come up with anything much. It seems to be a .dll file in the McAfee Securitycenter (??). Once again, I hope like hell that this isn't something nasty.

#13 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:09:05 AM

Posted 01 September 2009 - 03:00 PM

This rootkit(TDSS) can cause problems with drivers, but we are seeing a lot of problems with computers running McAfee where issues develope after trying to remove the malware. I would suggest uninstalling McAfee till you get the mess sorted out.

I usually uninstall it before trying to clean a computer as that's the reccomended procedure accross the board at security forums.

You have to use add/remove programs then use their clean tool

http://service.mcafee.com/FAQDocument.aspx?id=TS100507

Some(including me) have to reload the OS
Chewy

No. Try not. Do... or do not. There is no try.

#14 bluecrown

bluecrown
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:08:05 AM

Posted 01 September 2009 - 03:30 PM

Really? I have the TDSS Rootkit? Darn.

You said some have to reload the OS. I have a pretty significant amount of data on the computer that I would like to save. Correct me if I am wrong, but doesn't reloading the operating system involve wiping the harddrive and starting from scratch?

#15 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:09:05 AM

Posted 01 September 2009 - 03:37 PM

Running windows as a repair disk after removing McAfee usually repairs the damge done if the infection has been completely removed.

Many factory loaded computers do not have that option, which also wipes out all windows updates.
Chewy

No. Try not. Do... or do not. There is no try.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users