redirects in IE, locked windows logins, locked windows backgrounds


17 replies to this topic

#1 jjkeane3rd


Posted 23 August 2009 - 08:56 PM

Problem(s) - redirects in IE, locked windows logins, locked windows backgrounds - I assume this is all related.

History of actions to date:

Smitfraudfix appears to have corrected the “RENOS” Trojan I had as I no longer get the pop ups and the background indicating I’m infected.

File “WinHelpr.exe” was identified as having or being – FAKEINIT Trojan. I renamed that file and Windows defender quarantined it.

What it is doing now that I decided to stop going it alone:

Safemode does not work - it shuts the PC down immediately.

Only one of the 4 logins works- 3 of them immediately log off.

For the 1 login that works I get to a point where the background picture is there - but no desktop icons or Taskbar at the bottom of the screen. CTRL_ALT_DEL does bring up Task Manager – where I can force explorer to run via the “FILE – NEW TASK” pull down. Then the desktop icons and taskbar come back. (Something had locked out Task Manager before and SmitFraudfix corrected that)

I installed Malwarebytes – had to rename it to winlogon to get it to actually run though.

SuperAntispyware.exe will not install – I get a “has encountered a problem and needs to close” error.

Malwarebytes is currently running as I type this – It’s been 14 minutes and only at 50000 files and it's found 9 objects. It’ll be a while before it is done.

Besides letting Malwarebytes do its thing and getting its log file – what should I report back next with?


#2 Blade


Posted 23 August 2009 - 09:00 PM

Hello jjkeane3rd and :thumbsup: to BleepingComputer

For now, just post the Malwarebytes log. Once we've got that we'll work from there.

~Blade

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+


#3 jjkeane3rd


Posted 24 August 2009 - 06:19 AM

I let the full scan run last night and below is what it found. I did let it fix the problems, then rebooted and got right back to the desktop with no issues. Have not checked safeboot or other user logins. I can also change the desktop wallpaper now. So, so far so good. I currently have it running a quick scan and will post that once it is done.

Malwarebytes' Anti-Malware 1.40
Database version: 2685
Windows 5.1.2600 Service Pack 3

8/24/2009 6:59:18 AM
mbam-log-2009-08-24 (06-59-13).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|G:\|I:\|S:\|Y:\|Z:\|)
Objects scanned: 361159
Time elapsed: 2 hour(s), 33 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 10
Registry Values Infected: 1
Registry Data Items Infected: 4
Folders Infected: 1
Files Infected: 16

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
\\?\globalroot\systemroot\system32\uacbbr.dll (Rogue.Agent) -> No action taken.

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> No action taken.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> No action taken.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> No action taken.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> No action taken.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> No action taken.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> No action taken.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> No action taken.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> No action taken.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: c:\windows\system32\sdra64.exe -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: system32\sdra64.exe -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> No action taken.

Folders Infected:
C:\WINDOWS\system32\lowsec (Stolen.data) -> No action taken.

Files Infected:
\\?\globalroot\systemroot\system32\uacbbr.dll (Rogue.Agent) -> No action taken.
C:\WINDOWS\system32\uacbbr.dll (Rogue.Agent) -> No action taken.
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\Y2IJQU5Q\exe[1].exe (Rogue.AdvancedVirusRemover) -> No action taken.
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\Y2IJQU5Q\ftp[1].exe (Trojan.Dropper) -> No action taken.
C:\WINDOWS\Temp\UACeea5.tmp (Rogue.Agent) -> No action taken.
C:\WINDOWS\Temp\rdlE6.tmp.exe (Trojan.Dropper) -> No action taken.
C:\WINDOWS\Temp\rdlF9.tmp.exe (Rogue.AdvancedVirusRemover) -> No action taken.
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\V3KZMH7X\SetupAdvancedVirusRemover[1].exe (Rogue.AdvancedVirusRemover) -> No action taken.
C:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> No action taken.
C:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> No action taken.
C:\WINDOWS\system32\critical_warning.html (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\drivers\str.sys (Rootkit.Agent) -> No action taken.
C:\WINDOWS\system32\sdra64.exe (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\UACegqlfvsawp.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\drivers\UACfnjcgoaofu.sys (Trojan.Agent) -> No action taken.


John

#4 jjkeane3rd


Posted 24 August 2009 - 06:20 AM

Here are the results of the quick scan:

Malwarebytes' Anti-Malware 1.40
Database version: 2685
Windows 5.1.2600 Service Pack 3

8/24/2009 7:19:10 AM
mbam-log-2009-08-24 (07-19-10).txt

Scan type: Quick Scan
Objects scanned: 127930
Time elapsed: 13 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#5 jjkeane3rd


Posted 24 August 2009 - 07:17 AM

More info:

Ran Windows defender quick scan - found nothing
Ran Adaware - found nothing but cookies
Ran SpyBot S&D - Found the following and let it fix it:

Win32.Agent.pz: [SBI $8980C6CD] Settings (Registry value, nothing done) HKEY_USERS\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\Network\UID
Microsoft.WindowsSecurityCenter_disabled: [SBI $2E20C9A9] Settings (Registry change, nothing done) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Start
Win32.TDSS.reg: [SBI $66FD0615] Settings (Registry change, nothing done) HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\uacd.sys\modules\UACd
Win32.TDSS.reg: [SBI $3C9C3975] Settings (Registry change, nothing done) HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\uacd.sys\modules\UACd
Win32.TDSS.reg: [SBI $BC6C2E6A] Settings (Registry change, nothing done) HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\uacd.sys\modules\UACd
Win32.TDSS.reg: [SBI $63B21090] Settings (Registry change, nothing done) HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\uacd.sys\modules\UACc
Win32.TDSS.reg: [SBI $39D32FF0] Settings (Registry change, nothing done) HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\uacd.sys\modules\UACc
Win32.TDSS.reg: [SBI $B92338EF] Settings (Registry change, nothing done) HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\uacd.sys\modules\UACc
Win32.TDSS.rtk: [SBI $83AE5231] File (File, nothing done) C:\WINDOWS\system32\uacsr.dat Properties.size=174 Properties.md5=26F77A145C774E6FE2848C0CACE0C187 Properties.filedate=1251030738 Properties.filedatetext=2009-08-23 08:32:17
FastClick: Tracking cookie (Internet Explorer: Kim) (Cookie, nothing done)

DoubleClick: Tracking cookie (Internet Explorer: Kim) (Cookie, nothing done)

BurstMedia: Tracking cookie (Internet Explorer: Kim) (Cookie, nothing done)

Zedo: Tracking cookie (Internet Explorer: Kim) (Cookie, nothing done)

Statcounter: Tracking cookie (Internet Explorer: Kim) (Cookie, nothing done)

MediaPlex: Tracking cookie (Internet Explorer: Kim) (Cookie, nothing done)

MediaPlex: Tracking cookie (Internet Explorer: Kim) (Cookie, nothing done)

#6 Blade


Posted 24 August 2009 - 09:15 AM

We need to do a rootkit scan.

Please install RootRepeal
Note: Vista users, right click on desktop icon and select "Run as Administrator."
  • Go HERE, HERE, or HERE and download RootRepeal.zip to your Desktop.
  • Disconnect from the Internet or physically unplug your Internet cable connection.
  • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
  • Temporarily disable your anti-virus and real-time anti-spyware protection.
  • After starting the scan, do not use the computer until the scan has completed.
  • When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.
  • Extract RootRepeal.exe from the zip archive.
  • Open RootRepeal.exe on your desktop.
  • At the top of the window, click Settings, then Options.
  • Click the Ssdt & Shadow Ssdt Tab.
  • Make sure the box next to "Only display hooked functions." is checked.
  • Click the "X" in the top right corner of the Settings window to close it.
  • Click the Report tab.
  • Click the Scan button.
  • Check all seven boxes: Drivers, Files, Processes, SSDT, Stealth Objects, Hidden Services, Shadow SSDT.
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Save Report button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.
~Blade


In your next reply, please include the following:
RootRepeal log



#7 jjkeane3rd


Posted 24 August 2009 - 01:20 PM

Ok, major change in events. I rebooted and now all safe mode options do not work and it only wants to boot that way.

I placed my XP disk in the drive and never get past the "search for hardware..." screen.

I did get a BSOD once.

Do I put this on hold and move to a topic on the XP forum?

ARRRGGHHH (sorry - had to let that out)

#8 Blade


Posted 24 August 2009 - 03:40 PM

ARRRGGHHH (sorry - had to let that out)

:thumbsup: <- look familiar? :flowers:

Let me make sure I understand you correctly. You're saying that the computer will only boot into safe mode now, but when it tries to boot into safe mode it fails? Basically, you can't boot at all. Is this correct?

~Blade

Edited by Blade Zephon, 24 August 2009 - 03:43 PM.



#9 jjkeane3rd


Posted 24 August 2009 - 07:12 PM

Yes, it's as if it's stuck in a safe mode boot cycle - Starting Windows normally and any other option performs an immediate and efficient reboot.

I assume the malware set this up and now I'm stuck with a 35 pound paperweight.

I have the option to remove my second hard drive (holds only mp3s) and format it, install XP and use it to see the other drive and restart the cleansing process. What do you think? I can handle doing that.

Unless I can get a bootable CD that will let me get to a c: prompt and I can root around from there. Maybe my boot.ini is compromised. Any suggestions?

I felt like I was close to having it under control.

Question - is this stuff in the hard components of my pc (motherboard, video cards, etc) or just in the harddrive?

Thanks - It's like the wild west with this stuff huh?

John

#10 Blade


Posted 24 August 2009 - 09:06 PM

Looks like Spybot pissed it off.... :thumbsup: I actually don't use Spybot anymore; it's becoming rather antiquated. Plus, with more serious infections it often seems to cause more problems than it solves. (as you might have noticed).

Well, the first question I should ask is: are you willing to undergo a format of the infected drive? At this point a reformat will be the simplest road to a functional machine.

If the answer to that is no, then for the remainder of our time working together, please do not run any programs or attempt any fixes unless instructed to do so. If you act independently it becomes impossible for me to predict what will happen and thus design fixes.

Second question: Do you have access to a Windows XP CD?

Question - is this stuff in the hard components of my pc (motherboard, video cards, etc) or just in the harddrive?

Almost certainly just in the hard drive. While firmware rootkits do exist, they're almost strictly proof-of-concept due to their nature.

It's like the wild west with this stuff huh?

:flowers:

~Blade

Edited by Blade Zephon, 24 August 2009 - 09:23 PM.



#11 jjkeane3rd


Posted 25 August 2009 - 05:29 AM

At this point I am willing to format a secondary harddrive (not the infected one) so I can gain access to the infected one, remove the harmful stuff, pull off some data and then reformat it.

How risky does that sound?

And yes I have my Windows XP CD.

#12 Blade


Posted 25 August 2009 - 07:06 AM

At this point I am willing to format a secondary harddrive (not the infected one) so I can gain access to the infected one, remove the harmful stuff, pull off some data and then reformat it.

How risky does that sound?

And yes I have my Windows XP CD.


We ought to be able to restore access to your hard drive for the purpose of data retrieval via bootable disk; I'll provide instructions for that shortly. If you are willing to reformat the infected drive after we've gotten your data off though there's really no point in cleaning it.

Let's try and get into that drive now. :thumbsup: If this fails let me know. . . I've got one other disk we can try but it's a bit more complicated to make.

***************************************************

We will be using Knoppix, a bootable disk. From it, we can access your hard drive and do repairs.

From a working computer download and install IMGBurn.

Download Knoppix to your desktop.

Open IMGBurn via the newly created icon on your desktop, or by pointing to Start->All Programs->ImgBurn->ImgBurn
Push the large "Write image file to disk" button.
Right under "Source" and next to "Please select a file" push the browse (folder icon) button.
Browse to and select the Knoppix image file on your desktop.

Place a blank CD-R into your clean system's CD Burner, and press the large button that looks like a page going into a CD in the bottom left of IMGBurn.

Now place this CD into the non-bootable system. Configure the system to boot from CD. You can usually do this by pressing F10, F11, or F12 (try all of them if unsure) to bring up configuration options, and select CDRom as your boot device. Some machines will automatically attempt boot from the CD if one is inserted.

When you see the Knoppix boot prompt, press Enter, and wait for Knoppix to boot.
On Knoppix' desktop, you should see an icon for your hard disk.

Right click the drive, and select "Change Read\Write Mode". Press "Yes" at the prompt.

Now you have ready access to your hard drive. You can drag and drop files/folders to another hard drive, a flash drive or burn the data to disk.

For safety's sake...

Note that the files with the following extensions should not be backed up:
.exe
.scr
.htm
.html
.xml
.zip
.rar
.asp
.php


--
Once the files are done moving, press the large K button in the lower left corner of the screen, and select Log Out...
Then press "Turn off computer".

~Blade

Edited by Blade Zephon, 25 August 2009 - 07:06 AM.



#13 jjkeane3rd


Posted 25 August 2009 - 12:00 PM

Beautiful!

Software downloaded
CD burnt

Will attempt to run it this evening and report back.

You, my bleeping computer friend, are awesome.

If you are ever in Richmond Virginia – I'd like to buy you lunch!

#14 jjkeane3rd


Posted 25 August 2009 - 06:25 PM

The software you had me use got me back in! I edited my Boot.ini and it booted up.

I went back a few posts and ran the RootRepeal program and here are its results:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/25 19:04
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF24F5000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7CDE000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xEFBC8000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\windows\temp\sqlite_jfgucsawhjrbcdr
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\mcmsc_gajrcldb31pymqb
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\mcmsc_smn032jeywfqtoj
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_alh6jweealdo5gp
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_ecduqikbycmsl5c
Status: Allocation size mismatch (API: 4096, Raw: 0)

Hidden Services
-------------------
Service Name: UACd.sys
Image Path: C:\WINDOWS\system32\drivers\UACfnjcgoaofu.sys

==EOF==


Now that I have HOPE again :thumbsup: - I'd like to focus on cleaning it and not formatting it. What's the next step?

John
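An added triage example, not code from this thread or from Malwarebytes or RootRepeal: it parses the MBAM scan-log format from post #3 and the RootRepeal report format from post #14, lists what was injected into the Winlogon Userinit value (which is why sdra64.exe came back at every logon), and matches the hidden service RootRepeal found against the files MBAM flagged. The log excerpts embedded below are constructed from the entries John posted.

```python
import re

# Constructed excerpts of the two logs pasted in this thread (posts #3 and #14).
MBAM_LOG = r"""Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.

Files Infected:
C:\WINDOWS\system32\sdra64.exe (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\drivers\UACfnjcgoaofu.sys (Trojan.Agent) -> No action taken.
"""

ROOTREPEAL_LOG = r"""Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys

Hidden Services
-------------------
Service Name: UACd.sys
Image Path: C:\WINDOWS\system32\drivers\UACfnjcgoaofu.sys
==EOF==
"""

def parse_mbam(text):
    """Return {section: [entry]} for an MBAM 1.40 log; entries keep item, class, Bad/Good and action."""
    sections, current = {}, None
    for line in text.splitlines():
        header = re.fullmatch(r"(.+) Infected:", line.strip())
        if header:  # 'Files Infected:' starts a section; the 'Files Infected: 16' summary does not match
            current = header.group(1)
            sections[current] = []
        elif current is not None and " -> " in line:
            parts = line.strip().split(" -> ")
            item, cls = parts[0].rsplit(" (", 1)
            entry = {"item": item, "class": cls[:-1], "action": parts[-1].rstrip(".")}
            bad_good = re.fullmatch(r"Bad: \((.*)\) Good: \((.*)\)", " -> ".join(parts[1:-1]))
            if bad_good:
                entry["bad"], entry["good"] = bad_good.groups()
            sections[current].append(entry)
    return sections

def userinit_hijack(sections):
    """Executables MBAM saw in the Winlogon Userinit value besides userinit.exe; each runs at every logon."""
    extra = []
    for entry in sections.get("Registry Data Items", []):
        if entry["item"].lower().endswith(r"\winlogon\userinit") and "bad" in entry:
            extra += [e.strip() for e in entry["bad"].split(",")
                      if e.strip() and not e.strip().lower().endswith("userinit.exe")]
    return extra

def parse_rootrepeal(text):
    """Return {section: [record]}; a record is one blank-line-separated block of 'Key: Value' lines."""
    sections, current, record = {}, None, {}
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if line.startswith("----"):
            current = lines[i - 1].strip()  # the dashed rule sits under the section title
            sections[current] = []
        elif current is None or (i + 1 < len(lines) and lines[i + 1].startswith("----")):
            continue  # text before the first section, or the next section's title line
        elif line.strip() and not line.startswith("=="):
            key, _, value = line.partition(": ")
            record[key] = value
        elif record:  # a blank line or ==EOF== closes the current record
            sections[current].append(record)
            record = {}
    return sections

def correlate(mbam, rootrepeal):
    """Hidden services whose driver MBAM also flagged: two techniques agreeing is strong rootkit evidence."""
    flagged = {e["item"].lower(): e["class"] for e in mbam.get("Files", [])}
    return [(s["Service Name"], s["Image Path"], flagged[s["Image Path"].lower()])
            for s in rootrepeal.get("Hidden Services", [])
            if s.get("Image Path", "").lower() in flagged]
```

Running `userinit_hijack(parse_mbam(MBAM_LOG))` on the excerpt returns the single injected path, and `correlate` pairs the hidden UACd.sys service with the driver MBAM classified as Trojan.Agent.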

#15 Blade


Posted 25 August 2009 - 06:52 PM

The next step is to gather some more information. I see a hint of rootkit activity in your RootRepeal log, but I want to confirm it before we do anything else.

Please download gmer.zip and save to your desktop.
  • Extract (unzip) the file to its own folder such as C:\Gmer. (Click here for information on how to do this if not sure.)
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • You may be prompted to scan immediately if GMER detects rootkit activity.
  • If you are prompted to scan your system click "Yes" to begin the scan.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as gmer.log and copy/paste the contents in your next reply.
  • Exit GMER and re-enable all active protection when done.
~Blade


In your next reply, please include the following:
GMER log
