ROOTKIT OR TROJAN INFECTION.


26 replies to this topic

#1 TechDisciple


Posted 28 September 2009 - 11:05 PM

One week ago, I found my desktop had a Trojan (backdoor.pcclient).

MBAM got rid of it.

After that I used HijackThis and everything seemed OK. But today my Comodo firewall warned me about AVG Free anti-virus
trying to have direct access to my keyboard while I was surfing the web with Firefox 3.5.3, so I am really suspicious about a rootkit or a trojan still hiding in my computer.

I am really panicking about a trojan or something else trying to get my keystrokes. Please help me. :'(


Finally, this is some of the protective software I use for protection:
1. AVG Free anti-virus
2. Comodo Firewall
3. MBAM
4. SpywareBlaster
5. Windows Defender

Please recommend to me which protection programs are the best, or the ones you use?

Edited by TechDisciple, 28 September 2009 - 11:14 PM.

A PROUD FIREFOX 3.6 USER.

A proud player of Deadfrontier online MMO Zombie Apocalypse Game


A proud Member of the Steam Community


#2 quietman7


Posted 29 September 2009 - 12:05 PM

Please post the results of your MBAM scan for review.

To retrieve the Malwarebytes Anti-Malware scan log information, launch MBAM.
  • Click the Logs Tab at the top.
    • The log will be named by the date of scan in the following format: mbam-log-date(time).txt
      -- If you have previously used MBAM, there may be several logs showing in the list.
  • Click on the log name to highlight it.
  • Go to the bottom and click on Open.
  • The log should automatically open in notepad as a text file.
  • Go to Edit and choose Select all.
  • Go back to Edit and choose Copy or right-click on the highlighted text and choose Copy from there.
  • Come back to this thread, click Add Reply, then right-click and choose Paste.
  • Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Logs are saved to the following locations:
-- In XP: C:\Documents and Settings\<Username>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs
-- In Vista: C:\Documents and Settings\Users\All Users\Malwarebytes\Malwarebytes' Anti-Malware\Logs


Depending on what you were infected with, more investigation may be necessary as MBAM will not find all malicious files.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click the donate button.

#3 TechDisciple


Posted 29 September 2009 - 12:35 PM

Malwarebytes' Anti-Malware 1.41
Database version: 2847
Windows 5.1.2600 Service Pack 3

9/23/2009 6:08:35 AM
mbam-log-2009-09-23 (06-08-35).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 206202
Time elapsed: 3 hour(s), 59 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP899\A0611804.exe (Backdoor.PcClient) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP858\A0567102.exe (Backdoor.PcClient) -> Quarantined and deleted successfully.


#4 quietman7


Posted 29 September 2009 - 12:46 PM

The detected _restore{GUID}\RP***\A00*****.xxx file(s) identified by your scan were in the System Volume Information Folder (SVI) which is a part of System Restore. The *** after RP represents a sequential number automatically assigned by the operating system. The ***** after A00 represents a sequential number where the original file was backed up and renamed except for its extension. To learn more about this, refer to:

System Restore is the feature that protects your computer by creating backups (snapshots saved as restore points) of vital system configurations and files. These restore points can be used to "roll back" your computer to a clean working state in the event of a problem. This makes it possible to undo harmful changes to your system configurations including registry modifications made by software or malware by reverting the operating system's configuration to an earlier date. The SVI folder is protected by permissions that only allow the system to have access and is hidden by default on the root of every drive, partition or volume including most external drives, and some USB flash drives. For more detailed information, read System Restore Overview and How it works and How antivirus software and System Restore work together.

System Restore is enabled by default and will back up the good as well as malicious files, so when malware is present on the system it gets included in restore points as an A00***** file.

Note: Since MBAM did NOT detect the original malicious file responsible for the backup in SR, it may have already been removed by a prior scan or another security tool.

When you scan your system with anti-virus or anti-malware tools, you may receive an alert that a malicious file was detected in the SVI folder (System Restore points) and moved into quarantine. When a security program quarantines a file, that file is essentially disabled and prevented from causing any harm to your system. The quarantined file is safely held there and no longer a threat. Thereafter, you can delete it at any time.

If your anti-virus or anti-malware tool cannot move the files to quarantine, they sometimes can reinfect your system if you accidentally use an old restore point. In order to avoid reinfection and remove these file(s) if your security tools cannot remove them, the easiest thing to do is Create a New Restore Point to enable your computer to "roll-back" to a clean working state and use Disk Cleanup to remove all but the most recent restore point.
Vista users can refer to these links: Create a New Restore Point in Vista and Disk Cleanup in Vista.

If your anti-virus or anti-malware tool was able to move the file(s), I still recommend creating a new restore point and using disk cleanup as the last step after removing malware from an infected computer.

However, before doing that let's do some more investigating.

Your Malwarebytes Anti-Malware log indicates you are using an outdated database version.
The database shows 2847. Last I checked it was 2871.

Please update it through the program's interface (preferable method) or manually download the definition updates and just double-click on mbam-rules.exe to install. Then perform a new Quick Scan in normal mode and check all items found for removal. Don't forget to reboot afterwards. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. When done, click the Logs tab and copy/paste the contents of the new report in your next reply.

Note: Mbam-rules.exe is not updated daily. Another way to get the most current database definitions if you're having problems updating through the program's interface or have already manually downloaded the latest definitions (mbam-rules.exe) shown on this page, is to do the following: Install MBAM on a clean computer, launch the program and update through MBAM's interface. Copy the definitions (rules.ref) to a USB stick or CD and transfer that file to the infected machine. Copy rules.ref to the location indicated for your operating system. If you cannot see the folder, then you may have to Reconfigure Windows to show it.
  • XP: C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware
  • Vista: C:\Documents and Settings\Users\All Users\Malwarebytes\Malwarebytes' Anti-Malware
Please download TFC by Old Timer and save it to your desktop.
alternate download link
  • Save any unsaved work. TFC will close ALL open programs including your browser!
  • Double-click on TFC.exe to run it. If you are using Vista, right-click on the file and choose Run As Administrator.
  • Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
  • Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.
Please download and scan with Dr.Web CureIt - alternate download link.
Follow these instructions for performing a scan in "safe mode".
If you cannot boot into safe mode or complete a scan, then try doing it in normal mode. Be aware, this scan could take a long time to complete.
-- Post the log in your next reply. If you can't find the log, try to write down what was detected/removed before exiting Dr.WebCureIt so you can provide that information.

#5 TechDisciple


Posted 29 September 2009 - 12:56 PM

Yesterday I scanned with Spyware Doctor and it found 27 infections, and I need to remove them with a free program.

Spyware.Possible_Website_Hijack: 27 infections

From the look of the infections it appears that some hosts entry is directing my browsers to bad web sites.
When I was browsing, my pages were getting nowhere and were getting reset,
so I had to reload or refresh a lot of times.

Also, do I turn my DNS on or off, because I have the MVPS hosts?

OK, I will do what you instructed me to do right away.

Edited by TechDisciple, 29 September 2009 - 01:09 PM.


#6 quietman7


Posted 29 September 2009 - 02:03 PM

I was about to reply when I saw your edits which answered a couple of my questions so I had to redo my reply.

Although malware can be responsible for altering the HOSTS file in an attempt to redirect your browser, it does not do so without infecting other areas of your system. There are several legitimate security programs like SpySweeper, STOPzilla, Spybot S&D, etc which can add entries to the HOSTS file and that action may be detected as a change or some other alert. If you downloaded and used a custom HOSTS file (as you said you did) or made edits that too would trigger a change detection or alert. You need to investigate further as this could be a false detection.

I would start by restoring your HOSTS file to its default, then reinstall the MVPS HOSTS file and rescan right away to see if SD is still detecting threats in it.

If you connect to the Internet using AOL, a custom dialer, through a Local Area Network (LAN) or a remote proxy server, using a HOSTS file may not work. Using a remote proxy server (which does the DNS requesting for you) prevents the HOSTS file from being used. The browser will route its request through the proxy server before your machine looks up an entry in Hosts. The DNS service needs to be disabled and computer rebooted for the HOSTS file to take effect. Failing to disable DNS service will result in slow performance.
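One way to check a HOSTS file for the distinction quietman7 draws above, as an added Python example that is not from the thread or from any of the tools mentioned: it separates block entries (names pointed at 0.0.0.0 or loopback, as the MVPS file does) from redirect entries that send a name to a remote address, which is what a real hijack looks like. The file contents, hostnames and addresses are constructed.

```python
import ipaddress
from collections import defaultdict

# Constructed sample HOSTS file (not from the thread): the Windows default
# entries, MVPS-style block entries, and two entries that point real-looking
# hostnames at a remote address, which is the pattern a browser hijack leaves.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0 ads.example-adnetwork.test           # MVPS-style null route
0.0.0.0 tracker.example-metrics.test
127.0.0.1 banner.example-ads.test            # older MVPS style, loopback
203.0.113.45 www.example-bank.test           # redirect to a remote host
203.0.113.45 update.example-antivirus.test   # redirect to a remote host
"""

# Addresses that "sink" a name: resolving to one of these blocks the site
# instead of sending the browser somewhere else.
SINK_ADDRESSES = {
    ipaddress.ip_address("0.0.0.0"),
    ipaddress.ip_address("127.0.0.1"),
    ipaddress.ip_address("::1"),
}


def parse_hosts(text):
    """Return (ip, hostname) pairs, skipping comments, blanks and bad lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()    # drop trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                             # malformed line, ignore it
        for hostname in fields[1:]:              # one line may list several names
            entries.append((ip, hostname.lower()))
    return entries


def classify_hosts(entries):
    """Split entries into block entries and redirects grouped by target address.

    Thousands of names pointed at a sink address is what a blocklist like the
    MVPS file looks like; unrelated names pointed at one remote address is the
    signature of a hijack and is what deserves a closer look.
    """
    blocked = []
    redirects = defaultdict(list)
    for ip, hostname in entries:
        if hostname == "localhost":              # the default entries
            continue
        if ip in SINK_ADDRESSES or ip.is_loopback:
            blocked.append(hostname)
        else:
            redirects[str(ip)].append(hostname)
    return {"blocked": blocked, "redirects": dict(redirects)}


def triage(text):
    """Return (verdict, details) for the text of a HOSTS file."""
    details = classify_hosts(parse_hosts(text))
    if details["redirects"]:
        return "review: redirect entries present", details
    return "blocklist only", details


if __name__ == "__main__":
    verdict, details = triage(SAMPLE_HOSTS)
    print(verdict, "-", len(details["blocked"]), "block entries")
    for target, names in details["redirects"].items():
        print(f"  {target} <- {', '.join(names)}")
```

A HOSTS file that is all block entries is the expected state after installing the MVPS file; any redirect group is what to compare against the scanner's report before trusting or dismissing it.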

#7 TechDisciple


Posted 29 September 2009 - 03:01 PM

I connect using dial-up.

Also, when I installed the MVPS HOSTS file I did everything you mentioned above that I was supposed to do: I disabled the DNS from Services, then I ran the MVPS and rebooted immediately.

My network seems good, like always; it is not slowing.

Last, my Comodo firewall, when I installed it, asked if I wanted their DNS hosts, and I can't remember if I checked it.
So I am guessing that's kind of the problem, having to host or something.

I will enable DNS, shut down, then restart, disable DNS and run the MVPS hosts again and reboot. After that I will scan with SD to see if the problem is gone. I will reply if it is.


#8 TechDisciple


Posted 29 September 2009 - 03:03 PM

Here is the new MBAM log with the updated version:

Malwarebytes' Anti-Malware 1.41
Database version: 2873
Windows 5.1.2600 Service Pack 3

9/29/2009 12:40:58 PM
mbam-log-2009-09-29 (12-40-58).txt

Scan type: Quick Scan
Objects scanned: 127496
Time elapsed: 10 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


#9 quietman7


Posted 29 September 2009 - 08:10 PM

A clean MBAM log is a good sign. Now let's see what SD has to say.

#10 TechDisciple


Posted 30 September 2009 - 02:17 AM

OK, I will run SD after I let you know this.

1. I ran TFC.exe, finished and rebooted.

2. I ran Dr.Web CureIt in normal mode and the express scan didn't find any infections; finished and rebooted.

Then I ran Dr.Web CureIt in safe mode to double check and the express scan didn't find a thing, but after that I ran it in full scan.

It scanned my system for like 3h:51m:50s; this is the scan time.

And it found 5 infected files. I wrote them down; here they are. Oh, but the scan froze and I couldn't reboot, so I shut it down manually by pressing the shutdown button because it never responded for like 45 minutes straight. After restarting the computer again I immediately rebooted. I didn't have the chance to press Cure since it froze.

Objects / Actions:

Infected: 2, moved: 2
Adware: 2, deleted: 2
Hacktools: 1

WxBugSetup60b6.04.0.9m.EXE/data017\data001
data017
WxBugSetup60b6.04.0.9m.EXE
KillWind.exe
EN_CA-ie.reg
A0005691.EXE/data017\data001
data017
A0005691.EXE
A0005693.reg


It froze when scanning this path:
C:\System Volume Information\_restore{E0C22EC0-D318-4D95_967D-A5C2B4653ED0}\RP844\A0551310.dll

At the bottom it said 5 infected files.

I think there are more, because it froze and I couldn't finish scanning.

Adware: Adware.MyWay
trojan.startpage.1505

(Screenshots showing where it froze.)

Edited by TechDisciple, 30 September 2009 - 02:19 AM.


#11 quietman7


Posted 30 September 2009 - 06:11 AM

The detected _restore{GUID}\RP***\A00*****.xxx file(s) identified by your scan are in the System Volume Information Folder (SVI) which is a part of System Restore. The *** after RP represents a sequential number automatically assigned by the operating system. The ***** after A00 represents a sequential number where the original file was backed up and renamed except for its extension. To learn more about this, refer to:

System Restore is the feature that protects your computer by creating backups (snapshots saved as restore points) of vital system configurations and files. These restore points can be used to "roll back" your computer to a clean working state in the event of a problem. This makes it possible to undo harmful changes to your system configurations including registry modifications made by software or malware by reverting the operating system's configuration to an earlier date. The SVI folder is protected by permissions that only allow the system to have access and is hidden by default on the root of every drive, partition or volume including most external drives, and some USB flash drives. For more detailed information, read System Restore Overview and How it works and How antivirus software and System Restore work together.

System Restore is enabled by default and will back up the good as well as malicious files, so when malware is present on the system it gets included in restore points as an A00***** file. When you scan your system with anti-virus or anti-malware tools, you may receive an alert or notification that a malicious file was detected in the SVI folder (System Restore points) but the anti-virus software was unable to remove it. Since the SVI folder is a protected directory, most anti-virus and scanning tools cannot access it to disinfect or delete these files. If not removed, they sometimes can reinfect your system if you accidentally use an old restore point.

To remove these file(s), the easiest thing to do is Create a New Restore Point to enable your computer to "roll-back" to a clean working state and use Disk Cleanup to remove all but the most recent restore point.
Vista users can refer to these links: Create a New Restore Point in Vista and Disk Cleanup in Vista.

When done, try rescanning again to see if you can complete the scan.

If you cannot complete, then do this:

Please perform an online scan with Kaspersky Online Virus Scanner.
(Requires free Java Runtime Environment (JRE) to be installed before scanning for malware as ActiveX is no longer being used.)
  • Click on the ... button.
  • The program will launch and fill in the Information section on the left.
  • Read the "Requirements and Limitations", then press the ... button.
  • The program will begin downloading the latest program and definition files.
    It takes a while... please be patient and let it finish.
  • Once the files have been downloaded, click on the ... button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the ... button, if you made any changes.
  • Now under the Scan section on the left: Select My Computer
  • The program will start and scan your system. This will run for a while, be patient... let it run.
    Once the scan is complete, it will display if your system has been infected.
  • Save the scan results as a Text file and save it to your desktop.
  • Copy and paste the saved scan results file in your next reply.


#12 TechDisciple


Posted 30 September 2009 - 09:53 PM

OK, I will post back with the online Kaspersky scan log tomorrow. Thanks.


#13 quietman7


Posted 01 October 2009 - 08:28 AM

Not a problem.

#14 TechDisciple


Posted 01 October 2009 - 02:11 PM

Here is everything from the Kaspersky scan.

I took all the pics and the log of the infected paths.

not-a-virus:Client-IRC.Win32.mIRC.g
not-a-virus:AdWare.Win32.MyWay.j
not-a-virus:AdWare.Win32.MyWay.j
not-a-virus:Client-IRC.Win32.mIRC.g

KASPERSKY ONLINE SCANNER 7.0: scan report
Thursday, October 1, 2009
Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Thursday, October 01, 2009 17:23:03
Records in database: 2938617


Scan settings
scan using the following database extended
Scan archives yes
Scan e-mail databases yes

Scan area My Computer
A:\
C:\
D:\
E:\
F:\

Scan statistics
Objects scanned 58444
Threats found 2
Infected objects found 4
Suspicious objects found 0
Scan duration 01:48:16

File name Threat Threats count
C:\Documents and Settings\Owner.USER-CA9ACF7832\Application Data\Auslogics\Rescue\One Button Checkup\090905000126843.rsc Infected: not-a-virus:Client-IRC.Win32.mIRC.g 1

C:\Documents and Settings\Owner.USER-CA9ACF7832\DoctorWeb\Quarantine\A0005691.EXE Infected: not-a-virus:AdWare.Win32.MyWay.j 1

C:\Documents and Settings\Owner.USER-CA9ACF7832\DoctorWeb\Quarantine\WxBugSetup60b6.04.0.9m.EXE Infected: not-a-virus:AdWare.Win32.MyWay.j 1

C:\System Volume Information\_restore{98B060A4-3649-41BB-8E21-65708EB02B74}\RP8\A0002700.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.g 1

Selected area has been scanned.







The settings before scanning (screenshot).

Scan results (screenshots).

I think I know how I got infected: it was by an mIRC client I downloaded some time back, like a month ago, but I got rid of it because I wasn't using it.

Edited by TechDisciple, 01 October 2009 - 02:19 PM.


#15 quietman7


Posted 01 October 2009 - 02:32 PM

Malwarebytes Anti-Malware has a built-in FileAssassin feature for removing stubborn malware or other malicious files that it did not detect. You can use it to delete the threats in your Documents and Settings Folder.
  • Go to the "More Tools" tab and click on the "Run Tool" button
  • Browse to the location of the file(s) to remove using the drop down box next to "Look in:" at the top.
  • When you find the file, click on it to highlight, then select Open.
  • You will be prompted with a message warning: This file will be permanently deleted. Are you sure you want to continue?. Click Yes.
  • If removal did not require a reboot, you will receive a message indicating the file was deleted successfully.
  • Click Ok and exit MBAM.
  • If prompted to reboot, then do so immediately.
-- If the file returns, then you probably have other malware on your system which is protecting or regenerating it.

Caution: Be careful what you delete. FileAssassin is a powerful program, designed to move highly persistent files. Using it incorrectly could lead to serious problems with your operating system.



Then you will need to create another new restore point and purge the old to remove those detected files in the SVI folder.

Edited by quietman7, 01 October 2009 - 02:33 PM.

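To apply the triage quietman7 lays out in this reply and the earlier ones (restore-point backups versus files already in another tool's quarantine versus live files) to a scan log, here is an added Python example that is not from the thread, from Malwarebytes or from Kaspersky: it reads MBAM-style and Kaspersky-style detection lines, checks the database version against the 2871 quoted above, and says which removal path each finding needs. The log text, paths, quarantine folder names and GUID are constructed placeholders.

```python
import re
from dataclasses import dataclass

# Constructed log text (not the logs posted in the thread): an MBAM-style
# header and three MBAM-style detections, then one Kaspersky-style line.
# The GUID is an all-zero placeholder and every path is invented.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.41
Database version: 2847

Files Infected:
C:\System Volume Information\_restore{00000000-0000-0000-0000-000000000000}\RP899\A0611804.exe (Backdoor.PcClient) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\DoctorWeb\Quarantine\A0005691.EXE (Adware.MyWay) -> No action taken.
C:\Documents and Settings\Owner\Application Data\Example\updater.exe (Trojan.Agent) -> No action taken.
C:\Documents and Settings\Owner\Application Data\Example\client.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.g 1
"""

LATEST_DB_VERSION = 2871   # the version quietman7 quotes above; raise as needed

# Restore-point backup: _restore{GUID}\RP<n>\A<n>.<ext> under System Volume Information
SVI_RE = re.compile(
    r"^[A-Z]:\\System Volume Information\\_restore\{[0-9A-F-]{36}\}\\RP(\d+)\\A\d+\.\w+$",
    re.IGNORECASE,
)
# Folders where another tool has already isolated the file (assumed folder names)
QUARANTINE_DIRS = ("\\doctorweb\\quarantine\\", "\\malwarebytes' anti-malware\\quarantine\\")
# "<path> (<name>) -> <action>" as MBAM writes it
MBAM_RE = re.compile(r"^(?P<path>[A-Z]:\\.+?) \((?P<name>[^()]+)\) -> (?P<action>.+)$")
# "<path> Infected: <name> <count>" as the Kaspersky online scanner writes it
KAV_RE = re.compile(r"^(?P<path>[A-Z]:\\.+?)\s+Infected: (?P<name>\S+)\s+\d+$")


@dataclass
class Finding:
    path: str
    name: str
    action: str
    location: str   # "restore_point", "quarantine" or "live"
    advice: str


def classify_path(path):
    """Return (location, advice) for one detected file path."""
    m = SVI_RE.match(path)
    if m:
        return ("restore_point", f"backup in restore point RP{m.group(1)}; inert unless "
                "restored, so create a new restore point and purge the old ones")
    if any(d in path.lower() for d in QUARANTINE_DIRS):
        return ("quarantine", "already isolated by another scanner; clear that tool's quarantine")
    return ("live", "live file; remove it (FileAssassin if it resists) and rescan")


def parse_log(text):
    """Return (database_version, [Finding, ...]) from MBAM- or Kaspersky-style text."""
    db_version, findings = None, []
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("Database version:"):
            db_version = int(line.split(":", 1)[1])
            continue
        m = MBAM_RE.match(line) or KAV_RE.match(line)
        if m:
            action = m.groupdict().get("action") or "reported only"   # KAV has no action
            location, advice = classify_path(m["path"])
            findings.append(Finding(m["path"], m["name"], action, location, advice))
    return db_version, findings


def database_outdated(db_version, latest=LATEST_DB_VERSION):
    """True when the log came from definitions older than `latest` (or none found)."""
    return db_version is None or db_version < latest


if __name__ == "__main__":
    version, found = parse_log(SAMPLE_LOG)
    if database_outdated(version):
        print(f"database {version} is outdated (latest known {LATEST_DB_VERSION}): update, rescan")
    for f in found:
        print(f"[{f.location}] {f.name}: {f.advice}")
```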



