Internet Security 2010 [Moved from HJT]


14 replies to this topic

#1 whealthy

whealthy

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:09:13 PM

Posted 26 January 2010 - 01:53 PM

Hello,

I have apparently been infected with the Internet Security 2010 malware.
I have tried to run rkill.com. I loaded it on a flash drive, and IS2010 deletes it before I can get to it. I renamed it before plugging in the drive, and it still isn't there when I can get to the drive. I finally renamed it, put it on a CD-RW, copied it to the Desktop and managed to get it started. I got to the "Terminating known Malware processes. Please be patient." prompt, and it blinked for about 5 minutes and locked up.

I have been unable to run the DDS.scr and the Root Repeal starts but goes back to Initialize and stays there.

I can't do much in normal mode, and the malware has taken over Safe Mode as well. I have been unable to run any of the standard malware removers except for AVG in Safe Mode. AVG found something, but I couldn't get back into Windows after that, so I reverted to the Last Working Configuration.

I am running Windows XP SP3.

Any help would be greatly appreciated. :thumbsup:

Thanks.

Edited by whealthy, 26 January 2010 - 08:42 PM.




#2 whealthy


Posted 26 January 2010 - 02:39 PM

I have gotten a renamed rkill.com onto the desktop and got it to load. I get a message that says "Application cannot be executed. The file is infected...." I don't do anything to the rkill box, just leave it there...

rkill gets to the same point as stated earlier: the prompt blinks for several minutes and then the command prompt box disappears. It doesn't show anything other than a blinking prompt the whole time it is up. Tried to load Malwarebytes after the box disappeared but couldn't.

Edited by whealthy, 26 January 2010 - 02:40 PM.


#3 whealthy


Posted 26 January 2010 - 03:19 PM

I am currently running the Avira AntiVir Rescue CD and asked it to repair infected files or rename them.
So far it has said it has found a file called winhlp64.exe in the Local Settings\Temp directory and says it is the Trojan horse TR/Crypt.CFI.Gen. It was unable to remove it but was able to rename it.
Found another, dmload.sys in the system32\drivers folder, which it says is the TR/Trash.Gen Trojan horse. Renamed.

Has detected patterns of the JavaScript virus JS/FakeAlert.btq and the HTML script virus HTML/Malicious.PDF.Gen.

Has found the TR/FraudPack.afwz Trojan horse in the System Volume directory.

Has detected a few instances of TR/Crypt.XPACK.Gen in .dll files in the system32 directory.

Has detected the Trojan horses TR/Fake.IntelinetSm and TR/Fake.Intelinet.A.

Edited by whealthy, 26 January 2010 - 04:11 PM.


#4 whealthy


Posted 26 January 2010 - 05:55 PM

Rebooted after scan to Safe Mode. No difference. Can't run rkill.com at all now.
Running AVG again in Safe Mode.

Any ideas anyone?

Thanks.

#5 whealthy


Posted 26 January 2010 - 07:19 PM

Avira & AVG must have done enough to knock something down. I managed to get a renamed Malwarebytes to run and get rid of a lot of the infections. I ran it in Safe Mode with an updated rules.ref copied from another computer. I have been trying to run Malwarebytes in Normal mode and it won't run. I have been trying to uninstall it so I could do a fresh install, and it just hangs in the Uninstall status window. I started rkill.com in case something is still running, but it appears Windows has locked up...

#6 GarciaFan

GarciaFan

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:12:13 AM

Posted 26 January 2010 - 07:52 PM

I am dealing with this SAME virus myself as we speak. Let me post what has worked for me so far.

#7 GarciaFan


Posted 26 January 2010 - 07:57 PM

Do you still have internet access? We lost ours once the virus attacked the computer and have yet to get it back, so I have been doing the same things that you are, such as putting Malwarebytes onto a disc on my laptop and then loading it from the disc on the affected one.

If you do not have internet, this is what you can try. PC Pitstop helped me out with this.


Open a command prompt: from the Start menu, select Run, and in the Open field enter cmd.exe.

Type ipconfig /flushdns and press Enter (note that there is a space between the 'g' and the '/').


Next,
Download the HostsXpert 4.3 - Hosts File Manager. Use your computer and copy this .zip folder to a CD

On the infected machine, make a new folder by right clicking on C:\ and selecting "New"

* Unzip HostsXpert 4.3 - Hosts File Manager to the new folder such as C:\HostsXpert
* Click HostsXpert.exe to Run HostsXpert 4.3 - Hosts File Manager from its new home
* Click "Make Hosts Writable?" in the upper right corner (If available).
* Click Restore Microsoft's Hosts file and then click OK.
* Click the X to exit the program.


For manual removal you can do the following and this WORKED for me. I am still just having problems gaining access to the internet again but the pop ups, fake warnings and such are gone.

Read the manual removal instructions here
http://www.bleepingcomputer.com/virus-remo...t-security-2010

Reboot into safe mode:
Restart the computer
Immediately begin tapping the <F8> key.
Use the arrow keys to highlight Safe Mode and press the <Enter> key.

Show Hidden Files and Folders
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Delete any of the files (if found) that the tutorial shows:
Associated Internet Security 2010 Files:

c:\s
c:\Program Files\InternetSecurity2010
c:\Program Files\InternetSecurity2010\IS2010.exe
c:\WINDOWS\system32\41.exe
c:\WINDOWS\system32\winhelper86.dll
c:\WINDOWS\system32\winlogon86.exe
c:\WINDOWS\system32\winupdate86.exe
%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Security 2010.lnk
%UserProfile%\Desktop\Internet Security 2010.lnk
%UserProfile%\Start Menu\Internet Security 2010.lnk


Associated Internet Security 2010 Windows Registry Information:

HKEY_CURRENT_USER\Software\IS2010
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Internet Security 2010"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "winupdate86.exe"


You will have to use 'regedit' to get to the keys above. If you can't use regedit on that machine, then download the free 'lite' version from http://www.resplendence.com/downloads

#8 whealthy


Posted 26 January 2010 - 08:35 PM

I have internet access and all of the popups have disappeared, but I can't get Malwarebytes to run again. I have tried to uninstall it, but that won't work.

I have managed to run the dds.scr script if anyone would like to look at the logs, but RootRepeal still hangs.

Edited by whealthy, 26 January 2010 - 10:18 PM.


#9 whealthy


Posted 26 January 2010 - 10:22 PM

I have got Malwarebytes to run again by renaming it, but it hangs. It finds two references to Rootkit but hangs when it gets to finding a third, in both Normal and Safe Mode. It looks like RootRepeal is finally going to run. I have it running in Safe Mode and changed a setting that said it would only run on SCSI drives...?

Root Repeal locked up. I am having problems with any program that runs for more than a few minutes locking up...

Edited by whealthy, 26 January 2010 - 10:47 PM.


#10 whealthy


Posted 26 January 2010 - 10:50 PM

Here is my dds.txt file:


DDS (Ver_09-12-01.01) - NTFSx86
Run by Brook at 17:07:43.56 on Tue 01/26/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2527.1963 [GMT -8:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
e:\Program Files\AVG\AVG9\avgchsvx.exe
svchost.exe
e:\Program Files\AVG\AVG9\avgrsx.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
E:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\PROGRA~1\Lenovo\LENOVO~1\LPMGR.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Lenovo\Rescue and Recovery\UpdateMonitor.exe
C:\Program Files\LENOVO\Message Center Plus\MCPLaunch.exe
c:\program files\lenovo\system update\suservice.exe
E:\PROGRA~1\AVG\AVG9\avgtray.exe
E:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Rocket Software\Rocket Mobile & Security Apps\MobileCenter.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Brook\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://digihug.com/brownboard/viewforum.php?f=2
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - e:\program files\orbitdownloader\orbitcth.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - e:\program files\avg\avg9\avgssie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - e:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\4.1.805.4472\swg.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - e:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - e:\program files\orbitdownloader\GrabPro.dll
TB: Lenovo ThinkVantage Toolbox: {86b9b5dd-fb75-4035-bd52-3c94f7849caf} - c:\program files\pc-doctor\ATLPcdToolbar544928.dll
TB: {724D43A0-0D85-11D4-9908-00400523E39A} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - e:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [RocketAppCenter.exe] "e:\program files\rocket software\rocket mobile & security apps\MobileCenter.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [DiskeeperSystray] "e:\program files\diskeeper corporation\diskeeper\DkIcon.exe"
mRun: [TVT Scheduler Proxy] c:\program files\common files\lenovo\scheduler\scheduler_proxy.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [SoundMAX] "c:\program files\analog devices\soundmax\Smax4.exe" /tray
mRun: [LPManager] c:\progra~1\lenovo\lenovo~1\LPMGR.exe
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Message Center Plus] c:\program files\lenovo\message center plus\MCPLaunch.exe /start
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [AVG9_TRAY] e:\progra~1\avg\avg9\avgtray.exe
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [GrooveMonitor] "e:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [QuickTime Task] "e:\program files\quicktime\qttask.exe" -atboottime
IE: &Download by Orbit - e:\program files\orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - e:\program files\orbitdownloader\orbitmxt.dll/204
IE: Append to existing PDF - e:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - e:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - e:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - e:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - e:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - e:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - e:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - e:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Do&wnload selected by Orbit - e:\program files\orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - e:\program files\orbitdownloader\orbitmxt.dll/202
IE: E&xport to Microsoft Excel - e:\progra~1\micros~1\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - e:\progra~1\micros~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - e:\progra~1\micros~1\office12\REFIEBAR.DLL
Trusted Zone: turbotax.com
DPF: {00140000-B1BA-11CE-ABC6-F5B2E79D9E3F} - file:///F:/LTOCX14N.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {2DAD3559-2923-4935-AD49-B673D2539944} - hxxp://download.boulder.ibm.com/ibmdl/pub/pc/pccbbs/bp_pc/acpir.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1264094068209
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
TCP: {6AF204F5-3829-4FEB-8B2D-B0FB89A41371} = 208.67.222.222,208.67.220.220
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - e:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - e:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - e:\program files\microsoft office\office12\GrooveShellExtensions.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\jkkJdCTm

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\brook\applic~1\mozilla\firefox\profiles\mcssuo9e.default\
FF - prefs.js: browser.startup.homepage - hxxp://digihug.com/brownboard/viewforum.php?f=2
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - e:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - e:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - e:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - e:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - e:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
e:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
e:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
e:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
e:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
e:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
e:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
e:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
e:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
e:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
e:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
e:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
e:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
e:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
e:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
e:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
e:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
e:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
e:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
e:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
e:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
e:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================


==================== Find3M ====================


============= FINISH: 17:08:48.25 ===============
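The dds.txt above is the kind of log a responder reads for persistence and hijack entries, and the file and registry artifacts GarciaFan quoted in post #7 are the indicators to match against it. As an added example that is not part of any post, of DDS or of BleepingComputer, the Python below triages the "Pseudo HJT Report" section for those indicators: a WinINet proxy aimed at the local host, an extra LSA authentication package, Run entries whose value name or binary is on the post #7 list, orphaned BHO/toolbar CLSIDs, ActiveX (DPF) controls sourced from file:// paths, and any other line naming a post #7 file path. The embedded SAMPLE_LOG is copied from the posted log except for two constructed lines (the winupdate86.exe process and mRun entries, built from post #7's list so the Run-key check has something to hit); the checks, severities and helper names are this example's own, not DDS output categories.

```python
"""Triage of a DDS "Pseudo HJT Report" for rogue-AV hijack and persistence lines.

Added example for this thread, not code from the posters, DDS or BleepingComputer.
Artifact sets come from the removal list quoted in post #7; the checks and
severities are this example's own.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# File artifacts quoted in post #7, lower-cased because DDS prints paths that way.
IS2010_FILE_ARTIFACTS = {
    r"c:\program files\internetsecurity2010\is2010.exe",
    r"c:\windows\system32\41.exe",
    r"c:\windows\system32\winhelper86.dll",
    r"c:\windows\system32\winlogon86.exe",
    r"c:\windows\system32\winupdate86.exe",
}
# Run value names quoted in post #7 (HKCU and HKLM ...\CurrentVersion\Run).
IS2010_RUN_VALUE_NAMES = {"internet security 2010", "winupdate86.exe"}
# The only package Windows XP registers under LSA\Authentication Packages by default.
DEFAULT_LSA_AUTH_PACKAGES = {"msv1_0"}
RUN_RE = re.compile(r"^[um]Run:\s+\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$", re.I)


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" | "medium" | "low"
    line: str
    reason: str


def _value(text: str) -> str:
    """Right-hand side of a 'key = value' DDS line ('' when there is none)."""
    return text.partition(" = ")[2].strip()


def _exe_path(cmd: str) -> str:
    """Executable path of a Run command, without surrounding quotes or arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end if end > 0 else None].lower()
    return cmd.split(" ", 1)[0].lower()


def check_line(line: str) -> list[Finding]:
    """Apply each indicator check to one DDS line; return its findings (often none)."""
    text = line.strip()
    low = text.lower()
    found: list[Finding] = []
    # 1. WinINet proxy aimed at the local host: the rogue puts a listener in every
    #    browser's path, and once that process is killed nothing connects any more.
    if low.startswith("uinternet settings,proxyserver"):
        for entry in _value(text).split(";"):  # "http=host:port;https=..." or "host:port"
            hostport = entry.split("=", 1)[-1].strip()
            if hostport.rsplit(":", 1)[0] in ("127.0.0.1", "localhost", "::1"):
                found.append(Finding("high", text, f"browser proxy hijacked to local listener {hostport}"))
    # 2. Extra LSA authentication package: a DLL that lsass.exe loads at boot.
    elif low.startswith("lsa: authentication packages"):
        for pkg in _value(text).split():
            if pkg.lower() not in DEFAULT_LSA_AUTH_PACKAGES:
                found.append(Finding("high", text, f"non-default LSA authentication package {pkg}"))
    # 3. Run keys whose value name or binary is on the post #7 list.
    elif (m := RUN_RE.match(text)):
        if (m.group("name").lower() in IS2010_RUN_VALUE_NAMES
                or _exe_path(m.group("cmd")) in IS2010_FILE_ARTIFACTS):
            found.append(Finding("high", text, "Internet Security 2010 autorun entry"))
    # 4. BHO/toolbar CLSIDs whose DLL is gone: not live code, but leftovers to remove.
    elif low.startswith(("bho:", "tb:")) and low.endswith("- no file"):
        found.append(Finding("low", text, "orphaned browser extension registration"))
    # 5. ActiveX (DPF) control installed from a file:// path rather than a vendor URL.
    elif low.startswith("dpf:") and "file:///" in low:
        found.append(Finding("medium", text, "ActiveX control sourced from a file:// path"))
    # 6. Any other line (running process, service, driver) naming an artifact path.
    elif any(path in low for path in IS2010_FILE_ARTIFACTS):
        found.append(Finding("high", text, "known Internet Security 2010 file path"))
    return found


def triage(log: str) -> list[Finding]:
    """Run check_line over a whole DDS log and return the findings in log order."""
    return [f for line in log.splitlines() for f in check_line(line)]


# Copied from the dds.txt posted above, except the winupdate86.exe process line and
# mRun line, which are constructed from post #7's artifact list so that check 3 fires.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\winupdate86.exe
uInternet Settings,ProxyServer = http=127.0.0.1:5555
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
TB: {724D43A0-0D85-11D4-9908-00400523E39A} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [winupdate86.exe] c:\windows\system32\winupdate86.exe
mRun: [AVG9_TRAY] e:\progra~1\avg\avg9\avgtray.exe
DPF: {00140000-B1BA-11CE-ABC6-F5B2E79D9E3F} - file:///F:/LTOCX14N.cab
LSA: Authentication Packages = msv1_0 c:\windows\system32\jkkJdCTm
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:>6}] {f.reason}\n         {f.line}")
```

Run against the log as posted, two lines deserve attention regardless of how many scanner passes report "no infections": the ProxyServer value of 127.0.0.1:5555 will leave every browser unable to connect for as long as the proxy stays enabled and nothing listens on that port (clearing the proxy in Internet Options restores access without touching anything else), and the second token on the LSA Authentication Packages line names a DLL that lsass.exe loads at boot, which should be identified or removed before the machine is called clean. The orphaned BHO/TB entries and the DPF loaded from F:\ are housekeeping, not infection, and are ranked accordingly.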

#11 whealthy


Posted 26 January 2010 - 11:33 PM

Root Repeal locked up after getting through the Files scan.
Definitely haven't removed everything. Can't get most other malware programs to run.
A strange thing happens every once in a while... it sounds like a TV commercial comes on over the speakers.
No browser is open, and I don't have a tuner hooked up to my computer. A Listerine commercial just came on....
I did see that Root Repeal said it found some .dll files in the system32 folder that the Windows API couldn't see...

#12 whealthy


Posted 27 January 2010 - 01:14 AM

I ran rkill.com and it showed the prompt and nothing else for half an hour. While it was running I finally got MalwareBytes to complete a run. It found four infections. I ran this in Safe Mode. Immediately started another run in Normal mode and it has found the same infections. It obviously isn't finding everything.

Edited by whealthy, 27 January 2010 - 01:16 AM.


#13 whealthy


Posted 27 January 2010 - 01:58 AM

Completed that last run of Malwarebytes, and Windows decided it had to do a checkdisk on boot up. Then the computer went through a reboot loop a couple of times halfway through the checkdisk. It finally booted into Windows and I ran Malwarebytes again. This time it found 11 infections. It wanted to run the checkdisk again as it rebooted, and I stopped it. Will run Malwarebytes again...

#14 whealthy


Posted 27 January 2010 - 02:05 AM

Ran MalwareBytes, NO Infections. Doing a full scan now.

#15 whealthy


Posted 27 January 2010 - 07:03 PM

Computer is booting fine into Windows normal mode, MalwareBytes finds no infections... The other anti-malware and AVG run. No lock ups...
I survived. :thumbsup: :flowers:

Edited by whealthy, 27 January 2010 - 07:05 PM.




