
Odd behavior - Very Slow or incomplete web page loading etc.


  • This topic is locked
14 replies to this topic

#1 stanpatpick

Posted 07 April 2010 - 07:08 AM

Odd behavior - Slow or incomplete web page loading; IE7 opens by itself and tries to get to two or three pages on its own; two instances of IE7 (which I didn't open) show up in the task list at the same time, but I can't see them.

Something is going on but I don't understand what it is.

I have run various removal software, including Malwarebytes, SuperAntiSpyware, MS Essentials, Spybot S&D, Spyware Blaster and Sophos rootkit detection, in the last few days, but these have not returned my system to normal browsing behavior (quick and smooth on a 16 meg cable connection).

I have tried running System File Checker but I don't think it helped. I don't know if it finished normally; it just seemed to stop requesting the XP CD without saying it had finished.

I need help and a systematic way to cure this system.

Any help appreciated.


 


#2 quietman7 (Global Moderator)

Posted 07 April 2010 - 07:29 AM

Try resetting Internet Explorer. Doing this will reset the browser back to the way it was when initially installed.

Reset Internet Explorer Settings in XP or Vista using the automatic Fix it button in the instructions provided by Microsoft on that page. To manually reset the settings do this:
  • Exit all programs, including Internet Explorer (if it is running).
  • Click Start > Run..., and in the Open box, type: inetcpl.cpl
  • Click OK or press Enter.
  • If using Vista, click Start and type inetcpl.cpl in the Start Search box, and then press Enter.
The Internet Options dialog box appears.
  • Click the Advanced tab.
  • Under "Reset Internet Explorer settings", click Reset. Then click Reset again.
  • When Internet Explorer finishes resetting the settings, click Close in the "Reset Internet Explorer Settings" dialog box.
  • Start Internet Explorer again.
  • Instructions with screenshots if needed.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 stanpatpick (Topic Starter)

Posted 07 April 2010 - 11:02 AM

OK.

IE7 has been reset.

IE7 now opens by itself and tries to load 4 or 5 webpages by itself.

A scan with malwarebytes found gootkit and tried removal after reboot.

A second scan found 2 items again but I didn't get to see what they were because malwarebytes locked up before finishing.

Some of the slowness is better.

What should I do next?

Edited by stanpatpick, 07 April 2010 - 11:14 AM.


#4 quietman7 (Global Moderator)

Posted 07 April 2010 - 12:19 PM

Please post the complete results of your MBAM scan for review.

To retrieve the Malwarebytes Anti-Malware scan log information, launch MBAM.
  • Click the Logs Tab at the top.
    • The log will be named by the date of scan in the following format: mbam-log-date(time).txt
      -- If you have previously used MBAM, there may be several logs showing in the list.
  • Click on the log name to highlight it.
  • Go to the bottom and click on Open.
  • The log should automatically open in notepad as a text file.
  • Go to Edit and choose Select all.
  • Go back to Edit and choose Copy or right-click on the highlighted text and choose Copy from there.
  • Come back to this thread, click Add Reply, then right-click and choose Paste.
  • Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Logs are saved to the following locations:
-- In XP: C:\Documents and Settings\<Username>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs
-- In Vista: C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\Logs


#5 stanpatpick (Topic Starter)

Posted 07 April 2010 - 03:58 PM

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3965

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

4/7/2010 4:45:05 PM
mbam-log-2010-04-07 (16-45-05).txt

Scan type: Full scan (J:\|K:\|)
Objects scanned: 438512
Time elapsed: 42 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 22

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
J:\WINDOWS\system32\msxsltsso.dll (Trojan.GootKit) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\AGprotect (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\gootkitsso (Trojan.GootKit) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
J:\WINDOWS\system32\msxsltsso.dll (Trojan.GootKit) -> Delete on reboot.
J:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\2GN5RZMN\grabber[1].exe (Spyware.Passwords) -> Quarantined and deleted successfully.
J:\Documents and Settings\Stanley P. Pickens\Local Settings\Temp\gtk5.tmp (Spyware.Passwords) -> Quarantined and deleted successfully.
J:\Documents and Settings\Stanley P. Pickens\Local Settings\Temp\gtk6.tmp (Spyware.Passwords) -> Quarantined and deleted successfully.
J:\Documents and Settings\Stanley P. Pickens\Local Settings\Temp\gtk7.tmp (Spyware.Passwords) -> Quarantined and deleted successfully.
J:\Documents and Settings\Stanley P. Pickens\Local Settings\Temp\gtk8.tmp (Spyware.Passwords) -> Quarantined and deleted successfully.
J:\Documents and Settings\Stanley P. Pickens\Local Settings\Temp\gtkB4B.tmp (Spyware.Passwords) -> Quarantined and deleted successfully.
J:\Documents and Settings\Stanley P. Pickens\Local Settings\Temp\gtkE.tmp (Spyware.Passwords) -> Quarantined and deleted successfully.
J:\Documents and Settings\Stanley P. Pickens\Local Settings\Temporary Internet Files\Content.IE5\RSPFCO01\grabber[1].exe (Spyware.Passwords) -> Quarantined and deleted successfully.
J:\lx76hfcxb\Target\LiveXP\i386\System32\deskadp.dll (Malware.Packer.Gen) -> Quarantined and deleted successfully.
J:\lx76hfcxb\Target\LiveXP\i386\System32\deskmon.dll (Trojan.Agent) -> Quarantined and deleted successfully.
J:\System Volume Information\_restore{B8627E55-95F9-4F39-B8D3-AFA49F968ADA}\RP853\A0140051.dll (Trojan.GootKit) -> Quarantined and deleted successfully.
J:\System Volume Information\_restore{B8627E55-95F9-4F39-B8D3-AFA49F968ADA}\RP854\A0140443.dll (Trojan.GootKit) -> Quarantined and deleted successfully.
J:\System Volume Information\_restore{B8627E55-95F9-4F39-B8D3-AFA49F968ADA}\RP854\A0141479.dll (Trojan.GootKit) -> Quarantined and deleted successfully.
J:\WINDOWS\Temp\gtk10.tmp (Spyware.Passwords) -> Quarantined and deleted successfully.
J:\WINDOWS\Temp\gtk11.tmp (Spyware.Passwords) -> Quarantined and deleted successfully.
J:\WINDOWS\Temp\gtk2.tmp (Spyware.Passwords) -> Quarantined and deleted successfully.
J:\WINDOWS\Temp\gtk3.tmp (Spyware.Passwords) -> Quarantined and deleted successfully.
J:\WINDOWS\Temp\gtk4.tmp (Spyware.Passwords) -> Quarantined and deleted successfully.
J:\WINDOWS\Temp\gtk5.tmp (Spyware.Passwords) -> Quarantined and deleted successfully.
J:\WINDOWS\Temp\gtk6.tmp (Spyware.Passwords) -> Quarantined and deleted successfully.
K:\Installed Downloads Beginning 02072008\OPERATING SYSTEMS\kf151\keyfinder.exe (Application.FindKey) -> Quarantined and deleted successfully.

#6 quietman7 (Global Moderator)

Posted 07 April 2010 - 04:09 PM

Your Malwarebytes Anti-Malware log indicates some files will be deleted on reboot. If MBAM encounters a file that is difficult to remove, you need to restart the computer so the malware can be fully removed. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. If you have not rebooted, make sure you do this. When done, rescan again with MBAM (Quick Scan) in normal mode and check all items found for removal. Don't forget to check for database definition updates through the program's interface (preferable method) before scanning. Then click the Logs tab and copy/paste the contents of the new report in your next reply. If you did reboot, then rescan again anyway and post a new log.

Please download TFC (Temp File Cleaner) by Old Timer and save it to your desktop.
alternate download link
  • Save any unsaved work. TFC will close ALL open programs including your browser!
  • Double-click on TFC.exe to run it. If you are using Vista, right-click on the file and choose Run As Administrator.
  • Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
  • TFC will clear out all temp folders for all user accounts (temp, IE temp, Java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder.
  • Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.
Note: It is normal for the computer to be slow to boot after running TFC cleaner the first time.

Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
    For instructions with screenshots, please refer to the How to use SUPERAntiSpyware to scan and remove malware from your computer Guide.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If it will not start, go to Start > All Programs > SUPERAntiSpyware and click on Alternate Start.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
-- If you cannot boot into safe mode or complete a scan, then perform your scan in normal mode.

-- If you have a problem downloading, installing or getting SAS to run, try downloading and using the SUPERAntiSpyware Portable Scanner instead. Save the randomly named file (i.e. SAS_1710895.COM) to a usb drive or CD and transfer to the infected computer. Then double-click on it to launch and scan. The file is randomly named to help keep malware from blocking the scanner.

#7 stanpatpick (Topic Starter)

Posted 10 April 2010 - 09:12 AM

I could not get into safe mode.

So far the improvements seem to be

Malwarebytes updates and seems to run normally.
SuperAntiSpyware finishes scanning without causing the PC to reboot.
The icons I normally see in my task bar have reappeared.
Browser response is improving some.

BUT... ( This is an observation and not a complaint )

after multiple runs of the cycle of mbam,tfc, and sas

the gootkit thing can still be detected by MBAM.
I can't boot into safe mode.
And unless Windows Live Messenger (resident but not connected) makes it start up, I still have an unexplained instance of IE7 - at least I don't understand why it would be in the process list and not in the running applications list.

Thanks for the help so far.

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3973

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

4/10/2010 8:19:41 AM
mbam-log-2010-04-10 (08-19-41).txt

Scan type: Quick scan
Objects scanned: 108639
Time elapsed: 31 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
J:\WINDOWS\system32\msxsltsso.dll (Trojan.GootKit) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\AGprotect (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\gootkitsso (Trojan.GootKit) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
J:\WINDOWS\system32\msxsltsso.dll (Trojan.GootKit) -> Delete on reboot.
J:\Documents and Settings\Stanley P. Pickens\Local Settings\Temp\gtk3.tmp (Spyware.Passwords) -> Quarantined and deleted successfully.
J:\WINDOWS\Temp\gtk4.tmp (Spyware.Passwords) -> Quarantined and deleted successfully.
J:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\NJ6UKHAO\grabber[1].exe (Spyware.Passwords) -> Quarantined and deleted successfully.
J:\Documents and Settings\Stanley P. Pickens\Local Settings\Temporary Internet Files\Content.IE5\3F7U00VS\grabber[1].exe (Spyware.Passwords) -> Quarantined and deleted successfully.
*********************************************************************************************************************************

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/10/2010 at 09:48 AM

Application Version : 4.35.1002

Core Rules Database Version : 4786
Trace Rules Database Version: 2598

Scan type : Complete Scan
Total Scan Time : 00:30:40

Memory items scanned : 539
Memory threats detected : 1
Registry items scanned : 6693
Registry threats detected : 27
File items scanned : 94029
File threats detected : 3

Adware.Vundo Variant
J:\WINDOWS\SYSTEM32\MSXSLTSSO.DLL
J:\WINDOWS\SYSTEM32\MSXSLTSSO.DLL
HKLM\Software\Classes\CLSID\{0D65D8A5-8A26-4112-933B-85FAA1A45F7A}
HKCR\CLSID\{0D65D8A5-8A26-4112-933B-85FAA1A45F7A}
HKCR\CLSID\{0D65D8A5-8A26-4112-933B-85FAA1A45F7A}\InProcServer32
HKLM\Software\Classes\CLSID\{66C2B634-21BC-40B9-934C-9DEDF6903F8D}
HKCR\CLSID\{66C2B634-21BC-40B9-934C-9DEDF6903F8D}
HKCR\CLSID\{66C2B634-21BC-40B9-934C-9DEDF6903F8D}\InProcServer32
HKLM\Software\Classes\CLSID\{8088753E-FC37-4F23-BF36-AECDEDB90436}
HKCR\CLSID\{8088753E-FC37-4F23-BF36-AECDEDB90436}
HKCR\CLSID\{8088753E-FC37-4F23-BF36-AECDEDB90436}\InProcServer32
HKLM\Software\Classes\CLSID\{9EC4DACE-B58B-4D3F-9B3F-FEAAED0F89A5}
HKCR\CLSID\{9EC4DACE-B58B-4D3F-9B3F-FEAAED0F89A5}
HKCR\CLSID\{9EC4DACE-B58B-4D3F-9B3F-FEAAED0F89A5}\InProcServer32
HKLM\Software\Classes\CLSID\{BAC38E82-08FF-425D-9DCF-92E0AA93B56F}
HKCR\CLSID\{BAC38E82-08FF-425D-9DCF-92E0AA93B56F}
HKCR\CLSID\{BAC38E82-08FF-425D-9DCF-92E0AA93B56F}\InProcServer32
HKLM\Software\Classes\CLSID\{BAE802BA-8DF4-47DD-A347-362E40BE8280}
HKCR\CLSID\{BAE802BA-8DF4-47DD-A347-362E40BE8280}
HKCR\CLSID\{BAE802BA-8DF4-47DD-A347-362E40BE8280}\InProcServer32
HKLM\Software\Classes\CLSID\{CA9F443E-7F36-4A24-B354-E9389A260BC0}
HKCR\CLSID\{CA9F443E-7F36-4A24-B354-E9389A260BC0}
HKCR\CLSID\{CA9F443E-7F36-4A24-B354-E9389A260BC0}\InProcServer32
HKLM\Software\Classes\CLSID\{E6D6D4EA-06FA-4A06-9064-907ABDDEB497}
HKCR\CLSID\{E6D6D4EA-06FA-4A06-9064-907ABDDEB497}
HKCR\CLSID\{E6D6D4EA-06FA-4A06-9064-907ABDDEB497}\InProcServer32
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad#GootkitSSO

Adware.Tracking Cookie
J:\Documents and Settings\Stanley P. Pickens\Cookies\stanley_p._pickens@atdmt[2].txt
J:\Documents and Settings\LocalService\Cookies\system@ads.bridgetrack[2].txt

Trojan.Agent/Gen
HKLM\Software\AGProtect
HKLM\Software\AGProtect#Cfg

Edited by stanpatpick, 10 April 2010 - 09:16 AM.
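The MBAM log in post #5 and the SUPERAntiSpyware log above point at the same launch point: a value under HKLM\...\ShellServiceObjectDelayLoad (gootkitsso) names a CLSID, that CLSID's InProcServer32 names MSXSLTSSO.DLL, and Explorer loads whatever an SSODL entry resolves to at every logon. The following is an added example, not code from the thread or from either vendor, that audits every SSODL entry the same way on the machine it runs on: it resolves each CLSID to its DLL, checks that the file exists, reads its Authenticode signature, and gives a verdict. The allow-list of expected DLLs is an assumption for a stock XP/Vista image and should be tuned; the signer column is informational because most OS files are catalog-signed and older PowerShell reports them as NotSigned.

```powershell
# Added example, not from the thread: audit ShellServiceObjectDelayLoad (SSODL)
# persistence. Every value here is a CLSID; HKCR\CLSID\{clsid}\InProcServer32
# names the DLL explorer.exe loads at logon. Run from an elevated prompt.

$ssodlPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'

# ASSUMPTION: DLLs a stock XP/Vista install registers here (SysTray -> stobject.dll,
# WebCheck -> webcheck.dll, CDBurn/PostBootReminder -> shell32.dll). Tune per image.
$knownGood = @('shell32.dll', 'stobject.dll', 'webcheck.dll')

function Get-SsodlEntries {
    $key = Get-Item -Path $ssodlPath
    foreach ($valueName in $key.GetValueNames()) {
        $clsid  = [string]$key.GetValue($valueName)
        $inproc = Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InProcServer32" -ErrorAction SilentlyContinue

        $dll = $null; $exists = $false; $signer = 'n/a'
        if ($inproc -and $inproc.'(default)') {
            $dll = [Environment]::ExpandEnvironmentVariables([string]$inproc.'(default)')
            # A bare file name is loaded from System32 by the loader.
            if (-not [IO.Path]::IsPathRooted($dll)) {
                $dll = Join-Path (Join-Path $env:SystemRoot 'system32') $dll
            }
            $exists = Test-Path -LiteralPath $dll
            if ($exists) {
                # OS files are usually catalog-signed; older PowerShell shows them as
                # NotSigned, so treat this column as informational, not as the verdict.
                $sig = Get-AuthenticodeSignature -FilePath $dll
                if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
                else { $signer = [string]$sig.Status }
            }
        }

        $baseName = ''
        if ($dll) { $baseName = [IO.Path]::GetFileName($dll).ToLower() }
        $inSystem32 = $dll -and $dll.ToLower().StartsWith((Join-Path $env:SystemRoot 'system32').ToLower())

        if ($knownGood -contains $baseName -and $inSystem32 -and $exists) {
            $verdict = 'OK'
        } elseif (-not $exists) {
            # Launch point survives but its DLL is gone: an orphan the malware can refill.
            $verdict = 'ORPHANED'
        } else {
            # Unknown DLL, or a known name living outside System32 (masquerade).
            $verdict = 'SUSPECT'
        }

        New-Object PSObject -Property @{
            Entry = $valueName; CLSID = $clsid; Dll = $dll
            Exists = $exists; Signer = $signer; Verdict = $verdict
        } | Select-Object Entry, CLSID, Dll, Exists, Signer, Verdict
    }
}

Get-SsodlEntries | Format-Table -AutoSize
```

On the machine in this thread the gootkitsso entry would come out as SUSPECT (J:\WINDOWS\system32\msxsltsso.dll exists, is not in the allow-list, and carries no Microsoft signature). An ORPHANED verdict after cleanup means the value survived the DLL's deletion and should be removed by hand, since anything that recreates the DLL gets loaded again at the next logon.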


#8 quietman7 (Global Moderator)

Posted 10 April 2010 - 09:22 AM

SUPERAntiSpyware has a built-in "Repairs" feature to fix the SafeBoot key, policy restrictions and certain Windows settings which are sometimes targeted by malware infection. To use this feature, launch SUPERAntiSpyware.
  • From the Main Menu, click Preferences... or right-click on the icon in the system tray and choose "View Control Center (Preferences/Options)..."
  • Click the Repairs tab.
  • Click on (highlight) "Repair broken SafeBoot key"
  • Then click the Perform Repair... button.
  • You may be asked to reboot your computer for the changes to take effect.
Now rescan again with Malwarebytes Anti-Malware, but this time perform a Full Scan in normal mode and check all items found for removal. Don't forget to check for database definition updates through the program's interface (preferable method) before scanning and to reboot afterwards. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. When done, click the Logs tab and copy/paste the contents of the new report in your next reply.

Please perform a scan with ESET Online Antivirus Scanner.
(Requires Internet Explorer to work. If given the option, choose "Quarantine" instead of delete.)
Vista users need to run Internet Explorer as Administrator. Right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.
  • Click the green ESET Online Scanner button.
  • Read the End User License Agreement and check the box: YES, I accept the Terms of Use.
  • Click on the Start button next to it.
  • You may receive an alert on the address bar that "This site might require the following ActiveX control...Click here to install...". Click on that alert and then click Install ActiveX component.
  • A new window will appear asking "Do you want to install this software?"
  • Answer Yes to download and install the ActiveX controls that allows the scan to run.
  • Click Start.
  • Check Remove found threats and Scan potentially unwanted applications.
  • Click Scan to begin.
  • If offered the option to get information or buy software. Just close the window.
  • The scan will take a while so be patient and do NOT use the computer while the scan is running. Keep all other programs and windows closed.
  • When the scan has finished, a log.txt file will be created and automatically saved in the C:\Program Files\EsetOnlineScanner\ folder.
  • Click Start > Run..., then type or copy and paste everything in the code box below into the Open dialogue box:

    C:\Program Files\ESET\EsetOnlineScanner\log.txt
  • Click Ok and the scan results will open in Notepad.
  • Copy and paste the contents of log.txt in your next reply.
Note: Some online scanners will detect existing anti-virus software and refuse to cooperate. You may have to disable the real-time protection components of your existing anti-virus and try running the scan again. If you do this, remember to turn them back on after you are finished.

#9 stanpatpick (Topic Starter)

Posted 12 April 2010 - 03:05 PM

I may have spoken too soon when I said that malwarebytes was behaving normally.
I will describe what I see and you can let me know if it seems to be behaving properly.

The scan finishes.
I click to see the list of things found.
I click for them to be removed.
Mbam reports that removal was complete except for items that will be removed after reboot.
I click to reboot.
Nothing seems to happen immediately.
I close out any other programs and then click to exit mbam.
mbam reports that there is a scan going on and asks if I really want to terminate and close the program.
I click ok.
I manually restart the pc.

The sas tool seems to have fixed the safe mode problem.

I will post again after the eset scan.

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3980

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

4/12/2010 3:50:38 PM
mbam-log-2010-04-12 (15-50-38).txt

Scan type: Full scan (J:\|K:\|)
Objects scanned: 434834
Time elapsed: 3 hour(s), 8 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 24

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\AGprotect (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\gootkitsso (Trojan.GootKit) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
J:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\M01OVKX3\grabber[1].exe (Spyware.Passwords) -> Quarantined and deleted successfully.
J:\Documents and Settings\Stanley P. Pickens\Local Settings\Temp\gtk4.tmp (Spyware.Passwords) -> Quarantined and deleted successfully.
J:\Documents and Settings\Stanley P. Pickens\Local Settings\Temp\gtk7.tmp (Spyware.Passwords) -> Quarantined and deleted successfully.
J:\Documents and Settings\Stanley P. Pickens\Local Settings\Temporary Internet Files\Content.IE5\OS4PAFL2\grabber[1].exe (Spyware.Passwords) -> Quarantined and deleted successfully.
J:\System Volume Information\_restore{B8627E55-95F9-4F39-B8D3-AFA49F968ADA}\RP858\A0141684.dll (Trojan.GootKit) -> Quarantined and deleted successfully.
J:\System Volume Information\_restore{B8627E55-95F9-4F39-B8D3-AFA49F968ADA}\RP858\A0143714.dll (Trojan.GootKit) -> Quarantined and deleted successfully.
J:\System Volume Information\_restore{B8627E55-95F9-4F39-B8D3-AFA49F968ADA}\RP858\A0143726.dll (Trojan.GootKit) -> Quarantined and deleted successfully.
J:\System Volume Information\_restore{B8627E55-95F9-4F39-B8D3-AFA49F968ADA}\RP858\A0143740.dll (Trojan.GootKit) -> Quarantined and deleted successfully.
J:\System Volume Information\_restore{B8627E55-95F9-4F39-B8D3-AFA49F968ADA}\RP858\A0143782.dll (Trojan.GootKit) -> Quarantined and deleted successfully.
J:\System Volume Information\_restore{B8627E55-95F9-4F39-B8D3-AFA49F968ADA}\RP858\A0143797.dll (Trojan.GootKit) -> Quarantined and deleted successfully.
J:\System Volume Information\_restore{B8627E55-95F9-4F39-B8D3-AFA49F968ADA}\RP860\A0143934.dll (Trojan.GootKit) -> Quarantined and deleted successfully.
J:\System Volume Information\_restore{B8627E55-95F9-4F39-B8D3-AFA49F968ADA}\RP861\A0145967.dll (Trojan.GootKit) -> Quarantined and deleted successfully.
J:\System Volume Information\_restore{B8627E55-95F9-4F39-B8D3-AFA49F968ADA}\RP861\A0146003.dll (Trojan.GootKit) -> Quarantined and deleted successfully.
J:\System Volume Information\_restore{B8627E55-95F9-4F39-B8D3-AFA49F968ADA}\RP861\A0146040.dll (Trojan.GootKit) -> Quarantined and deleted successfully.
J:\System Volume Information\_restore{B8627E55-95F9-4F39-B8D3-AFA49F968ADA}\RP861\A0146078.dll (Trojan.GootKit) -> Quarantined and deleted successfully.
J:\System Volume Information\_restore{B8627E55-95F9-4F39-B8D3-AFA49F968ADA}\RP861\A0146114.dll (Trojan.GootKit) -> Quarantined and deleted successfully.
J:\WINDOWS\system32\msxsltsso.dll (Trojan.GootKit) -> Delete on reboot.
J:\WINDOWS\Temp\gtk14.tmp (Spyware.Passwords) -> Quarantined and deleted successfully.
J:\WINDOWS\Temp\gtk15.tmp (Spyware.Passwords) -> Quarantined and deleted successfully.
J:\WINDOWS\Temp\gtk2.tmp (Spyware.Passwords) -> Quarantined and deleted successfully.
J:\WINDOWS\Temp\gtk3.tmp (Spyware.Passwords) -> Quarantined and deleted successfully.
J:\WINDOWS\Temp\gtk7.tmp (Spyware.Passwords) -> Quarantined and deleted successfully.
J:\WINDOWS\Temp\gtk8.tmp (Spyware.Passwords) -> Quarantined and deleted successfully.
J:\WINDOWS\Temp\gtkC.tmp (Spyware.Passwords) -> Quarantined and deleted successfully.

Edited by stanpatpick, 12 April 2010 - 03:07 PM.
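Three MBAM logs are now in the thread and they tell the same story: msxsltsso.dll is "Delete on reboot" every time, and the gootkitsso SSODL value is "Quarantined and deleted successfully" every time yet is back by the next scan. Below is an added example, not code from the thread or from Malwarebytes, that parses MBAM scan logs and lists the detections that recur from run to run, separating items the scanner could never delete (still loaded when scanned) from items that were deleted but came back (something live is restoring them). The $sampleLogs excerpts are constructed from the logs posted above so the script runs as-is; to use it on a real machine, replace them with Get-Content of the mbam-log-*.txt files from the Logs folder named in post #4.

```powershell
# Added example, not from the thread: compare several Malwarebytes scan logs
# and report detections that recur across runs. Excerpts below are constructed
# from the logs posted in this thread.

$sampleLogs = @{
'mbam-log-2010-04-07 (16-45-05).txt' = @'
Memory Modules Infected:
J:\WINDOWS\system32\msxsltsso.dll (Trojan.GootKit) -> Delete on reboot.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\gootkitsso (Trojan.GootKit) -> Quarantined and deleted successfully.

Files Infected:
J:\WINDOWS\system32\msxsltsso.dll (Trojan.GootKit) -> Delete on reboot.
J:\WINDOWS\Temp\gtk2.tmp (Spyware.Passwords) -> Quarantined and deleted successfully.
'@
'mbam-log-2010-04-12 (15-50-38).txt' = @'
Memory Modules Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\gootkitsso (Trojan.GootKit) -> Quarantined and deleted successfully.

Files Infected:
J:\WINDOWS\system32\msxsltsso.dll (Trojan.GootKit) -> Delete on reboot.
J:\WINDOWS\Temp\gtk7.tmp (Spyware.Passwords) -> Quarantined and deleted successfully.
'@
}

# One MBAM detection line: "<item> (<detection name>) -> <action>."
$detectionPattern = '^(?<item>.+?) \((?<name>[^()]+)\) -> (?<action>.+?)\.?\s*$'

function Get-MbamDetections {
    param([string]$LogText)
    $section = ''
    foreach ($line in ($LogText -split "`r?`n")) {
        if ($line -match '^(?<section>[A-Za-z ]+ Infected):\s*$') { $section = $matches['section']; continue }
        if ($line -match $detectionPattern) {
            New-Object PSObject -Property @{
                Section = $section
                Item    = $matches['item']
                Name    = $matches['name']
                Action  = $matches['action']
            }
        }
    }
}

# Index every detection by item (case-insensitive) and remember which runs saw it.
$byItem = @{}
foreach ($logName in ($sampleLogs.Keys | Sort-Object)) {
    foreach ($d in @(Get-MbamDetections -LogText $sampleLogs[$logName])) {
        $k = $d.Item.ToLower()
        if (-not $byItem.ContainsKey($k)) {
            $byItem[$k] = @{ Item = $d.Item; Name = $d.Name; Runs = @(); Actions = @() }
        }
        $byItem[$k].Runs    += $logName
        $byItem[$k].Actions += $d.Action
    }
}

# Anything seen in two or more runs is a removal that did not hold.
$recurring = foreach ($e in $byItem.Values) {
    $runs = @($e.Runs | Select-Object -Unique)
    if ($runs.Count -lt 2) { continue }
    if ($e.Actions -contains 'Delete on reboot') {
        $verdict = 'REMOVAL NOT STICKING: module still loaded at scan time'
    } else {
        $verdict = 'RE-CREATED BETWEEN SCANS: something live is restoring it'
    }
    New-Object PSObject -Property @{ Runs = $runs.Count; Name = $e.Name; Verdict = $verdict; Item = $e.Item }
}

$recurring | Sort-Object Runs -Descending | Format-Table Runs, Name, Verdict, Item -AutoSize -Wrap
```

With the two excerpts above the report has two rows: msxsltsso.dll (REMOVAL NOT STICKING) and the gootkitsso SSODL value (RE-CREATED BETWEEN SCANS); the gtk*.tmp droppings each appear in one run only and are not listed. A "Delete on reboot" item that is still present after a normal reboot means the scheduled delete is being defeated, which is the point at which this thread moves on to anti-rootkit tools and, in the next post, to advice about reinstalling.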


#10 quietman7 (Global Moderator)

Posted 12 April 2010 - 03:58 PM

IMPORTANT NOTE: One or more of the identified infections was related to a rootkit component.

Rootkits, backdoor Trojans, Botnets, and IRCBots are very dangerous because they compromise system integrity by making changes that allow the system to be used by the attacker for malicious purposes. Rootkits are used by Trojans to conceal their presence (hide from view) in order to prevent detection of an attacker's software and make removal more difficult. Many rootkits can hook into the Windows 32-bit kernel and patch several APIs to hide new registry keys and files they install. They can disable your anti-virus and security tools to prevent detection and removal. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords, personal and financial data, which is sent back to the hacker. To learn more about these types of infections, you can refer to:

You should disconnect the computer from the Internet and from any networked computers until it is cleaned. If your computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately, including those used for banking, email, eBay, PayPal and any online activities which require a username and password. You should consider them to be compromised and change all passwords from a clean computer, not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified immediately of the possible security breach. Because your computer was compromised, please read:

Although the rootkit was identified and may be removed, your machine has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if the malware appears to have been removed. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired, so you can never be sure that you have completely removed a rootkit. The malware may leave so many remnants behind that security tools cannot find them. Tools that claim to be able to remove rootkits cannot guarantee that all traces of it will be removed. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

If you have not already done so, you should back up all your important documents, personal data files and photos to a CD or DVD, as some infections may render your computer unbootable during or before the disinfection process. The safest practice is not to back up any files with the following file extensions: .exe, .scr, .ini, .htm, .html, .php, .asp, .xml, .zip, .rar, .cab, as they may be infected.

Edited by quietman7, 12 April 2010 - 03:59 PM.


#11 stanpatpick
  • Topic Starter
  • Members
  • 53 posts
  • Gender:Male
  • Location:SouthEast US

Posted 12 April 2010 - 09:36 PM

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=49f254edc723354794888fb7770a6d91
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-04-12 11:45:29
# local_time=2010-04-12 07:45:29 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=768 16777215 100 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=334738
# found=16
# cleaned=16
# scan_time=12296
J:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\CPLIC9L1\googleanalytics_en[1].html JS/TrojanDownloader.Agent.NRF trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
J:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\CPLIC9L1\index[1].htm HTML/TrojanClicker.Iframe.GT.gen trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
J:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\CPNKABLV\grabber[1].exe Win32/PSW.Agent.NPV trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
J:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\E0G5EQ5V\index[1].htm HTML/TrojanClicker.Iframe.GT.gen trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
J:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\E0G5EQ5V\index[2].htm HTML/TrojanClicker.Iframe.GT.gen trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
J:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\E0G5EQ5V\mod_error[1].php HTML/Iframe.B.Gen virus (deleted - quarantined) 00000000000000000000000000000000 C
J:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\G63YUTNK\default[2].html HTML/TrojanClicker.Iframe.GT.gen trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
J:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\G63YUTNK\error[1].php HTML/Iframe.B.Gen virus (deleted - quarantined) 00000000000000000000000000000000 C
J:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\G63YUTNK\zenis2e[1].php JS/TrojanDownloader.Agent.NRD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
J:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\M01OVKX3\index[1].htm HTML/TrojanClicker.Iframe.GT.gen trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
J:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\M01OVKX3\index[1].html JS/TrojanDownloader.Agent.NRX trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
J:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\M01OVKX3\index[2].htm HTML/TrojanClicker.Iframe.GT.gen trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
J:\Documents and Settings\Stanley P. Pickens\Application Data\Thunderbird\Profiles\skgorxmt.default\Mail\pop.gmail.com\Sent multiple threats (contained infected files) 00000000000000000000000000000000 C
J:\WINDOWS\system32\msxsltsso.dll Win32/Gootkit.A trojan (cleaned by deleting (after the next restart) - quarantined) 00000000000000000000000000000000 C
J:\WINDOWS\Temp\gtkD.tmp Win32/PSW.Agent.NPV trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
L:\CORSAIR CONTENTS\Profiles\77paj4ya.default\Mail\mail.bellsouth.net\Sent multiple threats (contained infected files) 00000000000000000000000000000000 C

#12 quietman7
    Bleepin' Janitor
  • Global Moderator
  • 50,954 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 13 April 2010 - 07:55 AM

WINDOWS\system32\msxsltsso.dll Win32/Gootkit.A trojan (cleaned by deleting (after the next restart)

Reboot and repeat the scan. I would also recommend you run another scan with MBAM.

If the file returns, then you probably have other malware on your system which is protecting or regenerating it and more powerful tools will be needed.

#13 stanpatpick
  • Topic Starter
  • Members
  • 53 posts
  • Gender:Male
  • Location:SouthEast US

Posted 16 April 2010 - 06:27 AM

It would appear stronger measures are needed.
What next?

Would repeating any steps in safe mode make any difference?
or with restore functions turned off?

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=49f254edc723354794888fb7770a6d91
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-04-16 03:50:57
# local_time=2010-04-15 11:50:57 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=768 16777215 100 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=337069
# found=27
# cleaned=27
# scan_time=18487
J:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\6BS4YF1M\grabber[1].exe Win32/PSW.Agent.NPV trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
J:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\CPLIC9L1\default[1].html HTML/Iframe.B.Gen virus (deleted - quarantined) 00000000000000000000000000000000 C
J:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\CPLIC9L1\default[2].html HTML/Iframe.B.Gen virus (deleted - quarantined) 00000000000000000000000000000000 C
J:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\CPLIC9L1\index[2].php HTML/Iframe.B.Gen virus (deleted - quarantined) 00000000000000000000000000000000 C
J:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\CPLIC9L1\index[3].php HTML/Iframe.B.Gen virus (deleted - quarantined) 00000000000000000000000000000000 C
J:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\CPNKABLV\index[1].html JS/TrojanDownloader.Agent.NTW trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
J:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\E0G5EQ5V\config[1].php HTML/Iframe.B.Gen virus (deleted - quarantined) 00000000000000000000000000000000 C
J:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\E0G5EQ5V\config[2].php HTML/Iframe.B.Gen virus (deleted - quarantined) 00000000000000000000000000000000 C
J:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\E0G5EQ5V\index[1].html HTML/Iframe.B.Gen virus (deleted - quarantined) 00000000000000000000000000000000 C
J:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\E0G5EQ5V\index[2].php HTML/Iframe.B.Gen virus (deleted - quarantined) 00000000000000000000000000000000 C
J:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\E0G5EQ5V\index[3].html HTML/Iframe.B.Gen virus (deleted - quarantined) 00000000000000000000000000000000 C
J:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\FUQUT14N\mass_send[1].php JS/TrojanDownloader.Agent.NTW trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
J:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\G63YUTNK\config[1].php HTML/Iframe.B.Gen virus (deleted - quarantined) 00000000000000000000000000000000 C
J:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\G63YUTNK\config[2].php HTML/Iframe.B.Gen virus (deleted - quarantined) 00000000000000000000000000000000 C
J:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\G63YUTNK\config[3].php HTML/Iframe.B.Gen virus (deleted - quarantined) 00000000000000000000000000000000 C
J:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\G63YUTNK\default[3].html HTML/Iframe.B.Gen virus (deleted - quarantined) 00000000000000000000000000000000 C
J:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\G63YUTNK\index[1].html HTML/Iframe.B.Gen virus (deleted - quarantined) 00000000000000000000000000000000 C
J:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\G63YUTNK\index[2].html HTML/Iframe.B.Gen virus (deleted - quarantined) 00000000000000000000000000000000 C
J:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\G63YUTNK\index[2].php HTML/Iframe.B.Gen virus (deleted - quarantined) 00000000000000000000000000000000 C
J:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\G63YUTNK\index[3].php HTML/Iframe.B.Gen virus (deleted - quarantined) 00000000000000000000000000000000 C
J:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\M01OVKX3\default[1].html HTML/Iframe.B.Gen virus (deleted - quarantined) 00000000000000000000000000000000 C
J:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\M01OVKX3\index[2].html HTML/Iframe.B.Gen virus (deleted - quarantined) 00000000000000000000000000000000 C
J:\WINDOWS\system32\msxsltsso.dll Win32/Gootkit.A trojan (cleaned by deleting (after the next restart) - quarantined) 00000000000000000000000000000000 C
J:\WINDOWS\Temp\gtk11.tmp Win32/PSW.Agent.NPV trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
J:\WINDOWS\Temp\gtk2D.tmp Win32/PSW.Agent.NPV trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
J:\WINDOWS\Temp\gtk9.tmp Win32/PSW.Agent.NPV trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
K:\Installed Downloads Beginning 02072008\MOTHERBOARD STUFF\HSS-1.22-install-anchorfree-76-conduit.zip a variant of Win32/Adware.AnchorFree application (deleted - quarantined) 00000000000000000000000000000000 C


************************************************************************

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3995

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

4/16/2010 7:21:42 AM
mbam-log-2010-04-16 (07-21-42).txt

Scan type: Quick scan
Objects scanned: 109548
Time elapsed: 20 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
J:\WINDOWS\system32\msxsltsso.dll (Trojan.GootKit) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\AGprotect (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\gootkitsso (Trojan.GootKit) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
J:\WINDOWS\system32\msxsltsso.dll (Trojan.GootKit) -> Delete on reboot.
J:\WINDOWS\Temp\gtk3.tmp (Spyware.Passwords) -> Quarantined and deleted successfully.
J:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\RO20YA4Q\grabber[1].exe (Spyware.Passwords) -> Quarantined and deleted successfully.
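quietman7's advice in #12 was to reboot, rescan and see whether msxsltsso.dll comes back, because a detection that recurs after a reboot means something else on the system is protecting or regenerating it. The script below is an added example written for this thread; it is not code from ESET, Malwarebytes or anyone in the discussion. It parses ESET Online Scanner detection lines in the layout posted above, compares two scans, and reports paths that survived and detection names that recur even under fresh file names. The two embedded logs are constructed excerpts of the 12 April and 16 April logs posted in this thread (most browser-cache lines omitted), and the parsing regex is an assumption based on those lines only, not on a documented ESET log format.

```python
"""Compare two ESET Online Scanner logs to spot findings that come back.

Added example for this thread, not ESET or Malwarebytes code. The log
excerpts below are constructed from the lines posted in #11 and #13.
"""
import re
from typing import Dict, List, NamedTuple, Set, Tuple

# Matches one detection line as it appears in the posted logs. This layout
# is assumed from those lines only, not from a documented ESET format.
ESET_FINDING = re.compile(
    r"^(?P<path>[A-Z]:\\.*?) "
    r"(?P<threat>(?:a variant of )?[A-Za-z0-9]+/\S+ (?:trojan|virus|application)"
    r"|multiple threats) "
    r"\((?P<action>.*)\) 0+ C$"
)


class Finding(NamedTuple):
    path: str
    threat: str
    action: str
    deferred: bool  # removal postponed to the next restart (file was in use)


def parse_eset_log(text: str) -> Tuple[Dict[str, str], List[Finding]]:
    """Return the '# key=value' header as a dict plus the detection lines."""
    meta: Dict[str, str] = {}
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line[1:].strip().partition("=")
            meta[key] = value
            continue
        m = ESET_FINDING.match(line)
        if m is None:
            continue  # banner lines such as "all ok"
        action = m.group("action")
        findings.append(Finding(m.group("path"), m.group("threat"), action,
                                "after the next restart" in action))
    return meta, findings


def persistent_paths(earlier: List[Finding], later: List[Finding]) -> List[str]:
    """Paths detected in both scans: the earlier removal did not stick."""
    seen = {f.path for f in earlier}
    return [f.path for f in later if f.path in seen]


def recurring_threats(earlier: List[Finding], later: List[Finding]) -> Set[str]:
    """Detection names present in both scans, even under new file names
    (for example a dropper writing a fresh random .tmp each time)."""
    return {f.threat for f in earlier} & {f.threat for f in later}


# Constructed excerpt of the 12 April 2010 log (browser-cache lines trimmed).
SCAN_2010_04_12 = r"""
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# utc_time=2010-04-12 11:45:29
# scanned=334738
# found=16
# cleaned=16
J:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\CPNKABLV\grabber[1].exe Win32/PSW.Agent.NPV trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
J:\WINDOWS\system32\msxsltsso.dll Win32/Gootkit.A trojan (cleaned by deleting (after the next restart) - quarantined) 00000000000000000000000000000000 C
J:\WINDOWS\Temp\gtkD.tmp Win32/PSW.Agent.NPV trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
L:\CORSAIR CONTENTS\Profiles\77paj4ya.default\Mail\mail.bellsouth.net\Sent multiple threats (contained infected files) 00000000000000000000000000000000 C
"""

# Constructed excerpt of the 16 April 2010 log, after the advised reboot.
SCAN_2010_04_16 = r"""
# utc_time=2010-04-16 03:50:57
# found=27
# cleaned=27
J:\WINDOWS\system32\msxsltsso.dll Win32/Gootkit.A trojan (cleaned by deleting (after the next restart) - quarantined) 00000000000000000000000000000000 C
J:\WINDOWS\Temp\gtk11.tmp Win32/PSW.Agent.NPV trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
K:\Installed Downloads Beginning 02072008\MOTHERBOARD STUFF\HSS-1.22-install-anchorfree-76-conduit.zip a variant of Win32/Adware.AnchorFree application (deleted - quarantined) 00000000000000000000000000000000 C
"""


def triage(first_log: str, second_log: str) -> Dict[str, object]:
    """Summarise what survived between two scans."""
    _, first = parse_eset_log(first_log)
    _, second = parse_eset_log(second_log)
    return {
        "deferred_in_second": [f.path for f in second if f.deferred],
        "persistent_paths": persistent_paths(first, second),
        "recurring_threats": sorted(recurring_threats(first, second)),
    }


if __name__ == "__main__":
    for key, value in triage(SCAN_2010_04_12, SCAN_2010_04_16).items():
        print(f"{key}: {value}")
```

Run stand-alone, it lists the DLL as both deferred and persistent, and flags Win32/PSW.Agent.NPV as recurring although every .tmp name in WINDOWS\Temp was different, which is the pattern quietman7 describes: a component still running between scans keeps dropping new copies. The MBAM log in #13 shows the same DLL registered under ShellServiceObjectDelayLoad, a key whose entries Explorer loads at logon, so the file is in use whenever the scan runs, consistent with ESET only being able to schedule its deletion for the next restart.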

#14 quietman7
    Bleepin' Janitor
  • Global Moderator
  • 50,954 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 16 April 2010 - 08:48 AM

Please read the pinned topic titled "Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help". If you cannot complete a step, then skip it and continue with the next. In Step 7 there are instructions for downloading and running DDS which will create a Pseudo HJT Report as part of its log.

When you have done that, post your log in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the Malware Response Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, we would appreciate it if you post a link to your log back here so we know that you're getting help from the Malware Response Team.

Please be patient. It may take a while to get a response because the Malware Response Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have posted your log and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the Malware Response Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work, may assume another Malware Response Team member is already assisting you and not open the thread to respond.

#15 Orange Blossom
    OBleepin Investigator
  • Moderator
  • 36,805 posts
  • Gender:Not Telling
  • Location:Bloomington, IN

Posted 20 April 2010 - 03:59 PM

Hello,

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/t/311242/gootkit-and-possibly-others-need-removal-help/ you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by an MRT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the MRT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the MRT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the MRT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work, may assume another MRT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript
