
another browser redirect virus


1 reply to this topic

#1 vaporiser

  • Members
  • 22 posts

Posted 06 September 2010 - 02:02 AM

Hi,
I have picked up a virus that I can't seem to get rid of. AVG shows it as Adload_r.akc.
It can't remove it since it is installed in explorer.exe and is in use. It was installed in firefox.exe, but it says it removed it, and every reboot reinfects it.
I dropped to Windows Safe Mode and ran AVG in command-line mode to try to remove it - no help.

Malwarebytes does not see the virus - this may be because I cannot update Malwarebytes.

Windows Update cannot check for updates - it shows an error code of 80072EFE.

I am getting redirects in Firefox searches with Google and Yahoo.
I am also getting spam redirects while I am reading a page, with the first page on the list having wyciwyg:// as the beginning address.

I am running Windows 7 32-bit.

I'm not sure what other info you need to get started.

Thanks in advance.

Here are the log files. I forgot to post them at first.

DDS log:

DDS (Ver_10-03-17.01) - NTFSx86
Run by oem at 3:49:33.96 on Mon 09/06/2010
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_21
Microsoft Windows 7 Enterprise N 6.1.7600.0.1252.1.1033.18.3326.1889 [GMT -4:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Windows\system32\lsm.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\DeviceVM\Browser Configuration Utility\BCUService.exe
C:\Program Files\Gigabyte\EasySaver\ESSVR.EXE
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\XSrvSetup.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskhost.exe
C:\Windows\Explorer.EXE
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Program Files\DeviceVM\Browser Configuration Utility\BCU.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Marvell\raid\Apache2\bin\httpd.exe
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe
C:\Program Files\Marvell\raid\tray\MarvellTray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Marvell\raid\Apache2\bin\httpd.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Cake Poker (BETA)\CakeNotifier.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Gigabyte\ET6\GUI.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Marvell\raid\svc\mvraidsvc.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Bodog Poker\BPGame.exe
C:\Users\oem\Downloads\dds.scr
C:\Windows\system32\conhost.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com
mStart Page = hxxp://www.yahoo.com
mDefault_Page_URL = hxxp://www.yahoo.com
uURLSearchHooks: SearchHook Class: {bc86e1ab-eda5-4059-938f-ce307b0c6f0a} - c:\program files\devicevm\browser configuration utility\AddressBarSearch.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - c:\program files\adobe\/Adobe Contribute CS4/contributeieplugin.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\program files\adobe\/Adobe Contribute CS4/contributeieplugin.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [Aim] "c:\program files\aim\aim.exe" /d locale=en-US
uRun: [AdobeBridge]
uRun: [CPN Notifier] c:\program files\cake poker (beta)\PokerNotifier.exe
uRun: [Yahoo! Pager] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [BCU] "c:\program files\devicevm\browser configuration utility\BCU.exe"
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe -s
mRun: [JMB36X IDE Setup] c:\windows\raidtool\xInsIDE.exe
mRun: [NUSB3MON] "c:\program files\nec electronics\usb 3.0 host controller driver\application\nusb3mon.exe"
mRun: [MRUTray] c:\program files\marvell\raid\tray\MarvellTray.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [EasyTuneVI] c:\program files\gigabyte\et6\ETcall.exe
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [Adobe_ID0ENQBO] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
StartupFolder: c:\users\oem\appdata\roaming\micros~1\windows\startm~1\programs\startup\cakepo~1.lnk - c:\program files\cake poker (beta)\CakeNotifier.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office12\EXCEL.EXE/3000
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - c:\program files\bodog poker\BPGame.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office12\REFIEBAR.DLL
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
Handler: ic32pp - {BBCA9F81-8F4F-11D2-90FF-0080C83D3571} - c:\windows\wc98pp.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
AppInit_DLLs: avgrsstx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\oem\appdata\roaming\mozilla\firefox\profiles\w7pir87o.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true);user_pref(network.protocol-handler.warn-external.dnupdate, falsec:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 mv91cons;Marvell 91xx Config Device Driver;c:\windows\system32\drivers\mv91cons.sys [2009-10-9 20008]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-4-10 216400]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-4-10 29584]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-4-10 243024]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-3-3 172032]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-7-16 921952]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-16 308136]
R2 BCUService;Browser Configuration Utility Service;c:\program files\devicevm\browser configuration utility\BCUService.exe [2010-4-10 219360]
R2 ES lite Service;ES lite Service for program management.;c:\program files\gigabyte\easysaver\essvr.exe [2010-4-10 68136]
R2 JMB36X;JMB36X;c:\windows\system32\XSrvSetup.exe [2010-4-10 65536]
R2 Marvell RAID;Marvell RAID Event Agent;c:\program files\marvell\raid\svc\mvraidsvc.exe [2009-10-5 151552]
R2 MRUWebService;MRU Web Service;c:\program files\marvell\raid\apache2\bin\httpd.exe [2009-4-8 24635]
R2 RtNdPt60;Realtek NDIS Protocol Driver;c:\windows\system32\drivers\RtNdPt60.sys [2010-4-10 27648]
R3 amdkmdag;amdkmdag;c:\windows\system32\drivers\atipmdag.sys [2010-3-3 5340160]
R3 amdkmdap;amdkmdap;c:\windows\system32\drivers\atikmpag.sys [2010-3-2 152064]
R3 AODDriver;AODDriver;c:\program files\gigabyte\et6\i386\AODDriver.sys [2009-2-23 7168]
R3 GVTDrv;GVTDrv;c:\windows\system32\drivers\GVTDrv.sys [2010-4-14 24944]
R3 nusb3hub;NEC Electronics USB 3.0 Hub Driver;c:\windows\system32\drivers\nusb3hub.sys [2009-9-25 56576]
R3 nusb3xhc;NEC Electronics USB 3.0 Host Controller Driver;c:\windows\system32\drivers\nusb3xhc.sys [2009-9-25 138240]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2010-4-10 189440]
R3 X10Hid;X10 Hid Device;c:\windows\system32\drivers\x10hid.sys [2010-7-5 13976]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\common files\adobe\adobe version cue cs4\server\bin\VersionCueCS4.exe [2008-8-15 284016]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 etdrv;etdrv;c:\windows\etdrv.sys [2010-4-14 17488]
S3 RTTEAMPT;Realtek Teaming Protocol Driver (NDIS 6.0);c:\windows\system32\drivers\RtTeam60.sys [2010-4-10 43008]
S3 RTVLANPT;Realtek Vlan Protocol Driver (NDIS 6.2);c:\windows\system32\drivers\RtVlan60.sys [2010-4-10 19968]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 TEAM;Realtek Virtual Miniport Driver for Teaming (NDIS 6.0);c:\windows\system32\drivers\RtTeam60.sys [2010-4-10 43008]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-4-11 1343400]

=============== Created Last 30 ================

2010-09-06 07:45:51 0 ----a-w- c:\users\oem\defogger_reenable
2010-09-06 04:43:27 0 d-----w- c:\users\oem\appdata\roaming\AVG9
2010-09-05 04:20:00 524288 --sha-w- c:\users\oem\ntuser.dat{fa1bd90e-b871-11df-b634-6cf0490b902b}.TMContainer00000000000000000002.regtrans-ms
2010-09-05 04:19:59 65536 --sha-w- c:\users\oem\ntuser.dat{fa1bd90e-b871-11df-b634-6cf0490b902b}.TM.blf
2010-09-05 04:19:59 524288 --sha-w- c:\users\oem\ntuser.dat{fa1bd90e-b871-11df-b634-6cf0490b902b}.TMContainer00000000000000000001.regtrans-ms
2010-09-05 04:12:11 0 d-sh--w- c:\windows\system32\%APPDATA%
2010-09-05 00:17:09 0 d-----w- c:\program files\DoylesRoom
2010-08-29 22:45:14 0 d-----w- c:\program files\Mozilla Firefox 4.0 Beta 4
2010-08-17 00:23:45 0 d-----w- c:\programdata\Apple Computer
2010-08-15 18:07:05 36781 ----a-w- C:\RCPBak.ibf
2010-08-14 14:40:37 641 ----a-w- C:\ReefConWL.csv
2010-08-10 09:15:58 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-08-10 09:15:58 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-08-08 03:54:38 0 ----a-w- c:\windows\PROTOCOL.INI
2010-08-08 03:54:28 0 d-----w- c:\program files\Infinity Software
2010-08-08 03:54:08 299520 ----a-w- c:\windows\uninst.exe

==================== Find3M ====================

2010-09-06 06:22:52 24944 ----a-w- c:\windows\system32\drivers\GVTDrv.sys
2010-09-06 06:22:36 17488 ----a-w- c:\windows\gdrv.sys
2010-07-29 06:30:49 197632 ----a-w- c:\windows\system32\ir32_32.dll
2010-07-29 06:30:34 82944 ----a-w- c:\windows\system32\iccvid.dll
2010-07-17 09:00:04 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-16 19:38:20 51712 ----a-w- c:\windows\wc98pp.dll
2010-07-16 15:02:10 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-07-16 15:02:09 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-07-16 15:01:51 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-06-30 06:25:31 978432 ----a-w- c:\windows\system32\wininet.dll
2010-06-19 06:33:29 3955080 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-06-19 06:33:29 3899784 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-06-19 06:23:50 37376 ----a-w- c:\windows\system32\rtutils.dll
2010-06-19 04:07:18 2326016 ----a-w- c:\windows\system32\win32k.sys
2010-06-16 05:48:35 224256 ----a-w- c:\windows\system32\schannel.dll
2010-06-14 08:16:07 17488 ----a-w- c:\windows\etdrv.sys
2009-07-14 04:54:36 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2009-07-14 04:54:36 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2009-07-14 04:54:36 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2009-07-14 04:54:36 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2009-07-14 04:08:58 174 --sha-w- c:\program files\desktop.ini
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-06-10 21:26:35 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
2010-04-20 05:18:25 245760 --sha-w- c:\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\ietldcache\index.dat
2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 3:50:05.57 ===============



Gmer log:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-09-06 04:06:07
Windows 6.1.7600
Running: gmer.exe; Driver: C:\Users\oem\AppData\Local\Temp\uwldapow.sys


---- System - GMER 1.0.15 ----

INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83246AF8
INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83246104
INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 832463F4
INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8322F2D8
INT 0xD2 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8322E898
INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 832461DC
INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83246958
INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 832466F8
INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83246F2C
INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 832471A8

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 82E5F599 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82E83F52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.rsrc C:\Windows\System32\drivers\volmgrx.sys entry point in ".rsrc" section [0x83AF7014]
.text C:\Windows\system32\DRIVERS\atipmdag.sys section is writeable [0x91619000, 0x2ECEB2, 0xE8000020]
.text peauth.sys A3AB7C9D 28 Bytes [15, 32, E6, C5, CA, 81, A7, ...]
.text peauth.sys A3AB7CC1 28 Bytes [15, 32, E6, C5, CA, 81, A7, ...]
PAGE peauth.sys A3ABDB9B 72 Bytes [8E, 8B, 45, D0, 55, 9E, CD, ...]
PAGE peauth.sys A3ABDBEC 111 Bytes [E7, BD, CD, 6A, D5, 8D, E8, ...]
PAGE peauth.sys A3ABDE20 101 Bytes [CB, 8A, 63, E5, C7, BC, 51, ...]
PAGE ...

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\svchost.exe[1364] ntdll.dll!NtProtectVirtualMemory 76EE5380 5 Bytes JMP 0035000A
.text C:\Windows\system32\svchost.exe[1364] ntdll.dll!NtWriteVirtualMemory 76EE5F00 5 Bytes JMP 0036000A
.text C:\Windows\system32\svchost.exe[1364] ntdll.dll!KiUserExceptionDispatcher 76EE6448 5 Bytes JMP 0034000A
.text C:\Windows\system32\svchost.exe[1364] ole32.dll!CoCreateInstance 75B757FC 5 Bytes JMP 003C000A
.text C:\Windows\system32\svchost.exe[1364] USER32.dll!GetCursorPos 758FC198 5 Bytes JMP 00CC000A
.text C:\Windows\Explorer.EXE[2248] ntdll.dll!NtProtectVirtualMemory 76EE5380 5 Bytes JMP 001C000A
.text C:\Windows\Explorer.EXE[2248] ntdll.dll!NtWriteVirtualMemory 76EE5F00 5 Bytes JMP 001D000A
.text C:\Windows\Explorer.EXE[2248] ntdll.dll!KiUserExceptionDispatcher 76EE6448 5 Bytes JMP 001B000A
.text C:\Program Files\Cake Poker (BETA)\CakeNotifier.exe[3404] kernel32.dll!CreateProcessW 75CE202D 5 Bytes JMP 7FFA009F
.text C:\Program Files\Cake Poker (BETA)\CakeNotifier.exe[3404] kernel32.dll!CreateProcessA 75CE2062 5 Bytes JMP 7FFA00BE
.text C:\Program Files\Cake Poker (BETA)\CakeNotifier.exe[3404] kernel32.dll!ReadFileScatter 75D12998 5 Bytes JMP 7FFA0483
.text C:\Program Files\Cake Poker (BETA)\CakeNotifier.exe[3404] kernel32.dll!SearchPathA 75D14DE7 5 Bytes JMP 7FFA057B
.text C:\Program Files\Cake Poker (BETA)\CakeNotifier.exe[3404] kernel32.dll!VirtualQueryEx 75D16E2A 5 Bytes JMP 7FFA0080
.text C:\Program Files\Cake Poker (BETA)\CakeNotifier.exe[3404] kernel32.dll!CopyFileW 75D18C8F 5 Bytes JMP 7FFA0272
.text C:\Program Files\Cake Poker (BETA)\CakeNotifier.exe[3404] kernel32.dll!FindFirstChangeNotificationW 75D19073 5 Bytes JMP 7FFA032E
.text C:\Program Files\Cake Poker (BETA)\CakeNotifier.exe[3404] kernel32.dll!FindNextChangeNotification 75D1911B 5 Bytes JMP 7FFA034D
.text C:\Program Files\Cake Poker (BETA)\CakeNotifier.exe[3404] kernel32.dll!FindCloseChangeNotification 75D1DB91 5 Bytes JMP 7FFA036C
.text C:\Program Files\Cake Poker (BETA)\CakeNotifier.exe[3404] kernel32.dll!GetOverlappedResult 75D1E0DD 5 Bytes JMP 7FFA01D7
.text C:\Program Files\Cake Poker (BETA)\CakeNotifier.exe[3404] kernel32.dll!GetFileAttributesExA 75D1E63A 5 Bytes JMP 7FFA04E0
.text C:\Program Files\Cake Poker (BETA)\CakeNotifier.exe[3404] kernel32.dll!CopyFileExW 75D207BB 5 Bytes JMP 7FFA0291
.text C:\Program Files\Cake Poker (BETA)\CakeNotifier.exe[3404] kernel32.dll!SetFilePointerEx 75D22A2A 5 Bytes JMP 7FFA04A2
.text C:\Program Files\Cake Poker (BETA)\CakeNotifier.exe[3404] kernel32.dll!GetModuleHandleExA 75D22A5A 5 Bytes JMP 7FFA0635
.text C:\Program Files\Cake Poker (BETA)\CakeNotifier.exe[3404] kernel32.dll!CreateFileMappingW 75D23A51 5 Bytes JMP 7FFA0199
.text C:\Program Files\Cake Poker (BETA)\CakeNotifier.exe[3404] kernel32.dll!GetFileTime 75D244AF 5 Bytes JMP 7FFA0407
.text C:\Program Files\Cake Poker (BETA)\CakeNotifier.exe[3404] kernel32.dll!TerminateProcess 75D2509B 5 Bytes JMP 7FFA0042
.text C:\Program Files\Cake Poker (BETA)\CakeNotifier.exe[3404] kernel32.dll!GetFileSize 75D25D47 5 Bytes JMP 7FFA01F6
.text C:\Program Files\Cake Poker (BETA)\CakeNotifier.exe[3404] kernel32.dll!GetFileAttributesExW 75D25F4D 5 Bytes JMP 7FFA03C9
.text C:\Program Files\Cake Poker (BETA)\CakeNotifier.exe[3404] kernel32.dll!GetModuleHandleExW 75D28B60 5 Bytes JMP 7FFA0616
.text C:\Program Files\Cake Poker (BETA)\CakeNotifier.exe[3404] kernel32.dll!SearchPathW 75D2A7A8 5 Bytes JMP 7FFA038B
.text C:\Program Files\Cake Poker (BETA)\CakeNotifier.exe[3404] kernel32.dll!LoadLibraryExW 75D2B6BF 5 Bytes JMP 7FFA0673
.text C:\Program Files\Cake Poker (BETA)\CakeNotifier.exe[3404] kernel32.dll!LoadLibraryExA 75D2BC8B 5 Bytes JMP 7FFA0692
.text C:\Program Files\Cake Poker (BETA)\CakeNotifier.exe[3404] kernel32.dll!MapViewOfFile 75D2C0D4 5 Bytes JMP 7FFA01B8
.text C:\Program Files\Cake Poker (BETA)\CakeNotifier.exe[3404] kernel32.dll!SetCurrentDirectoryA 75D2C66C 5 Bytes JMP 7FFA0445
.text C:\Program Files\Cake Poker (BETA)\CakeNotifier.exe[3404] kernel32.dll!GetFileSizeEx 75D2CA51 5 Bytes JMP 7FFA0215
.text C:\Program Files\Cake Poker (BETA)\CakeNotifier.exe[3404] kernel32.dll!FindNextFileW 75D2CB2D 5 Bytes JMP 7FFA02F0
.text C:\Program Files\Cake Poker (BETA)\CakeNotifier.exe[3404] kernel32.dll!CreateFileMappingA 75D2CCD1 5 Bytes JMP 7FFA017A
.text C:\Program Files\Cake Poker (BETA)\CakeNotifier.exe[3404] kernel32.dll!FindNextFileA 75D2D593 5 Bytes JMP 7FFA053D
.text C:\Program Files\Cake Poker (BETA)\CakeNotifier.exe[3404] kernel32.dll!ReadFile 75D2DAA9 5 Bytes JMP 7FFA00FC
.text C:\Program Files\Cake Poker (BETA)\CakeNotifier.exe[3404] kernel32.dll!CloseHandle 75D305D7 5 Bytes JMP 7FFA013C
.text C:\Program Files\Cake Poker (BETA)\CakeNotifier.exe[3404] kernel32.dll!CreateFileW 75D30B7D 5 Bytes JMP 7FFA00DD
.text C:\Program Files\Cake Poker (BETA)\CakeNotifier.exe[3404] kernel32.dll!GetFileInformationByHandle 75D30D1E 5 Bytes JMP 7FFA0426
.text C:\Program Files\Cake Poker (BETA)\CakeNotifier.exe[3404] kernel32.dll!FindFirstFileW 75D3107A 5 Bytes JMP 7FFA02B2
.text C:\Program Files\Cake Poker (BETA)\CakeNotifier.exe[3404] kernel32.dll!GetModuleFileNameA 75D31094 5 Bytes JMP 7FFA06D0
.text C:\Program Files\Cake Poker (BETA)\CakeNotifier.exe[3404] kernel32.dll!UnmapViewOfFile 75D3127E 5 Bytes JMP 7FFA0234
.text C:\Program Files\Cake Poker (BETA)\CakeNotifier.exe[3404] kernel32.dll!GetFileAttributesW 75D313EE 5 Bytes JMP 7FFA03AA
.text C:\Program Files\Cake Poker (BETA)\CakeNotifier.exe[3404] kernel32.dll!MapViewOfFileEx 75D317B6 5 Bytes JMP 7FFA0253
.text C:\Program Files\Cake Poker (BETA)\CakeNotifier.exe[3404] kernel32.dll!GetProcAddress 75D31857 5 Bytes JMP 7FFA06EF
.text C:\Program Files\Cake Poker (BETA)\CakeNotifier.exe[3404] kernel32.dll!GetModuleHandleW 75D319C1 5 Bytes JMP 7FFA05F7
.text C:\Program Files\Cake Poker (BETA)\CakeNotifier.exe[3404] kernel32.dll!FreeLibrary 75D31A09 5 Bytes JMP 7FFA05D8
.text C:\Program Files\Cake Poker (BETA)\CakeNotifier.exe[3404] kernel32.dll!GetFileType 75D31C62 5 Bytes JMP 7FFA03E8
.text C:\Program Files\Cake Poker (BETA)\CakeNotifier.exe[3404] kernel32.dll!LoadLibraryA 75D32884 5 Bytes JMP 7FFA059A
.text C:\Program Files\Cake Poker (BETA)\CakeNotifier.exe[3404] kernel32.dll!LoadLibraryW 75D328D2 5 Bytes JMP 7FFA05B9
.text C:\Program Files\Cake Poker (BETA)\CakeNotifier.exe[3404] kernel32.dll!GetModuleHandleA 75D328F7 5 Bytes JMP 7FFA06B1
.text C:\Program Files\Cake Poker (BETA)\CakeNotifier.exe[3404] kernel32.dll!GetModuleFileNameW 75D32A14 5 Bytes JMP 7FFA0654
.text C:\Program Files\Cake Poker (BETA)\CakeNotifier.exe[3404] kernel32.dll!GetFileAttributesA 75D32A3F 5 Bytes JMP 7FFA04C1
.text C:\Program Files\Cake Poker (BETA)\CakeNotifier.exe[3404] kernel32.dll!ExitProcess 75D32AEF 5 Bytes JMP 7FFA0004
.text C:\Program Files\Cake Poker (BETA)\CakeNotifier.exe[3404] kernel32.dll!VirtualQuery 75D33124 5 Bytes JMP 7FFA0061
.text C:\Program Files\Cake Poker (BETA)\CakeNotifier.exe[3404] kernel32.dll!SetFilePointer 75D3351F 5 Bytes JMP 7FFA015B
.text C:\Program Files\Cake Poker (BETA)\CakeNotifier.exe[3404] kernel32.dll!FindClose 75D3353A 5 Bytes JMP 7FFA030F
.text C:\Program Files\Cake Poker (BETA)\CakeNotifier.exe[3404] kernel32.dll!SetCurrentDirectoryW 75D33577 5 Bytes JMP 7FFA0464
.text C:\Program Files\Cake Poker (BETA)\CakeNotifier.exe[3404] kernel32.dll!FindFirstFileExW 75D335A7 5 Bytes JMP 7FFA02D1
.text C:\Program Files\Cake Poker (BETA)\CakeNotifier.exe[3404] kernel32.dll!FindFirstFileA 75D3F346 5 Bytes JMP 7FFA04FF
.text C:\Program Files\Cake Poker (BETA)\CakeNotifier.exe[3404] kernel32.dll!ReadFileEx 75D462A5 5 Bytes JMP 7FFA011D
.text C:\Program Files\Cake Poker (BETA)\CakeNotifier.exe[3404] kernel32.dll!FatalExit 75D6E883 5 Bytes JMP 7FFA0023
.text C:\Program Files\Cake Poker (BETA)\CakeNotifier.exe[3404] kernel32.dll!FindFirstFileExA 75D6F58F 5 Bytes JMP 7FFA051E
.text C:\Program Files\Cake Poker (BETA)\CakeNotifier.exe[3404] kernel32.dll!FindFirstChangeNotificationA 75D6F59F 5 Bytes JMP 7FFA055C
.text C:\Program Files\Cake Poker (BETA)\CakeNotifier.exe[3404] GDI32.dll!AddFontResourceExA 76BBEA67 5 Bytes JMP 7FFA070E
.text C:\Program Files\Cake Poker (BETA)\CakeNotifier.exe[3404] GDI32.dll!AddFontResourceExW 76BBED05 5 Bytes JMP 7FFA072D
.text C:\Program Files\Cake Poker (BETA)\CakeNotifier.exe[3404] GDI32.dll!RemoveFontResourceExW 76BBED34 5 Bytes JMP 7FFA074C
.text C:\Program Files\Cake Poker (BETA)\CakeNotifier.exe[3404] shell32.dll!ShellExecuteExW 75F61BCC 5 Bytes JMP 7FFA076B
.text C:\Program Files\Mozilla Firefox\firefox.exe[5560] ntdll.dll!NtProtectVirtualMemory 76EE5380 5 Bytes JMP 0014000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[5560] ntdll.dll!NtWriteVirtualMemory 76EE5F00 5 Bytes JMP 0015000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[5560] ntdll.dll!KiUserExceptionDispatcher 76EE6448 5 Bytes JMP 0012000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[5560] ntdll.dll!LdrLoadDll 76EFF625 5 Bytes JMP 001A13F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume5 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume6 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume7 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume8 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device \Driver\ACPI_HAL \Device\0000004c halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\volmgr \Device\HarddiskVolume9 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume10 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device -> \Driver\atapi \Device\Harddisk0\DR0 86688EC5

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 08: copy of MBR

---- Files - GMER 1.0.15 ----

File C:\Windows\System32\drivers\volmgrx.sys suspicious modification
File C:\Windows\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----



I have already run the defogger program.

Hope these help

I forgot to add the log files at first.

Thanks.

EDIT: Posts merged ~BP

Edited by Budapest, 06 September 2010 - 04:50 PM.
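The GMER log above lists user-mode API hooks per process, and the helper's reply treats some of them as rootkit evidence. As an added triage aid (not part of the original post or of GMER), here is a small Python parser for GMER's ".text" hook lines and "File ... suspicious modification" lines; it flags hooks whose JMP target GMER could not attribute to any module and that sit in a low address range. The sample log lines are constructed copies of a few entries from this thread, and the 0x10000000 threshold is an assumption chosen for 32-bit user space, not a GMER rule.

```python
import re

# Constructed sample: a handful of lines in the shape of the GMER 1.0.15 log posted above.
SAMPLE_LOG = r"""
.text C:\Program Files\Cake Poker (BETA)\CakeNotifier.exe[3404] kernel32.dll!LoadLibraryA 75D32884 5 Bytes JMP 7FFA059A
.text C:\Program Files\Mozilla Firefox\firefox.exe[5560] ntdll.dll!NtProtectVirtualMemory 76EE5380 5 Bytes JMP 0014000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[5560] ntdll.dll!NtWriteVirtualMemory 76EE5F00 5 Bytes JMP 0015000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[5560] ntdll.dll!LdrLoadDll 76EFF625 5 Bytes JMP 001A13F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
File C:\Windows\system32\drivers\atapi.sys suspicious modification
"""

# One GMER user-mode hook line: ".text <process>[<pid>] <module>!<function> <addr> N Bytes JMP <target> [<owner>]"
HOOK_RE = re.compile(
    r"^\.text (?P<proc>.+?)\[(?P<pid>\d+)\] (?P<mod>[^!]+)!(?P<func>\S+) "
    r"(?P<addr>[0-9A-F]{8}) \d+ Bytes JMP (?P<target>[0-9A-F]{8})(?: (?P<owner>.*))?$"
)
FILE_RE = re.compile(r"^File (?P<path>.+) suspicious modification$")

# Assumption (not a GMER rule): on 32-bit Windows 7, system DLLs load high (0x7xxxxxxx);
# a hook that jumps below this floor and that GMER attributes to no module is worth a look.
USER_IMAGE_FLOOR = 0x10000000


def parse_hooks(text):
    """Return one dict per hook line, with addresses converted to integers."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line)
        if m:
            h = m.groupdict()
            h["addr"] = int(h["addr"], 16)
            h["target"] = int(h["target"], 16)
            hooks.append(h)
    return hooks


def triage(text):
    """Return (suspicious_hooks, modified_files) for a GMER log."""
    suspicious = [
        h for h in parse_hooks(text)
        if h["owner"] is None and h["target"] < USER_IMAGE_FLOOR
    ]
    modified = [m.group("path") for m in map(FILE_RE.match, text.splitlines()) if m]
    return suspicious, modified


if __name__ == "__main__":
    sus, mod = triage(SAMPLE_LOG)
    for h in sus:
        print(f"unattributed low hook: {h['proc']}[{h['pid']}] {h['mod']}!{h['func']} -> {h['target']:08X}")
    for path in mod:
        print(f"modified driver: {path}")
```

The LdrLoadDll hook is not flagged because GMER attributes it to firefox.exe itself, whereas the NtProtectVirtualMemory and NtWriteVirtualMemory hooks jump to 0x0014000A and 0x0015000A with no owning module.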




#2 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida
  • Local time:03:46 AM

Posted 13 September 2010 - 07:13 AM

Hello vaporiser

Welcome to BleepingComputer
==========================

One or more of the identified infections is a backdoor trojan or rootkit.

This type of infection has the capability to allow a hacker to remotely control your computer, steal critical system information, and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

If you still want to clean it, please do the following:

===================
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

========
Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

  • Double click on ComboFix.exe & follow the prompts.



When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here.



