
I got infected while MS Security Essentials were up to date and running


20 replies to this topic

#1 berni2k

berni2k

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:07:01 PM

Posted 29 October 2010 - 05:40 AM

Hello,

I first saw the infection when i discovered 3 strange files in temp dirs and my system produced a very strange blue screen:
user/appdata/local/temp: tmbyo.exe -> 60kb
windows/temp: dat1fb0.tmp.exe -> 115kb
windows/temp: dat1fb0.tmp -> 0kb
the blue screen was in a way i never saw before: all blue but 2 short lines in top left saying: STOP: c0000bf0 Unknown Hard Error
(i think the virus wanted my sys to be restarted after installing some virus services and drivers)
as i know now that was the point the outbreak started: all virus files i found after that had the creation time from this forced shutdown (time in the windows event log corresponding to new installed dlls and sys files)

I copied the 3 files above to a random location to look at them later with newer virus definitions and other antivirus programs as Microsoft Security Essentials did tell me they are safe.

Then i found a strange new task in windows/tasks (something like A1.job) it had already run before i found and deleted it :(

After 2 days with strange behavior (Firefox suddenly not starting up all the time i click it but running as 2MB process in the process list and a website popup after starting firefox i never saw before directing to this site: ATTENTION! www.dreamwater.net ATTENTION! and longer windows startup times with other new installed programs running but not functioning right: AIDA64 in tray but no context menu) finally Microsoft Security Essentials after 4 or 5 new updates found a virus in a new location with same creation date as my blue screen shutdown (25.10.2010 21:00):
windows/system32/config/systemprofile/appdata/local/microsoft/windows/temporary internet files/content.ie5/xrah2cr8/stbis.exe -> alureon.dx virus

After that i tried to lock down my system:
I deleted 2 strange looking services in the registry and 2 sys files in system32/Drivers that were corresponding to them and 2 dll files in system32 with the same creation date as the original virus files (same creation date: 25.10.2010 21:00h)
reg1: zevetckj
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\zevetckj]
"ImagePath"="system32\\drivers\\obfpni.sys"
"DisplayName"="zevetckj"
"Group"="Boot Bus Extender"
"Type"=dword:00000001
"Start"=dword:00000000
"ErrorControl"=dword:00000000
"_MAIN"=hex:00,7e,00,00,3c,47,00,00,10,00,00,00,00,00,00,00,03,eb,b1,45,83,d6,........ very long (too long to post but i still have it if needed)

reg2: wyzrq -> same as above but "ImagePath"="system32\\drivers\\xmnjgkp.sys"

(i also found the 2 reg entries in one more location: [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\])

driver1: zmnjgkp.sys -> 43kb, properties-language: russian (still got the file if needed)
driver2: obfpni.sys -> 43kb, properties-language: russian (still have the file if needed)

dll1: dl035af.dll -> 712kb
dll2: dlo35af.tmp -> 0kb

i also found str.sys -> 168kb with same creation date and moved it away

after that i installed Malwarebytes Anti-Malware and made a quick and a complete scan with latest definitions: no results
system still infected with odd behavior as described above
after that i installed latest eset NOD32 smart security with firewall and did deep scans with all options activated: no results
system still infected :(

HELP

my sys: windows 7 ultimate 64bit

PS: i rescanned the original virus files with NOD32:
K:\backup\tmbyo.exe NSIS script.nsi - NSIS/TrojanDownloader.FakeAlert.DK.Gen trojan
K:\backup\DAT1FB0.tmp.exe - a variant of Win32/Rootkit.BlackEnergy.AA trojan
K:\backup\dlo35AF.dll - Win32/Boaxxe.A trojan
i don't have the stbis.exe anymore so i can not rescan it with nod32 (see above for result with microsoft security essentials)


 


#2 berni2k


Posted 29 October 2010 - 05:57 AM

oh i forgot:
besides stbis.exe i also found img_0100.exe in the same dir as stbis.exe
NOD32 still says nothing when i scan it but it has the same date and size as dll1: dlo35af.dll -> 712kb

my first post has a typo: dll1: dl035af.dll -> 712kb should be dll1: dlo35af.dll -> 712kb

thx

#3 berni2k


Posted 29 October 2010 - 06:14 AM

one more thing i forgot writing in the first post:

the infection also changed my DNS entries DNS1 and DNS2 under ipv4
i already changed them back to 8.8.8.8 and 8.8.4.4 so i do not know the virus ones anymore

i already did a flushdns over cmd

thx

#4 berni2k


Posted 29 October 2010 - 07:40 PM

hmm ...

as no one got an idea how to solve this, how big are the chances that my infection changed files on other partitions?
if 0% i will just format the infected windows 7 partition and be happy ...

#5 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,612 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:08:01 PM

Posted 30 October 2010 - 08:15 AM

Please follow these instructions: How to remove Google Redirects or the TDSS, TDL3, Alureon rootkit using TDSSKiller
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • When the program opens, click the Start Scan button.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure is selected, then click Continue > Reboot now to finish the cleaning process. <- Important!!
    Note: If 'Suspicious' objects are detected, you will be given the option to Skip or Quarantine. Skip will be the default selection.
  • A log file named TDSSKiller_version_date_time_log.txt will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.
-- For any files detected as 'Suspicious' (except those identified as Forged to be cured after reboot) get a second opinion by submitting to Jotti's virusscan or VirusTotal. In the "File to upload & scan" box, browse to the location of the suspicious file and submit (upload) it for scanning/analysis.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators


#6 berni2k


Posted 30 October 2010 - 04:36 PM

thx a lot for helping me, as i already read many other posts here on the forum i also thought this could be the infection or at least one of my infections if i got more ...

here are the logs:
first one before and second one after i cleaned the MBR with tdsskiller and rebooted

2010/10/30 11:28:52.0223 TDSS rootkit removing tool 2.4.5.1 Oct 26 2010 11:28:49
2010/10/30 11:28:52.0223 ================================================================================
2010/10/30 11:28:52.0223 SystemInfo:
2010/10/30 11:28:52.0223
2010/10/30 11:28:52.0223 OS Version: 6.1.7600 ServicePack: 0.0
2010/10/30 11:28:52.0223 Running under WOW64
2010/10/30 11:28:52.0223 Processor architecture: Intel x64
2010/10/30 11:28:52.0223 Number of processors: 4
2010/10/30 11:28:52.0223 Page size: 0x1000
2010/10/30 11:28:52.0223 Boot type: Normal boot
2010/10/30 11:28:52.0223 ================================================================================
2010/10/30 11:28:52.0223 Utility is running under WOW64
2010/10/30 11:28:53.0081 Initialize success
2010/10/30 11:29:08.0743 ================================================================================
2010/10/30 11:29:08.0743 Scan started
2010/10/30 11:29:08.0743 Mode: Manual;
2010/10/30 11:29:08.0743 ================================================================================
2010/10/30 11:29:09.0211 1394ohci (1b00662092f9f9568b995902f0cc40d5) C:\Windows\system32\DRIVERS\1394ohci.sys
2010/10/30 11:29:09.0258 ACPI (6f11e88748cdefd2f76aa215f97ddfe5) C:\Windows\system32\DRIVERS\ACPI.sys
2010/10/30 11:29:09.0258 AcpiPmi (63b05a0420ce4bf0e4af6dcc7cada254) C:\Windows\system32\DRIVERS\acpipmi.sys
2010/10/30 11:29:09.0289 adp94xx (2f6b34b83843f0c5118b63ac634f5bf4) C:\Windows\system32\DRIVERS\adp94xx.sys
2010/10/30 11:29:09.0320 adpahci (597f78224ee9224ea1a13d6350ced962) C:\Windows\system32\DRIVERS\adpahci.sys
2010/10/30 11:29:09.0336 adpu320 (e109549c90f62fb570b9540c4b148e54) C:\Windows\system32\DRIVERS\adpu320.sys
2010/10/30 11:29:09.0383 AFD (b9384e03479d2506bc924c16a3db87bc) C:\Windows\system32\drivers\afd.sys
2010/10/30 11:29:09.0414 agp440 (608c14dba7299d8cb6ed035a68a15799) C:\Windows\system32\DRIVERS\agp440.sys
....
2010/10/30 11:29:14.0780 WIMMount (05ecaec3e4529a7153b3136ceb49f0ec) C:\Windows\system32\drivers\wimmount.sys
2010/10/30 11:29:14.0811 WmiAcpi (f6ff8944478594d0e414d3f048f0d778) C:\Windows\system32\DRIVERS\wmiacpi.sys
2010/10/30 11:29:14.0843 ws2ifsl (6bcc1d7d2fd2453957c5479a32364e52) C:\Windows\system32\drivers\ws2ifsl.sys
2010/10/30 11:29:14.0874 WudfPf (7cadc74271dd6461c452c271b30bd378) C:\Windows\system32\drivers\WudfPf.sys
2010/10/30 11:29:14.0889 WUDFRd (3b197af0fff08aa66b6b2241ca538d64) C:\Windows\system32\DRIVERS\WUDFRd.sys
2010/10/30 11:29:14.0952 \HardDisk2\MBR - detected Rootkit.Win32.TDSS.tdl4 (0)
2010/10/30 11:29:14.0952 ================================================================================
2010/10/30 11:29:14.0952 Scan finished
2010/10/30 11:29:14.0952 ================================================================================
2010/10/30 11:29:14.0952 Detected object count: 1
2010/10/30 12:19:17.0633 \HardDisk2\MBR - will be cured after reboot
2010/10/30 12:19:17.0633 Rootkit.Win32.TDSS.tdl4(\HardDisk2\MBR) - User select action: Cure
2010/10/30 12:19:27.0523 Deinitialize success

-----

2010/10/30 12:33:17.0054 TDSS rootkit removing tool 2.4.5.1 Oct 26 2010 11:28:49
2010/10/30 12:33:17.0054 ================================================================================
2010/10/30 12:33:17.0054 SystemInfo:
2010/10/30 12:33:17.0054
2010/10/30 12:33:17.0054 OS Version: 6.1.7600 ServicePack: 0.0
2010/10/30 12:33:17.0054 Running under WOW64
2010/10/30 12:33:17.0054 Processor architecture: Intel x64
2010/10/30 12:33:17.0054 Number of processors: 4
2010/10/30 12:33:17.0054 Page size: 0x1000
2010/10/30 12:33:17.0054 Boot type: Normal boot
2010/10/30 12:33:17.0054 ================================================================================
2010/10/30 12:33:17.0054 Utility is running under WOW64
2010/10/30 12:33:17.0787 Initialize success
2010/10/30 12:33:20.0143 ================================================================================
2010/10/30 12:33:20.0143 Scan started
2010/10/30 12:33:20.0143 Mode: Manual;
2010/10/30 12:33:20.0143 ================================================================================
2010/10/30 12:33:20.0689 1394ohci (1b00662092f9f9568b995902f0cc40d5) C:\Windows\system32\DRIVERS\1394ohci.sys
2010/10/30 12:33:20.0704 ACPI (6f11e88748cdefd2f76aa215f97ddfe5) C:\Windows\system32\DRIVERS\ACPI.sys
2010/10/30 12:33:20.0720 AcpiPmi (63b05a0420ce4bf0e4af6dcc7cada254) C:\Windows\system32\DRIVERS\acpipmi.sys
.....
2010/10/30 12:33:26.0320 WUDFRd (3b197af0fff08aa66b6b2241ca538d64) C:\Windows\system32\DRIVERS\WUDFRd.sys
2010/10/30 12:33:26.0367 ================================================================================
2010/10/30 12:33:26.0367 Scan finished
2010/10/30 12:33:26.0367 ================================================================================
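
Added example (not part of the original posts and not the tool vendor's code): a Python parser for the two TDSSKiller logs above that checks whether the object flagged in the first scan is gone in the rescan. The log excerpts are copied from this post; the function names are hypothetical and the line patterns are inferred only from the lines shown in this thread.

```python
import re

LINE_RE = re.compile(r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4} ?(?P<msg>.*)$")
DRIVER_RE = re.compile(r"^(?P<svc>\S+) \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$")
DETECT_RE = re.compile(r"^(?P<obj>.+?) - detected (?P<verdict>\S+)")
ACTION_RE = re.compile(
    r"^(?P<verdict>[^\s(]+)\((?P<obj>.+)\) - User select action: (?P<action>\w+)$")

# Excerpts of the two logs posted above (driver list shortened further).
BEFORE = r"""
2010/10/30 11:29:08.0743 Scan started
2010/10/30 11:29:09.0211 1394ohci (1b00662092f9f9568b995902f0cc40d5) C:\Windows\system32\DRIVERS\1394ohci.sys
2010/10/30 11:29:09.0258 ACPI (6f11e88748cdefd2f76aa215f97ddfe5) C:\Windows\system32\DRIVERS\ACPI.sys
2010/10/30 11:29:14.0952 \HardDisk2\MBR - detected Rootkit.Win32.TDSS.tdl4 (0)
2010/10/30 11:29:14.0952 Scan finished
2010/10/30 11:29:14.0952 Detected object count: 1
2010/10/30 12:19:17.0633 \HardDisk2\MBR - will be cured after reboot
2010/10/30 12:19:17.0633 Rootkit.Win32.TDSS.tdl4(\HardDisk2\MBR) - User select action: Cure
"""
AFTER = r"""
2010/10/30 12:33:20.0143 Scan started
2010/10/30 12:33:20.0689 1394ohci (1b00662092f9f9568b995902f0cc40d5) C:\Windows\system32\DRIVERS\1394ohci.sys
2010/10/30 12:33:20.0704 ACPI (6f11e88748cdefd2f76aa215f97ddfe5) C:\Windows\system32\DRIVERS\ACPI.sys
2010/10/30 12:33:26.0367 Scan finished
"""


def parse_tdsskiller(text):
    """Extract driver hashes, detections, chosen actions and completion state."""
    scan = {"drivers": {}, "detections": {}, "actions": {}, "finished": False}
    for raw in text.splitlines():
        line = LINE_RE.match(raw.strip())
        if not line:
            continue  # blank lines and the "...." elision markers
        msg = line["msg"]
        if (m := DRIVER_RE.match(msg)):
            scan["drivers"][m["svc"].lower()] = (m["md5"], m["path"])
        elif (m := DETECT_RE.match(msg)):
            scan["detections"][m["obj"]] = m["verdict"]
        elif (m := ACTION_RE.match(msg)):
            scan["actions"][m["obj"]] = m["action"]
        elif msg == "Scan finished":
            scan["finished"] = True
    return scan


def compare_scans(before, after):
    """Summarise what changed between the pre-cure scan and the post-reboot scan."""
    old, new = set(before["detections"]), set(after["detections"])
    # Posted logs are often elided, so only drivers listed in both are compared.
    shared = before["drivers"].keys() & after["drivers"].keys()
    return {
        "cleared": sorted(old - new),
        "persisting": sorted(old & new),
        "new": sorted(new - old),
        "changed_drivers": sorted(
            s for s in shared if before["drivers"][s][0] != after["drivers"][s][0]),
        "rescan_complete": after["finished"],
    }


def cure_confirmed(report):
    """True only if the rescan ran to completion and reports nothing any more."""
    return (report["rescan_complete"] and bool(report["cleared"])
            and not report["persisting"] and not report["new"])


if __name__ == "__main__":
    print(compare_scans(parse_tdsskiller(BEFORE), parse_tdsskiller(AFTER)))
```

A clean second log only shows that TDSSKiller, running inside the same system, no longer reports the object; a truncated rescan log is treated as unconfirmed.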

#7 quietman7


Posted 30 October 2010 - 10:07 PM

This is the pertinent section of the log which indicates an infected Master Boot Record (MBR) that will be cured after reboot.

2010/10/30 11:29:14.0952 \HardDisk2\MBR - detected Rootkit.Win32.TDSS.tdl4
2010/10/30 11:29:14.0952 ================================================================================
2010/10/30 11:29:14.0952 Scan finished
2010/10/30 11:29:14.0952 ================================================================================
2010/10/30 11:29:14.0952 Detected object count: 1
2010/10/30 12:19:17.0633 \HardDisk2\MBR - will be cured after reboot
2010/10/30 12:19:17.0633 Rootkit.Win32.TDSS.tdl4(\HardDisk2\MBR) - User select action: Cure


To learn more about this infection please refer to:
Try doing an online scan to see if it finds anything else (i.e. remnants) that the other scans may have missed.

Please perform a scan with Eset Online Anti-virus Scanner.
  • This scan requires Internet Explorer to work. If using a different browser, you will be given the option to download and use the ESET Smart Installer.
  • Vista/Windows 7 users need to run Internet Explorer as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run As Administrator from the context menu.
  • Click the green Posted Image button.
  • Read the End User License Agreement and check the box:
  • Check Posted Image.
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Check Remove found threats and Scan potentially unwanted applications. (If given the option, choose "Quarantine" instead of delete.)
  • Click the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer.
  • If offered the option to get information or buy software at any point, just close the window.
  • The scan will take a while so be patient and do NOT use the computer while the scan is running. Keep all other programs and windows closed.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop as ESETScan.txt.
  • Push the Posted Image button, then Finish.
  • Copy and paste the contents of ESETScan.txt in your next reply.
Note: A log.txt file will also be created and automatically saved in the C:\Program Files\EsetOnlineScanner\ folder.
If you did not save the ESETScan log, click Posted Image > Run..., then type or copy and paste everything in the code box below into the Open dialogue box:

C:\Program Files\ESET\EsetOnlineScanner\log.txt
  • Click Ok and the scan results will open in Notepad.
  • Copy and paste the contents of log.txt in your next reply.
-- Some online scanners will detect existing anti-virus software and refuse to cooperate. You may have to disable the real-time protection components of your existing anti-virus and try running the scan again. If you do this, remember to turn them back on after you are finished.

#8 berni2k


Posted 31 October 2010 - 05:28 AM

If you want to use it i also got NOD32 smart security 4 installed on the infected system.

here are the results of the online scan:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner64.ocx - registred OK
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=9.00.7930.16406 (WIN7_IE9_Beta.100831-2345)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-10-31 09:52:51
# country="United States"
# lang=1033
# osver=6.1.7600 NT
# compatibility_mode=5893 16776573 100 94 176200 40147637 0 0
# compatibility_mode=8201 23428477 100 75 6253 6902537 0 0
# scanned=105997
# found=0
# cleaned=0
# scan_time=984


i also did an eset online scan 3 days ago when the rootkit was still active and eset online scan didn't find anything back then either:

# version=7
# iexplore.exe=9.00.7930.16406 (WIN7_IE9_Beta.100831-2345)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-10-27 09:35:35
# country="United States"
# lang=1033
# osver=6.1.7600 NT
# compatibility_mode=5891 16776573 100 100 42593 18673084 0 0
# compatibility_mode=8192 67108863 100 0 639 639 0 0
# scanned=107360
# found=0
# cleaned=0
# scan_time=429

#9 quietman7


Posted 31 October 2010 - 06:47 AM

How is your computer running now? Are there any more signs of infection, strange audio ads, unwanted pop-ups, security alerts, or browser redirects?

#10 berni2k


Posted 31 October 2010 - 11:07 AM

hard to say, it seems as the symptoms went away, i only wonder why there is (eg 5min after booting up windows) so much disk activity (several minutes), i looked at it a bit with resource monitor and saw disk activity (by system) on partitions where there should be no activity because there is nothing installed and only data on it or disk activity in folders which i'm not using at that moment (also on other partitions)

could the virus mask itself on other partitions and come back if i reinstall windows?

I am unsure what to do at the moment

#11 quietman7


Posted 31 October 2010 - 02:39 PM

Delayed load time can be an indication of too many applications loading at startup when Windows boots. Almost all applications you install want to startup when Windows loads. If you allow all these startups, they will compete for and use system resources resulting in poor performance and a slow system. Many of these programs are not needed and disabling them can save resources and improve performance as they can be accessed from Start > Programs or an icon on the desktop if needed. So the first thing I would look at is how many programs are loading at startup.

Too many browser Add-ons / toolbars can also cause problems. Incompatible browser extensions and add-ons can impact system performance and cause compatibility issues such as application hangs (freezing).

If you have a lot of unnecessary startups, try using a free Startup Manager like one of the following:
You will be provided with a list of programs that load when Windows starts. If you untick an entry it will no longer run at startup. This will allow you to experiment and see how your system performs with any of them disabled.
-- Note: some startup programs are necessary so be careful what you disable.

If you are unsure what any of the program entries are or if they are safe to disable, search the name using Google <- click here for an example.
Or search the following databases:
For more information about other ways to improve performance, please refer to Slow Computer/Browser? Check here first; it may not be malware.

#12 berni2k


Posted 31 October 2010 - 06:30 PM

the startup is long finished before this special disk activity starts that i described above :thumbsup:

well as we found the Rootkit.Win32.TDSS.tdl4(\HardDisk2\MBR) in addition to what i found in the first post, do these virus families also infect other partitions (eg data partitions on other harddisks) or can you exclude that?

for all the others reading this here a sum up what i already did and what you can do if you are infected with the same or a similar virus:

MBAM, MSE or NOD32 antivirus are useless against this rootkit infection but
i managed to delete at least parts of the virus manually:

0) delete the virus task jobs from windows/tasks (default names with latest creation date)
1) clean your windows/temp and appdata/local/temp folders
2) clean temp internet files from IE
3) clean temp internet files from system32/config/systemprofile/appdata/local/microsoft/windows/temporary internet files/
4) delete the virus *.sys files in system32/drivers (they have random names with files dates from infection)
5) delete the corresponding registry folders (random names too but they include a path to the sys files from above and should be boot bus extenders) under [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\]
6) delete the virus *.dll and *.tmp files from windows/system32/ (creation date = infection date) random names of course
7) check/reset your dns under ipv4
8) finally run tdsskiller.exe (get latest version from kaspersky for free) and let it clean the MBR infection and restart

this is all i know so far
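
Added example (not part of the original posts): step 5 above and the registry keys quoted in the first post describe boot-start kernel driver services with random names. This Python example parses a regedit export of the services keys and lists such drivers that are missing from a known-good baseline. The function names, the baseline set and the two heuristics (file name differs from service name, non-standard value names) are assumptions made for illustration; the sample export is constructed.

```python
import re
from collections import defaultdict

# Value names commonly found under a driver's service key (not exhaustive).
STANDARD_VALUES = {"imagepath", "displayname", "group", "type", "start", "errorcontrol",
                   "tag", "description", "dependonservice", "dependongroup", "objectname"}
KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\(?P<cs>[^\\]+)\\services\\(?P<svc>[^\\\]]+)\]$", re.I)
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')
# Constructed sample in regedit export syntax. The random-named keys reuse values quoted
# in the first post (_MAIN shortened); "pci" and "usbhub" are filler entries.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\pci]
"ImagePath"="system32\\drivers\\pci.sys"
"Type"=dword:00000001
"Start"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\usbhub]
"Type"=dword:00000001
"Start"=dword:00000003

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\zevetckj]
"ImagePath"="system32\\drivers\\obfpni.sys"
"Group"="Boot Bus Extender"
"Type"=dword:00000001
"Start"=dword:00000000
"_MAIN"=hex:00,7e,00,00,3c,47,00,00,\
  10,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\zevetckj]
"ImagePath"="system32\\drivers\\obfpni.sys"
"Type"=dword:00000001
"Start"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\wyzrq]
"ImagePath"="system32\\drivers\\xmnjgkp.sys"
"Type"=dword:00000001
"Start"=dword:00000000
'''

def parse_services(reg_text):
    """Map (control_set, service) -> {lower-cased value name: decoded value}."""
    services, current = defaultdict(dict), None
    text = re.sub(r",\\\r?\n\s*", ",", reg_text)  # rejoin wrapped hex: values
    for line in map(str.strip, text.splitlines()):
        if line.startswith("["):
            key = KEY_RE.match(line)
            current = (key["cs"], key["svc"]) if key else None  # subkeys are skipped
            continue
        val = VALUE_RE.match(line)
        if current is None or not val:
            continue
        data = val["data"]
        if data.startswith("dword:"):
            data = int(data[6:], 16)
        elif data.startswith('"'):
            data = re.sub(r"\\(.)", r"\1", data[1:-1])  # undo \\ and \" escaping
        services[current][val["name"].lower()] = data
    return dict(services)

def flag_boot_drivers(services, baseline=()):
    """Report boot-start kernel drivers whose service name is not in the baseline."""
    known, findings = {name.lower() for name in baseline}, {}
    for (cs, svc), vals in services.items():
        # Type 1 = kernel driver, Start 0 = loaded by the boot loader.
        if vals.get("type") != 1 or vals.get("start") != 0 or svc.lower() in known:
            continue
        image = str(vals.get("imagepath", ""))
        reasons = []
        if image.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower() != svc.lower():
            reasons.append("driver file name differs from service name: " + image)
        extra = sorted(set(vals) - STANDARD_VALUES)
        if extra:
            reasons.append("non-standard values: " + ", ".join(extra))
        entry = findings.setdefault(svc, {"control_sets": [], "reasons": []})
        entry["control_sets"].append(cs)
        entry["reasons"] += [r for r in reasons if r not in entry["reasons"]]
    return findings
```

Files exported by regedit in the "Version 5.00" format are UTF-16 encoded, so decode them as UTF-16 before passing the text to `parse_services`.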

#13 quietman7


Posted 31 October 2010 - 09:16 PM

This issue will require further investigation. Many of the tools we use in this forum are not capable of detecting all malware variants so more advanced tools are needed to investigate. Before that can be done you will need to create and post a DDS log for further investigation.

Please read the pinned topic titled "Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help". If you cannot complete a step, then skip it and continue with the next. In Step 7 there are instructions for downloading and running DDS which will create a Pseudo HJT Report as part of its log.

When you have done that, post your log in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the Malware Response Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, we would appreciate if you post a link to your log back here so we know that you're getting help from the Malware Response Team.

Please be patient. It may take a while to get a response because the Malware Response Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have posted your log and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the Malware Response Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another Malware Response Team member is already assisting you and not open the thread to respond.

#14 berni2k


Posted 12 November 2010 - 07:13 PM

Hi,

I didn't post a log so far in the other forum because i reinstalled windows.

But i could not format the whole hard disk, just the system partition in front.

Should we still go on and check?

cu

#15 quietman7


Posted 12 November 2010 - 07:49 PM

How is your computer running?
Did you repeat your scans with MBAM, NOD32?
Did they find anything?