Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Netbook riddled with Rootkits!!


  • This topic is locked This topic is locked
6 replies to this topic

#1 poppy83

poppy83

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:09:25 PM

Posted 15 December 2010 - 03:12 PM

Hi there

Im new to the site, I joined because Im going nuts with my emachines netbook. I have the dreaded rootkit trojan virus and have tried everything in my power to remove them. I have purchased and installed both Stopzilla and SuperAntiSpyware professional, which both pick up the infections and remove them. But after a few hours the system becomes reinfected again with rootkits and appear to be in the same places as before.

Im very amateur with computers, and have only just found my way around the keyboard! My system is Windows xp. Is there any other way I can get rid of these infections once and for all AND stop them returning?

Thanks

BC AdBot (Login to Remove)

 


#2 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:04:25 PM

Posted 15 December 2010 - 04:15 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#3 poppy83

poppy83
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:09:25 PM

Posted 15 December 2010 - 05:39 PM

DDS (Ver_10-12-12.02) - NTFSx86
Run by jodie at 21:41:54.28 on 15/12/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1013.305 [GMT 0:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
c:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
svchost.exe
C:\Program Files\Application Updater\ApplicationUpdater.exe
C:\Program Files\Launch Manager\dsiwmis.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\eMachines\eMachines Updater\UpdaterService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Launch Manager\LManager.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\snuvcdsm.exe
C:\Program Files\HBLite\bin\11.0.264.0\HBLiteSA.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Spigot\Search Settings\SearchSettings.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Uniblue\RegistryBooster\registrybooster.exe
C:\Program Files\Launch Manager\LMworker.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
c:\Program Files\STOPzilla!\STOPzilla.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\jodie\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
mStart Page = hxxp://search.myheritage.com
uURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: STOPzilla Browser Helper Object: {e3215f20-3212-11d6-9f8b-00d0b743919d} - c:\program files\stopzilla!\SZIEBHO.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
TB: {FD2FD708-1F6F-4B68-B141-C5778F0C19BB} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [ares] "c:\program files\ares\Ares.exe" -h
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [RegistryBooster] "c:\program files\uniblue\registrybooster\launcher.exe" delay 20000
uRun: [BrowserChoice] "c:\windows\system32\browserchoice.exe" /run
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [AzMixerSel] c:\program files\realtek\audio\drivers\AzMixerSel.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [LManager] c:\program files\launch manager\LManager.exe
mRun: [PLFSetL] c:\windows\PLFSetL.exe
mRun: [snuvcdsm] c:\windows\snuvcdsm.exe
mRun: [HBLiteSA] "c:\program files\hblite\bin\11.0.264.0\HBLiteSA.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Blubster] c:\program files\blubster\Blubster.exe SILENT
mRun: [<NO NAME>]
mRun: [SearchSettings] "c:\program files\common files\spigot\search settings\SearchSettings.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: mswsock.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
TCP: {D872016E-E573-485E-B982-C2B771BDB3E1} = 8.8.8.8,8.8.4.4
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R0 szkg5;szkg5;c:\windows\system32\drivers\SZKG.sys [2009-12-7 61328]
R0 szkgfs;szkgfs;c:\windows\system32\drivers\SZKGFS.sys [2010-5-12 59280]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 Application Updater;Application Updater;c:\program files\application updater\ApplicationUpdater.exe [2010-10-22 386560]
R2 DsiWMIService;Dritek WMI Service;c:\program files\launch manager\dsiwmis.exe [2010-5-4 312400]
R2 Updater Service;Updater Service;c:\program files\emachines\emachines updater\UpdaterService.exe [2010-5-4 243232]
R3 L1c;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [2010-5-4 60456]
S0 is3srv;is3srv;c:\windows\system32\drivers\is3srv.sys [2009-12-7 61328]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2010-5-4 1691480]

=============== Created Last 30 ================

2010-12-10 20:55:33 -------- d-----w- c:\program files\Dealio Toolbar
2010-12-10 20:55:33 -------- d-----w- c:\program files\common files\Spigot
2010-12-10 20:55:33 -------- d-----w- c:\program files\Application Updater
2010-12-10 08:32:25 -------- d-----w- c:\program files\STOPzilla!
2010-12-09 17:38:26 132560 ----a-r- c:\windows\system32\IS3HTUI5.dll
2010-12-09 17:38:24 546256 ----a-r- c:\windows\system32\SZComp5.dll
2010-12-09 17:38:24 452048 ----a-r- c:\windows\system32\SZBase5.dll
2010-12-09 17:38:24 398800 ----a-r- c:\windows\system32\IS3DBA5.dll
2010-12-09 17:38:24 28624 ----a-r- c:\windows\system32\IS3XDat5.dll
2010-12-09 17:38:24 22992 ----a-r- c:\windows\system32\SZIO5.dll
2010-12-09 17:38:22 99792 ----a-r- c:\windows\system32\IS3Svc5.dll
2010-12-09 17:38:22 99792 ----a-r- c:\windows\system32\IS3Inet5.dll
2010-12-09 17:38:22 67024 ----a-r- c:\windows\system32\IS3Hks5.dll
2010-12-09 17:38:22 390608 ----a-r- c:\windows\system32\IS3UI5.dll
2010-12-09 17:38:20 738768 ----a-r- c:\windows\system32\IS3Base5.dll
2010-12-09 17:38:20 230864 ----a-r- c:\windows\system32\IS3Win325.dll
2010-12-04 18:41:39 -------- d-----w- c:\docume~1\alluse~1\applic~1\MFAData
2010-12-04 18:25:02 -------- dc-h--w- c:\docume~1\alluse~1\applic~1\{27421C9C-709B-43F9-8172-0099AB711CC3}
2010-11-29 10:13:34 -------- d-----w- c:\docume~1\jodie\applic~1\SUPERAntiSpyware.com
2010-11-29 10:12:10 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-11-29 09:29:43 -------- d-----w- c:\program files\PC Tools Security
2010-11-29 09:27:47 -------- d-----w- c:\docume~1\alluse~1\applic~1\PC Tools
2010-11-29 09:13:19 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-11-29 09:13:08 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-11-29 09:12:06 -------- d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2010-11-27 12:41:02 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-11-26 20:23:05 78040 ----a-w- c:\windows\system32\drivers\klmdb.sys
2010-11-26 20:08:01 -------- d-----w- C:\_OTM
2010-11-26 18:39:46 -------- d-----w- c:\docume~1\jodie\applic~1\Uniblue
2010-11-26 18:39:36 -------- d-----w- c:\program files\Uniblue
2010-11-26 18:39:28 -------- d-----w- c:\docume~1\jodie\locals~1\applic~1\PackageAware
2010-11-22 21:55:28 -------- d-----w- c:\docume~1\jodie\applic~1\Search Settings
2010-11-20 13:38:49 -------- d-----w- c:\program files\Blubster

==================== Find3M ====================

2010-10-09 08:22:41 66048 --sha-r- c:\windows\system32\fltMc9.dll
2010-09-18 11:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: Hitachi_ rev.PBBO -> Harddisk0\DR0 -> \Device\Ide\iaStor0

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xF4DD111B]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; PUSH EBX; PUSH ESI; PUSH EDI; CMP EAX, [0xf4dd4888]; JNZ 0x1f; MOV EBX, [EBP+0xc]; CALL 0xfffffffffffffd3b; }
1 nt!IofCallDriver[0x804E13B9] -> \Device\Harddisk0\DR0[0x863872B0]
3 CLASSPNP[0xF772FFD7] -> nt!IofCallDriver[0x804E13B9] -> [0x85956B90]
\Driver\Disk[0x8570F3E0] -> IRP_MJ_CREATE -> 0xF4DD111B
error: Read The system cannot find the file specified.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; MOV CX, 0x4; MOV BP, 0x7be; CMP BYTE [BP+0x0], 0x0; }
detected disk devices:
\Device\Ide\IAAStorageDevice-0 -> \??\IDE#DiskHitachi_HTS545016B9A300_________________PBBOC60F#4&36fb52f8&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !

============= FINISH: 21:42:22.50 ===============

Attached Files

  • Attached File  ark.txt   25.69KB   2 downloads


#4 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:04:25 PM

Posted 15 December 2010 - 05:49 PM

Hello poppy83,
  • Welcome to Bleeping Computer.
  • My name is fireman4it and I will be helping you with your Malware problem.

    Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  • Finally, please reply using the Posted Image button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.

1.
The following is referring to Uniblue Registry Booster> .
Please be aware that bleepingcomputer staff do not recommend the usage of registry cleaners / tools due to the following facts:
  • Registry tools can cause irreparable damage to your Operating System
  • Registry tools can, as a result of the above, render your pc to be inoperable.
This is done, assuming that the major audience here at this board might be inexperienced users and thus a suggested safeguard from our side.
If you feel you have the need for a registry cleaner, then you are just as welcome to keep it. This is what we refer to an "optional fix" and is up to the user, so just take this as a recommendation from my side.

2.
Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe (v2.4.0.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.o7.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.

3.
Download and Run RKill
  • Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

    Link 1
    Link 2
    Link 3
    Link 4
  • Before we begin, you should disable your anti-malware softwares you have installed so they do not interfere RKill running as some anti-malware softwares detect RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply

4.
Install Recovery Console and Run ComboFix

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click onPosted Image ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Posted Image
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Note:The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you
should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Posted Image
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please Do NOT mouseclick combofix's window while its running because it may cause it to stall.


Things to include in your next reply::
TDSSKiller log
Combofix.txt
How is your machine running now?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#5 poppy83

poppy83
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:09:25 PM

Posted 16 December 2010 - 03:15 AM

Hi Firemanit

Thanks for your help.

TDSS did not find anything so I closed the program as instructed.

Here is the combofix text below. Once the scan was done it did not restart my computer. Should it have?

ComboFix 10-12-15.06 - jodie 16/12/2010 7:56.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1013.568 [GMT 0:00]
Running from: c:\documents and settings\jodie\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\.wtav
c:\documents and settings\All Users\Application Data\HBLiteSA
c:\documents and settings\All Users\Application Data\HBLiteSA\HBLiteSA.dat
c:\documents and settings\All Users\Application Data\HBLiteSA\HBLiteSA_kyf.dat
c:\documents and settings\All Users\Application Data\HBLiteSA\HBLiteSAAbout.mht
c:\documents and settings\All Users\Application Data\HBLiteSA\HBLiteSAau.dat
c:\documents and settings\All Users\Application Data\HBLiteSA\HBLiteSAEULA.mht
c:\program files\ClickPotatoLite
c:\program files\Dealio Toolbar
c:\program files\Dealio Toolbar\IE\4.1\config.ini
c:\program files\Dealio Toolbar\Res\amazon.gif
c:\program files\Dealio Toolbar\Res\apple.gif
c:\program files\Dealio Toolbar\Res\barnes.gif
c:\program files\Dealio Toolbar\Res\bestbuy.gif
c:\program files\Dealio Toolbar\Res\dealio_logo.gif
c:\program files\Dealio Toolbar\Res\dealio_logo_hover.gif
c:\program files\Dealio Toolbar\Res\ebay.gif
c:\program files\Dealio Toolbar\Res\icon_settings.gif
c:\program files\Dealio Toolbar\Res\macys.gif
c:\program files\Dealio Toolbar\Res\newegg.gif
c:\program files\Dealio Toolbar\Res\overstock.gif
c:\program files\Dealio Toolbar\Res\search-button-hover.gif
c:\program files\Dealio Toolbar\Res\search-button.gif
c:\program files\Dealio Toolbar\Res\search-chevron-hover.gif
c:\program files\Dealio Toolbar\Res\search-chevron.gif
c:\program files\Dealio Toolbar\Res\search_amazon.gif
c:\program files\Dealio Toolbar\Res\search_dealio.gif
c:\program files\Dealio Toolbar\Res\search_ebay.gif
c:\program files\Dealio Toolbar\Res\search_yahoo.gif
c:\program files\Dealio Toolbar\Res\target.gif
c:\program files\Dealio Toolbar\Res\walmart.gif
c:\program files\Dealio Toolbar\Res\widgets.xml
c:\program files\HBLite
c:\program files\HBLite\bin\11.0.264.0\firefox\extensions\chrome.manifest
c:\program files\HBLite\bin\11.0.264.0\firefox\extensions\install.rdf
c:\program files\HBLite\bin\11.0.264.0\firefox\extensions\plugins\npclntax_HBLiteSA.dll
c:\program files\HBLite\bin\11.0.264.0\HBLiteSA.exe
c:\program files\HBLite\bin\11.0.264.0\HBLiteSAAX.dll
c:\program files\HBLite\bin\11.0.264.0\HBLiteSAHook.dll
c:\windows\WinSxS\x86_Microsoft.Windows.Shell.HWEventDetector_6595b64144ccf1df_5.2.2.3_x-ww_5390e909\shsvcs.dll

.
((((((((((((((((((((((((( Files Created from 2010-11-16 to 2010-12-16 )))))))))))))))))))))))))))))))
.

2010-12-15 22:45 . 2010-12-15 22:45 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2010-12-10 20:55 . 2010-12-10 20:55 -------- d-----w- c:\program files\Application Updater
2010-12-10 20:55 . 2010-12-10 20:55 -------- d-----w- c:\program files\Common Files\Spigot
2010-12-10 08:32 . 2010-12-10 08:32 -------- d-----w- c:\program files\STOPzilla!
2010-12-09 17:38 . 2010-12-09 17:38 132560 ----a-r- c:\windows\system32\IS3HTUI5.dll
2010-12-09 17:38 . 2010-12-09 17:38 546256 ----a-r- c:\windows\system32\SZComp5.dll
2010-12-09 17:38 . 2010-12-09 17:38 452048 ----a-r- c:\windows\system32\SZBase5.dll
2010-12-09 17:38 . 2010-12-09 17:38 398800 ----a-r- c:\windows\system32\IS3DBA5.dll
2010-12-09 17:38 . 2010-12-09 17:38 28624 ----a-r- c:\windows\system32\IS3XDat5.dll
2010-12-09 17:38 . 2010-12-09 17:38 22992 ----a-r- c:\windows\system32\SZIO5.dll
2010-12-09 17:38 . 2010-12-09 17:38 99792 ----a-r- c:\windows\system32\IS3Svc5.dll
2010-12-09 17:38 . 2010-12-09 17:38 99792 ----a-r- c:\windows\system32\IS3Inet5.dll
2010-12-09 17:38 . 2010-12-09 17:38 67024 ----a-r- c:\windows\system32\IS3Hks5.dll
2010-12-09 17:38 . 2010-12-09 17:38 390608 ----a-r- c:\windows\system32\IS3UI5.dll
2010-12-09 17:38 . 2010-12-09 17:38 738768 ----a-r- c:\windows\system32\IS3Base5.dll
2010-12-09 17:38 . 2010-12-09 17:38 230864 ----a-r- c:\windows\system32\IS3Win325.dll
2010-12-04 18:41 . 2010-12-04 18:50 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2010-12-04 18:25 . 2010-12-16 07:30 -------- dc-h--w- c:\documents and settings\All Users\Application Data\~0
2010-11-29 10:13 . 2010-11-29 10:13 -------- d-----w- c:\documents and settings\jodie\Application Data\SUPERAntiSpyware.com
2010-11-29 10:12 . 2010-11-29 10:13 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-11-29 09:29 . 2010-11-29 09:51 -------- d-----w- c:\program files\PC Tools Security
2010-11-29 09:29 . 2010-11-29 09:50 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-11-29 09:27 . 2010-11-29 09:49 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2010-11-29 09:13 . 2010-11-29 09:13 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-11-29 09:13 . 2010-11-29 09:13 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-11-29 09:12 . 2010-11-29 09:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-11-27 12:41 . 2010-11-27 12:41 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-11-26 20:23 . 2010-11-26 20:23 78040 ----a-w- c:\windows\system32\drivers\klmdb.sys
2010-11-26 20:08 . 2010-11-26 20:08 -------- d-----w- C:\_OTM
2010-11-26 18:39 . 2010-11-26 18:39 -------- d-----w- c:\documents and settings\jodie\Application Data\Uniblue
2010-11-26 18:39 . 2010-11-26 18:39 -------- d-----w- c:\program files\Uniblue
2010-11-26 18:39 . 2010-11-26 18:39 -------- d-----w- c:\documents and settings\jodie\Local Settings\Application Data\PackageAware
2010-11-22 21:55 . 2010-11-22 21:55 -------- d-----w- c:\documents and settings\jodie\Application Data\Search Settings
2010-11-20 13:39 . 2010-11-20 13:39 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Application Updater
2010-11-20 13:38 . 2010-12-15 08:15 -------- d-----w- c:\program files\Blubster

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-18 18:12 . 2010-05-04 09:45 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-06 00:26 . 2010-05-04 18:25 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26 . 2010-05-04 18:25 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26 . 2010-05-04 18:25 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25 . 2010-05-04 18:25 385024 ----a-w- c:\windows\system32\html.iec
2010-11-02 15:17 . 2010-05-04 18:25 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
2010-10-28 13:13 . 2010-05-04 18:25 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25 . 2010-05-04 18:25 1853312 ----a-w- c:\windows\system32\win32k.sys
2010-09-18 11:23 . 2010-05-04 18:25 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2010-05-04 18:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2010-05-04 18:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2010-05-04 18:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-11-22 2424560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-11-16 141336]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-11-16 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-11-16 141336]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-06-04 186904]
"RTHDCPL"="RTHDCPL.EXE" [2010-03-12 19521056]
"AzMixerSel"="c:\program files\Realtek\Audio\Drivers\AzMixerSel.exe" [2009-12-11 59936]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"LManager"="c:\program files\Launch Manager\LManager.exe" [2010-04-08 908368]
"PLFSetL"="c:\windows\PLFSetL.exe" [2010-02-12 99712]
"snuvcdsm"="c:\windows\snuvcdsm.exe" [2010-02-12 30080]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-09-04 149280]
"SearchSettings"="c:\program files\Common Files\Spigot\Search Settings\SearchSettings.exe" [2010-10-22 524288]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

R0 szkg5;szkg5;c:\windows\system32\drivers\SZKG.sys [07/12/2009 16:59 61328]
R0 szkgfs;szkgfs;c:\windows\system32\drivers\SZKGFS.sys [12/05/2010 17:01 59280]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [17/02/2010 18:25 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/05/2010 18:41 67656]
R2 Application Updater;Application Updater;c:\program files\Application Updater\ApplicationUpdater.exe [22/10/2010 16:38 386560]
R2 DsiWMIService;Dritek WMI Service;c:\program files\Launch Manager\dsiwmis.exe [04/05/2010 18:26 312400]
R2 Updater Service;Updater Service;c:\program files\eMachines\eMachines Updater\UpdaterService.exe [04/05/2010 11:15 243232]
R3 L1c;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [04/05/2010 18:26 60456]
S0 is3srv;is3srv;c:\windows\system32\drivers\is3srv.sys [07/12/2009 16:59 61328]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [04/05/2010 11:00 1691480]

--- Other Services/Drivers In Memory ---

*Deregistered* - klmd25
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
mStart Page = hxxp://search.myheritage.com
LSP: mswsock.dll
TCP: {D872016E-E573-485E-B982-C2B771BDB3E1} = 8.8.8.8,8.8.4.4
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
Toolbar-Locked - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
WebBrowser-{FD2FD708-1F6F-4B68-B141-C5778F0C19BB} - (no file)
HKCU-Run-ares - c:\program files\Ares\Ares.exe
HKLM-Run-HBLiteSA - c:\program files\HBLite\bin\11.0.264.0\HBLiteSA.exe
HKLM-Run-Blubster - c:\program files\Blubster\Blubster.exe
SafeBoot-klmdb.sys



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-16 08:01
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: Hitachi_ rev.PBBO -> Harddisk0\DR0 -> \Device\Ide\iaStor0

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0xF64F611B]<<
c:\docume~1\jodie\LOCALS~1\Temp\catchme.sys
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; PUSH EBX; PUSH ESI; PUSH EDI; CMP EAX, [0xf64f9888]; JNZ 0x1f; MOV EBX, [EBP+0xc]; CALL 0xfffffffffffffd3b; }
1 nt!IofCallDriver[0x804E13B9] -> \Device\Harddisk0\DR0[0x863D6030]
3 CLASSPNP[0xF772FFD7] -> nt!IofCallDriver[0x804E13B9] -> [0x8563C030]
\Driver\Disk[0x8570C1D8] -> IRP_MJ_CREATE -> 0xF64F611B
error: Read The system cannot find the file specified.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; MOV CX, 0x4; MOV BP, 0x7be; CMP BYTE [BP+0x0], 0x0; }
detected disk devices:
\Device\Ide\IAAStorageDevice-0 -> \??\IDE#DiskHitachi_HTS545016B9A300_________________PBBOC60F#4&36fb52f8&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(852)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\documents and settings\jodie\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
c:\documents and settings\jodie\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
c:\documents and settings\jodie\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll

- - - - - - - > 'lsass.exe'(908)
c:\windows\system32\mswsock.dll
mswsock.dll 71a50000 258048 \\.\globalroot\systemroot\system32\mswsock.dll
c:\windows\system32\jscript.dll
.
Completion time: 2010-12-16 08:03:45
ComboFix-quarantined-files.txt 2010-12-16 08:03

Pre-Run: 130,498,539,520 bytes free
Post-Run: 131,605,385,216 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 6D477AA65DD9FC3279D50EEDF3B5B219

#6 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:04:25 PM

Posted 16 December 2010 - 06:01 PM

I'm afraid I have very bad news.

Your system is infected with a nasty variant of Virut, a polymorphic file infector with IRCBot functionality which infects .exe, .scr files, and opens a back door that compromises your computer. Using this backdoor, a remote attacker can access and instruct the infected computer to download and execute more malicious files.

-- Note: As with most malware infections, the threat name may be different depending on the anti-virus or anti-malware program which detected it. Each security vendor uses their own naming conventions to identify various types of malware.
With this particular infection, the safest solution and only sure way to remove it effectively is to reformat and reinstall the OS.

Why? According to this Norman White Paper Assessment of W32/Virut, some variants can infect the HOSTS file and block access to security related web sites. Other variants of virut can even penetrate and infect .exe files within compressed files (.zip, .cab, rar). The Virux and Win32/Virut.17408 variants are an even more complex file infectors which can embed an iframe into the body of web-related files and infect script files (.php, .asp, .htm, .html, .xml). When Virut creates infected files, it also creates non-functional files that are corrupted beyond repair and in some instances can disable Windows File Protection. In many cases the infected files cannot be disinfected properly by your anti-virus. When disinfection is attempted, the files become corrupted and the system may become irreparable. The longer virut remains on a computer, the more critical system files will become infected and corrupt so the degree of damage can vary.

The virus disables Windows File Protection by injecting code into the "winlogon.exe" process that patches system code in memory.

CA Virus detail of W32/Virut

The virus has a number of bugs in its code, and as a result it may misinfect a proportion of executable files....some W32/Virut.h infections are corrupted beyond repair.

McAfee Risk Assessment and Overview of W32/Virut

There are bugs in the viral code. When the virus produces infected files, it also creates non-functional files that also contain the virus...Due to the damaged caused to files by virut it's possible to find repaired but corrupted files. They became corrupted by the incorrect writing of the viral code during the process of infection. undetected, corrupted files (possibly still containing part of the viral code) can also be found. this is caused by incorrectly written and non-function viral code present in these files.

AVG Overview of W32/VirutVirut is commonly spread via a flash drive (usb, pen, thumb, jump) infection using RUNDLL32.EXE and other malicious files. It is often contracted by visiting remote, crack and keygen sites. These type of sites are infested with a smörgåsbord of malware and a major source of system infection.

...warez and crack web pages are being used by cybercriminals as download sites for malware related to VIRUT and VIRUX. Searches for serial numbers, cracks, and even antivirus products like Trend Micro yield malcodes that come in the form of executables or self-extracting files...quick links in these sites also lead to malicious files. Ads and banners are also infection vectors...

Keygen and Crack Sites Distribute VIRUX and FakeAV

However, the CA Security Advisor Research Blog have found MySpace user pages carrying the malicious Virut URL. Either way you can end up with a computer system so badly damaged that recovery is not possible and it cannot be repaired. When that happens there is nothing you can do besides reformatting and reinstalling the OS.

Since virut is not effectively disinfectable, your best option is to perform a full reformat as there is no guarantee this infection can be completely removed. In most instances it may have caused so much damage to your system files that it cannot be completely cleaned or repaired. In many cases the infected files (which could number in the thousands) cannot be deleted and anti-malware scanners cannot disinfect them properly. Security vendors that claim to be able to remove file infectors cannot guarantee that all traces of it will be removed as they may not find all the remnants. If something goes awry during the malware removal process there is always a risk the computer may become unstable or unbootable and you could loose access to all your data.

Further, your machine has likely been compromised by the backdoor Trojan and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if your anti-virus reports that the malware appears to have been removed.

Many experts in the security community believe that once infected with this type of malware, the best course of action is to reformat and reinstall the OS. Reinstalling Windows without first wiping the entire hard drive with a repartition and/or format will not remove the infection. The reinstall will only overwrite the Windows files. Any malware on the system will still be there afterwards. Please read:

Whenever a system has been compromised by a backdoor payload, it is impossible to know if or how much the backdoor has been used to affect your system...There are only a few ways to return a compromised system to a confident security configuration. These include:
• Reimaging the system
• Restoring the entire system using a full system backup from before the backdoor infection
• Reformatting and reinstalling the system

Backdoors and What They Mean to You

This is what Jesper M. Johansson at Microsoft TechNet has to say: Help: I Got Hacked. Now What Do I Do?.

The only way to clean a compromised system is to flatten and rebuild. That’s right. If you have a system that has been completely compromised, the only thing you can do is to flatten the system (reformat the system disk) and rebuild it from scratch (reinstall Windows and your applications).


" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#7 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:04:25 PM

Posted 19 December 2010 - 12:37 AM

This thread will now be closed since the issue seems to be resolved.

If you need this topic reopened, please send a Private Message to any one of the moderating team member or myself. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users