Tdl4@MBR Rootkit infection



#1 morganjoy

morganjoy

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:03:26 PM

Posted 12 April 2011 - 11:31 AM

My computer keeps launching IE on its own and going to random sites. Google redirects to a different page than where I want to go. svchost.exe is using most all system resources. Computer very slow doing anything. Please help!

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by User at 11:47:25.95 on Tue 04/12/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1918.1367 [GMT -4:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\StacSV.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\System32\svchost.exe -k itlsvc
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Documents and Settings\User\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\acrobat\activex\AcroIEHelper.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 6.0\distillr\acrotray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1298995797234
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} - hxxp://driveragent.com/files/driveragent.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: itlnfw32 - itlnfw32.dll
Notify: itlntfy - itlnfw32.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165264]
R1 MpKsla698adab;MpKsla698adab;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{e3fc12f7-0ae5-4e4b-89c4-b1fc62502319}\MpKsla698adab.sys [2011-4-12 28752]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 itlperf;Intel CPU;c:\windows\system32\svchost.exe -k itlsvc [2004-8-4 14336]
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\drivers\ADM8511.SYS [2011-3-1 20160]
S3 DrvAgent32;DrvAgent32;c:\windows\system32\drivers\DrvAgent32.sys [2011-3-1 23456]
.
=============== Created Last 30 ================
.
2011-04-12 14:26:11 34816 ----a-w- c:\windows\system32\itlnfw32.dll
2011-04-12 14:26:11 215040 ----a-w- c:\windows\system32\itlpfw32.dll
2011-04-12 14:13:40 28752 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{e3fc12f7-0ae5-4e4b-89c4-b1fc62502319}\MpKsla698adab.sys
2011-04-11 20:57:34 5943120 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{e3fc12f7-0ae5-4e4b-89c4-b1fc62502319}\mpengine.dll
2011-04-11 20:56:13 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-04-11 20:56:12 -------- d-----w- c:\windows\system32\wbem\Repository
2011-04-11 20:53:45 -------- d-----w- c:\program files\ATI
2011-04-11 18:28:58 -------- d-----w- c:\documents and settings\user\IECompatCache
2011-03-25 21:23:14 -------- d-----w- c:\documents and settings\user\.shcache
2011-03-25 19:56:12 -------- d-----w- c:\docume~1\user\locals~1\applic~1\Identities
.
==================== Find3M ====================
.
2011-03-01 17:54:35 0 ----a-w- c:\windows\ativpsrm.bin
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD1200BEVS-75UST0 rev.01.01A01 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x89CAF439]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x89cb57d0]; MOV EAX, [0x89cb584c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x89CE2030]
3 CLASSPNP[0xBA108FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\00000079[0x89CE7F18]
5 ACPI[0xB9F7F620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x89D0AB00]
\Driver\atapi[0x89CE2DC8] -> IRP_MJ_CREATE -> 0x89CAF439
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskWDC_WD1200BEVS-75UST0___________________01.01A01#5&314e625d&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x89CAF27F
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 11:49:32.28 ===============


#2 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:08:26 PM

Posted 12 April 2011 - 02:50 PM

Good evening. :)

Download aswMBR.exe from here and save it to your Desktop.

  • Double click the tool to run it.
  • Click the Scan button to, well, start the scan - obvious really!
  • Once the scan reports "Scan finished successfully", which takes less than a minute on my system, click Save log.
  • On my system it offers to save it to the Desktop, which may or may not be its default behaviour, but it's as handy a place as any.
  • You'll also see a file called MBR.dat appear as well - this is a backup that it created, just in case it's needed. Keep it handy for now.

I'd like the contents of aswMBR.txt in your next reply, if you'd be so kind.

So long, and thanks for all the fish.

 

 


#3 morganjoy


Posted 12 April 2011 - 08:38 PM

Thanks so much for your help. The results of the scan are as follows:



aswMBR version 0.9.4 Copyright© 2011 AVAST Software
Run date: 2011-04-12 21:27:09
-----------------------------
21:27:09.546 OS Version: Windows 5.1.2600 Service Pack 3
21:27:09.546 Number of processors: 2 586 0x6802
21:27:09.546 ComputerName: JOYCEDELL UserName: User
21:27:10.015 Initialize success
21:27:18.484 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdePort0
21:27:18.484 Disk 0 Vendor: WDC_WD1200BEVS-75UST0 01.01A01 Size: 114473MB BusType: 3
21:27:18.484 Device \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskWDC_WD1200BEVS-75UST0___________________01.01A01#5&314e625d&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} not found
21:27:18.484 Device \Driver\atapi -> DriverStartIo 89cca27f
21:27:20.484 Disk 0 MBR read successfully
21:27:20.484 Disk 0 MBR scan
21:27:20.484 Disk 0 TDL4@MBR code has been found
21:27:20.484 Disk 0 MBR hidden
21:27:20.484 Disk 0 MBR [TDL4] **ROOTKIT**
21:27:20.484 Disk 0 trace - called modules:
21:27:20.500 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x89cca439]<<
21:27:20.500 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x89d00030]
21:27:20.500 3 CLASSPNP.SYS[ba108fd7] -> nt!IofCallDriver -> \Device\00000079[0x89d0ff18]
21:27:20.500 5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> [0x89d01b00]
21:27:20.531 \Driver\atapi[0x89ce0938] -> IRP_MJ_CREATE -> 0x89cca439
21:27:20.531 Scan finished successfully

#4 Noviciate


Posted 13 April 2011 - 01:36 PM

Good evening. :)

Run aswMBR.exe again.

  • Click the Scan button as before.
  • Once the scan has completed, the Fix button should become active - click it.
  • Once complete, click Save log as before, save it to your desktop and post in your next reply.

So long, and thanks for all the fish.

 

 


#5 morganjoy


Posted 13 April 2011 - 02:08 PM

Thanks again. The results of the scan and fix are as follows:

aswMBR version 0.9.4 Copyright© 2011 AVAST Software
Run date: 2011-04-13 15:05:29
-----------------------------
15:05:29.609 OS Version: Windows 5.1.2600 Service Pack 3
15:05:29.609 Number of processors: 2 586 0x6802
15:05:29.609 ComputerName: JOYCEDELL UserName: User
15:05:30.156 Initialize success
15:05:33.234 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdePort0
15:05:33.234 Disk 0 Vendor: WDC_WD1200BEVS-75UST0 01.01A01 Size: 114473MB BusType: 3
15:05:33.234 Device \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskWDC_WD1200BEVS-75UST0___________________01.01A01#5&314e625d&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} not found
15:05:33.234 Device \Driver\atapi -> DriverStartIo 89cb327f
15:05:35.234 Disk 0 MBR read successfully
15:05:35.234 Disk 0 MBR scan
15:05:35.234 Disk 0 TDL4@MBR code has been found
15:05:35.234 Disk 0 MBR hidden
15:05:35.234 Disk 0 MBR [TDL4] **ROOTKIT**
15:05:35.234 Disk 0 trace - called modules:
15:05:35.250 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x89cb3439]<<
15:05:35.250 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x89ce5030]
15:05:35.250 3 CLASSPNP.SYS[ba108fd7] -> nt!IofCallDriver -> \Device\0000007a[0x89cebf18]
15:05:35.250 5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> [0x89ce7d98]
15:05:35.250 \Driver\atapi[0x89ce8500] -> IRP_MJ_CREATE -> 0x89cb3439
15:05:35.250 Scan finished successfully
15:05:48.921 Disk 0 fixing MBR
15:05:58.921 Disk 0 MBR restored successfully
15:05:58.921 Infection fixed successfully - please reboot ASAP
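
A triage sketch for the aswMBR logs posted in this thread, added here as an example; it is not part of any participant's post and not aswMBR's own code. It pulls out the indicators these logs contain: the `**ROOTKIT**` line, `MBR hidden`, and `\Driver\atapi` handlers that land in the same 4 KiB page as the `>>UNKNOWN<<` module. The function name, the page-match heuristic and the verdict strings are assumptions, and the sample log is an abridged copy of the lines above.

```python
import re

# Constructed sample: abridged copy of the aswMBR log lines posted above.
SAMPLE_LOG = r"""
15:05:33.234 Device \Driver\atapi -> DriverStartIo 89cb327f
15:05:35.234 Disk 0 MBR read successfully
15:05:35.234 Disk 0 TDL4@MBR code has been found
15:05:35.234 Disk 0 MBR hidden
15:05:35.234 Disk 0 MBR [TDL4] **ROOTKIT**
15:05:35.250 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x89cb3439]<<
15:05:35.250 \Driver\atapi[0x89ce8500] -> IRP_MJ_CREATE -> 0x89cb3439
15:05:35.250 Scan finished successfully
15:05:48.921 Disk 0 fixing MBR
15:05:58.921 Disk 0 MBR restored successfully
15:05:58.921 Infection fixed successfully - please reboot ASAP
"""

ROOTKIT = re.compile(r"Disk (\d+) MBR \[(\w+)\] \*\*ROOTKIT\*\*")
HIDDEN = re.compile(r"Disk \d+ MBR hidden")
UNKNOWN = re.compile(r">>UNKNOWN \[0x([0-9a-fA-F]+)\]<<")
START_IO = re.compile(r"(\\Driver\\\w+) -> DriverStartIo (?:0x)?([0-9a-fA-F]+)")
DISPATCH = re.compile(
    r"(\\Driver\\\w+)\[0x[0-9a-fA-F]+\] -> (IRP_MJ_\w+) -> 0x([0-9a-fA-F]+)")
RESTORED = re.compile(r"Disk \d+ MBR restored successfully")

PAGE_MASK = ~0xFFF  # compare kernel addresses at 4 KiB page granularity


def triage(log_text):
    """Summarise the rootkit indicators found in one aswMBR text log."""
    unknown_pages = {int(a, 16) & PAGE_MASK for a in UNKNOWN.findall(log_text)}
    handlers = [(drv, "DriverStartIo", int(addr, 16))
                for drv, addr in START_IO.findall(log_text)]
    handlers += [(drv, irp, int(addr, 16))
                 for drv, irp, addr in DISPATCH.findall(log_text)]
    # Heuristic (assumption): a driver handler that resolves into the same
    # page as the unnamed module in the disk trace is treated as a hook.
    hooks = [(drv, name, hex(addr)) for drv, name, addr in handlers
             if addr & PAGE_MASK in unknown_pages]
    families = sorted({fam for _, fam in ROOTKIT.findall(log_text)})
    hidden = bool(HIDDEN.search(log_text))
    restored = bool(RESTORED.search(log_text))
    if not (families or hidden or hooks):
        verdict = "no-indicators"
    elif restored:
        # The indicators were logged before the fix ran, so this log alone
        # cannot confirm a clean disk: scan again after the reboot.
        verdict = "fixed-rescan-after-reboot"
    else:
        verdict = "infected"
    return {"families": families, "mbr_hidden": hidden,
            "hooks": hooks, "restored": restored, "verdict": verdict}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```
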

#6 Noviciate


Posted 13 April 2011 - 03:00 PM

OK, did you reboot the PC as directed - in the Command Window that opened when you ran the tool?

So long, and thanks for all the fish.

 

 


#7 morganjoy


Posted 13 April 2011 - 04:12 PM

Sorry, but I did not reboot from the command window. I copied the text and pasted into the reply, exited the command box, then rebooted.

#8 Noviciate


Posted 13 April 2011 - 04:28 PM

Slight misunderstanding there - as long as you rebooted as the instruction in the Command Window asked you to, all's good.

Will you give the PC a run out and then tell me how it's behaving.

So long, and thanks for all the fish.

 

 


#9 morganjoy


Posted 13 April 2011 - 04:47 PM

Will do. Thanks again.

#10 morganjoy


Posted 13 April 2011 - 06:31 PM

Very sluggish. Microsoft Security Essentials popped up with a detection on Trojan:DOS/Alureon.A. I told it to remove the infection. It said it was successful. Ran MBAM and found nothing but during scan MSSE popped up with Alureon.A again. I told it to remove. Then I ran MSSE quick scan and it found 3 infections:
Trojan:Win32/Meredrop
Trojan:Win32/Koblu.B
Trojan:DOS/Alureon.A
It says they were removed, but computer still real sluggish. I think I'm still sick. What next?

Again, thanks so very much for your help.

#11 Noviciate


Posted 14 April 2011 - 01:15 PM

Good evening. :)

The difficulty with speed issues is that it is hard to nail down the exact cause. The following steps will serve as a spring clean for your PC. Not all of them will be of benefit to your PC as this is a general post, but the overall effect should be positive.

1) Go to Start > Control Panel > Add/Remove Programs and remove any programs that you no longer use and then reboot your PC.

2) Download TFC by OldTimer from here and save it to your Desktop.

  • You will need to close all open programs and save any work as TFC will require a reboot.
  • Double-click TFC.exe to run it. (Note: If you are using Vista, right-click the file and select Run As Administrator from the menu that appears).
  • Click the Start button to begin. Depending on how often you clean temp files, execution time could be anywhere from a few seconds to a minute or two - just sit back and enjoy the view.
  • Once it has finished it should reboot your PC all by itself. If it does not, please manually reboot.
  • Once rebooted your PC will run like a Cray supercomputer, or at least have less junk on the hard drive - OT's not a miracle worker you know!
  • Please note that this tool will empty the Recycle Bin as part of its actions. If you have anything in there that you haven't finished with, move it first.

3) Double click My Computer.
Right click the disc drive you wish to check.
Click Properties.
In the Properties dialog box, click the Tools Tab.
Under Error-checking, click the Check Now button.
In the "Check Disc Local Disk (C:)" dialog box, check both Automatically fix file system errors and Scan for and attempt recovery of bad sectors, and then click Start.

This will look for and attempt to repair any errors that your hard drive has.

4) Defragment your hard drive. A tutorial for disc defragmentation is available here.

I happen to prefer a third-party defrag tool to the one that Windows offers. You can read about it, and find a linky, here - it's free too!

Let me know how you get on.

So long, and thanks for all the fish.

 

 


#12 morganjoy


Posted 14 April 2011 - 09:41 PM

I was thinking that the sluggishness was due to the multiple trojans. Do you not agree? I thought they probably should be cleaned out before any "spring cleaning". Do you agree or do you think I'm clean? Are these trojan alerts from Microsoft Security Essentials false positives or are they in fact malicious? Please let me know how to proceed. Thanks again for all your help.

#13 Noviciate


Posted 15 April 2011 - 01:31 PM

Good evening. :)

I was thinking that the sluggishness was due to the multiple trojans. Do you not agree? I thought they probably should be cleaned out before any "spring cleaning". Do you agree or do you think I'm clean?

According to your post the scanners that detected the nasties reported them successfully cleaned, so I worked on the principle that the sluggishness had another cause.
The easiest way I can think of to rule out these infections as the cause of the PC's problem is to reboot the PC and run the scanners again. If they detect the same infections again, they are obviously not removing what they find. If they come back clean, they removed what they identified.

Are these trojan alerts from Microsoft Security Essentials false positives or are they in fact malicious?

Impossible to say from the limited information that you posted. Should the scanners detect anything with the new scan I would need the full filepaths including filenames before I can offer an opinion on the above.

So long, and thanks for all the fish.

 

 


#14 morganjoy


Posted 15 April 2011 - 02:21 PM

What can I run now for you to look at and say my computer is clean or infected? The trojans that have been caught with MSSE and MBAM and supposedly cleaned or removed keep popping back up with various names. How would I find the full filepath and file name? I would love to run something that shows whether my entire system is clean or not. Any suggestions?

Sorry if I sound like I don't know what I'm doing, but I don't. I really appreciated you taking the time to help me out. You guys are a lifesaver to those of us who are computer illiterate. Thanks again.

#15 Noviciate


Posted 15 April 2011 - 02:35 PM

Open MSE, click the History tab, and then select the Quarantined items option. In theory this should list all the files that have been removed by MSE and you can copy the information about the latest entries from there - I need the full names and filepaths e.g. C:\Windows\System32\Nasty.exe.

So long, and thanks for all the fish.

 

 




