Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Firefox Crash Google Redirect


  • This topic is locked This topic is locked
13 replies to this topic

#1 MikeyFl

MikeyFl

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:10:42 PM

Posted 05 May 2011 - 02:07 PM

Hi,

My mom has given me the task of fixing her computer for Mother's Day. Me being the great son I am said sure thing :) ...little did I know what I was getting myself into.

She complained that Firefox would crash and Google searches redirect her to other sites. BTW she's running Windows XP. Steps I took to fix it were
1) Update firefox to latest version

2) Ran Spybot Search and Destroy and removed the following:

Microsoft.WindowsSecurityCenter.FirewallOverride - 1 entry
Fraud.InternetSecurity2011 - 26 entries
Microsoft.Windows.AppFirewallBypass - 2 entries
Microsoft.WindowsSecurityCenter.AntivirusOverride - 2 entries

3) Ran Malwarebytes' Anti-Malware
Quick Scan

Files Infected:
c:\documents and settings\christine\local settings\Temp\1CA.tmp (Rogue.SecurityTool) -> Quarantined and deleted successfully.
c:\documents and settings\christine\application data\microsoft\stor.cfg (Malware.Trace) -> Quarantined and deleted successfully.
c:\documents and settings\christine\application data\chkntfs.dat (Malware.Trace) -> Quarantined and deleted successfully.


Full Scan

Registry Values Infected:
HKEY_CLASSES_ROOT\.exe\shell\open\command\(default) (Hijack.ExeFile) -> Value: (default) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\ggr.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\ggr.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\ggr.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\exefile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: ("C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\ggr.exe" -a "%1" %*) Good: ("%1" %*) -> Quarantined and deleted successfully.


4) Ran Avira Anti-Vir
Here's a snippet of it where it found a "JAVA/Exdoer.BE.2 Java" virus:

Starting the file scan:

Begin scan in 'C:\'
C:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\0R2DSLC5\swflash[1].cab
[0] Archive type: CAB (Microsoft)
--> FP_AX_CAB_INSTALLER.exe
[WARNING] No further files can be extracted from this archive. The archive will be closed
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\61\23dbfa3d-3c8ade4b
[0] Archive type: ZIP
--> olig/aret.class
[DETECTION] Contains recognition pattern of the JAVA/Exdoer.BB.2 Java virus
--> manty/rova.class
[DETECTION] Contains recognition pattern of the JAVA/Exdoer.BE.2 Java virus

Beginning disinfection:
C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\61\23dbfa3d-3c8ade4b
[NOTE] The file was moved to '4e252656.qua'!



After doing all of this, Spybot, Malwarebytes, and Antivir comes back clean yet FF still crashes and redirects. Help please...

Thanks,
Mike

BC AdBot (Login to Remove)

 


#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,399 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:11:42 PM

Posted 05 May 2011 - 02:15 PM

Before doing anything if you have not already done so, you should back up all your important documents, personal data files and photos to a CD or DVD drive as some infections may render your computer unbootable during or before the disinfection process. The safest practice is not to backup any files with the following file extensions: exe, .scr, .ini, .htm, .html, .php, .asp, .xml, .zip, .rar, .cab as they may be infected.
Please download the TDSS Rootkit Removing Tool (TDSSKiller.zip) and save it to your Desktop. <-Important!!!
Be sure to print out and follow all instructions for performing a scan or refer to these instructions with screenshots.

  • Extract (unzip) the file to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the Desktop. Vista/Windows 7 users refer to these instructions if you're unsure how to unzip a file.
  • If you don't have an extracting program, you can download TDSSKiller.exe and use that instead.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • When the program opens, click the Start Scan button.

    Posted Image
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • Any objects found, will show in the Scan results - Select action for found objects and offer three options.
  • If an infected file is detected, the default action will be Cure...do not change it.

    Posted Image
  • Click Continue > Reboot now to finish the cleaning process.<- Important!!

    Posted Image
  • If 'Suspicious' objects are detected, you will be given the option to Skip or Quarantine. Skip will be the default selection. Leave it as such for now.
  • A log file named TDSSKiller_version_date_time_log.txt will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.
-- If TDSSKiller does not run, try renaming it. To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to these instructions. In some cases it may be necessary to redownload TDSSKiller and randomly rename it before downloading and saving to the computer.

-- For any files detected as 'Suspicious' (except those identified as Forged to be cured after reboot) get a second opinion by submitting to Jotti's virusscan or VirusTotal. In the "File to upload & scan" box, browse to the location of the suspicious file and submit (upload) it for scanning/analysis.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#3 MikeyFl

MikeyFl
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:10:42 PM

Posted 06 May 2011 - 12:39 AM

Thank you very much for the quick response.

I ran the TDSS Rootkit Removing Tool and it did find the TDSS rootkit and I did a system restart.

Now, for whatever reason, it appears something else is affecting the system. Malwarebytes desktop icon and Firefox icon have disappeared along with other icons on the desktop and WindowsSecurityCenter is saying I have 26 infections. I did some Googling on my clean computer, and it appears to be "XP AntiMalware".

I ran Spybot which found more entries which I removed. I'm unable to run Malware bytes though. Also I cannot access BleepingComputer from Firefox on the infected computer. But I did manage to copy and paste the log file from TDSS Rootkit and e-mail to myself. Here it is:

2011/05/05 23:41:28.0671 5772 TDSS rootkit removing tool 2.5.0.0 May 1 2011 14:20:16
2011/05/05 23:41:29.0156 5772 ================================================================================
2011/05/05 23:41:29.0156 5772 SystemInfo:
2011/05/05 23:41:29.0156 5772
2011/05/05 23:41:29.0156 5772 OS Version: 5.1.2600 ServicePack: 3.0
2011/05/05 23:41:29.0156 5772 Product type: Workstation
2011/05/05 23:41:29.0156 5772 ComputerName: MICHAEL2-8217AE
2011/05/05 23:41:29.0156 5772 UserName: MichaelW
2011/05/05 23:41:29.0156 5772 Windows directory: C:\WINDOWS
2011/05/05 23:41:29.0156 5772 System windows directory: C:\WINDOWS
2011/05/05 23:41:29.0156 5772 Processor architecture: Intel x86
2011/05/05 23:41:29.0156 5772 Number of processors: 2
2011/05/05 23:41:29.0156 5772 Page size: 0x1000
2011/05/05 23:41:29.0156 5772 Boot type: Normal boot
2011/05/05 23:41:29.0156 5772 ================================================================================
2011/05/05 23:41:29.0406 5772 Initialize success
2011/05/05 23:41:53.0203 4204 ================================================================================
2011/05/05 23:41:53.0203 4204 Scan started
2011/05/05 23:41:53.0203 4204 Mode: Manual;
2011/05/05 23:41:53.0203 4204 ================================================================================
2011/05/05 23:41:53.0671 4204 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/05/05 23:41:53.0734 4204 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/05/05 23:41:53.0843 4204 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/05/05 23:41:53.0921 4204 AFD (7618d5218f2a614672ec61a80d854a37) C:\WINDOWS\System32\drivers\afd.sys
2011/05/05 23:41:54.0156 4204 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/05/05 23:41:54.0218 4204 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/05/05 23:41:54.0250 4204 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/05/05 23:41:54.0343 4204 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/05/05 23:41:54.0468 4204 avgio (6a646c46b9415e13095aa9b352040a7a) C:\Program Files\Avira\AntiVir Desktop\avgio.sys
2011/05/05 23:41:54.0562 4204 avgntflt (14fe36d8f2c6a2435275338d061a0b66) C:\WINDOWS\system32\DRIVERS\avgntflt.sys
2011/05/05 23:41:54.0625 4204 avipbb (452e382340bb0c5e694ed9d3625356d0) C:\WINDOWS\system32\DRIVERS\avipbb.sys
2011/05/05 23:41:54.0718 4204 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/05/05 23:41:54.0781 4204 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/05/05 23:41:54.0828 4204 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/05/05 23:41:54.0875 4204 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/05/05 23:41:54.0984 4204 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/05/05 23:41:55.0125 4204 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/05/05 23:41:55.0187 4204 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/05/05 23:41:55.0312 4204 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/05/05 23:41:55.0359 4204 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/05/05 23:41:55.0453 4204 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/05/05 23:41:55.0515 4204 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/05/05 23:41:55.0593 4204 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/05/05 23:41:55.0703 4204 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2011/05/05 23:41:55.0750 4204 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/05/05 23:41:55.0781 4204 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2011/05/05 23:41:55.0875 4204 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
2011/05/05 23:41:55.0953 4204 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/05/05 23:41:56.0031 4204 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/05/05 23:41:56.0093 4204 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/05/05 23:41:56.0171 4204 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2011/05/05 23:41:56.0296 4204 HPZid412 (d03d10f7ded688fecf50f8fbf1ea9b8a) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
2011/05/05 23:41:56.0359 4204 HPZipr12 (89f41658929393487b6b7d13c8528ce3) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
2011/05/05 23:41:56.0421 4204 HPZius12 (abcb05ccdbf03000354b9553820e39f8) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
2011/05/05 23:41:56.0500 4204 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/05/05 23:41:56.0609 4204 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/05/05 23:41:56.0828 4204 ialm (2aae7be67911f4aec9ad28e9cfb9096f) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys
2011/05/05 23:41:57.0062 4204 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/05/05 23:41:57.0265 4204 IntcAzAudAddService (8cd7f3fb0b2418af79914adb1e265184) C:\WINDOWS\system32\drivers\RtkHDAud.sys
2011/05/05 23:41:57.0703 4204 intelppm (3eab2e817233d66392d673490de10e9f) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/05/05 23:41:57.0718 4204 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\intelppm.sys. Real md5: 3eab2e817233d66392d673490de10e9f, Fake md5: 8c953733d8f36eb2133f5bb58808b66b
2011/05/05 23:41:57.0734 4204 intelppm - detected Rootkit.Win32.TDSS.tdl3 (0)
2011/05/05 23:41:57.0750 4204 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
2011/05/05 23:41:57.0781 4204 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/05/05 23:41:57.0843 4204 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/05/05 23:41:57.0921 4204 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/05/05 23:41:57.0984 4204 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/05/05 23:41:58.0062 4204 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/05/05 23:41:58.0109 4204 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/05/05 23:41:58.0171 4204 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/05/05 23:41:58.0281 4204 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/05/05 23:41:58.0343 4204 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/05/05 23:41:58.0515 4204 LMIInfo (4f69faaabb7db0d43e327c0b6aab40fc) C:\Program Files\LogMeIn\x86\RaInfo.sys
2011/05/05 23:41:58.0593 4204 lmimirr (4477689e2d8ae6b78ba34c9af4cc1ed1) C:\WINDOWS\system32\DRIVERS\lmimirr.sys
2011/05/05 23:41:58.0656 4204 LMIRfsDriver (3faa563ddf853320f90259d455a01d79) C:\WINDOWS\system32\drivers\LMIRfsDriver.sys
2011/05/05 23:41:58.0750 4204 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/05/05 23:41:58.0812 4204 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/05/05 23:41:58.0859 4204 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/05/05 23:41:58.0937 4204 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/05/05 23:41:59.0015 4204 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/05/05 23:41:59.0093 4204 MRxSmb (0ea4d8ed179b75f8afa7998ba22285ca) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/05/05 23:41:59.0187 4204 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/05/05 23:41:59.0250 4204 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/05/05 23:41:59.0296 4204 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/05/05 23:41:59.0390 4204 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/05/05 23:41:59.0453 4204 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/05/05 23:41:59.0500 4204 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2011/05/05 23:41:59.0593 4204 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/05/05 23:41:59.0640 4204 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/05/05 23:41:59.0703 4204 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/05/05 23:41:59.0765 4204 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/05/05 23:41:59.0812 4204 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/05/05 23:41:59.0859 4204 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/05/05 23:41:59.0890 4204 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/05/05 23:42:00.0000 4204 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/05/05 23:42:00.0062 4204 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/05/05 23:42:00.0125 4204 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/05/05 23:42:00.0218 4204 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/05/05 23:42:00.0265 4204 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/05/05 23:42:00.0343 4204 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/05/05 23:42:00.0406 4204 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/05/05 23:42:00.0468 4204 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/05/05 23:42:00.0515 4204 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/05/05 23:42:00.0578 4204 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/05/05 23:42:00.0625 4204 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/05/05 23:42:00.0796 4204 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/05/05 23:42:00.0859 4204 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/05/05 23:42:00.0890 4204 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/05/05 23:42:01.0000 4204 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/05/05 23:42:01.0062 4204 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/05/05 23:42:01.0125 4204 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/05/05 23:42:01.0171 4204 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/05/05 23:42:01.0234 4204 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/05/05 23:42:01.0265 4204 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/05/05 23:42:01.0343 4204 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/05/05 23:42:01.0421 4204 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/05/05 23:42:01.0468 4204 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/05/05 23:42:01.0546 4204 rtl8139 (d507c1400284176573224903819ffda3) C:\WINDOWS\system32\DRIVERS\RTL8139.SYS
2011/05/05 23:42:01.0625 4204 RTLE8023xp (b52b25f41bf3511071a0e7d10d659c56) C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys
2011/05/05 23:42:01.0703 4204 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/05/05 23:42:01.0750 4204 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/05/05 23:42:01.0812 4204 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/05/05 23:42:01.0890 4204 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/05/05 23:42:01.0968 4204 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/05/05 23:42:02.0046 4204 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/05/05 23:42:02.0140 4204 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/05/05 23:42:02.0218 4204 ssmdrv (654dfea96bc82b4acda4f37e5e4a3bbf) C:\WINDOWS\system32\DRIVERS\ssmdrv.sys
2011/05/05 23:42:02.0296 4204 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/05/05 23:42:02.0343 4204 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/05/05 23:42:02.0468 4204 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/05/05 23:42:02.0546 4204 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/05/05 23:42:02.0609 4204 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/05/05 23:42:02.0687 4204 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/05/05 23:42:02.0750 4204 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/05/05 23:42:02.0843 4204 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/05/05 23:42:02.0953 4204 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/05/05 23:42:03.0015 4204 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/05/05 23:42:03.0093 4204 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/05/05 23:42:03.0140 4204 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/05/05 23:42:03.0203 4204 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/05/05 23:42:03.0265 4204 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/05/05 23:42:03.0312 4204 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/05/05 23:42:03.0343 4204 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/05/05 23:42:03.0390 4204 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/05/05 23:42:03.0468 4204 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/05/05 23:42:03.0515 4204 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/05/05 23:42:03.0578 4204 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/05/05 23:42:03.0687 4204 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/05/05 23:42:03.0750 4204 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/05/05 23:42:03.0953 4204 ================================================================================
2011/05/05 23:42:03.0953 4204 Scan finished
2011/05/05 23:42:03.0953 4204 ================================================================================
2011/05/05 23:42:03.0953 4576 Detected object count: 1
2011/05/05 23:42:34.0843 4576 intelppm (3eab2e817233d66392d673490de10e9f) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/05/05 23:42:34.0843 4576 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\intelppm.sys. Real md5: 3eab2e817233d66392d673490de10e9f, Fake md5: 8c953733d8f36eb2133f5bb58808b66b
2011/05/05 23:42:35.0484 4576 Backup copy found, using it..
2011/05/05 23:42:35.0515 4576 C:\WINDOWS\system32\DRIVERS\intelppm.sys - will be cured after reboot
2011/05/05 23:42:35.0515 4576 Rootkit.Win32.TDSS.tdl3(intelppm) - User select action: Cure
2011/05/05 23:42:53.0546 5780 Deinitialize success



What should I do next?

#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,399 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:11:42 PM

Posted 06 May 2011 - 06:32 AM

This is the pertinent section of the log which indicates a TDSS rootkit infection. The forged file was identified and will be cured after reboot.

2011/05/05 23:42:03.0953 4576 Detected object count: 1
2011/05/05 23:42:34.0843 4576 intelppm (3eab2e817233d66392d673490de10e9f) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/05/05 23:42:34.0843 4576 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\intelppm.sys. Real md5: 3eab2e817233d66392d673490de10e9f, Fake md5: 8c953733d8f36eb2133f5bb58808b66b
2011/05/05 23:42:35.0484 4576 Backup copy found, using it..
2011/05/05 23:42:35.0515 4576 C:\WINDOWS\system32\DRIVERS\intelppm.sys - will be cured after reboot
2011/05/05 23:42:35.0515 4576 Rootkit.Win32.TDSS.tdl3(intelppm) - User select action: Cure

To learn more about this infection please refer to:Since you already rebooted, rerun TDSSKiller again and post the new log to confirm the infection was cured.

Please download FixNCR.reg to your Desktop.
  • Double-click on that file to run.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • Choose "Yes" when prompted to add it into the registry.
  • Once that is completed you should be able to run other programs.
If you cannot use the Internet or download the file to the infected machine, try downloading from another computer (family member, friend, library, etc) with an Internet connection. Save to a flash (usb, pen, thumb, jump) drive or CD, transfer to the infected machine.

Please download RKill by Grinler and save it to your desktop.RKill.exe Download Link
RKill.com Download Link
RKill.scr Download LinkRenamed versions if the above do not work:
iExplore.exe Download Link
eXplorer.exe Download Link <- this renamed copy is usually effective but may trigger an alert from MBAM...just ignore it.
WiNlOgOn.exe Download Link
uSeRiNiT.exe Download Link
alternate link with all versionsRKill is available in several versions to include renamed versions in case one does not work, you can try another. As such, you may want to download and save more than one before proceeding.

  • Double-click on the Rkill desktop icon to run the tool.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, and try another version.
  • If it still does not work, repeat the process and attempt to use one of the remaining version until the tool runs.
  • Note: You may have to make repeated attempts to use RKill several times before it will run as some malware variants try to block it.
  • A log file will be created and saved to the root directory, C:\RKill.log
  • Copy and paste the contents of RKill.log in your next reply.
-- If you get an alert that RKill is infected, ignore it. The alert is a fake warning given by the rogue software which attempts to terminate tools that try to remove it. If you see such a warning, leave the warning on the screen and then run RKill again. By not closing the warning, this sometimes allows you to bypass the malware's attempt to protect itself so that RKill can perform its routine.

-- Some security tools may flag RKill as malware, especially when renamed to iexplore.exe, explorer.exe, winlogon.exe, etc because they have definitions in place that flag certain file names used outside their normal path. If you encounter such an alert when running Rkill, you can safely ignore it and continue to allow the program to run.

Important: Do not reboot your computer until you complete the next step.

Now try performing a Quick Scan in normal mode with Malwarebytes' Anti-Malware and check all items found for removal. Don't forgot to check for database definition updates through the program's interface (preferable method) before scanning and to reboot afterwards. Failure to reboot normally will prevent Malwarebytes' from removing all the malware. When done, click the Logs tab and copy/paste the contents of the new report in your next reply.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#5 MikeyFl

MikeyFl
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:10:42 PM

Posted 06 May 2011 - 07:31 AM

Thanks looks like we've made good progress because I'm replying directly from the infected computer this morning. I reran TDSSKiller last night and it did cure the infection. Log below:

2011/05/05 23:48:01.0421 2372 TDSS rootkit removing tool 2.5.0.0 May 1 2011 14:20:16
2011/05/05 23:48:01.0843 2372 ================================================================================
2011/05/05 23:48:01.0843 2372 SystemInfo:
2011/05/05 23:48:01.0843 2372
2011/05/05 23:48:01.0843 2372 OS Version: 5.1.2600 ServicePack: 3.0
2011/05/05 23:48:01.0843 2372 Product type: Workstation
2011/05/05 23:48:01.0843 2372 ComputerName: MICHAEL2-8217AE
2011/05/05 23:48:01.0843 2372 UserName: MichaelW
2011/05/05 23:48:01.0843 2372 Windows directory: C:\WINDOWS
2011/05/05 23:48:01.0843 2372 System windows directory: C:\WINDOWS
2011/05/05 23:48:01.0843 2372 Processor architecture: Intel x86
2011/05/05 23:48:01.0843 2372 Number of processors: 2
2011/05/05 23:48:01.0843 2372 Page size: 0x1000
2011/05/05 23:48:01.0843 2372 Boot type: Normal boot
2011/05/05 23:48:01.0843 2372 ================================================================================
2011/05/05 23:48:02.0031 2372 Initialize success
2011/05/05 23:49:02.0500 4776 ================================================================================
2011/05/05 23:49:02.0500 4776 Scan started
2011/05/05 23:49:02.0500 4776 Mode: Manual;
2011/05/05 23:49:02.0500 4776 ================================================================================
2011/05/05 23:49:02.0796 4776 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/05/05 23:49:02.0843 4776 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/05/05 23:49:02.0890 4776 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/05/05 23:49:02.0984 4776 AFD (7618d5218f2a614672ec61a80d854a37) C:\WINDOWS\System32\drivers\afd.sys
2011/05/05 23:49:03.0171 4776 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/05/05 23:49:03.0218 4776 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/05/05 23:49:03.0250 4776 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/05/05 23:49:03.0328 4776 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/05/05 23:49:03.0437 4776 avgio (6a646c46b9415e13095aa9b352040a7a) C:\Program Files\Avira\AntiVir Desktop\avgio.sys
2011/05/05 23:49:03.0531 4776 avgntflt (14fe36d8f2c6a2435275338d061a0b66) C:\WINDOWS\system32\DRIVERS\avgntflt.sys
2011/05/05 23:49:03.0578 4776 avipbb (452e382340bb0c5e694ed9d3625356d0) C:\WINDOWS\system32\DRIVERS\avipbb.sys
2011/05/05 23:49:03.0625 4776 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/05/05 23:49:03.0671 4776 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/05/05 23:49:03.0703 4776 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/05/05 23:49:03.0734 4776 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/05/05 23:49:03.0796 4776 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/05/05 23:49:03.0921 4776 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/05/05 23:49:03.0984 4776 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/05/05 23:49:04.0015 4776 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/05/05 23:49:04.0031 4776 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/05/05 23:49:04.0062 4776 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/05/05 23:49:04.0140 4776 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/05/05 23:49:04.0187 4776 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/05/05 23:49:04.0250 4776 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2011/05/05 23:49:04.0281 4776 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/05/05 23:49:04.0296 4776 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2011/05/05 23:49:04.0328 4776 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
2011/05/05 23:49:04.0421 4776 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/05/05 23:49:04.0453 4776 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/05/05 23:49:04.0515 4776 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/05/05 23:49:04.0578 4776 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2011/05/05 23:49:04.0656 4776 HPZid412 (d03d10f7ded688fecf50f8fbf1ea9b8a) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
2011/05/05 23:49:04.0687 4776 HPZipr12 (89f41658929393487b6b7d13c8528ce3) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
2011/05/05 23:49:04.0765 4776 HPZius12 (abcb05ccdbf03000354b9553820e39f8) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
2011/05/05 23:49:04.0843 4776 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/05/05 23:49:04.0906 4776 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/05/05 23:49:05.0093 4776 ialm (2aae7be67911f4aec9ad28e9cfb9096f) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys
2011/05/05 23:49:05.0296 4776 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/05/05 23:49:05.0468 4776 IntcAzAudAddService (8cd7f3fb0b2418af79914adb1e265184) C:\WINDOWS\system32\drivers\RtkHDAud.sys
2011/05/05 23:49:05.0609 4776 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/05/05 23:49:05.0625 4776 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
2011/05/05 23:49:05.0656 4776 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/05/05 23:49:05.0687 4776 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/05/05 23:49:05.0734 4776 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/05/05 23:49:05.0796 4776 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/05/05 23:49:05.0843 4776 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/05/05 23:49:05.0875 4776 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/05/05 23:49:05.0937 4776 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/05/05 23:49:06.0015 4776 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/05/05 23:49:06.0062 4776 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/05/05 23:49:06.0203 4776 LMIInfo (4f69faaabb7db0d43e327c0b6aab40fc) C:\Program Files\LogMeIn\x86\RaInfo.sys
2011/05/05 23:49:06.0296 4776 lmimirr (4477689e2d8ae6b78ba34c9af4cc1ed1) C:\WINDOWS\system32\DRIVERS\lmimirr.sys
2011/05/05 23:49:06.0359 4776 LMIRfsDriver (3faa563ddf853320f90259d455a01d79) C:\WINDOWS\system32\drivers\LMIRfsDriver.sys
2011/05/05 23:49:06.0421 4776 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/05/05 23:49:06.0453 4776 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/05/05 23:49:06.0500 4776 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/05/05 23:49:06.0546 4776 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/05/05 23:49:06.0578 4776 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/05/05 23:49:06.0656 4776 MRxSmb (0ea4d8ed179b75f8afa7998ba22285ca) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/05/05 23:49:06.0687 4776 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/05/05 23:49:06.0734 4776 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/05/05 23:49:06.0765 4776 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/05/05 23:49:06.0781 4776 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/05/05 23:49:06.0859 4776 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/05/05 23:49:06.0875 4776 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2011/05/05 23:49:06.0921 4776 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/05/05 23:49:06.0953 4776 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/05/05 23:49:07.0000 4776 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/05/05 23:49:07.0046 4776 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/05/05 23:49:07.0093 4776 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/05/05 23:49:07.0125 4776 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/05/05 23:49:07.0156 4776 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/05/05 23:49:07.0203 4776 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/05/05 23:49:07.0250 4776 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/05/05 23:49:07.0312 4776 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/05/05 23:49:07.0359 4776 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/05/05 23:49:07.0390 4776 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/05/05 23:49:07.0453 4776 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/05/05 23:49:07.0468 4776 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/05/05 23:49:07.0531 4776 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/05/05 23:49:07.0562 4776 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/05/05 23:49:07.0593 4776 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/05/05 23:49:07.0625 4776 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/05/05 23:49:07.0781 4776 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/05/05 23:49:07.0812 4776 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/05/05 23:49:07.0828 4776 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/05/05 23:49:07.0906 4776 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/05/05 23:49:07.0968 4776 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/05/05 23:49:07.0984 4776 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/05/05 23:49:08.0000 4776 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/05/05 23:49:08.0031 4776 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/05/05 23:49:08.0062 4776 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/05/05 23:49:08.0093 4776 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/05/05 23:49:08.0125 4776 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/05/05 23:49:08.0140 4776 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/05/05 23:49:08.0203 4776 rtl8139 (d507c1400284176573224903819ffda3) C:\WINDOWS\system32\DRIVERS\RTL8139.SYS
2011/05/05 23:49:08.0250 4776 RTLE8023xp (b52b25f41bf3511071a0e7d10d659c56) C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys
2011/05/05 23:49:08.0312 4776 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/05/05 23:49:08.0343 4776 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/05/05 23:49:08.0359 4776 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/05/05 23:49:08.0406 4776 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/05/05 23:49:08.0468 4776 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/05/05 23:49:08.0531 4776 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/05/05 23:49:08.0593 4776 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/05/05 23:49:08.0640 4776 ssmdrv (654dfea96bc82b4acda4f37e5e4a3bbf) C:\WINDOWS\system32\DRIVERS\ssmdrv.sys
2011/05/05 23:49:08.0687 4776 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/05/05 23:49:08.0734 4776 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/05/05 23:49:08.0828 4776 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/05/05 23:49:08.0890 4776 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/05/05 23:49:08.0937 4776 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/05/05 23:49:09.0015 4776 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/05/05 23:49:09.0062 4776 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/05/05 23:49:09.0140 4776 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/05/05 23:49:09.0187 4776 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/05/05 23:49:09.0234 4776 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/05/05 23:49:09.0281 4776 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/05/05 23:49:09.0343 4776 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/05/05 23:49:09.0390 4776 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/05/05 23:49:09.0421 4776 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/05/05 23:49:09.0453 4776 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/05/05 23:49:09.0484 4776 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/05/05 23:49:09.0578 4776 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/05/05 23:49:09.0640 4776 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/05/05 23:49:09.0671 4776 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/05/05 23:49:09.0734 4776 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/05/05 23:49:09.0859 4776 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/05/05 23:49:09.0890 4776 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/05/05 23:49:10.0078 4776 ================================================================================
2011/05/05 23:49:10.0078 4776 Scan finished
2011/05/05 23:49:10.0078 4776 ================================================================================
2011/05/05 23:54:36.0156 3772 Deinitialize success



I used the iExplorer.exe version of RKill and that worked perfectly. Log below:

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 05/06/2011 at 7:56:27.
Operating System: Microsoft Windows XP


Processes terminated by Rkill or while it was running:

C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\adv.exe


Rkill completed on 05/06/2011 at 7:56:31.



I ran Malwarebytes which I couldn't do last night so that's also a good sign. Log below:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6519

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

5/6/2011 8:14:50 AM
mbam-log-2011-05-06 (08-14-50).txt

Scan type: Quick scan
Objects scanned: 218677
Time elapsed: 12 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bwutuku (Trojan.Hiloti) -> Value: Bwutuku -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UySxVIYJUiSDkJH (Trojan.FakeAlert) -> Value: UySxVIYJUiSDkJH -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\Unpnsl.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\uysxviyjuisdkjh.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\config\systemprofile\local settings\application data\adv.exe (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\config\systemprofile\local settings\temporary internet files\Content.IE5\NN78W1YD\windows-update-sp4-kb65351-setup[1].exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.


Is it completely removed? Since rebooting after the Malwarebytes quickscan I haven't run a full scan yet.

Also, when I check the Security Center it says Firewall and Automatic Updates are turned off. Is it safe to turn those on?

#6 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,399 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:11:42 PM

Posted 06 May 2011 - 03:01 PM

Try doing an online scan to see if it finds anything else that the other scans may have missed.

Please perform a scan with Eset Online Anti-virus Scanner.
  • If using Mozilla Firefox, you will be prompted to download and use the ESET Smart Installer. Just double-click on esetsmartinstaller_enu.exe to install.
  • Vista/Windows 7 users need to run Internet Explorer/Firefox as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run As Administrator from the context menu.[/color][/i]
  • Click the green Posted Image button.
  • Read the End User License Agreement and check the box:
  • Check Posted Image.
  • Click the Posted Image button.
  • Accept any security warnings from your browser and allow the download/installation of any require files.
  • Under scan settings, check Posted Image and check Remove found threats
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Click the Start button.
  • ESET will install itself, download virus signature database updates, and begin scanning your computer.
  • The scan will take a while so be patient and do NOT use the computer while the scan is running. Keep all other programs and windows closed.
    If given the option (when threats are found), choose "Quarantine" instead of delete.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop as ESETScan.txt.
  • Push the Posted Image button, then Finish.
  • Copy and paste the contents of ESETScan.txt in your next reply.

.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#7 MikeyFl

MikeyFl
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:10:42 PM

Posted 06 May 2011 - 03:53 PM

Thank you very much quietman for all the help, and I'm getting it done in time for Mother's Day! Woo-hoo..

I ran Malwarebytes full scan and detected 1 file I think it was and removed that. Ran AntiVir and removed something it found there. I enabled the firewall which I was cautious about doing until all the other programs came back clean in case it was Malware acting up.

Additionally, to help her not catch any future Malware I installed add-ons with FF....No Script, WOT, Ad Block Plus, and Ad Block Plus Pop Up Add On.

However I have 2 remaining issues:
1) On the computer there are multiple user accounts. On her specific user account I cannot run FF. FF works perfectly on the other user accounts.
2) I keep getting a Windows Security Alert saying Automatic Updates isn't enabled when I've set it up to run automatically so I know it's there.

EDIT: I just saw your last post. Let me perform your recommendations.

Edited by MikeyFl, 06 May 2011 - 03:53 PM.


#8 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,399 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:11:42 PM

Posted 06 May 2011 - 04:03 PM

For Firefox, try reinstalling it.

For Automatic Updates, ensure the service is started and set to automatic.
  • Press the Windows Key + R keys on your keyboard or go to Posted Image > Run..., and in the Open dialog box, type: services.msc
  • Click OK or press Enter.
  • Click the Extended tab at the bottom to view all the info on your services.
  • Scroll down the list and find the service called Automatic Updates.
  • When you find the service, double-click on it or right-click and choose Properties.
  • In the Properties Window > General Tab that opens, click the Start button.
  • From the drop-down menu next to Startup Type, click on Automatic.
  • Click Apply, then OK and close any open windows.

.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#9 MikeyFl

MikeyFl
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:10:42 PM

Posted 06 May 2011 - 05:53 PM

ESET found and cleaned 1 file. Here's the .txt file:

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\L7FT7R39\QQkFBwQEAgABBQEHEkcJBQcEAAAMAAYGBw==[1].htm JS/Exploit.Agent.NCQ trojan cleaned by deleting - quarantined

#10 MikeyFl

MikeyFl
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:10:42 PM

Posted 06 May 2011 - 06:00 PM

Also Automatic Updates isn't on the list of Services?

#11 MikeyFl

MikeyFl
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:10:42 PM

Posted 06 May 2011 - 06:25 PM

Just tried uninstalling and installing FF. I still cannot run FF on her user account and all others are working. I did a restart after the last scan and when I tried logging into her user account I got 2 pop up windows.

First one read, "Windows cannot find 'C:DOCUME~1\CHRIST~1\LOCALS~1\Temp\dwm.exe'. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search."

After I close that window, another window pops up saying, "Could not load or run 'C:DOCUME~1\CHRIST~1\LOCALS~1\Temp\dwm.exe' specified in the registry. Make sure the file exists on your computer or remove the reference to it in the registry."

Not sure what I need to do here?

#12 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,399 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:11:42 PM

Posted 07 May 2011 - 08:03 AM

This issue will require further investigation. Many of the tools we use in this forum are not capable of detecting (repairing/removing) all malware variants so more advanced tools are needed to investigate. Before that can be done you will need you to create and post a DDS log for further investigation.

Please read the "Preparation Guide".
  • If you cannot complete a step, then skip it and continue with the next.
  • In Step 7 there are instructions for downloading and running DDS which will create a Pseudo HJT Report as part of its log.
When you have done that, post your log in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the Malware Response Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, please reply back here with a link to the new topic so we can closed this one.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#13 MikeyFl

MikeyFl
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:10:42 PM

Posted 11 May 2011 - 06:02 AM

Quick update - the new thread I created in the Virus, Trojan, Spyware, and Malware Removal Logs forum is here.

I haven't bumped that thread since its been up according to the forum rules, but I'd really appreciate if anyone can assist.

Thanks,
Michael

#14 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,399 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:11:42 PM

Posted 11 May 2011 - 09:12 AM

You're welcome.

Now that your log is posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a Malware Response Team member...nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show it the log you already posted. Further, any modifications you make on your own may cause confusion for the member assisting you and could complicate the malware removal process or make things worst which would extend the time it takes to clean your computer.

From this point on the Malware Response Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the Malware Response Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have posted your log and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the Malware Response Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another Malware Response Team member is already assisting you and not open the thread to respond.

To avoid confusion, I am closing this topic until you are cleared by the Malware Response Team. If you still need assistance after your log has been reviewed and you have been cleared, please PM me or another moderator and we will re-open this topic.

Good luck with your log.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users