swbh4454f virus infection?


12 replies to this topic

#1 querty


Posted 07 May 2011 - 10:47 PM

Not sure when I was infected, but my laptop was infected with something. I first noticed when my Malwarebytes Anti-Malware icon changed from the regular white M on a red background to a black U with a green background. I checked task manager and found lots of processes with the name sbsertbnsrnrt and the description swbh4454f. This description was beside a lot of other processes with names from ICO.exe to mbam.exe. I immediately ended all of those processes, removed the black U Malwarebytes, reinstalled the regular Malwarebytes, and restarted my computer. When I checked task manager after I restarted, I found the swbh4454f processes running again so I checked msconfig and found several startup items with the name sbsertbnsrnrt, but with various commands.

Since then I've gotten Security Shield, the Google re-direct virus, and various malware and trojans as well.

Edited by querty, 07 May 2011 - 10:50 PM.




#2 Computerproblem101


Posted 07 May 2011 - 10:57 PM

Tough infection, so it seems.

Run Malwarebytes quick scan, remove anything found, post the log here - make sure it's fully updated.

http://www.superantispyware.com - download, update, run full scan. Remove infections, post log, reboot PC.

http://www.safer-networking.org/en/spybotsd/index.html - download, right click Run As Administrator, update, run scan, remove infections, reboot PC.

Should be all set. Let me know how that goes

#3 querty


Posted 07 May 2011 - 11:12 PM

I just had to do a system restore which put me right back to when the Malwarebytes icon changed to the black U with a green background one.
This system restore was after I had installed CCleaner, Spybot Search and Destroy, tdsskiller, and a few other programs. After using these programs, Windows would not startup again so I had to do a system restore.

Also when swbh4454f processes were active, random windows with names like blankwindow2 and hello4 were appearing.

I am now running Malwarebytes and waiting for the scan to end.

#4 Computerproblem101


Posted 07 May 2011 - 11:16 PM

Please do as I instructed.

#5 querty


Posted 07 May 2011 - 11:18 PM

Currently running the Malwarebytes scan, and the system restore was before I started posting here.

#6 Computerproblem101


Posted 07 May 2011 - 11:26 PM

Please do the other scans too.

#7 querty


Posted 07 May 2011 - 11:31 PM

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6529

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

5/8/2011 12:26:52 AM
mbam-log-2011-05-08 (00-26-52).txt

Scan type: Quick scan
Objects scanned: 155955
Time elapsed: 7 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CLASSES_ROOT\.exe\shell\open\command\(default) (Hijack.ExeFile) -> Value: (default) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Windows\Temp\Xbk.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\Windows\Temp\_ex-08.exe (Malware.Gen) -> Quarantined and deleted successfully.
c:\Windows\System32\config\systemprofile\local settings\application data\oxxwnlbqp.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\Windows\System32\config\systemprofile\AppData\Roaming\microsoft\Windows\start menu\Programs\security shield.lnk (Rogue.SecurityShield) -> Quarantined and deleted successfully.

This is the Malwarebytes log.

The Spybot one will be much longer.

Edited by querty, 07 May 2011 - 11:35 PM.


#8 Computerproblem101


Posted 07 May 2011 - 11:39 PM

Be sure to run Superantispyware as well. Seems you may have a backdoor, but it's too soon to determine.

Edited by Computerproblem101, 07 May 2011 - 11:39 PM.


#9 querty


Posted 08 May 2011 - 02:18 AM

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/08/2011 at 01:36 AM

Application Version : 4.52.1000

Core Rules Database Version : 7012
Trace Rules Database Version: 4824

Scan type : Complete Scan
Total Scan Time : 00:39:37

Memory items scanned : 455
Memory threats detected : 0
Registry items scanned : 9624
Registry threats detected : 1
File items scanned : 43855
File threats detected : 132

System.BrokenFileAssociation
HKCR\.exe

Trojan.Agent/Gen-Falprod
C:\PROGRAM FILES\ACTIVIDENTITY\ACTIVCLIENT\ACCRDSUB.EXE
C:\PROGRAM FILES\ACTIVIDENTITY\ACTIVCLIENT\ACEVENTS.EXE
C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI.ACE\CORE-STATIC\CLISTART.EXE
C:\PROGRAM FILES\COMMON FILES\JAVA\JAVA UPDATE\JUSCHED.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\FILE SANITIZER\CORESHREDDER.EXE
C:\PROGRAM FILES\IDT\WDM\STTRAY.EXE
C:\PROGRAM FILES\MCAFEE\MANAGED VIRUSSCAN\DESKTOPUI\XTRAY.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE14\BCSSYNC.EXE
C:\PROGRAM FILES\PDF COMPLETE\PDFSTY.EXE
C:\PROGRAM FILES\SYMANTEC\NORTON ONLINE BACKUP\ACTIVATION\NOBUACTIVATION.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPENH.EXE
C:\PROGRAM FILES\VERIZONDM\BIN\SPRTCMD.EXE
C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\NORTON ONLINE BACKUP\NORTON ONLINE BACKUP.LNK
C:\WINDOWS\SYSTEM32\ICO.EXE

Adware.Tracking Cookie

This is the log from SUPERAntiSpyware
And when I ran Spybot Search and Destroy before, the only thing it found was something like Click.GiftLoad.
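A read-only check for the two findings in the logs above, added here as an example and not part of the thread: it audits the .exe file association that Malwarebytes quarantined (Hijack.ExeFile) and SUPERAntiSpyware reported as System.BrokenFileAssociation, and reports the Authenticode status of the Program Files executables flagged as Trojan.Agent/Gen-Falprod. It assumes Windows PowerShell run as administrator; the expected registry values are the stock Windows defaults.

```powershell
# Added example, not from the thread: read-only audit of the two log findings above.
# (1) Hijack.ExeFile / System.BrokenFileAssociation: a planted HKCR\.exe\shell\open\command
#     makes every .exe launch run through the malware first.
# (2) Trojan.Agent/Gen-Falprod: vendor executables under Program Files reported as replaced.
# Run from an elevated PowerShell prompt. It reports; it does not repair anything.

# --- 1. .exe file-association check --------------------------------------------
# On a clean system HKCR\.exe has the default value "exefile" and no shell\open
# subkey of its own; the launch command lives under HKCR\exefile and is "%1" %*.
$expectedCommand = '"%1" %*'

$exeKey = 'Registry::HKEY_CLASSES_ROOT\.exe'
$exeDefault = (Get-ItemProperty -Path $exeKey -ErrorAction SilentlyContinue).'(default)'
if ($exeDefault -ne 'exefile') {
    Write-Output "SUSPECT  $exeKey default is '$exeDefault', expected 'exefile'"
}
if (Test-Path "$exeKey\shell\open\command") {
    $cmd = (Get-ItemProperty -Path "$exeKey\shell\open\command").'(default)'
    Write-Output "SUSPECT  $exeKey\shell\open\command exists: $cmd"
}

# HKCR is a merged view of HKLM\SOFTWARE\Classes and HKCU\Software\Classes, and a
# per-user entry wins, so check the command in both hives, not just the merged view.
foreach ($hive in 'HKLM:\SOFTWARE\Classes', 'HKCU:\Software\Classes') {
    $cmdKey = "$hive\exefile\shell\open\command"
    if (-not (Test-Path $cmdKey)) { continue }        # absent in HKCU is normal
    $cmd = (Get-ItemProperty -Path $cmdKey).'(default)'
    $state = if ($cmd -eq $expectedCommand) { 'ok     ' } else { 'SUSPECT' }
    Write-Output "$state  $cmdKey -> $cmd"
}

# --- 2. Integrity of the executables SUPERAntiSpyware flagged -------------------
# Paths copied from the Trojan.Agent/Gen-Falprod section of the log above.
$flagged = @(
    'C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe',
    'C:\Program Files\ActivIdentity\ActivClient\acevents.exe',
    'C:\Program Files\Common Files\Java\Java Update\jusched.exe',
    'C:\Program Files\IDT\WDM\sttray.exe',
    'C:\Program Files\PDF Complete\pdfsty.exe',
    'C:\Program Files\Synaptics\SynTP\SynTPEnh.exe',
    'C:\Program Files\VERIZONDM\bin\sprtcmd.exe',
    'C:\Windows\System32\ICO.exe'
)
foreach ($path in $flagged) {
    if (-not (Test-Path $path)) { Write-Output "missing  $path"; continue }
    $file = Get-Item $path
    # HashMismatch = a signed file whose bytes were altered. NotSigned on a vendor
    # binary that normally ships signed is a second red flag; a LastWriteTime that
    # matches the day the infection appeared is a third.
    $sig = Get-AuthenticodeSignature -FilePath $path
    Write-Output ('{0,-13} {1}  {2} bytes  modified {3:u}' -f $sig.Status, $path, $file.Length, $file.LastWriteTime)
}
```

A NotSigned result alone is not proof of tampering, since some vendors ship unsigned helpers; compare against a known-clean copy of the same product version before drawing conclusions.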

#10 Computerproblem101


Posted 08 May 2011 - 12:59 PM

Click.Giftload is a variant of the TDL rootkit. You will need to run Aswmbr, it seems, but I can't recommend that; wait for an expert to come. Post some logs in the malware removal thread.

#11 querty


Posted 08 May 2011 - 01:46 PM

What logs should I post: the logs from here or logs from something like ComboFix?

EDIT: I just checked Add or Remove programs and found McAfee with the black U and green background icon. Is this infecting security programs?

EDIT: I am checking through all the Program Files now. I've found the icon as accrdsub and acevents under ActivIdentity, but with the original programs there too. Checked all processes in Windows task manager and found them running.

EDIT: Checked through almost every folder in Program Files and found these files with black U replacements:
Jusched in Java Update
sttray in WDM in IDT
pdfsty in PDF complete
SynTPEnh in SynTP in Synaptics
sprtcmd in bin in VERIZONDM

Edited by querty, 08 May 2011 - 02:49 PM.


#12 Computerproblem101


Posted 08 May 2011 - 04:36 PM

Logs from things like DDS etc., which I can't give you the link for. Make a thread in this forum: http://www.bleepingcomputer.com/forums/forum22.html - give them the link to this thread and ask what to do.

#13 Animal

  • Site Admin

Posted 18 May 2011 - 01:50 PM

Topic closed to avoid confusion and duplicate assistance due to member being assisted here: http://www.bleepingcomputer.com/forums/topic396286.html/page__gopid__2253293#entry2253293
