Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

I Believe I have a Redirect Virus and Need Help


  • Please log in to reply
11 replies to this topic

#1 Hanley

Hanley

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:12:08 AM

Posted 13 July 2011 - 12:08 AM

Hello,

I believe I have somehow downloaded a redirect virus of some kind. Whenever I use search in IE8, IE9, or Chrome I get sent to random ad sites. I have run McAfee scans and ARO scans and nothing has turned up or been fixed.

I am running Windows 7 64-bit and would like to avoid having to reinstall windows if at all possible.

Thanks for your help.

~Hanley

BC AdBot (Login to Remove)

 


#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,263 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:12:08 AM

Posted 13 July 2011 - 08:46 AM

Before doing anything further, if you have not already done so, you should back up all your important documents, personal data files and photos to a CD or DVD drive as some infections may render your computer unbootable during or before the disinfection process. If that occurs there may be no option but to reformat and reinstall the OS or perform a full system recovery. The safest practice is not to backup any files with the following file extensions: exe, .scr, .ini, .htm, .html, .php, .asp, .xml, .zip, .rar, .cab as they may be infected.
Please follow these instructions: How to remove Google Redirects or the TDSS, TDL3, Alureon rootkit using TDSSKiller
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • When the program opens, click the Start Scan button.
  • Any objects found, will show in the Scan results - Select action for found objects and offer three options.
  • If an infected file is detected, the default action will be Cure...do not change it.

    Posted Image
  • Click Continue > Reboot now to finish the cleaning process.<- Important!!

    Posted Image
  • If 'Suspicious' objects are detected, you will be given the option to Skip or Quarantine. Skip will be the default selection. Leave it as such for now.
  • A log file named TDSSKiller_version_date_time_log.txt will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.
-- If TDSSKiller does not run, try renaming it. To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extensio, please refer to these instructions. In some cases it may be necessary to redownload TDSSKiller and randomly rename it before downloading and saving to the computer or to perform the scan in "safe mode".

-- For any files detected as 'Suspicious' (except those identified as Forged to be cured after reboot) get a second opinion by submitting to Jotti's virusscan or VirusTotal. In the "File to upload & scan" box, browse to the location of the suspicious file and submit (upload) it for scanning/analysis.

Step 7 instructs you to scan your computer using Malwarebytes Anti-Malware. Don't forget to check for database definition updates through the program's interface (preferable method) before scanning.

Malwarebytes may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • After completing the scan, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab .
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
  • Exit Malwarebytes when done.
Note: If Malwarebytes encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes from removing all the malware.

-- Some types of malware will target Malwarebytes Anti-Malware and other security tools to keep them from running properly. If that's the case, please refer to the suggestions provided in For those having trouble running Malwarebytes Anti-Malware as you may need to rename it or use RKill by Grinler.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#3 Hanley

Hanley
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:12:08 AM

Posted 13 July 2011 - 07:38 PM

Thanks for your help.

I ran Malware Bytes and the TDSSkiller, which did not detect anything. Malwarebytes detected a few things. The log is pasted below. Please let me know what to do next. Thanks again.

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 7099

Windows 6.1.7601 Service Pack 1
Internet Explorer 8.0.7601.17514

7/12/2011 10:51:50 PM
mbam-log-2011-07-12 (22-51-50).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 532462
Time elapsed: 1 hour(s), 41 minute(s), 39 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
c:\Users\Hanley\AppData\Roaming\winlogon.exe (Trojan.Agent) -> 4648 -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\VB AND VBA PROGRAM SETTINGS\Micronsoft (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\ (Hijack.Zones) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSWUpdate (Trojan.Agent) -> Value: MSWUpdate -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Vnukepurif (Trojan.Agent.U) -> Value: Vnukepurif -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cbobubig (Trojan.Agent.U) -> Value: Cbobubig -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Users\Hanley\AppData\Roaming\winlogon.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Windows\Tasks\{22116563-108c-42c0-a7ce-60161b75e508}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\Windows\Tasks\{810401e2-dde0-454e-b0e2-aa89c9e5967c}.job (Trojan.FraudPack) -> Quarantined and deleted successfully.

#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,263 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:12:08 AM

Posted 13 July 2011 - 09:12 PM

Now rescan again with Malwarebytes Anti-Malware, but this time perform a Full Scan in normal mode and check all items found for removal. Don't forgot to check for database definition updates through the program's interface (preferable method) before scanning and to reboot afterwards. Failure to reboot normally will prevent Malwarebytes from removing all the malware. When done, click the Logs tab and copy/paste the contents of the new report in your next reply.

The database in your previous log shows 7099. Last I checked it was 7112.


Please download MiniToolBox by farbar and save it to your desktop.

Close all open browsers, double-click on the file to launch the utility and check the following checkboxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Report FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Users, Partitions and Memory size
Click Go and a log file named Result.txt will open in Notepad with the results. Copy and paste the contents in your next reply.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#5 Hanley

Hanley
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:12:08 AM

Posted 14 July 2011 - 12:38 AM

Hello,

I updated the MalwareBytes definitions and found one more virus. Below are the logs from MalwareBytes and MiniToolBox. The virus still seems to persist.

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 7122

Windows 6.1.7601 Service Pack 1
Internet Explorer 8.0.7601.17514

7/13/2011 10:28:13 PM
mbam-log-2011-07-13 (22-28-13).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 534423
Time elapsed: 1 hour(s), 35 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\T7PKEYSDPX (Trojan.FakeAlert.SA) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


MiniToolBox

MiniToolBox by Farbar
Ran by Hanley (administrator) on 13-07-2011 at 22:33:58
Windows 7 Home Premium Service Pack 1 (X64)

***************************************************************************


================= Flush DNS: ==============================================

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

== End of Flush DNS ==

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

== End of IE Proxy Settings ==
=============== Hosts content: ============================================

# Copyright © 1993-2006 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost
::1 localhost

== End of Hosts ==

================= IP Configuration: =======================================

# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4

reset
set global icmpredirects=enabled


popd
# End of IPv4 configuration



Windows IP Configuration

Host Name . . . . . . . . . . . . : Hanley-PC
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : hsd1.ca.comcast.net.

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : hsd1.ca.comcast.net.
Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
Physical Address. . . . . . . . . : 00-23-AE-E7-59-98
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::ddb7:6a81:8094:bd82%10(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.2.197(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Wednesday, July 13, 2011 10:30:26 PM
Lease Expires . . . . . . . . . . : Thursday, July 14, 2011 10:30:26 PM
Default Gateway . . . . . . . . . : 192.168.2.1
DHCP Server . . . . . . . . . . . : 192.168.2.1
DHCPv6 IAID . . . . . . . . . . . : 251667374
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-14-59-C3-5D-00-23-AE-E7-59-98
DNS Servers . . . . . . . . . . . : 192.168.2.1
NetBIOS over Tcpip. . . . . . . . : Enabled

Wireless LAN adapter Wireless Network Connection:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . : hsd1.ca.comcast.net.
Description . . . . . . . . . . . : Dell Wireless 1505 Draft 802.11n WLAN Mini-Card
Physical Address. . . . . . . . . : 00-26-5E-46-13-A5
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.hsd1.ca.comcast.net.:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . : hsd1.ca.comcast.net.
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Teredo Tunneling Pseudo-Interface:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2001:0:4137:9e76:4da:687:94fc:7771(Preferred)
Link-local IPv6 Address . . . . . : fe80::4da:687:94fc:7771%12(Preferred)
Default Gateway . . . . . . . . . : ::
NetBIOS over Tcpip. . . . . . . . : Disabled
Server: UnKnown
Address: 192.168.2.1

Name: google.com
Addresses: 74.125.224.115
74.125.224.113
74.125.224.114
74.125.224.116
74.125.224.112


Pinging google.com [74.125.224.148] with 32 bytes of data:
Reply from 74.125.224.148: bytes=32 time=244ms TTL=55
Reply from 74.125.224.148: bytes=32 time=260ms TTL=55

Ping statistics for 74.125.224.148:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 244ms, Maximum = 260ms, Average = 252ms
Server: UnKnown
Address: 192.168.2.1

Name: yahoo.com
Addresses: 98.137.149.56
209.191.122.70
67.195.160.76
69.147.125.65
72.30.2.43


Pinging yahoo.com [209.191.122.70] with 32 bytes of data:
Reply from 209.191.122.70: bytes=32 time=240ms TTL=51
Reply from 209.191.122.70: bytes=32 time=281ms TTL=51

Ping statistics for 209.191.122.70:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 240ms, Maximum = 281ms, Average = 260ms

Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
===========================================================================
Interface List
10...00 23 ae e7 59 98 ......Realtek PCIe GBE Family Controller
2...00 26 5e 46 13 a5 ......Dell Wireless 1505 Draft 802.11n WLAN Mini-Card
1...........................Software Loopback Interface 1
11...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
12...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.2.1 192.168.2.197 20
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.2.0 255.255.255.0 On-link 192.168.2.197 276
192.168.2.197 255.255.255.255 On-link 192.168.2.197 276
192.168.2.255 255.255.255.255 On-link 192.168.2.197 276
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.2.197 276
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.2.197 276
===========================================================================
Persistent Routes:
None

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
12 58 ::/0 On-link
1 306 ::1/128 On-link
12 58 2001::/32 On-link
12 306 2001:0:4137:9e76:4da:687:94fc:7771/128
On-link
10 276 fe80::/64 On-link
12 306 fe80::/64 On-link
12 306 fe80::4da:687:94fc:7771/128
On-link
10 276 fe80::ddb7:6a81:8094:bd82/128
On-link
1 306 ff00::/8 On-link
12 306 ff00::/8 On-link
10 276 ff00::/8 On-link
===========================================================================
Persistent Routes:
None

== End of IP Configuration ==

========================= Memory info: ====================================

Percentage of memory in use: 32%
Total physical RAM: 5110.99 MB
Available physical RAM: 3466.3 MB
Total Pagefile: 10220.17 MB
Available Pagefile: 8114.63 MB
Total Virtual: 4095.88 MB
Available Virtual: 3982.8 MB

======================= Partitions: =======================================

1 Drive c: (OS) (Fixed) (Total:683.59 GB) (Free:543.94 GB) NTFS
2 Drive d: (RECOVERY) (Fixed) (Total:15 GB) (Free:7.16 GB) NTFS

================= Users: ==================================================

User accounts for \\HANLEY-PC

-------------------------------------------------------------------------------
Administrator Guest Hanley
UpdatusUser
The command completed successfully.

== End of Users ==

#6 Hanley

Hanley
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:12:08 AM

Posted 14 July 2011 - 12:47 AM

Also, for whatever it's worth, Windows Security Center will no longer open or turn on.

#7 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,263 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:12:08 AM

Posted 14 July 2011 - 05:53 AM

Please download and scan with the McAfee FakeAlert Stinger Tool.
Be sure to follow the instructions provided and to check “Super Scan” mode in the preferences dialog before performing the scan.

Please perform a scan with Eset Online Anti-virus Scanner.
  • If using Mozilla Firefox, you will be prompted to download and use the ESET Smart Installer. Just double-click on esetsmartinstaller_enu.exe to install.
  • Vista/Windows 7 users need to run Internet Explorer/Firefox as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run As Administrator from the context menu.
  • Click the green Posted Image button.
  • Read the End User License Agreement and check the box:
  • Check Posted Image.
  • Click the Posted Image button.
  • Accept any security warnings from your browser and allow the download/installation of any require files.
  • Under scan settings, check Posted Image and make sure that the option Remove found threats is NOT checked.
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Click the Start button.
  • ESET will install itself, download virus signature database updates, and begin scanning your computer.
  • The scan will take a while so be patient and do NOT use the computer while the scan is running. Keep all other programs and windows closed.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop as ESETScan.txt.
  • Push the Posted Image button, then Finish.
  • Copy and paste the contents of ESETScan.txt in your next reply. If no threats are found, there is no option to create a log.

.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#8 Hanley

Hanley
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:12:08 AM

Posted 14 July 2011 - 07:14 PM

The McAffee scan didn't produce anything. Just that there are 607,198 clean files. And I didn't see an option for "Super Scan" so I selected and ran a "full scan" instead. I figured they were the same things.

Here is the log from the ESET scan.

C:\Users\Hanley\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\21\7e5de995-2d6876d0 multiple threats
C:\Users\Hanley\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\22\33889816-44d35643 Java/TrojanDownloader.Agent.NCM trojan
C:\Users\Hanley\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\49\1d4e2af1-22b25f49 multiple threats

#9 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,263 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:12:08 AM

Posted 14 July 2011 - 07:19 PM

Your scan results indicate a threat(s) was found in the Java cache.

When a browser runs an applet, the Java Runtime Environment (JRE) stores the downloaded files into its cache folder for quick execution later and better performance. Both legitimate and malicious applets, malicious Java class files are stored in the Java cache directory and your anti-virus may detect them as threats. The detection can indicate the presence of malicious code which could attempt to exploit a vulnerability in the JRE. For more specific information about Java exploits, please refer to Virus found in the Java cache directory.

Notification of these files as a threat does not always mean that a machine has been infected; it indicates that a program included the viral class file but this does not mean that it used the malicious functionality. As a precaution, I recommend clearing the entire cache manually to ensure everything is cleaned out:
Also be aware that older versions of Java have vulnerabilities that malicious sites can use to exploit and infect your system. That's why it is important to always use the most current Java Version and remove outdated Java components.You can verify (test) your JAVA Software Installation & Version here.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#10 Hanley

Hanley
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:12:08 AM

Posted 14 July 2011 - 07:48 PM

I just did everything you suggested. Cleared the Java Cache, Temp Files, browsing history, etc. and the issue still persists. I don't know if it is helpful or not but when I click on a search result a numeral address of some sort appears before I land on some ad site.

Is there anything else I can do? Thanks again for all of your help.

#11 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,263 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:12:08 AM

Posted 15 July 2011 - 06:09 AM

This issue will require further investigation. Many of the tools we use in this forum are not capable of detecting (repairing/removing) all malware variants so more advanced tools are needed to investigate. Before that can be done you will need you to create and post a DDS log for further investigation.

Please read the "Preparation Guide".
  • If you cannot complete a step, then skip it and continue with the next.
  • In Step 7 there are instructions for downloading and running DDS which will create a Pseudo HJT Report as part of its log.
When you have done that, post your log in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the Malware Response Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, please reply back here with a link to the new topic so we can closed this one.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#12 Hanley

Hanley
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:12:08 AM

Posted 15 July 2011 - 08:55 AM

Will do. Thanks again for your help.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users