
nt32.exe, load32.exe, 315load32.exe malware


  • This topic is locked
5 replies to this topic

#1 agl120

agl120

  • Members
  • 2 posts

Posted 21 February 2014 - 09:10 PM

Hi, I need help with a load32.exe virus. I apologize beforehand for this detailed explanation of what I did, since I don't know what will be useful and what is not.

I was careless and ran an .exe file after scanning it for viruses, and it came back clean. My computer did not do anything for maybe 10 seconds, then the originally intended program started running. It looked as if everything was working out, but I got a hunch, based on past experience, that something had gone wrong. I exited the program, went to delete it and naturally found that it cannot be deleted because it is in use. My first thought was to restart my computer to end the process.

After restarting my computer, some of my normal startup programs did not run, and some icons in the notification area of the taskbar were missing. I got a Windows pop-up message that "window processor" needs permission to run, so I declined it.

Trying to delete the original .exe and the related files that infected me led me to multiple instances of File1 under Applications, and load32.exe and 315load32.exe under Processes in Task Manager. I ended the applications and processes in question and deleted the original culprits. One instance of 315load32.exe cannot be ended.

After restarting a few times, I looked at the pop-up message detail and it mentioned that some software was changed and needs to be checked. I was reluctant to allow it. But after checking that the certificate was from Microsoft Corporation, I was hopeful (but mainly stupid) that it might fix the startup problems and hit Allow. I saw a command prompt pop up for a split second, then disappear. Not sure if that hurt me more or not, but now I am thinking it was a mistake. I never saw the message again, but the same problems remained.

Other problems that I found:
1. There are only about 40 processes, when normally there are about 70 to 80.
2. I also have 2 PC issues to be solved: turn on Windows Defender and find an antivirus program. I normally use Microsoft Security Essentials, but it is disabled.
3. I tried to download and install Malwarebytes. Every time I download the setup file with Firefox, it disappears from my computer and cannot be found. The same happens with dds.com.

After hunting for the hidden files and restarting my computer a few times, I located them at:
C:\Users\Naoko\Documents\315load32.exe
C:\ProgramData\load32.exe

In safe mode, these processes and applications still ran at startup. I was able to end them, rename them and delete load32.exe with a few computer restarts. I had to change the permissions on the renamed 315load32.exe before I could delete it.

I downloaded Malwarebytes with another computer and sent the setup file over. At first it failed to install because certain Malwarebytes files were already located at C:\ProgramData.
I honestly cannot remember whether I have used Malwarebytes on this computer before or not, but there is also a McAfee folder with some files in the same location. I know for sure I never used McAfee. Google tells me that this type of virus may overwrite the current antivirus programs with copies of itself. I backed them up in a zip file elsewhere and deleted them. Then I ran the Malwarebytes setup again and it completed the install. The launch after setup gives this error stating the exe can't be found:

Unable to execute file:
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe

CreateProcess failed; code2.
The system cannot find the file specified.

When I run Malwarebytes normally, I still get the error that the file can't be found:
Windows cannot find 'C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe'.  Make sure you typed the name correctly, and then try again.

Reinstalling does not help. The same error happens when I try to run Microsoft Security Essentials, but the files are there. Random programs work, but two of the startup ones that I always use suffer from the same error.

After a lot more Googling, I read about an nt32.exe that can stop my processes from running. After digging around, I found it at C:\NTKernel\nt32.exe

According to what I read, it can be a rootkit/keylogger/mess with the registry, so I don't want to mess with it. I did not even try to delete it.

Help is greatly appreciated. Thank you.


DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 10.0.9200.16798
Run by Naoko at 20:23:22 on 2014-02-21
Microsoft Windows 7 Ultimate   6.1.7601.1.932.81.1033.18.8104.6629 [GMT -5:00]
.
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\atieclxx.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\SysWOW64\PnkBstrA.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\DAEMON Tools Lite\DTShellHlp.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uWinlogon: Shell = explorer.exe,"C:\ProgramData\load32.exe"
uWindows: Load = G:\c85\[Fuwanovel] Ikusa Otome Suvia\Valkyrie Svia\suvia.exe
mWinlogon: Userinit = userinit.exe,
uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
mRun: [NT Kernel Service] C:\ProgramData\load32.exe -rundll32 /SYSTEM32 "C:\Windows\System32\taskmgr.exe" "C:\Program Files\Microsoft\Windows"
StartupFolder: C:\Users\Naoko\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.Microsoft.com.url
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_09-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_09-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_09-windows-i586.cab
TCP: NameServer = 10.1.10.1
TCP: Interfaces\{AD0831A0-3550-496C-ABC7-DC0A7AAFC1A5} : DHCPNameServer = 10.1.10.1
SSODL: WebCheck - <orphaned>
IFEO: AvastSvc.exe - C:\Users\Naoko\Documents\315load32.exe
IFEO: AvastUI.exe - C:\Users\Naoko\Documents\315load32.exe
IFEO: avcenter.exe - C:\Users\Naoko\Documents\315load32.exe
IFEO: avconfig.exe - C:\Users\Naoko\Documents\315load32.exe
IFEO: avgcsrvx.exe - C:\Users\Naoko\Documents\315load32.exe
x64-BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll
x64-BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
x64-Run: [RTHDVCPL] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
x64-Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
x64-Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
x64-IFEO: AvastSvc.exe - C:\Users\Naoko\Documents\315load32.exe
x64-IFEO: AvastUI.exe - C:\Users\Naoko\Documents\315load32.exe
x64-IFEO: avcenter.exe - C:\Users\Naoko\Documents\315load32.exe
x64-IFEO: avconfig.exe - C:\Users\Naoko\Documents\315load32.exe
x64-IFEO: avgcsrvx.exe - C:\Users\Naoko\Documents\315load32.exe
.
Note: multiple IFEO entries found. Please refer to Attach.txt
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Naoko\AppData\Roaming\Mozilla\Firefox\Profiles\nt2asc8a.default\
FF - prefs.js: network.proxy.ftp - 209.97.203.60
FF - prefs.js: network.proxy.ftp_port - 8080
FF - prefs.js: network.proxy.gopher - 209.97.203.60
FF - prefs.js: network.proxy.gopher_port - 8080
FF - prefs.js: network.proxy.http - 209.97.203.60
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.socks - 209.97.203.60
FF - prefs.js: network.proxy.socks_port - 8080
FF - prefs.js: network.proxy.ssl - 209.97.203.60
FF - prefs.js: network.proxy.ssl_port - 8080
FF - prefs.js: network.proxy.type - 0
FF - plugin: C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher\npuplaypc.dll
FF - plugin: C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher\npuplaypchub.dll
FF - plugin: C:\Users\Naoko\AppData\Local\Google\Update\1.3.22.5\npGoogleUpdate3.dll
FF - plugin: C:\Users\Naoko\AppData\Roaming\raidcall\plugins\nprcplugin.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_12_0_0_44.dll
FF - plugin: C:\Windows\SysWOW64\npdeployJava1.dll
FF - plugin: C:\Windows\SysWOW64\npmproxy.dll
.
---- FIREFOX POLICIES ----
FF - user.js: extensions.irspeeddial.aflt - fxtb103
FF - user.js: extensions.irspeeddial.instlRef -
FF - user.js: extensions.irspeeddial.cr - 1124572904
FF - user.js: extensions.irspeeddial.cd - 2XzuyEtN2Y1L1Qzu0B0CyD0F0FyEtA0Bzy0A0EyCyC0DtB0EtN0D0Tzu0SyByByDtN1L2XzutBtFtBtFtCyDtFtCyCtAtCtN1L1Czu1G2Z1S
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;C:\Windows\System32\drivers\MpFilter.sys [2013-9-27 248240]
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;C:\Windows\System32\drivers\dtsoftbus01.sys [2012-6-9 283200]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2012-4-5 236544]
R2 NisDrv;Microsoft Network Inspection System;C:\Windows\System32\drivers\NisDrvWFP.sys [2012-3-20 134944]
R3 asmthub3;ASMedia USB3 Hub Service;C:\Windows\System32\drivers\asmthub3.sys [2011-3-4 126952]
R3 asmtxhci;ASMEDIA XHCI Service;C:\Windows\System32\drivers\asmtxhci.sys [2011-3-4 390632]
R3 MBfilt;MBfilt;C:\Windows\System32\drivers\MBfilt64.sys [2012-6-2 32344]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2012-6-2 471144]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 dmvsc;dmvsc;C:\Windows\System32\drivers\dmvsc.sys [2010-11-21 71168]
S3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\NisSrv.exe [2013-10-23 348376]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2010-11-20 20992]
S3 Synth3dVsc;Synth3dVsc;C:\Windows\System32\drivers\Synth3dVsc.sys [2010-11-21 88960]
S3 terminpt;Microsoft Remote Desktop Input Driver;C:\Windows\System32\drivers\terminpt.sys [2010-11-21 34816]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2010-11-20 59392]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2010-11-20 31232]
S3 tsusbhub;tsusbhub;C:\Windows\System32\drivers\tsusbhub.sys [2010-11-21 117248]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2012-6-3 1255736]
.
=============== Created Last 30 ================
.
2014-02-21 10:46:29 25928 ----a-w- C:\Windows\System32\drivers\mbam.sys
2014-02-21 10:46:29 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2014-02-21 06:39:38 -------- d-----w- C:\ProgramData\Malwarebytes
2014-02-21 04:49:23 -------- d--h--w- C:\NTKernel
2014-02-21 04:33:57 -------- d--h--w- C:\ProgramData\NTKernel
2014-02-21 00:49:43 1031560 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{C9CBF3A1-063E-4504-90C0-EBB3462D7C82}\gapaengine.dll
2014-02-21 00:49:31 10536864 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{2137C619-EF05-4F38-9B26-5A57D9CCE474}\mpengine.dll
2014-02-18 22:59:52 10536864 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2014-02-14 02:18:41 -------- d-----w- C:\Users\Naoko\AppData\Local\PunkBuster
2014-02-12 06:35:59 775344 ----a-w- C:\Program Files\Internet Explorer\iexplore.exe
2014-02-11 22:32:16 2048 ----a-w- C:\Windows\SysWow64\msxml3r.dll
2014-02-11 22:32:16 2048 ----a-w- C:\Windows\System32\msxml3r.dll
2014-02-11 22:32:16 1882112 ----a-w- C:\Windows\System32\msxml3.dll
2014-02-11 22:32:16 1237504 ----a-w- C:\Windows\SysWow64\msxml3.dll
2014-02-11 22:32:04 3928064 ----a-w- C:\Windows\System32\d2d1.dll
2014-02-11 22:32:04 3419136 ----a-w- C:\Windows\SysWow64\d2d1.dll
2014-02-11 22:32:04 2565120 ----a-w- C:\Windows\System32\d3d10warp.dll
2014-02-11 22:32:04 1987584 ----a-w- C:\Windows\SysWow64\d3d10warp.dll
2014-02-02 10:51:07 -------- d-----w- C:\Users\Naoko\AppData\Roaming\SYRUP
2014-01-25 08:19:07 -------- d-----w- C:\Users\Naoko\AppData\Local\Blizzard
2014-01-25 00:02:14 -------- d-----w- C:\Users\Naoko\AppData\Local\Blizzard Entertainment
2014-01-25 00:02:12 -------- d-----w- C:\Users\Naoko\AppData\Roaming\Battle.net
2014-01-25 00:02:12 -------- d-----w- C:\Users\Naoko\AppData\Local\Battle.net
2014-01-24 04:47:10 -------- d-----w- C:\Program Files (x86)\Dungeon Defenders
2014-01-24 02:34:55 -------- d-----w- C:\Users\Naoko\AppData\Local\id Software
.
==================== Find3M  ====================
.
2014-02-14 05:38:49 103736 ----a-w- C:\Windows\SysWow64\PnkBstrB.exe
2014-02-14 02:18:50 66872 ----a-w- C:\Windows\SysWow64\PnkBstrA.exe
2014-02-09 01:03:52 71048 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2014-02-09 01:03:52 692616 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2014-02-01 09:19:49 2241536 ----a-w- C:\Windows\System32\wininet.dll
2014-02-01 09:18:25 3960320 ----a-w- C:\Windows\System32\jscript9.dll
2014-02-01 09:18:21 67072 ----a-w- C:\Windows\System32\iesetup.dll
2014-02-01 09:18:21 136704 ----a-w- C:\Windows\System32\iesysprep.dll
2014-02-01 07:58:31 1767936 ----a-w- C:\Windows\SysWow64\wininet.dll
2014-02-01 07:57:20 2877952 ----a-w- C:\Windows\SysWow64\jscript9.dll
2014-02-01 07:57:16 61440 ----a-w- C:\Windows\SysWow64\iesetup.dll
2014-02-01 07:57:16 109056 ----a-w- C:\Windows\SysWow64\iesysprep.dll
2014-02-01 07:40:43 2706432 ----a-w- C:\Windows\System32\mshtml.tlb
2014-02-01 07:34:53 2706432 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2014-02-01 06:45:40 89600 ----a-w- C:\Windows\System32\RegisterIEPKEYs.exe
2014-02-01 06:38:03 71680 ----a-w- C:\Windows\SysWow64\RegisterIEPKEYs.exe
2014-01-19 07:33:29 270496 ------w- C:\Windows\System32\MpSigStub.exe
2013-12-21 09:39:33 600064 ----a-w- C:\Windows\System32\vbscript.dll
2013-12-21 07:56:10 523776 ----a-w- C:\Windows\SysWow64\vbscript.dll
2013-11-27 01:41:37 343040 ----a-w- C:\Windows\System32\drivers\usbhub.sys
2013-11-27 01:41:15 99840 ----a-w- C:\Windows\System32\drivers\usbccgp.sys
2013-11-27 01:41:11 53248 ----a-w- C:\Windows\System32\drivers\usbehci.sys
2013-11-27 01:41:11 325120 ----a-w- C:\Windows\System32\drivers\usbport.sys
2013-11-27 01:41:09 25600 ----a-w- C:\Windows\System32\drivers\usbohci.sys
2013-11-27 01:41:06 30720 ----a-w- C:\Windows\System32\drivers\usbuhci.sys
2013-11-27 01:41:03 7808 ----a-w- C:\Windows\System32\drivers\usbd.sys
2013-11-26 10:32:56 3156480 ----a-w- C:\Windows\System32\win32k.sys
.
============= FINISH: 20:24:44.41 ===============
 

Attached File: attach.txt (16.43KB, 4 downloads)





#2 ~Kal~

~Kal~

  • Members
  • 699 posts
  • Gender:Not Telling
  • Location:UK

Posted 23 February 2014 - 02:48 PM

Hello agl120 and welcome to Bleeping Computer!

 

I'm Kal and I'll be helping you. Please bear with me while I review your logs and get back to you with your next steps.

In the meantime, while we're working together there are a few things I'd like you to be aware of:

1. DO NOT run any tools or make any changes to your computer unless instructed to do so.

I'll ask you to run different tools in a specific order to ensure any malware is completely removed from your machine. Running any additional tools, attempting fixes yourself or installing/uninstalling programs etc may interfere with our removal process.

2. You can copy and paste any logs I ask for into your replies, as it's easier for me to analyze them.

3. Please be sure to read my instructions carefully and follow the steps in the order I list them. If you run into any problems, please stop and let me know.

4. Even if things appear to be better, your computer may still be infected. Please continue to follow my instructions and reply back until I give you the "all clean".


If any of the instructions I provide aren't clear, or there's something you don't understand, please do ask.

If you are already being helped elsewhere (on this site or another forum) or have resolved the issue, please let me know so I can close this topic.

Kal


Kal
Please bear in mind I'm in the UK so our timezones may not always sync.
If I'm helping you and haven't replied within 24 hrs please send me a pm

#3 ~Kal~

~Kal~

  • Members
  • 699 posts
  • Gender:Not Telling
  • Location:UK

Posted 24 February 2014 - 04:31 AM

Hello agl120

From the information contained in your log, it does appear that you have a serious infection. Now for the really bad news: The identified infection is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

From looking through your logs, I do need to give you another warning:

Going over your logs I noticed that you have a torrent program installed and that you use gaming sites.

  • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
  • They are a security risk which can make your computer susceptible to a wide variety of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.
  • Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
  • The best way to reduce the risk of infection is to avoid these types of web/gaming sites and not use any P2P applications.

It is pretty much certain that if you continue to use P2P programs, you will get infected again.
I would recommend that you uninstall the torrent programme, however that choice is up to you. If you choose to remove it, you can do so via Start > Control Panel > Add/Remove Programs

If you wish to keep it, please do not use it until your computer is cleaned.

Please complete the following steps:

 

1. Run Farbar's Recovery Scan Tool

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system – 64bit.

  • Right-click FRST then click "Run as administrator"
  • When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • When finished, it will produce a log called FRST.txt in the same directory the tool was run from.
  • Please copy and paste the log in your next reply.

Note 2: The first time the tool is run it generates another log Addition.txt - also located in the same directory the tool was run from. Please also paste that, along with the FRST.txt into your next reply.

2. Are you using a proxy to connect to the internet with Firefox?

3. So in your next post I’d like to see:

- Confirmation of whether or not you’d like to continue cleaning your machine
- The frst.txt and addition.txt logs
- The answer to my question about the firefox proxy


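The DDS log in the first post and Kal's question about the Firefox proxy both come down to a handful of line types in the "Pseudo HJT Report" and FIREFOX sections: the IFEO entries (an Image File Execution Options Debugger value makes Windows start the named "debugger" binary whenever the target executable is launched, so a security product's executable ends up running 315load32.exe instead; once that binary has been deleted, the launch fails with "the system cannot find the file specified", which is consistent with the mbam.exe error agl120 describes, although the visible IFEO lines name Avast/AVG executables and DDS points to Attach.txt for the rest), the Winlogon Shell value that appends C:\ProgramData\load32.exe to explorer.exe, the mRun entry launching from C:\ProgramData, the .url item in the Startup folder, and the network.proxy.* prefs pointing at 209.97.203.60:8080 (with network.proxy.type 0, so Firefox was connecting directly rather than through them). As an added example, not code from this thread, from DDS or from any of the tools Kal mentions, here is a small Python triage script that parses those line types and flags them. The sample input is a constructed subset of the DDS lines quoted above; the "expected" Winlogon values, the user-writable-directory heuristic and the .lnk-only Startup rule are this example's own assumptions for a stock Windows 7 install.

```python
"""Triage persistence and proxy indicators in a DDS log.

Hypothetical helper written for this thread (not part of DDS, FRST or
Malwarebytes).  It reads the 'Pseudo HJT Report' and FIREFOX lines that
DDS prints and flags the entry classes seen in the log above.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: a subset of the DDS lines quoted in the first post.
SAMPLE_DDS = r"""
uStart Page = about:blank
uWinlogon: Shell = explorer.exe,"C:\ProgramData\load32.exe"
mWinlogon: Userinit = userinit.exe,
uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
mRun: [NT Kernel Service] C:\ProgramData\load32.exe -rundll32 /SYSTEM32 "C:\Windows\System32\taskmgr.exe" "C:\Program Files\Microsoft\Windows"
StartupFolder: C:\Users\Naoko\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.Microsoft.com.url
IFEO: AvastSvc.exe - C:\Users\Naoko\Documents\315load32.exe
IFEO: AvastUI.exe - C:\Users\Naoko\Documents\315load32.exe
x64-Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
x64-IFEO: AvastSvc.exe - C:\Users\Naoko\Documents\315load32.exe
x64-IFEO: AvastUI.exe - C:\Users\Naoko\Documents\315load32.exe
FF - prefs.js: network.proxy.http - 209.97.203.60
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.socks - 209.97.203.60
FF - prefs.js: network.proxy.socks_port - 8080
FF - prefs.js: network.proxy.type - 0
"""


@dataclass
class Finding:
    kind: str      # category of indicator
    line: str      # the DDS line that triggered it
    detail: str    # human-readable explanation


IFEO_RE = re.compile(r'^(?:x64-)?IFEO:\s*(\S+)\s*-\s*(.+?)\s*$')
WINLOGON_RE = re.compile(r'^[um]Winlogon:\s*(Shell|Userinit)\s*=\s*(.*?)\s*$')
RUN_RE = re.compile(r'^(?:x64-)?[um]Run:\s*\[([^\]]*)\]\s*(.+?)\s*$')
STARTUP_RE = re.compile(r'^StartupFolder:\s*(.+?)\s*$')
FF_PROXY_RE = re.compile(r'^FF - prefs\.js: network\.proxy\.(\w+) - (.*?)\s*$')

# Assumed stock values: exactly one image per Winlogon entry on Windows 7.
EXPECTED_WINLOGON = {'Shell': 'explorer.exe', 'Userinit': 'userinit.exe'}
# Assumed heuristic: Run entries normally launch from Program Files or
# System32, not from user-writable data directories.
SUSPICIOUS_DIRS = ('\\programdata\\', '\\appdata\\', '\\users\\', '\\temp\\')
# Firefox network.proxy.type: 0 = direct, 1 = manual, 2 = PAC, 4 = auto-detect, 5 = system
MANUAL_PROXY_TYPE = '1'


def image_names(value):
    """Split a comma-separated Winlogon value into lower-cased file names."""
    names = []
    for part in value.split(','):
        part = part.strip().strip('"')
        if part:
            names.append(part.replace('/', '\\').rsplit('\\', 1)[-1].lower())
    return names


def image_prefix(command):
    """Lower-cased command text up to its first '.exe' (directory plus stem)."""
    cmd = command.lower()
    idx = cmd.find('.exe')
    return cmd[:idx] if idx != -1 else cmd


def triage(text):
    """Return a list of Finding objects for the suspicious lines in a DDS log."""
    findings = []
    proxy = {}
    for raw in text.splitlines():
        line = raw.strip()
        if (m := IFEO_RE.match(line)):
            target, debugger = m.groups()
            # An IFEO Debugger value makes Windows start `debugger` in place of `target`.
            findings.append(Finding('ifeo_debugger', line,
                                    f'launching {target} starts {debugger}'))
        elif (m := WINLOGON_RE.match(line)):
            key, value = m.groups()
            names = image_names(value)
            expected = EXPECTED_WINLOGON[key]
            if names != [expected]:
                extra = ', '.join(n for n in names if n != expected) or value
                findings.append(Finding(f'winlogon_{key.lower()}', line,
                                        f'{key} also starts {extra}'))
        elif (m := RUN_RE.match(line)):
            name, command = m.groups()
            if any(d in image_prefix(command) for d in SUSPICIOUS_DIRS):
                findings.append(Finding('run_suspicious_path', line,
                                        f'[{name}] runs from a user-writable directory'))
        elif (m := STARTUP_RE.match(line)):
            base = m.group(1).rsplit('\\', 1)[-1]
            if not base.lower().endswith('.lnk'):   # Startup normally holds .lnk shortcuts
                findings.append(Finding('startup_folder', line,
                                        f'non-shortcut startup item: {base}'))
        elif (m := FF_PROXY_RE.match(line)):
            proxy[m.group(1)] = m.group(2)

    # Report proxy hosts once all prefs are collected; only type=1 activates them.
    hosts = {k: v for k, v in proxy.items()
             if k != 'type' and not k.endswith('_port') and v}
    if hosts:
        targets = sorted({f"{v}:{proxy.get(k + '_port', '?')}" for k, v in hosts.items()})
        ptype = proxy.get('type', 'unset')
        state = 'active' if ptype == MANUAL_PROXY_TYPE else 'not active'
        findings.append(Finding('ff_proxy', 'FF - prefs.js: network.proxy.*',
                                f"proxy {', '.join(targets)} configured, "
                                f"{state} (network.proxy.type={ptype})"))
    return findings


def summarize(findings):
    """Count findings per kind, e.g. {'ifeo_debugger': 4, ...}."""
    return Counter(f.kind for f in findings)


if __name__ == '__main__':
    results = triage(SAMPLE_DDS)
    for f in results:
        print(f'{f.kind:20} {f.detail}')
    print(dict(summarize(results)))
```

Run against the sample, the script reports four IFEO redirections, the extra load32.exe in the Shell value, the mRun entry from C:\ProgramData, the Update.Microsoft.com.url startup item and the inactive proxy at 209.97.203.60:8080, while the legitimate Sidebar and Microsoft Security Client entries pass. The Userinit line passes too, because `userinit.exe,` reduces to the single expected image. The intended use is reading, not fixing: a finding marks a line to investigate, and the cleanup itself belongs to the tools the helper asks for in order.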

#4 agl120

agl120
  • Topic Starter

  • Members
  • 2 posts

Posted 24 February 2014 - 05:07 AM

Hello Kal,

 

Thank you for the replies and the warnings.  I have been considering a reformat since I found this virus.  I was hoping there would be an easier but reliable solution.  Since you also suggested reformat, I would take your advice and go ahead with that.  You can go ahead and close this topic.  You have been very helpful and once again thank you for taking the time to look at my problem. 



#5 ~Kal~

~Kal~

  • Members
  • 699 posts
  • Gender:Not Telling
  • Location:UK

Posted 25 February 2014 - 03:47 AM

Hi agl120

 

You're welcome. I've included below some general tips on safety and security for you to bear in mind once you've reformatted and reinstalled. I hope they prove useful.

 

One of the most common questions found when cleaning Spyware or Malware is "how did my machine get infected?". There are a variety of reasons, but the most common ones are that you are not practicing Safe Internet whilst surfing, you are not running the proper security software, and that your computer's security settings are set too low. Read the articles below for tips on staying safe:

Below are some steps to take to increase the security of your computer:

 

Update your AntiVirus Software
If you do not update your antivirus software regularly then it will not be able to catch new variants that come out. If you use a commercial antivirus program you must make sure you keep renewing your subscription. Otherwise, once your subscription runs out, you may not be able to update the program's virus definitions.

Keep Windows and your other Microsoft software up to date
Out of date versions of Windows and other software can present security vulnerabilities, which attackers and malware can exploit to get access to your system. Use 'automatic updates' to keep your version of Windows up to date.

Make sure your applications have all of their updates
It is also possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Use a Firewall
Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. For a tutorial on Firewalls and a listing of some available ones see Understanding and Using Firewalls

Install an AntiSpyware Program
You should scan your computer with an AntiSpyware program on a regular basis just as you would with antivirus software. Malwarebytes' Anti-Malware is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.

Best wishes

 

Kal



#6 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany

Posted 10 March 2014 - 02:09 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware.



