
Inactive System Restore deleted because of fake anti-virus software

Discussion in 'Malware and Virus Removal Archive' started by mintymist, 2010/09/03.

Thread Status:
Not open for further replies.
  1. 2010/09/03
    mintymist

    mintymist Banned Thread Starter

    Joined:
    2010/09/03
    Messages:
    2
    Likes Received:
    0
    [Inactive] System Restore deleted because of fake anti-virus software

    So, I was browsing around the internet last night and I got hit with a trojan that basically said "you have a virus! use our anti-virus software to delete it." I knew that was fake anti-virus software, so I immediately went looking for my System Restore, which I couldn't find.

    The error message said "System Restore has been turned off by group policy. To turn on System Restore, contact your domain Administrator."

    I've logged in as my Admin in safe mode and I cannot turn on system restore. The tab doesn't exist.

    Since then, I turned off my computer, disconnected its Internet connection and then waited a while. I restarted and my McAfee was able to find these trojans:

    lvduwrkshdw.exe
    lfkdicxshdw.exe
    lwvkayushdw.exe
    loirrvsshdw.exe

    My McAfee told me I needed to reboot in order to delete them since they were going to be deleted on the next start up.

    So, I restarted again, and no error messages from McAfee appeared. To see if my virus was gone, I decided to see if I could do a system restore. Unfortunately, nope. I got the same error message as before that my admin removed permission.

    Any help would be greatly appreciated!!

    Below is what DDS told me:


    DDS (Ver_10-03-17.01) - NTFSx86
    Run by Mel at 16:21:15.34 on Fri 09/03/2010
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1210 [GMT -4:00]

    AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
    svchost.exe
    svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\CSHelper.exe
    C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
    C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\stsystra.exe
    C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\McAfee\Common Framework\udaterui.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\DivX\DivX Update\DivXUpdate.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Documents and Settings\Mel\.COMMgr\complmgr.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\McAfee\Common Framework\McTray.exe
    C:\Documents and Settings\Mel\Local Settings\Application Data\Google\Update\1.2.183.29\GoogleCrashHandler.exe
    C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    C:\Program Files\iPod\bin\iPodService.exe
    C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    C:\Program Files\McAfee\VirusScan Enterprise\scan32.exe
    C:\Documents and Settings\Mel\Application Data\U3\0000060421039887\LaunchPad.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\Mel\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uInternet Settings,ProxyOverride = *.local
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: {1FD79A59-37B1-459B-9097-09F9FAB8A523} - No File
    BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
    BHO: CDNSCacheObj Object: {376892ae-1825-4e5f-9f85-23f9640051cc} - c:\windows\mplayerplgn.dll
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    uRun: [AdobeBridge]
    uRun: [Google Update] "c:\documents and settings\mel\local settings\application data\google\update\GoogleUpdate.exe" /c
    uRun: [uwmmikul] c:\documents and settings\mel\local settings\application data\iilueqdgf\acvtnratssd.exe
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [Mxejisunogewusu] rundll32.exe "c:\windows\kbdexpsv.dll ",Startup
    uRun: [COM+ Manager] "c:\documents and settings\mel\.commgr\complmgr.exe "
    uRun: [eppiwmvc] c:\documents and settings\mel\local settings\application data\ooolwcxbs\loirrvsshdw.exe
    uRun: [yerbfxih] c:\documents and settings\mel\local settings\application data\mcjlwtlsg\lwvkayushdw.exe
    uRun: [usstoktm] c:\documents and settings\mel\application data\koekwlxkt\lfkdicxshdw.exe
    uRun: [wnajitco] c:\documents and settings\mel\application data\ycgkwumuk\lvduwrkshdw.exe
    mRun: [SigmatelSysTrayApp] stsystra.exe
    mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe "
    mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
    mRun: [igfxtray] c:\windows\system32\igfxtray.exe
    mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
    mRun: [igfxpers] c:\windows\system32\igfxpers.exe
    mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
    mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe "
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe "
    mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
    mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\udaterui.exe" /StartedFromRunKey
    mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe "
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe "
    mRun: [uwmmikul] c:\documents and settings\mel\local settings\application data\iilueqdgf\acvtnratssd.exe
    mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
    mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe "
    mRun: [xneramswoc.tmp] "c:\docume~1\mel\locals~1\temp\xneramswoc.tmp "
    mRun: [smoecaxwrn.tmp] "c:\docume~1\mel\locals~1\temp\smoecaxwrn.tmp "
    StartupFolder: c:\docume~1\mel\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
    Notify: igfxcui - igfxdev.dll
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\mel\applic~1\mozilla\firefox\profiles\3fqq9ys0.default\
    FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
    FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
    FF - plugin: c:\documents and settings\mel\application data\facebook\npfbplugin_1_0_1.dll
    FF - plugin: c:\documents and settings\mel\application data\facebook\npfbplugin_1_0_3.dll
    FF - plugin: c:\documents and settings\mel\application data\mozilla\firefox\profiles\3fqq9ys0.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
    FF - plugin: c:\documents and settings\mel\local settings\application data\google\update\1.2.183.29\npGoogleOneClick8.dll
    FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
    FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
    FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll

    ---- FIREFOX POLICIES ----
    FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, falsef:\greprefs\all.js - pref( "ui.use_native_colors ", true);
    f:\greprefs\all.js - pref( "ui.use_native_popup_windows ", false);
    f:\greprefs\all.js - pref( "browser.enable_click_image_resizing ", true);
    f:\greprefs\all.js - pref( "accessibility.browsewithcaret_shortcut.enabled ", true);
    f:\greprefs\all.js - pref( "javascript.options.mem.high_water_mark ", 32);
    f:\greprefs\all.js - pref( "javascript.options.mem.gc_frequency ", 1600);
    f:\greprefs\all.js - pref( "network.IDN.whitelist.lu ", true);
    f:\greprefs\all.js - pref( "network.IDN.whitelist.nu ", true);
    f:\greprefs\all.js - pref( "network.IDN.whitelist.nz ", true);
    f:\greprefs\all.js - pref( "network.IDN.whitelist.xn--mgbaam7a8h ", true);
    f:\greprefs\all.js - pref( "network.IDN.whitelist.xn--mgberp4a5d4ar ", true);
    f:\greprefs\all.js - pref( "network.IDN.whitelist.xn--p1ai ", true);
    f:\greprefs\all.js - pref( "network.IDN.whitelist.xn--mgbayh7gpa ", true);
    f:\greprefs\all.js - pref( "network.IDN.whitelist.tel ", true);
    f:\greprefs\all.js - pref( "network.auth.force-generic-ntlm ", false);
    f:\greprefs\all.js - pref( "network.proxy.type ", 5);
    f:\greprefs\all.js - pref( "network.buffer.cache.count ", 24);
    f:\greprefs\all.js - pref( "network.buffer.cache.size ", 4096);
    f:\greprefs\all.js - pref( "dom.ipc.plugins.timeoutSecs ", 45);
    f:\greprefs\all.js - pref( "svg.smil.enabled ", false);
    f:\greprefs\all.js - pref( "ui.trackpoint_hack.enabled ", -1);
    f:\greprefs\all.js - pref( "browser.formfill.debug ", false);
    f:\greprefs\all.js - pref( "browser.formfill.agedWeight ", 2);
    f:\greprefs\all.js - pref( "browser.formfill.bucketSize ", 1);
    f:\greprefs\all.js - pref( "browser.formfill.maxTimeGroupings ", 25);
    f:\greprefs\all.js - pref( "browser.formfill.timeGroupingSize ", 604800);
    f:\greprefs\all.js - pref( "browser.formfill.boundaryWeight ", 25);
    f:\greprefs\all.js - pref( "browser.formfill.prefixWeight ", 5);
    f:\greprefs\all.js - pref( "accelerometer.enabled ", true);
    f:\greprefs\all.js - pref( "html5.enable ", false);
    f:\greprefs\security-prefs.js - pref( "security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref ", true);
    f:\greprefs\security-prefs.js - pref( "security.ssl.renego_unrestricted_hosts ", " ");
    f:\greprefs\security-prefs.js - pref( "security.ssl.treat_unsafe_negotiation_as_broken ", false);
    f:\greprefs\security-prefs.js - pref( "security.ssl.require_safe_negotiation ", false);
    f:\greprefs\security-prefs.js - pref( "security.ssl3.rsa_seed_sha ", true);
    f:\defaults\pref\firefox-branding.js - pref( "app.update.download.backgroundInterval ", 600);
    f:\defaults\pref\firefox-branding.js - pref( "app.update.url.manual ", "http://www.firefox.com ");
    f:\defaults\pref\firefox-branding.js - pref( "browser.search.param.yahoo-fr-ja ", "mozff ");
    f:\defaults\pref\firefox.js - pref( "extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name ", "chrome://browser/locale/browser.properties ");
    f:\defaults\pref\firefox.js - pref( "extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description ", "chrome://browser/locale/browser.properties ");
    f:\defaults\pref\firefox.js - pref( "xpinstall.whitelist.add ", "addons.mozilla.org ");
    f:\defaults\pref\firefox.js - pref( "xpinstall.whitelist.add.36 ", "getpersonas.com ");
    f:\defaults\pref\firefox.js - pref( "lightweightThemes.update.enabled ", true);
    f:\defaults\pref\firefox.js - pref( "browser.allTabs.previews ", false);
    f:\defaults\pref\firefox.js - pref( "plugins.hide_infobar_for_outdated_plugin ", false);
    f:\defaults\pref\firefox.js - pref( "plugins.update.notifyUser ", false);
    f:\defaults\pref\firefox.js - pref( "toolbar.customization.usesheet ", false);
    f:\defaults\pref\firefox.js - pref( "dom.ipc.plugins.enabled.nptest.dll ", true);
    f:\defaults\pref\firefox.js - pref( "dom.ipc.plugins.enabled.npswf32.dll ", true);
    f:\defaults\pref\firefox.js - pref( "dom.ipc.plugins.enabled.npctrl.dll ", true);
    f:\defaults\pref\firefox.js - pref( "dom.ipc.plugins.enabled.npqtplugin.dll ", true);
    f:\defaults\pref\firefox.js - pref( "dom.ipc.plugins.enabled ", false);
    f:\defaults\pref\firefox.js - pref( "browser.taskbar.previews.enable ", false);
    f:\defaults\pref\firefox.js - pref( "browser.taskbar.previews.max ", 20);
    f:\defaults\pref\firefox.js - pref( "browser.taskbar.previews.cachetime ", 20);

    ============= SERVICES / DRIVERS ===============

    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-12-28 64288]
    R1 mferkdk;VSCore mferkdk;c:\program files\mcafee\virusscan enterprise\mferkdk.sys [2009-1-27 31848]
    R2 CSHelper;CopySafe Helper Service;c:\windows\system32\CSHelper.exe [2010-8-17 266240]
    R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-12-2 1181328]
    R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2009-9-22 103744]
    R2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\Mcshield.exe [2009-1-27 144704]
    R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2009-1-27 54608]
    R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2009-12-28 73512]
    R3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2009-12-28 34408]
    R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2009-12-28 177864]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-4-30 136176]
    S2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys --> c:\windows\system32\drivers\npf.sys [?]
    S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]

    =============== Created Last 30 ================

    2010-09-03 04:58:09 21380 ---h--w- c:\windows\win32.exe
    2010-09-03 04:57:51 120 ----a-w- c:\windows\Klolifanivago.dat
    2010-09-03 04:57:51 0 ----a-w- c:\windows\Epujuwa.bin
    2010-09-03 04:56:08 0 d-----w- c:\docume~1\mel\applic~1\ycgkwumuk
    2010-09-03 04:56:03 0 d-----w- c:\docume~1\mel\applic~1\koekwlxkt
    2010-09-03 04:55:59 0 d-sh--w- c:\documents and settings\mel\.COMMgr
    2010-09-03 04:55:38 0 d-----w- c:\docume~1\mel\applic~1\65586FBAFE60216BAD29320ACF2CA682
    2010-08-31 00:41:23 57436 ----a-w- c:\windows\DASShp.dll
    2010-08-31 00:41:23 0 d-----w- c:\program files\Microsoft Reader
    2010-08-17 23:07:06 266240 ----a-w- c:\windows\system32\CSHelper.exe
    2010-08-17 23:07:06 225280 ----a-w- c:\windows\system32\CSInstru.DLL

    ==================== Find3M ====================

    2010-09-03 20:21:37 789504 ----a-w- c:\windows\system32\drivers\aec.sys
    2010-09-03 05:15:44 789504 ----a-w- c:\windows\system32\drivers\aleryrds.sys
    2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\schannel.dll
    2010-06-28 18:50:20 144469 ----a-w- c:\windows\hpwins16.dat
    2010-06-28 18:27:36 104000 ----a-w- c:\windows\hpqins01.dat
    2010-06-24 12:22:03 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-06-23 13:44:04 1851904 ----a-w- c:\windows\system32\win32k.sys
    2010-06-17 14:03:00 80384 ----a-w- c:\windows\system32\iccvid.dll
    2010-06-14 07:41:45 1172480 ----a-w- c:\windows\system32\msxml3.dll
    2006-05-03 09:06:54 163328 --sh--r- c:\windows\system32\flvDX.dll
    2007-02-21 10:47:16 31232 --sh--r- c:\windows\system32\msfDX.dll
    2008-03-16 12:30:52 216064 --sh--r- c:\windows\system32\nbDX.dll
    2010-05-23 23:37:01 32768 --sha-w- c:\windows\temp\cookies\index.dat
    2010-05-23 23:37:01 32768 --sha-w- c:\windows\temp\history\history.ie5\index.dat
    2010-05-23 23:37:01 49152 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat

    ============= FINISH: 16:22:46.53 ===============
     
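The random-named uRun/mRun entries in the DDS report above are what a malware helper scans for first. As an added example (not from the thread, the DDS tool or either poster), this Python script parses a handful of those "Pseudo HJT Report" lines, copied from the log, and lists the autostart entries a reviewer should look at, using heuristics that are assumptions on my part: a target in the user profile whose value name bears no relation to the executable, a .tmp file run at logon, rundll32 loading a DLL outside system32, and a gibberish-looking value name.

```python
import ntpath
import re

# Constructed sample: uRun/mRun lines copied from the DDS "Pseudo HJT Report"
# posted above, mixing legitimate autostarts with the rogue ones.
SAMPLE = r"""
uRun: [Google Update] "c:\documents and settings\mel\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [uwmmikul] c:\documents and settings\mel\local settings\application data\iilueqdgf\acvtnratssd.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Mxejisunogewusu] rundll32.exe "c:\windows\kbdexpsv.dll ",Startup
uRun: [eppiwmvc] c:\documents and settings\mel\local settings\application data\ooolwcxbs\loirrvsshdw.exe
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [xneramswoc.tmp] "c:\docume~1\mel\locals~1\temp\xneramswoc.tmp "
"""

RUN_LINE = re.compile(r"^([um]Run): \[(.*?)\] ?(.*)$")
EXEC_EXT = re.compile(r"^(.*?\.(?:exe|dll|tmp|scr|bat|com))\b", re.IGNORECASE)
USER_PROFILE_DIRS = ("\\documents and settings\\", "\\docume~1\\")


def target_of(command):
    """Return (lowercased target path, launched_via_rundll32) for one Run command."""
    cmd = command.strip()
    via_rundll32 = cmd.lower().startswith("rundll32.exe")
    if via_rundll32:
        cmd = cmd[len("rundll32.exe"):].strip()
    if cmd.startswith('"'):                  # quoted path: take up to the closing quote
        end = cmd.find('"', 1)
        path = cmd[1:end] if end > 0 else cmd[1:]
    else:                                    # unquoted: DDS does not quote paths with spaces,
        m = EXEC_EXT.match(cmd)              # so cut at the first executable extension
        path = m.group(1) if m else cmd.split(" ", 1)[0]
    return path.strip().lower(), via_rundll32


def name_matches_target(name, path):
    """True when the Run value name plausibly names the executable (e.g. 'ctfmon.exe')."""
    n = re.sub(r"[^a-z0-9]", "", name.lower())
    b = re.sub(r"[^a-z0-9]", "", ntpath.splitext(ntpath.basename(path))[0].lower())
    return bool(n) and bool(b) and (n.startswith(b) or b.startswith(n))


def suspicious_reasons(name, command):
    """Heuristic review flags for one autostart entry (assumptions, not verdicts)."""
    path, via_rundll32 = target_of(command)
    if not path:
        return []
    related = name_matches_target(name, path)
    reasons = []
    if any(d in path for d in USER_PROFILE_DIRS) and not related:
        reasons.append("runs from a user-writable profile directory under an unrelated value name")
    if path.endswith(".tmp"):
        reasons.append("executes a .tmp file at logon")
    if via_rundll32 and path.endswith(".dll") and "\\windows\\system32\\" not in path:
        reasons.append("rundll32 loads a DLL outside system32")
    if re.fullmatch(r"[a-z]{6,16}", name.lower()) and not related:
        reasons.append("random-looking value name")
    return reasons


def triage(report_text):
    """Map each flagged Run value name to its reasons; entries with no flags are omitted."""
    flagged = {}
    for line in report_text.splitlines():
        m = RUN_LINE.match(line.strip())
        if not m:
            continue
        _hive, name, command = m.groups()
        reasons = suspicious_reasons(name, command)
        if reasons:
            flagged[name] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE).items():
        print(f"{name}: " + "; ".join(reasons))
```

The "turned off by group policy" message in the post corresponds to the DisableSR and DisableConfig policy values under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore; the script only reads the pasted report and does not touch the registry.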
  2. 2010/09/03
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Welcome aboard :)

    The Attach.txt part of the DDS log is missing.
    Please provide that, and when you're done....

    STEP 1. Download Malwarebytes' Anti-Malware (aka MBAM): http://www.malwarebytes.org/mbam.php to your desktop.
    (Malwarebytes is free to use as a manual scanner. Payment is only required if you wish to have it run and update automatically which is not necessary for our purposes)

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform Quick Scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad.
    * Post the log back here.

    The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt


    STEP 2. Download GMER: http://www.gmer.net/files.php, by clicking on Download EXE button.
    Alternative downloads:
    - http://majorgeeks.com/GMER_d5198.html
    - http://www.softpedia.com/get/Interne...ers/GMER.shtml
    Double click on downloaded .exe file, select Rootkit tab and click the Scan button.
    Do NOT use the computer while GMER is running!
    When the scan is completed, click the Save button and save the results as gmer.log.
    Warning! Please do not select the "Show all" checkbox during the scan.
    Post the log to your next reply.

    IMPORTANT! If for some reason GMER refuses to run, try again.
    If it still fails, try to UN-check "Devices" in right pane.
    If still no joy, try to run it from Safe Mode.


    STEP 3. Download MBRCheck to your desktop.

    Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
    It will show a black screen with some data on it.
    A report called MBRcheckxxxx.txt will be on your desktop.
    Open this report and post its content in your next reply.



    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     

