also @ TechSpot: 'Supercapacitor' could fully charge your phone in less than 30 seconds

Google Redirects and unauthorized attempts to connect to Sites, Vista

Discussion in 'Virus and Malware Removal' started by Demianwulf, Oct 29, 2010.

Page 3 of 5

  1. Demianwulf Newcomer, in training Posts: 74

    Windows IP Configuration

    Host Name . . . . . . . . . . . . : Wulftop
    Primary Dns Suffix . . . . . . . :
    Node Type . . . . . . . . . . . . : Mixed
    IP Routing Enabled. . . . . . . . : No
    WINS Proxy Enabled. . . . . . . . : No

    Ethernet adapter Local Area Connection:

    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Realtek PCIe FE Family Controller
    Physical Address. . . . . . . . . : 00-E0-B8-E2-3C-E6
    DHCP Enabled. . . . . . . . . . . : No
    Autoconfiguration Enabled . . . . : Yes
    Link-local IPv6 Address . . . . . : fe80::4c85:24a2:77d4:d412%199(Preferred)
    IPv4 Address. . . . . . . . . . . : 192.168.1.102(Preferred)
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . : 192.168.1.1
    DHCPv6 IAID . . . . . . . . . . . : 184606904
    DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-0F-04-DA-21-00-E0-B8-E2-3C-E6
    DNS Servers . . . . . . . . . . . : 93.188.162.241
    93.188.160.51
    NetBIOS over Tcpip. . . . . . . . : Enabled

    Tunnel adapter Local Area Connection* 9:

    Media State . . . . . . . . . . . : Media disconnected
    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
    Physical Address. . . . . . . . . : 02-00-54-55-4E-01
    DHCP Enabled. . . . . . . . . . . : No
    Autoconfiguration Enabled . . . . : Yes
    Demianwulf, Nov 1, 2010
    #41

  2. Demianwulf Newcomer, in training Posts: 74

    My wireless adapter doesn't work on this computer for which I originally installed the questionable driver software that might have caused all of these issues.

    Also, as of right now for whatever reason the computer won't load into a profile properly...the customization settings seem to be stopped.
    Demianwulf, Nov 1, 2010
    #42

  3. Demianwulf Newcomer, in training Posts: 74

    the user profile service can't be started even if I got into services and try to manually start it.
    Demianwulf, Nov 1, 2010
    #43

  4. Demianwulf Newcomer, in training Posts: 74

    I think I still have to kill the scvhost.exe under network in the taskmanager to keep firefox connected.
    Demianwulf, Nov 1, 2010
    #44

  5. Demianwulf Newcomer, in training Posts: 74

    Still can't get malewarebytes to run...
    Demianwulf, Nov 1, 2010
    #45

  6. Demianwulf Newcomer, in training Posts: 74

    Redirection still happening from google links as well....

    Its odd though I tried again and no redirection...maybe i'm getting paranoid.
    Demianwulf, Nov 1, 2010
    #46
     

  7. Broni Malware Annihilator Posts: 39,320   +175

    DNS server is still not right:
    That's the hijacker.

    Are you 100% sure, you did reset your router correctly?
    Broni, Nov 1, 2010
    #47

  8. Broni Malware Annihilator Posts: 39,320   +175

    Did you read my last reply?
    Broni, Nov 1, 2010
    #48

  9. Demianwulf Newcomer, in training Posts: 74

    I'm sure the router was reset because I logged into the router via the browser going to 192.168.1.1 and my password was reset as well as all my settings for portforwarding, and the wireless settings were turned off and clear.
    Demianwulf, Nov 1, 2010
    #49

  10. Demianwulf Newcomer, in training Posts: 74

    Not sure what I missed I reread your posts...I tried to run the commands but they gave the same errors like before.

    I'm assuming they can't run because some services aren't running/starting up properly.

    Should I just change the DNS manually?
    Demianwulf, Nov 1, 2010
    #50

  11. Broni Malware Annihilator Posts: 39,320   +175

    Go Start>Run (Start search in Vista), type in:
    cmd
    Click OK (in Vista, while holding CTRL, and SHIFT, press Enter).

    At Command Prompt, type in:
    netsh int ip reset reset.log
    Hit Enter.
    Type in:
    netsh winsock reset catalog
    Hit Enter.

    Restart computer.

    Re-run command from my post #40 and post the log.
    Broni, Nov 1, 2010
    #51

  12. Broni Malware Annihilator Posts: 39,320   +175

    I think, we posted at the same time.
    Read my previous reply.
    Broni, Nov 1, 2010
    #52

  13. Demianwulf Newcomer, in training Posts: 74

    Windows IP Configuration

    Host Name . . . . . . . . . . . . : Wulftop
    Primary Dns Suffix . . . . . . . :
    Node Type . . . . . . . . . . . . : Mixed
    IP Routing Enabled. . . . . . . . : No
    WINS Proxy Enabled. . . . . . . . : No

    Ethernet adapter Local Area Connection:

    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Realtek PCIe FE Family Controller
    Physical Address. . . . . . . . . : 00-E0-B8-E2-3C-E6
    DHCP Enabled. . . . . . . . . . . : No
    Autoconfiguration Enabled . . . . : Yes
    Link-local IPv6 Address . . . . . : fe80::4c85:24a2:77d4:d412%199(Preferred)
    IPv4 Address. . . . . . . . . . . : 192.168.1.102(Preferred)
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . : 192.168.1.1
    DHCPv6 IAID . . . . . . . . . . . : 184606904
    DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-0F-04-DA-21-00-E0-B8-E2-3C-E6
    DNS Servers . . . . . . . . . . . : 8.8.8.8
    8.8.4.4
    NetBIOS over Tcpip. . . . . . . . : Enabled

    Tunnel adapter Local Area Connection* 9:

    Media State . . . . . . . . . . . : Media disconnected
    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
    Physical Address. . . . . . . . . : 02-00-54-55-4E-01
    DHCP Enabled. . . . . . . . . . . : No
    Autoconfiguration Enabled . . . . : Yes
    Demianwulf, Nov 2, 2010
    #53

  14. Demianwulf Newcomer, in training Posts: 74

    sorry for the delay I had to change the dns and manually put in a static ip to get the computer to connect to the internet again as well as kill the svchost.exe in task manager...seemed like the IP changed after running the commands you mentioned but they both ran successfully
    Demianwulf, Nov 2, 2010
    #54

  15. Demianwulf Newcomer, in training Posts: 74

    I was even able to run all of the flush dns commands as well as the other ones except for the iprenew command . from your post 33. Dns client started successfully.
    Demianwulf, Nov 2, 2010
    #55

  16. Broni Malware Annihilator Posts: 39,320   +175

    I still don't like the fact, that you have to do something manually.

    Delete your GMER and Combofix files, download fresh ones and post both new logs.
    Broni, Nov 2, 2010
    #56

  17. Demianwulf Newcomer, in training Posts: 74

    GMER 1.0.15.15477 - http://www.gmer.net
    Rootkit scan 2010-11-02 01:11:04
    Windows 6.0.6002 Service Pack 2
    Running: yq7cwrf3.exe; Driver: C:\Windows\system32\config\SYSTEM~1\AppData\Local\Temp\fxldqpob.sys


    ---- System - GMER 1.0.15 ----

    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwAdjustPrivilegesToken [0x90535F8E]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwAlpcConnectPort [0x90536F5C]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwAlpcCreatePort [0x90536174]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwConnectPort [0x905353FA]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateFile [0x90535BF4]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreatePort [0x905352DC]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateSection [0x90535A82]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateSymbolicLinkObject [0x90536C16]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateThread [0x90534EA2]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwDuplicateObject [0x90534CD4]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwLoadDriver [0x90536898]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwMakeTemporaryObject [0x9053567E]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwOpenFile [0x90535DD0]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwOpenProcess [0x90534A04]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwOpenSection [0x9053590E]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwOpenThread [0x90534B7C]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwRequestWaitReplyPort [0x905373C6]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwSecureConnectPort [0x90536634]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwSetSystemInformation [0x90536A46]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwShutdownSystem [0x90535618]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwSystemDebugControl [0x90535802]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwTerminateProcess [0x905351A6]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwTerminateThread [0x90535074]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateThreadEx [0x90536280]

    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0x843E9BAE]

    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntkrnlpa.exe!KeSetEvent + 119 83CB287C 4 Bytes [8E, 5F, 53, 90] {MOV DS, [EDI+0x53]; NOP }
    .text ntkrnlpa.exe!KeSetEvent + 13D 83CB28A0 8 Bytes [5C, 6F, 53, 90, 74, 61, 53, ...] {POP ESP; OUTSD ; PUSH EBX; NOP ; JZ 0x67; PUSH EBX; NOP }
    .text ntkrnlpa.exe!KeSetEvent + 1C1 83CB2924 4 Bytes [FA, 53, 53, 90] {CLI ; PUSH EBX; PUSH EBX; NOP }
    .text ntkrnlpa.exe!KeSetEvent + 1D9 83CB293C 4 Bytes [F4, 5B, 53, 90] {HLT ; POP EBX; PUSH EBX; NOP }
    .text ntkrnlpa.exe!KeSetEvent + 205 83CB2968 4 Bytes [DC, 52, 53, 90] {FCOM QWORD [EDX+0x53]; NOP }
    .text ...
    PAGE ntkrnlpa.exe!ObMakeTemporaryObject 83DDD28F 5 Bytes JMP 843E55D4 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
    PAGE ntkrnlpa.exe!ObInsertObject 83E36063 5 Bytes JMP 843E6FFA \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
    PAGE ntkrnlpa.exe!ZwCreateProcessEx 83E9790A 7 Bytes JMP 843E9BB2 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)

    ---- Devices - GMER 1.0.15 ----

    Device \Device\Ide\IAAStorageDevice-0 -> \??\IDE#DiskWDC_WD1200BEVS-22UST0___________________01.01A01#4&9de862a&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
    Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
    Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x9A 0x6D 0xF7 0x65 ...
    Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
    Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xE3 0x4E 0x95 0x60 ...
    Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xA2 0xE0 0x49 0x31 ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x9A 0x6D 0xF7 0x65 ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xE3 0x4E 0x95 0x60 ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xA2 0xE0 0x49 0x31 ...
    Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
    Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
    Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x9A 0x6D 0xF7 0x65 ...
    Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
    Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xE3 0x4E 0x95 0x60 ...
    Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xA2 0xE0 0x49 0x31 ...

    ---- Disk sectors - GMER 1.0.15 ----

    Disk \Device\Harddisk0\DR0 sector 01: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 02: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 03: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 04: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 05: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 06: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 07: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 08: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 09: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 10: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 11: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 12: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 13: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 14: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 15: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 16: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 17: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 18: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 19: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 20: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 21: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 22: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 23: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 24: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 25: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 26: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 27: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 28: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 29: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 30: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 31: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 32: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 33: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 34: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 35: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 36: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 37: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 38: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 39: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 40: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 41: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 42: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 43: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 44: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 45: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 46: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 47: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 48: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 49: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 50: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 51: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 52: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 53: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 54: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 55: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 56: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 57: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 58: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 59: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 60: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 61: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 62: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior; copy of MBR

    ---- EOF - GMER 1.0.15 ----
    Demianwulf, Nov 2, 2010
    #57

  18. Demianwulf Newcomer, in training Posts: 74

    can't seem to run combofix it won't start
    Demianwulf, Nov 2, 2010
    #58

  19. Broni Malware Annihilator Posts: 39,320   +175

    Yeah, something is still hiding there.

    Download TDSSKiller and save it to your desktop.
    • Extract (unzip) its contents to your desktop.
    • Open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
    • If an infected file is detected, the default action will be Cure, click on Continue.
    • If a suspicious file is detected, the default action will be Skip, click on Continue.
    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    • If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
    • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.

    ======================================================================

    • Please download Rootkit Unhooker . Save it to your desktop.
    • Now double-click on RKUnhookerLE.exe to run it.
    • Click the Report tab, then click Scan.
    • Checkmark Drivers, Stealth. Uncheck the rest. Click OK.
    • Wait till the scanner has finished and then click File, Save Report.
    • Save the report to some known location. Click Close.
    Copy the entire content of the report and paste it in a reply here.

    Note. You may get this warning it is ok, just ignore it:
    "Rootkit Unhooker has detected a parasite inside itself!
    It is recommended to remove parasite, okay?"
    Broni, Nov 2, 2010
    #59

  20. Demianwulf Newcomer, in training Posts: 74

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4982

    Windows 6.0.6002 Service Pack 2
    Internet Explorer 8.0.6001.18943

    11/2/2010 9:42:23 PM
    mbam-log-2010-11-02 (21-42-23).txt

    Scan type: Full scan (C:\|)
    Objects scanned: 361307
    Time elapsed: 1 hour(s), 42 minute(s), 14 second(s)

    Memory Processes Infected: 1
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 1
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 3

    Memory Processes Infected:
    C:\Users\WulfTop\AppData\Roaming\hotfix.exe (Trojan.Agent.Gen) -> Unloaded process successfully.

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell (Trojan.Agent) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\Users\WulfTop\AppData\Local\temp\90f283c8.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Users\WulfTop\AppData\Roaming\Microsoft\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Users\WulfTop\AppData\Roaming\hotfix.exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
    Demianwulf, Nov 2, 2010
    #60
Page 3 of 5
Topic Status:
Not open for further replies.

Add New Comment

Social Login & Guest Posting

TechSpot Members
Login here or sign up for free,
it takes about a minute.
Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.