TechSpot

Win.32 Heur and Rootkid.TDSS.d giving me tons of trouble

By Shutupnoob
Jun 12, 2010
  1. Somehow my computer contracted a Win32.HEUR virus off of an accidental spam site visit, and now my computer is full of infections.

    At first I tried using AVG, but the virus basically overpowered it and tried to uninstall it.. So I got Kaspersky's virus removal tool. It seems to have taken care of the heur for the most part, but now I have a rootkit.tdss that just won't go away.

    The problem is, I can't kill any processes, it's locked my taskbar out, I can hardly open any programs, it just says "This file does not have a program associated with it for performing this action. Please install a program or, if one is alread yinstalled, create an association in the Default Programs control panel." I can run programs if I select "run as administrator" but thats the only way they will work right now..

    There are other symptoms as well, the whole pc is a complete mess right now, for example, when running malwarebytes or kasperskys virus removal, before I can complete the scan, the computer forces a shutdown. I've been working on it all day and night trying to get the infections cleared out. I just ran Hijackthis and have a log that is posted below.

    Is there anything else that I can do get this thing off of my computer??


    Hijackthis log:


    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 11:37:28 PM, on 6/11/2010
    Platform: Windows 7 (WinNT 6.00.3504)
    MSIE: Internet Explorer v8.00 (8.00.7600.16385)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\taskhost.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\wuauclt.exe
    C:\Program Files\Spyware Doctor\pctsTray.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
    C:\Program Files\HijackThis\Trend Micro\HiJackThis\HiJackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: AIM Toolbar Search Class - {03402f96-3dc7-4285-bc50-9e81fefafe43} - C:\Program Files\AIM Toolbar\aimtb.dll
    O2 - BHO: Browser Defender BHO - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: AIM Toolbar Loader - {b0cda128-b425-4eef-a174-61a11ac5dbf8} - C:\Program Files\AIM Toolbar\aimtb.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O3 - Toolbar: AIM Toolbar - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files\AIM Toolbar\aimtb.dll
    O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
    O3 - Toolbar: PC Tools Browser Guard - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
    O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
    O4 - HKLM\..\Run: [Fmecaxelayote] rundll32.exe "C:\Users\Jackie and Thalen\AppData\Local\arozexiz.dll",Startup
    O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
    O4 - HKCU\..\Run: [Google Update] "C:\Users\Jackie and Thalen\AppData\Local\Google\Update\GoogleUpdate.exe" /c
    O4 - HKCU\..\Run: [Aim] "C:\Program Files\AIM\aim.exe" /d locale=en-US
    O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
    O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\DTLite.exe" -autorun
    O4 - HKCU\..\Run: [Jrilimonusi] rundll32.exe "C:\Users\Jackie and Thalen\AppData\Local\ptacsd32.dll",Startup
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
    O4 - Startup: OpenOffice.org 3.2.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
    O4 - Startup: setup_9.0.0.722_11.06.2010_23-36.lnk = C:\Users\Jackie and Thalen\Desktop\Virus Removal Tool\setup_9.0.0.722_11.06.2010_23-36\startup.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - AppInit_DLLs: avgrsstx.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
    O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Browser Defender Update Service - Unknown owner - C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
    O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

    --
    End of file - 6273 bytes
     
  2. Broni

    Broni Malware Annihilator Posts: 52,905   +344

  3. Shutupnoob

    Shutupnoob TS Rookie Topic Starter

    I have completed the 8 steps, here are the logs requested. Mbam Log is posted below, all other logs are attached.

    After I was finally able to run Malwarebytes all the way through, it found tons of items including the rootkit.tdss that it has quarantined now. The log I have now is after a fresh scan this morning. My machine is showing no signs of infection that I can tell, but some of the problems I had with it are not gone just yet.


    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4052

    Windows 6.1.7600
    Internet Explorer 8.0.7600.16385

    6/12/2010 2:45:08 PM
    mbam-log-2010-06-12 (14-45-08).txt

    Scan type: Quick scan
    Objects scanned: 112717
    Time elapsed: 7 minute(s), 43 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
     

    Attached Files:

  4. Broni

    Broni Malware Annihilator Posts: 52,905   +344

    In the future, you should always post initial log, so I can see what was removed.

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure, you re-enable your security programs, when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  5. Shutupnoob

    Shutupnoob TS Rookie Topic Starter

    Okay I found my original malware log, also I have finished running combofix and have the log for that as well.

    I will say that after running combofix, my machine is notably faster, and I can finally connect to the internet on it once again, instead of having to use my secondary desktop for its internet connection.

    Anyways, here are the logs.

    Original malwarebytes log is posted below, combofix log will be attached.


    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4052

    Windows 6.1.7600 (Safe Mode)
    Internet Explorer 8.0.7600.16385

    6/12/2010 12:43:37 AM
    mbam-log-2010-06-12 (00-43-37).txt

    Scan type: Full scan (C:\|)
    Objects scanned: 246158
    Time elapsed: 37 minute(s), 53 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 3
    Registry Values Infected: 2
    Registry Data Items Infected: 4
    Folders Infected: 1
    Files Infected: 11

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pragmaqqrbivtncr (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\pragma (Rootkit.TDSS) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\PRAGMA (Rootkit.TDSS) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fmecaxelayote (Trojan.Agent.U) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jrilimonusi (Trojan.Agent.U) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_CLASSES_ROOT\regfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: ("regedit.exe" "%1") Good: (regedit.exe "%1") -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\.exe\(default) (Hijacked.exeFile) -> Bad: (secfile) Good: (exefile) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:
    C:\Windows\PRAGMAqqrbivtncr (Trojan.DNSChanger) -> Quarantined and deleted successfully.

    Files Infected:
    C:\Windows\System32\drivers\49888611.sys (Rootkit.Agent.H) -> Quarantined and deleted successfully.
    C:\Windows\PRAGMAqqrbivtncr\PRAGMAd.sys (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\PRAGMAqqrbivtncr\pragmabbr.dll (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\PRAGMAqqrbivtncr\PRAGMAc.dll (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\PRAGMAqqrbivtncr\PRAGMAcfg.ini (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Windows\PRAGMAqqrbivtncr\PRAGMAsrcr.dat (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Users\Jackie and Thalen\AppData\Local\Temp\pragmamainqt.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
    C:\Windows\Temp\pragmamainqt.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
    C:\Users\Jackie and Thalen\Favorites\_favdata.dat (Malware.Trace) -> Quarantined and deleted successfully.
    C:\Users\Jackie and Thalen\AppData\Local\arozexiz.dll (Trojan.Agent.U) -> Quarantined and deleted successfully.
    C:\Users\Jackie and Thalen\AppData\Local\ptacsd32.dll (Trojan.Agent.U) -> Quarantined and deleted successfully.
    -----
     

    Attached Files:

  6. Broni

    Broni Malware Annihilator Posts: 52,905   +344

    Good :)

    1. Please open Notepad
    • Click Start , then Run
    • Type notepad .exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\windows\system32\drivers\49888612.sys
    c:\windows\system32\drivers\4988861.sys
    c:\users\Jackie and Thalen\AppData\Local\Vnexanitesuzupi.bin
    c:\users\Jackie and Thalen\AppData\Local\Ijemo.dat
    c:\windows\system32\ezsidmv.dat
    c:\windows\PowerReg.dat
    c:\windows\system32\DRIVERS\49888611.sys
    
    
    Driver::
    49888611
    49888612
    setup_9.0.0.722_11.06.2010_23-36drv
    
    

    3. Save the above as CFScript.txt

    4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    [​IMG]


    5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
     
  7. Shutupnoob

    Shutupnoob TS Rookie Topic Starter

    Okay, got that all done, here's the next log
     

    Attached Files:

  8. Broni

    Broni Malware Annihilator Posts: 52,905   +344

    Looks good :)
    How is computer doing?

    Uninstall Combofix:
    Go Start > Run [Vista users, go Start>"Start search"]
    Type in:
    Combofix /Uninstall
    Note the space between the "Combofix" and the "/Uninstall"
    Click OK (Vista users - press Enter).
    Restart computer.

    =====================================================================

    Download OTL to your Desktop.

    * Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    * Under the Custom Scan box paste this in:



    netsvcs
    %SYSTEMDRIVE%\*.exe
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    CREATERESTOREPOINT



    * Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
  9. Shutupnoob

    Shutupnoob TS Rookie Topic Starter

    Everything seems to be back in order now, I haven't seen any strange processes, the computers memory seems to be operating fine, it isn't running sluggish anymore.

    I've attached the OTL and Extras log to this post, hopefully we'll be in the clear soon, haha
     

    Attached Files:

  10. Broni

    Broni Malware Annihilator Posts: 52,905   +344

    Update your Java version here: http://www.java.com/en/download/installed.jsp
    Uninstall all previous Java versions, through Add\Remove (Programs & Features in Vista/7).

    ======================================================================

    You're running extremely low on a free disk space:
    I have to warn you, your computer may not boot anymore, one day.
    You need to move some stuff out.
    Windows likes to operate at 15% of a free space (~20GB in your case).

    =====================================================================

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      O20 - HKLM Winlogon: VMApplet - (/pagefile) -  File not found
      O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
      @Alternate Data Stream - 171 bytes -> C:\ProgramData\TEMP:DFC5A2B2
      @Alternate Data Stream - 115 bytes -> C:\ProgramData\TEMP:A8ADE5D8
      
      
      :Commands
      [purity]
      [emptytemp]
      [emptyflash]
      [resethosts]
      [Reboot]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.
    • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
     
  11. Shutupnoob

    Shutupnoob TS Rookie Topic Starter

    Alright, all done with that, here are the OTL logs.
     

    Attached Files:

  12. Broni

    Broni Malware Annihilator Posts: 52,905   +344

    Did you start moving some stuff out of your hard drive already?


    1. Download Temp File Cleaner (TFC)
    Double click on TFC.exe to run the program.
    Click on Start button to begin cleaning process.
    TFC will close all running programs, and it may ask you to restart computer.


    2. Go to Kaspersky website and perform an online antivirus scan.

    1. Disable your active antivirus program.
    2. Read through the requirements and privacy statement and click on Accept button.
    3. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    4. When the downloads have finished, click on Settings.
    5. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

    • Spyware, Adware, Dialers, and other potentially dangerous programs
      [*] Archives
      [*] Mail databases
    6. Click on My Computer under Scan.
    7. Once the scan is complete, it will display the results. Click on View Scan Report.
    8. You will see a list of infected items there. Click on Save Report As....
    9. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.
     
  13. Shutupnoob

    Shutupnoob TS Rookie Topic Starter

    I've got a ton of stuff off the computer now, ran TFC again, but I haven't completed the kaspersky online scan yet, every time I get on there, it runs up until about 65% (which takes over 5 hours somehow) then won't continue, it just sits at 65% for at least another hour.

    Is there any alternative to this step at all?
     
  14. Broni

    Broni Malware Annihilator Posts: 52,905   +344

    Yes.

    Please run a free online scan with the ESET Online Scanner

    • Disable your antivirus program
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • Accept any security warnings from your browser.
    • Check Scan archives
    • Click Start
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, push List of found threats
    • Push Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
     
  15. Shutupnoob

    Shutupnoob TS Rookie Topic Starter

    This is what the ESET txt log produced:


    C:\Windows\winsxs\x86_microsoft-windows-mountpointmanager_31bf3856ad364e35_6.1.7600.16385_none_f26e7ae968595905\mountmgr.sys Win32/Olmarik.ZC trojan error while cleaning
     
  16. Broni

    Broni Malware Annihilator Posts: 52,905   +344

    Open Windows Explorer. Go Tools>Folder Options>View tab, put a checkmark next to Show hidden files, and folders.
    Upload following files to http://www.virustotal.com/ for security check:

    - C:\Windows\winsxs\x86_microsoft-windows-mountpointmanager_31bf3856ad364e35_6.1.7600.16385_none_f26e7ae968595905\mountmgr.sys

    If the file is listed as already analyzed, click on Reanalyse file now button.
    Post scan results.
     
  17. Shutupnoob

    Shutupnoob TS Rookie Topic Starter

    mountmgr.sys is nowhere to be found, could this be because i am using windows 7? if so is there another file i need to upload instead?
     
  18. Broni

    Broni Malware Annihilator Posts: 52,905   +344

    It looks, like the file was removed by Eset. That's fine.


    OTL Clean-Up
    Clean up with OTL:

    * Double-click OTL.exe to start the program.
    * Close all other programs apart from OTL as this step will require a reboot
    * On the OTL main screen, press the CLEANUP button
    * Say Yes to the prompt and then allow the program to reboot your computer.

    If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

    =================================================================


    Your computer is clean [​IMG]

    1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create fresh, clean restore point.

    Turn off System Restore:

    - Windows XP:
    1. Click Start.
    2. Right-click the My Computer icon, and then click Properties.
    3. Click the System Restore tab.
    4. Check "Turn off System Restore".
    5. Click Apply.
    6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
    7. Click OK.
    - Windows Vista and 7:
    1. Click Start.
    2. Right-click the Computer icon, and then click Properties.
    3. Click on System Protection under the Tasks column on the left side
    4. Click on Continue on the "User Account Control" window that pops up
    5. Under the System Protection tab, find Available Disks
    6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C:")
    7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
    8. Click OK

    2. Restart computer.

    3. Turn System Restore on.

    4. Make sure, Windows Updates are current.

    5. If any Trojan was listed among your infection(s), make sure, you change all of your on-line important passwords (bank account(s), secured web sites, etc.) immediately!

    6. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    7. Run defrag at your convenience.

    8. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

    9. Please, let me know, how is your computer doing.
     
  19. Broni

    Broni Malware Annihilator Posts: 52,905   +344

    Any word about your computer?
     
  20. Shutupnoob

    Shutupnoob TS Rookie Topic Starter

    Looks like everything is doing just fine now, moved a bunch of things out, and got the new norton installed as well as WOT now. Hopefully things will go well for awhile, thank you so much for the help, it is greatly appreciated!
     
  21. Broni

    Broni Malware Annihilator Posts: 52,905   +344

    You're very welcome [​IMG]
    Good luck and stay safe :)
     
Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...