Possible hijack - IE6, Task Manager, connection speed affected - help with this log?

Status
Not open for further replies.

GeorgieBoy

Posts: 13   +0
I think my system has been infected. This began a few days ago. It's a Dell with XP. Very quickly after startup, the WiFi connection speed drops from 54 MB/s to 18-24 MB/s and stays that way. This has never happened before and I've confirmed that my two other computers on the same WiFi are still at 54 MB/s, as normal! In addition, Internet Explorer 6 will not fully load...the green progress bar gets nearly all the way but the page never gets functional. This even happens if I try to use IE6 to read a static .html page. I can use Firefox 2 -- only IE is affected (I tried this as an experiment). Finally, Task Manager is acting really strange, as it tells me that all processes are using 0% of resources!

I ran a complete virus scan with AVG but it found nothing. I also ran Hijack This. Attached is the logfile. Does anyone see anything that could be spyware/malware/hijackers or other bad stuff???
 
Hello, GeorgieBoy, and welcome to Techspot :wave:

Please take a look at the following threads to make your experience here as enjoyable as possible :)

Message for all newcomers

SNGX1275's Guide to making a good post/thread

The Techspot FAQ

If you could take a minute to fill in some of your profile information that would be helpful to all members of the forum :)
Knowing someone's location in the world can be extremely helpful, even if you just put a country.

Also remember to post any problems or questions that you have in the appropriate forums

With regards to your log, you're running an old version of HJT. Download the latest version from the link here and follow the instructions for moving and renaming it. I'll look through the current log though and see if I find anything :)

Have hjt fix these entries:

O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)

O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

O15 - Trusted Zone: *.doginhispen.com

O15 - Trusted Zone: *.whataboutadog.com

O16 - DPF: {2E12FB00-546B-4EE3-9CC2-057BF02E1C17} (Webshots Multiple Media Uploader - Container) - http://community.webshots.com/html/atx/wsaxcontrol.cab (if you do not know webshots.com otherwise it should be ok)

Post back with a log from the latest version anyway and I'll look through that one too :) after fixing these, of course ;)
 
Hello and welcome to Techspot.

Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

If after reading the above, you wish to clean your system, do the following.

Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

Post fresh HJT, AVG Antispyware and Combofix logs as attachments into this thread, only after doing the above.

Also, let me know the results of the Panda Antirootkit scan.

Regards Howard :wave: :wave:

This thread is for the use of GeorgieBoy only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Tried your suggestions...here's the latest log

Daveskater said:
Hello, GeorgieBoy, and welcome to Techspot :wave:

I'll look through the current log though and see if I find anything :)

Have hjt fix these entries:

O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)

O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

O15 - Trusted Zone: *.doginhispen.com

O15 - Trusted Zone: *.whataboutadog.com

O16 - DPF: {2E12FB00-546B-4EE3-9CC2-057BF02E1C17} (Webshots Multiple Media Uploader - Container) -

Post back with a log from the latest version anyway and I'll look through that one too :) after fixing these, of course ;)


Thanks for replying. I downloaded the latest version of Hijack This and renamed it, etc. I ran it again and had it fix the entries you suggested. I'm now very suspicious about the O15 Trusted Zone entries above. HJT fixed them, but then after I rebooted, they reappeared in the next scan!

I just now had HJT fix them yet a second time, but I suspect they may reappear each time I reboot. What would cause that? And unfortunately the same problems are present.

The log attached is the latest HJT (but before another reboot, so those Trusted Zone entries are not listed in the attached).
 
You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Go to add remove programmes in your control panel and uninstall anything to do with(if there).

Viewpoint
Viewpoint Manager

Close control panel.

Click start/run and type services.msc into the run box and press the enter key.

When the window appears, maximise it. Double click on the following services (if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

Viewpoint Manager Service

Close the services window.

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for (if there).

ViewpointService.exe
ViewMgr.exe

Close task manager.

Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there).

O4 - Global Startup: Digital Line Detect.lnk = ?

O16 - DPF: {2E12FB00-546B-4EE3-9CC2-057BF02E1C17} (Webshots Multiple Media Uploader - Container) - http://community.webshots.com/html/atx/wsaxcontrol.cab

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

O24 - Desktop Component 0: (no name) - https://www.documents.usaa.com/ddrint/servlet/docviewer?formType=23&hashKey=EDD_DOCUMENT_SERVER----JNF7B99I++-20070115111255-002691211+002691211++++++41198000000000000002&tuid=1170738964989&sessionID=1

Click on the fix checked button.

Close HJT.

Locate and delete the following files and/or directories (if there).

C:\Program Files\Viewpoint

Reboot into normal mode and rehide your protected OS files.

Post a fresh HJT log as well as Combofix and AVG Antispyware logs.

Also, let me know the results of the Panda Antirootkit scan.

Regards Howard :)
 
After many hours of work, following all your advice, I am fairly discouraged to report that the problem still exists. I have installed and run numerous programs: AVG Antispyware, Panda Anti-rootkit, Combofix, etc. I've followed the instructions carefully. Much to my amazement, after the final reboot, the same issues occur: Internet Explorer 6 is prevented from fully loading and my internet connection speed is still showing at half of normal. And amazingly, in the Hijack This log (attached), the "Trusted Site" I've removed about five times is still showing back up. I don't know if this is significant, but it's awfully strange.

Any advice on where to go from here? Is there any possibility that downloading Internet Explorer 7 might fix the problem by overwriting files that have been possibly corrupted or replaced by a virus?

Or will I need to consider a complete reinstallation of the operating system?

If you or anyone else is up for a challenge, I've attached the Hijack This, ComboFix, Panda, and AVG Anti-Spy most recent logs. ARGGHHHH!!

I just went to the Microsoft site (using Firefox 2; I can't use IE6). I decided that I would see what happens if I were to download and install Internet Explorer 7.

Well, surprise, surprise...my system is definitely infected... Once I attempted to download from Microsoft, the process was stopped and I could see on the lower left side of the browser that I had been redirected from a Microsoft page to another page. It said something like, "Sending data from spe.atdmt.com". It just sat like that for a while and the download never happened. Finally I got nervous and shut it down.

I also messed around trying to download some other Microsoft XP components -- same thing! Except this time, it said "m.webtrends.com."

Can anyone tell me what's going on? :eek:
 
Please follow the instructions below, very carefully.

All items in your AVG Antispyware log say "No Action Taken". That's because you haven't told AVG Antispyware to quarantine its results as per the instructions. See this pictorial guide.

Uninstall the Folderlock programme, if you have it.

Copy the contents of the following quote box into Notepad:

QUOTE
REGEDIT4

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]
@="http://"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL\Prefixes]
"ftp"="ftp://"
"gopher"="gopher://"
"home"="http://"
"mosaic"="http://"
"www"="http://"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults]
@=""
"http"=dword:00000003
"https"=dword:00000003
"ftp"=dword:00000003
"file"=dword:00000003
"@ivt"=dword:00000001
"shell"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults]
@=""
"http"=dword:00000003
"https"=dword:00000003
"ftp"=dword:00000003
"file"=dword:00000003
"@ivt"=dword:00000001
"shell"=dword:00000000



Save it to the desktop as fixme.reg

CLOSE ALL WINDOWS (even this one) AND PROGRAMS!!!!

Now <double-click> the fixme.reg file on the desktop.

You will receive a prompt similar to: "Do you wish to merge the information into the registry?".

Answer 'Yes' and wait for a message to appear similar to "Merged Successfully".

Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there).

O15 - Trusted Zone: *.whataboutadog.com

Click on the fix checked button.

Close HJT and reboot your system.

Run Panda Antirootkit and have it fix whatever it finds(if anything).

1. Please download The Avenger by Swandog46 from HERE. Save it to your Desktop and extract it.

2. Download the attached avengerscript.txt and save it to your desktop

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by double clicking on its icon on your desktop.

Under "Script file to execute" choose "Load script from file".
Now click on the folder icon which will open a new window titled "open Script File"
navigate to the file you have just downloaded, click on it and press open
Now click on the Green Light to begin execution of the script
Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

It will Restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please attach the content of c:\avenger.txt into your reply, as well as a fresh HJT, Combofix and AVG Antispyware log.

Regards Howard :)
 

Attachments

  • avengerscript.txt
    124 bytes · Views: 5
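The fixme.reg above resets the URL prefix keys and the ZoneMap\ProtocolDefaults values in both hives, and the O15 lines HJT keeps reporting are domain-to-zone mappings stored under ZoneMap\Domains (zone 2 is Trusted sites, 3 is Internet). The Python below is an added example, not code from this thread or from any of the tools it mentions: it parses a .reg export of those keys and reports every domain mapped to the Trusted sites zone, plus any ProtocolDefaults value that differs from what the fix writes back. The export it runs on is constructed for the example; the two domain names in it are the ones reported in this thread, and the lowered http default is an invented sample of tampering.

```python
import re

# IE security zone numbers as used under ZoneMap (well-known values).
ZONE_NAMES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}
TRUSTED_ZONE = 2

# ProtocolDefaults values that the fixme.reg in the post above writes back.
EXPECTED_PROTOCOL_DEFAULTS = {"http": 3, "https": 3, "ftp": 3, "file": 3,
                              "@ivt": 1, "shell": 0}

# Constructed sample export (not a real log from this thread): the two domains
# HJT reported, one harmless Internet-zone mapping, and a tampered http default.
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults]
"http"=dword:00000003
"https"=dword:00000003
"ftp"=dword:00000003
"file"=dword:00000003
"@ivt"=dword:00000001
"shell"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults]
"http"=dword:00000002
"https"=dword:00000003
"ftp"=dword:00000003
"file"=dword:00000003
"@ivt"=dword:00000001
"shell"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\whataboutadog.com]
"*"=dword:00000002

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\doginhispen.com]
"http"=dword:00000002

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.org]
"http"=dword:00000003
"""

KEY_RE = re.compile(r"^\[(-?)(.+)\]$")
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def parse_reg(text):
    """Parse a REGEDIT4 / 'Windows Registry Editor Version 5.00' export into
    {key_path: {value_name: data}}. dword data becomes int, quoted strings str;
    a [-KEY] deletion marker contributes nothing."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("REGEDIT", "Windows Registry Editor")):
            continue
        m = KEY_RE.match(line)
        if m:
            current = None if m.group(1) == "-" else m.group(2)
            if current is not None:
                keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if current is None or not m:
            continue
        name = "@" if m.group(1) == "@" else m.group(1)[1:-1]
        data = m.group(2)
        if data.startswith("dword:"):
            keys[current][name] = int(data[len("dword:"):], 16)
        elif len(data) >= 2 and data[0] == data[-1] == '"':
            keys[current][name] = data[1:-1]
        else:
            keys[current][name] = data  # hex:, expandable strings etc. kept raw
    return keys


def trusted_zone_domains(keys):
    """Return (hive, domain, protocol) for every ZoneMap\\Domains mapping whose
    zone is Trusted sites; each one corresponds to an HJT O15 line."""
    found = []
    for path, values in keys.items():
        parts = path.split("\\")
        lowered = [p.lower() for p in parts]
        if "zonemap" not in lowered:
            continue
        i = lowered.index("zonemap")
        if i + 2 >= len(parts) or lowered[i + 1] != "domains":
            continue
        domain = "\\".join(parts[i + 2:])  # "host.tld" or "host.tld\\sub"
        for protocol, zone in values.items():
            if zone == TRUSTED_ZONE:
                found.append((parts[0], domain, protocol))
    return found


def check_protocol_defaults(keys):
    """Compare every ProtocolDefaults key with the values the fix restores and
    return (hive, protocol, actual, expected) for each difference."""
    mismatches = []
    for path, values in keys.items():
        if not path.lower().endswith("\\zonemap\\protocoldefaults"):
            continue
        for protocol, expected in EXPECTED_PROTOCOL_DEFAULTS.items():
            actual = values.get(protocol)
            if actual != expected:
                mismatches.append((path.split("\\")[0], protocol, actual, expected))
    return mismatches


if __name__ == "__main__":
    parsed = parse_reg(SAMPLE_EXPORT)
    for hive, domain, protocol in trusted_zone_domains(parsed):
        print(f"O15-style entry: {hive} {domain} ({protocol}) -> {ZONE_NAMES[TRUSTED_ZONE]}")
    for hive, protocol, actual, expected in check_protocol_defaults(parsed):
        print(f"{hive} ProtocolDefaults {protocol} = {actual}, expected {expected}")
```

On a live machine the input would be a `reg export` of the ZoneMap key from each hive; newer exports carry a "Windows Registry Editor Version 5.00" header and are Unicode text, which the parser accepts once the file has been decoded. Running the check before and after merging fixme.reg (and again after the next reboot) shows whether the mapping is actually gone or is being re-created.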
Followed the steps precisely...here are the results

I gotta tell you...either some of the various programs out there designed to fix these problems just don't work or I've got a very pesky problem... I followed the latest steps and yet, after another hour of work, there is absolutely no change in the system's behavior. And to add insult to injury, the same "Trusted Site" ("whataboutadog.com") appeared in the fresh HJT scan!

While running ComboFix this last time, there were a few glitches where a window popped up which said "WINDOWS - NO DISK - Exception Processing Message."

Also, it resulted in another IE6 icon appearing on my desktop. But still, neither icon results in anything different: IE6 is still messed up, my connection speed is cut in half, and I'm probably relaying spam as I write this. :confused:

The latest results are attached....

I'm wondering if this is why most SysAdmins just reformat the hard drive when this stuff happens. ;)
 
Please download FindAWF to your Desktop.
Double-click FindAWF.exe to start the tool.
Select "option #1 - Scan for bak folders" by typing 1 and press Enter
When the tool has completed, a report will open up in notepad. Please post the results of the awf.txt as an attachment.

Regards Howard :)
 
Done...attached is the AWF log

I've also attached the latest ComboFix log which I had neglected to do last post.

So is this any closer to disinfection or is it looking like time to reinstall an operating system? :blackeye:
 

Attachments

  • awf.txt
    7.2 KB · Views: 11
Double-click FindAWF.exe to start the tool. Then, do the following
Select "option #2 - Restore files from bak folders" by typing 2 and press Enter.
A text file will open up. Please copy/paste the following text from the quote box (all except the word QUOTE) into the text file.

"C:\WINDOWS\bak\UpdReg.EXE"
"C:\Program Files\iTunes\bak\iTunesHelper.exe"
"C:\Program Files\Messenger\bak\msmsgs.exe"
"C:\Program Files\QuickTime\bak\qttask.exe"
"C:\WINDOWS\ehome\bak\ehtray.exe"
"C:\WINDOWS\system32\bak\ctfmon.exe"
"C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe"
"C:\Program Files\Canon\BJPV\bak\TVMon.exe"
"C:\Program Files\CyberLink\PowerDVD\bak\DVDLauncher.exe"
"C:\Program Files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe"
"C:\Program Files\Intel\Intel Matrix Storage Manager\bak\iaanotif.exe"
"C:\Program Files\ScanSoft\OmniPageSE2.0\bak\OpwareSE2.exe"
"C:\Program Files\Sony\SonicStage\bak\SsAAD.exe"
"C:\WINDOWS\system32\dla\bak\tfswctrl.exe"
"C:\Program Files\Adobe\Acrobat 7.0\Distillr\bak\Acrotray.exe"
"C:\Program Files\Common Files\InstallShield\UpdateService\bak\issch.exe"
"C:\Program Files\Common Files\InstallShield\UpdateService\bak\ISUSPM.exe"
"C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
"C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\bak\CTDVDDET.EXE"
"C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\bak\CTSysVol.exe"
"C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe"



Close the .txt file and click Yes to save the changes.
When the tool has completed, a report will open up in notepad. Please post the results of the awf.txt in your next reply as an attachment.

Then do the following.

Click start/run and type regedit into the run box and hit the enter button.

Navigate to the following reg key and in the right hand pane, right click on it and select delete.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\whataboutadog.com

Download the attached Fix.zip file and save it to your desktop. Unzip the file and double click on the fix.reg file. Click yes when asked if you want to merge it.

Post a fresh HJT log as well as the awf.txt into your next reply.

Regards Howard :)
 

Attachments

  • fix.zip
    290 bytes · Views: 10
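FindAWF's three options (scan for bak folders, restore files from them, remove them) all deal with one layout, which the file list above implies: a program's real startup executable has been moved into a bak subfolder and a different file with the original name sits in its place. The Python below is an added example, not FindAWF's code and not part of this thread. It builds a constructed directory tree in a temporary folder that mimics that layout (a few of the paths mirror the post's list), finds every live/backup pair, hashes both sides to show which live files differ from their backup, restores the backup over the replacement, and removes each bak folder that is left empty.

```python
import hashlib
import os
import tempfile

# Constructed file contents standing in for real executables.
ORIGINAL_QTTASK = b"MZ original qttask.exe (constructed)"
FAKE_QTTASK = b"MZ replacement dropped in its place (constructed)"
MSMSGS = b"MZ msmsgs.exe (constructed)"


def sha256_of(path):
    """Hash a file in chunks so large executables need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_bak_pairs(root):
    """Walk root and return one record per file inside a 'bak' folder that has a
    same-named file in the folder above it (the live copy that replaced it)."""
    pairs = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if os.path.basename(dirpath).lower() != "bak":
            continue
        parent = os.path.dirname(dirpath)
        for name in sorted(filenames):
            backup = os.path.join(dirpath, name)
            live = os.path.join(parent, name)
            if not os.path.isfile(live):
                continue  # a backup with no live counterpart is not this pattern
            pairs.append({
                "live": live,
                "backup": backup,
                "replaced": sha256_of(live) != sha256_of(backup),
                "live_size": os.path.getsize(live),
                "backup_size": os.path.getsize(backup),
            })
    return pairs


def restore_from_bak(pairs):
    """Move each differing backup over its live copy, then delete bak folders
    that are now empty. Returns the live paths that were restored."""
    restored = []
    for p in pairs:
        if not p["replaced"]:
            continue  # identical content: nothing to put back
        os.replace(p["backup"], p["live"])  # overwrites on Windows and POSIX alike
        restored.append(p["live"])
    for p in pairs:
        bak_dir = os.path.dirname(p["backup"])
        if os.path.isdir(bak_dir) and not os.listdir(bak_dir):
            os.rmdir(bak_dir)
    return restored


def build_sample_tree():
    """Create the constructed sample layout under a fresh temp dir and return it."""
    root = tempfile.mkdtemp(prefix="awf-demo-")
    layout = {
        # QuickTime: live file differs from its backup -> the pattern FindAWF reports
        os.path.join("Program Files", "QuickTime", "qttask.exe"): FAKE_QTTASK,
        os.path.join("Program Files", "QuickTime", "bak", "qttask.exe"): ORIGINAL_QTTASK,
        # Messenger: backup identical to the live file -> nothing to restore
        os.path.join("Program Files", "Messenger", "msmsgs.exe"): MSMSGS,
        os.path.join("Program Files", "Messenger", "bak", "msmsgs.exe"): MSMSGS,
        # Java: no bak folder at all -> clean
        os.path.join("Program Files", "Java", "bin", "jusched.exe"): b"MZ jusched (constructed)",
    }
    for rel, data in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    return root


def run_demo():
    """Scan, restore, rescan; return a summary the caller (or a test) can check."""
    root = build_sample_tree()
    before = find_bak_pairs(root)
    restored = restore_from_bak(before)
    qt_dir = os.path.join(root, "Program Files", "QuickTime")
    with open(os.path.join(qt_dir, "qttask.exe"), "rb") as f:
        content_after = f.read()
    return {
        "pairs_found": len(before),
        "replaced": sorted(os.path.basename(p["live"]) for p in before if p["replaced"]),
        "restored": [os.path.basename(p) for p in restored],
        "qttask_restored": content_after == ORIGINAL_QTTASK,
        "quicktime_bak_removed": not os.path.isdir(os.path.join(qt_dir, "bak")),
        "pairs_after": len(find_bak_pairs(root)),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The split into scan, restore and remove mirrors the three FindAWF options in the thread: scanning is read-only and hashes both copies, so a pair whose live file still matches its backup is reported but left alone, and a bak folder is only deleted once nothing remains in it.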
Attached are the latest AWF and HJT logs. I followed all instructions precisely. However, I have not yet rebooted...

I assume I should reboot to see if anything is different? (At the moment, there is nothing different happening with the system).

Well after a reboot, my Internet Explorer 6 now appears to be functioning normally. It opens and loads quickly as it used to, and there is no overt evidence of a problem. I suppose that's good!

However...my network connection speed is still showing as anywhere from 18 MB/s - 24 MB/s. This is highly unusual since my other computers in the same room and on same network are at 54 MB/s. This suggests to me that some process is still occurring that is interfering with the connection speed.

So I now have a working IE6 but I might still be getting used as a drone! Any thoughts on what's going on and how to stop it altogether?
 
Your HJT log is now clean.

Please double-click the FindAWF icon once again
This time we are going to remove some folders.

Use the following option: Press 3 then Enter to remove bak folders


A text file opens called: folders.txt
Click below the line and paste the following list of folders to be removed:

C:\WINDOWS\bak
C:\Program Files\iTunes\bak
C:\Program Files\Messenger\bak
C:\Program Files\QuickTime\bak
C:\WINDOWS\ehome\bak
C:\WINDOWS\system32\bak
C:\Program Files\ATI Technologies\ATI Control Panel\bak
C:\Program Files\Canon\BJPV\bak
C:\Program Files\CyberLink\PowerDVD\bak
C:\Program Files\Google\GoogleToolbarNotifier\bak
C:\Program Files\Sony\SonicStage\bak
C:\WINDOWS\system32\dla\bak
C:\Program Files\Adobe\Acrobat 7.0\Distillr\bak
C:\Program Files\Common Files\InstallShield\UpdateService\bak
C:\Program Files\Common Files\InstallShield\UpdateService\bak
C:\Program Files\Common Files\Real\Update_OB\bak
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\bak
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\bak
C:\Program Files\Java\jre1.6.0_02\bin\bak

Next, close and click Yes to save the changes.

When done with the above, FindAWF automatically runs a new scan and opens a new log that you need to post.
Please provide the new FindAWF log

Regards Howard :)

Edit: I never told you to reboot. In future, please follow the instructions exactly. If I require you to reboot, I'll tell you to do so. ;)
 
Latest result...AWF log attached

Okay, I followed your procedure exactly. No reboots, nothing. ;-)

Attached is the logfile you requested.

I am quite impressed that IE6 is now working again. Yesterday, this appeared rather hopeless.

Though the issue with my network connection speed being dropped in half bothers me. That happened when the rest of the problem occurred, so it would seem to me that it is somehow related... How can I know that the system is still not being exploited?
 
There's still one bak entry showing up.

Double-click FindAWF.exe to start the tool. Then, do the following
Select "option #2 - Restore files from bak folders" by typing 2 and press Enter.
A text file will open up. Please copy/paste the following text from the quote box (all except the word QUOTE) into the text file.

"C:\Program Files\Intel\Intel Matrix Storage Manager\bak\iaanotif.exe"

Close the .txt file and click Yes to save the changes.
When the tool has completed, a report will open up in notepad. Please post the results of the awf.txt in your next reply as an attachment.

I'd also like you to post a fresh Combofix log.

Regards Howard :)
 
Here is the latest...and some info

I followed the latest directions. This info might be trivial but figured I would mention:

1) During my previous reboot (the one you didn't ask me to do), at restart there was a message to the effect of: Access Violation at Linksys USB (this is obviously in reference to my wireless network adaptor on this machine). Figured I should mention, considering the reduced connection speed.

As for most recent procedures:

2) While AWF was running, at some point an error message popped up that said: Windows-No Disk. Exception Processing Message C0000013 Parameters (bunch of numbers). I had to click Continue several times for this to go away.

3) During the execution of ComboFix, a message popped up saying "Google has blocked an attempt by another program to change your default search settings. Attempt made to change default search from Google.com to: http://www.microsoft.com/isapi/redir.dll?pd=iear=iesearch". I realized that I had the browser open when I ran ComboFix. Is that a problem???
 
You must not have any browsers open while running any of the fixes tools.

Please double-click the FindAWF icon once again
This time we are going to remove some folders.

Use the following option: Press 3 then Enter to remove bak folders


A text file opens called: folders.txt
Click below the line and paste the following list of folders to be removed:

C:\Program Files\Intel\Intel Matrix Storage Manager\bak
C:\Program Files\ScanSoft\OmniPageSE2.0\bak

Next, close and click Yes to save the changes.

When done with the above, FindAWF automatically runs a new scan and opens a new log that you need to post.
Please provide the new FindAWF log

Now do the following.

1. Please download The Avenger by Swandog46 from HERE. Save it to your Desktop and extract it.

2. Download the attached avengerscript.txt and save it to your desktop

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by double clicking on its icon on your desktop.

Under "Script file to execute" choose "Load script from file".
Now click on the folder icon which will open a new window titled "open Script File"
navigate to the file you have just downloaded, click on it and press open
Now click on the Green Light to begin execution of the script
Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

It will Restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please attach the content of c:\avenger.txt into your reply, as well as a fresh Combofix log and the awf.txt.

Regards Howard :)
 
As requested...

AWF still had that same problem with the error message where I had to click "Continue" a bunch of times. Not sure if that's significant or not. But it did continue and finish.

All logs attached.
 
All your log files are clean.

Are you still having problems with your internet speed?

Regards Howard :)
 
Nothing odd EXCEPT for the connection speed

Thanks for all your help getting me to this point!

But yes, my Wireless Network connection speed is currently showing 24 Mbps on this system, and every so often it drops down to 18 Mbps. As noted previously, this change occurred at the same time when the other issues with IE6 began. This had never happened before. Moreover, I have two other computers here which are on this same network and they are both showing the normal WiFi speed I get, 54 Mbps, right now. This seems very odd.

Have you heard of something like this? Could a setting simply have been messed up by the previous problems? Or could this indicate that some type of "backdoor" is still active?

Is there any way of checking this?
 
As far as I can tell, your system looks clean. Of course I can't guarantee it 100%.

I have a feeling it's probably some setting that's got messed up.

Try resetting everything to how it should be and see if that helps. If it doesn't, I suggest you open a new thread in our Storage and networking forum.

When and only if you're satisfied that your problems are solved, please do the following.

Turn off system restore.(XP/ME only) See how HERE.

Now, turn system restore back on. This will have deleted all your old restore points and any nasties that are in them. It will also have created a new, clean restore point.


If you have any further virus/spyware problems, please post in this thread.

Regards Howard :)
 
Thanks for your help - one final question

Everything does seem to be working okay; the only mystery is why my WiFi connection speed is showing itself as reduced. I am going to wait to do the procedure you described regarding Restore Points after I have that resolved. I may have to post the issue as you suggested.

One final question: I have read some of the links provided on this site regarding the decision to reformat versus disinfect, etc. Some of the articles are a year or two old. With respect to rootkits, "backdoor trojans" etc. -- is there any way currently possible to know for sure if some type of malicious process is still occurring on my system, or if there is some type of "backdoor" available to a hacker?

In other words, all of these programs that I now have installed, such as AVG Antivirus, AVG AntiSpyware, Hijack This, Ad-Aware, etc. etc. etc.: Would these programs very likely detect something if it were present?

I'm asking because I recall one of the articles from a couple of years ago that said reformatting your hard drive is the only way to be 100% sure.... Is that still the consensus?
 
Once a system has been infected, it's almost impossible for anyone to guarantee 100% that it's safe to use for the storing of personal or sensitive data, online banking etc.

That's why, if any of the above is part of the system use, it is far safer to format and reinstall.

However, if the system is only used for gaming/music etc, then cleaning is possibly the better option. At the end of the day, only the system's owner can decide what course of action to take.

With the increase in rootkits, which by their very nature hide from conventional security programmes, this just makes it that much harder to give a clean bill of health to a system.

While those articles are quite old, the ideas they talk about are still very much valid.

Regards Howard :)
 
Looks like I got excited too soon...backdoor Trojan detected

I turned this system back on again to fiddle with the network speed issue, which is still an issue. For the heck of it, I ran Hijack This. Lo and behold, it said: Threat found in C:\Windows\system32\windrvNT.sys

It identified it as Trojan horse BackDoor.Generic8.VNP

How can this be???

I clicked on "Heal" and have rebooted, but my network speed is still reduced and I am figuring there is a real good chance that this bug is still in my system...

Where do I go from here?
 
As far as I`m aware, windrvNT.sys belongs to a programme called Folderlock and is not malicious. However, the Folderlock programme is known to cause problems.

Please post a fresh HJT and Combofix log.

Regards Howard :)
 