Jump to content

Reoccuring infection


Recommended Posts

Recently got my computer functional again after professional help to remove a virus & it seems that I'm right back where I started. Avira & Microsoft Security Essentials are blocked from running or updating by this virus & freshly updated MB didn't find anything. In the last 3 days I have been hit with: Win32/Pdfjsc.AEB, Win32/Sirefef!cfg, Win32/Kargany.E & Hiloti.F.

Below are my dds logs.

DDS (Ver_2012-10-19.01) - NTFS_x86 NETWORK

Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_26

Run by phoenix at 19:37:49 on 2012-11-24

Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1518.874 [GMT -6:00]

.

AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}

AV: AntiVir Desktop *Enabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}

SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}

SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

SP: AntiVir Desktop *Enabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}

.

============== Running Processes ================

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe

C:\Windows\Explorer.EXE

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Program Files\Microsoft Security Client\msseces.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k rpcss

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://xfinity.comcast.net/?cid=insDate06112012

uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=desktop

mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=desktop

uProxyOverride = <local>

BHO: Adobe PDF Reader Link Helper: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

BHO: FDMIECookiesBHO Class: {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - c:\program files\free download manager\iefdm2.dll

BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll

uRun: [bitTorrent] rundll32.exe c:\users\phoenix\appdata\local\bittorrent\lnvgkvpz.dll,vlc_entry__1_0_0e

uRun: [Advanced SystemCare 5] "c:\program files\iobit\advanced systemcare 5\ASCTray.exe" /AutoStart

uRun: [svñhîst] c:\users\phoenix\appdata\local\temp\cccccc.exe

mRun: [RtHDVCpl] RtHDVCpl.exe

mRun: [Launch LGDCore] "c:\program files\logitech\gamepanel software\g-series software\LGDCore.exe" /SHOWHIDE

mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey

mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

uPolicies-Explorer: NoDrives = dword:0

mPolicies-Explorer: NoDrives = dword:0

mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0

mPolicies-System: EnableUIADesktopToggle = dword:0

IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

.

INFO: HKCU has more than 50 listed domains.

If you wish to scan all of them, select the 'Force scan all domains' option.

.

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

DPF: {A084A130-28AE-4B32-B51A-1C8CE164BC88} - hxxp://www.convergysworkathome.com/AppHardT.CAB

DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

TCP: NameServer = 75.75.76.76 75.75.75.75

TCP: Interfaces\{36937FF7-1F22-4576-8665-B5965D4D3BCC} : DHCPNameServer = 75.75.76.76 75.75.75.75

TCP: Interfaces\{E19F283A-040B-4D88-8320-26E6997DD217} : DHCPNameServer = 75.75.76.76 75.75.75.75

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll

LSA: Security Packages = kerberos msv1_0 schannel wdigest tspkg

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\users\phoenix\appdata\roaming\mozilla\firefox\profiles\itie7kdd.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://www.rense.com

FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=

FF - prefs.js: network.proxy.type - 0

FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll

FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\microsoft silverlight\4.1.10329.0\npctrlui.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll

FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_3_300_265.dll

FF - ExtSQL: !HIDDEN! 2009-09-02 03:01; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension

.

---- FIREFOX POLICIES ----

FF - user.js: yahoo.ytff.general.dontshowhpoffer - true

.

============= SERVICES / DRIVERS ===============

.

S1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165264]

S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-9-29 136360]

S2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-9-29 269480]

S2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-8-25 66616]

S2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2009-1-22 21504]

S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2010-10-24 43392]

S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2010-10-24 54144]

S3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\antimalware\NisSrv.exe [2010-11-11 206360]

S3 PCD5SRVC{BD6912E3-AC9D80E8-05040000};PCD5SRVC{BD6912E3-AC9D80E8-05040000} - PCDR Kernel Mode Service Helper Driver;c:\progra~1\pc-doc~1\PCD5SRVC.pkms [2007-9-12 25760]

S3 VST_DPV;VST_DPV;c:\windows\system32\drivers\VSTDPV3.SYS [2009-1-22 987648]

S3 VSTHWBS2;VSTHWBS2;c:\windows\system32\drivers\VSTBS23.SYS [2009-1-22 251904]

S3 xcbdaNtsc;ViXS Tuner Card (NTSC);c:\windows\system32\drivers\xcbda.sys [2007-1-1 156928]

S4 AdvancedSystemCareService5;Advanced SystemCare Service 5;c:\program files\iobit\advanced systemcare 5\ASCService.exe [2012-11-7 913792]

S4 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-4-29 115168]

S4 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-7-13 160944]

.

=============== Created Last 30 ================

.

2012-11-22 17:45:59 -------- d-----w- c:\users\phoenix\appdata\local\BitTorrent

2012-11-20 08:34:05 713784 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\nisbackup\gapaengine.dll

2012-11-20 08:34:04 713784 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{630d8651-2e29-45b5-a5b3-364de76112f2}\gapaengine.dll

2012-11-20 08:33:30 6918632 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll

2012-11-20 08:33:01 6812136 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{30afc8c1-f8df-4ebf-86f1-95e8d02af95f}\mpengine.dll

2012-11-08 02:54:48 -------- d-----w- c:\program files\Microsoft Security Client

2012-11-08 02:29:33 21888 ----a-w- c:\windows\system32\RegistryDefragBootTime.exe

2012-11-08 02:10:25 -------- d-----w- c:\users\phoenix\appdata\local\360Amigo

2012-11-08 02:10:18 -------- d-----w- c:\program files\360Amigo

2012-11-08 02:02:47 -------- d-----w- c:\programdata\IObit

2012-11-08 02:02:40 -------- d-----w- c:\users\phoenix\appdata\roaming\IObit

2012-11-08 02:02:27 -------- d-----w- c:\program files\IObit

2012-11-02 23:56:01 -------- d-----w- c:\programdata\mtgcijbuigdymhb

.

==================== Find3M ====================

.

2012-09-30 00:54:26 22856 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-09-13 13:28:08 2048 ----a-w- c:\windows\system32\tzres.dll

2012-08-29 11:27:41 3602816 ----a-w- c:\windows\system32\ntkrnlpa.exe

2012-08-29 11:27:41 3550080 ----a-w- c:\windows\system32\ntoskrnl.exe

.

============= FINISH: 19:38:49.41 ===============

DDS (Ver_2012-10-19.01)

.

Microsoft® Windows Vista™ Home Premium

Boot Device: \Device\HarddiskVolume2

Install Date: 12/10/2007 9:43:00 AM

System Uptime: 11/24/2012 11:45:45 AM (8 hours ago)

.

Motherboard: Intel Corporation | | D101GGC

Processor: Intel® Celeron® D CPU 3.20GHz | | 3200/133mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 288 GiB total, 13.906 GiB free.

D: is FIXED (NTFS) - 10 GiB total, 1.32 GiB free.

E: is FIXED (NTFS) - 298 GiB total, 1.661 GiB free.

F: is CDROM ()

.

==== Disabled Device Manager Items =============

.

Class GUID: {4d36e96b-e325-11ce-bfc1-08002be10318}

Description: Enhanced Multimedia PS/2 Keyboard

Device ID: ACPI\PNP0303\4&3348267E&0

Manufacturer: HP

Name: Enhanced Multimedia PS/2 Keyboard

PNP Device ID: ACPI\PNP0303\4&3348267E&0

Service: i8042prt

.

Class GUID: {4d36e96f-e325-11ce-bfc1-08002be10318}

Description: PS/2 Compatible Mouse

Device ID: ACPI\PNP0F13\4&3348267E&0

Manufacturer: Microsoft

Name: PS/2 Compatible Mouse

PNP Device ID: ACPI\PNP0F13\4&3348267E&0

Service: i8042prt

.

Class GUID: {4d36e97d-e325-11ce-bfc1-08002be10318}

Description: Consumer IR Devices

Device ID: ROOT\SYSTEM\0001

Manufacturer: Microsoft

Name: Consumer IR Devices

PNP Device ID: ROOT\SYSTEM\0001

Service: circlass

.

==== System Restore Points ===================

.

.

==== Installed Programs ======================

.

µTorrent

360Amigo System Speedup Free

AbiWord 2.6.8

Adobe Flash Player 10 ActiveX

Adobe Flash Player 11 Plugin

Adobe Reader 8.1.0

Advanced SystemCare 5

Any Video Converter 3.2.7

Apple Application Support

Apple Software Update

Audacity 1.3.13 (Unicode)

AVI ReComp 1.5.5

Avira AntiVir Personal - Free Antivirus

AviSynth 2.5

Cards_Calendar_OrderGift_DoMorePlugout

Compatibility Pack for the 2007 Office system

Content Transfer

Convergys Health Checker

CyberLink DVD Suite Deluxe

DivX Converter

DivX Plus DirectShow Filters

DivX Setup

DivX Version Checker

DVD Decrypter (Remove Only)

Enhanced Multimedia Keyboard Solution

ffdshow [rev 2583] [2009-01-05]

Free AVI MPEG WMV MP4 FLV Video Joiner 3.7.2.1

Free Download Manager 2.5

Freecorder 5

GoldWave v5.55

Grab & Burn, Version 4.0.1 ( Build 2005-09-21, Win32, CSS )

Haali Media Splitter

Hardware Diagnostic Tools

Hewlett-Packard Active Check

Hewlett-Packard Asset Agent for Health Check

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)

HP Active Support Library

HP Customer Experience Enhancements

HP Customer Feedback

HP Easy Setup - Frontend

HP On-Screen Cap/Num/Scroll Lock Indicator

HP Photosmart Essential 2.5

HP Picasso Media Center Add-In

HP Total Care Advisor

HP Update

HPPhotoSmartPhotobookWebPack1

Java Auto Updater

Java 6 Update 26

Java 6 Update 3

Java SE Runtime Environment 6 Update 1

LabelPrint

LightScribe System Software 1.10.16.1

LightScribe Template Labeler

Logitech GamePanel Software 2.00

magicJack

Malwarebytes Anti-Malware version 1.65.1.1000

Microsoft .NET Framework 1.1

Microsoft .NET Framework 1.1 Security Update (KB2656353)

Microsoft .NET Framework 1.1 Security Update (KB2656370)

Microsoft .NET Framework 3.5 SP1

Microsoft Antimalware

Microsoft Corporation

Microsoft LifeCam

Microsoft Office Home and Student 60 day trial

Microsoft Office PowerPoint Viewer 2007 (English)

Microsoft Security Client

Microsoft Security Essentials

Microsoft Silverlight

Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161

Microsoft Works

Miro

Mozilla Firefox 17.0 (x86 en-US)

Mozilla Maintenance Service

MP3 Remix for Winamp

muvee autoProducer 6.1

My HP Games

NVIDIA Drivers

NWZ-E340 WALKMAN Guide

OpenOffice.org 2.3

Power2Go

PowerDirector

PSSWCORE

Python 2.5

QuickTime

Realtek High Definition Audio Driver

Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)

Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)

Skype Click to Call

Skype™ 5.10

Snapfish Picture Mover

Soft Data Fax Modem with SmartCP

Sothink Movie DVD Maker

Trillian

Update for Microsoft .NET Framework 3.5 SP1 (KB963707)

VC80CRTRedist - 8.0.50727.4053

Ventrilo Client

VideoLAN VLC media player 0.8.6e

VideoToolkit01

VirtualDJ Home FREE

VirtualDubMOD 1.5.10.3 US

VobSub 2.23

WeatherBug Gadget

Winamp

Windows Live installer

Windows Media Player Firefox Plugin

WinRAR archiver

WinZip 11.2

XEQ Winamp plugin (remove only)

Xvid 1.3.0

Xvid Video Codec

Yahoo! Detect

.

==== End Of File ===========================

Link to post
Share on other sites

Welcome to the forum.

Before we proceed further, please uninstall or disable uTorrent and any other peer-to-peer filesharing app.

Continued use of filesharing or ill-advised downloads will surely re-infect your system.

Risks of File-Sharing Technology.

P2P file sharing: Know the risks

It's also against the forums policy concerning P2P programs:

http://forums.malwar...showtopic=97700

----------------------------------------

Then........

Please remove any usb or external drives from the computer before you run this scan!

Please download and run RogueKiller to your desktop.

Quit all running programs.

For Windows XP, double-click to start.

For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

MrC

------->Your topic will be closed if you haven't replied within 3 days!<--------

(If I don't respond within 48 hours, please send me a PM)

Link to post
Share on other sites

RogueKiller V8.3.1 [Nov 25 2012] by Tigzy

mail : tigzyRK<at>gmail<dot>com

Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/

Website : http://tigzy.geekstogo.com/roguekiller.php

Blog : http://tigzyrk.blogspot.com/

Operating System : Windows Vista (6.0.6002 Service Pack 2) 32 bits version

Started in : Safe mode with network support

User : phoenix [Admin rights]

Mode : Remove -- Date : 11/25/2012 11:27:11

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 12 ¤¤¤

[RUN][NOTFOUND] HKCU\[...]\Run : BitTorrent (rundll32.exe C:\Users\phoenix\AppData\Local\BitTorrent\lnvgkvpz.dll,vlc_entry__1_0_0e) -> DELETED

[RUN][sUSP PATH] HKCU\[...]\Run : svñhîst (C:\Users\phoenix\AppData\Local\temp\cccccc.exe) -> DELETED

[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> DELETED

[HJ SMENU] HKCU\[...]\Advanced : Start_ShowPrinters (0) -> REPLACED (1)

[HJ SMENU] HKCU\[...]\Advanced : Start_TrackProgs (0) -> REPLACED (1)

[HJ DESK] HKCU\[...]\ClassicStartMenu : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)

[HJ DESK] HKCU\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)

[HJ DESK] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

[HJ DESK] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)

[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

[WALLP] HKCU\[...]\Desktop : Wallpaper (C:\Users\phoenix\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg) -> REPLACED (C:\Users\phoenix\AppData\Roaming\Mozilla\Firefox\Desktop Background.bmp)

¤¤¤ Particular Files / Folders: ¤¤¤

[ZeroAccess][FOLDER] ROOT : C:\$recycle.bin\S-1-5-21-4196169661-3248010569-1916152541-1000\$e2bc573bd6af5595b63a310eacfe0b6a\U --> REMOVED

[ZeroAccess][FOLDER] ROOT : C:\$recycle.bin\S-1-5-21-4196169661-3248010569-1916152541-1000\$e2bc573bd6af5595b63a310eacfe0b6a\L --> REMOVED

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD3200AAJS-65VWA0 ATA Device +++++

--- User ---

[MBR] e235f2ec69159c8bdf6821d07cb58a12

[bSP] c5b9dc4d4edaf6efac57e13321f2a738 : Windows XP MBR Code

Partition table:

0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 305242 Mo

User = LL1 ... OK!

User = LL2 ... OK!

+++++ PhysicalDrive1: WDC WD3200AAJS-65VWA0 ATA Device +++++

--- User ---

[MBR] 542bb5ad18176a54948742d3d705a757

[bSP] 309fdfd200901d3359dd1e035123a213 : HP tatooed MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 295415 Mo

2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 605011680 | Size: 9826 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[2]_D_11252012_02d1127.txt >>

RKreport[1]_S_11252012_02d1125.txt ; RKreport[2]_D_11252012_02d1127.txt

Link to post
Share on other sites

Please read the following information first.

You're infected with Rootkit.ZeroAccess, a BackDoor Trojan.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advice you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall

http://www.dslreports.com/faq/10063

I will try my best to clean this machine but I can't guarantee that it will be 100% secure afterwards.

Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

-----------------------------------------

Please create a new system restore point before running Malwarebytes Anti-Rootkit.

MBAR tutorial

Download Malwarebytes Anti-Rootkit from HERE

  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced they will be in the MBAR folder..... mbar-log.txt and system-log.txt

To attach a log if needed:

Bottom right corner of this page.

more-reply-options.jpg

New window that comes up.

choose-files1.jpg

MrC

Link to post
Share on other sites

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.