
svchost trojan


ExuShen


Hello, lately I was trying to use incognito chrome and regular chrome together but I've been getting blue-screens and thought that I should scan. I was correct on my assumptions. After finding that out, I have noticed that my computer was slowing down on start up and still wouldn't let me incognito chrome and normal chrome as it continues to BSoD. I appreciate the help.

attach.txt

dds.txt


Hi and Welcome!! :) My name is Jeff. I would be more than happy to take a look at your malware results logs and help you with solving any malware problems you might have. Logs can take a while to research, so please be patient and know that I am working hard to get you a clean and functional system back in your hands. I'd be grateful if you would note the following:

  • I will be working on your Malware issues, this may or may not, solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for the issues on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.

IMPORTANT NOTE : Please do not delete anything unless instructed to.

DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.

Doing so could make your system inoperable and could require a full reinstall of your OS losing all your programs and data.

Vista and Windows 7 users:

These tools MUST be run from the executable (.exe) every time you run them

with Admin Rights (Right click, choose "Run as Administrator")

Stay with this topic until I give you the all clean post.

---------


Please download TDSSKiller

  • Double click TDSSKiller.exe
  • Press Start Scan
  • If Malicious objects are found, select Skip by changing the Cure dropdown in the upper right.
  • Do Not Attempt To Fix Anything Now. We just need to look over the report and be sure we are removing the correct items.
  • Attach the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)

----------


Hi,

Run TDSSKiller again.

When you see the following:

\Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.c )

\Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.c )

be sure to select Cure

Post the new log.


Hi,

Download Combofix from the link below, and save it to your desktop.

Link

**Note: It is important that it is saved directly to your desktop**

If you get a message saying "Illegal operation attempted on a registry key that has been marked for deletion", please restart your computer.

--------------------------------------------------------------------

IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

--------------------------------------------------------------------

Right-Click and Run as Administrator on ComboFix.exe & follow the prompts.

  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt for further review.

----------


It was running fine and normal, I could now open Chrome and incognito Chrome and I restarted my PC again to check up on the speed and it's fast (as fast as I remember), and upon opening Google Chrome and reactivating some extensions, I couldn't connect to the internet. So far it's been inactive for about 8 hours and I attempted to use the desktop doctor to fix it. No dice. Only my PC isn't connecting to the internet; the other in the household can go online. Other than not being able to get online, everything looks fine and dandy.


Ok....you may need to transfer this file to your infected system.

Are you able to connect to the internet in Safe Mode with Networking?

Please download Farbar Service Scanner and run it on the computer with the issue.

  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

----------


I was unable to access the internet in safe mode with networking.

Farbar Service Scanner Version: 10-12-2012

Ran by Shen (administrator) on 16-12-2012 at 11:08:42

Running from "C:\Users\Shen\Desktop"

Windows 7 Home Premium Service Pack 1 (X64)

Boot Mode: Normal

****************************************************************

Internet Services:

============

Dhcp Service is not running. Checking service configuration:

The start type of Dhcp service is OK.

The ImagePath of Dhcp service is OK.

The ServiceDll of Dhcp service is OK.

afd Service is not running. Checking service configuration:

Checking Start type: ATTENTION!=====> Unable to open afd registry key. The service key does not exist.

Checking ImagePath: ATTENTION!=====> Unable to open afd registry key. The service key does not exist.

Checking LEGACY_afd: ATTENTION!=====> Unable to open LEGACY_afd\0000 registry key. The key does not exist.

Connection Status:

==============

Localhost is accessible.

There is no connection to network.

Attempt to access Google IP returned error.

Attempt to access Google.com returned error: Other errors

Attempt to access Yahoo IP returned error.

Attempt to access Yahoo.com returned error: Other errors

Windows Firewall:

=============

Firewall Disabled Policy:

==================

System Restore:

============

System Restore Disabled Policy:

========================

Action Center:

============

wscsvc Service is not running. Checking service configuration:

The start type of wscsvc service is OK.

The ImagePath of wscsvc service is OK.

The ServiceDll of wscsvc service is OK.

Windows Update:

============

wuauserv Service is not running. Checking service configuration:

The start type of wuauserv service is OK.

The ImagePath of wuauserv service is OK.

The ServiceDll of wuauserv service is OK.

BITS Service is not running. Checking service configuration:

The start type of BITS service is OK.

The ImagePath of BITS service is OK.

The ServiceDll of BITS service is OK.

Windows Autoupdate Disabled Policy:

============================

Windows Defender:

==============

WinDefend Service is not running. Checking service configuration:

The start type of WinDefend service is set to Demand. The default start type is Auto.

The ImagePath of WinDefend service is OK.

The ServiceDll of WinDefend service is OK.

Windows Defender Disabled Policy:

==========================

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]

"DisableAntiSpyware"=DWORD:1

Other Services:

==============

File Check:

========

C:\Windows\System32\nsisvc.dll => MD5 is legit

C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit

C:\Windows\System32\dhcpcore.dll => MD5 is legit

C:\Windows\System32\drivers\afd.sys

[2012-02-15 01:18] - [2012-12-15 12:04] - 0022368 ____A (AVG Technologies CZ, s.r.o. ) 42B7E1AA0C7EC54652A50585793F1885

ATTENTION!=====> C:\Windows\System32\drivers\afd.sys IS INFECTED AND SHOULD BE REPLACED.

C:\Windows\System32\drivers\tdx.sys => MD5 is legit

C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit

C:\Windows\System32\dnsrslvr.dll => MD5 is legit

C:\Windows\System32\mpssvc.dll => MD5 is legit

C:\Windows\System32\bfe.dll => MD5 is legit

C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit

C:\Windows\System32\SDRSVC.dll => MD5 is legit

C:\Windows\System32\vssvc.exe => MD5 is legit

C:\Windows\System32\wscsvc.dll => MD5 is legit

C:\Windows\System32\wbem\WMIsvc.dll

[2012-12-11 12:06] - [2012-08-21 05:09] - 0219136 ____A (Microsoft Corporation) 136760C1E9697BAF4ECDEAE5590A0806

C:\Windows\System32\wuaueng.dll => MD5 is legit

C:\Windows\System32\qmgr.dll => MD5 is legit

C:\Windows\System32\es.dll => MD5 is legit

C:\Windows\System32\cryptsvc.dll => MD5 is legit

C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\System32\rpcss.dll => MD5 is legit

**** End of log ****

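The FSS log above is read the way a helper reads it: which services are not running, which service keys are missing from the registry, which start types or policies have been changed, and which files in the "File Check" section could not be matched against a known-good MD5. As an added example (not part of the thread, of Farbar Service Scanner, or of the helper's instructions), the script below parses those sections from an excerpt of the log posted above and reports them. The "not Microsoft" heuristic for files under C:\Windows is the example's own assumption; the CompanyName it keys on is a free-form string from the file's version resource (the 22 KB afd.sys here claims to be AVG's), so it is a triage hint, not verification.

```python
import re

# Excerpt of the first Farbar Service Scanner log posted in this thread,
# trimmed to the sections the triage below reads.
FSS_LOG = r"""
Farbar Service Scanner Version: 10-12-2012
Windows 7 Home Premium Service Pack 1 (X64)

Internet Services:
============
Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
afd Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open afd registry key. The service key does not exist.
Checking LEGACY_afd: ATTENTION!=====> Unable to open LEGACY_afd\0000 registry key. The key does not exist.

Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.

Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1

File Check:
========
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys
[2012-02-15 01:18] - [2012-12-15 12:04] - 0022368 ____A (AVG Technologies CZ, s.r.o. ) 42B7E1AA0C7EC54652A50585793F1885
ATTENTION!=====> C:\Windows\System32\drivers\afd.sys IS INFECTED AND SHOULD BE REPLACED.
C:\Windows\System32\wbem\WMIsvc.dll
[2012-12-11 12:06] - [2012-08-21 05:09] - 0219136 ____A (Microsoft Corporation) 136760C1E9697BAF4ECDEAE5590A0806
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
**** End of log ****
"""

NOT_RUNNING_RE = re.compile(r"^(\S+) Service is not running\.")
MISSING_KEY_RE = re.compile(r"Unable to open (\S+) registry key\. The (?:service )?key does not exist\.")
START_TYPE_RE = re.compile(r"^The start type of (\S+) service is set to (\w+)\. The default start type is (\w+)\.")
REG_KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
REG_DWORD_RE = re.compile(r'^"([^"]+)"=DWORD:(\d+)$')
LEGIT_RE = re.compile(r"^([A-Za-z]:\\.+?) => MD5 is legit$")
PATH_RE = re.compile(r"^[A-Za-z]:\\.+$")
# [created] - [modified] - size attributes (CompanyName from the version resource) MD5
DETAIL_RE = re.compile(r"^\[([^\]]+)\] - \[([^\]]+)\] - (\d+) (\S+) \((.*)\) ([0-9A-Fa-f]{32})$")
INFECTED_RE = re.compile(r"^ATTENTION!=+> (\S.*?) IS INFECTED")


def triage_fss(text):
    """Collect the findings a helper reads out of an FSS log."""
    report = {"not_running": [], "missing_keys": [], "start_type_changed": [],
              "policies": [], "unverified": [], "infected": []}
    current_key = None      # last [HKEY_...] header seen in a policy section
    pending_path = None     # a File Check path FSS printed without "MD5 is legit"
    for line in text.splitlines():
        line = line.strip()
        if m := NOT_RUNNING_RE.match(line):
            report["not_running"].append(m.group(1))
        elif m := MISSING_KEY_RE.search(line):
            report["missing_keys"].append(m.group(1))
        elif m := START_TYPE_RE.match(line):
            report["start_type_changed"].append(m.groups())
        elif m := REG_KEY_RE.match(line):
            current_key = m.group(1)
        elif m := REG_DWORD_RE.match(line):
            report["policies"].append((current_key, m.group(1), int(m.group(2))))
        elif m := INFECTED_RE.match(line):
            report["infected"].append(m.group(1))
        elif LEGIT_RE.match(line):
            pending_path = None                 # matched FSS's known-good hash list
        elif PATH_RE.match(line):
            pending_path = line                 # details follow on the next line
        elif pending_path and (m := DETAIL_RE.match(line)):
            created, modified, size, _attrs, company, md5 = m.groups()
            report["unverified"].append({"path": pending_path, "created": created,
                                         "modified": modified, "size": int(size),
                                         "company": company.strip(), "md5": md5.upper()})
            pending_path = None
    return report


def suspicious_files(report):
    """Files to replace: anything FSS flagged outright, plus unverified files under
    C:\\Windows whose CompanyName is not Microsoft's. An unverified file with a
    Microsoft CompanyName (WMIsvc.dll here) is only "not in FSS's hash list", which
    happens with newer update builds, so it is not flagged by this heuristic."""
    flagged = set(report["infected"])
    for f in report["unverified"]:
        in_windows = f["path"].lower().startswith("c:\\windows\\")
        if in_windows and not f["company"].startswith("Microsoft"):
            flagged.add(f["path"])
    return sorted(flagged)


if __name__ == "__main__":
    r = triage_fss(FSS_LOG)
    for k, v in r.items():
        print(f"{k}: {v}")
    print("replace:", suspicious_files(r))
```

Two things the log itself carries that the script surfaces: the afd service key is missing along with its LEGACY_afd enumeration key (the file alone is not the whole problem), and Defender has been turned off by a policy value rather than merely stopped. CompanyName is not a signature; confirm a file's origin with its Authenticode signature before trusting the "Microsoft" heuristic.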

Please download SystemLook from one of the links below and save it to your Desktop.

Link 1

Link 2

  • Right-click and Run as Administrator SystemLook.exe to run it.
  • Copy the content within the following codebox into the main textfield:

    :filefind
    afd.sys


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt


Here is the systemlook log.

SystemLook 30.07.11 by jpshortstuff

Log created at 17:13 on 16/12/2012 by Shen

Administrator - Elevation successful

========== filefind ==========

Searching for "afd.sys"

C:\Windows\System32\drivers\AFD.SYS --a---- 22368 bytes [09:18 15/02/2012] [20:04 15/12/2012] 42B7E1AA0C7EC54652A50585793F1885

C:\Windows\winsxs\amd64_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.17514_none_360e4801750ca991\afd.sys --a---- 499712 bytes [05:20 23/02/2011] [09:23 20/11/2010] D31DC7A16DEA4A9BAF179F3D6FBDB38C

C:\Windows\winsxs\amd64_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.17603_none_3618198975057170\afd.sys --a---- 499200 bytes [19:19 16/06/2011] [02:34 25/04/2011] D5B031C308A409A0A576BFF4CF083D30

C:\Windows\winsxs\amd64_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.17752_none_35e10b89752ee0f5\afd.sys --a---- 498688 bytes [09:18 15/02/2012] [03:59 28/12/2011] 1C7857B62DE5994A75B054A9FD4C3825

C:\Windows\winsxs\amd64_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.21712_none_3695e61e8e2c13d4\afd.sys --a---- 499200 bytes [19:19 16/06/2011] [03:09 25/04/2011] F4AD06143EAC303F55D0E86C40802976

C:\Windows\winsxs\amd64_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.21887_none_364f3a028e605345\afd.sys --a---- 498176 bytes [09:18 15/02/2012] [04:01 28/12/2011] 36A14FD1A23F57046361733B792CA8DB

-= EOF =-


First open an elevated command prompt > Click Start and type cmd in Start Search.

When cmd.exe populates above, right click it and select Run as Administrator to open an elevated command prompt.

Copy the contents of the code box > right click in the command window and select paste >> Press Enter (do one line at a time if there are more than one)


copy C:\Windows\winsxs\amd64_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.17514_none_360e4801750ca991\afd.sys C:\Windows\System32\drivers\AFD.SYS

Close the Command Prompt box.

----------

Download the file found here directly to your Desktop. Right-click on the file and select Merge.

Reboot your system.

Run a new scan with Farbar Service Scanner and let me know if you can access the internet.

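The SystemLook output and the copy command above are the two halves of one check: the copies of afd.sys under C:\Windows\winsxs are the component store's reference versions, and the live file in System32\drivers should hash-match one of them. As an added example (not part of the thread, of SystemLook, or of the helper's fix), the script below parses the ':filefind' output posted above, reports whether the live file matches any store copy, and builds the copy command from a chosen store copy. The pick rule (newest copy on the GDR branch, using the Windows 6.x convention that revision numbers 1xxxx are GDR and 2xxxx are LDR/QFE hotfix builds) is the example's own assumption; the helper chose the SP1 RTM copy, 6.1.7601.17514, and the later log shows that worked.

```python
import re

# The SystemLook ':filefind afd.sys' output posted in this thread (Win7 SP1 x64).
SYSTEMLOOK_LOG = r"""
SystemLook 30.07.11 by jpshortstuff
========== filefind ==========
Searching for "afd.sys"
C:\Windows\System32\drivers\AFD.SYS --a---- 22368 bytes [09:18 15/02/2012] [20:04 15/12/2012] 42B7E1AA0C7EC54652A50585793F1885
C:\Windows\winsxs\amd64_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.17514_none_360e4801750ca991\afd.sys --a---- 499712 bytes [05:20 23/02/2011] [09:23 20/11/2010] D31DC7A16DEA4A9BAF179F3D6FBDB38C
C:\Windows\winsxs\amd64_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.17603_none_3618198975057170\afd.sys --a---- 499200 bytes [19:19 16/06/2011] [02:34 25/04/2011] D5B031C308A409A0A576BFF4CF083D30
C:\Windows\winsxs\amd64_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.17752_none_35e10b89752ee0f5\afd.sys --a---- 498688 bytes [09:18 15/02/2012] [03:59 28/12/2011] 1C7857B62DE5994A75B054A9FD4C3825
C:\Windows\winsxs\amd64_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.21712_none_3695e61e8e2c13d4\afd.sys --a---- 499200 bytes [19:19 16/06/2011] [03:09 25/04/2011] F4AD06143EAC303F55D0E86C40802976
C:\Windows\winsxs\amd64_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.21887_none_364f3a028e605345\afd.sys --a---- 498176 bytes [09:18 15/02/2012] [04:01 28/12/2011] 36A14FD1A23F57046361733B792CA8DB
-= EOF =-
"""

# path attributes size bytes [created] [modified] MD5
ENTRY_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+(?P<attrs>[-a-zA-Z]+)\s+(?P<size>\d+) bytes "
    r"\[(?P<created>[^\]]+)\] \[(?P<modified>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$")
# the servicing version embedded in a WinSxS component directory name
STORE_VER_RE = re.compile(r"\\winsxs\\[^\\]+_(\d+\.\d+\.\d+\.\d+)_[^\\]*\\", re.IGNORECASE)


def parse_systemlook(text):
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["size"] = int(e["size"])
        e["md5"] = e["md5"].upper()
        v = STORE_VER_RE.search(e["path"])
        e["version"] = tuple(int(x) for x in v.group(1).split(".")) if v else None
        entries.append(e)
    return entries


def branch(version):
    """Windows 6.x servicing convention: revision 1xxxx = GDR, 2xxxx = LDR/QFE."""
    return "LDR" if version[3] >= 20000 else "GDR"


def assess(entries, prefer="GDR"):
    """Compare live copies against the component store and pick a replacement."""
    store = [e for e in entries if e["version"]]
    live = [e for e in entries if not e["version"]]
    known_good = {e["md5"] for e in store}
    candidates = [e for e in store if branch(e["version"]) == prefer] or store
    pick = max(candidates, key=lambda e: e["version"])     # newest on that branch
    result = {"known_good": known_good, "replacement": pick, "live": []}
    for e in live:
        ok = e["md5"] in known_good
        result["live"].append({
            "path": e["path"], "md5": e["md5"], "matches_store": ok,
            "size_ratio": round(e["size"] / pick["size"], 3),
            # same shape as the helper's fix, quoted in case the path has spaces
            "command": None if ok else f'copy "{pick["path"]}" "{e["path"]}"',
        })
    return result


if __name__ == "__main__":
    res = assess(parse_systemlook(SYSTEMLOOK_LOG))
    for lv in res["live"]:
        status = "matches store" if lv["matches_store"] else "NOT in store"
        print(f'{lv["path"]}: {status}, {lv["size_ratio"]:.1%} of reference size')
        if lv["command"]:
            print("  ", lv["command"])
```

A hash match against WinSxS is a consistency check against the component store, not an integrity proof: a kernel-mode rootkit can write to the store too, so confirm the Authenticode signature of the copy you restore (Sysinternals sigcheck, for instance) from a clean boot. The thread also shows that the file was only half the damage; the second FSS log still reports LEGACY_afd\0000 missing, and networking did not return until that key was restored as well.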

I am still unable to access the internet. Here is the log after doing what you have told me to do.

Farbar Service Scanner Version: 10-12-2012

Ran by Shen (administrator) on 16-12-2012 at 18:47:05

Running from "C:\Users\Shen\Desktop"

Windows 7 Home Premium Service Pack 1 (X64)

Boot Mode: Normal

****************************************************************

Internet Services:

============

Dhcp Service is not running. Checking service configuration:

The start type of Dhcp service is OK.

The ImagePath of Dhcp service is OK.

The ServiceDll of Dhcp service is OK.

afd Service is not running. Checking service configuration:

The start type of afd service is OK.

The ImagePath of afd service is OK.

Checking LEGACY_afd: ATTENTION!=====> Unable to open LEGACY_afd\0000 registry key. The key does not exist.

Connection Status:

==============

Localhost is accessible.

There is no connection to network.

Attempt to access Google IP returned error.

Attempt to access Google.com returned error: Other errors

Attempt to access Yahoo IP returned error.

Attempt to access Yahoo.com returned error: Other errors

Windows Firewall:

=============

Firewall Disabled Policy:

==================

System Restore:

============

System Restore Disabled Policy:

========================

Action Center:

============

wscsvc Service is not running. Checking service configuration:

The start type of wscsvc service is OK.

The ImagePath of wscsvc service is OK.

The ServiceDll of wscsvc service is OK.

Windows Update:

============

wuauserv Service is not running. Checking service configuration:

The start type of wuauserv service is OK.

The ImagePath of wuauserv service is OK.

The ServiceDll of wuauserv service is OK.

BITS Service is not running. Checking service configuration:

The start type of BITS service is OK.

The ImagePath of BITS service is OK.

The ServiceDll of BITS service is OK.

Windows Autoupdate Disabled Policy:

============================

Windows Defender:

==============

WinDefend Service is not running. Checking service configuration:

The start type of WinDefend service is set to Demand. The default start type is Auto.

The ImagePath of WinDefend service is OK.

The ServiceDll of WinDefend service is OK.

Windows Defender Disabled Policy:

==========================

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]

"DisableAntiSpyware"=DWORD:1

Other Services:

==============

File Check:

========

C:\Windows\System32\nsisvc.dll => MD5 is legit

C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit

C:\Windows\System32\dhcpcore.dll => MD5 is legit

C:\Windows\System32\drivers\afd.sys

[2012-02-15 01:18] - [2010-11-20 01:23] - 0499712 ____A (Microsoft Corporation) D31DC7A16DEA4A9BAF179F3D6FBDB38C

C:\Windows\System32\drivers\tdx.sys => MD5 is legit

C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit

C:\Windows\System32\dnsrslvr.dll => MD5 is legit

C:\Windows\System32\mpssvc.dll => MD5 is legit

C:\Windows\System32\bfe.dll => MD5 is legit

C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit

C:\Windows\System32\SDRSVC.dll => MD5 is legit

C:\Windows\System32\vssvc.exe => MD5 is legit

C:\Windows\System32\wscsvc.dll => MD5 is legit

C:\Windows\System32\wbem\WMIsvc.dll

[2012-12-11 12:06] - [2012-08-21 05:09] - 0219136 ____A (Microsoft Corporation) 136760C1E9697BAF4ECDEAE5590A0806

C:\Windows\System32\wuaueng.dll => MD5 is legit

C:\Windows\System32\qmgr.dll => MD5 is legit

C:\Windows\System32\es.dll => MD5 is legit

C:\Windows\System32\cryptsvc.dll => MD5 is legit

C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\System32\rpcss.dll => MD5 is legit

**** End of log ****


Hi,

Please go to Start=>Run (alternatively use Windows key+R), type regedit and click OK.

Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root

Right-Click Root and select Permissions...

Click Advanced.

Under Owner tab select the entry starting with your user name, example: Farbar(Farbar-PC\Farbar)

Put a check mark next to Replace owner on subcontainers and objects and click Apply.(You will get notified: " Registry Editor could not set owner on the key currently selected, or some of its subkeys")

Repeat this step, this time select Administrators(your pc name\your user name).

Put a check mark next to Replace owner on subcontainers and objects and click Apply (You will get notified: " Registry Editor could not set owner on the key currently selected, or some of its subkeys").

Click OK.

Under Security type while Everyone is selected put a check mark in the box under Allow next to Full Control.

Click Apply and OK.

Download the attached .zip file and then extract all contents to your Desktop so it is easy to find.

Now double-click LEGACY_AFD.reg and confirm the prompt.

Please go back to the Root key again while Everyone is selected, remove the check mark in the box under Allow next to Full Control, and close the registry editor.

Reboot your system.

Once complete and your system has been restarted, check your internet connection and let me know if it is working. If it is not please post a fresh log with Farbar Service Scanner.

LEGACY_AFD.zip


I did as asked and found that afd.sys wasn't detected in Farbar scanner, so I re-used your afd.sys replacement directions again and rebooted after doing your LEGACY_AFD regedit. My internet is now working! I do hope that I didn't do anything wrong and went a little bit ahead. Here is the log after the fact.

Farbar Service Scanner Version: 10-12-2012

Ran by Shen (administrator) on 17-12-2012 at 11:02:29

Running from "C:\Users\Shen\Desktop"

Windows 7 Home Premium Service Pack 1 (X64)

Boot Mode: Normal

****************************************************************

Internet Services:

============

Connection Status:

==============

Localhost is accessible.

LAN connected.

Google IP is accessible.

Google.com is accessible.

Yahoo IP is accessible.

Yahoo.com is accessible.

Windows Firewall:

=============

Firewall Disabled Policy:

==================

System Restore:

============

System Restore Disabled Policy:

========================

Action Center:

============

wscsvc Service is not running. Checking service configuration:

The start type of wscsvc service is OK.

The ImagePath of wscsvc service is OK.

The ServiceDll of wscsvc service is OK.

Windows Update:

============

wuauserv Service is not running. Checking service configuration:

The start type of wuauserv service is OK.

The ImagePath of wuauserv service is OK.

The ServiceDll of wuauserv service is OK.

Windows Autoupdate Disabled Policy:

============================

Windows Defender:

==============

WinDefend Service is not running. Checking service configuration:

The start type of WinDefend service is set to Demand. The default start type is Auto.

The ImagePath of WinDefend service is OK.

The ServiceDll of WinDefend service is OK.

Windows Defender Disabled Policy:

==========================

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]

"DisableAntiSpyware"=DWORD:1

Other Services:

==============

File Check:

========

C:\Windows\System32\nsisvc.dll => MD5 is legit

C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit

C:\Windows\System32\dhcpcore.dll => MD5 is legit

C:\Windows\System32\drivers\afd.sys

[2012-02-15 01:18] - [2010-11-20 01:23] - 0499712 ____A (Microsoft Corporation) D31DC7A16DEA4A9BAF179F3D6FBDB38C

C:\Windows\System32\drivers\tdx.sys => MD5 is legit

C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit

C:\Windows\System32\dnsrslvr.dll => MD5 is legit

C:\Windows\System32\mpssvc.dll => MD5 is legit

C:\Windows\System32\bfe.dll => MD5 is legit

C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit

C:\Windows\System32\SDRSVC.dll => MD5 is legit

C:\Windows\System32\vssvc.exe => MD5 is legit

C:\Windows\System32\wscsvc.dll => MD5 is legit

C:\Windows\System32\wbem\WMIsvc.dll

[2012-12-11 12:06] - [2012-08-21 05:09] - 0219136 ____A (Microsoft Corporation) 136760C1E9697BAF4ECDEAE5590A0806

C:\Windows\System32\wuaueng.dll => MD5 is legit

C:\Windows\System32\qmgr.dll => MD5 is legit

C:\Windows\System32\es.dll => MD5 is legit

C:\Windows\System32\cryptsvc.dll => MD5 is legit

C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\System32\rpcss.dll => MD5 is legit

**** End of log ****


Great!

Please delete the current version of Combofix.exe from your desktop and download a new version from here to your desktop.

Disable your AntiVirus and AntiSpyware applications.

Right-click and Run as Administrator on the Combofix.exe and follow the prompts on your display. When finished, it will create a C:\Combofix.txt. Please post this log for further review.

---------


Everything seems to be running nice and smoothly now

Good to hear. Let's be sure there is not anything hiding still.

I see that your Java software is out of date. Please go to Start >> Control Panel >> Programs and Features >> uninstall all versions of Java.

Now download and install the newest version from here >> http://java.com/en/download/index.jsp

-------------

Clear Java Cache

See this page for instructions on how to clear java's cache.

Go into the Control Panel and double-click the Java Icon. (looks like a coffee cup)

  • Under Temporary Internet Files, click the Delete Files button.
  • There are three options in the window to clear the cache - Leave ALL 3 Checked
    • Downloaded Applets
    • Downloaded Applications
    • Other Files
  • Click OK on Delete Temporary Files Window

    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.

  • Click OK to leave the Java Control Panel.

----------

Download TFC to your desktop

  • Close any open windows.
  • Right-click and Run as Administrator the TFC icon to run the program
  • TFC will close all open programs itself in order to run,
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish its job
  • Once it's finished it should automatically reboot your machine,
  • if it doesn't, manually reboot to ensure a complete clean

----------

Malwarebytes

Please open Malwarebytes, update it and then run a Quick Scan. Save the log that is created for your next reply.

----------

ESET Online Scanner

Go here to run an online scanner from ESET. Windows Vista/Windows 7 users will need to right click on their Internet Explorer shortcut, and select Run as Administrator

  • Note: For browsers other than Internet Explorer, you will be prompted to download and install esetsmartinstaller_enu.exe. Click on the link and save the file to a convenient location. Double click on it to install and a new window will open. Follow the prompts.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan is done, if it shows a screen that says "Threats found!", then click "List of found threats", and then click "Export to text file..."
  • Save that text file on your desktop. Copy and paste the contents of that log as a reply to this topic.
  • Close the ESET online scan, and let me know how things are now.

----------


Ok, Temporary Files asks me to delete Trace and Log Files, Cached Applications and Applets, and Installed Application and Applets. None of which you listed, but I assume it will be the same either way. Also updated Java, and Adobe Flash Player updated too after rebooting from TFC. Here is the Malwarebytes log and ESET threats found. My PC still runs normal, not much problems, and I don't use Firefox too much.

Malwarebytes Anti-Malware (Trial) 1.65.1.1000

www.malwarebytes.org

Database version: v2012.12.18.07

Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 9.0.8112.16421

Shen :: SHEN-PC [administrator]

Protection: Enabled

12/18/2012 2:08:10 PM

mbam-log-2012-12-18 (14-08-10).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 238266

Time elapsed: 5 minute(s), 20 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

C:\Downloads\RockMan X8\RX8DISK1.iso probably a variant of Win32/Agent.KKDOXPA trojan

C:\ProgramData\Microsoft\Windows\DRM\D1D6.tmp.dat a variant of Win32/Kryptik.AQQU trojan

C:\TDSSKiller_Quarantine\14.12.2012_17.09.32\mbr0000\tdlfs0000\tsk0000.dta a variant of Win32/Olmarik.AYI trojan

C:\TDSSKiller_Quarantine\14.12.2012_17.09.32\mbr0000\tdlfs0000\tsk0001.dta a variant of Win64/Olmarik.AM trojan

C:\TDSSKiller_Quarantine\14.12.2012_17.09.32\mbr0000\tdlfs0000\tsk0002.dta a variant of Win32/Rootkit.Kryptik.RG trojan

C:\TDSSKiller_Quarantine\14.12.2012_17.09.32\mbr0000\tdlfs0000\tsk0003.dta Win64/Olmarik.AN trojan

C:\TDSSKiller_Quarantine\14.12.2012_17.09.32\mbr0000\tdlfs0000\tsk0007.dta Win32/Olmarik.AFK trojan

C:\TDSSKiller_Quarantine\14.12.2012_17.09.32\mbr0000\tdlfs0000\tsk0008.dta Win64/Olmarik.AK trojan

C:\Users\All Users\Microsoft\Windows\DRM\D1D6.tmp.dat a variant of Win32/Kryptik.AQQU trojan

C:\Users\Shen\AppData\Roaming\Auslogics\Rescue\One Button Checkup\121214012508588.rsc multiple threats

C:\Users\Shen\AppData\Roaming\Mozilla\Firefox\Profiles\0z20neu4.default\extensions\esrhtpzxqt@esrhtpzxqt.org.xpi JS/Redirector.NCI trojan

C:\Users\Shen\AppData\Roaming\Mozilla\Firefox\Profiles\44bbsx3a.Default User\extensions\esrhtpzxqt@esrhtpzxqt.org.xpi JS/Redirector.NCI trojan

