Jump to content

Rootkit.TDSS Infection!!!!


Recommended Posts

Someone please help!!

I have what seems to be the Rootkit.TDSS infection on my computer. It's allowing various adware to infiltrate, from pop-ups to audio adware pop-ups. It prohibits norton from working, system restore from working, as well as prevents access to the network connection. It took some time to get installed and running, but I ran Malwarebytes and the GMER Rootkit scanner. It may be worth mentioning that it took several attempts to run the Rootkit scanner, as my computer would freeze several times. THANK YOU!

Malwarebytes Log:

Malwarebytes' Anti-Malware 1.44

Database version: 3579

Windows 5.1.2600 Service Pack 3

Internet Explorer 7.0.5730.11

1/18/2010 5:57:45 PM

mbam-log-2010-01-18 (17-57-45).txt

Scan type: Quick Scan

Objects scanned: 122597

Time elapsed: 14 minute(s), 32 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 7

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\h8srtd.sys (Rootkit.TDSS) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Documents and Settings\Ara Ayeras\Local Settings\Temp\H8SRT4ca8.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\h8srtkrl32mainweq.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\H8SRTpamrfprpph.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\H8SRTqjlogvdjkd.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\h8srtshsyst.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\H8SRTwsawqpmyye.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\H8SRTswuthwbrfq.dat (Rootkit.TDSS) -> Quarantined and deleted successfully.

DDS TEXT:

DDS (Ver_09-12-01.01) - NTFSx86

Run by Ara Ayeras at 20:13:22.14 on Sun 01/17/2010

Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_03

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.234 [GMT -6:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Norton Internet Security\Engine\16.7.2.11\ccSvcHst.exe

svchost.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\Program Files\Vongo\VongoService.exe

C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

C:\WINDOWS\system32\mqsvc.exe

C:\WINDOWS\system32\mqtgsvc.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\HP\QuickPlay\QPService.exe

C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Windows Media Player\WMPNSCFG.exe

C:\Program Files\iPod\bin\iPodService.exe

G:\dds.scr

C:\Program Files\Internet Explorer\iexplore.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=pavilion&pf=laptop

uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=pavilion&pf=laptop

uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=pavilion&pf=laptop

uInternet Settings,ProxyOverride = *.local

uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll

BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\16.7.2.11\coIEPlg.dll

BHO: EWPBrowseObject Class: {68f9551e-0411-48e4-9aaf-4bc42a6a46be} - c:\program files\canon\easy-webprint\EWPBrowseLoader.dll

BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\16.7.2.11\IPSBHO.DLL

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll

TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll

TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\16.7.2.11\coIEPlg.dll

uRun: [Aim6]

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1

uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe

mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe

mRun: [igfxpers] c:\windows\system32\igfxpers.exe

mRun: [MsmqIntCert] regsvr32 /s mqrt.dll

mRun: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe

mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"

mRun: [<NO NAME>]

mRun: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start

mRun: [Cpqset] c:\program files\hewlett-packard\default settings\cpqset.exe

mRun: [RecGuard] c:\windows\sminst\RecGuard.exe

mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [userFaultCheck] %systemroot%\system32\dumprep 0 -u

mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

StartupFolder: c:\docume~1\araaye~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe

StartupFolder: c:\docume~1\araaye~1\startm~1\programs\startup\seagat~1.lnk - c:\documents and settings\ara ayeras\application data\leadertech\powerregister\Seagate 2GEWCD5G Product Registration.exe

IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL

Trusted Zone: turbotax.com

DPF: {6F750202-1362-4815-A476-88533DE61D0C} - hxxp://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton internet security\engine\16.7.2.11\CoIEPlg.dll

Notify: igfxcui - igfxdev.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\araaye~1\applic~1\mozilla\firefox\profiles\sfyuwl9v.default\

FF - prefs.js: browser.startup.homepage - www.isohunt.com

FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\coffplgn\components\coFFPlgn.dll

FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\ipsffplgn\components\IPSFFPl.dll

FF - plugin: c:\documents and settings\ara ayeras\application data\mozilla\firefox\profiles\sfyuwl9v.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000006.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll

FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1007020.00b\SymEFA.sys [2010-1-17 310320]

R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\nis\1007020.00b\BHDrvx86.sys [2010-1-17 259632]

R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1007020.00b\cchpx86.sys [2010-1-17 482432]

R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20100116.002\IDSXpx86.sys [2010-1-16 329592]

R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]

R2 Norton Internet Security;Norton Internet Security;c:\program files\norton internet security\engine\16.7.2.11\ccSvcHst.exe [2010-1-17 117640]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-1-16 102448]

R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100117.019\NAVENG.SYS [2010-1-17 84912]

R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100117.019\NAVEX15.SYS [2010-1-17 1323568]

R4 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-1-16 38224]

S3 5U870CAP_VID_1262&PID_25FD;HP Pavilion Webcam ;c:\windows\system32\drivers\5U870CAP.sys [2006-6-6 61952]

=============== Created Last 30 ================

2010-01-18 02:11:54 0 ----a-w- c:\documents and settings\ara ayeras\defogger_reenable

2010-01-16 23:00:20 0 d-----w- c:\program files\Norton Support

2010-01-16 22:51:57 471552 ------w- c:\windows\system32\dllcache\aclayers.dll

2010-01-16 21:22:18 0 d-----w- c:\docume~1\araaye~1\applic~1\Malwarebytes

2010-01-16 20:56:40 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-01-16 20:56:38 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-01-16 20:56:38 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-01-16 20:56:38 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2010-01-16 20:39:18 0 d-----w- c:\program files\CCleaner

2010-01-10 23:01:21 36400 ----a-r- c:\windows\system32\drivers\SymIM.sys

2010-01-10 22:18:48 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF

2010-01-10 22:18:48 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT

2010-01-10 22:18:48 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL

2010-01-10 22:18:48 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS

2010-01-10 22:18:47 0 d-----w- c:\program files\Symantec

2010-01-10 22:16:23 0 d-----w- c:\windows\system32\drivers\NIS

2010-01-10 22:16:09 0 d-----w- c:\program files\Norton Internet Security

2010-01-10 22:12:14 0 d-----w- c:\program files\NortonInstaller

==================== Find3M ====================

2009-10-28 14:36:11 70656 ------w- c:\windows\system32\dllcache\ie4uinit.exe

2009-10-28 14:36:11 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe

2009-10-28 06:54:16 634632 ------w- c:\windows\system32\dllcache\iexplore.exe

2009-10-28 06:52:46 161792 ------w- c:\windows\system32\dllcache\ieakui.dll

2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll

2009-10-21 05:38:36 75776 ------w- c:\windows\system32\dllcache\strmfilt.dll

2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll

2009-10-21 05:38:36 25088 ------w- c:\windows\system32\dllcache\httpapi.dll

2009-10-20 16:20:16 265728 ------w- c:\windows\system32\dllcache\http.sys

2009-04-01 18:30:50 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009040120090402\index.dat

============= FINISH: 20:14:31.78 ===============

Attach.zip

Link to post
Share on other sites

This is interesting. I re-ran malwarebytes and now it does not detect anything. As I said before, it took me several attempts to run the GMER scanner, as my computer would freeze several times. Each time I restarted my computer, I would run malwarebytes, it would find new viruses, I would choose to have them removed, then run GMER. Somewhere during this mess, Norton was able to run. I decided to let it scan and it was able to find a couple viruses, which it quarantined. I did the scan a few more times, and it doesn't seem to find anything else wrong now. I've also tried restarting my computer and re-running malwarebytes a few times, both quick and full scans, and now it seems like there is no more infection. However, I now consistently get the Active Desktop Recovery error on my desktop.

I'm not really sure where to go from here. Should I trust that the infection was cleared by Norton? Why do I get this active desktop recovery error? Should I re-enable the Defogger drivers now?

Thanks for all your help.

Here is the information on what Norton found:

Category: Quarantine

Date & Time,Severity,Activity,Status,Recommended Action,Component,Definitions Version,ERASER Version,Risk Name,Risk Category,Risk Type,Risk State

1/21/2010 12:20 PM,High,JS.SecurityToolFraud.B detected by Auto-Protect,Quarantined,Resolved - No Action,Auto-Protect,2010.01.17.019,109.2.3.12,JS.SecurityToolFraud.B,Heuristic Virus,File Based,Fully removed

1/18/2010 5:33 PM,High,Packed.Generic.277 detected by Auto-Protect,Quarantined,Resolved - No Action,Auto-Protect,2010.01.17.019,109.2.3.12,Packed.Generic.277,Heuristic Virus,File Based,Fully removed

1/18/2010 5:32 PM,High,Hacktool.Rootkit detected by Auto-Protect,Quarantined,Resolved - No Action,Auto-Protect,2010.01.17.019,109.2.3.12,Hacktool.Rootkit,Virus,File Based,Fully removed

1/17/2010 6:13 PM,High,Trojan.FakeAV!gen detected by Virus scanner,Quarantined,Resolved - No Action,Virus scanner,2010.01.16.005,109.2.3.12,Trojan.FakeAV!gen,Heuristic Virus,File Based,Fully removed

Latest Malwarebytes Scan:

Malwarebytes' Anti-Malware 1.44

Database version: 3579

Windows 5.1.2600 Service Pack 3

Internet Explorer 7.0.5730.11

1/22/2010 2:38:31 PM

mbam-log-2010-01-22 (14-38-31).txt

Scan type: Quick Scan

Objects scanned: 122679

Time elapsed: 25 minute(s), 39 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Link to post
Share on other sites

  • Staff

Hi,

I'm not really sure where to go from here. Should I trust that the infection was cleared by Norton?

It was actually already cleared by malwarebytes as I can see in your first log. A reboot and rescan then fixes the rest.

For the active desktop recovery thing, it looks like an active desktop was set here (most probably by malware), but the related active content got deleted.

To fix this, just disable active desktop.

* Go to start > control panel > Display properties > Desktop > Customize Desktop... > Web tab

Select everything you find in there (except for "My current home page") and press the delete button on the right.

Then, to disable active desktop, make sure all checkboxes in this window are un-checked.

Hit ok below > apply in previous window.

If that didn't work, do the following instead..

Go to start > run and copy and paste next command in the field:

regedit /e C:\backupdesktop.reg "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop"

This will create a backup first (you won't see it do anything, it will just place the backupdesktop.reg on your C:\ as a backup.

Then, Open notepad and copy and paste next present in the quotebox below in it:

(don't forget to copy and paste REGEDIT4)

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components]

"DeskHtmlVersion"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\SafeMode\Components]

"DeskHtmlVersion"=dword:00000000

Save this as fix.reg Choose to save as *all files and place it on your desktop.

It should look like this: reg.gif

Doubleclick on it and when it asks you if you want to merge the contents to the registry, click yes/ok.

Let me know if that fixed it.

Link to post
Share on other sites

Your instructions worked perfectly! I was wondering, is it common for viruses to respawn and take several scans to finally remove completely? Because I ran malwarebytes several times and each time it would keep finding some variant of rootkit.tdss.

Should I go ahead and re-enable the defogger drivers?

Also, are there any good programs you would suggest to help clean up and speed up my computer? It's about as fast as a rock and there seems to be a lot of background nonsense that I try to stop from running by disabling them in the startup list but they keep coming back.

Thank you for all your help!

Link to post
Share on other sites

  • Staff

Hi,

Yes, especially for this variant, it requires multiple scans, so the malware doesn't have the time to reload again. The way to deal with this one is a scan, then followed with an immediate reboot and then a scan or two again until the scan triggers the other malicious components, which it did in your case. Once it can trigger these, then a final scan will kill the infection.

No need for defogger anymore.

Please read my Prevention page with lots of info and tips how to prevent this in the future.

And if you want to improve speed/system performance after malware removal, take a look here.

Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again! :)

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.