
Resistant Rootkit.Agent



After a malware infection, Malwarebytes successfully removed all threats except these two:

Rootkit.Agent (category File) c:\WINDOWS\system32\ipsecndis.sys

Rootkit.Agent (category File) c:\WINDOWS\system32\Drivers\ntndis.sys

The action supposedly taken by Malwarebytes (delete on reboot) never takes place and the two infected files (which are hidden in such a manner they can't be located where they're supposed to be) still remain. Currently I have disabled WiFi on my infected laptop; if Internet connection is enabled, in some minutes another threat (called Gootkit if I remember well) is detected by Malwarebytes.

I've attached the log created by GMER. As far as I can see, the stuff under the files section is harmless material (SVN auxiliary files), don't really know why GMER spotted them.

Thank you,

attach.zip


Hello joaquin! Welcome to MalwareBytes' Anti-Malware Forums!

My name is Borislav and I will be glad to help you solve your problems with malware. Before we begin, please note the following:

  • The process of cleaning your system may take some time, so please be patient.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
  • Instructions that I give are for your system only!
  • If you don't know or can't understand something please ask.
  • Do not install or uninstall any software or hardware while we work on this.

Step 1:

  • Launch Malwarebytes' Anti-Malware
  • Go to "Update" tab and select "Check for Updates". If an update is found, it will download and install the latest version.
  • Go to "Scanner" tab and select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Step 2:

Download DDS and save it to your desktop from here or here or here.

Double click dds.scr to run the tool.

  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop. Post them back to your topic.

In your next reply, please include these log(s) in this sequence:

  1. MalwareBytes' Anti-Malware log
  2. DDS log with Attach.txt


Don't worry!

Step 1

Please, uninstall the following applications:

  1. Adobe Reader 7.0 - Español
  2. Adobe Reader 7.0.5 - Español

You can read how to do this in:

Step 2

Please go into the Control Panel, Add/Remove and for now remove ALL versions of JAVA

Then run this tool to help cleanup any left over Java

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please download JavaRa and unzip it to your desktop.

***Please close any instances of Internet Explorer (or other web browser) before continuing!***

  • Double-click on JavaRa.exe to start the program.
  • From the drop-down menu, choose English and click on Select.
  • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location and post it back when you reply.
  • Then look for the following Java folders and if found delete them:
    C:\Program Files\Java
    C:\Program Files\Common Files\Java
    C:\Windows\Sun
    C:\Documents and Settings\All Users\Application Data\Java
    C:\Documents and Settings\All Users\Application Data\Sun\Java
    C:\Documents and Settings\username\Application Data\Java
    C:\Documents and Settings\username\Application Data\Sun\Java

Step 3

**Note: If you need more detailed information, please visit the web page of ComboFix in BleepingComputer. **

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper.

Please download ComboFix from

Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  1. If you are using Firefox, make sure that your download settings are as follows:
    • Open Tools -> Options -> Main tab
    • Set to Always ask me where to Save the files.
  2. During the download, rename Combofix to Combo-Fix as follows:
     (screenshots: CF_download_FF.gif, CF_download_rename.gif)
  3. It is important you rename Combofix during the download, but not after.
  4. Please do not rename Combofix to other names, but only to the one indicated.
  5. Close any open browsers.
  6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause unpredictable results.
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

-----------------------------------------------------------

  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

  7. Double click on combo-Fix.exe & follow the prompts.
  8. When finished, it will produce a report for you.
  9. Please post the C:\Combo-Fix.txt for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

In your next reply, please include these log(s) in this sequence:

  1. JavaRa log
  2. ComboFix log


Hi, this is how it went:

Step 1: No problem.

Step 2: I uninstalled J2SE (v 5.0 if I remember well) and then proceeded to enable WiFi to try to download JavaRa. When I did this, however, infections began to crop up and DNS stopped working, so that I couldn't finally download JavaRa. I disabled WiFi again and ran MBAM, which detected several instances of Trojan.Gootkit, removed them and rebooted the machine (log attached). I downloaded JavaRa in a clean computer, transferred it with a memory stick to the infected laptop and ran it as instructed, log attached. I also manually looked for the indicated folders and deleted them when found.

Step 3: I downloaded ComboFix as instructed directly into my infected laptop (I had to temporarily re-enable Wifi on it to do that) and ran it. During the process ComboFix detected rootkit activity and rebooted the machine. Produced log attached.

mbam_log_2010_05_23__11_59_37_.txt

JavaRa.txt

Combo_Fix.txt


After six hours or so of scanning, when it seemed about to finish, GMER got stuck and became unresponsive, and further attempts to close it or shut down the system didn't work. I rebooted the hard way and produced a GMER log with all the options except IAT/EAT and Files (the latter being the culprit for the process taking hours). Log attached. As I'm writing this I've initiated another full scan with Files included, just in case it manages to complete successfully (in six hours); please tell me if we should wait or whether we can progress from the limited log attached here.

GMER.txt


Please keep your Wi-Fi turned on while we work, so we can see when there is a change. Please turn it on and let's check what the situation is.

OK, I canceled the GMER scan, turned WiFi on and did a fast analysis with MBAM, which yielded 5 infected objects, including the resistant ipsecndis and ntndis. Log attached. Awaiting your instructions :D Thank you for your help.

mbam_log_2010_05_23__18_32_46_.txt


Step 1

Download RootRepeal Beta on your desktop.

  • Double click RootRepeal.exe to start the program
  • Click on the Report tab at the bottom of the program window
  • Click the Scan button
  • In the Select Scan dialog, check:
    • Drivers
    • Files
    • Processes
    • SSDT
    • Stealth Objects
    • Hidden Services
  • Click the OK button
  • In the next dialog, select all drives showing
  • Click OK to start the scan
    Note: The scan can take some time. DO NOT run any other programs while the scan is running.
  • When the scan is complete, the Save Report button will become available
  • Click this and save the report to your Desktop as RootRepeal.txt
  • Go to File, then Exit to close the program

If the report is not too long, post the contents of RootRepeal.txt in your next reply. If the report is very long, it will not be complete if you post it, so please attach it to your reply instead.

Step 2

Delete your copy of ComboFix and then:

**Note: If you need more detailed information, please visit the web page of ComboFix in BleepingComputer. **

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper.

Please download ComboFix from

Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  1. If you are using Firefox, make sure that your download settings are as follows:
    • Open Tools -> Options -> Main tab
    • Set to Always ask me where to Save the files.
  2. During the download, rename Combofix to Combo-Fix as follows:
     (screenshots: CF_download_FF.gif, CF_download_rename.gif)
  3. It is important you rename Combofix during the download, but not after.
  4. Please do not rename Combofix to other names, but only to the one indicated.
  5. Close any open browsers.
  6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause unpredictable results.
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

-----------------------------------------------------------

  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

  7. Double click on combo-Fix.exe & follow the prompts.
  8. When finished, it will produce a report for you.
  9. Please post the C:\Combo-Fix.txt for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

In your next reply, please include these log(s) in this sequence:

  1. RootRepeal log
  2. ComboFix log


I can't download directly into my infected computer because by now DNS is non-working (it works again after MBAM disinfection, but I refrained from doing so, so as to keep to your instructions). Instead I downloaded it on a clean computer, transferred it with a memory stick and launched it as instructed; after some minutes of work the program got stuck and is unresponsive. The likely reason for this is (in my opinion) that it's listing thousands of hidden files and it ran out of internal resources or something. As for the huge numbers of hidden files reported, the reason is that I have some very big SVN projects which typically create large numbers of hidden files for instrumentation purposes. I think these files are harmless, in any case.

Shall I rerun RootRepeal without checking the Files section? Shall I delete those folders and try again?


While waiting for your instructions on this one, I disabled WiFi (given that DNS is not working I feel it safer to disconnect the laptop from the Internet) and tried the following:

1. Run a RootRepeal scan with the following sections:

  • Drivers
  • Processes
  • SSDT
  • Stealth Objects
  • Hidden Services

That is, the sections you mentioned except Files. RootRepeal crashed within the SSDT section.

2. Run a RootRepeal scan with the following sections:

  • Drivers
  • Processes
  • Stealth Objects
  • Hidden Services

That is, as in 1 but without SSDT. The report produced was:

ROOTREPEAL © AD, 2007-2010

==================================================

Report Save Time: 2010/05/23 19:46

Program Version: Version 2.0.0.0

Windows Version: Windows XP Media Center Edition SP2

==================================================

DRIVERS

-------------------

Hidden <empty> 0x00000000 <empty>, 4084 bytes

File Invisible dump_atapi.sys 0xf4050000 C:\WINDOWS\System32\Drivers\dump_atapi.sys, 98304 bytes

File Invisible dump_WMILIB.SYS 0xf7b2c000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS, 8192 bytes

File Invisible rootrepeal.sys 0xb9837000 C:\WINDOWS\system32\drivers\rootrepeal.sys, 49152 bytes

PROCESSES

-------------------

4 - System

392 - C:\Program Files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE

516 - C:\WINDOWS\system32\smss.exe

544 - C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe

576 - C:\WINDOWS\system32\csrss.exe

604 - C:\WINDOWS\system32\winlogon.exe

648 - C:\WINDOWS\system32\services.exe

664 - C:\WINDOWS\system32\lsass.exe

848 - C:\WINDOWS\system32\svchost.exe

896 - C:\WINDOWS\system32\svchost.exe

956 - C:\WINDOWS\system32\svchost.exe

1024 - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

1088 - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

1140 - C:\WINDOWS\system32\svchost.exe

1220 - C:\WINDOWS\system32\svchost.exe

1264 - C:\WINDOWS\system32\nvsvc32.exe

1312 - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

1412 - C:\WINDOWS\system32\svchost.exe

1440 - C:\WINDOWS\system32\spoolsv.exe

1480 - C:\WINDOWS\system32\scardsvr.exe

1532 - C:\WINDOWS\system32\svchost.exe

1572 - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe

1584 - C:\WINDOWS\system32\svchost.exe

1628 - C:\WINDOWS\system32\wscntfy.exe

1684 - C:\WINDOWS\system32\wdfmgr.exe

1736 - C:\Program Files\Sony\VAIO Event Service\VESMgr.exe

1844 - C:\WINDOWS\ehome\ehrecvr.exe

1880 - C:\WINDOWS\ehome\ehSched.exe

1924 - C:\WINDOWS\system32\gearsec.exe

1976 - C:\WINDOWS\explorer.exe

2000 - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe

2272 - C:\WINDOWS\ehome\mcrdsvc.exe

2552 - C:\WINDOWS\system32\wuauclt.exe

2600 - C:\Program Files\TortoiseSVN\bin\TSVNCache.exe

2624 - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe

2700 - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe

3180 - C:\WINDOWS\system32\dllhost.exe

3436 - C:\WINDOWS\system32\alg.exe

3468 - C:\WINDOWS\system32\svchost.exe

3476 - C:\WINDOWS\system32\svchost.exe

3484 - C:\WINDOWS\system32\svchost.exe

3492 - C:\WINDOWS\system32\svchost.exe

5320 - C:\WINDOWS\system32\wbem\wmiprvse.exe

5416 - C:\WINDOWS\system32\wuauclt.exe

5504 - C:\Documents and Settings\Joaqu


Hi again, this is how step 2 went:

Step 2: As my infected laptop didn't have a properly running DNS service, I had to do a fast analysis with MBAM to restore the machine to a more or less working condition (log attached). Then I proceeded with the rest of step 2 as instructed. The produced log is attached.

mbam_log_2010_05_24__19_08_17_.txt

Combo_Fix.txt


Please read the following through carefully so that you understand what to do.

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK. (If Vista, click on the Vista Orb and copy and paste the following into the Search field. (make sure you include the quotation marks) Then press Ctrl+Shift+Enter.)
    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v
  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • It may ask you to reboot the computer to complete the process. Allow it to do so.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents of that file here.


Did as instructed. No hidden services detected, no need to reboot the system. Log follows:

19:56:09:339 5356 TDSS rootkit removing tool 2.3.0.0 May 12 2010 18:11:17

19:56:09:339 5356 ================================================================================

19:56:09:339 5356 SystemInfo:

19:56:09:339 5356 OS Version: 5.1.2600 ServicePack: 2.0

19:56:09:339 5356 Product type: Workstation

19:56:09:339 5356 ComputerName: YOUR-5E21EC80DE

19:56:09:339 5356 UserName: Joaqu


Please follow these instructions:

http://www.updatexp.com/scannow-sfc.html

Then delete your copy of ComboFix and:

**Note: If you need more detailed information, please visit the web page of ComboFix in BleepingComputer. **

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper.

Please download ComboFix from

Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  1. If you are using Firefox, make sure that your download settings are as follows:
    • Open Tools -> Options -> Main tab
    • Set to Always ask me where to Save the files.
  2. During the download, rename Combofix to Combo-Fix as follows:
     (screenshots: CF_download_FF.gif, CF_download_rename.gif)
  3. It is important you rename Combofix during the download, but not after.
  4. Please do not rename Combofix to other names, but only to the one indicated.
  5. Close any open browsers.
  6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause unpredictable results.
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

-----------------------------------------------------------

  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

  7. Double click on combo-Fix.exe & follow the prompts.
  8. When finished, it will produce a report for you.
  9. Please post the C:\Combo-Fix.txt for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**


Please post a new fresh RootRepeal log.

Here it is. Note that I did not include the following in the report:

* Files (too many otherwise harmless hidden files; the tool gets stuck after some scanning)

* SSDT (crashes if this is included)

* Shadow SSDT, Callbacks (you didn't request those yesterday).

Log follows. If you want I can try with some other scanner of your choice.

ROOTREPEAL © AD, 2007-2010

==================================================

Report Save Time: 2010/05/24 22:12

Program Version: Version 2.0.0.0

Windows Version: Windows XP Media Center Edition SP2

==================================================

DRIVERS

-------------------

File Invisible catchme.sys 0xf7892000 C:\DOCUME~1\JOAQUN~1\LOCALS~1\Temp\catchme.sys, 31744 bytes

File Invisible dump_atapi.sys 0xf3eb2000 C:\WINDOWS\System32\Drivers\dump_atapi.sys, 98304 bytes

File Invisible dump_WMILIB.SYS 0xf7afc000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS, 8192 bytes

File Invisible mbr.sys 0xf78c2000 C:\DOCUME~1\JOAQUN~1\LOCALS~1\Temp\mbr.sys, 20864 bytes

File Invisible PROCEXP113.SYS 0xf7b94000 C:\WINDOWS\system32\Drivers\PROCEXP113.SYS, 7872 bytes

File Invisible rootrepeal.sys 0xb9837000 C:\WINDOWS\system32\drivers\rootrepeal.sys, 49152 bytes

PROCESSES

-------------------

4 - System

136 - C:\WINDOWS\system32\nvsvc32.exe

192 - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

292 - C:\WINDOWS\system32\svchost.exe

332 - C:\WINDOWS\system32\svchost.exe

360 - C:\WINDOWS\system32\wdfmgr.exe

368 - C:\Program Files\Sony\VAIO Event Service\VESMgr.exe

440 - C:\WINDOWS\system32\smss.exe

508 - C:\WINDOWS\system32\csrss.exe

532 - C:\WINDOWS\system32\winlogon.exe

580 - C:\WINDOWS\system32\services.exe

596 - C:\WINDOWS\system32\lsass.exe

720 - C:\WINDOWS\ehome\mcrdsvc.exe

724 - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe

740 - C:\WINDOWS\explorer.exe

768 - C:\WINDOWS\system32\svchost.exe

832 - C:\WINDOWS\system32\svchost.exe

872 - C:\WINDOWS\system32\svchost.exe

920 - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

956 - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

992 - C:\WINDOWS\system32\svchost.exe

1108 - C:\WINDOWS\system32\svchost.exe

1264 - C:\WINDOWS\system32\spoolsv.exe

1304 - C:\WINDOWS\system32\scardsvr.exe

1360 - C:\WINDOWS\system32\svchost.exe

1508 - C:\WINDOWS\ehome\ehrecvr.exe

1528 - C:\WINDOWS\ehome\ehSched.exe

1676 - C:\WINDOWS\system32\gearsec.exe

1744 - C:\Program Files\TortoiseSVN\bin\TSVNCache.exe

1936 - C:\Program Files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE

2000 - C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe

2204 - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe

2260 - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe

2672 - C:\WINDOWS\system32\dllhost.exe

2848 - C:\WINDOWS\system32\wscntfy.exe

2888 - C:\WINDOWS\system32\alg.exe

3472 - C:\WINDOWS\system32\wuauclt.exe

4740 - C:\WINDOWS\system32\svchost.exe

4868 - C:\Documents and Settings\Joaqu

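The two RootRepeal reports posted above (the earlier one and this one) are mostly read by eye in the thread. The script below is an added example, not part of the thread or of RootRepeal: it parses the DRIVERS section of a RootRepeal 2.0 report, flags entries the scanner marked Hidden or that have no on-disk name (the unnamed 4084-byte entry in the first report is the one a helper would look at first), and lists which driver names appear only in the later report. The embedded excerpts are copied from the two reports in this thread; the list of tool drivers treated as expected (rootrepeal.sys, catchme.sys, mbr.sys, PROCEXP113.SYS) and the "dump_" rule are assumptions for this case.

```python
"""Triage helper for the DRIVERS section of RootRepeal 2.0 reports.
Added example for this thread; not RootRepeal's own code."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Excerpts copied from the two reports in the thread, cut after PROCESSES begins.
REPORT_1 = r"""
ROOTREPEAL (c) AD, 2007-2010
==================================================
Report Save Time: 2010/05/23 19:46
DRIVERS
-------------------
Hidden <empty> 0x00000000 <empty>, 4084 bytes
File Invisible dump_atapi.sys 0xf4050000 C:\WINDOWS\System32\Drivers\dump_atapi.sys, 98304 bytes
File Invisible dump_WMILIB.SYS 0xf7b2c000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS, 8192 bytes
File Invisible rootrepeal.sys 0xb9837000 C:\WINDOWS\system32\drivers\rootrepeal.sys, 49152 bytes
PROCESSES
-------------------
4 - System
"""
REPORT_2 = r"""
Report Save Time: 2010/05/24 22:12
DRIVERS
-------------------
File Invisible catchme.sys 0xf7892000 C:\DOCUME~1\JOAQUN~1\LOCALS~1\Temp\catchme.sys, 31744 bytes
File Invisible dump_atapi.sys 0xf3eb2000 C:\WINDOWS\System32\Drivers\dump_atapi.sys, 98304 bytes
File Invisible dump_WMILIB.SYS 0xf7afc000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS, 8192 bytes
File Invisible mbr.sys 0xf78c2000 C:\DOCUME~1\JOAQUN~1\LOCALS~1\Temp\mbr.sys, 20864 bytes
File Invisible PROCEXP113.SYS 0xf7b94000 C:\WINDOWS\system32\Drivers\PROCEXP113.SYS, 7872 bytes
File Invisible rootrepeal.sys 0xb9837000 C:\WINDOWS\system32\drivers\rootrepeal.sys, 49152 bytes
PROCESSES
-------------------
4 - System
"""

# One driver line: "<status> <name> <base address> <path>, <size> bytes"
DRIVER_RE = re.compile(
    r"^(?P<status>[A-Za-z]+(?: [A-Za-z]+)?)\s+"   # Hidden, File Invisible, ...
    r"(?P<name>\S+)\s+(?P<base>0x[0-9A-Fa-f]+)\s+"
    r"(?P<path>.+?),\s*(?P<size>\d+) bytes$"
)
SECTION_RE = re.compile(r"^[A-Z][A-Z ]+$")         # e.g. PROCESSES, STEALTH OBJECTS

# Assumption for this thread: drivers belonging to the anti-rootkit tools that were run
# (RootRepeal, ComboFix's catchme/mbr components, Process Explorer 11.3).
KNOWN_TOOL_DRIVERS = {"rootrepeal.sys", "catchme.sys", "mbr.sys", "procexp113.sys"}


@dataclass(frozen=True)
class DriverEntry:
    status: str
    name: str
    base: int
    path: str
    size: int


def parse_drivers(report: str) -> list[DriverEntry]:
    """Return the entries of the DRIVERS section, stopping at the next section header."""
    entries: list[DriverEntry] = []
    in_drivers = False
    for raw in report.splitlines():
        line = raw.strip()
        if not line or line.startswith("---") or line.startswith("==="):
            continue
        if line == "DRIVERS":
            in_drivers = True
            continue
        if not in_drivers:
            continue
        if SECTION_RE.match(line):
            break
        m = DRIVER_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised DRIVERS line: {line!r}")
        entries.append(DriverEntry(m["status"], m["name"], int(m["base"], 16),
                                   m["path"], int(m["size"])))
    return entries


def classify(e: DriverEntry) -> str:
    """'suspicious' for unnamed/hidden entries, 'expected' for known tool and crash-dump
    drivers (assumptions above), 'review' for anything else."""
    if e.status == "Hidden" or e.name == "<empty>" or e.base == 0:
        return "suspicious"          # not reachable through the normal driver list
    n = e.name.lower()
    if n.startswith("dump_") or n in KNOWN_TOOL_DRIVERS:
        return "expected"            # dump_*: Windows crash-dump copies of disk-stack drivers
    return "review"


def triage(report: str) -> dict[str, list[str]]:
    """Group driver names of one report by classify() label."""
    groups: dict[str, list[str]] = {"suspicious": [], "expected": [], "review": []}
    for e in parse_drivers(report):
        groups[classify(e)].append(e.name)
    return groups


def new_drivers(old: list[DriverEntry], new: list[DriverEntry]) -> list[str]:
    """Driver names present in the later report but absent from the earlier one."""
    seen = {e.name.lower() for e in old}
    return sorted((e.name for e in new if e.name.lower() not in seen), key=str.lower)


if __name__ == "__main__":
    print("report 1:", triage(REPORT_1))
    print("report 2:", triage(REPORT_2))
    print("only in report 2:", new_drivers(parse_drivers(REPORT_1), parse_drivers(REPORT_2)))
```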

  • Launch Malwarebytes' Anti-Malware
  • Go to "Update" tab and select "Check for Updates". If an update is found, it will download and install the latest version.
  • Go to "Scanner" tab and select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


To be sure of this, let's check:

ESET Online Scanner

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You may however need to disable your currently installed Anti-Virus; how to do so can be read here.

  • Please go here then click on: EOLS1.gif
  • Select the option YES, I accept the Terms of Use then click on: EOLS2.gif
  • When prompted allow the Add-On/Active X to install.
  • Now click on Advanced Settings and select the following:
    • Remove found threats
    • Scan archives
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: EOLS3.gif
  • The virus signature database... will begin to download. Be patient, this may take some time depending on the speed of your Internet Connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
  • Now click on: EOLS4.gif
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.

Note: Do not forget to re-enable your Anti-Virus application after running the above scan!
