Windows 7 Forums

Welcome to Windows 7 Forums. Our forum is dedicated to helping you find support and solutions for any problems regarding your Windows 7 PC be it Dell, HP, Acer, Asus or a custom build. We also provide an extensive Windows 7 tutorial section that covers a wide range of tips and tricks.


Windows 7: Multiple serious infections

09 Aug 2012   #1
gregrocker

 
Multiple serious infections

Trying to help a friend whose system was frozen with files hidden. Avast boot scan found numerous infections which it doesn't seem to fix since I've run it three times. So did Combofix after rKill, which unhid the files and otherwise restored performance. Still we get a popup at every boot from PC Optimizer Pro claiming numerous infections.

Avast boot scan log:
Code:
10/26/2011 17:41
Scan of all local drives

File C:\Users\David\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\17\3ef65551-76154ae1|>rotor\zalux$zordo.class is infected by Java:Agent-TB [Expl], Deleted
File C:\Users\David\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\17\3ef65551-76154ae1|>rotor\zalux.class is infected by Java:Agent-WY [Expl], Deleted

----------------------------------------
08/08/2012 20:38
Scan of all local drives

File C:\ProgramData\IzoeBi1ZSaHfSx.exe is infected by Win32:Dropper-gen [Drp], Deleted
File C:\Users\David\AppData\Local\myoieyec.exe is infected by Win32:MalOb-GF [Cryp], Deleted
File C:\Users\David\AppData\Local\Temp\eEPJSrKBEl07iN.exe.tmp is infected by Win32:Rootkit-gen [Rtk], Deleted
File C:\Users\David\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\18\39db9912-13fb5790 is infected by Win32:MalOb-GF [Cryp], Deleted
Number of searched folders: 44301
Number of tested files: 265580
Number of infected files: 4

----------------------------------------
08/09/2012 10:03
Scan of all local drives

File C:\ProgramData\AVAST Software\Avast\log\unp192751541.tmp.mdmp is infected by MBR:Alureon-K [Rtk], Repair: Error 42060 {The file was not repaired.}, Move to chest: Error 0xC000007B {Bad Image}, Delete: Error 0xC0000034 {Object Name not found.}, Delete: Error 0xC0000034 {Object Name not found.}, Delete: Error 0xC0000034 {Object Name not found.}, Move to chest: Error 0xC0000034 {Object Name not found.}
File C:\ProgramData\AVAST Software\Avast\log\ Error 0xC000000D {An invalid parameter was passed to a service or function.}
File C:\ProgramData\AVAST Software\Avast\log\unp49058768.tmp.mdmp is infected by MBR:Alureon-K [Rtk], Deleted
File C:\ProgramData\AVAST Software\Avast\log\unp53929307.tmp.mdmp is infected by MBR:Alureon-K [Rtk], Deleted
File C:\ProgramData\AVAST Software\Avast\log\unp70394681.tmp.mdmp is infected by MBR:Alureon-K [Rtk], Deleted
File C:\ProgramData\AVAST Software\Avast\log\unp80668799.tmp.mdmp is infected by MBR:Alureon-K [Rtk], Deleted
File C:\Users\David\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\17\3ef65551-76154ae1|>rotor\Glocker.class is infected by Java:Agent-ZY [Expl], Deleted
File C:\Users\David\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\17\3ef65551-76154ae1|>rotor\zalux$1.class is infected by Java:Agent-ZX [Expl], Deleted
File C:\Users\David\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\17\3ef65551-76154ae1|>rotor\Zo666.class is infected by Java:Agent-ZZ [Expl], Deleted
File C:\Users\David\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\17\3ef65551-76154ae1|>rotor\Zom.class is infected by Java:Agent-ZW [Expl], Deleted
File C:\Users\David\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\17\3ef65551-76154ae1|>rotor\Zom2.class is infected by Java:Agent-ATN [Expl], Deleted
File C:\Users\David\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\30\10bca31e-7083159b|>xmltree\armin.class is infected by Java:Agent-AIY [Expl], Deleted
File C:\Users\David\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\30\10bca31e-7083159b|>xmltree\erandus.class is infected by Java:Agent-AIZ [Expl], Deleted
File C:\Users\David\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\30\10bca31e-7083159b|>xmltree\lindsa.class is infected by Java:Agent-AJA [Expl], Deleted
File C:\Users\David\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\30\10bca31e-7083159b|>xmltree\opkat.class is infected by Java:Agent-AIX [Expl], Deleted
File C:\Users\David\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\30\10bca31e-7083159b|>xmltree\oplef.class is infected by Java:Agent-AJC [Expl], Deleted
File C:\Users\David\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\30\10bca31e-7083159b|>xmltree\rekona.class is infected by Java:Agent-AJB [Expl], Deleted
File C:\Users\David\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\44\300446c-1c88125b|>Wiki.class is infected by Java:Agent-AOY [Trj], Deleted
File C:\Users\David\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\60\4911143c-1642ce2b|>notana.class is infected by Java:Agent-ANE [Expl], Deleted
File C:\Users\David\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\62\5b0baa7e-7e37a8aa|>main.class is infected by Java:Agent-AXI [Expl], Deleted
File C:\Windows\temp\_avast_\unp231066075.tmp|>nsis.hdr is infected by NSIS:Malware-gen [Trj], Deleted
Number of searched folders: 15948
Number of tested files: 453402
Number of infected files: 20
Even after all scans a popup appears at every boot on desktop for PC Optimizer Pro saying there are numerous Critical errors found. I have uninstalled PCOP in Control Panel but it persists.

So I run rkill followed by Combofix. As Combofix is loading I get a popup from Avast saying rootkit found MBR:Alureo whose file name is Rootkit.narr. It wants me to Delete it and run the Boot scan again.

Combofix report:
Code:
ComboFix 12-08-09.01 - David 08/09/2012  11:31:56.2.2 - x86
Microsoft Windows 7 Ultimate   6.1.7601.1.1252.1.1033.18.2975.2120 [GMT -7:00]
Running from: c:\users\David\Desktop\svchost.exe.exe
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\David\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Check
.
---- Previous Run -------
.
c:\users\David\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\PC Optimizer Pro.lnk
c:\users\David\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Check\System Check.lnk
c:\users\David\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Check\Uninstall System Check.lnk
c:\users\David\Desktop\System Check.lnk
.
.
(((((((((((((((((((((((((   Files Created from 2012-07-09 to 2012-08-09  )))))))))))))))))))))))))))))))
.
.
2012-08-09 05:48 . 2012-07-16 09:41    6891424    ----a-w-    c:\programdata\Microsoft\Windows Defender\Definition Updates\{AFD2CF20-1D69-4B5A-90E5-AEFC5E1D024A}\mpengine.dll
2012-08-09 04:14 . 2012-08-09 04:14    --------    d-----w-    c:\windows\Microsoft Antimalware
2012-08-09 04:14 . 2012-08-09 04:14    --------    d-----w-    c:\windows\Windows Defender Offline
2012-08-09 03:34 . 2012-08-09 05:45    --------    d-----w-    C:\ComboFix
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-03 16:21 . 2011-04-09 04:54    54232    ----a-w-    c:\windows\system32\drivers\aswTdi.sys
2012-07-03 16:21 . 2012-03-24 00:31    44784    ----a-w-    c:\windows\system32\drivers\aswRdr2.sys
2012-07-03 16:21 . 2011-04-09 04:54    21256    ----a-w-    c:\windows\system32\drivers\aswFsBlk.sys
2012-07-03 16:21 . 2011-04-09 04:54    353688    ----a-w-    c:\windows\system32\drivers\aswSP.sys
2012-07-03 16:21 . 2011-04-09 04:54    721000    ----a-w-    c:\windows\system32\drivers\aswSnx.sys
2012-07-03 16:21 . 2011-04-09 04:54    57656    ----a-w-    c:\windows\system32\drivers\aswMonFlt.sys
2012-07-03 16:21 . 2011-04-09 04:53    41224    ----a-w-    c:\windows\avastSS.scr
2012-07-03 16:21 . 2011-04-09 04:53    227648    ----a-w-    c:\windows\system32\aswBoot.exe
2012-05-31 19:25 . 2011-04-09 01:31    237072    ------w-    c:\windows\system32\MpSigStub.exe
2012-03-26 01:47 . 2011-05-31 05:55    97208    ----a-w-    c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((   SnapShot@2012-08-09_06.29.59   )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-08-09 15:09 . 2012-06-02 22:19    45080              c:\windows\winsxs\x86_microsoft-windows-w..wsupdateclient-core_31bf3856ad364e35_7.6.7600.256_none_79d6786e99338140\wups2.dll
+ 2012-08-09 15:09 . 2012-06-02 22:19    53784              c:\windows\winsxs\x86_microsoft-windows-w..wsupdateclient-core_31bf3856ad364e35_7.6.7600.256_none_79d6786e99338140\wuauclt.exe
+ 2012-08-09 15:09 . 2012-06-02 22:12    33792              c:\windows\winsxs\x86_microsoft-windows-w..pdateclient-activex_31bf3856ad364e35_7.6.7600.256_none_09f272fb52ab0c3f\wuapp.exe
+ 2012-08-09 15:09 . 2012-06-02 22:19    35864              c:\windows\winsxs\x86_microsoft-windows-w..owsupdateclient-aux_31bf3856ad364e35_7.6.7600.256_none_5fe7b2baacf3da43\wups.dll
+ 2012-08-09 15:09 . 2012-06-02 22:12    88576              c:\windows\winsxs\x86_microsoft-windows-w..owsupdateclient-aux_31bf3856ad364e35_7.6.7600.256_none_5fe7b2baacf3da43\wudriver.dll
+ 2009-07-13 23:47 . 2009-07-14 01:16    47104              c:\windows\winsxs\x86_microsoft-windows-tabletpc-journal_31bf3856ad364e35_6.1.7601.21955_none_1a1855541c176f4a\NBMapTIP.dll
+ 2009-07-13 23:47 . 2009-07-14 01:16    47104              c:\windows\winsxs\x86_microsoft-windows-tabletpc-journal_31bf3856ad364e35_6.1.7601.17803_none_19c2c79102d3111d\NBMapTIP.dll
+ 2009-07-13 23:47 . 2009-07-14 01:16    47104              c:\windows\winsxs\x86_microsoft-windows-tabletpc-journal_31bf3856ad364e35_6.1.7600.21179_none_18202fda1efdd6b7\NBMapTIP.dll
+ 2009-07-13 23:47 . 2009-07-14 01:16    47104              c:\windows\winsxs\x86_microsoft-windows-tabletpc-journal_31bf3856ad364e35_6.1.7600.16988_none_178aeab705e90645\NBMapTIP.dll
+ 2009-07-13 23:47 . 2009-07-14 01:15    22528              c:\windows\winsxs\x86_microsoft-windows-t..ournalnotewriterqfe_31bf3856ad364e35_6.1.7601.21955_none_4fff0713f624080b\jnwppr.dll
+ 2009-07-13 23:47 . 2009-07-14 01:15    19968              c:\windows\winsxs\x86_microsoft-windows-t..ournalnotewriterqfe_31bf3856ad364e35_6.1.7601.21955_none_4fff0713f624080b\jnwmon.dll
+ 2009-07-13 23:47 . 2009-07-14 01:15    84480              c:\windows\winsxs\x86_microsoft-windows-t..ournalnotewriterqfe_31bf3856ad364e35_6.1.7601.21955_none_4fff0713f624080b\jnwdui.dll
+ 2009-07-13 23:47 . 2009-07-14 01:15    22528              c:\windows\winsxs\x86_microsoft-windows-t..ournalnotewriterqfe_31bf3856ad364e35_6.1.7601.17803_none_4fa97950dcdfa9de\jnwppr.dll
+ 2009-07-13 23:47 . 2009-07-14 01:15    19968              c:\windows\winsxs\x86_microsoft-windows-t..ournalnotewriterqfe_31bf3856ad364e35_6.1.7601.17803_none_4fa97950dcdfa9de\jnwmon.dll
+ 2009-07-13 23:47 . 2009-07-14 01:15    84480              c:\windows\winsxs\x86_microsoft-windows-t..ournalnotewriterqfe_31bf3856ad364e35_6.1.7601.17803_none_4fa97950dcdfa9de\jnwdui.dll
+ 2009-07-13 23:47 . 2009-07-14 01:15    22528              c:\windows\winsxs\x86_microsoft-windows-t..ournalnotewriterqfe_31bf3856ad364e35_6.1.7600.21179_none_4e06e199f90a6f78\jnwppr.dll
+ 2009-07-13 23:47 . 2009-07-14 01:15    19968              c:\windows\winsxs\x86_microsoft-windows-t..ournalnotewriterqfe_31bf3856ad364e35_6.1.7600.21179_none_4e06e199f90a6f78\jnwmon.dll
+ 2009-07-13 23:47 . 2009-07-14 01:15    84480              c:\windows\winsxs\x86_microsoft-windows-t..ournalnotewriterqfe_31bf3856ad364e35_6.1.7600.21179_none_4e06e199f90a6f78\jnwdui.dll
+ 2009-07-13 23:47 . 2009-07-14 01:15    22528              c:\windows\winsxs\x86_microsoft-windows-t..ournalnotewriterqfe_31bf3856ad364e35_6.1.7600.16988_none_4d719c76dff59f06\jnwppr.dll
+ 2009-07-13 23:47 . 2009-07-14 01:15    19968              c:\windows\winsxs\x86_microsoft-windows-t..ournalnotewriterqfe_31bf3856ad364e35_6.1.7600.16988_none_4d719c76dff59f06\jnwmon.dll
+ 2009-07-13 23:47 . 2009-07-14 01:15    84480              c:\windows\winsxs\x86_microsoft-windows-t..ournalnotewriterqfe_31bf3856ad364e35_6.1.7600.16988_none_4d719c76dff59f06\jnwdui.dll
+ 2009-07-13 23:47 . 2009-07-14 01:14    48640              c:\windows\winsxs\x86_microsoft-windows-t..c-journalnotewriter_31bf3856ad364e35_6.1.7601.21955_none_44cbbc6cc484b691\PDIALOG.exe
+ 2009-07-13 23:47 . 2009-07-14 01:15    22528              c:\windows\winsxs\x86_microsoft-windows-t..c-journalnotewriter_31bf3856ad364e35_6.1.7601.21955_none_44cbbc6cc484b691\jnwppr.dll
+ 2009-07-13 23:47 . 2009-07-14 01:15    19968              c:\windows\winsxs\x86_microsoft-windows-t..c-journalnotewriter_31bf3856ad364e35_6.1.7601.21955_none_44cbbc6cc484b691\jnwmon.dll
+ 2009-07-13 23:47 . 2009-07-14 01:15    84480              c:\windows\winsxs\x86_microsoft-windows-t..c-journalnotewriter_31bf3856ad364e35_6.1.7601.21955_none_44cbbc6cc484b691\jnwdui.dll
+ 2009-07-13 23:47 . 2009-07-14 01:14    48640              c:\windows\winsxs\x86_microsoft-windows-t..c-journalnotewriter_31bf3856ad364e35_6.1.7601.17803_none_44762ea9ab405864\PDIALOG.exe
+ 2009-07-13 23:47 . 2009-07-14 01:15    22528              c:\windows\winsxs\x86_microsoft-windows-t..c-journalnotewriter_31bf3856ad364e35_6.1.7601.17803_none_44762ea9ab405864\jnwppr.dll
+ 2009-07-13 23:47 . 2009-07-14 01:15    19968              c:\windows\winsxs\x86_microsoft-windows-t..c-journalnotewriter_31bf3856ad364e35_6.1.7601.17803_none_44762ea9ab405864\jnwmon.dll
+ 2009-07-13 23:47 . 2009-07-14 01:15    84480              c:\windows\winsxs\x86_microsoft-windows-t..c-journalnotewriter_31bf3856ad364e35_6.1.7601.17803_none_44762ea9ab405864\jnwdui.dll
+ 2009-07-13 23:47 . 2009-07-14 01:14    48640              c:\windows\winsxs\x86_microsoft-windows-t..c-journalnotewriter_31bf3856ad364e35_6.1.7600.21179_none_42d396f2c76b1dfe\PDIALOG.exe
+ 2009-07-13 23:47 . 2009-07-14 01:15    22528              c:\windows\winsxs\x86_microsoft-windows-t..c-journalnotewriter_31bf3856ad364e35_6.1.7600.21179_none_42d396f2c76b1dfe\jnwppr.dll
+ 2009-07-13 23:47 . 2009-07-14 01:15    19968              c:\windows\winsxs\x86_microsoft-windows-t..c-journalnotewriter_31bf3856ad364e35_6.1.7600.21179_none_42d396f2c76b1dfe\jnwmon.dll
+ 2009-07-13 23:47 . 2009-07-14 01:15    84480              c:\windows\winsxs\x86_microsoft-windows-t..c-journalnotewriter_31bf3856ad364e35_6.1.7600.21179_none_42d396f2c76b1dfe\jnwdui.dll
+ 2009-07-13 23:47 . 2009-07-14 01:14    48640              c:\windows\winsxs\x86_microsoft-windows-t..c-journalnotewriter_31bf3856ad364e35_6.1.7600.16988_none_423e51cfae564d8c\PDIALOG.exe
+ 2009-07-13 23:47 . 2009-07-14 01:15    22528              c:\windows\winsxs\x86_microsoft-windows-t..c-journalnotewriter_31bf3856ad364e35_6.1.7600.16988_none_423e51cfae564d8c\jnwppr.dll
+ 2009-07-13 23:47 . 2009-07-14 01:15    19968              c:\windows\winsxs\x86_microsoft-windows-t..c-journalnotewriter_31bf3856ad364e35_6.1.7600.16988_none_423e51cfae564d8c\jnwmon.dll
+ 2009-07-13 23:47 . 2009-07-14 01:15    84480              c:\windows\winsxs\x86_microsoft-windows-t..c-journalnotewriter_31bf3856ad364e35_6.1.7600.16988_none_423e51cfae564d8c\jnwdui.dll
+ 2011-06-02 06:15 . 2010-11-20 10:21    15872              c:\windows\winsxs\x86_microsoft-windows-r..s-regkeys-component_31bf3856ad364e35_6.1.7601.21982_none_31d187047f696dc4\rdpvideominiport.sys
+ 2011-06-02 06:15 . 2010-11-20 10:21    15872              c:\windows\winsxs\x86_microsoft-windows-r..s-regkeys-component_31bf3856ad364e35_6.1.7601.17830_none_317bf94166250f97\rdpvideominiport.sys
+ 2012-01-16 22:33 . 2011-11-17 05:34    15872              c:\windows\winsxs\x86_microsoft-windows-lsa_31bf3856ad364e35_6.1.7601.17856_none_a828bb43bb2beb28\sspisrv.dll
+ 2012-01-16 22:33 . 2011-11-17 05:34    22016              c:\windows\winsxs\x86_microsoft-windows-lsa_31bf3856ad364e35_6.1.7601.17856_none_a828bb43bb2beb28\secur32.dll
+ 2012-01-16 22:33 . 2011-11-17 05:29    22528              c:\windows\winsxs\x86_microsoft-windows-lsa_31bf3856ad364e35_6.1.7601.17856_none_a828bb43bb2beb28\lsass.exe
+ 2012-01-16 22:33 . 2011-11-17 05:39    15360              c:\windows\winsxs\x86_microsoft-windows-lsa_31bf3856ad364e35_6.1.7600.17035_none_a656d407bdf6641e\sspisrv.dll
+ 2012-01-16 22:33 . 2011-11-17 05:39    99840              c:\windows\winsxs\x86_microsoft-windows-lsa_31bf3856ad364e35_6.1.7600.17035_none_a656d407bdf6641e\sspicli.dll
+ 2012-01-16 22:33 . 2011-11-17 05:39    22016              c:\windows\winsxs\x86_microsoft-windows-lsa_31bf3856ad364e35_6.1.7600.17035_none_a656d407bdf6641e\secur32.dll
+ 2012-01-16 22:33 . 2011-11-17 05:36    22528              c:\windows\winsxs\x86_microsoft-windows-lsa_31bf3856ad364e35_6.1.7600.17035_none_a656d407bdf6641e\lsass.exe
+ 2012-08-09 15:09 . 2012-06-02 22:19    45080              c:\windows\System32\wups2.dll
+ 2012-08-09 15:09 . 2012-06-02 22:19    35864              c:\windows\System32\wups.dll
+ 2012-08-09 15:09 . 2012-06-02 22:12    88576              c:\windows\System32\wudriver.dll
+ 2012-08-09 15:09 . 2012-06-02 22:19    53784              c:\windows\System32\wuauclt.exe
- 2011-06-02 06:14 . 2010-11-20 12:17    33792              c:\windows\System32\wuapp.exe
+ 2012-08-09 15:09 . 2012-06-02 22:12    33792              c:\windows\System32\wuapp.exe
+ 2011-04-09 03:55 . 2012-08-09 18:01    34332              c:\windows\System32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 04:55 . 2012-08-09 18:01    41164              c:\windows\System32\wdi\BootPerformanceDiagnostics_SystemData.bin
- 2011-05-31 05:38 . 2012-08-09 06:09    32768              c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-05-31 05:38 . 2012-08-09 18:15    32768              c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-05-31 05:38 . 2012-08-09 18:15    32768              c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2011-05-31 05:38 . 2012-08-09 06:09    32768              c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2011-05-31 05:38 . 2012-08-09 18:15    16384              c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2011-05-31 05:38 . 2012-08-09 06:09    16384              c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2012-06-02 22:19 . 2012-06-02 22:19    73088              c:\windows\SoftwareDistribution\SelfUpdate\Handler\WuSetupV.exe
+ 2009-07-14 04:34 . 2012-08-09 17:02    87696              c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat
+ 2009-07-14 00:19 . 2009-07-14 01:07    2048              c:\windows\winsxs\x86_microsoft-windows-msxml60_31bf3856ad364e35_6.1.7601.22012_none_8afce0390e381ffd\msxml6r.dll
+ 2009-07-14 00:19 . 2009-07-14 01:07    2048              c:\windows\winsxs\x86_microsoft-windows-msxml60_31bf3856ad364e35_6.1.7601.17857_none_8a4d2d0df5363b68\msxml6r.dll
+ 2009-07-14 00:19 . 2009-07-14 01:07    2048              c:\windows\winsxs\x86_microsoft-windows-msxml60_31bf3856ad364e35_6.1.7600.21227_none_8910b4b911154eb5\msxml6r.dll
+ 2009-07-14 00:19 . 2009-07-14 01:07    2048              c:\windows\winsxs\x86_microsoft-windows-msxml60_31bf3856ad364e35_6.1.7600.17036_none_887b45d1f800b45e\msxml6r.dll
+ 2009-07-14 00:19 . 2009-07-14 01:07    2048              c:\windows\winsxs\x86_microsoft-windows-msxml30_31bf3856ad364e35_6.1.7601.22012_none_8afd24910e37d31a\msxml3r.dll
+ 2009-07-14 00:19 . 2009-07-14 01:07    2048              c:\windows\winsxs\x86_microsoft-windows-msxml30_31bf3856ad364e35_6.1.7600.21227_none_8910f911111501d2\msxml3r.dll
+ 2009-07-14 00:19 . 2009-07-14 01:07    2048              c:\windows\winsxs\x86_microsoft-windows-msxml30_31bf3856ad364e35_6.1.7600.17036_none_887b8a29f800677b\msxml3r.dll
+ 2011-04-09 01:14 . 2012-08-09 18:01    8152              c:\windows\System32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3806059188-2109455386-291866110-1001_UserData.bin
+ 2012-08-09 15:13 . 2012-08-09 15:13    9560              c:\windows\System32\NetworkList\Icons\{782278D8-8ED0-4BF4-92AF-C144556D75C2}_48.bin
+ 2012-08-09 15:13 . 2012-08-09 15:13    4280              c:\windows\System32\NetworkList\Icons\{782278D8-8ED0-4BF4-92AF-C144556D75C2}_32.bin
+ 2012-08-09 15:13 . 2012-08-09 15:13    2456              c:\windows\System32\NetworkList\Icons\{782278D8-8ED0-4BF4-92AF-C144556D75C2}_24.bin
- 2012-08-09 05:37 . 2012-08-09 05:37    2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-08-09 18:00 . 2012-08-09 18:00    2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-08-09 18:00 . 2012-08-09 18:00    2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2012-08-09 05:37 . 2012-08-09 05:37    2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2012-08-09 15:09 . 2012-06-02 22:19    171904              c:\windows\winsxs\x86_microsoft-windows-w..pdateclient-activex_31bf3856ad364e35_7.6.7600.256_none_09f272fb52ab0c3f\wuwebv.dll
+ 2012-08-09 15:09 . 2012-06-02 22:19    577048              c:\windows\winsxs\x86_microsoft-windows-w..owsupdateclient-aux_31bf3856ad364e35_7.6.7600.256_none_5fe7b2baacf3da43\wuapi.dll
+ 2011-06-02 06:15 . 2010-11-20 12:29    187776              c:\windows\winsxs\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.1.7601.17802_none_b52e5147c4a202d7\FWPKCLNT.SYS
+ 2009-07-13 23:12 . 2009-07-14 01:20    187472              c:\windows\winsxs\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.1.7600.16986_none_b2f57423c7b8dea8\FWPKCLNT.SYS
+ 2009-07-13 23:47 . 2009-07-14 01:15    484352              c:\windows\winsxs\x86_microsoft-windows-tabletpc-journal_31bf3856ad364e35_6.1.7601.21955_none_1a1855541c176f4a\MSPVWCTL.DLL
+ 2009-07-13 23:47 . 2009-07-14 01:15    672768              c:\windows\winsxs\x86_microsoft-windows-tabletpc-journal_31bf3856ad364e35_6.1.7601.21955_none_1a1855541c176f4a\InkSeg.dll
+ 2009-07-13 23:47 . 2009-07-14 01:15    484352              c:\windows\winsxs\x86_microsoft-windows-tabletpc-journal_31bf3856ad364e35_6.1.7601.17803_none_19c2c79102d3111d\MSPVWCTL.DLL
+ 2009-07-13 23:47 . 2009-07-14 01:15    672768              c:\windows\winsxs\x86_microsoft-windows-tabletpc-journal_31bf3856ad364e35_6.1.7601.17803_none_19c2c79102d3111d\InkSeg.dll
+ 2009-07-13 23:47 . 2009-07-14 01:15    484352              c:\windows\winsxs\x86_microsoft-windows-tabletpc-journal_31bf3856ad364e35_6.1.7600.21179_none_18202fda1efdd6b7\MSPVWCTL.DLL
+ 2009-07-13 23:47 . 2009-07-14 01:15    672768              c:\windows\winsxs\x86_microsoft-windows-tabletpc-journal_31bf3856ad364e35_6.1.7600.21179_none_18202fda1efdd6b7\InkSeg.dll
+ 2009-07-13 23:47 . 2009-07-14 01:15    484352              c:\windows\winsxs\x86_microsoft-windows-tabletpc-journal_31bf3856ad364e35_6.1.7600.16988_none_178aeab705e90645\MSPVWCTL.DLL
+ 2009-07-13 23:47 . 2009-07-14 01:15    672768              c:\windows\winsxs\x86_microsoft-windows-tabletpc-journal_31bf3856ad364e35_6.1.7600.16988_none_178aeab705e90645\InkSeg.dll
+ 2009-07-13 23:46 . 2009-07-14 01:16    126464              c:\windows\winsxs\x86_microsoft-windows-t..platform-comruntime_31bf3856ad364e35_6.1.7601.21955_none_ccf754dbae8e9b38\rtscom.dll
+ 2009-07-13 23:46 . 2009-07-14 01:15    216064              c:\windows\winsxs\x86_microsoft-windows-t..platform-comruntime_31bf3856ad364e35_6.1.7601.21955_none_ccf754dbae8e9b38\InkEd.dll
+ 2009-07-13 23:46 . 2009-07-14 01:15    274944              c:\windows\winsxs\x86_microsoft-windows-t..platform-comruntime_31bf3856ad364e35_6.1.7601.21955_none_ccf754dbae8e9b38\InkDiv.dll
+ 2009-07-13 23:46 . 2009-07-14 01:16    126464              c:\windows\winsxs\x86_microsoft-windows-t..platform-comruntime_31bf3856ad364e35_6.1.7601.17803_none_cca1c718954a3d0b\rtscom.dll
+ 2009-07-13 23:46 . 2009-07-14 01:15    216064              c:\windows\winsxs\x86_microsoft-windows-t..platform-comruntime_31bf3856ad364e35_6.1.7601.17803_none_cca1c718954a3d0b\InkEd.dll
+ 2009-07-13 23:46 . 2009-07-14 01:15    274944              c:\windows\winsxs\x86_microsoft-windows-t..platform-comruntime_31bf3856ad364e35_6.1.7601.17803_none_cca1c718954a3d0b\InkDiv.dll
+ 2009-07-13 23:46 . 2009-07-14 01:16    126464              c:\windows\winsxs\x86_microsoft-windows-t..platform-comruntime_31bf3856ad364e35_6.1.7600.21179_none_caff2f61b17502a5\rtscom.dll
+ 2009-07-13 23:46 . 2009-07-14 01:15    216064              c:\windows\winsxs\x86_microsoft-windows-t..platform-comruntime_31bf3856ad364e35_6.1.7600.21179_none_caff2f61b17502a5\InkEd.dll
+ 2009-07-13 23:46 . 2009-07-14 01:15    274944              c:\windows\winsxs\x86_microsoft-windows-t..platform-comruntime_31bf3856ad364e35_6.1.7600.21179_none_caff2f61b17502a5\InkDiv.dll
+ 2009-07-13 23:46 . 2009-07-14 01:16    126464              c:\windows\winsxs\x86_microsoft-windows-t..platform-comruntime_31bf3856ad364e35_6.1.7600.16988_none_ca69ea3e98603233\rtscom.dll
+ 2009-07-13 23:46 . 2009-07-14 01:15    216064              c:\windows\winsxs\x86_microsoft-windows-t..platform-comruntime_31bf3856ad364e35_6.1.7600.16988_none_ca69ea3e98603233\InkEd.dll
+ 2009-07-13 23:46 . 2009-07-14 01:15    274944              c:\windows\winsxs\x86_microsoft-windows-t..platform-comruntime_31bf3856ad364e35_6.1.7600.16988_none_ca69ea3e98603233\InkDiv.dll
+ 2011-06-02 06:16 . 2010-11-20 10:24    134656              c:\windows\winsxs\x86_microsoft-windows-r..s-regkeys-component_31bf3856ad364e35_6.1.7601.21982_none_31d187047f696dc4\rdpudd.dll
+ 2011-06-02 06:16 . 2010-11-20 10:24    134656              c:\windows\winsxs\x86_microsoft-windows-r..s-regkeys-component_31bf3856ad364e35_6.1.7601.17830_none_317bf94166250f97\rdpudd.dll
+ 2012-01-16 22:33 . 2011-11-17 05:34    100352              c:\windows\winsxs\x86_microsoft-windows-lsa_31bf3856ad364e35_6.1.7601.17856_none_a828bb43bb2beb28\sspicli.dll
+ 2012-08-09 15:09 . 2012-06-02 22:19    171904              c:\windows\System32\wuwebv.dll
+ 2012-08-09 15:09 . 2012-06-02 22:19    577048              c:\windows\System32\wuapi.dll
+ 2009-07-14 02:05 . 2012-08-09 18:06    624178              c:\windows\System32\perfh009.dat
- 2009-07-14 02:05 . 2012-08-09 05:41    624178              c:\windows\System32\perfh009.dat
+ 2009-07-14 02:05 . 2012-08-09 18:06    106522              c:\windows\System32\perfc009.dat
- 2009-07-14 02:05 . 2012-08-09 05:41    106522              c:\windows\System32\perfc009.dat
+ 2009-07-14 04:47 . 2012-08-09 17:59    396356              c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2009-07-14 04:47 . 2012-08-09 05:36    396356              c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2011-06-02 06:15 . 2010-11-05 01:53    1736536              c:\windows\winsxs\x86_presentationcore_31bf3856ad364e35_6.1.7601.17755_none_ae0e4090ee55e5f0\wpfgfx_v0300.dll
+ 2012-08-09 15:09 . 2012-06-02 22:12    2422272              c:\windows\winsxs\x86_microsoft-windows-windowsupdateclient-ui_31bf3856ad364e35_7.6.7600.256_none_f7839c193937c3f1\wucltux.dll
+ 2012-08-09 15:09 . 2012-06-02 22:19    1933848              c:\windows\winsxs\x86_microsoft-windows-w..wsupdateclient-core_31bf3856ad364e35_7.6.7600.256_none_79d6786e99338140\wuaueng.dll
+ 2011-06-02 06:15 . 2010-11-20 12:17    1785344              c:\windows\winsxs\x86_microsoft-windows-tabletpc-journal_31bf3856ad364e35_7.1.7601.17803_none_0b3343d68db9b9ec\Journal.exe
+ 2011-06-02 06:15 . 2010-11-20 12:17    1785344              c:\windows\winsxs\x86_microsoft-windows-tabletpc-journal_31bf3856ad364e35_6.1.7601.17803_none_19c2c79102d3111d\Journal.exe
+ 2009-07-13 23:49 . 2009-07-14 01:14    1785344              c:\windows\winsxs\x86_microsoft-windows-tabletpc-journal_31bf3856ad364e35_6.1.7600.16988_none_178aeab705e90645\Journal.exe
+ 2009-07-14 00:02 . 2009-07-14 01:15    1415168              c:\windows\winsxs\x86_microsoft-windows-t..platform-comruntime_31bf3856ad364e35_6.1.7601.17803_none_cca1c718954a3d0b\InkObj.dll
+ 2009-07-14 00:02 . 2009-07-14 01:15    1415168              c:\windows\winsxs\x86_microsoft-windows-t..platform-comruntime_31bf3856ad364e35_6.1.7600.16988_none_ca69ea3e98603233\InkObj.dll
+ 2012-01-16 22:33 . 2011-11-17 05:32    1038848              c:\windows\winsxs\x86_microsoft-windows-lsa_31bf3856ad364e35_6.1.7601.17856_none_a828bb43bb2beb28\lsasrv.dll
+ 2012-01-16 22:33 . 2011-11-17 05:38    1037312              c:\windows\winsxs\x86_microsoft-windows-lsa_31bf3856ad364e35_6.1.7600.17035_none_a656d407bdf6641e\lsasrv.dll
+ 2012-08-09 15:09 . 2012-06-02 22:12    2422272              c:\windows\System32\wucltux.dll
+ 2012-08-09 15:09 . 2012-06-02 22:19    1933848              c:\windows\System32\wuaueng.dll
+ 2009-07-14 02:03 . 2012-08-09 15:29    7340032              c:\windows\System32\SMI\Store\Machine\schema.dat
- 2009-07-14 02:03 . 2012-03-14 14:27    7340032              c:\windows\System32\SMI\Store\Machine\schema.dat
- 2009-07-14 04:34 . 2012-03-14 14:31    5980439              c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat
+ 2009-07-14 04:34 . 2012-08-09 16:48    5980439              c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat
+ 2011-04-09 04:38 . 2012-08-09 17:59    2253476              c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-3806059188-2109455386-291866110-1001-12288.dat
+ 2011-04-09 03:51 . 2012-08-09 17:59    38633760              c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-3806059188-2109455386-291866110-1001-8192.dat
+ 2011-05-31 05:55 . 2012-08-09 15:18    127004364              c:\windows\winsxs\ManifestCache\a786a517e28d5687_blobs.bin
.
-- Snapshot reset to current date --
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-07-03 16:21    121528    ----a-w-    c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1174016]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-07-03 4273976]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-06-12 09:38    34672    ----a-w-    c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2011-02-12 02:26    171032    ----a-w-    c:\windows\System32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2011-02-12 02:26    137752    ----a-w-    c:\windows\System32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2011-02-12 02:26    172568    ----a-w-    c:\windows\System32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-10-29 21:49    249064    ----a-w-    c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2010-05-28 05:31    1721640    ----a-w-    c:\program files\Synaptics\SynTP\SynTPEnh.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SysTrayApp]
2010-03-23 21:53    495708    ----a-w-    c:\program files\IDT\WDM\sttray.exe
.
R3 pwdrvio;pwdrvio;c:\windows\system32\pwdrvio.sys [x]
R3 pwdspio;pwdspio;c:\windows\system32\pwdspio.sys [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R4 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_9691412ff1876250\aestsrv.exe [x]
R4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [x]
R4 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [x]
R4 hpsrv;HP Service;c:\windows\system32\Hpservice.exe [x]
R4 PuranDefrag;PuranDefrag;c:\windows\system32\PuranDefragS.exe [x]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [x]
S2 TeamViewer6;TeamViewer 6;c:\program files\TeamViewer\Version6\TeamViewer_Service.exe [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [x]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-03-26 01:47]
.
2012-08-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-03-26 01:47]
.
2012-08-09 c:\windows\Tasks\PC Optimizer Pro startups.job
- c:\program files\PC Optimizer Pro\StartApps.exe [2011-06-10 07:41]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
Trusted Zone: intuit.com\ttlc
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
FF - ProfilePath - c:\users\David\AppData\Roaming\Mozilla\Firefox\Profiles\oydg7dbs.default\
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(2776)
c:\windows\system32\igd10umd32.dll
.
Completion time: 2012-08-09  12:17:23
ComboFix-quarantined-files.txt  2012-08-09 19:17
.
Pre-Run: 99,225,088,000 bytes free
Post-Run: 99,066,867,712 bytes free
.
- - End Of File - - 05F2A8773531733AF926981080DED708
The weird thing is that performance is good, fast and snappy so I'd like to save this install for the owner if possible.




Attached Files
File Type: txt aswBoot.txt (4.3 KB, 2 views)
My System SpecsSystem Spec
.
09 Aug 2012   #2
OldMX

Microsoft Windows 10 Professional
 
 

My System SpecsSystem Spec
09 Aug 2012   #3
gregrocker

 

OK Thanks, running that now.

I rooted PC Optimizer Pro out by searching registry for PCOpt and deleting a dozen listings, then found a Program File which I deleted, rooting out a stubborn tray item by ending it's Process.
My System SpecsSystem Spec
.

09 Aug 2012   #4
OldMX

Microsoft Windows 10 Professional
 
 

been there...done that brother, good luck
My System SpecsSystem Spec
09 Aug 2012   #5
gregrocker

 

TDSS killer won't run, either from desktop or flash stick. I don't see any process for it opening in Task Manager either.

I tried to rename it svchost.exe which will sometimes sneak ComboFix past an infection, but it fails the Remote Procedural Call.
My System SpecsSystem Spec
09 Aug 2012   #6
shawn77

32 bit
 
 

Try this tool-fixtdss

Backdoor.Tidserv Removal Tool | Symantec

Do you have a 10 mb partition in disk management?
My System SpecsSystem Spec
09 Aug 2012   #7
gregrocker

 

No why would there be such a partition?

Where do you see that there is Backdoor.tidserv on this PC? I must be missing it.
My System SpecsSystem Spec
10 Aug 2012   #8
shawn77

32 bit
 
 

why do you ask questions before trying running the tools? just joking

Let me ask you question.Can you guess which infection blocked you from running tdsskiller?

Do you say that you need to have backdoor.tidserv in your logs to run this tool? What did Avast show you? MBR alureon?
What is MBR alureon? Why did Avast do that?

Research and you will get the answer
My System SpecsSystem Spec
10 Aug 2012   #9
Borg 386

Win 7 32 Home Premium, Win 7 64 Pro, Win 8.1, Win 10
 
 

Quote   Quote: Originally Posted by gregrocker View Post
No why would there be such a partition?
Alureon usually puts a hidden boot partition on the the infected system. Sometimes it shows up in disk management, most times it doesn't.

If you d/l G Parted, boot from that & examine the drive, you'll probably find a hidden partition between 1 - 10 MB (although the usual size is 1 - 3 MB). Delete this partition & then run TDSKiller again, make sure to click the "change parameters" option & make sure all the boxes are checked. This should clean out any leftover files.

A follow up with Windows Defender offline would be a good idea to see if it introduced any other viruses.
My System SpecsSystem Spec
10 Aug 2012   #10
OldMX

Microsoft Windows 10 Professional
 
 

greg, its time to remove that disk and use an adapter so you can clean it with another computer, or perform a clean install
My System SpecsSystem Spec
Reply

 Multiple serious infections




Thread Tools





Similar help and support threads
Thread Forum
HAPPILI and possible other infections/redirects
I recently came here to the forums to remove HAPPILI. I followed several of the steps in a certain thread but still got redirected to HAPPILI. Now (a couple days later) I have stopped seeing HAPPILI redirect but am getting redirected to another fake search results page...very generic looking,...
Performance & Maintenance
Infections EVEN after formatting and installation?
Hello, I've had a lot of problems with my computer recently, for example, not being able to boot up and system repair not working and many more. I reinstalled my system, transferred my files from the external hard drive back onto the computer but still the problem occured, only even worse. This...
System Security
Does anyone recognize these three infections? Google doesn't
c:\users\rusty\appdata\local\ojimocin.dll c:\users\rusty\appdata\local\ehevurijanoxoz.dll c:\users\rusty\appdata\local\ayimeqaguvi.dll The last one got caught by NIS when I booted this morning. The other two got caught together a week ago. After the first incident I did full scans with...
System Security
AVG or Windows Defender came up informing me of 2 infections
Hi all, I'm not sure if repair install could help me but I've never had anything of the sort occur with my computer before. Last night I was surfing away, just looking at a few websites. I opened a new one (from google search) and either AVG or Windows Defender came up informing me of 2...
System Security
virus infections
hey gang. I work at a service depot as a depot technician. I'm studying the MCTS, and a few of my collegues were discussing infections and how they're related to having or not having a NAT firewall device (hardware; i.e. router). Their argument was that not having a router vs. having a router...
System Security
Have you ever lost data due to infections?
I'm just curious to know: How many of you have ever lost information due to an infection of some sort? Did you manage to recover all or any of your data? How has it changed your approach to system security now? Multiple answers are allowed, if you only choose 1 otion, please make it the...
System Security

Our Sites

Site Links

About Us

Find Us

Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

Designer Media Ltd

All times are GMT -5. The time now is 16:08.

Twitter Facebook Google+



Windows 7 Forums

Seven Forums Android App Seven Forums IOS App