Multiple serious infections

Page 1 of 2 12 LastLast

  1. gregrocker
    Posts : 50,642
       New #1

    Multiple serious infections


    Trying to help a friend whose system was frozen with files hidden. Avast boot scan found numerous infections which it doesn't seem to fix since I've run it three times. So did Combofix after rKill, which unhid the files and otherwise restored performance. Still we get a popup at every boot from PC Optimizer Pro claiming numerous infections.

    Avast boot scan log:
    Code:
    10/26/2011 17:41
Scan of all local drives

File C:\Users\David\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\17\3ef65551-76154ae1|>rotor\zalux$zordo.class is infected by Java:Agent-TB [Expl], Deleted
File C:\Users\David\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\17\3ef65551-76154ae1|>rotor\zalux.class is infected by Java:Agent-WY [Expl], Deleted

----------------------------------------
08/08/2012 20:38
Scan of all local drives

File C:\ProgramData\IzoeBi1ZSaHfSx.exe is infected by Win32:Dropper-gen [Drp], Deleted
File C:\Users\David\AppData\Local\myoieyec.exe is infected by Win32:MalOb-GF [Cryp], Deleted
File C:\Users\David\AppData\Local\Temp\eEPJSrKBEl07iN.exe.tmp is infected by Win32:Rootkit-gen [Rtk], Deleted
File C:\Users\David\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\18\39db9912-13fb5790 is infected by Win32:MalOb-GF [Cryp], Deleted
Number of searched folders: 44301
Number of tested files: 265580
Number of infected files: 4

----------------------------------------
08/09/2012 10:03
Scan of all local drives

File C:\ProgramData\AVAST Software\Avast\log\unp192751541.tmp.mdmp is infected by MBR:Alureon-K [Rtk], Repair: Error 42060 {The file was not repaired.}, Move to chest: Error 0xC000007B {Bad Image}, Delete: Error 0xC0000034 {Object Name not found.}, Delete: Error 0xC0000034 {Object Name not found.}, Delete: Error 0xC0000034 {Object Name not found.}, Move to chest: Error 0xC0000034 {Object Name not found.}
File C:\ProgramData\AVAST Software\Avast\log\ Error 0xC000000D {An invalid parameter was passed to a service or function.}
File C:\ProgramData\AVAST Software\Avast\log\unp49058768.tmp.mdmp is infected by MBR:Alureon-K [Rtk], Deleted
File C:\ProgramData\AVAST Software\Avast\log\unp53929307.tmp.mdmp is infected by MBR:Alureon-K [Rtk], Deleted
File C:\ProgramData\AVAST Software\Avast\log\unp70394681.tmp.mdmp is infected by MBR:Alureon-K [Rtk], Deleted
File C:\ProgramData\AVAST Software\Avast\log\unp80668799.tmp.mdmp is infected by MBR:Alureon-K [Rtk], Deleted
File C:\Users\David\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\17\3ef65551-76154ae1|>rotor\Glocker.class is infected by Java:Agent-ZY [Expl], Deleted
File C:\Users\David\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\17\3ef65551-76154ae1|>rotor\zalux$1.class is infected by Java:Agent-ZX [Expl], Deleted
File C:\Users\David\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\17\3ef65551-76154ae1|>rotor\Zo666.class is infected by Java:Agent-ZZ [Expl], Deleted
File C:\Users\David\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\17\3ef65551-76154ae1|>rotor\Zom.class is infected by Java:Agent-ZW [Expl], Deleted
File C:\Users\David\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\17\3ef65551-76154ae1|>rotor\Zom2.class is infected by Java:Agent-ATN [Expl], Deleted
File C:\Users\David\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\30\10bca31e-7083159b|>xmltree\armin.class is infected by Java:Agent-AIY [Expl], Deleted
File C:\Users\David\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\30\10bca31e-7083159b|>xmltree\erandus.class is infected by Java:Agent-AIZ [Expl], Deleted
File C:\Users\David\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\30\10bca31e-7083159b|>xmltree\lindsa.class is infected by Java:Agent-AJA [Expl], Deleted
File C:\Users\David\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\30\10bca31e-7083159b|>xmltree\opkat.class is infected by Java:Agent-AIX [Expl], Deleted
File C:\Users\David\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\30\10bca31e-7083159b|>xmltree\oplef.class is infected by Java:Agent-AJC [Expl], Deleted
File C:\Users\David\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\30\10bca31e-7083159b|>xmltree\rekona.class is infected by Java:Agent-AJB [Expl], Deleted
File C:\Users\David\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\44\300446c-1c88125b|>Wiki.class is infected by Java:Agent-AOY [Trj], Deleted
File C:\Users\David\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\60\4911143c-1642ce2b|>notana.class is infected by Java:Agent-ANE [Expl], Deleted
File C:\Users\David\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\62\5b0baa7e-7e37a8aa|>main.class is infected by Java:Agent-AXI [Expl], Deleted
File C:\Windows\temp\_avast_\unp231066075.tmp|>nsis.hdr is infected by NSIS:Malware-gen [Trj], Deleted
Number of searched folders: 15948
Number of tested files: 453402
Number of infected files: 20
    Even after all scans a popup appears at every boot on desktop for PC Optimizer Pro saying there are numerous Critical errors found. I have uninstalled PCOP in Control Panel but it persists.

    So I run rkill followed by Combofix. As Combofix is loading I get a popup from Avast saying rootkit found MBR:Alureo whose file name is Rootkit.narr. It wants me to Delete it and run the Boot scan again.

    Combofix report:
    Code:
    ComboFix 12-08-09.01 - David 08/09/2012  11:31:56.2.2 - x86
Microsoft Windows 7 Ultimate   6.1.7601.1.1252.1.1033.18.2975.2120 [GMT -7:00]
Running from: c:\users\David\Desktop\svchost.exe.exe
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\David\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Check
.
---- Previous Run -------
.
c:\users\David\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\PC Optimizer Pro.lnk
c:\users\David\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Check\System Check.lnk
c:\users\David\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Check\Uninstall System Check.lnk
c:\users\David\Desktop\System Check.lnk
.
.
(((((((((((((((((((((((((   Files Created from 2012-07-09 to 2012-08-09  )))))))))))))))))))))))))))))))
.
.
2012-08-09 05:48 . 2012-07-16 09:41    6891424    ----a-w-    c:\programdata\Microsoft\Windows Defender\Definition Updates\{AFD2CF20-1D69-4B5A-90E5-AEFC5E1D024A}\mpengine.dll
2012-08-09 04:14 . 2012-08-09 04:14    --------    d-----w-    c:\windows\Microsoft Antimalware
2012-08-09 04:14 . 2012-08-09 04:14    --------    d-----w-    c:\windows\Windows Defender Offline
2012-08-09 03:34 . 2012-08-09 05:45    --------    d-----w-    C:\ComboFix
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-03 16:21 . 2011-04-09 04:54    54232    ----a-w-    c:\windows\system32\drivers\aswTdi.sys
2012-07-03 16:21 . 2012-03-24 00:31    44784    ----a-w-    c:\windows\system32\drivers\aswRdr2.sys
2012-07-03 16:21 . 2011-04-09 04:54    21256    ----a-w-    c:\windows\system32\drivers\aswFsBlk.sys
2012-07-03 16:21 . 2011-04-09 04:54    353688    ----a-w-    c:\windows\system32\drivers\aswSP.sys
2012-07-03 16:21 . 2011-04-09 04:54    721000    ----a-w-    c:\windows\system32\drivers\aswSnx.sys
2012-07-03 16:21 . 2011-04-09 04:54    57656    ----a-w-    c:\windows\system32\drivers\aswMonFlt.sys
2012-07-03 16:21 . 2011-04-09 04:53    41224    ----a-w-    c:\windows\avastSS.scr
2012-07-03 16:21 . 2011-04-09 04:53    227648    ----a-w-    c:\windows\system32\aswBoot.exe
2012-05-31 19:25 . 2011-04-09 01:31    237072    ------w-    c:\windows\system32\MpSigStub.exe
2012-03-26 01:47 . 2011-05-31 05:55    97208    ----a-w-    c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((   SnapShot@2012-08-09_06.29.59   )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-08-09 15:09 . 2012-06-02 22:19    45080              c:\windows\winsxs\x86_microsoft-windows-w..wsupdateclient-core_31bf3856ad364e35_7.6.7600.256_none_79d6786e99338140\wups2.dll
+ 2012-08-09 15:09 . 2012-06-02 22:19    53784              c:\windows\winsxs\x86_microsoft-windows-w..wsupdateclient-core_31bf3856ad364e35_7.6.7600.256_none_79d6786e99338140\wuauclt.exe
+ 2012-08-09 15:09 . 2012-06-02 22:12    33792              c:\windows\winsxs\x86_microsoft-windows-w..pdateclient-activex_31bf3856ad364e35_7.6.7600.256_none_09f272fb52ab0c3f\wuapp.exe
+ 2012-08-09 15:09 . 2012-06-02 22:19    35864              c:\windows\winsxs\x86_microsoft-windows-w..owsupdateclient-aux_31bf3856ad364e35_7.6.7600.256_none_5fe7b2baacf3da43\wups.dll
+ 2012-08-09 15:09 . 2012-06-02 22:12    88576              c:\windows\winsxs\x86_microsoft-windows-w..owsupdateclient-aux_31bf3856ad364e35_7.6.7600.256_none_5fe7b2baacf3da43\wudriver.dll
+ 2009-07-13 23:47 . 2009-07-14 01:16    47104              c:\windows\winsxs\x86_microsoft-windows-tabletpc-journal_31bf3856ad364e35_6.1.7601.21955_none_1a1855541c176f4a\NBMapTIP.dll
+ 2009-07-13 23:47 . 2009-07-14 01:16    47104              c:\windows\winsxs\x86_microsoft-windows-tabletpc-journal_31bf3856ad364e35_6.1.7601.17803_none_19c2c79102d3111d\NBMapTIP.dll
+ 2009-07-13 23:47 . 2009-07-14 01:16    47104              c:\windows\winsxs\x86_microsoft-windows-tabletpc-journal_31bf3856ad364e35_6.1.7600.21179_none_18202fda1efdd6b7\NBMapTIP.dll
+ 2009-07-13 23:47 . 2009-07-14 01:16    47104              c:\windows\winsxs\x86_microsoft-windows-tabletpc-journal_31bf3856ad364e35_6.1.7600.16988_none_178aeab705e90645\NBMapTIP.dll
+ 2009-07-13 23:47 . 2009-07-14 01:15    22528              c:\windows\winsxs\x86_microsoft-windows-t..ournalnotewriterqfe_31bf3856ad364e35_6.1.7601.21955_none_4fff0713f624080b\jnwppr.dll
+ 2009-07-13 23:47 . 2009-07-14 01:15    19968              c:\windows\winsxs\x86_microsoft-windows-t..ournalnotewriterqfe_31bf3856ad364e35_6.1.7601.21955_none_4fff0713f624080b\jnwmon.dll
+ 2009-07-13 23:47 . 2009-07-14 01:15    84480              c:\windows\winsxs\x86_microsoft-windows-t..ournalnotewriterqfe_31bf3856ad364e35_6.1.7601.21955_none_4fff0713f624080b\jnwdui.dll
+ 2009-07-13 23:47 . 2009-07-14 01:15    22528              c:\windows\winsxs\x86_microsoft-windows-t..ournalnotewriterqfe_31bf3856ad364e35_6.1.7601.17803_none_4fa97950dcdfa9de\jnwppr.dll
+ 2009-07-13 23:47 . 2009-07-14 01:15    19968              c:\windows\winsxs\x86_microsoft-windows-t..ournalnotewriterqfe_31bf3856ad364e35_6.1.7601.17803_none_4fa97950dcdfa9de\jnwmon.dll
+ 2009-07-13 23:47 . 2009-07-14 01:15    84480              c:\windows\winsxs\x86_microsoft-windows-t..ournalnotewriterqfe_31bf3856ad364e35_6.1.7601.17803_none_4fa97950dcdfa9de\jnwdui.dll
+ 2009-07-13 23:47 . 2009-07-14 01:15    22528              c:\windows\winsxs\x86_microsoft-windows-t..ournalnotewriterqfe_31bf3856ad364e35_6.1.7600.21179_none_4e06e199f90a6f78\jnwppr.dll
+ 2009-07-13 23:47 . 2009-07-14 01:15    19968              c:\windows\winsxs\x86_microsoft-windows-t..ournalnotewriterqfe_31bf3856ad364e35_6.1.7600.21179_none_4e06e199f90a6f78\jnwmon.dll
+ 2009-07-13 23:47 . 2009-07-14 01:15    84480              c:\windows\winsxs\x86_microsoft-windows-t..ournalnotewriterqfe_31bf3856ad364e35_6.1.7600.21179_none_4e06e199f90a6f78\jnwdui.dll
+ 2009-07-13 23:47 . 2009-07-14 01:15    22528              c:\windows\winsxs\x86_microsoft-windows-t..ournalnotewriterqfe_31bf3856ad364e35_6.1.7600.16988_none_4d719c76dff59f06\jnwppr.dll
+ 2009-07-13 23:47 . 2009-07-14 01:15    19968              c:\windows\winsxs\x86_microsoft-windows-t..ournalnotewriterqfe_31bf3856ad364e35_6.1.7600.16988_none_4d719c76dff59f06\jnwmon.dll
+ 2009-07-13 23:47 . 2009-07-14 01:15    84480              c:\windows\winsxs\x86_microsoft-windows-t..ournalnotewriterqfe_31bf3856ad364e35_6.1.7600.16988_none_4d719c76dff59f06\jnwdui.dll
+ 2009-07-13 23:47 . 2009-07-14 01:14    48640              c:\windows\winsxs\x86_microsoft-windows-t..c-journalnotewriter_31bf3856ad364e35_6.1.7601.21955_none_44cbbc6cc484b691\PDIALOG.exe
+ 2009-07-13 23:47 . 2009-07-14 01:15    22528              c:\windows\winsxs\x86_microsoft-windows-t..c-journalnotewriter_31bf3856ad364e35_6.1.7601.21955_none_44cbbc6cc484b691\jnwppr.dll
+ 2009-07-13 23:47 . 2009-07-14 01:15    19968              c:\windows\winsxs\x86_microsoft-windows-t..c-journalnotewriter_31bf3856ad364e35_6.1.7601.21955_none_44cbbc6cc484b691\jnwmon.dll
+ 2009-07-13 23:47 . 2009-07-14 01:15    84480              c:\windows\winsxs\x86_microsoft-windows-t..c-journalnotewriter_31bf3856ad364e35_6.1.7601.21955_none_44cbbc6cc484b691\jnwdui.dll
+ 2009-07-13 23:47 . 2009-07-14 01:14    48640              c:\windows\winsxs\x86_microsoft-windows-t..c-journalnotewriter_31bf3856ad364e35_6.1.7601.17803_none_44762ea9ab405864\PDIALOG.exe
+ 2009-07-13 23:47 . 2009-07-14 01:15    22528              c:\windows\winsxs\x86_microsoft-windows-t..c-journalnotewriter_31bf3856ad364e35_6.1.7601.17803_none_44762ea9ab405864\jnwppr.dll
+ 2009-07-13 23:47 . 2009-07-14 01:15    19968              c:\windows\winsxs\x86_microsoft-windows-t..c-journalnotewriter_31bf3856ad364e35_6.1.7601.17803_none_44762ea9ab405864\jnwmon.dll
+ 2009-07-13 23:47 . 2009-07-14 01:15    84480              c:\windows\winsxs\x86_microsoft-windows-t..c-journalnotewriter_31bf3856ad364e35_6.1.7601.17803_none_44762ea9ab405864\jnwdui.dll
+ 2009-07-13 23:47 . 2009-07-14 01:14    48640              c:\windows\winsxs\x86_microsoft-windows-t..c-journalnotewriter_31bf3856ad364e35_6.1.7600.21179_none_42d396f2c76b1dfe\PDIALOG.exe
+ 2009-07-13 23:47 . 2009-07-14 01:15    22528              c:\windows\winsxs\x86_microsoft-windows-t..c-journalnotewriter_31bf3856ad364e35_6.1.7600.21179_none_42d396f2c76b1dfe\jnwppr.dll
+ 2009-07-13 23:47 . 2009-07-14 01:15    19968              c:\windows\winsxs\x86_microsoft-windows-t..c-journalnotewriter_31bf3856ad364e35_6.1.7600.21179_none_42d396f2c76b1dfe\jnwmon.dll
+ 2009-07-13 23:47 . 2009-07-14 01:15    84480              c:\windows\winsxs\x86_microsoft-windows-t..c-journalnotewriter_31bf3856ad364e35_6.1.7600.21179_none_42d396f2c76b1dfe\jnwdui.dll
+ 2009-07-13 23:47 . 2009-07-14 01:14    48640              c:\windows\winsxs\x86_microsoft-windows-t..c-journalnotewriter_31bf3856ad364e35_6.1.7600.16988_none_423e51cfae564d8c\PDIALOG.exe
+ 2009-07-13 23:47 . 2009-07-14 01:15    22528              c:\windows\winsxs\x86_microsoft-windows-t..c-journalnotewriter_31bf3856ad364e35_6.1.7600.16988_none_423e51cfae564d8c\jnwppr.dll
+ 2009-07-13 23:47 . 2009-07-14 01:15    19968              c:\windows\winsxs\x86_microsoft-windows-t..c-journalnotewriter_31bf3856ad364e35_6.1.7600.16988_none_423e51cfae564d8c\jnwmon.dll
+ 2009-07-13 23:47 . 2009-07-14 01:15    84480              c:\windows\winsxs\x86_microsoft-windows-t..c-journalnotewriter_31bf3856ad364e35_6.1.7600.16988_none_423e51cfae564d8c\jnwdui.dll
+ 2011-06-02 06:15 . 2010-11-20 10:21    15872              c:\windows\winsxs\x86_microsoft-windows-r..s-regkeys-component_31bf3856ad364e35_6.1.7601.21982_none_31d187047f696dc4\rdpvideominiport.sys
+ 2011-06-02 06:15 . 2010-11-20 10:21    15872              c:\windows\winsxs\x86_microsoft-windows-r..s-regkeys-component_31bf3856ad364e35_6.1.7601.17830_none_317bf94166250f97\rdpvideominiport.sys
+ 2012-01-16 22:33 . 2011-11-17 05:34    15872              c:\windows\winsxs\x86_microsoft-windows-lsa_31bf3856ad364e35_6.1.7601.17856_none_a828bb43bb2beb28\sspisrv.dll
+ 2012-01-16 22:33 . 2011-11-17 05:34    22016              c:\windows\winsxs\x86_microsoft-windows-lsa_31bf3856ad364e35_6.1.7601.17856_none_a828bb43bb2beb28\secur32.dll
+ 2012-01-16 22:33 . 2011-11-17 05:29    22528              c:\windows\winsxs\x86_microsoft-windows-lsa_31bf3856ad364e35_6.1.7601.17856_none_a828bb43bb2beb28\lsass.exe
+ 2012-01-16 22:33 . 2011-11-17 05:39    15360              c:\windows\winsxs\x86_microsoft-windows-lsa_31bf3856ad364e35_6.1.7600.17035_none_a656d407bdf6641e\sspisrv.dll
+ 2012-01-16 22:33 . 2011-11-17 05:39    99840              c:\windows\winsxs\x86_microsoft-windows-lsa_31bf3856ad364e35_6.1.7600.17035_none_a656d407bdf6641e\sspicli.dll
+ 2012-01-16 22:33 . 2011-11-17 05:39    22016              c:\windows\winsxs\x86_microsoft-windows-lsa_31bf3856ad364e35_6.1.7600.17035_none_a656d407bdf6641e\secur32.dll
+ 2012-01-16 22:33 . 2011-11-17 05:36    22528              c:\windows\winsxs\x86_microsoft-windows-lsa_31bf3856ad364e35_6.1.7600.17035_none_a656d407bdf6641e\lsass.exe
+ 2012-08-09 15:09 . 2012-06-02 22:19    45080              c:\windows\System32\wups2.dll
+ 2012-08-09 15:09 . 2012-06-02 22:19    35864              c:\windows\System32\wups.dll
+ 2012-08-09 15:09 . 2012-06-02 22:12    88576              c:\windows\System32\wudriver.dll
+ 2012-08-09 15:09 . 2012-06-02 22:19    53784              c:\windows\System32\wuauclt.exe
- 2011-06-02 06:14 . 2010-11-20 12:17    33792              c:\windows\System32\wuapp.exe
+ 2012-08-09 15:09 . 2012-06-02 22:12    33792              c:\windows\System32\wuapp.exe
+ 2011-04-09 03:55 . 2012-08-09 18:01    34332              c:\windows\System32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 04:55 . 2012-08-09 18:01    41164              c:\windows\System32\wdi\BootPerformanceDiagnostics_SystemData.bin
- 2011-05-31 05:38 . 2012-08-09 06:09    32768              c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-05-31 05:38 . 2012-08-09 18:15    32768              c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-05-31 05:38 . 2012-08-09 18:15    32768              c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2011-05-31 05:38 . 2012-08-09 06:09    32768              c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2011-05-31 05:38 . 2012-08-09 18:15    16384              c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2011-05-31 05:38 . 2012-08-09 06:09    16384              c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2012-06-02 22:19 . 2012-06-02 22:19    73088              c:\windows\SoftwareDistribution\SelfUpdate\Handler\WuSetupV.exe
+ 2009-07-14 04:34 . 2012-08-09 17:02    87696              c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat
+ 2009-07-14 00:19 . 2009-07-14 01:07    2048              c:\windows\winsxs\x86_microsoft-windows-msxml60_31bf3856ad364e35_6.1.7601.22012_none_8afce0390e381ffd\msxml6r.dll
+ 2009-07-14 00:19 . 2009-07-14 01:07    2048              c:\windows\winsxs\x86_microsoft-windows-msxml60_31bf3856ad364e35_6.1.7601.17857_none_8a4d2d0df5363b68\msxml6r.dll
+ 2009-07-14 00:19 . 2009-07-14 01:07    2048              c:\windows\winsxs\x86_microsoft-windows-msxml60_31bf3856ad364e35_6.1.7600.21227_none_8910b4b911154eb5\msxml6r.dll
+ 2009-07-14 00:19 . 2009-07-14 01:07    2048              c:\windows\winsxs\x86_microsoft-windows-msxml60_31bf3856ad364e35_6.1.7600.17036_none_887b45d1f800b45e\msxml6r.dll
+ 2009-07-14 00:19 . 2009-07-14 01:07    2048              c:\windows\winsxs\x86_microsoft-windows-msxml30_31bf3856ad364e35_6.1.7601.22012_none_8afd24910e37d31a\msxml3r.dll
+ 2009-07-14 00:19 . 2009-07-14 01:07    2048              c:\windows\winsxs\x86_microsoft-windows-msxml30_31bf3856ad364e35_6.1.7600.21227_none_8910f911111501d2\msxml3r.dll
+ 2009-07-14 00:19 . 2009-07-14 01:07    2048              c:\windows\winsxs\x86_microsoft-windows-msxml30_31bf3856ad364e35_6.1.7600.17036_none_887b8a29f800677b\msxml3r.dll
+ 2011-04-09 01:14 . 2012-08-09 18:01    8152              c:\windows\System32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3806059188-2109455386-291866110-1001_UserData.bin
+ 2012-08-09 15:13 . 2012-08-09 15:13    9560              c:\windows\System32\NetworkList\Icons\{782278D8-8ED0-4BF4-92AF-C144556D75C2}_48.bin
+ 2012-08-09 15:13 . 2012-08-09 15:13    4280              c:\windows\System32\NetworkList\Icons\{782278D8-8ED0-4BF4-92AF-C144556D75C2}_32.bin
+ 2012-08-09 15:13 . 2012-08-09 15:13    2456              c:\windows\System32\NetworkList\Icons\{782278D8-8ED0-4BF4-92AF-C144556D75C2}_24.bin
- 2012-08-09 05:37 . 2012-08-09 05:37    2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-08-09 18:00 . 2012-08-09 18:00    2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-08-09 18:00 . 2012-08-09 18:00    2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2012-08-09 05:37 . 2012-08-09 05:37    2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2012-08-09 15:09 . 2012-06-02 22:19    171904              c:\windows\winsxs\x86_microsoft-windows-w..pdateclient-activex_31bf3856ad364e35_7.6.7600.256_none_09f272fb52ab0c3f\wuwebv.dll
+ 2012-08-09 15:09 . 2012-06-02 22:19    577048              c:\windows\winsxs\x86_microsoft-windows-w..owsupdateclient-aux_31bf3856ad364e35_7.6.7600.256_none_5fe7b2baacf3da43\wuapi.dll
+ 2011-06-02 06:15 . 2010-11-20 12:29    187776              c:\windows\winsxs\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.1.7601.17802_none_b52e5147c4a202d7\FWPKCLNT.SYS
+ 2009-07-13 23:12 . 2009-07-14 01:20    187472              c:\windows\winsxs\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.1.7600.16986_none_b2f57423c7b8dea8\FWPKCLNT.SYS
+ 2009-07-13 23:47 . 2009-07-14 01:15    484352              c:\windows\winsxs\x86_microsoft-windows-tabletpc-journal_31bf3856ad364e35_6.1.7601.21955_none_1a1855541c176f4a\MSPVWCTL.DLL
+ 2009-07-13 23:47 . 2009-07-14 01:15    672768              c:\windows\winsxs\x86_microsoft-windows-tabletpc-journal_31bf3856ad364e35_6.1.7601.21955_none_1a1855541c176f4a\InkSeg.dll
+ 2009-07-13 23:47 . 2009-07-14 01:15    484352              c:\windows\winsxs\x86_microsoft-windows-tabletpc-journal_31bf3856ad364e35_6.1.7601.17803_none_19c2c79102d3111d\MSPVWCTL.DLL
+ 2009-07-13 23:47 . 2009-07-14 01:15    672768              c:\windows\winsxs\x86_microsoft-windows-tabletpc-journal_31bf3856ad364e35_6.1.7601.17803_none_19c2c79102d3111d\InkSeg.dll
+ 2009-07-13 23:47 . 2009-07-14 01:15    484352              c:\windows\winsxs\x86_microsoft-windows-tabletpc-journal_31bf3856ad364e35_6.1.7600.21179_none_18202fda1efdd6b7\MSPVWCTL.DLL
+ 2009-07-13 23:47 . 2009-07-14 01:15    672768              c:\windows\winsxs\x86_microsoft-windows-tabletpc-journal_31bf3856ad364e35_6.1.7600.21179_none_18202fda1efdd6b7\InkSeg.dll
+ 2009-07-13 23:47 . 2009-07-14 01:15    484352              c:\windows\winsxs\x86_microsoft-windows-tabletpc-journal_31bf3856ad364e35_6.1.7600.16988_none_178aeab705e90645\MSPVWCTL.DLL
+ 2009-07-13 23:47 . 2009-07-14 01:15    672768              c:\windows\winsxs\x86_microsoft-windows-tabletpc-journal_31bf3856ad364e35_6.1.7600.16988_none_178aeab705e90645\InkSeg.dll
+ 2009-07-13 23:46 . 2009-07-14 01:16    126464              c:\windows\winsxs\x86_microsoft-windows-t..platform-comruntime_31bf3856ad364e35_6.1.7601.21955_none_ccf754dbae8e9b38\rtscom.dll
+ 2009-07-13 23:46 . 2009-07-14 01:15    216064              c:\windows\winsxs\x86_microsoft-windows-t..platform-comruntime_31bf3856ad364e35_6.1.7601.21955_none_ccf754dbae8e9b38\InkEd.dll
+ 2009-07-13 23:46 . 2009-07-14 01:15    274944              c:\windows\winsxs\x86_microsoft-windows-t..platform-comruntime_31bf3856ad364e35_6.1.7601.21955_none_ccf754dbae8e9b38\InkDiv.dll
+ 2009-07-13 23:46 . 2009-07-14 01:16    126464              c:\windows\winsxs\x86_microsoft-windows-t..platform-comruntime_31bf3856ad364e35_6.1.7601.17803_none_cca1c718954a3d0b\rtscom.dll
+ 2009-07-13 23:46 . 2009-07-14 01:15    216064              c:\windows\winsxs\x86_microsoft-windows-t..platform-comruntime_31bf3856ad364e35_6.1.7601.17803_none_cca1c718954a3d0b\InkEd.dll
+ 2009-07-13 23:46 . 2009-07-14 01:15    274944              c:\windows\winsxs\x86_microsoft-windows-t..platform-comruntime_31bf3856ad364e35_6.1.7601.17803_none_cca1c718954a3d0b\InkDiv.dll
+ 2009-07-13 23:46 . 2009-07-14 01:16    126464              c:\windows\winsxs\x86_microsoft-windows-t..platform-comruntime_31bf3856ad364e35_6.1.7600.21179_none_caff2f61b17502a5\rtscom.dll
+ 2009-07-13 23:46 . 2009-07-14 01:15    216064              c:\windows\winsxs\x86_microsoft-windows-t..platform-comruntime_31bf3856ad364e35_6.1.7600.21179_none_caff2f61b17502a5\InkEd.dll
+ 2009-07-13 23:46 . 2009-07-14 01:15    274944              c:\windows\winsxs\x86_microsoft-windows-t..platform-comruntime_31bf3856ad364e35_6.1.7600.21179_none_caff2f61b17502a5\InkDiv.dll
+ 2009-07-13 23:46 . 2009-07-14 01:16    126464              c:\windows\winsxs\x86_microsoft-windows-t..platform-comruntime_31bf3856ad364e35_6.1.7600.16988_none_ca69ea3e98603233\rtscom.dll
+ 2009-07-13 23:46 . 2009-07-14 01:15    216064              c:\windows\winsxs\x86_microsoft-windows-t..platform-comruntime_31bf3856ad364e35_6.1.7600.16988_none_ca69ea3e98603233\InkEd.dll
+ 2009-07-13 23:46 . 2009-07-14 01:15    274944              c:\windows\winsxs\x86_microsoft-windows-t..platform-comruntime_31bf3856ad364e35_6.1.7600.16988_none_ca69ea3e98603233\InkDiv.dll
+ 2011-06-02 06:16 . 2010-11-20 10:24    134656              c:\windows\winsxs\x86_microsoft-windows-r..s-regkeys-component_31bf3856ad364e35_6.1.7601.21982_none_31d187047f696dc4\rdpudd.dll
+ 2011-06-02 06:16 . 2010-11-20 10:24    134656              c:\windows\winsxs\x86_microsoft-windows-r..s-regkeys-component_31bf3856ad364e35_6.1.7601.17830_none_317bf94166250f97\rdpudd.dll
+ 2012-01-16 22:33 . 2011-11-17 05:34    100352              c:\windows\winsxs\x86_microsoft-windows-lsa_31bf3856ad364e35_6.1.7601.17856_none_a828bb43bb2beb28\sspicli.dll
+ 2012-08-09 15:09 . 2012-06-02 22:19    171904              c:\windows\System32\wuwebv.dll
+ 2012-08-09 15:09 . 2012-06-02 22:19    577048              c:\windows\System32\wuapi.dll
+ 2009-07-14 02:05 . 2012-08-09 18:06    624178              c:\windows\System32\perfh009.dat
- 2009-07-14 02:05 . 2012-08-09 05:41    624178              c:\windows\System32\perfh009.dat
+ 2009-07-14 02:05 . 2012-08-09 18:06    106522              c:\windows\System32\perfc009.dat
- 2009-07-14 02:05 . 2012-08-09 05:41    106522              c:\windows\System32\perfc009.dat
+ 2009-07-14 04:47 . 2012-08-09 17:59    396356              c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2009-07-14 04:47 . 2012-08-09 05:36    396356              c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2011-06-02 06:15 . 2010-11-05 01:53    1736536              c:\windows\winsxs\x86_presentationcore_31bf3856ad364e35_6.1.7601.17755_none_ae0e4090ee55e5f0\wpfgfx_v0300.dll
+ 2012-08-09 15:09 . 2012-06-02 22:12    2422272              c:\windows\winsxs\x86_microsoft-windows-windowsupdateclient-ui_31bf3856ad364e35_7.6.7600.256_none_f7839c193937c3f1\wucltux.dll
+ 2012-08-09 15:09 . 2012-06-02 22:19    1933848              c:\windows\winsxs\x86_microsoft-windows-w..wsupdateclient-core_31bf3856ad364e35_7.6.7600.256_none_79d6786e99338140\wuaueng.dll
+ 2011-06-02 06:15 . 2010-11-20 12:17    1785344              c:\windows\winsxs\x86_microsoft-windows-tabletpc-journal_31bf3856ad364e35_7.1.7601.17803_none_0b3343d68db9b9ec\Journal.exe
+ 2011-06-02 06:15 . 2010-11-20 12:17    1785344              c:\windows\winsxs\x86_microsoft-windows-tabletpc-journal_31bf3856ad364e35_6.1.7601.17803_none_19c2c79102d3111d\Journal.exe
+ 2009-07-13 23:49 . 2009-07-14 01:14    1785344              c:\windows\winsxs\x86_microsoft-windows-tabletpc-journal_31bf3856ad364e35_6.1.7600.16988_none_178aeab705e90645\Journal.exe
+ 2009-07-14 00:02 . 2009-07-14 01:15    1415168              c:\windows\winsxs\x86_microsoft-windows-t..platform-comruntime_31bf3856ad364e35_6.1.7601.17803_none_cca1c718954a3d0b\InkObj.dll
+ 2009-07-14 00:02 . 2009-07-14 01:15    1415168              c:\windows\winsxs\x86_microsoft-windows-t..platform-comruntime_31bf3856ad364e35_6.1.7600.16988_none_ca69ea3e98603233\InkObj.dll
+ 2012-01-16 22:33 . 2011-11-17 05:32    1038848              c:\windows\winsxs\x86_microsoft-windows-lsa_31bf3856ad364e35_6.1.7601.17856_none_a828bb43bb2beb28\lsasrv.dll
+ 2012-01-16 22:33 . 2011-11-17 05:38    1037312              c:\windows\winsxs\x86_microsoft-windows-lsa_31bf3856ad364e35_6.1.7600.17035_none_a656d407bdf6641e\lsasrv.dll
+ 2012-08-09 15:09 . 2012-06-02 22:12    2422272              c:\windows\System32\wucltux.dll
+ 2012-08-09 15:09 . 2012-06-02 22:19    1933848              c:\windows\System32\wuaueng.dll
+ 2009-07-14 02:03 . 2012-08-09 15:29    7340032              c:\windows\System32\SMI\Store\Machine\schema.dat
- 2009-07-14 02:03 . 2012-03-14 14:27    7340032              c:\windows\System32\SMI\Store\Machine\schema.dat
- 2009-07-14 04:34 . 2012-03-14 14:31    5980439              c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat
+ 2009-07-14 04:34 . 2012-08-09 16:48    5980439              c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat
+ 2011-04-09 04:38 . 2012-08-09 17:59    2253476              c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-3806059188-2109455386-291866110-1001-12288.dat
+ 2011-04-09 03:51 . 2012-08-09 17:59    38633760              c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-3806059188-2109455386-291866110-1001-8192.dat
+ 2011-05-31 05:55 . 2012-08-09 15:18    127004364              c:\windows\winsxs\ManifestCache\a786a517e28d5687_blobs.bin
.
-- Snapshot reset to current date --
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-07-03 16:21    121528    ----a-w-    c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1174016]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-07-03 4273976]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-06-12 09:38    34672    ----a-w-    c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2011-02-12 02:26    171032    ----a-w-    c:\windows\System32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2011-02-12 02:26    137752    ----a-w-    c:\windows\System32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2011-02-12 02:26    172568    ----a-w-    c:\windows\System32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-10-29 21:49    249064    ----a-w-    c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2010-05-28 05:31    1721640    ----a-w-    c:\program files\Synaptics\SynTP\SynTPEnh.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SysTrayApp]
2010-03-23 21:53    495708    ----a-w-    c:\program files\IDT\WDM\sttray.exe
.
R3 pwdrvio;pwdrvio;c:\windows\system32\pwdrvio.sys [x]
R3 pwdspio;pwdspio;c:\windows\system32\pwdspio.sys [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R4 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_9691412ff1876250\aestsrv.exe [x]
R4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [x]
R4 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [x]
R4 hpsrv;HP Service;c:\windows\system32\Hpservice.exe [x]
R4 PuranDefrag;PuranDefrag;c:\windows\system32\PuranDefragS.exe [x]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [x]
S2 TeamViewer6;TeamViewer 6;c:\program files\TeamViewer\Version6\TeamViewer_Service.exe [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [x]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-03-26 01:47]
.
2012-08-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-03-26 01:47]
.
2012-08-09 c:\windows\Tasks\PC Optimizer Pro startups.job
- c:\program files\PC Optimizer Pro\StartApps.exe [2011-06-10 07:41]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
Trusted Zone: intuit.com\ttlc
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
FF - ProfilePath - c:\users\David\AppData\Roaming\Mozilla\Firefox\Profiles\oydg7dbs.default\
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(2776)
c:\windows\system32\igd10umd32.dll
.
Completion time: 2012-08-09  12:17:23
ComboFix-quarantined-files.txt  2012-08-09 19:17
.
Pre-Run: 99,225,088,000 bytes free
Post-Run: 99,066,867,712 bytes free
.
- - End Of File - - 05F2A8773531733AF926981080DED708
    The weird thing is that performance is good, fast and snappy so I'd like to save this install for the owner if possible.
    Multiple serious infections Attached Files
      My Computer
    Quote Quote

  3. OldMX
    Posts : 687
    Microsoft Windows 10 Professional / Windows 7 Professional
       New #2

    How to remove malware belonging to the family Rootkit.Win32.TDSS (aka Tidserv, TDSServ, Alureon)?

    See if that helps?
      My Computer
    Quote Quote

  4. gregrocker
    Posts : 50,642
    Thread Starter
       New #3

    OK Thanks, running that now.

    I rooted PC Optimizer Pro out by searching registry for PCOpt and deleting a dozen listings, then found a Program File which I deleted, rooting out a stubborn tray item by ending it's Process.
      My Computer
    Quote Quote

  6. OldMX
    Posts : 687
    Microsoft Windows 10 Professional / Windows 7 Professional
       New #4

    been there...done that brother, good luck
      My Computer
    Quote Quote

  7. gregrocker
    Posts : 50,642
    Thread Starter
       New #5

    TDSS killer won't run, either from desktop or flash stick. I don't see any process for it opening in Task Manager either.

    I tried to rename it svchost.exe which will sometimes sneak ComboFix past an infection, but it fails the Remote Procedural Call.
      My Computer
    Quote Quote

  8. shawn77
    Posts : 143
    32 bit
       New #6

    Try this tool-fixtdss

    Backdoor.Tidserv Removal Tool | Symantec

    Do you have a 10 mb partition in disk management?
      My Computer
    Quote Quote

  10. gregrocker
    Posts : 50,642
    Thread Starter
       New #7

    No why would there be such a partition?

    Where do you see that there is Backdoor.tidserv on this PC? I must be missing it.
      My Computer
    Quote Quote

  11. shawn77
    Posts : 143
    32 bit
       New #8

    why do you ask questions before trying running the tools? just joking

    Let me ask you question.Can you guess which infection blocked you from running tdsskiller?

    Do you say that you need to have backdoor.tidserv in your logs to run this tool? What did Avast show you? MBR alureon?
    What is MBR alureon? Why did Avast do that?

    Research and you will get the answer
      My Computer
    Quote Quote

  12. Borg 386
    Posts : 7,781
    Win 7 32 Home Premium, Win 7 64 Pro, Win 8.1, Win 10
       New #9

    gregrocker said:
    No why would there be such a partition?
    Alureon usually puts a hidden boot partition on the the infected system. Sometimes it shows up in disk management, most times it doesn't.

    If you d/l G Parted, boot from that & examine the drive, you'll probably find a hidden partition between 1 - 10 MB (although the usual size is 1 - 3 MB). Delete this partition & then run TDSKiller again, make sure to click the "change parameters" option & make sure all the boxes are checked. This should clean out any leftover files.

    A follow up with Windows Defender offline would be a good idea to see if it introduced any other viruses.
    Last edited by Borg 386; 10 Aug 2012 at 09:06.
      My Computer
    Quote Quote

  13. OldMX
    Posts : 687
    Microsoft Windows 10 Professional / Windows 7 Professional
       New #10

    greg, its time to remove that disk and use an adapter so you can clean it with another computer, or perform a clean install
      My Computer
    Quote Quote

 
Page 1 of 2 12 LastLast

  Related Discussions
I recently came here to the forums to remove HAPPILI. I followed several of the steps in a certain thread but still got redirected to HAPPILI. Now (a couple days later) I have stopped seeing HAPPILI redirect but am getting redirected to another fake search results page...very generic looking,...
Hello, I've had a lot of problems with my computer recently, for example, not being able to boot up and system repair not working and many more. I reinstalled my system, transferred my files from the external hard drive back onto the computer but still the problem occured, only even worse. This...
virus infections
in System Security

hey gang. I work at a service depot as a depot technician. I'm studying the MCTS, and a few of my collegues were discussing infections and how they're related to having or not having a NAT firewall device (hardware; i.e. router). Their argument was that not having a router vs. having a router...
I'm just curious to know: How many of you have ever lost information due to an infection of some sort? Did you manage to recover all or any of your data? How has it changed your approach to system security now? Multiple answers are allowed, if you only choose 1 otion, please make it the...
Our Sites
Site Links
About Us
Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

 © Designer Media Ltd
All times are GMT -5. The time now is 23:06.
Find Us