
Topic: Badly infected computer

nottheoneyouknow (Topic Starter)

    Badly infected computer
    « on: January 31, 2010, 06:28:06 PM »
    I'm working on a friend's Windows XP computer that has, at the very least, a Security Tool infection.  I've successfully cleaned a couple of other computers, but this one has me stymied.  Because Security Tool is intercepting the commands, I can't install mbam or HJT on it. I can't get it to go into safe mode. I tried booting it to an Fsecure boot cd and to UBCD, but it hangs - just get a black screen and all drive activity stops if I press a key during bootup. (If I don't press a key with a CD in, it boots to XP.)  I've tested the cds on other computers and they work fine. 

    Any ideas how to get around this?

    SuperDave (Malware Removal Specialist, Moderator)
    Re: Badly infected computer
    « Reply #1 on: January 31, 2010, 07:22:54 PM »
    Hello nottheoneyouknow and welcome to Computer Hope Forum. My name is Superdave but you can just call me SD. I will be helping you out with your particular problem on your computer. I am working under the guidance of one of the specialists of this forum, so it may take a bit longer to process your logs.

    1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
    2. The fixes are specific to your problem and should only be used for this issue on this machine.
    3. If you don't know or understand something, please don't hesitate to ask.
    4. Please DO NOT run any other tools or scans while I am helping you.
    5. It is important that you reply to this thread. Do not start a new topic.
    6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
    7. Absence of symptoms does not mean that everything is clear.

    Quote: "it boots to XP"
    What does this mean? Are you able to boot and access the internet? Are you sure that the F-Secure CD is burned properly? It's an ISO image and must be burned with an ISO burner. Please don't take these questions the wrong way. I'm just trying to get all the information I need to help you.

      nottheoneyouknow (Topic Starter)

      Re: Badly infected computer
      « Reply #2 on: February 01, 2010, 03:55:44 PM »
      Thanks, SD.  I'll try to give you as much information as I can - some of it may be useless, but hopefully I can get enough for you.

      Other computers boot fine off the CDs, so I don't believe that is the issue. 

      When I say it boots into XP, I mean that it goes through the normal login process.  After login, I get a rundll error saying it can't find exacuvuhoxuquxoj.dll, then a few seconds later all items on the desktop disappear and Security Tool opens.  I can get to the desktop from the startbar and everything is still there, it's just hidden at this point.  I can put in a USB drive, and it will recognize the drive and allow me to access the files - the same is true for CDs.  I don't know if it can access the internet, because I don't want it on my network since I have no idea what malware is on it beyond Security Tool, though if you think it's an important test, I can shut everything else down and put it on alone. 

      When I try to run a program, like MBAM or AVG for example, Security Tool is intercepting the command and puts up a warning that the file is infected.  It does that for restore, cmd and task manager as well. It will allow Internet Explorer to run, though as I mentioned, it was not online.

      I have tried every method I've ever heard of to get it into safe mode or into BIOS, all without success. I've tried esc, del, f2, f8, f10, and f12, both tapping them throughout boot, and holding them throughout boot.  I've tried shutting the computer off in the middle of a boot and restarting it, to get into safe mode.

      The computer is an old Dell desktop - not sure how old, but it was running Windows XP satisfactorily until sometime last summer, when my friend first started complaining about virus issues.  She continued to use it until it became unusable, and finally brought it over to me.  System Information is one of the programs it's intercepting, so I can't tell you much more about the machine without opening it up.

      As I was typing this, it bluescreened, but I did not catch the information on the screen before it rebooted.  If it does it again, I will get you that info.

      Thanks for your help, and let me know what other information you need.


      SuperDave (Malware Removal Specialist, Moderator)
      Re: Badly infected computer
      « Reply #3 on: February 01, 2010, 04:39:36 PM »
      Let's take a chance and go on-line to run this.

      Please download and run the below tool named Rkill (courtesy of BleepingComputer.com), which may help allow other programs to run.
      Save Rkill to your desktop.

      There are 4 different versions. If one of them won't run, then download and try to run the other one.

      Vista and Win7 users need to right click Rkill and choose Run as Administrator.

      You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

      • Rkill.exe
      • Rkill.com
      • Rkill.scr
      • Rkill.pif

      Once you've gotten one of them to run, then try to immediately run the following.

      Now download and run exeHelper.

      Please download exeHelper from Raktor to your desktop.
      • Double-click on exeHelper.com to run the fix. A black window should pop up; press any key to close once the fix is completed. A log file named log.txt will be created in the directory where you ran exeHelper.com. Attach the log.txt file to your next message.

        Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).
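The step above (Rkill to get a foothold, then exeHelper to repair what the rogue changed) is aimed at the launch interception the thread describes: every program the user starts is answered with a "file is infected" pop-up. The script below is an added example, not part of the thread and not Rkill's or exeHelper's code. It audits the two registry locations that rogues of this kind most commonly hijack to get between the user and every executable: the `exefile\shell\open\command` file association and the per-image `Debugger` value under Image File Execution Options. Which of these, if any, Security Tool used on this machine is an assumption of the example, not something the thread establishes; a rogue that simply watches for and kills new processes by name leaves nothing in either key, so a clean result here does not clear the box. Everything under `read_live_values()` uses the standard `winreg` module and only runs on Windows; off Windows the script exercises the same checks against a constructed sample, whose paths and names are made up.

```python
"""Audit the two registry hijacks that most often turn every .exe launch into a bogus
"file is infected" pop-up, as described in the thread above.

Added example, not part of the thread or of Rkill/exeHelper. Which hijack (if any)
the rogue on this machine used is an assumption; a resident process that kills
new processes by name would leave both keys untouched.
"""
import sys

# Stock default value of HKCR\exefile\shell\open\command on Windows XP.
EXPECTED_EXEFILE_COMMAND = '"%1" %*'

# Programs the thread says the rogue blocked. An IFEO "Debugger" value under any of
# these image names makes Windows launch the Debugger instead of the program.
WATCHED_IMAGES = {
    "mbam.exe", "taskmgr.exe", "cmd.exe", "rstrui.exe", "msinfo32.exe",
    "avgui.exe", "tdsskiller.exe", "rkill.exe", "exehelper.com",
}

# Constructed sample of a hijacked exefile command: a rogue binary receives the real
# program path as an argument and decides whether to run it. Path and name are made up.
HIJACKED_EXEFILE = (
    '"C:\\Documents and Settings\\All Users\\Application Data\\rogue\\rogue.exe" /START "%1" %*'
)


def check_exefile_command(value):
    """Return None when the exefile open command is the stock one, else the bad value."""
    if value is None:
        return "missing"
    if value.strip().lower() == EXPECTED_EXEFILE_COMMAND.lower():
        return None
    return value


def check_ifeo(debuggers):
    """debuggers maps image name -> Debugger value (None if absent).

    Returns the watched images that have been redirected to another binary.
    """
    return {img: dbg for img, dbg in debuggers.items() if img.lower() in WATCHED_IMAGES and dbg}


def audit(exefile_command, ifeo_debuggers):
    """Combine both checks into a list of findings; an empty list means nothing to repair."""
    findings = []
    bad = check_exefile_command(exefile_command)
    if bad is not None:
        findings.append(("exefile", bad))
    for img, dbg in sorted(check_ifeo(ifeo_debuggers).items()):
        findings.append(("ifeo", img, dbg))
    return findings


def read_live_values():
    """Read the real keys on a Windows host; returns (exefile_command, {image: debugger}).

    HKCU\\Software\\Classes\\exefile overrides the HKLM (HKCR) copy for the logged-on
    user, so the per-user key is read first and wins when present.
    """
    import winreg  # standard library, Windows only

    def default_value(root, path):
        try:
            with winreg.OpenKey(root, path) as key:
                return winreg.QueryValueEx(key, "")[0]  # "" selects the (Default) value
        except OSError:
            return None

    cmd = default_value(winreg.HKEY_CURRENT_USER, r"Software\Classes\exefile\shell\open\command")
    if cmd is None:
        cmd = default_value(winreg.HKEY_CLASSES_ROOT, r"exefile\shell\open\command")

    ifeo = {}
    ifeo_path = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, ifeo_path) as root:
            index = 0
            while True:
                try:
                    name = winreg.EnumKey(root, index)
                except OSError:
                    break  # no more subkeys
                index += 1
                try:
                    with winreg.OpenKey(root, name) as sub:
                        ifeo[name] = winreg.QueryValueEx(sub, "Debugger")[0]
                except OSError:
                    pass  # subkey has no Debugger value: nothing to report
    except OSError:
        pass  # IFEO key unreadable or absent
    return cmd, ifeo


if __name__ == "__main__":
    if sys.platform == "win32":
        findings = audit(*read_live_values())
    else:
        # Off Windows, run the same checks against the constructed sample.
        findings = audit(HIJACKED_EXEFILE, {"taskmgr.exe": "C:\\rogue\\rogue.exe", "notepad.exe": None})
    for finding in findings or [("clean",)]:
        print(*finding)
```

On the box in the thread the script itself would be blocked like every other program, which is why the advice above starts with Rkill; the check is useful once something can run, and to confirm that exeHelper's repair actually took. A finding of `("exefile", ...)` means double-clicking any .exe goes through the rogue first; an `("ifeo", image, debugger)` finding means that particular tool is redirected even when the association is fine.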

        nottheoneyouknow (Topic Starter)

        Re: Badly infected computer
        « Reply #4 on: February 01, 2010, 11:02:33 PM »
        I can't get it online.  I connected it to the network and got an IP, but IE won't connect to anything.  

        I downloaded the files, and put them on a flash drive.  AVG flagged exehelper and I was not able to copy it to the computer.  I tried to shut down AVG, but can't open AVG to do that.  I ran the rkill files - they open a DOS window for a second, then it goes away and I get a message that the file is infected, but I can't detect that any other changes happen.  I tried running exehelper from the flash, also without luck.


        evilfantasy (Malware Removal Specialist, Moderator)
        Re: Badly infected computer
        « Reply #5 on: February 02, 2010, 02:20:12 PM »
        Have you turned off your antivirus before running RKill and exeHelper?

        Also try this please. Use the flash drive to transfer it over. Turn off your antivirus before running.

        Please run TDSSKiller per the below steps:

        * Go to TDSSKiller and download TDSSKiller.zip to your Desktop.
        * Extract its contents to your Desktop so that you have TDSSKiller.exe directly on your Desktop and not in any sub-folder of the Desktop.
        * Click Start > Run, copy/paste the following command into the Run box and hit Enter on your keyboard:

        "%userprofile%\Desktop\TDSSKiller.exe" -v

        * Follow the instructions to type in "delete" when it asks you what to do when it finds something.
        * When done, a log file should be created on your C: drive called 'TDSSKiller.txt'. Please add this log to your next reply.

          nottheoneyouknow (Topic Starter)

          Re: Badly infected computer
          « Reply #6 on: February 02, 2010, 05:12:38 PM »
          I have tried to shut down AVG, but Security Tool is intercepting avgui.exe and preventing it from running.  Is there a command I can run to shut down AVG?

          Tried TDSSKiller.exe - the first time I ran it, I got a message that said I didn't have the proper privileges to run it.  Sidenote: This computer was originally set up to log in from home to a corporate network (when they parted ways, they left her the computer but didn't wipe it, so her account has whatever privileges were set by the corporate IT guy), and I don't know the administrator password on it.  And with Security Tool intercepting most of the things I try, I'm not sure how to even check what her account privileges are.

          I tried it again, and got a CMD window for a second or so, which then disappeared, followed by a message from Security Tool that TDSSKiller was a virus.  The log from that run is here:

          15:49:10:312 2152   TDSS rootkit removing tool 2.2.2 Jan 13 2010 08:42:25
          15:49:10:312 2152   ================================================================================
          15:49:10:312 2152   SystemInfo:

          15:49:10:312 2152   OS Version: 5.1.2600 ServicePack: 2.0
          15:49:10:312 2152   Product type: Workstation
          15:49:10:312 2152   ComputerName: N16468
          15:49:10:312 2152   UserName: eduffy
          15:49:10:312 2152   Windows directory: C:\WINDOWS
          15:49:10:312 2152   Processor architecture: Intel x86
          15:49:10:312 2152   Number of processors: 2
          15:49:10:312 2152   Page size: 0x1000
          15:49:10:312 2152   Boot type: Normal boot
          15:49:10:312 2152   ================================================================================
          15:49:10:328 2152   UnloadDriverW: NtUnloadDriver error 2
          15:49:10:328 2152   ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
          15:49:10:359 2152   MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
          15:49:10:437 2152   UtilityInit: KLMD drop and load success
          15:49:10:437 2152   KLMD_OpenDevice: Trying to open KLMD Device(KLMD201000)
          15:49:10:437 2152   UtilityInit: KLMD open success
          15:49:10:437 2152   UtilityInit: Initialize success
          15:49:10:437 2152   
          15:49:10:437 2152   Scanning   Services ...
          15:49:10:437 2152   CreateRegParser: Registry parser init started
          15:49:10:437 2152   DisableWow64Redirection: GetProcAddress(Wow64DisableWow64FsRedirection) error 127
          15:49:10:437 2152   CreateRegParser: DisableWow64Redirection error
          15:49:10:437 2152   wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
          15:49:10:437 2152   MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\system) returned status C0000043
          15:49:10:437 2152   wfopen_ex: MyNtCreateFileW error 32 (C0000043)
          15:49:10:437 2152   wfopen_ex: Trying to KLMD file open
          15:49:10:437 2152   KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\system
          15:49:10:437 2152   wfopen_ex: File opened ok (Flags 2)
          15:49:10:437 2152   CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\system) init success: AC4908
          15:49:10:437 2152   wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
          15:49:10:437 2152   MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\software) returned status C0000043
          15:49:10:437 2152   wfopen_ex: MyNtCreateFileW error 32 (C0000043)
          15:49:10:437 2152   wfopen_ex: Trying to KLMD file open
          15:49:10:437 2152   KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\software
          15:49:10:453 2152   wfopen_ex: File opened ok (Flags 2)
          15:49:10:453 2152   CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\software) init success: AC49B0
          15:49:10:453 2152   EnableWow64Redirection: GetProcAddress(Wow64RevertWow64FsRedirection) error 127
          15:49:10:453 2152   CreateRegParser: EnableWow64Redirection error
          15:49:10:453 2152   CreateRegParser: RegParser init completed



          I tried a couple of times, and got similar logs.  I decided to try running rkill immediately before the command and it ran longer, but never reached the point where it prompted me to delete anything. I got the following log: 


          15:49:56:234 2160   TDSS rootkit removing tool 2.2.2 Jan 13 2010 08:42:25
          15:49:56:234 2160   ================================================================================
          15:49:56:234 2160   SystemInfo:

          15:49:56:234 2160   OS Version: 5.1.2600 ServicePack: 2.0
          15:49:56:234 2160   Product type: Workstation
          15:49:56:234 2160   ComputerName: N16468
          15:49:56:234 2160   UserName: eduffy
          15:49:56:234 2160   Windows directory: C:\WINDOWS
          15:49:56:234 2160   Processor architecture: Intel x86
          15:49:56:234 2160   Number of processors: 2
          15:49:56:234 2160   Page size: 0x1000
          15:49:56:234 2160   Boot type: Normal boot
          15:49:56:234 2160   ================================================================================
          15:49:56:250 2160   UnloadDriverW: NtUnloadDriver error 2
          15:49:56:250 2160   ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
          15:49:56:250 2160   MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
          15:49:56:296 2160   UtilityInit: KLMD drop and load success
          15:49:56:296 2160   KLMD_OpenDevice: Trying to open KLMD Device(KLMD201000)
          15:49:56:296 2160   UtilityInit: KLMD open success
          15:49:56:296 2160   UtilityInit: Initialize success
          15:49:56:296 2160   
          15:49:56:296 2160   Scanning   Services ...
          15:49:56:296 2160   CreateRegParser: Registry parser init started
          15:49:56:296 2160   DisableWow64Redirection: GetProcAddress(Wow64DisableWow64FsRedirection) error 127
          15:49:56:296 2160   CreateRegParser: DisableWow64Redirection error
          15:49:56:296 2160   wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
          15:49:56:296 2160   MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\system) returned status C0000043
          15:49:56:296 2160   wfopen_ex: MyNtCreateFileW error 32 (C0000043)
          15:49:56:296 2160   wfopen_ex: Trying to KLMD file open
          15:49:56:296 2160   KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\system
          15:49:56:296 2160   wfopen_ex: File opened ok (Flags 2)
          15:49:56:296 2160   CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\system) init success: AC4908
          15:49:56:296 2160   wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
          15:49:56:296 2160   MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\software) returned status C0000043
          15:49:56:296 2160   wfopen_ex: MyNtCreateFileW error 32 (C0000043)
          15:49:56:296 2160   wfopen_ex: Trying to KLMD file open
          15:49:56:296 2160   KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\software
          15:49:56:296 2160   wfopen_ex: File opened ok (Flags 2)
          15:49:56:296 2160   CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\software) init success: AC49B0
          15:49:56:296 2160   EnableWow64Redirection: GetProcAddress(Wow64RevertWow64FsRedirection) error 127
          15:49:56:296 2160   CreateRegParser: EnableWow64Redirection error
          15:49:56:296 2160   CreateRegParser: RegParser init completed
          15:49:56:781 2160   GetAdvancedServicesInfo: Raw services enum returned 315 services
          15:49:56:796 2160   fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
          15:49:56:796 2160   fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
          15:49:56:796 2160   
          15:49:56:796 2160   Scanning   Kernel memory ...
          15:49:56:796 2160   KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
          15:49:56:796 2160   DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 8638D920
          15:49:56:796 2160   DetectCureTDL3: KLMD_GetDeviceObjectList returned 5 DevObjects
          15:49:56:796 2160   
          15:49:56:796 2160   DetectCureTDL3: DEVICE_OBJECT: 85BA6C68
          15:49:56:796 2160   KLMD_GetLowerDeviceObject: Trying to get lower device object for 85BA6C68
          15:49:56:796 2160   KLMD_ReadMem: Trying to ReadMemory 0x85BA6C68[0x38]
          15:49:56:796 2160   DetectCureTDL3: DRIVER_OBJECT: 8638D920
          15:49:56:796 2160   KLMD_ReadMem: Trying to ReadMemory 0x8638D920[0xA8]
          15:49:56:796 2160   KLMD_ReadMem: Trying to ReadMemory 0xE15BFB58[0x18]
          15:49:56:796 2160   DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
          15:49:56:796 2160   DetectCureTDL3: IrpHandler (0) addr: F7653C30
          15:49:56:796 2160   DetectCureTDL3: IrpHandler (1) addr: 804F9709
          15:49:56:796 2160   DetectCureTDL3: IrpHandler (2) addr: F7653C30
          15:49:56:796 2160   DetectCureTDL3: IrpHandler (3) addr: F764DD9B
          15:49:56:796 2160   DetectCureTDL3: IrpHandler (4) addr: F764DD9B
          15:49:56:796 2160   DetectCureTDL3: IrpHandler (5) addr: 804F9709
          15:49:56:796 2160   DetectCureTDL3: IrpHandler (6) addr: 804F9709
          15:49:56:796 2160   DetectCureTDL3: IrpHandler (7) addr: 804F9709
          15:49:56:796 2160   DetectCureTDL3: IrpHandler (8) addr: 804F9709
          15:49:56:796 2160   DetectCureTDL3: IrpHandler (9) addr: F764E366
          15:49:56:796 2160   DetectCureTDL3: IrpHandler (10) addr: 804F9709
          15:49:56:796 2160   DetectCureTDL3: IrpHandler (11) addr: 804F9709
          15:49:56:796 2160   DetectCureTDL3: IrpHandler (12) addr: 804F9709
          15:49:56:796 2160   DetectCureTDL3: IrpHandler (13) addr: 804F9709
          15:49:56:796 2160   DetectCureTDL3: IrpHandler (14) addr: F764E44D
          15:49:56:796 2160   DetectCureTDL3: IrpHandler (15) addr: F7651FC3
          15:49:56:796 2160   DetectCureTDL3: IrpHandler (16) addr: F764E366
          15:49:56:796 2160   DetectCureTDL3: IrpHandler (17) addr: 804F9709
          15:49:56:796 2160   DetectCureTDL3: IrpHandler (18) addr: 804F9709
          15:49:56:796 2160   DetectCureTDL3: IrpHandler (19) addr: 804F9709
          15:49:56:796 2160   DetectCureTDL3: IrpHandler (20) addr: 804F9709
          15:49:56:796 2160   DetectCureTDL3: IrpHandler (21) addr: 804F9709
          15:49:56:796 2160   DetectCureTDL3: IrpHandler (22) addr: F764FEF3
          15:49:56:796 2160   DetectCureTDL3: IrpHandler (23) addr: F7654A24
          15:49:56:796 2160   DetectCureTDL3: IrpHandler (24) addr: 804F9709
          15:49:56:796 2160   DetectCureTDL3: IrpHandler (25) addr: 804F9709
          15:49:56:796 2160   DetectCureTDL3: IrpHandler (26) addr: 804F9709
          15:49:56:796 2160   TDL3_FileDetect: Processing driver: Disk
          15:49:56:796 2160   TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
          15:49:56:796 2160   KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
          15:49:56:859 2160   TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
          15:49:56:859 2160   
          15:49:56:859 2160   DetectCureTDL3: DEVICE_OBJECT: 85C91AB8
          15:49:56:859 2160   KLMD_GetLowerDeviceObject: Trying to get lower device object for 85C91AB8
          15:49:56:859 2160   DetectCureTDL3: DEVICE_OBJECT: 85C5DC50
          15:49:56:859 2160   KLMD_GetLowerDeviceObject: Trying to get lower device object for 85C5DC50
          15:49:56:859 2160   KLMD_ReadMem: Trying to ReadMemory 0x85C5DC50[0x38]
          15:49:56:859 2160   DetectCureTDL3: DRIVER_OBJECT: 85EA7030
          15:49:56:859 2160   KLMD_ReadMem: Trying to ReadMemory 0x85EA7030[0xA8]
          15:49:56:859 2160   KLMD_ReadMem: Trying to ReadMemory 0xE7D0BCF0[0x1E]
          15:49:56:859 2160   DetectCureTDL3: DRIVER_OBJECT name: \Driver\usbstor, Driver Name: usbstor
          15:49:56:859 2160   DetectCureTDL3: IrpHandler (0) addr: F78AA218
          15:49:56:859 2160   DetectCureTDL3: IrpHandler (1) addr: 804F9709
          15:49:56:859 2160   DetectCureTDL3: IrpHandler (2) addr: F78AA218
          15:49:56:859 2160   DetectCureTDL3: IrpHandler (3) addr: F78AA23C
          15:49:56:859 2160   DetectCureTDL3: IrpHandler (4) addr: F78AA23C
          15:49:56:859 2160   DetectCureTDL3: IrpHandler (5) addr: 804F9709
          15:49:56:859 2160   DetectCureTDL3: IrpHandler (6) addr: 804F9709
          15:49:56:859 2160   DetectCureTDL3: IrpHandler (7) addr: 804F9709
          15:49:56:859 2160   DetectCureTDL3: IrpHandler (8) addr: 804F9709
          15:49:56:859 2160   DetectCureTDL3: IrpHandler (9) addr: 804F9709
          15:49:56:859 2160   DetectCureTDL3: IrpHandler (10) addr: 804F9709
          15:49:56:859 2160   DetectCureTDL3: IrpHandler (11) addr: 804F9709
          15:49:56:859 2160   DetectCureTDL3: IrpHandler (12) addr: 804F9709
          15:49:56:859 2160   DetectCureTDL3: IrpHandler (13) addr: 804F9709
          15:49:56:859 2160   DetectCureTDL3: IrpHandler (14) addr: F78AA180
          15:49:56:859 2160   DetectCureTDL3: IrpHandler (15) addr: F78A59E6
          15:49:56:859 2160   DetectCureTDL3: IrpHandler (16) addr: 804F9709
          15:49:56:859 2160   DetectCureTDL3: IrpHandler (17) addr: 804F9709
          15:49:56:859 2160   DetectCureTDL3: IrpHandler (18) addr: 804F9709
          15:49:56:859 2160   DetectCureTDL3: IrpHandler (19) addr: 804F9709
          15:49:56:859 2160   DetectCureTDL3: IrpHandler (20) addr: 804F9709
          15:49:56:859 2160   DetectCureTDL3: IrpHandler (21) addr: 804F9709
          15:49:56:859 2160   DetectCureTDL3: IrpHandler (22) addr: F78A95F0
          15:49:56:859 2160   DetectCureTDL3: IrpHandler (23) addr: F78A7A6E
          15:49:56:859 2160   DetectCureTDL3: IrpHandler (24) addr: 804F9709
          15:49:56:859 2160   DetectCureTDL3: IrpHandler (25) addr: 804F9709
          15:49:56:859 2160   DetectCureTDL3: IrpHandler (26) addr: 804F9709
          15:49:56:859 2160   KLMD_ReadMem: Trying to ReadMemory 0xF78A6F26[0x400]
          15:49:56:859 2160   TDL3_StartIoHookDetect: CheckParameters: 0, 00000000, 0
          15:49:56:859 2160   TDL3_FileDetect: Processing driver: usbstor
          15:49:56:859 2160   TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
          15:49:56:859 2160   KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
          15:49:56:890 2160   TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: Clean
          15:49:56:890 2160   
          15:49:56:890 2160   DetectCureTDL3: DEVICE_OBJECT: 86351C68
          15:49:56:890 2160   KLMD_GetLowerDeviceObject: Trying to get lower device object for 86351C68
          15:49:56:890 2160   KLMD_ReadMem: Trying to ReadMemory 0x86351C68[0x38]
          15:49:56:890 2160   DetectCureTDL3: DRIVER_OBJECT: 8638D920
          15:49:56:890 2160   KLMD_ReadMem: Trying to ReadMemory 0x8638D920[0xA8]
          15:49:56:890 2160   KLMD_ReadMem: Trying to ReadMemory 0xE15BFB58[0x18]
          15:49:56:890 2160   DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
          15:49:56:890 2160   DetectCureTDL3: IrpHandler (0) addr: F7653C30
          15:49:56:890 2160   DetectCureTDL3: IrpHandler (1) addr: 804F9709
          15:49:56:890 2160   DetectCureTDL3: IrpHandler (2) addr: F7653C30
          15:49:56:890 2160   DetectCureTDL3: IrpHandler (3) addr: F764DD9B
          15:49:56:890 2160   DetectCureTDL3: IrpHandler (4) addr: F764DD9B
          15:49:56:890 2160   DetectCureTDL3: IrpHandler (5) addr: 804F9709
          15:49:56:890 2160   DetectCureTDL3: IrpHandler (6) addr: 804F9709
          15:49:56:890 2160   DetectCureTDL3: IrpHandler (7) addr: 804F9709
          15:49:56:890 2160   DetectCureTDL3: IrpHandler (8) addr: 804F9709
          15:49:56:890 2160   DetectCureTDL3: IrpHandler (9) addr: F764E366
          15:49:56:890 2160   DetectCureTDL3: IrpHandler (10) addr: 804F9709
          15:49:56:890 2160   DetectCureTDL3: IrpHandler (11) addr: 804F9709
          15:49:56:890 2160   DetectCureTDL3: IrpHandler (12) addr: 804F9709
          15:49:56:890 2160   DetectCureTDL3: IrpHandler (13) addr: 804F9709
          15:49:56:890 2160   DetectCureTDL3: IrpHandler (14) addr: F764E44D
          15:49:56:890 2160   DetectCureTDL3: IrpHandler (15) addr: F7651FC3
          15:49:56:890 2160   DetectCureTDL3: IrpHandler (16) addr: F764E366
          15:49:56:890 2160   DetectCureTDL3: IrpHandler (17) addr: 804F9709
          15:49:56:890 2160   DetectCureTDL3: IrpHandler (18) addr: 804F9709
          15:49:56:890 2160   DetectCureTDL3: IrpHandler (19) addr: 804F9709
          15:49:56:890 2160   DetectCureTDL3: IrpHandler (20) addr: 804F9709
          15:49:56:890 2160   DetectCureTDL3: IrpHandler (21) addr: 804F9709
          15:49:56:890 2160   DetectCureTDL3: IrpHandler (22) addr: F764FEF3
          15:49:56:890 2160   DetectCureTDL3: IrpHandler (23) addr: F7654A24
          15:49:56:890 2160   DetectCureTDL3: IrpHandler (24) addr: 804F9709
          15:49:56:890 2160   DetectCureTDL3: IrpHandler (25) addr: 804F9709
          15:49:56:890 2160   DetectCureTDL3: IrpHandler (26) addr: 804F9709
          15:49:56:890 2160   TDL3_FileDetect: Processing driver: Disk
          15:49:56:890 2160   TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
          15:49:56:890 2160   KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
          15:49:56:890 2160   TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
          15:49:56:890 2160   
          15:49:56:890 2160   DetectCureTDL3: DEVICE_OBJECT: 8633FC68
          15:49:56:890 2160   KLMD_GetLowerDeviceObject: Trying to get lower device object for 8633FC68
          15:49:56:890 2160   KLMD_ReadMem: Trying to ReadMemory 0x8633FC68[0x38]
          15:49:56:890 2160   DetectCureTDL3: DRIVER_OBJECT: 8638D920
          15:49:56:890 2160   KLMD_ReadMem: Trying to ReadMemory 0x8638D920[0xA8]
          15:49:56:890 2160   KLMD_ReadMem: Trying to ReadMemory 0xE15BFB58[0x18]
          15:49:56:890 2160   DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
          15:49:56:890 2160   DetectCureTDL3: IrpHandler (0) addr: F7653C30
          15:49:56:890 2160   DetectCureTDL3: IrpHandler (1) addr: 804F9709
          15:49:56:890 2160   DetectCureTDL3: IrpHandler (2) addr: F7653C30
          15:49:56:890 2160   DetectCureTDL3: IrpHandler (3) addr: F764DD9B
          15:49:56:890 2160   DetectCureTDL3: IrpHandler (4) addr: F764DD9B
          15:49:56:890 2160   DetectCureTDL3: IrpHandler (5) addr: 804F9709
          15:49:56:890 2160   DetectCureTDL3: IrpHandler (6) addr: 804F9709
          15:49:56:890 2160   DetectCureTDL3: IrpHandler (7) addr: 804F9709
          15:49:56:890 2160   DetectCureTDL3: IrpHandler (8) addr: 804F9709
          15:49:56:890 2160   DetectCureTDL3: IrpHandler (9) addr: F764E366
          15:49:56:890 2160   DetectCureTDL3: IrpHandler (10) addr: 804F9709
          15:49:56:890 2160   DetectCureTDL3: IrpHandler (11) addr: 804F9709
          15:49:56:890 2160   DetectCureTDL3: IrpHandler (12) addr: 804F9709
          15:49:56:890 2160   DetectCureTDL3: IrpHandler (13) addr: 804F9709
          15:49:56:890 2160   DetectCureTDL3: IrpHandler (14) addr: F764E44D
          15:49:56:890 2160   DetectCureTDL3: IrpHandler (15) addr: F7651FC3
          15:49:56:890 2160   DetectCureTDL3: IrpHandler (16) addr: F764E366
          15:49:56:890 2160   DetectCureTDL3: IrpHandler (17) addr: 804F9709
          15:49:56:890 2160   DetectCureTDL3: IrpHandler (18) addr: 804F9709
          15:49:56:890 2160   DetectCureTDL3: IrpHandler (19) addr: 804F9709
          15:49:56:890 2160   DetectCureTDL3: IrpHandler (20) addr: 804F9709
          15:49:56:890 2160   DetectCureTDL3: IrpHandler (21) addr: 804F9709
          15:49:56:890 2160   DetectCureTDL3: IrpHandler (22) addr: F764FEF3
          15:49:56:890 2160   DetectCureTDL3: IrpHandler (23) addr: F7654A24
          15:49:56:890 2160   DetectCureTDL3: IrpHandler (24) addr: 804F9709
          15:49:56:890 2160   DetectCureTDL3: IrpHandler (25) addr: 804F9709
          15:49:56:890 2160   DetectCureTDL3: IrpHandler (26) addr: 804F9709
          15:49:56:890 2160   TDL3_FileDetect: Processing driver: Disk
          15:49:56:890 2160   TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
          15:49:56:890 2160   KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
          15:49:56:906 2160   TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
          15:49:56:906 2160   
          15:49:56:906 2160   DetectCureTDL3: DEVICE_OBJECT: 863A6AB8
          15:49:56:906 2160   KLMD_GetLowerDeviceObject: Trying to get lower device object for 863A6AB8
          15:49:56:906 2160   DetectCureTDL3: DEVICE_OBJECT: 863E1908
          15:49:56:906 2160   KLMD_GetLowerDeviceObject: Trying to get lower device object for 863E1908
          15:49:56:906 2160   KLMD_ReadMem: Trying to ReadMemory 0x863E1908[0x38]
          15:49:56:906 2160   DetectCureTDL3: DRIVER_OBJECT: 863489C8
          15:49:56:906 2160   KLMD_ReadMem: Trying to ReadMemory 0x863489C8[0xA8]
          15:49:56:906 2160   KLMD_ReadMem: Trying to ReadMemory 0xE1017B28[0x1A]
          15:49:56:906 2160   DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
          15:49:56:906 2160   DetectCureTDL3: IrpHandler (0) addr: F755A572
          15:49:56:906 2160   DetectCureTDL3: IrpHandler (1) addr: 804F9709
          15:49:56:906 2160   DetectCureTDL3: IrpHandler (2) addr: F755A572
          15:49:56:906 2160   DetectCureTDL3: IrpHandler (3) addr: 804F9709
          15:49:56:906 2160   DetectCureTDL3: IrpHandler (4) addr: 804F9709
          15:49:56:906 2160   DetectCureTDL3: IrpHandler (5) addr: 804F9709
          15:49:56:906 2160   DetectCureTDL3: IrpHandler (6) addr: 804F9709
          15:49:56:906 2160   DetectCureTDL3: IrpHandler (7) addr: 804F9709
          15:49:56:906 2160   DetectCureTDL3: IrpHandler (8) addr: 804F9709
          15:49:56:906 2160   DetectCureTDL3: IrpHandler (9) addr: 804F9709
          15:49:56:906 2160   DetectCureTDL3: IrpHandler (10) addr: 804F9709
          15:49:56:906 2160   DetectCureTDL3: IrpHandler (11) addr: 804F9709
          15:49:56:906 2160   DetectCureTDL3: IrpHandler (12) addr: 804F9709
          15:49:56:906 2160   DetectCureTDL3: IrpHandler (13) addr: 804F9709
          15:49:56:906 2160   DetectCureTDL3: IrpHandler (14) addr: F755A592
          15:49:56:906 2160   DetectCureTDL3: IrpHandler (15) addr: F75567B4
          15:49:56:906 2160   DetectCureTDL3: IrpHandler (16) addr: 804F9709
          15:49:56:906 2160   DetectCureTDL3: IrpHandler (17) addr: 804F9709
          15:49:56:906 2160   DetectCureTDL3: IrpHandler (18) addr: 804F9709
          15:49:56:906 2160   DetectCureTDL3: IrpHandler (19) addr: 804F9709
          15:49:56:906 2160   DetectCureTDL3: IrpHandler (20) addr: 804F9709
          15:49:56:906 2160   DetectCureTDL3: IrpHandler (21) addr: 804F9709
          15:49:56:906 2160   DetectCureTDL3: IrpHandler (22) addr: F755A5BC
          15:49:56:906 2160   DetectCureTDL3: IrpHandler (23) addr: F7561164
          15:49:56:906 2160   DetectCureTDL3: IrpHandler (24) addr: 804F9709
          15:49:56:906 2160   DetectCureTDL3: IrpHandler (25) addr: 804F9709
          15:49:56:906 2160   DetectCureTDL3: IrpHandler (26) addr: 804F9709
          15:49:56:906 2160   KLMD_ReadMem: Trying to ReadMemory 0xF75577C6[0x400]
          15:49:56:906 2160   TDL3_StartIoHookDetect: CheckParameters: 0, 00000000, 0
          15:49:56:906 2160   TDL3_FileDetect: Processing driver: atapi
          15:49:56:906 2160   TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys
          15:49:56:906 2160   KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\atapi.sys
          15:49:56:921 2160   TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: Clean
          15:49:56:921 2160   
          15:49:56:921 2160   Completed
          15:49:56:921 2160   
          15:49:56:921 2160   Results:
          15:49:56:921 2160   Memory objects infected / cured / cured on reboot:   0 / 0 / 0
          15:49:56:921 2160   Registry objects infected / cured / cured on reboot:   0 / 0 / 0
          15:49:56:921 2160   File objects infected / cured / cured on reboot:   0 / 0 / 0
          15:49:56:921 2160   
          15:49:56:921 2160   MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
          15:49:56:921 2160   UtilityDeinit: KLMD(ARK) unloaded successfully

          As always, I appreciate any help you can give me. 

          evilfantasy

          • Malware Removal Specialist
          • Moderator


          • Genius
          • Calm like a bomb
          • Thanked: 493
          • Experience: Experienced
          • OS: Windows 11
          Re: Badly infected computer
          « Reply #7 on: February 02, 2010, 05:20:49 PM »
          Well that did help some.

          Try this. Use the flash drive to transfer it if necessary. Be sure to rename it before running it.

          Download ComboFix from one of the below links. You must rename it before saving it!

          Important! You MUST save ComboFix to your desktop.

          Link #1
          Link #2

          Rename ComboFix to Combo-Fix before saving it to the desktop.

          Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

          Double click on Combo-Fix.exe & follow the prompts.

          Vista users: right-click on Combo-Fix.exe and select Run as administrator (you will receive a UAC prompt; please allow it).

          Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

          When the scan completes it will open a text window.
           
          Post the contents of that log in your next reply.

          Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

          nottheoneyouknow

            Re: Badly infected computer
            « Reply #8 on: February 03, 2010, 06:19:44 PM »
            OK, after a lot of head scratching I finally got the computer into safe mode.  The problem was it had a video card - I had it hooked up to the motherboard graphics.  I've never seen this before, but during boot, the add on card ran the graphics, and once Windows booted normally, it switched to the motherboard graphics.  So when I tried to go into Safe Mode, the computer would appear to freeze - nothing on the display, and hard drive activity would stop after a few seconds.  I had to switch everything over to the motherboard graphics to be able to see everything, but I can deal with that.

            Anyway, Safe Mode allowed me to run exeHelper, SD's first suggestion.  That cleared up the Security Tool infection.  A couple runs of Mbam, some time with HJT and your settings tool, and some OS repair later, I apparently have a clean computer.

            Latest Mbam log:
            Malwarebytes' Anti-Malware 1.44
            Database version: 3685
            Windows 5.1.2600 Service Pack 2
            Internet Explorer 6.0.2900.2180

            2/3/2010 6:42:28 PM
            mbam-log-2010-02-03 (18-42-28).txt

            Scan type: Quick Scan
            Objects scanned: 178594
            Time elapsed: 14 minute(s), 2 second(s)

            Memory Processes Infected: 0
            Memory Modules Infected: 0
            Registry Keys Infected: 0
            Registry Values Infected: 0
            Registry Data Items Infected: 0
            Folders Infected: 0
            Files Infected: 0

            Memory Processes Infected:
            (No malicious items detected)

            Memory Modules Infected:
            (No malicious items detected)

            Registry Keys Infected:
            (No malicious items detected)

            Registry Values Infected:
            (No malicious items detected)

            Registry Data Items Infected:
            (No malicious items detected)

            Folders Infected:
            (No malicious items detected)

            Files Infected:
            (No malicious items detected)

            Latest HJT: 
            Logfile of Trend Micro HijackThis v2.0.2
            Scan saved at 6:44:58 PM, on 2/3/2010
            Platform: Windows XP SP2 (WinNT 5.01.2600)
            MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
            Boot mode: Normal

            Running processes:
            C:\WINDOWS\System32\smss.exe
            C:\WINDOWS\system32\winlogon.exe
            C:\WINDOWS\system32\services.exe
            C:\WINDOWS\system32\lsass.exe
            C:\WINDOWS\system32\svchost.exe
            C:\WINDOWS\System32\svchost.exe
            C:\WINDOWS\system32\ZoneLabs\vsmon.exe
            C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
            C:\WINDOWS\system32\spoolsv.exe
            C:\WINDOWS\system32\svchost.exe
            C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
            C:\WINDOWS\Explorer.EXE
            C:\Program Files\Analog Devices\Core\smax4pnp.exe
            C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
            C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
            C:\WINDOWS\system32\hkcmd.exe
            C:\WINDOWS\system32\igfxpers.exe
            C:\WINDOWS\system32\wuauclt.exe
            C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
            C:\Program Files\AVG\AVG9\avgwdsvc.exe
            C:\Program Files\AVG\AVG9\avgnsx.exe
            C:\Program Files\AVG\AVG9\avgchsvx.exe
            C:\Program Files\AVG\AVG9\avgrsx.exe
            C:\Program Files\AVG\AVG9\avgcsrvx.exe
            C:\Program Files\AVG\AVG9\avgtray.exe
            C:\WINDOWS\system32\NOTEPAD.EXE
            C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

            O1 - Hosts: ::1 localhost
            O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
            O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
            O2 - BHO: ZoneAlarm Toolbar Registrar - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
            O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
            O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
            O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
            O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
            O3 - Toolbar: ZoneAlarm Toolbar - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
            O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
            O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
            O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
            O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
            O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
            O4 - HKLM\..\Run: [ISW] "C:\Program Files\CheckPoint\ZAForceField\ForceField.exe" /icon="hidden"
            O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
            O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
            O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
            O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
            O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
            O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
            O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
            O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
            O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
            O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
            O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
            O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
            O16 - DPF: {03A89EFD-E023-8600-A22D-45F77558EB4C} (ILINCInstall86 Class) - https://content.ilinc.com/clientdownload/download/ilinci86.dll
            O16 - DPF: {03CC02A3-6098-4D0E-89D9-71041E7F5F86} (WTPClient Class) - https://secure2.positivenetworks.net/webtop/OCX/56.5/WTP.cab
            O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
            O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/files/win/djvuplugin/en_US/DjVuControl_en_US.cab
            O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/00/alttiff.cab
            O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
            O16 - DPF: {29385CF1-A8CF-420E-BD90-E0E04D84541A} (GetInfo.ctlGetInfo) - http://twister.nationstitle.com/cabs/GetInfo.CAB
            O16 - DPF: {2D752DD2-5BDD-4ADA-900A-F916E5B13BA6} (CompositeView Control) - http://www.harrisoncounty-ms.gov/pro/landrecords/Client/IrcViewer.cab
            O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
            O16 - DPF: {39222BC2-A728-4899-B570-7ADF4FA8289A} (Searcher.ocxSearcher) - http://searcher.apticonline.com/Searcher.CAB
            O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
            O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
            O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1137626604506
            O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.38.38/ttinst.cab
            O16 - DPF: {D0B04920-41E0-4EBD-8832-F7AF7B4E90B5} (prjImgViewerWeb.ImgViewerWeb) - http://ccpv.westchesterclerk.com/ImgViewerWeb.cab
            O16 - DPF: {EAC4DA12-B6EA-4A51-B455-1B506043C718} (DTViewer) - http://www.docedge.com/dtviewer.cab
            O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
            O20 - AppInit_DLLs: nosobora.dll
            O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
            O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
            O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
            O23 - Service: ZoneAlarm Toolbar IswSvc (IswSvc) - Check Point Software Technologies - C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
            O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

            --
            End of file - 7187 bytes

            I haven't installed WOT yet, but plan to do that in a few minutes.  Guess I'll update MSIE too.  Let me know if there is anything else I should do.

            Thanks!

            evilfantasy

            Re: Badly infected computer
            « Reply #9 on: February 03, 2010, 06:35:00 PM »
            Open HijackThis and select Do a system scan only

            Place a check mark next to the following entries: (if there)

            O20 - AppInit_DLLs: nosobora.dll

            Important: Close all open windows except for HijackThis and then click Fix checked.

            Once completed, exit HijackThis.

            ----------

            Can you get one of the online scans to run now and post the log?
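
A defender-side triage of HijackThis lines like the O20 entry above, as an added example that is not part of this thread or of HijackThis itself; the sample log lines are constructed in the thread's log format, and the rule set (non-empty AppInit_DLLs, unrecognised Winsock LSP, Run entry under a user-writable path) is an assumed one, not HijackThis's own logic:

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample lines in the HijackThis log format used in this thread
# (the O20 AppInit_DLLs line is the one the reply above asks to fix).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\user\Local Settings\Temp\svchost.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O20 - AppInit_DLLs: nosobora.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
"""

@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O20"
    severity: str  # "high" = rarely legitimate, "review" = needs a human look
    detail: str

LINE_RE = re.compile(r"^(O\d+) - (.+)$")
# Registry Run entries look like: HKLM\..\Run: [Name] command line
RUN_RE = re.compile(r"^HK\w+\\\.\.\\\w+: \[(.*?)\] (.*)$")
# Path fragments a non-admin user can write to on XP (assumed list);
# an autostart living there deserves a finding.
USER_WRITABLE = ("\\temp\\", "\\local settings\\", "\\application data\\")

def triage(log_text: str) -> List[Finding]:
    """Flag HijackThis sections that commonly carry malware persistence."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        if section == "O20" and body.startswith("AppInit_DLLs:"):
            # Every DLL named here is loaded into each process that maps user32.dll,
            # so any non-empty value is a finding; a bare file name also has no path.
            for dll in filter(None, re.split(r"[ ,]+", body.split(":", 1)[1])):
                findings.append(Finding(section, "high",
                    f"AppInit_DLLs loads {dll} into every user32-linked process"))
        elif section == "O10" and body.startswith("Unknown file in Winsock LSP:"):
            # HijackThis could not whitelist this LSP; it may still be legitimate.
            path = body.split(":", 1)[1].strip()
            findings.append(Finding(section, "review", f"unrecognised Winsock LSP {path}"))
        elif section == "O4":
            rm = RUN_RE.match(body)
            if rm and any(frag in rm.group(2).lower() for frag in USER_WRITABLE):
                findings.append(Finding(section, "high",
                    f"Run entry [{rm.group(1)}] starts from a user-writable path: {rm.group(2)}"))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.severity:6} {f.section:4} {f.detail}")
```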

            nottheoneyouknow

              Re: Badly infected computer
              « Reply #10 on: February 03, 2010, 11:42:18 PM »
              I ran 3 different online scans.  ESET reported no infections.  BitDefender reported Trojan.Shock.D on c:\\Windows\CSC\d3\80000D4A=>[attachment], that it deleted the file, that an update failed and that the computer is still infected. Oddly, when I continued and sent a report to BitDefender, it stated that 1 threat was eliminated, and that no viruses were found on my computer.  Housecall reported No Threats Found.

              evilfantasy

              Re: Badly infected computer
              « Reply #11 on: February 04, 2010, 12:04:51 AM »
              Sounds like we got everything.

              Download OTC by OldTimer and save it to your desktop.

              1. Double-click OTC to run it.
              2. Click the CleanUp! button.
              3. Select Yes when the "Begin cleanup Process?" prompt appears.
              4. If you are prompted to Reboot during the cleanup, select Yes
              5. OTC should delete itself once it finishes, if not delete it yourself.

              ----------

              Use the Secunia Software Inspector to check for out of date software.
              • Click Start Now
              • Check the box next to Enable thorough system inspection.
              • Click Start
              • Allow the scan to finish and scroll down to see if any updates are needed.
              • Update anything listed.
              ----------

              Go to Microsoft Windows Update and get all critical updates.

              ----------

              If you are using or have installed IE6 you are using an outdated and soon to be unsupported version of Internet Explorer and I strongly suggest you update to the latest version directly from Microsoft Internet Explorer 8: Home page.

              ----------

              I recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real-time protection so will not interfere with each other. They do not use any significant amount of resources (except a little disk space) until you run a scan.

              I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

              SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
              * Using SpywareBlaster to protect your computer from Spyware and Malware
              * If you don't know what ActiveX controls are, see here

              Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ

              Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

              Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smoothly.