Thread: Pls help!!! Trojan horse Rootkit-Agent.EF!!!

  1. #1
    Junior Member | Join Date: Feb 2008 | Location: Malaysia | Posts: 11


    Hello,

    My AVG recently found a Trojan horse Rootkit-Agent.EF in my D:\WINDOWS\system32\drivers\atapi.sys. Please help me to remove this trojan, as AVG was unable to remove it properly. It will just reappear the next time I turn on my PC.

    Below is my HJT log. Thank you.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:20:25 PM, on 2/21/2010
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.21020)
    Boot mode: Normal

    Running processes:
    D:\WINDOWS\System32\smss.exe
    D:\WINDOWS\system32\winlogon.exe
    D:\WINDOWS\system32\services.exe
    D:\WINDOWS\system32\lsass.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\system32\spoolsv.exe
    D:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    D:\WINDOWS\Explorer.EXE
    D:\Program Files\Java\jre6\bin\jqs.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\system32\svchost.exe
    D:\PROGRA~1\AVG\AVG8\avgemc.exe
    D:\PROGRA~1\AVG\AVG8\avgrsx.exe
    D:\PROGRA~1\AVG\AVG8\avgnsx.exe
    D:\WINDOWS\system32\igfxtray.exe
    D:\WINDOWS\system32\hkcmd.exe
    D:\WINDOWS\system32\igfxpers.exe
    D:\WINDOWS\RTHDCPL.EXE
    D:\PROGRA~1\AVG\AVG8\avgtray.exe
    D:\WINDOWS\system32\igfxsrvc.exe
    D:\WINDOWS\system32\rundll32.exe
    D:\Program Files\Java\jre6\bin\jusched.exe
    D:\Program Files\Windows Live\Messenger\msnmsgr.exe
    D:\Program Files\AVG\AVG8\avgcsrvx.exe
    D:\Program Files\DAEMON Tools Lite\DTLite.exe
    D:\WINDOWS\system32\ctfmon.exe
    D:\DOCUME~1\User\LOCALS~1\Temp\RtkBtMnt.exe
    D:\WINDOWS\System32\svchost.exe
    D:\Program Files\Windows Live\Contacts\wlcomm.exe
    D:\WINDOWS\system32\wscntfy.exe
    D:\Program Files\AVG\AVG8\avgcsrvx.exe
    D:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    D:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    D:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - D:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - D:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [IgfxTray] D:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] D:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] D:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [AzMixerSel] D:\Program Files\Realtek\InstallShield\AzMixerSel.exe
    O4 - HKLM\..\Run: [AVG8_TRAY] D:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "D:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [DAEMON Tools Lite] "D:\Program Files\DAEMON Tools Lite\DTLite.exe" -autorun
    O4 - HKCU\..\Run: [Google Update] "D:\Documents and Settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
    O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
    O8 - Extra context menu item: &D&ownload &with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddLink.htm
    O8 - Extra context menu item: &D&ownload all video with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddVideo.htm
    O8 - Extra context menu item: &D&ownload all with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
    O9 - Extra button: (no name) - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - D:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - D:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - D:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsof...?1236088508911
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1236088423849
    O17 - HKLM\System\CCS\Services\Tcpip\..\{17DCFA97-0F62-455C-B29D-F109138B8947}: NameServer = 208.67.220.220
    O17 - HKLM\System\CS1\Services\Tcpip\..\{17DCFA97-0F62-455C-B29D-F109138B8947}: NameServer = 208.67.220.220
    O17 - HKLM\System\CS2\Services\Tcpip\..\{17DCFA97-0F62-455C-B29D-F109138B8947}: NameServer = 208.67.220.220
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - D:\Program Files\AVG\AVG8\avgpp.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - D:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - Winlogon Notify: avgrsstarter - D:\WINDOWS\SYSTEM32\avgrsstx.dll
    O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - D:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - D:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: ServiceLayer - Nokia. - D:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: SolidWorks Licensing Service - SolidWorks - D:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe

    --
    End of file - 7999 bytes

  2. #2
    Blade81, Security Expert: Emeritus | Join Date: Oct 2006 | Location: Finland | Posts: 25,288


    Hi,

    Download DDS and save it to your desktop from here or here or here.
    Disable any script blocker, and then double click dds.scr to run the tool.
    • When done, DDS will open two (2) logs:
      1. DDS.txt
      2. Attach.txt
    • Save both reports to your desktop. Post them back to your topic.
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  3. #3
    Junior Member


    Thank you for the reply. Here's the DDS log.


    DDS (Ver_09-09-29.01) - NTFSx86
    Run by User at 10:10:07.42 on Fri 02/26/2010
    Internet Explorer: 7.0.5730.11
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.419 [GMT 8:00]


    ============== Running Processes ===============

    D:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    D:\WINDOWS\System32\svchost.exe -k netsvcs
    D:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
    svchost.exe
    svchost.exe
    D:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    D:\WINDOWS\Explorer.EXE
    D:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    svchost.exe
    D:\Program Files\Java\jre6\bin\jqs.exe
    D:\WINDOWS\System32\svchost.exe -k HPZ12
    D:\WINDOWS\System32\svchost.exe -k HPZ12
    D:\WINDOWS\system32\svchost.exe -k imgsvc
    D:\PROGRA~1\AVG\AVG8\avgemc.exe
    D:\PROGRA~1\AVG\AVG8\avgrsx.exe
    D:\WINDOWS\system32\igfxtray.exe
    D:\WINDOWS\system32\igfxpers.exe
    D:\WINDOWS\RTHDCPL.EXE
    D:\PROGRA~1\AVG\AVG8\avgtray.exe
    D:\WINDOWS\system32\rundll32.exe
    D:\WINDOWS\system32\igfxsrvc.exe
    D:\Program Files\Java\jre6\bin\jusched.exe
    D:\Program Files\Windows Live\Messenger\msnmsgr.exe
    D:\WINDOWS\system32\ctfmon.exe
    D:\Program Files\AVG\AVG8\avgcsrvx.exe
    D:\DOCUME~1\User\LOCALS~1\Temp\RtkBtMnt.exe
    D:\WINDOWS\System32\svchost.exe -k HTTPFilter
    D:\Program Files\Windows Live\Contacts\wlcomm.exe
    D:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    D:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    D:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    D:\PROGRA~1\AVG\AVG8\avgnsx.exe
    D:\Documents and Settings\User\Desktop\dds.com

    ============== Pseudo HJT Report ===============

    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - d:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - d:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - d:\program files\avg\avg8\avgssie.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - d:\progra~1\spybot~1\SDHelper.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - d:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - d:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - d:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: {32099AAC-C132-4136-9E9A-4E364A424E17} - No File
    uRun: [MsnMsgr] "d:\program files\windows live\messenger\msnmsgr.exe" /background
    uRun: [Google Update] "d:\documents and settings\user\local settings\application data\google\update\GoogleUpdate.exe" /c
    uRun: [ctfmon.exe] d:\windows\system32\ctfmon.exe
    mRun: [IgfxTray] d:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] d:\windows\system32\hkcmd.exe
    mRun: [Persistence] d:\windows\system32\igfxpers.exe
    mRun: [RTHDCPL] RTHDCPL.EXE
    mRun: [AzMixerSel] d:\program files\realtek\installshield\AzMixerSel.exe
    mRun: [AVG8_TRAY] d:\progra~1\avg\avg8\avgtray.exe
    mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    mRun: [SunJavaUpdateSched] "d:\program files\java\jre6\bin\jusched.exe"
    mRun: [Adobe Reader Speed Launcher] "d:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "d:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    dRunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32
    IE: &D&ownload &with BitComet - d:\program files\bitcomet\BitComet.exe/AddLink.htm
    IE: &D&ownload all video with BitComet - d:\program files\bitcomet\BitComet.exe/AddVideo.htm
    IE: &D&ownload all with BitComet - d:\program files\bitcomet\BitComet.exe/AddAllLink.htm
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - d:\program files\messenger\msmsgs.exe
    IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - d:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
    IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - d:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - d:\progra~1\spybot~1\SDHelper.dll
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1236088508911
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1236088423849
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    TCP: {17DCFA97-0F62-455C-B29D-F109138B8947} = 208.67.220.220
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - d:\program files\avg\avg8\avgpp.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - d:\progra~1\common~1\skype\SKYPE4~1.DLL
    Notify: avgrsstarter - avgrsstx.dll
    Notify: igfxcui - igfxdev.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - d:\windows\system32\wpdshserviceobj.dll

    ============= SERVICES / DRIVERS ===============

    R1 AvgLdx86;AVG Free AVI Loader Driver x86;d:\windows\system32\drivers\avgldx86.sys [2009-3-15 335240]
    R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;d:\windows\system32\drivers\avgmfx86.sys [2009-3-15 27784]
    R1 AvgTdiX;AVG Free8 Network Redirector;d:\windows\system32\drivers\avgtdix.sys [2009-3-15 108552]
    R2 avg8emc;AVG Free8 E-mail Scanner;d:\progra~1\avg\avg8\avgemc.exe [2009-3-15 908056]
    R2 avg8wd;AVG Free8 WatchDog;d:\progra~1\avg\avg8\avgwdsvc.exe [2009-3-15 297752]
    S3 GarenaPEngine;GarenaPEngine;\??\d:\docume~1\user\locals~1\temp\eqe4b.tmp --> d:\docume~1\user\locals~1\temp\EQE4B.tmp [?]

    =============== Created Last 30 ================

    2010-02-23 13:37 <DIR> --d-h--- D:\erData
    2010-02-23 13:36 <DIR> --dsh--- D:\$RECYCLE.BIN
    2010-02-08 20:27 <DIR> --d----- d:\windows\system32\appmgmt
    2010-02-08 12:53 <DIR> --d----- d:\windows\Performance
    2010-02-05 10:14 161,792 a------- d:\windows\system32\CNMLM84.DLL
    2010-02-03 10:39 <DIR> --d----- d:\docume~1\user\applic~1\PrimoPDF
    2010-02-03 10:33 176,235 a------- d:\windows\system32\Primomonnt.dll

    ==================== Find3M ====================

    2009-12-11 18:17 411,368 a------- d:\windows\system32\deploytk.dll
    2009-03-04 23:47 32,768 ac-sh--- d:\windows\system32\config\systemprofile\local settings\history\history.ie5\index.dat
    2009-03-03 21:31 32,768 ac-sh--- d:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009030320090304\index.dat
    2009-03-04 23:47 32,768 ac-sh--- d:\windows\system32\config\systemprofile\local settings\temporary internet files\content.ie5\index.dat

    ============= FINISH: 10:10:41.00 ===============

  4. #4
    Blade81, Security Expert: Emeritus


    IMPORTANT I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

    BitComet


    I'd like you to read this thread.

    Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).


    After that:

    Please download DeFogger to your desktop.

    Double click DeFogger to run the tool.
    • The application window will appear
    • Click the Disable button to disable your CD Emulation drivers.
    • Click Yes to continue
    • A 'Finished!' message will appear
    • Click OK
    • DeFogger will now ask to reboot the machine - click OK

    IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

    Do not re-enable these drivers until otherwise instructed.


    Please visit this webpage for download links, and instructions for running ComboFix tool:

    http://www.bleepingcomputer.com/comb...o-use-combofix

    Please ensure you read this guide carefully first.

    Please continue as follows:

    1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link
      Remember to re-enable them afterwards.

    2. Click Yes to allow ComboFix to continue scanning for malware.


    When the tool is finished, it will produce a report for you.

    Please include the following reports for further review, and so we may continue cleansing the system:

    C:\ComboFix.txt
    New dds log.


    A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.
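
Added example, not part of the thread and not the helper's own tooling: a small parser for the HijackThis log layout posted in #1 that reports which log sections mention the software categories post #4 acts on (P2P clients and CD emulation). The watchlist names and the sample lines are assumptions constructed from this thread only.

```python
import re

# HijackThis entries look like "O4 - HKLM\..\Run: [Name] path":
# a section code (R0, O2, O23, ...), " - ", then the detail text.
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")

# Hypothetical watchlist limited to what this thread names: BitComet (P2P)
# and DAEMON Tools (CD emulation, the driver type DeFogger disables).
WATCHLIST = {
    "p2p": ["bitcomet"],
    "cd-emulation": ["daemon tools"],
}

# Constructed sample in the shape of the log from post #1.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
D:\WINDOWS\system32\svchost.exe
D:\Program Files\DAEMON Tools Lite\DTLite.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKCU\..\Run: [DAEMON Tools Lite] "D:\Program Files\DAEMON Tools Lite\DTLite.exe" -autorun
O8 - Extra context menu item: &D&ownload &with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddLink.htm
O23 - Service: ServiceLayer - Nokia. - D:\Program Files\PC Connectivity Solution\ServiceLayer.exe
--
End of file - 7999 bytes
"""


def parse_hjt(text):
    """Split a HijackThis log into running processes and (code, detail) entries."""
    processes, entries = [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower() == "running processes:":
            in_processes = True
            continue
        match = ENTRY_RE.match(line)
        if match:
            in_processes = False  # the first coded entry ends the process list
            entries.append((match.group(1), match.group(2)))
        elif in_processes and line:
            processes.append(line)
    return {"processes": processes, "entries": entries}


def triage(parsed):
    """Map (category, product) to the log sections where the product shows up."""
    findings = {}
    rows = [("process", p) for p in parsed["processes"]] + parsed["entries"]
    for source, detail in rows:
        lowered = detail.lower()
        for category, names in WATCHLIST.items():
            for name in names:
                if name in lowered:
                    findings.setdefault((category, name), []).append(source)
    return findings


if __name__ == "__main__":
    for (category, name), sources in triage(parse_hjt(SAMPLE_LOG)).items():
        print(f"{category}: {name} seen in {', '.join(sources)}")
```
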
