[Active] Trojan WAR

**mskmsk** · 07-07-2009

Hi Team,

The error: C:Windows\System32\nmdfgds0.dll is shown very frequently. Hence I have installed a-squared Free setup- ver: 4.5.0.0 and updated it. When scanned my PC, found the following high risk files:

1) Trojan-Banker.Win32.Banker!IK
2) Trojan-Downloader.Win32.Frethog!IK
3) Win32.SuspectCrc!IK

Hence deleted the above files immediately through the interface. Now, when scanned again,
2) Trojan-Downloader.Win32.Frethog!IK is again found . Also I am unable to open my drives by double click.

System Config: Pentium Dual Core 2.80 GHz / Win XP-SP2 / 512MB Ram

Please help me.

**broni** · 07-07-2009

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

Please, never rename Combofix unless instructed.
Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
- Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
- Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
- Close any open browsers.
- WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
- Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
- If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Make sure, you re-enable your security programs, when you're done with Combofix.

**mskmsk** · 08-07-2009

How can I deactivate a-squared Free ver: 4.5.0.0

**broni** · 08-07-2009

It shouldn't be running in real mode. Don't worry about it.

**mskmsk** · 08-07-2009

Hi broni,

As per your instructions, please find the following :

ComboFix 09-07-08.01 - Satish 07/08/2009 23:05.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.446.183 [GMT -7:00]
Running from: c:\documents and settings\Satish\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090708-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
D:\Autorun.inf
E:\Autorun.inf
F:\autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_AVPsys

((((((((((((((((((((((((( Files Created from 2009-06-09 to 2009-07-09 )))))))))))))))))))))))))))))))
.

2009-07-07 22:37 . 2009-07-08 15:22 -------- d-----w- c:\program files\a-squared Free
2009-07-07 21:28 . 2009-07-08 15:33 -------- d-----w- C:\Spyware Cleaner 2009
2009-07-07 20:50 . 2009-07-09 05:59 95744 ----a-w- c:\documents and settings\All Users\Application Data\SpeedBit\DAP\Updates\Condition.dll
2009-07-06 16:00 . 2009-07-06 16:00 -------- d-----w- c:\program files\ArzooSoft Solutions
2009-07-05 19:29 . 2009-07-05 19:29 12328 ----a-w- c:\documents and settings\Satish\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-02 22:19 . 2009-07-02 22:19 -------- d-----w- c:\windows\OPTIONS
2009-07-02 22:17 . 2009-07-09 06:09 -------- d-----w- c:\windows\system32\Lang
2009-07-02 22:13 . 2006-01-04 11:27 86016 ------r- c:\windows\SoundMan.exe
2009-07-02 22:13 . 2005-10-21 13:49 356352 ------r- c:\windows\RtlUpd.exe
2009-07-02 22:13 . 2006-01-06 16:39 9710592 ------r- c:\windows\RTLCPL.exe
2009-07-02 22:13 . 2006-01-13 17:13 4137984 ------r- c:\windows\system32\drivers\RtkHDAud.Sys
2009-07-02 22:13 . 2006-01-11 17:23 15961088 ------r- c:\windows\RTHDCPL.exe
2009-07-02 22:13 . 2006-01-09 14:32 2158592 ------r- c:\windows\MicCal.exe
2009-07-02 22:13 . 2009-07-02 22:13 -------- d-----w- c:\program files\Realtek
2009-07-02 22:13 . 2006-01-04 11:29 2809856 ------r- c:\windows\alcwzrd.exe
2009-07-02 22:13 . 2005-05-03 18:43 69632 ------r- c:\windows\Alcmtr.exe
2009-07-02 22:13 . 2005-04-16 22:20 487424 ------r- c:\windows\RtlExUpd.dll
2009-07-02 22:12 . 2009-07-02 22:12 -------- d-----w- c:\documents and settings\Satish\Local Settings\Application Data\ATI
2009-07-02 22:12 . 2009-07-02 22:12 -------- d-----w- c:\documents and settings\Satish\Application Data\ATI
2009-07-02 22:10 . 2009-07-02 22:10 -------- d-----w- c:\program files\ATI Technologies
2009-07-02 22:07 . 2006-01-26 15:57 520192 ------w- c:\windows\system32\ati2sgag.exe
2009-07-02 22:07 . 2006-01-15 22:04 307200 ----a-r- c:\windows\system32\atiiiexx.dll
2009-07-02 22:07 . 2005-12-08 17:01 112421 ----a-r- c:\windows\system32\atiicdxx.dat
2009-07-02 22:00 . 2009-07-02 22:19 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-02 22:00 . 2009-07-02 22:10 -------- d-----w- c:\program files\Common Files\InstallShield
2009-07-02 22:00 . 2009-07-02 22:00 -------- d-----w- c:\program files\MSXML 4.0

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) ))
.
2009-07-09 06:09 . 2009-07-02 11:04 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-07-06 19:33 . 2009-07-02 21:51 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-07-02 21:52 . 2009-07-02 21:52 -------- d-----w- c:\program files\microsoft frontpage
2009-07-02 21:48 . 2009-07-02 21:48 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-07-02 11:05 . 2009-07-02 11:03 -------- d-----w- c:\program files\DAP
2009-07-02 11:03 . 2009-07-02 11:03 -------- d-----w- c:\documents and settings\All Users\Application Data\SpeedBit
2009-07-02 11:03 . 2009-07-02 11:03 50688 ----a-w- c:\windows\system32\wbhelp2.dll
2009-07-02 10:20 . 2009-07-02 10:20 -------- d-----w- c:\program files\Alwil Software
2009-07-02 10:04 . 2009-07-02 10:04 0 ----a-w- c:\windows\nsreg.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run]
"DownloadAccelerator"="c:\program files\DAP\DAP.EXE" [2009-07-02 3061248]
"USB Threat Defender"="c:\program files\ArzooSoft Solutions\USB Threat Defender\utdefender.exe" [2009-06-22 1215488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 45056]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp. exe" [2009-02-05 81000]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-01-11 15961088]

[HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [7/2/2009 3:20 AM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswF sBlk.sys [7/2/2009 3:20 AM 20560]
.
.
------- Supplementary Scan -------
.
IE: &Clean Traces - c:\program files\DAP\Privacy Package\dapcleanerie.htm
IE: &Download with &DAP - c:\program files\DAP\dapextie.htm
IE: Download &all with DAP - c:\program files\DAP\dapextie2.htm
FF - ProfilePath - c:\documents and settings\Satish\Application Data\Mozilla\Firefox\Profiles\p2xw49rb.default\
FF - component: c:\program files\DAP\DAPFireFox\components\DAPFireFox.dll
.

************************************************** ************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2009-07-08 23:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

************************************************** ************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(536)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\system32\ati2evxx.exe
c:\program files\a-squared Free\a2service.exe
c:\windows\system32\wscntfy.exe
.
************************************************** ************************
.
Completion time: 2009-07-09 23:12 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-09 06:12

Pre-Run: 18,425,548,800 bytes free
Post-Run: 18,413,551,616 bytes free

113

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:16:12 PM, on 7/8/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\DAP\DAP.EXE
C:\Program Files\a-squared Free\a2service.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [DownloadAccelerator] "C:\Program Files\DAP\DAP.EXE" /STARTUP
O4 - HKCU\..\Run: [USB Threat Defender] C:\Program Files\ArzooSoft Solutions\USB Threat Defender\utdefender.exe /b
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

--
End of file - 2973 bytes

Adobe Flash Player 10 Plugin
a-squared Free 4.5
ATI Catalyst Control Center
ATI Display Driver
avast! Antivirus
Download Accelerator Plus (DAP)
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Microsoft .NET Framework 2.0
Mozilla Firefox (3.0.1)
MSXML 4.0 SP2 Parser and SDK
REALTEK Gigabit and Fast Ethernet NIC Driver
Realtek High Definition Audio Driver

**broni** · 09-07-2009

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

Please, re-run Combofix, and this time DO ACCEPT recovery console installation.
You don't have to post new Combofix log, because nothing more malicious was found there.

When done with recovery console installation...

Uninstall Combofix:

Go Start > Run
Type in:
combofix /u
Note the space between the "combofix" and the "/u"
Restart computer.

================================================== ============

Print these instructions out.

NOTE. If any of the programs listed below refuse to run, try renaming executive file to something else; for instance, rename hijackthis.exe to scanner.exe

***VERY IMPORTANT! Make sure, you update Superantispyware, and Malwarebytes before running the scans.***

STEP 1. Download SUPERAntiSpyware Free for Home Users:
SUPERAntiSpyware.com | Remove Malware | Remove Spyware - AntiMalware, AntiSpyware, AntiAdware!

* Double-click SUPERAntiSpyware.exe and use the default settings for installation.
* An icon will be created on your desktop. Double-click that icon to launch the program.
* If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here: SUPERAntiSpyware.com - Database Definition Information.)
* Close SUPERAntiSpyware.

PHYSICALLY DISCONNECT FROM THE INTERNET

Restart computer in Safe Mode.
To enter Safe Mode, restart computer, and keep tapping F8 key, until menu appears; select Safe Mode; you'll see "Safe Mode" in all four corners of your screen

* Open SUPERAntiSpyware.
* Click Scan your Computer... button.
* Click Scanning Preferences/Control Center... button.
* Under General and Startup tab, make sure, Start SUPERAntiSpyware when Windows starts option is UN-checked.
* Click the Scanning Control tab.
* Under Scanner Options make sure the following are checked (leave all others unchecked):
- Close browsers before scanning.
- Terminate memory threats before quarantining.
* Click the Close button to leave the control center screen.
* On the left, make sure you check C:\Fixed Drive.
* On the right, choose Perform Complete Scan.
* Click Next to start the scan. Please be patient while it scans your computer.
* After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click OK.
* Make sure everything has a checkmark next to it and click Next.
* A notification will appear that Quarantine and Removal is Complete. Click OK and then click the Finish button to return to the main menu.
* If asked if you want to reboot, click Yes.
* To retrieve the removal information after reboot, launch SUPERAntispyware again.
- Click Preferences, then click the Statistics/Logs tab.
- Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
- If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
- Please copy and paste the Scan Log results in your next reply.
* Click Close to exit the program.
Post SUPERAntiSpyware log.

RECONNECT TO THE INTERNET

RESTART COMPUTER!

STEP 2. Download Malwarebytes' Anti-Malware: Malwarebytes.org to your desktop.
(Malwarebytes is free to use as a manual scanner. Payment is only required if you wish to have it run and update automatically which is not necessary for our purposes)

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

RESTART COMPUTER!

STEP 4.
Post fresh HijackThis log.
Do NOT attempt to "fix" anything!

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!

**mskmsk** · 11-07-2009

Hi Broni,

Please analyze the following logs:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:16:34 AM, on 7/11/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\DAP\DAP.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [DownloadAccelerator] "C:\Program Files\DAP\DAP.EXE" /STARTUP
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

--
End of file - 2950 bytes

SUPERAntiSpyware Scan Log
SUPERAntiSpyware.com | Remove Malware | Remove Spyware - AntiMalware, AntiSpyware, AntiAdware!

Generated 07/09/2009 at 10:00 PM

Application Version : 4.26.1006

Core Rules Database Version : 3983
Trace Rules Database Version: 1923

Scan type : Complete Scan
Total Scan Time : 03:42:49

Memory items scanned : 203
Memory threats detected : 0
Registry items scanned : 3205
Registry threats detected : 0
File items scanned : 27722
File threats detected : 2

Unclassified.Unknown Origin
F:\NARESH\01 LATEST SW\FLASH PROFESSIONAL CS3\KEYGEN.NFO
F:\NARESH\AUTODESK_MAYA_8.5__(WITH_CRACK__FULL_VER SION)\CRACK\KEYGEN.NFO

Malwarebytes' Anti-Malware 1.38
Database version: 2405
Windows 5.1.2600 Service Pack 2

7/11/2009 9:12:46 AM
mbam-log-2009-07-11 (09-12-46).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|G:\|)
Objects scanned: 105759
Time elapsed: 15 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

**broni** · 11-07-2009

Your computer is clean

1. Download Temp File Cleaner (TFC)
Double click on TFC.exe to run the program.
Click on Start button to begin cleaning process.
TFC will close all running programs, and it may ask you to restart computer.

2. Turn off System Restore:

- Windows XP:
1. Click Start.
2. Right-click the My Computer icon, and then click Properties.
3. Click the System Restore tab.
4. Check "Turn off System Restore".
5. Click Apply.
6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
7. Click OK.
- Windows Vista:
1. Click Start.
2. Right-click the Computer icon, and then click Properties.
3. Click on System Protection under the Tasks column on the left side
4. Click on Continue on the "User Account Control" window that pops up
5. Under the System Protection tab, find Available Disks
6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C:")
7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
8. Click OK

3. Restart computer.

4. Turn System Restore on.

5. Make sure, Windows Updates are current.

6. If any Trojan was listed among your infection(s), make sure, you change all of your on-line important passwords (bank account(s), secured web sites, etc.) immediately!

7. Download, and install WOT (Web OF Trust): Internet Security | WOT Web of Trust. It'll warn you (in most cases) about dangerous web sites.

8. Run defrag at your convenience.

9. Read How did I get infected?, With steps so it does not happen again!: How did I get infected?

10. Let me know, how is your computer doing.

[Active] Trojan WAR

[Active] Trojan WAR

Similar Threads

System Volume Information Trojan

[Active] Adware, Trojan, Spyware Invasion

[Active] DL.exe

[Active] help plz

Trojan.Agent.BI & Trojan.Downloaders.Agent.BQ Etc.