Tech Support Forum banner
Not open for further replies.
1 - 5 of 5 Posts

· Registered
4 Posts
My name is Laura and my 2 year old Toshiba Satellite L455D-S5976 has slowed to a crawl. Two of my four children currently rely on it to do their homework assignments. The other day I got a weird phone call from a man in India who identified himself as a Microsoft tech and told me that my laptop had so many Trojans that it was actually causing problems on their server. He said he wanted to help me get rid of them. He asked me to go into a CMD window and he was instructing me until I saw a line that stated their were more than 7,000 Trojans! I eventually figured out what I suspected all along. He did not actually represent MS but a separate company and for $177 he would clean them off and clean all the PCs in our home. Before this though, I gave him remote access to my laptop and when I realized he wasn't with MS I panicked and unplugged my laptop and disconnected the battery to shut it down as quickly as possible. I wish I knew more and could tell you more but I am not at all tech savvy. Thank you beforehand for your help!
Here are the results of the scans done as per instructed:

GMER 2.0.18454 - GMER - Rootkit Detector and Remover
Rootkit scan 2013-02-11 23:09:41
Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-1 TOSHIBA_MK2555GSXN rev.GC002M 232.89GB
Running: gmer.exe; Driver: C:\Users\Peter\AppData\Local\Temp\kwtdypoc.sys

---- System - GMER 2.0 ----

SSDT 868C1190 ZwAlertResumeThread
SSDT 868AAF50 ZwAlertThread
SSDT 86A603D0 ZwAllocateVirtualMemory
SSDT 85F90B68 ZwAlpcConnectPort
SSDT 86A37BF0 ZwAssignProcessToJobObject
SSDT 86A59230 ZwCreateMutant
SSDT 86A60BF0 ZwCreateSymbolicLinkObject
SSDT 86A5E718 ZwCreateThread
SSDT 86A60CC0 ZwCreateThreadEx
SSDT 86A31048 ZwDebugActiveProcess
SSDT 86A60528 ZwDuplicateObject
SSDT 86A601E8 ZwFreeVirtualMemory
SSDT 868EA758 ZwImpersonateAnonymousToken
SSDT 868EA850 ZwImpersonateThread
SSDT 85F4A478 ZwLoadDriver
SSDT 86A60108 ZwMapViewOfSection
SSDT 860482E0 ZwOpenEvent
SSDT 86A5E600 ZwOpenProcess
SSDT 867F6C00 ZwOpenProcessToken
SSDT 86A2A110 ZwOpenSection
SSDT 86A605F8 ZwOpenThread
SSDT 86A60DA0 ZwProtectVirtualMemory
SSDT 8687D048 ZwResumeThread
SSDT 867F6048 ZwSetContextThread
SSDT 86A59740 ZwSetInformationProcess
SSDT 86A2C118 ZwSetSystemInformation
SSDT 86A176F0 ZwSuspendProcess
SSDT 8685F650 ZwSuspendThread
SSDT 868044B0 ZwTerminateProcess
SSDT 8685F330 ZwTerminateThread
SSDT 85EFE148 ZwUnmapViewOfSection
SSDT 86A602B8 ZwWriteVirtualMemory

---- Kernel code sections - GMER 2.0 ----

.text ntkrnlpa.exe!ZwRollbackEnlistment + 140D 82C4DA49 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82C874D2 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!KeRemoveQueueEx + 10DB 82C8E510 8 Bytes [90, 11, 8C, 86, 50, AF, 8A, ...] {NOP ; ADC [ESI+EAX*4-0x797550b0], ECX}
.text ntkrnlpa.exe!KeRemoveQueueEx + 10F3 82C8E528 4 Bytes [D0, 03, A6, 86]
.text ntkrnlpa.exe!KeRemoveQueueEx + 10FF 82C8E534 4 Bytes [68, 0B, F9, 85]
.text ntkrnlpa.exe!KeRemoveQueueEx + 1153 82C8E588 4 Bytes [F0, 7B, A3, 86]
.text ntkrnlpa.exe!KeRemoveQueueEx + 11CF 82C8E604 4 Bytes [30, 92, A5, 86]
.text ...
.text C:\windows\system32\DRIVERS\atikmdag.sys section is writeable [0x90233000, 0x2D5526, 0xE8000020]
? C:\Users\Peter\AppData\Local\Temp\mbr.sys The system cannot find the file specified. !

---- EOF - GMER 2.0 ----

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 9.0.8112.16457
Run by Peter at 21:35:04 on 2013-02-11
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.1790.1015 [GMT -7:00]
AV: Norton Security Suite *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton Security Suite *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Norton Security Suite *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
============== Running Processes ================
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Norton Security Suite\Engine\\ccSvcHst.exe
C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\Norton Security Suite\Engine\\ccSvcHst.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\TOSHIBA\Utilities\KeNotify.exe
C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
C:\Program Files\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\DailyBibleGuide\bar\2.bin\2vbrmon.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSwMgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\TOSHIBA\ConfigFree\CFIWmxSvcs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe
C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe
C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe
C:\Program Files\Microsoft\BingBar\7.1.391.0\SeaPort.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\svchost.exe -k NetworkService
C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\windows\system32\svchost.exe -k imgsvc
C:\windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\windows\System32\svchost.exe -k LocalServicePeerNet
============== Pseudo HJT Report ===============
uStart Page = hxxp://
uDefault_Page_URL = hxxp://
mStart Page = hxxp://
mDefault_Page_URL = hxxp://
uURLSearchHooks: <No Name>: {f15ff29f-85a1-43cd-9674-e5ba40016c97} - c:\program files\dailybibleguide\bar\2.bin\2vSrcAs.dll
BHO: Search Assistant BHO: {0631bff0-6846-48ca-982d-d62d7f376e97} - c:\program files\dailybibleguide\bar\2.bin\2vSrcAs.dll
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Symantec NCO BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - c:\program files\norton security suite\engine\\coieplg.dll
BHO: Symantec Intrusion Prevention: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - c:\program files\norton security suite\engine\\ipsbho.dll
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Windows Live Messenger Companion Helper: {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - c:\program files\windows live\companion\companioncore.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Toolbar BHO: {beea7fa9-d1f4-49a2-9b1f-6fb7a2d9bc2a} - c:\program files\dailybibleguide\bar\2.bin\2vbar.dll
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\microsoft\bingbar\7.1.391.0\BingExt.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - c:\program files\norton security suite\engine\\coieplg.dll
TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: DailyBibleGuide: {2A942AB7-2073-49BC-A7E1-77E93835889A} - c:\program files\dailybibleguide\bar\2.bin\2vbar.dll
TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - c:\program files\norton security suite\engine\\coieplg.dll
TB: DailyBibleGuide: {2a942ab7-2073-49bc-a7e1-77e93835889a} - c:\program files\dailybibleguide\bar\2.bin\2vbar.dll
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} -
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [MyTOSHIBA] "c:\program files\toshiba\my toshiba\MyToshiba.exe" /AUTO
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SVPWUTIL] c:\program files\toshiba\utilities\SVPWUTIL.exe SVPwUTIL
mRun: [HWSetup] "c:\program files\toshiba\utilities\HWSetup.exe" hwSetUP
mRun: [KeNotify] c:\program files\toshiba\utilities\KeNotify.exe
mRun: [TPwrMain] c:\program files\toshiba\power saver\TPwrMain.EXE
mRun: [SmoothView] c:\program files\toshiba\smoothview\SmoothView.exe
mRun: [00TCrdMain] c:\program files\toshiba\flashcards\TCrdMain.exe
mRun: [ToshibaServiceStation] "c:\program files\toshiba\toshiba service station\ToshibaServiceStation.exe" /hide:60
mRun: [TosSENotify] c:\program files\toshiba\toshiba hdd ssd alert\TosWaitSrv.exe
mRun: [NortonOnlineBackupReminder] "c:\program files\toshiba\toshiba online backup\activation\TobuActivation.exe" UNATTENDED
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [DailyBibleGuide Browser Plugin Loader] c:\progra~1\dailyb~2\bar\2.bin\2vbrmon.exe
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: E&xport to Microsoft Excel - c:\progra~1\mif5ba~1\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - c:\program files\windows live\companion\companioncore.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office12\ONBttnIE.dll
IE: {76c5fb99-dd0a-4186-9e75-65d1bf3da283} - c:\program files\amazon\add to wish list ie extension\run.htm
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
INFO: HKLM has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://
TCP: NameServer =
TCP: Interfaces\{3541B93D-CD6A-43FC-B399-DE19D695BF71} : DHCPNameServer =
TCP: Interfaces\{7BEDF22F-6E07-4CBA-A651-49DFA1F7DC06} : DHCPNameServer =
TCP: Interfaces\{9A2C832A-3E88-42DB-8D70-FFA7F014AFC6} : DHCPNameServer =
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
SSODL: WebCheck - <orphaned>
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
mASetup: {01250B8F-D947-4F8A-9408-FE8E3EE2EC92} - c:\program files\toshiba\my toshiba\MyToshiba.exe /SETUP
Hosts: Spyware Info | Spyware Info | spyware software | spyware program | protection spyware
============= SERVICES / DRIVERS ===============
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0404000.00c\symds.sys [2011-10-31 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0404000.00c\symefa.sys [2011-10-31 173176]
R1 BHDrvx86;BHDrvx86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\bashdefs\20130116.013\BHDrvx86.sys [2013-1-15 997464]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0404000.00c\cchpx86.sys [2011-10-31 485512]
R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\ipsdefs\20130209.002\IDSvix86.sys [2013-2-11 386720]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\0404000.00c\ironx86.sys [2011-10-31 116784]
R1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\system32\drivers\n360\0404000.00c\symtdiv.sys [2011-10-31 340088]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-5-16 176128]
R2 cfWiMAXService;ConfigFree WiMAX Service;c:\program files\toshiba\configfree\CFIWmxSvcs.exe [2009-8-10 185712]
R2 ConfigFree Service;ConfigFree Service;c:\program files\toshiba\configfree\CFSvcs.exe [2009-3-10 46448]
R2 DailyBibleGuideService;DailyBibleGuide Service;c:\progra~1\dailyb~2\bar\2.bin\2vbarsvc.exe [2011-4-15 36864]
R2 N360;Norton Security Suite;c:\program files\norton security suite\engine\\ccsvchst.exe [2011-10-31 126400]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2010-12-29 1153368]
R3 BBUpdate;BBUpdate;c:\program files\microsoft\bingbar\7.1.391.0\SeaPort.EXE [2012-6-11 240208]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2012-8-15 106656]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2010-5-16 167936]
R3 TMachInfo;TMachInfo;c:\program files\toshiba\toshiba service station\TMachInfo.exe [2010-5-16 54136]
R3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;c:\program files\toshiba\toshiba hdd ssd alert\TosSmartSrv.exe [2009-9-17 111960]
S2 BBSvc;BingBar Service;c:\program files\microsoft\bingbar\7.1.391.0\BBSvc.EXE [2012-6-11 193616]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 fssfltr;fssfltr;c:\windows\system32\drivers\fssfltr.sys [2011-7-2 39272]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2010-9-22 1493352]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [2010-5-16 171520]
S3 RTL8192su;Realtek RTL8192SU Wireless LAN 802.11n USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8192su.sys [2010-11-25 603240]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-6-8 52224]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-12-29 1343400]
S4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\windows live\mesh\wlcrasvc.exe [2010-9-22 51040]
=============== Created Last 30 ================
2013-02-07 04:04:58 -------- d-----w- c:\programdata\AMMYY
==================== Find3M ====================
2013-02-08 03:16:56 697712 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-02-08 03:16:55 74096 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-12-16 14:13:28 295424 ----a-w- c:\windows\system32\atmfd.dll
2012-12-16 14:13:20 34304 ----a-w- c:\windows\system32\atmlib.dll
2012-12-07 12:26:17 308736 ----a-w- c:\windows\system32\Wpc.dll
2012-12-07 12:20:43 2576384 ----a-w- c:\windows\system32\gameux.dll
2012-11-30 04:53:34 169984 ----a-w- c:\windows\system32\winsrv.dll
2012-11-30 04:47:45 293376 ----a-w- c:\windows\system32\KernelBase.dll
2012-11-30 02:55:25 271360 ----a-w- c:\windows\system32\conhost.exe
2012-11-30 02:38:59 6144 ---ha-w- c:\windows\system32\api-ms-win-security-base-l1-1-0.dll
2012-11-30 02:38:59 4608 ---ha-w- c:\windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
2012-11-30 02:38:59 3584 ---ha-w- c:\windows\system32\api-ms-win-core-xstate-l1-1-0.dll
2012-11-30 02:38:59 3072 ---ha-w- c:\windows\system32\api-ms-win-core-util-l1-1-0.dll
2012-11-23 02:56:23 2345984 ----a-w- c:\windows\system32\win32k.sys
2012-11-23 02:48:41 49152 ----a-w- c:\windows\system32\taskhost.exe
2012-11-22 04:45:03 626688 ----a-w- c:\windows\system32\usp10.dll
2012-11-20 04:51:09 220160 ----a-w- c:\windows\system32\ncrypt.dll
============= FINISH: 21:36:00.93 ===============


· TSF Security Manager, Emeritus
42,952 Posts
Hello Laura,

That was a very smart move, good for you for trusting your gut and doing an immediate disconnect.

Since this Windows 7, my first recommendation is to utilize System Restore. These are the restore points I see available to you:

==== System Restore Points ===================
RP162: 12/5/2012 7:12:44 PM - Scheduled Checkpoint
RP163: 12/12/2012 9:41:43 AM - Windows Update
RP164: 12/20/2012 2:05:43 AM - Scheduled Checkpoint
RP165: 1/1/2013 3:00:24 AM - Windows Update
RP166: 1/9/2013 10:35:07 PM - Scheduled Checkpoint
RP167: 1/10/2013 9:20:24 AM - Windows Update
RP168: 1/24/2013 1:00:22 AM - Scheduled Checkpoint
RP169: 2/3/2013 9:40:47 AM - Scheduled Checkpoint
RP170: 2/11/2013 9:06:18 PM - Scheduled Checkpoint
To minimize interference, it's best you perform the System Restore without Windows loaded. Restart your computer and tap F8 to bring up the Advanced Menu, then click Repair your computer

Follow the prompt to enter language, keyboard input method, and then the prompt to enter a password. If the machine does not have a password, simply click Enter.

In the next menu, use the arrow keys on the keyboard to highlight System Restore and press Enter.

Follow the prompts to restore to an earlier time. Select the date closest to just before they had remote access. Follow all prompts.

How did that work out for you?

· Registered
4 Posts
Discussion Starter · #3 ·
Dear Reid,
I guess my reply several days ago did not go through. Thank you for your help but this did not solve my problem. I still seem to be heavily infected and I still can not perform administrative tasks even though I am logged on as an Administrator. I apologize for neglecting yo tell you this in my first post.

· TSF Security Manager, Emeritus
42,952 Posts

You did try to use system restore from outside of Windows as I instructed, correct?

Ried said:
To minimize interference, it's best you perform the System Restore without Windows loaded. Restart your computer and tap F8 to bring up the Advanced Menu, then click Repair your computer

Follow the prompt to enter language, keyboard input method, and then the prompt to enter a password. If the machine does not have a password, simply click Enter.

In the next menu, use the arrow keys on the keyboard to highlight System Restore and press Enter.

Follow the prompts to restore to an earlier time. Select the date closest to just before the problem began. Follow all prompts.
If that did not work, then let's proceed.

Please download Malwarebytes Anti-Rootkit from here Malwarebytes : Malwarebytes Anti-Rootkit and save it to your desktop.

Be sure to print out and follow the instructions provided on that same page.

Caution: This is a beta version so please be sure to read the disclaimer and back up any important data before using.

  • Double click the file to open it, then 'Extract all files'.
  • Double click the mbar folder to open it, then double click mbar.exe to start the tool.
Check for Updates, then Scan your system for malware

If malware is found, do NOT press the Cleanup button yet. Click EXIT.

I'd like to see the log first so I can see what it sees. You'll find the log in that mbar folder as MBAR-log-<date and time>***.txt . Please attach that to your next reply.

· Registered
4 Posts
Discussion Starter · #5 ·
Dear Ried,
Thank you for your help. I ran the MWBs Anti-Root kit and the results were "0" across the board. The program that was informing me I did not have Admin rights was Spybot S&D, so I uninstalled it. It tried to resist being uninstalled, is there a way to double check and make certain it didn't leave anything behind? I am running Norton Security Suite (supplied by Comcast) and the Free version of MWBs is still installed. Should I make any changes?
1 - 5 of 5 Posts
Not open for further replies.