Sysinternals Forum > Sysinternals Utilities > RootkitRevealer Logs

RootRepeal report and ODG / Olmarik trojans

Oddjob10 (Newbie, joined 07 September 2009, posts: 6)
Posted: 10 September 2009 at 3:21pm

Cool.

Thanks a lot for all the tips. The trojans seem to be gone and a lot of other malware cleared out too. Everything behaving normally now.

The Secunia threw up some old vulnerable installations of a couple of progs like Realplayer, so I've updated those.

Cheers for all the tips. Much appreciated.

nullptr (Senior Member, Australia, joined 06 April 2008, posts: 553)
Posted: 10 September 2009 at 10:53am

> What's the thinking in removing system restore points? With all the changes like registry deletions, wouldn't it be safer to have a recovery point?

It's your call, but assuming none of the restore points are corrupted, it doesn't really make sense to retain them when they'd potentially revert your pc to an infected state.

If you have one of the latest builds of CCleaner installed you could use its Tools > System Restore to remove all but the last couple of restore points.

Personally, I'd only keep any created after you used RootRepeal to remove the redundant service entry for kbiwkmjyoeoiya.

Oddjob10 (Newbie, joined 07 September 2009, posts: 6)
Posted: 09 September 2009 at 5:13pm

Hi

Thanks for all the tips. The PC is (touch wood) running much more smoothly and no more BSODs.

Yeah, I installed Nod32 here recently, having been pleased with it on other computers before. ZoneAlarm was on already, but mainly causing probs with too many scans using up VM.

No probs showed up on the Nod32 deep scan I did this morning.

Will do the Secunia now.

What's the thinking in removing system restore points? With all the changes like registry deletions, wouldn't it be safer to have a recovery point?

nullptr (Senior Member, Australia, joined 06 April 2008, posts: 553)
Posted: 09 September 2009 at 1:16pm

Hi,

Open RootRepeal, select Tools >> Delete Registry Key and paste the following into the blank edit box:

SYSTEM\CurrentControlSet\Services\kbiwkmjyoeoiya

and Delete Key. If it throws an error let me know.

It seems you have Nod32, Zone Alarm Pro?? and PcTools Threatfire installed. If this is not the case let me know.

How is your pc now running? Does an in depth scan with Nod32 show anything?

Run a Secunia OSI scan to make sure you have the latest versions of java and flash available. It will also alert you to any vulnerable software installed.

If everything seems to be OK then it would also be an idea to remove all system restore points. Right click My Computer >> Properties >>System Restore tab. Put a check in 'Turn off system restore on all drives', apply then OK. Repeat this procedure but uncheck the 'Turn off ....', apply and OK.

Oddjob10 (Newbie, joined 07 September 2009, posts: 6)
Posted: 09 September 2009 at 12:20pm

Here you are. Thanks, nullptr.

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/09/09 11:03
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF1DEA000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF79CF000 Size: 8192 File Visible: No Signed: -
Status: -

Name: mchInjDrv.sys
Image Path: C:\WINDOWS\system32\Drivers\mchInjDrv.sys
Address: 0xF7B66000 Size: 2560 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xEEFE9000 Size: 49152 File Visible: No Signed: -
Status: -

Name: srescan.sys
Image Path: srescan.sys
Address: 0xF7166000 Size: 81920 File Visible: No Signed: -
Status: -

Name: xlscg.sys
Image Path: xlscg.sys
Address: 0xF7487000 Size: 61440 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\windows\system32\drivers\fidbox.dat
Status: Size mismatch (API: 1024837664, Raw: 1024830496)

Path: D:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP956\A0218867.LNK
Status: Visible to the Windows API, but not on disk.

Path: D:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP956\A0218868.LNK
Status: Visible to the Windows API, but not on disk.

Path: D:\Documents and Settings\!\Local Settings\Temp\~WRD0004.doc
Status: Visible to the Windows API, but not on disk.

Path: D:\Documents and Settings\!\Local Settings\Application Data\Microsoft\Messenger\zanderbell@hotmail.com\SharingMetadata\jenibeejay@hotmail.co.uk\DFSR\Staging\CS{5D15539E-8102-C2E9-B21D-F171C5D7757C}\14\185-{E~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: D:\Documents and Settings\!\Local Settings\Application Data\Microsoft\Messenger\zanderbell@hotmail.com\SharingMetadata\jenibeejay@hotmail.co.uk\DFSR\Staging\CS{5D15539E-8102-C2E9-B21D-F171C5D7757C}\15\184-{E~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: D:\Documents and Settings\!\Local Settings\Application Data\Microsoft\Messenger\zanderbell@hotmail.com\SharingMetadata\jenibeejay@hotmail.co.uk\DFSR\Staging\CS{5D15539E-8102-C2E9-B21D-F171C5D7757C}\16\186-{E~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: D:\Documents and Settings\!\Local Settings\Application Data\Microsoft\Messenger\zanderbell@hotmail.com\SharingMetadata\jenibeejay@hotmail.co.uk\DFSR\Staging\CS{5D15539E-8102-C2E9-B21D-F171C5D7757C}\17\187-{E~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: D:\Documents and Settings\!\Local Settings\Application Data\Microsoft\Messenger\zanderbell@hotmail.com\SharingMetadata\jenibeejay@hotmail.co.uk\DFSR\Staging\CS{5D15539E-8102-C2E9-B21D-F171C5D7757C}\18\188-{E~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

SSDT
-------------------
#: 019 Function Name: NtAssignProcessToJobObject
Status: Hooked by "<unknown>" at address 0x86731630

#: 037 Function Name: NtCreateFile
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf1f64c80

#: 041 Function Name: NtCreateKey
Status: Hooked by "PCTCore.sys" at address 0xf7276514

#: 047 Function Name: NtCreateProcess
Status: Hooked by "PCTCore.sys" at address 0xf7265282

#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "PCTCore.sys" at address 0xf7265474

#: 062 Function Name: NtDeleteFile
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf1f65210

#: 063 Function Name: NtDeleteKey
Status: Hooked by "PCTCore.sys" at address 0xf7276d00

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "PCTCore.sys" at address 0xf7276fb8

#: 098 Function Name: NtLoadKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf1f7ff10

#: 099 Function Name: NtLoadKey2
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf1f7ff90

#: 116 Function Name: NtOpenFile
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf1f65070

#: 119 Function Name: NtOpenKey
Status: Hooked by "PCTCore.sys" at address 0xf72753fa

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0x86730a60

#: 128 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0x86730e80

#: 192 Function Name: NtRenameKey
Status: Hooked by "PCTCore.sys" at address 0xf7277422

#: 193 Function Name: NtReplaceKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf1f80150

#: 204 Function Name: NtRestoreKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf1f80540

#: 224 Function Name: NtSetInformationFile
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf1f65440

#: 247 Function Name: NtSetValueKey
Status: Hooked by "PCTCore.sys" at address 0xf72767d8

#: 253 Function Name: NtSuspendProcess
Status: Hooked by "<unknown>" at address 0x86731460

#: 254 Function Name: NtSuspendThread
Status: Hooked by "<unknown>" at address 0x86731280

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "PCTCore.sys" at address 0xf7264f32

#: 258 Function Name: NtTerminateThread
Status: Hooked by "<unknown>" at address 0x867310b0

Stealth Objects
-------------------
Object: Hidden Code [ETHREAD: 0x86bae778]
Process: System Address: 0x8672f790 Size: 1000

Hidden Services
-------------------
Service Name: kbiwkmjyoeoiya
Image Path: C:\WINDOWS\system32\drivers\kbiwkmqejuyfts.sys

==EOF==

nullptr (Senior Member, Australia, joined 06 April 2008, posts: 553)
Posted: 08 September 2009 at 4:57pm

Any chance that you could run another report scan - select all options to scan for - and also drives C and D?

Things look somewhat better from what you've posted, but I'd prefer to see the full report.

Thanks again.

Oddjob10 (Newbie, joined 07 September 2009, posts: 6)
Posted: 08 September 2009 at 3:57pm

Oops, copied and pasted the wrong one. Here's the new scan:

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/09/08 11:30
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: D:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP955\A0218814.ver
Status: Could not get file information (Error 0xc0000008)

Path: D:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP955\A0218815.ver
Status: Could not get file information (Error 0xc0000008)

Path: d:\documents and settings\!\local settings\temp\etilqs_aa55yftxiewppvr4o8cz
Status: Allocation size mismatch (API: 32768, Raw: 0)

Path: d:\documents and settings\!\local settings\temp\etilqs_bmciftzndanwwc7m44c9
Status: Allocation size mismatch (API: 8192, Raw: 0)

Path: D:\Documents and Settings\!\Local Settings\Temporary Internet Files\Content.IE5\4F2J5X5L\109[5]
Status: Invisible to the Windows API!

Path: D:\Documents and Settings\!\Local Settings\Temporary Internet Files\Content.IE5\N0QHFXHU\109[6]
Status: Visible to the Windows API, but not on disk.

Path: d:\documents and settings\!\local settings\application data\google\chrome\user data\default\history index 2009-06-journal
Status: Size mismatch (API: 70280, Raw: 66176)

Path: D:\Documents and Settings\!\Local Settings\Application Data\Microsoft\Messenger\zanderbell@hotmail.com\SharingMetadata\jenibeejay@hotmail.co.uk\DFSR\Staging\CS{5D15539E-8102-C2E9-B21D-F171C5D7757C}\14\185-{E~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: D:\Documents and Settings\!\Local Settings\Application Data\Microsoft\Messenger\zanderbell@hotmail.com\SharingMetadata\jenibeejay@hotmail.co.uk\DFSR\Staging\CS{5D15539E-8102-C2E9-B21D-F171C5D7757C}\15\184-{E~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: D:\Documents and Settings\!\Local Settings\Application Data\Microsoft\Messenger\zanderbell@hotmail.com\SharingMetadata\jenibeejay@hotmail.co.uk\DFSR\Staging\CS{5D15539E-8102-C2E9-B21D-F171C5D7757C}\16\186-{E~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: D:\Documents and Settings\!\Local Settings\Application Data\Microsoft\Messenger\zanderbell@hotmail.com\SharingMetadata\jenibeejay@hotmail.co.uk\DFSR\Staging\CS{5D15539E-8102-C2E9-B21D-F171C5D7757C}\17\187-{E~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: D:\Documents and Settings\!\Local Settings\Application Data\Microsoft\Messenger\zanderbell@hotmail.com\SharingMetadata\jenibeejay@hotmail.co.uk\DFSR\Staging\CS{5D15539E-8102-C2E9-B21D-F171C5D7757C}\18\188-{E~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.


nullptr (Senior Member, Australia, joined 06 April 2008, posts: 553)
Posted: 08 September 2009 at 12:57pm

Hi Oddjob,

It seems that you have posted the same RootRepeal report as shown in your first post:

Scan Start Time: 2009/09/07 22:19

Could you please rerun RootRepeal and get an updated report?

Thanks.

Oddjob10 (Newbie, joined 07 September 2009, posts: 6)
Posted: 08 September 2009 at 11:31am

Thanks for the tips, nullptr.

Have followed your instructions. Before start-up on the reboot the checkdisk made some changes.
MalwareBytes picked up and deleted a few problems, including rootkits.
The next RootRepeal report is below.


ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/09/07 22:19
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: 00000E73
Image Path: 00000E73
Address: 0x85E01000 Size: 41218 File Visible: No Signed: -
Status: -

Name: 00000E73
Image Path: 00000E73
Address: 0xEE813000 Size: 75008 File Visible: No Signed: -
Status: Hidden from the Windows API!

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF1871000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF79F5000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xEF492000 Size: 49152 File Visible: No Signed: -
Status: -

Name: srescan.sys
Image Path: srescan.sys
Address: 0xF7189000 Size: 81920 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\kbiwkmhxqcemci.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\kbiwkmkytpxuod.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\kbiwkmnlqppofj.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\kbiwkmorcrjqqf.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\kbiwkmtadtsvsk.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\kbiwkmwecxgoiq.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\kbiwkmwinmyqxw.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\kbiwkmxoufnlnq.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\kbiwkmqejuyfts.sys
Status: Invisible to the Windows API!

Path: D:\Documents and Settings\!\Application Data\Skype\E3AAB9EBd01
Status: Locked to the Windows API!

Path: d:\documents and settings\all users\application data\spybot - search & destroy\proccache.sbc
Status: Size mismatch (API: 2624, Raw: 2556)

Path: D:\Documents and Settings\!\Application Data\Skype\monikabell\BEB55D62d01
Status: Locked to the Windows API!

Path: d:\documents and settings\!\application data\skype\monikabell\user16384.dbb
Status: Allocation size mismatch (API: 53248, Raw: 57344)

Path: d:\documents and settings\!\local settings\temp\is-9j26r.tmp\item12.ztmp
Status: Size mismatch (API: 519270, Raw: 345088)

Path: D:\Documents and Settings\!\Local Settings\Temp\is-9J26R.tmp\item13.ztmp
Status: Visible to the Windows API, but not on disk.

Path: D:\Documents and Settings\!\Local Settings\Temp\is-9J26R.tmp\item14.ztmp
Status: Visible to the Windows API, but not on disk.

Path: D:\Documents and Settings\!\Local Settings\Temp\is-9J26R.tmp\item15.ztmp
Status: Visible to the Windows API, but not on disk.

Path: D:\Documents and Settings\!\Local Settings\Temp\is-9J26R.tmp\item16.ztmp
Status: Visible to the Windows API, but not on disk.

Path: D:\Documents and Settings\!\Local Settings\Temp\is-9J26R.tmp\item17.ztmp
Status: Visible to the Windows API, but not on disk.

Path: d:\documents and settings\!\local settings\application data\google\chrome\user data\default\current session
Status: Size mismatch (API: 189820, Raw: 189359)

Path: D:\Documents and Settings\!\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\soundData.sol
Status: Locked to the Windows API!

Path: d:\documents and settings\!\local settings\application data\google\chrome\user data\default\cache\f_000048
Status: Allocation size mismatch (API: 7081984, Raw: 7077888)

Path: D:\Documents and Settings\!\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache\f_000081
Status: Visible to the Windows API, but not on disk.

Path: D:\Documents and Settings\!\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache\f_000082
Status: Visible to the Windows API, but not on disk.

Path: D:\Documents and Settings\!\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache\f_000083
Status: Visible to the Windows API, but not on disk.

Path: D:\Documents and Settings\!\Local Settings\Application Data\Microsoft\Messenger\zanderbell@hotmail.com\SharingMetadata\jenibeejay@hotmail.co.uk\DFSR\Staging\CS{5D15539E-8102-C2E9-B21D-F171C5D7757C}\14\185-{E~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: D:\Documents and Settings\!\Local Settings\Application Data\Microsoft\Messenger\zanderbell@hotmail.com\SharingMetadata\jenibeejay@hotmail.co.uk\DFSR\Staging\CS{5D15539E-8102-C2E9-B21D-F171C5D7757C}\15\184-{E~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: D:\Documents and Settings\!\Local Settings\Application Data\Microsoft\Messenger\zanderbell@hotmail.com\SharingMetadata\jenibeejay@hotmail.co.uk\DFSR\Staging\CS{5D15539E-8102-C2E9-B21D-F171C5D7757C}\16\186-{E~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: D:\Documents and Settings\!\Local Settings\Application Data\Microsoft\Messenger\zanderbell@hotmail.com\SharingMetadata\jenibeejay@hotmail.co.uk\DFSR\Staging\CS{5D15539E-8102-C2E9-B21D-F171C5D7757C}\17\187-{E~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: D:\Documents and Settings\!\Local Settings\Application Data\Microsoft\Messenger\zanderbell@hotmail.com\SharingMetadata\jenibeejay@hotmail.co.uk\DFSR\Staging\CS{5D15539E-8102-C2E9-B21D-F171C5D7757C}\18\188-{E~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

SSDT
-------------------
ServiceTable Hooked [0x85eaae40]!

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0x8659ca60

#: 128 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0x8659ce80

#: 253 Function Name: NtSuspendProcess
Status: Hooked by "<unknown>" at address 0x8659d460

#: 254 Function Name: NtSuspendThread
Status: Hooked by "<unknown>" at address 0x8659d280

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0x8659cc90

#: 258 Function Name: NtTerminateThread
Status: Hooked by "<unknown>" at address 0x8659d0b0

Stealth Objects
-------------------
Object: Hidden Thread [ETHREAD: 0x86719da8, TID: 3124]
Process: svchost.exe (PID: 1388) Address: 0x00f01f3c Size: -

Object: Hidden Module [Name: kbiwkmorcrjqqf.dll]
Process: svchost.exe (PID: 1388) Address: 0x10000000 Size: 57344

Object: Hidden Module [Name: kbiwkmnlqppofj.dll]
Process: Explorer.EXE (PID: 280) Address: 0x10000000 Size: 28672

Object: Hidden Code [ETHREAD: 0x86b613c8]
Process: System Address: 0x8659b790 Size: 1000

Hidden Services
-------------------
Service Name: kbiwkmjyoeoiya
Image Path: C:\WINDOWS\system32\drivers\kbiwkmqejuyfts.sys

Service Name: xsxnjzp
Image Path: C:\WINDOWS\system32\drivers\szbvfkwujqekj.sys

==EOF==


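Reading these reports by hand, as nullptr does in this thread, means picking out the Hidden Services, the files marked "Invisible to the Windows API", the hidden modules under Stealth Objects and the SSDT hooks attributed to "<unknown>", while leaving alone the hooks that belong to the installed firewall and antivirus drivers (vsdatant.sys, PCTCore.sys). The Python script below is an added example, not code from this thread or from RootRepeal: it parses the report format shown in the posts, ranks those entries, and derives the SYSTEM\CurrentControlSet\Services\<name> key that nullptr later has Oddjob10 delete. The embedded report is a constructed, abbreviated excerpt modelled on the scan above (not a real scan), and the section names, field names, severity labels and regular expressions are this example's own reading of the format rather than anything RootRepeal documents.

```python
import re

# Constructed, abbreviated excerpt in the report format shown in this thread; not a real scan.
SAMPLE_REPORT = r"""ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/09/07 22:19
Windows Version: Windows XP SP3
==================================================

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\system32\kbiwkmhxqcemci.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\kbiwkmqejuyfts.sys
Status: Invisible to the Windows API!

SSDT
-------------------
ServiceTable Hooked [0x85eaae40]!

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0x8659ca60

#: 037 Function Name: NtCreateFile
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf1f64c80

Stealth Objects
-------------------
Object: Hidden Module [Name: kbiwkmorcrjqqf.dll]
Process: svchost.exe (PID: 1388) Address: 0x10000000 Size: 57344

Hidden Services
-------------------
Service Name: kbiwkmjyoeoiya
Image Path: C:\WINDOWS\system32\drivers\kbiwkmqejuyfts.sys

==EOF==
"""

SECTION_RE = re.compile(r"^(?P<name>[A-Za-z/ ]+)\n-{5,}\n", re.M)
# RootRepeal packs several fields on one line ("Address: ... Size: ..."); split ahead of those keys.
INLINE_KEY_RE = re.compile(r"\s+(?=(?:Size|File Visible|Signed|Address|Function Name): )")

def parse_entry(block):
    """Turn one blank-line-delimited entry into a {field: value} dict; bare lines are ignored."""
    fields = {}
    for line in block.splitlines():
        for part in INLINE_KEY_RE.split(line):
            key, sep, value = part.partition(": ")
            if sep:
                fields[key.strip()] = value.strip()
    return fields

def parse_report(text):
    """Return (header, sections): header holds the scan metadata, sections maps name -> [entry, ...]."""
    marks = list(SECTION_RE.finditer(text))
    header = parse_entry(text[: marks[0].start()] if marks else text)
    sections = {}
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(text)
        body = text[m.end():end].replace("==EOF==", "")
        entries = [parse_entry(b) for b in re.split(r"\n\s*\n", body.strip())]
        sections[m.group("name").strip()] = [e for e in entries if e]  # drop bare-line blocks
    return header, sections

def triage(sections):
    """Rank entries the way the reviewer in this thread reads them; returns [(severity, message), ...]."""
    found = []
    for s in sections.get("Hidden Services", []):
        found.append(("high", f"hidden service {s.get('Service Name')} -> {s.get('Image Path')}"))
    for f in sections.get("Hidden/Locked Files", []):
        if f.get("Status", "").startswith("Invisible"):
            found.append(("high", f"invisible file {f.get('Path')}"))
    for h in sections.get("SSDT", []):  # hooks owned by named firewall/AV drivers are expected
        if "<unknown>" in h.get("Status", ""):
            found.append(("medium", f"SSDT #{h.get('#')} {h.get('Function Name')} hooked by unknown code"))
    for o in sections.get("Stealth Objects", []):
        if o.get("Object", "").startswith("Hidden Module"):
            found.append(("high", f"{o['Object']} in {o.get('Process')}"))
    return found

def hidden_service_files(sections):
    """Image paths of hidden services whose file is also invisible on disk: the strongest indicator here."""
    invisible = {f.get("Path", "").lower() for f in sections.get("Hidden/Locked Files", [])
                 if f.get("Status", "").startswith("Invisible")}
    return sorted(s["Image Path"] for s in sections.get("Hidden Services", [])
                  if s.get("Image Path", "").lower() in invisible)

def service_registry_keys(sections):
    """Registry keys behind the hidden services, in the form pasted into RootRepeal's Delete Registry Key."""
    return ["SYSTEM\\CurrentControlSet\\Services\\" + s["Service Name"] for s in sections.get("Hidden Services", [])]

if __name__ == "__main__":
    hdr, secs = parse_report(SAMPLE_REPORT)
    print("scan started", hdr.get("Scan Start Time"), "on", hdr.get("Windows Version"))
    for sev, msg in triage(secs):
        print(f"[{sev:6}] {msg}")
    print("hidden service files also invisible on disk:", hidden_service_files(secs))
    print("matching service keys:", service_registry_keys(secs))
```

The header is parsed too, so two saved reports can be told apart by Scan Start Time, which is exactly how nullptr noticed that the same report had been posted twice. Entries with only a "Locked to the Windows API!" status (hiberfil.sys, Skype databases) or a size mismatch are deliberately not flagged: in the reports above they are files in legitimate use, and flagging them would bury the hidden service and invisible driver that actually mattered.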
nullptr (Senior Member, Australia, joined 06 April 2008, posts: 553)
Posted: 08 September 2009 at 12:58am

Hi Oddjob,

Run RootRepeal, select the files tab and scan for hidden/locked files again.

Locate this entry: C:\WINDOWS\system32\drivers\kbiwkmqejuyfts.sys (note extension must be .sys) - right click this entry and select wipe file. Reboot your pc immediately.

Download MalwareBytes AntiMalware, install and update the definitions. Then run a quick scan and let it remove everything it finds.

Finally run another RootRepeal report scan and include that in your next post.

Best of luck.