Europol virus - Hitman Pro kickstart

[Fiery]

Upload a File to Virustotal
Please visit www.virustotal.com

• Click the Choose file... button
• Navigate to the file c:\windows\system32\termsrv.dll
• Click the Open button
• Click the Scan It button
• Copy and paste the results back here.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

• Double-click SystemLook.exe to run it.
• Copy the content of the following codebox into the main textfield:

:filefind
termsrv.dll

• Click the Look button to start the scan.
• When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

 

[debdon]

Virustotal results belw, systemlook txt file to follow

Virustotal
SHA256: 96d84e0416ce5f7daefcb3b047989ef4b6551e619b651e13e9fae93085ecb191
SHA1: eeb71cf5a4fe016e6369d2c98a1c6bc9ecc2bcf1
MD5: 06c8b39afd2cf1cf6a8fc7352bec7ced
File size: 288.5 KB ( 295424 bytes )
File name: termsrv.exe
File type: Win32 DLL
Tags: pedll
Detection ratio: 0 / 46
Analysis date: 2013-05-01 17:07:01 UTC ( 1 minute ago )

0 0 More details Analysis File detail
Additional information Comments Votes Antivirus Result Update
Agnitum  20130501
AhnLab-V3  20130501
AntiVir  20130501
Antiy-AVL  20130501
Avast  20130501
AVG  20130501
BitDefender  20130501
ByteHero  20130430
CAT-QuickHeal  20130430
ClamAV  20130501
Commtouch  20130501
Comodo  20130501
DrWeb  20130501
Emsisoft  20130501
eSafe  20130501
ESET-NOD32  20130501
F-Prot  20130501
F-Secure  20130501
Fortinet  20130501
GData  20130501
Ikarus  20130501
Jiangmin  20130501
K7AntiVirus  20130430
K7GW  20130430
Kaspersky  20130501
Kingsoft  20130422
Malwarebytes  20130501
McAfee  20130501
McAfee-GW-Edition  20130501
Microsoft  20130501
MicroWorld-eScan  20130501
NANO-Antivirus  20130501
Norman  20130501
nProtect  20130501
Panda  20130501
PCTools  20130501
Sophos  20130501
SUPERAntiSpyware  20130501
Symantec  20130501
TheHacker  20130430
TotalDefense  20130501
TrendMicro  20130501
TrendMicro-HouseCall  20130501
VBA32  20130430
VIPRE  20130501
ViRobot  20130501

An error occurred
An error occurred
An error occurred ssdeep6144:6Ub4QerW7bcH7bR/FKDag7zednX8kY0cGU4yBnmeB6ULCNe:6U0Qn7bcR0GYednJUhBnRIe
TrIDWin32 Dynamic Link Library (generic) (38.4%)
Win32 Executable (generic) (38.0%)
Generic Win/DOS Executable (11.7%)
DOS Executable Generic (11.6%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)

ExifToolSubsystemVersion.........: 4.0
InitializedDataSize......: 69120
ImageVersion.............: 5.1
ProductName..............: Microsoft Windows Operating System
FileVersionNumber........: 5.1.2600.2180
UninitializedDataSize....: 0
LanguageCode.............: English (U.S.)
FileFlagsMask............: 0x003f
CharacterSet.............: Unicode
LinkerVersion............: 7.1
OriginalFilename.........: termsrv.exe
MIMEType.................: application/octet-stream
Subsystem................: Windows command line
FileVersion..............: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
TimeStamp................: 2004:08:04 08:56:45+01:00
FileType.................: Win32 DLL
PEType...................: PE32
InternalName.............: termsrv.exe
FileAccessDate...........: 2013:05:01 18:07:08+01:00
ProductVersion...........: 5.1.2600.2180
FileDescription..........: Terminal Server Service
OSVersion................: 5.1
FileCreateDate...........: 2013:05:01 18:07:08+01:00
FileOS...................: Windows NT 32-bit
LegalCopyright...........: Microsoft Corporation. All rights reserved.
MachineType..............: Intel 386 or later, and compatibles
CompanyName..............: Microsoft Corporation
CodeSize.................: 260096
FileSubtype..............: 0
ProductVersionNumber.....: 5.1.2600.2180
EntryPoint...............: 0x2192e
ObjectFileType...........: Executable application
Sigcheckpublisher................: Microsoft Corporation
product..................: Microsoft_ Windows_ Operating System
internal name............: termsrv.exe
copyright................: (c) Microsoft Corporation. All rights reserved.
original name............: termsrv.exe
file version.............: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
description..............: Terminal Server Service
Portable Executable structural informationCompilation timedatestamp.....: 2004-08-04 07:56:45
Target machine................: Intel 386 or later processors and compatible processors
Entry point address...........: 0x0002192E

PE Sections...................:

Name Virtual Address Virtual Size Raw Size Entropy MD5
.text 4096 259690 260096 6.61 571983960a885ab7c451cea5a252310e
.data 266240 38968 4608 5.41 b6f46a64f3515283049d0afa87288aef
.rsrc 307200 15968 16384 3.25 39d3d9c93594b5868500536d35c7df36
.reloc 323584 12992 13312 6.19 12ab2d7046bd30c66e6b657741a2dfce

PE Imports....................:

[[SHLWAPI.dll]]
PathAppendA

[[AUTHZ.dll]]
AuthzFreeResourceManager, AuthziInitializeAuditParamsWithRM, AuthzInitializeResourceManager, AuthziInitializeAuditEventType, AuthziFreeAuditParams, AuthzFreeAuditEvent, AuthziAllocateAuditParams, AuthziLogAuditEvent, AuthziFreeAuditEventType, AuthziInitializeAuditEvent

[[SETUPAPI.dll]]
SetupDiGetDeviceRegistryPropertyA, SetupDiGetClassDevsA, SetupDiEnumDeviceInfo, SetupDiDestroyDeviceInfoList

[[ICAAPI.dll]]
IcaChannelOpen, IcaStackConnectionClose, IcaClose, IcaStackTerminate, IcaChannelClose, IcaChannelIoControl, IcaStackIoControl, IcaOpen, IcaStackConnectionRequest, IcaStackUnlock, IcaStackConnectionWait, IcaStackDisconnect, _IcaStackIoControl, IcaPushConsoleStack, IcaIoControl, IcaStackClose, IcaStackOpen, IcaStackReconnect, IcaStackCallback, IcaStackConnectionAccept

[[WINTRUST.dll]]
CryptCATAdminReleaseCatalogContext, CryptCATCatalogInfoFromContext, WTHelperGetProvSignerFromChain, WinVerifyTrust, CryptCATAdminCalcHashFromFileHandle, CryptCATAdminEnumCatalogFromHash, CryptCATAdminReleaseContext, WTHelperProvDataFromStateData, CryptCATAdminAcquireContext

[[SHELL32.dll]]
SHGetFolderPathA

[[KERNEL32.dll]]
LocalSize, ReleaseMutex, FileTimeToSystemTime, WaitForSingleObject, GetDriveTypeA, DebugBreak, GetLocalTime, DeleteCriticalSection, GetCurrentProcess, OpenFileMappingW, LocalAlloc, GetVolumeInformationW, lstrcatW, WideCharToMultiByte, InterlockedExchange, WriteFile, GetProfileIntW, GetSystemTimeAsFileTime, GetDiskFreeSpaceA, FreeLibrary, LocalFree, FormatMessageW, ResumeThread, GetLogicalDriveStringsA, InitializeCriticalSection, InterlockedDecrement, QueryDosDeviceW, OutputDebugStringA, SetLastError, IsBadWritePtr, GetSystemTime, IsDebuggerPresent, HeapAlloc, lstrcmpiW, GetVolumeInformationA, LoadLibraryExA, SetThreadPriority, DelayLoadFailureHook, GetSystemDefaultLCID, MultiByteToWideChar, VerifyVersionInfoW, GetModuleHandleA, CreateThread, GetSystemDirectoryW, GetExitCodeThread, SetUnhandledExceptionFilter, CreateMutexW, ExitThread, TerminateProcess, GetVersion, SetWaitableTimer, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, HeapFree, EnterCriticalSection, LoadLibraryW, GetVersionExW, SetEvent, QueryPerformanceCounter, GetTickCount, DisableThreadLibraryCalls, GetVersionExA, LoadLibraryA, GetWindowsDirectoryW, GetFileSize, OpenProcess, GetDateFormatW, WaitForMultipleObjects, GetProcessHeap, CreateWaitableTimerW, GetProfileStringW, lstrcpyW, lstrcpyA, ResetEvent, GetComputerNameExW, GetComputerNameA, GlobalMemoryStatus, GetProcAddress, GetProcessAffinityMask, CreateEventW, CreateFileW, CreateFileA, InterlockedIncrement, GetLastError, SystemTimeToFileTime, GetComputerNameW, GetSystemInfo, lstrlenA, lstrlenW, UnregisterWait, GetCurrentProcessId, ProcessIdToSessionId, RegisterWaitForSingleObject, SetThreadAffinityMask, InterlockedCompareExchange, GetCurrentThread, lstrcpynW, UnhandledExceptionFilter, MapViewOfFile, SetFilePointer, ReadFile, PulseEvent, CloseHandle, OpenMutexW, GetACP, GetCurrentThreadId, CompareFileTime, UnmapViewOfFile, OpenEventW, CreateProcessW, Sleep, IsBadReadPtr

[[msvcrt.dll]]
strncmp, _purecall, malloc, _wcsupr, _ftol, wcschr, _stricmp, _snwprintf, swprintf, strncpy, _except_handler3, wcscmp, ??2@YAPAXI@Z, qsort, _mbslen, wcslen, mktime, wcsncat, sprintf, _snprintf, mbstowcs, wcsrchr, _adjust_fdiv, __CxxFrameHandler, _wcsicmp, _wcsnicmp, wcsncpy, ??3@YAXPAX@Z, gmtime, free, wcscat, _wtol, memmove, swscanf, wcscpy, iswdigit, wcstok, time, _initterm

[[Secur32.dll]]
GetUserNameExW

[[CRYPT32.dll]]
CertEnumCertificatesInStore, CertOpenStore, CertComparePublicKeyInfo, CryptExportPublicKeyInfo, CertFreeCertificateContext, CertGetIssuerCertificateFromStore, CertCloseStore, CertFindExtension, CertDuplicateCertificateContext, CertVerifyCertificateChainPolicy, CryptDecodeObject, CertCreateCertificateContext, CryptBinaryToStringW, CertVerifySubjectCertificateContext, CryptVerifyCertificateSignature

[[ntdll.dll]]
RtlConvertSharedToExclusive, RtlCreateSecurityDescriptor, NtRequestPort, RtlSetGroupSecurityDescriptor, NtOpenThreadToken, NtCreateEvent, RtlWriteRegistryValue, RtlInitializeCriticalSection, RtlDeleteAce, RtlAllocateAndInitializeSid, NtDelayExecution, NtOpenSymbolicLinkObject, RtlInsertElementGenericTable, RtlLengthRequiredSid, RtlCreateRegistryKey, RtlAddAccessAllowedAce, NtCreatePort, RtlAllocateHeap, RtlIntegerToUnicodeString, RtlNtStatusToDosError, NtWaitForSingleObject, RtlFreeUnicodeString, RtlAppendUnicodeToString, RtlInitializeSid, NtReplyWaitReceivePort, NtDuplicateToken, RtlLengthSecurityDescriptor, NtSetTimer, RtlpNtEnumerateSubKey, NtSetEvent, NtQueryDirectoryObject, RtlAcquireResourceExclusive, NtQueryValueKey, NtQueryVirtualMemory, VerSetConditionMask, NtCompleteConnectPort, NtResetEvent, NtDeviceIoControlFile, RtlCopySid, NtCreateDirectoryObject, RtlGetAce, NtQuerySystemInformation, RtlDeleteResource, RtlLookupElementGenericTable, NtQuerySystemTime, RtlQueryInformationAcl, NtConnectPort, RtlEnterCriticalSection, RtlDeleteCriticalSection, NtQueryMutant, DbgBreakPoint, RtlSetDaclSecurityDescriptor, RtlFreeSid, NtReleaseMutant, RtlAdjustPrivilege, NtCreateTimer, RtlCompareMemory, RtlInitUnicodeString, RtlSubAuthoritySid, RtlConvertExclusiveToShared, NtReplyPort, NtTerminateProcess, RtlAcquireResourceShared, RtlSetProcessIsCritical, NtSetSecurityObject, NtWaitForMultipleObjects, NtAllocateVirtualMemory, RtlInitializeGenericTable, RtlCreateEnvironment, RtlAnsiStringToUnicodeString, RtlGetDaclSecurityDescriptor, RtlMapGenericMask, RtlExtendedLargeIntegerDivide, NtRequestWaitReplyPort, RtlLeaveCriticalSection, RtlLengthSid, RtlEqualSid, NtCreateSection, RtlInitAnsiString, NtOpenProcessToken, RtlCreateAcl, NtDuplicateObject, NtOpenProcess, NtClose, NtQueryInformationToken, NtSetInformationThread, NtFreeVirtualMemory, DbgPrint, RtlQueryRegistryValues, RtlDeleteElementGenericTable, RtlPrefixUnicodeString, RtlGetOwnerSecurityDescriptor, NtAcceptConnectPort, RtlCreateUserSecurityObject, RtlFreeHeap, RtlGetGroupSecurityDescriptor, NtCreateMutant, NtOpenKey, RtlInitializeResource, NtQuerySecurityObject, RtlReleaseResource, RtlCopySecurityDescriptor, NtQueryInformationProcess

[[ADVAPI32.dll]]
CryptDestroyKey, RegCreateKeyExW, RegCloseKey, LookupAccountSidW, RegQueryValueExA, GetAce, SetServiceBits, CryptVerifySignatureW, LsaNtStatusToWinError, RegOpenKeyExW, RegNotifyChangeKeyValue, OpenThreadToken, CryptHashData, GetAclInformation, RegQueryValueExW, CryptImportKey, CryptCreateHash, SetSecurityDescriptorDacl, GetSidSubAuthorityCount, GetSidSubAuthority, RegisterEventSourceW, OpenProcessToken, DeregisterEventSource, MakeAbsoluteSD, SetServiceStatus, AddAccessAllowedAce, RegEnumKeyW, LsaStorePrivateData, LsaCreateSecret, LsaDelete, RegOpenKeyW, GetSidIdentifierAuthority, RegOpenKeyExA, LsaSetSecret, LsaOpenPolicy, I_ScSendTSMessage, CheckTokenMembership, GetTokenInformation, LsaFreeMemory, CryptReleaseContext, GetUserNameW, IsValidSid, AccessCheckAndAuditAlarmW, RegisterServiceCtrlHandlerW, GetSecurityDescriptorDacl, CryptGenRandom, LsaOpenSecret, CryptAcquireContextW, GetUserNameA, RegEnumKeyExW, GetLengthSid, ElfReportEventW, RegEnumKeyExA, CryptDestroyHash, ElfRegisterEventSourceW, LsaQueryInformationPolicy, SetEntriesInAclW, LogonUserW, RegSetValueExW, RegDeleteValueW, MakeSelfRelativeSD, GetCurrentHwProfileA, ReportEventW, AllocateAndInitializeSid, InitializeSecurityDescriptor, LsaClose, InitializeAcl, EqualSid, IsValidSecurityDescriptor, LsaRetrievePrivateData, LsaQuerySecret, AddAce, GetEventLogInformation

[[RPCRT4.dll]]
I_RpcBindingIsClientLocal, RpcRevertToSelf, NdrServerCall2, RpcServerRegisterIfEx, RpcServerRegisterIf, RpcStringBindingParseW, RpcSsContextLockExclusive, RpcBindingToStringBindingW, RpcImpersonateClient, RpcServerListen, I_RpcBindingInqLocalClientPID, RpcServerRegisterAuthInfoW, RpcRaiseException, RpcStringFreeW, RpcServerInqDefaultPrincNameW, RpcServerUseProtseqEpW

[[mstlsapi.dll]]
Ord(132), Ord(134), Ord(24), Ord(39), Ord(33), Ord(40), Ord(35), Ord(131), Ord(133), Ord(43), Ord(135), Ord(6), Ord(34), Ord(25), Ord(26), Ord(36), Ord(10), Ord(38), Ord(30), Ord(29), Ord(32), Ord(41)

[[WS2_32.dll]]
Ord(12), getaddrinfo, Ord(11), Ord(111), Ord(115), Ord(52)

[[USER32.dll]]
GetCursorPos, wsprintfA, GetSystemMetrics, BroadcastSystemMessageA, LoadStringW, wvsprintfA, wsprintfW, GetMessageTime, MessageBeep, ExitWindowsEx

[[OLEAUT32.dll]]
Ord(24), Ord(149), Ord(23), Ord(6), Ord(16), Ord(4), Ord(15), Ord(8), Ord(2), Ord(9)


PE Exports....................:

ServiceMain


PE Resources..................:

Resource type Number of resources
RT_STRING 5
RT_MESSAGETABLE 1
RT_VERSION 1

Resource language Number of resources
ENGLISH US 7
Symantec ReputationSuspicious.Insight
ClamAV PUA EnginePossibly Unwanted Application. While not necessarily malicious, the scanned file presents certain characteristics which depending on the user policies and environment may or may not represent a threat. For full details see: http://www.clamav.net/index.php?s=pua&lang=en .
First seen by VirusTotal2010-08-12 16:32:28 UTC ( 2 years, 8 months ago )
Last seen by VirusTotal2013-05-01 17:07:01 UTC ( 1 minute ago )
File names (max. 25)termsrv.dll 06c8b39afd2cf1cf6a8fc7352bec7ced termsrv.dll termsrv.exe 06c8b39afd2cf1cf6a8fc7352bec7ced 06C8B39AFD2CF1CF6A8FC7352BEC7CED termsrv.dll.tmp

No comments. No VirusTotal Community member has commented on this item yet, be the first one to do so! More comments Leave your comment...? Rich Text AreaToolbar Bold (Ctrl+B) Italic (Ctrl+I) Underline (Ctrl+U) Undo (Ctrl+Z) Redo (Ctrl+Y) StylesStyles ▼
Remove Formatting


Post comment You have not signed in. Only registered users can leave comments, sign in and have a voice!
Sign in Join the community
No votes. No one has voted on this item yet, be the first one to do so! More votes Blog | Twitter | contact@virustotal.com| Google groups | ToS | Privacy policy scan results as follows;

 

[debdon]

SystemLook 30.07.11 by jpshortstuff
Log created at 18:21 on 01/05/2013 by donniematheson
Administrator - Elevation successful

========== filefind ==========

Searching for "termsrv.dll"
C:\WINDOWS\system32\termsrv.dll --a---- 295424 bytes [19:12 30/01/2006] [13:35 15/08/2010] 06C8B39AFD2CF1CF6A8FC7352BEC7CED
C:\WINDOWS\system32\dllcache\termsrv.dll --a--c- 295424 bytes [19:12 30/01/2006] [07:10 24/08/2010] 06C8B39AFD2CF1CF6A8FC7352BEC7CED

-= EOF =-

 

[Fiery]

Update malwarebytes anti-malware and do a scan if you haven't.

Run Eset NOD32 Online AntiVirus here

Note: You will need to use Internet Explorer for this scan.
Vista / 7 users: You will need to to right-click on the Internet Explorer icon and select Run as Administrator

• Tick the box next to YES, I accept the Terms of Use.
• Click Start
• When asked, allow the activex control to install
• Disable your current antivirus software. You can usually do this with its Notfication Tray icon near the clock.
• Make sure that the option "Remove found threats" is Un-checked, and the following Advance Settings are Checked
  • Scan unwanted applications
  • Scan for potentially unsafe applications
  • Enable Anti-Stealth Technology
• Click Scan
• Wait for the scan to finish
• When the scan is done, if it shows a screen that says "Threats found!", then click "List of found threats", and then click "Export to text file..."
• Save that text file on your desktop. Copy and paste the contents of that log in your next reply to this topic.
• The log can also be found in logfile located at C:\Program Files\ESET\Eset Online Scanner\log.txt

 

[debdon]

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=8
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6920
# api_version=3.0.2
# EOSSerial=410ff6ae77085a42bc3ff96cf9466d3f
# engine=13739
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2013-05-02 01:37:24
# local_time=2013-05-02 02:37:24 (+0000, GMT Daylight Time)
# country="United Kingdom"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=6143 16777215 0 0 0 0 0 0
# scanned=92884
# found=9
# cleaned=0
# scan_time=2557
sh=323FABC0B4B375EFD17102FF1C128D04B681B9D7 ft=1 fh=88fbdd4afbf7156f vn="a variant of Win32/Injector.AESS trojan" ac=I fn="C:\Qoobox\Quarantine\C\WINDOWS\Installer\{165BD854-2BF1-B6A8-2B1D-EE950AA8DFF3}\syshost.exe.vir"
sh=09D50268FDB8110DD4F39B2373AFA150BDD0E60F ft=1 fh=c29d844616a0d1ed vn="a variant of Win32/Kryptik.AMWD trojan" ac=I fn="C:\System Volume Information\_restore{2FE390B6-FB31-48E2-8D14-5A0FEEDEF327}\RP1124\A0111813.exe"
sh=EE93D10FB203FE72C629B8318A246F69233DF343 ft=1 fh=c71c0011e92e5206 vn="Win32/Boaxxe.G trojan" ac=I fn="C:\System Volume Information\_restore{2FE390B6-FB31-48E2-8D14-5A0FEEDEF327}\RP1139\A0113681.old"
sh=323FABC0B4B375EFD17102FF1C128D04B681B9D7 ft=1 fh=88fbdd4afbf7156f vn="a variant of Win32/Injector.AESS trojan" ac=I fn="C:\System Volume Information\_restore{2FE390B6-FB31-48E2-8D14-5A0FEEDEF327}\RP1145\A0121213.exe"
sh=C6D863CA13669C95F145173D4566FDB97018D3DA ft=1 fh=64bf97dbf0560e68 vn="Win32/Boaxxe.G trojan" ac=I fn="C:\_OTL\MovedFiles\04262013_105954\C_Documents and Settings\Donnie\7276495.exe"
sh=301DEA79D6D75D889F815B0CA6206398C4953B27 ft=1 fh=e3653f4ff856a297 vn="Win32/LockScreen.APR trojan" ac=I fn="C:\_OTL\MovedFiles\04262013_105954\C_Documents and Settings\Donnie\vhjaopmspkeasxcxioaj.exe"
sh=301DEA79D6D75D889F815B0CA6206398C4953B27 ft=1 fh=e3653f4ff856a297 vn="Win32/LockScreen.APR trojan" ac=I fn="C:\_OTL\MovedFiles\04262013_105954\C_Documents and Settings\Donnie\Application Data\skype.dat"
sh=09C18499EFB53D9FF857C38443A42EC0B563D1EC ft=1 fh=18bad95da1dee8c8 vn="a variant of Win32/Boaxxe.P.Gen trojan" ac=I fn="C:\_OTL\MovedFiles\04262013_105954\C_Documents and Settings\Donnie\Local Settings\Application Data\Yahoo\nlqvmaix.dll"
sh=67DA9F91803F43F31DBE0160216A923E1CA1A249 ft=1 fh=e5e6027f30617ee0 vn="a variant of Win32/Rootkit.Kryptik.TW trojan" ac=I fn="C:\_OTL\MovedFiles\04262013_105954\C_WINDOWS\system32\drivers\e48c6df33eed4299.sys"

 

[Fiery]

Those are OK, they are already quarantined so they pose no threat. Your system restore points are infected but we can purge them easily.

How is your PC now?

 

[debdon]

It seems to be fine

 

[Fiery]

If you are no longer experiencing any other issues, your PC is now clean!

Uninstall Combofix.

• Turn off all active protection software
• Goto Start, then Run. (Alternatively, you can press the "windows key" + "R")
• Copy and past the following into the box ComboFix /Uninstall and click OK.
  Note the space between the X and the /Uninstall, it needs to be there.

Next, double click on OTL to run it

• Click on the Cleanup button at the top.
• You will be asked to reboot the machine to finish the Cleanup process. Choose Yes
• This will remove itself and other tools we may have used.

---

Keep your system updated
Keeping your programs (especially Adobe and Java products) updated is essential. Outdated programs make your PC more vulnerable to future malware threats. To help you:

• Download and install Update Checker. It will notify you if any of your programs require an update.
• Microsoft releases patches for Windows and Office products regularly to patch up Windows and Office product bugs and vulnerabilities.
• Please ensure you update your system regularly and have automatic updates on. You can learn how to turn Automatic Updates on here

---

Other steps that you may want to do to further protect your system/files:

• Sandboxie - "Quarantines" your browser so anything that you do in it will be isolated from your system.
• Backup important files regulary to an external hard-drive or USB

Here are only a few suggestions that will improve your system security. Should you wish to allow us to make full recommendations and set your PC up with maximum security, please start a thread here. Our community of PC enthusiasts and experts will give you feedback and help you secure your system from future malware infections.

Should you want to try a product but don't know how it performs, here is a list of current reviews to help you decide.

---

Internet Explorer may be the most popular browser but it's definitely not the most secure browser. Consider using other browsers with addition add-ons to safeguard your system while browsing the internet.

Firefox is a more secure, faster browser than Internet Explorer. Firefox contains less vulnerabilities, reducing the risk of drive-by downloads. In addition, you can add the following add-ons to increase security.

• KeyScramber - Encrypts your keystrokes to protect you against keyloggers that steals personal & banking information
• AdBlock - Disable/blocks advertisements on websites so you won't accidentally click on a malicious ad.
• NoScript - Disables Flash & Java contents to avoid exploits or drive-by attacks
• Web of Trust - Shows the website rating by other users and blocks dangerous and poor-rated sites

Google Chrome is another good browser that is faster and more secure than Internet Explorer by having a sandbox feature. Additionally, you can add the following add-on to Chrome to heighten security.

• AdBlock

---

Lastly, it is important to perform system maintenance on a regular basis. Here are a few tools and on-demand scanners that you should keep & use every 1-2 weeks to keep your system healthy.

• CCleaner
• Malwarebytes Anti-Malware

Other than that, stay safe out there! If you have any other questions or concerns, feel free to ask

My virus removal help is always free. Should you wish to show your appreciation via a donation, it will be much appreciated.
​

 

[debdon]

Thanks for all your help Fiery

Much appreciated