
Rootkit.win32.zaccess!e2 - says I need Emsisoft to remove...


30 replies to this topic

#1 skatko

skatko

    Member

  • Members
  • 17 posts

Posted 19 November 2011 - 01:34 PM

Emsisoft is what caught this. What is it, a virus? A trojan? Someone please help me, as I don't know
what the next step is. I followed the link to Emsisoft and all it said was I needed to purchase it,
which is silly as I have used Emsisoft for quite some time.

Off topic a bit, I noticed this trojan(?) was caught and isolated when I visited a favorite blog page. Does this mean
that the blogger's site is infected somehow? I am afraid to click on that page again!

#2 Kevin Zoll

Kevin Zoll

    Malware Removal Support

  • Emsisoft Employee
  • 12970 posts
  • Location: Depauville, NY, USA
  • OS: Windows Vista
  • AV: Emsisoft Anti-Malware
  • HIPS: Windows Firewall
  • Other: WinPatrol Plus

Posted 19 November 2011 - 03:36 PM

Download and run Win32kDiag per the below instructions:
  • Download Win32kDiag.exe and save to C:\Win32kDiag.exe. You must save it here!!!!
  • Now press and hold the Windows key on your keyboard, then press the letter r on your keyboard.
  • Then copy the below text and paste it into the Open: text-field and press ENTER.
    C:\win32kdiag.exe -f -r
  • When it's finished, there will be a log named Win32kDiag.txt on your desktop.
 
Read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.

  • If an infected file is detected, the default action will be Cure, click on Continue.

  • If a suspicious file is detected, the default action will be Skip, click on Continue.

  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.

  • If no reboot is required, click on Report. A log file should appear. Save the log somewhere where you can find it.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.(Version)_(Date)_(Time)_log.txt".
 
Close all windows

Do the following:
Start -> Run
type cmd
Click "OK"

The Command Console will open

Enter the following commands, at the Command Prompt. Commands must be entered exactly as shown.

Press the Enter Key after each command. Wait for each command to finish before proceeding to the next command.
netsh int ip reset reset.log
netsh winsock reset catalog
ipconfig /flushdns
exit
Re-boot your PC.

 
Attach logs for: (USE THE "MORE REPLY OPTIONS" BUTTON TO BE ABLE TO DO THIS)
  • TDSSKiller (C:\TDSSKiller.(Version)_(Date)_(Time)_log.txt)
  • Win32kDiag.txt
Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
Kevin Zoll [Malware Removal Support]
Emsisoft Team - www.emsisoft.com

I am online Monday - Friday each week from 1900-2100 Central European Time/1300-1500 Eastern Time (US).
 
If you are seeking Malware Removal support keep it in the forums.  It is not permissible to contact support staff by Private Message (PM), IM (Skype, MSN, AOL, Yahoo, etc.) or Email.

Purchase Emsisoft Anti-Malware and Online Armor Firewall

#3 skatko


Posted 19 November 2011 - 04:26 PM

Thanks for the quick reply! First of all, let me say I followed the instructions on the START HERE page. I have those two logs, Extras and OTL, attached.

I had to start in safe mode to get back my internet connection and to download the files. Nothing would respond on my laptop before this. I got the files and rebooted in regular mode and still nothing would work.

I restored my pc to a few days earlier and got the programs to work, and also got my internet connection back. Then I ran the first two steps.

I downloaded Win32kDiag.exe and ran it. Then I downloaded TDSSKiller and ran it. It found nothing after about 10 seconds! I changed the parameters and scanned again. It found a problem but not a threat. It closed and I have the log file attached.

Things seem to be working ok.

I don't understand how this happened. I thought Emsisoft was supposed to stop this stuff from getting onto the computer in the first place? Could that blog site be infected and they don't know it? Do I need another version of Emsisoft? How could a restore point help when the infection was present?

Thanks!!!!

#4 Kevin Zoll


Posted 19 November 2011 - 04:59 PM

The type of infection you have is designed to evade security applications. EAM is one of the very few security applications that can detect ZeroAccess post infection.

Download ComboFix from one of these locations:

Save as Combo-Fix.exe during the download. ComboFix must be renamed before you download to your Desktop

Link 1
Link 2

* IMPORTANT !!! Save Combo-Fix to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
    See HERE for help
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: (This applies to Windows XP systems only) If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, ComboFix will produce a log.

Note:
1. Do not mouse-click ComboFix's window while it's running. That may cause it to stall!
2. Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet.

 
Attach logs for: (USE THE "MORE REPLY OPTIONS" BUTTON TO BE ABLE TO DO THIS)
  • ComboFix (C:\combofix.txt)
Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!

#5 skatko


Posted 20 November 2011 - 12:32 AM

Well, I tried ComboFix and it was a mess! I ran it three times and when it was 'creating' a log, it sat like that for an hour or so. It never did end right. I also had no internet access at this time. I had to do a system restore again, as I did earlier! I am currently running my EAM scanner again to see what happens. BTW, during all this, I had to reinstall Firefox and Thunderbird as both got corrupted.

#6 Kevin Zoll


Posted 20 November 2011 - 01:01 AM

OK, let's look for partitions that are not supposed to be present.

Do the following:
Start -> Run
type diskmgmt.msc
Click "OK"

Disk Management will open.

Click and hold the right side of the Disk Management Window and drag it to the right until you can see all the columns.

Take a screenshot of the Disk Management window and attach the screenshot to your reply.

#7 skatko


Posted 20 November 2011 - 01:54 AM

okay here it is

#8 skatko


Posted 20 November 2011 - 01:56 AM

sorry, here it is

#9 Kevin Zoll


Posted 20 November 2011 - 02:00 AM

Nope, still didn't attach.

#10 skatko


Posted 20 November 2011 - 02:15 AM

I will try again. I saved the screenshot in a Word doc.

#11 Kevin Zoll


Posted 20 November 2011 - 04:00 AM

It didn't attach.

#12 skatko


Posted 20 November 2011 - 01:32 PM

Is there another way to 'paste' the screenshot? I only know to put it into a Word document. I am going to try to save it as a .jpg. [attachment=8094:Clipboard01.jpg]

#13 skatko


Posted 20 November 2011 - 01:33 PM

Oh, also the EAM scan found nothing this time. Not sure what to believe at this point.

#14 Kevin Zoll


Posted 20 November 2011 - 10:22 PM

I'm not sure of what to make of that 39MB OEM Partition.

Changing to a different tool since ComboFix isn't running correctly.

Download avz4.zip from here
  • Unzip it to your desktop to a folder named avz4
  • Double click on AVZ.exe to run it.
  • Run an update by clicking the Auto Update button on the right of the Log window
  • Click Start to begin the update
Note: If you receive an error message, choose a different source, then click Start again
  • After the update, from the "File" menu, choose "Standard Scripts"
  • Put a check next to item 2: Advanced System Investigation
  • Click Execute selected scripts
  • At the next prompt, click the OK button
  • Let the scan run and click "OK" when the completion prompt pops up
  • Now Close out of the Standard Scripts window, and exit AVZ
  • Navigate to the avz4 folder and locate the folder LOG
  • Inside the LOG folder you will find virusinfo_syscheck.htm, virusinfo_syscheck.htm and virusinfo_syscheck.zip
  • Attach the Compressed file, virusinfo_syscheck.zip, to your next reply.


#15 skatko


Posted 21 November 2011 - 01:22 PM

When I started the .exe, it was shut down immediately as unsafe. I am hoping this is just a mistake. If you tell me to try it again I will but that freaked me out!

#16 Kevin Zoll


Posted 21 November 2011 - 04:21 PM

What shut it down as unsafe?

#17 skatko


Posted 22 November 2011 - 01:58 PM

A program I actually forgot was running: Spybot Search and Destroy. When I clicked on 'ignore' and run anyway, it didn't. This happened twice and I wasn't sure whether it was a false alert or not.

#18 Kevin Zoll


Posted 22 November 2011 - 06:13 PM

Shut down Spybot Search&Destroy. It is a false alert.

#19 skatko


Posted 23 November 2011 - 12:20 AM

Okay, let me shut down all anti-virus stuff and I will try again.

#20 skatko


Posted 23 November 2011 - 12:28 AM

here it is

#21 Kevin Zoll


Posted 23 November 2011 - 01:15 AM

AVZ log looks OK.

This next tool is going to dump a lot of information about your system. Hopefully, it will show something that the other tools are not seeing.

Download:
- ISeeYouXP by ShadowPuterDude

Double-click ISeeYouXP.exe; ISeeYouXP will be extracted to C:\ISeeYouXP, and a shortcut to ISeeYouXP.bat will be placed on the Desktop.

Double-click the ISeeYouXP shortcut to run ISeeYouXP.

Possible Error Messages
  • If your ISeeYouXP.txt log appears to be empty or semi-empty or you get an error message similar to the below when running ISeeYouXP.bat and you are running Windows XP or Windows 2000, follow the steps further down that relate to your OS

    C:\WINDOWS\SYSTEM32\AUTOEXEC.NT. The system file is not suitable for running MS-DOS and Microsoft Window applications.


    To fix the above error message, choose the download below which is appropriate for your system
    • For Windows XP Pro: download and run: XPproFix
    • For Windows XP Home: download and run: XPHomeFix
    • For Windows 2000: download and run: W2KFix
    Then run ISeeYouXP.bat again and attach the log.
  • A possible second type of error message may occur as shown in the quote box below! If you get either of these two messages, perform the Resolution steps given in this: Virtual Device Driver Error Message in 16-Bit MS-DOS Subsystem

16 bit MS-DOS Subsystem
drive:\program path
XXXX. An installable Virtual Device Driver failed DLL initialization. Choose 'Close' to terminate the application.


-or-

16 bit MS-DOS Subsystem
drive:\program path
SYSTEM\CurrentControlSet\Control\VirtualDeviceDrivers. VDD. Virtual Device Driver format in the registry is invalid. Choose 'Close' to terminate the application.


After attempting to fix the above errors, run ISeeYouXP.bat and attach the log.

IMPORTANT NOTE:

Vista Users

UAC must be turned off to run this script.

Turning Off/On UAC in Vista
1. Open the Control Panel.
2. Under User Account and Family settings click on the "Add or remove user account".
3. Click on your user account.
4. Under the user account click on the "Go to the main User Account page" link.
5. Under "Make changes to your user account" click on the "Change security settings" link.
6. In the "Turn on User Account Control (UAC) to make your computer more secure" click to unselect the "Use User Account Control (UAC) to help protect your computer". Click on the Ok button.
7. You will be prompted to reboot your computer. Do so.

In order to re-enable UAC just select the above checkbox and reboot.

To Run ISeeYouXP right-click on the batch file and select "Run as Administrator"

Attach the ISeeYouXP log. Should be on your Desktop.

#22 skatko


Posted 23 November 2011 - 04:04 AM

here it is.

#23 Kevin Zoll


Posted 23 November 2011 - 04:43 AM

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of Java components and upgrade the application. NOT supported for use in 9x or ME

Upgrading Java:
  • Download the latest version of Java SE Runtime Environment (JRE): JRE 6 Update 29.
  • Click the "Download JRE" button to the right.
  • Accept the license agreement.
  • Click on the download link for your system and save it to your desktop.
    Windows x86 Offline (jre-6u29-windows-i586.exe)
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.(Vista/7 users, right click on the JRE download and select "Run as an Administrator.")
 
The installed version of Adobe Flash Player on this computer is outdated. Install the latest version of Adobe Flash Player available from Adobe. (Do this using both IE and Firefox)

The installed version of Adobe Shockwave Player on this computer is outdated. Install the latest version of Adobe Shockwave Player available from Adobe.

The installed version of Firefox on this computer is outdated. Install the current version of Firefox from: Mozilla Firefox

The installed version of Thunderbird on this computer is outdated. Install the current version of Thunderbird from: Mozilla Thunderbird

 
Run OTL.exe
  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
    :OTL
    O2 - BHO: (no name) - {1CA1377B-DC1D-4A52-9585-6E06050FAC53} - No CLSID value found.
    O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {30F9B915-B755-4826-820B-08FBA6BD249D} - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - No CLSID value found.
    O4 - HKLM..\Run: []  File not found
    O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
    O32 - AutoRun File - [2010/01/08 10:18:42 | 000,000,050 | ---- | M] () - X:\AUTOEXEC.BAT -- [ NTFS ]
    O32 - AutoRun File - [2010/07/09 21:14:07 | 000,000,000 | RH-D | M] - Y:\autorun -- [ NTFS ]
    O32 - AutoRun File - [2002/10/16 07:56:50 | 000,000,036 | RH-- | M] () - Y:\autorun.inf -- [ NTFS ]
    O32 - Unable to obtain root file information for disk Z:\
    [2011/11/18 18:47:14 | 000,000,000 | ---D | C] -- C:\Users\Sheila\AppData\Roaming\PUUVelOOBtz
    [2011/11/18 18:47:04 | 000,000,000 | ---D | C] -- C:\Users\Sheila\AppData\Roaming\RhhYYXwwkUelOtz
    [1 C:\Users\Sheila\AppData\Local\*.tmp files -> C:\Users\Sheila\AppData\Local\*.tmp -> ]
    [2011/11/19 08:17:00 | 000,000,000 | ---- | M] () -- C:\Users\Sheila\AppData\Local\{4A6134E9-CE92-4E26-A2E3-3C793CFA7B0D}
    [2011/06/18 14:26:44 | 000,000,000 | ---- | C] () -- C:\Users\Sheila\AppData\Local\{2CBADD8F-0B0B-4805-8B9F-5B4AEC8E9320}
    @Alternate Data Stream - 132 bytes -> C:\ProgramData\TEMP:2430E4FC
    @Alternate Data Stream - 119 bytes -> C:\ProgramData\TEMP:63238B95
    
    :Files
    C:\32788R22FWJFW
    C:\globdata.ini
    C:\install.res.1036.dll
    C:\install.res.3082.dll
    C:\install.res.1040.dll
    C:\install.res.1041.dll
    C:\install.res.1042.dll
    C:\install.exe
    C:\install.ini
    C:\install.res.2052.dll
    C:\install.res.1028.dll
    C:\install.res.1031.dll
    C:\install.res.1033.dll
    C:\Users\Sheila\AppData\Local\temp\DLL_{B98BE95C-E76F-4246-B8E6-BEB8EE791D06}.ini
    C:\install.res.1033.dll
    C:\Users\Sheila\AppData\Local\temp\EF2.dir
    C:\install.res.1033.dll
    C:\Users\Sheila\AppData\Local\temp\is7756.tmp
    C:\Windows\Temp\fb_3800.lck
    C:\Windows\Temp\MSI327d1.LOG
    C:\Windows\Temp\SEP98E8.tmp
    
    :Commands
    [Purity]
    [EmptyTemp]
    [EmptyFlash]
    [EmptyJava]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Attach the new log produced by OTL (C:\_OTL). (USE THE "MORE REPLY OPTIONS" BUTTON TO BE ABLE TO DO THIS)
Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!

#24 skatko


Posted 23 November 2011 - 01:51 PM

Okay this is wild. I had to redownload OTL and the first time EAM quarantined it with an alert. The second time I tried, I got this message: attached

I did go to eam and restore it. Just thought you should see it. That happened in the beginning also, when I was following the first instructions to get help.

I am going to run it now. Hope it's ok!

#25 skatko


Posted 23 November 2011 - 01:54 PM

OTL will not run. It got shut down again, this time as an invalid program or something. I clicked on the shortcut again and it had been 'removed'.....

#26 Kevin Zoll


Posted 23 November 2011 - 03:52 PM

OK, shut down all your active AV/AM protection. Delete all copies of OTL. Download a new copy and run it.

#27 skatko


Posted 23 November 2011 - 07:58 PM

Okay, done. Seems to be ok. Anything I should look for? Run another scan?

#28 Kevin Zoll


Posted 23 November 2011 - 08:03 PM

Yes, run another scan with OTL and attach the log.

#29 skatko


Posted 24 November 2011 - 12:40 AM

Here you go. Things seem ok. EAM scan was clean

#30 Kevin Zoll


Posted 24 November 2011 - 01:22 AM

Unless you are having problems, it is time to do the final steps.

Now to remove most of the tools that we have used in fixing your machine:
  • Download OTC to your desktop and run it
  • A list of tool components used in the cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OTC to reach the Internet, please allow the application to do so.
  • Click Yes to begin the cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the cleanup process. If you are asked to reboot the machine choose Yes.
Delete the following from your Desktop (If they exist)
CFscript.txt
Win32kDiag.exe
Win32kDiag.txt
Anything else I had you use

Delete the following files: (If they exist)
C:\ComboFix.txt

Delete the following folders: (If they exist)
C:\ComboFix
C:\Qoobox

Empty the Recycle Bin

Download to your Desktop:
- CCleaner Portable
  • UnZip CCleaner Portable to a folder on your Desktop named CCleaner
Run CCleaner
  • Open the CCleaner Folder on your Desktop and double click CCleaner.exe (32-bit) or CCleaner64.exe (64-bit)
  • The following should be selected by default; if not, please select them: [image]
  • Click [image] and choose [image]
  • Uncheck [image]
  • Then go back to [image] and click [image] to run it.
  • Exit CCleaner.

Turn off System restore to flush all your restore points then turn system restore back on. See How To Enable and Disable System Restore.

You can delete and uninstall any programs I had you download, that you do not wish to keep on the system.

Run Windows Update and update your Windows Operating System.

Run the Secunia Online Software Inspector; this will inspect your system for software that is out of date and in need of updating. Update any program/application detected as being out of date.

Articles to read:
How to Protect Your Computer From Malware
How to keep you and your Windows PC happy
Web, email, chat, password and kids safety
10 Sources of Malware Infections

That should take care of everything.

Safe Surfing!

#31 Kevin Zoll


Posted 26 November 2011 - 04:16 PM

Thread Closed

Reason:
Resolved

The procedures contained in this thread are for this user and this user only. Attempting to use the instructions in this thread on your system could result in damaging the Operating System beyond repair. Do Not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist.

All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE, if you don't we are just going to send you back to this thread.



