
I think my pc is infected..


122 replies to this topic

#1 Stevo

Stevo

    Active Member

  • Members
  • 76 posts
  • OS:Windows XP
  • AV:Emsisoft Anti malware, Malwarebytes AM
  • HIPS:Emsisoft Online Armor

Posted 21 June 2012 - 08:26 PM

...any help/advice would be greatly appreciated. If I click on My Documents or My Music, it can take up to 10 minutes for the folder to open. Clicking on My Computer takes about 20 mins to open.

I've added a Rogue Killer report that I did before reading what was required, so I've added that anyway.

Thanks in advance.

#2 Kevin Zoll

Kevin Zoll

    Malware Removal Support

  • Emsisoft Employee
  • 12970 posts
  • Location: Depauville, NY, USA
  • OS:Windows Vista
  • AV:Emsisoft Anti-Malware
  • HIPS:Windows Firewall
  • Other:WinPatrol Plus

Posted 21 June 2012 - 09:02 PM

Download ComboFix from one of these locations:

Save as Combo-Fix.exe during the download. ComboFix must be renamed before you download to your Desktop

Link 1
Link 2

* IMPORTANT !!! Save Combo-Fix to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
    See HERE for help
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: (This applies to Windows XP systems only) If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, ComboFix will produce a log.

Note:
1. Do not mouseclick combofix's window while it's running. That may cause it to stall!
2. Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet.

Attach logs for: (USE THE "MORE REPLY OPTIONS" BUTTON TO BE ABLE TO DO THIS)
  • ComboFix (C:\combofix.txt)
Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
Kevin Zoll [Malware Removal Support]
Emsisoft Team - www.emsisoft.com

I am online Monday - Friday each week from 1900-2100 Central European Time/1300-1500 Eastern Time (US).
 
If you are seeking Malware Removal support keep it in the forums.  It is not permissible to contact support staff by Private Message (PM), IM (Skype, MSN, AOL, Yahoo, etc.) or Email.

Purchase Emsisoft Anti-Malware and Online Armor Firewall

#3 Stevo

Posted 22 June 2012 - 12:41 AM

Still hasn't resolved the issue of folders like My Music taking up to 10 minutes to open, though it did find three infections.

#4 Kevin Zoll

Posted 22 June 2012 - 03:39 AM

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of Java components and upgrade the application. NOT supported for use in 9x or ME

Upgrading Java:
  • Download the latest version of JRE 7 Update 5.
  • Click the "Download JRE" button to the right.
  • Accept the license agreement.
  • Click on the download link for your system and save it to your desktop. Users of Windows Vista/7 64-bit can install both the 32-bit and 64-bit JRE without conflicts.
    Windows x86 Offline (jre-7u5-windows-i586.exe)
    Windows x64 (jre-7u5-windows-x64.exe)
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version. (Vista/7 users, right click on the JRE download and select "Run as an Administrator.")
The installed version of Adobe Reader on this computer is out-dated. Install the latest version of Adobe Reader available from Adobe.

The installed version of Adobe Flash Player ActiveX control on this computer is out-dated. Using Internet Explorer, install the latest version of Adobe Flash Player ActiveX available from Adobe.

Using Add or Remove Programs in the Control Panel; uninstall the following:
Java(TM) 6 Update 22
Java(TM) 6 Update 31

Run OTL.exe
  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
    :OTL
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
    O4 - HKLM..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k File not found
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
    O33 - MountPoints2\{819ee075-c3bd-11df-9155-002433e7cfb0}\Shell - "" = AutoRun
    O33 - MountPoints2\{819ee075-c3bd-11df-9155-002433e7cfb0}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{819ee075-c3bd-11df-9155-002433e7cfb0}\Shell\AutoRun\command - "" = G:\Startme.exe
    [2012/06/17 14:18:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\{FD7CAB3E-E895-4E98-9D68-A307CC601204}
    
    :Commands
    [Purity]
    [EmptyTemp]
    [EmptyFlash]
    [EmptyJava]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Attach the new log produced by OTL (C:\_OTL). (USE THE "MORE REPLY OPTIONS" BUTTON TO BE ABLE TO DO THIS)
Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!

#5 Stevo

Posted 23 June 2012 - 12:07 PM

Right, all kinds of trouble happening. It won't let me install Adobe Flash Player as it says 'The user does not have sufficient privileges to install AFP' (I am running as admin).
I had to update to IE8, which now hangs & won't load. I can't install AFP from here because of that.
I managed to update Java, thought I would try OTL anyway, left it on for approx 10 hours with no movement.
Need more help please.

#6 Stevo

Posted 23 June 2012 - 12:19 PM

Strange that, after attempting to install AFP from Opera for the umpteenth time, rather than unticking the box to say I don't want Google Chrome installed I left it ticked & it installed no problem. Will try & kick on with your instructions, though IE is still stalled.

#7 Kevin Zoll

Posted 23 June 2012 - 02:43 PM

OK, try this OTL fix instead:
:OTL
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O4 - HKLM..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k File not found
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
[2012/06/17 14:18:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\{FD7CAB3E-E895-4E98-9D68-A307CC601204}

:Commands
[Purity]
[EmptyTemp]
[EmptyFlash]
[EmptyJava]
[Reboot]


#8 Stevo

Posted 24 June 2012 - 12:10 PM

Tried the new OTL fix, still no joy, left it running for over 12 hours & no progress. I must be doing something wrong. It is still set to minimal output, should I change that back to its default or is that okay? It just basically hangs, it says 'Killing processes DO NOT INTERRUPT'. How long is the process supposed to take? I may be being impatient. Sorry about this.

#9 Kevin Zoll

Posted 24 June 2012 - 04:05 PM

Something is interfering with OTL. Let's take a look for a MBR RootKit.

Read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application.

  • Click Change parameters

  • Check the boxes next to Verify Driver Digital Signature and Detect TDLFS file system, then click OK

  • Click on the Start Scan button to begin the scan and wait for it to finish.
    NOTE: Do not use the computer during the scan!
  • When it finishes, you will either see a report that no threats were found:

    If no threats are found at this point, just click the Report selection on the top right of the form to generate a log. A log file report will pop up, which you can just close since the report file is already saved.
  • If any infection or suspected items are found, you will see a results window:
    • If you have files that are shown to fail signature check do not take any action on these. Make sure you select Skip. I will tell you what to do with these later. They may not be issues at all.
    • If Suspicious objects are detected, the default action will be Skip. Leave the default set to Skip.
    • If Malicious objects are detected, they will show in the Scan results. TDSSKiller automatically selects an action (Cure or Delete) for malicious objects
      Make sure that Cure is selected. Important! - If Cure is not available, please choose Skip instead. Do not choose Delete unless instructed to do so.
  • Click Continue to apply selected actions.
  • A reboot may be required to complete disinfection. If TDSSKiller states that one is needed, reboot immediately.
  • Whether an infection is found or not, a log file should have already been created on your C: drive (or whatever drive you boot from) in the root folder named something like TDSSKiller.2.1.1_27.12.2009_14.17.04_log.txt which is based on the program version # and date and time run.
  • Attach this log to your next reply.


#10 Stevo

Posted 24 June 2012 - 05:51 PM

Here's the TDSSKiller log:

#11 Kevin Zoll

Posted 24 June 2012 - 06:27 PM

No MBR RootKit. Changing tools.

Download avz4.zip from here
  • Unzip it to your desktop to a folder named avz4
  • Double click on AVZ.exe to run it.
  • Run an update by clicking the Auto Update button on the right of the Log window
  • Click Start to begin the update
Note: If you receive an error message, choose a different source, then click Start again
  • After the update, from the "File" menu, choose "Standard Scripts"
  • Put a check next to item 2: Advanced System Investigation
  • Click Execute selected scripts
  • At the next prompt, click the OK button
  • Let the scan run and click "OK" when the completion prompt pops up
  • Now Close out of the Standard Scripts window, and exit AVZ
  • Navigate to the avz4 folder and locate the folder LOG
  • Inside the LOG folder you will find virusinfo_syscheck.htm, virusinfo_syscheck.htm and virusinfo_syscheck.zip
  • Attach the Compressed file, virusinfo_syscheck.zip, to your next reply.


#12 Stevo

Posted 24 June 2012 - 07:42 PM

Here's the avz4 log. On another note, my installation of AFP hasn't worked.

#13 Kevin Zoll

Posted 24 June 2012 - 08:03 PM

Close all windows then double click on AVZ.exe
  • Click File > Custom scripts
  • Copy & paste the contents of the following codebox in the box in the program
    begin
    SetAVZGuardStatus(True);
    SearchRootkit(true, true);
    DeleteFile('C:\WINDOWS\system32\MsSip1.dll');
    DeleteFile('C:\WINDOWS\system32\MsSip2.dll');
    DeleteFile('C:\WINDOWS\system32\MsSip3.dll');
    RegKeyParamDel('HKEY_LOCAL_MACHINE','SYSTEM\CurrentControlSet\Services\WinTrust\SubjectPackages\MS Subjects 1','$DLL');
    RegKeyParamDel('HKEY_LOCAL_MACHINE','SYSTEM\CurrentControlSet\Services\WinTrust\SubjectPackages\MS Subjects 2','$DLL');
    RegKeyParamDel('HKEY_LOCAL_MACHINE','SYSTEM\CurrentControlSet\Services\WinTrust\SubjectPackages\MS Subjects 3','$DLL');
    ExecuteSysClean;
    RebootWindows(true);
    end.
  • Note: When you run the script, your PC will be restarted
  • Click Run
  • Restart your PC if it doesn't do it automatically.
Download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please attach the log to your reply.


#14 Stevo

Posted 24 June 2012 - 09:59 PM

Managed to run FSS:

#15 Kevin Zoll

Posted 24 June 2012 - 10:11 PM

Run OTL.exe
  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
    :OTL
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
    O4 - HKLM..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k File not found
    [2012/06/17 14:18:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\{FD7CAB3E-E895-4E98-9D68-A307CC601204}
    
    :Commands
    [Purity]
    [EmptyTemp]
    [EmptyFlash]
    [EmptyJava]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Attach the new log produced by OTL (C:\_OTL). (USE THE "MORE REPLY OPTIONS" BUTTON TO BE ABLE TO DO THIS)
Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!

#16 Stevo

Posted 24 June 2012 - 11:13 PM

Don't know how long OTL is supposed to run, only been on for half an hour at the moment, but it appears to have hung again. The green status bar hasn't moved at all so far and the activity light has only come on briefly.

#17 Kevin Zoll

Posted 24 June 2012 - 11:25 PM

Now we need to use ComboFix to remove some stuff.
  • Make sure that the copy of combofix.exe that you downloaded earlier is on your Desktop but Do not run it!
  • If it is not on your Desktop, the below will not work.
  • Open Notepad and copy/paste the text in the below code box into it
(make sure you scroll all the way down in the code box to get all lines selected):
KillAll::

Folder::
C:\Documents and Settings\All Users\Application Data\{FD7CAB3E-E895-4E98-9D68-A307CC601204}
  • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
  • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
  • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
  • Now use your mouse to drag CFScript.txt on top of ComboFix.exe
  • Follow the prompts.
  • When it finishes, a log will be produced named c:\combofix.txt
  • I will ask for this log below
Note: DO NOT mouseclick combofix's window while it is running. That may cause it to stall.

The ComboFix folder should not be renamed since ComboFix and even we would have suspicions about it. Also when you uninstall CF, the folder would not be removed since it does not look for that folder name.

Attach the log produced by ComboFix to your next reply.

#18 Stevo

Posted 24 June 2012 - 11:44 PM

Should I just reboot my pc as OTL is stuck? Then when I restart do as above?

#19 Kevin Zoll

Posted 24 June 2012 - 11:53 PM

Yes, go ahead and reboot. Then run the CFScript I posted.

#20 Stevo

Posted 25 June 2012 - 01:32 PM

Here's the ComboFix log:

I still cannot get IE8 or AdobeFP to install properly on the pc, by the way.

#21 Kevin Zoll

Posted 25 June 2012 - 03:33 PM

OK, let's reset some things to default settings.

Download Windows Repair by Tweaking.com to your desktop. Use the direct download link for the Portable version of Windows Repair by Tweaking.com

  • Double-click tweaking.com_windows_repair_aio.zip and extract the Tweaking.com - Windows Repair folder to your desktop.
  • Now open this folder and double-click Repair_Windows.exe.
  • Click the Start Repairs tab on the far right.
  • Click the Start button (bottom right)
    Note: When asked if you would like to create a restore point, it is recommended, just in case something does not go as planned.
  • Click Unselect All
  • Put a checkmark in the following items:
    • Reset Registry Permissions
    • Reset File Permissions
    • Repair Internet Explorer
    • Remove Policies Set By Infections
    • Repair Winsock & DNS Cache
    • Repair Proxy Settings
    • Repair Windows Updates
    • Repair Volume Shadow Copy Service
    • Set Windows Services To Default Startup
    Note: Leave everything else unchecked
  • Put a checkmark in Restart System When Finished
  • Now click the Start button (bottom right)
Run a fresh scan with OTL and attach the resulting log.

#22 Stevo

Posted 25 June 2012 - 07:43 PM

Folders still taking an age to open, sorry about this.

#23 Kevin Zoll

Posted 25 June 2012 - 08:23 PM

Run OTL.exe
  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
    :OTL
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    [2012/06/17 14:18:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\{FD7CAB3E-E895-4E98-9D68-A307CC601204}
    
    :Commands
    [Purity]
    [EmptyTemp]
    [EmptyFlash]
    [EmptyJava]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Attach the new log produced by OTL (C:\_OTL). (USE THE "MORE REPLY OPTIONS" BUTTON TO BE ABLE TO DO THIS)
Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
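
Added example (not code from this thread, from Emsisoft or from the OTL tool): a small Python triage script that classifies the kinds of OTL log entries the helper pulled into the fixes in posts #4 and #23 (BHO with no CLSID object, Run key pointing at a missing file, Internet Explorer policy keys, a cached MountPoints2 autorun command, a GUID-named folder under Application Data) and renders the hits in the :OTL / :Commands fix layout used in the thread. The sample log is constructed from the lines posted here plus a made-up, benign "ExampleTool" entry that must not be flagged; it assumes C: is the system drive.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log: the entries from the OTL fixes in posts #4 and #23 of
# this thread, the two O33 parent keys from post #4, and one made-up, benign O4
# entry ("ExampleTool", not a real product) that must NOT be flagged.
SAMPLE_OTL_LINES = r"""
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O4 - HKLM..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k File not found
O4 - HKLM..\Run: [ExampleTool] C:\Program Files\Example\tool.exe (Example Corp)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O33 - MountPoints2\{819ee075-c3bd-11df-9155-002433e7cfb0}\Shell - "" = AutoRun
O33 - MountPoints2\{819ee075-c3bd-11df-9155-002433e7cfb0}\Shell\AutoRun\command - "" = G:\Startme.exe
[2012/06/17 14:18:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\{FD7CAB3E-E895-4E98-9D68-A307CC601204}
"""

OTL_ENTRY = re.compile(r"^(O\d+) - (.*)$")                            # "O33 - <body>"
FILE_ENTRY = re.compile(r"^\[\d{4}/\d{2}/\d{2} [^\]]*\] -- (.+)$")   # dated file/folder entry
GUID_NAME = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
IE_POLICY = "\\Policies\\Microsoft\\Internet Explorer\\"
SYSTEM_DRIVE = "C:"  # assumption: C: is the boot drive, as on the machine in this thread


@dataclass
class Finding:
    section: str  # OTL section tag (O2, O4, ...) or "FILE" for dated entries
    reason: str   # why a helper would put the line into a fix
    line: str     # the original log line, ready to paste under :OTL


def classify_otl_line(line: str) -> Optional[Finding]:
    """Return a Finding for the entry kinds this thread's fixes target, else None."""
    line = line.strip()
    m = OTL_ENTRY.match(line)
    if m:
        section, body = m.groups()
        if section == "O2" and body.endswith("No CLSID value found."):
            return Finding(section, "BHO registered under a CLSID with no backing object", line)
        if section == "O4" and body.endswith("File not found"):
            return Finding(section, "Run key launches a file that is no longer on disk", line)
        if section in ("O6", "O7") and IE_POLICY in body and body.endswith(" present"):
            scope = "machine-wide (HKLM)" if section == "O6" else "per-user (HKCU)"
            return Finding(section, f"Internet Explorer policy/restriction key present, {scope}", line)
        if section == "O33" and "\\Shell\\AutoRun\\command" in body:
            # The value after "=" is what Explorer runs when the cached device is opened.
            target = body.rsplit("=", 1)[1].strip()
            if not target.upper().startswith(SYSTEM_DRIVE):
                return Finding(section, f"cached MountPoints2 autorun launches {target} "
                                        "from a non-system drive when the device is opened", line)
        return None
    m = FILE_ENTRY.match(line)
    if m:
        path = m.group(1)
        if GUID_NAME.match(path.rsplit("\\", 1)[-1]) and "\\Application Data\\" in path:
            return Finding("FILE", "GUID-named folder created under Application Data", line)
    return None


def triage(otl_text: str) -> List[Finding]:
    """Classify every line of an OTL log and keep the ones worth a second look."""
    findings = []
    for raw in otl_text.splitlines():
        finding = classify_otl_line(raw)
        if finding is not None:
            findings.append(finding)
    return findings


def build_otl_fix(findings: List[Finding]) -> str:
    """Render findings in the :OTL / :Commands layout the helper used in this thread."""
    commands = ["[Purity]", "[EmptyTemp]", "[EmptyFlash]", "[EmptyJava]", "[Reboot]"]
    return "\n".join([":OTL", *[f.line for f in findings], "", ":Commands", *commands])


if __name__ == "__main__":
    hits = triage(SAMPLE_OTL_LINES)
    for f in hits:
        print(f"{f.section:>4}  {f.reason}")
    print()
    print(build_otl_fix(hits))
```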

#24 Stevo

Posted 26 June 2012 - 08:10 AM

Right, so OTL has been on Run Fix now for 11 hours, still stuck on the 'Killing processes Do Not Interrupt' at the bottom. No progress has been made from what I can tell, the egg timer is still on too. Am I doing something wrong? It is still on the minimal output; is that what is supposed to be on?
Am I ok to reboot/force shut down of my pc?

#25 Kevin Zoll

Posted 26 June 2012 - 02:46 PM

Changing tools.

Download and Run Scan with GMER

We will use GMER to scan for rootkits.
  • Please download GMER from one of the following locations, and save it to your desktop:
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zip Mirror
      Alternate Zip Mirror 2
      Alternate Zip Mirror 3
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop. Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.)
  • Double click the GMER file you downloaded on your desktop. If you are using Vista, please right-click and select run as administrator
  • When you have done this, close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.
  • Allow the gmer.sys driver to load if asked.
If it detects rootkit activity, you will receive a prompt to run a full scan. Click NO.

  • In the right panel, you will see several boxes that have been checked. Please UNCHECK the following:
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show all (Don't miss this one!)
  • Click on Scan and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Save... and save the logfile to your desktop.
  • Attach the GMER log.
If GMER doesn't work in Normal Mode try running it in Safe Mode

Note: Do Not run any program while GMER is running
*Note*: Rootkit scans often produce false positives. Do NOT take any actions on <--- ROOTKIT entries

#26 Stevo

Posted 26 June 2012 - 05:08 PM

Attached GMER log:

#27 Kevin Zoll

Posted 26 June 2012 - 05:51 PM

Download Hitman Pro to your Desktop. Download the 32-bit version.

Press the CTRL key and double-click on Hitman Pro. Hitman Pro will shut down all unnecessary processes when run this way.

If Hitman Pro wants to update, let it.

If Hitman Pro wants to download signatures, let it.

If Hitman Pro wants to remove something, let it.

Attach any logs produced by Hitman Pro.

#28 Stevo

Posted 26 June 2012 - 06:49 PM

It only seemed to delete ComboFix.exe & a load of cookies.

#29 Kevin Zoll

Posted 26 June 2012 - 07:13 PM

Everything is coming back clean. So, I'm a little baffled as to why those registry restrictions aren't being removed.

Let's try this:

Please download Malwarebytes' Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Attach the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

#30 Stevo

Posted 27 June 2012 - 12:06 AM

With MBAM, it's the registered paid for version I have with daily updates. Do you still want me to go ahead with the re-install? I will do it tomorrow as not enough time tonight.

#31 Kevin Zoll

Posted 27 June 2012 - 12:40 AM

No need to reinstall. Run a scan with MBAM and have it remove what it finds and then attach the MBAM log.

#32 Stevo

Posted 27 June 2012 - 07:41 AM

MBAM Full scan & flash scan :

#33 Kevin Zoll

Posted 27 June 2012 - 02:47 PM

Copy the contents of the below quote box to Notepad; Save As FixReg.reg to your Desktop; make sure File Type: is set to All Files (*.*).
Windows Registry Editor Version 5.00

[-HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery]

[-HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions]

[-HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel]

[-HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions]
Close Notepad.

Locate FixReg.reg on your Desktop. Double-click on it and answer 'Yes' when asked if you want to merge with the registry.

Reboot

Run a fresh scan with OTL and attach the new OTL log to your next reply.

#34 Stevo

Posted 27 June 2012 - 04:28 PM

Still freezing on My Documents, a lot of screens all stuck on even though I've closed them.

#35 Kevin Zoll

Posted 27 June 2012 - 05:19 PM

Those registry restrictions are still in place.

Download DDS by sUBs from one of the following links and save it to your desktop.
  • Disable any script blocking protection
  • Double click DDS icon to run the tool (may take up to 3 minutes to run)
  • When done, DDS.txt will open.
  • After a few moments, attach.txt will open in a second window.
  • Save both reports to your desktop.
---------------------------------------------------
  • Attach the DDS.txt report in your next reply
  • Attach the Attach.txt report to your reply


#36 Stevo

Posted 27 June 2012 - 06:13 PM

DDS logs as requested

#37 Kevin Zoll

Posted 27 June 2012 - 06:34 PM

It's more than likely that it is EAM preventing the registry changes. Disable EAM and do the registry patch.

Reboot

Get a fresh log from OTL.

#38 Stevo

Posted 27 June 2012 - 07:36 PM

Here's the OTL log, thanks for all your help so far. My Documents & My Comp open quite quickly at the moment

#39 Kevin Zoll

Posted 27 June 2012 - 08:52 PM

Download to your Desktop:
- RegASSASSIN
  • Start RegASSASSIN
  • Enter the registry key to delete:
    HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery
  • Ensure the following are selected:
    • Reset registry key permissions
    • Delete registry key and all subkeys
  • Click Delete
  • Repeat for each of the following registry keys:
    HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions
    HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel
    HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions
  • Exit RegASSASSIN
Reboot

Run a fresh scan with OTL and attach the new OTL log.

#40 Stevo

Posted 27 June 2012 - 09:41 PM

If I copy & paste the above instructions, each time an error message appears, it reads ERROR: Hive returned NULL. If I follow the instructions from RegAssassin, it gives me these keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Infodelivery

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Restrictions
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Restrictions

Should I use these?

#41 Kevin Zoll

Posted 27 June 2012 - 09:53 PM

If I copy & paste the above instructions, each time an error message appears, it reads ERROR: Hive returned NULL. If I follow the instructions from RegAssassin, it gives me these keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Infodelivery

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Restrictions
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Restrictions

Should I use these?

Yes, go ahead and use those.
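
An added example, not from the thread and not part of any Emsisoft, Microsoft or RegASSASSIN tooling: a small Python parser for .reg fix files like the FixReg.reg in post #33 above. It reports each [Key] or [-Key] directive as a set or a delete, expands the short HKLM/HKCU hive names into the long HKEY_LOCAL_MACHINE/HKEY_CURRENT_USER form (the form RegASSASSIN accepted in post #40, where the short form produced the "Hive returned NULL" error), and flags any key outside the Internet Explorer policy subtree so whoever applies the fix can confirm it touches only what it claims. The sample file contents are a constructed copy of the posted FixReg.reg; the allowlist prefix is an assumption made here, not anything the thread states.

```python
"""Reviewer-side parser for a minimal .reg fix file (added example, not from the
thread).  Handles the two directive forms used by FixReg.reg: [Key] to create
or update a key and [-Key] to delete it, plus "name"=data lines under [Key]."""
import re

# Short hive aliases as written in .reg files and the long names that tools
# such as RegASSASSIN expect (post #40 shows the long form working).
HIVE_ALIASES = {
    "HKLM": "HKEY_LOCAL_MACHINE",
    "HKCU": "HKEY_CURRENT_USER",
    "HKCR": "HKEY_CLASSES_ROOT",
    "HKU": "HKEY_USERS",
    "HKCC": "HKEY_CURRENT_CONFIG",
}
FULL_HIVES = set(HIVE_ALIASES.values())

# Constructed copy of the FixReg.reg contents posted in the thread.
FIXREG = """Windows Registry Editor Version 5.00

[-HKLM\\Software\\Policies\\Microsoft\\Internet Explorer\\Infodelivery]

[-HKLM\\Software\\Policies\\Microsoft\\Internet Explorer\\Restrictions]

[-HKCU\\Software\\Policies\\Microsoft\\Internet Explorer\\Control Panel]

[-HKCU\\Software\\Policies\\Microsoft\\Internet Explorer\\Restrictions]
"""

# Assumed scope for this particular fix: only the IE policy subtree.
IE_POLICY_PREFIX = "SOFTWARE\\POLICIES\\MICROSOFT\\INTERNET EXPLORER\\"

KEY_LINE = re.compile(r"^\[(-?)([^\]]+)\]$")


def expand_hive(key_path):
    """Return key_path with a short hive alias (HKLM, HKCU, ...) expanded.
    Long names pass through unchanged; unknown hives raise ValueError."""
    hive, sep, rest = key_path.partition("\\")
    hive_up = hive.upper()
    if hive_up in FULL_HIVES:
        full = hive_up
    elif hive_up in HIVE_ALIASES:
        full = HIVE_ALIASES[hive_up]
    else:
        raise ValueError("unknown hive in %r" % key_path)
    return full + sep + rest


def parse_reg(text):
    """Parse a .reg file into a list of dicts with keys action, key, values.
    action is 'delete' for [-Key] and 'set' for [Key]; values holds the raw
    "name"=data lines that follow a [Key] section."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != "Windows Registry Editor Version 5.00":
        raise ValueError("missing .reg header")
    entries = []
    current = None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        m = KEY_LINE.match(line)
        if m:
            action = "delete" if m.group(1) == "-" else "set"
            current = {"action": action, "key": expand_hive(m.group(2)), "values": []}
            entries.append(current)
        elif current is not None and current["action"] == "set":
            current["values"].append(line)
        else:
            raise ValueError("value line outside a [Key] section: %r" % line)
    return entries


def check_scope(entries, prefix=IE_POLICY_PREFIX):
    """Return the keys whose path below the hive is not under prefix."""
    outside = []
    for e in entries:
        _, _, below = e["key"].partition("\\")
        if not below.upper().startswith(prefix):
            outside.append(e["key"])
    return outside


if __name__ == "__main__":
    parsed = parse_reg(FIXREG)
    for e in parsed:
        print("%-6s %s" % (e["action"], e["key"]))
    print("outside IE policy subtree:", check_scope(parsed) or "none")
```

Running the block lists the four deletes with their long hive names and reports that nothing falls outside the Internet Explorer policy subtree; feeding it a .reg file that also sets values under some other key would list that key, which is the signal to read the file more carefully before merging it.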

#42 Stevo

Posted 27 June 2012 - 11:50 PM

Next OTL log.........

#43 Kevin Zoll

Posted 28 June 2012 - 12:07 AM

OK, that did the trick.

Unless you are having problems, it is time to do the final steps.

Now to remove most of the tools that we have used in fixing your machine:
  • Download OTC to your desktop and run it
  • A list of tool components used in the cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OTC to reach the Internet, please allow the application to do so.
  • Click Yes to begin the cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the cleanup process. If you are asked to reboot the machine choose Yes.
Delete the following from your Desktop (If they exist)
CFscript.txt
FixReg.reg
TDSSKiller.exe
Anything else I had you use

Delete the following files: (If they exist)
C:\ComboFix.txt

Delete the following folders: (If they exist)
C:\ComboFix
C:\Qoobox

Empty the Recycle Bin

Download to your Desktop:
- CCleaner Portable
  • UnZip CCleaner Portable to a folder on your Desktop named CCleaner
Run CCleaner
  • Open the CCleaner Folder on your Desktop and double click CCleaner.exe (32-bit) or CCleaner64.exe (64-bit)
  • The following should be selected by default, if not, please select:
    [image not preserved]
  • Click [image] and choose [image]
  • Uncheck [image]
  • Then go back to [image] and click [image] to run it.
  • Exit CCleaner.

Turn off System restore to flush all your restore points then turn system restore back on. See How To Enable and Disable System Restore.

You can delete and uninstall any programs I had you download, that you do not wish to keep on the system.

Run Windows Update and update your Windows Operating System.

Run the Secunia Online Software Inspector; this will inspect your system for software that is out-of-date and in need of updating. Update any program/application detected as being out-of-date.

Articles to read:
How to Protect Your Computer From Malware
How to keep you and your Windows PC happy
Web, email, chat, password and kids safety
10 Sources of Malware Infections

That should take care of everything.

Safe Surfing!

#44 Stevo

Posted 28 June 2012 - 09:33 AM

And now My Documents folders are taking an age to open again. Even though I have installed AFP, it's telling me I don't have it & when I try to re-install it, the old chestnut of not having authorisation to do it.....

#45 Stevo

Posted 28 June 2012 - 10:27 AM

And can't open IE either.........

#46 Kevin Zoll

Posted 28 June 2012 - 03:55 PM

Run ComboFix and attach the resulting log to your next reply.

#47 Stevo

Posted 29 June 2012 - 12:31 AM

MY folders are still slow to open, Firefox takes a long time to open, IE8 won't install & neither will AFP or Quicktime........

#48 Kevin Zoll

Posted 29 June 2012 - 04:21 AM

Now we need to use ComboFix to remove some stuff.
  • Make sure that the copy of combofix.exe that you downloaded earlier is on your Desktop but Do not run it!
  • If it is not on your Desktop, the below will not work.
  • Open Notepad and copy/paste the text in the below code box into it
(make sure you scroll all the way down in the code box to get all lines selected ):
KillAll::

Driver::
0269081340819581mcinstcleanup

File::
c:\windows\TEMP\026908~1.EXE
  • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
  • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
  • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
  • Now use your mouse to drag CFScript.txt on top of ComboFix.exe
  • Follow the prompts.
  • When it finishes, a log will be produced named c:\combofix.txt
  • I will ask for this log below
Note: DO NOT mouseclick combofix's window while it is running. That may cause it to stall.

The ComboFix folder should not be renamed since ComboFix and even we would have suspicions about it. Also when you uninstall CF, the folder would not be removed since it does not look for that folder name.
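
An added example, not from the thread and not ComboFix's own code: a Python reader for the CFScript.txt format used in post #48, so the script can be checked before it is dragged onto ComboFix.exe. It splits the file into its Name:: sections and applies the checks a reviewer would want for the three sections that appear on the page: KillAll:: carries no entries, Driver:: entries are service names rather than paths, and File:: entries are absolute paths. The sample script is a constructed copy of the one posted; the lint rules are assumptions made here about how those sections are used, not ComboFix documentation.

```python
"""Section reader and lint for a ComboFix CFScript.txt (added example, not
from the thread).  Only the section names seen on the page are checked."""
import re

# Constructed copy of the CFScript posted in the thread.
CFSCRIPT = """KillAll::

Driver::
0269081340819581mcinstcleanup

File::
c:\\windows\\TEMP\\026908~1.EXE
"""

SECTION = re.compile(r"^([A-Za-z]+)::$")      # e.g. "File::"
ABS_PATH = re.compile(r"^[A-Za-z]:\\")        # drive letter followed by backslash


def parse_cfscript(text):
    """Return a dict (insertion ordered) of section name -> list of entries.
    A section line is Name:: on its own; every non-blank line after it belongs
    to that section until the next section line."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError("entry before any section: %r" % line)
        else:
            sections[current].append(line)
    return sections


def lint_cfscript(sections):
    """Return a list of problems a reviewer would want flagged.  The rules are
    assumptions about the three sections used in the thread."""
    problems = []
    if sections.get("KillAll"):
        problems.append("KillAll:: takes no entries")
    for entry in sections.get("Driver", []):
        if "\\" in entry or "/" in entry:
            problems.append("Driver:: expects a service name, not a path: %s" % entry)
    for entry in sections.get("File", []):
        if not ABS_PATH.match(entry):
            problems.append("File:: expects an absolute path: %s" % entry)
    return problems


if __name__ == "__main__":
    parsed = parse_cfscript(CFSCRIPT)
    for name, entries in parsed.items():
        print("%s:: %d entr%s" % (name, len(entries), "y" if len(entries) == 1 else "ies"))
        for entry in entries:
            print("    " + entry)
    print("problems:", lint_cfscript(parsed) or "none")
```

The point of the lint is the mismatch it would catch: an entry under the wrong heading (a file path under Driver::, or a bare file name under File::) is silently ignored or acted on differently by the tool, and a reviewer reading the raw text can miss that far more easily than a parser does.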

#49 Stevo

Posted 29 June 2012 - 01:46 PM

At this moment in time I cannot get on to my computer as it is stuck on a loading screen. Either Chrome, Firefox or IE has stalled it. The box says "Personalised settings: setting up personalized settings for Browser Customizations"

#50 Kevin Zoll

Posted 29 June 2012 - 03:30 PM

Will the system boot to Safe Mode?



