33 replies to this topic

[Need Help]

My PC is currently infected with the "Ads not by this site" virus.
Ads keep popping up throughout my internet.
please help.

[ShadowPuterDude]

Hello and welcome to the Emsisoft support forums.

All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE, if you don't we are just going to send you back to this thread also read the Emsisoft Support Forums Terms of Use

To Highlight a few:

• If you are seeking help make sure to only create one thread per problem at a time. Multiple threads about the same problem will get closed.
• To keep the threads clean please don't post the content of log or report files directly in your reply. Instead please attach any reports or logs you were asked to submit as a file attachment.
• Don't use any kind of "l33t" speak or slang and always keep in mind that most of the other people here don't speak English as their native language.
• Asking for help is only allowed in the forums. Requesting help via PM or mail is prohibited.
• Because of the potential for harm only selected members as well as our employees are allowed to offer help in the malware removal sections of the forum. If you have a strong malware fighting background and want to help please contact Emsi, Fabian Wosar and ShadowPuterDude (yes, all three of them) via forum PM.

[ShadowPuterDude]

Thread Closed

Reason: Lack of Response

PM either ShadowPuterDude, Elise, or GT500 to have this thread reopened.

The procedures contained in this thread are for this user and this user only. Attempting to use the instructions in this thread on your system could result in damaging the Operating System beyond repair. Do Not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist.

All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE, if you don't we are just going to send you back to this thread.

[ShadowPuterDude]

Thread opened at original posters request.

[Need Help]

THANK YOU for reopening! But, i have a question, after i tried to open the emergency kit scanner but it says, "this application depends on other compressed files in this folder. For this application to run properly, it recommended that you first extract all files" so should i extract the files or just run?

[ShadowPuterDude]

The instructions in the start here thread, state:

UnZip Emsisoft Emergency Kit to a folder on your Desktop named EEK

• Run Emsisoft Emergency Kit:
  
• Open the EEK Folder on your Desktop and double click EmergencyKitScanner.bat
• Click "Yes" to Update Emsisoft Emergency Kit
• Put the mouse cursor over the "Menu" tab on the left and click-on "Scan PC".
• Select "Smart Scan" and click-on the "Scan" button.
  
  IMPORTANT: Do not quarantine or delete anything. We just want the scan log without anything being quarantined or deleted.
• Save the scan log somewhere that you can find it.
• Exit Emsisoft Emergency Kit.

[Need Help]

umm im kind of confused, but ill try to figure it out right now.

[ShadowPuterDude]

Right-click on the zip file and select extract all.

[Need Help]

These are the logs from the scans

Attached Files

•  a2scan_120801-171303.txt   1.27K   28 downloads
•  Extras.Txt   70.38K   23 downloads
•  OTL.Txt   87.66K   35 downloads

[ShadowPuterDude]

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version of Java components and upgrade the application. NOT supported for use in 9x or ME

Upgrading Java:

• Download the latest version of JRE 7 Update 5.
• Click the "Download JRE" button to the right.
• Accept the license agreement.
• Click on the download link for your system and save it to your desktop. Users of Windows Vista/7 64-bit can install both the 32-bit and 64-bit JRE without conflicts.
  Windows x86 Offline (jre-7u5-windows-i586.exe)
  Windows x64 (jre-7u5-windows-x64.exe)
• Close any programs you may have running - especially your web browser.
• Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
• Check any item with Java Runtime Environment (JRE or J2SE) in the name.
• Click the Remove or Change/Remove button.
• Repeat as many times as necessary to remove each Java version.
• Reboot your computer once all Java components are removed.
• Then from your desktop double-click on the download to install the newest version.(Vista/7 users, right click on the JRE download and select "Run as an Administrator.")

Using Add or Remove Programs in the Control Panel; uninstall the following:

Java(TM) 6 Update 14 (64-bit)
Java(TM) 6 Update 14

Run OTL.exe

• Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
  

  :OTLO2 - BHO: (Babylon toolbar helper) - {2EECD738-5844-4a99-B4B6-146BF802613B} - C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.5.3.17\bh\BabylonToolbar.dll (Babylon BHO)O2 - BHO: (wxDfast Class) - {395EB32B-EEDC-467E-AEE4-AE915990BFAE} - C:\ProgramData\wxDfast\bhoclass.dll ()O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.O4 - HKLM..\Run: []  File not foundO4 - HKCU..\Run: [RESTART_STICKY_NOTES] C:\Windows\System32\StikyNot.exe File not foundO8:[b]64bit:[/b] - Extra context menu item: Google Sidewiki... - res://C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html File not foundO8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html File not foundO13[b]64bit:[/b] - gopher Prefix: missingO13 - gopher Prefix: missingO18:[b]64bit:[/b] - Protocol\Handler\livecall - No CLSID value foundO18:[b]64bit:[/b] - Protocol\Handler\ms-help - No CLSID value foundO18:[b]64bit:[/b] - Protocol\Handler\ms-itss - No CLSID value foundO18:[b]64bit:[/b] - Protocol\Handler\msnim - No CLSID value foundO18:[b]64bit:[/b] - Protocol\Handler\skype4com - No CLSID value foundO18:[b]64bit:[/b] - Protocol\Handler\skype-ie-addon-data - No CLSID value foundO18:[b]64bit:[/b] - Protocol\Handler\wlmailhtml - No CLSID value foundO20:[b]64bit:[/b] - HKLM Winlogon: VMApplet - (/pagefile) -  File not foundO20 - HKLM Winlogon: VMApplet - (/pagefile) -  File not foundO21:[b]64bit:[/b] - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.O33 - MountPoints2\{42cacf4a-07dc-11e1-b3a8-002622b24ba0}\Shell - "" = AutoRunO33 - MountPoints2\{42cacf4a-07dc-11e1-b3a8-002622b24ba0}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -aO33 - MountPoints2\F\Shell - "" = AutoRunO33 - MountPoints2\F\Shell\AutoRun\command - "" = F:\LaunchU3.exe -a[2011/12/31 01:13:47 | 000,773,504 | ---- | C] () -- C:\Users\Sukhber\AppData\Local	mpIMAG0473.0[2011/12/31 01:13:47 | 000,540,001 | ---- | C] () -- C:\Users\Sukhber\AppData\Local	mpIMAG0473.JPG[2011/12/31 01:13:11 | 000,300,708 | ---- | C] () -- C:\Users\Sukhber\AppData\Local	mpIMAG0492.4[2011/12/31 01:13:10 | 000,302,334 | ---- | C] () -- C:\Users\Sukhber\AppData\Local	mpIMAG0492.3[2011/12/31 01:13:08 | 000,300,809 | ---- | C] () -- C:\Users\Sukhber\AppData\Local	mpIMAG0492.2[2011/12/31 01:13:06 | 000,301,026 | ---- | C] () -- C:\Users\Sukhber\AppData\Local	mpIMAG0492.1[2011/12/31 01:13:01 | 000,618,441 | ---- | C] () -- C:\Users\Sukhber\AppData\Local	mpIMAG0492.0[2011/12/31 01:13:01 | 000,301,026 | ---- | C] () -- C:\Users\Sukhber\AppData\Local	mpIMAG0492.JPG[2011/12/31 01:12:18 | 000,611,635 | ---- | C] () -- C:\Users\Sukhber\AppData\Local	mpIMAG0491.0[2011/12/31 01:12:18 | 000,408,410 | ---- | C] () -- C:\Users\Sukhber\AppData\Local	mpIMAG0491.JPG[2011/12/31 01:11:03 | 000,777,209 | ---- | C] () -- C:\Users\Sukhber\AppData\Local	mpIMAG0484.JPG[2011/12/31 01:10:19 | 001,162,328 | ---- | C] () -- C:\Users\Sukhber\AppData\Local	mpIMAG0484.0[2011/08/18 20:53:33 | 000,398,201 | ---- | C] () -- C:\Users\Sukhber\AppData\Local	mpOTHER PICS AND VIDS 001.JPG[2011/08/18 20:53:32 | 000,933,740 | ---- | C] () -- C:\Users\Sukhber\AppData\Local	mpOTHER PICS AND VIDS 001.0[2010/04/29 19:58:55 | 000,397,186 | ---- | C] () -- C:\Users\Sukhber\AppData\Local	mpIMG028.JPG[2010/02/15 10:14:56 | 000,000,000 | -HSD | M] -- C:\Users\Sukhber\AppData\Roaming\.#[2012/03/29 21:14:47 | 000,000,000 | ---D | M] -- C:\Users\Sukhber\AppData\Roaming\Babylon:FilesC:\Users\Sukhber\AppData\Local\Temp\Addons\E439CF9B\babylon.exeC:\Users\Sukhber\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3WI1P4RV\MyBabylonTB[1].exe:Commands[Purity][EmptyTemp][EmptyFlash][EmptyJava][Reboot]

• Then click the Run Fix button at the top
• Let the program run unhindered, reboot when it is done
• Attach the new log produced by OTL (C:\_OTL). (USE THE "MORE REPLY OPTIONS" BUTTON TO BE ABLE TO DO THIS)

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!

[Need Help]

I did everything you told me to do so far But, the same weird ads are still popping up on every website i go to

Attached Files

•  08022012_142723.log   11.5K   18 downloads

[ShadowPuterDude]

Download ComboFix from one of these locations:

Save as Combo-Fix.exe during the download. ComboFix must be renamed before you download to your Desktop

Link 1
Link 2

* IMPORTANT !!! Save ComboFix to your Desktop

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  See HERE for help
• Double click on Combo-Fix & follow the prompts.
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: (This applies to Windows XP systems only) If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, ComboFix will produce a log.

Note:
1. Do not mouseclick combofix's window while it's running. That may cause it to stall!
2. Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet.

Attach logs for: (USE THE "MORE REPLY OPTIONS" BUTTON TO BE ABLE TO DO THIS)

• ComboFix (C:\combofix.txt)

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!

[Need Help]

Was this supposed to make the weird ads go away because right now there are no weird ads popping up! YAY! This makes me sooo happy Is there something else i need to do, or is my computer clean?

Attached Files

•  ComboFix.txt   20.28K   33 downloads

[ShadowPuterDude]

OK, run a fresh scan with OTL, attach the new OTL log to your next reply.

[Need Help]

when i run another scan with OTL, do i need to change the settings or just run it as it is?

[ShadowPuterDude]

Run OTL with these settings:

• Underneath Output at the top change it to Minimal Output.
• Check the boxes beside LOP Check and Purity Check.

[Need Help]

Okie dokie, here is the new OTL log

Attached Files

•  OTL.Txt   93.14K   25 downloads

[ShadowPuterDude]

Run OTL.exe

• Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
  

  :OTLO6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions presentO7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel presentO18:[b]64bit:[/b] - Protocol\Handler\livecall - No CLSID value foundO18:[b]64bit:[/b] - Protocol\Handler\ms-help - No CLSID value foundO18:[b]64bit:[/b] - Protocol\Handler\ms-itss - No CLSID value foundO18:[b]64bit:[/b] - Protocol\Handler\msnim - No CLSID value foundO18:[b]64bit:[/b] - Protocol\Handler\skype4com - No CLSID value foundO18:[b]64bit:[/b] - Protocol\Handler\skype-ie-addon-data - No CLSID value foundO18:[b]64bit:[/b] - Protocol\Handler\wlmailhtml - No CLSID value foundO20:[b]64bit:[/b] - HKLM Winlogon: VMApplet - (/pagefile) -  File not found[2011/12/31 01:13:47 | 000,773,504 | ---- | C] () -- C:\Users\Sukhber\AppData\Local	mpIMAG0473.0[2011/12/31 01:13:47 | 000,540,001 | ---- | C] () -- C:\Users\Sukhber\AppData\Local	mpIMAG0473.JPG[2011/12/31 01:13:11 | 000,300,708 | ---- | C] () -- C:\Users\Sukhber\AppData\Local	mpIMAG0492.4[2011/12/31 01:13:10 | 000,302,334 | ---- | C] () -- C:\Users\Sukhber\AppData\Local	mpIMAG0492.3[2011/12/31 01:13:08 | 000,300,809 | ---- | C] () -- C:\Users\Sukhber\AppData\Local	mpIMAG0492.2[2011/12/31 01:13:06 | 000,301,026 | ---- | C] () -- C:\Users\Sukhber\AppData\Local	mpIMAG0492.1[2011/12/31 01:13:01 | 000,618,441 | ---- | C] () -- C:\Users\Sukhber\AppData\Local	mpIMAG0492.0[2011/12/31 01:13:01 | 000,301,026 | ---- | C] () -- C:\Users\Sukhber\AppData\Local	mpIMAG0492.JPG[2011/12/31 01:12:18 | 000,611,635 | ---- | C] () -- C:\Users\Sukhber\AppData\Local	mpIMAG0491.0[2011/12/31 01:12:18 | 000,408,410 | ---- | C] () -- C:\Users\Sukhber\AppData\Local	mpIMAG0491.JPG[2011/12/31 01:11:03 | 000,777,209 | ---- | C] () -- C:\Users\Sukhber\AppData\Local	mpIMAG0484.JPG[2011/12/31 01:10:19 | 001,162,328 | ---- | C] () -- C:\Users\Sukhber\AppData\Local	mpIMAG0484.0[2011/08/18 20:53:33 | 000,398,201 | ---- | C] () -- C:\Users\Sukhber\AppData\Local	mpOTHER PICS AND VIDS 001.JPG[2011/08/18 20:53:32 | 000,933,740 | ---- | C] () -- C:\Users\Sukhber\AppData\Local	mpOTHER PICS AND VIDS 001.0[2010/04/29 19:58:55 | 000,397,186 | ---- | C] () -- C:\Users\Sukhber\AppData\Local	mpIMG028.JPG:Commands[Purity][EmptyTemp][EmptyFlash][EmptyJava][Reboot]

• Then click the Run Fix button at the top
• Let the program run unhindered, reboot when it is done
• Attach the new log produced by OTL (C:\_OTL). (USE THE "MORE REPLY OPTIONS" BUTTON TO BE ABLE TO DO THIS)

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!

[Need Help]

do i need to click the purity, and LOP Check boxes when i do this scan?

[ShadowPuterDude]

You're not doing a new scan, you are attaching the log OTL created when you ran the fix.

[Need Help]

okay, umm I tried running the scan but something went wrong. The screen went blank, and i could see my mouse and then the computer started over. Then an error thing popped up. What do i do?

[ShadowPuterDude]

What error?

[Need Help]

Oh, I turned my pc off and waited and turned it back on, then i tried it again and it worked. Sorry, for the confusion but it worked. Here is the new log.

Attached Files

•  08042012_142608.log   5.97K   26 downloads

[ShadowPuterDude]

OK, let's make sure those were actually deleted.

Run a fresh scan with OTL, attach the new OTL log to your next reply.

[Need Help]

okie dokie, here is the new log

Attached Files

•  OTL.Txt   93.23K   24 downloads

[ShadowPuterDude]

Now we need to use ComboFix to remove some stuff.

Download CFscript.txt, attached below, to your Desktop

• Make sure that the copy of ComboFix that you downloaded earlier is on your Desktop but Do not run it!
• If it is not on your Desktop, the below will not work.
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• You should have both the ComboFix and CFScript.txt icons on your Desktop.
• Now use your mouse to drag CFScript.txt on top of ComboFix
  
• Follow the prompts.
• When it finishes, a log will be produced named c:\combofix.txt
• Attach the log generated by ComboFix to your next reply

Note: DO NOT mouseclick combofix's window while it is running. That may cause it to stall.

Attached Files

•  CFscript.txt   713bytes   29 downloads

[Need Help]

Here is the new log for combofix.

Attached Files

•  ComboFix.txt   25.75K   13 downloads

[ShadowPuterDude]

ComboFix indicates that it deleted what I wanted to remove. Let's double check and make.

Run a fresh scan with OTL, attach the new OTL log to your next reply.

[Need Help]

Here you go

Attached Files

•  OTL.Txt   90.88K   21 downloads

[ShadowPuterDude]

Run OTL.exe

• Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
  

  SEE ATTACHED OTLfix.txt

• Then click the Run Fix button at the top
• Let the program run unhindered, reboot when it is done
• Attach the new log produced by OTL (C:\_OTL). (USE THE "MORE REPLY OPTIONS" BUTTON TO BE ABLE TO DO THIS)

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!

Attached Files

•  OTLfix.txt   668bytes   18 downloads

[Need Help]

My computer is running very well! It's back to normal and no weird/crazy ads are popping all over the screen like it used to! Here is the new log

Attached Files

•  08052012_165205.log   4.12K   19 downloads

[ShadowPuterDude]

Unless you are having problems, it is time to do the final steps.

Now to remove most of the tools that we have used in fixing your machine:

• Download OTC to your desktop and run it
• A list of tool components used in the cleanup of malware will be downloaded.
• If your Firewall or Real Time protection attempts to block OTC to reach the Internet, please allow the application to do so.
• Click Yes to begin the cleanup process and remove these components, including this application.
• You will be asked to reboot the machine to finish the cleanup process. If you are asked to reboot the machine choose Yes.

Delete the following from your Desktop (If they exist)
CFscript.txt
TDSSKiller.exe
Anything else I had you use

Delete the following files: (If they exist)
C:\ComboFix.txt

Delete the following folders: (If they exist)
C:\ComboFix
C:\Qoobox
C:\TDSSKiller_Quarantine

Empty the Recycle Bin

Download to your Desktop:
- CCleaner Portable

• UnZip CCleaner Portable to a folder on your Desktop named CCleaner

Run CCleaner

• Open the CCleaner Folder on your Desktop and double click CCleaner.exe (32-bit) or CCleaner64.exe (64-bit)
• The following should be selected by default, if not, please select:
  
• Click and choose
• Uncheck
• Then go back to and click to run it.
• Exit CCleaner.

Turn off System restore to flush all your restore points then turn system restore back on. See How To Enable and Disable System Restore.

You can delete and uninstall any programs I had you download, that you do not wish to keep on the system.

Run Windows Update and update your Windows Operating System.

Run the Secunia Online Software Inspector, this will inspect your system for software that is out-of-date and in need of updating. Update anything program/application detected as being out-dated.

Articles to read:
How to Protect Your Computer From Malware
How to keep you and your Windows PC happy
Web, email, chat, password and kids safety
10 Sources of Malware Infections

That should take care of everything.

Safe Surfing!

[Need Help]

THANK YOU! THANK YOU! THANK YOU! My computer is back to normal! I did the last step and everything is cleared out, and i feel more educated about taking care of my computer now! No more weird/scary popping up ads anymore! YAY! I really appreciate all of the help you gave me to get my computer fixed I really hope you get payed a lot for this, because you helped me when no one else did! Thank you for taking the time to help me, and your awesome! Thank you!

[ShadowPuterDude]

Thread Closed

Reason: Resolved

The procedures contained in this thread are for this user and this user only. Attempting to use the instructions in this thread on your system could result in damaging the Operating System beyond repair. Do Not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist.

All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE, if you don't we are just going to send you back to this thread.