GT500
Emsisoft Employee
  • Content Count: 10706
  • Joined
  • Days Won: 297

Everything posted by GT500

  1. OK, that log looks better. Just to verify that there aren't any leftovers, please run an online virus scan through ESET by following the steps below:
     Turn off your anti-virus software.
     Click on this link.
     Click on the ESET Online Scanner button.
     Put a check in the box that says YES, I accept the Terms of Use.
     Click the 'Start' button just to the right of the checkbox.
     Uncheck the box that says Remove found threats (this is very important).
     Click on Advanced settings.
     Put a check in the box that says Scan for potentially unsafe applications.
     Verify that Scan for potentially unwanted applications is also checked.
     Verify that Enable Anti-Stealth technology is also checked.
     Click the Start button in the lower-right corner of the page, and it will begin downloading its database, and then it will start scanning.
     When the scan is done, if it shows a screen that says Threats found!, then click List of found threats, and then click Export to text file... (if nothing was found, then just let me know that no threats were found).
     Save that text file on your desktop, and then attach it to a reply (using the More Reply Options button in the lower-right corner of this forum topic) for me.
     Close the ESET online scan.
     I will take a look at the log, and let you know if anything needs to be removed.
  2. You're quite welcome, and here are some final instructions for you before you go:
     1. Make Sure Java is Updated: Click on the Start button. Click on Control Panel. Click Uninstall a program. Look for Java in the list (should be alphabetical), and uninstall all versions of Java that you find listed. Click on this link and download and install the latest Java (the Windows Online download will be faster).
     2. Make Sure Adobe Flash is Updated: Click on this link and download the latest version of Adobe Flash Player for your web browser. You will need to close your web browser when installing Flash.
     3. Make Sure Your Computer Has The Latest Windows Updates: Click on the Start button. Go to All Programs. Click on Windows Update. Click Check for updates in the menu on the left (should be near the top). Once it is done checking for updates, click the Install updates button on the right. If your computer wants to restart after the updates are done, make sure that you allow it to do so.
     4. Web Of Trust Extension: While this is not a requirement, I highly recommend that you click this link and check out the Web Of Trust extension for your web browser. It will add an extra layer of protection to your web browsing for free, and it is especially helpful when doing searches on Google, Yahoo!, Bing, etc. as it will point out what sites are considered trustworthy and what sites are not by drawing a colored circle to the right of each search result. Green means trusted, red means not trusted, yellow is in between, and white means it is not in Web Of Trust's database.
     5. Empty The System Restore: Click on the Start button. Right-click on Computer and select Properties from the list. In the window that pops up, click on the System protection link in the menu on the left. The buttons may not be clickable for a few moments, but once you can click on them, select the drive in the list near the bottom that shows protection is on (this will usually be your C: drive) and click the Configure... button. Click the button near the bottom-right that says Delete to clear all System Restore data. Once finished, click OK to close that window. Now you will want to make sure that the correct drive is selected again (usually your C: drive) and click on the Create button to create a new restore point. Fill in a name for the restore point, and click the Create button. Once it is done, you can close the windows that were opened to get to the System Restore settings.
  3. Please follow the instructions at this link to run TDSSKiller, and allow it to either Cure or Delete anything bad it detects.
  4. OK, I have written a script that will tell ComboFix how to fix some stuff I saw in your log. Here are instructions on what to do with the script:
     Turn off your Anti-Virus software.
     Click your Start button, go to All Programs (or just Programs on Vista and Windows 7), go to Accessories, and then open Notepad.
     Please copy and paste the contents of the box below into Notepad (here is a link to instructions if you do not know how to copy and paste): http://support.emsisoft.com/topic/7534-browser-virus/

        KillAll::
        Driver::
        Normandy
        Suspect::
        h:\windows\SysWow64\drivers\uzq3odgy.sys
        h:\windows\system32\xyz.rrfyr.exe
        h:\windows\winstart.bat
        FCopy::
        h:\windows\winsxs\amd64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_2b5e71b083fc0973\user32.dll | h:\windows\system32\user32.dll
        h:\windows\winsxs\wow64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_35b31c02b85ccb6e\user32.dll | h:\windows\SysWOW64\user32.dll
        RegLock::
        [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

     Save this as a Text Document named CFScript in the same location as ComboFix (which should be on your desktop).
     Close Notepad and verify that the CFScript file is saved on your desktop.
     Referring to the animated picture below, click the left mouse button on top of the CFScript icon on your desktop, then holding the mouse button down drag the CFScript icon on your desktop onto the ComboFix icon, and then drop it (let go of the mouse button) on top of the ComboFix icon:
     When finished, it will display a new log in Notepad. Please attach that log to a reply the same way you did before. If you prefer, you can save the log on your desktop to make it easier to find.
  5. Please download ComboFix from one of the following links, and follow the instructions below to run it.
     Save as Combo-Fix.exe during the download. ComboFix must be renamed before you download to your Desktop.
     Link 1
     Link 2
     * IMPORTANT !!! Save Combo-Fix to your Desktop.
     Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. See HERE for help.
     Double click on ComboFix.exe & follow the prompts.
     As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
     Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
     **Please note: (This applies to Windows XP systems only) If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
     Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message: Click on Yes, to continue scanning for malware.
     When finished, ComboFix will produce a log.
     Note:
     1. Do not mouse-click ComboFix's window while it's running. That may cause it to stall!
     2. Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet.
     Attach logs for: (USE THE "MORE REPLY OPTIONS" BUTTON TO BE ABLE TO DO THIS)
     ComboFix (C:\combofix.txt)
     Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
  6. We're going to need that ComboFix log (I can analyze it to see if there are any signs of an infection that were not removed), so go ahead and uninstall any AVG software, restart your computer, and then run the utility at this link (restarting your computer when asked) to make sure that nothing was left behind. You can reinstall AVG once I've been able to make sure that your computer is clean. After uninstalling AVG, go ahead and run ComboFix again, and get me a copy of the log.
  7. You don't have to uninstall MBAM to prevent its services from loading on startup. All you have to do is uncheck the option to start with Windows (either by right-clicking on the System Tray icon for MBAM or by opening MBAM and going to the Protection tab) and then restart your computer.
  8. That ComboFix log looks pretty good. Let's just get one more log to verify that your system is clean. Please run an online virus scan through ESET by following the steps below:
     Turn off your anti-virus software.
     Click on this link.
     Click on the ESET Online Scanner button.
     Put a check in the box that says YES, I accept the Terms of Use.
     Click the 'Start' button just to the right of the checkbox.
     Uncheck the box that says Remove found threats (this is very important).
     Click on Advanced settings.
     Put a check in the box that says Scan for potentially unsafe applications.
     Verify that Scan for potentially unwanted applications is also checked.
     Verify that Enable Anti-Stealth technology is also checked.
     Click the Start button in the lower-right corner of the page, and it will begin downloading its database, and then it will start scanning.
     When the scan is done, if it shows a screen that says Threats found!, then click List of found threats, and then click Export to text file... (if nothing was found, then just let me know that no threats were found).
     Save that text file on your desktop, and then attach it to a reply (using the More Reply Options button in the lower-right corner of this forum topic) for me.
     Close the ESET online scan.
     I will take a look at the log, and let you know if anything needs to be removed.
  9. That's OK, we don't need your credit card statements. OTL failed to delete some stuff (or it got recreated after it was deleted). The entries may not be bad, however I do want to check and verify with another utility.
     Please download ComboFix from one of the following links, and follow the instructions below to run it.
     Save as Combo-Fix.exe during the download. ComboFix must be renamed before you download to your Desktop.
     Link 1
     Link 2
     * IMPORTANT !!! Save Combo-Fix to your Desktop.
     Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. See HERE for help.
     Double click on ComboFix.exe & follow the prompts.
     As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
     Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
     **Please note: (This applies to Windows XP systems only) If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
     Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message: Click on Yes, to continue scanning for malware.
     When finished, ComboFix will produce a log.
     Note:
     1. Do not mouse-click ComboFix's window while it's running. That may cause it to stall!
     2. Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet.
     Attach logs for: (USE THE "MORE REPLY OPTIONS" BUTTON TO BE ABLE TO DO THIS)
     ComboFix (C:\combofix.txt)
     Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
  10. I assume that System Recovery Options screen looks like this (if the picture is tiny, then you can click on it to make it bigger): If so, then select the Command Prompt option. This will load a black window with white text. Click in the empty black space, and type in the command that is in the following box:

        chkdsk /F C:

      This will start an error check on your hard drive, and it should repair any errors in the filesystem automatically. Hopefully this will resolve the issue. Once it is done, you can simply close the command prompt, and click the Restart button.
  11. When you turn your computer on, do you get an option to load the Windows XP Recovery Console?
  12. Just a quick follow up: I have just spoken to Andrey and he has confirmed the following information: The fix will be tested in our next internal beta. There is currently no ETA on a public release. For now, simply mark the installer as Trusted and as an Installer in Online Armor to bypass the issue. If proper rules are set up in Online Armor for the installer, then the temp file should be ignored.
  13. That log looks pretty good. Let's get an online virus scan just to verify. Please run an online virus scan through ESET by following the steps below:
      Turn off your anti-virus software.
      Click on this link.
      Click on the ESET Online Scanner button.
      Put a check in the box that says YES, I accept the Terms of Use.
      Click the 'Start' button just to the right of the checkbox.
      Uncheck the box that says Remove found threats (this is very important).
      Click on Advanced settings.
      Put a check in the box that says Scan for potentially unsafe applications.
      Verify that Scan for potentially unwanted applications is also checked.
      Verify that Enable Anti-Stealth technology is also checked.
      Click the Start button in the lower-right corner of the page, and it will begin downloading its database, and then it will start scanning.
      When the scan is done, if it shows a screen that says Threats found!, then click List of found threats, and then click Export to text file... (if nothing was found, then just let me know that no threats were found).
      Save that text file on your desktop, and then attach it to a reply (using the More Reply Options button in the lower-right corner of this forum topic) for me.
      Close the ESET online scan.
      I will take a look at the log, and let you know if anything needs to be removed.
  14. OK, a quick chat with Fabian has revealed that this is an issue with Online Armor that our developers are already aware of. A quick check of our bug tracker shows that the issue is already fixed. I assume the fix will be included in the next program update to Online Armor, however I have not spoken to Andrey to confirm that.
  15. My apologies. For some reason I did not see your reply. Checking the MD5 and SHA1 hashes that VirusTotal generated against our database shows that the file is most likely legit. I'll ask some of our developers to look at this, as it may be a false positive.
  16. Please download ComboFix from one of the following links, and follow the instructions below to run it.
      Save as Combo-Fix.exe during the download. ComboFix must be renamed before you download to your Desktop.
      Link 1
      Link 2
      * IMPORTANT !!! Save Combo-Fix to your Desktop.
      Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. See HERE for help.
      Double click on ComboFix.exe & follow the prompts.
      As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
      Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
      **Please note: (This applies to Windows XP systems only) If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
      Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message: Click on Yes, to continue scanning for malware.
      When finished, ComboFix will produce a log.
      Note:
      1. Do not mouse-click ComboFix's window while it's running. That may cause it to stall!
      2. Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet.
      Attach logs for: (USE THE "MORE REPLY OPTIONS" BUTTON TO BE ABLE TO DO THIS)
      ComboFix (C:\combofix.txt)
      Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
  17. Please download ComboFix from one of the following links, and follow the instructions below to run it.
      Save as Combo-Fix.exe during the download. ComboFix must be renamed before you download to your Desktop.
      Link 1
      Link 2
      * IMPORTANT !!! Save Combo-Fix to your Desktop.
      Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. See HERE for help.
      Double click on ComboFix.exe & follow the prompts.
      As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
      Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
      **Please note: (This applies to Windows XP systems only) If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
      Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message: Click on Yes, to continue scanning for malware.
      When finished, ComboFix will produce a log.
      Note:
      1. Do not mouse-click ComboFix's window while it's running. That may cause it to stall!
      2. Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet.
      Attach logs for: (USE THE "MORE REPLY OPTIONS" BUTTON TO BE ABLE TO DO THIS)
      ComboFix (C:\combofix.txt)
      Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
  18. OK, I thought those looked like entries from a HijackThis log. Due to the fact that it hasn't been updated in a very long time, I recommend avoiding HijackThis. It was a great utility back in the day; unfortunately that day came and went a long time ago. Good alternatives to HijackThis include Emsisoft HijackFree (which comes with Emsisoft Anti-Malware), Autoruns from Microsoft, and RunAlyzer from Safer Network. There are a few other good ones as well, however I don't have a list of them. Also, please note that I don't actually need logs from any of these utilities, and that if you don't know what the various entries listed in these programs do then I highly recommend not using them to make any changes to your system configuration. Don't worry about not saving the Panda log. Go ahead and get me a fresh ComboFix log (download a fresh copy of ComboFix from one of these links: Link 1 / Link 2, and always make sure to disable your anti-virus software before running it) and let me know if your computer is still having any troubles (such as not being able to start in Safe Mode, weird popups or error messages, etc).
  19. Before I get on to the fix script I wrote, I noticed a couple of PDF files saved in your Documents folder about 4 hours before a folder related to the infection that I am seeing in your log was created. These PDF files are named 02-09-2012.pdf and 01-10-2012.pdf, and I was wondering if you could upload each of them to VirusTotal at this link and post the links to the analysis of each file for me to look at.
      And now on to the fix script. I have written a cleanup script for OTL (if you need to, you may download OTL from this link). Please copy the contents of the following CODE box, and in OTL under the Custom Scans/Fixes box at the bottom, paste in what you just copied from the following CODE box:

        :OTL
        O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
        O4 - HKCU..\Run: [MicrosoftUpdate] C:\Users\Hussein\Documents\MSDCSC\msdcsc.exe File not found
        O4 - HKLM..\RunOnceEx: [Flags] Reg Error: Invalid data type. File not found
        O4 - HKLM..\RunOnceEx: [Title] UnHackMe Rootkit Check File not found
        O18:64bit: - Protocol\Handler\intu-help-qb3 - No CLSID value found
        O18:64bit: - Protocol\Handler\livecall - No CLSID value found
        O18:64bit: - Protocol\Handler\msnim - No CLSID value found
        O18:64bit: - Protocol\Handler\qbwc - No CLSID value found
        O18:64bit: - Protocol\Handler\skype-ie-addon-data - No CLSID value found
        O18:64bit: - Protocol\Handler\wlmailhtml - No CLSID value found
        O20:64bit: - HKLM Winlogon: UserInit - (C:\Users\Hussein\Documents\MSDCSC\msdcsc.exe) - File not found
        O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
        O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
        [2012/03/04 19:37:34 | 000,000,000 | ---D | C] -- C:\ProgramData\Windows
        @Alternate Data Stream - 103 bytes -> C:\ProgramData\Temp:76650B61
        :Commands
        [EMPTYTEMP]

      Then click the Run Fix button at the top. Let the program run unhindered, and restart your computer when it is done (it may automatically restart your computer on its own). After your computer has restarted, please open OTL again and click the Quick Scan button. Attach the log it produces in your next reply (just the OTL log, as I don't need to see the Extras log again). You will need to click the button that says More Reply Options to the lower-right of where you type your reply to be presented with the attachment controls.
  20. You'll find file information here. Essentially, it is a Windows system file. It may have gotten damaged/corrupted by the infection. Do you have your Windows disk? Running the System File Checker may be a good idea, just in case, however it will require a Windows disk for your version of Windows. ComboFix didn't show any system files failing a signature check, so theoretically your system files are OK, however it may be a good idea to run it just in case. Another alternative is simply to reinstall the last Service Pack, which for Windows XP would be Service Pack 3. How did you fix the Blue Screen error? Did you run the System Restore?
  21. OK, that is a good sign. You can run a Full Scan with Malwarebytes' Anti-Malware on your other hard drives if you wish, in order to check and see if it detects anything. You may also want to run a Deep Scan with Emsisoft Anti-Malware as well (making sure to check those extra drives). Other than possibly a few infected files on your other hard drives, I don't think your system is still infected, so here are some final instructions for you:
      1. Make Sure Java is Updated: Click on the Start button. Click on Control Panel. Click Uninstall a program. Look for Java in the list (should be alphabetical), and uninstall all versions of Java that you find listed. Click on this link and download and install the latest Java (the Windows Online download will be faster).
      2. Make Sure Adobe Flash is Updated: Click on this link and download the latest version of Adobe Flash Player for your web browser. You will need to close your web browser when installing Flash.
      3. Make Sure Your Computer Has The Latest Windows Updates: Click on the Start button. Go to All Programs. Click on Windows Update. Click Check for updates in the menu on the left (should be near the top). Once it is done checking for updates, click the Install updates button on the right. If your computer wants to restart after the updates are done, make sure that you allow it to do so.
      4. Web Of Trust Extension: While this is not a requirement, I highly recommend that you click this link and check out the Web Of Trust extension for your web browser. It will add an extra layer of protection to your web browsing for free, and it is especially helpful when doing searches on Google, Yahoo!, Bing, etc. as it will point out what sites are considered trustworthy and what sites are not by drawing a colored circle to the right of each search result. Green means trusted, red means not trusted, yellow is in between, and white means it is not in Web Of Trust's database.
      5. Empty The System Restore: Click on the Start button. Right-click on Computer and select Properties from the list. In the window that pops up, click on the System protection link in the menu on the left. The buttons may not be clickable for a few moments, but once you can click on them, select the drive in the list near the bottom that shows protection is on (this will usually be your C: drive) and click the Configure... button. Click the button near the bottom-right that says Delete to clear all System Restore data. Once finished, click OK to close that window. Now you will want to make sure that the correct drive is selected again (usually your C: drive) and click on the Create button to create a new restore point. Fill in a name for the restore point, and click the Create button. Once it is done, you can close the windows that were opened to get to the System Restore settings.
  22. You're welcome. I'm sorry we couldn't be of more assistance in getting it fixed. A good repair shop will have utilities such as customized BartPE disks or UBCD4Win disks where they can run all sorts of anti-virus scans from a bootable CD. Theoretically they will also have techs capable of looking at your system and manually removing anything that anti-virus software is missing. Since it appears that the need for this topic is now over, I'm going to go ahead and close it. If you require any further assistance, then please let me know. This topic can be reopened at any time. Note: The instructions in this forum topic have been customized based on the logs posted by the person asking for assistance. Please do not attempt to follow any of the instructions in this forum topic, as they could cause damage to your computer. If you require assistance, please start here if you believe your computer is infected, and one of our experts will be happy to assist you by analyzing your logs.
  23. That is a list of the DNS servers that your computer will ask for a list of what domain names map to what IP addresses. For more information, here's a link to an article on DNS. Did you run HijackThis, or were those in your OTL log? That file appears to be a legitimate part of AdFender. I assume you are still not able to start your computer normally? If so, then let me know if you are able to uninstall your software from PCTools while Windows is running in Safe Mode. One of their drivers is one of the ones failing on startup, and it is possible that one of their drivers was corrupted.
  24. OK, I've forwarded the dump on to one of our developers. Hopefully they can give me an idea of what might be going on.