GT500

Emsisoft Employee
  • Content Count

    11517
  • Joined

  • Days Won

    333

Everything posted by GT500

  1. Could you please upload each of those files to VirusTotal, and then send me the link to the analysis of each file? They could be harmless, but we can check and make sure.
  2. Current version of TDSSKiller appears to be 2.7.34.0 (not sure what it was when I posted my instructions in post #105). It may actually check for updates when it runs, but I cannot guarantee that.
  3. Most of the information relates to things Online Armor is doing. The logs are encrypted for safety, and only Andrey can decrypt them (I don't even have the ability to decrypt and read them). Just an FYI: Andrey did let me know that he has downloaded your logs, and that he's taking a look at them.
  4. OK, we'll probably need some logs to see what the problem is. Open Online Armor, go to 'Options' in the menu on the left, click the little check box to enable debug mode (just above the "Run Safety Check Wizard", restart your computer (Debug Mode will not be enabled until after your computer is restarted), and then try launching a program in "Run Safer" mode. After that, please ZIP your entire logs folder (normally C:\Program Files\Online Armor\Logs) and attach it to a reply for me. Note that, if you don't have a utility such as 7-Zip, WinZip, or WinRar that you can ZIP files and folders by right-clicking on them, going to "Send To", and clicking on "Compressed (zipped) Folder". If the file it too large to attach to a reply, then let me know, and I will send you a private message with instructions on how to get it to us. Edit: Scratch that. Our developers just reminded me that RunSafer just executes an application with restricted rights. When running as a "Standard User" your applications are already running with restricted rights, so RunSafer doesn't actually do anything when running applications under a "Standard User" account, which is why no border is displayed around the window of a program that is set to execute in RunSafer mode.
  5. OK, we'll probably need some logs to see what the problem is. Open Online Armor, go to 'Options' in the menu on the left, click the little check box to enable debug mode (just above the "Run Safety Check Wizard", restart your computer (Debug Mode will not be enabled until after your computer is restarted), and then try launching Chrome. After you see the warning from Online Armor, click the button to allow it, and then please ZIP your entire logs folder (normally C:\Program Files\Online Armor\Logs) and attach it to a reply for me. Note that, if you don't have a utility such as 7-Zip, WinZip, or WinRar that you can ZIP files and folders by right-clicking on them, going to "Send To", and clicking on "Compressed (zipped) Folder". If the file it too large to attach to a reply, then let me know, and I will send you a private message with instructions on how to get it to us.
  6. Here are some instructions on adding this program's folder to the Exclusions list in Online Armor: Click on the 'Start' button, go to "All Programs", go to "Online Armor", and click on the Online Armor icon to open it. Click on 'Options' in the menu on the left. Go to the 'Exclusions' tab. Click on the 'Add' button. Use the little [+] and [-] icons to the left of folder names to open and close them, find the folder that you wish to add to the exclusions list, click on it to highlight it, and then click 'OK' at the bottom. The folder you are looking for is most likely C:\DatabaseNet4 Close the Online Armor window.
  7. OK, lets get some more information. Our developers want a log from System Information, and I would like to see an OTL log, so here's instructions for getting both: System Information Click on the Start button. Go to All Programs . Go to Accessories . Go to System Tools . Click on System Information . Click on the File menu to open it. Click on Save . Save the System Information on your desktop (this may take a few minutes). Close the System Informaton window and then right-click on the System Information file you saved, go to Send to , and select Compressed (zipped) folder . This will add your System Information file to a ZIP archive that you can attach to a reply in this forum topic. Reply to this topic by using the More Reply Options button to the lower-right of where you type in your reply, and attach the ZIP archive to a reply. OTL Click this link to save OTL onto your desktop (please make sure to click 'Save' instead of 'Run'). Double click on the OTL icon on your desktop to run it. Make sure all other windows are closed and to let it run uninterrupted. Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan will take a few minutes. When the scan completes, it will open two Notepad windows. OTL.Txt and Extras.Txt . The first one (OTL.txt) will be automatically saved on your desktop next to OTL, and the second one will need to be saved manually. Please make sure that both OTL.txt and Extras.txt are saved on your desktop, and then attach both of them to a reply.
  8. OK, we'll probably need some logs to see what the problem is. Open Online Armor, go to 'Options' in the menu on the left, click the little check box to enable debug mode (just above the "Run Safety Check Wizard", restart your computer (Debug Mode will not be enabled until after your computer is restarted), and then try a normal shutdown. After that, please ZIP your entire logs folder (normally C:\Program Files\Online Armor\Logs) and attach it to a reply for me. Note that, if you don't have a utility such as 7-Zip, WinZip, or WinRar that you can ZIP files and folders by right-clicking on them, going to "Send To", and clicking on "Compressed (zipped) Folder". If the file it too large to attach to a reply, then let me know, and I will send you a private message with instructions on how to get it to us.
  9. You're quite welcome. Since everything seems OK, I am going to go ahead and close this topic. Note: The instructions in this forum topic have been customized based on the logs posted by the person asking for assistance. Please do not attempt to follow any of the instructions in this forum topic, as they could cause damage to your computer. If you require assistance, please start here if you believe your computer is infected, and one of our experts will be happy to assist you by analyzing your logs.
  10. If no threats were found, then I'm fairly certain that it does not give you the option to save a log, so that's OK. ComboFix makes repairs on its own, and you will see some deletions in its initial log. Also, the scripts I asked you to run made some repairs as well (mostly just deleting things that were bad or didn't need to be there, as well as temp files). If you go ahead and run a scan with Emsisoft Anti-Malware, does it detect anything?
  11. If you look in the folder C:\Program Files\Emsisoft Anti-Malware are there any files with names that end in .elf? If so, please zip the, and attach them to a reply. You can zip files by right-clicking on them, going to Send to, and selecting Compressed (zipped) folder.
  12. Brilliant? Or slightly crazy? I'm sure that's open to debate. That ComboFix log looks fine to me. Lets get a second opinion just to make sure we didn't miss anything. Please run an online virus scan through ESET by following the steps below: Turn off your anti-virus software. Click on this link. Click on the ESET Online Scanner button. Put a check in the box that says YES, I accept the Terms of Use. Click the 'Start' button just to the right of the checkbox. Uncheck the box that says Remove found threats (this is very important). Click on Advanced settings. Put a check in the box that says Scan for potentially unsafe applications. Verify that Scan for potentially unwanted applications is also checked. Verify that Enable Anti-Stealth technology is also checked. Click the Start button in the lower-right corner of the page, and it will begin downloading it's database, and then it will start scanning. When the scan is done, if it shows a screen that says Threats found!, then click List of found threats, and then click Export to text file... (if nothing was found, then just let me know that no threats were found). Save that text file on your desktop, and then attach it to a reply (using the More Reply Options button in the lower-right corner of this forum topic) for me. Close the ESET online scan. I will take a look at the log, and let you know if anything needs removed.
  13. OK, go ahead and run a scan with Emsisoft Anti-Malware, and let me know if it detects anything.
  14. The OTL log should list all of your hard drives, as does the TDSSKiller drive (it checks the MBR on each drive). Those unsigned files that were detected look OK to me. It is, unfortunately, fairly common for companies to not sign some of their drivers. It can be annoying when trying to figure out what stuff is, but it doesn't mean that the files are dangerous. Based on your logs so far, I think it's safe to run ComboFix. Please download ComboFix from one of the following links, and follow the instructions below to run it. Save as Combo-Fix.exe during the download. ComboFix must be renamed before you download to your Desktop Link 1 Link 2 * IMPORTANT !!! Save Combo-Fix to your Desktop Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools See HERE for help Double click on ComboFix.exe & follow the prompts. As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware. Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console. **Please note: (This applies to Windows XP systems only) If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures. Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message: Click on Yes, to continue scanning for malware. When finished, ComboFix will produce a log. Note: 1. Do not mouseclick combofix's window while it's running. That may cause it to stall! 2. Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet. Attach logs for: (USE THE "MORE REPLY OPTIONS" BUTTON TO BE ABLE TO DO THIS) ComboFix (C:\combofix.txt) Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
  15. OK, those are all minor threats (adware or software with minor privacy concerns). The detection in the System Restore is not a big deal, because I'll tell you how to clear it out once your computer is cleaned up. If you want to delete those files that were detected, then here's instructions on how to do it: 1. Please download The Avenger from this link, and make sure to save it on your Desktop. Right click on the Avenger.zip folder and select "Extract All..." Follow the prompts and extract the avenger folder to your desktop 2. Save the AvengerScript.txt at the link below to your desktop, open it, and copy all the text contained in the AvengerScript.txt file, and it will be pasted into The Avenger in a later step (if you do not know how to copy and paste, then there are instructions at this link): Note: the above code was created specifically for the person requesting assistance in this forum topic, and it is based entirely on the logs they supplied from their computer. No one else should attempt to run The Avenger with this script, as it may damage their computer! 3. Now, open the avenger folder on your desktop and start The Avenger program by double-clicking on its icon. Please paste the contents of the attached AvengerScript.txt file above (which you should have already copied) into the white box in The Avenger (see example picture below). Click on the Execute button in the low-right corner (see example picture below). Answer "Yes" twice when prompted. 4. The Avenger will automatically do the following: It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.) On reboot, it will briefly open a black command window on your desktop, this is normal. After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip. 5. Please attach the content of c:\avenger.txt to a reply by using the More Reply Options button to the lower-right of where you type in your reply.
  16. Please download DebugView from this link: When downloading, make sure to save it on your Desktop instead of clicking 'Run' or 'Open'. Right-click on the 'DebugView' file that you just saved on your Desktop, and select "Extract All". Open the new DebugView folder that was created on your Desktop after extracting. Windows XP and 2000 users should double-click on the file named 'Dbgview'. Windows 7 and Vista users should right-click and select "Run as Administrator". Click on the 'Capture' menu, and select everything except "Log Boot" (you will have to open the menu again after clicking to select an item). Open Outlook, wait until you see the error message, then close the error message (either by clicking OK or Cancel). After seeing the error message in Outlook you can switch back to DebugView and click 'File' and "Save As" in order to save the log to a file on your Desktop. Please attach that log file to a reply so that we may analyze it for errors. You will need to use the More Reply Options button to the lower-right of where you type in your reply in order to access the attachment controls. Note: You may need to ZIP the log file in order to attach it. If you do not have a program such as 7-Zip, WinZip, WinRar, etc. then you can right-click on the log file, go to Sent to, and click on Compressed (zipped) folder. You will be able to attach the ZIP archive to a reply.
  17. That's OK. It can take some time to get used to how a forum works. That log is showing some problems with some system files. Before proceeding, lets get one more log just to make sure that there are no rootkits. Please get me a log from TDSSKiller by following the instructions below: Download TDSSKiller from this link and save it on your desktop. Run the TDSSKiller download that you saved. Click on Change parameters as it shows in the following screenshot: Make sure that Verify digital signatures and Detect TDLFS file system are checked as in the following screenshot, and then click OK: Click the Start scan button as in the following screenshot: You will see the following as the scan runs: If there are any threats or malicious items detected, then make sure the option to the right of each item is set to Skip as in the following screenshot (it is very important that TDSSKiller not be allowed to Cure, Quarantine, or Delete these detections!), note that you can click on the selection action to open a list and change it if it is not set to Skip automatically, and then click Continue at the bottom when everything is set to Skip: Click on Report in the upper-right corner, as in the following screenshot: You will see a report similar to the one in the following screenshot. Please click in the report somewhere, then hold down the Ctrl key on your keyboard and tap the A key to select the entire report. Once everything is selected, then it should look similar to the following screenshot, and you will be able to hold down the Ctrl key on your keyboard and tap the C key to copy the entire report. Open Notepad by clicking on the Start button, going to All Programs (or just Programs in Windows 7 and Vista), then Accessories, and clicking on Notepad in the list. Once Notepad has opened, click on Edit to open the Edit menu, and then click Paste, as in the following screenshot: Once the report has been pasted into Notepad, click File to open the File menu, and then click Save as, as in the following screenshot. Please save the report on your desktop and attach it to a reply by using the More Reply Options button to the lower-right of where you type in your reply.
  18. I hate to say it, because this was in your OTL log and I missed it, but I think I just found out where your infection came from: C:\Users\Administrator\Desktop\keygen.exe We do have a no piracy policy here, and I'm going to have to ask you to remove any pirated software, keygens, cracks, etc. before we proceed. Once you have done that, follow the instructions below to get me WVCheck and CKScanner logs: WVCheck Please download WVCheck from this link (make sure to save it on your desktop), and follow the steps below to get me a log: Double-click on the WVCheck file that you saved on your desktop to run it. Once it has launched, press Enter on your keyboard to start the scan (this could take a while, depending on how much hard drive space you have). Once it is done, it will open a log in Notepad. Please save this log on your desktop, and attach it to a reply by using the More Reply Options button to the lower-right of where you type in your reply. CKScanner Download CKScanner from here Important : Save it to your desktop. Doubleclick CKScanner.exe and click Search For Files . After a very short time, when the cursor hourglass disappears, click Save List To File . A message box will verify that the file is saved. Please attach the CKFiles.txt file on your desktop to a reply by using the More Reply Options button to the lower-right of where you type in your reply.
  19. That log actually looks fairly good. Lets get a second opinion. Please run an online virus scan through ESET by following the steps below: Turn off your anti-virus software. Click on this link. Click on the ESET Online Scanner button. Put a check in the box that says YES, I accept the Terms of Use. Click the 'Start' button just to the right of the checkbox. Uncheck the box that says Remove found threats (this is very important). Click on Advanced settings. Put a check in the box that says Scan for potentially unsafe applications. Verify that Scan for potentially unwanted applications is also checked. Verify that Enable Anti-Stealth technology is also checked. Click the Start button in the lower-right corner of the page, and it will begin downloading it's database, and then it will start scanning. When the scan is done, if it shows a screen that says Threats found!, then click List of found threats, and then click Export to text file... (if nothing was found, then just let me know that no threats were found). Save that text file on your desktop, and then attach it to a reply (using the More Reply Options button in the lower-right corner of this forum topic) for me. Close the ESET online scan. I will take a look at the log, and let you know if anything needs removed.
  20. OK, lets move on with checking your computer. Please run an online virus scan through ESET by following the steps below: Turn off your anti-virus software. Click on this link. Click on the ESET Online Scanner button. Put a check in the box that says YES, I accept the Terms of Use. Click the 'Start' button just to the right of the checkbox. Uncheck the box that says Remove found threats (this is very important). Click on Advanced settings. Put a check in the box that says Scan for potentially unsafe applications. Verify that Scan for potentially unwanted applications is also checked. Verify that Enable Anti-Stealth technology is also checked. Click the Start button in the lower-right corner of the page, and it will begin downloading it's database, and then it will start scanning. When the scan is done, if it shows a screen that says Threats found!, then click List of found threats, and then click Export to text file... (if nothing was found, then just let me know that no threats were found). Save that text file on your desktop, and then attach it to a reply (using the More Reply Options button in the lower-right corner of this forum topic) for me. Close the ESET online scan. I will take a look at the log, and let you know if anything needs removed.
  21. It looks like the part of the scan that produces the Extras log is no longer selected by default. It isn't a big deal, unless you are still having trouble. It does give me some extra information to help with debugging problems, however most of what I need to assist you is in the main OTL log. I have written a cleanup script for OTL (if you need to, you may download OTL from this link). Please download the following OTL_Script file, and save it on your desktop. After saving it, open it, run OTL, and copy and paste the contents of the OTL_Script file into the Custom Scans/Fixes box at the bottom of the OTL window: Then click the Run Fix button at the top. Let the program run unhindered, restart your computer when it is done (it may automatically restart your computer on its own). After your computer has restarted, please open OTL again and click the Quick Scan button. Attach the log it produces in your next reply (just the OTL log, as I don't need to see the Extras log again). You will need to click the button that says More Reply Options to the lower-right of where you type your reply to be presented with the attachment controls.
  22. OK, that log looks better. Lets move on to ComboFix. Please download ComboFix from one of the following links, and follow the instructions below to run it. Save as Combo-Fix.exe during the download. ComboFix must be renamed before you download to your Desktop Link 1 Link 2 * IMPORTANT !!! Save Combo-Fix to your Desktop Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools See HERE for help Double click on ComboFix.exe & follow the prompts. As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware. Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console. **Please note: (This applies to Windows XP systems only) If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures. Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message: Click on Yes, to continue scanning for malware. When finished, ComboFix will produce a log. Note: 1. Do not mouseclick combofix's window while it's running. That may cause it to stall! 2. Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet. Attach logs for: (USE THE "MORE REPLY OPTIONS" BUTTON TO BE ABLE TO DO THIS) ComboFix (C:\combofix.txt) Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
  23. I see your forum profile lists that you also have Microsoft Security Essentials and Malwarebytes' Anti-Malware installed. Do you have any other security software? Is MBAM registered with an id and key and running real-time protection?
  24. I have written a cleanup script for OTL (if you need to, you may download OTL from this link). Please download the following OTL_Script file, and save it on your desktop. After saving it, open it, run OTL, and copy and paste the contents of the OTL_Script file into the Custom Scans/Fixes box at the bottom of the OTL window: Then click the Run Fix button at the top. Let the program run unhindered, restart your computer when it is done (it may automatically restart your computer on its own). After your computer has restarted, please open OTL again and click the Quick Scan button. Attach the log it produces in your next reply (just the OTL log, as I don't need to see the Extras log again). You will need to click the button that says More Reply Options to the lower-right of where you type your reply to be presented with the attachment controls.