GT500

Emsisoft Employee
  • Content Count: 11231
  • Days Won: 323

Everything posted by GT500

  1. OK, according to that log ComboFix did not completely remove the ZeroAccess infection, and one of your system files is still infected. Fortunately, the ComboFix log shows a backup copy of the infected system file that appears to be clean. That backup copy can be used to replace the infected file. Before we do this, however, I will need some more information to ensure that we are not missing anything when we do this fix. Please run OTL again (you can download it from here if you need to), before clicking Run Scan make sure to type or copy and paste NETSVCS into the Custom Scans/Fixes box, and then click on the Run Scan button to start the scan. Please save the OTL log on your desktop when done, and attach it to a reply.
  2. No, if the file was moved then go ahead and run the ESET scan and attach the log for me when it is done. Here are the instructions again:
     • Turn off your anti-virus software.
     • Click on this link.
     • Click on the ESET Online Scanner button.
     • Put a check in the box that says YES, I accept the Terms of Use.
     • Click the 'Start' button just to the right of the checkbox.
     • Uncheck the box that says Remove found threats (this is very important).
     • Click on Advanced settings.
     • Put a check in the box that says Scan for potentially unsafe applications.
     • Verify that Scan for potentially unwanted applications is also checked.
     • Verify that Enable Anti-Stealth technology is also checked.
     • Click the Start button in the lower-right corner of the page, and it will begin downloading its database, and then it will start scanning.
     • When the scan is done, if it shows a screen that says Threats found!, then click List of found threats, and then click Export to text file... (if nothing was found, then just let me know that no threats were found).
     • Save that text file on your desktop, and then attach it to a reply (using the More Reply Options button in the lower-right corner of this forum topic) for me.
     • Close the ESET online scan.
     I will take a look at the log, and let you know if anything needs to be removed.
  3. Just to clarify, the word 'malware' refers to "malicious software", which includes viruses, worms, spyware, trojans, rootkits, keyloggers, etc. Our developers and researchers take the definition of 'malware' literally, and they make sure that Emsisoft Anti-Malware covers all of these areas and more.
  4. That's a bit odd. Let's try using ComboFix to move it. I have written a script that will tell ComboFix how to move that file. Here are instructions on what to do with the script:
     • Download an updated version of ComboFix from one of the following links: BleepingComputer, InfoSpyware
     • Turn off your Anti-Virus software.
     • Click your Start button, go to All Programs (or just Programs on Vista and Windows 7), go to Accessories, and then open Notepad.
     • Please copy and paste the contents of the box below into Notepad (here is a link to instructions if you do not know how to copy and paste): http://support.emsisoft.com/topic/7453-pc-infected-by-trojans/

       KillAll::
       FileLook::
       C:\Program Files\Common Files\Microsoft Shared\ink\lpsPlugin.dll
       FCopy::
       C:\Program Files\Common Files\Microsoft Shared\ink\lpsPlugin.dll | C:\lpsPlugin.dll
       File::
       C:\Program Files\Common Files\Microsoft Shared\ink\lpsPlugin.dll

     • Save this as a Text Document named CFScript in the same location as ComboFix (which should be on your desktop).
     • Close Notepad and verify that the CFScript file is saved on your desktop.
     • Referring to the animated picture below, click the left mouse button on top of the CFScript icon on your desktop, then holding the mouse button down drag the CFScript icon on your desktop onto the ComboFix icon, and then drop it (let go of the mouse button) on top of the ComboFix icon:
     When finished, it will display a new log in Notepad. Please attach that log to a reply the same way you did before. If you prefer, you can save the log on your desktop to make it easier to find.
  5. ZeroAccess? That is a pretty nasty rootkit, and I hadn't heard anything about ComboFix being able to clean up the latest variants of it, so let's get some more information to make sure that it did really get removed. Please get me a log from TDSSKiller by following the instructions below:
     • Download TDSSKiller from this link and save it on your desktop.
     • Run the TDSSKiller download that you saved.
     • Click on Change parameters as it shows in the following screenshot:
     • Make sure that Verify digital signatures and Detect TDLFS file system are checked as in the following screenshot, and then click OK:
     • Click the Start scan button as in the following screenshot:
     • You will see the following as the scan runs:
     • If there are any threats or malicious items detected, then make sure the option to the right of each item is set to Skip as in the following screenshot (it is very important that TDSSKiller not be allowed to Cure, Quarantine, or Delete these detections!), note that you can click on the selection action to open a list and change it if it is not set to Skip automatically, and then click Continue at the bottom when everything is set to Skip:
     • Click on Report in the upper-right corner, as in the following screenshot:
     • You will see a report similar to the one in the following screenshot. Please click in the report somewhere, then hold down the Ctrl key on your keyboard and tap the A key to select the entire report.
     • Once everything is selected, then it should look similar to the following screenshot, and you will be able to hold down the Ctrl key on your keyboard and tap the C key to copy the entire report.
     • Open Notepad by clicking on the Start button, going to All Programs (or just Programs in Windows 7 and Vista), then Accessories, and clicking on Notepad in the list.
     • Once Notepad has opened, click on Edit to open the Edit menu, and then click Paste, as in the following screenshot:
     • Once the report has been pasted into Notepad, click File to open the File menu, and then click Save as, as in the following screenshot.
     • Please save the report on your desktop and attach it to a reply by using the More Reply Options button to the lower-right of where you type in your reply.
  6. That log looks pretty good. ComboFix automatically deleted a bad file I saw in your OTL log (it also deleted some crash reports from Emsisoft Anti-Malware, but I contacted the guy who makes ComboFix and he's going to fix that). Let's get a virus scan from a third party just to verify that your computer is clean. Please run an online virus scan through ESET by following the steps below:
     • Turn off your anti-virus software.
     • Click on this link.
     • Click on the ESET Online Scanner button.
     • Put a check in the box that says YES, I accept the Terms of Use.
     • Click the 'Start' button just to the right of the checkbox.
     • Uncheck the box that says Remove found threats (this is very important).
     • Click on Advanced settings.
     • Put a check in the box that says Scan for potentially unsafe applications.
     • Verify that Scan for potentially unwanted applications is also checked.
     • Verify that Enable Anti-Stealth technology is also checked.
     • Click the Start button in the lower-right corner of the page, and it will begin downloading its database, and then it will start scanning.
     • When the scan is done, if it shows a screen that says Threats found!, then click List of found threats, and then click Export to text file... (if nothing was found, then just let me know that no threats were found).
     • Save that text file on your desktop, and then attach it to a reply (using the More Reply Options button in the lower-right corner of this forum topic) for me.
     • Close the ESET online scan.
     I will take a look at the log, and let you know if anything needs to be removed.
  7. We can try using BlitzBlank to move the file to your C: drive (note that whatever program uses this file may start displaying an error message after it is moved):
     • Please download BlitzBlank from , and save it on your desktop.
     • Run BlitzBlank from the icon on your desktop.
     • It will display a warning. Click OK to continue.
     • Switch to the Script tab.
     • Copy and paste the contents of the following box into the big white box on the Script tab:

       MoveFile: "C:\Program Files\Common Files\Microsoft Shared\ink\lpsPlugin.dll" C:\lpsPlugin.dll

     • After pasting the script in the box above into the white box in BlitzBlank, please click the Execute button in the lower-right corner.
     • A message will appear warning you that BlitzBlank is going to restart your computer. Make sure that anything you were working on is saved, and click OK to allow it to restart your computer.
     • When your computer is starting up you should see an odd black screen with some white text on it. This is normal, and your computer will continue with its normal startup after a minute or two.
     • Once your computer is finished starting up, there should be a log file saved as a Text Document named blitzblank in the root of your C: drive. Please attach that file to a reply by using the More Reply Options button to the lower-right of where you type in your reply.
  8. Most of those logs aren't useful without samples, and our researchers would prefer a copy of whatever file originally caused the infection so that they can learn the most about this.
  9. Since you've already found the, if you don't mind doing it, I recommend deleting them.
  10. Due to the way Virut infects files, it is often not possible for an anti-virus to completely remove all of the fragments of Virut code from an infected file. While the Virut infection may be completely disabled, some anti-virus software may still detect the file due to this issue. Are these files important, or can they be deleted?
  11. This section is worrying me a little bit:

       windows 7 x64 active av kav 11 yandex version
       H:\????? ?????\1000.exe Win32/Virut.NBP ?????
       H:\????? ?????\beertend.exe.kav Win32/Virut.NBP ?????
       H:\????? ?????\durak.exe.kav Win32/Virut.NBP ?????
       H:\????? ?????\happy.exe Win32/Virut.NBP ?????
       H:\????? ?????\tutorial.exe.kav Win32/Virut.NBP ?????

      Are you able to find those files? If so, can you upload them to VirusTotal and post links to the analysis of each file for me?
  12. Please get me a log from TDSSKiller by following the instructions below:
     • Download TDSSKiller from this link and save it on your desktop.
     • Run the TDSSKiller download that you saved.
     • Click on Change parameters as it shows in the following screenshot:
     • Make sure that Verify digital signatures and Detect TDLFS file system are checked as in the following screenshot, and then click OK:
     • Click the Start scan button as in the following screenshot:
     • You will see the following as the scan runs:
     • If there are any threats or malicious items detected, then make sure the option to the right of each item is set to Skip as in the following screenshot (it is very important that TDSSKiller not be allowed to Cure, Quarantine, or Delete these detections!), note that you can click on the selection action to open a list and change it if it is not set to Skip automatically, and then click Continue at the bottom when everything is set to Skip:
     • Click on Report in the upper-right corner, as in the following screenshot:
     • You will see a report similar to the one in the following screenshot. Please click in the report somewhere, then hold down the Ctrl key on your keyboard and tap the A key to select the entire report.
     • Once everything is selected, then it should look similar to the following screenshot, and you will be able to hold down the Ctrl key on your keyboard and tap the C key to copy the entire report.
     • Open Notepad by clicking on the Start button, going to All Programs (or just Programs in Windows 7 and Vista), then Accessories, and clicking on Notepad in the list.
     • Once Notepad has opened, click on Edit to open the Edit menu, and then click Paste, as in the following screenshot:
     • Once the report has been pasted into Notepad, click File to open the File menu, and then click Save as, as in the following screenshot.
     • Please save the report on your desktop and attach it to a reply by using the More Reply Options button to the lower-right of where you type in your reply.
  13. ZeroAccess? This is a very nasty rootkit. I was talking to someone the other day who has extensive experience removing the ZeroAccess rootkit, and it is possible that we will have to use a boot disk to get rid of it. Before we go to that extreme, please try ComboFix one more time, and attach the log to a reply. Make sure to download the latest ComboFix from one of the links below:
     • Link 1
     • Link 2
  14. OK, that log looks better. Just to verify that there aren't any leftovers, please run an online virus scan through ESET by following the steps below:
     • Turn off your anti-virus software.
     • Click on this link.
     • Click on the ESET Online Scanner button.
     • Put a check in the box that says YES, I accept the Terms of Use.
     • Click the 'Start' button just to the right of the checkbox.
     • Uncheck the box that says Remove found threats (this is very important).
     • Click on Advanced settings.
     • Put a check in the box that says Scan for potentially unsafe applications.
     • Verify that Scan for potentially unwanted applications is also checked.
     • Verify that Enable Anti-Stealth technology is also checked.
     • Click the Start button in the lower-right corner of the page, and it will begin downloading its database, and then it will start scanning.
     • When the scan is done, if it shows a screen that says Threats found!, then click List of found threats, and then click Export to text file... (if nothing was found, then just let me know that no threats were found).
     • Save that text file on your desktop, and then attach it to a reply (using the More Reply Options button in the lower-right corner of this forum topic) for me.
     • Close the ESET online scan.
     I will take a look at the log, and let you know if anything needs to be removed.
  15. You're quite welcome, and here are some final instructions for you before you go:
     1. Make Sure Java is Updated: Click on the Start button. Click on Control Panel. Click Uninstall a program. Look for Java in the list (should be alphabetical), and uninstall all versions of Java that you find listed. Click on this link and download and install the latest Java (the Windows Online download will be faster).
     2. Make Sure Adobe Flash is Updated: Click on this link and download the latest version of Adobe Flash Player for your web browser. You will need to close your web browser when installing Flash.
     3. Make Sure Your Computer Has The Latest Windows Updates: Click on the Start button. Go to All Programs. Click on Windows Update. Click Check for updates in the menu on the left (should be near the top). Once it is done checking for updates, click the Install updates button on the right. If your computer wants to restart after the updates are done, make sure that you allow it to.
     4. Web Of Trust Extension: While this is not a requirement, I highly recommend that you click this link and check out the Web Of Trust extension for your web browser. It will add an extra layer of protection to your web browsing for free, and it is especially helpful when doing searches on Google, Yahoo!, Bing, etc. as it will point out what sites are considered trustworthy and what sites are not by drawing a colored circle to the right of each search result. Green means trusted, red means not trusted, yellow is in between, and white means it is not in Web Of Trust's database.
     5. Empty The System Restore: Click on the Start button. Right-click on Computer. Select Properties from the list. In the window that pops up, click on the System protection link in the menu on the left. The buttons may not be clickable for a few moments, but once you can click on them select the drive in the list near the bottom that shows protection is on (this will usually be your C: drive) and click the Configure... button. Click the button near the bottom-right that says Delete to clear all System Restore data. Once finished, click OK to close that window. Now you will want to make sure that the correct drive is selected again (usually your C: drive) and click on the Create button to create a new restore point. Fill in a name for the restore point, and click the Create button. Once it is done, you can close the windows that were opened to get to the System Restore settings.
  16. Please follow the instructions at this link to run TDSSKiller, and allow it to either Cure or Delete anything bad it detects.
  17. OK, I have written a script that will tell ComboFix how to fix some stuff I saw in your log. Here are instructions on what to do with the script:
     • Turn off your Anti-Virus software.
     • Click your Start button, go to All Programs (or just Programs on Vista and Windows 7), go to Accessories, and then open Notepad.
     • Please copy and paste the contents of the box below into Notepad (here is a link to instructions if you do not know how to copy and paste): http://support.emsisoft.com/topic/7534-browser-virus/

       KillAll::
       Driver::
       Normandy
       Suspect::
       h:\windows\SysWow64\drivers\uzq3odgy.sys
       h:\windows\system32\xyz.rrfyr.exe
       h:\windows\winstart.bat
       FCopy::
       h:\windows\winsxs\amd64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_2b5e71b083fc0973\user32.dll | h:\windows\system32\user32.dll
       h:\windows\winsxs\wow64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_35b31c02b85ccb6e\user32.dll | h:\windows\SysWOW64\user32.dll
       RegLock::
       [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

     • Save this as a Text Document named CFScript in the same location as ComboFix (which should be on your desktop).
     • Close Notepad and verify that the CFScript file is saved on your desktop.
     • Referring to the animated picture below, click the left mouse button on top of the CFScript icon on your desktop, then holding the mouse button down drag the CFScript icon on your desktop onto the ComboFix icon, and then drop it (let go of the mouse button) on top of the ComboFix icon:
     When finished, it will display a new log in Notepad. Please attach that log to a reply the same way you did before. If you prefer, you can save the log on your desktop to make it easier to find.
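Posts 1 and 17 both rely on a clean backup copy of a system file (here user32.dll from the WinSxS component store) to replace a patched one. The PowerShell script below is an added example, not part of the post and not something ComboFix does: it compares each live file named in the FCopy:: block above against its WinSxS source by SHA-256, so you can confirm the mismatch before the replacement and the match afterwards. The drive letter and WinSxS folder names are the ones from the post; $Root is an assumption to adjust on a system where Windows is on C:.

```powershell
# Added example (not from the forum post or ComboFix): compare the live user32.dll
# copies with the WinSxS copies named in the CFScript above, using SHA-256.
# Uses .NET directly so it also works on the PowerShell 2.0 that ships with Windows 7.
# Run from an elevated prompt; $Root is an assumption (the post's system has Windows on H:).

$Root = 'H:\Windows'

# (clean WinSxS copy, live file that should be identical to it), taken from the FCopy:: block
$Pairs = @(
    @{ Source = "$Root\winsxs\amd64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_2b5e71b083fc0973\user32.dll"
       Target = "$Root\system32\user32.dll" },
    @{ Source = "$Root\winsxs\wow64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_35b31c02b85ccb6e\user32.dll"
       Target = "$Root\SysWOW64\user32.dll" }
)

function Get-Sha256Hex {
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try { $bytes = $sha.ComputeHash($stream) } finally { $stream.Close() }
    ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
}

function Test-SystemFileAgainstBackup {
    param([string]$Source, [string]$Target)

    foreach ($p in @($Source, $Target)) {
        if (-not (Test-Path -LiteralPath $p)) {
            return New-Object PSObject -Property @{ Target = $Target; Status = "missing: $p" }
        }
    }

    $srcHash = Get-Sha256Hex $Source
    $dstHash = Get-Sha256Hex $Target
    $src = Get-Item -LiteralPath $Source
    $dst = Get-Item -LiteralPath $Target

    # Same size but a different hash is the typical signature of an in-place patched system file.
    $status = if ($srcHash -eq $dstHash) { 'identical to WinSxS copy' }
              elseif ($src.Length -eq $dst.Length) { 'same size, different content (patched?)' }
              else { 'differs from WinSxS copy' }

    New-Object PSObject -Property @{
        Target        = $Target
        Status        = $status
        LiveSize      = $dst.Length
        BackupSize    = $src.Length
        LiveModified  = $dst.LastWriteTimeUtc
        LiveSha256    = $dstHash
        BackupSha256  = $srcHash
    }
}

$Pairs | ForEach-Object { Test-SystemFileAgainstBackup @_ } |
    Format-List Target, Status, LiveSize, BackupSize, LiveModified, LiveSha256, BackupSha256
```

After ComboFix has copied the files back, `sfc /verifyonly` from an elevated command prompt gives Windows' own verdict on the same files without modifying anything.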
  18. Please download ComboFix from one of the following links, and follow the instructions below to run it. Save as Combo-Fix.exe during the download. ComboFix must be renamed before you download to your Desktop.
     • Link 1
     • Link 2
     * IMPORTANT !!! Save Combo-Fix to your Desktop
     • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. See HERE for help.
     • Double click on ComboFix.exe & follow the prompts.
     • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
     • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
     **Please note: (This applies to Windows XP systems only) If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
     • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message: Click on Yes, to continue scanning for malware.
     • When finished, ComboFix will produce a log.
     Note:
     1. Do not mouseclick ComboFix's window while it's running. That may cause it to stall!
     2. Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet.
     Attach logs for: (USE THE "MORE REPLY OPTIONS" BUTTON TO BE ABLE TO DO THIS) ComboFix (C:\combofix.txt)
     Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
  19. We're going to need that ComboFix log (I can analyze it to see if there are any signs of an infection that were not removed), so go ahead and uninstall any AVG software, restart your computer, and then run the utility at this link (restarting your computer when asked) to make sure that nothing was left behind. You can reinstall AVG once I've been able to make sure that your computer is clean. After uninstalling AVG, go ahead and run ComboFix again, and get me a copy of the log.
  20. You don't have to uninstall MBAM to prevent its services from loading on startup. All you have to do is uncheck the option to start with Windows (either by right-clicking on the System Tray icon for MBAM or by opening MBAM and going to the Protection tab) and then restart your computer.
  21. That ComboFix log looks pretty good. Let's just get one more log to verify that your system is clean. Please run an online virus scan through ESET by following the steps below:
     • Turn off your anti-virus software.
     • Click on this link.
     • Click on the ESET Online Scanner button.
     • Put a check in the box that says YES, I accept the Terms of Use.
     • Click the 'Start' button just to the right of the checkbox.
     • Uncheck the box that says Remove found threats (this is very important).
     • Click on Advanced settings.
     • Put a check in the box that says Scan for potentially unsafe applications.
     • Verify that Scan for potentially unwanted applications is also checked.
     • Verify that Enable Anti-Stealth technology is also checked.
     • Click the Start button in the lower-right corner of the page, and it will begin downloading its database, and then it will start scanning.
     • When the scan is done, if it shows a screen that says Threats found!, then click List of found threats, and then click Export to text file... (if nothing was found, then just let me know that no threats were found).
     • Save that text file on your desktop, and then attach it to a reply (using the More Reply Options button in the lower-right corner of this forum topic) for me.
     • Close the ESET online scan.
     I will take a look at the log, and let you know if anything needs to be removed.
  22. That's OK, we don't need your credit card statements. OTL failed to delete some stuff (or it got recreated after it was deleted). The entries may not be bad, however I do want to check and verify with another utility. Please download ComboFix from one of the following links, and follow the instructions below to run it. Save as Combo-Fix.exe during the download. ComboFix must be renamed before you download to your Desktop.
     • Link 1
     • Link 2
     * IMPORTANT !!! Save Combo-Fix to your Desktop
     • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. See HERE for help.
     • Double click on ComboFix.exe & follow the prompts.
     • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
     • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
     **Please note: (This applies to Windows XP systems only) If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
     • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message: Click on Yes, to continue scanning for malware.
     • When finished, ComboFix will produce a log.
     Note:
     1. Do not mouseclick ComboFix's window while it's running. That may cause it to stall!
     2. Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet.
     Attach logs for: (USE THE "MORE REPLY OPTIONS" BUTTON TO BE ABLE TO DO THIS) ComboFix (C:\combofix.txt)
     Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
  23. I assume that System Recovery Options screen looks like this (if the picture is tiny, then you can click on it to make it bigger): If so, then select the Command Prompt option. This will load a black window with white text. Click in the empty black space, and type in the command that is in the following box:

       chkdsk /F C:

      This will start an error check on your hard drive, and it should repair any errors in the filesystem automatically. Hopefully this will resolve the issue. Once it is done, you can simply close the command prompt, and click the Restart button.
  24. When you turn your computer on, do you get an option to load the Windows XP Recovery Console?
  25. Just a quick follow up: I have just spoken to Andrey and he has confirmed the following information: The fix will be tested in our next internal beta. There is currently no ETA on a public release. For now, simply mark the installer as Trusted and as an Installer in Online Armor to bypass the issue. If proper rules are set up in Online Armor for the installer, then the temp file should be ignored.