GT500

Emsisoft Employee
  • Content Count

    11444
  • Joined

  • Days Won

    330

Everything posted by GT500

  1. Considering the nature of the infection on your computer, it is possible that it is infected with a rogue. Rogues pretend to be antivirus software claiming that your computer is infected, and usually trying to get you to pay money to remove whatever they claim they detected. In reality, the rogue is the infection, and just allow Microsoft Security Essentials to finish its scan and then remove anything it finds. You may also want to try Malwarebytes' Anti-Malware again after Microsoft Security Essentials is done. Do you have access to a good computer with a CD burner? It may be necessary to use a bootable anti-virus disk to clean this infection up.
  2. I'm sorry, you did give me a GMER log earlier. Lets try a scan with Malwarebytes' Anti-Malware. Please run a scan with Malwarebytes' Anti-Malware by following the instructions below: Please download and install Malwarebytes' Anti-Malware from one of the three mirrors listed below (beware of excessive advertising on some of the download pages): Download From TechSpot Download From CNet's Download.com Download From MajorGeeks [*] When first running Malwarebytes' Anti-Malware, it will ask you if you want to operate it in a free trial mode. You can say no to this (the trial can be unlocked again at a later time if you want to try it). [*] Make sure to go to the Update tab and click the Check for Updates button to get the latest database. [*] Switch back to the Scanner tab and run a Quick Scan. [*] When it is done, remove anything it finds. [*] Whether or not it finds anything, you should be presented with a log in Notepad, which you should save to your desktop. [*] Attach the log you saved on your desktop to a reply for me to take a look at. You can attach files to a reply by clicking the More Reply Options to the lower-right of where you type in your reply. When the page loads, there will be a button right below the box to type in (on the left side) that says Choose Files... which will allow you to select the log file to attach it.
  3. Please download GMER from this link. Note that the file will have a random name, so make note of the file's name and save it to the root of your C: drive. Disconnect from the Internet and close all running programs. Temporarily disable any real-time active protection so your security program drivers will not conflict with this file. Click on this link to see a list of programs that should be disabled while running GMER (please try to avoid the advertisements on that page). Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator") Allow the driver to load if asked. You may be prompted to scan immediately if it detects rootkit activity. If you are prompted to scan your system click "No", save the log and post back the results. If not prompted, click the "Rootkit/Malware" tab. On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked. Select all drives that are connected to your system to be scanned. Click the Scan button to begin. (Please be patient as it can take some time to complete) When the scan is finished, click Save to save the scan results to your Desktop. Save the file as Results.log and please attach it to a reply by using the More Reply Options button to the lower-right of where you type in your reply (you may need to ZIP the log by right-clicking on it, going to Send to, and clicking on Compressed (zipped) folder before you can attach it). Exit the program and re-enable all active protection when done.
  4. Have you run a full scan of all of your hard drives with your ESET Smart Security?
  5. Thanks. I'll send this on to our developers to take a look at.
  6. Let just run ComboFix. Please download ComboFix from one of the following links, and follow the instructions below to run it. Save as Combo-Fix.exe during the download. ComboFix must be renamed before you download to your Desktop Link 1 Link 2 * IMPORTANT !!! Save Combo-Fix to your Desktop Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools See HERE for help Double click on ComboFix.exe & follow the prompts. As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware. Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console. **Please note: (This applies to Windows XP systems only) If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures. Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message: Click on Yes, to continue scanning for malware. When finished, ComboFix will produce a log. Note: 1. Do not mouseclick combofix's window while it's running. That may cause it to stall! 2. Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet. Attach logs for: (USE THE "MORE REPLY OPTIONS" BUTTON TO BE ABLE TO DO THIS) ComboFix (C:\combofix.txt) Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
  7. Go ahead and run the full scan with Microsoft Security Essentials, but run Rkill first.
  8. That's the same stuff that ComboFix keeps showing. I doubt that it was actually removed. I need some more information to know what's going on. Please download GMER from this link. Note that the file will have a random name, so make note of the file's name and save it to the root of your C: drive. Disconnect from the Internet and close all running programs. Temporarily disable any real-time active protection so your security program drivers will not conflict with this file. Click on this link to see a list of programs that should be disabled while running GMER (please try to avoid the advertisements on that page). Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator") Allow the driver to load if asked. You may be prompted to scan immediately if it detects rootkit activity. If you are prompted to scan your system click "No", save the log and post back the results. If not prompted, click the "Rootkit/Malware" tab. On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked. Select all drives that are connected to your system to be scanned. Click the Scan button to begin. (Please be patient as it can take some time to complete) When the scan is finished, click Save to save the scan results to your Desktop. Save the file as Results.log and please attach it to a reply by using the More Reply Options button to the lower-right of where you type in your reply (you may need to ZIP the log by right-clicking on it, going to Send to, and clicking on Compressed (zipped) folder before you can attach it). Exit the program and re-enable all active protection when done.
  9. Did these issues start after attempting to run the ESET online scan?
  10. I don't see any evidence of those entries in that log either. I assume that the detections listed in your screenshot in your first post have already been deleted? I'm also not seeing any signs of infection, so lets get a third-party opinion with an online virus scan. Please run an online virus scan through ESET by following the steps below: Turn off your anti-virus software. Click on this link. Click on the ESET Online Scanner button. Put a check in the box that says YES, I accept the Terms of Use. Click the 'Start' button just to the right of the checkbox. Uncheck the box that says Remove found threats (this is very important). Click on Advanced settings. Put a check in the box that says Scan for potentially unsafe applications. Verify that Scan for potentially unwanted applications is also checked. Verify that Enable Anti-Stealth technology is also checked. Click the Start button in the lower-right corner of the page, and it will begin downloading it's database, and then it will start scanning. When the scan is done, if it shows a screen that says Threats found!, then click List of found threats, and then click Export to text file... (if nothing was found, then just let me know that no threats were found). Save that text file on your desktop, and then attach it to a reply (using the More Reply Options button in the lower-right corner of this forum topic) for me. Close the ESET online scan. I will take a look at the log, and let you know if anything needs removed.
  11. That log isn't showing anything major. Just a few trojans on another partition (sda6 should be the 6th partition on your primary hard drive, although Windows partitions hard drives in an odd way, so you may not actually have 6 partitions). Everything else in the log is either errors or detections of the files backed up in TDSSKiller's quarantine. I do recommend that you delete the following files, assuming that the Avira AntiVir Rescue System hasn't already done so, as they may be infected with something (due to the way Linux maps hard drives, I can't be certain what drive you will find these files on in Windows): /reset/seminar jafar.exe.exe/comprise interface.DT3.exe/h.exe/itl.exe <<< Is the Trojan horse TR/Crypt.CFI.Gen [renamed] /reset/seminar jafar.exe.exe/comprise interface.DT3.exe/seminar jafar.exe.exe <<< Is the Trojan horse TR/Crypt.CFI.Gen [renamed] /reset/seminar jafar.exe.exe/comprise interface.DT3.exe/Temp.exe <<< Is the Trojan horse TR/Crypt.CFI.Gen [renamed] /reset/seminar jafar.exe.exe/D=0.5d Test problem.exe <<< Is the Trojan horse TR/Crypt.CFI.Gen [renamed] /D/1/1/1/star them hossein/Blazing Colors/Setup.exe <<< Is the Trojan horse TR/Dropper.Gen [renamed] /D/1/1/1/star them hossein/Color Cubes/Setup.exe <<< Is the Trojan horse TR/Dropper.Gen [renamed] /D/1/1/1/star them hossein/Pulsing Colors/Setup.exe <<< Is the Trojan horse TR/Dropper.Gen [renamed]
  12. This is a persistent infection. We're going to have to try something else. Make sure you run Rkill before proceeding with the following instructions. Please run a scan with Malwarebytes' Anti-Malware by following the instructions below: Please download and install Malwarebytes' Anti-Malware from one of the three mirrors listed below (beware of excessive advertising on some of the download pages): Download From TechSpot Download From CNet's Download.com Download From MajorGeeks [*] When first running Malwarebytes' Anti-Malware, it will ask you if you want to operate it in a free trial mode. You can say no to this (the trial can be unlocked again at a later time if you want to try it). [*] Make sure to go to the Update tab and click the Check for Updates button to get the latest database. [*] Switch back to the Scanner tab and run a Quick Scan. [*] When it is done, remove anything it finds. [*] Whether or not it finds anything, you should be presented with a log in Notepad, which you should save to your desktop. [*] Attach the log you saved on your desktop to a reply for me to take a look at. You can attach files to a reply by clicking the More Reply Options to the lower-right of where you type in your reply. When the page loads, there will be a button right below the box to type in (on the left side) that says Choose Files... which will allow you to select the log file to attach it.
  13. OK, please run ComboFix again, and get me a fresh log.
  14. Are you able to move that file out of the folder it's in, and then move it back where it was? Try just moving it to your desktop and back again.
  15. OK, ComboFix isn't deleting part if the infection, so we need to try a different utility. Here are some new instructions: 1. Please download The Avenger from this link, and make sure to save it on your Desktop. Right click on the Avenger.zip folder and select "Extract All..." Follow the prompts and extract the avenger folder to your desktop 2. Copy all the text contained in the CODE box below, and it will be pasted into The Avenger in a later step (if you do not know how to copy and paste, then there are instructions at this link): Folders to delete: c:\documents and settings\LocalService\Local Settings\Application Data\dbwsqsdv Note: the above code was created specifically for the person requesting assistance in this forum topic, and it is based entirely on the logs they supplied from their computer. No one else should attempt to run The Avenger with this script, as it may damage their computer! 3. Now, open the avenger folder on your desktop and start The Avenger program by double-clicking on its icon. Please paste the contents of the CODE box above (which you should have already copied) into the white box in The Avenger (see example picture below). Click on the Execute button in the low-right corner (see example picture below). Answer "Yes" twice when prompted. 4. The Avenger will automatically do the following: It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.) On reboot, it will briefly open a black command window on your desktop, this is normal. After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip. 5. Please copy/paste the content of c:\avenger.txt into your reply, and we will go from there.
  16. OK, there should be two ZIP archives in the following location on your computer: C:\Qoobox\Quarantine Their name will most likely start out [4] followed by the date and time. Windows may call them a Compressed (zipped) folder. Please send me a private message on the forums with these two files attached.
  17. If those scan results are not false positives, then a reformat and reinstall of Windows may be needed after all. It is possible that these are false positives, so if you want to try another bootable CD then you can try one of the following: Kaspersky Rescue Disk 10 Avira AntiVir Rescue System
  18. Yes, every version of ComboFix will expire after a certain period of time, and you will need to download a new one. If you run Rkill first, then are you able to download ComboFix from one of the links below? Link 1 Link 2
  19. The only Image File Execution Options oddities that OTL showed in the log were the following: O27 - HKLM IFEO\asc.exe: Debugger - C:\Program Files\TuneUp Utilities 2012\TUAutoReactivator32.exe (TuneUp Software) O27 - HKLM IFEO\suc12_uninstal.exe: Debugger - C:\Program Files\TuneUp Utilities 2012\TUAutoReactivator32.exe (TuneUp Software) O27 - HKLM IFEO\toolbox.exe: Debugger - C:\Program Files\TuneUp Utilities 2012\TUAutoReactivator32.exe (TuneUp Software) O27 - HKLM IFEO\turboboost.exe: Debugger - C:\Program Files\TuneUp Utilities 2012\TUAutoReactivator32.exe (TuneUp Software) O27 - HKLM IFEO\unins000.exe: Debugger - C:\Program Files\TuneUp Utilities 2012\TUAutoReactivator32.exe (TuneUp Software) As you can see, they are all related to TuneUp Utilities 2012, which is a legitimate utility. Lets get a registry export of the keys from your screenshot: For 32-bit Windows, please download MiniRegTool.zip and unzip it. For 64-bit Windows, please download MiniRegTool64.zip and unzip it. Run the MiniRegTool download. Copy and paste the following into the rectangular white box in MiniRegTool: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options] Check Export keys radio button. Press Go button and post the result.
  20. McAfee will need to be disabled before running ComboFix. If it is working, then it will not allow ComboFix to run properly. If you are unable to do anything about McAfee, then try following the instructions at this link to remove McAfee. You can reinstall it once we get your computer cleaned up. After disabling or uninstalling McAfee, please try the latest CFScript instructions again.
  21. OK, we're going to need to try another CFScript. Here are instructions again on what to do with the script: Turn off your Anti-Virus software. Run Rkill just to make sure that nothing interferes with ComboFix while it runs the script. Go ahead and run all three of the ones in the ZIP file I attach to a post earlier, just in case. Click your Start button, go to All Programs (or just Programs on Vista and Windows 7), go to Accessories, and then open Notepad. Please copy and paste the contents of the box below into Notepad (here is a link to instructions if you do not know how to copy and paste): http://support.emsisoft.com/topic/7475-my-pc-is-infected-and-i-cant-run-otl/ KillAll:: Collect:: c:\documents and settings\Bunny\Start Menu\Programs\Startup\lhofbvjm.exe c:\documents and settings\LocalService\Local Settings\Application Data\dbwsqsdv\lhofbvjm.exe c:\windows\Temp\dmjadxlsslpxqsmp.exe Folder:: c:\documents and settings\LocalService\Local Settings\Application Data\dbwsqsdv Registry:: [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon] "Userinit"="C:\WINDOWS\system32\userinit.exe," [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "LhoFbvjm"=- Save this as a Text Document named CFScript in the same location as ComboFix (which should be on your desktop). Close Notepad and verify that the CFScript file is saved on your desktop. Referring to the animated picture below, click the left mouse button on top of the CFScript icon on your desktop, then holding the mouse button down drag the CFScript icon on your desktop onto the ComboFix icon, and then drop it (let go of the mouse button) on top of the ComboFix icon: **NOTE** If ComboFix wants to update, then please allow it to do so. When finished, it will display a new log in Notepad. Please attach that log to a reply the same way you did before. If you prefer, you can save the log on your desktop to make it easier to find.
  22. Could you get us memory dumps from the BSOD crashes? Here is a link to an article from Microsoft on memory dumps in Windows XP. You may need to upload it to a service such as RapidShare due to the large size of memory dump files. Note that you can send me the link to download the dump file via a private message on our forums if you do not want to post it publicly.
  23. Try enabling beta updates in the update configuration.
  24. You're quite welcome. Please let us know if you have any further issues.
  25. Looks like that was a pretty bad infection. From that log, it looks like Safe Mode is broken, and we'll need to fix it after we finish some more cleanup. I have written a script that will tell ComboFix how to delete some stuff I saw in your log. Here are instructions on what to do with the script: Turn off your Anti-Virus software. Click your Start button, go to All Programs (or just Programs on Vista and Windows 7), go to Accessories, and then open Notepad. Please copy and paste the contents of the box below into Notepad (here is a link to instructions if you do not know how to copy and paste): http://support.emsisoft.com/topic/7475-my-pc-is-infected-and-i-cant-run-otl/ KillAll:: Collect:: C:\lhofbvjm.exe c:\documents and settings\LocalService\Local Settings\Application Data\dbwsqsdv\lhofbvjm.exe Suspect:: c:\program files\11201111240856.bat c:\program files\08201113562048.bat c:\program files\08201118561918.bat Folder:: c:\documents and settings\LocalService\Local Settings\Application Data\dbwsqsdv c:\documents and settings\Bunny\Local Settings\Application Data\dbwsqsdv Registry:: [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon] "Userinit"="C:\WINDOWS\system32\userinit.exe," Save this as a Text Document named CFScript in the same location as ComboFix (which should be on your desktop). Close Notepad and verify that the CFScript file is saved on your desktop. Referring to the animated picture below, click the left mouse button on top of the CFScript icon on your desktop, then holding the mouse button down drag the CFScript icon on your desktop onto the ComboFix icon, and then drop it (let go of the mouse button) on top of the ComboFix icon: When finished, it will display a new log in Notepad. Please attach that log to a reply the same way you did before. If you prefer, you can save the log on your desktop to make it easier to find.