GT500

Emsisoft Employee
  • Content Count

    12862
  • Joined

  • Days Won

    388

Everything posted by GT500

  1. I'm not seeing anything in that log that I recognize as a ZeroAccess infection. Lets get a ComboFix log and see if it reveals anything. Please download ComboFix from one of the following links, and follow the instructions below to run it. Save as Combo-Fix.exe during the download. ComboFix must be renamed before you download to your Desktop Link 1 Link 2 * IMPORTANT !!! Save Combo-Fix to your Desktop Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools See HERE for help Double click on ComboFix.exe & follow the prompts. As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware. Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console. **Please note: (This applies to Windows XP systems only) If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures. Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message: Click on Yes, to continue scanning for malware. When finished, ComboFix will produce a log. Note: 1. Do not mouseclick combofix's window while it's running. That may cause it to stall! 2. Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet. Attach logs for: (USE THE "MORE REPLY OPTIONS" BUTTON TO BE ABLE TO DO THIS) ComboFix (C:\combofix.txt) Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
  2. Also, if you could get us a screenshot of the popup, that might be helpful as well. Here's a link to instructions on how to sake a screenshot. Please attach it to a reply using the More Reply Options to access the attachment controls.
  3. Please run OTL by following the instructions below: Click this link to save OTL onto your desktop (please make sure to click 'Save' instead of 'Run'). Double click on the OTL icon on your desktop to run it. Make sure all other windows are closed and to let it run uninterrupted. Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan will take a few minutes. When the scan completes, it will open two Notepad windows. OTL.Txt and Extras.Txt. The first one (OTL.txt) will be automatically saved on your desktop next to OTL, and the second one will need to be saved manually. Please make sure that both OTL.txt and Extras.txt are saved on your desktop, and then attach both of them to a reply so that we can take a look at them.
  4. Please get me a log from TDSSKiller by following the instructions below: Download TDSSKiller from this link and save it on your desktop. Run the TDSSKiller download that you saved. Click on Change parameters as it shows in the following screenshot: Make sure that Verify digital signatures and Detect TDLFS file system are checked as in the following screenshot, and then click OK: Click the Start scan button as in the following screenshot: You will see the following as the scan runs: If there are any threats or malicious items detected, then make sure the option to the right of each item is set to Skip as in the following screenshot (it is very important that TDSSKiller not be allowed to Cure, Quarantine, or Delete these detections!), note that you can click on the selection action to open a list and change it if it is not set to Skip automatically, and then click Continue at the bottom when everything is set to Skip: Click on Report in the upper-right corner, as in the following screenshot: You will see a report similar to the one in the following screenshot. Please click in the report somewhere, then hold down the Ctrl key on your keyboard and tap the A key to select the entire report. Once everything is selected, then it should look similar to the following screenshot, and you will be able to hold down the Ctrl key on your keyboard and tap the C key to copy the entire report. Open Notepad by clicking on the Start button, going to All Programs (or just Programs in Windows 7 and Vista), then Accessories, and clicking on Notepad in the list. Once Notepad has opened, click on Edit to open the Edit menu, and then click Paste, as in the following screenshot: Once the report has been pasted into Notepad, click File to open the File menu, and then click Save as, as in the following screenshot. Please save the report on your desktop and attach it to a reply by using the More Reply Options button to the lower-right of where you type in your reply.
  5. Yes, that's fairly common for the ZeroAccess rootkit. It loves to hijack your TCP/IP settings so that you cannot use the Internet to download security software. Go ahead and download a fresh copy of ComboFix, and run it again. Here are the instructions again: Please download ComboFix from one of the following links, and follow the instructions below to run it. Save as Combo-Fix.exe during the download. ComboFix must be renamed before you download to your Desktop Link 1 Link 2 * IMPORTANT !!! Save Combo-Fix to your Desktop Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools See HERE for help Double click on ComboFix.exe & follow the prompts. As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware. Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console. **Please note: (This applies to Windows XP systems only) If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures. Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message: Click on Yes, to continue scanning for malware. When finished, ComboFix will produce a log. Note: 1. Do not mouseclick combofix's window while it's running. That may cause it to stall! 2. Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet. Attach logs for: (USE THE "MORE REPLY OPTIONS" BUTTON TO BE ABLE TO DO THIS) ComboFix (C:\combofix.txt) Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
  6. Do you have TortoiseSVN installed?
  7. Here is a link to instructions on how to start Windows in Safe Mode. Please try to start your computer in Safe Mode With Networking, and then follow the instructions below as best you can: Please download ComboFix from one of the following links, and follow the instructions below to run it. Save as Combo-Fix.exe during the download. ComboFix must be renamed before you download to your Desktop Link 1 Link 2 * IMPORTANT !!! Save Combo-Fix to your Desktop Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools See HERE for help Double click on ComboFix.exe & follow the prompts. As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware. Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console. **Please note: (This applies to Windows XP systems only) If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures. Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message: Click on Yes, to continue scanning for malware. When finished, ComboFix will produce a log. Note: 1. Do not mouseclick combofix's window while it's running. That may cause it to stall! 2. Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet. Attach logs for: (USE THE "MORE REPLY OPTIONS" BUTTON TO BE ABLE TO DO THIS) ComboFix (C:\combofix.txt) Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
  8. OK, that would explain the error message. Try copying and pasting the script into OTL again, and make the necessary modifications so that it looks just like it does on the forums (it should be 4 lines with a blank line in the middle). Let me know if the script runs properly like that.
  9. Topic reopened per user's request.
  10. Does Online Armor give you any idea as to what process may be doing this? It is very common for legitimate software (especially security software) to use svchost.exe to run parts of their program.
  11. When you copy and pasted that script into OTL, did everything appear on the same line, or did it look exactly like it does in little box in my post?
  12. OK, lets try using OTL to delete it. I have written a script for OTL (if you need to, you may download OTL from this link). Please copy the contents of the following CODE box, and in OTL under the Custom Scans/Fixes box at the bottom, paste in what you just copied from the following CODE box: :Files C:\Program Files\Common Files\Microsoft Shared\ink\lpsPlugin.dll :Commands [EMPTYTEMP] Then click the Run Fix button at the top. Let the program run unhindered, restart your computer when it is done (it may automatically restart your computer on its own). After your computer has restarted, please open OTL again and click the Quick Scan button. Attach the log it produces in your next reply (just the OTL log, as I don't need to see the Extras log again). You will need to click the button that says More Reply Options to the lower-right of where you type your reply to be presented with the attachment controls.
  13. Since everything seems OK, I am going to go ahead and close this topic. Note: The instructions in this forum topic have been customized based on the logs posted by the person asking for assistance. Please do not attempt to follow any of the instructions in this forum topic, as they could cause damage to your computer. If you require assistance, please start here if you believe your computer is infected, and one of our experts will be happy to assist you by analyzing your logs.
  14. From that log, it looks like the infected came with the ZeroAccess rootkit, which can be tricky to remove. Lets start with ComboFix, and if we can get a log from it then we can go from there. Please download ComboFix from one of the following links, and follow the instructions below to run it. Save as Combo-Fix.exe during the download. ComboFix must be renamed before you download to your Desktop Link 1 Link 2 * IMPORTANT !!! Save Combo-Fix to your Desktop Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools See HERE for help Double click on ComboFix.exe & follow the prompts. As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware. Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console. **Please note: (This applies to Windows XP systems only) If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures. Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message: Click on Yes, to continue scanning for malware. When finished, ComboFix will produce a log. Note: 1. Do not mouseclick combofix's window while it's running. That may cause it to stall! 2. Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet. Attach logs for: (USE THE "MORE REPLY OPTIONS" BUTTON TO BE ABLE TO DO THIS) ComboFix (C:\combofix.txt) Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
  15. What happens if you enable Learning Mode while installing updates?
  16. According to that log, your avast! Internet Security was still enabled while ComboFix was running. avast! would have prevented ComboFix from running properly.
  17. OK, here's some final instructions for you: 1. Make Sure Java is Updated: Click on the Start button. Click on Control Panel . Click Uninstall a program . Look for Java in the list (should be alphabetical), and uninstall all versions of Java that you find listed. Click on this link and download and install the latest Java (the Windows Online download will be faster). 2. Make Sure Adobe Flash is Updated: Click on this link and download the latest version of Adobe Flash Player for your web browser. You will need to close your web browser when installing Flash. 3. Make Sure Adobe Acrobat Reader is Updated: Click on the Start button. Click on Control Panel . Click Uninstall a program . Look for any versions of Adobe Reader or Adobe Acrobat Reader in the list (should be alphabetical), and uninstall all of them (if you have Adobe Acrobat, which is the premium software from Adobe, then you do not need to uninstall it). Click on this link to go to the Adobe Reader download page, make sure to unselect any offers for toolbars or other free software, and download and install the latest version of Adobe Reader. (please note that some people do prefer to use third-party PDF viewers such as PDF X-Change Viewer and Foxit Reader which are not as commonly exploited as Adobe Reader, so if you would prefer to use one of those then you do not need to download and install Adobe Reader) 4. Make Sure Your Computer Has The Latest Windows Updates: Click on the Start button. Go to All Programs . Click on Windows Update . Click Check for updates in the menu on the left (should be near the top). Once it is done checking for updates, click the Install updates button on the right. Make sure that if your computer wants to restart after the updates are done, that you allow it so. 5. Web Of Trust Extension: While this is not a requirement, I highly recommend that you click this link and check out the Web Of Trust extension for your web browser. It will add an extra layer of protection to your web browsing for free, and it is especially helpful when doing searches on Google, Yahoo!, Bing, etc. as it will point out what sites are considered trustworthy and what sites are not by drawing a colored circle to the right of each search result. Green means trusted, red means not trusted, yellow is in between, and white means it is not in Web Of Trust's database. 6. Empty The System Restore: Click on the Start button. Right-click on Computer Select Properties from the list. In the window that pops up, click on the System protection link in the menu on the left. The buttons may not be clickable for a few moments, but once you can click on them select the drive in the list near the bottom that shows protection is on (this will usually be you C: drive) and click the Configure... button. Click the button near the bottom-right that says Delete to clear all System Restore data. Once finished, click OK to close that window. Now you will want to make sure that the correct drive is selected again (usually your C: drive) and click on the Create button to create a new restore point. Fill in a name for the restore point, and click the Create button. Once it is done, you can close the windows that were opened to get to the System Restore settings.
  18. I'm pretty certain that they are clean. Looks like warning detections (CheatEngine can be used to hack games, so some vendors apparently detect it as a hacktool). Aside from some temp files, I think your computer is clean, so lets get those temp files cleaned up. Please download TFC to your desktop Open the file and close any other windows. It will close all programs itself when run, make sure to let it run uninterrupted. Click the Start button to begin the process. The program should not take long to finish its job Once its finished it should reboot your machine, if not, do this yourself to ensure a complete clean
  19. OK, there are only two files in that log that I am actually concerned about: C:\Users\Owner\Documents\xfire_installer_43094.exe C:\Users\Owner\Downloads\CheatEngine561.exe Theoretically both of these are legitimate files, however there is always the possibility of an infection having been injected into them. Please upload both of those files to VirusTotal and then post the links to the analysis of each file for me.
  20. It looks like ComboFix cleaned up everything on its own, however lets get a third-party opinion just to be sure. Please run an online virus scan through ESET by following the steps below: Turn off your anti-virus software. Click on this link. Click on the ESET Online Scanner button. Put a check in the box that says YES, I accept the Terms of Use. Click the 'Start' button just to the right of the checkbox. Uncheck the box that says Remove found threats (this is very important). Click on Advanced settings. Put a check in the box that says Scan for potentially unsafe applications. Verify that Scan for potentially unwanted applications is also checked. Verify that Enable Anti-Stealth technology is also checked. Click the Start button in the lower-right corner of the page, and it will begin downloading it's database, and then it will start scanning. When the scan is done, if it shows a screen that says Threats found!, then click List of found threats, and then click Export to text file... (if nothing was found, then just let me know that no threats were found). Save that text file on your desktop, and then attach it to a reply (using the More Reply Options button in the lower-right corner of this forum topic) for me. Close the ESET online scan. I will take a look at the log, and let you know if anything needs removed.
  21. Yes, we can do that. Please note, however, that you do get an automatic discount when you renew your licenses, so you may wish to verify that you will be getting a better deal from the Easter promo than from a normal renewal. I don't have the details in front of me, however you can send an e-mail to Davlat at da <at> emsisoft <dot> com and he will know a lot more about discounts, promotions, etc. than I do. If you decide to go ahead and go with the Easter promo, then send me a private message with all of the info (the key of your current 3-PC license, the three new keys that you want merged into it, and let me know if your e-mail address for your Customer Center account is different than the one you used on our forums).
  22. We are capable of merging and extending licenses. Just make sure that if you currently have a 3-PC license that you purchase a new 3-PC license during the promo, otherwise we may only extend you current 3-PC license by a third of a year.
  23. Well, lets try deleting it, and see if anything complains. Here's another ComboFix script with instructions: Download an updated version of ComboFix from one of the following links: [list=] BleepingComputer InfoSpyware [*] Turn off your Anti-Virus software. [*] Click your Start button, go to All Programs (or just Programs on Vista and Windows 7), go to Accessories, and then open Notepad. [*] Please copy and paste the contents of the box below into Notepad (here is a link to instructions if you do not know how to copy and paste): http://support.emsisoft.com/topic/7453-pc-infected-by-trojans/ KillAll:: FileLook:: C:\Program Files\Common Files\Microsoft Shared\ink\lpsPlugin.dll File:: C:\Program Files\Common Files\Microsoft Shared\ink\lpsPlugin.dll [*] Save this as a Text Document named CFScript in the same location as ComboFix (which should be on your desktop). [*] Close Notepad and verify that the CFScript file is saved on your desktop. [*] Referring to the animated picture below, click the left mouse button on top of the CFScript icon on your desktop, then holding the mouse button down drag the CFScript icon on your desktop onto the ComboFix icon, and then drop it (let go of the mouse button) on top of the ComboFix icon: When finished, it will display a new log in Notepad. Please attach that log to a reply the same way you did before. If you prefer, you can save the log on your desktop to make it easier to find.
  24. My apologies for the slow response. Please download ComboFix from one of the following links, and follow the instructions below to run it. Save as Combo-Fix.exe during the download. ComboFix must be renamed before you download to your Desktop Link 1 Link 2 * IMPORTANT !!! Save Combo-Fix to your Desktop Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools See HERE for help Double click on ComboFix.exe & follow the prompts. As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware. Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console. **Please note: (This applies to Windows XP systems only) If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures. Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message: Click on Yes, to continue scanning for malware. When finished, ComboFix will produce a log. Note: 1. Do not mouseclick combofix's window while it's running. That may cause it to stall! 2. Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet. Attach logs for: (USE THE "MORE REPLY OPTIONS" BUTTON TO BE ABLE TO DO THIS) ComboFix (C:\combofix.txt) Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!