GT500

Emsisoft Employee
Everything posted by GT500

  1. OK, things are looking pretty good. Is your computer still displaying any symptoms of an infection?
  2. OK, let's move that file back before we proceed:
     - Please download BlitzBlank from , and save it on your desktop.
     - Run BlitzBlank from the icon on your desktop. It will display a warning. Click OK to continue.
     - Switch to the Script tab.
     - Copy and paste the contents of the following box into the big white box on the Script tab:

         MoveFile: C:\IpsPlugin.dll "C:\Program Files\Common Files\Microsoft Shared\ink\IpsPlugin.dll"

     - After pasting the script in the box above into the white box in BlitzBlank, please click the Execute button in the lower-right corner.
     - A message will appear warning you that BlitzBlank is going to restart your computer. Make sure that anything you were working on is saved, and click OK to allow it to restart your computer.
     - When your computer is starting up you should see an odd black screen with some white text on it. This is normal, and your computer will continue with its normal startup after a minute or two.
     - Once your computer is finished starting up, there should be a log file saved as a Text Document named blitzblank in the root of your C: drive. Please attach that file to a reply by using the More Reply Options button to the lower-right of where you type in your reply.
  3. According to this Web Of Trust report the website go.jetswap.com has about a 75% trustworthiness rating (100% is the best possible score, and 0% is the worst possible score). On my first glance, I am only seeing one entry in your OTL log that appears to be related to this "SafeSurf" application. This ThreatExpert report shows that parts of SafeSurf are detected by Ikarus and Kaspersky as a "Risk Tool", which means it is most likely unwanted software. This list of analysis reports at VirScan.org does not show consistent detections from anti-virus software, with a detection rate ranging from anywhere between 0% and 43%. Just for reference, there does appear to be a legitimate program named SafeSurf, so my first recommendation would be to upload the file to VirusTotal at this link and then post a link to the analysis in a reply for me to review. The file that you will want to upload is as follows: C:\js\safesurf.exe
  4. You're quite welcome. Please let us know if you have any further issues.
  5. Please download GMER from this link. Note that the file will have a random name, so make note of the file's name and save it to the root of your C: drive.
     - Disconnect from the Internet and close all running programs.
     - Temporarily disable any real-time active protection so your security program drivers will not conflict with this file. Click on this link to see a list of programs that should be disabled while running GMER (please try to avoid the advertisements on that page).
     - Double-click on the downloaded file to start the program. (If running Vista, right-click on it and select "Run as an Administrator")
     - Allow the driver to load if asked.
     - You may be prompted to scan immediately if it detects rootkit activity. If you are prompted to scan your system click "No", save the log and post back the results.
     - If not prompted, click the "Rootkit/Malware" tab.
     - On the right side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
     - Select all drives that are connected to your system to be scanned.
     - Click the Scan button to begin. (Please be patient as it can take some time to complete)
     - When the scan is finished, click Save to save the scan results to your Desktop. Save the file as Results.log and please attach it to a reply by using the More Reply Options button to the lower-right of where you type in your reply (you may need to ZIP the log by right-clicking on it, going to Send to, and clicking on Compressed (zipped) folder before you can attach it).
     - Exit the program and re-enable all active protection when done.
  6. Please download Crysis Aversion Tool from this link (you can run it from your USB flash drive), run it on the computer that is unable to access the Internet, and select the following fixes:
     - Flush DNS Resolver Cache
     - Repair Internet Explorer
     - Reset All Networking Interfaces
     After selecting those three fixes, click the Apply Checked Fixes button, and it will tell you the progress in the lower-left corner. When it says that it is complete, you can close Crysis Aversion Tool, and restart your computer. Let me know if that repairs your Internet connection.
  7. OK, please download an updated version of ComboFix from one of the links below, disable any anti-virus software you have installed, and then run ComboFix and get me a new log:
     - Link 1
     - Link 2
  8. Please follow the instructions at this link to start your computer in Safe Mode With Networking and then try the ESET online scan again.
  9. Are you able to right-click on it and run it as administrator?
  10. OK, that log didn't show me what I thought it was going to show me. Let's go ahead and replace that file with the backup copy that ComboFix found, and then see if ComboFix will run normally after that.
     - Please restart your computer (you may want to print out these instructions first), and immediately after the manufacturer's logo disappears (the one that you see every time you turn on your computer) start gently tapping the F8 key on your keyboard until you see a black screen with a list of options that looks like the screenshot below (you may need to click on the screenshot to see a larger version of it):
     - Make sure that the Repair Your Computer option is highlighted (use the arrow keys on your keyboard to change which option is highlighted) and then press the Enter key on your keyboard to start the recovery environment.
     - After Windows loads the recovery environment, you should be presented with a System Recovery Options screen that allows you to select your keyboard layout. If you don't know which one to select, then just click the Next> button.
     - You will now be asked for the username and password to log in with. Please log in to an account that has administrative rights. If you only have one user account set up on your computer, then go ahead and use it. Windows should have automatically filled in the username for you, and if you don't use a password then just leave the box empty and click OK.
     - Windows will present you with a list of recovery options. Please click the option for Command Prompt.
     - In case you are not familiar with the Command Prompt in Windows, it is a program that will allow you to execute commands that you type out. You need to press Enter on your keyboard after you type in a command.
     - Please go ahead and type in C: and then press Enter (this will tell the command prompt to switch to your C: drive).
     - Now we need to delete the infected system file and replace it with the backup copy. Type in the following command to delete the infected file (making sure to press Enter afterwards):

         DEL c:\windows\System32\drivers\tdx.sys

     - Assuming that there are no errors when attempting to delete that file, please type in the following command to replace it with the backup (making sure to press Enter afterwards):

         COPY c:\windows\winsxs\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.1.7600.16385_none_ea141e6f3d693e28\tdx.sys c:\windows\System32\drivers\tdx.sys

     - After that, you can close the command prompt by clicking the X button in the upper-right corner, and then restart your computer by clicking the Restart button.
     - Once your computer is running normally, please download a new version of ComboFix from one of the links below, save it on your desktop, turn off any anti-virus and anti-spyware software that you have installed, and then run ComboFix and get me a new log.
       - BleepingComputer
       - InfoSpyware
  11. What happens if you attempt to open the Control Panel through the Start Menu?
  12. Please download GMER from this link. Note that the file will have a random name, so make note of the file's name and save it to the root of your C: drive.
     - Disconnect from the Internet and close all running programs.
     - Temporarily disable any real-time active protection so your security program drivers will not conflict with this file. Click on this link to see a list of programs that should be disabled while running GMER (please try to avoid the advertisements on that page).
     - Double-click on the downloaded file to start the program. (If running Vista, right-click on it and select "Run as an Administrator")
     - Allow the driver to load if asked.
     - You may be prompted to scan immediately if it detects rootkit activity. If you are prompted to scan your system click "No", save the log and post back the results.
     - If not prompted, click the "Rootkit/Malware" tab.
     - On the right side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
     - Select all drives that are connected to your system to be scanned.
     - Click the Scan button to begin. (Please be patient as it can take some time to complete)
     - When the scan is finished, click Save to save the scan results to your Desktop. Save the file as Results.log and please attach it to a reply by using the More Reply Options button to the lower-right of where you type in your reply (you may need to ZIP the log by right-clicking on it, going to Send to, and clicking on Compressed (zipped) folder before you can attach it).
     - Exit the program and re-enable all active protection when done.
  13. I deleted the logs you attached to your post because Fiddler logs can contain your license information for Emsisoft Anti-Malware (that information is verified by our servers on update and will wind up in your Fiddler log). Let's go ahead and proceed with cleanup, and if you still are unable to update Emsisoft Anti-Malware after that then we will worry about it once we are able to get things cleaned up with ComboFix and other utilities.
  14. Please download Rkill from one of the links below:
     - rkill.exe
     - rkill.com
     - rkill.scr
     - eXplorer.exe
     - iExplore.exe
     - WiNlOgOn.exe
     - uSeRiNiT.exe
     The reason why there are 7 of them, each with a different name (and some of them with very funny names), is because some infections like to block security software from running. Start with the first one, and if it doesn't work then try the next one, and so on until you find one that works. Once you get one of the Rkill downloads to work, please run it a second time to make sure that it is no longer able to find any malicious processes still running. If it finds more, run it again to make sure that Rkill was able to stop any malicious processes still running on your computer. After running Rkill, please proceed with my previous instructions to run ComboFix, and if everything works OK then attach the log to a reply when it is done.
  15. OK, from what I'm seeing in that log, it should be OK to proceed with normal cleanup (no ZeroAccess infections detected). Please download ComboFix from one of the following links, and follow the instructions below to run it. Save as Combo-Fix.exe during the download. ComboFix must be renamed before you download to your Desktop.
     - Link 1
     - Link 2
     * IMPORTANT !!! Save Combo-Fix to your Desktop
     - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. See HERE for help.
     - Double click on ComboFix.exe & follow the prompts.
     - As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
     - Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
     **Please note: (This applies to Windows XP systems only) If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
     - Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message: Click on Yes, to continue scanning for malware.
     - When finished, ComboFix will produce a log.
     Note:
     1. Do not mouse-click ComboFix's window while it's running. That may cause it to stall!
     2. Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet.
     Attach logs for: (USE THE "MORE REPLY OPTIONS" BUTTON TO BE ABLE TO DO THIS)
     - ComboFix (C:\combofix.txt)
     Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
  16. OK, according to that log ComboFix did not completely remove the ZeroAccess infection, and one of your system files is still infected. Fortunately, the ComboFix log shows a backup copy of the infected system file that appears to be clean. That backup copy can be used to replace the infected file. Before we do this, however, I will need some more information to ensure that we are not missing anything when we do this fix. Please run OTL again (you can download it from here if you need to), before clicking Run Scan make sure to type or copy and paste NETSVCS into the Custom Scans/Fixes box, and then click on the Run Scan button to start the scan. Please save the OTL log on your desktop when done, and attach it to a reply.
  17. No, if the file was moved then go ahead and run the ESET scan and attach the log for me when it is done. Here are the instructions again:
     - Turn off your anti-virus software.
     - Click on this link.
     - Click on the ESET Online Scanner button.
     - Put a check in the box that says YES, I accept the Terms of Use.
     - Click the 'Start' button just to the right of the checkbox.
     - Uncheck the box that says Remove found threats (this is very important).
     - Click on Advanced settings.
     - Put a check in the box that says Scan for potentially unsafe applications.
     - Verify that Scan for potentially unwanted applications is also checked.
     - Verify that Enable Anti-Stealth technology is also checked.
     - Click the Start button in the lower-right corner of the page, and it will begin downloading its database, and then it will start scanning.
     - When the scan is done, if it shows a screen that says Threats found!, then click List of found threats, and then click Export to text file... (if nothing was found, then just let me know that no threats were found).
     - Save that text file on your desktop, and then attach it to a reply (using the More Reply Options button in the lower-right corner of this forum topic) for me.
     - Close the ESET online scan.
     I will take a look at the log, and let you know if anything needs to be removed.
  18. Just to clarify, the word 'malware' refers to "malicious software", which includes viruses, worms, spyware, trojans, rootkits, keyloggers, etc. Our developers and researchers take the definition of 'malware' literally, and they make sure that Emsisoft Anti-Malware covers all of these areas and more.
  19. That's a bit odd. Let's try using ComboFix to move it. I have written a script that will tell ComboFix how to move that file. Here are instructions on what to do with the script:
     - Download an updated version of ComboFix from one of the following links: BleepingComputer, InfoSpyware
     - Turn off your Anti-Virus software.
     - Click your Start button, go to All Programs (or just Programs on Vista and Windows 7), go to Accessories, and then open Notepad.
     - Please copy and paste the contents of the box below into Notepad (here is a link to instructions if you do not know how to copy and paste): http://support.emsisoft.com/topic/7453-pc-infected-by-trojans/

         KillAll::
         FileLook::
         C:\Program Files\Common Files\Microsoft Shared\ink\lpsPlugin.dll
         FCopy::
         C:\Program Files\Common Files\Microsoft Shared\ink\lpsPlugin.dll | C:\lpsPlugin.dll
         File::
         C:\Program Files\Common Files\Microsoft Shared\ink\lpsPlugin.dll

     - Save this as a Text Document named CFScript in the same location as ComboFix (which should be on your desktop).
     - Close Notepad and verify that the CFScript file is saved on your desktop.
     - Referring to the animated picture below, click the left mouse button on top of the CFScript icon on your desktop, then holding the mouse button down drag the CFScript icon on your desktop onto the ComboFix icon, and then drop it (let go of the mouse button) on top of the ComboFix icon:
     - When finished, it will display a new log in Notepad. Please attach that log to a reply the same way you did before. If you prefer, you can save the log on your desktop to make it easier to find.
  20. ZeroAccess? That is a pretty nasty rootkit, and I hadn't heard anything about ComboFix being able to clean up the latest variants of it, so let's get some more information to make sure that it did really get removed. Please get me a log from TDSSKiller by following the instructions below:
     - Download TDSSKiller from this link and save it on your desktop.
     - Run the TDSSKiller download that you saved.
     - Click on Change parameters as it shows in the following screenshot:
     - Make sure that Verify digital signatures and Detect TDLFS file system are checked as in the following screenshot, and then click OK:
     - Click the Start scan button as in the following screenshot:
     - You will see the following as the scan runs:
     - If there are any threats or malicious items detected, then make sure the option to the right of each item is set to Skip as in the following screenshot (it is very important that TDSSKiller not be allowed to Cure, Quarantine, or Delete these detections!), note that you can click on the selection action to open a list and change it if it is not set to Skip automatically, and then click Continue at the bottom when everything is set to Skip:
     - Click on Report in the upper-right corner, as in the following screenshot:
     - You will see a report similar to the one in the following screenshot. Please click in the report somewhere, then hold down the Ctrl key on your keyboard and tap the A key to select the entire report.
     - Once everything is selected, then it should look similar to the following screenshot, and you will be able to hold down the Ctrl key on your keyboard and tap the C key to copy the entire report.
     - Open Notepad by clicking on the Start button, going to All Programs (or just Programs in Windows 7 and Vista), then Accessories, and clicking on Notepad in the list.
     - Once Notepad has opened, click on Edit to open the Edit menu, and then click Paste, as in the following screenshot:
     - Once the report has been pasted into Notepad, click File to open the File menu, and then click Save as, as in the following screenshot. Please save the report on your desktop and attach it to a reply by using the More Reply Options button to the lower-right of where you type in your reply.
  21. That log looks pretty good. ComboFix automatically deleted a bad file I saw in your OTL log (it also deleted some crash reports from Emsisoft Anti-Malware, but I contacted the guy who makes ComboFix and he's going to fix that). Let's get a virus scan from a third party just to verify that your computer is clean. Please run an online virus scan through ESET by following the steps below:
     - Turn off your anti-virus software.
     - Click on this link.
     - Click on the ESET Online Scanner button.
     - Put a check in the box that says YES, I accept the Terms of Use.
     - Click the 'Start' button just to the right of the checkbox.
     - Uncheck the box that says Remove found threats (this is very important).
     - Click on Advanced settings.
     - Put a check in the box that says Scan for potentially unsafe applications.
     - Verify that Scan for potentially unwanted applications is also checked.
     - Verify that Enable Anti-Stealth technology is also checked.
     - Click the Start button in the lower-right corner of the page, and it will begin downloading its database, and then it will start scanning.
     - When the scan is done, if it shows a screen that says Threats found!, then click List of found threats, and then click Export to text file... (if nothing was found, then just let me know that no threats were found).
     - Save that text file on your desktop, and then attach it to a reply (using the More Reply Options button in the lower-right corner of this forum topic) for me.
     - Close the ESET online scan.
     I will take a look at the log, and let you know if anything needs to be removed.
  22. We can try using BlitzBlank to move the file to your C: drive (note that whatever program uses this file may start displaying an error message after it is moved):
     - Please download BlitzBlank from , and save it on your desktop.
     - Run BlitzBlank from the icon on your desktop. It will display a warning. Click OK to continue.
     - Switch to the Script tab.
     - Copy and paste the contents of the following box into the big white box on the Script tab:

         MoveFile: "C:\Program Files\Common Files\Microsoft Shared\ink\lpsPlugin.dll" C:\lpsPlugin.dll

     - After pasting the script in the box above into the white box in BlitzBlank, please click the Execute button in the lower-right corner.
     - A message will appear warning you that BlitzBlank is going to restart your computer. Make sure that anything you were working on is saved, and click OK to allow it to restart your computer.
     - When your computer is starting up you should see an odd black screen with some white text on it. This is normal, and your computer will continue with its normal startup after a minute or two.
     - Once your computer is finished starting up, there should be a log file saved as a Text Document named blitzblank in the root of your C: drive. Please attach that file to a reply by using the More Reply Options button to the lower-right of where you type in your reply.
  23. Most of those logs aren't useful without samples, and our researchers would prefer a copy of whatever file originally caused the infection so that they can learn the most about this.
  24. Since you've already found the, if you don't mind doing it, I recommend deleting them.
  25. Due to the way Virut infects files, it is often not possible for an anti-virus to completely remove all of the fragments of Virut code from an infected file. While the Virut infection may be completely disabled, some anti-virus software may still detect the file due to this issue. Are these files important, or can they be deleted?