GT500

Emsisoft Employee
  • Content Count

    13513
  • Joined

  • Days Won

    421

Posts posted by GT500


  1. Please run an online virus scan through ESET by following the steps below:

    1. Turn off your anti-virus software.
    2. Click on this link.
    3. Click on the ESET Online Scanner button.
    4. Put a check in the box that says YES, I accept the Terms of Use.
    5. Click the 'Start' button just to the right of the checkbox.
    6. Uncheck the box that says Remove found threats (this is very important).
    7. Click on Advanced settings.
    8. Put a check in the box that says Scan for potentially unsafe applications.
    9. Verify that Scan for potentially unwanted applications is also checked.
    10. Verify that Enable Anti-Stealth technology is also checked.
    11. Click the Start button in the lower-right corner of the page, and it will begin downloading it's database, and then it will start scanning.
    12. When the scan is done, if it shows a screen that says Threats found!, then click List of found threats, and then click Export to text file... (if nothing was found, then just let me know that no threats were found).
    13. Save that text file on your desktop, and then attach it to a reply (using the More Reply Options button in the lower-right corner of this forum topic) for me.
    14. Close the ESET online scan.

    I will take a look at the log, and let you know if anything needs removed.


  2. Please download Emsiclean from this link (be sure to save it on your desktop), and follow the instructions below to get me a log:

    1. Run the Emsiclean download that you saved on your desktop.
    2. Read the disclaimer. Note that you must agree to it in order to proceed.
    3. Once the scan is finished, simply exit Emsiclean, and do not remove anything.
    4. A new file will be saved on your desktop with a log of what was detected. Please attach that to a reply by using the More Reply Options button to the lower-right of where you type in your reply.


  3. I've asked someone else to look at that log to verify whether or not some of the system files it listed have been modified. Lets go ahead and get a registry export while we wait for that.

    For 32-bit Windows, please download MiniRegTool.zip and unzip it.

    For 64-bit Windows, please download MiniRegTool64.zip and unzip it.

    1. Run the MiniRegTool download.
    2. Copy and paste the following into the rectangular white box in MiniRegTool:
      HKLM\SYSTEM\ControlSet001\services\BTHPORT
      HKLM\SYSTEM\CurrentControlSet\services\BTHPORT
      HKLM\SYSTEM\ControlSet003\services\BTHPORT


    3. Check Export keys radio button.
    4. Press Go button, save the results as a Text Document on your desktop, and attach them to a reply.


  4. You can reinstall Windows if you wish, however I do not believe that it will be required.

    I don not know how to get information from registry.

    If you wish to continue trying to fix this without reinstalling, then please download Farbar Service Scanner and run it on the computer with the issue.

    1. Make sure the following options are checked:
      • Internet Services
      • Windows Firewall
      • System Restore
      • Security Center
      • Windows Update

    [*]Press "Scan".

    [*]It will create a log (FSS.txt) in the same directory the tool is run.

    [*]Please copy and paste the log to your reply.


  5. Please download ComboFix from one of the following links, and follow the instructions below to run it. Save as Combo-Fix.exe during the download. ComboFix must be renamed before you download to your Desktop

    Link 1

    Link 2

    * IMPORTANT !!! Save Combo-Fix to your Desktop

    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
      See HERE for help
    • Double click on ComboFix.exe & follow the prompts.
    • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    **Please note: (This applies to Windows XP systems only) If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

    RcAuto1.gif

    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    whatnext.png

    Click on Yes, to continue scanning for malware.

    When finished, ComboFix will produce a log.

    Note:

    1. Do not mouseclick combofix's window while it's running. That may cause it to stall!

    2. Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet.

    Attach logs for: (USE THE "MORE REPLY OPTIONS" BUTTON TO BE ABLE TO DO THIS)

    • ComboFix (C:\combofix.txt)

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!


  6. That ComboFix log looks good, however that GMER log shows what are most likely leftovers from the TDL4 rootkit.

    Do you know how to export information from the Windows registry? I want to take a look at the contents of those registry keys that were listed in the GMER log before we just blindly delete them.


  7. I have written a cleanup script for OTL (if you need to, you may download OTL from this link).

    1. Please copy the contents of the following CODE box, and in OTL under the Custom Scans/Fixes box at the bottom, paste in what you just copied from the following CODE box:
      :OTL
      FF:[b]64bit:[/b] - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
      FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=:  File not found
      FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
      O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
      O15 - HKCU\..Trusted Domains: internet ([]about in Trusted sites)
      O18:[b]64bit:[/b] - Protocol\Handler\livecall - No CLSID value found
      O18:[b]64bit:[/b] - Protocol\Handler\ms-help - No CLSID value found
      O18:[b]64bit:[/b] - Protocol\Handler\ms-itss - No CLSID value found
      O18:[b]64bit:[/b] - Protocol\Handler\msnim - No CLSID value found
      O18:[b]64bit:[/b] - Protocol\Handler\wlmailhtml - No CLSID value found
      O18:[b]64bit:[/b] - Protocol\Handler\wlpg - No CLSID value found
      O20:[b]64bit:[/b] - HKLM Winlogon: VMApplet - (/pagefile) -  File not found
      O20 - HKLM Winlogon: VMApplet - (/pagefile) -  File not found
      
      :Commands
      [EMPTYTEMP]


    2. Then click the Run Fix button at the top.
    3. Let the program run unhindered, restart your computer when it is done (it may automatically restart your computer on its own).
    4. After your computer has restarted, please open OTL again and click the Quick Scan button. Attach the log it produces in your next reply (just the OTL log, as I don't need to see the Extras log again). You will need to click the button that says More Reply Options to the lower-right of where you type your reply to be presented with the attachment controls.


  8. I will assume you are running Windows 7 x64 on the effected computer. Do you have any other security software installed? What version of Online Armor were you trying to remove?

    Also, go ahead and try the following (these instructions assume Windows 7):

    1. Click on the Start button (the one with the little Windows icon that says Start when you hold the mouse pointer over it).
    2. Type network connections into the search box at the bottom of the Start menu.
    3. Once the search results appear, click on View network connections (should be at the top of the list).
    4. Right click on your network adapter (the one your Internet connection normally goes through), and select Properties from the bottom of the menu that pops up.
    5. In the middle of the dialog that pops up there will be a list of components that Windows is using for your network connection. Look through the list for anything related to Online Armor, click on it to highlight it in blue, and then click the Uninstall button to remove it.
    6. Once you have uninstalled all of the Online Armor components from the list, click the OK button at the bottom.
    7. If there is an Online Armor network device on the Network Connections window, then follow the last three steps to remove any Online Armor components that are being used by it.
    8. Restart your computer, and check your Internet connection.


  9. OK, it looks like NOD32 detected the files as TDSSKiller was quarantining them. So long as NOD32 didn't interfere with TDSSKiller removing the infection, then everything should be fine, otherwise you may need to turn off NOD32 and run TDSSKiller again.

    If TDSSKiller is no longer showing any detected items, or if it cannot remove what it finds, then we can move on to ComboFix. Please download ComboFix from one of the following links, and follow the instructions below to run it. Save as Combo-Fix.exe during the download. ComboFix must be renamed before you download to your Desktop

    Link 1

    Link 2

    * IMPORTANT !!! Save Combo-Fix to your Desktop

    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
      See HERE for help
    • Double click on ComboFix.exe & follow the prompts.
    • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    **Please note: (This applies to Windows XP systems only) If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

    RcAuto1.gif

    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    whatnext.png

    Click on Yes, to continue scanning for malware.

    When finished, ComboFix will produce a log.

    Note:

    1. Do not mouseclick combofix's window while it's running. That may cause it to stall!

    2. Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet.

    Attach logs for: (USE THE "MORE REPLY OPTIONS" BUTTON TO BE ABLE TO DO THIS)

    • ComboFix (C:\combofix.txt)

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!


  10. Quad Core E6600 / 8GB Ram - I do have MalwareBytes installed but even if I disable this I get the high CPU usage.

    Simply disabling Malwarebytes' Anti-Malware won't make a difference, as the service stays loaded in memory. You would have to right-click on the System Tray/Notification Area icon for Malwarebytes' Anti-Malware and uncheck the option to "Start with Windows" (either that or open Malwarebytes' Anti-Malware and uncheck the option to start the protection with Windows from the 'Protection' tab).

    I don't expect this to make a difference, however, as I run Malwarebytes' Anti-Malware on a system with a much older and much slower dual-core CPU, and I don't experience any CPU usage issues when I scan with Emsisoft Anti-Malware.

    I did have a search on the internet and there is a reference to high CPU usage here - it seems it might be just during on demand scans. Is there any way to limit the resources used in any way even if it were to increase the length of time for a scan?

    The only way would be lowering the process priority for the EXE doing the scanning, but I'm pretty certain that the built-in protection in Emsisoft Anti-Malware would prevent you from doing that.