GT500

Emsisoft Employee

Posts posted by GT500

  1. I've been talking to one of our researchers, and that file is a Windows System File. The reason scans are failing on that file could be filesystem damage, or it could be physical damage to your hard drive.

    Follow the instructions at this link, and instead of loading Safe Mode load the Recovery Environment. Once you get into the Recovery Environment, you should see a screen like this:

    [screenshot: Recovery Environment options screen]

    You'll want to click the link to load the Command Prompt. At the Command Prompt, type out chkdsk /R C: and it will check the filesystem for errors and check every sector on the hard drive for damage. Any repairs to the filesystem will be made automatically, and any bad sectors on your hard drive will be marked so that Windows won't try to write data in them.

  2. Here is a download of a ZIP archive that contains a batch file. When run, this batch file will enable debug mode in Emsisoft Anti-Malware. Please extract this batch file from the ZIP archive, and make sure that you run it as an administrator. A black window will open momentarily, and it will quickly disappear once it is done (it should only take a second to make the change).

    After you run that batch file, please be sure to restart your computer, and then download DebugView from this link and follow these instructions:

    1. When downloading, make sure to save it on your Desktop instead of clicking 'Run' or 'Open'.
    2. Right-click on the 'DebugView' file that you just saved on your Desktop, and select "Extract All".
    3. Open the new DebugView folder that was created on your Desktop after extracting.
    4. Windows XP and 2000 users should double-click on the file named 'Dbgview'. Windows 7 and Vista users should right-click and select "Run as Administrator".
    5. Click on the 'Capture' menu, and select everything except "Log Boot" (you will have to open the menu again after clicking to select an item).
    6. Do whatever it is you need to in order to replicate the issue.
    7. After you have replicated the issue you can switch back to DebugView and click 'File' and "Save As" in order to save the log to a file on your Desktop.
    8. Please attach that log file to a reply so that we may analyze it for errors.

  3. If you have an external hard drive and a bootable disk (Fedora Linux or Ubuntu, for instance), then you should be able to recover your data. A BartPE or UBCD4Win disk will work as well; however, they require a Windows XP CD to create.

    If you want to try the Linux disks, you can get one of the editions of Fedora from this link (I recommend either the KDE or the Xfce versions, as they will most likely be easier for you to use), and you can get Ubuntu from this link. When you start your computer up off of these disks, you will be able to browse the files on your hard drive and copy them to your flash drive or external hard drive.

  4. There are a few reasons why your computer's fans would be making a lot of noise. One could be bearing damage that causes noise when the fans spin faster, another could be too much dust in the fans, and there's also the possibility of an electrical issue.

    A bearing issue cannot be fixed; however, if you have a good silicone-based lubricant, many fans have a way to add lubricant in order to extend the lifespan of the fans.

    If it's just dust, then that can be removed with a can of compressed air.

    A power issue can usually be solved by plugging your computer in through a UPS (Uninterruptible Power Supply). Most UPS units will filter power, and this can help with a lot of issues (I've seen computers perform better when connected to a UPS, speakers emit less static when the volume was turned up, and various other small improvements when plugged into a UPS).

    Of course, even if any of those suggestions resolve the issue you are experiencing, I'm sure you'll still be wondering why the update process causes the fans to make noise. It's possible that some extra processing power is required for the updates, and this can cause the processor to heat up a little bit, which causes the fans to spin faster. How much your processor heats up depends on what processor your computer has and how good the heatsink and airflow inside the computer are.

  5. I have written a cleanup script for OTL (if you need to, you may download OTL from this link).

    1. Please copy the contents of the following CODE box, and in OTL under the Custom Scans/Fixes box at the bottom, paste in what you just copied from the following CODE box:
      :OTL
      SRV - (SBSDWSCService) -- C:\Program Files\Spybot File not found
      SRV - (PermissionResearch) -- C:\Program Files\PermissionResearch\prservice.exe (TMRG,  Inc.)
      SRV - (rpcnet) Remote Procedure Call (RPC) -- C:\Windows\System32\rpcnet.exe (Absolute Software Corp.)
      IE - HKLM\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2260173
      IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.link180.com/
      IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 2E 1A 52 E4 CA 1E CC 01  [binary data]
      IE - HKCU\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2260173
      FF - prefs.js..browser.search.defaultthis.engineName: "Swag Bucks Customized Web Search"
      FF - prefs.js..browser.search.defaulturl: "http://search.conduit.com/ResultsExt.aspx?ctid=CT2260173&SearchSource=3&q={searchTerms}"
      FF - prefs.js..browser.search.selectedEngine: "Swag Bucks Customized Web Search"
      FF - prefs.js..extensions.enabledItems: [email protected]:1.2
      FF - prefs.js..extensions.enabledItems: [email protected]:5.2.0.0
      FF - prefs.js..extensions.enabledItems: {635abd67-4fe9-1b23-4f01-e679fa7484c1}:2.1.1.20091029021655
      FF - prefs.js..extensions.enabledItems: {8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}:3.8.1.0
      FF - prefs.js..extensions.enabledItems: {3e0e7d2a-070f-4a47-b019-91fe5385ba79}:3.1.3
      FF - HKLM\Software\MozillaPlugins\@worldwinner.com/Launcher2,version=1.10.0.25: C:\Program Files\WorldWinner.com, Inc\WorldWinner Games\npwwload.dll (WorldWinner.com, Inc.)
      FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{3C5F0F00-683D-4847-89C8-E7AF64FD1CFB}: C:\Program Files\PermissionResearch [2012/04/04 21:49:28 | 000,000,000 | ---D | M]
      [2012/03/09 20:30:48 | 000,000,000 | ---D | M] (AddThis) -- C:\Users\BPV\AppData\Roaming\Mozilla\Firefox\Profiles\0jwp8ts7.default\extensions\{3e0e7d2a-070f-4a47-b019-91fe5385ba79}
      [2012/03/07 16:32:11 | 000,000,000 | ---D | M] (Swag Bucks Community Toolbar) -- C:\Users\BPV\AppData\Roaming\Mozilla\Firefox\Profiles\0jwp8ts7.default\extensions\{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}
      [2011/02/15 05:34:11 | 000,000,000 | ---D | M] (ShopAtHome.com Intelligent Shopping Toolbar) -- C:\Users\BPV\AppData\Roaming\Mozilla\Firefox\Profiles\0jwp8ts7.default\extensions\[email protected]
      [2011/10/06 01:03:52 | 000,000,923 | ---- | M] () -- C:\Users\BPV\AppData\Roaming\Mozilla\Firefox\Profiles\0jwp8ts7.default\searchplugins\conduit.xml
      [2012/04/04 23:11:01 | 000,001,540 | ---- | M] () -- C:\Users\BPV\AppData\Roaming\Mozilla\Firefox\Profiles\0jwp8ts7.default\searchplugins\swagbuckscom.xml
      [2012/04/04 21:49:28 | 000,000,000 | ---D | M] (PermissionResearch) -- C:\PROGRAM FILES\PERMISSIONRESEARCH
      [2011/06/04 21:09:19 | 000,466,944 | ---- | M] (Catalina Marketing Corporation) -- C:\Program Files\mozilla firefox\plugins\NPcol400.dll
      [2011/06/04 21:09:19 | 000,466,944 | ---- | M] (Catalina Marketing Corporation) -- C:\Program Files\mozilla firefox\plugins\NPcol500.dll
      [2011/03/18 13:32:12 | 000,091,552 | ---- | M] (Coupons, Inc.) -- C:\Program Files\mozilla firefox\plugins\npCouponPrinter.dll
      [2011/03/18 13:32:14 | 000,091,552 | ---- | M] (Coupons, Inc.) -- C:\Program Files\mozilla firefox\plugins\npMozCouponPrinter.dll
      CHR - default_search_provider: search_url = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2260173
      CHR - plugin: CouponNetwork Coupon Activator Netscape Plugin v. 5.0.0.0 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\NPcol400.dll
      CHR - plugin: CouponNetwork Coupon Activator Netscape Plugin v. 5.0.0.0 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\NPcol500.dll
      CHR - plugin: Coupons Inc., Coupon Printer Manager  (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npCouponPrinter.dll
      CHR - plugin: Coupons Inc., Coupon Printer Manager  (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npMozCouponPrinter.dll
      CHR - Extension: Entanglement = C:\Users\BPV\AppData\Local\Google\Chrome\User Data\Default\Extensions\aciahcmjmecflokailenpkdchphgkefd\2.5.7_0\
      CHR - Extension: Poppit = C:\Users\BPV\AppData\Local\Google\Chrome\User Data\Default\Extensions\mcbkbpnkkkipelfledbfocopglifcfmi\2.2_0\
      CHR - Extension: PermissionResearch = C:\Users\BPV\AppData\Local\Google\Chrome\User Data\Default\Extensions\mkndcbhcgphcfkkddanakjiepeknbgle\1.3.331.4_0\
      O2 - BHO: (Swag Bucks Toolbar) - {8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94} - C:\Program Files\Swag_Bucks\prxtbSwa0.dll (Conduit Ltd.)
      O2 - BHO: (no name) - {9D425283-D487-4337-BAB6-AB8354A81457} - No CLSID value found.
      O2 - BHO: (AddThis Toolbar BHO) - {9EBF8AAF-0A31-4786-909A-97A0EF101743} - C:\Program Files\AddThis Toolbar\Toolbar.dll ()
      O2 - BHO: (ShopAtHomeIEHelper Class) - {E8DAAA30-6CAA-4b58-9603-8E54238219E2} - C:\Program Files\SelectRebates\Toolbar\ShopAtHomeToolbar1.dll (ShopAtHome.com)
      O3 - HKLM\..\Toolbar: (Swag Bucks Toolbar) - {8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94} - C:\Program Files\Swag_Bucks\prxtbSwa0.dll (Conduit Ltd.)
      O3 - HKLM\..\Toolbar: (ShopAtHome Toolbar) - {98279C38-DE4B-4bcf-93C9-8EC26069D6F4} - C:\Program Files\SelectRebates\Toolbar\ShopAtHomeToolbar1.dll (ShopAtHome.com)
      O3 - HKLM\..\Toolbar: (no name) - {9D425283-D487-4337-BAB6-AB8354A81457} - No CLSID value found.
      O3 - HKLM\..\Toolbar: (AddThis Toolbar) - {B43176CC-4D9E-493B-A636-D9CBFE39C6DA} - C:\Program Files\AddThis Toolbar\Toolbar.dll ()
      O3 - HKCU\..\Toolbar\WebBrowser: (Swag Bucks Toolbar) - {8BDEA9D6-6F62-45EB-8EE9-8A81AF0D2F94} - C:\Program Files\Swag_Bucks\prxtbSwa0.dll (Conduit Ltd.)
      O3 - HKCU\..\Toolbar\WebBrowser: (ShopAtHome Toolbar) - {98279C38-DE4B-4BCF-93C9-8EC26069D6F4} - C:\Program Files\SelectRebates\Toolbar\ShopAtHomeToolbar1.dll (ShopAtHome.com)
      O3 - HKCU\..\Toolbar\WebBrowser: (AddThis Toolbar) - {B43176CC-4D9E-493B-A636-D9CBFE39C6DA} - C:\Program Files\AddThis Toolbar\Toolbar.dll ()
      O4 - HKLM..\Run: [selectRebates] C:\Program Files\SelectRebates\SelectRebates.exe ()
      O4 - HKCU..\Run: [{4669E75E-65D5-159C-A4BC-C1109D1D8AD6}] C:\Users\BPV\AppData\Roaming\Tiloap\firisi.exe (TLN Team)
      O4 - HKCU..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
      [2012/03/25 12:18:59 | 000,000,000 | ---D | C] -- C:\Users\BPV\AppData\Roaming\Ygvum
      [2012/03/25 12:18:59 | 000,000,000 | ---D | C] -- C:\Users\BPV\AppData\Roaming\Qyux
      [2012/03/25 12:18:59 | 000,000,000 | ---D | C] -- C:\Users\BPV\AppData\Roaming\Budilu
      @Alternate Data Stream - 207 bytes -> C:\ProgramData\TEMP:07C99568
      @Alternate Data Stream - 197 bytes -> C:\ProgramData\TEMP:260575F1
      @Alternate Data Stream - 193 bytes -> C:\ProgramData\TEMP:63CD0333
      @Alternate Data Stream - 125 bytes -> C:\ProgramData\TEMP:2C678471
      
      :Commands
      [EMPTYTEMP]
      [RESETHOSTS]


    2. Then click the Run Fix button at the top.
    3. Let the program run unhindered, restart your computer when it is done (it may automatically restart your computer on its own).
    4. After your computer has restarted, please open OTL again and click the Quick Scan button. Attach the log it produces in your next reply (just the OTL log, as I don't need to see the Extras log again). You will need to click the button that says More Reply Options to the lower-right of where you type your reply to be presented with the attachment controls.

  6. That's OK, I don't want you to reinstall Windows. There's a special disk you can make called Ultimate Boot CD 4 Windows (UBCD4Win), and all you need to make it is a Windows XP disk, a blank CD, and a CD burner. You should be able to run a System Restore from this disk.

    Although, now that I think about it, Windows 7 should have an option when starting up to load the Recovery Environment, which you should be able to run a System Restore from as well. That will allow you to restore your computer back to a time before the infection happened, which should repair your system's networking services. You can load the Recovery Environment by following the instructions at this link and selecting the Recovery Environment instead of Safe Mode.

  7. OK, I deleted the duplicates.

    ZeroAccess likes to hijack the network services, and improper removal can damage them and the ZeroAccess infection will just recreate itself with new files and new services. Unfortunately this one seems to be a little tougher than normal, so it could be a newer variant.

    Are you able to download utilities from another computer, and transfer them with a USB flash drive?

  8. OK, let's get a new OTL log. Please run OTL by following the instructions below:

    1. Click this link to save OTL onto your desktop (please make sure to click 'Save' instead of 'Run').
    2. Double click on the OTL icon on your desktop to run it. Make sure all other windows are closed and to let it run uninterrupted.
    3. Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan will take a few minutes.
    4. When the scan completes, it will open two Notepad windows: OTL.Txt and Extras.Txt. The first one (OTL.txt) will be automatically saved on your desktop next to OTL, and the second one will need to be saved manually.
    5. Please make sure that both OTL.txt and Extras.txt are saved on your desktop, and then attach both of them to a reply so that we can take a look at them.

  9. Topic reopened. ;)

    OK, your ComboFix log looks pretty good. Let's get a third-party opinion just to make sure that I'm not missing anything. Please run an online virus scan through ESET by following the steps below:

    1. Turn off your anti-virus software.
    2. Click on this link.
    3. Click on the ESET Online Scanner button.
    4. Put a check in the box that says YES, I accept the Terms of Use.
    5. Click the 'Start' button just to the right of the checkbox.
    6. Uncheck the box that says Remove found threats (this is very important).
    7. Click on Advanced settings.
    8. Put a check in the box that says Scan for potentially unsafe applications.
    9. Verify that Scan for potentially unwanted applications is also checked.
    10. Verify that Enable Anti-Stealth technology is also checked.
    11. Click the Start button in the lower-right corner of the page, and it will begin downloading its database, and then it will start scanning.
    12. When the scan is done, if it shows a screen that says Threats found!, then click List of found threats, and then click Export to text file... (if nothing was found, then just let me know that no threats were found).
    13. Save that text file on your desktop, and then attach it to a reply (using the More Reply Options button in the lower-right corner of this forum topic) for me.
    14. Close the ESET online scan.

    I will take a look at the log, and let you know if anything needs to be removed.
