


Everything posted by Elise

  1. Unfortunately such a link is hard to find! (I don't know of any, but then I'm not much of an online gamer.) I will close this topic; if you need it reopened, please send me a PM.
  2. I am glad to hear that! Some final steps are included below.

     ALL CLEAN
     --------------
     Your machine appears to be clean. Please take the time to read below on how to secure the machine and take the necessary steps to keep it clean.

     Please do the following to remove the remaining programs from your PC:
     • Delete the tools used during the disinfection: Press windows key + r on your keyboard at the same time. In the run box type combofix /uninstall, then press OK. This will remove Combofix and other tools we used from your computer.
     • You can delete any other tool or log by simply deleting them.

     Please read the following advice on how to prevent reinfecting your PC:
     • Install and update the following programs regularly:
       - an outbound firewall. If you are connected to the internet through a router, you are already behind a hardware firewall and as such you do not need an extra software firewall. A comprehensive tutorial and a list of possible firewalls can be found here.
       - an AntiVirus Software. It is imperative that you update your AntiVirus Software on a regular basis. If you do not update your AntiVirus Software then it will not be able to catch the latest threats.
     • Keep Windows (and your other Microsoft software) up to date! I cannot stress enough how important this is. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer. Therefore, please, visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!
     • Keep your other software up to date as well. Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on your machine.
     • Stay up to date! The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing.

     Some more links you might find of interest:
     • Miekies' prevention suggestions
     • So How did I get infected?
     • Microsoft - 'Security at home'
     • Calendar of Updates: See which updates have been released.
     • How to backup your Data with Cobian Backup: because you never know when your harddisk might fail ;)
     • Commonly Used Freeware Replacements: a nice list of freeware programs in all categories that are regarded as useful by the users of this forum.
     • osalt: Find (free) open source alternatives to known commercial software.

     Please reply to this topic if you have read the above information. If your computer is working fine, this topic will be closed afterwards.
  3. This does not mean the file size is zero; the file contains data, but all data consists of zero-characters.
     Download BlitzBlank and save it to your desktop.
     • Open Blitzblank.exe
     • Click OK at the warning (and take note of it, this is a VERY powerful tool!).
     • Click the script tab and copy/paste the following text there:

         DeleteFile:
         C:\WINDOWS\System32\Drivers\gfkkinsymgeaokm.sys

     • Click Execute Now. Your computer will need to reboot in order to replace the files.
     • When done, post me the report created by Blitzblank.
  4. Can you please open EAM, and click the Quarantine tab (left panel). Look under Source for the detected file and let me know how many times it is present in the list. As a general note, the file, as you can see, is zero-byte, meaning that it contains no data and as such is not malicious. We still need to make sure it's gone, but at least it doesn't pose a threat to your computer.
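
     The distinction drawn in the two posts above, a zero-length file versus a file that has a size on disk but contains only 0x00 bytes, can be checked directly rather than read off a quarantine listing. The Python below is an added example, not code from this thread, from Emsisoft or from any of the tools mentioned; it classifies a path as missing, zero-length, zero-filled or containing data, and computes the SHA-256 that VirusTotal's search box accepts. The sample files it writes into a temporary directory are constructed for the demo and are not the gfkkinsymgeaokm.sys driver.

```python
# Added example: tell a zero-length file from a zero-filled one and hash it
# for a VirusTotal lookup. Sample files are constructed here, not real drivers.
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # read in 1 MiB pieces so a large driver is not held in memory


def classify_file(path):
    """Return 'missing', 'zero-length', 'zero-filled' or 'data'.

    'zero-length' is a file of 0 bytes; 'zero-filled' is a file that has a
    size on disk but every byte is 0x00 (the case described in post 3 above).
    """
    if not os.path.isfile(path):
        return "missing"
    if os.path.getsize(path) == 0:
        return "zero-length"
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            # bytes.count(0) counts 0x00 bytes; any other byte means real data
            if chunk.count(0) != len(chunk):
                return "data"
    return "zero-filled"


def sha256_of(path):
    """SHA-256 hex digest of the file; VirusTotal search accepts this directly."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def triage(path):
    """One-line summary of a suspect file, as you would report it in a thread."""
    kind = classify_file(path)
    if kind == "missing":
        return {"path": path, "kind": kind}
    return {"path": path, "kind": kind,
            "size": os.path.getsize(path), "sha256": sha256_of(path)}


def build_samples(directory):
    """Constructed sample files covering each case (not files from the thread)."""
    samples = {
        "empty.sys": b"",                                  # zero-length
        "zeros.sys": b"\x00" * 4096,                       # zero-filled, 4 KiB on disk
        "stub.sys": b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x90" * 100,  # has data
    }
    paths = {}
    for name, data in samples.items():
        path = os.path.join(directory, name)
        with open(path, "wb") as fh:
            fh.write(data)
        paths[name] = path
    return paths


def demo():
    """Build the samples, triage each one and return {name: kind}."""
    with tempfile.TemporaryDirectory() as tmp:
        paths = build_samples(tmp)
        result = {name: triage(p)["kind"] for name, p in paths.items()}
        result["absent.sys"] = triage(os.path.join(tmp, "absent.sys"))["kind"]
        return result


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for name, p in build_samples(tmp).items():
            print(name, triage(p))
```

     A zero-filled file is not necessarily harmless on its own: a driver that is overwritten with zeros but still registered as a service can stop the machine from booting, which is why the thread still goes on to remove it cleanly.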
  5. Can you please upload the file to http://www.virustotal.com? C:\WINDOWS\System32\Drivers\gfkkinsymgeaokm.sys Link me to the search results please (if the file does not show up, simply type its name into the Open box).
  6. You can download the uninstaller here: https://remoteassist.ca.com/supportbridge/jsp/selfserve/processScriptRequestOwnWindow.jsp?divisionID=7&scriptID=254
  7. Please calm down. Is this the same computer as the one you just got booting again? Please run DDS as instructed. Also download and run unhide.exe and let me know if that makes the desktop files visible again: http://www.bleepingcomputer.com/download/unhide/dl/6/
  8. Let's have a look at this file and see if we can find out a bit more about it; it looks like it was removed but is being recreated. It's not said it's malicious, though, although it is definitely looking that way (still, there are some legit programs that use similar files).

     CF-SCRIPT
     -------------
     Open notepad and copy/paste the text in the quotebox below into it: <http://support.emsisoft.com/topic/8508-help-pc-infected-with-rootkitwin32agente2/#entry52215>

         Collect::
         C:\WINDOWS\System32\Drivers\gfkkinsymgeaokm.sys

     Save this as CFScript.txt
     Referring to the picture above, drag CFScript.txt into ComboFix.exe
     When finished, it shall produce a log for you. Post that log in your next reply.
     **Note** When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis. Ensure you are connected to the internet and click OK on the message box.
  9. Sorry, saw your next posts just now. We need to see some information about what is happening in your machine. Please perform the following scan:
     • Download DDS by sUBs from one of the following links. Save it to your desktop. DDS.scr DDS.pif
     • Double click on the DDS icon, allow it to run.
     • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
     • Notepad will open with the results.
     • Follow the instructions that pop up for posting the results.
     • Close the program window, and delete the program from your desktop.
     Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. Information on A/V control HERE
  10. Hi again, not so fast, we're getting there! Please let me know if you can use windows normally after the following fix.
     Open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad. Save it on the flashdrive as fixlist.txt

         replace: C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe C:\Windows\System32\services.exe
         C:\Windows\Installer\{b0e51b7c-e1f7-af15-5358-309f190e53fc}
         C:\Windows\Installer\{b0e51b7c-e1f7-af15-5358-309f190e53fc}\@
         C:\Windows\Installer\{b0e51b7c-e1f7-af15-5358-309f190e53fc}\L
         C:\Windows\Installer\{b0e51b7c-e1f7-af15-5358-309f190e53fc}\n
         C:\Windows\Installer\{b0e51b7c-e1f7-af15-5358-309f190e53fc}\U
         C:\Windows\Installer\{b0e51b7c-e1f7-af15-5358-309f190e53fc}\L\[email protected]
         C:\Windows\Installer\{b0e51b7c-e1f7-af15-5358-309f190e53fc}\U\[email protected]
         C:\Windows\Installer\{b0e51b7c-e1f7-af15-5358-309f190e53fc}\U\[email protected]
         C:\Windows\Installer\{b0e51b7c-e1f7-af15-5358-309f190e53fc}\U\[email protected]
         C:\Windows\Installer\{b0e51b7c-e1f7-af15-5358-309f190e53fc}\U\[email protected]
         C:\Users\The GooD\AppData\Local\{b0e51b7c-e1f7-af15-5358-309f190e53fc}
         C:\Users\The GooD\AppData\Local\{b0e51b7c-e1f7-af15-5358-309f190e53fc}\@
         C:\Users\The GooD\AppData\Local\{b0e51b7c-e1f7-af15-5358-309f190e53fc}\L
         C:\Users\The GooD\AppData\Local\{b0e51b7c-e1f7-af15-5358-309f190e53fc}\U

     NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.
     On Vista or Windows 7: Now please enter System Recovery Options.
     On Windows XP: Now please boot into the BartPE CD.
     Run FRST64 and press the Fix button just once and wait. The tool will make a log on the flashdrive (Fixlog.txt); please post it in your reply.
  11. Hello again, First we need to search for a replacement file for the infected services.exe. Boot to System Recovery Options and run FRST. Type the following in the edit box after "Search:". services.exe Note: The file names should be separated by semicolon (;) It then should look like: Search: services.exe Click Search button and post the log (Search.txt) it makes in your reply (please do not attach the file).
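
     The search in post 11 above exists to answer one question before the replace: line in post 10 is trusted: which copies of services.exe are on the disk, and do they agree with each other? The Python below is an added example, not code from this thread, from Emsisoft or from FRST; it walks one or more directory trees for a file name, groups the hits by SHA-256, and lists the copies whose hash differs from the one currently in System32. The System32 and WinSxS layout it builds in a temporary directory is constructed for the demo, and the "differs from the System32 copy" rule is only a starting point: a candidate still needs its file version and digital signature checked before it is used as a replacement.

```python
# Added example: find every copy of a file name under some roots, group by
# SHA-256 and list the copies that differ from the one in System32. The
# directory layout below is constructed for the demo, not taken from a real PC.
import hashlib
import os
import tempfile
from collections import defaultdict

CHUNK = 1 << 20


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def find_copies(roots, filename):
    """Return {sha256: [paths]} for every file called `filename` under `roots`.

    Name comparison is case-insensitive, as NTFS names are. Files that cannot
    be read (locked, permission denied) are skipped instead of aborting the walk.
    """
    groups = defaultdict(list)
    wanted = filename.lower()
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if name.lower() == wanted:
                    path = os.path.join(dirpath, name)
                    try:
                        groups[sha256_of(path)].append(path)
                    except OSError:
                        continue
    return dict(groups)


def replacement_candidates(groups, infected_path):
    """Copies whose hash differs from the file at `infected_path`.

    Heuristic only: a different hash says the copy is not the same file, not
    that it is clean. Check version and Authenticode signature before using it.
    """
    infected = sha256_of(infected_path)
    return sorted(p for digest, paths in groups.items()
                  if digest != infected for p in paths)


def build_layout(base):
    """Constructed layout: a patched System32 copy and two WinSxS store copies."""
    patched = b"MZ" + b"\x00" * 62 + b"PE\x00\x00patched-services"
    clean_rtm = b"MZ" + b"\x00" * 62 + b"PE\x00\x00clean-services-7600"
    clean_sp1 = b"MZ" + b"\x00" * 62 + b"PE\x00\x00clean-services-7601"
    files = {
        os.path.join("Windows", "System32", "services.exe"): patched,
        os.path.join("Windows", "winsxs", "amd64_services_6.1.7600.16385", "services.exe"): clean_rtm,
        os.path.join("Windows", "winsxs", "amd64_services_6.1.7601.17514", "services.exe"): clean_sp1,
        # same stem but a different name; must not be picked up by the search
        os.path.join("Windows", "winsxs", "amd64_services_6.1.7600.16385", "services.exe.mui"): b"mui",
    }
    for rel, data in files.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return os.path.join(base, "Windows", "System32", "services.exe")


def demo():
    """Build the layout, run the search and report what a fix would choose from."""
    with tempfile.TemporaryDirectory() as tmp:
        infected = build_layout(tmp)
        groups = find_copies([os.path.join(tmp, "Windows")], "services.exe")
        candidates = replacement_candidates(groups, infected)
        return {
            "distinct_hashes": len(groups),
            "total_copies": sum(len(v) for v in groups.values()),
            "candidates": sorted(os.path.relpath(p, tmp).replace(os.sep, "/")
                                 for p in candidates),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

     On a real system the roots would be the Windows directory of the offline installation (for example D:\Windows when booted into System Recovery Options), and the WinSxS copy whose version matches the installed service pack is the one a replace: line would name.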
  12. Thank you for the additional information, that is very helpful!
     Download Farbar Recovery Scan Tool 64-Bit and save it to a flash drive. Plug the flashdrive into the infected PC. Enter System Recovery Options.

     To enter System Recovery Options from the Advanced Boot Options:
     • Restart the computer.
     • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
     • Use the arrow keys to select the Repair your computer menu item.
     • Select US as the keyboard language settings, and then click Next.
     • Select the operating system you want to repair, and then click Next.
     • Select your user account and click Next.

     To enter System Recovery Options by using Windows installation disc:
     • Insert the installation disc.
     • Restart your computer.
     • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
     • Click Repair your computer.
     • Select US as the keyboard language settings, and then click Next.
     • Select the operating system you want to repair, and then click Next.
     • Select your user account and click Next.

     On the System Recovery Options menu you will get the following options: Startup Repair, System Restore, Windows Complete PC Restore, Windows Memory Diagnostic Tool, Command Prompt.
     • Select Command Prompt.
     • In the command window type in notepad and press Enter.
     • The notepad opens. Under File menu select Open.
     • Select "Computer" and find your flash drive letter and close the notepad.
     • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter. Note: Replace letter e with the drive letter of your flash drive.
     • The tool will start to run.
     • When the tool opens click Yes to disclaimer.
     • Press Scan button.
     • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
  13. Hello, and welcome to Emsisoft support forums! Could you give me a bit more information about the state of your computer: what windows version is this, what happened before this restart began, have you tried Safe Mode? How far does the computer actually boot before the restart occurs? (what is the last screen you see before the restart)
  14. What actual problems are you experiencing at this point? Your log indicates there are some problems with Symantec remnants. Please run the following to remove them. Please click HERE and follow the instructions in STEP 2 to download and run the norton removal tool.
  15. Hello Allan, and welcome to Emsisoft Support forums. Let's run a rootkit scanner here to see if it will be able to remove this threat.
     Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
     • Double-click on TDSSKiller.exe to run the tool for known TDSS variants. Vista/Windows 7 users right-click and select Run As Administrator.
     • If TDSSKiller does not run, try renaming it. To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
     • Click the Start Scan button. Do not use the computer during the scan.
     • If the scan completes with nothing found, click Close to exit.
     • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options. Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
     • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller. will be created and saved to the root directory (usually Local Disk C:). Copy and paste the contents of that file in your next reply.
     Also, please rerun OTL, click the NONE button, then change the value under Extra Registry to "use safelist" and click Run Scan. This will ensure extra.txt is created. Please post me this log as well.
  16. It looks like the Toggle Editing Mode is finally fixed in this version (it no longer seems to revert back to RTE)! A browser is as safe as its user (as long as you make sure you keep it updated, as well as any add-ons you use). You can use ten different security extensions; if you visit or download things from sites that you had better stay away from, you can still infect a computer without any sort of problem, even with the safest browser.