HoggyDog

Member (Content Count: 65)
Everything posted by HoggyDog

  1. TDSSkiller just found 6 unsigned files. Skipped them per instructions. Here's the log: Pls advise. Thanks.
  2. OK, followed the above instructions except for the last. Either the link you provided for Secunia PSI is broken or I am still infected. No matter how many times I click the Download button, nothing gets downloaded. Worse, there is no "Click here if your download does not begin" link to force the download. The destination folder eventually ends up with a "dummy file" named PSIsetup (with no file extension) and a size of zero bytes. Just to make sure, I have double-clicked the fake file, and I then get an error box saying that the file is not a valid Windows file. So I went to CNET to download PSI, being sure to decline all the PUPs. I was able to install PSI, but after installing it, telling it to Scan results in a non-moving progress bar stuck at about 2% completion and a tiny message that it is determining which files to check for currency. This remains unchanged for 10-15 minutes, until I finally lose patience and Alt-F4 it down. So, the bottom line is that it is not possible to install or run PSI. If you have any suggestions I would love to hear them. Thanks.
  3. FRST Fix seems to have run OK. Here's the log: Pls. advise if there's anything else I need to do. Thanks.
  4. Both EEK and FRST seemed to run OK. Here are the logs: Pls advise how to fix the registry entry that seems to be disabling registry tools. Thanks.
  5. Followed latest instructions. Anomalies encountered:

     The instructions did not mention shutting down Online Armor and/or Anti-Malware before running CF, so I didn't shut either of them down. This caused a non-stop sequence of literally dozens of Online Armor challenges wanting me to authorize various obscure programs and DLLs that I have never heard of to run. Very disconcerting and a major omission in these latest instructions. I was finally able to shut them down when CF finally stopped spamming processes at me via OA and said it had detected Emsisoft Anti-Malware running and would wait for me to shut it down. Truly a very serious omission from the instructions that may have compromised the run and hence the result.

     Although I was finally able to shut down Online Armor (see above), after the CF reboot, OA was back in full force and completely disrupted the CF after-reboot process with many more OA challenges that I had to authorize one by one. If there is any way to prevent OA from running after the CF reboot, I am not aware of it. This is another serious omission in the instructions.

     After dragging CFScript.txt onto the CF executable on my desktop, I got a notice that a newer version of CF was available. The instructions don't mention how to handle this, but since the previous instructions did mention it, I took a chance on interrupting the whole script process by updating and let it do so. Accordingly, I have no idea whether or not CF actually ran the script when it relaunched itself after the update.

     A file called C:\Combofix.txt WAS produced as the instructions specified. Here it is. Please advise what I should do next, and thanks.
  6. Anomalies encountered following above instructions:

     Although I right-clicked on the Emsisoft Anti-Malware taskbar icon and told it to shut itself down, ComboFix reported that Emsisoft Guard Scanner was still active but that ComboFix would try to run anyway. The only option offered at that point was [OK]. Online Armor shut itself down on command without incident, as did Malwarebytes.

     Immediately after I clicked [Yes] on ComboFix's initial Recovery Console Query dialog box (exactly as you show in the instructions), I got an immediate error message saying that no Internet connection could be found. Without doing anything (such as rebooting the router, wiggling Ethernet cables, etc.) I just immediately hit "Try Again" and the installation appeared to finish normally.

     Contrary to the above instructions, there was no file named combofix.txt anywhere on my hard disk after the run. Contrary to the above instructions, there was no path on my computer named C:\combofix after the run. Doing a search for file mask *.txt filtered for all files modified today found a file named log.txt in C:\Documents & Settings\[all users]\local\temp. Opening that file shows it to be the ComboFix log file.

     As to how my system is running, I went back to BleepingComputer.com to redownload the FarBar tool as a test because one of you guys said if I was getting Firefox redirect warnings on that page then my machine was definitely infected (see above in this thread). I got an immediate redirect on the FarBar download page, then another on the page of ads the first one took me to after I hit Allow on the first redirect warning.

     So either you guys are mistaken and the BleepingComputer FarBar download page you are linking people to does in fact have legitimate redirects on the URL you are linking to (above) and you just have the warnings turned off in your browsers so you don't know you have been redirected, OR my machine is still infected/browser-hijacked with something despite running every remedial tool known to man on it in the past 3 days. I'm attaching the only file I found that remotely resembles a ComboFix log even though both the name and path are not even close to what you specified in your instructions. Please advise. Thanks.
  7. Oops, my bad. Please disregard the above note about running as Admin in XP. Your instructions clearly say to do that only if running Vista or W7.
  8. Followed your instructions, encountered two anomalies:

     Right-clicking JRT.exe to try to run it as Administrator did NOT produce any option to run it as Administrator; therefore, I just double-clicked it and ran it under my username account, which is also an Administrator. I'm not sure that the option to run something as Administrator even exists in XP, or that it would be needed since XP isn't afflicted with Windows 7's horrible UAC.

     AdwCleaner produced not one but two text files, named AdwCleaner[RO].txt and AdwCleaner[sO].txt. I was not able to save it to the desktop when it popped up because you did not specify a file name, and a user must manually enter a file name in order to use the "Save As..." function on an open Notepad file. The existing file name was so long in Notepad that it was truncated, so I was not able to determine what the name of the file was while it was open in Notepad. Once I hit "Save As," the existing file name went away and I was on my own. Accordingly, not being able to save it to my desktop, I just closed it and later went to C:\AdwCleaner to find it, but I found two of them. So because you did not specify which of the two AdwCleaner output text files you wanted, I am attaching both of them. Logs attached. Thanks.
  9. OK, I downloaded Farbar using my W7-64 machine and copied it to this machine via the network. Here are all of the logs per the instructions. Thanks.
  10. OK, I will try to send you the files that you want. Unfortunately, I am blocked at the first step: the Farbar Recovery Scan Tool will not download to my machine. The link takes me to bleepingcomputer.com, showing the Farbar tool and 2 download options, 32-bit and 64-bit. I click the 32-bit button (because the attack occurred on my old XP machine, which is 32-bit) and I get a redirect warning from Firefox. I Allow it, then I immediately get another redirect warning from Firefox, so I Allow that, and finally I land on a page full of advertisements for 20-30 computer security products. Farbar is not among those products, and no download ever starts. With all due respect, it would be much safer and more productive if YOU would host the files you want us to download. The thousands of websites offering 10,000 junk products, some of which are undoubtedly malicious and all of which say "Recommended" as though that was worth something, are messy, unreliable and unsafe. Please advise a safe, straightforward location where I can actually get the Farbar tool you want me to run. Thank you.
  11. Well, based on the forum title "Help! My PC is infected!" this is not the appropriate place for my report either. My PC is not infected with anything as far as I know. Submitting an EEK log seems pointless since EEK didn't find anything on a deep scan immediately after the attack; what use is a log that says "No threats found"?? I am not asking for, nor do I require, any help removing anything from my PC since there is nothing on my PC that needs to be removed as far as I know. Although I thank you for the link to instructions (why isn't this link stickied at the top of all the forums???) there still are no instructions on what, exactly, is the meaning of "personal malware submission thread" or how to create one.

      I realize you guys are busy. However, I respectfully ask someone to ACTUALLY READ my original post, which describes not "malware" but an externally-initiated browser hijack and malware install attack, which I thwarted myself by not clicking on the OK button on the popup, or any of the other links it offered, and then deliberately crashing my own machine by abruptly disconnecting power. Since I prevented the attacker from installing his software on my machine, there is no malware on my machine that I need any help removing! Why is this so hard to understand?

      The entire point of my report is:
        • Emsisoft Guard failed to prevent the hijacking of Firefox to an unknown and unintended URL
        • The attack directly targeted my Emsisoft installation and disabled/removed it
        • Emsisoft failed to prevent the attacker from disabling and then uninstalling Emsisoft

      Of what possible use is an EEK log in this case? Why do I have to jump through 10,000 hoops in order to report this attack, which DIRECTLY TARGETED MY EMSISOFT INSTALLATION, to Emsisoft and have someone who can read and understand it respond to the specific problems I reported instead of boilerplate on how to get help removing malware? Thanks for the responses, but neither one of them is relevant to what I reported.

      Let me help you formulate an appropriate response: "Dear paying customer: Thank you for purchasing and relying on Emsisoft for your personal computer security, and thank you for reporting this hijack and anti-Emsisoft attack. We were not aware of this type of attack until your report, and... We have seen this type of attack before, and... ...we are investigating how Emsisoft could be maliciously disabled and then uninstalled by an external attacker without the user having clicked on anything. We are sorry that Emsisoft's failure necessitated you crashing your machine to protect it from the attack once Emsisoft had failed to do so, but commend you for immediately noticing that Emsisoft had been disabled and then taking quick action to prevent further damage. Please rest assured that future updates of Emsisoft will be strengthened to eliminate this unfortunate vulnerability in our award-winning security software product. Sincerely, your Emsisoft Team." Have a great day.
  12. I was viewing fallout.wikia.com/wiki/Fallout_New_Vegas (on my older XP-SP3 machine using Firefox-latest and Emsisoft Guard enabled) last night when suddenly a popup appeared telling me that I didn't have the "fastest video player" and I should click OK then click a link to install it. The underlying URL was some gobbledy-gook gibberish hash of alpha and numeric characters, certainly nothing that seemed the least bit legitimate and nothing whatsoever related to Adobe, Shockwave Flash, etc. Rather than click on anything, I first tried to launch Emsisoft from its icon on the taskbar, but was amazed to see that no such icon existed! Somehow, whatever hijacked me away from the wiki had shut down Emsisoft!!! I immediately clicked the X to shut down my browser, and got a Firefox warning: "You are about to close 34 tabs. Continue/Cancel?" This was even more surprising because I had only two tabs open at the time: one for the wiki I intended to be on and the other for the malicious site that wanted me to click on things to install who-knows-what. Now thoroughly spooked, I simply removed the power cord from my computer, which of course succeeded in shutting it down instantly without having to click on anything.

      After a few minutes and a beer, I plugged it back in and booted up. After all the "abnormal shutdown" rigmarole to restore Windows XP to a stable state, I was surprised to see that whatever had shut Emsisoft down had done so permanently: no icon appeared at all on my taskbar. So whatever shut it down also removed it from the Autorun section. I launched Emsisoft manually and was surprised to have it ask me to either enter a license or enter a free trial. I have been running Emsisoft licensed (paid) on that machine for months and months. So my attacker not only shut down Emsisoft, it uninstalled it! After finally getting Emsisoft re-installed and updated, I ran a deep scan and it found nothing.

      So I have no virus report to show you, nor any file to submit as "suspicious." However, I am EXTREMELY concerned that Emsisoft was vulnerable to an attacker not only shutting it down, but uninstalling it. Please advise if there is anything I can send you that might help you to figure out what happened. Thanks.

      PS: I read the sticky asking for me to create a personal malware submission thread; however, the poster declined to provide a link or any clues how to do that, and there is absolutely no visible way on this forum to do that, even if I could figure out what a "personal malware submission thread" even is. I would be more than happy to comply with your instructions if you would make them clear, descriptive and relatively easy to follow.
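Post 4 above asks how to deal with a registry entry that "seems to be disabling registry tools". Malware that blocks regedit usually does it through the documented Windows policy value DisableRegistryTools under the Policies\System key; the following PowerShell is an added example written for this page, not something posted in the thread or shipped by Emsisoft, FRST or any other tool named above. It assumes you run it in an elevated PowerShell on the affected machine and that no corporate Group Policy legitimately sets the value (if one does, the setting will simply be re-applied on the next policy refresh).

```powershell
# Added example, not from the thread. Reports, and optionally clears, the
# policy value that makes regedit refuse to start ("Registry editing has
# been disabled by your administrator"). DisableRegistryTools is the
# documented Windows policy value; the key paths below are the standard
# per-user and per-machine policy locations.

$policyKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
)

function Get-RegistryToolsPolicy {
    foreach ($key in $policyKeys) {
        if (-not (Test-Path $key)) {
            [pscustomobject]@{ Key = $key; DisableRegistryTools = 'key absent' }
            continue
        }
        $item = Get-ItemProperty -Path $key -Name DisableRegistryTools -ErrorAction SilentlyContinue
        if ($null -eq $item) {
            [pscustomobject]@{ Key = $key; DisableRegistryTools = 'not set' }
        } else {
            # 1 = regedit blocked, 2 = blocked even in silent (/s) mode
            [pscustomobject]@{ Key = $key; DisableRegistryTools = $item.DisableRegistryTools }
        }
    }
}

function Clear-RegistryToolsPolicy {
    # Only removes the value; the Policies\System key itself is left alone
    # because other (legitimate) policy values may live there.
    foreach ($key in $policyKeys) {
        if (Test-Path $key) {
            Remove-ItemProperty -Path $key -Name DisableRegistryTools -ErrorAction SilentlyContinue
        }
    }
}

Get-RegistryToolsPolicy | Format-Table -AutoSize
# Uncomment after reviewing the output above:
# Clear-RegistryToolsPolicy
```

On the XP-SP3 machine the thread is about, where PowerShell may not be installed, the same check from a cmd prompt is `reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools` (and again with HKLM), and `reg delete ... /v DisableRegistryTools /f` removes it. Clearing the value only restores access to regedit; it does not remove whatever set it, so the scan and log steps the helpers requested are still needed.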