Kevin Zoll

Emsisoft Employee
  • Content count: 17907
  • Days Won: 155

Kevin Zoll last won the day on June 28

Community Reputation: 263 Excellent

Followers: 7

About Kevin Zoll

  • Rank
    Malware Removal Support
  • Birthday 12/04/60

Contact Methods

  • Website URL
    http://www.malwareteks.com/

Profile Information

  • Gender
    Male
  • Location
    Depauville, NY, USA
  • Interests
    Computer Security, Malware Research, Malware Removal, Computer Programming, Website Design

  1. John, Changing tools. Download RogueKiller from https://www.fosshub.com/RogueKiller.html and save it to your desktop.
     • Double-click on setup.exe to install RogueKiller. Close all programs and disconnect any USB or external drives before running the tool.
     • Right-click RogueKiller.exe and select Run As Administrator to run the tool.
     • Once the Prescan has finished, click Scan.
     • Once the Status box shows "Scan Finished", click on the "Report" button and attach the scan log to your reply.
  2. This system is infected with the SmartService Trojan, which is likely interfering with our software's cleaning engine. Try this: download and run MBAR according to this post: https://forums.malwarebytes.com/topic/198907-requested-resource-is-in-use-error-unable-to-start-malwarebytes/ It has proven to be somewhat effective against SmartService.
  3. Hi, Let's get a fresh set of logs for the current system. Run fresh scans with Emsisoft Emergency Kit (EEK) and FRST, and attach the new EEK and FRST scans to your reply.
  4. Holy Crap! I cannot do this by myself...

    David, The FRST scan log is incomplete. Looks like it did not run correctly. Let's try a different tool. Download RogueKiller from https://www.fosshub.com/RogueKiller.html and save it to your desktop. Double-click on setup.exe to install RogueKiller. Close all programs and disconnect any USB or external drives before running the tool. Right-click RogueKiller.exe and select Run As Administrator to run the tool. Once the Prescan has finished, click Scan. Once the Status box shows "Scan Finished", click on the "Report" button and attach the scan log to your reply.
  5. Getting rid of Bing.

    BML, Have you tried what is suggested here: https://itstillworks.com/uninstall-bing-back-google-25948.html
  6. You can start threads for each system, or wait until we are done with this system and then we can work on the next. Let's take a fresh look. Run fresh scans with Emsisoft Emergency Kit (EEK) and FRST, and attach the new EEK and FRST scans to your reply. Be sure to let me know how things are running.
  7. Download and run MBAR according to this post: https://forums.malwarebytes.com/topic/198907-requested-resource-is-in-use-error-unable-to-start-malwarebytes/ The above tool has a good success rate when dealing with SmartService.
  8. John, Do the following: Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

    HKLM-x32\...\Run: [] => [X]
    HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
    HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page =
    HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
    HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL =
    HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
    HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL =
    HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Local Page =
    URLSearchHook: HKLM-x32 - Freecorder Toolbar - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files (x86)\Freecorder\tbFree.dll No File
    URLSearchHook: HKU\S-1-5-21-1370685322-1198290777-1211605888-1001 - Freecorder Toolbar - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files (x86)\Freecorder\tbFree.dll No File
    BHO: VIPRE Search Guard Helper -> {963C8283-AE7F-4AA6-9B3B-847A8FC62C5E} -> C:\Program Files (x86)\VIPRE\x64\VSGx64.dll => No File
    BHO-x32: VIPRE Search Guard Helper -> {963C8283-AE7F-4AA6-9B3B-847A8FC62C5E} -> C:\Program Files (x86)\VIPRE\VSG.dll => No File
    Toolbar: HKLM - VIPRE Search Guard Toolbar - {A924C17A-5E94-4E02-BED5-49720BA6F7FA} - No File
    Toolbar: HKLM-x32 - VIPRE Search Guard Toolbar - {A924C17A-5E94-4E02-BED5-49720BA6F7FA} - No File
    Toolbar: HKLM-x32 - Freecorder Toolbar - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files (x86)\Freecorder\tbFree.dll No File
    Toolbar: HKU\S-1-5-21-1370685322-1198290777-1211605888-1001 -> No Name - {1392B8D2-5C05-419F-A8F6-B9F15A596612} - No File
    Handler: vipresg - {47BE2E5B-703B-444F-ABD3-05717D2191C6} - C:\Program Files (x86)\VIPRE\VSG.dll No File
    Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll No File
    FF Plugin-x32: @microsoft.com/WLPG,version=16.4.3528.0331 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [No File]
    R3 ALSysIO; C:\Users\John\AppData\Local\Temp\ALSysIO64.sys [17416 2017-11-21] (Arthur Liberman) <==== ATTENTION
    C:\ProgramData\simplitec

    Close Notepad. NOTE: It's important that both files, FRST64 and fixlist.txt, are in the same location or the fix will not work. NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system. Run FRST64 and press the Fix button just once and wait. If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after restart. The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply. Note: If the tool warns you about an outdated version, please download and run the updated version.
  9. Holy Crap! I cannot do this by myself...

    DO NOT reply to the Support Forums Notification Emails. They are informational only. Any and all email replies go to an inbox that is not monitored by support personnel. Always reply to my posts by logging into the support forums and posting your response in your support thread. Let's take a fresh look. Run fresh scans with Emsisoft Emergency Kit (EEK) and FRST, attach the new EEK and FRST scans to your reply. Be sure to let me know how things are running.
  10. CLOSED TimW

    Hi Tim, Just send me a PM, and I will take a look if you need help in the future. We no longer support BlitzBlank and it is no longer in active development. If you are getting Syntax Errors with BlitzBlank, enclose the path in quotes:

    DeleteFile: ReplaceWithDummy "C:\Users\OWNER\AppData\Local\zadtgpv" "C:\Users\OWNER\AppData\Local\exibrgo"
  11. Hi John, I will need 2 additional logs, before I begin cleaning up your system. Download Farbar Recovery Scan Tool and save it to your desktop. For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to your desktop. For x64 (x64) bit systems download Farbar Recovery Scan Tool x64 and save it to your desktop. Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version. Double-click to run it. When the tool opens click Yes to the disclaimer. Press Scan button. It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply. The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.
  12. Holy Crap! I cannot do this by myself...

    Behavior Blocker detected suspicious behavior "CodeInjector" of "C:\Program Files (x86)\Real\RealDownloader\realdownloader264.exe"
    Behavior Blocker detected suspicious behavior "TrojanDownloader" of "C:\Program Files (x86)\Real\RealDownloader\videodl.exe"

    RealDownloader is not malicious. Please submit both detections as false positives. Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

    ProxyServer: [S-1-5-21-1314812793-550930247-1527748754-1004] => localhost:8080
    HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.palikan.com/?f=1&a=plk_coinisre_17_31&cd=2XzuyEtN2Y1L1QzuzytD0BtCtC0CyCyEyCyE0CtAzz0F0E0CtN0D0Tzu0StBtDyEtBtN1L2XzutAtFtByBtFyEtFyDtDtN1L1Czu1BtAtN1L1G1B1V1N2Y1L1Qzu2SyE0A0CyEyByCzztDtGtCtAtAtDtG0FtD0BtBtGtA0Fzz0EtGyB0DyDtBtAzz0F0FtA0Ezy0F2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyE0EzztB0CtB0CyBtGtC0AzzzztGyEyEtB0EtGzztByCyEtGtByDyD0CyCyD0FyDyBtA0E0A2QtN0A0LzutB&cr=1344754233&ir=
    HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page =
    HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Local Page =
    HKU\S-1-5-21-1314812793-550930247-1527748754-1004\Software\Microsoft\Internet Explorer\Main,Local Page =
    SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.palikan.com/results.php?f=4&a=plk_coinisre_17_31&cd=2XzuyEtN2Y1L1QzuzytD0BtCtC0CyCyEyCyE0CtAzz0F0E0CtN0D0Tzu0StBtDyEtBtN1L2XzutAtFtByBtFyEtFyDtDtN1L1Czu1BtAtN1L1G1B1V1N2Y1L1Qzu2SyE0A0CyEyByCzztDtGtCtAtAtDtG0FtD0BtBtGtA0Fzz0EtGyB0DyDtBtAzz0F0FtA0Ezy0F2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyE0EzztB0CtB0CyBtGtC0AzzzztGyEyEtB0EtGzztByCyEtGtByDyD0CyCyD0FyDyBtA0E0A2QtN0A0LzutB&cr=1344754233&ir=&q={searchTerms}
    SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.palikan.com/results.php?f=4&a=plk_coinisre_17_31&cd=2XzuyEtN2Y1L1QzuzytD0BtCtC0CyCyEyCyE0CtAzz0F0E0CtN0D0Tzu0StBtDyEtBtN1L2XzutAtFtByBtFyEtFyDtDtN1L1Czu1BtAtN1L1G1B1V1N2Y1L1Qzu2SyE0A0CyEyByCzztDtGtCtAtAtDtG0FtD0BtBtGtA0Fzz0EtGyB0DyDtBtAzz0F0FtA0Ezy0F2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyE0EzztB0CtB0CyBtGtC0AzzzztGyEyEtB0EtGzztByCyEtGtByDyD0CyCyD0FyDyBtA0E0A2QtN0A0LzutB&cr=1344754233&ir=&q={searchTerms}
    SearchScopes: HKLM-x32 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    BHO: No Name -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> No File
    Handler: wlmailhtml - {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - No File
    FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
    FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
    S3 catchme; \??\C:\ComboFix\catchme.sys [X]
    S3 esgiguard; \??\C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys [X]
    S3 EsgScanner; system32\DRIVERS\EsgScanner.sys [X]
    2017-10-20 17:17 - 2017-10-20 17:17 - 001232264 _____ (AMD) C:\Windows\system32\SETF0BB.tmp
    2017-10-20 17:19 - 2017-07-20 17:40 - 000195888 _____ (Advanced Micro Devices, Inc. ) C:\Windows\system32\SETD84B.tmp
    2017-10-20 17:18 - 2017-07-20 17:39 - 015897712 _____ (Advanced Micro Devices, Inc. ) C:\Windows\system32\SETB084.tmp
    2017-10-20 17:18 - 2017-07-20 17:39 - 001930896 _____ (Advanced Micro Devices, Inc. ) C:\Windows\system32\SETDACF.tmp
    2017-10-20 17:18 - 2017-07-20 17:39 - 000223112 _____ (Advanced Micro Devices, Inc. ) C:\Windows\system32\SETD8E9.tmp
    2017-10-20 17:18 - 2017-07-20 17:39 - 000144776 _____ (Advanced Micro Devices, Inc. ) C:\Windows\system32\SETEAB2.tmp
    2017-10-20 17:18 - 2017-07-20 17:39 - 000020360 _____ (Microsoft Corporation) C:\Windows\system32\SET918F.tmp
    2017-10-20 17:16 - 2017-07-20 17:37 - 035220360 _____ (Advanced Micro Devices, Inc.) C:\Windows\system32\SET8279.tmp
    2010-12-25 12:47 - 2010-12-25 12:47 - 000000000 _____ () C:\Users\Backup\AppData\Local\AtStart.txt
    2017-06-05 19:44 - 2017-06-05 19:44 - 000000000 _____ () C:\Users\Backup\AppData\Local\BITFE4A.tmp
    2010-12-25 12:47 - 2010-12-25 12:47 - 000000000 _____ () C:\Users\Backup\AppData\Local\DSwitch.txt
    2010-12-25 12:47 - 2010-12-25 12:47 - 000000000 _____ () C:\Users\Backup\AppData\Local\QSwitch.txt
    2017-06-05 19:40 - 2017-06-05 19:42 - 000000000 _____ () C:\Users\Backup\AppData\Local\{3E92EA9D-740E-43FF-AA30-D66E87C05206}
    2017-11-15 18:34 - 2017-11-15 18:34 - 004043712 _____ (Geek Unіnstaller) C:\Users\Backup\AppData\Local\Temp\geek64.exe
    C:\Windows\SysWOW64\dlumd10.dll
    C:\Windows\SysWOW64\dlumd11.dll
    C:\Windows\SysWOW64\dlumd9.dll
    C:\Windows\System32\dlumd10.dll
    C:\Windows\System32\dlumd11.dll
    C:\Windows\System32\dlumd9.dll
    Task: {5D8AF9A8-16F5-4AFF-8D4B-5401BAC4D7BD} - System32\Tasks\{1AB524E9-38E2-4D1D-AE80-B6A44F0CB701} => C:\Windows\system32\pcalua.exe -a D:\setup.EXE -d D:\ -c /AUTORUN
    Task: {99571026-02A5-4C79-BAA1-A68C8354D8C0} - System32\Tasks\AMD ThankingURL => "" [Argument = -LAUNCHTHQURL]

    Close Notepad. NOTE: It's important that both files, FRST64 and fixlist.txt, are in the same location or the fix will not work. NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system. Run FRST64 and press the Fix button just once and wait. If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after restart. The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply. Note: If the tool warns you about an outdated version, please download and run the updated version.
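The fixlists in posts 8 and 12 above are hand-picked by a malware-removal specialist from a much longer FRST log; the patterns they pull out recur in most adware cleanups: registry entries whose target file no longer exists ("No File" / "[X]"), an IE Start Page or SearchScopes URL pointing at an unknown search site, a ProxyServer value aimed at localhost, a kernel driver loaded from a user's Temp folder (the line FRST itself marks with "<==== ATTENTION"), and a scheduled task that launches a payload through pcalua.exe. The following is an added example, not part of Kevin's posts and not Emsisoft's or FRST's own code: a small triage script that reads FRST-format lines and tags those patterns, so a reader can see what the fixlist entries are selecting for. The sample lines are constructed for this example, modelled on the entries in the posts (the SIDs and GUIDs are placeholders), and the allow-list of search hosts is an assumption of the script, not something FRST provides.

```python
"""Triage helper for FRST-style log lines (added example, not FRST/Emsisoft code).

Reads lines in the format FRST writes (and fixlists reuse) and tags the ones a
malware-removal helper would pull into a fixlist.  The sample data at the bottom
is constructed for this example, modelled on the posts above.
"""
import re

# Assumed allow-list of search/home-page hosts (this script's assumption, not an
# FRST feature); any other host in a Start Page / SearchScopes entry is flagged.
KNOWN_SEARCH_HOSTS = {"www.google.com", "www.bing.com", "duckduckgo.com"}

# Locations a driver or service image should never be loaded from.
USER_WRITABLE = re.compile(r"\\(AppData\\Local\\Temp|Users\\[^\\]+\\Downloads)\\", re.I)

# FRST defangs URLs as hxxp://; accept both the defanged and the live form.
URL_RE = re.compile(r"h(?:xx|tt)ps?://([^/\s?]+)", re.I)


def classify(line: str) -> list[str]:
    """Return the finding tags for one FRST line (empty list if nothing is flagged)."""
    tags: list[str] = []
    s = line.strip()
    if not s:
        return tags
    # Dangling reference: registry entry or service whose target file is gone.
    if re.search(r"\bNo File\b|\[X\]$", s):
        tags.append("orphaned-entry")
    # Browser home/search hijack: URL host outside the allow-list.
    if s.startswith(("HKLM", "HKU", "SearchScopes:")) and ("Start Page" in s or "SearchScopes" in s):
        m = URL_RE.search(s)
        if m and m.group(1).lower() not in KNOWN_SEARCH_HOSTS:
            tags.append("search-hijack:" + m.group(1).lower())
    # Per-user proxy pointed at a local listener (traffic interception/injection).
    m = re.match(r"ProxyServer: \[[^\]]+\] => (\S+)", s)
    if m and m.group(1).split(":")[0] in ("localhost", "127.0.0.1"):
        tags.append("local-proxy:" + m.group(1))
    # Driver/service line (R0-R3 / S0-S4 prefix) whose image sits in a user-writable path.
    if re.match(r"[RS][0-4] \S+; ", s) and USER_WRITABLE.search(s):
        tags.append("driver-from-user-path")
    # FRST's own marker for entries it considers suspicious.
    if "<==== ATTENTION" in s:
        tags.append("frst-attention")
    # Scheduled task that proxies execution through pcalua.exe, or has an empty target.
    if s.startswith("Task:"):
        if re.search(r"\\pcalua\.exe -a ", s, re.I):
            tags.append("task-pcalua-proxy")
        if '=> ""' in s:
            tags.append("task-empty-target")
    return tags


def triage(lines):
    """Return [(line, tags)] for every flagged line, in log order."""
    out = []
    for ln in lines:
        t = classify(ln)
        if t:
            out.append((ln.strip(), t))
    return out


# Constructed sample, modelled on the fixlist entries in the posts above.
SAMPLE = r"""
ProxyServer: [S-1-5-21-1111111111-2222222222-3333333333-1004] => localhost:8080
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.palikan.com/?f=1&a=example
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page =
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.palikan.com/results.php?q={searchTerms}
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}
BHO: No Name -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> No File
Toolbar: HKLM - Example Toolbar - {A924C17A-5E94-4E02-BED5-49720BA6F7FA} - No File
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
R3 ALSysIO; C:\Users\John\AppData\Local\Temp\ALSysIO64.sys [17416 2017-11-21] (Arthur Liberman) <==== ATTENTION
R3 amdkmdag; C:\Windows\system32\DRIVERS\atikmdag.sys [25000000 2017-07-20] (Advanced Micro Devices, Inc.)
Task: {5D8AF9A8-16F5-4AFF-8D4B-5401BAC4D7BD} - System32\Tasks\{1AB524E9-38E2-4D1D-AE80-B6A44F0CB701} => C:\Windows\system32\pcalua.exe -a D:\setup.EXE -d D:\ -c /AUTORUN
Task: {99571026-02A5-4C79-BAA1-A68C8354D8C0} - System32\Tasks\AMD ThankingURL => "" [Argument = -LAUNCHTHQURL]
""".strip().splitlines()

if __name__ == "__main__":
    for line, tags in triage(SAMPLE):
        print(", ".join(tags), "|", line[:90])
```

Of the twelve constructed lines, nine are flagged; the empty Wow6432Node Start Page, the Bing search scope and the AMD driver in system32\DRIVERS pass through untouched, which is the same judgement the fixlists above make (only the hijacked or orphaned entries are listed, and the vendor driver is left alone). The allow-list and the "user-writable path" regex are deliberately small; a real triage would extend both, and nothing here replaces reviewing the full FRST log.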
  13. CLOSED Rootkit.SmartService (A) [290143]

    Thread Closed Reason: Resolved The procedures contained in this thread are for this user and this user only. Attempting to use the instructions in this thread on your system could result in damaging the Operating System beyond repair. Do Not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist. All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE if you don't we are just going to send you back to this thread.
  14. CLOSED Pc infected with trk.cp20.com virus

    Thread Closed Reason: Resolved The procedures contained in this thread are for this user and this user only. Attempting to use the instructions in this thread on your system could result in damaging the Operating System beyond repair. Do Not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist. All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE if you don't we are just going to send you back to this thread.
  15. Thread Closed Reason: Lack of Response PM either Kevin, Elise, or Arthur to have this thread reopened. All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE if you don't we are just going to send you back to this thread.