Kevin Zoll

Emsisoft Employee

Posts posted by Kevin Zoll


  1. Download OTC to your desktop and run it

    • A list of tool components used in the cleanup of malware will be downloaded.
    • If your Firewall or Real Time protection attempts to block OTC to reach the Internet, please allow the application to do so.
    • Click Yes to begin the cleanup process and remove these components, including this application.
    • You will be asked to reboot the machine to finish the cleanup process. If you are asked to reboot the machine choose Yes.

    Now download ComboFix again, and run it following my earlier directions.

    Post fresh logs for:

    • ComboFix (C:\combofix.txt)
    • ISeeYouXP

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!


  2. Download ComboFix from one of these locations:

    Link 1

    Link 2

    Link 3

    * IMPORTANT !!! Save ComboFix.exe to your Desktop

    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
      See HERE for help.
    • Double click on ComboFix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    [image: RcAuto1.gif]

    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    [image: whatnext.png]

    Click on Yes, to continue scanning for malware.

    When finished, ComboFix will produce a log.

    Note:

    1. Do not mouse-click ComboFix's window while it's running. That may cause it to stall!

    2. Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet.

    -----------------------------------------------------------

    Post fresh logs for:

    • ComboFix (C:\combofix.txt)
    • a-squared Free
    • ISeeYouXP

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!




  4. Download RootRepeal.zip and unzip it to your Desktop.

    • Double click RootRepeal.exe to start the program
    • Click on the Report tab at the bottom of the program window
    • Click the Scan button
    • In the Select Scan dialog, check:

      • Drivers
      • Files
      • Processes
      • SSDT
      • Stealth Objects
      • Hidden Services

    • Click the OK button
    • In the next dialog, select all drives showing
    • Click OK to start the scan

      Note: The scan can take some time. DO NOT run any other programs while the scan is running.

    • When the scan is complete, the Save Report button will become available
    • Click this and save the report to your Desktop as RootRepeal.txt
    • Go to File, then Exit to close the program

    Attach the report.


  5. Thread Closed

    Reason: Lack of Response

    PM either ShadowPuterDude or Lynx to have this thread reopened.

    The procedures contained in this thread are for this user and this user only. Attempting to use the instructions in this thread on your system could result in damaging the Operating System beyond repair. Do Not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist.

    All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE. If you don't, we are just going to send you back to that thread.


  6. Download ComboFix from one of these locations:

    Link 1

    Link 2

    Link 3

    * IMPORTANT !!! Save ComboFix.exe to your Desktop

    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
      See HERE for help.
    • Double click on ComboFix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    [image: RcAuto1.gif]

    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    [image: whatnext.png]

    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. (C:\ComboFix.txt)

    -----------------------------------------------------------

    Post fresh logs for:

    • ComboFix (C:\combofix.txt)
    • a-squared Free
    • ISeeYouXP

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!


  7. Repair permissions:

    Download to your Desktop

    -->> Repair Permissions.exe <<-- self-extracting archive (117,015 bytes) - MD5: f4666e8f2acf6e1a12c655d56030d9e4

    • Double-click Repair Permissions.exe to install Repair Permissions
    • Double-click on !RUNME.BAT

    You can safely ignore all errors.

    -----------------------------------------------------------

    Let me know if that changes anything with AVG and HiJackFree.


  8. There are 3 logs that are required: a-squared Free/Anti-Malware, ISeeYouXP, and HiJackFree. Win32kDiag is not required unless your a-squared log shows the infection family that would make running Win32kDiag necessary.

    The instructions are written as uncomplicated as possible and still communicate what needs to be done with sufficient enough clarity to accomplish all the required steps in the instructions.

    Once you have completed all the required steps and attached all the required logs, I will be able to formulate a removal procedure for your unique case.


  9. Do the following to remove trojan TDSSserv (trojan Backdoor.Tidserv).

    PART I: TDss RootKit removal

    Step 1: Disable TDSSserv trojan driver.

    • Right click the My computer icon. If you are using the non classic Start menu, then right click My computer icon on your Start button menu.
    • Click Properties.
    • Click Hardware Tab.
    • Click Device Manager.
    • In the top menu, click View and click Show Hidden Drivers.
    • Scroll down to non Plug and Play drivers.
    • Click + at left.
    • In the list of drivers right click UACd.sys. (If you do not find this, then skip to Step 2)
    • Click Disable.
    • Click YES to confirm.
    • Close all windows and reboot your computer.

    Step 2: Remove TDSSserv Registry Keys

    • Download RegASSASSIN from HERE. Save to your Desktop
    • Run RegASSASSIN
    • Click "I Agree"
    • Copy & Paste the following RegKey to be deleted:
      HKEY_LOCAL_MACHINE\SOFTWARE\UAC

      If you receive the error message "The registry key you have specified does not exist or is not visible to regassasin. This may be caused by a set permission that does not allow regassasin to see it, would you like to continue?" Click "Yes" to continue.

    • Close all windows and reboot your computer.

    PART II: TDss RootKit removal

    Step 3: Delete TDSSserv trojan driver.

    • Download Avenger from HERE and unzip to your desktop.
    • Run Avenger, copy & paste the following text in Input script Box:
      Drivers to delete:
      UACd.sys


      Then click "Execute".

    • You will be asked, "Are you sure you want to execute the current script?". Click Yes.
    • You will now be asked "First step completed - The Avenger has been successfully set up to run on next boot. Reboot now?". Click Yes.
    • Your PC will now reboot

    Step 4: Running ComboFix

    Download to your Desktop

    - ComboFix by sUBs from >> Geeks2Go <<

    Save as AvoidTDSS.exe during the download. ComboFix must be renamed before you download to your Desktop

    Close ALL windows

    Double click AvoidTDSS.exe follow the prompts

    When finished, the program will produce a log

    Note:

    1. Do not mouse-click ComboFix's window while it's running. That may cause it to stall!

    2. Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet.

    Step 5: Getting Logs

    Post the following logs:

    • ComboFix
    • ISeeYouXP


  10. Open notepad

    Copy and Paste the below lines of code to notepad:

    @echo off
    copy C:\Windows\System32\logevent.dll C:\logevent.dll

    Go to File > save as and name the file fixes.bat, change the Save as type to all files and save it to your Desktop.

    Double-click on fixes.bat to execute it.

    -----------------------------------------------------------

    Download Avenger from -->> HERE <<-- and unzip to your desktop.

    Run Avenger

    • Read the prompt that appears, and press OK
    • Copy & paste the following text in Input script Box:
      Files to delete:
      C:\Windows\System32\cngaudit.dll

      Files to move:
      C:\logevent.dll | C:\Windows\System32\cngaudit.dll

      Then click "Execute".

    • You will be presented with 2 confirmation prompts. Select yes on each. Your system will reboot.
      Note: It is possible that Avenger will reboot your system TWICE.
    • Upon reboot, a command prompt window will appear on your screen for a few seconds, and then Avenger's log will open. Please paste that log here in your next post.

    -----------------------------------------------------------

    Go to start > run and copy and paste the following command in the field:

    "%userprofile%\desktop\win32kdiag.exe" -f -r

    This should restore permissions on locked files and remove mountpoints.

    -----------------------------------------------------------

    Post fresh logs for:

    • Avenger (C:\avenger.txt)
    • a-squared Free
    • ISeeYouXP

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!


  11. Go to start > run and copy and paste the following command in the field:

    "%userprofile%\desktop\win32kdiag.exe" -f -r

    This should restore permissions on locked files and remove mountpoints.

    -----------------------------------------------------------

    Post fresh logs for:

    • a-squared Free
    • ISeeYouXP
    • HiJackFree

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!

