Kevin Zoll

Emsisoft Employee
  • Content Count

    18830
  • Joined

  • Last visited

  • Days Won

    178

Everything posted by Kevin Zoll

  1. I've actually had that avatar for some time. Just started using it here. Attach a fresh a-squared log, so I can have a look at it.
  2. Hello and welcome to the a-squared support forums. All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE, if you don't we are just going to send you back to this thread
  3. Repair permissions: Download to your Desktop -->> Repair Permissions.exe <<-- self-extracting archive (117,015 bytes) - MD5: f4666e8f2acf6e1a12c655d56030d9e4 Double-click Repair Permissions.exe to install Repair Permissions Double-click on !RUNME.BAT You can safely ignore all errors. ----------------------------------------------------------- Now try running SAS and MBAM
  4. bowlef, The infection will prevent most of the tools listed in the instructions from running. Download to your Desktop Win32kDiag.exe by AD. Run Win32kDiag It will save a report on the Desktop (Win32kDiag.txt). Attach that report on your next reply. JeanInMontana, will assist you once this log is provided.
  5. Hello and welcome to the a-squared support forums. You posted in the a-squared free/HiJackFree Software support forum. I have moved your thread to the correct forum. All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE, if you don't we are just going to send you back to this thread
  6. Go to start > run and copy and paste the following command in the field: "%userprofile%\desktop\win32kdiag.exe" -f -r This should restore permissions on locked files and remove mountpoints. ----------------------------------------------------------- Run SAS and MBAM. Attach both logs.
  7. The installed version of Java on this computer is out-dated. Install Java Runtime Environment (JRE) 6u16 available from Sun Microsystems. ----------------------------------------------------------- Using Add or Remove Programs in the Control Panel; uninstall the following: ----------------------------------------------------------- Run OTL.exe Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL :OTLI PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation) O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found. O4 - HKCU..\Run: [PopRock] C:\DOCUME~1\PRUTHV~1\LOCALS~1\Temp\a.exe File not found :Files C:\Documents and Settings\Pruthvesh\My Documents\*.tmp C:\WINDOWS\*.tmp C:\WINDOWS\System32\*.tmp C:\WINDOWS\System32\CF6269.exe C:\WINDOWS\System32\CF19906.exe C:\WINDOWS\System32\CF26072.exe C:\WINDOWS\System32\CF22827.exe C:\WINDOWS\tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job C:\WINDOWS\tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job :Commands [purity] [emptytemp] [start explorer] [Reboot] Then click the Run Fix button at the top Let the program run unhindered, reboot when it is done Then atach a new OTL log ( don't check the boxes beside LOP Check or Purity this time )
  8. No, you haven't done anything wrong. Malware may be interfering with ComboFix. Download to your Desktop - OTL to your desktop. Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted. When the window appears, underneath Output at the top change it to Minimal Output. Check the boxes beside LOP Check and Purity Check. Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long. When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. Note:These logs can be located in the OTL. folder on you C:\ drive if they fail to open automatically. Attach both logs with your next reply.
  9. OK, now boot into Normal Mode and attach the logs from my earlier instructions.
  10. The installed version of Java on this computer is out-dated. Install Java Runtime Environment (JRE) 6u16 available from Sun Microsystems. ----------------------------------------------------------- Using Add or Remove Programs in the Control Panel; uninstall the following: ----------------------------------------------------------- The PPTP Haxdoor entry in ISeeYouXP is a False Postive. ----------------------------------------------------------- Unless you are having problems from Malware it is time to do the final steps. If you used ComboFix, uninstall ComboFix: Click START then RUN and enter the below into the run box and then click OK. (Use only the command of the same name as your copy of combofix.) AvoidTDSS /u or combofix /u Note: The space before /u, must be there. This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults. Delete the C:\AvoidTDSS or C:\ComboFix folder from combofix. Delete everything in C:\!KillBox Delete the following from your Desktop (If they exist) Avenger.exe Avenger.txt Avenger.zip DisableAutoRuns.reg FixMe.reg FixReg.reg ISeeYouXP.exe ISeeYouXP.lnk ISeeYouXP.txt Anything else I had you use Delete the following: (If they exist) C:\Avenger.txt C:\Avenger C:\ComboFix.txt C:\ComboFix C:\SDFix C:\Qoobox You can delete and uninstall any programs I had you download, that you do not wish to keep on the system. Empty the Recycle Bin Run ATF Cleaner In the ISeeYouXP folder double-click HideIT.bat. Turn off System restore to flush all your restore points then turn system restore back on. To manually turn off System Restore, follow these steps: 1. Click Start, right-click My Computer, and then click Properties. 2. Click the System Restore tab. 3. Click to select the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK. 4 Click Yes when you receive the prompt to the turn off System Restore. To turn on System Restore, follow these steps: 1. Click Start, right-click My Computer, and then click Properties. 2. Click the System Restore tab. 3. Click to clear the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK. Delete C:\ISeeYouXP Run Windows Update and update your Windows Operating System. Run the Secunia Online Software Inspector, this will inspect your system for software that is out-of-date and in need of updating. Update anything program/application detected as being out-dated. That should take care of everything. Safe Surfing!
  11. Thread Closed Reason: Lack of Response PM either ShadowPuterDude or Lynx to have this thread reopened. The procedures contained in this thread are for this user and this user only. Attempting to use the instructions in this thread on your system could result in damaging the Operating System beyond repair. Do Not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist. All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE, if you don't we are just going to send you back to this thread
  12. I'm going to have you do something that normally isn't advised for the tool, I am about to have you download and use. Boot to Safe Mode with Networking Download to your Desktop - ComboFix by sUBs from >> Geeks2Go << Save as AvoidTDSS.exe during the download. ComboFix must be renamed before you download to your Desktop Close ALL windows Double click AvoidTDSS.exe follow the prompts When finished, the program will produce a log Note: 1. Do not mouseclick combofix's window while it's running. That may cause it to stall! 2. Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet Attach the ComboFix log
  13. Do the following: Click Start > Run Type shutdown -a Click OK ----------------------------------------------------------- Download to the Desktop: - SUPERAntiSpyware Free Edition - Malwarebytes' Anti-Malware ----------------------------------------------------------- Using SAS Double-click SUPERAntiSpyware.exe and use the default settings for installation. If you get a message like SuperAntiSpyware.exe is not a valid Win32 application then try renaming SuperAntiSpyware.exe to SAS.EXE and see if it will run. This error message often occurs due to malware trying to block the installation. [*]An icon will be created on your desktop. Double-click that icon to launch the program. [*]If you get an error message like The System Administrator has set policies to prevent this installation then see this possible fix which will help for some versions of Windows http://www.superantispyware.com/supportfaqdisplay.html?faq=50 [*]If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". ( If you encounter any problems while downloading the updates, manually download and unzip them from here.) [*]The first time you run it, it will ask you whether you want to Enable Automatic Update Checking. This is enabled by default. Since so many people come here complaining about slow start up, I suggest that you disable this now. If you later decide to keep SAS, you should enable automatic updating to make sure you are always up to date. [*]On the next form, you should allow diagnostic reports to be sent but this option is up to you. [*]On the next form fro Home Page protection, you should select Do Not Protect . We do this at this time because we do not want anything to get in the way of cleanup. Since are coming here for malware removal, your home page could be currently set to a malware link and we don't want to block fixing of it. [*]Now physically unplug your cable to the internet (even if you have dial-up, unplug modem) [*]In SUPERAntiSpyware under Configuration and Preferences, click the Preferences button. [*]Click the Scanning Control tab. [*]Under Scanner Options make sure that only the following are Unchecked ( make sure all others are checked ): Scan only know file types Scan for tracking cookies Display scan option in Explorer context (right click) menu [*]Click the "Close" button to leave the control center screen. [*]Back on the main screen, under Scan for Harmful Software click Scan your computer. [*]On the left, make sure you check C:\Fixed Drive and any other Fixed Drives in your PC. [*]On the right, under Complete Scan, choose Perform Complete Scan. [*]Click "Next" to start the scan. Please be patient while it scans your computer. NOTE: If you get a blue screen type crash when trying to run the scan then after reboot, configure the below options and rescan Run SuperAntiSpyware In SUPERAntiSpyware under Configuration and Preferences, click the Preferences button. Click the Scanning Control tab. Under Scanner Options uncheck the below two options Use Kernel Direct File Access (recommended) Use Kernel Direct Registry Access (recommended) [*]Then try doing a new Complete. If it still crashes, just skip SUPERAntispyware and continue with the other instructions. If the scan runs, continue on with the below steps. [*]After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK". [*]Make sure everything has a checkmark next to it and click "Next". [*]A notification will appear that Quarantine and Removal is Complete. Click OK and then click the Finish button to return to the main menu. [*]If asked if you want to reboot, click Yes. [*]Reboot into normal Windows boot mode [*]Now plug your cable to the internet back in. [*]At this point if you run into any problems where your internet connection appears to be broken, perform the below sub steps otherwise skip to the next main step about getting the log from SUPERAntiSpyware: Click on the Repairs Tab. Click on Repair broken Network Connection (WinSock LSP Chain) and then click on Perform Repair [*]To retrieve the removal information ( the log )after reboot, launch SUPERAntispyware again. Click Preferences, then click the Statistics/Logs tab. Under Scanner Logs, double-click SUPERAntiSpyware Scan Log. If there are several logs, click the current dated log and press View log. A text file will open in your default text editor. Although the logs are automatically save in a folder for SUPERAntiSpyware, you may want to save the log somewhere you can easily locate it. We suggest using an informative filename like SASlog.txt Please attach the Scan Log results to your next reply whether it finds anything or not. This way we no that the correct updated version of the program has been run. [*]Click Close to exit the program. ----------------------------------------------------------- Using MBAM Double-click mbam-setup.exe and follow the prompts to install the program. Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish. If an update is found, it will download and install the latest version. Once the program has loaded, select Perform quick scan, then click Scan. When the scan is complete, click OK, then Show Results to view the results. Be sure that everything is checked, and click Remove Selected. When completed, a log will open in Notepad. Save the log to a convenient location, you will be posting the log later. ----------------------------------------------------------- Post fresh logs for: Avenger (C:\avenger.txt) SUPERAntiSpyware (C:\combofix.txt) Malwarebytes' Anti-Malware (C:\combofix.txt) a-squared Free ISeeYouXP HiJackFree Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
  14. Thread Closed Reason: Lack of Response PM either ShadowPuterDude or Lynx to have this thread reopened. The procedures contained in this thread are for this user and this user only. Attempting to use the instructions in this thread on your system could result in damaging the Operating System beyond repair. Do Not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist. All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE, if you don't we are just going to send you back to this thread
  15. Thread Closed Reason: Lack of Response PM either ShadowPuterDude or Lynx to have this thread reopened. The procedures contained in this thread are for this user and this user only. Attempting to use the instructions in this thread on your system could result in damaging the Operating System beyond repair. Do Not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist. All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE, if you don't we are just going to send you back to this thread
  16. Just be patient, as sometimes ComboFix can take what seems like an extremely long time to run. Just depends on the type and number of infections encountered.
  17. When ComboFix first runs, there will be a blue box. It's doing some stuff in the background, and may take several minutes before ComboFix starts to scan the system.
  18. Move Win32kDiag to the Desktop. Instructions must be followed implicitly. If everybody saves things where they want, then all of the Command Line Instructions (CLI) as prewritten will fail to execute, because the executable was not saved where instructed. ----------------------------------------------------------- Open notepad Copy and Paste the below lines of code to notepad: @echo off copy C:\WINDOWS\ServicePackFiles\i386\helpsvc.exe c:\helpsvc.exe Go to File > save as and name the file fixes.bat, change the Save as type to all files and save it to your Desktop. Double-click on fixes.bat to execute it. ----------------------------------------------------------- Download Avenger from -->> HERE <<-- and unzip to your desktop. Run Avenger Read the prompt that appears, and press OK Copy & paste the following text in Input script Box: Files to move: C:\helpsvc.exe | C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe Then click "Execute". You will be presented with 2 confirmation prompts. Select yes on each. Your system will reboot. Note: It is possible that Avenger will reboot your system TWICE. Upon reboot, a command prompt window will appear on your screen for a few seconds, and then Avenger's log will open. Please paste that log here in your next post. ----------------------------------------------------------- Go to start > run and copy and paste the following command in the field: "%userprofile%\desktop\win32kdiag.exe" -f -r This should restore permissions on locked files and remove mountpoints. ----------------------------------------------------------- Post fresh logs for: Avenger (C:\avenger.txt) a-squared Free ISeeYouXP HiJackFree Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
  19. Thread Closed Reason: Resolved The procedures contained in this thread are for this user and this user only. Attempting to use the instructions in this thread on your system could result in damaging the Operating System beyond repair. Do Not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist. All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE, if you don't we are just going to send you back to this thread
  20. Download ComboFix from one of these locations: Link 1 Link 2 Link 3 * IMPORTANT !!! Save ComboFix.exe to your Desktop Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools See HERE for help Double click on ComboFix.exe & follow the prompts. As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware. Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console. **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures. Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message: Click on Yes, to continue scanning for malware. When finished, ComboFix will produce a log. Note: 1. Do not mouseclick combofix's window while it's running. That may cause it to stall! 2. Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet. ----------------------------------------------------------- Post fresh logs for: ComboFix (C:\combofix.txt) a-squared Free ISeeYouXP Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
  21. Download to your Desktop Win32kDiag.exe by AD. Run Win32kDiag It will save a report on the Desktop (Win32kDiag.txt). Attach that report on your next reply.
  22. The instructions do not have you downloading and using HijackThis. You are to use HiJackFree. You did not attach an ISeeYouXP log. Use only the tools listed in the instructions. Attach log files for: HiJackFree ISeeYouXP
  23. Hello and welcome to the a-squared support forums. All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE, if you don't we are just going to send you back to this thread