arronk

Manual Removal for Trojan.win32.domaiq ?

12 posts in this topic

Earlier today I ran an Emsisoft scan and located a virus named Trojan.win32.domaiq.amn (A). I quarantined it. I have since located an internet article that states you must manually remove the following files in order to completely rid your computer of the virus or it will start again or move to another location.

C:\windows\system32\services.exe

C:\windows\winsxs\amd64_microsoft....a07b1\services.exe

C:\Windows\Installer\{bbee...db3cc}

My attempt to locate these Files and delete them resulted in a dialog window response that I did not have permission from TrustedInstaller to complete this function.

There also were registry entries that were to be deleted but I did not attempt anything in the registry when I encountered the problem with deleting the files.

I am including the EEK and OTL log files as outlined in the initial posting instructions HOWEVER, I think you will find I have removed the original trojan virus with the quarantine action and simply need instructions on if I need to complete the other file deletions and registry cleanup.

 

Emsisoft Emergency Kit - Version 3.0
Last update: 2/26/2013 1:23:07 PM

Scan settings:

Scan type: Smart Scan
Objects: Rootkits, Memory, Traces, C:\Windows\, C:\Program Files\, C:\Program Files (x86)\

Detect Riskware: Off
Scan archives: Off
ADS Scan: On
File extension filter: Off
Advanced caching: On
Direct disk access: Off

Scan start:    2/26/2013 1:29:11 PM


Scanned    467021
Found    0

Scan end:    2/26/2013 2:11:07 PM
Scan time:    0:41:56
 

OTL logfile created on: 2/26/2013 2:32:15 PM - Run 1
OTL by OldTimer - Version 3.2.69.0     Folder = C:\Users\RonK\Desktop
64bit- Professional Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
3.90 Gb Total Physical Memory | 1.12 Gb Available Physical Memory | 28.85% Memory free
7.80 Gb Paging File | 4.06 Gb Available in Paging File | 52.08% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 232.11 Gb Total Space | 135.72 Gb Free Space | 58.47% Space Free | Partition Type: NTFS
Drive E: | 149.05 Gb Total Space | 138.38 Gb Free Space | 92.84% Space Free | Partition Type: NTFS
 
Computer Name: E5420-LAPTOP | User Name: Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
 
========== Processes (SafeList) ==========
 
PRC -  File not found
PRC - C:\Users\RonK\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files (x86)\Microsoft\BingDesktop\BingDesktopUpdater.exe (Microsoft Corp.)
PRC - C:\Users\RonK\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
PRC - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe (Adobe Systems Incorporated)
PRC - C:\APPLCODE\TimeLeft3\TimeLeft.exe (NesterSoft Inc.)
PRC - C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsService.exe (NovaStor Corporation)
PRC - C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsCtrl.exe (NovaStor Corporation)
PRC - C:\Users\RonK\AppData\Local\Akamai\netsession_win.exe (Akamai Technologies, Inc.)
PRC - C:\Program Files (x86)\LeapFrog\LeapFrog Connect\Monitor.exe (LeapFrog Enterprises, Inc.)
PRC - C:\Program Files (x86)\LeapFrog\LeapFrog Connect\CommandService.exe (LeapFrog Enterprises, Inc.)
PRC - C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe (Intuit Inc.)
PRC - C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe (Intel Corporation)
PRC - C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe (Intel Corporation)
PRC - C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe (Intel Corporation)
PRC - c:\Windows\SysWOW64\SDIOAssist.exe (O2Micro.)
PRC - C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe (Creative Technology Ltd)
PRC - C:\Program Files (x86)\CyberLink\PowerDVD9\PDVD9Serv.exe (CyberLink Corp.)
PRC - c:\Windows\SysWOW64\srvany.exe ()
 
 
========== Modules (No Company Name) ==========
 
MOD - C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsAppRes409.dll ()
MOD - C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsEngineRes409.dll ()
MOD - C:\APPLCODE\TimeLeft3\trayclock.dll ()
 
 
========== Services (SafeList) ==========
 
SRV:64bit: - (NisSrv) -- C:\Program Files\Microsoft Security Client\NisSrv.exe (Microsoft Corporation)
SRV:64bit: - (MsMpSvc) -- C:\Program Files\Microsoft Security Client\MsMpEng.exe (Microsoft Corporation)
SRV:64bit: - (!SASCORE) -- C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE (SUPERAntiSpyware.com)
SRV:64bit: - (DFEPService) -- C:\Program Files\Dell\Feature Enhancement Pack\DFEPService.exe (Dell Inc.)
SRV:64bit: - (wltrysvc) -- C:\Program Files\Dell\DW WLAN Card\WLTRYSVC.EXE (Dell Inc.)
SRV:64bit: - (STacSV) -- C:\Program Files\IDT\WDM\stacsv64.exe (IDT, Inc.)
SRV:64bit: - (SecureStorageService) -- C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Secure Storage Manager\SecureStorageService.exe (Wave Systems Corp.)
SRV:64bit: - (TdmService) -- C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmService.exe (Wave Systems Corp.)
SRV:64bit: - (wlcrasvc) -- C:\Program Files\Windows Live\Mesh\wlcrasvc.exe (Microsoft Corporation)
SRV:64bit: - (BrcmMgmtAgent) -- C:\Program Files\Broadcom\MgmtAgent\BrcmMgmtAgent.exe (Broadcom Corporation)
SRV:64bit: - (ATService) -- C:\Program Files\Fingerprint Sensor\ATService.exe (AuthenTec, Inc.)
SRV:64bit: - (O2FLASH) -- C:\Windows\SysNative\drivers\o2flash.exe (O2Micro International)
SRV:64bit: - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SRV:64bit: - (AppMgmt) -- C:\Windows\SysNative\appmgmts.dll (Microsoft Corporation)
SRV:64bit: - (AESTFilters) -- C:\Program Files\IDT\WDM\AESTSr64.exe (Andrea Electronics Corporation)
SRV - (AdobeFlashPlayerUpdateSvc) -- C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe (Adobe Systems Incorporated)
SRV - (MozillaMaintenance) -- C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe (Mozilla Foundation)
SRV - (BingDesktopUpdate) -- C:\Program Files (x86)\Microsoft\BingDesktop\BingDesktopUpdater.exe (Microsoft Corp.)
SRV - (AdobeARMservice) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe (Adobe Systems Incorporated)
SRV - (Backup Client Agent Service) -- C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\ManagementServer.Agent.Service.exe (NovaStor Corporation)
SRV - (nsService) -- C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsService.exe (NovaStor Corporation)
SRV - (Disaster Recovery Imaging) -- C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\DR\x64\drdiag.exe (NovaStor Corporation)
SRV - (LeapFrog Connect Device Service) -- C:\Program Files (x86)\LeapFrog\LeapFrog Connect\CommandService.exe (LeapFrog Enterprises, Inc.)
SRV - (IntuitUpdateServiceV4) -- C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe (Intuit Inc.)
SRV - (AcrSch2Svc) -- C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe (Acronis)
SRV - (UNS) -- C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe (Intel Corporation)
SRV - (LMS) -- C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe (Intel Corporation)
SRV - (jhi_service) -- C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe (Intel Corporation)
SRV - (RoxWatch12) -- C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe (Sonic Solutions)
SRV - (RoxMediaDB12OEM) -- C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe (Sonic Solutions)
SRV - (WAS) -- C:\Windows\SysWOW64\inetsrv\iisw3adm.dll (Microsoft Corporation)
SRV - (W3SVC) -- C:\Windows\SysWOW64\inetsrv\iisw3adm.dll (Microsoft Corporation)
SRV - (AppHostSvc) -- C:\Windows\SysWOW64\inetsrv\apphostsvc.dll (Microsoft Corporation)
SRV - (HPSLPSVC) -- C:\Program Files (x86)\HP\Digital Imaging\bin\HPSLPSVC64.DLL (Hewlett-Packard Co.)
SRV - (tcsd_win32.exe) -- C:\Program Files (x86)\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe ()
SRV - (clr_optimization_v4.0.30319_32) -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (Microsoft Corporation)
SRV - (clr_optimization_v2.0.50727_32) -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)
SRV - (O2SDIOAssist) -- c:\Windows\SysWOW64\srvany.exe ()
 
 
========== Driver Services (SafeList) ==========
 
DRV:64bit: - (NisDrv) -- C:\Windows\SysNative\drivers\NisDrvWFP.sys (Microsoft Corporation)
DRV:64bit: - (Point64) -- C:\Windows\SysNative\drivers\point64.sys (Microsoft Corporation)
DRV:64bit: - (timounter) -- C:\Windows\SysNative\drivers\timntr.sys (Acronis)
DRV:64bit: - (vididr) -- C:\Windows\SysNative\drivers\vididr.sys (Acronis)
DRV:64bit: - (vidsflt53) -- C:\Windows\SysNative\drivers\vsflt53.sys (Acronis)
DRV:64bit: - (snapman) -- C:\Windows\SysNative\drivers\snapman.sys (Acronis)
DRV:64bit: - (dc3d) -- C:\Windows\SysNative\drivers\dc3d.sys (Microsoft Corporation)
DRV:64bit: - (RdpVideoMiniport) -- C:\Windows\SysNative\drivers\rdpvideominiport.sys (Microsoft Corporation)
DRV:64bit: - (TsUsbFlt) -- C:\Windows\SysNative\drivers\TsUsbFlt.sys (Microsoft Corporation)
DRV:64bit: - (b57nd60a) -- C:\Windows\SysNative\drivers\b57nd60a.sys (Broadcom Corporation)
DRV:64bit: - (PxHlpa64) -- C:\Windows\SysNative\drivers\PxHlpa64.sys (Corel Corporation)
DRV:64bit: - (Fs_Rec) -- C:\Windows\SysNative\drivers\fs_rec.sys (Microsoft Corporation)
DRV:64bit: - (SASDIFSV) -- C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV:64bit: - (SASKUTIL) -- C:\Program Files\SUPERAntiSpyware\saskutil64.sys (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV:64bit: - (ApfiltrService) -- C:\Windows\SysNative\drivers\Apfiltr.sys (Alps Electric Co., Ltd.)
DRV:64bit: - (igfx) -- C:\Windows\SysNative\drivers\igdkmd64.sys (Intel Corporation)
DRV:64bit: - (O2SDJRDR) -- C:\Windows\SysNative\drivers\o2sdjw7x64.sys (O2Micro )
DRV:64bit: - (amdsata) -- C:\Windows\SysNative\drivers\amdsata.sys (Advanced Micro Devices)
DRV:64bit: - (amdxata) -- C:\Windows\SysNative\drivers\amdxata.sys (Advanced Micro Devices)
DRV:64bit: - (BCM42RLY) -- C:\Windows\SysNative\drivers\bcm42rly.sys (Broadcom Corporation)
DRV:64bit: - (BCM43XX) -- C:\Windows\SysNative\drivers\BCMWL664.SYS (Broadcom Corporation)
DRV:64bit: - (O2MDRRDR) -- C:\Windows\SysNative\drivers\O2MDRw7x64.sys (O2Micro )
DRV:64bit: - (O2MDFRDR) -- C:\Windows\SysNative\drivers\o2mdfw7x64.sys (O2Micro )
DRV:64bit: - (Acceler) -- C:\Windows\SysNative\drivers\Accelern.sys (ST Microelectronics)
DRV:64bit: - (STHDA) -- C:\Windows\SysNative\drivers\stwrt64.sys (IDT, Inc.)
DRV:64bit: - (HpSAMD) -- C:\Windows\SysNative\drivers\HpSAMD.sys (Hewlett-Packard Company)
DRV:64bit: - (iaStor) -- C:\Windows\SysNative\drivers\iaStor.sys (Intel Corporation)
DRV:64bit: - (MEIx64) -- C:\Windows\SysNative\drivers\HECIx64.sys (Intel Corporation)
DRV:64bit: - (IntcDAud) -- C:\Windows\SysNative\drivers\IntcDAud.sys (Intel® Corporation)
DRV:64bit: - (Blfp) -- C:\Windows\SysNative\drivers\basp.sys (Broadcom Corporation)
DRV:64bit: - (stdcfltn) -- C:\Windows\SysNative\drivers\stdcfltn.sys (ST Microelectronics)
DRV:64bit: - (btusbflt) -- C:\Windows\SysNative\drivers\btusbflt.sys (Broadcom Corporation.)
DRV:64bit: - (PTHDRVSP) -- C:\Windows\SysNative\drivers\PTHDRVSP.sys (DEVGURU Co., LTD.(www.devguru.co.kr))
DRV:64bit: - (PTHDRMDM) -- C:\Windows\SysNative\drivers\PTHDRMDM.sys (DEVGURU Co., LTD.(www.devguru.co.kr))
DRV:64bit: - (PTHDRBUS) -- C:\Windows\SysNative\drivers\PTHDRBUS.sys (DEVGURU Co., LTD.)
DRV:64bit: - (CtClsFlt) -- C:\Windows\SysNative\drivers\CtClsFlt.sys (Creative Technology Ltd.)
DRV:64bit: - (amdsbs) -- C:\Windows\SysNative\drivers\amdsbs.sys (AMD Technologies Inc.)
DRV:64bit: - (LSI_SAS2) -- C:\Windows\SysNative\drivers\lsi_sas2.sys (LSI Corporation)
DRV:64bit: - (stexstor) -- C:\Windows\SysNative\drivers\stexstor.sys (Promise Technology)
DRV:64bit: - (WSDPrintDevice) -- C:\Windows\SysNative\drivers\WSDPrint.sys (Microsoft Corporation)
DRV:64bit: - (StillCam) -- C:\Windows\SysNative\drivers\serscan.sys (Microsoft Corporation)
DRV:64bit: - (ebdrv) -- C:\Windows\SysNative\drivers\evbda.sys (Broadcom Corporation)
DRV:64bit: - (b06bdrv) -- C:\Windows\SysNative\drivers\bxvbda.sys (Broadcom Corporation)
DRV:64bit: - (hcw85cir) -- C:\Windows\SysNative\drivers\hcw85cir.sys (Hauppauge Computer Works, Inc.)
DRV:64bit: - (PBADRV) -- C:\Windows\SysNative\drivers\PBADRV.SYS (Dell Inc)
DRV - (MREMP50) -- C:\Program Files (x86)\Common Files\Motive\MREMP50.sys (Printing Communications Assoc., Inc. (PCAUSA))
DRV - (MRESP50) -- C:\Program Files (x86)\Common Files\Motive\MRESP50.sys (Printing Communications Assoc., Inc. (PCAUSA))
DRV - (WIMMount) -- C:\Windows\SysWOW64\drivers\wimmount.sys (Microsoft Corporation)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {49606DC7-976D-4030-A74E-9FB5C842FA68}
IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.microsoft.com     Signature Type: %%800     Update Type: %%803

    User:
 NT AUTHORITY\SYSTEM     Current Engine Version:      Previous Engine Version: 1.1.9203.0     Error
 code: 0x8024001e     Error description: An unexpected problem occurred while checking
 for updates. For information on installing or troubleshooting updates, see Help
 and Support.
 
Error - 2/24/2013 5:09:21 PM | Computer Name = E5420-Laptop | Source = Service Control Manager | ID = 7001
Description = The NTRU TSS v1.2.1.34 TCS service depends on the TPM Base Services
 service which failed to start because of the following error:   %%0
 
Error - 2/24/2013 11:24:43 PM | Computer Name = E5420-Laptop | Source = Service Control Manager | ID = 7001
Description = The NTRU TSS v1.2.1.34 TCS service depends on the TPM Base Services
 service which failed to start because of the following error:   %%0
 
Error - 2/25/2013 8:32:03 AM | Computer Name = E5420-Laptop | Source = Service Control Manager | ID = 7001
Description = The NTRU TSS v1.2.1.34 TCS service depends on the TPM Base Services
 service which failed to start because of the following error:   %%0
 
Error - 2/25/2013 3:04:24 PM | Computer Name = E5420-Laptop | Source = Service Control Manager | ID = 7001
Description = The NTRU TSS v1.2.1.34 TCS service depends on the TPM Base Services
 service which failed to start because of the following error:   %%0
 
Error - 2/26/2013 6:53:13 AM | Computer Name = E5420-Laptop | Source = Service Control Manager | ID = 7001
Description = The NTRU TSS v1.2.1.34 TCS service depends on the TPM Base Services
 service which failed to start because of the following error:   %%0
 
 
< End of report >

 

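Before acting on an article that says to delete services.exe (a Windows-protected system file, which is why TrustedInstaller refused), a defender verifies the file rather than removing it. The PowerShell check below is an added example, not code from the thread or from Emsisoft/OTL; it assumes Windows 7 x64 (the system in the OTL log) and an elevated PowerShell 2.0+ prompt, and the function names Get-Sha256Hex and Test-ProtectedFile are my own.

```powershell
# Added example, not from the thread or from any tool it names. Rather than deleting
# C:\Windows\System32\services.exe, check whether the live copy is genuine and whether
# the component store (WinSxS) still holds a matching copy to repair from.
# Assumes Windows 7 x64 and an elevated PowerShell 2.0+ prompt. Everything is read-only.

function Get-Sha256Hex {
    param([string]$Path)
    # Get-FileHash only exists from PowerShell 4.0, so hash with .NET directly.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try     { $bytes = $sha.ComputeHash($stream) }
    finally { $stream.Close() }
    ([System.BitConverter]::ToString($bytes)).Replace('-', '')
}

function Test-ProtectedFile {
    param([string]$Path)
    # sfc /verifyfile compares the file with the catalog-signed version Windows Resource
    # Protection keeps in WinSxS; a repair is restored from that store copy, which is why
    # deleting the WinSxS copy named in the post would be worse than useless.
    # sfc writes UTF-16, so strip the NUL bytes that show up in captured output.
    $raw  = & "$env:windir\System32\sfc.exe" "/verifyfile=$Path" 2>&1
    $text = ($raw | Out-String) -replace "`0", ''
    if ($text -match 'must be an administrator') {
        throw 'sfc needs an elevated console session; re-run PowerShell as Administrator.'
    }
    $intact = [bool]($text -match 'did not find any integrity violations')

    # Embedded Authenticode check. Many Windows binaries are catalog-signed only, so a
    # NotSigned status here is not by itself evidence of tampering; sfc is authoritative.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $signer = '(none embedded)'
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }

    New-Object PSObject -Property @{
        Path      = $Path
        SfcIntact = $intact
        SigStatus = $sig.Status
        Signer    = $signer
        Sha256    = Get-Sha256Hex $Path
        SizeBytes = (Get-Item $Path).Length
    }
}

$live   = Join-Path $env:windir 'System32\services.exe'
$report = Test-ProtectedFile $live

# The post's WinSxS path is truncated ("amd64_microsoft....a07b1"), so locate the store
# copies by search instead of guessing the folder name. Each copy is a different update
# level, so most will not hash-match the live file; one identical copy is the normal case.
$storeCopies = @(Get-ChildItem (Join-Path $env:windir 'winsxs') -Recurse -Filter 'services.exe' -ErrorAction SilentlyContinue |
                 Where-Object { $_.FullName -like '*\amd64_microsoft*' })
$identical   = @($storeCopies | Where-Object { (Get-Sha256Hex $_.FullName) -eq $report.Sha256 })

$report | Format-List Path, SfcIntact, SigStatus, Signer, SizeBytes, Sha256
'WinSxS copies found: {0}; identical to the live file: {1}' -f $storeCopies.Count, $identical.Count

if ($report.SfcIntact) {
    'services.exe passes Windows Resource Protection; deleting it would only break the system.'
} else {
    "Integrity violation reported: review $env:windir\Logs\CBS\CBS.log and run 'sfc /scannow' to restore the file from the store."
}
```

If sfc reports an integrity violation, the repair path is `sfc /scannow`, which restores the protected file from the WinSxS store, so the store copy must be kept for that to work.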

All logs are to be attached to posts. At no time are any logs to be copied & pasted into a post, unless otherwise instructed to do so.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of Java components and upgrade the application. NOT supported for use in 9x or ME

Upgrading Java:

  • Download the latest version of JRE 7 Update 15.
  • Click the "Download JRE" button to the right.
  • Accept the license agreement.
  • Click on the download link for your system and save it to your desktop. Users of Windows Vista/7 64-bit can install both the 32-bit and 64-bit JRE without conflicts.

    Windows x86 Offline (jre-7u15-windows-i586.exe)

    Windows x64 (jre-7u15-windows-x64.exe)

  • Close any programs you may have running - especially your web browser.
  • Then from your desktop double-click on the download to install the newest version. (Vista/7 users, right click on the JRE download and select "Run as an Administrator.")

The installed version of Adobe Reader on this computer is out-dated. Install the latest version of Adobe Reader available from Adobe.

The installed version of Adobe Flash Player ActiveX control on this computer is out-dated. Using Internet Explorer, install the latest version of Adobe Flash Player ActiveX available from Adobe.

The installed version of Adobe Flash Player Plugin on this computer is out-dated. Using Firefox, install the latest version of Adobe Flash Player Plugin available from Adobe.

Using Programs and Features in the Control Panel, uninstall the following:

  • Java 7 Update 10 (64-bit)
  • Java™ 6 Update 31
  • Java 7 Update 10
  • Java 2 Runtime Environment, SE v1.4.1_07

Run OTL.exe

  • Copy/paste the entire contents of OTLfix.txt (ATTACHED BELOW) into the Custom Scans/Fixes box located at the bottom of OTL.

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

  • Then click the Run Fix button at the top.
  • Let the program run unhindered; reboot when it is done.
  • Attach the new log produced by OTL (C:\_OTL). (USE THE "MORE REPLY OPTIONS" BUTTON TO BE ABLE TO DO THIS)

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running.

Completed the instructions with some exceptions I will note below. After each activity, I performed a best effort testing process and all appears to be well. My assumption is that while what you have asked me to do is truly needed, I do have an outstanding question as regards to the Trojan.win32.domaiq virus found by the Emsisoft scan I performed yesterday. I am attaching the log of the OTL run I performed for today.

 

The exceptions I reference are that the Adobe Flash Player ActiveX and Plugin appeared to be at the same level (the files for IE and Firefox were named differently, but were at the same level). Hopefully you will find all was done correctly.


I have not attempted to address the issue of a possibly infected services.exe, but am doing so at this time.

Download ComboFix from Link

Save as Combo-Fix.exe during the download. ComboFix must be renamed before you download to your Desktop

!!! IMPORTANT !!! Save ComboFix to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

    See HERE for help

  • Double click on Combo-Fix & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: (This applies to Windows XP systems only) If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a prompt asking whether to continue. Click on Yes, to continue scanning for malware.

When finished, ComboFix will produce a log.

Note:

1. Do not mouseclick combofix's window while it's running. That may cause it to stall!

2. Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet.

Attach logs for: (USE THE "MORE REPLY OPTIONS" BUTTON TO BE ABLE TO DO THIS)

  • ComboFix (C:\combofix.txt)
Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!

Completed the Combo-Fix run and all seems to be well. Please understand that I did not have any symptoms with this problem other than the detected virus by an Emsisoft scan. I will include the log from this Combo-Fix run as well as the original detection run as an fyi.


Download AdwCleaner and save it on your desktop.

  • Close all open programs and internet browsers (you may want to print out or write down these instructions first).
  • Double click on adwcleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with Ok.
  • You will be prompted to restart your computer. A text file will open in Notepad after the restart (this is the log of what was removed), which you can save on your desktop.
  • Attach that log file to a reply by clicking the More Reply Options button to the lower-right of where you type in your reply.
  • If you lose that log file for any reason, you can find it at C:\AdwCleaner[s1] on your computer.

Download Junkware Removal Tool and save it on your desktop.

  • Shut down your anti-virus, anti-spyware, and firewall software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or Windows 7, right-click it and select Run as administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log is saved to your desktop and will automatically open.
  • Attach the JRT log file to a reply by clicking the More Reply Options button to the lower-right of where you type in your reply.

Run OTL.exe

  • Copy/paste the entire contents of OTLfix.txt (ATTACHED BELOW) into the Custom Scans/Fixes box located at the bottom of OTL.

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

  • Then click the Run Fix button at the top.
  • Let the program run unhindered; reboot when it is done.
  • Attach the new log produced by OTL (C:\_OTL). (USE THE "MORE REPLY OPTIONS" BUTTON TO BE ABLE TO DO THIS)

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running.

I am in BIG Trouble.. I don't know which program did it but my desktop had about half of the icons removed. My Outlook and Access no longer run. When I attempt to start them using the start menu, it tells me that the copy has expired. Right now I don't have a running email program. Any suggestions?? I ran the ADWCleaner and the JRT program but had not yet run the OTL.


Read carefully and follow these steps.

  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application.
  • Click Change parameters.
  • Check the boxes next to Verify Driver Digital Signature and Detect TDLFS file system, then click OK.
  • Click on the Start Scan button to begin the scan and wait for it to finish.

    NOTE: Do not use the computer during the scan!

  • When it finishes, you will either see a report that no threats were found, or a list of detected items.

    If no threats are found at this point, just click the Report selection on the top right of the form to generate a log. A log file report will pop up which you can just close since the report file is already saved.

  • If any infection or suspected items are found:

    • If you have files that are shown to fail signature check do not take any action on these. Make sure you select Skip. I will tell you what to do with these later. They may not be issues at all.
    • If Suspicious objects are detected, the default action will be Skip. Leave the default set to Skip.
    • If Malicious objects are detected, they will show in the Scan results. TDSSKiller automatically selects an action (Cure or Delete) for malicious objects.
    • Make sure that Cure is selected. Important! - If Cure is not available, please choose Skip instead. Do not choose Delete unless instructed to do so.
  • Click Continue to apply selected actions.
  • A reboot may be required to complete disinfection. Reboot immediately if TDSSKiller states that one is needed.
  • Whether an infection is found or not, a log file should have already been created on your C: drive (or whatever drive you boot from) in the root folder named something like TDSSKiller.2.1.1_27.12.2009_14.17.04_log.txt which is based on the program version # and date and time run.
  • Attach this log to your next reply.

I am sorry but my computer is in big trouble and it appears to me that we are attempting to look for more viruses. Should we not be looking at restoring the registry or something? Something was deleted or changed that has drastically impaired my computer and I am real hesitant to move forward and seemingly make things worse. Please help me understand our course of action.


You can run system restore and restore the system to an earlier date. However, that will bring the infection back and we will have to start over.


Derogatory comments removed.

Edited by ShadowPuterDude

Your abusive, derogatory rant was removed.

Whenever you are dealing with Malware removal anything can happen during the removal process.

The tools we use here are no different than the tools you will be asked to run on any of the other Malware Removal forums; in fact they are the same tools.

Now we can continue to fix the problem or you can go somewhere else.

This topic is now closed to further replies.
