HoggyDog

Malicious attack disabled then uninstalled Emsisoft

I was viewing fallout.wikia.com/wiki/Fallout_New_Vegas (on my older XP-SP3 machine using Firefox-latest and Emsisoft Guard enabled) last night when suddenly a popup appeared telling me that I didn't have the "fastest video player" and I should click OK then click a link to install it. The underlying URL was some gobbledy-gook gibberish hash of alpha and numeric characters- certainly nothing that seemed the least bit legitimate and nothing whatsoever related to Adobe, Shockwave Flash, etc.

 

Rather than click on anything, I first tried to launch Emsisoft from its icon on the taskbar, but was amazed to see that no such icon existed! Somehow, whatever hijacked me away from the wiki had shut down Emsisoft!!!

 

I immediately clicked the X to shut down my browser, and got a Firefox warning: "You are about to close 34 tabs. Continue/Cancel?" This was even more surprising because I had only two tabs open at the time- one for the wiki I intended to be on and the other for the malicious site that wanted me to click on things to install who-knows-what. Now thoroughly spooked, I simply removed the power cord from my computer, which of course succeeded in shutting it down instantly without having to click on anything.

 

After a few minutes and a beer, I plugged it back in and booted up. After all the "abnormal shutdown" rigamarole to restore Windows XP to a stable state, I was surprised to see that whatever had shut Emsisoft down had done so permanently- no icon appeared at all on my taskbar. So whatever shut it down also removed it from the Autorun section.

 

I launched Emsisoft manually and was surprised to have it ask me to either enter a license or enter a free trial. I have been running Emsisoft licensed (paid) on that machine for months and months. So my attacker not only shut down Emsisoft, it uninstalled it! After finally getting Emsisoft re-installed and updated, I ran a deep scan and it found nothing.

 

So I have no virus report to show you, nor any file to submit as "suspicious."

 

However, I am EXTREMELY concerned that Emsisoft was vulnerable to an attacker not only shutting it down, but uninstalling it. Please advise if there is anything I can send you that might help you to figure out what happened.

 

Thanks.

 

PS: I read the sticky asking for me to create a personal malware submission thread, however the poster declined to provide a link or any clues how to do that, and there is absolutely no visible way on this forum to do that, even if I could figure out what a "personal malware submission thread" even is.

 

I would be more than happy to comply with your instructions if you would make them clear, descriptive and relatively easy to follow.


Hello,

 

welcome to our forum.

 

Because your post is not relevant to malware submission, I will forward this to the appropriate forum. Also, as mentioned by stapp, please follow this guide first. Thank you!

Well, based on the forum title "Help! My PC is infected!" this is not the appropriate place for my report either.

  • My PC is not infected with anything as far as I know
  • Submitting an EEK log seems pointless since EEK didn't find anything on a deep scan immediately after the attack- what use is a log that says "No threats found"??
  • I am not asking for, nor do I require, any help removing anything from my PC since there is nothing on my PC that needs to be removed as far as I know

Although I thank you for the link to instructions (why isn't this link stickied at the top of all the forums???) there still are no instructions on what, exactly, is the meaning of "personal malware submission thread" or how to create one.

 

I realize you guys are busy. However, I respectfully ask someone to ACTUALLY READ my original post, which describes not "malware" but an externally-initiated browser hijack and malware install attack, which I thwarted myself by not clicking on the OK button on the popup, or any of the other links it offered, and then deliberately crashing my own machine by abruptly disconnecting power.

 

Since I prevented the attacker from installing his software on my machine, there is no malware on my machine that I need any help removing! Why is this so hard to understand?

 

The entire point of my report is:

  • Emsisoft Guard failed to prevent the hijacking of Firefox to an unknown and unintended URL
  • The attack directly targeted my Emsisoft installation and disabled/removed it
  • Emsisoft failed to prevent the attacker from disabling and then uninstalling Emsisoft

Of what possible use is an EEK log in this case?

 

Why do I have to jump through 10,000 hoops in order to report this attack, which DIRECTLY TARGETED MY EMSISOFT INSTALLATION, to Emsisoft and have someone who can read and understand it respond to the specific problems I reported instead of boilerplate on how to get help removing malware?

 

Thanks for the responses, but neither one of them is relevant to what I reported.

 

Let me help you formulate an appropriate response:

 

"Dear paying customer: Thank you for purchasing and relying on Emsisoft for your personal computer security, and thank you for reporting this hijack and anti-Emsisoft attack.

  • We were not aware of this type of attack until your report, and...
  • We have seen this type of attack before, and...

...we are investigating how Emsisoft could be maliciously disabled and then uninstalled by an external attacker without the user having clicked on anything. We are sorry that Emsisoft's failure necessitated you crashing your machine to protect it from the attack once Emsisoft had failed to do so, but commend you for immediately noticing that Emsisoft had been disabled and then taking quick action to prevent further damage.

 

Please rest assured that future updates of Emsisoft will be strengthened to eliminate this unfortunate vulnerability in our award-winning security software product.

 

Sincerely, your Emsisoft Team."

 

Have a great day.

  • My PC is not infected with anything as far as I know

 

  • I am not asking for, nor do I require, any help removing anything from my PC since there is nothing on my PC that needs to be removed as far as I know

 

From what I can see based on your story, I think there is a suspicious thing on your machine but our product didn't detect anything. That's why I forward you to this forum. Our technical support team or the malware removal specialist team will analyze your issue, so they can make sure whether your PC is infected or not. That's why the initial guide post asks you to send us several files to analyze.

 

In case there is a potential bug that caused Emsisoft to terminate itself, the team will report their findings to the Developer Team, or if they found undetected malware they will forward the files to the Analysis team. But first, we have to make sure that your computer is perfectly clean from any malware infections.

 

 

  • Submitting an EEK log seems pointless since EEK didn't find anything on a deep scan immediately after the attack- what use is a log that says "No threats found"??

 

If EEK didn't find anything, then you don't need to send the EEK log file.

 

 

Although I thank you for the link to instructions (why isn't this link stickied at the top of all the forums???) there still are no instructions on what, exactly, is the meaning of "personal malware submission thread" or how to create one.

 

 

Basically, a personal malware submission thread is a forum where users can send us samples of the undetected malware.


OK, I will try to send you the files that you want. Unfortunately, I am blocked at the first step- the Farbar Recovery Scan Tool will not download to my machine. The link takes me to bleepingcomputer.com, showing the Farbar tool and 2 download options, 32-bit and 64-bit. I click the 32-bit button (because the attack occurred on my old XP machine, which is 32-bit) and I get a redirect warning from Firefox. I Allow it, then I immediately get another redirect warning from Firefox, so I Allow that, and finally I land on a page full of advertisements for 20-30 computer security products. Farbar is not among those products, and no download ever starts.

 

With all due respect, it would be much safer and more productive if YOU would host the files you want us to download. The thousands of websites offering 10,000 junk products, some of which are undoubtedly malicious and all of which say "Recommended" as though that was worth something, are messy, unreliable and unsafe.

 

Please advise a safe, straightforward location where I can actually get the Farbar tool you want me to run. Thank you.


BleepingComputer is the correct download location for Farbar. If your system is being redirected, then it is definitely infected.

Do you have access to another system? If so, download the tools to a USB thumb drive and transfer them to the infected computer.


OK, I d/l Farbar using my W7-64 machine and copied it to this machine via the network.

 

Here are all of the logs per the instructions.

 

 

Thanks.


Let's start by targeting Adware and Junkware in general.

Download AdwCleaner and save it on your desktop.

  • Close all open programs and Internet browsers (you may want to print out or write down these instructions first).
  • Double click on adwcleaner.exe to run the tool.
  • Click on the Scan button.
  • After the scan has finished, click on the Clean button.
  • Confirm each time with OK.
  • You will be prompted to restart your computer. A text file will open in Notepad after the restart (this is the log of what was removed), which you can save on your desktop.
  • Attach that log file to your reply by clicking the More Reply Options button to the lower-right of where you type in your reply.
  • If you lose that log file for any reason, you can find it at C:\AdwCleaner on your computer.

Download Junkware Removal Tool and save it on your desktop.
  • Shut down your anti-virus, anti-spyware, and firewall software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or Windows 7, right-click it and select Run as administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log is saved to your desktop and will automatically open.
  • Attach the JRT log file to a reply by clicking the More Reply Options button to the lower-right of where you type in your reply.

Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

HKLM\...\Policies\Explorer: [] 
HKLM\...\Policies\Explorer: [NoFolderOptions] 0
HKU\S-1-5-21-1659004503-1532298954-839522115-1004\...\Policies\Explorer: [NoFolderOptions] 0
URLSearchHook: HKCU - (No Name) - {a94e8dc9-07aa-45a7-8af2-a0375473a5cd} -  No File
BHO: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} -  No File
Toolbar: HKLM - Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} -  No File
Toolbar: HKCU - No Name - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} -  No File
Toolbar: HKCU - Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} -  No File
Toolbar: HKCU - ZoneAlarm Security Suite Toolbar - {3CE45C4F-BFFF-4988-9A3C-A75C1F491319} - C:\Program Files\ZoneAlarm_Security_Suite\prxtbZon0.dll No File
Toolbar: HKCU - No Name - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} -  No File
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -  No File
2014-06-04 15:56 - 2014-06-04 15:55 - 00000030 _____ () C:\AVScanner.ini

Close Notepad.

NOTE: It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST and press the Fix button just once and wait.

If the tool needed a restart, please make sure you let the system restart normally and let the tool complete its run after restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.

Note: If the tool warns you about an outdated version please download and run the updated version.


Followed your instructions, encountered two anomalies:

 

  • Right-clicking JRT.exe to try to run it as Administrator did NOT produce any option to run it as Administrator- therefore, I just double-clicked it and ran it under my username account, which is also an Administrator. I'm not sure that the option to run something as Administrator even exists in XP, or that it would be needed since XP isn't afflicted with Windows 7's horrible UAC.
     
  • AdwCleaner produced not one but two text files, named AdwCleaner[RO].txt and AdwCleaner[sO].txt. I was not able to save it to the desktop when it popped up because you did not specify a file name, and a user must manually enter a file name in order to use the "Save As..." function on an open Notepad file. The existing file name was so long in Notepad that it was truncated, so I was not able to determine what the name of the file was while it was open in Notepad. Once I hit "save as," the existing file name went away and I was on my own. Accordingly, not being able to save it to my desktop, I just closed it and later went to C:\AdwCleaner to find it, but I found two of them. So because you did not specify which of the two AdwCleaner output text files you wanted, I am attaching both of them.

 

Logs attached:

 

 

Thanks-


Oops- my bad. Please disregard above note about running as Admin in XP. Your instructions clearly say to do that only if running Vista or W7.


Changing tools.

Download ComboFix from Link

Save as Combo-Fix.exe during the download. ComboFix must be renamed before you download to your Desktop

!!! IMPORTANT !!! Save ComboFix to your Desktop

NOTE: ComboFix is an advanced utility, and is not like traditional automated tools. It will delete anything that it knows is bad without asking for confirmation, it will save backup copies in its quarantine automatically, it will restart your computer, and it will produce a log that allows me to analyze and determine if there is anything left over. This log will not contain any personal information, or information about any of your documents, pictures, music, videos, etc. It only compiles information on which applications/drivers/etc were installed within the last 30 days, any applications that have certain properties that could be used for malicious purposes, and most of the load points on your system that can be abused by malicious software. If there is a false positive, and something gets deleted that should not, then I can write a script for ComboFix that will tell it to restore specific items that it deleted.

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

    See HERE for help

  • Double click on Combo-Fix & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

NOTE: (This applies to Windows XP systems only) If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

whatnext.png

Click on Yes, to continue scanning for malware.

When finished, ComboFix will produce a log.

NOTE:

1. Do not mouseclick combofix's window while it's running. That may cause it to stall!

2. Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet.

3. If you get a message that states "illegal operation attempted on a registry key that has been marked for deletion" restart your computer.

Attach logs for: (USE THE "MORE REPLY OPTIONS" BUTTON TO BE ABLE TO DO THIS)

  • ComboFix (C:\combofix.txt)

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!


Anomalies encountered following above instructions:

 

  • Although I right-clicked on the Emsisoft Anti-Malware taskbar icon and told it to shut itself down, ComboFix reported that Emsisoft Guard Scanner was still active but that ComboFix would try to run anyway. The only option offered at that point was [OK]. Online Armor shut itself down on command without incident, as did Malwarebytes.
  • Immediately after I clicked [Yes] on ComboFix's initial Recovery Console Query dialog box (exactly as you show in the instructions), I got an immediate error message saying that no Internet connection could be found. Without doing anything (such as rebooting the router, wiggling Ethernet cables, etc. etc.) I just immediately hit "Try Again" and the installation appeared to finish normally.
  • Contrary to the above instructions, there was no file named combofix.txt anywhere on my hard disk after the run.
  • Contrary to the above instructions, there was no path on my computer named C:\combofix after the run.
  • Doing a search for file mask *.txt filtered for all files modified today, found a file named log.txt in C:\Documents & Settings\[all users]\local\temp. Opening that file shows it to be the ComboFix log file.

As to how my system is running, I went back to BleepingComputer.com to redownload the FarBar tool as a test because one of you guys said if I was getting Firefox redirect warnings on that page then my machine was definitely infected (see above in this thread). I got an immediate redirect on the FarBar download page, then another on the page of ads the first one took me to after I hit Allow on the first redirect warning.

 

So either you guys are mistaken and the BleepingComputer FarBar download page you are linking people to does in fact have legitimate redirects on the url you are linking to (above) and you just have the warnings turned off in your browsers so you don't know you have been redirected, OR my machine is still infected/browser-hijacked with something despite running every remedial tool known to man on it in the past 3 days.

 

I'm attaching the only file I found that remotely resembles a ComboFix log even though both the name and path are not even close to what you specified in your instructions. Please advise- Thanks.


Yes, the system was pretty heavily infected. ComboFix removed even more.

EAM has a service that runs at Windows start, and remains running even when you exit EAM. ComboFix is alerting on that service. So, clicking OK allows ComboFix to run, despite the warning.

We need to use ComboFix to remove some stuff.

  • Make sure that the copy of ComboFix that you downloaded earlier is on your Desktop but Do not run it!
  • If it is not on your Desktop, the below will not work.
  • Copy the below code to Notepad; Save As CFScript.txt to your Desktop.
    KillAll::
    
    Driver::
    SetupNTGLM7X
    
    File::
    C:\SecurityScanner.dll

    Close Notepad.

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

  • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
  • You should have both the ComboFix and CFScript.txt icons on your Desktop.
  • Now use your mouse to drag CFScript.txt on top of ComboFix

  • Follow the prompts.
  • When it finishes, a log will be produced named c:\combofix.txt
  • Attach the new log generated by ComboFix to your next reply.

Note: DO NOT mouseclick combofix's window while it is running. That may cause it to stall.


Followed latest instructions. Anomalies encountered:

  • The instructions did not mention shutting down Online Armor and/or Anti-Malware before running CF, so I didn't shut either of them down. This caused a non-stop sequence of literally dozens of Online Armor challenges wanting me to authorize various obscure programs and dll's that I have never heard of to run. Very disconcerting and a major omission in these latest instructions. I was finally able to shut them down when CF finally stopped spamming processes at me via OA and said it had detected Emsisoft Anti-Malware running and would wait for me to shut it down. Truly a very serious omission from the instructions that may have compromised the run and hence the result.
  • Although I was finally able to shut down Online Armor (see above), after the CF reboot, OA was back in full force and completely disrupted the CF after-reboot process with many more OA challenges that I had to authorize one by one. If there is any way to prevent OA from running after the CF reboot, I am not aware of it. This is another serious omission in the instructions.
  • After dragging CFScript.txt onto the CF executable on my desktop, I got a notice that a newer version of CF was available. The instructions don't mention how to handle this, but since the previous instructions did mention it, I took a chance on interrupting the whole script process by updating and let it do so. Accordingly, I have no idea whether or not CF actually ran the script when it relaunched itself after the update.

A file called C:\Combofix.txt WAS produced as the instructions specified. Here it is.

 

 

Please advise what I should do next, and thanks.


OA can be very chatty, and there is no way to prevent it from starting at Windows start, without uninstalling it.

Yes, the CFScript worked correctly.

Will Emsisoft Emergency Kit and FRST now run? If so, follow the steps in the Start Here thread, and attach the resulting scan logs to your reply.


Both EEK and FRST seemed to run OK. Here are the logs:

 

 

Pls advise how to fix the registry entry that seems to be disabling registry tools.

 

Thanks.


Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

SearchScopes: HKLM - DefaultScope value is missing.
S3 catchme; \??\C:\DOCUME~1\Doug\LOCALS~1\Temp\catchme.sys [X]
Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM" /v "DISABLEREGISTRYTOOLS" /f

Close Notepad.

NOTE: It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST and press the Fix button just once and wait.

If the tool needed a restart, please make sure you let the system restart normally and let the tool complete its run after restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.

Note: If the tool warns you about an outdated version please download and run the updated version.
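
The two fixlists quoted in this thread mix policy values, browser add-on registrations marked "No File", and a Reg: directive. The following is an added example, not part of the thread and not FRST's own code: a Python triage of lines in that shape, grouping add-on registrations whose file is absent by CLSID and listing the policy values that restrict a user's own tools. The sample lines are copied from the fixlists above; the regexes, the `triage` function and the `LOCKDOWN_VALUES` table are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Sample input: lines copied from the two fixlists quoted in this thread.
SAMPLE = r"""
HKLM\...\Policies\Explorer: [NoFolderOptions] 0
URLSearchHook: HKCU - (No Name) - {a94e8dc9-07aa-45a7-8af2-a0375473a5cd} -  No File
BHO: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} -  No File
Toolbar: HKLM - Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} -  No File
Toolbar: HKCU - Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} -  No File
Toolbar: HKCU - ZoneAlarm Security Suite Toolbar - {3CE45C4F-BFFF-4988-9A3C-A75C1F491319} - C:\Program Files\ZoneAlarm_Security_Suite\prxtbZon0.dll No File
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -  No File
S3 catchme; \??\C:\DOCUME~1\Doug\LOCALS~1\Temp\catchme.sys [X]
Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM" /v "DISABLEREGISTRYTOOLS" /f
"""

# Windows policy values that lock a user out of their own tools (illustrative subset).
LOCKDOWN_VALUES = {
    "nofolderoptions": "hides Folder Options in Explorer",
    "disableregistrytools": "blocks regedit",
    "disabletaskmgr": "blocks Task Manager",
}
NO_FILE = "No File"

# Assumed line shapes, inferred only from the lines visible in this thread.
POLICY_RE = re.compile(
    r"^(?P<key>HK\w+\\.*\\Policies\\\w+): \[(?P<value>[^\]]*)\]\s*(?P<data>.*)$", re.I)
REG_RE = re.compile(
    r'^Reg: reg (?P<verb>\w+) "(?P<key>[^"]+)" /v "(?P<value>[^"]+)"', re.I)
ADDON_RE = re.compile(
    r"^(?P<kind>URLSearchHook|BHO|Toolbar|Handler): (?:(?P<hive>HK\w+) - )?"
    r"(?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<target>.*)$")


def _active(data):
    """True/False when the line carries the value's data, None when it does not."""
    data = data.strip()
    if not data:
        return None
    return data != "0"


def triage(text):
    """Sort fixlist-style lines into lockdown policies, orphaned add-ons and the rest."""
    report = {"policies": [], "orphans": defaultdict(list), "other": []}
    for line in filter(None, (raw.strip() for raw in text.splitlines())):
        m = POLICY_RE.match(line) or REG_RE.match(line)
        if m:
            g = m.groupdict()
            meaning = LOCKDOWN_VALUES.get(g["value"].lower())
            if meaning:
                report["policies"].append({
                    "key": g["key"], "value": g["value"], "meaning": meaning,
                    "active": _active(g.get("data") or ""),
                })
                continue
        m = ADDON_RE.match(line)
        if m and m["target"].strip().endswith(NO_FILE):
            # The registration survives in the registry but its file is gone.
            path = m["target"].strip()[:-len(NO_FILE)].strip() or None
            report["orphans"][m["clsid"].upper()].append({
                "kind": m["kind"], "hive": m["hive"],
                "name": m["name"], "path": path,
            })
            continue
        report["other"].append(line)  # left for manual review
    return report


if __name__ == "__main__":
    result = triage(SAMPLE)
    for p in result["policies"]:
        print(f"policy  {p['value']:<22} {p['meaning']} (active={p['active']})")
    for clsid, regs in result["orphans"].items():
        places = ", ".join(f"{r['kind']}/{r['hive'] or '-'}" for r in regs)
        print(f"orphan  {clsid}  {regs[0]['name']}: {places}")
    for line in result["other"]:
        print(f"review  {line}")
```
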


Everything should be fine now.

Unless you are having problems, it is time to do the final steps.

Now to remove most of the tools that we have used in fixing your machine:

Press the Windows key + R and this will open the Run text box. Copy/paste the following text into the Run box as shown and click OK.

Combofix /Uninstall

(Note: There is a space between the ..X and the /U that needs to be there.)

Uninstall AdwCleaner:

  • Close all open programs and Internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on the Uninstall button.
  • Confirm by clicking Yes.

Delete the following from your Desktop: (If they exist)

AdwCleaner.exe

CFscript.txt

Emsisoft Emergency Kit.lnk

FRST.exe

FRST64.exe

JRT.exe

JRT.txt

Anything else I had you use

Delete the following files: (If they exist)

C:\ComboFix.txt

Delete the following folders: (If they exist)

C:\AdwCleaner

C:\ComboFix

C:\EEK

C:\FRST

C:\Qoobox

Empty the Recycle Bin

Download to your Desktop:

- CCleaner Portable

  • UnZip CCleaner Portable to a folder on your Desktop named CCleaner

Run CCleaner
  • Open the CCleaner Folder on your Desktop and double click CCleaner.exe (32-bit) or CCleaner64.exe (64-bit)
  • The following should be selected by default, if not, please select:

    4l5a4i.png

  • Click 16jox2o.png and choose 5x3nu8.gif
  • Uncheck 2wlsw11.gif
  • Then go back to 2jb4qyb.gif and click nf47ev.gif to run it.
  • Exit CCleaner.

Turn off System restore to flush all your restore points then turn system restore back on. See How To Enable and Disable System Restore.

You can delete and uninstall any programs I had you download, that you do not wish to keep on the system.

Run Windows Update and update your Windows Operating System.

Install and run the Secunia Personal Software Inspector, this will inspect your system for software that is out-of-date and in need of updating. Update any program/application detected as being out-dated.

Articles to read:

How to Protect Your Computer From Malware

How to keep you and your Windows PC happy

Web, email, chat, password and kids safety

10 Sources of Malware Infections

That should take care of everything.

Safe Surfing!


OK, followed above instructions except for the last.

 

Either the link you provided for Secunia PSI is broken or I am still infected.

 

No matter how many times I click the Download button, nothing gets downloaded. Worse, there is no "Click here if your download does not begin" link to force the download. The destination folder eventually ends up with a "dummy file" named PSIsetup (with no file extension) and a size of zero bytes. Just to make sure, I have double-clicked the fake file, and I then get an error box saying that the file is not a valid Windows file.

 

So I went to CNET to download PSI, being sure to decline all the PUPs. I was able to install PSI, but after installing it, telling it to Scan results in a non-moving progress bar stuck at about 2% completion and a tiny message that it is determining which files to check for currency. This remains unchanged for 10-15 minutes, until I finally lose patience and Alt-F4 it down.

 

So, the bottom line is that it is not possible to install or run PSI. If you have any suggestions I would love to hear them.

 

Thanks.


Let's take a quick look for a rootkit.

Read carefully and follow these steps.

  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application.

  • Click Change parameters

  • Check the boxes next to Verify Driver Digital Signature and Detect TDLFS file system, then click OK

  • Click on the Start Scan button to begin the scan and wait for it to finish.

    NOTE: Do not use the computer during the scan!

  • During the scan it will look similar to the image below:

    tdss4.jpg

  • When it finishes, you will either see a report that no threats were found like below:

    tdss5.jpg

    If no threats are found at this point, just click the Report selection on the top right of the form to generate a log. A log file report will pop up, which you can just close since the report file is already saved.

  • If any infection or suspected items are found, you will see a window similar to below:

    tdss7.jpg

    • If you have files that are shown to fail signature check do not take any action on these. Make sure you select Skip. I will tell you what to do with these later. They may not be issues at all.
    • If Suspicious objects are detected, the default action will be Skip. Leave the default set to Skip.
    • If Malicious objects are detected, they will show in the Scan results. TDSSKiller automatically selects an action (Cure or Delete) for malicious objects.
    • Make sure that Cure is selected. Important! - If Cure is not available, please choose Skip instead. Do not choose Delete unless instructed to do so.
  • Click Continue to apply selected actions.
  • A reboot may be required to complete disinfection. A window like the below will appear:

    tdss6.jpg

    Reboot immediately if TDSSKiller states that one is needed.

  • Whether an infection is found or not, a log file should have already been created on your C: drive (or whatever drive you boot from) in the root folder named something like TDSSKiller.2.1.1_27.12.2009_14.17.04_log.txt which is based on the program version # and date and time run.
  • Attach this log to your next reply.


Not sure why PSI is hanging during the scan. Your system doesn't appear to be infected any longer.


Thread Closed

Reason: Resolved

The procedures contained in this thread are for this user and this user only. Attempting to use the instructions in this thread on your system could result in damaging the Operating System beyond repair. Do Not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist.

All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE, if you don't we are just going to send you back to this thread.
