crazz2323

My laptop has been infected and Emsisoft blocks attempts to img.tongji.linezing.com


My laptop has been infected and Emsisoft keeps blocking attempts to connect to img.tongji.linezing.com. When I do a deep scan in safe mode, Emsisoft finds nothing. I tried Spybot as well as Malwarebytes and still nothing. How can I get rid of this? I am testing out Emsisoft and may purchase it, but I need to see if this software can help first!


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of Java components and upgrade the application. NOT supported for use in 9x or ME.

Upgrading Java:

  • Download the latest version of Java SE Runtime Environment (JRE) 6 Update 30.
  • Click the "Download JRE" button to the right.
  • Accept the license agreement.
  • Click on the download link for your system and save it to your desktop. Users of Windows Vista/7 64-bit can install both the 32-bit and 64-bit JRE without conflicts.
    Windows x86 Offline (jre-6u30-windows-i586.exe)
    Windows x64 (jre-6u30-windows-x64.exe)
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version. (Vista/7 users, right click on the JRE download and select "Run as an Administrator.")

The installed version of the Adobe Flash Player ActiveX control on this computer is outdated. Using Internet Explorer, install the latest version of Adobe Flash Player ActiveX available from Adobe.

The installed version of Adobe Reader on this computer is outdated. Install the latest version of Adobe Reader available from Adobe.

Using Add or Remove Programs in the Control Panel; uninstall the following:

Java(TM) 6 Update 27 (64-bit)
Java(TM) 6 Update 26
Adobe Flash Player 10 Plugin

Run OTL.exe

  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
    :OTL
    O2 - BHO: (no name) - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - No CLSID value found.
    O2 - BHO: (no name) - AutorunsDisabled - No CLSID value found.
    O3:[b]64bit:[/b] - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
    O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Low Rights present
    O18:[b]64bit:[/b] - Protocol\Handler\livecall - No CLSID value found
    O18:[b]64bit:[/b] - Protocol\Handler\ms-help - No CLSID value found
    O18:[b]64bit:[/b] - Protocol\Handler\msnim - No CLSID value found
    O18:[b]64bit:[/b] - Protocol\Handler\wlmailhtml - No CLSID value found
    O18:[b]64bit:[/b] - Protocol\Handler\wlpg - No CLSID value found
    O20:[b]64bit:[/b] - HKLM Winlogon: VMApplet - (/pagefile) -  File not found
    O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
    O21:[b]64bit:[/b] - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
    O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found. 
    [2012/01/02 15:35:45 | 000,000,000 | ---D | C] -- C:\Users\John\AppData\Local\{8F6DE1F9-365B-43DC-A6EE-66D2847A8267}
    [2012/01/02 15:35:35 | 000,000,000 | ---D | C] -- C:\Users\John\AppData\Local\{D5050F71-5024-44D5-B0CD-49181B6379E1}
    [2012/01/01 09:33:57 | 000,000,000 | ---D | C] -- C:\Users\John\AppData\Local\{E4C1D496-EE6A-44BF-AF01-D9D2882D4538}
    [2012/01/01 09:33:46 | 000,000,000 | ---D | C] -- C:\Users\John\AppData\Local\{0073C8E9-5975-41BE-BB1E-549D098E9B36}
    [2011/12/31 20:09:37 | 000,000,000 | ---D | C] -- C:\Users\John\AppData\Local\{1A4D23E0-7211-4D97-ACF7-BBB726978AE6}
    [2011/12/31 20:09:26 | 000,000,000 | ---D | C] -- C:\Users\John\AppData\Local\{180F1FC1-B7AD-43A1-A53E-363EAD3B2C52}
    [2011/12/30 21:17:03 | 000,000,000 | ---D | C] -- C:\Users\John\AppData\Local\{723ABD0F-1F3F-4839-AA0B-ED0450AF0BBA}
    [2011/12/30 21:16:53 | 000,000,000 | ---D | C] -- C:\Users\John\AppData\Local\{490A3AE9-9E5D-460A-A81A-D3E464FF868D}
    [2011/12/27 19:29:58 | 000,000,000 | ---D | C] -- C:\Users\John\AppData\Local\{FEC661B8-EBCC-4B77-8DB9-DCCF8C482107}
    [2011/12/26 11:04:07 | 000,000,000 | ---D | C] -- C:\Users\John\AppData\Local\{2FBBEC44-AA6A-4AA6-AE1E-57CBCA23220A}
    [2011/12/23 16:55:07 | 000,000,000 | ---D | C] -- C:\Users\John\AppData\Local\{9E8051EF-08AE-4BDF-87B8-16FB1710854D}
    [2011/12/23 16:54:57 | 000,000,000 | ---D | C] -- C:\Users\John\AppData\Local\{06082D31-875E-4707-9008-0D2A743AE02F}
    [2012/01/01 11:26:45 | 000,014,856 | -HS- | M] () -- C:\Users\John\AppData\Local\hjo833mc3jum42mv8x310l2loyaro0om8wihg
    [2012/01/01 11:26:45 | 000,014,856 | -HS- | M] () -- C:\ProgramData\hjo833mc3jum42mv8x310l2loyaro0om8wihg
    
    :Commands
    [Purity]
    [EmptyTemp]
    [EmptyFlash]
    [EmptyJava]
    [ResetHosts]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Attach the new log produced by OTL (C:\_OTL). (USE THE "MORE REPLY OPTIONS" BUTTON TO BE ABLE TO DO THIS)

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!


Download ComboFix from one of these locations:

Save it as Combo-Fix.exe during the download. ComboFix must be renamed before you download it to your Desktop.

Link 1

Link 2

* IMPORTANT !!! Save Combo-Fix to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
    See HERE for help
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: (This applies to Windows XP systems only) If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, ComboFix will produce a log.

Note:

1. Do not mouse-click ComboFix's window while it's running. That may cause it to stall!

2. Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet.

Attach logs for: (USE THE "MORE REPLY OPTIONS" BUTTON TO BE ABLE TO DO THIS)

  • ComboFix (C:\combofix.txt)

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!


Thread Closed

Reason: Lack of Response

PM either ShadowPuterDude, or JeanInMontana to have this thread reopened.

The procedures contained in this thread are for this user and this user only. Attempting to use the instructions in this thread on your system could result in damaging the Operating System beyond repair. Do Not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist.

All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE; if you don't, we are just going to send you back to this thread.


Thank you! I followed the above instructions and received the following log (see attached). It appears my Windows Firewall has been damaged at some point during the virus removal process. I do not see it as a listed service and am unable to run it.

On a good note, I have not seen any more messages regarding attempts to connect to img.tongji.linezing.com anymore.


OK, let's have a look at what is going on with Windows Firewall.

Download Farbar Service Scanner and run it on the computer with the issue.

  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run from.
  • Please attach the log to your reply.


Download to your Desktop FixMpsSvc.zip, attached below.

Unzip the contents of FixMpsSvc.zip to your Desktop.

Right-click FixMpsSvc.bat and select "Run as administrator" to run FixMpsSvc.bat.

A Command Console window will briefly open and then close.

Run Farbar Service Scanner (FSS).

  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run from.
  • Attach the log to your reply.


Ok, I ran the bat file as admin and then ran FSS. Seems it did not work. I even rebooted and ran it again. I am still unable to start Windows Firewall. It says "The Windows Firewall with Advanced Security snap-in failed to load. Error code 0x6D9" when I try to run Windows Firewall.


Download and unzip the attached file, to your Desktop, replacing mpssvc.reg.

Run FixMpsSvc.bat by right-clicking on it and selecting "Run as administrator".

Get a fresh log from FSS.


Still no luck. The report says:

Windows Firewall:

=============

MpsSvc Service is not running. Checking service configuration:

Checking Start type: Attention! Unable to open MpsSvc registry key. The service key does not exist.

Checking ImagePath: Attention! Unable to open MpsSvc registry key. The service key does not exist.

Checking ServiceDll: Attention! Unable to open MpsSvc registry key. The service key does not exist.


Emsisoft Anti-Malware may be preventing the changes to the Windows Registry. Disable EAM, and run the fix again.


Good news! I tried it again under safe mode and Windows Firewall is working now! Thank you so much for your help! So how do I know for sure that I am clean now? I want to feel confident that I am virus-free.


OK, that looks much better. However, FSS indicates that there are still problems with System Restore & Windows Update.

Download Windows Repair by Tweaking.com to your desktop.

  • Double-click tweaking.com_windows_repair_aio.zip and extract the Tweaking.com - Windows Repair folder to your desktop.
  • Now open this folder and double-click Repair_Windows.exe.
  • Click the Start Repairs tab on the far right.
  • Click Custom Mode so there is a bullet in it.
  • Click the Start button (bottom right).
    Note: When asked whether you would like to create a restore point, doing so is recommended, just in case something does not go as planned.
  • Click Unselect All.
  • Put a checkmark in the following items:
    • Repair Windows Updates
    • Repair Volume Shadow Copy Service
    • Set Windows Services To Default Startup
    Note: Leave everything else unchecked.
  • Put a checkmark in Restart System When Finished.
  • Now click the Start button (bottom right).


Download to your Desktop FixSdrSvc.zip, attached below.

Unzip the contents of FixSdrSvc.zip to your Desktop.

Right-click FixSdrSvc.bat and select "Run as administrator" to run FixSdrSvc.bat.

A Command Console window will briefly open and then close.

Attach a fresh log from FSS.


OK, now to see if we can get Volume Shadow Copy Service working.

Run Windows Repair by Tweaking.com from your desktop.

  • Double-click tweaking.com_windows_repair_aio.zip and extract the Tweaking.com - Windows Repair folder to your desktop.
  • Now open this folder and double-click Repair_Windows.exe.
  • Click the Start Repairs tab on the far right.
  • Click Custom Mode so there is a bullet in it.
  • Click the Start button (bottom right).
    Note: When asked whether you would like to create a restore point, doing so is recommended, just in case something does not go as planned.
  • Click Unselect All.
  • Put a checkmark in the following items:
    • Repair Volume Shadow Copy Service
    • Set Windows Services To Default Startup
    Note: Leave everything else unchecked.
  • Put a checkmark in Restart System When Finished.
  • Now click the Start button (bottom right).

Attach a fresh log from FSS


SDRSVC is disabled again.

Read carefully and follow these steps.

  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application.
  • Click Change parameters.
  • Check the boxes next to Verify Driver Digital Signature and Detect TDLFS file system, then click OK.
  • Click on the Start Scan button to begin the scan and wait for it to finish.
    NOTE: Do not use the computer during the scan!
  • When it finishes, you will either see a report that no threats were found:
    If no threats are found at this point, just click the Report selection on the top right of the form to generate a log. A log file report will pop up, which you can just close since the report file is already saved.
  • Or, if any infection or suspected items are found, you will see a results window:
    • If you have files that are shown to fail the signature check, do not take any action on these. Make sure you select Skip. I will tell you what to do with these later. They may not be issues at all.
    • If Suspicious objects are detected, the default action will be Skip. Leave the default set to Skip.
    • If Malicious objects are detected, they will show in the Scan results. TDSSKiller automatically selects an action (Cure or Delete) for malicious objects.
      Make sure that Cure is selected. Important! - If Cure is not available, please choose Skip instead. Do not choose Delete unless instructed to do so.
  • Click Continue to apply the selected actions.
  • A reboot may be required to complete disinfection. Reboot immediately if TDSSKiller states that one is needed.
  • Whether an infection is found or not, a log file should have already been created on your C: drive (or whatever drive you boot from) in the root folder, named something like TDSSKiller.2.1.1_27.12.2009_14.17.04_log.txt, which is based on the program version # and the date and time run.
  • Attach this log to your next reply.


TDSSKiller log shows no problems.

OK, let's start over from the top.

Do fresh scans with EAM and OTL.

Attach the logs when finished.


Run OTL.exe

  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
    :OTL
    O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll File not found
    O3:[b]64bit:[/b] - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
    O4 - Startup: C:\Users\John\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AutorunsDisabled [2011/06/20 19:05:30 | 000,000,000 | -H-D | M]
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O18:[b]64bit:[/b] - Protocol\Handler\livecall - No CLSID value found
    O18:[b]64bit:[/b] - Protocol\Handler\ms-help - No CLSID value found
    O18:[b]64bit:[/b] - Protocol\Handler\msnim - No CLSID value found
    O18:[b]64bit:[/b] - Protocol\Handler\wlmailhtml - No CLSID value found
    O18:[b]64bit:[/b] - Protocol\Handler\wlpg - No CLSID value found
    O20:[b]64bit:[/b] - HKLM Winlogon: VMApplet - (/pagefile) -  File not found
    O37 - HKCU\...com [@ = ComFile] -- Reg Error: Key error. File not found
    [2011/09/11 10:12:13 | 000,000,190 | ---- | C] () -- C:\ProgramData\nvUnsupRes.dat
    
    :Commands
    [Purity]
    [EmptyTemp]
    [EmptyFlash]
    [EmptyJava]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Attach the new log produced by OTL (C:\_OTL). (USE THE "MORE REPLY OPTIONS" BUTTON TO BE ABLE TO DO THIS)

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!


When I run ComboFix it says Microsoft Security Essentials is still on, even though I disabled it by turning off real-time protection. It's warning me it may cause damage. How can I be sure it's really disabled before running the rest of ComboFix? See attached error.


I already had Spybot disabled, so I do not know why TeaTimer was still active. So for now I uninstalled Spybot as well as Microsoft Security Essentials. I rebooted and ran FixSdrSvc.bat, and I noticed when the command window popped up briefly, it said "ERROR: Error accessing the registry", "The Windows Backup service is starting", "The Windows Backup service was started successfully". Should I just stop the Windows Backup service, run the two .regs without the bat file and start the service again?


I tried running sdrsvc.reg and it gives an error saying some keys are open by system or other processes. I also tried running it in safe mode. See attached pic.


I was not able to get the sdrsvc.reg to work, and the registry said it could not change some of the permissions when I tried. So I went line by line and made sure the registry matched what the sdrsvc.reg does. It matched exactly and I did not need to edit anything. I was able to get the proper permissions and run the legacy_sdrsvc.reg successfully. I noticed before I ran it that [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SDRSVC] did not even exist in my registry, so it imported properly. I have now run FSS.exe and here is the log.


Something continues to damage critical Windows Services. Run fresh scans with EAM and OTL and attach the logs when the scans are finished.


It seems to me the damage would happen after running ComboFix. Not sure if that warning about Microsoft Security Essentials being detected, even though I had it disabled, had anything to do with it. Either way, I uninstalled it last time, as well as Spybot and Malwarebytes, so the only thing running now should be EAM.

I ran the scans again. Deep scan with EAM and a scan with OTL.


Do the following:

Start -> All Programs -> Accessories -> Right click "Command Prompt" -> "Run as administrator"

Click "OK" on any alerts.

The Command Console will open.

Enter the following commands, at the Command Prompt. Commands must be entered exactly as shown.

Press the Enter Key after each command. Wait for each command to finish before proceeding to the next command.

net start sdrsvc
net start wscsvc
net start wuauserv
exit

Run OTL.exe

  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
    :OTL
    O2 - BHO: (no name) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - No CLSID value found.
    O3:[b]64bit:[/b] - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O18:[b]64bit:[/b] - Protocol\Handler\livecall - No CLSID value found
    O18:[b]64bit:[/b] - Protocol\Handler\ms-help - No CLSID value found
    O18:[b]64bit:[/b] - Protocol\Handler\msnim - No CLSID value found
    O18:[b]64bit:[/b] - Protocol\Handler\wlmailhtml - No CLSID value found
    O18:[b]64bit:[/b] - Protocol\Handler\wlpg - No CLSID value found
    O20:[b]64bit:[/b] - HKLM Winlogon: VMApplet - (/pagefile) -  File not found
    
    :Commands
    [Purity]
    [EmptyTemp]
    [EmptyFlash]
    [EmptyJava]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done

Run a new scan with FSS.

Attach the new logs produced by FSS & OTL (C:\_OTL). (USE THE "MORE REPLY OPTIONS" BUTTON TO BE ABLE TO DO THIS)

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!


Do the following:

Start -> All Programs -> Accessories -> Right click "Command Prompt" -> "Run as administrator"

Click "OK" on any alerts.

The Command Console will open.

Enter the following commands, at the Command Prompt. Commands must be entered exactly as shown.

Press the Enter Key after each command. Wait for each command to finish before proceeding to the next command.

net stop bits
sc config bits start= auto
net start bits
exit

Click Start and in "Start search" type in:

regedit

Press Enter.

Registry editor will open.

Navigate to:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SDRSVC

Right click on SDRSVC key, click "Permissions"

Click on Add button, type Everyone and click OK.

Now click once on Everyone

Below, in "Permissions" pane checkmark "Allow" in "Full control" row.

Click OK.

Do the following:

Start -> All Programs -> Accessories -> Right click "Command Prompt" -> "Run as administrator"

Click "OK" on any alerts.

The Command Console will open.

Enter the following commands, at the Command Prompt. Commands must be entered exactly as shown.

Press the Enter Key after each command. Wait for each command to finish before proceeding to the next command.

net stop vss
net stop sdrsvc
sc config sdrsvc start= auto
sc config vss start= auto
net start sdrsvc
net start vss
exit

Reboot

Run a fresh scan with FSS and attach the new FSS log.


Do the following:

Start -> All Programs -> Accessories -> Right click "Command Prompt" -> "Run as administrator"

Click "OK" on any alerts.

The Command Console will open.

Enter the following commands, at the Command Prompt. Commands must be entered exactly as shown.

Press the Enter Key after each command. Wait for each command to finish before proceeding to the next command.

net stop wscsvc
net stop wuauserv
sc config wscsvc start= auto
sc config wuauserv start= auto
net start wscsvc
net start wuauserv
exit

Reboot

Run a fresh scan with FSS and attach the new FSS log.

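A read-only check covering the six services this thread has been repairing (MpsSvc, BITS, wuauserv, wscsvc, SDRSVC, VSS), added here as an example; it is not part of the thread and is not code from FSS, OTL or ComboFix. It assumes PowerShell 3.0 or later on Windows Vista/7 and a function name of my own (Test-ServiceConfig); it reports the same items the FSS excerpt above lists (service key present, Start type, ImagePath, ServiceDll) plus the live service status, and changes nothing.

```powershell
# Added example, not part of this thread and not code from FSS, OTL or ComboFix.
# Read-only audit of the services the thread repairs: for each one it reports what the
# FSS log excerpt lists (service key present, Start type, ImagePath, ServiceDll) plus the
# live status from the Service Control Manager. Nothing is changed.
# Assumes PowerShell 3.0 or later; run from an elevated prompt.

$services   = 'MpsSvc', 'bits', 'wuauserv', 'wscsvc', 'SDRSVC', 'VSS'
$startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

function Test-ServiceConfig {
    param([Parameter(Mandatory = $true)][string]$Name)

    $key    = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    $result = [ordered]@{ Service = $Name; Status = ''; Start = ''; ServiceDll = ''; Problems = @() }

    # Live view first: a service whose key is gone is also unknown to the SCM.
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    $result.Status = if ($svc) { [string]$svc.Status } else { 'not registered' }

    if (-not (Test-Path -Path $key)) {
        # The state the FSS log showed for MpsSvc: the whole service key is missing.
        $result.Problems += 'service key does not exist'
        return [pscustomobject]$result
    }

    $cfg = Get-ItemProperty -Path $key
    if ($null -eq $cfg.Start) {
        $result.Problems += 'Start value missing'
    } else {
        $result.Start = $startNames[[int]$cfg.Start]
        # "SDRSVC is disabled again" in the thread corresponds to Start = 4.
        if ([int]$cfg.Start -eq 4) { $result.Problems += 'start type is Disabled' }
    }
    if (-not $cfg.ImagePath) { $result.Problems += 'ImagePath missing' }

    # svchost-hosted services keep their implementation under Parameters\ServiceDll.
    $paramKey = Join-Path -Path $key -ChildPath 'Parameters'
    if (Test-Path -Path $paramKey) {
        $dll = (Get-ItemProperty -Path $paramKey).ServiceDll
        if ($dll) {
            $result.ServiceDll = $dll
            $expanded = [Environment]::ExpandEnvironmentVariables($dll)
            if (-not (Test-Path -Path $expanded)) {
                $result.Problems += "ServiceDll file not found: $expanded"
            }
        }
    }

    [pscustomobject]$result
}

$report = foreach ($name in $services) { Test-ServiceConfig -Name $name }
$report | Format-Table -Property Service, Status, Start, ServiceDll -AutoSize

$broken = @($report | Where-Object { $_.Problems.Count -gt 0 })
if ($broken.Count -gt 0) {
    Write-Warning 'Attention! These services need repair:'
    foreach ($b in $broken) { '  {0}: {1}' -f $b.Service, ($b.Problems -join '; ') }
} else {
    'All listed services have a registry key, a non-disabled start type and a present ServiceDll.'
}
```

Where it flags a Disabled start type, the thread's `sc config <name> start= auto` line is the repair; a missing service key needs the registry import the helper supplied, not a start-type change.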