b-mic80 0 Report post Posted February 26, 2012 Hi, An initial scan detected Trojan.Agent-UM!E2 and Trojan.Agent-UN!E2 however these were not removed. I have not attached the requested logs as I cannot complete a scan in normal mode using either EEK or OTL (or with any other program I have tried). My PC freezes during any scan and I have to hard boot, although I can complete scans in safe mode. Any help would be much appreciated thanks. Share this post Link to post Share on other sites
GT500 609 Report post Posted February 27, 2012 OK, lets try ComboFix, and see if it will complete its scan. Please download ComboFix from one of the following links, and follow the instructions below to run it. Save as Combo-Fix.exe during the download. ComboFix must be renamed before you download to your Desktop Link 1 Link 2 * IMPORTANT !!! Save Combo-Fix to your Desktop Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our toolsSee HERE for help Double click on ComboFix.exe & follow the prompts. As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware. Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console. **Please note: (This applies to Windows XP systems only) If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures. Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message: Click on Yes, to continue scanning for malware. When finished, ComboFix will produce a log. Note: 1. Do not mouseclick combofix's window while it's running. That may cause it to stall! 2. Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet. Attach logs for: (USE THE "MORE REPLY OPTIONS" BUTTON TO BE ABLE TO DO THIS) ComboFix (C:\combofix.txt) Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now! Share this post Link to post Share on other sites
b-mic80 0 Report post Posted February 28, 2012 Ok, ran ComboFix and have attached log. Also managed to complete a scan with OTL afterwards so hope that helps. Am now getting error messages from various programs though, including my antivirus. PC still froze and also blue screened once after the ComboFix scan. Share this post Link to post Share on other sites
GT500 609 Report post Posted February 28, 2012 I have written a cleanup script for OTL (if you need to, you may download OTL from this link). Please copy the contents of the following CODE box, and in OTL under the Custom Scans/Fixes box at the bottom, paste in what you just copied from the following CODE box::OTL FF:[b]64bit:[/b] - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found. O15 - HKCU\..Trusted Domains: internet ([]about in Trusted sites) O18:[b]64bit:[/b] - Protocol\Handler\livecall - No CLSID value found O18:[b]64bit:[/b] - Protocol\Handler\ms-help - No CLSID value found O18:[b]64bit:[/b] - Protocol\Handler\ms-itss - No CLSID value found O18:[b]64bit:[/b] - Protocol\Handler\msnim - No CLSID value found O18:[b]64bit:[/b] - Protocol\Handler\wlmailhtml - No CLSID value found O18:[b]64bit:[/b] - Protocol\Handler\wlpg - No CLSID value found O20:[b]64bit:[/b] - HKLM Winlogon: VMApplet - (/pagefile) - File not found O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found :Commands [EMPTYTEMP] Then click the Run Fix button at the top. Let the program run unhindered, restart your computer when it is done (it may automatically restart your computer on its own). After your computer has restarted, please open OTL again and click the Quick Scan button. Attach the log it produces in your next reply (just the OTL log, as I don't need to see the Extras log again). You will need to click the button that says More Reply Options to the lower-right of where you type your reply to be presented with the attachment controls. Share this post Link to post Share on other sites
b-mic80 0 Report post Posted February 29, 2012 Thanks for that, here's the log from the latest OTL scan. Share this post Link to post Share on other sites
GT500 609 Report post Posted February 29, 2012 Please run an online virus scan through ESET by following the steps below: Turn off your anti-virus software. Click on this link. Click on the ESET Online Scanner button. Put a check in the box that says YES, I accept the Terms of Use. Click the 'Start' button just to the right of the checkbox. Uncheck the box that says Remove found threats (this is very important). Click on Advanced settings. Put a check in the box that says Scan for potentially unsafe applications. Verify that Scan for potentially unwanted applications is also checked. Verify that Enable Anti-Stealth technology is also checked. Click the Start button in the lower-right corner of the page, and it will begin downloading it's database, and then it will start scanning. When the scan is done, if it shows a screen that says Threats found!, then click List of found threats, and then click Export to text file... (if nothing was found, then just let me know that no threats were found). Save that text file on your desktop, and then attach it to a reply (using the More Reply Options button in the lower-right corner of this forum topic) for me. Close the ESET online scan. I will take a look at the log, and let you know if anything needs removed. Share this post Link to post Share on other sites
b-mic80 0 Report post Posted March 1, 2012 Tried several scans but my PC froze each time when scanning the same file: C:\Program Files\Common Files\Microsoft Shared\ink\lpsPlugin.dll Share this post Link to post Share on other sites
GT500 609 Report post Posted March 1, 2012 Are you able to move that file out of the folder it's in, and then move it back where it was? Try just moving it to your desktop and back again. Share this post Link to post Share on other sites
b-mic80 0 Report post Posted March 4, 2012 Not able to move the file, my pc just keeps crashing every time I try. Share this post Link to post Share on other sites
GT500 609 Report post Posted March 5, 2012 Do you have a Windows XP CD? Share this post Link to post Share on other sites
b-mic80 0 Report post Posted March 5, 2012 No, I didn't get a Windows cd with my laptop. Share this post Link to post Share on other sites
GT500 609 Report post Posted March 5, 2012 When you turn your computer on, do you get an option to load the Windows XP Recovery Console? Share this post Link to post Share on other sites
b-mic80 0 Report post Posted March 5, 2012 I'm running windows 7, get the option to repair computer on startup which takes me to a system recovery options screen Share this post Link to post Share on other sites
GT500 609 Report post Posted March 5, 2012 I assume that System Recover Options screen looks like this (if the picture is tiny, then you can click on it to make it bigger): Is so, then select the Command Prompt option. This will load a black window with white text. Click in the empty black space, and type in the command that is in the following box: chkdsk /F C: This will start an error check on your hard drive, and it should repair any errors in the filesystem automatically. Hopefully this will resolve the issue. Once it is done, you can simply close the command prompt, and click the Restart button. Share this post Link to post Share on other sites
b-mic80 0 Report post Posted March 7, 2012 Ran the error check and windows found no problems in the file system, however it's still not fixed. What should I try next? Thanks Share this post Link to post Share on other sites
GT500 609 Report post Posted March 8, 2012 We can try using BlitzBlank to move the file to your C: drive (note that whatever program uses this file may start displaying an error message after it is moved): Please download BlitzBlank from , and save it on your desktop. Run BlitzBlank from the icon on your desktop. It will display a warning. Click OK to continue. Switch to the Script tab. Copy and paste the contents of the following box into the big white box on the Script tab:MoveFile: "C:\Program Files\Common Files\Microsoft Shared\ink\lpsPlugin.dll" C:\lpsPlugin.dll After pasting the script in the box above into the white box in BlitzBlank, please click the Execute button in the lower-right corner. A message will appear warning you that BlitzBlank is going to restart your computer. Make sure that anything you were working on is saved, and click OK to allow it to restart your computer. When your computer is starting up you should see an odd black screen with some white text on it. This is normal, and your computer will continue with its normal startup after a minute or two. Once your computer is finished starting up, there should be a log file saved as a Text Document named blitzblank in the root of your C: drive. Please attach that file to a reply by using the More Reply Options button to the lower-right of where you type in your reply. Share this post Link to post Share on other sites
b-mic80 0 Report post Posted March 8, 2012 Hi, Pasted the above box exactly as it is but when I click on execute I get the error message - Syntax error in line 1, Invalid file path Doesn't look to be anything wrong though? Share this post Link to post Share on other sites
GT500 609 Report post Posted March 8, 2012 That's a bit odd. Lets try using ComboFix to move it. I have written a script that will tell ComboFix how to move that file. Here are instructions on what to do with the script: Download an updated version of ComboFix from one of the following links:[list=] BleepingComputer InfoSpyware [*] Turn off your Anti-Virus software. [*] Click your Start button, go to All Programs (or just Programs on Vista and Windows 7), go to Accessories, and then open Notepad. [*] Please copy and paste the contents of the box below into Notepad (here is a link to instructions if you do not know how to copy and paste): http://support.emsisoft.com/topic/7453-pc-infected-by-trojans/ KillAll:: FileLook:: C:\Program Files\Common Files\Microsoft Shared\ink\lpsPlugin.dll FCopy:: C:\Program Files\Common Files\Microsoft Shared\ink\lpsPlugin.dll | C:\lpsPlugin.dll File:: C:\Program Files\Common Files\Microsoft Shared\ink\lpsPlugin.dll [*] Save this as a Text Document named CFScript in the same location as ComboFix (which should be on your desktop). [*] Close Notepad and verify that the CFScript file is saved on your desktop. [*] Referring to the animated picture below, click the left mouse button on top of the CFScript icon on your desktop, then holding the mouse button down drag the CFScript icon on your desktop onto the ComboFix icon, and then drop it (let go of the mouse button) on top of the ComboFix icon: When finished, it will display a new log in Notepad. Please attach that log to a reply the same way you did before. If you prefer, you can save the log on your desktop to make it easier to find. Share this post Link to post Share on other sites
b-mic80 0 Report post Posted March 8, 2012 Realised what the problem was, it's IPS with an i rather than L. Amended and ran BlitzBlank but it didn't restart properly and after about 5 mins of waiting I got the message - Windows failed to start. Will give ComboFix a try now. Share this post Link to post Share on other sites
b-mic80 0 Report post Posted March 8, 2012 Sorry, just realised that depsite my PC not restarting properly, IpsPlugin.dll appears to have been successfully moved and I've attached the BlitzBlank log. I've therefore not ran ComboFix for now, do you still want me to? Thanks Share this post Link to post Share on other sites
GT500 609 Report post Posted March 8, 2012 No, if the file was moved then go ahead and run the ESET scan and attach the log for me when it is done. Here are the instructions again: Turn off your anti-virus software. Click on this link. Click on the ESET Online Scanner button. Put a check in the box that says YES, I accept the Terms of Use. Click the 'Start' button just to the right of the checkbox. Uncheck the box that says Remove found threats (this is very important). Click on Advanced settings. Put a check in the box that says Scan for potentially unsafe applications. Verify that Scan for potentially unwanted applications is also checked. Verify that Enable Anti-Stealth technology is also checked. Click the Start button in the lower-right corner of the page, and it will begin downloading it's database, and then it will start scanning. When the scan is done, if it shows a screen that says Threats found!, then click List of found threats, and then click Export to text file... (if nothing was found, then just let me know that no threats were found). Save that text file on your desktop, and then attach it to a reply (using the More Reply Options button in the lower-right corner of this forum topic) for me. Close the ESET online scan. I will take a look at the log, and let you know if anything needs removed. Share this post Link to post Share on other sites
b-mic80 0 Report post Posted March 11, 2012 Tried to run ESET scan twice and both times it got 93% through before freezing on the following file: C:\Windows\winsxs\amd64_microsoft-windows-tabletpc-ipsplugin_31bf38...\IpsPlugin.dll Can't seem to find this file though. Share this post Link to post Share on other sites
GT500 609 Report post Posted March 12, 2012 Please follow the instructions at this link to start your computer in Safe Mode With Networking and then try the ESET online scan again. Share this post Link to post Share on other sites
b-mic80 0 Report post Posted March 12, 2012 Completed ESET scan in safe mode and no threats were found. Share this post Link to post Share on other sites
GT500 609 Report post Posted March 12, 2012 OK, lets move that file back before we proceed: Please download BlitzBlank from , and save it on your desktop. Run BlitzBlank from the icon on your desktop. It will display a warning. Click OK to continue. Switch to the Script tab. Copy and paste the contents of the following box into the big white box on the Script tab:MoveFile: C:\IpsPlugin.dll "C:\Program Files\Common Files\Microsoft Shared\ink\IpsPlugin.dll" After pasting the script in the box above into the white box in BlitzBlank, please click the Execute button in the lower-right corner. A message will appear warning you that BlitzBlank is going to restart your computer. Make sure that anything you were working on is saved, and click OK to allow it to restart your computer. When your computer is starting up you should see an odd black screen with some white text on it. This is normal, and your computer will continue with its normal startup after a minute or two. Once your computer is finished starting up, there should be a log file saved as a Text Document named blitzblank in the root of your C: drive. Please attach that file to a reply by using the More Reply Options button to the lower-right of where you type in your reply. Share this post Link to post Share on other sites
b-mic80 0 Report post Posted March 12, 2012 Ok, I've done that. Please see attached log. Share this post Link to post Share on other sites
GT500 609 Report post Posted March 13, 2012 OK, things are looking pretty good. Is your computer still displaying any symptoms of an infection? Share this post Link to post Share on other sites
b-mic80 0 Report post Posted March 14, 2012 Tried running scans in normal mode with emsisoft anti-malware and malwarebytes anti-malware, both completed and found nothing suspicious. This is an improvement as I've not been able to scan in normal mode without pc crashing up to now. Haven't noticed any other problems tonight. Share this post Link to post Share on other sites
GT500 609 Report post Posted March 15, 2012 OK, from your logs it looks like your system is clean now. Here's some final instructions for you: 1. Make Sure Java is Updated: Click on the Start button. Click on Control Panel . Click Uninstall a program . Look for Java in the list (should be alphabetical), and uninstall all versions of Java that you find listed. Click on this link and download and install the latest Java (the Windows Online download will be faster). 2. Make Sure Adobe Flash is Updated: Click on this link and download the latest version of Adobe Flash Player for your web browser. You will need to close your web browser when installing Flash. 3. Make Sure Adobe Acrobat Reader is Updated: Click on the Start button. Click on Control Panel . Click Uninstall a program . Look for any versions of Adobe Reader or Adobe Acrobat Reader in the list (should be alphabetical), and uninstall all of them (if you have Adobe Acrobat, which is the premium software from Adobe, then you do not need to uninstall it). Click on this link to go to the Adobe Reader download page, make sure to unselect any offers for toolbars or other free software, and download and install the latest version of Adobe Reader. (please note that some people do prefer to use third-party PDF viewers such as PDF X-Change Viewer and Foxit Reader which are not as commonly exploited as Adobe Reader, so if you would prefer to use one of those then you do not need to download and install Adobe Reader) 4. Make Sure Your Computer Has The Latest Windows Updates: Click on the Start button. Go to All Programs . Click on Windows Update . Click Check for updates in the menu on the left (should be near the top). Once it is done checking for updates, click the Install updates button on the right. Make sure that if your computer wants to restart after the updates are done, that you allow it so. 5. Web Of Trust Extension: While this is not a requirement, I highly recommend that you click this link and check out the Web Of Trust extension for your web browser. It will add an extra layer of protection to your web browsing for free, and it is especially helpful when doing searches on Google, Yahoo!, Bing, etc. as it will point out what sites are considered trustworthy and what sites are not by drawing a colored circle to the right of each search result. Green means trusted, red means not trusted, yellow is in between, and white means it is not in Web Of Trust's database. 6. Empty The System Restore: Click on the Start button. Right-click on Computer Select Properties from the list. In the window that pops up, click on the System protection link in the menu on the left. The buttons may not be clickable for a few moments, but once you can click on them select the drive in the list near the bottom that shows protection is on (this will usually be you C: drive) and click the Configure... button. Click the button near the bottom-right that says Delete to clear all System Restore data. Once finished, click OK to close that window. Now you will want to make sure that the correct drive is selected again (usually your C: drive) and click on the Create button to create a new restore point. Fill in a name for the restore point, and click the Create button. Once it is done, you can close the windows that were opened to get to the System Restore settings. Share this post Link to post Share on other sites
b-mic80 0 Report post Posted March 18, 2012 Ok I've now done all that thanks. Share this post Link to post Share on other sites
b-mic80 0 Report post Posted March 18, 2012 One thing that might be worth mentioning, I've now downloaded avast! Internet Security and the full scan found no threats, however it could not scan one file: C:\Program Files\Common Files\Microsoft Shared\ink\lpsPlugin.dll Came up as status 'Error: Incorrect function' Do you think this is something to be concerned about since it's the same file that was crashing the scans with other programs? Thanks Share this post Link to post Share on other sites
GT500 609 Report post Posted March 19, 2012 ... Do you think this is something to be concerned about since it's the same file that was crashing the scans with other programs? Well, lets try deleting it, and see if anything complains. Here's another ComboFix script with instructions: Download an updated version of ComboFix from one of the following links:[list=] BleepingComputer InfoSpyware [*] Turn off your Anti-Virus software. [*] Click your Start button, go to All Programs (or just Programs on Vista and Windows 7), go to Accessories, and then open Notepad. [*] Please copy and paste the contents of the box below into Notepad (here is a link to instructions if you do not know how to copy and paste): http://support.emsisoft.com/topic/7453-pc-infected-by-trojans/ KillAll:: FileLook:: C:\Program Files\Common Files\Microsoft Shared\ink\lpsPlugin.dll File:: C:\Program Files\Common Files\Microsoft Shared\ink\lpsPlugin.dll [*] Save this as a Text Document named CFScript in the same location as ComboFix (which should be on your desktop). [*] Close Notepad and verify that the CFScript file is saved on your desktop. [*] Referring to the animated picture below, click the left mouse button on top of the CFScript icon on your desktop, then holding the mouse button down drag the CFScript icon on your desktop onto the ComboFix icon, and then drop it (let go of the mouse button) on top of the ComboFix icon: When finished, it will display a new log in Notepad. Please attach that log to a reply the same way you did before. If you prefer, you can save the log on your desktop to make it easier to find. Share this post Link to post Share on other sites
b-mic80 0 Report post Posted March 20, 2012 Tried that and have attached log. File still seems to be there though. ComboFix also told me that avast! real-toemscanner was still active, however I checked this and all the components were definitely disabled so don't know if that affected anything. Share this post Link to post Share on other sites
GT500 609 Report post Posted March 20, 2012 According to that log, your avast! Internet Security was still enabled while ComboFix was running. avast! would have prevented ComboFix from running properly. Share this post Link to post Share on other sites
b-mic80 0 Report post Posted March 23, 2012 Ok this log should be what you're looking for. File's still not moved though. Share this post Link to post Share on other sites
GT500 609 Report post Posted March 23, 2012 OK, lets try using OTL to delete it. I have written a script for OTL (if you need to, you may download OTL from this link). Please copy the contents of the following CODE box, and in OTL under the Custom Scans/Fixes box at the bottom, paste in what you just copied from the following CODE box::Files C:\Program Files\Common Files\Microsoft Shared\ink\lpsPlugin.dll :Commands [EMPTYTEMP] Then click the Run Fix button at the top. Let the program run unhindered, restart your computer when it is done (it may automatically restart your computer on its own). After your computer has restarted, please open OTL again and click the Quick Scan button. Attach the log it produces in your next reply (just the OTL log, as I don't need to see the Extras log again). You will need to click the button that says More Reply Options to the lower-right of where you type your reply to be presented with the attachment controls. Share this post Link to post Share on other sites
b-mic80 0 Report post Posted March 24, 2012 Notepad came up with this message after restart. I've attached the OTL log as requested. All processes killed Error: Unable to interpret <:FilesC:\Program Files\Common Files\Microsoft Shared\ink\IpsPlugin.dll:Commands[EMPTYTEMP]> in the current context! OTL by OldTimer - Version 3.2.33.2 log created on 03242012_163324 Files\Folders moved on Reboot... Registry entries deleted on Reboot... Share this post Link to post Share on other sites
GT500 609 Report post Posted March 26, 2012 When you copy and pasted that script into OTL, did everything appear on the same line, or did it look exactly like it does in little box in my post? Share this post Link to post Share on other sites
b-mic80 0 Report post Posted March 26, 2012 I think it pasted it all on one line Share this post Link to post Share on other sites
GT500 609 Report post Posted March 27, 2012 OK, that would explain the error message. Try copying and pasting the script into OTL again, and make the necessary modifications so that it looks just like it does on the forums (it should be 4 lines with a blank line in the middle). Let me know if the script runs properly like that. Share this post Link to post Share on other sites
b-mic80 0 Report post Posted March 29, 2012 The script ran properly this time and I have attached the OTL log. Share this post Link to post Share on other sites
GT500 609 Report post Posted March 29, 2012 OK, are you able to complete anti-virus scans now? Share this post Link to post Share on other sites
b-mic80 0 Report post Posted March 31, 2012 Tried twice today, first time I got the blue screen, second time it froze and I had to hard boot. Share this post Link to post Share on other sites
GT500 609 Report post Posted April 2, 2012 Do you remember what file it froze on? Share this post Link to post Share on other sites
b-mic80 0 Report post Posted April 3, 2012 Sorry I should have checked, am not home until Thursday but will try again then and let you know. Thanks Share this post Link to post Share on other sites
GT500 609 Report post Posted April 3, 2012 OK. If your topic gets closed then just send me a private message asking me to reopen it. Share this post Link to post Share on other sites
b-mic80 0 Report post Posted April 6, 2012 Ok, this time it crashed on the first scan, second time I managed to run the antivirus to completion but again it couldn't scan the same file: C:\Program Files\Common Files\Microsoft Shared\ink\lpsPlugin.dll Looks like it's still causing problems. Share this post Link to post Share on other sites
GT500 609 Report post Posted April 9, 2012 I've been talking to one of our researchers, and that file is a Windows System File. The reason scans are failing on that file could be due to filesystem damage and it could be due to physical damage to your hard drive. Follow the instructions at this link, and instead of loading Safe Mode load the Recovery Environment. Once you get into the Recovery Environment, you should see a screen like this: You'll want to click the link to load the Command Prompt. At the Command Prompt, type out chkdsk /R C: and it will check the filesystem for errors and check every sector on the hard drive for damage. Any repairs to the filesystem will be made automatically, and any bad sectors on your hard drive will be marked so that Windows won't try to write data in them. Share this post Link to post Share on other sites
b-mic80 0 Report post Posted April 11, 2012 Tried that, Windows found no bad sectors and no problems in the file system. Share this post Link to post Share on other sites
GT500 609 Report post Posted April 12, 2012 Are scans still freezing on that file? Share this post Link to post Share on other sites
