Aurarius

Help, my PC is out of my control


My computer has been taken over by Malware, other users and administrators. Can't even install Emsisoft, since internet connection has been altered.


Please get me a log from TDSSKiller by following the instructions below:

  1. Download TDSSKiller from this link and save it on your desktop.
  2. Run the TDSSKiller download that you saved.
  3. Click on Change parameters as it shows in the following screenshot:
    tdsskiller_report_001.png
  4. Make sure that Verify digital signatures and Detect TDLFS file system are checked as in the following screenshot, and then click OK:
    tdsskiller_report_002.png
  5. Click the Start scan button as in the following screenshot:
    tdsskiller_report_003.png
  6. You will see the following as the scan runs:
    tdsskiller_report_004.png
  7. If there are any threats or malicious items detected, then make sure the option to the right of each item is set to Skip as in the following screenshot (it is very important that TDSSKiller not be allowed to Cure, Quarantine, or Delete these detections!), note that you can click on the selection action to open a list and change it if it is not set to Skip automatically, and then click Continue at the bottom when everything is set to Skip:
    tdsskiller_report_005.png
  8. Click on Report in the upper-right corner, as in the following screenshot:
    tdsskiller_report_006.png
  9. You will see a report similar to the one in the following screenshot. Please click in the report somewhere, then hold down the Ctrl key on your keyboard and tap the A key to select the entire report.
    tdsskiller_report_007.png
  10. Once everything is selected, then it should look similar to the following screenshot, and you will be able to hold down the Ctrl key on your keyboard and tap the C key to copy the entire report.
    tdsskiller_report_008.png
  11. Open Notepad by clicking on the Start button, going to All Programs (or just Programs in Windows 7 and Vista), then Accessories, and clicking on Notepad in the list.
  12. Once Notepad has opened, click on Edit to open the Edit menu, and then click Paste, as in the following screenshot:
    tdsskiller_report_009.png
  13. Once the report has been pasted into Notepad, click File to open the File menu, and then click Save as, as in the following screenshot. Please save the report on your desktop and attach it to a reply by using the More Reply Options button to the lower-right of where you type in your reply.
    tdsskiller_report_010.png
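The "Verify digital signatures" option in the TDSSKiller instructions above checks whether the files behind loaded drivers and processes carry a valid Authenticode signature. The following PowerShell script is an added example, not part of this thread or of TDSSKiller, that performs the same kind of check by hand: it lists running kernel drivers and process images whose signature is missing or invalid, or whose file cannot be found on disk. It assumes Windows PowerShell 3.0 or later run from an elevated prompt; the helper names `Resolve-KernelPath`, `Get-UnsignedImage` and the path normalisation rules are the example's own.

```powershell
# Added example (not from the thread): list loaded kernel drivers and running
# process images whose Authenticode signature is missing or invalid.
# Assumes Windows PowerShell 3.0 or later, run from an elevated prompt.

function Resolve-KernelPath {
    param([string]$RawPath)
    # Win32_SystemDriver.PathName may use NT-style prefixes; map them to Win32 paths.
    if ([string]::IsNullOrEmpty($RawPath)) { return $null }
    $p = $RawPath.Trim('"')
    if ($p -like '\??\*')         { $p = $p.Substring(4) }
    if ($p -like '\SystemRoot\*') { $p = Join-Path $env:SystemRoot $p.Substring(12) }
    if ($p -like 'system32\*')    { $p = Join-Path $env:SystemRoot $p }
    if ($p -like '\*' -and -not ($p -like '\\*')) { $p = Join-Path $env:SystemDrive $p }
    return $p
}

function Get-UnsignedImage {
    [CmdletBinding()]
    param()

    $candidates = @()

    # Kernel drivers that are currently loaded and running
    Get-CimInstance -ClassName Win32_SystemDriver -Filter "State='Running'" |
        ForEach-Object {
            $candidates += [pscustomobject]@{
                Kind = 'Driver'; Name = $_.Name; Path = (Resolve-KernelPath $_.PathName)
            }
        }

    # Main executable of each running process (Path is $null where access is denied)
    Get-Process -ErrorAction SilentlyContinue |
        Where-Object { $_.Path } | Sort-Object Path -Unique |
        ForEach-Object {
            $candidates += [pscustomobject]@{ Kind = 'Process'; Name = $_.Name; Path = $_.Path }
        }

    foreach ($c in $candidates) {
        if (-not $c.Path -or -not (Test-Path -LiteralPath $c.Path)) {
            # A running driver whose file cannot be found on disk deserves a closer look
            [pscustomobject]@{ Kind = $c.Kind; Name = $c.Name; Path = $c.Path; Status = 'FileNotFound'; Signer = $null }
            continue
        }
        $sig = Get-AuthenticodeSignature -LiteralPath $c.Path
        if ($sig.Status -ne 'Valid') {
            $signer = $null
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            [pscustomobject]@{
                Kind   = $c.Kind
                Name   = $c.Name
                Path   = $c.Path
                Status = $sig.Status        # NotSigned, HashMismatch, UnknownError, ...
                Signer = $signer
            }
        }
    }
}

# Review list only: on older Windows versions many Microsoft files are catalog-signed
# and report NotSigned here, so an entry is a starting point for review, not a verdict.
Get-UnsignedImage | Sort-Object Kind, Name | Format-Table -AutoSize
```

Treat the output the way the instructions above treat TDSSKiller's detections: collect it for review rather than acting on it, since a driver that shows up as unsigned may simply be catalog-signed on an older Windows release.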


OK, from what I'm seeing in that log, it should be OK to proceed with normal cleanup (no ZeroAccess infections detected). Please download ComboFix from one of the following links, and follow the instructions below to run it. Save as Combo-Fix.exe during the download. ComboFix must be renamed before you download to your Desktop

Link 1

Link 2

* IMPORTANT !!! Save Combo-Fix to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
    See HERE for help
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: (This applies to Windows XP systems only) If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

whatnext.png

Click on Yes, to continue scanning for malware.

When finished, ComboFix will produce a log.

Note:

1. Do not mouse-click ComboFix's window while it's running. That may cause it to stall!

2. Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet.

Attach logs for: (USE THE "MORE REPLY OPTIONS" BUTTON TO BE ABLE TO DO THIS)

  • ComboFix (C:\combofix.txt)

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!


I was not able to save or download. I received a message that it could harm my computer. I have deleted Avast and Avast fakes a couple of times but the fake one keeps on coming back.

At the moment I am actually running Emsisoft Anti-Malware. I was able to do so after previously following the instructions for Fiddler found in another topic. I have saved logs on the malware-infected computer. I keep my fingers crossed that the Emsisoft Anti-Malware scan will be a success.

Thank you for all the help so far.

The history of events: Previously the real Avast stopped being connected to any account, I could not enter account information or anything and it would not update virus definitions. After deleting Avast I found another with a slightly different file name. I was able to delete it after running HijackThis. After HijackThis I did run ComboFix and after ComboFix I was able to run Emsisoft Emergency Kit. It was deep scanning for ever and found quite a few trojans. I tried to install Emsisoft Malware but it would not install and I joined the forum.


Please download Rkill from one of the links below:

  1. rkill.exe
  2. rkill.com
  3. rkill.scr
  4. eXplorer.exe
  5. iExplore.exe
  6. WiNlOgOn.exe
  7. uSeRiNiT.exe

The reason why there are 7 of them, each with a different name (and some of them with very funny names), is because some infections like to block security software from running. Start with the first one, and if it doesn't work then try the next one, and so on until you find one that works.

Once you get one of the Rkill downloads to work, please run it a second time to make sure that it is no longer able to find any malicious processes still running. If it finds more, run it again to make sure that Rkill was able to stop any malicious processes still running on your computer.

After running Rkill, please proceed with my previous instructions to run ComboFix, and if everything works OK then attach the log to a reply when it is done.


I will run the programs next.

The Emsisoft Anti-Malware scan completed without finding anything. I could not update the program and did not have the latest definitions. I am attaching earlier and later Fiddler files.


I deleted the logs you attached to your post because Fiddler logs can contain your license information for Emsisoft Anti-Malware (that information is verified by our servers on update and will wind up in your Fiddler log).

Let's go ahead and proceed with cleanup, and if you still are unable to update Emsisoft Anti-Malware after that then we will worry about it once we are able to get things cleaned up with ComboFix and other utilities. ;)


No success, the virus creates another parent folder for Rkill. A temp\user folder has RarSFX1 or whatever number. Other folders such as Nird, h are also present. I managed to install Online Armor and it has been blocking with success. When trying to update Emsisoft Anti-Malware I get: "could not connect to the update server." Even my wireless connection stopped working.
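The update failures and broken connectivity reported in the post above are commonly caused by local settings the malware has changed rather than by the network itself: hosts-file entries that redirect vendor names, a forced proxy or proxy auto-config script, or replaced DNS servers. The PowerShell script below is an added example, not from this thread or from any of the tools it mentions, that gathers those settings into a single review list. It assumes Windows PowerShell 3.0 or later; the function names `Get-HostsOverrides`, `Get-ProxyConfig`, `Get-DnsConfig` and `Get-ConnectivityFindings` are the example's own, and the check on `netsh` output assumes an English-language Windows.

```powershell
# Added example (not from the thread): report the local settings that most often
# explain "could not connect to the update server" on a compromised Windows host.
# Assumes Windows PowerShell 3.0 or later. Read-only: it changes nothing.

function Get-HostsOverrides {
    # Non-comment lines of the hosts file, split into address and host names
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    Get-Content -LiteralPath $hosts -ErrorAction SilentlyContinue |
        Where-Object { $_ -match '^\s*[^#\s]' } |
        ForEach-Object {
            $parts = ($_ -split '#')[0].Trim() -split '\s+'
            $names = ''
            if ($parts.Count -gt 1) { $names = $parts[1..($parts.Count - 1)] -join ' ' }
            [pscustomobject]@{ Address = $parts[0]; Names = $names }
        }
}

function Get-ProxyConfig {
    # Per-user WinINET proxy (used by browsers and many updaters) plus the WinHTTP proxy
    $key  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $user = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        UserProxyEnabled = [bool]$user.ProxyEnable
        UserProxyServer  = $user.ProxyServer
        AutoConfigURL    = $user.AutoConfigURL   # PAC script: a common hijack point
        WinHttpProxy     = (netsh winhttp show proxy | Out-String).Trim()
    }
}

function Get-DnsConfig {
    # DNS servers and gateway of every IP-enabled adapter
    Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=TRUE' |
        ForEach-Object {
            [pscustomobject]@{
                Adapter    = $_.Description
                DnsServers = ($_.DNSServerSearchOrder -join ', ')
                Gateway    = ($_.DefaultIPGateway -join ', ')
            }
        }
}

function Get-ConnectivityFindings {
    $findings = @()

    foreach ($h in (Get-HostsOverrides)) {
        # Only the loopback -> localhost lines are expected; anything else is worth review
        if ($h.Address -notin @('127.0.0.1', '::1') -or $h.Names -notmatch '^localhost') {
            $findings += "hosts: $($h.Address) -> $($h.Names)"
        }
    }

    $p = Get-ProxyConfig
    if ($p.UserProxyEnabled) { $findings += "user proxy enabled: $($p.UserProxyServer)" }
    if ($p.AutoConfigURL)    { $findings += "proxy auto-config script set: $($p.AutoConfigURL)" }
    # netsh prints "Direct access (no proxy server)." when nothing is set (English Windows)
    if ($p.WinHttpProxy -notmatch 'Direct access') { $findings += "WinHTTP proxy: $($p.WinHttpProxy)" }

    foreach ($d in (Get-DnsConfig)) {
        # Always listed so the reviewer can compare against the expected resolver
        $findings += "DNS on $($d.Adapter): $($d.DnsServers) (gateway $($d.Gateway))"
    }

    return $findings
}

Get-ConnectivityFindings
```

A hosts entry that maps an update or security-vendor name to 127.0.0.1 or a foreign address, a PAC URL the user never configured, or DNS servers that differ from the gateway-provided ones are each enough on their own to explain the symptoms in the post; the script only reports them so that a helper can decide what to restore.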


Please download GMER from this link. Note that the file will have a random name, so make note of the file's name and save it to the root of your C: drive.

  1. Disconnect from the Internet and close all running programs.
  2. Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
  3. Click on this link to see a list of programs that should be disabled while running GMER (please try to avoid the advertisements on that page).
  4. Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator")
  5. Allow the driver to load if asked.
  6. You may be prompted to scan immediately if it detects rootkit activity.
  7. If you are prompted to scan your system click "No", save the log and post back the results.
  8. If not prompted, click the "Rootkit/Malware" tab.
  9. On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  10. Select all drives that are connected to your system to be scanned.
  11. Click the Scan button to begin. (Please be patient as it can take some time to complete)
  12. When the scan is finished, click Save to save the scan results to your Desktop.
  13. Save the file as Results.log and please attach it to a reply by using the More Reply Options button to the lower-right of where you type in your reply (you may need to ZIP the log by right-clicking on it, going to Send to, and clicking on Compressed (zipped) folder before you can attach it).
  14. Exit the program and re-enable all active protection when done.


I can't save it to the root. I don't seem to have the privileges. I saved where I could, which was on user/downloads. Only 3 boxes were checked and I could not check more. I will continue tomorrow my fight against these monstrous viruses.

Thanks!


I have tried, but it does not change anything. I can only save it on users/downloads. In GMER and under users I can see users I don't recognize. Creator/owner seems to be the one that has access to everything. Unknown user names pop up sometimes and disappear almost immediately before I can click on them.


OK, please download an updated version of ComboFix from one of the links below, disable any anti-virus software you have installed, and then run ComboFix and get me a new log:

Link 1

Link 2


I opened both programs as an administrator and ran them. Before getting any logs the computer rebooted. Online Armor (which was turned off when I ran the programs) asked after the reboot if a program (one part of the file name was ComboFix) was OK to access. I don't know if it was an OK move to allow, meaning either ComboFix updated or it was altered. I blocked it. Sorry, no logs.


Please follow the instructions at this link to start your computer in Safe Mode With Networking and then try ComboFix again.


Good news!!! I think, so far... I managed to download a newer version of the Emsisoft programs from a memory stick, install and even update. I still have a lot of repair work to do but at least I am in control. Thanks!


You could try something such as System Repair Engineer (you can get it from the download page at this link) to perform a check on your system and repair common problems. I doubt it can fix everything, however it may help make your life a bit easier.

When you run System Repair Engineer, go to System Repair on the left, and then go to the Advanced Repair tab. Make sure that it is set to Recommended Fix Level and click the Auto Repair button.


Thread Closed

Reason: Lack of Response

PM either ShadowPuterDude, or GT500 to have this thread reopened.

The procedures contained in this thread are for this user and this user only. Attempting to use the instructions in this thread on your system could result in damaging the Operating System beyond repair. Do Not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist.

All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE, if you don't we are just going to send you back to this thread.
