Jump to content

Recommended Posts

Please get me a log from TDSSKiller by following the instructions below:

  1. Download TDSSKiller from this link and save it on your desktop.
  2. Run the TDSSKiller download that you saved.
  3. Click on Change parameters as it shows in the following screenshot:
  4. Make sure that Verify digital signatures and Detect TDLFS file system are checked as in the following screenshot, and then click OK:
  5. Click the Start scan button as in the following screenshot:
  6. You will see the following as the scan runs:
  7. If there are any threats or malicious items detected, then make sure the option to the right of each item is set to Skip as in the following screenshot (it is very important that TDSSKiller not be allowed to Cure, Quarantine, or Delete these detections!), note that you can click on the selection action to open a list and change it if it is not set to Skip automatically, and then click Continue at the bottom when everything is set to Skip:
  8. Click on Report in the upper-right corner, as in the following screenshot:
  9. You will see a report similar to the one in the following screenshot. Please click in the report somewhere, then hold down the Ctrl key on your keyboard and tap the A key to select the entire report.
  10. Once everything is selected, then it should look similar to the following screenshot, and you will be able to hold down the Ctrl key on your keyboard and tap the C key to copy the entire report.
  11. Open Notepad by clicking on the Start button, going to All Programs (or just Programs in Windows 7 and Vista), then Accessories, and clicking on Notepad in the list.
  12. Once Notepad has opened, click on Edit to open the Edit menu, and then click Paste, as in the following screenshot:
  13. Once the report has been pasted into Notepad, click File to open the File menu, and then click Save as, as in the following screenshot. Please save the report on your desktop and attach it to a reply by using the More Reply Options button to the lower-right of where you type in your reply.

Link to post
Share on other sites

OK, I need to see logs from a couple more utilities before we continue:

Download CKScanner from here

Important : Save it to your desktop.

  1. Doubleclick CKScanner.exe and click Search For Files.
  2. After a very short time, when the cursor hourglass disappears, click Save List To File.
  3. A message box will verify that the file is saved.
  4. Please attach the CKFiles.txt file on your desktop to a reply by using the More Reply Options button to the lower-right of where you type in your reply.

Please download WVCheck from this link (make sure to save it on your desktop), and follow the steps below to get me a log:

  1. Double-click on the WVCheck file that you saved on your desktop to run it.
  2. Once it has launched, press Enter on your keyboard to start the scan (this could take a while, depending on how much hard drive space you have).
  3. Once it is done, it will open a log in Notepad. Please save this log on your desktop, and attach it to a reply by using the More Reply Options button to the lower-right of where you type in your reply.

Link to post
Share on other sites

Both of those logs show lots of cracks, keygens, etc. used in pirating software. There are also files related to RemoveWAT (Remove Windows Activation Technology) which is an activation crack for Windows, and at least one malicious file related to CHEW7 (another activation crack for Windows that appears to come bundled with a trojan).

We do have a no piracy policy here, so before we proceed I am going to have to ask you to remove all pirated software, all cracks, all keygens, etc. and then rerun CKScanner and WVCheck and post the new logs for me to review.

  • Upvote 1
Link to post
Share on other sites

The logs are showing a couple of things that haven't been deleted yet (let me know if you are not able to delete some of this stuff):

c:\users\marci\documents\flash decompiler trillix + crack.zip
c:\windows\system64\hale.exe (this one appears to be a trojan, so don't worry if you can't delete it)

Also, you HOSTS file contains a lot of bypasses for Adobe's product activation which will need to be deleted. To reset your HOSTS file and clear out all of those entries, please download HostsExpert from this link. Extract HostsExpert from the ZIP archive it comes in, run it, and click the button that says "Restore MS Hosts File". Refer to the screenshot below to see what it looks like:


After that, run CKScanner again, and attach the new log to a reply for me.

Link to post
Share on other sites

OK, go ahead and get me a fresh OTL log, and then we can continue normally:

  1. Click this link to save OTL onto your desktop (please make sure to click 'Save' instead of 'Run').
  2. Double click on the OTL icon on your desktop to run it. Make sure all other windows are closed and to let it run uninterrupted.
  3. Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan will take a few minutes.
  4. When the scan completes, it will open two Notepad windows. OTL.Txt and Extras.Txt. The first one (OTL.txt) will be automatically saved on your desktop next to OTL, and the second one will need to be saved manually.
  5. Please make sure that both OTL.txt and Extras.txt are saved on your desktop, and then attach both of them to a reply so that we can take a look at them.

Link to post
Share on other sites

I have written a cleanup script for OTL (if you need to, you may download OTL from this link).

  1. Please download the following OTL_Script file, and save it on your desktop. After saving it, open it, run OTL, and copy and paste the contents of the OTL_Script file into the Custom Scans/Fixes box at the bottom of the OTL window:
  2. Then click the Run Fix button at the top.
  3. Let the program run unhindered, restart your computer when it is done (it may automatically restart your computer on its own).
  4. After your computer has restarted, please open OTL again and click the Quick Scan button. Attach the log it produces in your next reply (just the OTL log, as I don't need to see the Extras log again). You will need to click the button that says More Reply Options to the lower-right of where you type your reply to be presented with the attachment controls.

Link to post
Share on other sites

Please download ComboFix from one of the following links, and follow the instructions below to run it. Save as Combo-Fix.exe during the download. ComboFix must be renamed before you download to your Desktop. You can download it on another computer and copy it to the infected computer with a flash drive if needed.

Link 1

Link 2

* IMPORTANT !!! Save Combo-Fix to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
    See HERE for help
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: (This applies to Windows XP systems only) If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, ComboFix will produce a log.


1. Do not mouseclick combofix's window while it's running. That may cause it to stall!

2. Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet.


  • ComboFix (C:\combofix.txt)

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!

Link to post
Share on other sites

So far, I'm not seeing anything I recognize as malicious in your logs. Lets concentrate on the Internet access issue.

Please download Farbar Service Scanner, save it on your desktop, and follow the instructions below to get me a log.

  1. Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update

[*]Press "Scan".

[*]It will create a log (FSS.txt) in the same directory the tool is run.

[*]Please attach the log to a reply by clicking on the More Reply Options button to the lower-right of where you type your reply.

Link to post
Share on other sites

My apologies for the slow response.

I'm glad that you were able to resolve the missing winsock registry key issue on your own, because that log didn't show any problems.

Is your computer still exhibiting any odd behavior? Is everything working properly now?

Link to post
Share on other sites

Thread Closed

Reason: Lack of Response

PM either ShadowPuterDude, or GT500 to have this thread reopened.

The procedures contained in this thread are for this user and this user only. Attempting to use the instructions in this thread on your system could result in damaging the Operating System beyond repair. Do Not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist.

All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE, if you don't we are just going to send you back to this thread.

Link to post
Share on other sites
This topic is now closed to further replies.
  • Recently Browsing   0 members

    No registered users viewing this page.

  • Create New...