rescue

Requisite reports here

Please download ComboFix from this link and follow the instructions below to run it. Note that some infections will block it from running if you save it as ComboFix so you may wish to rename it in order to prevent this. Make sure you remember what you changed the name to.

* IMPORTANT !!! Save ComboFix to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
    See HERE for help
  • Double click on the ComboFix icon on your desktop (it has a red and white icon that looks like a white cat's head in a red circle) and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

Please note: (This applies to Windows XP systems only) If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

whatnext.png

Click on Yes, to continue scanning for malware.

When finished, ComboFix will produce a log.

Note:

1. Do not click in ComboFix's window while it's running. That may cause it to stall!

2. Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet.

Attach logs for: (USE THE "MORE REPLY OPTIONS" BUTTON TO BE ABLE TO DO THIS)

  • ComboFix (C:\combofix.txt)

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!

I downloaded ComboFix and I got to the point where there was a warning that Emsisoft Anti-Malware was active and that I should deactivate it before running ComboFix. I don't know how to deactivate Emsisoft Anti-Malware so I allowed ComboFix to proceed. Then there was a message that said "Scanning for infected files" and a comment that the scanning doesn't usually take more than 10 minutes. There was a yellow cursor flashing at the end of the message. And other than the cursor that kept on flashing, nothing else seemed to be happening... this went on for about an hour. I finally gave up waiting and turned off my pc. So what do you suggest I do next?

Is there a little Emsisoft Anti-Malware icon in the lower-right corner of your screen, to the left of the clock somewhere? If so, then right-click on it, go to Guard state, and select to Disable all guards. You should be able to run ComboFix after that.

OK, are you able to open Emsisoft Anti-Malware from the icon on your desktop, or from the Start menu? If so, then on the Security Status screen (which is normally the first one you see when you open Emsisoft Anti-Malware) it will list the status of Emsisoft Anti-Malware, and when you hold your mouse over File Guard, Behavior Blocker, and Surf Protection you will see an option to turn them off. They will turn red when they are off.

If you have any trouble with that, then just follow the instructions at this link to start your computer in Safe Mode With Networking, and you should be able to run ComboFix in Safe Mode With Networking.

Please note that ComboFix will need to download an update when it runs, as there will have been numerous updates to ComboFix since you first downloaded it. Please allow it to download the update.

I am running ComboFix now in safe mode with networking and it is now at the Autoscan window. There is a blinking cursor just after the message "However, scan times for badly infected machines may easily double". It has been like this for the past 6 mins and I will let it go on while I list my concerns here...

1. It looks like ever since I downloaded Emsisoft Anti-Malware, my pc has been very slow. Why is that so? E.g., windows don't close immediately when I click the X. They close in slow motion - with the window getting shorter by the second. When I try to open anything, the pc takes a long time to respond.

2. The Emsisoft icon in the bar at the bottom right screen appears intermittently. It wasn't there when you first suggested that I disable the guards from the icon but last night, the icon popped up in the bar. I saw Enable all Guards so I assumed that the guards were disabled at the time and when I want to enable all guards, I would click on that option. So I ran the ComboFix then. And allowed it to do an update. It updated and once again, it stopped at the Autoscan stage with the blinking cursor - as described in my earlier message. I let it remain scanning for about 2 hours and then I gave up and turned off my pc.

3. This morning (we are on opposite sides of the world so it is morning for me while it should be evening for you), I saw your note on running ComboFix on Safe Mode with Networking and that is what I am doing now. By the way, the Emsisoft icon has disappeared from the bar. And I don't think the ComboFix thing is ever going to finish scanning for infected files - it is still going on like the Energizer bunny.

4. Whenever I activate Emsisoft from my desktop or start menu, I get the Welcome to Emsisoft screen where there is the option to buy the software or use the 30-day free trial - that was where I first started days ago when I had selected the 30-day free trial option and followed the prompts until the end (I think I did get to the finish point). It doesn't start with the Security Status screen that you described. Is that a problem?

ComboFix has been running at AutoScan for about 30 mins now. I am going to shut down my pc (I am on my netbook now while AutoScan is running on my pc) and wait to hear from you again.

Have a good day/night.

One more thing - after leaving AutoScan to run, a message from the bar at the bottom of page will pop up saying "Virtual Memory Minimum is too low...".

And Windows Security Center keeps telling me that Emsisoft Anti-Malware has been turned off - even after I have selected to enable all guards. Is that a problem?

Re the above message "And Windows Security Center keeps telling me that Emsisoft Anti-Malware has been turned off - even after I have selected to enable all guards.", I'd like to clarify that I was referring to the times when I have stopped trying to run ComboFix and therefore, I enabled all guards.

I'll address your questions in another post. First, I want to give you some instructions for getting me a TDSSKiller log:

  1. Download TDSSKiller from this link and save it on your desktop.
  2. Run the TDSSKiller download that you saved.
  3. Click on Change parameters as it shows in the following screenshot:
    tdsskiller_report_001.png
  4. Make sure that Verify digital signatures and Detect TDLFS file system are checked as in the following screenshot, and then click OK:
    tdsskiller_report_002.png
  5. Click the Start scan button as in the following screenshot:
    tdsskiller_report_003.png
  6. You will see the following as the scan runs:
    tdsskiller_report_004.png
  7. If there are any threats or malicious items detected, then make sure the option to the right of each item is set to Skip as in the following screenshot (it is very important that TDSSKiller not be allowed to Cure, Quarantine, or Delete these detections!), note that you can click on the selection action to open a list and change it if it is not set to Skip automatically, and then click Continue at the bottom when everything is set to Skip:
    tdsskiller_report_005.png
  8. Click on Report in the upper-right corner, as in the following screenshot:
    tdsskiller_report_006.png
  9. You will see a report similar to the one in the following screenshot. Please click in the report somewhere, then hold down the Ctrl key on your keyboard and tap the A key to select the entire report.
    tdsskiller_report_007.png
  10. Once everything is selected, then it should look similar to the following screenshot, and you will be able to hold down the Ctrl key on your keyboard and tap the C key to copy the entire report.
    tdsskiller_report_008.png
  11. Open Notepad by clicking on the Start button, going to All Programs (or just Programs in Windows 7 and Vista), then Accessories, and clicking on Notepad in the list.
  12. Once Notepad has opened, click on Edit to open the Edit menu, and then click Paste, as in the following screenshot:
    tdsskiller_report_009.png
  13. Once the report has been pasted into Notepad, click File to open the File menu, and then click Save as, as in the following screenshot. Please save the report on your desktop and attach it to a reply by using the More Reply Options button to the lower-right of where you type in your reply.
    tdsskiller_report_010.png

1. It looks like ever since I downloaded Emsisoft Anti-Malware, my pc has been very slow. Why is that so? E.g., windows don't close immediately when I click the X. They close in slow motion - with the window getting shorter by the second. When I try to open anything, the pc takes a long time to respond.

If there is an infection, then that could be the cause. It could also be a conflict with something else you have installed. It isn't possible to accurately answer this question until we are certain that your computer is clean.

2. The Emsisoft icon in the bar at the bottom right screen appears intermittently. It wasn't there when you first suggested that I disable the guards from the icon but last night, the icon popped up in the bar. I saw Enable all Guards so I assumed that the guards were disabled at the time and when I want to enable all guards, I would click on that option. So I ran the ComboFix then. And allowed it to do an update. It updated and once again, it stopped at the Autoscan stage with the blinking cursor - as described in my earlier message. I let it remain scanning for about 2 hours and then I gave up and turned off my pc.

By default, Windows will hide icons that it considers inactive. There should be a little button to click to show the hidden icons, and you should find that button just to the left of where those icons are normally located.

As for ComboFix scanning for 2 hours, note that it should not normally take more than 10 or 15 minutes, and for it to go for longer than 30 minutes is abnormal. At that point, you can assume that something is interfering with ComboFix, and go ahead and close it and restart your computer. I don't see any security software other than Emsisoft Anti-Malware in your OTL log, so I am fairly certain that there is a rootkit interfering with ComboFix, and TDSSKiller's log should let me know if that is the case.

3. This morning (we are on opposite sides of the world so it is morning for me while it should be evening for you), I saw your note on running ComboFix on Safe Mode with Networking and that is what I am doing now. By the way, the Emsisoft icon has disappeared from the bar. And I don't think the ComboFix thing is ever going to finish scanning for infected files - it is still going on like the Energizer bunny.

It is normal for the Emsisoft Anti-Malware icon to not appear when Windows is in Safe Mode, because most services and startup items (which includes the ones for Emsisoft Anti-Malware) do not run in Safe Mode. This is because Safe Mode is a special diagnostic mode intended for repairing issues with your computer, and it is not expected for you to use your computer normally while Windows is running in Safe Mode.

4. Whenever I activate Emsisoft from my desktop or start menu, I get the Welcome to Emsisoft screen where there is the option to buy the software or use the 30-day free trial - that was where I first started days ago when I had selected the 30-day free trial option and followed the prompts until the end (I think I did get to the finish point). It doesn't start with the Security Status screen that you described. Is that a problem?

If that is happening while Windows is running in Safe Mode, then it might just be because the service isn't running. If it is happening while Windows is running normally, then it is a problem, and assuming that I am correct about a rootkit then it is probably just another symptom of that infection.

One more thing - after leaving AutoScan to run, a message from the bar at the bottom of page will pop up saying "Virtual Memory Minimum is too low...".

And Windows Security Center keeps telling me that Emsisoft Anti-Malware has been turned off - even after I have selected to enable all guards. Is that a problem?

Virtual Memory errors are not uncommon with some infections, so this could just be another symptom of that. Technically, it is always a problem when seeing Virtual Memory errors, however since I'm fairly certain that your computer is infected with a rootkit then we merely need to verify that that is the case, and then do what is necessary to get rid of it.

Re the above message "And Windows Security Center keeps telling me that Emsisoft Anti-Malware has been turned off - even after I have selected to enable all guards.", I'd like to clarify that I was referring to the times when I have stopped trying to run ComboFix and therefore, I enabled all guards.

Assuming Windows was running in Normal mode, and assuming I am correct about a rootkit infection, then that could simply be the rootkit interfering with Emsisoft Anti-Malware. Part of the function of modern rootkits tends to be to disable anti-virus and anti-spyware software, or at least fool them into thinking that the computer is not infected. The main purpose of a rootkit is to keep an infection from being removed, so the rootkit itself is not normally the main infection, but is just being used to prevent you from doing anything about the infection.

TDSSKiller says there's no rootkit (at least none that it is capable of detecting). Let's get a scan from GMER, because I don't think I believe what TDSSKiller is saying.

Please download GMER from this link. Note that the file will have a random name, so make note of the file's name and save it to the root of your C: drive.

  1. Disconnect from the Internet and close all running programs.
  2. Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
  3. Click on this link to see a list of programs that should be disabled while running GMER (please try to avoid the advertisements on that page).
  4. Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator")
  5. Allow the driver to load if asked.
  6. You may be prompted to scan immediately if it detects rootkit activity.
  7. If you are prompted to scan your system click "No", save the log and post back the results.
  8. If not prompted, click the "Rootkit/Malware" tab.
  9. On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  10. Select all drives that are connected to your system to be scanned.
  11. Click the Scan button to begin. (Please be patient as it can take some time to complete)
  12. When the scan is finished, click Save to save the scan results to your Desktop.
  13. Save the file as Results.log and please attach it to a reply by using the More Reply Options button to the lower-right of where you type in your reply (you may need to ZIP the log by right-clicking on it, going to Send to, and clicking on Compressed (zipped) folder before you can attach it).
  14. Exit the program and re-enable all active protection when done.

That GMER log looks rather odd to me, and there's a ZeroAccess Check in your original OTL log that shows what I am certain is a ZeroAccess rootkit infection. The ZeroAccess Check information in the OTL log should be verifiable with Malwarebytes' Anti-Malware, so please run a scan with Malwarebytes' Anti-Malware by following the instructions below:

  1. Please download and install Malwarebytes' Anti-Malware from one of the three mirrors listed below (beware of excessive advertising on some of the download pages):
  2. When first running Malwarebytes' Anti-Malware, it will ask you if you want to operate it in a free trial mode. You can say no to this (the trial can be unlocked again at a later time if you want to try it).
  3. Make sure to go to the Update tab and click the Check for Updates button to get the latest database.
  4. Switch back to the Scanner tab and run a Quick Scan.
  5. When it is done, please do not remove anything it detects for now. I want to see the log before I ask you to delete anything.
  6. Whether or not it finds anything, you should be presented with a log in Notepad, which you should save to your desktop.
  7. Attach the log you saved on your desktop to a reply for me to take a look at. You can attach files to a reply by clicking the More Reply Options to the lower-right of where you type in your reply. When the page loads, there will be a button right below the box to type in (on the left side) that says Choose Files... which will allow you to select the log file to attach it.

OK, I think I have enough information now. I have written a cleanup script for OTL (please download the latest version of OTL from this link, even if you still have the one you downloaded previously).

  1. Please download the following OTL_Script file, and save it on your desktop. After saving it, open it, run OTL, and copy and paste the contents of the OTL_Script file into the Custom Scans/Fixes box at the bottom of the OTL window:
  2. Then click the Run Fix button at the top.
  3. Let the program run unhindered, restart your computer when it is done (it may automatically restart your computer on its own).
  4. After your computer has restarted, please open OTL again and click the Quick Scan button. Attach the log it produces in your next reply (just the OTL log, as I don't need to see the Extras log again). You will need to click the button that says More Reply Options to the lower-right of where you type your reply to be presented with the attachment controls.

Quick Scan report after performing Custom Fix is attached...

Questions:

1. Once my pc is clear of infections, how do I clean my external hard drive, notebook and thumbdrives that I have been using in conjunction with my pc? Those must have been infected too.

2. Would installing Emsisoft Anti-Malware in my pc prevent re-infections when in future, I stick a virus-laden thumbdrive into it?

1. Once my pc is clear of infections, how do I clean my external hard drive, notebook and thumbdrives that I have been using in conjunction with my pc? Those must have been infected too.

External drives would need to be scanned with a virus scanner, such as the Emsisoft Emergency Kit or Emsisoft Anti-Malware. After things are looking cleaned up I will also have you run a scan with a third-party anti-virus tool, just to make sure that we haven't missed anything, and this same tool can be used to scan your external drives.

2. Would installing Emsisoft Anti-Malware in my pc prevent re-infections when in future, I stick a virus-laden thumbdrive into it?

Yes, even if the databases for the two scanning engines in Emsisoft Anti-Malware do not contain definitions for the infection, the Behavior Blocker should warn you if a program is attempting to do something that is suspicious or dangerous.

As for the OTL log, it looks much better. I am still seeing some signs of ZeroAccess, so let's try one more script and see if that takes care of it. Here's another cleanup script and the instructions again (please download the latest version of OTL from this link, even if you still have the one you downloaded previously).

  1. Please download the following OTL_Script file, and save it on your desktop. After saving it, open it, run OTL, and copy and paste the contents of the OTL_Script file into the Custom Scans/Fixes box at the bottom of the OTL window:
  2. Then click the Run Fix button at the top.
  3. Let the program run unhindered, restart your computer when it is done (it may automatically restart your computer on its own).
  4. After your computer has restarted, please open OTL again and click the Quick Scan button. Attach the log it produces in your next reply (just the OTL log, as I don't need to see the Extras log again). You will need to click the button that says More Reply Options to the lower-right of where you type your reply to be presented with the attachment controls.

The OTL report is attached.

Will you take me through the process of cleaning my external hard drive, notebook and thumbdrives when it is time to do so, please?

Thank you.

The ZeroAccess infection persists. ComboFix may be required to remove it, although there is a possibility that since we already tried to use OTL that ComboFix may not be able to remove the entire infection.

There should be a way to run ComboFix without it freezing. Please disable your anti-virus software (and any third-party firewall or anti-spyware software you have installed) and then hold down the Windows key on your keyboard (normally between the Ctrl and Alt keys, with the little Windows logo on it) and then tap the R key to open the Run dialog. Type ComboFix /nombr (note that there is a blank space in between 'ComboFix' and '/nombr' even though it might not look like it) into the field and then click OK, and make sure to allow the update. If it works this time, then please attach the log to a reply for me to review.

I first went to the Microsoft Security Center to make sure that the firewall is disabled and that there is no antivirus programme that is active. Then I ran ComboFix according to your instructions above. Once again, it got to the Autoscan window and then it went no further. The cursor just kept on blinking after the text "However, scan times for badly infected machines may easily double".

Then I got my pc to run in safe mode with networking. And ran the ComboFix again. I got the same results as I described above - it only got to Autoscan.

What can I try next?

I find it odd that ComboFix cannot run, but that OTL appears to be completely unhindered. Let's get a DDS log, and see if it tells us any more information. Please follow the instructions below to post a DDS log:

  1. Download DDS from this link, and be sure to save it on your desktop.
  2. Disable all script blocking protection, anti-virus software, firewall/HIPS, or anti-spyware software before running it.
  3. Double click the dds icon you saved on your desktop to run the tool.
  4. A black window will appear that explains what DDS does and which will show you the progress near the bottom.
  5. When done, a window will pop up explaining that two logs will open in Notepad after you click OK. Go ahead and click the OK button to continue.
  6. Ignoring the instructions that DDS gave you, please save both of these logs on your desktop as Text Documents.
  7. Please attach both of those logs to a reply by using the More Reply Options button to the lower-right of where you type in your reply.

OK, the DDS log is showing a driver that doesn't look good, and the file appears to be missing, so let's use The Avenger to delete it.

1. Please download The Avenger from this link, and make sure to save it on your Desktop.

  • Right click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the avenger folder to your desktop

2. Save the AvengerScript.txt at the link below to your desktop, open it, and copy all the text contained in the AvengerScript.txt file, and it will be pasted into The Avenger in a later step (if you do not know how to copy and paste, then there are instructions at this link):

Note: the above code was created specifically for the person requesting assistance in this forum topic, and it is based entirely on the logs they supplied from their computer. No one else should attempt to run The Avenger with this script, as it may damage their computer!

3. Now, open the avenger folder on your desktop and start The Avenger program by double-clicking on its icon.

  • Please paste the contents of the attached AvengerScript.txt file above (which you should have already copied) into the white box in The Avenger (see example picture below).
  • Click on the Execute button in the lower-right corner (see example picture below).
    paste_script_into_avenger.png
  • Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

  • It will restart your computer. (In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please attach the content of c:\avenger.txt to a reply by using the More Reply Options button to the lower-right of where you type in your reply.

OK, go ahead and run a Quick Scan with Malwarebytes' Anti-Malware and attach the log to a reply for me. After that, run a scan with OTL again and attach that log to a reply as well. I just want to verify that everything is looking better before we move on. ;)

OK, those logs are looking a lot better. Malwarebytes' Anti-Malware is detecting a download wrapper from Softonic, and you can find an explanation of why download wrappers are not necessarily good at this link. It is not actually necessary to delete this Softonic download wrapper, however if you wish to do so then just look for a file named SoftonicDownloader_for_microsoft-digital-image in your downloads folder, which appears to be in your My Documents folder.

Let's go ahead and run a third-party virus scan just to make sure we are not missing anything, and to check your USB hard drive. Here are the instructions (they do not include a step to scan your USB hard drive, however you should have the ability to select any extra hard drives you want to scan before starting the scanning process):

  1. Turn off your anti-virus software.
  2. Click on this link.
  3. Click on the ESET Online Scanner button.
  4. Put a check in the box that says YES, I accept the Terms of Use.
  5. Click the 'Start' button just to the right of the checkbox.
  6. Uncheck the box that says Remove found threats (this is very important).
  7. Click on Advanced settings.
  8. Put a check in the box that says Scan for potentially unsafe applications.
  9. Verify that Scan for potentially unwanted applications is also checked.
  10. Verify that Enable Anti-Stealth technology is also checked.
  11. Click the Start button in the lower-right corner of the page, and it will begin downloading its database, and then it will start scanning (this can take a long time).
  12. When the scan is done, if it shows a screen that says Threats found!, then click List of found threats, and then click Export to text file... (if nothing was found, then just let me know that no threats were found).
  13. Save that text file on your desktop, and then attach it to a reply (using the More Reply Options button in the lower-right corner of this forum topic) for me.
  14. Close the ESET online scan.

I will take a look at the log, and let you know if anything needs to be removed.

OK, just a few more things to delete according to that log. We'll use The Avenger to delete them. Here are the instructions:

1. Please download The Avenger from this link, and make sure to save it on your Desktop.

  • Right click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the avenger folder to your desktop

2. Save the AvengerScript.txt at the link below to your desktop, open it, and copy all the text contained in the AvengerScript.txt file, and it will be pasted into The Avenger in a later step (if you do not know how to copy and paste, then there are instructions at this link):

Note: the above code was created specifically for the person requesting assistance in this forum topic, and it is based entirely on the logs they supplied from their computer. No one else should attempt to run The Avenger with this script, as it may damage their computer!

3. Now, open the avenger folder on your desktop and start The Avenger program by double-clicking on its icon.

  • Please paste the contents of the attached AvengerScript.txt file above (which you should have already copied) into the white box in The Avenger (see example picture below).
  • Click on the Execute button in the lower-right corner (see example picture below).
    paste_script_into_avenger.png
  • Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

  • It will restart your computer. (In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please attach the content of c:\avenger.txt to a reply by using the More Reply Options button to the lower-right of where you type in your reply.

OK, is Emsisoft Anti-Malware working now? Can you run a Deep Scan with it? If so, please attach the log to a reply for me to review.

At my first attempt at doing a Deep Scan with Emsisoft Anti-Malware, the scan goes on until the 79% mark and no further. It still looks like the scanning is going on but it kept showing 79% and the message was that it was scanning one of my .doc files. I left it for at least 30 mins and then I stopped the scan. I deleted that particular .doc file and then did my 2nd attempt at scanning.

This time, the scan went smoothly until the 80% mark and then it got stuck and it kept on scanning one of my jpeg files.

What should I try now?


Seems like I was wrong about Emsisoft Anti-Malware getting stuck at 80%. While replying to you a couple of minutes earlier, a message popped up to say that scanning is complete. Here is the log.


That's looking pretty good. No threats detected. There are a few reasons why the scan could be taking a long time around 80%, and it could just be that it has come across a large ZIP or CAB archive that the BitDefender engine is extracting in order to scan the contents.

Is your computer displaying any other odd symptoms, or does it seem OK now?


My PC seems OK for the most part. It is slow to connect to the internet, i.e., I double-click on the Mozilla Firefox icon and instead of the almost instant response that I used to get, I now have to wait something like half a minute before the hourglass icon pops up signifying that the PC is trying to connect. But perhaps that is a problem I have to work on with my internet service provider.

The PC also becomes very slow when I have been using it for an hour or so; by then, even shutting the PC down takes a long time. Perhaps I need to do some maintenance/defrag/check for bad sectors or something like that?

What should I do with my flash drives and external hard disk and notebook now? I am sure they are all infected like my PC was. Now that I have installed Emsisoft Anti-Malware on my PC, is it safe to connect those devices to my PC so that they can be cleaned too? Would it take a customized script written by you (after analysis of logs) to get my notebook cleaned?

Thank you very much for helping me clean my PC :)


Let's get a fresh OTL log, just to verify that nothing weird has happened since the last one you posted.

  1. Click this link to save OTL onto your desktop (please make sure to click 'Save' instead of 'Run').
  2. Double click on the OTL icon on your desktop to run it. Make sure all other windows are closed and to let it run uninterrupted.
  3. Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan will take a few minutes.
  4. When the scan completes, it will open two Notepad windows. OTL.Txt and Extras.Txt. The first one (OTL.txt) will be automatically saved on your desktop next to OTL, and the second one will need to be saved manually.
  5. Please make sure that both OTL.txt and Extras.txt are saved on your desktop, and then attach both of them to a reply so that we can take a look at them.


Hi, the OTL.txt is attached. But unlike the OTL.txt that opened automatically after the scan was completed, Extras.txt did not open. I tried using the search function to find the file and many Extras.txt files were found! All had 9/26 as the modification date; that's the date we started this chain of email exchanges. I stopped and abandoned the search when the 139th Extras.txt was located. Looks like Extras.txt reproduced itself?


Did the search tell you what folders the Extras.txt files were in? That certainly seems like a lot of them, and OTL doesn't normally do that.

Since some weird things are still happening, let's get a log from MBRScan:

  1. Please download MBRScan and save it to your desktop.
  2. Double-click on MBRScan.exe and click the Report button.
  3. Please don't use the computer while the scan is running. The computer may not respond until the scan is done. Please be patient and don't force a restart of the computer.
  4. When the scan is finished, a log file will appear.
  5. Save that log file to your desktop and post its content in your next reply.


Hi, I did a search for Extras.txt again this morning and this time, there were only 2 files found. This seems much closer to the truth than 139+ files that were found by yesterday's search.

One file is located in the Archive Root Directory. ZIP Information: CRC32: BBF0D1F9, Index: 0, Compression: Deflated, Packed Size: 6 KB. This is probably the zipped version. The other is located at C:\Documents & Settings\Me\Desktop\EEK and looks to be the result of unzipping; it is likely the file I sent to you right at the beginning of this string of emails.

In the past, when I searched for files, the search ran through all the directories and was completed quite swiftly. But now, the search goes on and on and it doesn't seem to get through all the directories; it looks like the search is cycling through the same directories over and over again. I finally stopped the search by clicking on the [Stop] button.

I attach MBRScan report. The scan took less than a minute to complete.

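The poster above is comparing an Extras.txt on disk with a same-named entry inside a ZIP archive using the CRC32 and size that the archiver displays. The following is an added example (mine, not part of this thread or of OTL or any tool used in it) that does that comparison systematically: it walks a directory tree, records every file with a given name, reads the CRC32 and uncompressed size of every same-named ZIP entry straight from the archive's central directory (no extraction), and reports which on-disk copies correspond to an archived copy. The directory layout and file contents it builds are constructed for the demonstration; the function and variable names are my own. It runs on any platform with Python 3.

```python
"""Find every copy of a file name under a directory tree, fingerprint each copy,
and check which copies correspond to same-named entries stored inside ZIP
archives in that tree. Added example for this thread, not a tool the thread
uses; the directory layout and file contents below are constructed."""
import hashlib
import os
import tempfile
import zipfile
import zlib


def fingerprint(data: bytes) -> dict:
    """CRC32 (the checksum a ZIP stores) plus SHA-256 (the hash to rely on)."""
    return {
        "crc32": f"{zlib.crc32(data):08X}",
        "sha256": hashlib.sha256(data).hexdigest(),
        "size": len(data),
    }


def find_copies(root: str, name: str) -> list:
    """One record per on-disk file called `name` and per same-named ZIP entry.
    Archive entries are not extracted: CRC32 and size are read from the
    central directory, which is what an archiver's "ZIP Information" shows."""
    records = []
    target = name.lower()
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            if fn.lower() == target:
                with open(path, "rb") as fh:
                    records.append({"path": path, "entry": None, **fingerprint(fh.read())})
            elif fn.lower().endswith(".zip") and zipfile.is_zipfile(path):
                with zipfile.ZipFile(path) as zf:
                    for info in zf.infolist():
                        if os.path.basename(info.filename).lower() == target:
                            records.append({
                                "path": path,
                                "entry": info.filename,
                                "crc32": f"{info.CRC:08X}",
                                "sha256": None,
                                "size": info.file_size,
                            })
    return records


def match_disk_to_zip(records: list) -> dict:
    """Map each on-disk copy to the (zip path, entry) pairs whose CRC32 and
    uncompressed size agree. CRC32 is a checksum, not a cryptographic hash:
    agreement is good evidence the file is the archive's copy, but a CRC32
    match can be forged; hash the extracted entry with SHA-256 to be sure."""
    zipped = [r for r in records if r["entry"] is not None]
    matches = {}
    for r in records:
        if r["entry"] is not None:
            continue
        matches[r["path"]] = [
            (z["path"], z["entry"]) for z in zipped
            if z["crc32"] == r["crc32"] and z["size"] == r["size"]
        ]
    return matches


def build_demo(root: str) -> None:
    """Constructed layout: two Extras.txt on disk under Desktop, one of which is
    byte-identical to the Extras.txt stored in Desktop/EEK.zip."""
    content = b"constructed OTL Extras log\n"
    os.makedirs(os.path.join(root, "Desktop", "EEK"))
    os.makedirs(os.path.join(root, "Desktop", "other"))
    with open(os.path.join(root, "Desktop", "EEK", "Extras.txt"), "wb") as fh:
        fh.write(content)
    with open(os.path.join(root, "Desktop", "other", "Extras.txt"), "wb") as fh:
        fh.write(content + b"one extra line\n")
    with zipfile.ZipFile(os.path.join(root, "Desktop", "EEK.zip"), "w",
                         zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Extras.txt", content)


def demo() -> dict:
    """Run the search on the constructed tree; paths are made relative to the
    temporary root (with '/' separators) so the result is comparable."""
    with tempfile.TemporaryDirectory() as root:
        def rel(p: str) -> str:
            return os.path.relpath(p, root).replace(os.sep, "/")
        build_demo(root)
        matches = match_disk_to_zip(find_copies(root, "Extras.txt"))
        return {rel(k): [(rel(zp), entry) for zp, entry in v] for k, v in matches.items()}


if __name__ == "__main__":
    for disk_copy, hits in demo().items():
        print(disk_copy, "->", hits or "no matching archive entry")
```

To use it on a real machine, call `find_copies(r"C:\", "Extras.txt")` and pass the result to `match_disk_to_zip`; a copy that matches no archive entry, or that turns up in a directory where no tool put it, is the one to look at more closely.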

Let's try ComboFix in Safe Mode With Networking one more time. Here's the link to instructions on starting your computer in Safe Mode With Networking. Here's a link to download the latest ComboFix.

If it works this time, then attach the log to a reply. If not, then restart the computer in Safe Mode (as opposed to Safe Mode With Networking), and hold down the Ctrl key then tap the R key to open the run dialog. Type ComboFix /nombr and then click OK and see if ComboFix works OK that way.


Looks like Emsisoft is blocking my access to Yahoo Mail. Emsisoft flashed an alert that said something about Yahoo Mail being suspicious when I was trying to get to www.mail.yahoo.com.


That seems a bit odd, however I'd need to see the line from the log to know more.

Since you are experiencing some odd issues, let's try a more generic system repair tool and see if it helps:

Please download Windows Repair (all in one) from this link.

Install the program then run it.

(note that it will occasionally need to restart your computer as you run through the steps below)

Go to Step 2 and allow it to run CheckDisk by clicking on the Do It button:

p22001645.gif

Once that is done, go to Step 3 and allow it to run System File Check by clicking on the Do It button:

(for Windows XP, if you do not have your Windows XP CD, then you will need to skip this step)

p22001646.gif

Go to Step 4 and under "System Restore" click on the Create button:

p22001644.gif

Go to the Start Repairs tab and click the Start button.

p22001166.gif

You don't want it to run through every fix in the list, so please ensure that ONLY the items seen in the screenshot below are selected (they're all checked by default, so uncheck the ones that are not checked in the screenshot below):

p22001647.gif

If there are any fixes in the list that are not in the screenshot above, then please uncheck them as well.

Click on the box next to Restart/Shutdown System When Finished (leave it set to Restart System just below that). Then click on Start to begin the repair process.


I just got a little more information about the Yahoo! issue, and it may just be a false positive. If this was just an accident on the part of one of our researchers, then they should have it fixed soon. ;)


I bought Emsisoft Anti-Malware and Online Armor. Online Armor is really irritating because there is that window asking me to select either Allow or Block which keeps popping up. It did that every step of the way when I was running the Windows Repair program last night. For now, I have turned off Online Armor. What do I do to enjoy the protection of Online Armor without having to deal with the irritating Allow/Block window?

Windows Repair: the Start/Repair step takes a long time. I checked the 12 Repair Options that you said to check, but I finally turned off the PC when the log showed that the program was fixing 4/12. And all that time, Online Armor kept flashing up the Allow/Block window. Is the Start/Repair step supposed to take a long time to complete (like an hour)?

Yahoo Mail: I've got access again. Thanks.


Any program that you trust can be added to Online Armor as Trusted, or added to the exclusions in Online Armor to be ignored completely by the HIPS and the firewall. Please note that you will probably need to disable Online Armor when running any of the utilities that I post instructions for, as most of these utilities check things or do things that Online Armor can interfere with.

How long it takes can depend on the computer and whether or not the security software is running at the time. I think I forgot to add that to the instructions I posted for you, so that's probably why it took so long. If you disable Online Armor and Emsisoft Anti-Malware then it should run faster.


I have done the Windows Repair to completion. The computer is still slow. I will do a defrag and see if that helps. If it doesn't, it is probably time to buy a new PC.

Thank you very, very much for your help and patience.


You're quite welcome. ;)

Here are some final instructions for after you finish your defrag:

1. Make Sure Java is Updated:

  1. Click on the Start button.
  2. Click on Control Panel.
  3. Click Add or Remove Programs.
  4. Look for Java in the list (should be alphabetical), and uninstall all versions of Java that you find listed.
  5. Click on this link and download and install the latest Java (the Windows Online download will be faster).

2. Make Sure Adobe Flash is Updated:

  1. Click on this link and download the latest version of Adobe Flash Player for your web browser.
  2. You will need to close your web browser when installing Flash.

3. Make Sure Adobe Acrobat Reader is Updated:

  1. Click on the Start button.
  2. Click on Control Panel.
  3. Click Add or Remove Programs.
  4. Look for any versions of Adobe Reader or Adobe Acrobat Reader in the list (should be alphabetical), and uninstall all of them (if you have Adobe Acrobat, which is the premium software from Adobe, then you do not need to uninstall it).
  5. Click on this link to go to the Adobe Reader download page, make sure to unselect any offers for toolbars or other free software, and download and install the latest version of Adobe Reader.

(please note that some people do prefer to use third-party PDF viewers such as PDF X-Change Viewer and Foxit Reader, which are not as commonly exploited as Adobe Reader, so if you would prefer to use one of those then you do not need to download and install Adobe Reader)

4. Make Sure Your Computer Has The Latest Windows Updates:

  1. Right-click on the little Online Armor icon in the lower-right corner of the screen (to the left of the clock), and select the option to enable Learning Mode. We recommend that you always put Online Armor in Learning Mode when installing Windows Updates, even though you shouldn't have any problems with Online Armor and Windows Updates on Windows XP.
  2. Click on the Start button.
  3. Go to All Programs.
  4. Click on Windows Update.
  5. If you have never run Windows Update, then it will probably need to install an ActiveX control and update the Windows Update software before it can continue, so make sure you keep an eye out for that pale-yellow bar that pops up at the top of the page when Windows Update needs to install a new component, and click on the yellow bar and select to allow it.
  6. Once it is loaded, click on the Express button.
  7. It will check for available updates, and once it is done you can click the Install Updates button.
  8. It may ask you to accept a license agreement before it installs, so make sure you say Yes.
  9. When it is done installing updates, it may ask you to restart your computer, so close anything you are working on and allow it to restart.
  10. Note that the update process can take a while, and you may need to run it several times before all of the updates get installed.
  11. Make sure to turn Learning Mode off in Online Armor once you are done installing Windows Updates.

5. Web Of Trust Extension:

While this is not a requirement, I highly recommend that you click this link and check out the Web Of Trust extension for your web browser. It will add an extra layer of protection to your web browsing for free, and it is especially helpful when doing searches on Google, Yahoo!, Bing, etc., as it will point out what sites are considered trustworthy and what sites are not by drawing a colored circle to the right of each search result. Green means trusted, red means not trusted, yellow is in between, and white means it is not in Web Of Trust's database.

6. Empty The System Restore:

  1. Click on the Start button.
  2. Right-click on My Computer.
  3. Select Properties from the list.
  4. In the window that pops up, click on the System Restore tab.
  5. Click the check box to Turn off System Restore.
  6. Click the Apply button at the bottom-right, and answer Yes to the question.
  7. Depending on how much data is saved in the System Restore, it could take more than a few minutes to empty it.
  8. Click the check box to Turn off System Restore again and click OK to turn the System Restore back on.
  9. Click on the Start button again.
  10. Go to All Programs.
  11. Go to Accessories.
  12. Go to System Tools.
  13. Click on System Restore.
  14. Select Create a restore point on the right, and click Next at the bottom.
  15. Enter a description for the restore point, and click Create.
  16. Click Close to finish the process.

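Steps 1 and 3 of the final instructions above depend on spotting every installed copy of Java and Adobe Reader in Add or Remove Programs, because an update does not always remove the release it replaces, and each leftover runtime is still reachable from a browser or a PDF. The following is an added example (mine, not part of this thread or of any tool used in it) that automates that check from an export of the Uninstall registry keys, which is what Add or Remove Programs is built from and what regedit writes when you export HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall. It groups the entries into product families and, for each family, names the newest copy and the older copies left behind. The registry excerpt, its GUIDs and the product-name patterns are constructed assumptions, as are all the function names.

```python
"""Parse a registry export (.reg) of the Add or Remove Programs (Uninstall)
keys, group the entries by product family, and flag side-by-side copies of the
same product so that only the newest is kept. Added example for this thread,
not a tool the thread uses; the export text, GUIDs and patterns are constructed."""
import re
from collections import defaultdict

# Constructed excerpt in the format regedit writes for HKLM\...\Uninstall.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{11111111-0000-0000-0000-000000000001}]
"DisplayName"="Java(TM) 6 Update 20"
"DisplayVersion"="6.0.200"
"Publisher"="Sun Microsystems, Inc."

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{11111111-0000-0000-0000-000000000002}]
"DisplayName"="Java(TM) 6 Update 29"
"DisplayVersion"="6.0.290"
"Publisher"="Oracle"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{11111111-0000-0000-0000-000000000003}]
"DisplayName"="Adobe Reader 9.4.0"
"DisplayVersion"="9.4.0"
"Publisher"="Adobe Systems Incorporated"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 3.6.20 (x86 en-US)]
"DisplayName"="Mozilla Firefox (3.6.20)"
"DisplayVersion"="3.6.20 (en-US)"
"Publisher"="Mozilla"
'''

# Product families the thread asks to check. The patterns are an assumption
# about how these vendors name their entries in Add or Remove Programs.
FAMILIES = {
    "Java": re.compile(r"\bJava\b|\bJ2SE\b", re.I),
    "Adobe Reader": re.compile(r"Adobe (Acrobat )?Reader", re.I),
    "Adobe Flash": re.compile(r"Adobe Flash Player", re.I),
}

KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]\s*$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>(?:[^"\\]|\\.)*)"\s*$')


def parse_reg(text: str) -> list:
    """Return one dict per [key] block holding the key path and its string values."""
    entries, current = [], None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            current = {"key": m.group("key")}
            entries.append(current)
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            # .reg files escape backslashes and double quotes inside string values.
            value = m.group("value").replace('\\"', '"').replace("\\\\", "\\")
            current[m.group("name")] = value
    return entries


def version_tuple(v: str) -> tuple:
    """Numeric prefix of a DisplayVersion, e.g. '3.6.20 (en-US)' -> (3, 6, 20)."""
    return tuple(int(p) for p in re.findall(r"\d+", v.split(" ")[0]))


def classify(entries: list) -> dict:
    """Group Uninstall entries into the families above; other software is ignored."""
    groups = defaultdict(list)
    for e in entries:
        name = e.get("DisplayName", "")
        for family, pat in FAMILIES.items():
            if pat.search(name):
                groups[family].append((version_tuple(e.get("DisplayVersion", "0")), name))
                break
    return groups


def stale_installs(entries: list) -> dict:
    """For each family present, the newest DisplayName and the older copies that
    are still installed beside it. Each old copy is a separately attackable
    runtime, which is why the thread says to remove every version before
    installing the current one."""
    report = {}
    for family, items in classify(entries).items():
        items.sort(reverse=True)
        report[family] = {"keep": items[0][1], "remove": [n for _, n in items[1:]]}
    return report


if __name__ == "__main__":
    for family, verdict in stale_installs(parse_reg(SAMPLE_REG)).items():
        print(f"{family}: keep {verdict['keep']!r}; remove {verdict['remove']}")
```

Exported .reg files are UTF-16 on Windows, so open a real export with `open(path, encoding="utf-16")` before passing its text to `parse_reg`; the 64-bit Uninstall key under `Wow6432Node` needs the same treatment on later versions of Windows, though not on the 32-bit XP system in this thread.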
This topic is now closed to further replies.