vzdevman Posted October 9, 2012

I downloaded Emsisoft and ran a scan .. it found Heuristic.Possible.MBR.Rootkit (A) when scanning rootkits located in \DosDevices\PhysicalDrive0. I was told it could not be deleted and to post here to find out how to remove it manually. I have attached log files.

Thanks

jeffce Posted October 9, 2012

Hi and welcome!!

Please download TDSSKiller
Double click TDSSKiller.exe
Press Start Scan but do nothing else as we are just looking for what is there.
If Malicious objects are found, select Skip by changing the Cure dropdown in the upper right.
Attach the log in your next reply
A copy of the log will be saved automatically to the root of the drive (typically C:\)

vzdevman Posted October 10, 2012

The log from TDSSKiller.exe is attached as requested. Thanks for your help.

jeffce Posted October 10, 2012

Hi,

Please run TDSSKiller again and this time please select Cure to remove the entries found. Attach the new TDSSKiller log to your next reply.

----------

Download Combofix from the link below, and save it to your desktop.

Link

**Note: It is important that it is saved directly to your desktop**

If you get a message saying "Illegal operation attempted on a registry key that has been marked for deletion", please restart your computer.

--------------------------------------------------------------------
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
--------------------------------------------------------------------

Right-Click and Run as Administrator on ComboFix.exe & follow the prompts.
When finished, it will produce a report for you.
Please attach the C:\ComboFix.txt for further review.

vzdevman Posted October 10, 2012

Attached are the 2 log files.

jeffce Posted October 13, 2012

I apologize for any delay.

Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the box below:

ClearJavaCache::

File::
c:\program files\Coupons.com CouponBar\tbcore3.dll

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{8660E5B3-6C41-44DE-8503-98D99BBECD41}"=-
[-HKEY_CLASSES_ROOT\clsid\{8660e5b3-6c41-44de-8503-98d99bbecd41}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{8660E5B3-6C41-44DE-8503-98D99BBECD41}"=-
[-HKEY_CLASSES_ROOT\clsid\{8660e5b3-6c41-44de-8503-98d99bbecd41}]

Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix may request an update; please allow it.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. Post the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

----------

Please attach the new ComboFix log and let me know how your system is running.

jeffce Posted October 15, 2012

Are you still with me?

jeffce Posted October 16, 2012

Due to lack of feedback, this topic will now be closed. If you are the original poster and you still require help, please start a new thread.