
TheDarkKnight

Honorary Members
  • Posts: 1,123

Everything posted by TheDarkKnight

  1. Hey Smile2go,
     Not sure. Please try this one instead:
     Please do a scan with the Kaspersky Online Scanner. To optimise scanning time and produce a more sensible report for review:
     • Close any open programs.
     • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
     • Click on the Accept button and install the components it needs.
     • Click on Full Scan.
     • The scan will take a while, so please be patient and let it run.
     • When the scan has completed, it will display a window with a list of the issues it has found.
     • Please click Details.
     • Under the categories that have found entries, please copy and paste their reports into your next reply.
  2. Good morning Smile2go,
     Please re-run RogueKiller. Click on the Delete button. The report has been created on the Desktop. Please post it in your reply.
     =====
     Then, please run a free online scan with the ESET Online Scanner.
     Note: You can use Internet Explorer or Mozilla Firefox for this scan.
     • Tick the box next to YES, I accept the Terms of Use.
     • Click Start.
     • When asked, allow the ActiveX control to install.
     • Click Start.
     • Make sure that the option Remove found threats is checked and the option Scan unwanted applications is checked.
     • Click Scan.
     • Wait for the scan to finish.
     • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt.
     • Copy and paste that log as a reply to this topic.
     =====
     In your reply I would like to see both logs please.
  3. Hello dakahuna,
     Please try this tool.
     Please follow these instructions to run ComboFix.exe. Please visit this webpage for download links and instructions for running this tool: http://www.bleepingcomputer.com/combofix/how-to-use-combofix
     * Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix (CF). Please go here to see a list of programs that need to be disabled.
     **Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.**
     **Note 2: If you get a message saying "Illegal operation attempted on a registry key that has been marked for deletion", please restart your computer.**
     Please include the C:\ComboFix.txt in your next reply for further review.
  4. Good morning dakahuna,
     Please try this tool instead.
     Please download Malwarebytes Anti-Rootkit here.
     • Unzip the contents to a folder on the Desktop.
     • Open the folder where the contents were unzipped and run mbar.exe (right-click and select Run as administrator for Vista and Windows 7).
     • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
     • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
     • Wait while the system shuts down and the cleanup process is performed.
     • Please post the two logs produced.
     Please note: This tool is still in BETA mode, so please ensure you have backed up any important files.
  5. Good evening dakahuna,
     Please run OTL.exe.
     • Copy the commands with file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

       :OTL
       [2013/05/23 09:11:04 | 000,000,000 | ---D | M] (DownloadTerms) -- C:\Program Files (x86)\Mozilla Firefox\extensions\eoppnrqmocgit@fmwplidnapyokntwh.net
       O2 - BHO: (DownloadTerms) - {2C4BA31C-0C15-11E2-90C7-9BFCBEB168B3} - C:\Users\James\AppData\Local\DownloadTerms\temp.dat File not found
       [2013/06/02 12:30:45 | 000,002,048 | -HS- | M] () -- C:\$Recycle.Bin\S-1-5-18\$b34c27af1791aeb3babb7ddd255f041b\@
       [2013/06/10 08:14:57 | 000,000,000 | -HSD | M] -- C:\$Recycle.Bin\S-1-5-18\$b34c27af1791aeb3babb7ddd255f041b\L
       [2013/06/13 08:10:50 | 000,000,000 | -HSD | M] -- C:\$Recycle.Bin\S-1-5-18\$b34c27af1791aeb3babb7ddd255f041b\U
       [2013/06/13 08:04:51 | 000,000,804 | ---- | M] () -- C:\$Recycle.Bin\S-1-5-18\$b34c27af1791aeb3babb7ddd255f041b\L\00000004.@
       [2013/06/10 08:14:57 | 000,000,000 | -HSD | M] -- C:\$Recycle.Bin\S-1-5-18\$b34c27af1791aeb3babb7ddd255f041b
       :Commands
       [EmptyTemp]

     • Return to OTL.exe, right-click in the "Custom Scans/Fixes" window (under the light green bar) and choose Paste.
     • Click the red Run Fix button.
     • A fix log in Notepad will appear. Copy the contents of the fix log to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy), and paste it in your next reply.
     • Close OTL.exe.
     If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
     =====
     Then, please download to your Desktop: TDSSKiller.zip from here and extract it (right-click on it => "Extract here").
     >>> TDSSKiller:
     • Double-click on TDSSKiller.exe to run the application.
     • Click Change parameters. Make sure you check the box Loaded modules. A window will pop up and say Reboot is required. Please click Reboot now.
     • Then click Change parameters again. Check the box Detect TDLFS file system.
     • Click on the Start Scan button.
     • If an infected file is detected, the default action will be Cure. Instead, choose SKIP, then click on Continue.
     • If a suspicious file is detected, the default action will be Skip; click on Continue.
     • If you are asked to reboot the computer to complete the process, click on the Reboot Now button.
     • Once the tool has finished, please click Report. Please copy and paste the contents of that log in your reply.
     Note: A report will be automatically saved at the root of the System drive (usually C:\) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt" (for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt).
     =====
     In your reply please post the following:
     • OTL fix log
     • TDSSKiller log
     How is your computer running now?
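The OTL fix in the post above targets two kinds of leftovers: Hidden+System entries under the SYSTEM account's Recycle Bin folder (C:\$Recycle.Bin\S-1-5-18) and a Browser Helper Object whose registered file no longer exists ("File not found"). The PowerShell script below is an added example, not from the forum post and not part of OTL, that lists both kinds of entries read-only so the machine's state can be checked before and after such a fix. The function names, the `$R`/`$I` naming convention assumed for legitimately recycled items, and the 32-bit/64-bit registry views used to resolve a CLSID are assumptions, marked as such in the comments.

```powershell
# Added example, not from the forum post or from OTL: read-only inventory of the two kinds of
# artefacts the OTL fix above removes. Nothing is deleted or changed. Run from an elevated prompt.
# Assumptions (not stated in the post): legitimately recycled items are named $R<...>/$I<...>,
# and BHO CLSIDs resolve through InprocServer32 in the 64-bit or the 32-bit registry view.

# 1. Hidden+System entries under the SYSTEM account's Recycle Bin folder (C:\$Recycle.Bin\S-1-5-18),
#    the location of the -HS-/-HSD entries in the fix script.
function Get-SuspiciousRecycleBinEntries {
    param([string]$Path = (Join-Path $env:SystemDrive '$Recycle.Bin\S-1-5-18'))
    if (-not (Test-Path -LiteralPath $Path)) { return @() }
    # -Force is required to list Hidden/System items at all.
    Get-ChildItem -LiteralPath $Path -Force -Recurse -ErrorAction SilentlyContinue |
        Where-Object {
            (($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0) -and
            (($_.Attributes -band [IO.FileAttributes]::System) -ne 0) -and
            ($_.Name -notmatch '^\$[RI]')   # assumption: normal recycled items are $R.../$I...
        } |
        Select-Object FullName, Attributes, Length, LastWriteTime
}

# 2. Browser Helper Objects whose registered file no longer exists (OTL reports these as
#    "File not found", like the DownloadTerms entry in the fix).
function Get-OrphanedBHOs {
    $bhoKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    )
    foreach ($key in $bhoKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($clsid in (Get-ChildItem $key).PSChildName) {
            # Resolve the CLSID to its in-process server DLL: 64-bit view first, then the 32-bit view.
            $server = @("HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32",
                        "HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID\$clsid\InprocServer32") |
                Where-Object { Test-Path $_ } | Select-Object -First 1
            $raw  = if ($server) { (Get-ItemProperty $server).'(default)' } else { $null }
            $path = if ($raw) { [Environment]::ExpandEnvironmentVariables($raw.Trim('"')) } else { $null }
            [pscustomobject]@{
                CLSID  = $clsid
                Path   = $path
                Exists = [bool]($path -and (Test-Path -LiteralPath $path))
            }
        }
    }
}

Get-SuspiciousRecycleBinEntries | Format-Table -AutoSize
Get-OrphanedBHOs | Where-Object { -not $_.Exists } | Format-Table -AutoSize
```

Running it before the fix should show the same `$...\@`, `L` and `U` entries OTL lists; running it again after the reboot confirms they are gone. An orphaned BHO is not proof of malware on its own (uninstallers leave them behind too), which is why the script only reports and the removal decision stays with the helper.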
  6. I am TheDarkKnight and will be assisting you. Please ask questions if anything is unclear.
     Please download OTL.exe by OldTimer to your Desktop.
     • Close all windows and double-click OTL.exe.
     • In the "Custom Scans/Fixes" window (under the light green bar) paste the following in bold:

       netsvcs
       drivers32
       %SYSTEMDRIVE%\*.*
       %systemroot%\*. /mp /s
       CREATERESTOREPOINT
       HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
       HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs

     • Click Run Scan and let the program run uninterrupted.
     • When the scan completes, it will open two Notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
     • Post both logs in this thread. You may need to use two posts to get it all.
  7. Good morning RoboPan,
     I'm afraid I have bad news about your computer. Your log shows a dangerous trojan residing on your computer which has a backdoor functionality. It is possible that a remote attacker has already breached your computer. Please consider disconnecting this computer from the Internet after you finish reading this and use a known clean computer to follow my suggestions regarding your personal information.
     If you do any banking or other financial transactions on the computer, or if it contains any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.
     Though the trojan has been identified and can be removed, your computer is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the Operating System.
     Please visit the following sites for more information on internet theft and when to reformat!
     • How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
     • When Should I Format, How Should I Reinstall
     I will of course do my best to help clean the computer of any infections that I can see if you would like to continue. If you have any questions before making a final decision, please feel free to ask.
     Instructions on how to format and reinstall Windows can be found here.
     =====
     If you decide you wish to attempt to clean your computer in spite of this threat then please proceed with these instructions:
     Please download OTL.exe by OldTimer to your Desktop.
     • Close all windows and double-click OTL.exe.
     • In the "Custom Scans/Fixes" window (under the light green bar) paste the following in bold:

       netsvcs
       drivers32
       %SYSTEMDRIVE%\*.*
       %systemroot%\*. /mp /s
       CREATERESTOREPOINT
       HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
       HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs

     • Click Run Scan and let the program run uninterrupted.
     • When the scan completes, it will open two Notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
     • Post both logs in this thread. You may need to use two posts to get it all.
     =====
     Also, please download Malwarebytes Anti-Rootkit here.
     • Unzip the contents to a folder on the Desktop.
     • Open the folder where the contents were unzipped and run mbar.exe (right-click and select Run as administrator for Vista and Windows 7).
     • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
     • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
     • Wait while the system shuts down and the cleanup process is performed.
     • Please post the two logs produced.
     Please note: This tool is still in BETA mode, so please ensure you have backed up any important files.
     =====
     Please post the 4 logs from OTL and MBAR in your reply. How is your computer currently running?
  8. I am TheDarkKnight and will be assisting you. Please ask questions if anything is unclear.
     Please read all these directions before proceeding.
     When you have the .ISO file downloaded, you need to create a bootable disk or flash drive with it, using a clean PC to do that. The .ISO file is a disk image. It should NOT be burned as a regular file. You need a program like ImgBurn that can burn an .ISO image. I think a CD is best as there is no way anything can write on it after it is made, but the USB may be more convenient and easier.
     Be sure to read these:
     • Download Kaspersky Rescue Disk 10
     • How to record Kaspersky Rescue Disk 10 to an USB device and boot my computer from it?
     • How to record Kaspersky Rescue Disk 10 to a CD/DVD and boot my computer from the disk?
     Please go to a clean computer. Download the .iso image file. Create a CD (or flash drive if you prefer).
     On the infected computer: put the disk in the drive and reboot. Follow the directions here, but you will find some differences. Familiarise yourself with How to create a report file in Kaspersky Rescue Disk 10?
     Then, please print the following directions:
     Boot from Kaspersky Rescue Disk 10:
     • Restart your computer and put the disk in the drive while booting.
     • Press any key. A loading wizard will start (you will see the menu to select the required language). If you do not press any key in 10 seconds, the computer boots from hard drive automatically.
     • Select the required interface language using the arrow keys on your keyboard.
     • Press the Enter key on the keyboard.
     • In the start-up wizard window that opens, select the Kaspersky Rescue Disk. Graphic Mode. Click Enter.
     • Click 'A' to accept the agreement.
     • Select operating system from dropdown menu (select Windows whatever).
     • Select Objects to scan: check Disk boot sectors, Hidden startup objects, C:
     • Click My Update Center and update.
     • Back to other tab and click Start Object Scan.
     When scan has completed save a report:
     • On the upper part of the Kaspersky Rescue Disk window, click on the Report link.
     • On the bottom right hand corner of the Protection status - Kaspersky Rescue Disk window, click on the Detailed Report button.
     • On the upper right hand corner of the Detailed report window, click on the Save button.
     • After clicking Detailed Report and 'SAVE', a browse window opens. Double-click on the \. Click 'disks'. All your drives will be shown and you can easily double-click C and save the report to C:\KasperskyRescueDisk10.txt.
     • Click on the Save button. The report has been saved to the file.
     Remove the disk from the drive (or disconnect USB) and reboot normally.
  9. Good morning sekhmet,
     Time to bring out the big guns.
     Please read all these directions before proceeding.
     When you have the .ISO file downloaded, you need to create a bootable disk or flash drive with it, using a clean PC to do that. The .ISO file is a disk image. It should NOT be burned as a regular file. You need a program like ImgBurn that can burn an .ISO image. I think a CD is best as there is no way anything can write on it after it is made, but the USB may be more convenient and easier.
     Be sure to read these:
     • Download Kaspersky Rescue Disk 10
     • How to record Kaspersky Rescue Disk 10 to an USB device and boot my computer from it?
     • How to record Kaspersky Rescue Disk 10 to a CD/DVD and boot my computer from the disk?
     Please go to a clean computer. Download the .iso image file. Create a CD (or flash drive if you prefer).
     On the infected computer: put the disk in the drive and reboot. Follow the directions here, but you will find some differences. Familiarise yourself with How to create a report file in Kaspersky Rescue Disk 10?
     Then, please print the following directions:
     Boot from Kaspersky Rescue Disk 10:
     • Restart your computer and put the disk in the drive while booting.
     • Press any key. A loading wizard will start (you will see the menu to select the required language). If you do not press any key in 10 seconds, the computer boots from hard drive automatically.
     • Select the required interface language using the arrow keys on your keyboard.
     • Press the Enter key on the keyboard.
     • In the start-up wizard window that opens, select the Kaspersky Rescue Disk. Graphic Mode. Click Enter.
     • Click 'A' to accept the agreement.
     • Select operating system from dropdown menu (select Windows whatever).
     • Select Objects to scan: check Disk boot sectors, Hidden startup objects, C:
     • Click My Update Center and update.
     • Back to other tab and click Start Object Scan.
     When scan has completed save a report:
     • On the upper part of the Kaspersky Rescue Disk window, click on the Report link.
     • On the bottom right hand corner of the Protection status - Kaspersky Rescue Disk window, click on the Detailed Report button.
     • On the upper right hand corner of the Detailed report window, click on the Save button.
     • After clicking Detailed Report and 'SAVE', a browse window opens. Double-click on the \. Click 'disks'. All your drives will be shown and you can easily double-click C and save the report to C:\KasperskyRescueDisk10.txt.
     • Click on the Save button. The report has been saved to the file.
  10. Hey Sekhmet,
      So what is happening on your computer currently? Any popups, slowness, weird sounds, search redirects, etc.?
  11. Hello Sekhmet,
      Please download the Kaspersky Virus Removal Tool from here to your Desktop.
      • Double-click the Removal Tool.
      • Click the cog in the upper right corner:
      • Select down to and including your main drive.
      • Once done please select the Automatic Scan tab and press Start Scan.
      • Allow AVP to delete all infections found.
      • Once it has finished select the Report tab.
      • Select the Detected threats report from the left and press the Save button.
      • Save it to your Desktop and post the contents in your next reply.
  12. Good morning sekhmet,
      Thank you. That is good. You mentioned a warning appeared. Not sure why that is. Please try the below tool.
      Please download OTL.exe by OldTimer to your Desktop.
      • Close all windows and double-click OTL.exe.
      • In the "Custom Scans/Fixes" window (under the light green bar) paste the following in bold:

        netsvcs
        drivers32
        %SYSTEMDRIVE%\*.*
        %systemroot%\*. /mp /s
        CREATERESTOREPOINT
        HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs

      • Click Run Scan and let the program run uninterrupted.
      • When the scan completes, it will open two Notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
      • Post both logs in this thread. You may need to use two posts to get it all.
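The OTL custom scan that posts 6, 7 and 12 ask for ends with two registry paths: the WindowsUpdate\AU policy key and the LastSuccessTime value under Auto Update\Results\Install. Together they tell the helper whether automatic updating has been switched off by policy (something malware and misconfigured machines both do) and when an update last installed successfully, which is why the post about housekeeping later insists on enabling Automatic Updates. The PowerShell function below is an added example, not from the post and not part of OTL, that reads the same two locations and flags a policy-disabled or stale update state. The `yyyy-MM-dd HH:mm:ss` format of LastSuccessTime, the NoAutoUpdate value name and the 30-day threshold are assumptions noted in the comments.

```powershell
# Added example, not from the post or from OTL: read the two Windows Update registry locations that
# the OTL custom scan queries (the AU policy key and the LastSuccessTime value) and report whether
# automatic updating is disabled by policy and whether the last successful install is stale.
# Read-only; run from an elevated prompt.
# Assumptions: LastSuccessTime is a string in the form "yyyy-MM-dd HH:mm:ss" (UTC), and the policy
# value that disables updating is named NoAutoUpdate (1 = disabled).
function Get-WindowsUpdateStatus {
    param([int]$StaleAfterDays = 30)   # threshold is an assumption, adjust to the environment

    $policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    $resultsKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install'

    # The policy key exists only when Group Policy (or something tampering with the machine) wrote it.
    $policy = if (Test-Path $policyKey) { Get-ItemProperty $policyKey } else { $null }
    $noAutoUpdate = if ($policy -and $null -ne $policy.NoAutoUpdate) { [int]$policy.NoAutoUpdate } else { $null }

    $lastUtc = $null
    if (Test-Path $resultsKey) {
        $raw = (Get-ItemProperty $resultsKey).LastSuccessTime
        if ($raw) {
            # Parse as UTC and keep it UTC so the age calculation is time-zone independent.
            $lastUtc = [datetime]::ParseExact($raw, 'yyyy-MM-dd HH:mm:ss',
                [Globalization.CultureInfo]::InvariantCulture,
                [Globalization.DateTimeStyles]'AssumeUniversal, AdjustToUniversal')
        }
    }

    $nowUtc = (Get-Date).ToUniversalTime()
    $age    = if ($lastUtc) { [int]($nowUtc - $lastUtc).TotalDays } else { $null }

    [pscustomobject]@{
        PolicyKeyPresent     = [bool]$policy
        NoAutoUpdatePolicy   = $noAutoUpdate      # 1 means automatic updating is disabled by policy
        LastSuccessTimeUtc   = $lastUtc
        DaysSinceLastInstall = $age
        # Stale when nothing has ever succeeded or the last success is older than the threshold.
        Stale                = ($null -eq $age) -or ($age -gt $StaleAfterDays)
    }
}

Get-WindowsUpdateStatus | Format-List
```

A machine with `NoAutoUpdatePolicy = 1` that is not domain-joined, or with `Stale = True`, deserves the same follow-up the helper gives in these threads: find out who or what set the policy and get updates flowing again before declaring the clean-up finished.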
  13. Hey Sekhmet,
      ComboFix seems to be running with reduced function. Are you running from an Administrator account? Please try running it in Safe Mode.
  14. Hey Sekhmet,
      That's ok.
      Please follow these instructions to run ComboFix.exe. Please visit this webpage for download links and instructions for running this tool: http://www.bleepingcomputer.com/combofix/how-to-use-combofix
      * Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix (CF). Please go here to see a list of programs that need to be disabled.
      **Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.**
      **Note 2: If you get a message saying "Illegal operation attempted on a registry key that has been marked for deletion", please restart your computer.**
      Please include the C:\ComboFix.txt in your next reply for further review.
  15. Hello Sekhmet,
      Please download to your Desktop: TDSSKiller.zip from here and extract it (right-click on it => "Extract here").
      >>> TDSSKiller:
      • Double-click on TDSSKiller.exe to run the application.
      • Click Change parameters. Make sure you check the box Loaded modules. A window will pop up and say Reboot is required. Please click Reboot now.
      • Then click Change parameters again. Check the box Detect TDLFS file system.
      • Click on the Start Scan button.
      • If an infected file is detected, the default action will be Cure. Instead, choose SKIP, then click on Continue.
      • If a suspicious file is detected, the default action will be Skip; click on Continue.
      • If you are asked to reboot the computer to complete the process, click on the Reboot Now button.
      • Once the tool has finished, please click Report. Please copy and paste the contents of that log in your reply.
      Note: A report will be automatically saved at the root of the System drive (usually C:\) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt" (for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt).
  16. I am TheDarkKnight and will be assisting you. Please ask questions if anything is unclear.
      Please download Malwarebytes Anti-Rootkit here.
      • Unzip the contents to a folder on the Desktop.
      • Open the folder where the contents were unzipped and run mbar.exe (right-click and select Run as administrator for Vista and Windows 7).
      • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
      • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
      • Wait while the system shuts down and the cleanup process is performed.
      • Please post the two logs produced.
      Please note: This tool is still in BETA mode, so please ensure you have backed up any important files.
  17. Hey BrianLevy,
      ESET often identifies installers for programs as weird "infections", such as this one. No need to worry about it.
      =====
      A little housekeeping to uninstall ComboFix:
      Please click Start > Run and copy/paste the following text, including the space between "ComboFix" and "/uninstall", into the Run box and click OK:

        ComboFix /uninstall

      And AdwCleaner:
      • Please double-click on adwcleaner.exe to run the tool.
      • Click on Uninstall.
      • Confirm with Yes.
      To remove all of the tools we used and the files and folders they created do the following:
      • Double-click OTL.exe.
      • Click the CleanUp button.
      • Select Yes when the "Begin cleanup Process?" prompt appears.
      • If you are prompted to reboot during the cleanup, select Yes.
      • The tool will delete itself once it finishes.
      Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.
      Right-click the Recycle Bin and please select Empty Recycle Bin.
      =====
      Please consider using these ideas to help secure your computer. While there is no way to guarantee safety when you use a computer, these steps will make it much less likely that you will need to endure another infection. While we really like to help people, we would rather help you protect yourself so that you won't need that help in the future.
      IMPORTANT: Please enable Automatic Updates under Start > Control Panel > Automatic Updates to ensure your Windows updates regularly. This is extremely important in ensuring you remain protected against vulnerabilities and infections. This is a crucial security measure.
      As a minimum, you need at least an antivirus, firewall and some type of anti-spyware program. Please consider installing and running the following program (there is a free version available):
      • SpywareBlaster. A tutorial on using SpywareBlaster to prevent malware from ever installing on your computer may be found here.
      Please keep these programs up-to-date and run them whenever you suspect a problem to prevent malware problems. A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall and scanning anti-spyware program at a time. Passive protectors, like SpywareBlaster, can be run with any of them.
      Note that there are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure and looking for anti-spyware programs, you may be able to find out if it is a rogue here: http://www.spywarewarrior.com/rogue_anti-spyware.htm
      A similar category of programs is now called "scareware." Scareware programs are active infections that will pop up on your computer and tell you that you are infected. If you look closely, it will usually have a name that looks like it might be legitimate, but it is NOT one of the programs you installed. It tells you to click and install it right away. If you click on any part of it, including the 'X' to close it, you may actually help it infect your computer further. Keeping protection updated and running resident protection can help prevent these infections. If it happens anyway, get offline as quickly as you can. Pull the internet connection cable or shut down the computer if you have to. Contact someone to help by using another computer if possible. These programs are also sometimes called 'rogues', but they are different from the older version of rogues mentioned above.
      Please consider using an alternate browser. Mozilla's Firefox browser is a very good alternative. In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker, and Add-ons like Adblock Plus and NoScript can make it even more secure. To avoid dangerous sites Web of Trust or McAfee SiteAdvisor can be installed. Google Chrome or Opera are other good options.
      Two useful programs for keeping your programs up-to-date are FileHippo or Secunia PSI. Running one of these regularly will help you obtain the latest program updates.
      Please also read Tony Klein's excellent article: How did I get infected in the first place.
      Hopefully these steps will help to keep you error free. If you run into more difficulty, we will certainly do what we can to help.
  18. Hey BrianLevy,
      Your version of Java is out of date. It's important to remove older versions of Java since it does not do so automatically and older versions can leave you vulnerable. Please follow the instructions below to update Java:
      • Please go to the below link and download the latest Windows XP version: http://www.java.com/en/download/manual.jsp
      • Save it to your Desktop.
      • Please go to Start > Control Panel > Add Or Remove Programs.
      • Navigate to any versions of Java (J2SE Runtime Environment) you have installed. They will have this icon next to them:
      • Select Remove.
      • Please double-click the installer and follow the prompts to install the latest version once all the previous versions have been successfully removed.
      Also, your version of Adobe Reader is out of date. It could have security vulnerabilities, so please follow these instructions to update it:
      • Please go to Start > All Programs > Adobe Reader.
      • Open Adobe Reader and navigate to Help > Check for Updates.
      • Please follow the prompts to install the latest version.
      =====
      In your reply please let me know how the updates go.
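Post 18 has the user hunt for old Java versions by eye in Add or Remove Programs, because the Java installer of that era left earlier runtimes in place. The PowerShell function below is an added example, not from the post, that reads the same information from the Uninstall registry keys that Add or Remove Programs displays, sorts the Java entries by version and names every entry older than the newest one. The DisplayName pattern, the exclusion of "Java Auto Updater", and the Wow6432Node path for 32-bit installs on 64-bit Windows are assumptions noted in the comments; it lists only, and removal still happens through Add or Remove Programs as the post describes.

```powershell
# Added example, not from the post: list installed Java runtimes from the same Uninstall registry
# data that Add or Remove Programs displays, newest first, and name every older entry still present.
# Read-only. Assumptions: Java entries have a DisplayName starting with "Java" or "J2SE"; 32-bit
# installs on 64-bit Windows live under Wow6432Node; "Java Auto Updater" is not a runtime and is skipped.
function Get-InstalledJava {
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    ) | Where-Object { Test-Path $_ }

    Get-ChildItem $uninstallKeys |
        ForEach-Object { Get-ItemProperty $_.PSPath } |
        Where-Object { $_.DisplayName -match '^(Java|J2SE)' -and $_.DisplayName -notmatch 'Auto Updater' } |
        ForEach-Object {
            # DisplayVersion is free text; parse it into System.Version so the entries sort correctly.
            $parsed = $null
            $ok = [version]::TryParse([string]$_.DisplayVersion, [ref]$parsed)
            [pscustomobject]@{
                DisplayName     = $_.DisplayName
                DisplayVersion  = $_.DisplayVersion
                Version         = if ($ok) { $parsed } else { $null }
                UninstallString = $_.UninstallString
            }
        } |
        Sort-Object Version -Descending
}

$java = @(Get-InstalledJava)
$java | Format-Table DisplayName, DisplayVersion, UninstallString -AutoSize
# Everything after the newest entry is an older version the post says should be removed
# (through Add or Remove Programs, as described above).
$java | Select-Object -Skip 1 | ForEach-Object { "Older Java still installed: $($_.DisplayName) $($_.DisplayVersion)" }
```

The same pattern, with a different DisplayName filter, answers the post's second question about Adobe Reader or any other product whose stale copies keep an old attack surface on the machine.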
  19. Hello BrianLevy,
      That log is fine.
      Please download TFC to your Desktop.
      • Open the file and close any other windows. It will close all programs itself when run; make sure to let it run uninterrupted.
      • Click the Start button to begin the process. The program should not take long to finish its job.
      • Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean.
      =====
      Please download Security Check by screen317 from here or here.
      • Save it to your Desktop.
      • Double-click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
      • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
  20. Good morning BrianLevy,
      Great! Outlook is one of those funny programs... when it starts to have issues it is often hard to resolve. My advice is to back up your messages, contacts, autocontacts and anything else you have in Outlook and reinstall it. Often a reinstall of Outlook fixes any issues, while trying to solve the issues can take ages.
      =====
      Please run a free online scan with the ESET Online Scanner.
      Note: You can use Internet Explorer or Mozilla Firefox for this scan.
      • Tick the box next to YES, I accept the Terms of Use.
      • Click Start.
      • When asked, allow the ActiveX control to install.
      • Click Start.
      • Make sure that the option Remove found threats is unchecked and the option Scan unwanted applications is checked.
      • Click Scan.
      • Wait for the scan to finish.
      • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt.
      • Copy and paste that log as a reply to this topic.
  21. Hey BrianLevy,
      Please download Windows Repair from here.
      • Extract and launch Repair_Windows.exe.
      • On the Start repairs tab, click on Start.
      • Check mark the following options:
        Reset Registry Permissions
        Reset File Permissions
        Repair WMI
        Remove Policies Set By Infections
      • Checkmark the Restart System When Finished option.
      • Click the Start button.
      • Restart your computer when it has finished.
  22. Hey BrianLevy,
      If you reformat that will wipe everything and give you a clean slate. It will certainly remove the problem. If you wish to continue please try uninstalling IE and see if reinstalling it will help. My apologies that this is taking ages. It seems you have some corrupt Windows files or settings and finding them is proving difficult.
  23. Hey BrianLevy,
      Please make sure MBAM is uninstalled and not in the Control Panel. Then, navigate to Program Files on your C:\ drive and delete Malwarebytes. Now try installing it. Did that work?