
Help Microsoft Security Essentials Alert Has Taken Over My Computer On


  • This topic is locked

#1
nighttide

  • Member
  • 35 posts
It appears Microsoft Security Essentials Alert has again taken over my computer. I noticed that my computer has been running extremely slowly the past couple of days and that it was taking several clicks on the Explorer button to get on the internet and sometimes it doesn't work until I run Norton and it fixes files. Whenever I do get online and go to Google to do a search an alert box from Norton pops up and says it has blocked an attack. Then the next time I try to get on line by clicking the Explorer icon, it will not open. When I get on Safe Mode with networking and click on the Explorer icon a Microsoft Security Essentials Alert box pops up and keeps popping up and won't let me get on line. Can anyone out there help me with this? I would appreciate any help I can get, but please remember I am not too computer savvy, so please give your instructions in the simplest language possible. Thank you for the help I've received in the past, and I hope you guys will be able to help me again. nighttide

#2
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Hi again :D

Do you have any idea where you got this infection from ?

OK first we will have a look at the system and pinpoint the main nasties

GMER Rootkit Scanner - Download - Homepage
  • Download GMER
  • Extract the contents of the zipped file to desktop.
  • Double click GMER.exe.
  • If it gives you a warning about rootkit activity and asks if you want to run a full scan...click on NO, then use the following settings for a more complete scan..
  • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "ark.txt"
  • Save the log where you can easily find it, such as your desktop.
**Caution** Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries
Please copy and paste the report into your Post.

THEN

Download OTL to your Desktop
  • Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
  • Click on Minimal Output at the top
  • Click on Scan all users
  • Download the following file scan.txt to your Desktop. Click here to download it. You may need to right click on it and select "Save"
  • Double click inside the Custom Scan box at the bottom
  • A window will appear saying "Click Ok to load a custom scan from a file or Cancel to cancel"
  • Click the Ok button and navigate to the file scan.txt which we just saved to your desktop
  • Select scan.txt and click Open. Writing will now appear under the Custom Scan box
  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time and post them in your topic

#3
nighttide

  • Topic Starter
  • Member
  • 35 posts
Hi! Thanks for your rapid reply. I'm afraid I've hit a glitch. I did the GMER scan and saved it to my desktop and I did the OTL scan and clicked the box and when the choices came up I hit desktop but I cannot see the scan in the list. My other folders are there but no scan. What should I do? Thanks for the help. I don't know where this came from but my son has been using my computer to do research on a political report he's doing for school so he's visited what I consider to be some rather unsavory sites. nighttide

#4
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
The OTL log should be located at the same place as the OTL programme, or can you access safe mode and run OTL from there ?

If not we can try OTL's big brother, I will give the instructions for that just in case

Download OTS to your Desktop and double-click on it to run it
  • Make sure you close all other programs and don't use the PC while the scan runs.
  • Select All Users
  • Under additional scans select the following
    Reg - NetSvcs
    Reg - Shell Spawning
    Evnt - EventViewer Logs (Last 10 Errors)
    File - Lop Check
    File - Purity Scan

  • Now click the Run Scan button on the toolbar. Make sure not to use the PC while the program is running or it will freeze.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Please attach the log in your next post.

#5
nighttide

  • Topic Starter
  • Member
  • 35 posts
Hi, Here's the OTS scan log. Hope it helps. nighttide

Attached Files

  • Attached File  OTS.Txt   225.4KB   90 downloads

#6
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
This looks different to the last one

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says "Paste fix here" and then click the Run Fix button.

[Unregister Dlls]
[Files/Folders - Created Within 30 Days]
NY -> win32.exe -> C:\WINDOWS\win32.exe
NY -> rscy.xgo -> C:\WINDOWS\System32\rscy.xgo
NY -> feel0.dll -> C:\WINDOWS\System32\feel0.dll
NY -> dNeGp02030 -> C:\Documents and Settings\All Users\Application Data\dNeGp02030
[Files/Folders - Modified Within 30 Days]
NY -> 6to4v32.dll -> C:\WINDOWS\System32\6to4v32.dll
NY -> Fsajizebufisaw.dat -> C:\WINDOWS\Fsajizebufisaw.dat
NY -> Wnafotegixivaz.bin -> C:\WINDOWS\Wnafotegixivaz.bin
NY -> p6qps.dll -> C:\WINDOWS\System32\p6qps.dll
[Files - No Company Name]
NY -> 6to4v32.dll -> C:\WINDOWS\System32\6to4v32.dll
NY -> Wnafotegixivaz.bin -> C:\WINDOWS\Wnafotegixivaz.bin
NY -> Fsajizebufisaw.dat -> C:\WINDOWS\Fsajizebufisaw.dat
NY -> p6qps.dll -> C:\WINDOWS\System32\p6qps.dll
NY -> 7EgpN4 -> C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\7EgpN4
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]


The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here

I will review the information when it comes back in.

THEN

Download ComboFix from one of these locations:


Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

#7
nighttide

  • Topic Starter
  • Member
  • 35 posts
I was able to do the OTS step and have attached the log. I tried to run the ComboFix several times but either it would freeze up or say that applications need to be shut down and that I should reboot. For some reason I was not able to reboot and each time had to shut down manually. I tried to do the ComboFix step in safe mode but got the same results. By the way, the Microsoft Security Essentials Alert popup which was on my SafeMode and which would not let me get on the internet when I clicked on the Explorer icon is now gone and I can get back on the internet in SafeMode. What should I do now? Thank you for your patience with me in this matter. nighttide

Attached Files


#8
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
We will now run a safe mode AV scan to see what is blocking Combofix, the express scan should be fairly fast (30 minutes)

Download Dr Web from here http://www.freedrweb.com/?lng=en link on the top right of the page, tick the EULA and then download

It will download as an 8 digit file; save it to your desktop

Restart in safe mode and run
Accept the enhanced version
Then run the quick scan
About halfway through you will be prompted to buy - just X the box closed
Once finished it will generate a log please attach that

AS SOON AS DR WEB HAS COMPLETED

Retry Combofix from normal mode

#9
nighttide

  • Topic Starter
  • Member
  • 35 posts
I downloaded Dr. Web anti-virus on my desktop, but when I went to Safe Mode it was not on the Safe Mode desktop. Should I download it when I'm in Safe Mode? Or should I try something else? There were also a number of versions to download so I just chose the first one. I think it's called "anti-virus pro" or something like that. Is this version ok? When you say tick the EULA does that mean English Language version? Thanks for your help. nighttide

#10
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Yes download in safe mode. When you get to the link this is the download location - top right

That will take you to the licence page, tick that you accept the licence at the bottom
Click continue and the download should start :D

#11
nighttide

  • Topic Starter
  • Member
  • 35 posts
Okay, I ran Dr. Web in Safe Mode and it fixed something. Then I booted into regular mode and ran ComboFix. It ran for a while and then said it had to reboot to fix something. After the reboot it said it was preparing a log but before it finished, the computer rebooted itself, so there was no log. I re-ran Combofix, and the same scenario: ran, rebooted itself, began preparing log, and computer rebooted itself, no log available. What should I do now? nighttide

#12
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Could you re-run OTS now with the same custom scan as before

Also is the computer behaving itself now ?

#13
nighttide

  • Topic Starter
  • Member
  • 35 posts
I did not know whether you meant to do the OTS Run Fix or the OTS scan, so I did both. I hope that didn't mess things up. While it was doing the Run Fix with the pasted fix, it froze up and I had to reboot, so I didn't get a log. I ran the Scan with the same boxes checked as before and got the attached log. While the scan was running the Norton alert box popped up with the message "Trojan. zfarc detected" and then another with the message "Trojan Horse has been removed your computer is safe". This has happened a couple of times since I noticed this computer problem. The computer does seem to be running a little better. I can open the internet with a double click on the Explorer icon, though it does open a little slowly. When I go to google search and hit a search site, a Norton box does not pop up saying "a threat to you computer has been blocked." This used to happen pretty regularly even if I was not on the internet it would pop up now and then on the desktop. Thanks for helping me get back in control of things and let me know if there is anything more I need to do. nighttide

Attached Files


#14
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Combofix has quarantined some items - but it looks like we may need to use baby steps at this stage and just whittle it away

This may not find anything but it is a fast programme - and it will confirm certain areas clear, then we will run MBAM to clear some slightly different areas. Again a fairly fast scan


Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.


THEN

Please download Malwarebytes' Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

#15
nighttide

  • Topic Starter
  • Member
  • 35 posts
Now I have a major problem--I can't turn my computer on! I've checked the connections and they seem secure. I do remember this happened once before in the early stages of this problem. I thought it was just a loose connection because after jiggling the wires a little it suddenly started up. What should I do now? Is there a way to start a computer that just won't start? Thanks for your help! nighttide