This system has a rootkit infection that must be addressed first. Please do not do any web surfing; no online games. Only go to website I guide you to and to this forum. That applies for the entire duration, until after we think it is clear.
BTW, If you have posted in another forum, or you are being helped elsewhere, do let us know.
Otherwise, start with the following. You will want to print out or copy these instructions to Notepad for Safe Mode/offline reference! If you are a casual viewer, do NOT try this on your system!
If you are not tomartinvt and have a similar problem, do NOT post here; start your own topic
Do not run or start any other programs while these utilities and tools are in use!
Do NOT run any other tools on your own or do any fixes other than what is listed here.
If you have questions, please ask before you do something on your own.
But it is important that you get going on these following steps.
Close any of your open programs while you run these tools.
Disable Spybot's Tea Timer and keep it disabled! Otherwise, it will prevent fixes from taking place on a permanent basis.
Right click the Spybot Icon in the system tray (notification area).
- If you have the new version, click once on Resident Protection and make sure it is Unchecked.
- If you have Version 1.4, Click on Exit Spybot S&D Resident
If Teatimer gives you a warning that changes were made, click the "Allow Change" box when prompted.
Exit Spybot S&D when done and reboot the system so the changes are in effect.
and any other filesharing peer-to-peer program! I do not recommend their use since such filesharing/downloading from unknown sources is one of the leading causes of transmission of malware.
"File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology"
Good & bad P2P Programs: http://www.malwareremoval.com/p2pindex.php
Next,
1. Go here and download ERUNT
(ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)
2. Install ERUNT by following the prompts
(use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)
3. Start ERUNT
(either by double clicking on the desktop icon or choosing to start the program at the end of the setup)
4. Choose a location for the backup
(the default location is C:\WINDOWS\ERDNT which is acceptable).
5. Make sure that at least the first two check boxes are ticked
6. Press OK
7. Press YES to create the folder.
Set Windows to show all files and all folders.
On your Desktop, double click My Computer, from the menu options, select Tools, then Folder Options, and then select the VIEW tab and look at all of the settings listed.
"CHECK" (turn on) Display the contents of system folders.
Under Hidden files and folders, choose (select) Show hidden files and folders.
Next, un-check Hide extensions for known file types.
Next un-check Hide protected operating system files.
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
If you have a prior copy of Combofix, delete it now! Download Combofix from any of the links below. You must rename it before saving it. Save it to your Desktop.
Link 1, Link 2, Link 3
* IMPORTANT !!! SAVE AS Combo-Fix.exe to your Desktop. If your I.E. browser shows a warning message at the top, do a Right-Click on the bar and select Download, saving it to the Desktop.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
- Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
- Double click on Combo-Fix.exe & follow the prompts.
- As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
- Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Click on Yes, to continue scanning for malware.
Please watch Combofix as it runs, as you may see messages which require your response, or the pressing of the OK button.
IF you should see a message like this:
then be sure to write it down fully and also copy that into your next reply here.
I expect Combofix to flag ESQULserv.sys
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
-------------------------------------------------------
A caution - Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.
The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled.
If this occurs, please reboot to restore the desktop.
Even when ComboFix appears to be doing nothing, look at your Drive light.
If it is flashing, Combofix is still at work.
Next, Download RootRepeal: http://rootrepeal.googlepages.com/RootRepeal.zip
Re-enable your AntiVirus and AntiSpyware.
- Extract the archive to a folder you create such as C:\RootRepeal
- Double-click RootRepeal.exe to launch the program (Vista users should right-click and select "Run as Administrator").
- Click the "File" tab (located at the bottom of the RootRepeal screen)
- Click the "Scan" button
- In the popup dialog, check the drives to be scanned - making sure to check your primary operating system drive - normally C:
- Click OK and the file scan will begin
- When the scan is done, there will be files listed, but most if not all of them will be legitimate
- Click the "Save Report" Button
- Save the log file to your Documents folder
- Post the content of the RootRepeal file scan log in your next reply.
Reply with a copy of the C:\Combofix.txt and the RootRepeal log.
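As an added example that is not part of the original post, the PowerShell below checks and, on request, applies the per-user Explorer registry values behind three of the Folder Options steps above (show hidden files and folders, show file extensions, show protected operating system files). The registry path and value names are Windows' own; the function names are mine, and the "Display the contents of system folders" step is not covered.

```powershell
# Added example (not from the original post): check, and optionally apply, the
# Explorer "show all files" settings the post sets by hand in Folder Options > View.
# These values are per user (HKCU); Explorer applies them after a restart of
# explorer.exe or at the next logon.
$advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

# Value name -> desired setting, matching three of the Folder Options steps.
$wanted = @{
    Hidden          = 1   # 1 = show hidden files and folders (2 = do not show)
    HideFileExt     = 0   # 0 = show extensions for known file types
    ShowSuperHidden = 1   # 1 = show protected operating system files
}

function Test-ExplorerViewSettings {
    # Report each setting's current value against the wanted one.
    $current = Get-ItemProperty -Path $advanced
    foreach ($name in $wanted.Keys) {
        $value = $current.$name      # $null if the value has never been written
        $state = if ($value -eq $wanted[$name]) { 'OK' } else { 'NEEDS CHANGE' }
        [pscustomobject]@{
            Setting = $name; Current = $value; Wanted = $wanted[$name]; State = $state
        }
    }
}

function Set-ExplorerViewSettings {
    # Write the wanted values; supports -WhatIf so the change can be previewed.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($name in $wanted.Keys) {
        if ($PSCmdlet.ShouldProcess("$advanced\$name", "set to $($wanted[$name])")) {
            Set-ItemProperty -Path $advanced -Name $name -Value $wanted[$name] -Type DWord
        }
    }
}

Test-ExplorerViewSettings | Format-Table -AutoSize
# Apply with: Set-ExplorerViewSettings   (add -WhatIf to preview only)
```

Run the check first; anything reported as NEEDS CHANGE is a setting the post asks you to change in the Folder Options dialog.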