Hello JLWin, welcome to Bleeping Computer's Malware Removal forum!
My username is LiquidTension, but you can call me Adam. I will be assisting you with your malware-related problems.
If you would allow me to call you by your first name, I would prefer that.
Please read through the points below to ensure this process moves as quickly and efficiently as possible.
- Please read through my instructions thoroughly, and ensure you carry out each step in the order specified.
- Please do not post logs using the CODE, QUOTE or ATTACHMENT format. Logs should be posted directly in plain text. If you receive an error whilst posting, please break the log in half and use multiple posts.
- Please do not run any tools or take any steps other than those I provide for you. Independent efforts may make matters worse, and will affect my ability in ascertaining the current situation and providing the best set of instructions for you.
- Please backup important files before proceeding with my instructions. Malware removal can be unpredictable.
- If you come across any issues whilst following my instructions, please stop and inform me of the issue in as much detail as possible. Please do not hesitate to ask before proceeding.
- Topics are locked if no response is made after 4 days. Please inform me if you require additional time to complete my instructions.
- Ensure you are following this topic. Click at the top of the page.
Unfortunately, your computer is badly infected, and as such, I must issue the following warning.
You have a choice between cleaning the infection(s) or reformatting your computer. Ultimately, the decision is personal, and up to you and whatever you're most comfortable with. Please let me know how you wish to proceed, and if you have any questions.
One or more of the identified infections is known to use a backdoor that allows attackers to remotely control your computer, download/execute files and steal critical system, financial and personal information.
If your computer was used for online banking, has credit card information or other sensitive data, using a non-infected computer/device you should immediately change all account information (including those used for banking, email, eBay, PayPal, online forums, etc.).
Banking and credit card institutions should be notified of the possible security breach immediately. Please read the following article for more information: How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
Whilst the identified infection(s) can be removed, there is no way to guarantee that your computer will be trustworthy again unless you reformat your Hard Drive and reinstall your Operating System. This is due to the nature of the infection, which allows the attacker complete control over the computer. Many experts in the security community believe that once infected with this type of malware, the best course of action is to reformat/reinstall. Please read the following articles for more information.
If you would like to proceed with cleaning, please do the following.
ComboFix
- Note: Please read through these instructions before running ComboFix.
- Please download ComboFix and save the file to your Desktop. << Important!
- Temporarily disable your anti-virus software. For instructions, please refer to the following link.
- Right-Click ComboFix.exe and select Run as administrator to run the programme.
- Follow the prompts.
- Allow ComboFix to complete its removal routine (please refer to Important Notes:).
- Upon completion, a log (ComboFix.txt) will be created in the root directory (C:\). Copy the contents of the log and paste in your next reply.
- Re-enable your anti-virus software.
Important Notes:
- Do NOT mouse click ComboFix's window whilst it is running. This may cause the programme to stall.
- Do NOT use your computer whilst ComboFix is running.
- Your Desktop/taskbar may disappear whilst ComboFix is running; this is normal.
- If you get the message Illegal operation attempted on registry key that has been marked for deletion please reboot your computer.
- ComboFix will disconnect your machine from the Internet as soon as it starts.
- Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
- If you are unable to access the Internet after running ComboFix, please reboot your computer.
TDSSKiller
- Please download TDSSKiller and save the file to your Desktop.
- Right-Click TDSSKiller.exe and select Run as administrator to run the programme.
- Click Change parameters. Place a checkmark next to:
  - Loaded Modules
  - Detect TDLFS file system
  - Verify file digital signatures
- Note: If you receive the following message: Extended Monitoring Driver is required, click Reboot now, and continue from here following the reboot.
- Click Start Scan. Do not use the computer during the scan.
- If objects are found, change the action to skip.
- Click Continue and close the window.
- A log will be created and saved to the root directory (usually C:\). Attach the log in your next reply.
Farbar Recovery Scan Tool (FRST) Scan
- Please download Farbar Recovery Scan Tool (x32) or Farbar Recovery Scan Tool (x64) and save the file to your Desktop.
- Note: Download and run the version compatible with your system (32 or 64-bit). Download both if you're unsure; only one will run.
- Right-Click FRST.exe / FRST64.exe and select Run as administrator to run the programme.
- Click Yes to the disclaimer.
- Ensure the Addition.txt box is checked.
- Click the Scan button and let the programme run.
- Upon completion, click OK, then OK on the Addition.txt pop-up screen.
- Two logs (FRST.txt & Addition.txt) will now be open on your Desktop. Copy the contents of both logs and paste in your next reply.
In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.
- TDSSKiller log (attached)
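The TDSSKiller step above asks for the "Loaded Modules" and "Verify file digital signatures" options. As an added illustration of what that kind of check does (this is not code from the forum post, nor from TDSSKiller, ComboFix or FRST), the following PowerShell script enumerates the modules loaded into every running process and reports the ones whose Authenticode signature does not verify. It assumes an elevated PowerShell prompt on a Windows system; modules of protected or system processes cannot be read from user mode and are listed as AccessDenied rather than silently skipped.

```powershell
# Added example (not part of the original post or of any of the tools it names):
# report loaded modules whose Authenticode signature is not 'Valid'.
# Assumes: elevated PowerShell on Windows. Unsigned is not the same as malicious;
# the output is a triage list, not a verdict.

$seen = @{}   # full path -> $true, so each file is checked only once
$results = foreach ($proc in Get-Process) {
    try {
        $mods = $proc.Modules
    } catch {
        # Protected/system processes refuse module enumeration; record and move on.
        [pscustomobject]@{
            Process = $proc.ProcessName
            Module  = '<modules not readable>'
            Status  = 'AccessDenied'
            Signer  = ''
        }
        continue
    }
    foreach ($m in $mods) {
        $path = $m.FileName
        if (-not $path -or $seen.ContainsKey($path)) { continue }
        $seen[$path] = $true

        # Get-AuthenticodeSignature checks embedded and catalog signatures.
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -ne 'Valid') {
            [pscustomobject]@{
                Process = $proc.ProcessName
                Module  = $path
                Status  = $sig.Status          # e.g. NotSigned, HashMismatch, UnknownError
                Signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            }
        }
    }
}

# HashMismatch entries (a signed file whose contents no longer match the signature)
# are the ones most worth a second look; NotSigned is common for third-party software.
$results | Sort-Object Status, Module | Format-Table -AutoSize
```

Run it before and after a cleaning pass and compare the two lists; a module that disappears from the HashMismatch or NotSigned set after the removal tools have run is a useful confirmation that the change took effect, while a new entry deserves a question in the thread before any further action.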