LandzDown Forum

Hi, walemon.  Welcome to LandzDown Forum.

We will do our best to assist you.  However, in order to do so, please follow all instructions provided in the sequence given.  Do not install/re-install any programs or run any fixes or scanners that you have not been instructed to use.  This may cause conflicts with the tools being used in the cleanup process.   

If you have questions regarding any of the instructions or problems running any tools, please let us know.

Please start Internet Explorer and do the following:

• Click on the Tools menu. 
• Select Internet Options.
• Click on the Connections tab.
• Click on the LAN Settings button so you are on the Local Area Network (LAN) settings screen.
• Under the Proxy Server section, please UNCHECK the checkbox labeled "Use a proxy server for your LAN".
• Press OK button to close this screen.
• Press the OK button to close the Internet Options screen.

This should fix the problem with Internet Explorer.

Next, please download rkill from one of the following links and save to your Desktop:

One, Two,Three or Four

• Double-click rkill to run.
• A command window will open then disappear upon completion, this is normal.
• Please leave rkill on the Desktop until otherwise advised.
  
• Do NOT restart your computer after running rkill as the malware program(s) will start again and you will need to run rkill again.

Notes:  If you you receive security warnings about rkill, please ignore and allow the download to continue.

Please download Malwarebytes' Anti-Malware to your desktop.

• Double-click mbam-setup.exe and follow the prompts to install the program.
• At the end, be sure a checkmark is placed next to
  Update Malwarebytes' Anti-Malware and
  Launch Malwarebytes' Anti-Malware
• Click Finish.
• If an update is found, it will download and install the latest version.
• Once the program has loaded, be sure Quick scan is selected, then click Scan.
• When the scan is complete, click OK, then Show Results to view the results.
• Be sure that everything is checked, EXCEPT items in System Restore as shown in this sample:
  
• Click Remove Selected.
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See the Note below)
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
• Please post contents of that file in your next reply.

** Note **

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Following that, Download DDS.scr by sUBs from one of the following links and save it to your desktop.
Link 1
Link 2

• Double-Click dds.scr and a command window will appear. This is normal
• Shortly after two logs will appear, DDS.txt & Attach.txt
• A window will open instructing you save & post the logs
• Save the logs to a convenient place such as your desktop
• Copy the contents of both logs & post in your next reply

Due to the length of the logs, it may be necessary to create two replies in order to provide all the requested information.

Hi, walemon.

Some malware will not allow processes to run unless they have a certain filename. Since you were not able to run the version of RKill you downloaded, please try a different filename offered below.

   1. rkill.exe
   2. rkill.com
   3. rkill.scr
   4. rkill.pif
   5. WiNlOgOn.exe
   6. uSeRiNiT.exe

When you restart, try going into SafeMode as some of the processes may not load then.

Let's try this:

Please follow these instructions carefully.

Download ComboFix from one of the following locations:

Link 1
Link 2

!!! IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your antivirus and anti-malware security applications. If not disabled, these programs will likely interfere with cleanup process. This can usually be accomplished by a right-click on the icon in the System Tray. 

Note:  If you are unsure how to disable your security software, see the instructions in this topic at Tech Support Forum:  .

Now, please run ComboFix:

• Note:  If infections are found, ComboFix will automatically reboot the machine to complete the removal process.  Please ensure all opened windows are closed before proceeding.
• Double-click ComboFix.exe on your desktop and follow the prompts.
• As part of the process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it is strongly recommended to have this pre-installed on your machine before doing any malware removal. The Recovery Console will allow you to start up the computer in a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  
  Please note: If the Microsoft Windows Recovery Console is already installed on the computer, ComboFix will continue the malware removal procedures.
  
  
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
• When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  
  
• After the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
  
  
• Click "Yes" to continue scanning for malware.
• When finished, a log will be produced. Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log.

I'm so desperate I was wondering what would happen if you complete the transaction with this fake virus. Would it be removed?

Try running ComboFix in Safe Mode.  If that doesn't work, delete the version you downloaded and we'll try renaming it, which must be done before downloading.

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop, using the SaveAs and name it something like Moon.123 or WaleFix.scr (Select anything that is alpha-numeric).

Double click on the renamed ComboFix & follow the prompts.

When finished, it will produce a report for you.
• Please post the C:\ComboFix.txt so we can continue cleaning the system.