Posts posted by dan12
-
-
My apology for delay, did you address this file c:\mfe <<Just delete this file manually at all? (find and delete)
As it's been a few days can I see a further HJT log as things can change on a daily basis.
dan
-
Hi, did you remove limewire after my advice earlier, reference p2p ?
will get to file removal don't worry
-
Run HijackThis, select Do a system scan only and place checks against the following entries (if they are still present)
O4 - HKLM\..\RunOnce: [GooredFixCleanup] C:\WINDOWS\system32\cmd.exe /Q /C "del C:\DOCUME~1\STEPHE~1\LOCALS~1\Temp\_gooredcleanup.bat"
WITH ALL OTHER WINDOWS CLOSED Click on Fix Checked and exit
You're good to go.
Congratulations you are clean!
Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
You don't need to put all of these programs on your system unlike your Antivirus and firewall of which you can only have one of each.
However you can have several Antimalware programs
Create a new System Restore Point
This is a good time to clear your existing system restore points and establish a new clean restore point:
- Go to Start > All Programs > Accessories > System Tools > System Restore
- Select Create a restore point, and Ok it.
- Next, go to Start > Run and type in cleanmgr
- Select the More options tab
- Choose the option to clean up system restore and OK it.
This will remove all restore points except the new one you just created.
Here are some free programs I recommend that could help you improve your computer's security.
Spybot Search and Destroy 1.6.2
Download it from here. Just choose a mirror and off you go.
Find here the tutorial on how to use Spybot properly here
Find here changes from older version 1.4 here
Install Spyware Guard
Download it from here
Find here the tutorial on how to use Spyware Guard here
Install SpyWare Blaster
Download it from here
Find here the tutorial on how to use Spyware Blaster here
Install WinPatrol
Download it from here
Here you can find information about how WinPatrol works here
Install FireTrust SiteHound
You can find information and download it from here
Install MVPS Hosts File from here
The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
Find Tutorial here : http://www.mvps.org/winhelp2002/hosts.htm
Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
You can use one of these sites to check if any updates are needed for your pc.
Visit Microsoft often to get the latest updates for your computer.
http://www.update.microsoft.com
Please check out Tony Klein's article here
Read some information here how to prevent Malware.
Stand Up and Be Counted!
Please take the time to tell us what you would like to be done about the people who are behind all the problems you have had. We can only get something done about this if the people that we help, like you, are prepared to complain. We have a dedicated forum for collecting these complaints called Malware Complaints. Please register there first! Then follow the instructions.
>> Here << you can see how you can help us.
Happy safe surfing!
Dan
-
Do we have the kaspersky scan report?
-
I noticed Firefox is out of date: Mozilla Firefox (3.0.7). I believe it's 3.0.8 now.
boot up in SAFE MODE
Run HijackThis, select Do a system scan only and place checks against the following entries (if they are still present)
O4 - HKLM\..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u
WITH ALL OTHER WINDOWS CLOSED Click on Fix Checked and exit
Boot into normal mode
------------------------
The following will implement some cleanup procedures as well as reset System Restore points:
Click Start > Run and copy/paste the following bolded text into the Run box and click OK:
ComboFix /u
Click Start >> Run and then copy/paste the following into the box and hit Enter:
"%userprofile%\Desktop\GooredFix.exe" /uninstall
If any of your security programs query a new Registry/AutoStart value being added please allow the changes.
You can delete RootRepeal and javara
post a fresh HJT log and let me know if above went ok.
-
If you don't use mirc it's just taking up space, so uninstall it.
can I see a fresh HJT log as it's been a couple of days since I saw one.
dan
-
Hi, can I ask do you use mirc? as this could be a false positive
-
I'm confused.. how do I delete the file you want me to delete. And what do you want me to Jotti. Sorry, I've been out of town for a few days and I'm a little fuzzy on how to work on this stuff..
c:\mfe <<Just delete this file
Now run the kaspersky scan.
Don't worry about jotti's typo error on my part
-
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Open notepad and copy/paste the text in the quotebox below into it:
KILLALL::

File::
c:\windows\system32\drivers\uhzzdvnk.sys

Driver::
xrxyv
Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe
Referring to the picture above, drag CFScript into ComboFix.exe
When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
-------------------------------
Please go into the Control Panel, Add/Remove and for now remove ALL versions of JAVA
Then run this tool to help cleanup any left over Java
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please download JavaRa and unzip it to your desktop.
***Please close any instances of Internet Explorer (or other web browser) before continuing!***
- Double-click on JavaRa.exe to start the program.
- From the drop-down menu, choose English and click on Select.
- JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
- Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
- A logfile will pop up. Please save it to a convenient location and post it back when you reply
Then look for the following Java folders and if found delete them.
C:\Program Files\Java
C:\Program Files\Common Files\Java
C:\Documents and Settings\All Users\Application Data\Java
C:\Documents and Settings\All Users\Application Data\Sun\Java
C:\Documents and Settings\username\Application Data\Java
C:\Documents and Settings\username\Application Data\Sun\Java
------------------------
Download and Update Java Runtime
The most current version of Sun Java is: Java Runtime Environment (JRE) 6 Update 13.
- Go to http://java.sun.com/javase/downloads/index.jsp
- Go to Java Runtime Environment (JRE) 6 Update 13 about half way down the page and click on the Download button.
- In Platform box choose Windows.
- Check the box to Accept License Agreement and click Continue.
- Click on Windows Offline Installation, click on the link under it which says jre-6u12-windows-i586-p.exe and save the downloaded file to your desktop.
- Install the new version by running the newly-downloaded file with the java icon which will be on your desktop, and follow the on-screen instructions.
- Uncheck the Toolbar button (unless you want the toolbar)
- Reboot your computer
----------------------
Please go to Kaspersky website and perform an online antivirus scan.
- Read through the requirements and privacy statement and click on Accept button.
- It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
- When the downloads have finished, click on Settings.
- Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
  - Spyware, Adware, Dialers, and other potentially dangerous programs
  - Archives
  - Mail databases
- Click on My Computer under Scan.
- Once the scan is complete, it will display the results. Click on View Scan Report.
- You will see a list of infected items there. Click on Save Report As....
- Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
- Please post this log in your next reply.
Post combofix log
java report
kaspersky report
-
Not forgotten you, be with you soon
-
My apology Masterguy, for not getting back to you, for some reason this was my first notification that I received after my last post to you.
As advancesetup has mentioned we try our best but we lose the odd one in the system, we are human too
I will leave you in the capable hands of advancesetup
Kind regards
dan
-
McAfee was only doing its job. Items flagged are quite safe as I have them in a secure place and will deal with them when I'm happy we're clean.
c:\mfe <<You can delete this folder
Please go to Kaspersky website and perform an online antivirus scan.
- Read through the requirements and privacy statement and click on Accept button.
- It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
- When the downloads have finished, click on Settings.
- Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
  - Spyware, Adware, Dialers, and other potentially dangerous programs
  - Archives
  - Mail databases
- Click on My Computer under Scan.
- Once the scan is complete, it will display the results. Click on View Scan Report.
- You will see a list of infected items there. Click on Save Report As....
- Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
- Please post this log in your next reply.
Post:
jotti's report
kaspersky report
fresh HJT log
-
Submit a File For Analysis
We need to have the files below Scanned by Uploading them/it to Jotti
Please visit Jotti
Copy/paste the following file path into the window
c:\program files\dMC-r10.exe
Click Submit/Send File
Please post back, to let me know the results.
Please do the same for the following file
c:\windows\system32\10E31F1BA8.sys
If Jotti is too busy please try Virustotal
-----------------------------
ATF Cleaner
Download ATF Cleaner here by Atribune.
- Double-click ATF-Cleaner.exe to run the program
Under Main choose: Select All
Click the Empty Selected button
If you use Firefox browser
- Click Firefox at the top and choose: Select All
Click the Empty Selected button
NOTE: If you would like to keep your saved passwords, please click No at the prompt
If you use Opera browser
- Click Opera at the top and choose: Select All
Click the Empty Selected button
NOTE: If you would like to keep your saved passwords, please click No at the prompt
Click Exit on the Main menu to close the program.
----------------------------
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Open notepad and copy/paste the text in the quotebox below into it:
File::
c:\windows\system32\uactmp.db
C:\register.bat
c:\documents and settings\Raven\register.bat

Folder::
c:\program files\LimeWire

DirLook::
c:\documents and settings\All Users\Application Data\{B46E1EF5-0B37-4DB4-A4E2-9F2B41036185}
C:\mfe
C:\e51e30ab8bb3b01752a8c619c942

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{148dd71f-040f-11dc-95e1-00038a000015}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe
Referring to the picture above, drag CFScript into ComboFix.exe
When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
------------------------------
: Malwarebytes' Anti-Malware :
Please download Malwarebytes' Anti-Malware to your desktop.
- Double-click mbam-setup.exe and follow the prompts to install the program.
- At the end, be sure a checkmark is placed next to
  - Update Malwarebytes' Anti-Malware
  - and Launch Malwarebytes' Anti-Malware
- then click Finish.
- If an update is found, it will download and install the latest version.
- Once the program has loaded, select Perform full scan, then click Scan.
- When the scan is complete, click OK, then Show Results to view the results.
- Be sure that everything is checked, and click Remove Selected.
- When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  - If you accidentally close it, the log file is saved here and will be named like this:
  - C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
Post:
combofix log
malwarebytes report
jotti's report
-
You did fine ,I will start to look over the logs soon
-
Ok, don't worry.
Download and run Combofix
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper
Please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop
- Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
- Double click on ComboFix.exe & follow the prompts.
- As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
- Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Click on Yes, to continue scanning for malware.
When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log.
If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
----------------------------------------------
Post back:
Combofix report.
A new HijackThis log.
-
You will be able to run in normal mode now
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Open notepad and copy/paste the text in the quotebox below into it:
File::
c:\windows\system32\drivers\uhzzdvnk.sys
c:\windows\system32\vtfojmze.fzv

Folder::
c:\program files\Full Tilt Poker
c:\program files\BitTorrent
c:\documents and settings\Stephen Conroy\Application Data\utorrent

Driver::
xrxyv;xrxyv
VTFOJMZE

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\VTFOJMZE]
"ImagePath"=-
Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe
Referring to the picture above, drag CFScript into ComboFix.exe
When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
Can you update malwarebytes and do a full scan.
Post:
combofix report
Malwarebytes report
-
Ok, try combofix in safe mode please.
-
Run in normal mode please
working in safe mode with networking you have no protection at all.
-
You're very welcome.
I'm pleased all went ok.
dan
-
ok, may be best then run disinfector through then you can delete the application.
well if that is all will close up.
Kind regards dan
-
I noticed you have allowed some sites into your trusted zone!
If you use these sites frequently, and trust the sites, and are comfortable leaving these entries in your Trusted Zone, that's up to you.
however, realize that you are taking a big security risk by allowing any site to have unfettered access to your Trusted Zone.
This is your call it's your machine, I can only advise you.
Run HijackThis, select Do a system scan only and place checks against the following entries (if they are still present)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O15 - Trusted Zone: http://*.gonintendo.com
O15 - Trusted Zone: http://download.windowsupdate.com
WITH ALL OTHER WINDOWS CLOSED Click on Fix Checked and exit
Post a further HJT log and let me know how things are with the pc
dan
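The review step in the post above, picking autostart, toolbar and Trusted Zone lines out of a HijackThis log, can be scripted. This is an added example, not part of the original post or of HijackThis itself; the sample lines are entries quoted in the posts on this page plus a constructed header, and the note wording and function names are assumptions.

```python
import re
from dataclasses import dataclass, field

# HijackThis entries look like "<section> - <detail>", e.g. "O15 - Trusted Zone: ...".
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<detail>.+)$")
TRUSTED_RE = re.compile(r"^Trusted Zone: (?P<url>\S+)$")
AUTORUN_RE = re.compile(
    r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$"
)

# Constructed header line followed by entries quoted in the posts on this page.
SAMPLE_LOG = r"""Logfile of HijackThis (constructed header)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u
O15 - Trusted Zone: http://*.gonintendo.com
O15 - Trusted Zone: http://download.windowsupdate.com
"""


@dataclass
class Entry:
    section: str
    detail: str
    notes: list = field(default_factory=list)


def parse_line(line):
    """Return an Entry for a HijackThis log line, or None for non-entry text."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    entry = Entry(m["section"], m["detail"])
    if entry.section == "O15":
        t = TRUSTED_RE.match(entry.detail)
        if t:
            url = t["url"]
            entry.notes.append("trusted-zone site")
            if "*." in url:
                entry.notes.append("wildcard covers every subdomain")
            if url.lower().startswith("http://"):
                entry.notes.append("plain http, no TLS")
    elif entry.section == "O3" and entry.detail.endswith("(no file)"):
        entry.notes.append("toolbar registered but file missing")
    elif entry.section == "O4":
        a = AUTORUN_RE.match(entry.detail)
        if a:
            entry.notes.append(f"autostart via {a['hive']} {a['key']}: {a['name']}")
    return entry


def review(log_text):
    """Return only the entries that carry at least one review note."""
    parsed = (parse_line(line) for line in log_text.splitlines())
    return [e for e in parsed if e is not None and e.notes]


if __name__ == "__main__":
    for e in review(SAMPLE_LOG):
        print(f"{e.section}: {e.detail}\n    -> " + "; ".join(e.notes))
```

The notes only describe what each line says; whether an entry should be fixed is still a judgement for whoever reads the log.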
-
- Close all programs so that you are at your desktop.
- Double-click on the My Computer icon.
- Select the Tools menu and click Folder Options
- After the new window appears select the View tab.
- Place a checkmark in the checkbox labeled Display the contents of system folders
- Under the Hidden files and folders section select the radio button labeled Show hidden files and folders
- Remove the checkmark from the checkbox labeled Hide file extensions for known file types
- Remove the checkmark from the checkbox labeled Hide protected operating system files
- Press the Apply and then the ok button and shut down my computer
- Now your computer is configured to show all hidden files.
- For you and the tools to be able to see appropriate files we need to Show Hidden Files
This installer can go..
mbam-setup.exe
This folder needs to go
C:\Documents and Settings\Yuri Naumtchik>dir f:\"Nokia Music Manager"\N-1-5-21-1895552279-3129831995-389225551-6003
Run the Desinfector through again.
-
Create a NEW folder on your Desktop named: BadFiles
Start Root Repeal and click on the Drivers tab and then click the Scan button.
Then right click on this file: UACpwvyeppf.sys and select Dump File
This will bring up a Dump to file dialog box. Browse or select your Desktop where you created the BadFiles folder.
Then type in the name UACpwvyeppf.sys and save it in that folder.
You can quit Root Repeal now.
Then zip up that file and upload it to: uploads.malwarebytes.org
How To Use Compressed (Zipped) Folders in Windows XP
Compress and uncompress files (zip files) in Vista
Start Root Repeal again and click on the Drivers tab and then click the Scan button.
Then right click on this file: UACpwvyeppf.sys Next right mouse click on it and select *wipe file* option only then immediately reboot the computer.
Now update and scan with malwarebytes again, a quick scan
Post the report
-
Both Norton and McAfee are active on this pc, check the running processes you will see Norton and McAfee , you can see them in 02's, 04's,023's
Please remove or disable one of them.
Send me a further uninstall list please.
Edit:
Looks like I have an apology to make regarding McAfee
will catch you soon
Malwarebytes won't install at all!!
in Resolved Malware Removal Logs
Posted
The following will implement some cleanup procedures as well as reset System Restore points:
Click Start > Run and copy/paste the following bolded text into the Run box and click OK:
ComboFix /u
You can delete RootRepeal
Just need to reverse what you did earlier for me when you checked BOOTLOG. It may well be done already, like to make sure.
Click on START - RUN and type in MSCONFIG go to the BOOT.INI tab and uncheck BOOTLOG
Click on OK and you will be prompted to RESTART Windows. Please do restart now.
Let me know when done and can you tell me how things are now.