Kenny94

Experts

Posts: 2,662

Posts posted by Kenny94

  1. Hi,

    It appears this happened after a download?

    Please visit this webpage and read the ComboFix User's Guide:

    • Once you've read the article and are ready to use the program you can download it directly from the link below.
    • Important! - Please make sure you save combofix to your desktop and do not run it from your browser
    • Direct download link for: ComboFix.exe
    • Please make sure you disable your security applications before running ComboFix.
    • Once Combofix has completed it will produce and open a log file. Please be patient as it can take some time to load.
    • Please attach that log file to your next reply.
    • If needed the file can be located here: C:\combofix.txt
    • NOTE: If you receive the message "illegal operation has been attempted on a registry key that has been marked for deletion", just reboot the computer.
  2. Hi neeeneee and welcome to Malwarebytes!

    Let's take a look before we remove software or run any scans.

    Scan with Farbar Recovery Scan Tool

    Please download Farbar Recovery Scan Tool and save it to your desktop.

    Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.

    Only one of them will run on your system, that will be the right version.

    • Double-click to run it. When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
    • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
  3. Your Computer is Clean

    Some final items:

    Follow these steps to uninstall Combofix and tools used in the removal of malware

    To remove all of the tools we used and the files and folders they created, please do the following:

    Please download OTC.exe by OldTimer:

    • Save it to your Desktop.
    • Double click OTC.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.

    Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

    • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
    • Change the Download signed ActiveX controls to Prompt
    • Change the Download unsigned ActiveX controls to Disable
    • Change the Initialize and script ActiveX controls not marked as safe to Disable
    • Change the Installation of desktop items to Prompt
    • Change the Launching programs and files in an IFRAME to Prompt
    • Change the Navigate sub-frames across different domains to Prompt
    • When all these settings have been made, click on the OK button
    • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.

    Additional Security Measures

    Scan your system for outdated versions of commonly used software applications that may also cause your PC to be vulnerable, using the Secunia Online Software Inspector (OSI). This is very important because recent statistics confirm that an overwhelming majority of infections are acquired through application flaws, not operating system flaws. Commonly used programs like QuickTime, Java, Adobe Acrobat Reader, iTunes, and many others are commonly targeted today. You can make your computer much more secure if you update to the most current versions of these programs and any others that Secunia alerts you to.

    Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates available installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

    Cookienator- Scans your PC for tracking cookies in multiple browsers as well as in Adobe Flash.

    Tips for Speeding Up Your PC

    Visit My Blog for Malware and Spyware Tips

  4. Run OTL

    • Under the Custom Scans/Fixes box at the bottom, paste in the following
      :OTL
      IE - HKU\S-1-5-21-3786737421-1029651582-3655982258-1000\..\URLSearchHook: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - No CLSID value found
      O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
      O4:64bit: - HKLM..\Run: [bcwext] rundll32.exe "C:\Users\shinyaku\AppData\Local\Temp\bcwext.dll",SteamAPI_RestartApp File not found
      O4:64bit: - HKLM..\Run: [mandh] rundll32.exe ",ConvertMeshSubsetToSingleStrip File not found
      O4 - HKU\S-1-5-21-3786737421-1029651582-3655982258-1000..\Run: [ctfmon.exe] C:\windows\system32\rundll32.exe C:\PROGRA~3\jmdoexeali.dat,StartAs File not found
      O4 - HKU\S-1-5-21-3786737421-1029651582-3655982258-1000..\Run: [] File not found
      [2012/01/10 20:00:19 | 000,002,048 | -HS- | C] () -- C:\Users\shinyaku\AppData\Local\{2b2f1e3f-3eba-e768-7501-387a192c6460}\@
      [2011/12/13 22:57:20 | 076,004,920 | -H-- | C] () -- C:\ProgramData\ilaexeodmj.dat

      :files
      C:\Users\shinyaku\AppData\Local\{2b2f1e3f-3eba-e768-7501-387a192c6460}
      C:\Users\shinyaku\AppData\Local\Temp\bcwext.dll
      C:\ProgramData\jmdoexeali.dat
      ipconfig /flushdns /c

      :Commands
      [emptytemp]
      [clearallrestorepoints]


    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • Please post the OTL fix log in your next reply.

    Note: A copy of an OTL fix log is saved in a text file at C:\_OTL\MovedFiles

    Step 2

    • Launch Malwarebytes' Anti-Malware
    • Go to Update tab and select Check for Updates. If an update is found, it will download and install the latest version.
    • Go to Scanner tab and select Perform Quick Scan, then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the entire report in your next reply.

    Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

    In your next reply, post the following log files:

    • OTL Fix log
    • Malwarebytes' Anti-Malware log
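
As an added example (not OTL's code and not part of any post above), a small Python triage of OTL "O4" autorun lines like the ones in the fix above: it flags rundll32 loading a DLL from a temp or ProgramData directory, an empty DLL path, an empty value name, and targets OTL already reports as "File not found". The embedded log lines are constructed; the SID and the two benign NvCplDaemon/Adobe entries are made up for contrast.

```python
"""Triage OTL 'O4' autorun lines: flag rundll32 loading from temp/data
directories, empty DLL paths or value names, and targets OTL reports as
'File not found' (the orphaned entry behind the "specified module could
not be found" pop-up)."""
import re

# Header: optional :64bit: marker, hive, "..\Run: [value name] command".
O4_RE = re.compile(
    r"^O4(?::64bit:)? - (?P<hive>.+?)\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
# First argument after rundll32[.exe]: a quoted path, or a bare token that
# stops at the ",EntryPoint" separator or at whitespace.
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+("([^"]+)"|[^,\s]+)', re.IGNORECASE)
# Directories a Run entry has no business loading a DLL from (lower-case).
SUSPECT_DIRS = ("\\appdata\\local\\temp\\", "\\programdata\\", "\\progra~3\\")

R_EMPTY_NAME = "empty value name"
R_ORPHANED = "target missing on disk (orphaned autorun)"
R_EMPTY_DLL = "rundll32 called with an empty DLL path"
R_SUSPECT_DIR = "rundll32 loads from a temp/data directory"
R_NOT_DLL = "rundll32 target does not end in .dll"

def parse_o4(line):
    """Split an O4 line into hive / value name / command; None if not O4."""
    m = O4_RE.match(line.strip())
    return m.groupdict() if m else None

def rundll32_target(cmd):
    """Path rundll32 is asked to load ('' if empty); None if no rundll32."""
    m = RUNDLL_RE.search(cmd)
    return (m.group(2) or m.group(1)).strip('"') if m else None

def triage(line):
    """Reasons an O4 line looks suspicious ([] = nothing noted)."""
    entry = parse_o4(line)
    if entry is None:
        return []
    reasons, cmd = [], entry["cmd"]
    if not entry["name"]:
        reasons.append(R_EMPTY_NAME)
    if cmd.endswith("File not found"):
        reasons.append(R_ORPHANED)
    target = rundll32_target(cmd)
    if target is not None:
        if not target:
            reasons.append(R_EMPTY_DLL)
        else:
            low = target.lower()
            if any(d in low for d in SUSPECT_DIRS):
                reasons.append(R_SUSPECT_DIR)
            if not low.endswith(".dll"):
                reasons.append(R_NOT_DLL)
    return reasons

def scan(text):
    """[(value name, reasons)] for every flagged O4 line in an OTL log."""
    return [(parse_o4(ln)["name"], triage(ln)) for ln in text.splitlines() if triage(ln)]

# Constructed sample modelled on the O4 lines in the fix above; the SID and
# the last two (benign) entries are made up for contrast.
SAMPLE_LOG = r"""
O4:64bit: - HKLM..\Run: [bcwext] rundll32.exe "C:\Users\shinyaku\AppData\Local\Temp\bcwext.dll",SteamAPI_RestartApp File not found
O4:64bit: - HKLM..\Run: [mandh] rundll32.exe ",ConvertMeshSubsetToSingleStrip File not found
O4 - HKU\S-1-5-21-1111111111-2222222222-3333333333-1001..\Run: [ctfmon.exe] C:\windows\system32\rundll32.exe C:\PROGRA~3\jmdoexeali.dat,StartAs File not found
O4 - HKU\S-1-5-21-1111111111-2222222222-3333333333-1001..\Run: [] File not found
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup (NVIDIA Corporation)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" (Adobe Systems Incorporated)
"""
```

Running `scan(SAMPLE_LOG)` flags the first four entries and leaves the two benign ones alone, which is the same set the OTL fix above removes.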

  5. But it still has the pop-up of bcwext.dll when I open the laptop.

    Let's get a deeper look into the system and see if something shows up. The dialogue box that pops up means there's still malware present.

    Download OTL to your Desktop

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Please tick the Scan All users. Next, click the Quick Scan button. The scan won't take long.
      • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
      • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time and post them in your topic.

  6. We need to re-run the ESET scan one more time to see if those entries (that ComboFix removed) will be recreated. But re-run ESET as below:

    Please run a free online scan with the ESET Online Scanner

    Note: You will need to use Internet Explorer for this scan.

    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the ActiveX control to install
    4. Click Start
    5. Make sure that the option Remove found threats and the option Scan unwanted applications are checked
    6. Click Scan
      Wait for the scan to finish
    7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
    8. Copy and paste that log as a reply to this topic

  7. Okay,

    • Please double-click OTM.exe to run it. (Vista users, please right click on OTM.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      :Processes

      :Services

      :Reg

      :Files
      C:\dnload\Games\PC\Battlefield 2 full game MP - SP Fixed v_1.5 -=AviaRa=-\Battlefield 2\key-generator.exe
      C:\dnload\Program\Fruity.Loops.Studio.9.Producer.Edition.XXL.rar
      C:\dnload\Program\gamebooster2.1EN.exe
      C:\dnload\Program\Nero-7.10.1.0_eng_full.exe
      C:\Users\Public\Hadoken should blast Mcafee.zap
      C:\Users\shinyaku\Desktop\stuff\Fruity.Loops.Studio.9.Producer.Edition.XXL\Fruity.Loops.Studio.9.Producer.Edition
      c:\dnload\games\pc\need.for.speed.underground.2\no cd crack\speed2.exe
      c:\dosbox\war\crack.exe
      c:\program files (x86)\image-line\hardcore\presets\i cracked my tube!.hdprg
      c:\program files (x86)\image-line\sawer\presets\ambient\mc cracked.sawer
      c:\program files (x86)\mount&blade with fire and sword\sounds\fire_small_crackle_slick_op.ogg
      c:\users\shinyaku\desktop\stuff\fruity.loops.studio.9.producer.edition.xxl\fate.the.traitor.soul-rituel\fate.the.traitor.soul-rituel\cracktro.exe
      c:\users\shinyaku\desktop\stuff\fruity.loops.studio.9.producer.edition.xxl\fruity.loops.studio.9.producer.edition.xxl-salad\official key\readme crack installation.txt
      c:\users\shinyaku\documents\xilisoft corporation\video converter ultimate\crack.js
      c:\users\shinyaku\games\unreal tournament 2004\ut2004 keygen (xp only).exe


      :Commands
      [emptytemp]
      [CREATERESTOREPOINT]
      [Reboot]


    • Return to OTM, right click in the "Paste instructions for items to be Move" window (under the light Yellow bar) and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTM\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTM

    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

    Next

    Please download the latest version of Hitman Pro from one of the following locations:

    For 32-Bit Operating Systems

    For 64-Bit Operating Systems

    • After the download completes please double click the program to run it.
    • Accept the terms of the license agreement and click Next
    • Let the scan run. It will not take long
    • When the scan finishes, and all the files have been uploaded to the Scan Cloud, click Next
    • Click Next again. At the bottom left you will see Export Scan Results To XML File. Click that and save it in a convenient location
    • Upload log.xml here for review please

    In your next reply, please include these log(s):

    1. OTM\MovedFiles (Most recent one. The day you ran it)

    2. HitmanPro3 Report

  8. Hi stuck,

    This machine contains too many pirated programs, which are the source of the infection. Until these are removed from the machine, cleanup is pointless, as these cracked versions will continue to reinstall malware. At this point I would recommend you wipe the machine, do a clean install of Windows and only install legal copies of software. Also, we have rules here on pirated programs:

    http://forums.malwarebytes.org/index.php?showtopic=97700

  9. The dialogue box that pops up, "The specified module could not be found", means the software/malware is looking for this DLL or the hook.dll. As a result the software/malware is stopped, because the DLLs need the software to run. Let's look at one more scan.

    Run CKScanner

    • Please download CKScanner from here
    • Important: - Save it to your desktop.
    • Doubleclick CKScanner.exe and click Search For Files.
    • After a couple minutes or less, when the cursor hourglass disappears, click Save List To File.
    • A message box will verify the file saved.
    • Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.

  10. Let's do the following:

    Download CCleaner from here to clean temp files from your computer.

    • Close all open internet browser windows
    • Double click on the ccsetup file to start the installation of the program.
    • Select your language and click OK, then click Next.
    • Read the license agreement and click I Agree.
    • Click Next to use the default install location. Click Install then click Finish to complete installation.
    • Double click the CCleaner shortcut on the desktop to start the program.
    • On the Windows tab, under Internet Explorer, uncheck Cookies if you do not want them deleted. (If deleted, you will likely need to reenter your passwords at all sites where a cookie is used to recognize you when you visit)
    • If you use Firefox or any other Mozilla browsers, the box to uncheck for Cookies is on the Applications tab, under Firefox/Mozilla.
    • Click on the Options icon at the left side of the window, then click on Advanced.
      Uncheck Only delete files in Windows Temp folders older than 24 hours.
    • Click on the Cleaner icon on the left side of the window, then click Run Cleaner to run the program.
    • Caution: It is not recommended that you use the Registry feature unless you are very familiar with the registry as it has been known to find legitimate items for removal, which can cause issues with other programs.
    • After CCleaner has completed its process, click Exit.

    Next

    MALWAREBYTES ANTIMALWARE

    -------------------------------------------

    Please launch MBAM and update the program before performing a scan.

    • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
    • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.

    On the Scanner tab:

    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
    • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
    • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
    • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
    • Click OK to close the message box and continue with the removal process.

    Back at the main Scanner screen:

    • Click on the Show Results button to see a list of any malware that was found.
    • Make sure that everything is checked, and click Remove Selected.
    • When removal is completed, a log report will open in Notepad.
    • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
    • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
    • Exit MBAM when done.

    Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

  11. The below items were not in the last ESET report? Did you recently download the below items?

    • Please double-click OTM.exe to run it. (Vista users, please right click on OTM.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      :Processes

      :Services

      :Reg

      :Files
      C:\dnload\Games\PC\Battlefield 2 full game MP - SP Fixed v_1.5 -=AviaRa=-\Battlefield 2\key-generator.exe
      C:\dnload\Program\Fruity.Loops.Studio.9.Producer.Edition.XXL.rar
      C:\dnload\Program\gamebooster2.1EN.exe
      C:\dnload\Program\Nero-7.10.1.0_eng_full.exe
      C:\Users\Public\Hadoken should blast Mcafee.zap
      C:\Users\shinyaku\Desktop\stuff\Fruity.Loops.Studio.9.Producer.Edition.XXL\Fruity.Loops.Studio.9.Producer.Edition.XXL-SALAD\flstudio_9.0.exe
      :Commands
      [purity]
      [resethosts]
      [emptytemp]
      [CREATERESTOREPOINT]
      [EMPTYFLASH]
      [clearallrestorepoints]
      [Reboot]


    • Return to OTM, right click in the "Paste instructions for items to be Move" window (under the light Yellow bar) and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTM\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTM

    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

  12. Click removed with Avira Security Alert for now. As for your temp files with TFC, I have another cleaner for when we are almost done. We need to do another ESET Online Scanner scan as you did before. Please post the log.

    There are some older versions of Java and Adobe Acrobat Reader on your computer. These can be a source of the infection/infections.

    Go to Start > Control Panel > Add/Remove Programs.

    Please remove these entries from Add/Remove Programs in the Control Panel

    Adobe Reader 9

    Java™ 6 Update 22

    Reboot your computer once all Java and Adobe Reader components are removed.

    Next

    ESET Online Scanner

    Note: You can use either Internet Explorer or Mozilla Firefox for this scan. You may, however, need to disable your currently installed Anti-Virus; how to do so can be read here.

    • Please go here, then click on the button shown in the image.
    • Select the option YES, I accept the Terms of Use, then click on the button shown in the image.
    • When prompted, allow the Add-On/ActiveX to install.
    • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
    • Now click on Advanced Settings and select the following:
      • Scan for potentially unwanted applications
      • Scan for potentially unsafe applications
      • Enable Anti-Stealth Technology
    • Now click on the button shown in the image.
    • The virus signature database... will begin to download. Be patient; this may take some time depending on the speed of your Internet connection.
    • When completed, the Online Scan will begin automatically.
    • Do not touch either the mouse or keyboard during the scan, otherwise it may stall.
    • When completed, select Uninstall application on close if you so wish, but make sure you copy the logfile first!
    • Now click on the button shown in the image.
    • Use Notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
    • Copy and paste that log as a reply to this topic.

    Note: Do not forget to re-enable your Anti-Virus application after running the above scan!

  13. We need to clean out your temp files at this point. Check your PC Security as well.

    TFC(Temp File Cleaner):

    • Please download TFC to your desktop,
    • Save any unsaved work. TFC will close all open application windows.
    • Double-click TFC.exe to run the program.
    • If prompted, click "Yes" to reboot, if not, do this yourself to ensure a complete clean

    Note: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

    Next

    Download Security Check by screen317 and save it to your Desktop.

    • Double-click Security Check.exe to start the application
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

    Note: if a security program requests permission from dig.exe to access the Internet, allow it to do so.

  14. Smile, we are getting closer. Good job you did there!

    Run CFScript

    • Close any open browsers.
    • Open Notepad by clicking Start
    • Click Run
    • Type notepad into the box and click enter
    • Notepad will open
    • Copy and Paste everything from the Code box into Notepad:

    KILLALL::
    ClearJavaCache::

    Save the file to your desktop and name it CFScript.txt

    Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

    [screenshot: dragging CFScript.txt onto ComboFix.exe]

    This will start ComboFix again. It may ask to reboot. Be sure to save the ComboFix log.

    Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.

    Next

    Update and Run Malwarebytes

    • Launch Malwarebytes' Anti-Malware
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the entire report in your next reply.

    Extra Note:

    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

    Post the contents of Combofix.txt and the Malwarebytes log in your next reply. Also, let me know how your PC is doing.
