Posts posted by negster22

  1. You're welcome & good job!


    Your infection is removed and you're able to perform a complete scan with MBAM on all drives now with 0 detections found, so our work is just about done now.


    We have to perform a few "housekeeping" steps to remove the clean-up tools that we used!!


    To remove Combofix and its quarantine folder:


    Click Start -> Run, and copy/paste the following bolded text in the Open: box and select OK:


    combofix /uninstall





    This will do the following:

    • Uninstall Combofix and all its associated files and folders.

    • Flush your system restore points and create a new restore point.

    • Rehide your system files and folders

    • Reset your system clock
    • Disable autorun to prevent you from contracting USB-transferred infections.  You can still access all plugged-in devices via My Computer (or Computer in Vista & Win7) or by hitting the (Windows key + E) simultaneously to open Windows Explorer.


    Here are some additional measures you should take to keep your system in good working order and ensure your continued security.


    1. Scan your system for outdated versions of commonly used software applications that may also cause your PC to be vulnerable, using the Secunia Online Software Inspector (OSI).  This is very important because recent statistics confirm that an overwhelming majority of infections are acquired through application flaws, not Windows operating system flaws.  Commonly used programs like QuickTime, Java, Adobe Acrobat Reader, iTunes, and others are frequently targeted today.  You can make your computer much more secure if you update to the most current versions of these programs and any others that Secunia alerts you to. We've already updated Java and the Adobe Reader.


    Just click the "Start Scanner" button to get a listing of all outdated and possibly insecure resident programs. 


    Note: If your firewall prompts you about access, please allow it. You may also have to approve Java running. 


    2. Keep MBAM as an on-demand scanner because I highly recommend it, and the quick scan will find almost all active malware in minutes.  Updating to the Pro version is recommended.


    3. You can reduce your startups by downloading Malwarebyte's StartUp Lite and saving it to a convenient location. Just double-click StartUpLite.exe. Then, check the options you would like based on the descriptions provided, then select continue. This will free up system resources because nonessential background programs will no longer be running when you start up your computer. 


    You should obtain the most current operating system updates/patches and the latest released version of Internet Explorer.

    The easiest and fastest way to obtain Windows Updates is by clicking Control Panel -> Windows Update


    However, setting your computer to download and install updates automatically will relieve you of the responsibility of doing this on a continual basis.  It is important to periodically check that Windows Update is functioning properly because many threats disable it as part of their strategy to compromise your system. Windows Updates are released on the second Tuesday of every month.



    Finally, The Security Check scan you ran initially suggests that your hard drive is due for a defrag:


    `````````````````System Health check`````````````````

     Total Fragmentation on Drive C:: 23% Defragment your hard drive soon! (Do NOT defrag if SSD!)

    ````````````````````End of Log``````````````````````



    Performing a defrag should make your computer run faster, by improving disk access times.



  2. Very good job!


    Those two logs look fine.  


    You can uninstall the ESET Online Scanner from the Control Panel -> Add/Remove Programs feature.


    I want you to try to run a complete MBAM scan now in normal mode.


    If you encounter an Application Hang on mbam.exe again, then I will do something about the DRM drivers.  After which, I'll have you try running a complete scan again. One of the drivers shows up in your RogueKiller log here:


    ¤¤¤ Driver : [LOADED] ¤¤¤

    [Address] IRP[iRP_MJ_INTERNAL_DEVICE_CONTROL] : atapi.sys -> HOOKED (prosync1.sys @ 0xBA5B26C1)


    So try that for now, and let me know how it goes.

  3. That worked out well. Good job!


    Download TFC (Temporary File Cleaner) to your desktop:
    • Select the green "Download" Button to download TFC.exe
    • Close any open windows.
    • Double click the TFC icon to run the program
    • TFC will close all open programs itself in order to run,
    • Click the Start button to begin the process.
    • Allow TFC to run uninterrupted.
    • The program should not take long to finish its job
    • Once its finished it should automatically reboot your machine,
    • if it doesn't, manually reboot to ensure a complete clean
    Download RogueKiller and save it to your desktop.
    • Close all the running processes
    • Double click RogueKiller icon to run the program
    Vista/Win7 users should right click the icon and select Run as Administrator.
    • Wait for the Prescan to finish. 
    • Now click the Scan button. 
    • Please copy and paste the report in your next reply.
    A copy of the RKreport.txt can be found on your desktop.
    • If RogueKiller is blocked, do not hesitate to try running it again. 
    • If it still fails to run, right click on the downloaded icon and select 'Rename'.....rename it to winlogon.exe and try again.
    Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. A malicious site could render Java content under older, vulnerable versions of Sun's software if the user has not removed them. Please follow these steps to remove older version Java components and update:
    • Scroll down to where it says "Java SE 7 Update 40".
    • Click the "Download JRE" button.
    • Accept the license agreement.
    • select 'Windows x86' offline from the list.
    • Save the file to your desktop.
    • Close any programs you may have running - especially your web browser.
    • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
    • Check  J2SE Runtime Environment 5.0 Update 10  and  any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button.
    • Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on downloaded icon to install the newest version.


    Note: If the Ask Toolbar or any other Toolbar is pre-checked for installation, UNCheck it, if you do not wish it to install (it is NOT required for the Java Update to complete properly)

    Run updates to Adobe Reader:
    • Close all programs and windows.
    • Open Adobe Reader (click on "Start".  Click on "All Programs".  Click on "Adobe Reader").
    • When Adobe Reader is loaded, click on "Help".
    • Click on "Check for updates now" (or "Updates").
    • You will see available updates in the left window.
    • Select all updates or critical items in the left window and click the "Add" icon between the windows.  Click on the "Update" icon at the bottom.
    • The system will start processing the update.
    • If there are 2 or more updates, you will probably have to reboot between updates.
    Please perform a scan with the ESET online virus scanner.
    You can expect some detections in Combofix's quarantine (Qoobox) and system volume information. They will not represent active malware so don't worry:


    • ESET recommends disabling your resident antivirus's active protection component BEFORE scanning 
    • Use Internet Explorer to navigate to the scanner website because you must approve installation of an ActiveX add-on to complete the scan.
    • Select the "Run ESET Online Scanner" Button.
    • Check the "Yes, I accept the terms of use" box.
    • Click "Start"
    • Approve the installation of the ActiveX control that's required to enable scanning
    • Make sure the box "Remove found threats" is CHECKED!!
    • Click "Start"
    • Allow the definition data base to install
    • Click "Scan"
    When the scan is complete,
    If no threats were found:
    • Check in "Uninstall application on close"
    • Close program
    If threats were found:
    • Select "list of threats found"
    • Select "Export to Text File" & Save the Report to your Desktop as "ESETScanLog"
    • Select Back
    • Place a checkmark in "Uninstall application on close"
    • Select Finish & Exit the program
    • Please copy/paste the scan report in your next reply.  It can be found in this location:
    Note to Windows 7/8 and Vista users, and anyone with restrictive IE security settings:
    Depending on your security settings, you may have to allow cookies and put the ESET website, www.eset.com,  into the trusted zone of Internet Explorer if the scan has problems starting (in Vista this is a necessity as IE runs in Protected mode)
    To sum it up, I need you to post the following in your next reply:
    1. The RogueKiller Report: RKreport.txt located on your desktop
    2. The ESET Scan Report: C:\Program Files\EsetOnlineScanner\log.txt

  4. Star Force Protection is DRM copyright protection software probably installed with one of your games.  It has a total of four low-level drivers loaded and there is a possibility that it may be the culprit in stalling MBAM.  But, I don't want to do anything with it yet because I want to proceed in a stepwise fashion.  Right now, I am having you run a fixlist that will delete a Kaspersky antivirus driver.  I'm not sure why it's running on your system. Maybe TDSSKiller put it there because it wasn't in your Combofix log, and you ran Combofix prior to running TDSSKiller.


    Open notepad.


    Select Format and make sure Wordwrap is UNchecked.


    Please copy the contents of the code box below. 


    To do this highlight the contents of the box and right click on it. Paste this into the open notepad. 


    Save it to your desktop (the same folder that FRST.EXE is located in) as fixlist.txt


    C:\Documents and Settings\All Users\Desktop\iMesh.lnk
    C:\Documents and Settings\Vanessa\Local Settings\temp\lowproc.exe
    DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
    R1 KLIF; C:\Windows\System32\DRIVERS\klif.sys [127768 2007-07-19] (Kaspersky Lab)
    2013-10-12 09:13 - 2009-07-12 09:42 - 00786140 ___SH C:\WINDOWS\system32\Drivers\fidbox.idx
    C:\Documents and Settings\Vanessa\Local Settings\temp\Setup.exe
    C:\Documents and Settings\Gordon\Local Settings\temp\Quarantine.exe
    2013-10-09 21:02 - 2013-10-09 21:03 - 04121952 _____ (Kaspersky Lab ZAO) C:\Documents and Settings\Gordon\Desktop\tdsskiller.exe
    C:\Program Files\OpenIt


    NOTICE: This script was written specifically for this user, for use on that particular machine. 

    Running this on another machine may cause damage to your operating system


    Run FRST and press the Fix button just once and wait.

    The tool will create and open a log on your Desktop called Fixlog.txt. Please post it to your reply


    Run an MBAM Quick Scan in normal mode and see how it goes.

  5. These two items in your MBAM scan are inconsequential as they are only present in your system restore data:


    Files Detected: 2
    C:\System Volume Information\_restore{8B88F6CD-FA94-4B7D-B351-3636856952B3}\RP1135\A0699887.dll (PUP.Optional.Wajam.A) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{8B88F6CD-FA94-4B7D-B351-3636856952B3}\RP1136\A0700480.exe (PUP.Optional.iMeshMusicBoxTB.A) -> Quarantined and deleted successfully.



    I am working on a fix for you based on the items in the FRST tool log.


    Some questions for you so I know what direction to take:


    Did you create this text file:

    C:\Documents and Settings\Gordon\Desktop\aa.txt


    And this Desktop shortcut to iMesh?

     C:\Documents and Settings\All Users\Desktop\iMesh.lnk
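
The judgement made in this post and in post 3 above (detections inside a System Restore point or inside ComboFix's Qoobox quarantine are inert copies, not active malware) can be applied to a whole MBAM log mechanically. The script below is an added example for this thread, not Malwarebytes' or ComboFix's own code. It parses "Files Detected" lines, classifies each path by where the file sits, and checks the parsed count against the "Files Detected: N" header so a truncated log is noticed. The first two sample lines are the ones quoted in this post; the Qoobox and Program Files lines, their threat names, and the fixed C:\Qoobox quarantine path are assumptions made for the example.

```python
"""Triage Malwarebytes (MBAM) 'Files Detected' lines by where each file sits.

Added example for this thread, not Malwarebytes' or ComboFix's own code. It
encodes the judgement made in the posts: a detection inside a System Restore
point or inside ComboFix's Qoobox quarantine is an inert copy, while the same
name under Program Files or a profile directory is live. The path conventions
and the 'temp' bucket are this example's assumptions.
"""
import re
from collections import defaultdict

# One MBAM detection line: <path> (<threat name>) -> <action taken>.
DETECTION_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")

# System Restore keeps renamed copies under ...\_restore{GUID}\RP<n>\A<digits>.<ext>
RESTORE_POINT_RE = re.compile(
    r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\RP\d+\\", re.IGNORECASE)

# ComboFix quarantine root (assumed fixed at C:\Qoobox, as referenced in the thread).
QUARANTINE_PREFIXES = ("c:\\qoobox\\quarantine\\",)
# Temp directories: droppers land here; usually not executing, but worth listing.
TEMP_MARKERS = ("\\local settings\\temp\\", "\\appdata\\local\\temp\\", "\\windows\\temp\\")


def classify_location(path: str) -> str:
    """Bucket a detected path: restore_point, tool_quarantine, temp or active_location."""
    lower = path.lower()
    if RESTORE_POINT_RE.search(path):
        return "restore_point"      # copy held by System Restore, never run from here
    if lower.startswith(QUARANTINE_PREFIXES):
        return "tool_quarantine"    # already neutralised by a removal tool
    if any(marker in lower for marker in TEMP_MARKERS):
        return "temp"               # installer/dropper residue
    return "active_location"        # Program Files, profile dirs, system32: treat as live


def parse_mbam_detections(log_text: str) -> list:
    """Return one dict per detection line: path, threat, action, location."""
    found = []
    for raw in log_text.splitlines():
        m = DETECTION_RE.match(raw.strip())
        if m:
            d = m.groupdict()
            d["location"] = classify_location(d["path"])
            found.append(d)
    return found


def declared_count(log_text: str):
    """The 'Files Detected: N' header, or None if absent. A mismatch with the
    number of parsed lines means the log was truncated or a line was missed."""
    m = re.search(r"^\s*Files Detected:\s*(\d+)", log_text, re.MULTILINE)
    return int(m.group(1)) if m else None


def triage(log_text: str) -> dict:
    """Group detected paths by location class."""
    groups = defaultdict(list)
    for d in parse_mbam_detections(log_text):
        groups[d["location"]].append(d["path"])
    return dict(groups)


# Constructed sample log: the first two lines are the ones quoted in the post;
# the Qoobox and Program Files lines (and their threat names) are made up here.
SAMPLE_LOG = r"""
Files Detected: 4
C:\System Volume Information\_restore{8B88F6CD-FA94-4B7D-B351-3636856952B3}\RP1135\A0699887.dll (PUP.Optional.Wajam.A) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{8B88F6CD-FA94-4B7D-B351-3636856952B3}\RP1136\A0700480.exe (PUP.Optional.iMeshMusicBoxTB.A) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\kolgwvd.exe.vir (Trojan.Agent.Constructed) -> Quarantined and deleted successfully.
C:\Program Files\OpenIt\openit.exe (PUP.Optional.Constructed.A) -> Quarantined and deleted successfully.
"""

if __name__ == "__main__":
    parsed = parse_mbam_detections(SAMPLE_LOG)
    print(f"declared {declared_count(SAMPLE_LOG)}, parsed {len(parsed)}")
    for location, paths in triage(SAMPLE_LOG).items():
        print(f"[{location}]")
        for p in paths:
            print("   ", p)
```

Only the "active_location" bucket needs a human look; the restore-point and quarantine buckets are exactly the detections the posts say not to worry about, and the "temp" bucket is the residue a fixlist like the one in post 4 cleans up.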

  6. You should be able to download AdwCleaner so I'm wondering if you are seeing what I am seeing or if you are being redirected.


    When you click the download link I provided, you should be taken to the AdwCleaner download page on the Bleeping Computer website.


    Once there you need only click the top button indicated by the red arrow in the image below, to download Adwcleaner.exe (there is no installer or setup file).




    Double-clicking AdwCleaner.exe will launch the program.


    Let me know if you are seeing what I am seeing please.



    I want you to make files and folders visible:


    Click Start > Open "My Computer"
    Select the Tools menu and click "Folder Options."
    Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
    Uncheck: Hide file extensions for known file types
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.
    Click OK.


    Then I want you to open Windows Explorer (Hit the Windows Key + E simultaneously)


    Navigate to these directories and delete them both:

     c:\documents and settings\Gordon\Application Data\0D0S1L2Z1P1B


    Exit Windows Explorer



    Download Farbar Recovery Scan Tool 32-Bit (FRST.exe) and save it to your desktop.
    • Double-click FRST.EXE to run it. When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
    • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply



    Please update MBAM and run another Quick Scan.


    Post the MBAM log in your next reply




    If you are having trouble downloading the troubleshooting tools I'm directing you to use, then please download them to a USB stick (or CD) on a clean computer and transfer them over to the desktop of the computer we're working on.


    PS. I have been having trouble reaching Bleeping Computer today (& yesterday) so you should know that if you're experiencing the same issue, it's not due to your computer's infection.

    or for the renamed version which should download very quickly with no interference >>HERE<<.
    You do have to be careful to avoid ads soliciting you to download programs on the computer security help sites. That is often how the sites support themselves but it can get confusing when trying to download anti-malware tools.
    It is too late for me now.  I will pick this up again tomorrow.


    That's fine.  We will continue tomorrow and have a Good night!

  8. Let's concentrate on removing the malware from your C:\ drive for now and you can try scanning your F:\ drive in the background.   :)


    What MBAM found is called a PUP, short for Potentially Unwanted Program.  It just started scanning for these types of nuisance programs that often come bundled with free software.




    I did notice in your Combofix log these recently created (10-8) entries:


    2013-10-08 20:29 . 2013-10-08 20:29 -------- d-----w- c:\documents and settings\Gordon\Application Data\0D0S1L2Z1P1B
    2013-10-08 20:29 . 2013-10-08 20:29 -------- d-----w- c:\documents and settings\Gordon\Application Data\DigitalSite
    2013-10-08 20:29 . 2013-10-08 20:29 -------- d-----w- c:\program files\OpenIt



    Did you just install the program OpenIt because  c:\documents and settings\Gordon\Application Data\DigitalSite was written to at the same time that OpenIt folder was?


    Please rescan with MBAM to see if the PUPs were removed.


    Now we have to run Combofix again with a script:

    1. Open Notepad, and on the Notepad menu, choose "Format" and make sure that Word Wrap is UNchecked (disabled). 
    2. Copy/Paste the text in the code box below and save it to your desktop as CFScript.txt by using the File -> "Save as" function on the Notepad Menu.
    Killall::
    Driver::
    kbuzyias5zubw
    File::
    c:\windows\system32\kolgwvd.exe
    c:\documents and settings\Gordon\Start Menu\Programs\Startup\PowerReg Scheduler.exe
    c:\windows\pss\PowerReg Scheduler.exeStartup
    DirLook::
    c:\documents and settings\Gordon\Application Data\0D0S1L2Z1P1B
    Registry::
    [-HKLM\~\startupfolder\C:^Documents and Settings^Gordon^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
    "DisableMonitoring"=dword:00000000
    ClearJavaCache::
    3. Disable all anti-malware and antivirus active protection by referring to these directions HERE
    4. Close All Open Windows and Browsers,
    Referring to the picture above, drag CFScript.txt into ComboFix.exe 
    This will cause ComboFix to run again. 
    If the run does not finish or You have problems, please launch Combofix in safe mode following the same directions as above.
    If ComboFix prompts you to update to a newer version, make sure you allow it to update. 
    Please copy/paste the log (C:\Combofix.txt) that opens when it finishes (Do NOT attach it).

  9. Good news!! Your TDSSKiller log is clean. 


    It will take me a while to review your Combofix log for anything else that needs to be removed.


    While I'm doing that I'd like you to see if MBAM will complete a quick scan now.  Try that and be sure to update it first.


    Post the MBAM log.


    Then run this adware removal program:


    Download : ADWCleaner to your desktop.
    NOTE: If using Internet Explorer and get an alert that stops the program downloading, click on the warning and allow the download to complete.
    Close  all programs and click on the AdwCleaner icon.
    Click on Scan  and follow the prompts. Let it run unhindered.
    When the scan has finished, look through the scan results and uncheck any entries that you do not wish to remove.
    When you are satisfied with the selection, simply click on the Clean button, which will cause AdwCleaner to reboot your computer and remove the files and registry entries associated with the various adware that you are removing. 
    Allow the system to reboot. You will then be presented with the report. Copy & Paste this report on your next reply.
    The report will be saved in the C:\AdwCleaner folder.

  10. Now I get the message that I'm about to view pages over a secure connection



    I would be more concerned if it said you were about to view pages over an insecure connection.


    It's probably related to ComboFix resetting  a number of Internet Explorer's settings to make it more secure, including making it the default browser.


    Please post C:\combofix.txt so I can see what is happening on your computer and how Combofix dealt with your infection.


    Also, if you have the TDSSKiller log already please include that.


    I clicked on your link and I got a message about downloading IEXPLORER.EXE.  I don't think this is correct even though the link shows combofix.


    I do not feel happy about this at all and will not download.

    This is the whole point.  Renaming an anti-malware executable is one of the ways to thwart malware.  I could have you rename Combofix.exe as you download it, but this is a genuine version that is already renamed for that purpose.


    Knowing this, I hope you feel confident about following my instructions as given.  Please proceed.

  12. Thanks for the information you provided.
    Just end process on Combofix.exe, and we'll try another similar approach.
    You have an infection which is showing you the file attributes of the legitimate version of atapi.sys but the one (driver) that is really loaded is infected and needs to be replaced.
    Delete Combofix from your desktop and download this  renamed version, also to your desktop. 
    Next, boot into Safe Mode.
    To start the computer in safe mode:

    1. Click Start and then click Shut Down.


    2. In the drop-down list of the Shut Down Windows dialog box, click Restart, and then click OK.
    3. As your computer restarts but before Windows launches, press F8.
    4. Use the arrow keys to highlight the appropriate safe mode option, and then press ENTER.
    Launch Combofix.exe by dragging and dropping the same CFScript.txt into the renamed Combofix icon on your desktop.
    When Combofix finishes running it should reboot and open a log:
    Please post that log in your next reply.
    You can read information on what we are going to do next here:
    Please download TDSSKiller.exe
    Double-click TDSSKiller.exe to launch the program.
    Click Start scan.
    When it is finished the utility outputs a list of detected objects with description.
    The utility automatically selects an action (Cure or Delete) for malicious objects.
    The utility prompts the user to select an action to apply to suspicious objects (Skip, by default). Leave the default options as is, and click Continue.
    Allow your system to reboot if a reboot is indicated. Please let me know if that was the case.
    Click on Report and post the contents of the text file that opens.
    Note: By default, the utility outputs the log into system directory (the drive your operating system is installed on, normally C:\).
    The Log has a name with this format: TDSSKiller.Version_Date_Time_log.txt.
    Please post that log in your next reply.

  13. Hello and Welcome to Malwarebyte's Malware Help Forum!


    First, please download and run the AVG Removal Tool that is appropriate for your system from this page:



    It will open a command window and do some processing to check the status of security programs and other programs that may be vulnerable on your computer.
    Please post back the log that it creates when it's finished.
    Next, please Run ComboFix by following the steps provided in this sequence:
    Here is a tutorial that describes how to download, install and run Combofix. Please thoroughly review it before proceeding:
    Very Important!  BEFORE downloading Combofix, temporarily disable your antivirus and  antimalware real-time protection and any script blocking components of them or your firewall before performing a scan. They can interfere with ComboFix and even remove onboard components so it is rendered ineffective. This guide can help you if you are unsure of how to do that:
    Using ComboFix  ->
    Please download Combofix to your desktop from >>HERE<<
    Running Combofix
    In the event you already have Combofix, please delete it as this is a new version.
    • Close any open browsers and programs.
    • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    • If Combofix asks to update, please allow it to do so.
    • If you are running Windows XP, and Combofix asks to install the Recovery Console, please allow it to do so or it WILL NOT perform its normal malware removal capabilities.  This is for your safety !!
        1. To Launch Combofix
     Click Start --> Run, and enter (copy/paste) this command exactly as shown, including the quotes:
    "%userprofile%\desktop\combofix.exe" /killall
        2. When finished, it will produce a log file located at C:\ComboFix.txt
        3. Post the contents of that log in your next reply.
    Note: Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang. 
    Please copy and paste  C:\ComboFix.txt into your next reply.
    NOTE: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
    Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

  14. Download DDS and save it to your desktop from HERE or HERE.


    Temporarily disable your antivirus and antimalware real-time protection by following the directions that apply for your specific antivirus here:


    Double-click dds.scr (right-click and choose Run as Administrator if you have Vista or Windows 7) to run the program.

    • When done, DDS will open two (2) logs:
      • DDS.txt
      • Attach.txt

      • Save both reports to your desktop

      • Please copy and paste dds.txt into your next reply and hold on to attach.txt for now.

    Re-enable your antivirus and anti-malware programs

    Please Perform an MBAM Quick Scan:

    • Please open your MalwareBytes Anti-Malware Program
    • Click the Update Tab and search for updates
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected. <-- very important
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy & Paste the entire report in your next reply.

  15. Hi and Welcome!

    I would like to help you but I need more information.

    Please post a complete description of your problem and what you have done to rectify it so far.

    If you have run troubleshooting or Malware Removal programs such as MBAM, I need to see those logs.

    Please follow the instructions in the following topic and copy/paste the logs that are generated into your next reply:


    Thank you!

  16. C:/OEM/Preload/Autorun/APP/Acer Backup Manager/Data1.cab|>mui.exe Error File is a Decompression Bomb

    :Volume{cb2a7676-8f0e-11df-8051-806e6f6e6963/D2D/Images/POP0109Z0OX00CE18.SWM|>mui.exe Error File is a Decompression Bomb

    A CAB file is a compressed installation file. Even if it were infected it would pose no threat because it would have to be decompressed to become active. However, I don't think that detection poses any risk - it is just an anomaly of AVAST scanning:

    A decompression bomb is a file that unpacks to an enormous amount of data - thus "flooding" the unpacking engine. It's quite hard to detect such files reliably, so it's possible that it gives some false alarms occasionally.

    You should configure AVAST so it does NOT scan archives. Not only would this eliminate these detections that are causing you undue concern but scan times would be substantially decreased because all these huge archives take a very long time to extract during the scanning process.

    As for the Java detections, you can clear the Java cache:

    Go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)

    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
      • Applications and Applets
      • Trace and Log Files

      • Click OK on Delete Temporary Files Window

      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.

      • Click OK to leave the Temporary Files Window

      • Click OK to leave the Java Control Panel.

    Likewise, you can clear the Chrome Cache
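
The "decompression bomb" verdict in the post above is a size heuristic, not a malware signature: the scanner compares the size a member claims it will unpack to with the size it occupies in the archive, and refuses to expand anything that would balloon past a threshold. The script below is an added example for this thread, not Avast's engine code. It reads only the archive's central-directory metadata (so nothing is actually decompressed), flags members by expansion ratio or declared size, and builds a constructed sample archive in which a file of zeros, much like a padded resource or MUI binary, trips the check while an incompressible file does not. The thresholds and the ZIP container are this example's assumptions; the idea is the same for CAB and SWM.

```python
"""Decompression-bomb heuristic on archive metadata.

Added example for this thread, not Avast's engine code: it shows why a scanner
flags an archive member as a "decompression bomb" from the compressed and
uncompressed sizes alone, and why benign, highly compressible files can trip
it. Thresholds are illustrative assumptions, not any vendor's values.
"""
import hashlib
import io
import zipfile

MAX_RATIO = 100.0                  # assumed: flag members expanding more than 100:1
MAX_UNPACKED = 64 * 1024 * 1024    # assumed: flag any member declared larger than 64 MiB


def analyse_zip(data: bytes, max_ratio: float = MAX_RATIO,
                max_unpacked: int = MAX_UNPACKED) -> list:
    """Inspect every member using only central-directory metadata.

    Nothing is decompressed, so a real bomb cannot exhaust the scanner here;
    that is the whole point of checking declared sizes before extracting.
    """
    results = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # compress_size can be 0 for odd members; avoid a ZeroDivisionError.
            ratio = info.file_size / info.compress_size if info.compress_size else 0.0
            results.append({
                "name": info.filename,
                "unpacked": info.file_size,
                "packed": info.compress_size,
                "ratio": ratio,
                "flagged": ratio > max_ratio or info.file_size > max_unpacked,
            })
    return results


def flagged_members(data: bytes, **thresholds) -> list:
    """Names of members the heuristic would report, in archive order."""
    return [r["name"] for r in analyse_zip(data, **thresholds) if r["flagged"]]


def build_sample_zip() -> bytes:
    """Constructed sample archive (not a file from the thread).

    'zeros.bin' is 4 MiB of zeros, which DEFLATE shrinks roughly 1000:1, the
    same shape as a padded resource or MUI file; 'noise.bin' is 4 KiB of
    SHA-256 output, which does not compress at all.
    """
    noise = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(128))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("zeros.bin", b"\x00" * (4 * 1024 * 1024))
        zf.writestr("noise.bin", noise)
    return buf.getvalue()


if __name__ == "__main__":
    for r in analyse_zip(build_sample_zip()):
        verdict = "DECOMPRESSION BOMB?" if r["flagged"] else "ok"
        print(f'{r["name"]:10} {r["packed"]:>8} -> {r["unpacked"]:>9} bytes '
              f'({r["ratio"]:7.1f}:1)  {verdict}')
```

Run it and zeros.bin is reported at roughly 1000:1 while noise.bin sits at about 1:1. The same arithmetic is why a legitimate, mostly-zero executable inside an OEM CAB can be named a bomb: the heuristic sees only the ratio, which is exactly the "false alarm" the post describes, and why turning off archive scanning removes the noise without losing real protection (the member would have to be extracted to run anyway).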


  17. I fully understand your lack of internet issues. No need to apologize though it is appreciated.

    This is the AVAST USER MANUAL in PDF Format:


    If you go to page 41, it will tell you how to create a Report file:

    How to create a report of the scan results

    You can create a permanent record of the result of each scan by creating a report which you can then view later. To create a report, first access the options menu as described on page 25 and select “Settings”. Next click on “Reports” and in the next screen, check the box “Create report file” as shown below.

    Save the Report as a TXT file by using the Text File radio button under "Type of File", and then attach it to your next reply.

