fenzodahl512
Posts posted by fenzodahl512
-
Hello.. Sorry for my late reply.. Somehow I missed the topic..
1. How's the computer now?
-
Please run as per my instruction above and post all logs here
-
combofix appears to have removed my trojan. Programs and Features have an entry for 'Coupon Bar' which could not and cannot be uninstalled. Is that a problem?
Can you recommend an antispyware product?
Thanks so much for your help. I am really impressed. I will become a paying member.
Can you post me a screenshot of it?
-
Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them after performing all the steps given..
Please download ComboFix by sUBs from HERE or HERE and save it to your Desktop.
During the download, rename Combofix to Combo-Fix as follows:
It is important you rename Combofix during the download, but not after.
**NOTE: If you are using Firefox, make sure that your download settings are as follows:
- Tools->Options->Main tab
- Set to "Always ask me where to Save the files".
After that, double-click and run Combo-Fix. Let it finish its job and post the log here
If ComboFix asks you to install the Recovery Console, please do so.. It will be in your best interest..
Note: DON'T do anything with your computer while ComboFix is running.. Let ComboFix finish its job..
-
Try reinstalling Firefox.. Do you still get a similar warning?
-
Can you run ComboFix once again? If similar things happen, please tell me
-
No, thank you very much. Should I need to delete the log I posted for you in order for you to help me??
Thanks again
You can use the button to edit your log
-
Please download The Comedian.exe by Rorschach112 to your desktop
- Please disable all of your antivirus/firewall before doing this step. Please visit HERE if you don't know how..
- Double click the program to run it. It will only take around several minutes to run.
- It will do a series of tasks and tell you when each one is finished.
- You will be prompted to press any key after each step
- When it is done it will close and exit itself automatically.
- You can delete The_Comedian.exe once it is finished
STOP! if you can't complete this step.. Tell me more about it..
NEXT
Please download OTS by OldTimer and unzip it to your Desktop..
Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
- Close ALL OTHER PROGRAMS.
- Double-click on OTS to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
- At the top, tick the Scan All Users section
- At File Age set it to 90 Days
- In the Processes, Modules, Services, Drivers and Registry section, please set it to Safe List.
- In the Files Created Within and Files Modified Within section, set it to File Age
- At the bottom, tick all the Safe List and Use Company Name WhiteList options
- Under Additional Scans, click the "Extras" button and then click the checkboxes in front of the following items to select them:
  - Reg - Disabled MS Config Items
  - Reg - Drivers32
  - Reg - Ext
  - Reg - IE Explorer Bar
  - Reg - NetSvcs
  - Reg - Safeboot Minimal
  - Reg - Safeboot Network
  - File - Lop Check
  - File - Purity Scan
- Please copy/paste the script below into the Custom Scans box
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
nvrd32.sys
symmpi.sys
adp3132.sys
/md5stop
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\System32\config\*.sav
- Do NOT change any other settings.
- Now click the Run Scan button on the toolbar.
- Let it run unhindered until it finishes.
- When the scan is complete Notepad will open with the report file loaded in it.
- Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Attach the log in your next replies.. Don't post it.. It will be too large to fit into a single post..
NEXT
Please download GMER and unzip it to your Desktop. <<mirror>>
Please rename the random filename or GMER into GAMERS
- Open the renamed program and click on the Rootkit tab.
- Make sure all the boxes on the right of the screen are checked, EXCEPT for
-
I saw you ran ComboFix..
Please uninstall these programs first.. While they are excellent programs, I prefer not to let them interfere with our diagnosis and fixes..
1. AVG Anti-Virus
2. McAfee VirusScan
3. McAfee Personal Firewall
4. Spybot S&D
Since you already ran ComboFix, please delete your version of ComboFix >> download a fresh copy >> run it again >> post the log here
Link 2
Link 3
-
Begin scan in 'C:\' <PRESARIO>
C:\hiberfil.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
Begin scan in 'D:\' <PRESARIO_RP>
Both files are ok and actually needed.. The warnings appear simply because it can't access the files, and they really should access it.. Please read below..
http://www.cknow.com/cms/articles/what-are...gefile-sys.html
Do you have any other computer problem?
-
Please download TDSSKiller.zip and unzip it to your Desktop
Run the TDSSKiller and wait until it finishes (should be just a few seconds or below a minute).. Then find the log at your %systemdrive% (drive that contains Windows)
The log shall be named something like this one..
(TDSSKiller.version_date_time_log) for example.. (TDSSKiller.2.1.1_22.12.2009_19.33.44_log)
Please download ComboFix by sUBs from HERE or HERE and save it to your Desktop.
During the download, rename Combofix to Combo-Fix as follows:
It is important you rename Combofix during the download, but not after.
**NOTE: If you are using Firefox, make sure that your download settings are as follows:
- Tools->Options->Main tab
- Set to "Always ask me where to Save the files".
After that, double-click and run Combo-Fix. Let it finish its job and post the log here
If ComboFix asks you to install the Recovery Console, please do so.. It will be in your best interest..
Note: DON'T do anything with your computer while ComboFix is running.. Let ComboFix finish its job..
-
Hello.. Let's do this first...
Please download CleanUp! by stevengould.org and save it to your Desktop.
- Double-click CleanUp452.exe and install CleanUp! to your computer
- Open CleanUp! and click on the Options.. button.
- Under the General tab, choose Standard CleanUp! and then click Ok
- Click on the CleanUp! button. When it asks you to log off Windows, click on Yes
- Let Windows reboot (or do it manually) and then scan again with Malwarebytes'.. Is it still there?
-
Ok, I've run OTC. Cleaned up and restarted. Defogger is now gone, I thought I needed to do a re-enable??
Everything seems good. I'm not seeing any redirects right now.
Tim
Just download Defogger and re-enable them again
-
Looks good to me.. Let's do some cleanup...
Please download OTC and save it to Desktop.
- Make sure you have internet connection..
- Double-click OTC
- Click the CleanUp! button.
- Select Yes when the "Begin cleanup Process?" prompt appears.
- If you are prompted to Reboot during the cleanup, select Yes
Please read these excellent articles written by my friends:
Preventing Malware and Safe Computing by Rorschach112
What makes your machine slow? by Artellos
Also, please read these excellent articles by miekiemoes :
Read this great info about safe internet surfing..
http://www.pcpitstop.com/spycheck/safesurfing.asp
http://bluefive.pair.com/practice_safe_surfing.htm
Please reply to this thread once more and tell us about the computer behaviour before we can close this thread B)
Have a safe and happy computing day!
Regards
fenzodahl512
-
Update your Malwarebytes' and run a quick scan.. Remove everything that it found and post the log here B)
-
Hello,
C:\ProgramData\mswintmp.dat (Malware.Trace) -> No action taken.
Not sure why "No action taken".. Can you re-run Malwarebytes' and then remove all that it found? I'm glad your computer is okay now
-
The steps that I am about to suggest involve modifying the registry. Modifying the registry can be dangerous so we will make a backup of the registry first.
Modification of the registry can be EXTREMELY dangerous if you do not know exactly what you are doing so follow the steps that are listed below EXACTLY. if you cannot perform some of these steps or if you have ANY questions please ask BEFORE proceeding.
Backing Up Your Registry
- Go HERE and download ERUNT
(ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)
- Install ERUNT by following the prompts
(use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)
- Start ERUNT
(either by double clicking on the desktop icon or choosing to start the program at the end of the setup)
- Choose a location for the backup
(the default location is C:\WINDOWS\ERDNT which is acceptable).
- Make sure that at least the first two check boxes are ticked
- Press OK
- Press YES to create the folder.
For detailed instruction on how to back-up registry via ERUNT, please visit HERE
NEXT
Please download The Avenger by Swandog46 and unzip it to your Desktop
Please open The Avenger. Then, please copy/paste the script inside the codebox into the Input script here: box..
Begin copying here:
Drivers to disable:
_VOIDd.sys
qrzrtx
Drivers to delete:
_VOIDd.sys
qrzrtx
Files to delete:
C:\ProgramData\_VOIDkrl32mainweq.dll
C:\ProgramData\_VOIDmainqt.dll
C:\Users\Tahveli\AppData\Local\Temp\_VOID64ae.tmp
C:\Users\Tahveli\AppData\Local\Temp\_VOID99c2.tmp
C:\Users\Tahveli\AppData\Local\Temp\_VOIDe501.tmp
C:\Users\Tahveli\AppData\Local\Temp\_VOIDefab.tmp
C:\WINDOWS\System32\drivers\_VOIDssinettpco.sys
C:\WINDOWS\System32\_VOIDarijntaiwr.dll
C:\WINDOWS\System32\_VOIDqpgxwpdwkn.dll
C:\WINDOWS\System32\_VOIDqrkpiivfvm.dll
C:\WINDOWS\System32\_VOIDryxcvbtbwh.dat
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
- Now, click on Execute. Just say Yes at every prompt
The Avenger will automatically do the following:
- It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
- On reboot, it will briefly open a black command window on your desktop, this is normal.
- After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
- The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
Please copy/paste the content of c:\avenger.txt into your reply.
NEXT
Please download Malwarebytes' Anti-Malware from HERE or HERE
Note: If you already have Malwarebytes' Anti-Malware, just run and update it.. Then do a "Perform Full Scan"
Double Click mbam-setup.exe to install the application.
- Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
- If an update is found, it will download and install the latest version.
- Once the program has loaded, select "Perform Full Scan", then click Scan.
- The scan may take some time to finish,so please be patient.
- When the scan is complete, click OK, then Show Results to view the results.
- Make sure that everything is checked, and click Remove Selected.
- When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
- The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
- Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.
-
Hello.. Sorry I'm late.. Was outstation for three days..
Please re-open HijackThis and click on Do a system scan only. Check the boxes next to all the entries listed below.
O17 - HKLM\System\CCS\Services\Tcpip\..\{10D5D574-4818-4953-9E0E-218BFEAA6B97}: NameServer = 93.188.162.96,93.188.166.34
Now close all windows other than HijackThis, then click Fix checked. Close HijackThis.
Then, please reset the router back to its factory setting.. Refer below if you do not know how..
http://www.ehow.com/how_2110924_router-bac...t-settings.html
Then, please reconfigure it back to your preferred settings.. Below is a list of default usernames and passwords, should you not know yours
http://www.routerpasswords.com/
http://www.phenoelit-us.org/dpl/dpl.html
Then reboot the computer and tell me if you still got the redirect issues
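The O17 line above is the symptom of a DNS hijack: the interface's NameServer value points at resolvers the owner never configured, which is why every browser ends up redirected and why the router is reset afterwards. As an added example (not from the original post), this Python script parses HijackThis-style O17 lines and flags resolver addresses that are neither on an expected-resolver allowlist nor on the local network. The first sample line reuses the entry quoted in the post; the allowlist, the other two interface GUIDs and the O4 line are constructed for the example.

```python
"""Flag HijackThis O17 NameServer entries that point at unexpected DNS resolvers."""
import re
from ipaddress import ip_address

# Constructed sample log: the first line is the O17 entry quoted in the post;
# the other interface GUIDs, their resolvers and the O4 line are made up for illustration.
SAMPLE_LOG = """\
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{10D5D574-4818-4953-9E0E-218BFEAA6B97}: NameServer = 93.188.162.96,93.188.166.34
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{AAAAAAAA-0000-0000-0000-000000000001}: NameServer = 192.168.1.1
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{BBBBBBBB-0000-0000-0000-000000000002}: NameServer = 8.8.8.8,1.1.1.1
O4 - HKLM\\..\\Run: [SomeApp] C:\\Program Files\\SomeApp\\app.exe
"""

# Resolvers the machine owner expects (assumption): the home router plus two public resolvers.
EXPECTED_RESOLVERS = {"192.168.1.1", "8.8.8.8", "1.1.1.1"}

# HijackThis prints one O17 line per interface key; NameServer may hold a comma-separated list.
O17_RE = re.compile(r"^O17 - (?P<key>HKLM\\[^:]+): NameServer = (?P<servers>[0-9A-Fa-f:.,\s]+)$")


def parse_o17(line):
    """Return (registry key, [resolver, ...]) for an O17 line, or None for any other line."""
    m = O17_RE.match(line.strip())
    if not m:
        return None
    servers = [s.strip() for s in m.group("servers").split(",") if s.strip()]
    return m.group("key"), servers


def classify(server, expected=EXPECTED_RESOLVERS):
    """'expected' if allowlisted, 'private' if a LAN address (e.g. the router), else 'suspicious'."""
    if server in expected:
        return "expected"
    try:
        addr = ip_address(server)
    except ValueError:  # not even a valid address: treat as suspicious
        return "suspicious"
    return "private" if addr.is_private else "suspicious"


def find_rogue_dns(log_text, expected=EXPECTED_RESOLVERS):
    """Return [(registry key, [suspicious resolver, ...]), ...] for every O17 line with a hit."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_o17(line)
        if parsed is None:
            continue
        key, servers = parsed
        bad = [s for s in servers if classify(s, expected) == "suspicious"]
        if bad:
            findings.append((key, bad))
    return findings


if __name__ == "__main__":
    for key, bad in find_rogue_dns(SAMPLE_LOG):
        print(f"unexpected resolver(s) {', '.join(bad)} on {key}")
```

A hit on an interface key means the same check should be repeated on the router's own DNS settings, which is exactly why the post follows the HijackThis fix with a factory reset.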
-
I've Googled the "80070490" error and got various answers.. Since I don't know the right answer for your current issue, and have determined that your computer is now malware-free, I suggest you post the Windows Update problem at our PC Help forum.. Link below.. Tell them I sent you there
Trojan: Win32/Alureon.CO - and others - Mbam etc not updating (in Resolved Malware Removal Logs)
Hello, sorry for my late reply.. Please delete your version of ComboFix and download a fresh version of it.. Then rerun ComboFix and post the log here..