Help removing Trojan.Ransom and PUM.UserWLoad

[one1nee]

i have uninstalled combofix and also done delfix.

and i should installed Winpatrol, WOT, SpywareBlaster, MVPS Hosts File or just one of them?

[Larusso]

all of them

[one1nee]

hi, daniel

i have download all softwares you mentioned. and i also have updated firefox to the latest version along with updated the add-ons.

and i just ran Malwarebytes and no threats found.

thank you so much for helping me and be very patient with me. i hope i will have clean n secure computer from now on.

i cant thank you enough for stick with me. thank you again.

regards,

Maria =)

[one1nee]

oh, sorry, before close this threat.

may i know how to disable MVPS Hosts file?

i dont know if this because of it or not, but after i download it, i experincing cut-off connection for several time. the internect access network is connected, but i cant connect to internet or the connection was cut. i have to turns off my computer but it happen again. i read the instruction hot to uninstall (http://winhelp2002.mvps.org/uninstall.htm). but i cant even found the HOSTS.MVP, so i cant rename it as it instructed. and i'm very confused with their explanation..

i have called my Internet provider and they said all was normal, but then they said they cant check my IP number. thats why i thought is it possible because of MVPS Host file?

thx.

[Larusso]

Please press the + R Key and type notepad into the Run box.

Copy/paste the entire contents of the codebox below, into notepad:

@echo off
dir "Windir\SYSTEM32\DRIVERS\ETC" > "%userprofile%\Desktop\look.txt"
sc qc dnscache >> "%userprofile%\Desktop\look.txt"
sc query dnscache >> "%userprofile%\Desktop\look.txt"
notepad "%userprofile%\Desktop\look.txt"
del %0

• Now on the top of the window choose File --> Save as
  
• Into the Save as line type in look.bat
  
• Change the Save as type to All Files (*.*)
  
• Save it on your Desktop.
  It should look like this
  
• Run the look.bat with rightclick "Run as Admin"

a notepadwindow will appear, please post its content here.

[one1nee]

thank you for replying me.

here's the result :

[sC] QueryServiceConfig SUCCESS

SERVICE_NAME: dnscache

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\Windows\system32\svchost.exe -k NetworkService

LOAD_ORDER_GROUP : TDI

TAG : 0

DISPLAY_NAME : DNS Client

DEPENDENCIES : Tdx

: nsi

SERVICE_START_NAME : NT AUTHORITY\NetworkService

SERVICE_NAME: dnscache

TYPE : 20 WIN32_SHARE_PROCESS

STATE : 4 RUNNING

(STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)

WIN32_EXIT_CODE : 0 (0x0)

SERVICE_EXIT_CODE : 0 (0x0)

CHECKPOINT : 0x0

WAIT_HINT : 0x0

Ps : for additional info, i contacted my Internet provider and even i'm able to browse to internet, they failed to detect my IP adress.

and i might sound like a broken record, but thanks for helping.

[Larusso]

for additional info, i contacted my Internet provider and even i'm able to browse to internet, they failed to detect my IP adress

No clue what causes this. If the hosts file is the reason, I'll run in circles and scream.

Made a typo in my batch file

Please press the + R Key and Copy/Paste the following single-line command into the Run box and click OK

cmd /c dir "%Windir%\SYSTEM32\DRIVERS\ETC" > "%userprofile%\desktop\look2.txt"

A look2.txt will be created on your desktop, please post its content here.

[one1nee]

yeah, i'm also confused. just now, i experienced the on-off connection 2 times in 10 minutes. like before, the network connection says it connected and no red 'x' in the icon as well. i just got cut off the connection and cant access internet. but this time, it come back after 5 minutes without me restarting the computer... (both time were after i just check the TCP properties, closed it without doing anything and then the connection was back), it just like the connection is unstable, but it isnt. the internet provider tech also confused that i can browse internet but they can access my IP address.. this never happen to me before. it just right after i installed all the softwares above, but most likely after i download MVPS Host Files.

here's the result :

Volume in drive C has no label.

Volume Serial Number is B883-0057

Directory of C:\Windows\SYSTEM32\DRIVERS\ETC

04/04/2013 11:40 PM <DIR> .

04/04/2013 11:40 PM <DIR> ..

04/02/2013 01:56 PM 575,742 HOSTS

06/11/2009 04:39 AM 3,683 lmhosts.sam

06/11/2009 04:39 AM 407 networks

06/11/2009 04:39 AM 1,358 protocol

06/11/2009 04:39 AM 17,463 services

5 File(s) 598,653 bytes

2 Dir(s) 26,955,927,552 bytes free

[Larusso]

Really suspect.

delfix should have create a restore point before you installed all this software. Lets give it a try ( first time in 5 years I needed this )

Windowskey and in the search line type "system restore".

Choose the most recent one which should be from yesterday. If this one is not available, do not choose an older one.

[one1nee]

umm, it said this :

"No restore point have been created on your computer's system drive. To create a restore point, open System Protection'

what should i do next?

[Larusso]

Please download this file http://winhelp2002.mvps.org/DefaultHosts.zip and extract it on your desktop.

Press the Windows + R Key and copy/paste the bolded line below in the commandline

%Windir%\SYSTEM32\DRIVERS\ETC

Rename the existing HOSTS in something like HOSTSbak ( doesn't really matter )

Next copy the extracted HOSTS file from your desktop in this folder.

Reboot and let me know if anything changed.

[one1nee]

hi, i just checked with my internet provider and they said they can be read my IP adress now. and since last night, my sister can browse without the connection being cut (i just got back this morning). so should i still changed the Hosts file name and extract the one you gave me or not?

i dont know what caused the IP cant be read and the connection unstable (eventho the modem said it was connected). the provider didnt know either. they just asked if i have made changes with my computer or if my modem has trouble lately (which is not).

thank you.

[Larusso]

Really strange things going on here.

Leave all as it is for at least 3 days and let me know if you expire this issues again. I'll keep this topic subscribed

[one1nee]

Hi, daniel.

thank you coz you are willing to give it a time to see if something happen again (hopefully not).

I really appreciat it. but start from tommorrow morning until Friday (April 12th), i would in and out of the city, and might wont be able to check on my computer (or might be dead tired when i'm able to go back n forth in the same day). would you mind if this thread still open at least until this weekend, when i am already free and able to logged into internet and check my computer and not just to logged in for 1-2 hours?

i really dont think that i can ask help from my sister, since she is worse than me in computer thing =(

thank you.

[Larusso]

would you mind if this thread still open at least until this weekend,

No problem as long as I am aware of

[one1nee]

hi daniel,

sorry, i just able to logged in now. i have used my computer n internet for around 8 hours and the connection is fine (a bit slow, but i think its more because of my connection).

so, should i still do the steps above? (

[Larusso]

When you dont have troubles anymore, I would leave it as is.

[one1nee]

sorry, i accidentally posted my comment.

i mean should i still do the steps above (rename hosts, extract default hosts, etc).

and how about the look.txt and look2.txt? should i keep it in my desktop?

thank you

[Larusso]

Not needed.

Feel free to delete all files we used from your desktop

[one1nee]

dear Daniel,

done.

thank you for staying with me until now. and be patient with me. hopefully i wont experience any problem again (*praying*)

thank you so much for all the advises n help =)

have a great day =)

[Larusso]

You are welcome

[Maurice Naggar]

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!