Posts posted by rmurphy
-
-
Welcome to BestTechie! I'm Ryan, and I'll be helping you clean your computer.
Please download Deckard's System Scanner (DSS) and save it to your Desktop.
- Close all other windows before proceeding.
- Double-click on dss.exe and follow the prompts.
- When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.
-Ryan
-
Congratulations, your log is clean
For information on how to protect yourself in the future, read Infection Prevention
Do you have any other questions or concerns? This thread will be left open for a few more days, so feel free to ask.
-Ryan
-
Yeap, just that one item to be deleted.
Everything looks good except we need to get the recovery console installed on your computer.
Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System.
Download the file & save it as it's originally named, next to ComboFix.exe.
Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, a log named CF_RC.txt will open. Please post the contents of that log.
Please do not reboot your machine until we have reviewed the log.
Other than that, everything looks good. How is the computer running?
-Ryan
-
You will want to print out these instructions, or save them to notepad so that you can refer to them later.
Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only
- Close all Internet Explorer, Firefox, and Opera windows before continuing.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser
- Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
- Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.
Let's make a new restore point and clear the others:
- Go - Start>Programmes>Accessories>System Tools>System Restore>Create a New Restore point.
Go - Start>Programmes>Accessories>System Tools>Disc Cleanup>"More Options" Tab>Remove All But Most Recent Point. Please do this for each hard drive that you have connected to the computer
Please download ComboFix from Here
1. Please open Notepad
- Click Start , then Run
- Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:
File::C:\Documents and Settings\Jennifer Mackin\Desktop\IPOD Movies\BitLord_1.1.exe
3. Save the above as CFScript.txt
4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.
5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
- Combofix.txt
- A new HijackThis log.
-Ryan
-
Welcome to BestTechie. I'm Ryan, and I'll be helping you.
Everything looks good, but let's see if Kaspersky will find anything.
Please do an online scan with Kaspersky WebScanner
Click on Accept
You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
- The program will launch and then begin downloading the latest definition files:
- Once the files have been downloaded click on NEXT
- Now click on Scan Settings
- In the scan settings make sure that the following are selected:
  - Scan using the following Anti-Virus database:
    - Extended (if available otherwise Standard)
  - Scan Options:
    - Scan Archives
    - Scan Mail Bases
- Click OK
- Now under select a target to scan:
  - Select My Computer
- This program will start and scan your system.
- The scan will take a while so be patient and let it run.
- Once the scan is complete it will display if your system has been infected.
- Now click on the Save as Text button:
- Save the file to your desktop.
- Copy and paste that information in your next post.
-Ryan
-
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.
If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.
Everyone else please begin a New Topic.
-
Please try to do the following in normal windows; if it will not work, you should be able to do it in safe mode.
Go to Start>Run.
Enter sfc /scannow (notice the space between c /) and press OK.
If Windows finds system files that need to be replaced, you will be asked for your windows CD.
Once sfc has finished, download ComboFix from one of the locations below, and save it to your Desktop.
Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall
-Ryan
-
Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only
- Close all Internet Explorer, Firefox, and Opera windows before continuing.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser
- Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
- Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.
Please go to the ESET Online Scanner and follow the prompts. When it asks about finding unwanted applications, check that box. Ensure that the box that says fix threats remains UNchecked. Post the report once it finishes scanning.
-Ryan
-
The first hijack this log was clean along with the Kaspersky log, and with the exception of two programs, the uninstall list was fine as well.
== Remove Programs ==
Please go to Add/Remove Programs in the Control Panel, and remove the following programs
- Java 2 Runtime Environment, SE v1.4.2_03
- My Way Search Assistant
Reboot your computer.
== Install Latest Java ==
Please go to THIS page, and click on the Download link that is in the Java Runtime Environment (JRE) 6 section.
Click the radio button next to Accept License Agreement after reviewing it. The page will refresh - this is normal.
Download the Windows Offline Installation, Multi-language. You will want to save this to a location you will remember.
Once it has finished downloading, double click it, and follow the prompts to install.
If it asks to reboot, select Yes.
Once you have done that, take a look at the following page: http://users.telenet.be/bluepatchy/miekiem...owcomputer.html
Let me know if that helps speed up your computer.
-Ryan
-
Hello NYLuvaGrl, and welcome to BestTechie! I'm Ryan, and I'll be helping you clean your computer.
Please take a look at the following topic: http://www.besttechie.net/forums/How-To-Po...Log-t12175.html
It contains instructions on how to post a hijack this log. Please post your log in this topic as a reply, and I'll take a look at it and let you know what to do next.
-Ryan
-
Hello alamarinara, welcome to BestTechie! I'm Ryan, and I'll be helping you clean your computer.
Please download FixWareout from here:
http://downloads.subratam.org/Fixwareout.exe
Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. If your firewall gives an alert, (because this tool will download an additional file from the internet), please don't let your firewall block it, but allow it instead.
Then you will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.
Once the desktop loads please post the text that will open (report.txt) and a new Hijackthis log
Download ComboFix from one of the locations below, and save it to your Desktop.
Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log in your next reply
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall
-Ryan
-
Hello mwmarshall, welcome to BestTechie! I'm Ryan, and I'll be helping you clean your computer.
== Clear Temporary Files ==
Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only
- Close all Internet Explorer, Firefox, and Opera windows before continuing.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser
- Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
- Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.
== Kaspersky Web Scanner ==
Please do an online scan with Kaspersky WebScanner
You will need to use Internet Explorer to do this
Click on Kaspersky Online Scanner
You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
- The program will launch and then begin downloading the latest definition files:
- Once the files have been downloaded click on NEXT
- Now click on Scan Settings
- In the scan settings make sure that the following are selected:
  - Scan using the following Anti-Virus database:
    - Extended (if available otherwise Standard)
  - Scan Options:
    - Scan Archives
    - Scan Mail Bases
- Click OK
- Now under select a target to scan:
  - Select My Computer
- This program will start and scan your system.
- The scan will take a while so be patient and let it run.
- Once the scan is complete it will display if your system has been infected.
- Now click on the Save as Text button:
- Save the file to your desktop.
== Request Logs ==
Please post the log from the Kaspersky scan. I would also like to see an uninstall list.
- Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
-Ryan
-
Hello sho, welcome to BestTechie! I'm Ryan, and I'll be helping you clean your computer.
== Clear Temporary Files ==
Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only
- Close all Internet Explorer, Firefox, and Opera windows before continuing.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser
- Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
- Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.
== Kaspersky Web Scanner ==
Please do an online scan with Kaspersky WebScanner
You will need to use Internet Explorer to do this
Click on Kaspersky Online Scanner
You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
- The program will launch and then begin downloading the latest definition files:
- Once the files have been downloaded click on NEXT
- Now click on Scan Settings
- In the scan settings make sure that the following are selected:
  - Scan using the following Anti-Virus database:
    - Extended (if available otherwise Standard)
  - Scan Options:
    - Scan Archives
    - Scan Mail Bases
- Click OK
- Now under select a target to scan:
  - Select My Computer
- This program will start and scan your system.
- The scan will take a while so be patient and let it run.
- Once the scan is complete it will display if your system has been infected.
- Now click on the Save as Text button:
- Save the file to your desktop.
== Request Logs ==
Please post the log from the Kaspersky scan. I would also like to see an uninstall list.
- Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
-Ryan
-
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.
If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.
Everyone else please begin a New Topic.
-
Yes. It is detecting the file as infected because it contains definitions of actual viruses. Please see the following avast! forum thread for more information: http://forum.avast.com/index.php?topic=23746.0
-Ryan
-
Wsock32.dll is also legitimate.
Windows should be replacing all of those legitimate files that avast is moving. You should be able to tell it to ignore those files.
You can also upload those files at http://www.uploadmalware.com and they will be sent to antivirus companies so they can fix their virus definitions.
-Ryan
-
Try this scanner:
Please go HERE to run Panda's ActiveScan. You will need to use Internet Explorer to run it.
- Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on My Computer to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Post the contents of the ActiveScan report.
-Ryan
-
The first items (except for pskavs.dll, which is a false positive) are located in the system restore points. Let's clear those out now.
- Go - Start>Programmes>Accessories>System Tools>System Restore>Create a New Restore point.
Go - Start>Programmes>Accessories>System Tools>Disc Cleanup>"More Options" Tab>Remove All But Most Recent Point. Please do this for each hard drive that you have connected to the computer
Kernel32.dll and winstock.dll are both legitimate system files.
Just to confirm, is that last file wsock32.dll, or wsock.32dll?
-Ryan
-
Can you tell me what it found and where it was located?
-Ryan
-
Please uninstall any filesharing programs you may have installed on the computer. From the uninstall list, the ones I saw were:
- BitTorrent 5.0.9
- DC++ 0.699
- eMule
Open HiJack This and scan. When it finishes, put an X in the box next to these following item(s)
O15 - Trusted Zone: *.kdb.co.kr
O15 - Trusted Zone: *.nprotect.co.kr
O15 - Trusted Zone: *.nprotect.com
O15 - Trusted Zone: *.nprotect.net
O15 - Trusted Zone: http://*.wedisk.co.kr
O15 - Trusted Zone: http://*.wedisk.net
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/games/hamsterball/...tgameloader.cab
O16 - DPF: {04E7BADF-F3B9-420D-B82D-8D8CADEFE4F9} (CyImage2Ctl Class) - http://cyimg8.cyworld.com/ImageUpload/CyIm...pload_10217.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {32E08E96-5B55-47AE-87EC-DE8FDF9266E3} (Jviewer Control) - http://208.70.74.58/Jviewer.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games ?Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {474AD63A-9B7E-40FE-8E4E-7067CC0F8D3D} (IB_OnAir.IBOnAir) - http://ionair.sbs.co.kr/onair/IB_OnAir.CAB
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {5C899971-E9D6-4496-8077-98378408E340} (MPControl Control) - http://mplay.sbs.co.kr/players/SBSiMPControl.cab
O16 - DPF: {6368221B-31D9-4BE6-8937-B4F37B3930B8} (NpZoneMgr Control) - http://update.nprotect.net/npzone/kdb_vista/npZoneMgr.cab
O16 - DPF: {7513B187-5954-4C64-ABF4-E652FE899F24} (Wedisk Control) - http://www.wedisk.co.kr/app/WeDisk.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://messenger.zone.msn.com/EN-US/a-LUXR/mjolauncher.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {8FA141C5-29D7-4408-A57B-619C463ED7BB} (Cychannel_Club1_10.UserControl1) - http://club.cyworld.com/cychannel_club/Cyc...lubmain1_11.CAB
O16 - DPF: {93F79C47-F414-4EEE-95C5-A0F0ACE59A0E} (ALDx Class) - http://www.altools.co.kr/ALDX.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (MSN Games ?Texas Holdem Poker) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab60231.cab
O16 - DPF: {A1832535-5218-42F9-8959-19E2BCABFABF} (INIwallet50 Control) - http://plugin.inicis.com/wallet50/INIwallet50.cab
O16 - DPF: {A4110378-789B-455F-AE86-3A1BFC402853} (ZPA_SHVL Object) - http://zone.msn.com/bingame/zpagames/zpa_shvl.cab55579.cab
O16 - DPF: {A671DC03-71D0-4CF0-895C-7D4A248FC1F1} (skcbgmset Class) - http://cyimg7.cyworld.nate.com/cymusic/package/skcbgmset.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {BCEF5CDE-BAD4-4532-A30B-9D16D502DE69} (BugsInstallEx Control) - http://install.bugs.co.kr/install/BugsInstallerEx.cab
O16 - DPF: {C044CD87-DFB0-4130-A5E4-49361106FBC8} (HanSetupCtrl1010 Class) - http://www.hangame.com/common/HanSetup1010.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {CE8267C2-D41A-4A50-A69D-F32B5C289F14} (FileOpenInstaller) - http://www.cramster.com/DRM/Client/FileOpen.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} - http://update.nprotect.net/nprotect/kdb/npkcx.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://www.shockwave.com/content/cinematyc...inematycoon.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games ?Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {DA54C9C1-8109-43C9-9C80-E4210CEDF147} (EzwonSession Control) - http://www.wedisk.co.kr/app/EzwonSessionCtl.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/bejeweled...ploader_v10.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O20 - Winlogon Notify: spxcoins32 - C:\WINDOWS\SYSTEM32\spxcoins32.dll
Close all open windows except for HiJack This and click fix checked.
Please reboot into safe mode (continually tap the F8 key while your system is starting, select Safe Mode from the menu).
Remove the following files in bold (if found):
C:\WINDOWS\SYSTEM32\spxcoins32.dll
Reboot your computer.
Please go to Microsoft Update and make sure you have all high security and critical updates installed.
Please rescan with HijackThis and post a fresh log in this same topic, and let us know how your system's working.
-Ryan
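The O15, O16 and O20 lines in the fix list above follow HijackThis's `section - type: details` layout, so a pasted log can be split into fields before review. The parser below is an added example, not part of the original post or of HijackThis; the sample lines are copied from the post, and the review notes it attaches are assumptions chosen for illustration, not HijackThis verdicts.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Sample lines copied from the fix list in the post above (a subset).
SAMPLE = r"""
O15 - Trusted Zone: *.kdb.co.kr
O15 - Trusted Zone: http://*.wedisk.co.kr
O16 - DPF: {32E08E96-5B55-47AE-87EC-DE8FDF9266E3} (Jviewer Control) - http://208.70.74.58/Jviewer.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} - http://update.nprotect.net/nprotect/kdb/npkcx.cab
O20 - Winlogon Notify: spxcoins32 - C:\WINDOWS\SYSTEM32\spxcoins32.dll
"""

LINE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
# O15: sites added to Internet Explorer's Trusted Zone.
O15 = re.compile(r"^(?:ESC )?Trusted Zone: (?P<site>\S+)$")
# O16: ActiveX controls in Downloaded Program Files; the class name is optional.
O16 = re.compile(
    r"^DPF: (?P<id>\{[0-9A-Fa-f-]{36}\}|\S+)(?: \((?P<name>.*)\))? - (?P<url>\S+)$"
)
# O20: DLLs registered under Winlogon Notify.
O20 = re.compile(r"^Winlogon Notify: (?P<key>\S+) - (?P<dll>.+)$")


def host_of(value):
    """Return the host part of a URL or of a bare zone pattern."""
    if "://" in value:
        return urlsplit(value).hostname or ""
    return value.split("/")[0].lower()


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def parse_line(line):
    """Parse one log line into a dict, or return None if it is not an entry."""
    m = LINE.match(line.strip())
    if not m:
        return None
    section, body = m["section"], m["body"]
    entry = {"section": section, "raw": line.strip(), "notes": []}
    if section == "O15" and (f := O15.match(body)):
        entry.update(kind="trusted_zone", host=host_of(f["site"]))
    elif section == "O16" and (f := O16.match(body)):
        host = host_of(f["url"])
        entry.update(kind="activex_download", clsid=f["id"],
                     name=f["name"], host=host)
        # Review hints below are assumptions for illustration only.
        if is_ip_literal(host):
            entry["notes"].append("codebase host is a raw IP address")
        if f["name"] is None:
            entry["notes"].append("no class name in log line")
    elif section == "O20" and (f := O20.match(body)):
        entry.update(kind="winlogon_notify", key=f["key"], dll=f["dll"])
        entry["notes"].append("DLL loaded by Winlogon; confirm the file is known")
    else:
        entry["kind"] = "unparsed"
    return entry


def parse_log(text):
    return [e for e in map(parse_line, text.splitlines()) if e]
```
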
-
Congratulations, your log is clean
For information on how to protect yourself in the future, read Infection Prevention
Do you have any other questions or concerns? This thread will be left open for a few more days, so feel free to ask.
-Ryan
-
How's the computer running? Did the help desk give you any information when they said you were infected?
-Ryan
-
How is the computer working?
-Ryan
-
Please go to Add/Remove Programs in the Control Panel, and remove the following program: Java 2 Runtime Environment, SE v1.4.2_14
Delete the following file: C:\WINDOWS\Temp\npnuninst.exe.npz
Download ComboFix from one of the locations below, and save it to your Desktop.
Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall
-Ryan
Now Receiving Pop Ups With Pop Up Blocker[RESOLVED]
in Malware Removal
Posted
Please download ComboFix from Here
1. Please open Notepad
2. Now copy/paste the entire content of the codebox below into the Notepad window:
3. Save the above as CFScript.txt
4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.
5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
-Ryan