Posts posted by noahdfear


  1. The cookies are coming from the ads on this site. Just opening this page, then clicking View>Source, I can see links to tribalfusion ads.

    They are not a threat.

     

    As for the Ÿ9Ÿ9 file, please upload it to my submission channel for analysis. Leave a link back to this topic.

     

    Other than that, are you experiencing any odd behavior?


  2. Highlight and copy the contents of the code box below.

    reg delete HKCU\software\microsoft\windows\currentversion\explorer\mountpoints2 /f
    exit
    cls
    
    Click Start>Run and type cmd then hit Enter to open a command window. Right click in the command window and select Paste. The command window will close on its own.

     

    Reboot then see if F:\ can be accessed normally.


  3. Download ATF Cleaner by Atribune and save it to your Desktop.

    • Double click ATF-Cleaner.exe to run the program.
    • Check the boxes to the left of:
      • Windows Temp
      • Current User Temp
      • All Users Temp
      • Temporary Internet Files
      • Prefetch
      • Java Cache
      • Recycle bin

    The rest are optional - if you want it to remove everything check "Select All". Finally, click Empty Selected. When you get the "Done Cleaning" message, click OK then exit. Reboot.

     

     

    If no improvement, I recommend you try an IE reset. Open Internet Options in the Control Panel, select the Programs tab, then Click Reset Web Settings.


  4. Looks great! Remove any items in quarantine by your resident antivirus and antispyware applications. Empty the Recycle Bin once more.

    Click Start>Run and type ComboFix /u then hit Enter to uninstall ComboFix and remove the files it has quarantined. This action will also reset the System Restore points, removing any infected files there as well.

    Verify the C:\Qoobox and C:\ComboFix folders were removed, as well as the C:\ComboFix.txt file.

    You can delete any other logs that were created/saved too.

     

     

    That should finish things up as far as malware. Is IE still acting up?


  5. Once again, disable any realtime protection applications. Highlight and copy the contents of the code box below and paste it into a blank Notepad, then save it to your desktop as:

     

    Filename: CFScript.txt

    Save As Type: All Files (*.*)

     

    Registry::
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    "hujavawoki"=-
    

    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log.

     

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

     

    **NOTE - Allow ComboFix to update if prompted.


  6. TeaTimer is an excellent tool for the prevention of spyware, though it can sometimes prevent HijackThis from fixing certain things.

    Please disable TeaTimer for now. TeaTimer can be re-activated once your HijackThis log is clean.

    • Open Spybot Search & Destroy.
    • In the Mode menu click "Advanced mode" if not already selected.
    • Choose "Yes" at the Warning prompt.
    • Expand the "Tools" menu.
    • Click "Resident".
    • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
    • In the File menu click "Exit" to exit Spybot Search & Destroy.
    Reboot.

     

    Download ResetTeaTimer.bat by right clicking the link and selecting Save Target As, and save it to your desktop.

    Now double click ResetTeaTimer.bat to run it.

    Then, since it will not be needed again, delete ResetTeaTimer.bat.

     

    Now do a scan with HijackThis. You should see an entry similar to the following.

     

    O4 - HKLM\..\Run: [hujavawoki] Rundll32.exe "C:\Program Files\tujumape\tujumape.dll",s

     

    Place a check in the box next to the entry then click Fix Checked.

    When complete, reboot once more, then scan with HijackThis and save the log. Post that log here.
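Added example (not from noahdfear's post, and not HijackThis code): a small Python triage of O4 lines like the one quoted above. It expands HijackThis's abbreviated key (HKLM\..\Run is the Run key under Software\Microsoft\Windows\CurrentVersion), pulls out the DLL and entry point a rundll32 command loads, and marks DLLs sitting outside the Windows directory, which is what makes the tujumape entry stand out next to a normal rundll32 autostart. Only the tujumape line comes from the post; the other sample lines and the C:\WINDOWS install path are constructed assumptions.

```python
"""Triage HijackThis O4 (registry autostart) lines: list what rundll32 loads.
Added example; not HijackThis code. Sample lines marked below are constructed."""
import re

# O4 - HKLM\..\Run: [name] command      (HijackThis elides Software\Microsoft\Windows\CurrentVersion)
O4_RE = re.compile(r"^O4 - (HK\w+(?:\\S-[\d-]+)?)\\\.\.\\([^:]+): \[([^\]]+)\] (.*)$")
# rundll32[.exe] <dll>[,<entry point>]   the DLL path may be quoted when it contains spaces
RUNDLL_RE = re.compile(
    r'^"?(?:.*\\)?rundll32(?:\.exe)?"?\s+(?:"([^"]+)"|([^\s,]+))(?:,(\S+))?',
    re.IGNORECASE,
)
AUTOSTART_ROOT = "Software\\Microsoft\\Windows\\CurrentVersion"
WINDOWS_DIR = "c:\\windows\\"   # assumption: default XP install path


def parse_o4(line):
    """Split a registry O4 line into full key, value name and command (None for other O4 forms)."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    hive, subkey, name, command = m.groups()
    if hive.upper().startswith("HKUS"):   # HijackThis prints HKUS\<SID> for HKEY_USERS
        hive = "HKU" + hive[4:]
    return {"key": f"{hive}\\{AUTOSTART_ROOT}\\{subkey}", "name": name, "command": command}


def rundll32_target(command):
    """Return (dll_path, entry_point) if the command runs a DLL via rundll32, else None."""
    m = RUNDLL_RE.match(command.strip())
    if not m:
        return None
    return (m.group(1) or m.group(2)), m.group(3)


def removal_command(entry):
    """Fixing a registry O4 item amounts to deleting the Run value; this is the manual form."""
    return f'reg delete "{entry["key"]}" /v "{entry["name"]}" /f'


def triage(lines):
    """Report every rundll32-loaded DLL, marking those outside the Windows directory."""
    report = []
    for line in lines:
        entry = parse_o4(line)
        if entry is None:
            continue
        target = rundll32_target(entry["command"])
        if target is None:
            continue
        dll, entry_point = target
        report.append({
            "name": entry["name"],
            "dll": dll,
            "entry_point": entry_point,
            "outside_windows_dir": not dll.lower().startswith(WINDOWS_DIR),
            "fix": removal_command(entry),
        })
    return report


SAMPLE_O4 = [
    # from the post above
    r'O4 - HKLM\..\Run: [hujavawoki] Rundll32.exe "C:\Program Files\tujumape\tujumape.dll",s',
    # constructed, typical benign entries
    r"O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup",
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
    r"O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')",
]

if __name__ == "__main__":
    for item in triage(SAMPLE_O4):
        flag = "CHECK" if item["outside_windows_dir"] else "ok   "
        print(f'{flag} [{item["name"]}] {item["dll"]} ,{item["entry_point"]}')
        if item["outside_windows_dir"]:
            print("      " + item["fix"])
```

Run it as a script to print the report, or import triage() and feed it the O4 lines from a saved HijackThis log. A DLL inside the Windows directory is not a clean bill either way (the DLLs collected in the later post all sit in system32); the point is to get every loaded path onto one list so each file can be checked.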


  7. Delete the C:\R8VE.exe file.

     

    Download ATF Cleaner by Atribune and save it to your Desktop.

    • Double click ATF-Cleaner.exe to run the program.
    • Check the boxes to the left of:
      • Windows Temp
      • Current User Temp
      • All Users Temp
      • Temporary Internet Files
      • Prefetch
      • Java Cache
      • Recycle bin

    The rest are optional - if you want it to remove everything check "Select All". Finally, click Empty Selected. Now select the Firefox option and clear at least the temporary files. When you get the "Done Cleaning" message, click OK then exit. Reboot.

     

     

    Open HijackThis to the Misc Tools section.

    Check both boxes in the StartupList section then click Generate Startuplist log.

    Post the contents of that log here.


  8. Once again, please disable any realtime protection applications. Highlight and copy the contents of the code box below and paste it into a blank Notepad, then save it to your desktop as:

     

    Filename: CFScript.txt

    Save As Type: All Files (*.*)

     

    http://forums.pcpitstop.com/index.php?s=&showtopic=163625&view=findpost&p=1554007
    Collect::
    c:\windows\system32\wvUoNGAP.dll
    c:\windows\system32\ydadrvjv.dll
    c:\windows\system32\ttfuqd.dll
    c:\windows\system32\hwuusawa.dll
    c:\windows\system32\ssqricsq.dll.ren
    File::
    c:\windows\Tasks\hvbmgxiu.job
    c:\windows\Tasks\rcpxlyju.job
    Registry::
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0b78f85b-59fa-11dd-b73b-806d6172696f}]
    

    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log here.

     

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

     

     

    Please note that I have instructed CFScript to collect some files. This means that when ComboFix finishes, you will be prompted to allow ComboFix to upload a zip file that was created. The zip contains the aforementioned files. Please copy the path shown in the prompt and paste it into the box, then click Send. This will assist the author in adding the files for removal in future updates. Thanks!

     

    Next please do an online scan with Kaspersky Online Scanner

     

    Click Accept, when prompted to download and install the program files and database of malware definitions.

    • Click Run at the Security prompt.
    • The program will then begin downloading and installing and will also update the database.
    • Please be patient as this can take several minutes.
    • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
    • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
    • Click View scan report at the bottom.
    • Click the Save Report As... button.
    • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
    **Note**

     

    To optimize scanning time and produce a more sensible report for review:

    • Close any open programs.
    • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
    Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

     

     

    Post the Kaspersky log
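Added example covering the CFScript in this post and the one in the earlier hujavawoki post (it is not ComboFix's own code and the forum posts do not contain it): a Python parser that reads a CFScript and prints the manual commands the directives stand for. It assumes only what the two scripts show: Collect:: lists files to be zipped for submission, File:: lists files to delete, and Registry:: is .reg syntax, where [-KEY] removes a key and "name"=- removes a value. The output is a dry-run preview; it changes nothing on the machine it runs on.

```python
"""Translate a ComboFix CFScript into the cmd.exe commands its directives stand for.
Added example; not ComboFix code. The two scripts below are copied from the posts."""
import re
from dataclasses import dataclass, field

DIRECTIVE_RE = re.compile(r"^(Collect|File|Registry)::$", re.IGNORECASE)
KEY_RE = re.compile(r"^\[(-?)(HKEY_[^\]]+)\]$")        # [KEY] opens a block, [-KEY] deletes it
VALUE_DELETE_RE = re.compile(r'^"([^"]+)"=-$')         # "name"=- deletes a value (.reg syntax)
HIVE_ABBREV = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU",
               "HKEY_USERS": "HKU", "HKEY_CLASSES_ROOT": "HKCR"}


@dataclass
class CFScript:
    header: list = field(default_factory=list)          # lines before the first directive (topic URL)
    collect: list = field(default_factory=list)         # files ComboFix zips for submission
    delete_files: list = field(default_factory=list)
    delete_keys: list = field(default_factory=list)     # full key paths
    delete_values: list = field(default_factory=list)   # (key, value name) pairs
    unknown: list = field(default_factory=list)         # Registry:: lines this parser does not handle


def abbreviate(key):
    hive, sep, rest = key.partition("\\")
    return HIVE_ABBREV.get(hive.upper(), hive) + sep + rest


def parse_cfscript(text):
    script, section, current_key = CFScript(), None, None
    for raw in text.splitlines():
        line = raw.strip()                   # the posted script has a stray leading space
        if not line:
            continue
        dm = DIRECTIVE_RE.match(line)
        if dm:
            section, current_key = dm.group(1).lower(), None
            continue
        if section is None:
            script.header.append(line)
        elif section == "collect":
            script.collect.append(line)
        elif section == "file":
            script.delete_files.append(line)
        else:                                # Registry:: block
            km = KEY_RE.match(line)
            vm = VALUE_DELETE_RE.match(line)
            if km and km.group(1):
                script.delete_keys.append(km.group(2))
                current_key = None
            elif km:
                current_key = km.group(2)
            elif vm and current_key:
                script.delete_values.append((current_key, vm.group(1)))
            else:
                script.unknown.append(line)
    return script


def to_commands(script):
    """cmd.exe equivalents of the destructive directives (Collect:: deletes nothing)."""
    cmds = [f'del /f /q "{p}"' for p in script.delete_files]
    cmds += [f'reg delete "{abbreviate(k)}" /f' for k in script.delete_keys]
    cmds += [f'reg delete "{abbreviate(k)}" /v "{n}" /f' for k, n in script.delete_values]
    return cmds


CFSCRIPT_POST_5 = r"""
Registry::
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"hujavawoki"=-
"""

CFSCRIPT_POST_8 = r"""
http://forums.pcpitstop.com/index.php?s=&showtopic=163625&view=findpost&p=1554007
Collect::
 c:\windows\system32\wvUoNGAP.dll
c:\windows\system32\ydadrvjv.dll
c:\windows\system32\ttfuqd.dll
c:\windows\system32\hwuusawa.dll
c:\windows\system32\ssqricsq.dll.ren
File::
c:\windows\Tasks\hvbmgxiu.job
c:\windows\Tasks\rcpxlyju.job
Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0b78f85b-59fa-11dd-b73b-806d6172696f}]
"""

if __name__ == "__main__":
    for text in (CFSCRIPT_POST_5, CFSCRIPT_POST_8):
        s = parse_cfscript(text)
        print("collect for submission:", *s.collect, sep="\n  ")
        print("equivalent commands:", *to_commands(s), sep="\n  ")
        if s.unknown:
            print("not understood:", *s.unknown, sep="\n  ")
```

Anything under Registry:: that is not a key line or a "name"=- line ends up in unknown rather than being guessed at, so a script that sets or renames values shows up as unhandled instead of silently producing a wrong command.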


  9. Hi shadowxsssr,

     

    Please visit the following webpage for instructions for downloading and running ComboFix

     

    How to use ComboFix

     

     

    Download ComboFix by sUBs from here, saving the file to your desktop.

     

     

    Disable realtime protection applications as they sometimes interfere with the tool. Check this link for your applicable programs.

    • Close all open programs and windows
    • Double click ComboFix.exe and follow the prompts.
    • It may reboot your computer and resume running when you logon. Wait for it to complete. When finished, it will open a log for you. Post that log in your next reply.
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

     

    **NOTE - I recommend you allow the Recovery Console to be downloaded and installed if or when prompted.


  10. If MyWay is still being detected, I would suspect some special permissions are set on the registry items preventing removal. This procedure is documented on the Microsoft.com website for resetting registry and system file permissions. While it might not fix the problem, it should do no harm either.

     

    Download and install SubInACL from Microsoft.

     

    Close out all other programs and open windows.

     

    Highlight and copy the contents of the code box below.

    cd /d "%ProgramFiles%\Windows Resource Kits\Tools"
    subinacl /subkeyreg HKEY_LOCAL_MACHINE\Software /owner=administrators /grant=administrators=f /grant=system=f /grant=RESTRICTED=r
    subinacl /subkeyreg HKEY_LOCAL_MACHINE\System /owner=administrators /grant=administrators=f /grant=system=f /grant=RESTRICTED=r
    subinacl /subkeyreg HKEY_CURRENT_USER /owner=administrators /grant=administrators=f /grant=system=f /grant=RESTRICTED=r
    subinacl /subkeyreg HKEY_CLASSES_ROOT /owner=administrators /grant=administrators=f /grant=system=f /grant=RESTRICTED=r
    subinacl /subdirectories %SystemDrive% /grant=administrators=f /grant=system=f
    subinacl /subdirectories %windir%\*.* /grant=administrators=f /grant=system=f
    exit
    cls
    
    Click Start>Run and type cmd then hit enter to open a command window.

    Right click in the command window and select paste.

    It will take a while for the commands to process, so please be patient.

    The command window should close on its own when finished.

    Reboot for the changes to take effect.

     

     

    Now run another scan with whatever program is picking up the MyWay and have it remove the items again.


  11. The submitted file is fine. Thank you!

     

    Let's clean up now. Open MBAM and remove any items quarantined. Do the same with your resident antivirus.

     

    Click Start>Run and type ComboFix /u then hit Enter to uninstall ComboFix and remove the files it has quarantined. This action will also reset the System Restore points, removing any infected files there as well.

    Verify the C:\Qoobox and C:\ComboFix folders were removed, as well as the C:\ComboFix.txt file.

    You can delete any other logs that were created/saved too.


  12. Please upload the following file to my submission channel for analysis. Leave a link back to this topic.

     

    C:\Qoobox\Quarantine\[22][email protected]

     

    Thanks!

     

     

    Log looks good. Let's get an online scan to see if we've missed anything. Please do an online scan with Kaspersky Online Scanner

     

    Click Accept, when prompted to download and install the program files and database of malware definitions.

    • Click Run at the Security prompt.
    • The program will then begin downloading and installing and will also update the database.
    • Please be patient as this can take several minutes.
    • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
    • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
    • Click View scan report at the bottom.
    • Click the Save Report As... button.
    • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
    **Note**

     

    To optimize scanning time and produce a more sensible report for review:

    • Close any open programs.
    • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
    Post the Kaspersky log here.

  13. The only thing I see that could indicate a problem is the following.

     

    ---- Kernel code sections - GMER 1.0.14 ----

     

    ? C:\WINDOWS\system32\PavTPK.sys The system cannot find the file specified. !

    ? C:\WINDOWS\system32\PavSRK.sys The system cannot find the file specified. !

    ? C:\WINDOWS\system32\Drivers\uphcleanhlp.sys The system cannot find the file specified. !

    ? system32\drivers\av5flt.sys The system cannot find the file specified. !

     

     

    The first, second and fourth files are associated with Panda. The third is with the User Profile Cleanup Utility from MS. Might want to do a repair install or re-install of those two apps.

     

    Again, please provide a more detailed description of the error(s) you are receiving.


  14. That is an infection in your System Restore point. You need only clear those past restore points to be rid of it.

    Clear past system restore points and create a new one.

    Right click My Computer and select Properties. On the System Restore tab, check the box to turn System Restore off. Click Apply. Now, uncheck the box and click Apply to turn System Restore back on. Click OK, then OK to close the System Properties dialog.

     

    Verify a new restore point was created.

    Click Start>All Programs>Accessories>System Tools>System Restore

    Select 'Restore my computer to an earlier time', then click next.

    You should have a newly created System Checkpoint available. If so, click Cancel. If not, click Back and select 'Create a restore point' then click Next. Give the restore point a name and click next.


  15. Highlight and copy the contents of the code box below.

    reg delete HKU\.default\software\microsoft\windows\currentversion\policies\system /v DisableTaskMgr /f
    reg delete HKU\.default\software\microsoft\windows\currentversion\policies\system /v DisableRegistryTools /f
    reg delete HKCU\software\microsoft\windows\currentversion\explorer\mountpoints2\{e5746e66-8fed-11dc-9a5e-001617d89ef3} /f
    exit
    cls
    
    Click Start>Run and type cmd then hit Enter to open a command window. Right click in the command window and select Paste. The command window will close on its own.

     

    Now, let's get an online scan. Please do an online scan with Kaspersky Online Scanner

     

    Click Accept, when prompted to download and install the program files and database of malware definitions.

    • Click Run at the Security prompt.
    • The program will then begin downloading and installing and will also update the database.
    • Please be patient as this can take several minutes.
    • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
    • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
    • Click View scan report at the bottom.
    • Click the Save Report As... button.
    • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
    **Note**

     

    To optimize scanning time and produce a more sensible report for review:

    • Close any open programs.
    • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
    Post the Kaspersky log here and let me know how the computer is performing.
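Added example, not from the post: a Python audit of a `reg export` dump for the two things the commands above remove by hand. MountPoints2 is Explorer's per-volume cache of shell settings, including the command it picked up from a removable drive's autorun.inf, so a cached command under MountPoints2\{GUID}\Shell\...\command can keep a drive letter redirected even after the autorun.inf itself is gone; DisableTaskMgr and DisableRegistryTools under Policies\System are the values that grey out Task Manager and regedit. The dump below is constructed (its GUIDs and the F:\RECYCLER path included); the export command in the docstring is standard reg.exe syntax, and the audit only reads text, it never touches the registry.

```python
"""Audit a `reg export` dump for cached MountPoints2 autorun commands and the
Task Manager / registry-tools lockout policies. Added example; SAMPLE_DUMP is constructed.
On a real machine produce the input with, e.g.:
  reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 mp2.reg
  reg export "HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System" pol.reg
and pass the file text (it is UTF-16; decode it first) to audit()."""
import re

KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)+")=(.*)$')
# ...\MountPoints2\{GUID}\Shell\<verb>\command : the cached per-volume shell command
MP2_COMMAND_RE = re.compile(
    r"^(HKEY_\w+\\.*\\MountPoints2\\(\{[0-9a-f-]+\}))\\Shell\\([^\\]+)\\command$",
    re.IGNORECASE,
)
POLICY_VALUES = ("DisableTaskMgr", "DisableRegistryTools")
HIVE_ABBREV = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU",
               "HKEY_USERS": "HKU", "HKEY_CLASSES_ROOT": "HKCR"}


def unescape(s):
    return s.replace('\\"', '"').replace("\\\\", "\\")


def decode_value(raw):
    """Strings and dwords are decoded; hex(...) blobs are returned as written."""
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return unescape(raw[1:-1])
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    return raw


def parse_reg_export(text):
    """Return {key: {value_name: value}} from REGEDIT5-syntax text ('@' is the default value)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", "REGEDIT4", ";")):
            continue
        km = KEY_RE.match(line)
        if km:
            current = km.group(1)
            keys.setdefault(current, {})
            continue
        vm = VALUE_RE.match(line)
        if vm and current is not None:
            name = "@" if vm.group(1) == "@" else unescape(vm.group(1)[1:-1])
            keys[current][name] = decode_value(vm.group(2))
    return keys


def abbreviate(key):
    hive, sep, rest = key.partition("\\")
    return HIVE_ABBREV.get(hive.upper(), hive) + sep + rest


def audit(text):
    """Return [{'issue': ..., 'fix': ...}] in the same reg delete form the post uses."""
    findings = []
    for key, values in parse_reg_export(text).items():
        m = MP2_COMMAND_RE.match(key)
        if m and "@" in values:
            guid_key, guid, verb = m.groups()
            findings.append({
                "issue": f"MountPoints2 {guid} caches a {verb} command: {values['@']}",
                "fix": f"reg delete {abbreviate(guid_key)} /f",      # drop the whole volume entry
            })
        if key.lower().endswith("\\policies\\system"):
            for name in POLICY_VALUES:
                if values.get(name) == 1:
                    findings.append({
                        "issue": f"{name} is set under {abbreviate(key)}",
                        "fix": f"reg delete {abbreviate(key)} /v {name} /f",
                    })
    return findings


# Constructed dump: one volume with a cached autorun command, one clean volume, lockout policies.
SAMPLE_DUMP = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{00000000-1111-2222-3333-444444444444}]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{00000000-1111-2222-3333-444444444444}\Shell]
@="AutoRun"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{00000000-1111-2222-3333-444444444444}\Shell\AutoRun\command]
@="F:\\RECYCLER\\autorun.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{55555555-6666-7777-8888-999999999999}]
"BaseClass"="Drive"

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000001
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_DUMP):
        print(f["issue"])
        print("  " + f["fix"])
```

The audit flags any cached Shell verb command, not just AutoRun, since an autorun.inf can also plant shell\open\command and shellexecute entries; the emitted fix removes the whole {GUID} entry for that volume, which is exactly what the reg delete in this post does, and Explorer rebuilds a clean entry the next time the drive is plugged in.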