Jump to content


Trusted Malware Techs
  • Content Count

  • Joined

  • Last visited

About Swandog46

  • Rank

Previous Fields

  • Teams:
    Nothing Selected
  1. Everything looks great --- your HijackThis log is completely clean. Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers. 1) Please navigate to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows, including the latest version of Internet Explorer. This can patch many of the security holes through which attackers can gain access to your computer. I cannot stress enough how important this is. 2) In order to protect yourself against spyware, you should consider installing and running the following free programs: Ad-Aware SE A tutorial on using Ad-Aware to remove spyware from your computer may be found here. Spybot-Search & Destroy A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features. SpywareBlaster A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here. SpywareGuard A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here. Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle. 3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here: http://www.mozilla.org/products/firefox/ 4) Also make sure to run your antivirus software regularly, and to keep it up-to-date. 5) Finally, consider maintaining a firewall. Some good free firewalls are ZoneAlarm, Kerio, or Sygate. A tutorial on understanding and using firewalls may be found here. Please also read Tony Klein's excellent article: How I got Infected in the First Place Hopefully this should take care of your problems! Good luck.
  2. No problem --- happy to help Those thumbs files were always there, but they are hidden, and you probably didn't have viewing of hidden files enabled before. For your protection we can disable it again (and it will make the thumbs files disappear anyway): 1) Go to My Computer, and click on the "Tools" menu 2) Click "Folder options" 3) Select the "View" tab 4) Make sure "Show hidden files and folders" is NOT selected 5) Make sure "Hide extensions for known file types" is CHECKED 6) Make sure "Hide protected operating system files (recommended)" is CHECKED Click Apply and OK. Those Restore files are system restore backups. Please follow the directions on this page: http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam to disable System restore temporarily. Then restart your computer, and follow the directions again to turn System Restore back ON. Please do not forget to turn it back on!!! Then run a full scan with Ad-Aware, and let me know if it comes up clean.
  3. Just one more HijackThis line to fix: O2 - BHO: (no name) - {85A8D8EC-063D-475C-88B4-B23149E5A8BC} - (no file) Other than that, everything looks great. Do you have any remaining symptoms of infection?
  4. Thank you --- I got those files. This is looking good! I would like to get just one more file from you... can you please run Suspicious File Packer again, and pack this file: C:\WINDOWS\SYSTEM\conres.cpl Then please send it to me at the same address. Now let's see if we can get rid of this junk. 1) Please download the Killbox. Unzip it to the desktop but do NOT run it yet. 2) Then please run Killbox. 3) Select "Delete on Reboot". 4) Copy the file names below to the clipboard by highlighting them and pressing Control-C: C:\WINDOWS\ujrlhm.exe C:\WINDOWS\SYSTEM\DATADX.DLL C:\WINDOWS\AUNPS2.DLL C:\WINDOWS\SYSTEM\AUNPS2.DLL c:\Windows\Start Menu\Programs\StartUp\cknu.exe C:\WINDOWS\SYSTEM\conres.cpl C:\PTUE.EXE C:\Program Files\uthm 5) Return to Killbox, go to the File menu, and choose "Paste from Clipboard". 6) Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt. Then please restart your computer. Run HijackThis, click Scan, and check (some of these may be gone by the time you get to this step): O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,[email protected] O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\ujrlhm.exe reg_run O4 - HKLM\..\Run: [autoupdate] rundll32 C:\WINDOWS\SYSTEM\DATADX.DLL,SHStart O4 - HKCU\..\Run: [Xhvzs] \ptue.exe O4 - HKCU\..\Run: [uate] C:\Program Files\uthm\area.exe O4 - Startup: cknu.exe Close all open windows and click Fix Checked. Restart once more and post new logs from HijackThis and TrackQoo.
  5. Hi AmoLaZucca Well, at least from my end it seems like it worked wonderfully! I do see a whole bunch of other infections in your log including Qoologic that I would like to clean up in order to make SURE it worked correctly, but I am very pleased with the results! Thank you for agreeing to be my first test "in the wild" of this method. Now, to the other infections --- I would first like to harvest some files from you if you don't mind. That way I can get to work on a removal method for this different infection as well. The more we learn, the more people we can help. Please download the Suspicious File Packer from here: http://www.safer-networking.org/files/sfp.zip Unzip it to the desktop and run it. Paste the following list of bad files into the Suspicious File Packer window: C:\WINDOWS\SYSTEM\DATADX.DLL C:\WINDOWS\ujrlhm.exe C:\WINDOWS\AUNPS2.DLL C:\WINDOWS\SYSTEM\AUNPS2.DLL c:\Windows\Start Menu\Programs\StartUp\cknu.exe Allow SFP to pack the files. This will generate a CAB archive on your desktop. Please email the files to me at Swandog46[AT]go[DOT]com (replace [AT] with @ and [DOT] with .) Please include a link to this log, as well as your most recent HijackThis log. Thank you! Then please run HijackThis, click Scan, and check: O2 - BHO: (no name) - {85A8D8EC-063D-475C-88B4-B23149E5A8BC} - (no file) O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,[email protected] O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\ujrlhm.exe reg_run O4 - HKLM\..\Run: [autoupdate] rundll32 C:\WINDOWS\SYSTEM\DATADX.DLL,SHStart O4 - HKCU\..\Run: [Xhvzs] \ptue.exe O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe O4 - HKCU\..\Run: [uate] C:\Program Files\uthm\area.exe O4 - Startup: cknu.exe Close all open windows and click Fix Checked. Go to Start -> Control Panel -> Add/Remove Programs and remove Web Offer, if it appears. Then delete the folders: C:\Program Files\Web Offer C:\Program Files\uthm Also delete the files: C:\WINDOWS\AUNPS2.DLL C:\WINDOWS\ujrlhm.exe c:\Windows\Start Menu\Programs\StartUp\cknu.exe C:\WINDOWS\SYSTEM\AUNPS2.DLL C:\WINDOWS\SYSTEM\DATADX.DLL Now we need to do a little diagnostics. Please download the following tools to assist in removing this infection! Download WinPFindUnzip it somewhere you will remember like the Desktop Dont do anything with it yet! Download Track qooUnzip it somewhere you will remember like the Desktop Reboot into Safe ModeRestart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode. Doubleclick WinPFind.exe Click "Start Scan" It will scan the entire System, so please be patient! Once the Scan is Complete Go to the WinPFind folder Locate WinPFind.txt Place those results in the next post! Reboot back to Normal Mode! Double Click on "Track qoo.vbs" Note - If you Antivirus has Script Blocking, you will get a Pop Up Window asking you what to do. Allow this Entire Script to Run, its harmless! Wait a few seconds and a notepad page will pop up, Save those results and place them in the next post along with the results of WinPFind! We'll get to the bottom of all this, don't worry
  6. Hi AmoLaZucca I've asked thatman if I can step in and help here, because I've been working on a tool to remove this infection on Windows 98 and ME systems. It's a tough one, as you can see from all the steps you two have been trying! Please download this file: http://www.geekstogo.com/forum/index.php?a...pe=post&id=2765 Unzip it to your desktop, and run RunThis.bat. A window will open, and your desktop will disappear, then reappear. Be patient until the batch says it is completed. Then please restart your computer, and post a new HijackThis log as well as the text of the log.txt file which should be in the same folder as RunThis.bat. In the interests of full disclosure, I will warn you that although I have had total success thus far in my tests, this IS still a test-run, and you should be aware that there may be bugs (though to the best of my knowledge I have worked them all out). Thank you!
  • Create New...