New Year starts as a victim of usrqp - just won't stay dead


Re: New Year starts as a victim of usrqp - just won't stay dead

Post by markamus » January 17th, 2008, 2:48 pm

Your logs appear all clean.

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

We can now remove Combofix. To do this, do the following:
Go to Start > Run - type in ComboFix /u & click OK

This is a good time to clear your existing system restore points and establish a new clean restore point:

  • Go to Start > All Programs > Accessories > System Tools > System Restore
  • Select Create a restore point, and Ok it.
  • Next, go to Start > Run and type in cleanmgr
  • Select drive will open. Click OK
  • Either a scan will open up and take a few minutes or it will go directly to Disk Cleanup for ...
  • Select the More options tab
  • Find System Restore. Click Clean up

Set correct settings for files that should be hidden in Windows XP
  • Click Start > My Computer > Tools menu (at top of page) > Folder Options > View tab.
  • Under "Hidden files and folders" if necessary select Do not show hidden files and folders.
  • If unchecked please check Hide protected operating system files (Recommended)
  • If necessary check "Display content of system folders"
  • If necessary Uncheck Hide file extensions for known file types.
  • Click OK

  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.


  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware


  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety

  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
  • Google Toolbar <= Get the free Google toolbar to help stop pop up windows.
  • Comodo BOCLEAN <= Stop identity thieves from getting personal information. Instantly detects well over 1,000,000 unique, variant and repack malware in total. And it's free.
  • Winpatrol <= Download and install the free version of Winpatrol. A tutorial for this product is located here:
    Using Winpatrol to protect your computer from malicious software

Stand Up and Be Counted ---> Malware Complaints <--- where you can make a difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Also, please read this great article by Tony Klein So How Did I Get Infected In First Place
Also visit this page to read up on prevention:
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html

Happy surfing and stay clean!

markamus

Re: New Year starts as a victim of usrqp - just won't stay dead

Post by bison7120 » January 17th, 2008, 7:59 pm

Thanks markamus,

I will try to follow all of the above advice. It’s a shame that we have to put in so much effort to fight this crap.

I really appreciate all your help,
bison7120

Re: New Year starts as a victim of usrqp - just won't stay dead

Post by bison7120 » January 17th, 2008, 10:07 pm

Hi markamus,

Something went terribly wrong just minutes after my last reply!

When I start WordPerfect it now first prompts me with two info dialogs that a file can not be opened. But the program continues and I can open documents just fine.

When I start Firefox, it opens two tabs, one is 404 Not found and the other is http://www.weblog.com/Mozilla and a 'can not find what you are looking for' page. It should have only opened my home page - which it does when I click the Home icon.

When I start WinTV, it starts, but a Message info dialog that says: C:\PROGRAM~1\WINTV\Files\WinTV\WinTV2k.EXE contains an invalid path. While that box is displayed, the TV program runs fine behind it. When I click the OK button, it closes the TV window.

I did only ‘two’ things that might have led to these very odd problems.

NOTE: I use WP, WinTV, Firefox continuously and constantly every day, many times a day, and know for a fact that all three were working fine just minutes before I did the following:

1) January 17, 2008 (6:12pm)
I removed all three versions of ComboFix by using a cmd prompt and CD’ing to the D:\Me-XP\Downloads\malware\FirstComboFix, SecondComboFix, ThirdComboFix directories and running ComboFix.exe /u (Each time I would get a new ComboFix, I would first move the program and any log files from the desktop to these directories - I did not remove an old version of ComboFix before installing a new one.)

Also deleted VundoFix.exe from desktop and moved a VundoFix.txt file from C:\ to D:\Me-XP\Downloads\malware\Vundofix122907-09-19-AM.txt

Also moved a Kaspersky log file from desktop to same place.

I deleted the shortcut to hijackthis from desktop.

2) January 17, 2008 (6:20pm)
I created a new System Restore Point at 6:19 called “After MalWare Removal Forum”.

Then when I restarted WP to open this document, I got two errors about wp programs that could not be started, and yet here I am (ie typing this in wordperfect). WEIRD!

The two errors from WordPerfect are exclamation information dialogs:

The file ‘Files\Corel\WordPerfect’ as specified in the execution parameters, cannot be opened.

and

The file ‘2000\programs\wpwin9.exe’ as specified in the execution parameters, cannot be opened.

(I don’t know why the paths in the above errors are truncated, but the full path to the program is C:\Program Files\Corel\WordPerfect Office 2000\programs)

Summary: Either running ComboFix.exe /u 3 times from three folders or creating a Restore Point caused all these weird problems.

So, I looked at the System Restore points, and had only two listed for today (and no other days were bold, so no other restore points!). One restore point was the one I just created at 6:19 PM, and a second ‘System Checkpoint’ created just a few minutes before at 6:17 PM. I suspect that the ComboFix /u run(s) created the 6:17 restore point.

So, I decided to do a system Restore to the System Checkpoint, since it was just a few minutes before I noticed problems. But after the restore I still have the same problems.

NOTE: Some frequently started programs start fine such as Outlook Express and Spider Solitaire.

NOTE: I never did get to the step to run cleanmgr - right after creating a system restore point was when the problems started.

Do you have any idea of what might have gone wrong?

Thanks,
bison7120

Re: New Year starts as a victim of usrqp - just won't stay dead

Post by bison7120 » January 18th, 2008, 3:14 pm

Hi markamus,

I figured out my problem with programs such as WP, WinTV and Firefox not starting properly after I ran ComboFix /u. A little Googling on the errors I got from WordPerfect led me to remember that when I ran ComboFix.exe /u the first time, SpyBot prompted me that a registry value was changing from something like “%1 %*” to %1 %*. And the WordPerfect people were also having problems related to a %1 parameter in or out of double quotes.

But still, I wasn’t sure if the registry key at:
My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command should be %1 %* or “%1 %*” or (%1 %*). (When WP, Firefox and WinTV were not working right, the value was %1 %* (i.e. no quotes).)

Being pretty sure that ComboFix would change the value when installed, I did just that, downloaded a new ComboFix and ran it and SpyBot prompted that the registry was changing to add the double quotes around the key.

And sure enough, WinTV, Firefox and WP all ran just fine with no error messages.

I then ran : Start > Run - type in ComboFix /u & click OK
and fully expected another SpyBot alert that the registry key was changing to remove the double quotes - which I intended to deny - but it didn’t. The key is still set to: “%1 %*” and everything works fine.

January 18, 2008 (12:40pm)
I just rebooted because System Restore said that the restore points were disabled till I rebooted. After rebooting, I got a SpyBot prompt that the registry key was changing from %1 %* to “%1 %*”, and I allowed it. WinTV and WP and Firefox work fine.

One last thing: What is wrong with my System Restore Points? Besides the last few days, it has been years since I looked at or used or made a restore point. But now, the System Restore program will not show me any older restore points. For example, right now, when I click on Restore My Computer, I get the Calendar and the list of restore points, but I have only one System Checkpoint listed from 12:33 today (when I ran the ComboFix /u command I suspect), but I can not select yesterday - when I created my own restore point - nor any other date.

I’ve looked at the configuration for System Restore in Control Panel - System - System Restore and it is turned on and all three drives (C:, D:, E:) are being monitored and set to use 12% of each disk.

So, do you have any idea why I don’t have many historical restore points? Hmmm - I do now run CCleaner and ATF Cleaner every day - maybe they delete the restore points?

Thanks,
bison7120
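An added example, not part of the thread or of ComboFix: it audits the `shell\open\command` default values in a regedit export against the Windows default `"%1" %*`, and shows with a simplified whitespace-splitting model why the unquoted `%1 %*` form produces the path fragments WordPerfect reported above. The `.reg` sample is constructed and the function names are illustrative.

```python
import re

EXPECTED = '"%1" %*'  # Windows default open command for these file classes
CLASSES = ("exefile", "comfile", "batfile", "cmdfile", "piffile")

# Constructed sample in regedit export (.reg) format, not taken from the thread's logs.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
@="%1 %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\batfile\shell\open\command]
@="\"%1\" %*"
'''

KEY_RE = re.compile(r'^\[(?:HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER)\\SOFTWARE\\Classes\\'
                    r'(\w+)\\shell\\open\\command\]$', re.I)
DEFAULT_RE = re.compile(r'^@="(.*)"$')

def parse_open_commands(reg_text):
    """Return {class_name: default value} for shell\\open\\command keys."""
    found, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
        elif line.startswith("["):
            current = None  # some other key: ignore its values
        elif current and (v := DEFAULT_RE.match(line)):
            # .reg strings escape backslash and double quote with a backslash
            found[current] = re.sub(r'\\(.)', r'\1', v.group(1))
    return found

def audit(reg_text):
    """Return {class_name: value} for handlers that differ from the default."""
    cmds = parse_open_commands(reg_text)
    return {c: v for c, v in cmds.items() if c in CLASSES and v != EXPECTED}

def expand(template, path, args=""):
    """Simplified model: substitute %1 and %*, then split on spaces outside quotes."""
    line = template.replace("%1", path).replace("%*", args)
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', line)]

# Program path as given in the post above.
WP = r"C:\Program Files\Corel\WordPerfect Office 2000\programs\wpwin9.exe"

if __name__ == "__main__":
    print(audit(SAMPLE_REG), expand("%1 %*", WP), expand(EXPECTED, WP), sep="\n")
```

On a live system, `reg export HKLM\SOFTWARE\Classes\exefile exefile.reg` produces input in this format; regedit exports are UTF-16, so decode the file accordingly before passing its text to `audit`.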

Re: New Year starts as a victim of usrqp - just won't stay dead

Post by markamus » January 20th, 2008, 3:10 pm

Hi bison7120,

Do you know if the restore points were set after everything was cleaned? Or are the restore points set after your PC was cleaned the ones that are giving you problems? My previous instructions will purge all old restore points so just the ones set afterwards will be active. Please let me know so we can see which way to go from here.

Thanks,

markamus

Re: New Year starts as a victim of usrqp - just won't stay dead

Post by bison7120 » January 20th, 2008, 10:42 pm

Hi markamus,

Well, I think I’m OK now. Looking right now at the available System Restore Points shows that I have three days’ worth. The 18th and 19th have System Checkpoints and today also has an automatic one when I upgraded Quicktime.

But back on the 17th, I began to follow your final instructions to first uninstall ComboFix, then Create a manual restore point - which I did. I never did get to the next steps to run cleanmgr and clean all the restore points. (Because I noticed that weird problem where certain programs would not start properly because ComboFix had changed a registry key related to running .exe programs.)

But, that manual restore point I created on the 17th is no longer available - nothing prior to the 18th is bold in the System Restore calendar widget. (As I mentioned before, I rarely ever look at the restore points - except I have looked a couple of times in the past few weeks while we worked on my issues - and I never had anything - no system checkpoints - no nothing. I have no idea when the restore points initially stopped being created - could be years - or it could be very recently.)

I’m pretty sure that ComboFix was messing with the restore points. I notice that as ComboFix runs, it says it is creating a restore point, so I would have expected to have seen those as available restore points - but do not.

I’m thinking that the version of ComboFix I downloaded and ran on the 18th (just because I knew it would set the registry key correctly for exe programs), also may have had a fix that dealt with restore points. After I ran ComboFix that day, and verified that the exe issue was resolved, I then uninstalled it. Then I went to System Restore (just to see) and the program said that Restore points were disabled and that I needed to reboot (they were not disabled the day before when following the final instruction I had created a manual restore point). So I rebooted - and now today I see that I’m getting a System Checkpoint every day.

I know I tend to go on and on, but I just thought that my experience might be helpful to others by giving plenty of details.

So, once again, I’m in good shape. I may or may not continue with the final instructions to use cleanmgr to remove all old checkpoints because the only ones I seem to have are good ones from after all the malware was removed.

Thanks,
bison7120

Re: New Year starts as a victim of usrqp - just won't stay dead

Post by Elrond » January 21st, 2008, 7:36 pm

This topic is now closed. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.