Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Total XP security malware

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Re: Total XP security malware

Unread postby jessf » April 8th, 2010, 10:03 am

3. I did not have any problems.
4. My Gmail is working & I am no longer being directed to ad sites when I use a search engine. Everything seems to be working properly. Thank you very much for your help. Is there anything else I need to do? How could I prevent all of this in the future?
You do not have the required permissions to view the files attached to this post.
jessf
Active Member
 
Posts: 12
Joined: March 31st, 2010, 5:48 pm
Advertisement
Register to Remove

Re: Total XP security malware

Unread postby gringo_pr » April 8th, 2010, 4:31 pm

double post
Last edited by gringo_pr on April 8th, 2010, 5:33 pm, edited 1 time in total.
User avatar
gringo_pr
Site Moderator
Site Moderator
 
Posts: 1816
Joined: March 31st, 2007, 1:35 pm
Location: puerto rico

Re: Total XP security malware

Unread postby gringo_pr » April 8th, 2010, 4:38 pm

Hello

You need to update to SP3 and now is a good time as your computer is looking clean. you can download it here - http://windowsupdate.microsoft.com/ or you can download it from here http://www.microsoft.com/downloads/deta ... laylang=en

I would like you to run this online scan to be sure there is no leftovers

:Kaspersky scan:

    Please go to Kaspersky website and perform an online antivirus scan.

    • Read through the requirements and privacy statement and click on Accept button.
    • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    • When the downloads have finished, click on Settings.
    • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
        Spyware, Adware, Dialers, and other potentially dangerous programs
        Archives
        Mail databases
    • Click on My Computer under Scan.
    • Once the scan is complete, it will display the results. Click on View Scan Report.
    • You will see a list of infected items there. Click on Save Report As....
    • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
    • Please post this log in your next reply.

Let me have the log from kaspersky when it is done

gringo
User avatar
gringo_pr
Site Moderator
Site Moderator
 
Posts: 1816
Joined: March 31st, 2007, 1:35 pm
Location: puerto rico

Re: Total XP security malware

Unread postby jessf » April 9th, 2010, 8:41 am

Ok, I downloaded the Service Pack 3.

I am having trouble running Kaspersky. It's giving me the error:

Kaspersky Online Scanner 7.0 download and operation require Java framework version 1.5 or later.

However, when I go to the Java website, it says I have the latest version downloaded.
jessf
Active Member
 
Posts: 12
Joined: March 31st, 2010, 5:48 pm

Re: Total XP security malware

Unread postby gringo_pr » April 9th, 2010, 5:07 pm

ok no problem please try this one

Go here to run an online scannner from ESET.
  • Note: You will need to use Internet explorer for this scan
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic and also let me know how things are now.
User avatar
gringo_pr
Site Moderator
Site Moderator
 
Posts: 1816
Joined: March 31st, 2007, 1:35 pm
Location: puerto rico

Re: Total XP security malware

Unread postby jessf » April 10th, 2010, 12:55 pm

Here is the log from the Eset scan. It said it found 23 infections, but my computer still seems to be running well.

# version=7
# iexplore.exe=6.00.2900.5512 (xpsp.080413-2105)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=a5099d61229b6747805c85d458dae733
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-04-10 05:15:12
# local_time=2010-04-10 01:15:12 (-0400, Atlantic Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=5890 16777214 0 2 49528990 49528990 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# compatibility_mode=9217 16777214 0 9 158748 155775025 0 0
# scanned=79489
# found=23
# cleaned=0
# scan_time=6620
C:\Documents and Settings\jessc0125\Shared\electropop.mp3 WMA/TrojanDownloader.GetCodec.C trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\[4]-Submit_2010-04-07_08.48.13.zip multiple threats 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\[4]-Submit_2010-04-08_08.52.19.zip multiple threats 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Documents and Settings\jessc0125\Local Settings\Application Data\MSASCui.exe.vir a variant of Win32/Kryptik.DKW trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Documents and Settings\jessc0125\Local Settings\Application Data\avG\av.exe.vir a variant of Win32/Kryptik.DKW trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Documents and Settings\jessc0125\Local Settings\Application Data\avG\ave.exe.vir a variant of Win32/Kryptik.DKW trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Documents and Settings\jessc0125\Local Settings\Application Data\avG\MSASCui.exe.vir a variant of Win32/Kryptik.DKW trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Documents and Settings\jessc0125\Local Settings\Application Data\Microsoft\Windows Defender\av.exe.vir a variant of Win32/Kryptik.DKW trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Documents and Settings\jessc0125\Local Settings\Application Data\Microsoft\Windows Defender\ave.exe.vir a variant of Win32/Kryptik.DKW trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Documents and Settings\jessc0125\Local Settings\Application Data\Microsoft\Windows Defender\MSASCui.exe.vir a variant of Win32/Kryptik.DKW trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Documents and Settings\jessc0125\Local Settings\Application Data\Microsoft\Windows Defender\vma.exe.vir a variant of Win32/Kryptik.DKW trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Documents and Settings\LocalService\Local Settings\Application Data\ave.exe.vir a variant of Win32/Kryptik.DLI trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\PROGRA~1\AWS\WEATHE~1\MINIBU~1.DLL.vir Win32/Adware.WBug.A application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\odupopak.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\oweterot.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\rifojehu.dll.vir a variant of Win32/Kryptik.CRQ trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\rodusano.dll.vir a variant of Win32/Kryptik.DNI trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\silugihi.dll.vir a variant of Win32/Kryptik.DNI trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\tovuriro.dll.vir a variant of Win32/Kryptik.CRQ trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\zonokiro.dll.vir a variant of Win32/Kryptik.DNI trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\av.exe.vir a variant of Win32/Kryptik.DFO trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\ave.exe.vir a variant of Win32/Kryptik.DLI trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\atapi.sys.vir Win32/Olmarik.VM trojan 00000000000000000000000000000000 I
# version=7
# iexplore.exe=6.00.2900.5512 (xpsp.080413-2105)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=a5099d61229b6747805c85d458dae733
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-04-10 04:40:38
# local_time=2010-04-10 12:40:38 (-0400, Atlantic Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=5890 16777214 0 2 49568790 49568790 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# compatibility_mode=9217 16777214 0 9 198548 155814825 0 0
# scanned=79882
# found=23
# cleaned=0
# scan_time=7944
C:\Documents and Settings\jessc0125\Shared\electropop.mp3 WMA/TrojanDownloader.GetCodec.C trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\[4]-Submit_2010-04-07_08.48.13.zip multiple threats 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\[4]-Submit_2010-04-08_08.52.19.zip multiple threats 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Documents and Settings\jessc0125\Local Settings\Application Data\MSASCui.exe.vir a variant of Win32/Kryptik.DKW trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Documents and Settings\jessc0125\Local Settings\Application Data\avG\av.exe.vir a variant of Win32/Kryptik.DKW trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Documents and Settings\jessc0125\Local Settings\Application Data\avG\ave.exe.vir a variant of Win32/Kryptik.DKW trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Documents and Settings\jessc0125\Local Settings\Application Data\avG\MSASCui.exe.vir a variant of Win32/Kryptik.DKW trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Documents and Settings\jessc0125\Local Settings\Application Data\Microsoft\Windows Defender\av.exe.vir a variant of Win32/Kryptik.DKW trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Documents and Settings\jessc0125\Local Settings\Application Data\Microsoft\Windows Defender\ave.exe.vir a variant of Win32/Kryptik.DKW trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Documents and Settings\jessc0125\Local Settings\Application Data\Microsoft\Windows Defender\MSASCui.exe.vir a variant of Win32/Kryptik.DKW trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Documents and Settings\jessc0125\Local Settings\Application Data\Microsoft\Windows Defender\vma.exe.vir a variant of Win32/Kryptik.DKW trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Documents and Settings\LocalService\Local Settings\Application Data\ave.exe.vir a variant of Win32/Kryptik.DLI trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\PROGRA~1\AWS\WEATHE~1\MINIBU~1.DLL.vir Win32/Adware.WBug.A application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\odupopak.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\oweterot.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\rifojehu.dll.vir a variant of Win32/Kryptik.CRQ trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\rodusano.dll.vir a variant of Win32/Kryptik.DNI trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\silugihi.dll.vir a variant of Win32/Kryptik.DNI trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\tovuriro.dll.vir a variant of Win32/Kryptik.CRQ trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\zonokiro.dll.vir a variant of Win32/Kryptik.DNI trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\av.exe.vir a variant of Win32/Kryptik.DFO trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\ave.exe.vir a variant of Win32/Kryptik.DLI trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\atapi.sys.vir Win32/Olmarik.VM trojan 00000000000000000000000000000000 I
jessf
Active Member
 
Posts: 12
Joined: March 31st, 2010, 5:48 pm

Re: Total XP security malware

Unread postby gringo_pr » April 10th, 2010, 1:54 pm

Good afternoon

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps..

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

Code: Select all
File::
C:\Documents and Settings\jessc0125\Shared\electropop.mp3
SkipFix::


Save it to your desktop as CFScript.txt

Refering to the picture above, drag CFScript.txt into ComboFix.exe
Image
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Very well done!! This is my general post for when your logs show no more signs of malware ;)- Please let me know if you still are having problems with your computer and what these problems are.

ESET is only reporting backups created during the course of this fix, and items located in C:\System Volume Information\, which is where System Restore's cache is stored. Whatever is in there can't harm you unless you choose to perform a manual restore. Nevertheless, we shall be resetting/clearing the cache shortly.

The following procedure will implement some cleanup procedures. It will also reset your System Restore by flushing out previous restore points (which contain the infections) and create a new restore point.

:Uninstall ComboFix:

  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • please copy and past the following into the box ComboFix /Uninstall and click OK.
  • Note the space between the X and the /Uninstall, it needs to be there.
  • Image

:DeFogger:

    To re-enable your Emulation drivers, double click DeFogger to run the tool.
    • The application window will appear
    • Click the Re-enable button to re-enable your CD Emulation drivers
    • Click Yes to continue
    • A 'Finished!' message will appear
    • Click OK
    • DeFogger will now ask to reboot the machine - click OK
    IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_enable which will appear on your desktop.

    Your Emulation drivers are now re-enabled.

:Make your Internet Explorer more secure:


:Turn On Automatic Updates:

    Turn On Automatic Updates
    1. Click Start, click Run, type sysdm.cpl, and then press ENTER.
    2. Click the Automatic Updates tab, and then click to select one of the following options. We recommend that you select the Automatic (recommended) Automatically download recommended updates for my computer and install them

    If you click this setting, click to select the day and time for scheduled updates to occur. You can schedule Automatic Updates for any time of day. Remember, your computer must be on at the scheduled time for updates to be installed. After you set this option, Windows recognizes when you are online and uses your Internet connection to find updates on the Windows Update Web site or on the Microsoft Update Web site that apply to your computer. Updates are downloaded automatically in the background, and you are not notified or interrupted during this process. An icon appears in the notification area of your taskbar when the updates are being downloaded. You can point to the icon to view the download status. To pause or to resume the download, right-click the icon, and then click Pause or Resume. When the download is completed, another message appears in the notification area so that you can review the updates that are scheduled for installation. If you choose not to install at that time, Windows starts the installation on your set schedule.

    or visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

:antispyware programs:
    you have a couple of good antispyware programs on this computer but you still can try some of these others to see if you like them also

    I would reccomend the download and installation of some or all of the following programs (all free), and the updating of them regularly:
    • WinPatrol As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge.

    • Malwarebytes' Anti-Malware- Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is
      totally free but for real-time protection you will have to pay a small one-time fee.
    • Spyware Blaster - By altering your registry, this program stops harmful sites from installing things like ActiveX Controls on your machines.


please read this great article by miekiemoes How to prevent Malware:
and
this great article by Tony Klein So How Did I Get Infected In First Place

Now you have followed my advice - it's time to lodge a complaint against what you have suffered.........

Malware Complaints
If you were infected .... Stand Up and be Counted.

I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can then be closed.

Gringo
User avatar
gringo_pr
Site Moderator
Site Moderator
 
Posts: 1816
Joined: March 31st, 2007, 1:35 pm
Location: puerto rico

Re: Total XP security malware

Unread postby jessf » April 10th, 2010, 8:30 pm

Ok, I followed all your instructions. Things are running very smoothly now, thank you for your help, you can close the thread now.
jessf
Active Member
 
Posts: 12
Joined: March 31st, 2010, 5:48 pm

Re: Total XP security malware

Unread postby Dakeyras » April 12th, 2010, 10:45 am

As this topic is resolved, this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.
User avatar
Dakeyras
MRU Honors Graduate
MRU Honors Graduate
 
Posts: 8735
Joined: November 21st, 2007, 5:30 am
Location: The Tundra
Advertisement
Register to Remove

Previous

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 29 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware