Avast WEBforum
Other => Viruses and worms => Topic started by: TokeiLampin on January 18, 2014, 12:54:21 AM
-
Can you help me?... Automatically my PC installs C:\Program Files\gssoft\gswb\2.8.1.0113 and I keep uninstalling it, then the application suddenly installs again without me installing it... Already scanned with Avast but found nothing
-
Hi,
Please go here: http://forum.avast.com/index.php?topic=53253.0
We need MBAM/OTL/aswMBR logs. After that I can have someone help you. If you post logs within the next 3-4 hours it may take another 4-5 hours before someone answers since most are in the UK and are asleep.
-
OTL Done
-
aswMBR logs
-
I've notified someone to come help you.
Warning: Windows XP support will be ended by Microsoft on April 8, 2014. After that, most security exploits will be exploited leaving your system more vulnerable.
-
Using hacks and keygens is not conducive to your safety
Warning This fix is only relevant for this system and no other, using on another computer may cause problems
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
(https://dl.dropbox.com/u/73555776/OTL_Fix.GIF)
:Commands
[CREATERESTOREPOINT]
:OTL
SRV - File not found [Auto | Stopped] -- C:\Program Files\gssoft\gswb\2.8.1.0113\Config.exe StartService -- (GuangSuServer)
IE - HKU\S-1-5-21-1801674531-682003330-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 184.106.170.252:8080
O2 - BHO: (豌豆荚 apk 安装器) - {000DA090-57AA-424B-A8F0-621B7C08B8F4} - C:\Program Files\WandouLabs\wandoujia_bho.dll File not found
O2 - BHO: (no name) - {452ADB5B-00BE-469D-A65F-3046146B2ED5} - No CLSID value found
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKU\S-1-5-21-1801674531-682003330-839522115-1003\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O33 - MountPoints2\{d89f83f3-801a-11de-a1cb-d967a5b45335}\Shell\AutoRun\command - "" = H:\upx.bat
O33 - MountPoints2\{d89f83f3-801a-11de-a1cb-d967a5b45335}\Shell\open\Command - "" = H:\upx.bat
[2014/01/17 06:30:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Seven By Four\Application Data\gssoft
:Files
C:\Documents and Settings\Seven By Four\Desktop\Fail Kerja\TOOLS FOR DOWNLOAD AND INSTALLATION\HackPack V 1.1
C:\Documents and Settings\Seven By Four\Desktop\Jual\N90.N70.stuff\GAMES\Symbian\maumau_s60_2_35\Keygen.exe
C:\Program Files\gssoft
:Commands
[resethosts]
[emptytemp]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
-
After finishing OTL this is the log.. hope all the programs stop after this
-
The program is still running and runs popups like this
-
Does this occur in any specific browser ?
Download and Install Combofix
Download ComboFix from one of the following locations:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here (http://forums.whatthetech.com/How_Disable_your_Security_Programs_t96260.html&pid=494216#entry494216)
- Double click on ComboFix.exe & follow the prompts.
- Accept the disclaimer and allow to update if it asks
(http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png)
(http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png)
- When finished, it shall produce a log for you.
- Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.
Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now
-
Sorry, I did not read properly. I just downloaded it from Google Chrome, then just clicked launch; the program ran until reboot, then I found the file must be run from the desktop. Now the problem shows like this, and the thing still runs without clicking anything.
-
OK, does ComboFix not run if it is placed on the desktop?
-
Now ComboFix is at C:\ComboFix and not on the desktop... should I cut that C:\ComboFix to the desktop? Where do I find the log if I just installed it at C:\ComboFix, because I cannot find ComboFix.txt at C:\ComboFix.txt
-
Should I uninstall it again?
using Start->Run->combofix /uninstall or Start->Run->copy combofix /uninstall
then install it back on the desktop?
-
Just download a fresh copy and save it to your desktop, then run from there
-
Already uninstalled and ran it from the desktop, then did not find any ComboFix.txt, only still got combofix at C:, and the adware is still running... and 1 problem I found is when I open Google Chrome to this forum and want to click reply it downloads index.php.. suddenly weird :-[ :-[ :-[
-
Already uninstalled and ran it from the desktop, then did not find any ComboFix.txt, only still got combofix at C:, and the adware is still running... and 1 problem I found is when I open Google Chrome to this forum and want to click reply it downloads index.php.. suddenly weird :-[ :-[ :-[
The index.php happens to me as well, and I am malware free. It's an issue with the forums, not you
-
Thank god... made me worry :)... so where is that combofix.txt?
-
Is the log at C:\combofix.txt ?
Please download Farbar Recovery Scan Tool (http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/) and save it to your Desktop.
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
- Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
- Press Scan button.
- It will produce a log called FRST.txt in the same directory the tool is run from.
- Please copy and paste log back here.
- The first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST.exe/FRST64.exe). Please also paste that along with the FRST.txt into your reply.
-
Don't see any ComboFix.txt at C:, only have an icon like this picture
-
Could you explain exactly when and where these ads appear ? Is it in Chrome, Internet explorer or on the desktop
-
The ads just appear suddenly... when you have not opened anything, or when you open anything like Chrome, Internet Explorer or My Computer... sometimes the ads show small like the picture... sometimes big in the center of the desktop
-
OK could you reboot to safe mode and run Combofix from there please
-
And without running anything the program installs back like the picture.. now I try again to run ComboFix from safe mode, hope it works
-
At last I succeeded in getting combofix.txt in the combofix folder after running in safe mode; this is the log.. because when I run in normal mode, now after 50 it goes to deleting files and the computer suddenly shuts down and restarts... now on the desktop there is 1 Internet Explorer icon but not a shortcut file.
-
OK still some more to get
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Open notepad and copy/paste the text in the quotebox below into it:
Folder::
C:\Documents and Settings\NetworkService.NT AUTHORITY\Application Data\gssoft
C:\Documents and Settings\Seven By Four\Application Data\gssoft
C:\Program Files\gssoft
C:\Documents and Settings\Seven By Four\Application Data\Wandoujia2
File::
C:\Program Files\mozilla firefox\components\scbypassv64.dll
Save this as CFScript.txt, in the same location as ComboFix.exe
(http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif)
Referring to the picture above, drag CFScript into ComboFix.exe
When finished, it will produce a log for you at C:\ComboFix.txt which I will require in your next reply.
-
When I run in normal mode, after 50 it goes to the word deletion, then the computer suddenly goes black and restarts... I can only do that thing in safe mode... after finishing and rebooting, the combofix.txt log was created, then the computer suddenly restarted again, is that normal?.. so here is the log you need
-
Could you run the same Combofix script from safe mode please as the gssoft folders do not appear to have been selected for deletion
-
I ran the same script like that in safe mode and that is what I get... is that script correct?
-
Here it is again
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Open notepad and copy/paste the text in the quotebox below into it:
Folder::
C:\Documents and Settings\NetworkService.NT AUTHORITY\Application Data\gssoft
C:\Documents and Settings\Seven By Four\Application Data\gssoft
C:\Program Files\gssoft
C:\Documents and Settings\Seven By Four\Application Data\Wandoujia2
File::
C:\Program Files\mozilla firefox\components\scbypassv64.dll
C:\Documents and Settings\NetworkService.NT AUTHORITY\Application Data\gssoft
C:\Documents and Settings\Seven By Four\Application Data\gssoft
C:\Program Files\gssoft
C:\Documents and Settings\Seven By Four\Application Data\Wandoujia2
Save this as CFScript.txt, in the same location as ComboFix.exe
(http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif)
Referring to the picture above, drag CFScript into ComboFix.exe
When finished, it will produce a log for you at C:\ComboFix.txt which I will require in your next reply.
-
Here is the log and combofix.txt
-
How is the computer now ?
-
After that it still got that adware and the program still installs, then I ran the script again for the second time... and combofix alerted some new update, I clicked update, then it updated and seems like it installed back... it ran in normal mode and at 50 when it wants to delete the computer restarts like before, then I pressed F8 and ran in safe mode... with no CFScript.txt, and until now I don't seem to see any popup or any program installing.
-
So they are no longer present ? Please do not use cracks or keygens as this is where the malware came from. If you continue you will get infected again, although next time it could be Virut
-
Actually the first time I got this was from Microsoft Update for Internet Explorer.. after I updated that, suddenly I saw that program come and install... I uninstalled it, then it kept installing back... then 2-3 days after that the popup came
-
Has it now gone ?
-
It's all coming back to me now - Celine Dion... after I left it without running any application the advert ran again... the program keeps installing
-
Could you run me a fresh OTL scan please... Have you recently downloaded any new software ?
-
Not running anything, just leaving it without opening anything, then I see it automatically install and run..
-
OTL
-
OK let's try this
Warning This fix is only relevant for this system and no other, using on another computer may cause problems
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
(https://dl.dropbox.com/u/73555776/OTL_Fix.GIF)
:Commands
[CREATERESTOREPOINT]
:OTL
SRV - [2013/12/23 09:57:14 | 001,336,768 | ---- | M] (www.guangsu.cn) [Auto | Stopped] -- C:\Program Files\gssoft\gswb\2.8.1.0113\Config.exe -- (GuangSuShuRuFaService)
O2 - BHO: (豌豆荚 apk 安装器) - {000DA090-57AA-424B-A8F0-621B7C08B8F4} - C:\Program Files\WandouLabs\wandoujia_bho.dll File not found
[2014/01/27 04:51:58 | 001,430,976 | ---- | C] (www.guangsu.cn) -- C:\WINDOWS\System32\gswb.ime
[2014/01/27 04:50:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Seven By Four\Application Data\gssoft
[2014/01/27 00:40:08 | 000,000,000 | ---D | C] -- C:\Program Files\gssoft
[2014/01/26 01:36:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Seven By Four\Application Data\Wandoujia2
[2014/01/17 06:29:50 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\gssoft
:Commands
[resethosts]
[emptytemp]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
-
I found some information about that popup but in Chinese
http://user.qzone.qq.com/1205313146/blog/1385196159
-
Did you run the OTL fix as that will clear out the temporary files as well
-
OTL finish log
-
Quick Scan setting and OTL Log
-
I can see no further sign in the log, has it gone ?
-
Nope... it still installs and that DOS also pops up
-
And this
-
OK did that return today straight after the OTL fix or was it a time later ?
Run a fresh OTL please
-
Later, around 3-4 hours I think... if so, do I need to put the script in or just run it?
-
No need for the script, just ensure All Users is selected and there is a tick in LOP and Purity
-
Oops, I just ran it with the script and clicked Run Scan... I will post a new one after this like you said
-
OK, this one with no script, like the picture below
-
OK prior to this re-installing what were you doing ? Were you visiting a specific website ?
I would like you to set Avast hardened mode to aggressive to see if we can catch the dropper in action
(https://dl.dropboxusercontent.com/u/73555776/Hardened%20mode.JPG)
Warning This fix is only relevant for this system and no other, using on another computer may cause problems
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
(https://dl.dropbox.com/u/73555776/OTL_Fix.GIF)
:Commands
[CREATERESTOREPOINT]
:OTL
SRV - [2013/12/23 09:57:14 | 001,336,768 | ---- | M] (www.guangsu.cn) [Auto | Stopped] -- C:\Program Files\gssoft\gswb\2.8.1.0113\Config.exe -- (GuangSuServer)
O4 - HKU\S-1-5-21-1801674531-682003330-839522115-1003..\Run: [Google+ Auto Backup] "C:\Program Files\Google\Google+ Auto Backup\Google+ Auto Backup.exe" /autostart File not found
O4 - HKLM..\RunOnce: [GSMutualRunOne] C:\Program Files\gssoft\gswb\2.8.1.0113\Mutual.exe (www.guangsu.cn)
[2014/01/28 22:33:48 | 001,430,976 | ---- | C] (www.guangsu.cn) -- C:\WINDOWS\System32\gswb.ime
[2014/01/28 22:33:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Seven By Four\Application Data\gssoft
[2014/01/28 22:33:45 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\gssoft
[2014/01/28 22:33:15 | 000,000,000 | ---D | C] -- C:\Program Files\gssoft
[2014/01/28 22:33:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Seven By Four\Application Data\gssoft
[2014/01/28 22:33:48 | 000,000,000 | ---D | C](C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\????) -- C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\????
:Commands
[resethosts]
[emptytemp]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
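As an added example (not part of this thread and not OTL's own code), here is a small Python triage script for the OTL line formats that appear in the fix above and in the earlier OTL fixes in this thread: SRV service entries, the IE ProxyServer setting, O2 BHOs, O33 MountPoints2 autorun verbs, O4 Run/RunOnce keys and dated file/folder entries. The sample lines are copied from the thread; the regular expressions describing each line shape are assumptions about OTL's output, not taken from its documentation. It pulls out what a helper reads a log for: services and BHOs whose binary is gone, a fixed proxy, an autorun command on a removable drive, autostart keys and recently created folders.

```python
"""Triage helper for OTL scan lines (added example, not OTL's own code)."""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    kind: str    # category of persistence point or hijack
    target: str  # path, address or identifier the line is about
    note: str    # why a helper reviewing the log would look at it


# Constructed sample input: OTL lines quoted from the fix scripts in this thread,
# one per line as OTL prints them, plus an O3 toolbar line the parser leaves alone.
SAMPLE_OTL = r"""
SRV - File not found [Auto | Stopped] -- C:\Program Files\gssoft\gswb\2.8.1.0113\Config.exe StartService -- (GuangSuServer)
IE - HKU\S-1-5-21-1801674531-682003330-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 184.106.170.252:8080
O2 - BHO: (no name) - {452ADB5B-00BE-469D-A65F-3046146B2ED5} - No CLSID value found
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O33 - MountPoints2\{d89f83f3-801a-11de-a1cb-d967a5b45335}\Shell\AutoRun\command - "" = H:\upx.bat
O4 - HKLM..\RunOnce: [GSMutualRunOne] C:\Program Files\gssoft\gswb\2.8.1.0113\Mutual.exe (www.guangsu.cn)
[2014/01/17 06:30:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Seven By Four\Application Data\gssoft
"""

# Line shapes as they appear in the thread. These patterns are an assumption
# about OTL's output format, not taken from OTL documentation.
SRV_RE = re.compile(r"^SRV - (?P<status>.*?) \[(?P<start>[^\]]+)\] -- (?P<path>.+?) -- \((?P<name>[^)]+)\)$")
PROXY_RE = re.compile(r'^IE - .*"ProxyServer" = (?P<proxy>\S+)$')
BHO_RE = re.compile(r"^O2 - BHO: \((?P<name>.*?)\) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<rest>.+)$")
MOUNT_RE = re.compile(r'^O33 - MountPoints2\\(?P<guid>\{[^}]+\})\\Shell\\(?P<verb>\w+)\\command - "" = (?P<cmd>.+)$')
RUN_RE = re.compile(r"^O4 - (?P<hive>\S+?)\.\.\\(?P<key>Run(?:Once)?): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
FILE_RE = re.compile(r"^\[(?P<date>[^|]+)\| (?P<size>[^|]+)\| (?P<attr>[^|]+)\| (?P<cm>[CM])\] (?:\([^)]*\) )?-- (?P<path>.+)$")


def triage(otl_text):
    """Return the findings a helper would look at first, in log order.

    Lines that match none of the known shapes are skipped, not guessed at."""
    findings = []
    for raw in otl_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := SRV_RE.match(line):
            if "not found" in m["status"].lower():
                findings.append(Finding("orphaned-service", m["name"],
                                        "service is still registered but its binary is missing: " + m["path"]))
            else:
                findings.append(Finding("service", m["name"], f"[{m['start']}] {m['path']}"))
        elif m := PROXY_RE.match(line):
            findings.append(Finding("proxy-hijack", m["proxy"],
                                    "browser traffic is routed through a fixed proxy; confirm the user set it"))
        elif m := BHO_RE.match(line):
            rest = m["rest"].lower()
            orphaned = "not found" in rest or rest.startswith("no clsid")
            findings.append(Finding("orphaned-bho" if orphaned else "bho", m["clsid"], m["rest"]))
        elif m := MOUNT_RE.match(line):
            findings.append(Finding("removable-autorun", m["cmd"],
                                    f"{m['verb']} verb of volume {m['guid']} launches a file on the drive"))
        elif m := RUN_RE.match(line):
            findings.append(Finding("autorun-key", m["name"], f"{m['hive']}\\..\\{m['key']} -> {m['cmd']}"))
        elif m := FILE_RE.match(line):
            kind = "recent-folder" if "D" in m["attr"] else "recent-file"
            findings.append(Finding(kind, m["path"], f"{m['cm']} {m['date'].strip()}"))
    return findings


def by_kind(findings):
    """Count findings per category, a quick overview before reading each one."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_OTL):
        print(f"{f.kind:18} {f.target}\n{'':18} {f.note}")
    print(by_kind(triage(SAMPLE_OTL)))
```

Paste a whole OTL log into `triage()` instead of the sample; the O3 toolbar line in the sample is there to show that lines without a known shape are simply skipped rather than guessed at.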
-
OK, already set that... and I think I already deleted that popup registry using this method found on the internet
Folder Delete:
C:\Program Files\Common Files\JHKCSign (difficult to remove: first rename the dll file in the directory, restart, then delete it.)
Delete the registry:
Delete: HKEY_CLASSES_ROOT\CLSID\{13F2CBB7-8754-4dc2-98E4-BF42423EF9A3}
Delete: HKEY_CLASSES_ROOT\ConMenu.ConMenu
Delete: HKEY_CLASSES_ROOT\Interface\{28BAA3FB-E763-4CD8-8EDB-0AE875079802}
Delete: HKEY_CLASSES_ROOT\TypeLib\{88D5328E-895E-4391-A3F9-DF15EC9F343B}
Delete: HKEY_LOCAL_MACHINE\SOFTWARE\JHKCSign
Delete: HKEY_LOCAL_MACHINE\SOFTWARE\JHKCSign-SETUP
Delete: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\__ JHKCSign
Delete: HKEY_LOCAL_MACHINE\SOFTWARE\uusee_config
and found out about that stupid gssoft from this link
http://www.threatexpert.com/report.aspx?md5=63404e559fbc7fca3f555db3715fff6b
-
Here
-
So far only this popup came out
-
I believe that warning is to do with your weatherbug programme. You may need to uninstall and then reinstall it
Is it still staying gone ?
-
Any suggestion how to make that weatherbug..
Still got it
-
Please download AdwCleaner (http://www.bleepingcomputer.com/download/adwcleaner/) by Xplode onto your desktop.
- Close all open programs and internet browsers.
- Double click on AdwCleaner.exe to run the tool.
- Click on Scan.
- After the scan is complete click on "Clean"
- Confirm each time with Ok.
- Your computer will be rebooted automatically. A text file will open after the restart.
- Please post the content of that logfile with your next answer.
- You can find the logfile at C:\AdwCleaner[S1].txt as well.
-
Your log, sir
-
So far that small advert at the bottom right corner still pops up... the big one not seen yet.
-
Just now the DOS popped up and I clicked close.. the big advert and install not yet
-
Could you delete the start menu item by right clicking and selecting delete
Please download Farbar Recovery Scan Tool (http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/) and save it to your Desktop.
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
- Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
- Press Scan button.
- It will produce a log called FRST.txt in the same directory the tool is run from.
- Please copy and paste log back here.
- The first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST.exe/FRST64.exe). Please also paste that along with the FRST.txt into your reply.
-
After uninstalling I can delete it.. did not try before uninstalling... just left the ticks at default, right? No need to tick or untick anything
-
Just ran that at default, no tick or untick.. it only generated FRST.txt, I don't see any Addition.txt on the desktop.. I ran that FRST on the Desktop
-
Avast detected it. I think it cannot install, but how did it suddenly install?... from a Microsoft Update hole?
http://www.avast.com/en-us/lp-pr-virus-alert?p_ext=&utm_campaign=Virus_alert&utm_source=prg_ise_90_0&utm_medium=prg_systray&utm_content=.%2Fpaid%2Fen-us%2Fvirus-alert-default&p_vir=Win32:Evo-gen%20[Susp]&p_prc=C:\DOCUME~1\SEVENB~1\LOCALS~1\Temp\setup_qd017.exe&p_obj=http://down.guangsu.cn/qdn/setup_qubudao.gif&p_var=.%2Fpaid%2Fen-us%2Fvirus-alert-default&p_elm=7&p_lex=13192&p_lid=en-us&p_lng=en&p_lqa=1&p_lqe=1&p_lst=0&p_lsu=36&p_pro=2&p_bld=empty&p_vep=9&p_ves=0&p_vbd=2013&p_hid=cd883500-f254-44b7-8343-ba5ec8d14253&p_ram=3327&p_cpu=-1.0
-
At least Avast is stopping it from downloading now. Are you running any torrents or downloading any programmes/files?
Also can you uninstall 360
Download the attached fixlist.txt to the same location as FRST
Run FRST and press FIX
A log will be generated, please post that
-
Don't see any 360 anywhere, any suggestion how to uninstall?
-
This fixlist will remove it
Download the attached fixlist.txt to the same location as FRST
Run FRST and press fix
On completion run a fresh FRST scan please
-
Done sir, here is the log
-
I can see no sign of it now.. Did you delete the start menu items ?
-
You mean from the Start button --> All Programs --> ?? If so, yes, already... but it seems my computer hangs easily now... on the desktop when I click some icon to open like a folder or anything it gets stuck, but the mouse pointer can move.. it came after Avast started blocking that site
-
Just now the DOS popped up and I clicked close.. the big advert and install not yet
-
Malwarebytes' Anti-Malware
Please download Malwarebytes' Anti-Malware from here (http://www.malwarebytes.org/)
Double click mbam-setup.exe to install the application.
- Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
- If an update is found, it will download and install the latest version.
- Once the program has loaded, select "Perform Quick Scan", then click Scan.
- The scan may take some time to finish, so please be patient.
- When the scan is complete, click OK, then Show Results to view the results.
- Make sure that everything is checked, and click Remove Selected.
- When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
- The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
- Attach the entire report in your next reply.
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.
-
Free Version?
-
Yes untick the trial option
-
Don't see any trial, but already scanned like you said... MBAM-log-2014-02-01 (01-18-32).txt is after the scan showed results and mbam-log-2014-01-31 (23-48-19).txt is the log after check and Remove Selected... before I ran MBAM that DOS popup still popped up and made my PC a bit hung and laggy... after the scan I don't see any registry entry showing how that thing keeps running..
-
Is this normal? Because that small advert still pops up after MBAM
-
When does this ad appear ? Is it at logon or when you open a browser. If a browser which one
-
The advert just comes out randomly... sometimes I am doing nothing and it opens.. it has no fixed time, it's flexible
-
Please RIGHT-CLICK HERE (http://www.silentrunners.org/Silent%20Runners.vbs) and Save As (in IE it's "Save Target As", in FF it's "Save Link As") to download Silent Runners.
- Save it to the desktop.
- Run Silent Runners by double-clicking the "Silent Runners" icon on your desktop.
- You will receive a prompt:
Do you want to skip supplementary searches?
click NO
- If you receive an error just click OK and double-click it to run it again - sometimes it won't run as it's supposed to the first time but will in subsequent runs.
- You will see a text file appear on the desktop - it's not done, let it run (it won't appear to be doing anything!)
- Once you receive the prompt All Done!, open the text file on the desktop, copy that entire log, and paste it here.
*NOTE* If you receive any warning message about scripts, please choose to allow the script to run.
-
That DOS prompt always makes my PC hang and lag when it shows up.. cannot download, Avast blocks that thing.
-
Temporarily disable the Avast shields to download Silent Runners, it is safe. To remove that DOS box we may have to run an SFC which will require the Windows CD
-
Here is the log.. do I need to do it now? sfc /scannow.. if you say yes I'll try it now, or do you want to see the log first?
The message exceeds the maximum allowed length (10000 characters).
-
I cannot see where the little ad is hiding... I will investigate this
Meanwhile
Run a command prompt and type in the following followed by the enter key :
sfc /scannow
Let it run to completion and then reboot
-
Aye aye sir
-
So far after that Silent Runners.vbs and sfc /scannow... only see that small advert popup
-
Could you right click the ad and select properties please and then screenshot that
-
The DOS is still here... after that Silent Runners.vbs and sfc /scannow.. that advert pops up... cannot right click... only left click works and it opens my default browser to the page of what is being advertised.. already used procexp.exe to detect where that run is coming from but it does not show in procexp.exe.
-
OK I will have to investigate this deeper... Do you have anything in your startup folder C:\Documents and Settings\(user)\Start Menu\Programs\Startup
-
Thank you sir.. this is what you want from my C:\Documents and Settings\(user)\Start Menu\Programs\Startup... got 1 and 1 hidden like the picture and I already opened it with Notepad to show what is written inside
-
As you can see that thing installed back... arghhh where is it coming from... so sad :'( :'( :'( :'( :'(
-
Could you give me the file location of weather.exe please
-
Here, sir
-
Weather.exe scanned on http://virusscan.jotti.org/
Some old information about that trojan from Microsoft
http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?name=TrojanDownloader%3aWin32%2fZlob.gen%21H
-
OK I wonder why that temp folder is not being emptied. After this fix could you post the log that appears on the desktop and then run an OTL scan selecting all users
Warning This fix is only relevant for this system and no other, using on another computer may cause problems
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
(https://dl.dropbox.com/u/73555776/OTL_Fix.GIF)
:Commands
[CREATERESTOREPOINT]
:Files
C:\Documents and Settings\Seven By Four\local settings\temp\*.*
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
-
OK, done like the log attachment below... the weird thing is the log did not save on the desktop, it just popped up and I needed to save it to the desktop.. but a weird thing suddenly happened, my PC suddenly went blank but did not restart, then the desktop showed back... I hope there is no file in Windows running to download that file without my noticing... and the picture attachment shows my setting for All Users quick scan.. and the log is attached also.
-
And for your information, after I posted that log the popup advert showed and I cannot right click to get properties and get info about that popup
-
This is a bit of a nightmare trying to locate the miscreant
Warning This fix is only relevant for this system and no other, using on another computer may cause problems
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
(https://dl.dropbox.com/u/73555776/OTL_Fix.GIF)
:Commands
[CREATERESTOREPOINT]
:OTL
O2 - BHO: (豌豆荚 apk 安装器) - {000DA090-57AA-424B-A8F0-621B7C08B8F4} - C:\Program Files\WandouLabs\wandoujia_bho.dll File not found
[2014/02/03 23:49:05 | 000,000,000 | -HSD | C] -- C:\WINDOWS\System32\AI_RecycleBin
:Commands
[resethosts]
[emptytemp]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
THEN
Download and run shortcut cleaner from here http://www.bleepingcomputer.com/download/shortcut-cleaner/
-
Yeah, it is also a nightmare to me.. thought it was already gone, suddenly coming back :-[ :-[ :-[ :-[
-
After this run you will need to reset your desktop wallpaper, let me know if this stops it
Warning This fix is only relevant for this system and no other, using on another computer may cause problems
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
(https://dl.dropbox.com/u/73555776/OTL_Fix.GIF)
:Commands
[CREATERESTOREPOINT]
:OTL
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLinkedConnections = 1
O24 - Desktop WallPaper: C:\Documents and Settings\Seven By Four\Application Data\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Seven By Four\Application Data\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp
:Commands
[resethosts]
[emptytemp]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
-
Just waiting to see if I get any popup or install... now the desktop is all black wallpaper... and explorer.exe crashes easily
-
Set yourself a new wallpaper by right clicking the desktop and selecting personalise. How is explorer crashing ?
-
Yeah, already set it back... explorer crashes when I open some folder and Google Chrome also takes long to open when clicked... and sometimes crashes and asks to kill or wait... but just leave it for 10 seconds and it's normal again... so far 04:11 +8 Malaysia time no popup yet... no DOS yet or anything being installed
-
OK run it for a bit longer and let me know the result if the popup still remains gone :)
-
So far 18:07 +8 Malaysia time no popup yet... no DOS yet or anything being installed ;D ;D ;D ;D ;D ;D
-
At last, after I opened some folder to find some video clip I downloaded and opened it with VLC and played it, and opened Chrome to find the lyrics, then the small ad popup came out :)
-
Well I would guess that the video was downloaded from a torrent and is infected. If you download illegal or cracked software this will happen. Run a fresh OTL please
-
The file has already been on my computer a long time... already 1-2 years.. and it was downloaded from YouTube, not a torrent... still want OTL?
-
Aye, to see if it is the same problem... Now I know where it is
-
Aye aye captain :) ;D ;D ;D
-
Well at least it is consistent, it has made the same changes again.. You will need to reset the desktop background
Warning This fix is only relevant for this system and no other, using on another computer may cause problems
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
(https://dl.dropbox.com/u/73555776/OTL_Fix.GIF)
:Commands
[CREATERESTOREPOINT]
:OTL
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLinkedConnections = 1
O24 - Desktop WallPaper: C:\Documents and Settings\Seven By Four\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Seven By Four\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
:Commands
[resethosts]
[emptytemp]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
-
Aye aye captain :) ;D ;D ;D
-
At 18:30 Malaysia time +8
-
Are you syncing your drive at all, as the internet link registry entry has returned
Warning This fix is only relevant for this system and no other, using on another computer may cause problems
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
(https://dl.dropbox.com/u/73555776/OTL_Fix.GIF)
:Commands
[CREATERESTOREPOINT]
:OTL
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLinkedConnections = 1
:Files
C:\Program Files\Common Files\ITui
:Commands
[resethosts]
[emptytemp]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
-
Nope sir
-
Delete your current copy of combofix please
Download and Install Combofix
Download ComboFix from one of the following locations:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here (http://forums.whatthetech.com/How_Disable_your_Security_Programs_t96260.html&pid=494216#entry494216)
- Double click on ComboFix.exe & follow the prompts.
- Accept the disclaimer and allow to update if it asks
(http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png)
(http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png)
- When finished, it shall produce a log for you.
- Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.
Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now
-
Delete or combofix /uninstall
-
Delete it and then download the fresh copy
-
Aye aye captain :) ;D ;D ;D
-
OK, let's see if this can kill the reg key
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Open notepad and copy/paste the text in the quotebox below into it:
File::
C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Desktop Manager.lnk
C:\WINDOWS\pss\Desktop Manager.lnkCommon Startup
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLinkedConnections"=-
[-HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Desktop Manager.lnk]
Save this as CFScript.txt, in the same location as ComboFix.exe
(http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif)
Referring to the picture above, drag CFScript into ComboFix.exe
When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
-
Here Captain ;D ;D ;D ;D
-
OK that killed the link which has now revealed the culprit netsvc
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Open notepad and copy/paste the text in the quotebox below into it:
NetSvc::
vvdsvc
Driver::
vvdsvc
Save this as CFScript.txt, in the same location as ComboFix.exe
(http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif)
Referring to the picture above, drag CFScript into ComboFix.exe
When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
-
Here Captain ;D ;D ;D ;D
-
This is being a right pain in the posterior
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Open notepad and copy/paste the text in the quotebox below into it:
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\vvdsvc]
Save this as CFScript.txt, in the same location as ComboFix.exe
(http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif)
Referring to the picture above, drag CFScript into ComboFix.exe
When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
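The two CFScript posts above both go after a name registered in the svchost netsvcs group. As an added example that is not from this thread, the PowerShell function below (function name and output fields are my own) audits that group on a live system and reports every member that has no service key, no ServiceDll, or a ServiceDll that is missing or lives outside System32; `vvdsvc` is the name from the thread.

```powershell
# Added example, not part of the thread: audit the svchost "netsvcs" group.
# Every name in the group should map to a registered service whose ServiceDll
# exists on disk, normally under %SystemRoot%\System32. An orphaned name such as
# the thread's "vvdsvc" shows up here as a service key or DLL that cannot be found.
function Get-NetsvcsAudit {
    param(
        [string]$Group = 'netsvcs',
        [string]$SvchostKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
    )
    $members  = (Get-ItemProperty -Path $SvchostKey).$Group   # REG_MULTI_SZ -> string[]
    $system32 = [Environment]::GetFolderPath('System').ToLower()

    foreach ($name in $members) {
        $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
        $result = New-Object PSObject -Property @{ Name = $name; ServiceDll = $null; Finding = 'ok' }

        if (-not (Test-Path $svcKey)) {
            # Listed in the group but no service registered under that name.
            # Can be legitimate for optional components, so review before deleting.
            $result.Finding = 'no service key'
            $result; continue
        }
        $params = Get-ItemProperty -Path "$svcKey\Parameters" -ErrorAction SilentlyContinue
        $dll = if ($params) { $params.ServiceDll } else { $null }
        if (-not $dll) {
            $result.Finding = 'no ServiceDll'
            $result; continue
        }
        $path = [Environment]::ExpandEnvironmentVariables($dll)
        $result.ServiceDll = $path
        if (-not (Test-Path $path)) {
            $result.Finding = 'ServiceDll missing on disk'
        } elseif (-not $path.ToLower().StartsWith($system32)) {
            # A shared-service DLL outside System32 deserves a closer look.
            $result.Finding = 'ServiceDll outside System32'
        }
        $result
    }
}

# Show only the entries that need attention.
Get-NetsvcsAudit | Where-Object { $_.Finding -ne 'ok' } | Format-Table Name, Finding, ServiceDll -AutoSize
```

Run from an elevated PowerShell prompt; a hit is a lead to check against the service's ImagePath and DLL, not by itself proof of infection.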
-
Here Captain ;D ;D ;D ;D
-
That did not want to take either, do you still have that small ad?
- Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
(https://dl.dropboxusercontent.com/u/73555776/OTL_Main_Tutorial.gif)
- Select All Users
- Select LOP and Purity
- Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%\*.exe
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost /RS
CREATERESTOREPOINT
- Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
- When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
- Attach both logs
-
So far after windows update no see..but pc a bit lag
-
OK so all ads are now history?
Run the OTL scan and I will see if we can speed you up a bit
-
So far no big and small and...the DOS prompt also no..and no new install from that adware...already run OTL but 3 times keep hang at same place, already disable antivirus also same...any idea Captain??
I use this thing you said put at OTL and run scan, not quick scan
netsvcs
%SYSTEMDRIVE%\*.exe
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost /RS
CREATERESTOREPOINT
-
As the ads have gone then stop OTL as I no longer have need to search that area of the registry
If the computer is still a bit slow then run an OTL quick scan so that I can have a look
-
So no need put that Quote or put?
-
This OTL log Quick Scan tick on "Scan All Users" "LOP Check" "Purity Check"
-
OK run the MSConfig utility and remove the tick from the following startup options and reboot
Acrobat Assistant 8.0
Adobe Acrobat Speed Launcher
AdobeAAMUpdater-1.0
AdobeCS5ServiceManager
Apoint
APSDaemon
DivXUpdate
Getting started with MacDrive 8
HTC Sync Loader
KernelFaultCheck
KiesTrayAgent
MacDrive 8 application
NBKeyScan
RIMBBLaunchAgent.exe
snpstd3
StartCCC
StartTSL
SwitchBoard
TkBellExe
Let me know if that improves the speed
-
Some I found, some not in there
Found
Apoint
RIMBBLaunchAgent.exe
snpstd3
SwitchBoard
NBKeyScan
KiesTrayAgent
Getting started with MacDrive 8
MacDrive 8 application
HTC Sync Loader
APSDaemon
DivXUpdate
Adobe Acrobat Speed Launcher
AdobeCS5ServiceManager
Not Found
Acrobat Assistant 8.0
AdobeAAMUpdater-1.0
KernelFaultCheck
StartCCC
StartTSL
TkBellExe
-
Any change in the performance?
-
So far cannot tell..but how about the things I not found...and 1 more come after I make that...the desktop suddenly black...and the Taskbar suddenly missing after it show desktop back.. and about 30 second it show back the taskbar...already start twice but same thing happen..is that my explorer.exe got problem?
-
1 more thing, what about this too I red in box...are these run is normal?
-
They are Windows elements but they are not essential so they can be stopped.
Let's tidy up and see if that makes an improvement
I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems
Now the best part of the day ----- Your log now appears clean :thumbsup:
A good workman always cleans up after himself so..The following will implement some cleanup procedures as well as reset System Restore points:
Remove ComboFix
- Hold down the Windows key + R on your keyboard. This will display the Run dialogue box
- In the Run box, type in ComboFix /Uninstall
(Notice the space between the "x" and "/")
then click OK
(http://i1224.photobucket.com/albums/ee362/Essexboy3/Misc%20screen%20shots/CF_Uninstall-1.jpg)
- Follow the prompts on the screen
- A message should appear confirming that ComboFix was uninstalled
Download and run Delfix (http://general-changelog-team.fr/fr/downloads/finish/20-outils-de-xplode/9-delfix)
(https://dl.dropboxusercontent.com/u/73555776/delfix.JPG)
: Keep Java Updated :
WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java
See this article (http://www.forbes.com/sites/eliseackerman/2013/01/11/us-department-of-homeland-security-calls-on-computer-users-to-disable-java/) and this article (http://www.nbcnews.com/technology/technolog/us-warns-java-software-security-concerns-escalate-1B7938755).
I would recommend that you completely uninstall Java unless you need it to run an important software.
In that instance I would recommend that you disable Java in your browsers until you need it for that software and then enable it. (See How to disable Java in your web browser (http://www.geekstogo.com/2600/how-to-disable-java-in-your-web-browser/) and How to unplug Java from the browser (http://krebsonsecurity.com/how-to-unplug-java-from-the-browser/))
Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
CryptoPrevent (http://www.foolishit.com/vb6-projects/cryptoprevent/) install this programme to lock down and prevent crypto ransomware
(https://dl.dropboxusercontent.com/u/73555776/CryptoPrevent.JPG)
Malwarebytes (http://www.malwarebytes.org/mbam-download.php).
Update and run weekly to keep your system clean
Download and install FileHippo update checker (http://www.filehippo.com/updatechecker/) and run it monthly it will show you which programmes on your system need updating and give a download link
If you use on-line banking then as an added layer of protection install Trusteer Rapport (http://www.trusteer.com/Products/Trusteer-Rapport-for-Online-Banking)
It is critical to have both a firewall and anti virus to protect your system and to keep them updated. To keep your operating system up to date visit - Microsoft Windows Update (http://windowsupdate.microsoft.com)
To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ? (http://www.geekstogo.com/forum/topic/225044-preventing-malware-and-safe-computing/)
Keep safe :wave:
-
Ai Ai Captain ..thank you for your help..me will update anything if found it thank you very much :) ;D ;D ;D ;D ;D ;D ;D ;D ;D ;D ;D ;D ;D ;D ;D
Lol that delfix delete some of my note :)
Deleted : C:\Documents and Settings\Seven By Four\Desktop\Info Campur.txt
Deleted : C:\Documents and Settings\Seven By Four\Desktop\Info Travian.txt
Deleted : C:\Documents and Settings\Seven By Four\Desktop\Info.txt