TechSpot

GOYINORO virus took over, please help

By tm5rto
Apr 12, 2010
  1. Hello, everyone! This malice, "goyinoro.dll" took over my computer, can't access my email on IE, will not let me run Malwarebytes, it's all messed up. I read some of the threads of similar problems, it looked to me like you're the guys who can help me get rid of this menace!
    Any advice would be greatly appreciated!
     
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Welcome to TechSpot. I'll be glad to help with the malware, but I need more information:

    First: what does "all messed up" mean? It's hard to fix something when I don't know what's wrong!
    Second: Please download randmbam.exe

    It will try to create random names and shortcuts for Malwarebytes Anti Malware (MBAM) if you have it installed already.

    Once done, try running a scan again.

    EDIT: I forgot to add: If this allows you to run Mbam, please pick up our Preliminary Virus and Malware Removal thread HERE and continue with the steps.

    Leave all 3 logs in your next reply.
     
  3. tm5rto

    tm5rto TS Enthusiast Topic Starter Posts: 114

    Hi and it's great to be a part of this forum!

    OK, the problems. First thing I noticed was that my default search in IE was changed, and an error message telling me that a program corrupted my settings. When I tried to change it back, I wasn't able to. The computer, Dell XPS, with a cable connection, has slowed to a crawl. I feel like I'm running a 400MHz processor.

    Then I tried accessing my email (hotmail) and wasn't able to. Got error message that said there was no internet connection. Same for the Yahoo email.

    I ran task manager to see what's running. I saw several suspect programs (dll), tried to shut them down in the start up, to no avail. I ran Advanced SystemCare, tried to "kill off" those .dll, they just keep popping up again. I tried msconfig, that's when I saw the "goyinoro.dll". Can't get rid of it.

    I tried to run Malwarebytes. It didn't run, and I was prompted to delete the shortcut. I figured this whatever is interfering.

    I went online to look for solutions and found you guys. It seemed like this has to be handled on an individual basis, so here I am.

    I am running the SuperAntiSpyware scan right now. I already ran and saved the HiJackThis log.
     
  4. tm5rto

    tm5rto TS Enthusiast Topic Starter Posts: 114

    Oh, and the reason I am able to use the internet at all as of right now, is that I did a System Restore, back a week or so.
     
  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.
    Go back into the msconfig utility: Selective Startup > Startup menu and uncheck this entry.
    Reboot into Normal Mode.
    Close and ignore the nag message. Stay in Selective startup.

    As for this:
    You have now changed the entire system and lost whatever was done between the System Restore date and now.

    Please rescan with Malwarebytes, Superantispyware and HijackThis if they were done before the system restore.
     
  6. tm5rto

    tm5rto TS Enthusiast Topic Starter Posts: 114

    Here are the scan logs.
     

    Attached Files:

  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I want you to understand what happened so if it comes up again, you will know why you should not have done a System Restore and what happened when you did:

    The Superantispyware log shows several entries like this:
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{79E4142D-8097-4C49-A359-E7B01AD7F9DF}\RP867\A0109035.DLL
    System Volume is where the restore points are kept. The scan shows numerous restore points are infected with malware, so when you did the restore, if you choose one of those restore points, then that malware would reinfect the system. When you choose a restore point, you can't tell which have malware.

    Before we go any further, I need to know who your ISP is and what connection you have with WinMX, which is a peer-to-peer file sharing program. What I'm seeing in the HJT log doesn't make much sense and it's on top of the Vundo and MyWebSearch malware.

    You have put in a proxy override through your router to direcwaysupport.com which looks to be for Hughes Satellite and systemcontrolcenter.com, a domain controlled by two nameservers having a total of four IP numbers, also Hughes.net. Then there are 'test' entries for the WinMX IP.

    There are IPs for CO, CA and I think Hughes services part of Canada.
     
  8. tm5rto

    tm5rto TS Enthusiast Topic Starter Posts: 114

    Thanks for the info about the System Restore, I'll know what to do in the future. Meanwhile, I will not use any of the previous restore points.

    I shouldn't have anything from WinMX, I haven't used it in many years. I recently lived in a remote New Mexico place, with few internet options. So, I tried Hughes, but hated it and got rid of it right away. I'd like to get rid of all of that old stuff, not sure how. I'm not sure who my ISP is right now, I just relocated to Florida, and for now staying in a hotel :( It is a cable connection, but I'm not sure what company provides it.
    With my job, I lived in California, Northern New York, New Mexico, and now Florida. In NY, the cable internet was provided by RoadRunner, in NM we finally got the cable service from PVT Cable.
     
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Thanks. I didn't want to remove anything you needed for your ISP. You must be using an air card to connect in the various locations.

    Please reopen HijackThis to 'do system scan only.' Check each of the following entries, if present. Do not click on Fix Checked until all the entries have been checked:
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = www.direcwaysupport.com;www.systemcontrolcenter.com;192.168.0.1;127.0.0.1;<local>
    O1 - Hosts: 209.216.253.186 www.winmx.com err.winmx.com
    O1 - Hosts: 205.238.40.2 test3201.winmx.com test3205.winmx.com
    O1 - Hosts: 205.238.40.2 test3202.winmx.com test3206.winmx.com
    O1 - Hosts: 205.238.40.1 test3203.winmx.com test3207.winmx.com
    O1 - Hosts: 205.238.40.1 test3204.winmx.com test3208.winmx.com
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O4 - S-1-5-18 Startup: PowerReg Scheduler.exe (User 'SYSTEM')
    O4 - .DEFAULT Startup: PowerReg Scheduler.exe (User 'Default user')
    O4 - Startup: PowerReg Scheduler.exe


    Close all Windows except HijackThis and click on "Fix Checked."

    When through, please run the following:
    Please download ComboFix HERE:
    • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.
      Important! Save the renamed download to your desktop.
    • Please disable all security programs, such as antiviruses, antispywares, and firewalls.
    • Double click on the setup file on the desktop to run
    • If prompted to download and install the Recovery Console, please do so.
      (Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.)
    • If prompted to update, please allow.
    • Click on Yes, to continue scanning for malware.
    • When finished, it will produce a log. Please include the C:\ComboFix.txt in your next reply.
    Notes:

    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run.

    Run Eset NOD32 Online AntiVirus Scanner HERE
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the Active X control to install
    • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    • Click Scan
    • Wait for the scan to finish
    • Re-enable your Antivirus software.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

    Leave the Combofix report and Eset scan log in your next reply.
    I think you will experience a noticeable improvement.

    Regarding PowerRegScheduler: powerreg scheduler.exe is unclassified malware by PowerReg. This process monitors your browsing habits and distributes the data back to the author's servers for analysis. This also prompts advertising popups. This process is a security risk and should be removed from your system.
     
  10. tm5rto

    tm5rto TS Enthusiast Topic Starter Posts: 114

    Here are the logs. What a difference in performance already!
     

    Attached Files:

  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36


    1. Close any open browsers.
    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    3. Open notepad and copy/paste the text in the code below into it:
    Code:
    File::
    c:\program files\Viewpoint\Common\ViewpointService.exe
    C:\Program Files\Morpheus\morpheustoolbar.exe
    Downloads\Nero-8.2.8.0_eng_trial.exe
    Folder::
    
    RegLock::
    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
    
    RegNull::
    [HKEY_USERS\S-1-5-21-1229272821-1757981266-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
    [HKEY_USERS\S-1-5-21-1229272821-1757981266-839522115-1003\Software\SecuROM\License information*]
    
    Registry::
    
    Driver::
    Viewpoint Manager Service
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [image: CFScript.txt being dragged onto ComboFix.exe]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
    ====================
    You have AVG backups on the system, but it appears that you are now using Avira. If this is correct, please run this AVG Removal: Note: You may have to reinstall AVG to uninstall it fully.

    You also have multiple old versions of Java. These are vulnerabilities on the system: Please download JavaRa and unzip it to your desktop.

    ***Please close any instances of Internet Explorer before continuing!***
    • Double-click on JavaRa.exe to start the program.
    • Choose English from the drop-down menu and click on Select.
    • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
    • Click Yes when prompted.
    • When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
    • A logfile will pop up. Please save it to a convenient location.

    Then download and install Java Runtime Environment (JRE) 6 Update (Current)
    Java Updates

    Remind me to have you reset your Host files when we're through.
    By the way, I'll have you remove all the cleaning tools and logs they created when we're through.
     
  12. tm5rto

    tm5rto TS Enthusiast Topic Starter Posts: 114

    The log from CF included.
    Wow, the machine is running great! Internet is flying! I don't know how to thank you enough, Bobbye!
     

    Attached Files:

  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I practice magic in my spare time - sometimes it works well here! ;)

    A couple more cleanups though:
    1. Please go to the Control Panel> Add/remove Programs> uninstall c:\program files\Morpheus
    Then use Windows explorer: Windows key + E> click on My Computer> Local Drive> double click on Programs> find C:\Program files\Morpheus and do a right click> delete on the program folder.
    Close Windows Explorer.

    2. Run the AVG removal tool as instructed here in Post #11:
    3. There are still old versions of Java on the system. If you didn't run Javara, please do so and don't forget to download the most current version. If you did run the program, look on Add/Remove Programs and uninstall any Java except v6u19> http://www.java.com/en/download/manual.jsp

    4. Reset the Host files: MVPS Hosts files This replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.

    5. Add Spywareblaster: SpywareBlaster protects against bad ActiveX. It places kill bits to stop bad Active X controls from being installed. Remember to update it regularly.

    Let me know if this handles the original malware problems. If it does, I'll have you remove the cleaning tools and logs they created.
     
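The two kinds of HOSTS entry that come up in this thread (the O1 hosts lines in post #9 that send winmx.com names to routable addresses, and the MVPS-style entries in post #13 that sink ad sites to 127.0.0.1) can be told apart mechanically. This is an added example, not code from the thread or from HijackThis; the HJT log it parses is a constructed sample modelled on the entries quoted above, and the O1/R1 line shapes it matches are the ones visible in the thread.

```python
"""Triage the HOSTS and ProxyOverride entries of a HijackThis-style log.

Added example, not code from the TechSpot thread or from HijackThis. A hosts
entry that points a name at a sink address (127.0.0.1, 0.0.0.0, ::1) blocks
the site, as the MVPS HOSTS file does; one that points a name at a routable
address redirects the site elsewhere and deserves a closer look.
"""
import ipaddress
import re
from dataclasses import dataclass

SINK_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}
HJT_O1 = re.compile(r"^O1 - Hosts:\s*(.*)$")            # HijackThis hosts finding
HJT_R1_PROXY = re.compile(r"ProxyOverride\s*=\s*(.*)$")  # R1 proxy bypass list


@dataclass(frozen=True)
class HostsFinding:
    address: str
    hostname: str
    verdict: str  # "block-sink" or "redirect"


def parse_hosts_line(line: str) -> list[HostsFinding]:
    """Parse one hosts-file line ("<address> <name> [<name> ...]")."""
    body = line.split("#", 1)[0].strip()  # drop a trailing comment
    parts = body.split()
    if not parts:
        return []
    address, names = parts[0], parts[1:]
    try:
        ipaddress.ip_address(address)
    except ValueError:
        return []  # malformed line: nothing to classify
    verdict = "block-sink" if address in SINK_ADDRESSES else "redirect"
    return [HostsFinding(address, n.lower(), verdict) for n in names]


def triage_hjt_hosts(log_text: str) -> list[HostsFinding]:
    """Classify every 'O1 - Hosts:' entry in a HijackThis log."""
    findings = []
    for line in log_text.splitlines():
        m = HJT_O1.match(line.strip())
        if m:
            findings.extend(parse_hosts_line(m.group(1)))
    return findings


def redirected_hosts(log_text: str) -> dict[str, set[str]]:
    """Hostnames sent to a routable address, grouped by that address."""
    grouped: dict[str, set[str]] = {}
    for f in triage_hjt_hosts(log_text):
        if f.verdict == "redirect":
            grouped.setdefault(f.address, set()).add(f.hostname)
    return grouped


def nonlocal_proxy_overrides(log_text: str) -> list[str]:
    """ProxyOverride entries that are not <local>, loopback or private."""
    suspicious = []
    for line in log_text.splitlines():
        m = HJT_R1_PROXY.search(line)
        if not m:
            continue
        for entry in filter(None, (e.strip() for e in m.group(1).split(";"))):
            if entry == "<local>":
                continue
            try:
                ip = ipaddress.ip_address(entry)
            except ValueError:
                suspicious.append(entry)  # a hostname, not an address
                continue
            if not (ip.is_loopback or ip.is_private):
                suspicious.append(entry)
    return suspicious


# Constructed sample, modelled on the R1/O1 entries quoted in the thread;
# ads.example.net is a placeholder for an MVPS-style blocklist entry.
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyOverride = www.direcwaysupport.com;www.systemcontrolcenter.com;192.168.0.1;127.0.0.1;<local>
O1 - Hosts: 209.216.253.186 www.winmx.com err.winmx.com
O1 - Hosts: 205.238.40.2 test3201.winmx.com test3205.winmx.com
O1 - Hosts: 127.0.0.1 ads.example.net
"""
```

Running `redirected_hosts(SAMPLE_LOG)` groups the winmx names under the two routable addresses, while the 127.0.0.1 entry is classified as a block-sink and left out; `nonlocal_proxy_overrides(SAMPLE_LOG)` returns the two Hughes hostnames that bypass the proxy.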
  14. tm5rto

    tm5rto TS Enthusiast Topic Starter Posts: 114

    Thanks again, Bobbye!

    I couldn't find Morpheus anywhere, even using Revo Uninstaller. I did run AVG Remover and updated Java as directed, before. Is it still showing up?

    With your amazing help, it seems that all of the nasties are gone! I am so amazed at your knowledge and expertise. I couldn't make heads or tails out of those logs! :)
     
  15. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You're welcome. Glad to help. Morpheus is gone - I waved my magic wand and said "Be gone" and it went!

    Removing all of the tools we used and the files and folders they created
    • Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    • Download OTCleanIt by OldTimer and save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.

    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
    • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
    • Go to Start > All Programs > Accessories > System Tools
    • Click "System Restore".
    • Choose "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name> click "Create".
    • Go back and follow the path to > System Tools.
    • Click "OK" to select the partition or drive you want.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


    Let me know if you need help in the future.
     
  16. tm5rto

    tm5rto TS Enthusiast Topic Starter Posts: 114

    You are indeed a magician, Bobbye! Everything worked perfectly! I can not thank you enough for your amazing help!

    Pete K. tm5rto
     
  17. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You're very welcome - glad to help. And with this, I will tuck my magic wand in my pocket ;) so I will have it for the next person! Stay clean - here are some tips!

    Please follow these simple steps to keep your computer clean and secure:

    1. Disable and Enable System Restore: See System Restore Guide This will help you understand what this is, why you need to clean and set restore points and what information is in them.
    2. Stay current on updates:
    • Visit the Microsoft Download Site frequently. You should get All updates marked Critical and the current SP updates: Windows XP> SP2, SP3.
    • Visit this Adobe Reader site often and make sure you have the most current update. Uninstall any earlier updates as they are vulnerabilities.
    • Check this site often: Java Updates. Stay current as most updates are for security. Uninstall any earlier versions in Add/Remove Programs.
    3. Make Internet Explorer safer. Follow the suggestions HERE This Tutorial will help guide you through Configuring Security Settings, Managing Active X Controls and other safety features.
    4. Remove Temporary Internet Files regularly: Use ATF Cleaner by Atribune or TFC
    5. Use an AntiVirus Software (only one)
    See Virus, Spyware, and Malware Protection and Removal Resources

    6. Use a good, bi-directional firewall (one software firewall). I recommend either of these software firewalls - both are free and good:
    Comodo or Zone Alarm
    7. Consider these programs for Extra Security
    • Spywareblaster: SpywareBlaster protects against bad ActiveX. It places kill bits to stop bad Active X controls from being installed. Remember to update it regularly.
    • IE/Spyad This places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
    • MVPS Hosts files This replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
    • Google Toolbar Get the free Google toolbar to help stop pop up windows.

    If I can be of further assistance, please let me know.
     
  18. tm5rto

    tm5rto TS Enthusiast Topic Starter Posts: 114

    Bobbye,
    Maybe I celebrated too soon :( All of a sudden, IE's settings got weird, will not display the homepage (excite.com), or email page (hotmail). The boot up takes forever now, too.
    I ran Malwarebytes, no problems found.
    I tried to System Restore it, but now the System Restore will not launch! I tried the Safe Mode route, no joy.
    Did something hijack it again, or did I mess something up?
    I included the HJT log. OK, I tried to include the log. It will not let me attach, neither from Additional Options nor from the message shortcut menu :(
     
  19. tm5rto

    tm5rto TS Enthusiast Topic Starter Posts: 114

    Switched to Firefox, which seems to be unaffected by whatever is wrong with IE. Was able to attach the log.
     

    Attached Files:

  20. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Interestingly enough, although you switched to Firefox, the log shows 3 entries for IE8. The multiple entries can come with IE8, but if you aren't running it, that could be suspect.

    There's only one entry in the log to be concerned with and we need to explore that further:

    Please download ComboFix from Here and save to your Desktop.

    1. Do NOT rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    4. If Combofix asks you to install Recovery Console, please allow it.
    5. If Combofix asks you to update the program, always allow.
    6. Close any open browsers and Double click on combofix.exe & follow the prompts to run.
    • NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    7. A report will be generated after the scan. Please post the C:\ComboFix.txt in next reply.

    Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
    Note: Make sure you re-enable your security programs, when you're done with Combofix.

    And you still have the Eset online AV, so run a scan with that- be sure to update first. Leave the 2 logs in next reply. We'll see if it's something new or if we possibly missed something.
     
  21. tm5rto

    tm5rto TS Enthusiast Topic Starter Posts: 114

    The ComboFix/ESET one-two combo seems to have fixed the problem. IE is working fine, I was able to launch the programs which were hijacked. But now I'm a little paranoid.
    I enclosed the logs from the CF and ESET.
     

    Attached Files:

  22. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    As long as you continue to use file sharing programs, you're going to have malware: This is my last effort. When I saw uTorrent, I almost just closed the thread.

    Your flash drive needs to be disinfected.

    Custom CFScript


    1. Close any open browsers.
    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    3. Open notepad and copy/paste the text in the code below into it:

    Code:
    File::
    c:\documents and settings\Pyotr\Application Data\uTorrent
    c:\Program Files\uTorrent\uTorrent.exe
    
    FileLook::
    c:\windows\system32\ealregsnapshot1.reg
    c:\documents and settings\Pyotr\Local Settings\Application Data\Downloaded Installations
    
    DirLook::
    C:\ProgramData
    
    Folder::
    c:\program files\Common Files\Akama
    c:\program files\uTorrent
    c:\program files\Morpheus
    
    Registry::
    
    Driver::
    
    FCopy::
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [image: CFScript.txt being dragged onto ComboFix.exe]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
    ============================
    P2P or 'file sharing' Warning:
    Note: Even if you are using a "safe" P2P program, it is only the program that is safe. I suggest that you uninstall uTorrent and Morpheus for the following reasons:
    • As long as you are using file sharing networks and programs which are from sources that are not documented, you cannot verify that a download is legitimate.
    • Malware writers use these programs to include malicious content.
    • File sharing is usually unmonitored and there is a danger that your private files might be accessed.
    • The 'sharing' also includes malware that the shared system has on it.
    • Files that are illegal can be spread through file sharing.

    Please read the information on P2P Warning to help you better understand these dangers.
     
  23. tm5rto

    tm5rto TS Enthusiast Topic Starter Posts: 114

    OK, got it - NO P2P at all! I uninstalled the uTorrent. I did try it AFTER my computer started acting up this last time. But from now on I will not take any chances. I included a fresh HJT log before I do the ComboFix.
     

    Attached Files:

  24. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Check in the Control Panel> Add/Remove Programs> uninstall the Adobe Reader v7.
    The Java should now be v6u19. IF you have any earlier versions there, uninstall them also.

    Use Windows Explorer: Right click on Start> Explore> My Computer> Double click on Local Drive (C)> Programs> Look for Morpheus and uTorrent. Do a right click> Delete on each of the folders if found.

    Removing all of the tools we used and the files and folders they created
    • Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    • Download OTCleanIt by OldTimer and save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.

    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
    • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
    • Go to Start > All Programs > Accessories > System Tools
    • Click "System Restore".
    • Choose "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name> click "Create".
    • Go back and follow the path to > System Tools.
    • Click "OK" to select the partition or drive you want.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


    The following will give you an idea of things to stay away from!
    Thanks to Metallica for most of those and CalamityJane, bitman, Lonny, shelf life. :
     
  25. tm5rto

    tm5rto TS Enthusiast Topic Starter Posts: 114

    Bobbye, thanks again for all of your help and advice! Especially about the maintenance :) I'll make sure we stay away from all of that crap!
     
Topic Status:
Not open for further replies.
