PC not working-virus attacking it

Discussion in 'Virus and Malware Removal' started by whs1818, Jan 19, 2013.

  1. whs1818 Newcomer, in training Posts: 30

    Norton Internet Security (out of date), Avast Free Antivirus, and Malwarebytes Anti-Malware

    I ran the cleaner and there was no change in the condition of IE.
  2. Jay Pfoutz Malware Helper Posts: 4,286   +49

    Please download the Fix IE Utility to your desktop.

    Before running the utility, make sure that all your Internet Explorer windows are closed!

    • Extract the contents of the .zip file to your desktop.
    • Double click the Fix IE Utility button to run the tool.
    • Click Run Utility
    • Click OK when you see 'Re-registered all files'
    • Open Internet Explorer and see how it works.
  3. whs1818 Newcomer, in training Posts: 30

    It is working now. It runs a little slow but so does my computer as a whole now. Is there something I can do to speed it up? Also, since things are working now does this mean that the virus is gone or do I still have work to do to remove it?
  4. Jay Pfoutz Malware Helper Posts: 4,286   +49

    Adware Cleaning

    Please download AdwCleaner by Xplode onto your Desktop.
    • Double click on AdwCleaner.exe to run the tool.
    • Click on Delete.
    • A logfile will automatically open after the scan has finished.
    • Please post the content of that logfile in your reply.
    • You can find the logfile at C:\AdwCleaner[Rn].txt as well - n is the order number.


    Junkware Removal Tool

    Please download Junkware Removal Tool to your desktop.
    • Warning! Once the scan is complete JRT will shut down your browser with NO warning.
    • Shut down your protection software now to avoid potential conflicts.
    • Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.
    • Run the tool by double-clicking it. If you are using Windows Vista or Windows 7, right-click JRT and select Run as Administrator
    • The tool will open and start scanning your system.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Copy and Paste the JRT.txt log into your next message.


    ESET Online Scan

    Please run a free online scan with the ESET Online Scanner
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • When asked, allow the ActiveX control to install, or it will ask to download an installer. Please do so and install it.
    • Click Start or wait for the scanner to load.
    • Make sure that the options Remove found threats and the option Scan unwanted applications are checked.
    • Click Scan (This scan can take several hours, so please be patient)
    • Once the scan is completed, there are a couple of things to keep in mind:
    • 1. If NO threats were found, allow the scanner to Uninstall on close and then close the Window.
    • 2. If threats WERE detected, click on List of Threats Found, Export to Text File...save it as ESET-Scan-Log.txt. Click the back button/link, put a checkmark to Uninstall Application on Close and then close the window.
    • Open the logfile from wherever you saved it
    • Copy and paste the contents in your next reply.



    Any more issues?

    We need to know any other issues that are plaguing your computer. Kindly give a summary so we know how to continue from here.

    Many of the things to note for us would be:

    • Slow computer
    • Error messages
    • Fake antivirus alerts or the icon in the system tray
    • svchost.exe running at 100%
    • System crashes or blue screen of death

    Note: Absence of issues does not mean that you're protected in the future.
  5. whs1818 Newcomer, in training Posts: 30

    # AdwCleaner v2.113 - Logfile created 03/04/2013 at 08:19:10
    # Updated 23/02/2013 by Xplode
    # Operating system : Microsoft Windows XP Service Pack 2 (32 bits)
    # User : Owner - WADE
    # Boot Mode : Normal
    # Running from : C:\Documents and Settings\Owner.WADE\My Documents\Downloads\adwcleaner.exe
    # Option [Delete]


    ***** [Services] *****


    ***** [Files / Folders] *****


    ***** [Registry] *****

    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
    Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
    Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
    Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}

    ***** [Internet Browsers] *****

    -\\ Internet Explorer v8.0.6001.18702

    [OK] Registry is clean.

    -\\ Mozilla Firefox v8.0.1 (en-US)

    *************************

    AdwCleaner[S1].txt - [2031 octets] - [24/01/2013 14:00:35]
    AdwCleaner[S2].txt - [1201 octets] - [04/03/2013 08:19:10]

    ########## EOF - C:\AdwCleaner[S2].txt - [1261 octets] ##########
  6. whs1818 Newcomer, in training Posts: 30

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Junkware Removal Tool (JRT) by Thisisu
    Version: 4.6.7 (03.03.2013:1)
    OS: Microsoft Windows XP x86
    Ran by Owner on Mon 03/04/2013 at 8:57:10.18
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




    ~~~ Services



    ~~~ Registry Values

    Successfully deleted: [Registry Value] hkey_local_machine\software\microsoft\internet explorer\toolbar\\{ef99bd32-c1fb-11d2-892f-0090271d4f88}
    Successfully repaired: [Registry Value] hkey_current_user\software\microsoft\internet explorer\searchscopes\\DefaultScope
    Successfully repaired: [Registry Value] hkey_local_machine\software\microsoft\internet explorer\searchscopes\\DefaultScope
    Successfully repaired: [Registry Value] hkey_users\.default\software\microsoft\internet explorer\searchscopes\\DefaultScope
    Successfully repaired: [Registry Value] hkey_users\s-1-5-18\software\microsoft\internet explorer\searchscopes\\DefaultScope
    Successfully repaired: [Registry Value] hkey_users\s-1-5-19\software\microsoft\internet explorer\searchscopes\\DefaultScope
    Successfully repaired: [Registry Value] hkey_users\s-1-5-20\software\microsoft\internet explorer\searchscopes\\DefaultScope
    Successfully repaired: [Registry Value] hkey_users\\software\microsoft\internet explorer\searchscopes\\DefaultScope
    Successfully repaired: [Registry Value] hkey_local_machine\software\microsoft\internet explorer\searchscopes\{0633ee93-d776-472f-a0ff-e1416b8b2e3a}\\DisplayName
    Successfully repaired: [Registry Value] hkey_local_machine\software\microsoft\internet explorer\searchscopes\{0633ee93-d776-472f-a0ff-e1416b8b2e3a}\\URL
    Suspicious HKLM\..\Run entries found. Trojan:JS/Medfos.B?

    Val Name Type Value Data
    ======== ==== ==========
    vcmlup REG_SZ rundll32.exe "C:\Documents and Settings\Owner.WADE\Application Data\vcmlup.dll",ADeviceGetReport
    fprksv REG_SZ "C:\WINDOWS\system32\rundll32.exe" "C:\Documents and Settings\Owner.WADE\Application Data\fprksv.dll",Display
    prylag REG_SZ "C:\WINDOWS\system32\rundll32.exe" "C:\Documents and Settings\Owner.WADE\Application Data\prylag.dll",set_write_fn




    ~~~ Registry Keys

    Failed to delete: [Registry Key] hkey_current_user\software\microsoft\internet explorer\searchscopes\{6a1806cd-94d4-4689-ba73-e35ea1ea9990}
    Successfully deleted: [Registry Key] hkey_local_machine\software\microsoft\internet explorer\searchscopes\{6a1806cd-94d4-4689-ba73-e35ea1ea9990}
    Successfully deleted: [Registry Key] hkey_classes_root\clsid\{ef99bd32-c1fb-11d2-892f-0090271d4f88}



    ~~~ Files

    Successfully deleted: [File] C:\WINDOWS\tasks\ISP signup reminder 1.job
    Successfully deleted: [File] C:\WINDOWS\tasks\ISP signup reminder 2.job
    Successfully deleted: [File] C:\WINDOWS\tasks\ISP signup reminder 3.job



    ~~~ Folders

    Successfully deleted: [Folder] "C:\Program Files\bigfix"
    Successfully deleted: [Folder] "C:\Program Files\coupons"





    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Scan was completed on Mon 03/04/2013 at 9:05:00.92
    End of JRT log
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     
  7. Jay Pfoutz Malware Helper Posts: 4,286   +49

    Waiting on results from ESET scan. :)
  8. whs1818 Newcomer, in training Posts: 30

    C:\Documents and Settings\All Users\Application Data\9CD8C475A5F602CD00009CD827A10655\9CD8C475A5F602CD00009CD827A10655.exe Win32/Adware.SystemSecurity.AL application cleaned by deleting - quarantined
    C:\Documents and Settings\All Users\Application Data\pcdfdata\upkhqqwa.exe Win32/Kryptik.AVEL.Gen trojan cleaned by deleting - quarantined
    C:\Documents and Settings\Owner.WADE\Application Data\deypsy.dll a variant of Win32/Medfos.KY trojan cleaned by deleting - quarantined
    C:\Documents and Settings\Owner.WADE\Application Data\fprksv.dll a variant of Win32/Medfos.LE trojan cleaned by deleting - quarantined
    C:\Documents and Settings\Owner.WADE\Application Data\gredm.dll a variant of Win32/Medfos.KY trojan cleaned by deleting - quarantined
    C:\Documents and Settings\Owner.WADE\Application Data\prylag.dll a variant of Win32/Medfos.LE trojan cleaned by deleting - quarantined
    C:\Documents and Settings\Owner.WADE\Local Settings\Application Data\ovcgdqiw.exe Win32/Adware.SystemSecurity.AL application cleaned by deleting - quarantined
  9. whs1818 Newcomer, in training Posts: 30

    There is a RUNDLL error message that shows upon start-up. It reads "Error loading C:\Documents and Settings\Owner.WADE\Application Data\vcmlup.dll The specified module could not be found." When I open IE, a message appears stating that my last session was closed unexpectedly and asking whether I would like to restore my last session or go to my home page. This occurs even if IE is closed completely when I log off. As of now my computer seems to be running faster, at least as fast as before the virus. Sometimes it will run fine for a while and then slow down after I have been logged in for several minutes. I will let you know if that happens this time. I thought I knew how to check svchost.exe, but didn't find anything that showed me how it was running. I went to Task Manager under the Processes tab. Is this the right place to look? If so, what am I looking for, or where should I go to find this? This is all I have noticed that is current.
  10. Jay Pfoutz Malware Helper Posts: 4,286   +49

    SystemLook x86 scan

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2
    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
  11. whs1818 Newcomer, in training Posts: 30

    SystemLook 30.07.11 by jpshortstuff
    Log created at 10:05 on 05/03/2013 by Owner
    Administrator - Elevation successful

    ========== filefind ==========

    Searching for "vcmlup.dll"
    No files found.

    ========== regfind ==========

    Searching for "vcmlup"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "vcmlup"="rundll32.exe "C:\Documents and Settings\Owner.WADE\Application Data\vcmlup.dll",ADeviceGetReport"

    -= EOF =-
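As an added illustration of what the JRT "Suspicious HKLM\..\Run entries" table (post 6), the RUNDLL popup (post 9) and the SystemLook regfind result above are telling us, here is a small Python triage script; it is not part of this thread or of any of the tools used in it. It parses a constructed copy of the JRT table, pulls the DLL path and export out of each rundll32 autorun value, flags DLLs loaded from a user profile, and marks a value whose DLL no longer exists as orphaned, which is exactly what produces the "specified module could not be found" error at logon. The disk snapshot (PRESENT_FILES) and the benign ctfmon line are assumptions constructed for the example.

```python
import re

# Constructed copy of the "Val Name / Type / Value Data" table JRT printed in this
# thread; the three rundll32 lines come from that log, ctfmon is a benign entry added for contrast.
SAMPLE_RUN_ENTRIES = r"""
vcmlup REG_SZ rundll32.exe "C:\Documents and Settings\Owner.WADE\Application Data\vcmlup.dll",ADeviceGetReport
fprksv REG_SZ "C:\WINDOWS\system32\rundll32.exe" "C:\Documents and Settings\Owner.WADE\Application Data\fprksv.dll",Display
prylag REG_SZ "C:\WINDOWS\system32\rundll32.exe" "C:\Documents and Settings\Owner.WADE\Application Data\prylag.dll",set_write_fn
ctfmon REG_SZ C:\WINDOWS\system32\ctfmon.exe
"""

# Constructed disk snapshot at the time JRT ran: fprksv.dll and prylag.dll still
# existed (ESET quarantined them later), vcmlup.dll was already gone, which is
# why SystemLook later reported "No files found" for it.
PRESENT_FILES = {
    r"C:\Documents and Settings\Owner.WADE\Application Data\fprksv.dll",
    r"C:\Documents and Settings\Owner.WADE\Application Data\prylag.dll",
}

ENTRY_RE = re.compile(r"^(\S+)\s+(REG_\w+)\s+(.*)$")
# rundll32 loader: optional quoted full path to rundll32.exe, then the DLL path
# (quoted or bare), a comma, and the export name rundll32 will call.
RUNDLL_RE = re.compile(
    r'^"?(?:[A-Za-z]:\\[^"]*\\)?rundll32(?:\.exe)?"?\s+"?([^",]+)"?\s*,\s*(\S*)',
    re.IGNORECASE,
)
PROFILE_MARKERS = ("\\documents and settings\\", "\\users\\")


def classify(value_data, present_files):
    """Return (verdict, dll_path, export) for one Run value's data."""
    m = RUNDLL_RE.match(value_data.strip())
    if not m:
        return "not-rundll32", None, None
    dll, export = m.group(1), m.group(2)
    if dll.lower() not in {p.lower() for p in present_files}:
        # The Run value survived but its DLL is gone: at logon this produces the
        # "Error loading ... The specified module could not be found" popup.
        return "orphaned-loader", dll, export
    if any(mark in dll.lower() for mark in PROFILE_MARKERS):
        # A DLL under a user profile loaded by rundll32 at logon is the
        # Medfos-style persistence JRT flagged; treat it as suspicious.
        return "suspicious-profile-dll", dll, export
    return "rundll32-system-dll", dll, export


def triage_run_entries(table_text, present_files):
    """Parse a JRT-style Run-key table and classify every entry in it."""
    findings = []
    for line in table_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        name, _reg_type, data = m.groups()
        verdict, dll, export = classify(data, present_files)
        findings.append({"name": name, "verdict": verdict, "dll": dll, "export": export})
    return findings


if __name__ == "__main__":
    for f in triage_run_entries(SAMPLE_RUN_ENTRIES, PRESENT_FILES):
        print(f"{f['name']:<8} {f['verdict']:<24} {f['dll'] or ''}")
```

An orphaned verdict means the fix is to delete the Run value itself (as the OTL fix later in this thread does for vcmlup), not to hunt for the missing DLL.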
  12. Jay Pfoutz Malware Helper Posts: 4,286   +49

    OTL Fix

    Please run OTL
    • Under the Custom Scans/Fixes box at the bottom, copy and paste in the following:

    • Then click the Run Fix button at the top.
    • Note: The fix for OTL automatically hides your Desktop and Start menu so the fix can be completed. Do not be alerted, as this is normal.
    • Please do not exit the program. It might take a while to fix, but allow it to run. If it asks to reboot the computer, allow it to reboot. If the program freezes, and the computer fails to reboot - let me know.
      Lastly, post the contents of the log. (Located at C:\_OTL\Moved Files)


    Any more issues? Let me know. :)
  13. whs1818 Newcomer, in training Posts: 30

    Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\vcmlup deleted successfully.
    ========== FILES ==========
    < ipconfig /flushdns /c >
    Windows IP Configuration
    Successfully flushed the DNS Resolver Cache.
    G:\cmd.bat deleted successfully.
    G:\cmd.txt deleted successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 771543 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes
    ->Flash cache emptied: 56504 bytes

    User: LocalService
    ->Temp folder emptied: 66016 bytes
    ->Temporary Internet Files folder emptied: 13210483 bytes
    ->Flash cache emptied: 343 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: Owner

    User: Owner.WADE
    ->Temp folder emptied: 21792802 bytes
    ->Temporary Internet Files folder emptied: 3367073 bytes
    ->FireFox cache emptied: 63627123 bytes
    ->Flash cache emptied: 3807725 bytes

    User: OWNER~1~WAD

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 346641 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 176837 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 66938716 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 388980 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 167.00 mb


    OTL by OldTimer - Version 3.2.69.0 log created on 03052013_161300

    Files\Folders moved on Reboot...
    File move failed. C:\WINDOWS\temp\_avast_\Webshlock.txt scheduled to be moved on reboot.

    PendingFileRenameOperations files...

    Registry entries deleted on Reboot...
  14. Jay Pfoutz Malware Helper Posts: 4,286   +49

    Please download the Fix IE Utility to your desktop.

    Before running the utility, make sure that all your Internet Explorer windows are closed!

    • Extract the contents of the .zip file to your desktop.
    • Double click the Fix IE Utility button to run the tool.
    • Click Run Utility
    • Click OK when you see 'Re-registered all files'
    • Open Internet Explorer and see how it works.
  15. whs1818 Newcomer, in training Posts: 30

    IE seems to be running fine. So does everything else. I haven't noticed my computer slowing down at all and don't have any error messages.
  16. Jay Pfoutz Malware Helper Posts: 4,286   +49

    Hi there. It all appears to be good, so we will finish up to make sure your computer is protected from malware in the future.

    Clean up System Restore

    Now, to get you off to a clean start, we will be creating a new Restore Point, then clearing the old ones to make sure you do not get reinfected, in case you need to "restore back."
    • Select Start > All Programs > Accessories > System tools > System Restore.
    • On the dialogue box that appears select Create a Restore Point
    • Click NEXT
    • Enter a name e.g. Clean
    • Click CREATE

    Remove tools, temp files, old Restore Points

    Please run OTL
    • Under the Custom Scans/Fixes box at the bottom, copy and paste in the following:

    • Then click the Run Fix button at the top.
    • Note: The fix for OTL sometimes hides your Desktop and Start menu so the cleanup can be completed. Do not be alerted, as this is normal.
    • It may open a log for you, but I don't need that.

    To remove all of the tools we used and the files and folders they created do the following:
    Double click OTL.exe.
    • Click the CleanUp button.
    • Select Yes when the "Begin cleanup Process?" prompt appears.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.
    Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

    Security Check

    Please download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.
    • Save it to your Desktop.
    • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
  17. whs1818 Newcomer, in training Posts: 30

    It wouldn't let me paste it for some reason so I attached it.

  18. Jay Pfoutz Malware Helper Posts: 4,286   +49

    Firefox update

    Firefox is out of date. Firefox is a very popular web browser, and if it is out of date, it is very vulnerable to security bugs, and other holes. To update it now, click Help > About Firefox > Check for Updates.

    Adobe Flash Player Update!

    Please download the newest version of Adobe Flash Player from Adobe.com

    Before installing: it is important to remove older versions of Flash Player since it does not do so automatically and old versions still leave you vulnerable.
    Go to the Control Panel and enter Add or Remove Programs (Programs and Features in Vista/7).
    Search in the list for all previous installed versions of Adobe Flash Player. Uninstall/Remove each of them.

    Once old versions are gone, please install the newest version.

    Adobe Reader Update!

    Please download the newest version of Adobe Acrobat Reader from Adobe.com

    Before installing: it is important to remove older versions of Acrobat Reader since it does not do so automatically and old versions still leave you vulnerable.
    Go to the Control Panel and enter Add or Remove Programs (Programs and Features in Vista/7).
    Search in the list for all previous installed versions of Adobe Acrobat Reader. Uninstall/Remove each of them.

    Once old versions are gone, please install the newest version.


    Personal Tips on Preventing Malware

    See this page for more info about malware and prevention.


    Any other questions before I mark this topic solved?
  19. whs1818 Newcomer, in training Posts: 30

    I have completed those updates and installed some AV and malware programs that you recommended from that site. Thank you for all of your help with my computer problems. I greatly appreciate it.
  20. Jay Pfoutz Malware Helper Posts: 4,286   +49

    You're welcome. Topic solved. :)