Download ComboFix from one of these locations:

Save as Combo-Fix.exe during the download. ComboFix must be renamed before you download it to your Desktop.

Link 1

Link 2

* IMPORTANT !!! Save Combo-Fix to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
    See HERE for help
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it is strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

Please note: (This applies to Windows XP systems only) If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

(screenshot of the ComboFix "What next?" prompt)

Click on Yes, to continue scanning for malware.

When finished, ComboFix will produce a log.

Note:

1. Do not mouse-click ComboFix's window while it's running. That may cause it to stall!

2. Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet.


Attach logs for:

  • ComboFix (C:\combofix.txt)

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!


Ok, here is the combofix log. It ran as you said, a couple of the windows weren't there but maybe because I'm on Windows 7 instead of XP?

Seemed to work fine but we'll see..... Should I be using Microsoft Security Suite along with the Emsisoft antimalware and firewall?

Edited by ShadowPuterDude
Removed unnecessarily quoted post

Do not use the reply with quote button. Scroll down the page just a bit further and use the Add Reply button.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of Java components and upgrade the application. NOT supported for use in 9x or ME.

Upgrading Java:

  • Download the latest version of Java SE Runtime Environment (JRE), JRE 6 Update 26.
  • Click the "Download JRE" button to the right.
  • Accept the license agreement.
  • Click on the download link for your system and save it to your desktop.
    Windows x86 Offline (jre-6u26-windows-i586.exe)
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version. (Vista/7 users, right click on the JRE download and select "Run as an Administrator.")


Run OTL.exe

  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
    :OTL
    O2 - BHO: (66754620) - {1BF0A3D6-B2D2-BFF3-1E6B-3CCF6E39D43F} - C:\ProgramData\api-ms-win-core-fibers-l1-1-032.dll ()
    O3 - HKLM\..\Toolbar: (no name) - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: EnableShellExecuteHooks = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
    O20 - AppInit_DLLs: (C:\ProgramData\api-ms-win-core-fibers-l1-1-032.dll) - C:\ProgramData\api-ms-win-core-fibers-l1-1-032.dll ()
    O20 - HKLM Winlogon: VMApplet - (/pagefile) -  File not found
    O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
    [1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
    [2011/06/13 07:22:24 | 000,167,936 | ---- | M] () -- C:\ProgramData\api-ms-win-core-fibers-l1-1-032.dll
    [2011/06/13 07:22:24 | 000,000,133 | ---- | M] () -- C:\Windows\System32\1822949634
    
    :Commands
    [Purity]
    [EmptyFlash]
    [ResetHosts]
    [start Explorer]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Attach the new log produced by OTL (C:\_OTL).

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!


The fix failed to execute properly. Some browsers do not properly copy the linefeeds. Copy & Paste the fix in my previous post to notepad, and make sure it looks exactly like the one I posted. Then Copy & Paste it from notepad to OTL and run the fix.

Attach the resulting log.


I didn't mention before, when I ran the fix with OTL, I had to copy to wordpad and then to the box on OTL as it wouldn't copy right from notepad either. Maybe a thing with Microsoft 7?

Overall, the computer seems to be running better; I'm not getting messages saying I have to run scans as I did before. The only negative I see is that it takes longer to boot and be ready to use. Not unworkable, but longer.

My last SCAN:


Run OTL.exe

  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
    :OTL
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: EnableShellExecuteHooks = 1
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    
    :Commands
    [ClearAllRestorePoints]
    [CreateRestorePoint]
    [Purity]
    [EmptyTemp]
    [EmptyFlash]
    [start Explorer]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Attach the new log produced by OTL (C:\_OTL).

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!


Everything seems about the same. Emptying the caches didn't make a big difference. When I restarted my computer this a.m., I got a message box:

header: oaui.exe

Instruction at 0x77d02239 referenced memory at 0x00000014. The memory could not be written. Click to terminate program.

I have noticed the light on the front of the laptop stays on after I close it, indicating there is still an open program. Just the past couple of days.

Last log:


oaui.exe is the Online Armor User Interface. There appears to be a conflict, as OAUI is trying to write to a memory location that is either already in use or is a protected location. Which, of course, will cause OAUI to crash. Your slow loading issues may be related to OAUI.

You will want to start a thread in the Customer Support forums. Reference this thread.


Now to remove most of the tools that we have used in fixing your machine:

  • Make sure you have an Internet Connection.
  • Download OTC to your desktop and run it
  • A list of tool components used in the cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OTC from reaching the Internet, please allow the application to do so.
  • Click Yes to begin the cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the cleanup process. If you are asked to reboot the machine choose Yes.

Delete the following from your Desktop (If they exist)

CFscript.txt

Delete the following files: (If they exist)

C:\ComboFix.txt

Delete the following folders: (If they exist)

C:\ComboFix

C:\Qoobox

Empty the Recycle Bin

Download to your Desktop:

- CCleaner Portable

  • UnZip CCleaner Portable to a folder on your Desktop named CCleaner

Run CCleaner

  • Open the CCleaner Folder on your Desktop and double click CCleaner.exe (32-bit) or CCleaner64.exe (64-bit)
  • The following should be selected by default, if not, please select: (screenshot of the default Cleaner selections)
  • Click (Options button) and choose (Advanced)
  • Uncheck (the option shown in the screenshot)
  • Then go back to (Cleaner) and click (Run Cleaner) to run it.
  • Exit CCleaner.

You can delete and uninstall any programs I had you download, that you do not wish to keep on the system.

Run Windows Update and update your Windows Operating System.

Run the Secunia Online Software Inspector; this will inspect your system for software that is out of date and in need of updating. Update any program/application detected as being out of date.

Articles to read:

How to Protect Your Computer From Malware

How to keep you and your Windows PC happy

Web, email, chat, password and kids safety

10 Sources of Malware Infections

That should take care of everything.

Safe Surfing!


Everything worked ok except I can't delete Qoobox. It is in a file BackEnv which won't let me open it or delete it as the drop down states I'm not an administrator and can't access. I am in the admin. mode on my computer but it must mean for the program.

Otherwise, all is good except for the problem I put on another board. Computer is starting fine and no problems surfing or working on it.

Thanks so much!


Copy the contents of the below quote box to Notepad; Save As InstallTakeOwnership.reg to your Desktop; make sure File Type: is set to All Files (*.*).

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\*\shell\runas]
@="Take Ownership"
"NoWorkingDirectory"=""

[HKEY_CLASSES_ROOT\*\shell\runas\command]
@="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"
"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"

[HKEY_CLASSES_ROOT\Directory\shell\runas]
@="Take Ownership"
"NoWorkingDirectory"=""

[HKEY_CLASSES_ROOT\Directory\shell\runas\command]
@="cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant administrators:F /t"
"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant administrators:F /t"

Close Notepad.

Locate InstallTakeOwnership.reg on your Desktop. Double-click on it and answer 'Yes' when asked if you want to merge with the registry.


Right-click on the Qoobox folder, select "Take Ownership". You should now be able to delete the Qoobox folder.


Doesn't seem to be working.

Does it matter what format it's saved in? e.g. txt, rich txt, etc. Saving it in txt X2 and it still opens a box that indicates I need administrator approval when I click QooBox and delete.

The other question is after I right click and choose "take ownership" it opens a C command board that just flashes and closes but I don't have a chance to read it.


You should be using notepad to save the file and nothing else.

Once you take Ownership of the Folder you should have no problems deleting the Qoobox folder.

Yes, a Command Console window will open briefly as some commands are being executed that change folder permissions.

I've attached the registry patch, download to your Desktop. Unzip and double-click to merge to your registry.

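The context-menu entry above runs takeown and icacls in a console that closes before its output can be read. The following is an added example, not part of the thread or of the registry patch, that performs the same two steps from an already-open elevated PowerShell window and verifies the folder's owner before and after, so the result is visible. It assumes the stuck folder is C:\Qoobox and that the console was started with "Run as administrator".

```powershell
# Added example (not from the thread): scripted version of the "Take Ownership"
# context-menu action, run from a persistent console so the output stays readable.
# Assumes an elevated PowerShell session and the stuck folder C:\Qoobox.
param(
    [string]$Target = 'C:\Qoobox'
)

function Get-OwnerName {
    param([string]$Path)
    # Owner as reported by the folder's security descriptor (e.g. BUILTIN\Administrators)
    (Get-Acl -LiteralPath $Path).Owner
}

if (-not (Test-Path -LiteralPath $Target)) {
    Write-Host "Nothing to do: $Target does not exist."
    return
}

Write-Host "Owner before: $(Get-OwnerName $Target)"

# The same two steps the .reg file's Directory entry runs:
# 1. take ownership recursively (/r), answering "y" to any list-folder prompt (/d y)
# 2. grant the Administrators group full control, recursing into children (/t)
& takeown.exe /f $Target /r /d y | Out-Null
& icacls.exe $Target /grant 'Administrators:F' /t | Out-Null

Write-Host "Owner after:  $(Get-OwnerName $Target)"

# Only attempt the deletion once the permission change has actually taken effect.
try {
    Remove-Item -LiteralPath $Target -Recurse -Force -ErrorAction Stop
    Write-Host "Deleted ${Target}"
} catch {
    Write-Warning "Still could not delete ${Target}: $($_.Exception.Message)"
    Write-Host "Inspect the current permissions with: icacls `"$Target`""
}
```

If "Owner after" still does not show the Administrators group, the session was not elevated and the takeown step was silently denied.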

You are welcome.

Thread Closed

Reason: Resolved

The procedures contained in this thread are for this user and this user only. Attempting to use the instructions in this thread on your system could result in damaging the Operating System beyond repair. Do Not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist.

All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE, if you don't we are just going to send you back to this thread
