After Viprer review

Scott0 · Apr 1, 2009

Guys,

Need someone to take a look at my logs. Ran the new ViprerRescue5070 and it found 55 problems. It corrected 52. Deleated the quarantined items and then started the Major Geeks Procedures. After all the scans were completed there was a total of about 75 more problems found and corrected. VipreRescue is a great tool to clean up a machine from a no boot state to a working boot because the scan can be done from a CD using the command prompt. So I will keep it for those "no can boot due to" infection problems. But it needs to be followed up with your excellent procedured to finish the job. I have only attached logs per the read me procedures. Please review my logs and let me know if I am good to go. Thanks in advance for the help.

dr.moriarty · Apr 4, 2009

Welcome to MajorGeeks!

We are currently reviewing your logs and will get back to you with a set of instructions as soon as possible. Our queue is working the oldest threads first.

Thanks for your patience.
dr.m

Scott0 · Apr 5, 2009

Dr. Moriarty,

Thank you for taking a look at my modest attempt at resolving problems with my computer. Obviously “I see but I do not observe”. The Cannon ( 4 and 56 ) give me inspiration but I have fallen down on the job. I await your instructions with eager anticipation. ;-)

Scott

dr.moriarty · Apr 6, 2009

Hello, Scott0

The below fixes are specific to your problem and should only be used for issue(s) on this machine. Also, please do not install any other software while we are still working with you unless instructed. Once we have given you the all clean and final instructions you will be free to install what you want.

* Where is your anti-virus and "real-time" anti-spyware protection?

Step 1:
Please look in Add/Remove Programs for the following and uninstall if found. If you get any errors just make a note and proceed

Viewpoint Manager (Remove Only)
Viewpoint Media Player
Click to expand...

Step 2:
Now we need to use ComboFix to remove some malware.

Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!

If it is not on your Desktop, the below will not work.

Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. *Remember to re-start them before coming back online.

Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
Code:
KILLALL::

File::
c:\documents and settings\Administrator\Application Data\suwydoce.vbs
c:\program files\Common Files\ugusoluz.vbs
c:\program files\Common Files\foneh.bat
c:\windows\idyxyxyka.ban
c:\windows\guparely.db
c:\windows\system32\zevoxu.pif
c:\program files\Common Files\ynacevuby.com
c:\windows\ybevepib._sy
c:\windows\imebudyfo.bin
c:\program files\Common Files\ipyzo.dat
c:\windows\system32\zuditysu.dat
c:\documents and settings\Administrator\Application Data\zuqycil.com
c:\documents and settings\Administrator\Application Data\odukonivaq.bin
c:\documents and settings\All Users\Application Data\xacan.reg
c:\program files\Common Files\edywokilu.vbs
C:\Documents and Settings\Administrator\Application Data\uruzatedub._sy
C:\Documents and Settings\Administrator\Application Data\zapawomyh.dl
C:\Documents and Settings\Administrator\Local Settings\Application Data\eqolysom.ban
C:\Documents and Settings\Administrator\Local Settings\Application Data\usacyket.db
C:\Documents and Settings\All Users\Application Data\otehokibo._dl
C:\Documents and Settings\All Users\Application Data\yvonyhylep.inf

Driver::
EraserUtilDrv10821
Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe

At this point, you MUST EXIT ALL BROWSERS NOW before continuing!

You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
If it asks you to overide the previous file with the same name, click YES.

Now use your mouse to drag CFscript.txt on top of ComboFix.exe
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Follow the prompts.

When it finishes, a log will be produced named c:\\combofix.txt

I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

Step 3:
Run Ccleaner

Step 4:
Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, use right click and select Run As Administrator).

Then attach the below logs to your next reply:

C:\MGlogs.zip

C:\combofix.txt

Make sure you tell me if you had any problems running this procedure and give a description of how things are working now!

dr.m

Scott0 · Apr 6, 2009

Dr. Moriarty,

Attached are the logs you requested. In reference to the anti-virus and "real-time" anti-spyware protection, there is a plan. I intend to clean up the computer and then put Deep Freeze on the machine to lock down the OpSys. But if you think anti-spy and virus protection are still needed, so be it. I will add them before activating Deep Freeze.

Just for my general information I would like to know if files like foneh.bat, suwydoce.vbs, ugusoluz.vbs, foneh.bat etc. etc from your Kill list for combofix are common problems? If this is the case I would like to make a list and search and destroy them for each of my existing machines.

BTW, have you ever had the chance to visit the Reichenbach Falls? They on my "to do" list. Some day......Some day.

Scott0

dr.moriarty · Apr 9, 2009

Hello, Scott0

To answer your questions about DeepFreeze:

*With credits to "chaslang"
If you have no active protection, your core Windows system files and other files are all at risk of infecting downloads and potentially unprotected areas of the Windows partition. In addition if you do not have a proper bi-directional firewall, your PC could infect other PCs on a network while you are currently working online even though Deep Freeze is active. Deep Freeze does not protect you from any malware actions (incoming or outgoing) while your PC is running. Also having active antivirus and antispyware protection can possible warn you of other security weeknesses/exploits within your Windows OS or with other running software. Deep Freeze will not do this.
Click to expand...

Scott0 said:

I would like to know if files like foneh.bat, suwydoce.vbs, ugusoluz.vbs, foneh.bat etc. etc from your Kill list for combofix are common problems?
Click to expand...

Yes these are common problems. We see infections like this all the time. The names of the files are not always the same because these kinds of infections generate randomly named files and folders to make it harder for a generic fix to be created. The best solution is run our R & R Me First Guide on each machine and start a new thread for each. *I do not recommend that you use ComboFix without supervision!

Question: Are these machines for a business or personal use?

------------------------------------------------------------------------------------------------------------

Step 1:
Now we need to use ComboFix again.

Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!

If it is not on your Desktop, the below will not work.

Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. *Remember to re-start them before coming back online.

Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
Code:
KILLALL::

File::
c:\windows\ixuvelipyv.reg

Folder::
c:\documents and settings\All Users\Application Data\vmfidydc
c:\program files\vdicmyc
Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe

At this point, you MUST EXIT ALL BROWSERS NOW before continuing!

You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
If it asks you to overide the previous file with the same name, click YES.

Now use your mouse to drag CFscript.txt on top of ComboFix.exe
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Follow the prompts.

When it finishes, a log will be produced named c:\\combofix.txt

I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

Step 2:
Run Ccleaner

Step 3:
Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, use right click and select Run As Administrator).

Then attach the below logs to your next reply:

C:\MGlogs.zip

C:\combofix.txt

Make sure you tell me if you had any problems running this procedure and give a description of how things are working now!

dr.m

Scott0 · Apr 9, 2009

Dr, Moriarty,

Attached are the two files you requested. The following is a response to your questions along with a few observations and questions of my own. Sorry in advance if it is a bit wordy.

All machines I have are for personal use. They either belong to friends that I am trying to help or to family members. I feel that it is unethical, not right and just plain unfair to take advantage of people who supply help on a volunteer bases. If one is running a business, it's objective is to make money. Then one should pay to make sure one can continue to make money through securing and fixing one’s system. Three of my machines will be used for a Lab in prep for taking the Microsoft certification tests. They may be old but are functional for the task. The remainder belongs to family or friends.

I am a “wanbe’ geek. I help friends when I can and in so doing gain knowledge along the way. This particular machine was used in a business and is now retired. It was replaced by a Dell more than 6 months ago. My friend, from high school back in 1969, wanted to just use it to surf the internet. He found lots of virus pop ups problems and was going to junk it. Hence my involvement . I have formed a hypothesis based on your last post. Deep Freeze is Ok for a standalone machines as long as it has antispyware and anti malware installed. From my latest readings, Deep Freeze can even update antispyware and anti malware while maintaining its lockdown status. Unproven, so I need to try it.

I have found that the Microsoft OS is labor intensive. You need to run antispyware, anti malware and root kit scons on a regular base. While this is normal operating procedure for IT personnel it is just a pain in the a$$ for the average user. That is unless you are willing to (or can) pay the $75 to $`150 dollars per year for programs that will do auto scans. Even then you probably need an IT person to set it up. Most users want a “gent in the car and turn the key and it works” experience”. From a technical view this is just plain dumb. From a human perspective this is perfectly normal.

Questions:
Is my Deep Freeze hypothesis correct or does it need modifications? Based on your info is there a way I can identify infections, as you do, so I can eliminate or block them?
Again, sorry for the diatribe. Looking to gain as much knowledge and info as I can get.

Scott0

PS: I have attend meetings of several Sherlockian society meetings: The “Sons of the Copper Beeches” Philadelphia, Epilogues Of Sherlock Holmes, North NJ and “ The Red Circle” in Washington Dc. If you intend to attend one of these meetings please let me know. I will make sure I am there.

dr.moriarty · Apr 10, 2009

Scott0

Since Microsoft gained market dominance of desktop operating systems in the 1990's, Windows by far is the most popular operating system for virus writers. According to Symantec's own figures, the hackers are inventing up to 15,000 new infections every day, designed specifically to get around the latest anti-virus protections.

Deep Freeze is Ok for a standalone machines as long as it has antispyware and anti-malware installed. <--- Add "firewall, anti-virus and 'real-time' anti-malware blocker" also.
Click to expand...

* A link to our recommended freeware or shareware is at bottom of this post.

Based on your info is there a way I can identify infections, as you do, so I can eliminate or block them? <--- Lots of reading and web research, perhaps even attending one of the malware removal training schools like I did.
More info on that: http://forums.majorgeeks.com/showthread.php?t=182555
Click to expand...

Other than Mozilla Firefox (1.5.0.12) is way out of date - Your logs look good! If you are not having any other malware problems, it is time to do our final steps:

We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significan amount of resources ( except a little disk space ) until you run a scan.

If we had you use ComboFix, uninstall ComboFix (=This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)

Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required

"%userprofile%\Desktop\combofix" /u

Notes: The space between the combofix" and the /u, it must be there.

This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.

Delete the C:\combofix folder from combofix (if it exists)

If we had you run Avenger, you can delete all files related to Avenger now.

Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.

If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.

If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.

Go to add/remove programs and uninstall HijackThis.

You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip

If you are running Vista, Windows XP or Windows ME, do the below:

Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.

Then reboot and Enable System Restore to create a new clean Restore Point.

After doing the above, you should work thru the below link:

How to Protect yourself from malware

Click to expand...

Safe surfing! http://i268.photobucket.com/albums/jj5/drmoriarty/Emoticons/char145.gif

Scott0 · Apr 12, 2009

Dr Moriarty,

Thank you for all your help and advice. Your skill and expertise are greatly appreciated. I am always up for learning and picked up a lot with our sessions.

Live Long and Prosper,

Scott0

dr.moriarty · Apr 12, 2009

:major

You're Welcome and "Thank You", Scott0.

"Peace and long life" \V/

dr.m

Log in or Sign up

After Viprer review

Scott0 Private E-2

Attached Files:

combofix.txt

mbam-log-2009-04-01 (.txt

MGlogs.zip

Saslog 04-01-2009 - 11-41-00.log

dr.moriarty Malware Super Sleuth Staff Member

Scott0 Private E-2

dr.moriarty Malware Super Sleuth Staff Member

Scott0 Private E-2

Attached Files:

combofix-log.txt

MGlogs.zip

dr.moriarty Malware Super Sleuth Staff Member

Scott0 Private E-2

Attached Files:

combofix 040909 log.txt

MGlogs.zip

dr.moriarty Malware Super Sleuth Staff Member

Scott0 Private E-2

dr.moriarty Malware Super Sleuth Staff Member