uKash removal on W98 laptop - Help!

[scuba_pup]

[attachment=3324][attachment=3325]

Okay Thank you...

On a clean PC, open notepad and copy & paste the following:

HKU\Robert\...\Winlogon: [Shell] explorer.exe,C:\DOCUME~1\Robert\LOCALS~1\Temp\nmasdanjc.exe [52736 2013-01-25] (?????????? ??????????)
HKLM\...\Winlogon: [Userinit] C:\WINDOWS\system32\userinit.exe,,C:\WINDOWS\temp\sepsanjc.exe, [52736 2013-01-25] (?????????? ??????????)
3 DMSKSSRh; \??\C:\DOCUME~1\Robert\LOCALS~1\Temp\DMSKSSRh.sys [x]

and save it as fixlist.txt onto your flash drive.

Then, boot to OTLPE, plug in your flash drive, open FRST and click fix. Post the generated log.

<hr>
While in OTLPE, double click the OTLPE icon.

• Select the Windows folder of the infected drive if it asks for a location.
• When asked Do you wish to load the remote registry, select Yes.
• When asked Do you wish to load remote user profile(s) for scanning, select Yes.
• Ensure the box Automatically Load All Remaining Users is checked and press OK.
• OTL should now start
• Click the Scan All Users checkbox.
• Change Standard Registry to All
• Check the boxes beside LOP Check and Purity Check
• Click on Run Scan at the top left hand corner.
• When done, two Notepad files will open.
  • OTListIt.txt <-- Will be opened
  • Extra.txt <-- Will be minimized
• Please post the contents of these 2 Notepad files in your next reply.

First log file

Opened OTLPE ver 3.1.48.0 and it does not have a Scan All Users checkbox.

Have Services (safelist), Drivers (safelist), Std Registry (safelist - will change to all), Extra Registry (None). have LOP and Purity checked. Only other options are Output (Std Output), File Age (30 days), USe Company Name Whitelist (unchecked), Skip MS files (unchecked) Use No Company Name Whitelist (checked), Files Created within (File Age), Files Mod within (File Age). Then of course the four options top left Run Scan being the most top left.:huh:

Have run the scan with Services Safelist and Drivers Safelist - file OTL.txt attached.

No file extra.txt on HDDs or USB - certainly not minimised.
Window had popped up for "Buy WindowsBlinds".

Ran again with Services ALL and Drivers all - again just one file, no Windows Blinds window and OTL2.txt attached.

 

[kuttus]

Okay. Now please run the OTL once again with the following fix.

STEP 1: Run the below OTL fix
<ol><li>Start <>OTL.exe</></li>
<li>Copy/paste the following text written <>inside of the code box</> into the <>Custom Scans/Fixes</> box located at the bottom of OTL

:Files
C:\Documents and Settings\All Users\Application Data\188F1432-103A-4ffb-80F1-36B633C5C9E1
C:\Documents and Settings\Fiona\Local Settings\Application Data\fusioncache.dat
C:\Documents and Settings\All Users\Application Data\addr_file.html
C:\Documents and Settings\Robert\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
C:\Documents and Settings\Robert\Application Data\inst.exe
C:\Documents and Settings\Robert\Application Data\pcouffin.cat
C:\Documents and Settings\Robert\Application Data\pcouffin.inf
C:\Documents and Settings\Robert\Application Data\pcouffin.sys
ipconfig /flushdns /c

:Commands
[EmptyTemp]
[EmptyFlash]
[EmptyJava]
[Reboot]

<>NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system</></li>
<li>Then click the <>Run Fix</> button at the top</li>
<li>Let the program run unhindered, reboot when it is done</li>
<li>Attach the new log produced by OTL (C:\_OTL)</li>
</ol>
<hr />

 

[scuba_pup]

[attachment=3335][/align][align=justify]

Okay. Now please run the OTL once again with the following fix.

STEP 1: Run the below OTL fix
<ol><li>Start <>OTL.exe</></li>
<li>Copy/paste the following text written <>inside of the code box</> into the <>Custom Scans/Fixes</> box located at the bottom of OTL

:Files
C:\Documents and Settings\All Users\Application Data\188F1432-103A-4ffb-80F1-36B633C5C9E1
C:\Documents and Settings\Fiona\Local Settings\Application Data\fusioncache.dat
C:\Documents and Settings\All Users\Application Data\addr_file.html
C:\Documents and Settings\Robert\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
C:\Documents and Settings\Robert\Application Data\inst.exe
C:\Documents and Settings\Robert\Application Data\pcouffin.cat
C:\Documents and Settings\Robert\Application Data\pcouffin.inf
C:\Documents and Settings\Robert\Application Data\pcouffin.sys
ipconfig /flushdns /c

:Commands
[EmptyTemp]
[EmptyFlash]
[EmptyJava]
[Reboot]

<>NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system</></li>
<li>Then click the <>Run Fix</> button at the top</li>
<li>Let the program run unhindered, reboot when it is done</li>
<li>Attach the new log produced by OTL (C:\_OTL)</li>
</ol>
<hr />

Have run OTL with that Fix script. Log from this attached "FixScript.txt"

Then rebooted - (unsure if Reatogo or Normal PC boot?). Have opted for Reatogo and then to run OTL scan again and post reply?

 

[kuttus]

Now take the CD out and restart the computer with out the CD.... Now you will be able to start the computer with out a Virus Pop up...

After the restart download and Run the OTL from here.......

 

[scuba_pup]

[attachment=3349][attachment=3350]
Hi Kuttus,

Booted OK - have RealPlayer update pop-up aslo AVG reboot request and AVG enable Web Protection.

Ran OTL and attached two files from the scan - used All Users checkbox and All for Registry + LOP and Purity.

 

[kuttus]

Okay.

STEP 1: Run a HitmanPro scan
<ol>
<li><>Download the latest official version of HitmanPro</>.
<a href="http://www.surfright.nl/en/hitmanpro/" rel="nofollow" target="_blank"> <>HITMANPRO DOWNLOAD LINK</></a> <em>(This link will open a download page in a new window from where you can download HitmanPro)</em></li>
<li>Start HitmanPro by <>double clicking on the previously downloaded file.</> and then following the prompts.
<img src="http://malwaretips.com/images/removalguide/hpro4.png" alt="[Image: hitmanproscan4.png]" border="0" /></li>
<li>Once the scan is complete, a screen displaying all the malicious files that the program found will be shown as seen in the image below.After reviewing each malicious object click <>Next</> .
<img src="http://malwaretips.com/blogs/wp-content/uploads/2012/02/rsz_hpro5.png" alt="[Image: hitmanproscan5.png]" border="0" /></li>
<li>Click <>Activate free license</> to start the free 30 days trial and remove the malicious files.
<img src="http://malwaretips.com/images/removalguide/hpro6.png" alt="[Image: hitmanproscan6.png]" border="0" /></li>
<li>HitmanPro will now start removing the infected objects, and in some instances, may suggest a reboot in order to completely remove the malware from your system. In this scenario, always confirm the reboot action to be on the safe side.
</ol>
Add to your next reply, any log that HitmanPro might generate.
<hr />

You should be able to run both scans while in Normal mode...
STEP 2: Run a scan with Malwarebytes Anti-Malware in Chamelon mode

<ol>
<li>Download <>Malwarebytes Chameleon from <a title="External link" href="http://downloads.malwarebytes.org/file/chameleon" rel="nofollow external">here</a> </>and extract it to a folder in a convenient location</li>
<li>Make certain that your PC is connected to the internet and then open the folder where you extracted Chameleon to and double-click on the Chameleon help file and then follow the onscreen instructions to use it.</li>
<li>If the Chameleon help file itself will not open, then double-click each file one by one until you find one that works, which will be indicated by a black DOS/command prompt window <em><>Note:</> Do not attempt to open <>mbam-killer</> as that is not a Chameleon executable and serves a different purpose)</em></li>
<li>Follow the onscreen instructions to press a key to continue and Chameleon will proceed to download and install Malwarebytes Anti-Malware for yo</li>
<li>Once it has done this, it will attempt to update Malwarebytes Anti-Malware, click <>OK</> when it says that the database was updated successful</li>
<li>Next, Malwarebytes Anti-Malware will automatically open and perform a Quick scan</li>
<li>Upon completion of the scan, if anything has been detected, click on <>Show Result</></li>
<li>Have Malwarebytes Anti-Malware remove any threats that are detected and click <>Yes</> if prompted to reboot your computer to allow the removal process to complete</li>
<li>After your computer restarts, open <>Malwarebytes Anti-Malware</> and perform a Full System scan to verify that there are no remaining threats</li>
Please add both logs in your next reply.
</ol>

<hr />

 

[scuba_pup]

[attachment=3364]

Okay.

STEP 1: Run a HitmanPro scan
<ol>
<li><>Download the latest official version of HitmanPro</>.
<a href="http://www.surfright.nl/en/hitmanpro/" rel="nofollow" target="_blank"> <>HITMANPRO DOWNLOAD LINK</></a> <em>(This link will open a download page in a new window from where you can download HitmanPro)</em></li>
<li>Start HitmanPro by <>double clicking on the previously downloaded file.</> and then following the prompts.
<img src="http://malwaretips.com/images/removalguide/hpro4.png" alt="[Image: hitmanproscan4.png]" border="0" /></li>
<li>Once the scan is complete, a screen displaying all the malicious files that the program found will be shown as seen in the image below.After reviewing each malicious object click <>Next</> .
<img src="http://malwaretips.com/blogs/wp-content/uploads/2012/02/rsz_hpro5.png" alt="[Image: hitmanproscan5.png]" border="0" /></li>
<li>Click <>Activate free license</> to start the free 30 days trial and remove the malicious files.
<img src="http://malwaretips.com/images/removalguide/hpro6.png" alt="[Image: hitmanproscan6.png]" border="0" /></li>
<li>HitmanPro will now start removing the infected objects, and in some instances, may suggest a reboot in order to completely remove the malware from your system. In this scenario, always confirm the reboot action to be on the safe side.
</ol>
Add to your next reply, any log that HitmanPro might generate.
<hr />

You should be able to run both scans while in Normal mode...
STEP 2: Run a scan with Malwarebytes Anti-Malware in Chamelon mode

<ol>
<li>Download <>Malwarebytes Chameleon from <a title="External link" href="http://downloads.malwarebytes.org/file/chameleon" rel="nofollow external">here</a> </>and extract it to a folder in a convenient location</li>
<li>Make certain that your PC is connected to the internet and then open the folder where you extracted Chameleon to and double-click on the Chameleon help file and then follow the onscreen instructions to use it.</li>
<li>If the Chameleon help file itself will not open, then double-click each file one by one until you find one that works, which will be indicated by a black DOS/command prompt window <em><>Note:</> Do not attempt to open <>mbam-killer</> as that is not a Chameleon executable and serves a different purpose)</em></li>
<li>Follow the onscreen instructions to press a key to continue and Chameleon will proceed to download and install Malwarebytes Anti-Malware for yo</li>
<li>Once it has done this, it will attempt to update Malwarebytes Anti-Malware, click <>OK</> when it says that the database was updated successful</li>
<li>Next, Malwarebytes Anti-Malware will automatically open and perform a Quick scan</li>
<li>Upon completion of the scan, if anything has been detected, click on <>Show Result</></li>
<li>Have Malwarebytes Anti-Malware remove any threats that are detected and click <>Yes</> if prompted to reboot your computer to allow the removal process to complete</li>
<li>After your computer restarts, open <>Malwarebytes Anti-Malware</> and perform a Full System scan to verify that there are no remaining threats</li>
Please add both logs in your next reply.
</ol>

<hr />

Hitman Pro result attached.

 

[kuttus]

Okay..


STEP 1: Run a scan with AdwCleaner

<ol><li>Download AdwCleaner from the below link.
<><a href="http://general-changelog-team.fr/fr/downloads/finish/20-outils-de-xplode/2-adwcleaner" target="_blank">ADWCLEANER DOWNLAOD LINK</a></> (This link will automatically download Security Check on your computer)</li>

<li>Close all open programs and internet browsers.</li>
<li>Double click on <>adwcleaner.exe</> to run the tool.</li>
<li>Click on <>Delete</>,then confirm each time with <>Ok</>.</li>
<li>Your computer will be rebooted automatically. A text file will open after the restart.</li>
<li>Please post the contents of that logfile with your next reply.</li>
<li>You can find the logfile at <>C:\AdwCleaner[S1].txt</> as well.</li>
</ol>
<hr/>

STEP 2: Run Temp File Cleaner by OldTimer
<ol>
<li>You can download the TFC utility from the below link
<a title="External link" href="http://oldtimer.geekstogo.com/TFC.exe" rel="nofollow external"><>TFC DOWNLOAD LINK</></a> <em>(This link will automatically download Temp File Cleaner on your computer)</em></li>
<li>Please double-click <>TFC.exe</> to run it. (<>Note:</> If you are running on Vista or 7, right-click on the file and choose <>Run As Administrator</>).</li>
<li>It <>will close all programs</> when run, so make sure you have <>saved all your work</> before you begin.</li>
<li>Click the <>Start</> button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. <>Let it run uninterrupted to completion</>.</li>
<li>Once it's finished it should <>reboot your machine</>. If it does not, please <>manually reboot the machine</> yourself to ensure a complete clean.</li>
</ol>
<hr />

STEP 3: Clean your temporary files to gain more hard drive space and remove the junk files
<ol>
<li>Download Ccleaner from the below link:
CCLEANER DOWNLOAD LINK</a> <em>(This link will automatically download Ccleaner on your computer)</em></li>
<li>Install Ccleaner by following the prompts</li>
<li>Start Ccleaner and the following should be selected by default, if not, please select:
<img src="http://i52.tinypic.com/4l5a4i.png" alt="Posted Image" /></li>
<li>Click <img src="http://i56.tinypic.com/16jox2o.png" alt="Posted Image" /> and choose <img src="http://i40.tinypic.com/5x3nu8.gif" alt="Posted Image" /></li>
<li>Uncheck <img src="http://i51.tinypic.com/amuvj8.gif" alt="Posted Image" /></li>
<li>Then go back to <img src="http://i41.tinypic.com/2jb4qyb.gif" alt="Posted Image" /> and click <img src="http://i25.tinypic.com/nf47ev.gif" alt="Posted Image" /> to run it.</li>
<li>Exit CCleaner.</li>
</ol>

---

 

[scuba_pup]

[attachment=3372][attachment=3373]

On trying to run a scan post re-booting (after the second of the above scans) MWB reported it failed to load mbam-killer and that the DB was corrupt and asked to download it again. Scan now running after this. (Task Manager will not open when running the scan).
Scan results (quick)
[attachment=3374]

 

[kuttus]

STEP 1: Run a scan with ESET Online Scanner
<ol>
<li>Download ESET Online Scanner utility from the below link
<><a title="External link" href="http://download.eset.com/special/eos/esetsmartinstaller_enu.exe" rel="nofollow">ESET ONLINE SCANNER DOWNLOAD LINK</a></> <em>(This link will automatically download ESET Online Scanner on your computer.)</em></li>
<li>Double click on the Eset installer program (esetsmartinstaller_enu.exe).</li>
<li>Check <>Yes, I accept the Terms of Use</></li>
<li>Click the <>Start</> button.</li>
<li>Check <>Scan archives</></li>
<li>Push the <>Start</> button.</li>
<li>ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.</li>
<li>When the scan completes, push <>List of found threats</></li>
<li>Push <>Export to Text file </> and save the file to your desktop using a unique name, such as <>ESET Scan</>. Include the contents of this report in your next reply.Note - when ESET doesn't find any threats, no report will be created.</li>
<li>Push the <>back</> button.</li>
<li>Push <>Finish</></li>
</ol>
<hr />

 

[scuba_pup]

[attachment=3384][attachment=3383]

 

[kuttus]

Okay Thank you.... Please do the other scan's also and update me to logs.....

 

[scuba_pup]

Kuttus - am now up tp date with your instructions - files attached above (just seen that you have seen this already) and nothing from ESET with this post as no threats found.

 

[kuttus]

Okay Cool... So how's everything working on the computer now? Are you facing any issues on the computer now?

 

[scuba_pup]

Okay Cool... So how's everything working on the computer now? Are you facing any issues on the computer now?

There is nothing wrong that I can see! Does this mean I have finished the treatment? Anything I should note or do?

 

[kuttus]

Double click on OTL to run it

• Click on the Cleanup button at the top.
• You will be asked to reboot the machine to finish the Cleanup process. Choose Yes
• This will remove itself and other tools we may have used.

---

Now that your PC is clean, I recommend you to create a new System Restore point then purge the old ones after.

For XP
How to create a Restore Point in XP
Delete all restore points except the most recent one

For Vista
Create a restore point
Delete all but the most recent restore point

For Windows 7
Create a restore point
Delete all but the most recent restore point - Click the Delete all but the most recent restore point link

---

Keep your system updated

• Keeping your programs (especially Adobe and Java products) updated is essential. Update Checker will notify you if any of your programs require an update.
• Microsoft releases patches for Windows and Office products regularly to patch up Windows and Office product bugs and vulnerabilities.
• Please ensure you update your system regularly and have automatic updates on. You can learn how to turn Automatic Updates on here

---

I also recommend you to switch your antivirus program to a better one. Here are some suggestions:

• avast! 7 Home Edition - Don't use it with Online Armor
• Avira AntiVir Personal
• Microsoft Security Essentials

In addition to your antivirus, you need additional protection such as a firewall and behavioural blocker.

• Online Armor
• Comodo Firewall - If you are an advance user

Here are only a few suggestions that will improve your system security. Should you wish to allow us to make full recommendations and set your PC up with maximum security, please start a thread here. Our community of PC enthusiasts and experts will give you feedback and help you secure your system from future malware infections.

---

Internet Explorer may be the most popular browser but it's definitely not the most secure browser. Consider using other browsers with addition add-ons to safeguard your system while browsing the internet.

Firefox is a more secure, faster browser than Internet Explorer. Firefox contains less vulnerabilities, reducing the risk of drive-by downloads. In addition, you can add the following add-ons to increase security.

• KeyScramber - Encrypts your keystrokes to protect you against keyloggers that steals personal & banking information
• AdBlock - Disable/blocks advertisements on websites so you won't accidentally click on a malicious ad.
• NoScript - Disables Flash & Java contents to avoid exploits or drive-by attacks
• Web of Trust - Shows the website rating by other users and blocks dangerous and poor-rated sites

Google Chrome is another good browser that is faster and more secure than Internet Explorer by having a sandbox feature. Additionally, you can add the following add-on to Chrome to heighten security.

• AdBlock

---

Lastly, it is important to perform system maintenance on a regular basis. Here are a few tools and on-demand scanners that you should keep & use every 1-2 weeks to keep your system healthy.

• CCleaner
• Malwarebytes Anti-Malware
• Temp File Cleaner by OldTimer

Other than that, stay safe out there! If you have any other questions or concerns, feel free to ask

<hr />
What's next?

1. Bulild up your malware defenses by starting a new thread in Security Configuration Wizard forum.
2. Learn how to avoid malware by reading this article <a href="http://malwaretips.com/blogs/how-to-easily-avoid-pc-infections/">How to easily avoid malware</a>
3. Be an active member in the MalwareTips community!

 

[kuttus]

This thread is now closed.​

Reason:&nbsp;<span style="color: #ff0000;">Resolved</span>​

<span style="color: #ff0000;"><>The procedures contained in this thread are for this user and this user only.&nbsp;&nbsp;Attempting to use the instructions in this thread on your system could result in damaging the Operating System beyond repair.&nbsp;&nbsp;</></span>

<span style="color: #ff0000;"><>DO NOT use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist.</></span>

All members requesting Malware Removal Assistance are required to follow all procedures in the thread