  • ExTS Admin
Posted

Hi borojamie

 

Is there a setting on reatogo for me to allow read-write access on my portable hd as i cannot write files to it for some reason despite it working on my other system
In a PE environment only bare minimum drivers are added, that's why a usb stick will work but maybe not your portable HD.

 

I was hoping to get down to Wales this weekend for the Cardiff - Boro match but unfortunately I'm stuck on duty
Ar right, now i understand the 'Boro' in your username. ;)

Living just outside Swansea, we don't talk about Cardiff as a football team!

 

I don't know if that will give me access to format the c: in NTFS or the ctrl alt F10 just does it automatically.
If the F10 method doesn't give you the reformat into NTFS option, it can be done afterwards:

XP: Convert Fat32 to NTFS | Windows | Tech-Recipes

 

Let's see if this helps us:

 

Open Notepad - it must be Notepad, not Wordpad.

Copy the text below in the code box by highlighting all the text and pressing Ctrl+C

:Otl
DRV - File not found [Kernel | On_Demand] --  -- (SYMIDSCO)
O20 - AppInit_DLLs: (pulasiya.dll) -  File not found
O20 - AppInit_DLLs: (c:\windows\system32\jozavuyo.dll) - C:\WINDOWS\System32\jozavuyo.dll File not found
O20 - AppInit_DLLs: (c:\windows\system32\jukabama.dll) - C:\WINDOWS\System32\jukabama.dll File not found
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\sdra64.exe) - C:\WINDOWS\System32\sdra64.exe File not found
O21 - SSODL: kedilizos - {80ee93a7-48fb-47e4-acb5-3a5b1de435cb} - C:\WINDOWS\System32\jukabama.dll File not found
O21 - SSODL: wulinuned - {5156fb13-d1e6-451c-9839-5e758268ec36} - C:\WINDOWS\System32\jozavuyo.dll File not found
O22 - SharedTaskScheduler: {5156fb13-d1e6-451c-9839-5e758268ec36} - kupuhivus - C:\WINDOWS\System32\jozavuyo.dll File not found
O22 - SharedTaskScheduler: {80ee93a7-48fb-47e4-acb5-3a5b1de435cb} - mujuzedij - C:\WINDOWS\System32\jukabama.dll File not found
[2010/02/22 22:45:09 | 000,038,400 | ---- | C] (Rox) -- C:\WINDOWS\System32\byxo7.dll
[2010/02/21 20:13:36 | 000,038,400 | ---- | C] (Rox) -- C:\WINDOWS\System32\svsnjleie4.dll

:commands
[emptytemp]

Go to the Notepad window and click Edit >> Paste

Then click File >> Save

Name the file fix.txt

Save the file to a USB stick.

 

Start OTLPE as you did previously from CD

 

  • Insert your USB drive with fix.txt on it
  • Start OTLPE
  • Drag and drop fix.txt into the Custom scans and fixes box
  • If you cannot drag and drop for some reason, then press the Run Fix button and a dialogue box will pop up asking for the location - select the file on your USB drive
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done to normal mode if possible

 

BTW: a copy of Otl should have been placed on your windows system.

If you do get into windows, check for:

C:\Otl.exe

Fix.txt

Member of:

UNITE

Posted

 

Ar right, now i understand the 'Boro' in your username. ;)

Living just outside Swansea, we don't talk about Cardiff as a football team!

 

:-) know what you mean lol! yea i have mates at st athan and the rivalry is quite harsh lol hopefully we'll get 3 pts today :-)

 

Thanks for the fix but unfortunately my system is still looping. I've attached the OTL PE report and then rebooted to normal but unfortunately it did not get through :-(

 

========== OTL ==========

Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SYMIDSCO deleted successfully.

Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:pulasiya.dll deleted successfully.

Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:c:\windows\system32\jozavuyo.dll deleted successfully.

Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:c:\windows\system32\jukabama.dll deleted successfully.

Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UserInit:C:\WINDOWS\system32\sdra64.exe deleted successfully.

Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\kedilizos deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{80ee93a7-48fb-47e4-acb5-3a5b1de435cb}\ deleted successfully.

Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\wulinuned deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5156fb13-d1e6-451c-9839-5e758268ec36}\ deleted successfully.

Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\\{5156fb13-d1e6-451c-9839-5e758268ec36} deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5156fb13-d1e6-451c-9839-5e758268ec36}\ not found.

Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\\{80ee93a7-48fb-47e4-acb5-3a5b1de435cb} deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{80ee93a7-48fb-47e4-acb5-3a5b1de435cb}\ not found.

C:\WINDOWS\system32\byxo7.dll moved successfully.

C:\WINDOWS\system32\svsnjleie4.dll moved successfully.

========== COMMANDS ==========

 

[EMPTYTEMP]

 

User: .DEFAULT

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

 

User: Administrator_ON_C

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

 

User: HelpAssistant_ON_C

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

 

User: Jamie_Panico_ON_C

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

 

User: LocalService_ON_C

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

 

User: NetworkService_ON_C

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

 

User: S-1-5-18

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 33170 bytes

 

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 0 bytes

%systemroot%\System32 .tmp files removed: 0 bytes

%systemroot%\System32\dllcache .tmp files removed: 0 bytes

%systemroot%\System32\drivers .tmp files removed: 0 bytes

Windows Temp folder emptied: 0 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes

 

Total Files Cleaned = 0.00 mb

 

 

OTLPE by OldTimer - Version 3.1.30.3 log created on 03062010_124301

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...
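
Added example, not part of the original posts: a short Python check that reconciles each fix.txt entry against the OTLPE result log, so you can confirm every autostart location named in the fix (driver service, AppInit_DLLs, Winlogon UserInit, ShellServiceObjectDelayLoad, SharedTaskScheduler, dropped files) was actually acted on. The rule table, function name and line patterns are this example's own assumptions, inferred from the lines shown in the thread rather than from OTL documentation.

```python
import re

# Lines copied from the fix script and the OTLPE result log in this thread (abbreviated).
FIX = r"""DRV - File not found [Kernel | On_Demand] --  -- (SYMIDSCO)
O20 - AppInit_DLLs: (c:\windows\system32\jozavuyo.dll) - C:\WINDOWS\System32\jozavuyo.dll File not found
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\sdra64.exe) - C:\WINDOWS\System32\sdra64.exe File not found
O21 - SSODL: kedilizos - {80ee93a7-48fb-47e4-acb5-3a5b1de435cb} - C:\WINDOWS\System32\jukabama.dll File not found
O22 - SharedTaskScheduler: {5156fb13-d1e6-451c-9839-5e758268ec36} - kupuhivus - C:\WINDOWS\System32\jozavuyo.dll File not found
[2010/02/22 22:45:09 | 000,038,400 | ---- | C] (Rox) -- C:\WINDOWS\System32\byxo7.dll"""

LOG = r"""Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SYMIDSCO deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:c:\windows\system32\jozavuyo.dll deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UserInit:C:\WINDOWS\system32\sdra64.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\kedilizos deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\\{5156fb13-d1e6-451c-9839-5e758268ec36} deleted successfully.
C:\WINDOWS\system32\byxo7.dll moved successfully."""

# (mechanism, pattern capturing the identifier in a fix line, text expected in the log)
RULES = [
    ("driver/service", r"^DRV - .*\((\w+)\)$", r"\Services\{}"),
    ("AppInit_DLLs", r"^O20 - AppInit_DLLs: \((.+?)\)", r"AppInit_Dlls:{}"),
    ("Winlogon UserInit", r"^O20 - HKLM Winlogon: UserInit - \((.+?)\)", r"UserInit:{}"),
    ("ShellServiceObjectDelayLoad", r"^O21 - SSODL: (\S+) - ", r"ShellServiceObjectDelayLoad\\{}"),
    ("SharedTaskScheduler", r"^O22 - SharedTaskScheduler: (\{[^}]+\})", r"SharedTaskScheduler\\{}"),
    ("file", r"^\[.*\] \(.*?\) -- (.+)$", r"{}"),
]
STATUS = re.compile(r"(deleted successfully|moved successfully|not found)\.?$")

def reconcile(fix_text, log_text):
    """Return [(mechanism, identifier, status)] for every line of the fix script."""
    log_lines = [l.strip() for l in log_text.splitlines() if l.strip()]
    out = []
    for line in filter(None, map(str.strip, fix_text.splitlines())):
        for label, pattern, needle_fmt in RULES:
            m = re.match(pattern, line)
            if not m:
                continue
            needle = needle_fmt.format(m.group(1)).lower()  # paths differ in case
            hit = next((l for l in log_lines if needle in l.lower()), None)
            s = STATUS.search(hit) if hit else None
            out.append((label, m.group(1), s.group(1) if s else "MISSING FROM LOG"))
            break
        else:  # no rule matched this fix line
            out.append(("unrecognised", line, "MISSING FROM LOG"))
    return out

if __name__ == "__main__":
    for row in reconcile(FIX, LOG): print(*row, sep=" | ")
```

A row reported as MISSING FROM LOG means the tool never confirmed acting on that entry, so that autostart location should be re-checked by hand.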

  • ExTS Admin
Posted (edited)

Hi Jamie,

 

Seems both 'Boro' and 'Swansea' weren't up to it today. :(

 

I'm going to have a look over all the reports tomorrow to see if i've missed anything and also to check to see if there's a way around this 'looping'.

We can't just throw the towel in after all this work. :cool:

 

Edit:

ok, back sooner than i thought.

Seems the author of OTLpe has added the possibility of using the restore points to restore the registry hives.

 

Run this custom scan and hopefully it will list all your restore points.

Also let me know when was the last time that the system was running perfectly normal.

 

Start OTLpe again.

At the top click on 'None'.

Under the Custom Scan box paste this in:

 

restorepoints

 

Click on the 'Scan' button.

 

This will only produce a report showing the restorepoints, it won't run a full scan.

 

Let it run and do not interrupt it. It might take some time depending on how many restore points are found.

Edited by Starbuck

Member of:

UNITE

Posted

Hi mate,

 

Hope you are having a good weekend.

 

Yea was a shame today both matches were bad results :-(

 

Thanks for all your help mate it is much appreciated, I've ran the restore point custom scan and posted it below although it isn't showing any restore points :-(

 

I think the last time my laptop was 'safe' was on/around 20 Feb although I haven't installed anything/used anything in the immediate times except a couple of office files which I've now backed up, so assuming we can restore I'd suggest 10 Feb would be definitely far back enough to cover us.

 

Cheers mate,

 

Jamie

OTL.Txt

  • ExTS Admin
Posted

Hi Jamie,

 

Shame there were no restore points to work with, might have saved us a bit of work.

I'll go back to the drawing board and see if i can uncover anything.

Member of:

UNITE

  • ExTS Admin
Posted

Hi Jamie,

 

If there were restore points, it could have been our 'saving grace'.... but sadly :(

 

The big problem we have is that all the programs we could use to uncover the problems here, are all programs designed to run on 'Windows OS'.

When it comes to a PE environment .... we are stuck.

After looking at everything again, i think we're going to have to go with the recovery method.

At least this will get you up and running again.

Don't forget you will have to get all your Windows updates again!

But as soon as you have done that, i recommend you follow the previous instructions on how to convert to NTFS.

It is a one way convert.... you can't go back to Fat32 afterwards.

But it's a lot more secure and all new systems run NTFS now any way.

Sorry it's come to this, i don't like giving up..... but the fact we can't get in to the Windows OS is hampering our progress.

Let me know how things go and if you encounter any problems... i'll be here.

 

I've been asked in the past what programs i recommend if a reinstall has to be done, this is what i normally say:

 

what antivirus programs do you recommend that i should install after i reformat.

and what programs do you recommend that i should have to keep this from happening again.

 

A good Anti-Virus protector:

Here's a few good 'free' programs.

Only install one of these.

 

Note*:

Upon installation MS Security Essentials will check that your OS is a legal copy.

 

A 3rd party Firewall:

Some free firewalls are:

Only install one of these Firewalls.

 

A resident Anti-Malware scanner:

Installing Windows Defender and activating its 'Realtime Protection' will help to keep the nasties away.

 

Scan regularly with a 'Stand Alone' Anti-Malware scanner:

Installing another scanner that you can run once or twice a week is always beneficial.

Something like:

Malwarebytes Anti-Malware

SUPERAntiSpyware

Remember to update these programs each time before running.

You can install more than one of these if you only run them as stand alone programs.

 

Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

 

A tutorial on installing & using this product can be found here:

Using and installing SpywareBlaster

 

Keep your system clean of temp files etc, using a 'Cleaner':

Cleaners are programs that will help to clean out your:

Windows temp files

Current user temp files

Cookies

Temporary Internet files

Browser history

Recycle bin

Etc.......

In other words.... all the crap that you accumulate over the course of your browsing and day to day usage of your pc.

Programs like:

TFC by OldTimer

CCleaner

ATF Cleaner

 

Obviously this is not a complete list of programs available, plus i've stuck to 'Free' programs.

If you want 'Paid for' programs... you will have a greater choice.

Hope this gives you some idea.

 

Pete

Member of:

UNITE

Posted

Hi Starbuck,

 

Thanks for your help, I've now copied all the personal files from my laptop to another, scanned them in etc and recovered my laptop to its factory settings. Is it worth downloading hijack this and malware to check prior to reformatting into NTFS?

 

Thanks again for all your time mate, sorry there was a delay in responding, I'm now on guard commander nights and it's been a hectic few days

 

Jamie

  • ExTS Admin
Posted

Hi Jamie,

 

sorry there was a delay in responding, I'm now on guard commander nights and it's been a hectic few days
It's no problem, we're always here.

 

Is it worth downloading hijack this and malware to check prior to reformatting into NTFS?

I'd be inclined to download and run MBAM (but everything should be ok).

Then i'd convert to NTFS before adding many more programs.

Here's instructions for MBAM:

 

Please download Malwarebytes Anti-Malware and save it to your desktop.

  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Member of:

UNITE

Posted

Hi Starbuck,

 

I have run mbam and it is totally fine :-) thanks

 

I am just trying to convert to NTFS and the ms dos prompt asks me to enter current volume label for drive c:

 

Please could you advise what it needs

 

Thanks for your help mate

 

we are playing newcastle today and I'm stuck up here :-( grrr lol

Posted

doh! I'm a biff lol worked it out now mate it has converted the c: fine. but won't let me do it for the d: assuming because this is not a system drive.

 

I've re-run malware in NTFS and no problems happy days :-)

  • ExTS Admin
Posted
I am just trying to convert to NTFS and the ms dos prompt asks me to enter current volume label for drive c:
If the drive doesn't actually have a label.... just click on the 'return/enter' key.

 

Just finished watching the rugby.... what a disaster for Wales.

Member of:

UNITE
