
Posted

Hi,

This morning my PC got infected with the rather nasty 'Essential Security 2010' fake anti-virus trojan. Having had some experience of removing things like this I started to do what was needed. At the point when I had to make the registry changes, I discovered I wasn't able to open 'Regedit' as the virus was blocking it. Then for a number of reasons I had to re-boot the PC.

This was when I discovered that I am now no longer able to log into Windows. It just logs me out immediately, looping over and over. I'm aware that the virus can make changes to userinit.exe etc. so I'm guessing it's something to do with that.

I've searched various forums and tried many, many different things but nothing has worked yet. Can anyone PLEASE help me get back into Windows?? I run my business at home and I have to get this working again!

Just to be clear, these are things I've tried or can't do:

- I can't get in as another user.
- I can't get in in Safe Mode.
- The c:\windows\system32 "copy userinit.exe to wsaupdater.exe" trick I've seen (using Recovery Console) did not work.
- Copying a fresh copy of winlogon.exe from the updates folder did not work.
- I don't have the original install disc or boot disc because my XP was a pre-installed copy already on the PC when bought from the store (so I'm stuck with those boot disc options which allow you to remotely edit the registry).
- I don't have remote access to the PC either.

There must be a way into Windows but everything I've tried doesn't work!

Any help would be much appreciated.

Jay


Posted

Hello, Flaunt

Welcome to the FreePcHelp Forums. My name is Thomas (Tom is fine), and I will be helping you fix your problems.

Please take note of some guidelines for this fix:

  • Refrain from making any changes to your computer, including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Furthermore, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Please set your system to show all files.
    Click Start, open My Computer, select the Tools menu and click Folder Options.
    Select the View tab. Under the Hidden files and folders heading, select Show hidden files and folders.
    Uncheck: Hide file extensions for known file types.
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.

OK, this file is big. Print these instructions out so that you know what you are doing.

Two programmes to download

First

ISOBurner: this will allow you to burn the OTLPE ISO to a CD and make it bootable. Just install the programme; from there on in it is fairly automatic. Instructions

Second

  • Download OTLPE.iso and burn to a CD using ISO Burner. NOTE: This file is 292Mb in size so it may take some time to download.
  • When downloaded, double-click and this will then open ISOBurner to burn the file to CD.
  • Reboot your system using the boot CD you just created.
    Note: If you do not know how to set your computer to boot from CD, follow the steps here.
  • Your system should now display a REATOGO-X-PE desktop.
  • Double-click on the OTLPE icon.
  • When asked "Do you wish to load the remote registry", select Yes.
  • When asked "Do you wish to load remote user profile(s) for scanning", select Yes.
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK.
  • OTL should now start. Change the following settings:
    • Change Drivers to Non-Microsoft
  • Press Run Scan to start the scan.
  • When finished, the file will be saved in drive C:\_OTL\MovedFiles.
  • Copy this file to your USB drive if you do not have an internet connection on this system.
  • Please post the contents of the OTL.txt file in your reply.

regards,

schrauber

 

Proud Member of ASAP and UNITE since 2009

 

If you think I have helped you please consider making a donation to the forums. Thanks!

Posted
Right, so I'm guessing this is the first step before you know what help to give? I'll try this in the morning and post the results. Thank you for now, Tom :)
Posted (edited)

Hi, Tom

 

Right, I have done what you asked. I don't know if it is important but a couple of things in your instructions were different when I did it. These were:

 

 

  • you wish to load the remote registry", select Yes

This option never came up. Just the one about 'load remote user profiles'

 

 

  • OTL should now start. Change the following settings
    • Change Drivers to Non-Microsoft

     

There wasn't this option. Only one that said 'None' so I chose that.

 

Please let me know if I need to do a scan again differently. ;)

 

This is the text file I got after the scan:

 

OTL logfile created on: 5/22/2010 5:58:53 PM - Run

OTLPE by OldTimer - Version 3.1.39.0 Folder = X:\Programs\OTLPE

(Version = .) - Type =

Internet Explorer (Version = )

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

 

1,023.00 Mb Total Physical Memory | 856.00 Mb Available Physical Memory | 84.00% Memory free

906.00 Mb Paging File | 850.00 Mb Available in Paging File | 94.00% Paging File free

Paging file location(s): C:\pagefile.sys 4096 4096 [binary data]

 

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files

Drive C: | 29.99 Gb Total Space | 6.88 Gb Free Space | 22.95% Space Free | Partition Type: NTFS

D: Drive not present or media not loaded

Drive E: | 148.50 Gb Total Space | 24.25 Gb Free Space | 16.33% Space Free | Partition Type: NTFS

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Drive X: | 280.77 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

 

Computer Name: REATOGO

Current User Name: SYSTEM

Logged in as Administrator.

 

Current Boot Mode: Normal

Scan Mode: All users

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Standard

Using ControlSet: ControlSet001

 

========== Win32 Services (SafeList) ==========

 

SRV - File not found [On_Demand] -- -- (WLSetupSvc)

SRV - File not found [On_Demand] -- -- (ServiceLayer)

SRV - File not found [Disabled] -- -- (LXCECustomerConnect)

SRV - File not found [Disabled] -- -- (KService)

SRV - [2009/12/27 06:15:49 | 000,030,192 | ---- | M] (Google) [On_Demand] -- C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe -- (GoogleDesktopManager-110309-193829)

SRV - [2009/12/01 15:43:02 | 000,051,384 | ---- | M] (NOS Microsystems Ltd.) [On_Demand] -- C:\Program Files\NOS\bin\getPlus_Helper.dll -- (getPlusHelper) getPlus®

SRV - [2009/02/15 20:10:22 | 002,402,184 | ---- | M] (Check Point Software Technologies LTD) [Auto] -- C:\Windows\System32\ZoneLabs\vsmon.exe -- (vsmon)

SRV - [2009/02/02 16:14:20 | 000,903,960 | ---- | M] (AVG Technologies CZ, s.r.o.) [Disabled] -- C:\Program Files\AVG\AVG8\avgemc.exe -- (avg8emc)

SRV - [2009/02/02 16:14:15 | 000,298,264 | ---- | M] (AVG Technologies CZ, s.r.o.) [Disabled] -- C:\Program Files\AVG\AVG8\avgwdsvc.exe -- (avg8wd)

SRV - [2007/10/18 07:31:54 | 000,098,328 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\Program Files\Windows Live\Messenger\usnsvc.exe -- (usnjsvc)

SRV - [2006/12/14 13:00:00 | 000,544,768 | ---- | M] (Magix AG) [On_Demand] -- C:\Program Files\Common Files\MAGIX Shared\UPnPService\UPnPService.exe -- (UPnPService)

SRV - [2006/03/03 17:03:10 | 000,069,632 | ---- | M] (HP) [Auto] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)

SRV - [2005/11/17 11:18:52 | 001,527,900 | ---- | M] (MAGIX®) [Disabled] -- C:\MAGIX\Common\Database\bin\fbserver.exe -- (FirebirdServerMAGIXInstance)

SRV - [2005/11/13 20:06:04 | 000,069,632 | ---- | M] (Macrovision Corporation) [On_Demand] -- C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe -- (IDriverT)

SRV - [2003/07/02 13:40:08 | 000,045,056 | ---- | M] ( ) [Auto] -- C:\Windows\System32\slserv.exe -- (SLService)

 

 

========== Standard Registry (SafeList) ==========

 

 

========== Internet Explorer ==========

 

 

 

IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

 

 

[2010/05/19 13:37:14 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

[2010/04/26 04:03:46 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

[2010/04/26 04:03:25 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll

[2007/03/09 19:16:44 | 000,189,496 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npyaxmpb.dll

[2010/03/13 20:08:56 | 000,001,538 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazon-en-GB.xml

[2010/03/13 20:08:56 | 000,000,947 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\chambers-en-GB.xml

[2010/03/13 20:08:56 | 000,000,769 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay-en-GB.xml

[2010/03/13 20:08:56 | 000,001,135 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-en-GB.xml

 

O1 HOSTS File: ([2010/05/20 11:31:18 | 000,000,752 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts

O1 - Hosts: 127.0.0.1 virustotal.com

O1 - Hosts: 127.0.0.1 VirusTotal - Free Online Virus and Malware Scan

O1 - Hosts: 127.0.0.1 virustotal

O1 - Hosts: 127.0.0.1 virscan.com

O1 - Hosts: 127.0.0.1 virscan.com

O1 - Hosts: 127.0.0.1 virscan

O1 - Hosts: 127.0.0.1 virscan.com

O1 - Hosts: 127.0.0.1 virustotal

O1 - Hosts: 127.0.0.1 virscan

O1 - Hosts: 127.0.0.1 Jotti's malware scan

O1 - Hosts: 127.0.0.1 virusscan.jotti.org/

O1 - Hosts: 127.0.0.1 Jotti's malware scan

O1 - Hosts: 127.0.0.1 scanner.novirusthanks.org/

O1 - Hosts: 127.0.0.1 Multi-Engine Antivirus Scanner - Services - NoVirusThanks.org

O1 - Hosts: 127.0.0.1 http://www.scanner.novirusthanks.org/

O4 - HKU\.DEFAULT..\RunOnce: [RunNarrator] C:\Windows\System32\narrator.exe (Microsoft Corporation)

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 91 00 00 00 [binary data]

O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)

O13 - ftp Prefix: missing

O13 - gopher Prefix: missing

O13 - home Prefix: missing

O13 - mosaic Prefix: missing

O13 - www Prefix: missing

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1

O20 - HKLM Winlogon: Shell - ( ) - (Registry key not found)

O20 - HKLM Winlogon: UserInit - ( ) - (Registry key not found)

O24 - Desktop WallPaper: B:\Documents and Settings\Default User\Local Settings\Application Data\Microsoft\Wallpaper1.bmp

O24 - Desktop BackupWallPaper: B:\Documents and Settings\Default User\Local Settings\Application Data\Microsoft\Wallpaper1.bmp

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2009/06/10 11:23:45 | 000,000,156 | ---- | M] () - C:\Autorun.inf -- [ NTFS ]

O32 - AutoRun File - [2006/03/24 07:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]

O34 - HKLM BootExecute: (autocheck autochk *) - File not found

O37 - HKLM\...com [@ = Reg Error: Key error.] -- Reg Error: Key error. File not found

O37 - HKLM\...exe [@ = Reg Error: Key error.] -- Reg Error: Key error. File not found

 

========== Files/Folders - Created Within 30 Days ==========

 

[2010/05/20 09:25:43 | 000,000,000 | ---D | C] -- C:\!KillBox

[2010/05/20 07:55:48 | 000,169,472 | ---- | C] (Ryddcf) -- C:\Windows\System32\regedit.exe

[2010/04/27 06:03:00 | 000,000,000 | ---D | C] -- C:\Program Files\Unlocker

[2010/04/26 04:03:43 | 000,411,368 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\deployJava1.dll

[2010/04/26 04:03:43 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaws.exe

[2010/04/26 04:03:43 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaw.exe

[2010/04/26 04:03:43 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\java.exe

[2006/02/18 23:28:56 | 000,012,288 | ---- | C] (Hewlett-Packard Development Company, L.P.) -- C:\WINDOWS\Fonts\RandFont.dll

[2005/11/26 00:37:17 | 000,014,976 | ---- | C] ( ) -- C:\Windows\System32\drivers\winddx.sys

[2003/08/20 13:34:50 | 000,548,952 | ---- | C] ( ) -- C:\Windows\System32\drivers\slntamr.sys

[2003/07/16 08:30:26 | 000,221,736 | ---- | C] ( ) -- C:\Windows\System32\drivers\mtlmnt5.sys

[2003/07/02 12:26:36 | 001,301,128 | ---- | C] ( ) -- C:\Windows\System32\drivers\mtlstrm.sys

[2003/07/02 12:24:36 | 000,086,128 | ---- | C] ( ) -- C:\Windows\System32\drivers\slnthal.sys

[2003/07/02 11:57:10 | 000,167,384 | ---- | C] ( ) -- C:\Windows\System32\drivers\ntmtlfax.sys

[2 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]

[2 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

 

========== Files - Modified Within 30 Days ==========

 

[2010/05/20 16:04:42 | 000,823,808 | ---- | M] () -- C:\Windows\System32\drivers\sjaeilvj.sys

[2010/05/20 16:04:40 | 000,002,048 | --S- | M] () -- C:\Windows\bootstat.dat

[2010/05/20 16:04:38 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT

[2010/05/20 15:46:00 | 000,000,902 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job

[2010/05/20 13:53:48 | 000,350,193 | ---- | M] () -- C:\Windows\System32\vsconfig.xml

[2010/05/20 13:53:09 | 000,000,898 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job

[2010/05/20 13:52:40 | 1072,484,352 | -HS- | M] () -- C:\hiberfil.sys

[2010/05/20 11:32:07 | 001,087,356 | ---- | M] () -- C:\Windows\System32\tmp.reg

[2010/05/20 10:54:44 | 000,023,040 | ---- | M] () -- C:\lsass.exe

[2010/05/20 09:45:08 | 000,000,879 | ---- | M] () -- C:\Windows\win.ini

[2010/05/20 09:45:08 | 000,000,279 | -HS- | M] () -- C:\BOOT.INI

[2010/05/20 09:45:08 | 000,000,227 | ---- | M] () -- C:\Windows\system.ini

[2010/05/20 09:11:49 | 000,521,766 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI

[2010/05/20 09:09:42 | 000,216,132 | ---- | M] () -- C:\Windows\System32\nvapps.xml

[2010/05/20 07:59:35 | 000,002,544 | ---- | M] () -- C:\Windows\ozotequw.dll

[2010/05/20 07:57:46 | 000,057,344 | ---- | M] () -- C:\Windows\System32\****

[2010/05/20 07:57:37 | 000,030,000 | ---- | M] () -- C:\Windows\System32\****4

[2010/05/20 07:57:18 | 000,081,408 | ---- | M] () -- C:\Windows\System32\drivers\zgrhurxf5.sys

[2010/05/20 07:56:45 | 000,006,789 | ---- | M] () -- C:\Windows\ppi2.exe

[2010/05/20 07:56:02 | 000,030,000 | ---- | M] () -- C:\Windows\System32\****3

[2010/05/20 07:56:00 | 000,042,496 | ---- | M] () -- C:\Windows\System32\****2

[2010/05/20 07:55:59 | 000,006,771 | -HS- | M] () -- C:\Windows\E88D4.exe

[2010/05/20 07:55:55 | 000,210,816 | ---- | M] () -- C:\Windows\System32\drivers\ndis.sys

[2010/05/20 07:55:55 | 000,210,816 | ---- | M] () -- C:\Windows\System32\dllcache\ndis.sys

[2010/05/20 07:55:34 | 000,169,472 | ---- | M] (Ryddcf) -- C:\Windows\System32\regedit.exe

[2010/05/19 15:40:05 | 000,000,069 | ---- | M] () -- C:\Windows\NeroDigital.ini

[2010/05/19 13:16:36 | 002,688,120 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT

[2010/05/19 13:15:32 | 000,001,158 | ---- | M] () -- C:\Windows\System32\wpa.dbl

[2010/05/15 12:29:16 | 000,000,284 | ---- | M] () -- C:\Windows\tasks\AppleSoftwareUpdate.job

[2010/04/26 04:03:25 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\System32\deployJava1.dll

[2010/04/26 04:03:25 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaws.exe

[2010/04/26 04:03:25 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaw.exe

[2010/04/26 04:03:25 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\System32\java.exe

[2010/04/26 04:03:25 | 000,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\System32\javacpl.cpl

[2 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]

[2 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

 

========== Files Created - No Company Name ==========

 

[2010/05/20 12:40:31 | 1072,484,352 | -HS- | C] () -- C:\hiberfil.sys

[2010/05/20 11:32:07 | 001,087,356 | ---- | C] () -- C:\Windows\System32\tmp.reg

[2010/05/20 09:08:36 | 000,023,040 | ---- | C] () -- C:\lsass.exe

[2010/05/20 07:59:35 | 000,002,544 | ---- | C] () -- C:\Windows\ozotequw.dll

[2010/05/20 07:57:45 | 000,057,344 | ---- | C] () -- C:\Windows\System32\****

[2010/05/20 07:57:37 | 000,030,000 | ---- | C] () -- C:\Windows\System32\****4

[2010/05/20 07:56:18 | 000,823,808 | ---- | C] () -- C:\Windows\System32\drivers\sjaeilvj.sys

[2010/05/20 07:56:02 | 000,030,000 | ---- | C] () -- C:\Windows\System32\****3

[2010/05/20 07:56:00 | 000,042,496 | ---- | C] () -- C:\Windows\System32\****2

[2010/05/20 07:55:55 | 000,210,816 | ---- | C] () -- C:\Windows\System32\dllcache\ndis.sys

[2010/05/20 07:55:53 | 000,081,408 | ---- | C] () -- C:\Windows\System32\drivers\zgrhurxf5.sys

[2010/05/20 07:55:45 | 000,006,789 | ---- | C] () -- C:\Windows\ppi2.exe

[2010/05/20 07:55:20 | 000,006,771 | -HS- | C] () -- C:\Windows\E88D4.exe

[2010/05/14 09:41:21 | 000,000,902 | ---- | C] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job

[2010/05/14 09:41:20 | 000,000,898 | ---- | C] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job

[2010/01/28 05:31:37 | 000,001,441 | ---- | C] () -- C:\Windows\cctcsq48.ini

[2010/01/18 18:28:12 | 000,000,168 | ---- | C] () -- C:\Windows\System32\xpysys.dll

[2009/11/05 18:59:49 | 000,000,066 | ---- | C] () -- C:\Windows\Cmicnfg3.ini.cfl

[2009/11/05 18:15:55 | 000,000,021 | ---- | C] () -- C:\Windows\CMAURACK.INI

[2009/11/05 18:15:38 | 000,000,414 | ---- | C] () -- C:\Windows\CMMPLAY.INI

[2009/11/05 18:15:37 | 000,000,061 | ---- | C] () -- C:\Windows\CMCDPLAY.INI

[2009/11/05 17:42:12 | 000,004,333 | ---- | C] () -- C:\Windows\mixerdef.ini

[2009/11/05 17:41:53 | 000,000,051 | ---- | C] () -- C:\Windows\CMISETUP.INI

[2009/11/05 17:41:31 | 000,001,360 | ---- | C] () -- C:\Windows\_delis32.ini

[2009/11/05 16:16:20 | 000,001,480 | ---- | C] () -- C:\Windows\Cmicnfg3.ini.cfg

[2009/11/05 16:15:10 | 000,002,532 | ---- | C] () -- C:\Windows\cmudax3.ini

[2009/09/21 10:44:50 | 000,000,038 | ---- | C] () -- C:\Windows\AviSplitter.INI

[2009/09/12 10:14:09 | 000,000,065 | ---- | C] () -- C:\Windows\GeneralEffect.INI

[2009/06/10 11:24:02 | 000,000,113 | ---- | C] () -- C:\Windows\mgfolder_reg.ini

[2009/03/27 04:03:00 | 001,724,416 | ---- | C] () -- C:\Windows\System32\nvwdmcpl.dll

[2009/03/27 04:03:00 | 001,503,232 | ---- | C] () -- C:\Windows\System32\nview.dll

[2009/03/27 04:03:00 | 001,101,824 | ---- | C] () -- C:\Windows\System32\nvwimg.dll

[2009/03/27 04:03:00 | 000,466,944 | ---- | C] () -- C:\Windows\System32\nvshell.dll

[2009/03/05 18:39:03 | 000,059,392 | R--- | C] () -- C:\Windows\System32\streamhlp.dll

[2009/02/16 18:45:00 | 000,162,304 | ---- | C] () -- C:\Windows\System32\ztvunrar36.dll

[2009/02/16 18:45:00 | 000,153,088 | ---- | C] () -- C:\Windows\System32\UNRAR3.dll

[2009/02/16 18:45:00 | 000,077,312 | ---- | C] () -- C:\Windows\System32\ztvunace26.dll

[2009/02/16 18:45:00 | 000,075,264 | ---- | C] () -- C:\Windows\System32\unacev2.dll

[2009/02/15 08:38:21 | 000,000,069 | ---- | C] () -- C:\Windows\NeroDigital.ini

[2009/02/08 18:33:51 | 000,000,043 | ---- | C] () -- C:\Windows\ESReg.ini

[2009/01/14 09:40:43 | 000,001,295 | ---- | C] () -- C:\Windows\TVEpaDrv.ini

[2009/01/13 20:18:01 | 000,025,600 | ---- | C] () -- C:\Windows\System32\mss.dll.vir

[2008/12/31 20:22:24 | 000,139,264 | ---- | C] () -- C:\Windows\System32\IDEproperty.dll

[2008/12/14 16:22:20 | 000,000,335 | ---- | C] () -- C:\Windows\IfoEdit.INI

[2008/12/09 12:51:20 | 000,000,067 | ---- | C] () -- C:\Windows\321 Video Converter.INI

[2008/11/24 18:28:52 | 000,000,031 | ---- | C] () -- C:\Windows\System32\Days5.ini

[2008/09/08 14:59:06 | 000,000,602 | ---- | C] () -- C:\Windows\MusicEditor.INI

[2008/09/03 05:05:18 | 000,000,097 | ---- | C] () -- C:\Windows\System32\PICSDK.ini

[2008/07/30 17:15:06 | 000,000,045 | ---- | C] () -- C:\Windows\System32\RPVersion.ini

[2008/06/05 09:26:22 | 000,000,000 | ---- | C] () -- C:\Windows\CleaningLab.INI

[2008/06/05 09:24:17 | 000,019,968 | ---- | C] () -- C:\Windows\System32\cpuinf32.dll

[2008/06/05 09:20:39 | 000,120,200 | ---- | C] () -- C:\Windows\System32\DLLDEV32i.dll

[2008/05/14 09:36:04 | 000,000,454 | ---- | C] () -- C:\Windows\cdplayer.ini

[2008/05/02 07:43:50 | 000,000,000 | ---- | C] () -- C:\Windows\AoADVDRipper.INI

[2008/05/02 07:41:34 | 000,135,168 | ---- | C] () -- C:\Windows\System32\xvidvfw.dll

[2008/05/02 04:57:01 | 000,408,576 | ---- | C] () -- C:\Windows\System32\Smab.dll

[2008/05/02 04:56:59 | 000,027,648 | ---- | C] () -- C:\Windows\System32\AVSredirect.dll

[2008/05/01 15:52:23 | 000,761,856 | ---- | C] () -- C:\Windows\System32\xvidcore.dll

[2008/05/01 15:52:22 | 000,383,238 | ---- | C] () -- C:\Windows\System32\libmp3lame-0.dll

[2008/04/28 17:24:27 | 000,147,456 | ---- | C] () -- C:\Windows\System32\VegaShEx.dll

[2008/04/28 17:24:16 | 000,091,136 | ---- | C] () -- C:\Windows\System32\Lfkodak.dll

[2008/04/28 17:24:14 | 000,308,224 | ---- | C] () -- C:\Windows\System32\Lffpx7.dll

[2008/04/12 13:34:41 | 000,066,048 | ---- | C] () -- C:\Windows\System32\cygz.dll

[2008/01/29 17:00:33 | 000,048,640 | ---- | C] () -- C:\Windows\grwprocs.dll

[2008/01/29 17:00:33 | 000,000,838 | ---- | C] () -- C:\Windows\Club_Spaced settings.ini

[2007/11/06 18:37:47 | 000,000,283 | ---- | C] () -- C:\Windows\MusicMaker.INI

[2007/11/06 18:25:29 | 000,049,152 | ---- | C] () -- C:\Windows\System32\mgxasio2.dll

[2007/11/05 16:55:39 | 000,000,050 | ---- | C] () -- C:\Windows\MegaManager.INI

[2007/11/04 05:35:53 | 000,000,067 | ---- | C] () -- C:\Windows\Easy Video to DVD.INI

[2007/10/17 18:09:47 | 000,040,960 | --S- | C] () -- C:\Windows\System32\ProcessKiller.dll

[2007/10/15 15:47:35 | 000,796,048 | ---- | C] () -- C:\Windows\System32\libeay32_0.9.6l.dll

[2007/08/24 14:46:47 | 000,000,659 | ---- | C] () -- C:\Windows\AudStu.INI

[2007/08/24 14:31:06 | 000,038,912 | ---- | C] () -- C:\Windows\System32\mgxasio.dll

[2007/06/12 18:53:58 | 001,277,952 | ---- | C] () -- C:\Windows\System32\libfishsound.dll

[2007/03/18 08:10:06 | 000,000,177 | ---- | C] () -- C:\Windows\disney.ini

[2007/01/31 14:43:07 | 000,030,688 | ---- | C] () -- C:\Windows\Irremote.ini

[2007/01/31 14:42:14 | 000,065,536 | ---- | C] () -- C:\Windows\System32\dmcrypto.dll

[2007/01/31 14:41:39 | 000,159,744 | ---- | C] () -- C:\Windows\System32\hcwChDB.dll

[2007/01/31 14:40:27 | 000,006,236 | ---- | C] () -- C:\Windows\HCWPNP.INI

[2007/01/09 12:03:54 | 000,000,247 | ---- | C] () -- C:\Windows\ODBC.INI

[2006/12/07 16:12:40 | 000,077,824 | R--- | C] () -- C:\Windows\System32\HPZIDS01.dll

[2006/11/18 19:26:28 | 000,000,029 | ---- | C] () -- C:\Windows\AlphaPlayer.INI

[2006/10/25 08:19:24 | 000,440,320 | ---- | C] () -- C:\Windows\System32\x264vfw.dll

[2006/10/15 13:00:44 | 000,000,067 | ---- | C] () -- C:\Windows\#1 DVD Ripper.INI

[2006/08/27 15:36:07 | 000,000,002 | ---- | C] () -- C:\Windows\msoffice.ini

[2006/05/31 17:58:15 | 000,000,279 | ---- | C] () -- C:\Windows\technomaker.INI

[2006/05/31 16:58:46 | 000,000,343 | ---- | C] () -- C:\Windows\BeatBox.INI

[2006/05/31 16:29:23 | 000,006,360 | ---- | C] () -- C:\Windows\mgxoschk.ini

[2006/05/25 16:20:02 | 000,069,632 | ---- | C] () -- C:\Windows\System32\xmltok.dll

[2006/05/25 16:20:02 | 000,036,864 | ---- | C] () -- C:\Windows\System32\xmlparse.dll

[2006/05/20 13:20:52 | 000,286,720 | ---- | C] () -- C:\Windows\System32\WSBar.dll

[2006/05/14 08:04:17 | 000,000,169 | ---- | C] () -- C:\Windows\RtlRack.ini

[2006/05/13 15:29:13 | 000,000,082 | ---- | C] () -- C:\Windows\mafosav.INI

[2006/05/07 14:26:58 | 000,154,112 | ---- | C] () -- C:\Windows\System32\dxr.dll

[2006/05/07 14:24:54 | 000,099,840 | ---- | C] () -- C:\Windows\System32\mkx.dll

[2006/05/07 14:24:42 | 000,051,200 | ---- | C] () -- C:\Windows\System32\avi.dll

[2006/05/07 14:24:30 | 000,061,440 | ---- | C] () -- C:\Windows\System32\mmfinfo.dll

[2006/05/07 14:24:16 | 000,065,536 | ---- | C] () -- C:\Windows\System32\mp4.dll

[2006/05/07 14:24:04 | 000,057,856 | ---- | C] () -- C:\Windows\System32\ogm.dll

[2006/05/07 14:23:46 | 000,045,568 | ---- | C] () -- C:\Windows\System32\mkzlib.dll

[2006/05/07 14:23:42 | 000,023,552 | ---- | C] () -- C:\Windows\System32\mkunicode.dll

[2006/05/03 10:30:07 | 000,000,030 | ---- | C] () -- C:\Windows\Iedit.INI

[2006/04/24 14:32:41 | 000,000,026 | ---- | C] () -- C:\Windows\NeoSetup.INI

[2006/04/23 10:50:52 | 000,006,812 | R--- | C] () -- C:\Windows\System32\lvcoinst.ini

[2006/04/23 09:49:40 | 000,104,593 | ---- | C] () -- C:\Windows\System32\drivers\MPIXVID.SYS

[2006/04/23 08:35:35 | 000,065,536 | ---- | C] () -- C:\Windows\System32\YCRWin32.dll

[2006/04/11 09:26:38 | 000,077,696 | ---- | C] () -- C:\Windows\System32\drivers\WudfPf.sys

[2005/11/29 16:17:16 | 000,007,680 | ---- | C] () -- C:\Windows\System32\ff_vfw.dll

[2005/11/29 16:14:42 | 002,255,360 | ---- | C] () -- C:\Windows\System32\libavcodec.dll

[2005/11/29 16:11:30 | 000,395,776 | ---- | C] () -- C:\Windows\System32\libmplayer.dll

[2005/11/29 16:10:46 | 000,217,088 | ---- | C] () -- C:\Windows\System32\ff_kernelDeint.dll

[2005/11/29 16:10:10 | 000,112,640 | ---- | C] () -- C:\Windows\System32\libmpeg2_ff.dll

[2005/11/29 16:10:06 | 000,512,000 | ---- | C] () -- C:\Windows\System32\ff_x264.dll

[2005/11/29 16:09:54 | 000,143,360 | ---- | C] () -- C:\Windows\System32\ff_realaac.dll

[2005/11/29 16:09:50 | 000,262,144 | ---- | C] () -- C:\Windows\System32\TomsMoComp_ff.dll

[2005/11/29 16:09:30 | 000,036,864 | ---- | C] () -- C:\Windows\System32\ff_wmv9.dll

[2005/11/29 16:09:24 | 000,056,320 | ---- | C] () -- C:\Windows\System32\ff_unrar.dll

[2005/11/29 16:09:14 | 000,200,704 | ---- | C] () -- C:\Windows\System32\ff_theora.dll

[2005/11/29 16:09:06 | 000,131,072 | ---- | C] () -- C:\Windows\System32\ff_samplerate.dll

[2005/11/29 16:09:04 | 000,155,648 | ---- | C] () -- C:\Windows\System32\ff_libmad.dll

[2005/11/29 16:09:00 | 000,167,936 | ---- | C] () -- C:\Windows\System32\ff_libdts.dll

[2005/11/29 16:09:00 | 000,053,248 | ---- | C] () -- C:\Windows\System32\ff_liba52.dll

[2005/11/26 01:19:18 | 000,000,061 | ---- | C] () -- C:\Windows\smscfg.ini

[2005/11/26 01:02:11 | 000,000,514 | ---- | C] () -- C:\Windows\System32\SETUPPC.INI

[2005/11/26 00:56:10 | 000,007,584 | ---- | C] () -- C:\Windows\HDReg.ini

[2005/11/26 00:48:21 | 000,000,000 | ---- | C] () -- C:\Windows\System32\VGAunistlog.ini

[2005/11/26 00:47:59 | 000,147,456 | ---- | C] () -- C:\Windows\System32\RtlCPAPI.dll

[2005/11/26 00:44:52 | 000,003,072 | ---- | C] () -- C:\Windows\System32\34CoInstaller.dll

[2005/11/26 00:37:17 | 000,475,136 | ---- | C] () -- C:\Windows\System32\SLLights.dll

[2005/11/26 00:37:17 | 000,155,648 | ---- | C] () -- C:\Windows\System32\amr_cpl.dll

[2005/11/26 00:37:17 | 000,135,168 | ---- | C] () -- C:\Windows\System32\SLMOHServ.dll

[2005/11/05 09:31:14 | 000,000,547 | ---- | C] () -- C:\Windows\System32\ff_vfw.dll.manifest

[2005/10/21 11:28:56 | 000,005,968 | ---- | C] () -- C:\Windows\System32\OEMINFO.INI

[2005/08/05 10:01:54 | 000,235,008 | ---- | C] () -- C:\Windows\System32\psisdecd.dll

[2005/02/02 21:50:28 | 000,004,224 | ---- | C] () -- C:\Windows\System32\StarOpen.sys

[2004/09/10 11:50:43 | 000,000,831 | ---- | C] () -- C:\Windows\orun32.ini

[2004/09/10 10:57:18 | 000,210,816 | ---- | C] () -- C:\Windows\System32\drivers\ndis.sys

[2004/08/04 05:30:08 | 000,000,000 | ---- | C] () -- C:\Windows\System32\px.ini

[2003/07/02 14:05:46 | 000,188,416 | ---- | C] () -- C:\Windows\System32\slextspk.dll

[2003/07/02 14:04:32 | 000,049,152 | ---- | C] () -- C:\Windows\System32\coinst.dll

[2003/07/02 13:35:48 | 000,159,744 | ---- | C] () -- C:\Windows\System32\SLGen.dll

[2003/01/25 07:52:14 | 000,131,072 | ---- | C] () -- C:\Windows\System32\libFLAC.dll

[2002/03/16 20:00:00 | 000,007,420 | ---- | C] () -- C:\Windows\UA000071.DLL

[2001/07/06 23:00:00 | 000,003,399 | ---- | C] () -- C:\Windows\System32\hptcpmon.ini

[1999/01/27 08:39:06 | 000,065,024 | ---- | C] () -- C:\Windows\System32\indounin.dll

[1997/06/13 02:56:08 | 000,056,832 | ---- | C] () -- C:\Windows\System32\Iyvu9_32.dll

[1996/04/03 15:33:26 | 000,005,248 | ---- | C] () -- C:\Windows\System32\giveio.sys

[1979/12/31 20:00:00 | 000,135,168 | ---- | C] () -- C:\Windows\System32\property.dll

 

========== LOP Check ==========

 

 

========== Purity Check ==========

 

 

 

========== Alternate Data Streams ==========

 

@Alternate Data Stream - 72 bytes -> C:\WINDOWS:400C42D50A6EA64F

< End of report >

 

By the way, those new files called 't w a t, t w a t2' (excuse the bad language but it may be important!) etc were part of the virus ones that I renamed when I was trying to remove them :rolleyes::p

 

 

Hope you can help from all this info. Many thanks

 

Jay

Edited by schrauber
Posted

^^^ Actually, those files I mentioned are the ones that are starred out (****)

 

Also, the 20th May was the day I got infected and locked out. Just so you know the date of the bad files etc ;)

Posted

Hi,

 

Run OTLPE


  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    :OTL
    SRV - File not found [Disabled] -- -- (KService)
    O20 - HKLM Winlogon: Shell - ( ) - (Registry key not found)
    O20 - HKLM Winlogon: UserInit - ( ) - (Registry key not found)
    O34 - HKLM BootExecute: (autocheck autochk *) - File not found
    O37 - HKLM\...com [@ = Reg Error: Key error.] -- Reg Error: Key error. File not found
    O37 - HKLM\...exe [@ = Reg Error: Key error.] -- Reg Error: Key error. File not found
    [2010/05/20 07:55:48 | 000,169,472 | ---- | C] (Ryddcf) -- C:\Windows\System32\regedit.exe
    [2010/05/20 16:04:42 | 000,823,808 | ---- | M] () -- C:\Windows\System32\drivers\sjaeilvj.sys
    [2010/05/20 10:54:44 | 000,023,040 | ---- | M] () -- C:\lsass.exe
    [2010/05/20 07:59:35 | 000,002,544 | ---- | M] () -- C:\Windows\ozotequw.dll
    [2010/05/20 07:57:46 | 000,057,344 | ---- | M] () -- C:\Windows\System32\****
    [2010/05/20 07:57:37 | 000,030,000 | ---- | M] () -- C:\Windows\System32\****4
    [2010/05/20 07:57:18 | 000,081,408 | ---- | M] () -- C:\Windows\System32\drivers\zgrhurxf5.sys
    [2010/05/20 07:56:45 | 000,006,789 | ---- | M] () -- C:\Windows\ppi2.exe
    [2010/05/20 07:56:02 | 000,030,000 | ---- | M] () -- C:\Windows\System32\****3
    [2010/05/20 07:56:00 | 000,042,496 | ---- | M] () -- C:\Windows\System32\****2
    [2010/05/20 07:55:59 | 000,006,771 | -HS- | M] () -- C:\Windows\E88D4.exe
    [2010/05/20 09:08:36 | 000,023,040 | ---- | C] () -- C:\lsass.exe
    [2010/05/20 07:59:35 | 000,002,544 | ---- | C] () -- C:\Windows\ozotequw.dll
    [2010/05/20 07:57:45 | 000,057,344 | ---- | C] () -- C:\Windows\System32\****
    [2010/05/20 07:57:37 | 000,030,000 | ---- | C] () -- C:\Windows\System32\****4
    [2010/05/20 07:56:18 | 000,823,808 | ---- | C] () -- C:\Windows\System32\drivers\sjaeilvj.sys
    [2010/05/20 07:56:02 | 000,030,000 | ---- | C] () -- C:\Windows\System32\****3
    [2010/05/20 07:56:00 | 000,042,496 | ---- | C] () -- C:\Windows\System32\****2
    [2010/05/20 07:55:53 | 000,081,408 | ---- | C] () -- C:\Windows\System32\drivers\zgrhurxf5.sys
    [2010/05/20 07:55:45 | 000,006,789 | ---- | C] () -- C:\Windows\ppi2.exe
    [2010/05/20 07:55:20 | 000,006,771 | -HS- | C] () -- C:\Windows\E88D4.exe
    :Commands
    [emptytemp]
    [emptyflash]
    [resethosts]


  • Then click the Run Fix button at the top
  • Let the program run unhindered, when done it will say "Fix Complete press ok to open the log"
  • Please post that log in your next reply. Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Please open OTL again, set all boxes to use safe list. Under the custom scan box, paste in:

 

/md5start

explorer.exe

userinit.exe

winlogon.exe

ndis.sys

/md5stop

 

and hit the run scan button, post back with the logfiles.

regards,

schrauber

 

Proud Member of ASAP and UNITE since 2009

 

If you think I have helped you please consider making a donation to the forums. Thanks!
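As an added illustration (not part of the original post, and not OTL's own code): a small parser for the `[timestamp | size | attrs | C/M] (company) -- path` file-listing lines quoted in the fix above, with the same triage heuristics the helper applied by eye: a known Windows binary name without Microsoft's company string, anonymous files written on the infection day, and hidden/system attributes. The sample log lines and the `KNOWN_WINDOWS_BINARIES` set are constructed for this example.

```python
import re
from datetime import date, datetime

# Constructed sample in OTL's listing format; the last line is a benign file for contrast.
SAMPLE_LOG = r"""
[2010/05/20 07:55:48 | 000,169,472 | ---- | C] (Ryddcf) -- C:\Windows\System32\regedit.exe
[2010/05/20 16:04:42 | 000,823,808 | ---- | M] () -- C:\Windows\System32\drivers\sjaeilvj.sys
[2010/05/20  10:54:44 | 000,023,040 | ---- | M] () -- C:\lsass.exe
[2010/05/20 07:55:59 | 000,006,771 | -HS- | M] () -- C:\Windows\E88D4.exe
[2009/11/02 09:12:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
"""
INFECTION_DAY = date(2010, 5, 20)   # the day the poster reported being locked out

# [timestamp | size | attributes | C(reated)/M(odified)] (company) -- path; loose whitespace.
LINE_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2}\s+\d{2}:\d{2}:\d{2})\s*\|\s*(?P<size>[\d,]+)\s*\|\s*"
    r"(?P<attrs>[-A-Z]{4})\s*\|\s*(?P<kind>[CM])\]\s*\((?P<company>[^)]*)\)\s*--\s*(?P<path>.+)$"
)

# Windows binaries whose name should come with Microsoft's company string (constructed list).
KNOWN_WINDOWS_BINARIES = {"regedit.exe", "lsass.exe", "explorer.exe",
                          "userinit.exe", "winlogon.exe"}

def parse_otl_line(line):
    # Returns a dict for a file-listing line, None for any other line.
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(" ".join(m["ts"].split()), "%Y/%m/%d %H:%M:%S")
    return {"timestamp": ts, "size": int(m["size"].replace(",", "")),
            "attrs": m["attrs"], "kind": m["kind"],
            "company": m["company"].strip(), "path": m["path"].strip()}

def suspicion_reasons(e, infection_day):
    # Heuristics mirroring what the helper picked out of the listing.
    reasons = []
    name = e["path"].rsplit("\\", 1)[-1].lower()
    if name in KNOWN_WINDOWS_BINARIES and e["company"] != "Microsoft Corporation":
        reasons.append("Windows binary name without Microsoft company string")
    if e["timestamp"].date() == infection_day:
        if not e["company"]:
            reasons.append("anonymous file written on the infection day")
        if "H" in e["attrs"] or "S" in e["attrs"]:   # -HS- = hidden + system
            reasons.append("hidden/system attributes set on the infection day")
    return reasons

def triage(log_text, infection_day):
    # Map each suspicious path to the list of reasons it was flagged.
    hits = {}
    for line in log_text.splitlines():
        e = parse_otl_line(line)
        if e is not None and (reasons := suspicion_reasons(e, infection_day)):
            hits[e["path"]] = reasons
    return hits
```

Running `triage(SAMPLE_LOG, INFECTION_DAY)` flags the four constructed malware-style entries and leaves the Microsoft explorer.exe line alone.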

Posted

OK, so here are the results of the 'Run Fix' log file:

 

========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\KService deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UserInit deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session manager\\BootExecute:autocheck autochk * deleted successfully.
HKEY_LOCAL_MACHINE\Software\Classes\.com\shell\open\command\\|"%1" %* /E : value set successfully!
HKEY_LOCAL_MACHINE\Software\Classes\.com\\|comfile /E : value set successfully!
C:\WINDOWS\system32\regedit.exe moved successfully.
C:\WINDOWS\system32\drivers\sjaeilvj.sys moved successfully.
C:\lsass.exe moved successfully.
C:\WINDOWS\ozotequw.dll moved successfully.
File C:\Windows\System32\**** not found.
File C:\Windows\System32\****4 not found.
C:\WINDOWS\system32\drivers\zgrhurxf5.sys moved successfully.
C:\WINDOWS\ppi2.exe moved successfully.
File C:\Windows\System32\****3 not found.
File C:\Windows\System32\****2 not found.
C:\WINDOWS\E88D4.exe moved successfully.
File C:\lsass.exe not found.
File C:\Windows\ozotequw.dll not found.
File C:\Windows\System32\**** not found.
File C:\Windows\System32\****4 not found.
File C:\Windows\System32\drivers\sjaeilvj.sys not found.
File C:\Windows\System32\****3 not found.
File C:\Windows\System32\****2 not found.
File C:\Windows\System32\drivers\zgrhurxf5.sys not found.
File C:\Windows\ppi2.exe not found.
File C:\Windows\E88D4.exe not found.
========== COMMANDS ==========

[EMPTYTEMP]

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 19569 bytes
%systemroot%\System32 .tmp files removed: 7125 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 657179 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 13499176 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 1826194 bytes

Total Files Cleaned = 15.00 mb


[EMPTYFLASH]

Total Flash Files Cleaned = 0.00 mb

C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

OTLPE by OldTimer - Version 3.1.39.0 log created on 05232010_185517

The next set of log file results, for the second scan, I have had to upload separately to the post. The file was far too long and it wouldn't let me post the full text or attach it, as it is too big (you'll see why).

 

I recall that 'flyfiudk.exe' (the one taking ALL the text in the log file!) was running loads of processes just before I got locked out of Windows and I couldn't stop it ;)

 

The log file is here >> lastscan.Txt

 

Thanks again.

Posted

Please download the fix.txt from here

 

File-Upload.net - fix.txt

 

and save it to your USB stick. Boot with the OTLPE CD and run OTLPE. Open the stick in Explorer and drag and drop the fix.txt into the custom scan box of OTLPE.

 

Click the run fix button.

 

Please try to boot your system normally.

regards,

schrauber


Posted

My God! I'm back into Windows! Logged in successfully :)

 

So, is that it? Or do we have more things to check first?

 

Regardless, you are now my new favourite person! lol. You can certainly expect a donation to the forum. Outstanding stuff

Posted (edited)

Update:

 

The virus is still lurking in parts. I have a couple of the 'fake' warnings on the toolbar right now. So I guess we need to get rid of the last traces of it now, right?

 

It's also still blocking me from running any .EXE files, so I can't run my anti-virus software right now :(

Edited by Flaunt
Posted

Also, I can't run 'Regedit, Command, Task Manager' etc etc or any .exe.

 

And 'Folder Options' under 'tools' at the top of any window has vanished.....:confused:

Posted

Yea, still some work :)

 

 

Please download exeHelper to your desktop.

Double-click on exeHelper.com to run the fix.

A black window should pop up, press any key to close once the fix is completed.

Post the contents of exehelperlog.txt (Will be created in the directory where you ran exeHelper.com, and should open at the end of the scan)

Download SREng

 

  • Extract it to Desktop and double click SREngLdr.EXE to run it
  • Select System Repair from the left pane.
  • Click on File Association
  • Select all entries that have an Error status and click [Repair]
  • Refer to this image for an example:
     
    http://img.photobucket.com/albums/v666/sUBs/SystemRepair_FileAssocs.gif
     
  • Close SREng now.

Please go here and have a look at how you can disable your security software.

 

Download Combofix from any of the links below but rename it to <schrauber> before saving it to your desktop.

 

Link 1

Link 2

 

 

 

--------------------------------------------------------------------

 

Double click on the renamed Combofix.exe & follow the prompts.

  • When finished, it will produce a report for you.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
     
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

 

http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif

 

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

 

http://img.photobucket.com/albums/v706/ried7/whatnext.png

 

Click on Yes, to continue scanning for malware.

 

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

 

This tool is not a toy and not for everyday use.

ComboFix SHOULD NOT be used unless requested by a forum helper

 

If you need help, see this link:

A guide and tutorial on using ComboFix

regards,

schrauber


Posted

I can't run 'exehelper.com' :(

 

I get a message saying "Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access the item"

 

:confused:

Posted

Right, update again:

 

I downloaded 'Rkill' again and just hammered it trying to get it to run. Amazingly, it finally did it and bought me enough time to run MBAM. That found 69 infections which it removed.

 

I then ran Combofix and that ran for a while and fixed and removed a load of stuff too.

 

As of now, my PC is running great (and a whole lot quicker too) and no sign of the Malware infection anywhere. Do you think we've done enough now? It certainly appears ok now. :rolleyes:

 

Well, I've attached the Combofix.txt file for you to review ;)

ComboFix.txt

Posted

Nope, still some work :)

 

 

1. Close any open browsers.

 

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

 

3. Open notepad and copy/paste the text in the quotebox below into it:

 

File::

c:\windows\Pfudev.bin

Folder::

d:\documents and settings\jason mcdonald\Local Settings\Application Data\{1350C321-BDDF-4E67-8416-40AFA3380114}

d:\documents and settings\jason mcdonald\Local Settings\Application Data\faaulraek

DDS::

uInternet Settings,ProxyServer = http=127.0.0.1:5555

RegNull::

[HKEY_USERS\S-1-5-21-3410226039-2906439684-1996399350-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{59015437-ACA7-8320-AB8E-32C828F05597}*]

[HKEY_USERS\S-1-5-21-3410226039-2906439684-1996399350-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{F502183F-F0B7-4EA1-748B-3FE5C5972A1C}*]

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\Ø•€|ÿÿÿÿ�•€|ù•A~�*]

 

 

Save this as CFScript.txt, in the same location as ComboFix.exe

 

 

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

 

Referring to the picture above, drag CFScript into ComboFix.exe

 

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Download GMER from Here. Note the file's name and save it to your root folder, such as C:\.

 

  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator")
  • Allow the driver to load if asked.
  • You may be prompted to scan immediately if it detects rootkit activity.
  • If you are prompted to scan your system click "No", save the log and post back the results.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as Results.log and copy/paste the contents in your next reply.
  • Exit the program and re-enable all active protection when done.

  • Please download OTL from one of the following mirrors:

 

  • Save it to your desktop.

  • Double click on the OTL icon on your desktop.

  • Under the Custom Scan box paste this in:

netsvcs

%SYSTEMDRIVE%\*.exe

/md5start

eventlog.dll

scecli.dll

netlogon.dll

cngaudit.dll

sceclt.dll

ntelogon.dll

logevent.dll

iaStor.sys

nvstor.sys

atapi.sys

IdeChnDr.sys

viasraid.sys

AGP440.sys

vaxscsi.sys

nvatabus.sys

viamraid.sys

nvata.sys

nvgts.sys

iastorv.sys

ViPrt.sys

eNetHook.dll

ahcix86.sys

KR10N.sys

nvstor32.sys

ahcix86s.sys

nvrd32.sys

symmpi.sys

adp3132.sys

mv61xx.sys

/md5stop

%systemroot%\*. /mp /s

CREATERESTOREPOINT

%systemroot%\system32\*.dll /lockedfiles

%systemroot%\Tasks\*.job /lockedfiles

%systemroot%\system32\drivers\*.sys /lockedfiles

%systemroot%\System32\config\*.sav

%systemdrive%\*.sys /90 /md5

  • Push the Quick Scan button.

  • Two reports will open, copy and paste them in a reply here:

  • OTL.txt <-- Will be opened
  • Extra.txt <-- Will be minimized

 

regards,

schrauber


Posted

Malware has locked me out of everything. Please help! - MajorGeeks Support Forums

 

As Kestrel mentioned, please choose one board and notify the other one to close the thread. Two people working on the same system is a waste of time and can bring your system into nirvana.

regards,

schrauber


Posted (edited)

Hi Schrauber. Yes, I posted there around the same time as here (wasn't aware you knew each other) but started to get advice real quick. My business has been suffering badly so time wasn't on my side, you see!

 

Other than getting back into Windows from your help, I have used Kestrel's instructions only as it all came before your latest response today. As I mentioned to him, I was due to say my thanks to you later today and mention I would finish it up with him.

 

Sorry for any confusion, it's been quite hectic these past few days!

 

I want to thank you HUGELY and sincerely for all your initial help because I wouldn't have even got this far without it. And, as I promised before, I will be still making a donation to the forum and recommending you and the team highly to others.

 

Thanks once again. I really appreciate it ;)

Edited by Flaunt
Posted

Hi,

 

Thanks for letting me know, and you're welcome.

 

A little hint:

 

I would finish it up with him.

 

her :D

regards,

schrauber
