mysterious bugger [RESOLVED]



#1 techie_wannabe (New Member)
It happened with my uncle's computer, which I personally built. It was previously infected by ccollgatee but had that successfully removed thanks to this forum, but recently I noticed strange behaviour once again from the computer.

First, when I run msconfig, in a few seconds it will close itself; that's when I suspected it's infected again. So I tried running Hijack This, but it now says I'm missing a file required to run it. Fearing the worst, I clicked on a scanner (ewido), but it closed itself just like msconfig. It also happened when I tried to install a newer anti-virus.

I tried the whole thing in Safe Mode, but unfortunately it seems the hijacker is also active even in Safe Mode. I've run out of options; any suggestions?


#2 Flrman1 (Malware Assassin, Retired Staff)
Hi techie_wannabe

Welcome to GTG! :whistling:

Click on the following link to download a program to restore the mscomctl.ocx file.

http://www.javacools...ngfilesetup.exe

See if Hijack This will run then and post the log please.

Also open Hijack This and click on the "Open the Misc Tools section" button. Click on the "Open Uninstall Manager" button. Click the "Save List" button. Copy and paste that list here.

#3 techie_wannabe (Topic Starter)
Hi, sorry, kinda late to reply.

Did what you said, nothing happened. So I did some searching inside Explorer; turns out the virus/worm/bug keeps renaming the file msvbvm60.dll, making Hijack This useless. I also noticed a new executable file named c_52392k that keeps re-writing itself in the system32 folder whenever I delete it, same with the file o4523927.exe, forgot where it is.

It really sucks not to be able to control the situation on my uncle's computer.

#4 Flrman1 (Malware Assassin, Retired Staff)
* Download WinPFind
  • Right Click the Zip Folder and Select "Extract All"
  • Extract it somewhere you will remember like the Desktop
  • Don't do anything with it yet!

* Click here for info on how to boot to safe mode if you don't already know how.


Reboot into Safe Mode


Double-click WinPFind.exe
  • Select " Run Add ONs" and then select ALL the options in the box below it, Press Apply
  • Click "Start Scan"
  • It will scan the entire System, so please be patient and let it complete.

Reboot back to Normal Mode!

  • Go to the WinPFind folder
  • Locate WinPFind.txt
  • Copy and paste WinPFind.txt in your next post here please.


#5 techie_wannabe (Topic Starter)
Argh! Still wouldn't work!

The [bleep] thing turned off the program while it was scanning the computer in Safe Mode.

Can you recommend something that can evade the detection capabilities of the virus/worm?

#6 Flrman1 (Malware Assassin, Retired Staff)
What won't work? WinPFind? Did you try running WinPFind and posting that log as requested?

#7 techie_wannabe (Topic Starter)
Yes, but I found some software that disables programs from startup without having to open msconfig. Anyway, I was able to run WinPFind, and here are what I think are the important parts...


Logfile created on: 10/10/2006 12:51:29 PM
WinPFind v1.5.0 Folder = C:\Documents and Settings\ViNZ®\Desktop\WinPFind\
Microsoft Windows XP Service Pack 1 (Version = 5.1.2600)
Internet Explorer (Version = 6.0.2800.1106)

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
aspack 1/15/2001 3:07:00 AM 311824 C:\WINDOWS\eFaxview.exe (eFax.com)

Checking %System% folder...
PEC2 11/25/2002 5:44:26 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc ()
Umonitor 4/11/2001 9:13:46 PM 331776 C:\WINDOWS\SYSTEM32\ipebase12.dll (Hewlett-Packard Company)
WSUD 11/25/2002 5:45:00 AM 1135616 C:\WINDOWS\SYSTEM32\ntbackup.exe (Microsoft Corporation)
WSUD 11/25/2002 5:45:02 AM 256000 C:\WINDOWS\SYSTEM32\nusrmgr.cpl (Microsoft Corporation)
Umonitor 8/29/2002 3:41:10 AM 631808 C:\WINDOWS\SYSTEM32\rasdlg.dll (Microsoft Corporation)
winsync 11/25/2002 5:45:28 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu ()

Checking %System%\Drivers folder and sub-folders...
PEC2 7/2/2004 5:51:00 PM 78796 C:\WINDOWS\SYSTEM32\drivers\VcommMgr.sys (IVT Corporation)

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
10/10/2006 12:47:16 PM S 2048 C:\WINDOWS\bootstat.dat ()
10/10/2006 12:47:56 PM RHS 43072 C:\WINDOWS\j6523922.exe ()
10/10/2006 12:47:56 PM RHS 43072 C:\WINDOWS\o4523927.exe ()
10/10/2006 12:47:56 PM RHS 43072 C:\WINDOWS\_default52392.pif ()
10/10/2006 12:48:08 PM H 1024 C:\WINDOWS\system32\config\DEFAULT.LOG ()
10/10/2006 12:47:48 PM H 1024 C:\WINDOWS\system32\config\SAM.LOG ()
10/10/2006 12:48:08 PM H 1024 C:\WINDOWS\system32\config\SECURITY.LOG ()
10/10/2006 12:51:06 PM H 1024 C:\WINDOWS\system32\config\SOFTWARE.LOG ()
10/10/2006 12:50:26 PM H 1024 C:\WINDOWS\system32\config\SYSTEM.LOG ()
9/19/2006 3:18:04 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\0b6b1a35-2107-4f86-a2ef-cbdb3ad67a7e ()
9/19/2006 3:18:04 PM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred ()
10/10/2006 11:03:06 AM RHS 43072 C:\WINDOWS\system32\n8127\smss.exe ()
10/10/2006 11:03:04 AM RHS 43072 C:\WINDOWS\system32\n8127\sv711917030r.exe ()
10/10/2006 12:47:54 PM RHS 43072 C:\WINDOWS\system32\s-4413\smss.exe ()
10/10/2006 12:47:56 PM RHS 43072 C:\WINDOWS\system32\s-4413\zh59-1845084y.exe ()
10/10/2006 8:53:08 AM RHS 43072 C:\WINDOWS\system32\s5091\smss.exe ()
10/10/2006 8:53:08 AM RHS 43072 C:\WINDOWS\system32\s5091\zh591006284y.exe ()
10/9/2006 3:03:12 PM RHS 43072 C:\WINDOWS\system32\s8787\smss.exe ()
10/9/2006 3:03:12 PM RHS 43072 C:\WINDOWS\system32\s8787\zh592115084y.exe ()
10/7/2006 7:55:46 PM H 39579 C:\WINDOWS\system32\spool\drivers\w32x86\3\lxbzma.GID ()
10/10/2006 12:47:20 PM H 6 C:\WINDOWS\Tasks\SA.DAT ()

Checking for CPL files...
11/25/2002 5:44:20 AM 66048 C:\WINDOWS\SYSTEM32\access.cpl (Microsoft Corporation)
8/29/2002 3:41:28 AM 578560 C:\WINDOWS\SYSTEM32\appwiz.cpl (Microsoft Corporation)
10/23/2002 8:22:00 AM 225339 C:\WINDOWS\SYSTEM32\btcpl.cpl ()
8/29/2002 3:41:28 AM 129024 C:\WINDOWS\SYSTEM32\desk.cpl (Microsoft Corporation)
11/25/2002 5:44:40 AM 150016 C:\WINDOWS\SYSTEM32\hdwwiz.cpl (Microsoft Corporation)
8/29/2002 3:41:28 AM 292352 C:\WINDOWS\SYSTEM32\inetcpl.cpl (Microsoft Corporation)
8/29/2002 3:41:28 AM 121856 C:\WINDOWS\SYSTEM32\intl.cpl (Microsoft Corporation)
8/29/2002 3:41:28 AM 65536 C:\WINDOWS\SYSTEM32\joy.cpl (Microsoft Corporation)
11/25/2002 5:44:46 AM 187904 C:\WINDOWS\SYSTEM32\main.cpl (Microsoft Corporation)
11/25/2002 5:44:50 AM 559616 C:\WINDOWS\SYSTEM32\mmsys.cpl (Microsoft Corporation)
11/25/2002 5:44:58 AM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl (Microsoft Corporation)
11/25/2002 5:45:02 AM 256000 C:\WINDOWS\SYSTEM32\nusrmgr.cpl (Microsoft Corporation)
7/15/2004 11:42:00 AM 73728 C:\WINDOWS\SYSTEM32\nvtuicpl.cpl (NVIDIA Corporation)
11/25/2002 5:45:02 AM 36864 C:\WINDOWS\SYSTEM32\nwc.cpl (Microsoft Corporation)
11/25/2002 5:45:02 AM 36864 C:\WINDOWS\SYSTEM32\odbccp32.cpl (Microsoft Corporation)
11/25/2002 5:45:08 AM 109056 C:\WINDOWS\SYSTEM32\powercfg.cpl (Microsoft Corporation)
8/29/2002 3:41:28 AM 268288 C:\WINDOWS\SYSTEM32\sysdm.cpl (Microsoft Corporation)
11/25/2002 5:45:22 AM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl (Microsoft Corporation)
11/25/2002 5:45:24 AM 90112 C:\WINDOWS\SYSTEM32\timedate.cpl (Microsoft Corporation)
11/25/2002 5:44:20 AM 66048 C:\WINDOWS\SYSTEM32\dllcache\access.cpl (Microsoft Corporation)
8/29/2002 3:41:28 AM 578560 C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl (Microsoft Corporation)
8/29/2002 3:41:28 AM 129024 C:\WINDOWS\SYSTEM32\dllcache\desk.cpl (Microsoft Corporation)
11/25/2002 5:44:40 AM 150016 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl (Microsoft Corporation)
8/29/2002 3:41:28 AM 292352 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl (Microsoft Corporation)
8/29/2002 3:41:28 AM 121856 C:\WINDOWS\SYSTEM32\dllcache\intl.cpl (Microsoft Corporation)
8/29/2002 3:41:28 AM 65536 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl (Microsoft Corporation)
11/25/2002 5:44:46 AM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl (Microsoft Corporation)
11/25/2002 5:44:50 AM 559616 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl (Microsoft Corporation)
11/25/2002 5:44:58 AM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl (Microsoft Corporation)
11/25/2002 5:45:02 AM 256000 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl (Microsoft Corporation)
11/25/2002 5:45:02 AM 36864 C:\WINDOWS\SYSTEM32\dllcache\nwc.cpl (Microsoft Corporation)
11/25/2002 5:45:02 AM 36864 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl (Microsoft Corporation)
11/25/2002 5:45:08 AM 109056 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl (Microsoft Corporation)
8/29/2002 3:41:28 AM 147456 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl (Microsoft Corporation)
8/29/2002 3:41:28 AM 268288 C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl (Microsoft Corporation)
11/25/2002 5:45:22 AM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl (Microsoft Corporation)
11/25/2002 5:45:24 AM 90112 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl (Microsoft Corporation)
8/4/2003 7:05:14 AM R 73728 C:\WINDOWS\SYSTEM32\drivers\SCBaud.cpl (Socket Communications Inc.)

Checking for Downloaded Program Files...
DirectAnimation Java Classes - - CodeBase = file://C:\WINDOWS\Java\classes\dajava.cab
Microsoft XML Parser for Java - - CodeBase = file://C:\WINDOWS\Java\classes\xmldso.cab

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
10/10/2006 12:46:10 PM 890 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk ()
10/10/2006 12:46:10 PM 589 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BTTray.lnk ()
9/23/2005 12:39:16 PM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini ()
10/10/2006 12:46:10 PM 1730 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk ()

Checking files in %ALLUSERSPROFILE%\Application Data folder...
9/23/2005 5:28:52 AM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini ()

Checking files in %USERPROFILE%\Startup folder...
9/23/2005 12:39:16 PM H 84 C:\Documents and Settings\ViNZ®\Start Menu\Programs\Startup\desktop.ini ()

Checking files in %USERPROFILE%\Application Data folder...
9/23/2005 5:28:52 AM HS 62 C:\Documents and Settings\ViNZ®\Application Data\desktop.ini ()
6/6/2006 12:32:32 PM 17144 C:\Documents and Settings\ViNZ®\Application Data\GDIPFONTCACHEV1.DAT ()
>>> Approved Shell Extensions (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
\\{42071714-76d4-11d1-8b24-00a0c9068ff3} - Display Panning CPL Extension = deskpan.dll ()
\\{764BF0E1-F219-11ce-972D-00AA00A14F56} - Shell extensions for file compression = ()
\\{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} - Encryption Context Menu = ()
\\{88895560-9AA2-1069-930E-00AA0030EBC8} - HyperTerminal Icon Ext = C:\WINDOWS\System32\hticons.dll (Hilgraeve, Inc.)
\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} - Taskbar and Start Menu = ()
\\{7A9D77BD-5403-11d2-8785-2E0420524153} - User Accounts = ()
\\{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0} - Set Program Access and Defaults = ()
\\{596AB062-B4D2-4215-9F74-E9109B0A8153} - Previous Versions Property Page = C:\WINDOWS\System32\twext.dll ()
\\{9DB7A13C-F208-4981-8353-73CC61AE2783} - Previous Versions = C:\WINDOWS\System32\twext.dll ()
\\{A70C977A-BF00-412C-90B7-034C51DA2439} - NvCpl DesktopContext Class = C:\WINDOWS\System32\nvcpl.dll (NVIDIA Corporation)
\\{FFB699E0-306A-11d3-8BD1-00104B6F7516} - Play on my TV helper = C:\WINDOWS\System32\nvcpl.dll (NVIDIA Corporation)
\\{1CDB2949-8F65-4355-8456-263E7C208A5D} - Desktop Explorer = C:\WINDOWS\System32\nvshell.dll (NVIDIA Corporation)
\\{1E9B04FB-F9E5-4718-997B-B8DA88302A47} - Desktop Explorer Menu = C:\WINDOWS\System32\nvshell.dll (NVIDIA Corporation)
\\{1E9B04FB-F9E5-4718-997B-B8DA88302A48} - nView Desktop Context Menu = C:\WINDOWS\System32\nvshell.dll (NVIDIA Corporation)
\\ - = ()
\\{6af09ec9-b429-11d4-a1fb-0090960218cb} - My Bluetooth Places = C:\WINDOWS\System32\btneighborhood.dll ()
\\{A5110426-177D-4e08-AB3F-785F10B4439C} - Sony Ericsson File Manager = C:\Program Files\Sony Ericsson\Mobile\File Manager\fmgrgui.dll (Sony Ericsson Mobile Communications AB)
\\{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} - Shell Extensions for RealOne Player = ()
\\{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF} - iTunes = C:\Program Files\iTunes\iTunesMiniPlayer.dll (Apple Computer, Inc.)
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
CursorXP - C:\Program Files\CursorXP\CursorXP.exe ( )
f-3156ViN - C:\WINDOWS\System32\s-4413\zh59-1845084y.exe ()

>>> Startup Links <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\\Common Startup]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BTTray.lnk - C:\Program Files\Bluetooth Software\BTTray.exe ()
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini ()
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE (Microsoft Corporation)

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\\Startup]
C:\Documents and Settings\ViNZ®\Start Menu\Programs\Startup\desktop.ini ()

>>> MSConfig Disabled Items <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\A8493r
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item j6523922
hkey HKLM
command "C:\WINDOWS\j6523922.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\f1596Joi
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item zh591006284y
hkey HKCU
command "C:\WINDOWS\System32\s5091\zh591006284y.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\iTunesHelper
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item iTunesHelper
hkey HKLM
command "C:\Program Files\iTunes\iTunesHelper.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MSMSGS
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item msmsgs
hkey HKCU
command "C:\Program Files\Messenger\msmsgs.exe" /background
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\QuickTime Task
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item qttask
hkey HKLM
command "C:\Program Files\QuickTime\qttask.exe" -atboottime
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\TkBellExe
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item realsched
hkey HKLM
command "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 0
services 0
startup 2


[All Users Startup Folder Disabled Items]

[Current User Startup Folder Disabled Items]

>>> User Agent Post Platform <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

>>> AppInit Dll's <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs]

>>> Image File Execution Options <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
\Your Image File Name Here without a path - Debugger = ntsd -d

>>> Shell Service Object Delay Load <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
\\PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation)
\\CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation)
\\WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll (Microsoft Corporation)
\\SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll (Microsoft Corporation)

>>> Shell Execute Hooks <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
\\{AEB6717E-7E19-11d0-97EE-00C04FD91972} - URL Exec Hook = shell32.dll (Microsoft Corporation)

>>> Shared Task Scheduler <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
\\{438755C2-A8BA-11D1-B96B-00A0C90312E1} - Browseui preloader = %SystemRoot%\System32\browseui.dll (Microsoft Corporation)
\\{8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon = %SystemRoot%\System32\browseui.dll (Microsoft Corporation)

>>> Winlogon <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
\\UserInit = C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\j6523922.exe
\\Shell = Explorer.exe "C:\WINDOWS\o4523927.exe"
\\System =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
\crypt32chain - crypt32.dll = (Microsoft Corporation)
\cryptnet - cryptnet.dll = (Microsoft Corporation)
\cscdll - cscdll.dll = (Microsoft Corporation)
\ScCertProp - wlnotify.dll = (Microsoft Corporation)
\Schedule - wlnotify.dll = (Microsoft Corporation)
\sclgntfy - sclgntfy.dll = (Microsoft Corporation)
\SensLogn - WlNotify.dll = (Microsoft Corporation)
\termsrv - wlnotify.dll = (Microsoft Corporation)
\wlballoon - wlnotify.dll = (Microsoft Corporation)
\WRNotifier - WRLogonNTF.dll = (Webroot Software, Inc.)


Tried fixing it again, but regedit is no longer working.
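As an added example (not code from this thread, from WinPFind, or from Geeks to Go), the following Python script reads a WinPFind-style excerpt constructed from the log above and flags the three signs a responder would act on here: extra programs appended to the Winlogon UserInit and Shell values, Run entries pointing at files with no company name under the Windows directory, and clusters of hidden+system executables sharing one size. The line layout it parses is assumed from the posted log, not taken from any WinPFind specification.

```python
"""Flag persistence indicators in a WinPFind-style log (added example)."""
import re
from collections import defaultdict

# Constructed excerpt modelled on the log posted above; not a complete report.
SAMPLE_LOG = r"""
10/10/2006 12:47:56 PM RHS 43072 C:\WINDOWS\j6523922.exe ()
10/10/2006 12:47:56 PM RHS 43072 C:\WINDOWS\o4523927.exe ()
10/10/2006 11:03:06 AM RHS 43072 C:\WINDOWS\system32\n8127\smss.exe ()
10/10/2006 12:47:54 PM RHS 43072 C:\WINDOWS\system32\s-4413\smss.exe ()
10/10/2006 12:48:08 PM H 1024 C:\WINDOWS\system32\config\DEFAULT.LOG ()
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
CursorXP - C:\Program Files\CursorXP\CursorXP.exe ( )
f-3156ViN - C:\WINDOWS\System32\s-4413\zh59-1845084y.exe ()
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
\\UserInit = C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\j6523922.exe
\\Shell = Explorer.exe "C:\WINDOWS\o4523927.exe"
\\System =
"""

# Line layouts as they appear in the posted log (assumed, not WinPFind's spec).
FILE_RE = re.compile(r"^\S+ \S+ [AP]M (?:(?P<attr>[RHSA]+) )?(?P<size>\d+) "
                     r"(?P<path>[A-Za-z]:\\.*?) \((?P<vendor>[^)]*)\)$")
RUN_RE = re.compile(r"^(?P<name>\S+) - (?P<path>[A-Za-z]:\\.*?) \((?P<vendor>[^)]*)\)$")
TOKEN_RE = re.compile(r'"[^"]+"|[^\s,]+')  # quoted path, or comma/space separated item
# Stock XP values: UserInit should hold only userinit.exe, Shell only Explorer.exe.
EXPECTED = {"userinit": {"userinit.exe"}, "shell": {"explorer.exe"}}
EXE_EXT = (".exe", ".pif", ".scr", ".com")


def basename(path):
    return path.strip('"').rsplit("\\", 1)[-1].lower()


def analyze(text):
    """Return human-readable findings for the suspicious patterns in the log."""
    findings, section, by_size = [], "", defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()  # registry key the following lines belong to
            continue
        m = FILE_RE.match(line)
        if m:
            attr, path = m.group("attr") or "", m.group("path")
            # A dropper writing many hidden+system copies of one binary shows up as one shared size.
            if "H" in attr and "S" in attr and path.lower().endswith(EXE_EXT):
                by_size[int(m.group("size"))].append(path)
            continue
        if section.endswith("\\run"):
            m = RUN_RE.match(line)
            if m and not m.group("vendor").strip() and m.group("path").lower().startswith("c:\\windows\\"):
                findings.append(f"Run entry '{m.group('name')}' starts a file with no company name "
                                f"under the Windows directory: {m.group('path')}")
        elif section.endswith("\\winlogon") and line.startswith("\\\\"):
            key, _, value = line[2:].partition("=")
            expected = EXPECTED.get(key.strip().lower())
            extras = [t.strip('"') for t in TOKEN_RE.findall(value) if expected and basename(t) not in expected]
            for prog in extras:
                findings.append(f"Winlogon {key.strip()} carries an extra program: {prog}")
    for size, paths in sorted(by_size.items()):
        if len(paths) >= 2:
            findings.append(f"{len(paths)} hidden+system executables share size {size}: " + ", ".join(paths))
    return findings
```

Running `analyze(SAMPLE_LOG)` reports the two Winlogon hijacks, the HKCU Run entry and the four 43072-byte hidden files, which is exactly the set of persistence points a helper would ask to have removed before any scanner could stay running.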

#8 Flrman1 (Malware Assassin, Retired Staff)
* Go here and do the BitDefender online virus scan.
  • Click "I Agree" to agree to the EULA.
  • Allow the ActiveX control to install when prompted.
  • Click "Click here to scan" to begin the scan.
  • Please refrain from using the computer until the scan is finished.
  • When the scan is finished, click on "Click here to export the scan results"
  • Save the report to your desktop to post here later.

* Click here to download Dr.Web CureIt and save it to your desktop.
  • Double-click the drweb-cureit.exe file and allow it to run the express scan.
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click the next icon next to the files found: [image]
  • If so, click it and then click the next icon right below and select Move incurable as you'll see in the next image:
    [image]
    This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured (in case we need samples).
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! Files in use may be moved/deleted during the reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply along with a new Hijack This log and the BitDefender results.


#9 Flrman1 (Malware Assassin, Retired Staff)
Any progress here?

#10 techie_wannabe (Topic Starter)
So sorry for the very late reply, got too busy with work.

Well anyway, I'm giving up on trying to clean the computer. BitDefender won't run because the virus detected it scanning, so it shut down Explorer, even in Safe Mode, and then I even tried running Dr.Web from the command prompt in Safe Mode, but still no can do...

But thanks for the effort; I'll just scold my uncle for being careless with his computer.

#11 Flrman1 (Malware Assassin, Retired Staff)
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :whistling:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.