Beaten down with bagle


#1 golfer_guy (Member, 18 posts)
My house burned down and I was given a "great" computer by my church. The guy that had it said it had a "few small problems".

First of all, I can't get any antivirus-spyware-adware program to run except
Adaware free
FProtDOS
silentrunners
EMCO malware destroyer
stinger
rootkit revealer


The ones that won't run at all or even come up in taskmgr (even after uninstalling-reinstalling) are
smitfraudfix
smitrem
bughunter
combofix
deckards scanner
drcureit
avast
spybot
rogue remover
sygate personal
superantispyware

I have hurriedly turned on the win firewall for at least something between me and the bad guys.
I have done the Panda online scan and
TrendMicro scans

Everything that does run says my hldrrr and wintems, Bagle, Mitshilder (sp?), are now gone.
Reboot (can't go into safe mode at all--BSOD) and there they are looking at me in the taskmgr, first thing.
I get a ton of the system32/down references, for example 98715.exe.

I have no hair left.

Will be back with a new hijack log. (SCRATCH THIS: won't run either)

Please (sob) help me fix this. I need to have a good running machine to continue my business and my life while I wait for the insurance co. to decide to pay me.

I have never been at this crossroad before and I appreciate SO much a place to come to.

:):) :)

update: today I ran cyberdefender.......reboot (still there)
windows defender ........reboot (still there)
a2squared..................reboot.....(still there)
***each of the three said they found and removed stuff but after the reboot, it's still there.

Downloaded a new Spybot issue in full; the second it opened, the bug shut it down.
It also automatically turned off the SpywareBlaster protection.
My win firewall keeps automatically shutting off within minutes of me re-turning it on.

Downloaded a new Hijack prog, and the second it started to open, it shuts down; all of these, when they shut down, say "....is not a valid Win32 application".

Also, in a frail, feeble attempt, I clicked safeboot.reg several times today without resolve. Still BSOD trying to go to any safe mode.

******Would VGA mode do the trick instead of safemode for really removing these things?

thank you very much.

I am back. I finally tried Kaspersky Scanner.
Attached is a picture of it saying hldrrr and wintems are OK.

PLEASE HELP.

Attached: finaltogether.JPG

Edited by golfer_guy, 14 February 2008 - 09:54 PM.



#2 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
Hello golfer_guy

Welcome to G2Go. :)
===================
Copy everything inside the quote box below (starting with dir) and paste it into notepad. Go up to "File > Save As" and click the drop-down box to change the "Save As Type" to "All Files". Save it as findfile.bat on your Desktop.

dir C:\WINDOWS\system32\drivers\down /a > files.txt
rem /a lists every file in that folder, hidden and system files included
notepad files.txt


Locate findfile.bat on your Desktop and double-click on it. It will open Notepad with some text in it. Please post the contents of that Notepad here along with a Silent Runners log.
==============================
Please RIGHT-CLICK HERE and Save As (in IE it's "Save Target As", in FF it's "Save Link As") to download Silent Runners.
  • Save it to the desktop.
  • Run Silent Runners by double-clicking the "Silent Runners" icon on your desktop.
  • You will receive a prompt:
    • Do you want to skip supplementary searches?
      click NO
  • If you receive an error just click OK and double-click it to run it again - sometimes it won't run as it's supposed to the first time but will in subsequent runs.
  • You will see a text file appear on the desktop - it's not done, let it run (it won't appear to be doing anything!)
  • Once you receive the prompt All Done!, open the text file on the desktop, copy that entire log, and paste it here.
*NOTE* If you receive any warning message about scripts, please choose to allow the script to run.
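
To turn a listing like the one requested above into a quick triage, here is an added Python example (not the helper's or the thread's own code); it assumes the ISO-style date format shown in this thread, and the repeat threshold it uses is a guess, not something the thread states:

```python
"""Triage a Windows `dir` listing of a suspected dropper folder.

Constructed example for this thread. It parses the listing format
shown here (ISO-style dates, as XP's `dir` prints them under those
regional settings; a US-locale machine prints `02/13/2008  11:58 AM`
instead) and reports what a helper scans for by eye: how many
numerically named .exe files there are, which sizes repeat (the same
payload written again and again) and how many files landed in one minute.
"""
import re
from collections import Counter

# A file line: "2008-02-13  11:58            13,134 100671.exe"
FILE_LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2})\s+"
    r"(?P<size>[\d,]+)\s+(?P<name>\S.*?)\s*$"
)
# The trailer dir prints: "              10 File(s)        792,698 bytes"
SUMMARY_LINE = re.compile(r"^\s*(?P<count>\d+) File\(s\)\s+(?P<bytes>[\d,]+) bytes")
# Dropper names in this thread are digits only, e.g. 110109562.exe
NUMERIC_EXE = re.compile(r"^\d+\.exe$", re.IGNORECASE)

# Constructed sample in the thread's format (sizes mirror the real listing,
# plus one non-numeric name to show it is counted separately).
SAMPLE_LISTING = r"""
 Volume in drive C is Local Disk
 Volume Serial Number is 0000-0000

 Directory of C:\WINDOWS\system32\drivers\down

2008-02-14  18:58    <DIR>          .
2008-02-14  18:58    <DIR>          ..
2008-02-13  11:58            13,134 100671.exe
2008-02-13  14:59               628 102921.exe
2008-02-14  17:34            33,907 103484.exe
2008-02-13  12:02            13,134 104531.exe
2008-02-13  11:25           483,844 110109562.exe
2008-02-13  11:25            71,172 110128046.exe
2008-02-13  11:25            71,172 110135656.exe
2008-02-13  11:25            71,172 110139500.exe
2008-02-13  11:25               628 110142703.exe
2008-02-14  17:34            33,907 helper.exe
              10 File(s)        792,698 bytes
"""


def parse_dir_listing(text):
    """Return (entries, summary): entries are (date, time, size, name)
    tuples for every file line; summary is (count, bytes) from the
    trailer, or None if the paste was cut off before it."""
    entries, summary = [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = FILE_LINE.match(line)
        if m:  # <DIR> rows never match: their size field is not numeric
            size = int(m["size"].replace(",", ""))
            entries.append((m["date"], m["time"], size, m["name"]))
            continue
        s = SUMMARY_LINE.match(line)
        if s:
            summary = (int(s["count"]), int(s["bytes"].replace(",", "")))
    return entries, summary


def triage(entries, summary=None, min_repeat=3):
    """Summarise the listing. min_repeat (an assumed threshold) is how
    many files of identical size count as a repeated drop."""
    sizes = Counter(size for _, _, size, _ in entries)
    per_minute = Counter((date, time) for date, time, _, _ in entries)
    total = sum(size for _, _, size, _ in entries)
    return {
        "file_count": len(entries),
        "total_bytes": total,
        "numeric_named": sum(1 for *_, name in entries if NUMERIC_EXE.match(name)),
        "distinct_sizes": len(sizes),
        "repeated_sizes": {size: n for size, n in sizes.items() if n >= min_repeat},
        "max_per_minute": max(per_minute.values(), default=0),
        # False means the paste was truncated or edited: ask for it again.
        "summary_matches": summary is None or summary == (len(entries), total),
    }


def main():
    entries, summary = parse_dir_listing(SAMPLE_LISTING)
    for key, value in triage(entries, summary).items():
        print(f"{key:>16}: {value}")


if __name__ == "__main__":
    main()
```

Run it against the pasted files.txt instead of the sample to get the same report for the real folder; a low distinct-size count next to a high file count is the pattern of one dropper re-writing the same few payloads.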

#3 golfer_guy (Topic Starter, Member, 18 posts)
oh golllllleee gollllleeeee THANK YOU !
help has arrived! whew!!!!!!!!!

Volume in drive C is Local Disk
 Volume Serial Number is 70C6-2488

 Directory of C:\WINDOWS\system32\drivers\down

			 479 File(s)	 22,980,031 bytes

 Directory of C:\Documents and Settings\Owner\Desktop

Yikes, I knew I had a lot!

MUCH THANKS!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Oops, got cut off, I'll post again!

Edited by golfer_guy, 14 February 2008 - 10:23 PM.


#4 golfer_guy (Topic Starter, Member, 18 posts)
Silent Runners again
"Silent Runners.vbs", revision 55, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"CursorXP" = "C:\Program Files\CursorXP\CursorXP.exe" [" "]
"SpybotSD TeaTimer" = "C:\Program Files\spdes\TeaTimer.exe" ["Safer Networking Limited"]
"CyberDefender Early Detection Center" = ""C:\Program Files\CyberDefender\AntiSpyware\cdas80b.exe" /minimize" ["CyberDefender Corp."]
"SkinClock" = "C:\Program Files\FreeDskClk\DesktopClock.exe" [null data]
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"KernelFaultCheck" = "C:\WINDOWS\system32\dumprep 0 -k"
"BDMCon" = ""C:\Program Files\Softwin\BitDefender10\bdmcon.exe" /reg" ["SOFTWIN S.R.L."]
"BDAgent" = ""C:\Program Files\Softwin\BitDefender10\bdagent.exe"" ["SOFTWIN S.R.L."]
"COMODO Firewall Pro" = ""C:\Program Files\COMODO\Firewall\cfp.exe" -h" [file not found]
"Windows Defender" = ""C:\Program Files\Windows Defender\MSASCui.exe" -hide" [MS]
"AVP" = ""C:\Kaspersky Lab Tool\setup_7.0.0.180_14.02.2008_03-07.exe"" ["Kaspersky Lab"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{0A87E45F-537A-40B4-B812-E2544C21A09F}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "SpywareBlock Class"
				   \InProcServer32\(Default) = "C:\Program Files\SpyCatcher\SCActiveBlock.dll" [file not found]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Spybot-S&D IE Protection"
				   \InProcServer32\(Default) = "C:\Program Files\spdes\SDHelper.dll" ["Safer Networking Limited"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "SSVHelper Class"
				   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll" ["Sun Microsystems, Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{52B87208-9CCF-42C9-B88E-069281105805}" = "Trojan Remover Shell Extension"
  -> {HKLM...CLSID} = "Trojan Remover Shell Extension"
				   \InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1\Trshlex.dll" ["Simply Super Software"]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
  -> {HKLM...CLSID} = "RealOne Player Context Menu Class"
				   \InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{EFA24E62-B078-11d0-89E4-00C04FC9E26E}" = "History Band"
  -> {HKLM...CLSID} = "History Band"
				   \InProcServer32\(Default) = "C:\WINDOWS\system32\Shdocvw.dll" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {HKLM...CLSID} = (no title provided)
				   \InProcServer32\(Default) = "C:\Program Files\MWord_and_WrdperfViewer\OFFICE11\msohev.dll" [MS]
"{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}" = "Microsoft Office Metadata Handler"
  -> {HKLM...CLSID} = "Microsoft Office Metadata Handler"
				   \InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}" = "Microsoft Office Thumbnail Handler"
  -> {HKLM...CLSID} = "Microsoft Office Thumbnail Handler"
				   \InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {HKLM...CLSID} = "WinRAR"
				   \InProcServer32\(Default) = "C:\Program Files\WinRAR3.50corporate\rarext.dll" [null data]
"{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}" = "UnlockerShellExtension"
  -> {HKLM...CLSID} = "UnlockerShellExtension"
				   \InProcServer32\(Default) = "C:\Program Files\Unlocker\UnlockerCOM.dll" [null data]
"{85E0B171-04FA-11D1-B7DA-00A0C90348D6}" = "Web Anti-Virus"
  -> {HKLM...CLSID} = "Web Anti-Virus"
				   \InProcServer32\(Default) = "C:\aaaa_MENOWHEREPROJECTS\ART\Kaspersky_Portable\scieplugin.dll" ["Kaspersky Lab"]
"{EF479680-EA35-4EA9-B093-7114F3E3E0DA}" = "Directory Lister"
  -> {HKLM...CLSID} = "ShlMenu Class"
				   \InProcServer32\(Default) = "C:\Program Files\Directory Lister\DirListerExt.dll" [empty string]
"{08267B21-223F-11d3-ACD4-004F4902B913}" = "Desktop Architect"
  -> {HKLM...CLSID} = "Desktop Architect"
				   \InProcServer32\(Default) = "C:\Program Files\Desktop Architect\dadesk.dll" [file not found]
"{FFC99EA8-29FB-4B60-AB60-CFD2FE06DA32}" = "Permissions Prop Page Shell Extension"
  -> {HKLM...CLSID} = "PermissionsPropPage Class"
				   \InProcServer32\(Default) = "C:\Program Files\Gyrus Solutions\XPHomeTools\XPhomePermsMgrExt.dll" [file not found]
"{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}" = "TrojanHunter Menu Shell Extension"
  -> {HKLM...CLSID} = "TrojanHunter Menu Shell Extension"
				   \InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1.6\contmenu.dll" [null data]
"{A155339D-CCCD-4714-85EB-3754B804C9DF}" = "a-squared Free Shell Extension"
  -> {HKLM...CLSID} = "a-squared Free Shell Extension"
				   \InProcServer32\(Default) = "c:\program files\a-squared free\a2freecontmenu.dll" ["Emsi Software GmbH"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "AVG Anti-Spyware 7.5"
  -> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
				   \InProcServer32\(Default) = "C:\Program Files\AVG Anti-Spyware 7.5\shellexecutehook.dll" ["GRISOFT s.r.o."]
<<!>> "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}" = (no title provided)
  -> {HKLM...CLSID} = "SABShellExecuteHook Class"
				   \InProcServer32\(Default) = "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" ["SuperAdBlocker.com"]
<<!>> "{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}" = "Microsoft AntiMalware ShellExecuteHook"
  -> {HKLM...CLSID} = "Microsoft AntiMalware ShellExecuteHook"
				   \InProcServer32\(Default) = "C:\PROGRA~1\WIFD1F~1\MpShHook.dll" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
  -> {HKLM...CLSID} = "WPDShServiceObj Class"
				   \InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\
<<!>> "AppInit_DLLs" = "secuload.dll,sockspy.dll c:\windows\system32\guard32.dll" [file not found]

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\
<<!>> "BootExecute" = "autocheck autochk *"|"lsdelete" [null data]| [file not found]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> !SASWinLogon\DLLName = "C:\Program Files\SUPERAntiSpyware\SASWINLO.dll" ["SUPERAntiSpyware.com"]
<<!>> igfxcui\DLLName = "igfxsrvc.dll" ["Intel Corporation"]

HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807563E5-5146-11D5-A672-00B0D022E945}"
  -> {HKLM...CLSID} = "Microsoft Office InfoPath XML Mime Filter"
				   \InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL" [MS]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
PicaView\(Default) = "{68f32140-2ca3-11d0-acc1-444553540000}"
  -> {HKLM...CLSID} = "PicaView Shell Extension"
				   \InProcServer32\(Default) = "C:\PROGRA~1\ACDSYS~1\PicaView\PicaView.dll" ["ACD Systems, Ltd."]
shell_rename\(Default) = "{259253CA-E11C-487A-8383-22C39E5E5DBA}"
  -> {HKLM...CLSID} = "CRenameShell Object"
				   \InProcServer32\(Default) = "C:\WINDOWS\sdshren.dll" ["Software Directions"]
Trojan Remover\(Default) = "{52B87208-9CCF-42C9-B88E-069281105805}"
  -> {HKLM...CLSID} = "Trojan Remover Shell Extension"
				   \InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1\Trshlex.dll" ["Simply Super Software"]
TrojanHunter\(Default) = "{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}"
  -> {HKLM...CLSID} = "TrojanHunter Menu Shell Extension"
				   \InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1.6\contmenu.dll" [null data]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
				   \InProcServer32\(Default) = "C:\Program Files\WinRAR3.50corporate\rarext.dll" [null data]

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
  -> {HKLM...CLSID} = "CContextScan Object"
				   \InProcServer32\(Default) = "C:\Program Files\AVG Anti-Spyware 7.5\context.dll" ["GRISOFT s.r.o."]
shell_rename\(Default) = "{259253CA-E11C-487A-8383-22C39E5E5DBA}"
  -> {HKLM...CLSID} = "CRenameShell Object"
				   \InProcServer32\(Default) = "C:\WINDOWS\sdshren.dll" ["Software Directions"]
TrojanHunter\(Default) = "{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}"
  -> {HKLM...CLSID} = "TrojanHunter Menu Shell Extension"
				   \InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1.6\contmenu.dll" [null data]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
				   \InProcServer32\(Default) = "C:\Program Files\WinRAR3.50corporate\rarext.dll" [null data]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
a-squared Free Shell Extension\(Default) = "{A155339D-CCCD-4714-85EB-3754B804C9DF}"
  -> {HKLM...CLSID} = "a-squared Free Shell Extension"
				   \InProcServer32\(Default) = "c:\program files\a-squared free\a2freecontmenu.dll" ["Emsi Software GmbH"]
DirLister\(Default) = "{EF479680-EA35-4EA9-B093-7114F3E3E0DA}"
  -> {HKLM...CLSID} = "ShlMenu Class"
				   \InProcServer32\(Default) = "C:\Program Files\Directory Lister\DirListerExt.dll" [empty string]
Trojan Remover\(Default) = "{52B87208-9CCF-42C9-B88E-069281105805}"
  -> {HKLM...CLSID} = "Trojan Remover Shell Extension"
				   \InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1\Trshlex.dll" ["Simply Super Software"]
TrojanHunter\(Default) = "{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}"
  -> {HKLM...CLSID} = "TrojanHunter Menu Shell Extension"
				   \InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1.6\contmenu.dll" [null data]
UnlockerShellExtension\(Default) = "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}"
  -> {HKLM...CLSID} = "UnlockerShellExtension"
				   \InProcServer32\(Default) = "C:\Program Files\Unlocker\UnlockerCOM.dll" [null data]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
				   \InProcServer32\(Default) = "C:\Program Files\WinRAR3.50corporate\rarext.dll" [null data]

HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
a-squared Free Shell Extension\(Default) = "{A155339D-CCCD-4714-85EB-3754B804C9DF}"
  -> {HKLM...CLSID} = "a-squared Free Shell Extension"
				   \InProcServer32\(Default) = "c:\program files\a-squared free\a2freecontmenu.dll" ["Emsi Software GmbH"]
UnlockerShellExtension\(Default) = "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}"
  -> {HKLM...CLSID} = "UnlockerShellExtension"
				   \InProcServer32\(Default) = "C:\Program Files\Unlocker\UnlockerCOM.dll" [null data]


Group Policies {policy setting}:
--------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoMovingBands" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"NoCloseDragDropBands" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"ForceClassicViewCntlPanel" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"NoChangeKeyboardNavigationIndicators" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"NoChangeAnimation" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"NoAddPrinter" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"NoDeletePrinter" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"RestrictCpl" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"DisallowCpl" = (REG_DWORD) dword:0x00000000
{Hide specified control panel applets / items}

"NoDrives" = (REG_BINARY) hex:80 E7 FF 03
{unrecognized setting}

"NoViewOnDrive" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"RestrictRun" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"DisallowRun" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"NoRecycleFiles" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"ForceRecycleBinSize" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"NoSharedDocuments" = (REG_DWORD) dword:0x00000000
{Remove Shared Documents from My Computer}

"NoPropertiesMyComputer" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"NoPropertiesMyDocuments" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"NoPropertiesRecycleBin" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"NoManageMyComputerVerb" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"NoDesktop" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"NoControlPanel" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"NoCustomizeWebView" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"NoViewContextMenu" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"ClearRecentDocsOnExit" = (REG_BINARY) hex:01 00 00 00
{unrecognized setting}

"NoWinKeys" = (REG_DWORD) dword:0x00000000
{Disable Windows+X hotkeys}

"NoFileAssociate" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"NoDFSTab" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"NoHardwareTab" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"NoSecurityTab" = (REG_DWORD) dword:0x00000000
{Remove Security tab}

"NoInstrumentation" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"NoCustomizeThisFolder" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"DontShowSuperHidden" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"NoOnlinePrintsWizard" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"NoPublishingWizard" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"NoRun" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"NoSetTaskbar" = (REG_DWORD) dword:0x00000000
{Prevent changes to Taskbar and Start Menu Settings}

"NoSMConfigurePrograms" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"NoStartMenuMyMusic" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"NoSMMyDocs" = (REG_DWORD) dword:0x00000000
{Remove Documents menu from Start Menu}

"NoStartMenuNetworkPlaces" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"NoFavoritesMenu" = (REG_DWORD) dword:0x00000000
{Remove Favorites menu from Start Menu}

"NoHelp" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"NoNetworkConnections" = (REG_DWORD) dword:0x00000000
{Remove Network Connections from Start Menu}

"NoCommonGroups" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"NoWindowsUpdate" = (REG_DWORD) dword:0x00000000
{Remove links and access to Windows Update}

"NoChangeStartMenu" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"NoRecentDocsHistory" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"NoStartMenuMFUprogramsList" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"NoStartMenuPinnedList" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"NoUserNameInStartMenu" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"NoStartMenuMorePrograms" = (REG_DWORD) dword:0x00000000
{Remove All Programs list from the Start menu}

"NoStartMenuEjectPC" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"NoSimpleStartMenu" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"ForceStartMenuLogoff" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"StartMenuLogoff" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"NoStartMenuSubFolders" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"NoDisconnect" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"NoNtSecurity" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"NoSetFolders" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"GreyMSIAds" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"ForceMaxRecentDocs" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"NoSMBalloonTip" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"NoSMBalloonTips" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"NoTrayContextMenu" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"NoTrayItemsDisplay" = (REG_DWORD) dword:0x00000000
{Hide the notification area}

"LockTaskbar" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"HideClock" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"NoStartBanner" = (REG_BINARY) hex:00 00 00 00
{Remove "Click here to begin" from Start button}

"NoTaskGrouping" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"NoWebServices" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"NoFileUrl" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"NoInternetIcon" = (REG_DWORD) dword:0x00000000
{Hide Internet Explorer icon on desktop}

"NoBandCustomize" = (REG_DWORD) dword:0x00000000
{Disable customizing browser toolbars}

"NoToolbarCustomize" = (REG_DWORD) dword:0x00000000
{Disable customizing browser toolbar buttons}

"NoExpandedNewMenu" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"SpecifyDefaultButtons" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"NoNetHood" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"NoNetConnectDisconnect" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"NoComputersNearMe" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"NoRecentDocsNetHood" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"EnforceShellExtensionSecurity" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"NoLowDiskSpaceChecks" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"NoRunasInstallPrompt" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"PromptRunasInstallNetPath" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"NoResolveTrack" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"NoResolveSearch" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"LinkResolveIgnoreLinkInfo" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"NoDevMgrUpdate" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"NoDesktopCleanupWizard" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"NoThumbnailCache" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"NoCDBurning" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"ForceCopyAclwithFile" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"StartRunNoHOMEPATH" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"NoActiveDesktopChanges" = (REG_BINARY) hex:00 00 00 00
{Prohibit changes}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoComputersNearMe" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"NoSharedDocuments" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"NoSMMyDocs" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"NoRecentDocsHistory" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"NoWelcomeScreen" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"Lock Taskbar" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"NoVisualStyleChoice" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"NoColorChoice" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"NoSizeChoice" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"HideLogonScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"HideLogoffScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"HideLegacyLogonScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\

"Accessibility" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"Cache" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"Settings" = (REG_DWORD) dword:0x00000000
{Prevent the deletion of temporary Internet files and cookies}

"Colors" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"Links" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"Fonts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"Languages" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"History" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"HomePage" = (REG_DWORD) dword:0x00000000
{Disable changing home page settings}

"GeneralTab" = (REG_DWORD) dword:0x00000000
{Disable the General page}

"SecAddSites" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"SecChangeSettings" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"SecurityTab" = (REG_DWORD) dword:0x00000000
{Disable the Security page}

"Certificates" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"CertifPers" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"CertifPub" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"CertifSite" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"Profiles" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"Ratings" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"ContentTab" = (REG_DWORD) dword:0x00000000
{Disable the Content page}

"AutoConfig" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"Proxy" = (REG_DWORD) dword:0x00000000
{Disable changing proxy settings}

"Connection Settings" = (REG_DWORD) dword:0x00000000
{Disable changing connection settings}

"Connection Wizard" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"Connwiz Admin Lock" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"ConnectionsTab" = (REG_DWORD) dword:0x00000000
{Disable the Connections page}

"Messaging" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"CalendarContact" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"Check_If_Default" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"ResetWebSettings" = (REG_DWORD) dword:0x00000000
{Disable the Reset Web Settings feature}

"ProgramsTab" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"Advanced" = (REG_DWORD) dword:0x00000000
{Disable changing Advanced page settings}

"AdvancedTab" = (REG_DWORD) dword:0x00000000
{Disable the Advanced page}

"IEAKContext" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"Wallet" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"PrivacyTab" = (REG_DWORD) dword:0x00000000
{Disable the Privacy page}

"Privacy Settings" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"FormSuggest" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"FormSuggest Passwords" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\

"NoSplash" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"NoSearchCustomization" = (REG_DWORD) dword:0x00000000
{Search: Disable Search Customization}

"NoBrowserSaveWebComplete" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

HKCU\Software\Policies\Microsoft\Windows\Task Scheduler5.0\

"Task Creation" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"Task Deletion" = (REG_DWORD) dword:0x00000000
{Prohibit Task deletion}

"Allow Browse" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"Execution" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"DragAndDrop" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"Disable Advanced" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"Property Pages" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Devices: Allow undock without having to log on}

"ShutdownWithoutLogon" = (REG_DWORD) dword:0x00000001
{Shutdown: Allow system to be shut down without having to log on}

"HideShutdownScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"RunLogonScriptSync" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"RunStartupScriptSync" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"HideStartupScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"EnableLUA" = (REG_DWORD) dword:0x00000000
{User Account Control: Run All Administrators In Admin Approval Mode}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be enabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\ACD Wallpaper.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINDOWS\ACD Wallpaper.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\system32\scrnsave.scr" [MS]


DESKTOP.INI DLL launch in local fixed drive directories:
--------------------------------------------------------

D:\MiniNT\DESKTOP.INI
[.ShellClassInfo]
CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}
  -> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ShellvRTF.dll" ["XSS"]

D:\PRELOAD\DESKTOP.INI
[.ShellClassInfo]
CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}
  -> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ShellvRTF.dll" ["XSS"]

D:\i386\DESKTOP.INI
[.ShellClassInfo]
CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}
  -> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ShellvRTF.dll" ["XSS"]

D:\recovery\DESKTOP.INI
[.ShellClassInfo]
CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}
  -> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ShellvRTF.dll" ["XSS"]

D:\updgoi\DESKTOP.INI
[.ShellClassInfo]
CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}
  -> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ShellvRTF.dll" ["XSS"]

  • 0

#5 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
Please go to Start > Run and type in Notepad.
Copy what is in the code box below into the open Notepad window.
Change the "Save As Type" to "All Files". Save it as fixthis.bat on your Desktop.
@Echo off
rem Stop each of the two services the infection installed, then delete its
rem service entry so it is not loaded again on the next boot.
sc stop "Megadrv3"
sc delete "Megadrv3"
sc stop "srosa"
sc delete "srosa"
exit
Then please double click on fixthis.bat; a window will open and close quickly. This is normal.
=================================================================
Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\WINDOWS\system32\drivers\down
    C:\WINDOWS\system32\drivers\hldrrr.exe 
    C:\WINDOWS\system32\wintems.exe 
    C:\WINDOWS\system32\mdelk.exe 
    C:\WINDOWS\system32\drivers\srosa.sys
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • OTMoveit2 will create a log of moved files in the C:\_OTMoveIt\MovedFiles folder. The log's name will appear as the date and time it was created, with the format mmddyyyy_hhmmss.log. Open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
==================================
Run OTMoveIt2 again with the same instructions after the reboot, if asked, and please post the reports from both runs; the logs will be in the C:\_OTMoveIt folder.
Let me know how it goes.
  • 0

#6 golfer_guy (Topic Starter, Member, 18 posts)
thank you for helping!


fixthis:
each command said
is not an internal or external command
(see attd)

pls see the task mgr. after reboot, the down stuff etc. is still there.
I added the ending command thinking maybe I screwed up, but both ways got the internal-external command error.
do I need to point it to a diff. directory on this XP Home machine?
=============================================================


OTMoveIt would not let me see the contents after reboot, so I had to capture winexp for you to show the basic files.
attd also
C:\WINDOWS\system32\drivers\down moved successfully.
File move failed. C:\WINDOWS\system32\drivers\hldrrr.exe scheduled to be moved on reboot.
File move failed. C:\WINDOWS\system32\wintems.exe scheduled to be moved on reboot.
File move failed. C:\WINDOWS\system32\mdelk.exe scheduled to be moved on reboot.
File move failed. C:\WINDOWS\system32\drivers\srosa.sys scheduled to be moved on reboot.

did a couple searches after reboot (show hidden files) and these references are not coming up anymore with the same search progs as they did prior. :)

:):):):) (see what you have done to me!)

Attached Thumbnails

  • fixthis_errors.jpg
  • still_taskmgr.jpg
  • ot_results.jpg

Edited by golfer_guy, 15 February 2008 - 12:16 AM.

  • 0

#7 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
Ok, the directory is right, and if it is still there then do the following:

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
  • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  • During the download, rename Combofix to Combo-Fix as follows:


  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**
  • 0

#8 golfer_guy (Topic Starter, Member, 18 posts)
please see first post, still can't run HJ or combofix at all, even from cmd prompt.

After our reboot last night, the problems I still have so far are:
so many things say "is not a valid win32 application"
still no safemode

firewall, progs, etc. do not open

thanks for helping!
  • 0

#9 golfer_guy (Topic Starter, Member, 18 posts)
just ran the rootkitrevealer again and thought maybe we can figure out what to take out, 'cause the lil buggers are listed in there!
Please let me know!
  • 0

#10 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
Please do not run anything unless instructed.
No more Rootkit Revealer as this is not a rootkit.
I do not need you to run the Combofix you already have as it is corrupted. Please delete it as it will not run.
Go ahead and remove/uninstall the security programs you have that are giving you the error already, as they are all useless now and will have to be removed: this infection kills almost anything dealing with security programs.

Please follow these instructions as I am asking you to rename Combofix so it will trick the infection.
Please note that there will be a dash like this - in between the Combo and Fix; this is necessary to make it run.
Please read All of the instructions thoroughly to get this to work.
-----------------------------------------------------------------------------------------------
Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
  • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  • During the download, rename Combofix to Combo-Fix as follows:


  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt" for further review.
**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**
  • 0


#11 golfer_guy (Topic Starter, Member, 18 posts)
thanks again kahdah!

combo-fix: new download to USB, renamed, and.................
"is not a valid win32 application"

note--what you mentioned:
"* Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results"."

everything is still not running and can't open......all "not a valid win32".
BUT just all the antivir-trojan-malware progs.

I checked my exe association and all references are good in the registry.

Edited by golfer_guy, 15 February 2008 - 04:05 PM.

  • 0

#12 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
Okay let's try this route:

Just as with Combofix when you save this file save it to your flash drive then extract it to your flash drive.
Open the avenger folder then rename Avenger as the word Nothing.exe before it even hits your desktop.
Then transfer it to the infected computer.
Then follow through with these next instructions.
Let me know how it goes.

1. Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Drivers to unload:
Megadrv3
srosa

Files to delete:
C:\WINDOWS\system32\drivers\hldrrr.exe
C:\WINDOWS\system32\wintems.exe
C:\WINDOWS\system32\mdelk.exe
C:\WINDOWS\system32\drivers\srosa.sys

Folders to delete:
C:\WINDOWS\system32\drivers\down


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply.
  • 0

#13 golfer_guy (Topic Starter, Member, 18 posts)
you are wonderful and so appreciated trying to help me.

I did it without flaw, downloaded to usb and then desktop of bad box.
the second it opened, I saw a quick flash and then "is not a valid win32 appl"
sheeeeeeesh!
dang bug!
  • 0

#14 golfer_guy (Topic Starter, Member, 18 posts)
yipppeee! I got into safemode!

I have been clicking the safeboot.vbs or safeboot.reg off and on, and then when I reboot I got the BSOD.
Was monitoring the registry and found:

It takes three minutes once I have clicked the vbs or reg above for it to disappear in my registry.

So I clicked it, added it to the registry, restart quick, and got into safemode!
It's a lil brighter at the moment *LOL*

It doesn't stay but at least I know now how to get into it, albeit crippled at the moment :)
  • 0

#15 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
Okay we will have to do this manually.
Please make sure to not alter or miss any steps during the following fix, as it will hinder the removal of the malware.
===============================================================================
There should be a fixthis.bat on your desktop still that I had you create in an earlier post.
We will need it in a bit.
If you no longer have it then do this.
Please go to Start > Run and type in Notepad.
Copy what is in the code box below into the open Notepad window.
Change the "Save As Type" to "All Files". Save it as fixthis2.bat on your Desktop.
@Echo off
rem Stop each of the two services the infection installed, then delete its
rem service entry so it is not loaded again on the next boot.
sc stop "Megadrv3"
sc delete "Megadrv3"
sc stop "srosa"
sc delete "srosa"
exit
Don't do anything with this yet.
======================
Please go to Start > Run and type in Notepad.
Copy what is in the code box below into the open Notepad window.
Change the "Save As Type" to "All Files". Save it as Delete.bat on your Desktop.
@Echo off
rem Clear the system, read-only and hidden attributes on each file so del can
rem remove it, then delete it quietly.
attrib -s -r -h "C:\WINDOWS\system32\wintems.exe"
del /q "C:\WINDOWS\system32\wintems.exe"
attrib -s -r -h "C:\Windows\System32\mdelk.exe"
del /q "C:\Windows\System32\mdelk.exe"
attrib -s -r -h "C:\WINDOWS\system32\drivers\srosa.sys"
del /q "C:\WINDOWS\system32\drivers\srosa.sys"
attrib -s -r -h "C:\WINDOWS\system32\drivers\hldrrr.exe"
del /q "C:\WINDOWS\system32\drivers\hldrrr.exe"
rem Clear the attributes on everything inside the down folder (/s /d covers
rem subfolders and the folders themselves) and on the folder, then remove it.
attrib -s -r -h "C:\WINDOWS\system32\drivers\down\*.*" /s /d
attrib -s -r -h "C:\WINDOWS\system32\drivers\down"
rd /q /s "C:\WINDOWS\system32\drivers\down"
exit
Don't do anything with this yet.
===========================
After that please open up Notepad and copy all of the items in the code box below.
Change the "Save As Type" to "All Files". Save it as service.reg on your Desktop.
REGEDIT4

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Megadrv3]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srosa]
Don't do anything with this yet.
===============================
After that boot into safe mode however you can.

Then double click on the Fixthis.bat I had you create in an earlier post.
A window will open and close quickly. This is normal.

After that, double-click service.reg.
A window will come up asking if you want to let it merge with the registry.
Click yes.


Then finally double-click on Delete.bat; a window will open and close quickly. This is normal.
===================================================================
Reboot into normal mode and then go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report

  • 0
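A post-cleanup check that fits after the fixthis.bat, service.reg and Delete.bat steps in this post, and equally after the OTMoveIt2 run in post #5. This is an added example script, not code from this thread and not part of OTMoveIt2, The Avenger, ComboFix or Panda ActiveScan; it only reads the registry and the file system and changes nothing. The file name checkclean.bat is an assumption, as is the choice of SafeBoot keys it looks at (HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal and \Network, the keys Windows needs for a safe mode boot; the thread never shows what safeboot.reg contains, so it may restore something else).

```batch
@echo off
rem checkclean.bat: added read-only check, not part of this thread or of any
rem tool it mentions. Reports whether the services removed by fixthis.bat and
rem service.reg, the files and folder removed by Delete.bat, and the SafeBoot
rem keys needed for safe mode are present. It changes nothing.
rem The file name and the SafeBoot key choice are assumptions.
setlocal enableextensions
set STILL=0

echo === Services removed by fixthis.bat / service.reg ===
for %%S in (Megadrv3 srosa) do (
    reg query "HKLM\SYSTEM\CurrentControlSet\Services\%%S" >nul 2>&1
    if errorlevel 1 (
        echo   not present:   %%S
    ) else (
        echo   STILL PRESENT: %%S
        set STILL=1
    )
)

echo === Files removed by Delete.bat ===
for %%I in ("C:\WINDOWS\system32\drivers\hldrrr.exe" "C:\WINDOWS\system32\wintems.exe" "C:\WINDOWS\system32\mdelk.exe" "C:\WINDOWS\system32\drivers\srosa.sys") do (
    if exist %%I (
        echo   STILL PRESENT: %%~I
        set STILL=1
    ) else (
        echo   not present:   %%~I
    )
)

echo === Folder removed by Delete.bat ===
rem dir /ad succeeds only when the path exists and is a directory.
dir /ad "C:\WINDOWS\system32\drivers\down" >nul 2>&1
if errorlevel 1 (
    echo   not present:   C:\WINDOWS\system32\drivers\down
) else (
    echo   STILL PRESENT: C:\WINDOWS\system32\drivers\down
    set STILL=1
)

echo === SafeBoot keys, see post #14 ===
for %%S in (Minimal Network) do (
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\%%S" >nul 2>&1
    if errorlevel 1 (
        echo   MISSING:       SafeBoot\%%S
        set STILL=1
    ) else (
        echo   present:       SafeBoot\%%S
    )
)

echo.
if "%STILL%"=="1" (
    echo RESULT: something is still present or missing - repeat the removal steps and post this output.
) else (
    echo RESULT: all listed items are gone and the SafeBoot keys are present.
)
endlocal
```

Run it from a command prompt (Start > Run, cmd, then cmd /k checkclean.bat from the Desktop folder) rather than by double-clicking, so the window stays open and the output can be copied into a reply; reg.exe and dir are standard on XP, so nothing extra has to be installed on the infected machine. Any STILL PRESENT line means the matching removal step has to be repeated from safe mode, and a MISSING SafeBoot line matches the safe mode BSOD the thread describes, which went away only after safeboot.reg was re-added.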





