Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

please help [CLOSED]

Started by evilpacker , Jul 04 2008 02:39 PM

This topic is locked

#1
evilpacker

Posted 04 July 2008 - 02:39 PM

New Member

Member
6 posts

I am running windows xp,and have a nasty virus.
i was told to run hijackthis but hjt wont run. i believe the virus is causing this,because my adaware stopped running also.
my webpages are being hijacked half of the time. and my pc is running SLOW.
please could someone advise me what to do?
my virus scan also stopped working,and before it did,i was told that i was 'sending out emails' that i wasnt aware of,so..im confused and fed up, please could someone advise me what to do? or where to start ?

Edited by evilpacker, 04 July 2008 - 02:46 PM.

#2
Essexboy

Posted 04 July 2008 - 02:54 PM

GeekU Moderator

Retired Staff
69,964 posts

OK lets try this for starters

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

If you are using Firefox, make sure that your download settings are as follows:
- Tools->Options->Main tab
- Set to "Always ask me where to Save the files".
During the download, rename Combofix to Combo-Fix as follows:
It is important you rename Combofix during the download, but not after.
Please do not rename Combofix to other names, but only to the one indicated.
Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------
- Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
- Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  
  -----------------------------------------------------------
- Close any open browsers.
- WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
- Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
- If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
-----------------------------------------------------------
Double click on combo-Fix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\Combo-Fix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

#3
evilpacker

Posted 04 July 2008 - 03:33 PM

New Member

Topic Starter
Member
6 posts

i downloaded the fix but it is asking me what program i wish to run it with.

#4
Essexboy

Posted 04 July 2008 - 04:22 PM

GeekU Moderator

Retired Staff
69,964 posts

Could you do the following and then try again

go to C:\Windows\inf\shell.inf and right click on the inf file,
then Click Install. This resets all associations to their default

#5
evilpacker

Posted 05 July 2008 - 12:27 PM

New Member

Topic Starter
Member
6 posts

i tried this and it is asking me which program i wish to use!

#6
Essexboy

Posted 05 July 2008 - 12:39 PM

GeekU Moderator

Retired Staff
69,964 posts

Does this happen with all programmes you try to run, or just security ones ?

I would like you to download the next programme but I would like you to run it from safe mode if it fails to work in normal mode

Download OTScanit to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.

Close ALL OTHER PROGRAMS.
Open the OTScanit folder and double-click on OTScanit.exe to start the program.
Check the box that says Scan All User Accounts
Check the Radio buttons for Files/Folders Created Within 90 Days and Files/Folders Modified Within 90 Days
Under Additional Scans check the following:
- Reg - BotCheck
- File - Additional Folder Scans
- File - Purity Scan
- Evnt - EventViewer Errors/Warnings (last 7 days)
Now click the Run Scan button on the toolbar.
Let it run unhindered until it finishes.
When the scan is complete Notepad will open with the report file loaded in it.
Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Please attach the log in your next post.

To attach a file, do the following:

Click Add Reply
Under the reply panel is the Attachments Panel
Browse for the attachment file you want to upload, then click the green Upload button
Once it has uploaded, click the Manage Current Attachments drop down box
Click on to insert the attachment into your post

#7
Essexboy

Posted 05 July 2008 - 12:41 PM

GeekU Moderator

Retired Staff
69,964 posts

If it asks for the programm to use again browse to C:\windows\system32\command.com

#8
evilpacker

Posted 05 July 2008 - 12:52 PM

New Member

Topic Starter
Member
6 posts

i am running into the same problem with this program. i dont understand how i can get any help if i cant get a scanner working. it continues to ask me which program i want to use.

#9
Essexboy

Posted 05 July 2008 - 01:07 PM

GeekU Moderator

Retired Staff
69,964 posts

OK lets try a visual basic programme

Please RIGHT-CLICK HERE and Save As (in IE it's "Save Target As", in FF it's "Save Link As") to download Silent Runners.

Save it to the desktop.
Run Silent Runner's by doubleclicking the "Silent Runners" icon on your desktop.
You will receive a prompt:
- Do you want to skip supplementary searches?
  click NO
If you receive an error just click OK and double-click it to run it again - sometimes it won't run as it's supposed to the first time but will in subsequent runs.
You will see a text file appear on the desktop - it's not done, let it run (it won't appear to be doing anything!)
Once you receive the prompt All Done!, open the text file on the desktop, copy that entire log, and paste it here.

*NOTE* If you receive any warning message about scripts, please choose to allow the script to run.

Do you have a recovery console installed and can you get into safe mode ?

#10
Essexboy

Posted 05 July 2008 - 01:11 PM

GeekU Moderator

Retired Staff
69,964 posts

Also check out and follow the instructions on this web page to ensure that it is correct http://www.adamsdvds...not_working.php

#11
evilpacker

Posted 05 July 2008 - 01:53 PM

New Member

Topic Starter
Member
6 posts

"Silent Runners.vbs", revision 58, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"Jnskdfmf9eldfd" = "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\csrssc.exe" [file not found]
"[system]" = "C:\WINDOWS\system32\drivers\services.exe" [file not found]
"winlogon" = "C:\Documents and Settings\Administrator\svchost.exe" [file not found]
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"[system]" = "C:\WINDOWS\system32\drivers\services.exe" [file not found]
"winlogon" = "C:\Documents and Settings\Peggy\svchost.exe" [file not found]
"service.exe" = "C:\WINDOWS\system32\service.exe" [file not found]
"C:\WINDOWS\system32\kdhqf.exe" = "C:\WINDOWS\system32\kdhqf.exe" [null data]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"K7SystemTray" = ""C:\Program Files\K7 Computing\Common\K7SysTry.exe"" ["K7 Computing Pvt Ltd"]
"K7TSStart" = ""C:\Program Files\K7 Computing\K7TSecurity\Common\K7TSecurity.exe"" ["K7 Computing Pvt Ltd"]
"007ca80e" = "rundll32.exe "C:\WINDOWS\system32\owcsbrya.dll",b" [MS]
"BM034f9b92" = "Rundll32.exe "C:\WINDOWS\system32\wdmpcfbe.dll",s" [MS]

HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\
<{12d0ed0d-0ee0-4f90-8827-78cefb8f4988}\(Default) = "IE7 Uninstall Stub"
\StubPath = "C:\WINDOWS\system32\ieudinit.exe" [MS]
>{26923b43-4d38-484f-9b9e-de460746276c}\(Default) = "Internet Explorer"
\StubPath = "C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig" [MS]
>{60B49E34-C7CC-11D0-8953-00A0C90347FF}\(Default) = "Browser Customizations"
\StubPath = "RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP" [MS]
>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS\(Default) = "Browser Customizations"
\StubPath = "RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP" [MS]
>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\(Default) = "Outlook Express"
\StubPath = "C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE" [MS]
{2C7339CF-2B09-4501-B3F3-F3508C9228ED}\(Default) = "Themes Setup"
\StubPath = "C:\WINDOWS\system32\regsvr32.exe /s /n /i:/UserInstall C:\WINDOWS\system32\themeui.dll" [MS]
{44BBA840-CC51-11CF-AAFA-00AA00B6015C}\(Default) = "Microsoft Outlook Express 6"
\StubPath = ""C:\Program Files\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install" [MS]
{5945c046-1e7d-11d1-bc44-00c04fd912be}\(Default) = "Windows Messenger 4.7"
\StubPath = "rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser" [MS]
{7790769C-0471-11d2-AF11-00C04FA35D02}\(Default) = "Address Book 6"
\StubPath = ""C:\Program Files\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install" [MS]
{89820200-ECBD-11cf-8B85-00AA005B4340}\(Default) = "Windows Desktop Update"
\StubPath = "regsvr32.exe /s /n /i:U shell32.dll" [MS]
{89820200-ECBD-11cf-8B85-00AA005B4383}\(Default) = "Internet Explorer"
\StubPath = "C:\WINDOWS\system32\ie4uinit.exe -BaseSettings" [MS]
{89B4C1CD-B018-4511-B0A1-5476DBF70820}\(Default) = (no title provided)
\StubPath = "C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{5F0D1F1B-7161-4FC0-9C72-213C146788C1}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\nnnnLfGY.dll" [null data]
{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\khfEVmlk.dll" [null data]
{C5AF49A2-94F3-42BD-F434-2604812C897D}\(Default) = (no title provided)
-> {HKLM...CLSID} = "C:\WINDOWS\system32\jfiehayd.dll"
\InProcServer32\(Default) = "C:\WINDOWS\system32\jfiehayd.dll" [file not found]
{d717b292-951d-4dfc-ad84-e4d3fcce9690}\(Default) = "{0969eccf-3d4e-48da-cfd4-d159292b717d}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\fcsmpu.dll" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {HKLM...CLSID} = "Portable Media Devices Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
-> {HKLM...CLSID} = "DesktopContext Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\NVCPL.DLL" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
-> {HKLM...CLSID} = "NVIDIA CPL Extension"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {HKLM...CLSID} = "Desktop Explorer"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\
<<!>> "{C5AF49A2-94F3-42BD-F434-2604812C897D}" = "jhsf8d984jief8dsfus98jkefn"
-> {HKLM...CLSID} = "C:\WINDOWS\system32\jfiehayd.dll"
\InProcServer32\(Default) = "C:\WINDOWS\system32\jfiehayd.dll" [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}" = "*b" (unwritable string)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\khfEVmlk.dll" [null data]

HKLM\SOFTWA RE\Microsoft\Windows NT\CurrentVersion\Winlogon\
<<!>> "System" = "kdhqf.exe" [null data]

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\
<<!>> "Authentication Packages" = "msv1_0"|"C:\WINDOWS\system32\nnnnLfGY"

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> khfevmlk\DLLName = "khfEVmlk.dll" [null data]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
k7computing.k7avscanner\(Default) = "{FD23B962-BADB-11D7-B0FE-00C026A19B93}"
-> {HKLM...CLSID} = "K7AVPEExplorerExtn Class"
\InProcServer32\(Default) = "C:\Program Files\K7 Computing\K7TSecurity\K7AntiVirus\K7AVSExt.dll" ["K7 Computing Pvt Ltd"]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
k7computing.k7avscanner\(Default) = "{FD23B962-BADB-11D7-B0FE-00C026A19B93}"
-> {HKLM...CLSID} = "K7AVPEExplorerExtn Class"
\InProcServer32\(Default) = "C:\Program Files\K7 Computing\K7TSecurity\K7AntiVirus\K7AVSExt.dll" ["K7 Computing Pvt Ltd"]

Default executables:
--------------------

HKLM\SOFTWARE\Classes\.exe\(Default) = "exefile"
<<!>> HKLM\SOFTWARE\Classes\exefile\shell\open\command\(Default) = "C:\WINDOWS\system32\drivers\services.exe "%1" %*" [file not found]

Group Policies {policy setting}:
--------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoFolderOptions" = (REG_DWORD) dword:0x00000001
{Removes the Folder Options menu item from the Tools menu}

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"DisableRegistryTools" = (REG_DWORD) dword:0x00000001
{Prevent access to registry editing tools}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Devices: Allow undock without having to log on}

HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\

"Disable Config" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "(None)"

Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "%SystemRoot%\System32\logon.scr" [MS]

Windows Portable Device AutoPlay Handlers
-----------------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\

CTPlayAudioOnArrival\
"Provider" = "@C:\Program Files\Creative\MediaSource\CTCMS.CRL,-14345"
"InvokeProgID" = "CTAutoPL.AudioCDPlayer.1"
"InvokeVerb" = "open"
HKLM\SOFTWARE\Classes\CTAutoPL.AudioCDPlayer.1\shell\open\command\(Default) = ""C:\Program Files\Creative\MediaSource\CTCMS.exe" /T=CLASSKEY_AudioCD IN %L PlayNow" ["Creative Technology Ltd"]

TVPPlayDVDMovieOnArrival\
"Provider" = "Total Video Player"
"InvokeProgID" = "totalplayer.dvd"
"InvokeVerb" = "open"
HKLM\SOFTWARE\Classes\totalplayer.dvd\shell\open\command\(Default) = "C:\Program Files\Total Video Converter\tvp.exe -dvd %1" [file not found]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
C:\WINDOWS\system32\K7WSLsp.dll ["K7 Computing Pvt. Ltd."], 01 - 19, 39
%SystemRoot%\system32\mswsock.dll [MS], 20 - 22, 25 - 38
%SystemRoot%\system32\rsvpsp.dll [MS], 23 - 24

Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\
"{D49E9D35-254C-4C6A-9D17-95018D228FF5}" = "Starware"
-> {HKLM...CLSID} = "Starware"
\InProcServer32\(Default) = "C:\Program Files\Starware\bin\Starware.dll" ["Starware"]

Explorer Bars

HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\

HKLM\SOFTWARE\Classes\CLSID\{2D51D869-C36B-42BD-AE68-0A81BC771FA5}\(Default) = "Starware"
Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar]
InProcServer32\(Default) = "C:\Program Files\Starware\bin\Starware.dll" ["Starware"]

HKLM\SOFTWARE\Classes\CLSID\{7BED0340-176B-44BC-915E-C21C1DD6F617}\(Default) = "Starware"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\Program Files\Starware\bin\Starware.dll" ["Starware"]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\

{E2E2DD38-D088-4134-82B7-F2BA38496583}\
"MenuText" = "@xpsp3res.dll,-20001"
"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]

All Non-Disabled Services (Display Name, Service Name, Path {Service DLL}):
---------------------------------------------------------------------------

AOL TopSpeed Monitor, AOL TopSpeedMonitor, "C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe" ["America Online, Inc"]
Application Management, AppMgmt, "C:\WINDOWS\system32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\appmgmts.dll" [file not found]}
ASP.NET State Service, aspnet_state, "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe" [MS]
Creative Service for CDROM Access, Creative Service for CDROM Access, "C:\WINDOWS\system32\CTsvcCDA.EXE" ["Creative Technology Ltd"]
InstallDriver Table Manager, IDriverT, ""C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe"" ["Macrovision Corporation"]
iPod Service, iPod Service, ""C:\Program Files\iPod\bin\iPodService.exe"" [file not found]
K7Computng - EMail Proxy Server, k7emlpxy, "C:\Program Files\K7 Computing\Common\K7EmlPxy.exe" ["K7 Computing Pvt Ltd"]
K7Firewall Services, k7fwsrvc, "C:\Program Files\K7 Computing\K7TSecurity\K7FireWall\K7FWSrvc.exe" ["K7 Computing Pvt Ltd"]
K7Privacy Services, k7pssrvc, "C:\Program Files\K7 Computing\K7TSecurity\K7Privacy\K7PSSrvc.exe" ["K7 Computing Pvt Ltd"]
K7RealTime AntiVirus Services, k7rtscan, "C:\Program Files\K7 Computing\K7TSecurity\K7AntiVirus\K7RTScan.exe" ["K7 Computing Pvt Ltd"]
K7SpmSrc, k7spmsrc, "C:\Program Files\K7 Computing\K7TSecurity\K7AntiSpam\K7SpmSrc.exe" ["K7 Computing Pvt Ltd"]
K7TotalSecurity Manager, k7tsmngr, "C:\Program Files\K7 Computing\K7TSecurity\Common\K7TSMngr.exe" ["K7 Computing Pvt Ltd"]
LexBce Server, LexBceS, "C:\WINDOWS\system32\LEXBCES.EXE" ["Lexmark International, Inc."]
Logical Disk Manager Administrative Service, dmadmin, "C:\WINDOWS\System32\dmadmin.exe /com" ["Microsoft Corp., Veritas Software"]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]
PnkBstrA, PnkBstrA, "C:\WINDOWS\system32\PnkBstrA.exe" [file not found]
Portable Media Serial Number Service, WmdmPmSN, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\system32\MsPMSNSv.dll" [MS]}
Task Scheduler, Schedule, "C:\WINDOWS\system32\drivers\services.exe" [file not found]
Windows Media Connect (WMC), WmcCds, "c:\program files\windows media connect\mswmccds.exe" [MS]
Windows Media Connect (WMC) Helper, WmcCdsLs, "C:\Program Files\Windows Media Connect\mswmcls.exe" [MS]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]
WMI Performance Adapter, WmiApSrv, "C:\WINDOWS\System32\wbem\wmiapsrv.exe" [MS]

Print Monitors:
---------------

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
Lexmark Network Port\Driver = "LEXLMPM.DLL" ["Lexmark International, Inc."]

---------- (launch time: 2008-07-05 15:15:15)
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 94 seconds.
---------- (total run time: 177 seconds)

#12
Essexboy

Posted 05 July 2008 - 04:00 PM

GeekU Moderator

Retired Staff
69,964 posts

OK that let me see the problem now we will try to fix it

This fix is in two parts :

First download this zip file and extract the VBS script to your desktop
Then double click the script file
Do not reboot

[attachment=21879:regtmcmdrestore.zip]

THEN

WARNING these fixes are designed for this user only and may cause damage if run on an uninfected machine

REGISTRY FIX

REGEDIT4

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Jnskdfmf9eldfd"=-
"[system]"=-
"winlogon"=-

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"[system]"=-
"winlogon"=-
"service.exe"=-
"C:\WINDOWS\system32\kdhqf.exe"=-
"007ca80e"=-
"BM034f9b92"=-

[-HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5F0D1F1B-7161-4FC0-9C72-213C146788C1}]

[-HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}]

[-HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5F0D1F1B-7161-4FC0-9C72-213C146788C1}]

[-HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C5AF49A2-94F3-42BD-F434-2604812C897D}]

[-HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d717b292-951d-4dfc-ad84-e4d3fcce9690}]

[-HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{C5AF49A2-94F3-42BD-F434-2604812C897D}]

[-HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}]

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=-

[-HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\iifefCSL]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

Next you will need to create the repair registry fix to do that copy and paste ALL of the above in the quote box to a notepad file. Ensure there is no space above the REGEDIT4.
Then in notepad go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES
Then in the FILE NAME box type fix.reg
This will create a fix.reg file on your desktop Posted Image

To use this file you will need to right click the icon and select merge, accept the warning if it appears and you are done.

NOW TO RESTORE THE exe files

WARNING these fixes are designed for this user only and may cause damage if run on an uninfected machine

REGISTRY FIX

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"

[HKEY_CLASSES_ROOT\.exe\PersistentHandler]
@="{098f2470-bae0-11cd-b579-08002b30bfeb}"

[HKEY_CLASSES_ROOT\exefile]
@="Application"
"EditFlags"=hex:38,07,00,00
"TileInfo"="prop:FileDescription;Company;FileVersion"
"InfoTip"="prop:FileDescription;Company;FileVersion;Create;Size"

[HKEY_CLASSES_ROOT\exefile\DefaultIcon]
@="%1"

[HKEY_CLASSES_ROOT\exefile\shell]

[HKEY_CLASSES_ROOT\exefile\shell\open]
"EditFlags"=hex:00,00,00,00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shell\runas]

[HKEY_CLASSES_ROOT\exefile\shell\runas\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shellex]

[HKEY_CLASSES_ROOT\exefile\shellex\DropHandler]
@="{86C86720-42A0-1069-A2E8-08002B30309D}"

[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers]

[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\PEAnalyser]
@="{09A63660-16F9-11d0-B1DF-004F56001CA7}"

[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\PifProps]
@="{86F19A00-42A0-1069-A2E9-08002B30309D}"

[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\ShimLayer Property Page]
@="{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"

To use this file you will need to right click the icon and select merge, accept the warning if it appears and you are done.

FOLLOWED BY

Please download the OTMoveIt2 by OldTimer.

Save it to your desktop.
Please double-click OTMoveIt2.exe to run it.

Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

C:\WINDOWS\system32\owcsbrya.dll
C:\WINDOWS\system32\wdmpcfbe.dll
C:\WINDOWS\system32\drivers\services.exe
C:\Documents and Settings\Peggy\svchost.exe
C:\WINDOWS\system32\service.exe
C:\Documents and Settings\Administrator\svchost.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\csrssc.exe
C:\WINDOWS\system32\nnnnLfGY.dll
C:\WINDOWS\system32\khfEVmlk.dll
C:\WINDOWS\system32\jfiehayd.dll
C:\WINDOWS\system32\fcsmpu.dll
C:\WINDOWS\system32\jfiehayd.dll
C:\WINDOWS\system32\khfEVmlk.dll
Purity

Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the yellow bar) and choose Paste.
Click the red Moveit! button.
Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close OTMoveIt2

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

#13
Essexboy

Posted 05 July 2008 - 04:42 PM

GeekU Moderator

Retired Staff
69,964 posts

PS if regedit does not run then do the following

Press CTRL-ALT-DEL and open Task Manager. Once there, click File, then hold down the CTRL key and click New Task (Run). This will open a Command Prompt window. Enter REGEDIT.EXE and press Enter.

#14
evilpacker

Posted 05 July 2008 - 05:08 PM

New Member

Topic Starter
Member
6 posts

LoadLibrary failed for C:\WINDOWS\system32\owcsbrya.dll
C:\WINDOWS\system32\owcsbrya.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\owcsbrya.dll scheduled to be moved on reboot.
LoadLibrary failed for C:\WINDOWS\system32\wdmpcfbe.dll
C:\WINDOWS\system32\wdmpcfbe.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\wdmpcfbe.dll scheduled to be moved on reboot.
File/Folder C:\WINDOWS\system32\drivers\services.exe not found.
File/Folder C:\Documents and Settings\Peggy\svchost.exe not found.
File/Folder C:\WINDOWS\system32\service.exe not found.
File/Folder C:\Documents and Settings\Administrator\svchost.exe not found.
File/Folder C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\csrssc.exe not found.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\nnnnLfGY.dll
C:\WINDOWS\system32\nnnnLfGY.dll NOT unregistered.
C:\WINDOWS\system32\nnnnLfGY.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\khfEVmlk.dll
C:\WINDOWS\system32\khfEVmlk.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\khfEVmlk.dll scheduled to be moved on reboot.
File/Folder C:\WINDOWS\system32\jfiehayd.dll not found.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\fcsmpu.dll
C:\WINDOWS\system32\fcsmpu.dll NOT unregistered.
C:\WINDOWS\system32\fcsmpu.dll moved successfully.
File/Folder C:\WINDOWS\system32\jfiehayd.dll not found.
LoadLibrary failed for C:\WINDOWS\system32\khfEVmlk.dll
C:\WINDOWS\system32\khfEVmlk.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\khfEVmlk.dll scheduled to be moved on reboot.
< Purity >

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 07052008_190620

#15
Essexboy

Posted 06 July 2008 - 03:02 AM

GeekU Moderator

Retired Staff
69,964 posts

Excellent now run Combofix and we may see some light at the end of the tunnel

Please visit this web page for instructions for downloading and running ComboFix

http://www.bleepingc...to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet. It is imperative that you install this as it will enable a system recovery in the event of problems

For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. Don't select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.