Numerous infections! please help!
#1 Zachmo (New Member)

I hope someone can help me...
I'm having numerous issues with this PC:
For starters, it opens Internet Explorer when it boots, and also opens the system32 folder. It's very slow, and I keep finding Trojan Vundo.H :)
I have run Malwarebytes and Panda, and now, since it's saying it's clean, I decided to run an HJT log to see if anyone here can possibly help.

Here is the initial Malwarebytes log taken last night. I deleted the infected files, and I ran it again.
The second time it came up clean.

Malwarebytes' Anti-Malware 1.31
Database version: 1565
Windows 5.1.2600 Service Pack 3

12/30/2008 11:45:33 PM
mbam-log-2008-12-30 (23-45-25).txt

Scan type: Full Scan (C:\|)
Objects scanned: 126936
Time elapsed: 4 hour(s), 32 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{514b41c1-5216-8dfb-93e3-6034f855e674} (Trojan.Vundo.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{514b41c1-5216-8dfb-93e3-6034f855e674} (Trojan.Vundo.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{aaf6bd55-8ae9-15d5-7597-d5feccfdf542} (Trojan.Agent) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{8d878be1-0905-01f2-0036-dc98a483aeba} (Trojan.BHO) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{aaf6bd55-8ae9-15d5-7597-d5feccfdf542} (Trojan.Agent) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iexplore.exe (Spyware.Agent) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Internet Explorer\iexplore.exe (Spyware.Agent) -> No action taken.

Here is the HijackThis log from just a moment ago.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:56:18 PM, on 12/31/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\TPSrv.exe
C:\PROGRAM FILES\PANDA SECURITY\PANDA ANTIVIRUS PRO 2009\WebProxy.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PsCtrls.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PavFnSvr.exe
C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PsImSvc.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PskSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\pavsrv51.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\AVENGINE.EXE
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\Firewall\PSHOST.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\nosign.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\APVXDWIN.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PavJobs.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.mountain.net/hsh/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = MountainNet Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.8.0\ViewBarBHO.dll (file missing)
O2 - BHO: (no name) - {daa873d4-958c-453c-81ca-3fe6f3676a87} - C:\WINDOWS\system32:jyaa.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - C:\PROGRA~1\COMMON~1\VERIZO~1\SFP\vzbb.dll (file missing)
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [Nosign_Dual] C:\WINDOWS\nosign.EXE "Dual Mode Camera"
O4 - HKLM\..\Run: [HPHUPD08] C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Security\Panda Antivirus Pro 2009\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Security\Panda Antivirus Pro 2009\Inicio.exe"
O4 - HKLM\..\RunOnce: [MMUpdate] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\UpdtStub.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SB Audigy 2 Startup Menu] /L:ENG
O4 - HKCU\..\Run: [WinMX] C:\Progra~1\WinMX\WinMX.exe -m
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...83/mcinsctl.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalci....1.11_en_dl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,20/mcgdmgr.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Panda Software Controller - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PsCtrls.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Security, S.L. - C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe
O23 - Service: Panda On-Access Anti-Malware Service (PAVSRV) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2009\pavsrv51.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Panda Host Service (PSHost) - Panda Software International - C:\Program Files\Panda Security\Panda Antivirus Pro 2009\Firewall\PSHOST.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Security S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PsImSvc.exe
O23 - Service: Panda PSK service (PskSvcRetail) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PskSvc.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2009\TPSrv.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 9924 bytes

A few things also stick out to me. MountainNet was our old ISP, and has since gone out of business, though our Internet Explorer title bar is still labelled "Posting a new Topic - Geeks to Go! - MountainNet Internet Explorer"?

I'd just like to get this thing caught up... something's got it bogged down.

Thank you very much for any way you can assist.
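As an added example (not part of the original post, and not code from HijackThis or any of the tools named in this thread), the following Python script applies the kind of triage a helper does by eye on a HijackThis log: it parses the O2/O3 (BHO and toolbar) and O4 (Run key) lines and flags the three patterns that matter in the log above: an entry registered with no backing file, a BHO whose path names an NTFS alternate data stream (the colon after `system32`), and a Run entry whose executable is either a bare file name resolved through the search path or sits directly in `%SystemRoot%` rather than in a product folder. The sample lines are copied from the log above; the scoring rules are this example's own heuristics, not a published detection signature.

```python
"""Heuristic triage of HijackThis O2/O3/O4 lines (added example, own heuristics)."""
import re

# Sample lines copied from the HijackThis log in this thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {daa873d4-958c-453c-81ca-3fe6f3676a87} - C:\WINDOWS\system32:jyaa.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Nosign_Dual] C:\WINDOWS\nosign.EXE "Dual Mode Camera"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

ORPHAN_MARKERS = ("(no file)", "(file missing)")

# O2 - BHO: <name> - {<clsid>} - <path>     /     O3 - Toolbar: <name> - {<clsid>} - <path>
_BHO_RE = re.compile(
    r"^O(?P<kind>[23]) - (?:BHO|Toolbar): (?P<name>.*?) - "
    r"\{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
# O4 - <hive>\..\Run: [<value name>] <command line>
_RUN_RE = re.compile(
    r"^O4 - (?P<hive>.+?)\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


def _executable(cmd):
    """First token of a Run command line, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def _run_reasons(exe):
    reasons = []
    if "\\" not in exe:
        # No directory: Windows resolves it through the search path, so a
        # same-named file dropped earlier in the path wins.
        reasons.append("bare executable name, resolved through the search path")
    else:
        directory = exe.rsplit("\\", 1)[0].rstrip("\\").lower()
        if directory in ("c:\\windows", "%systemroot%"):
            reasons.append("executable placed directly in %SystemRoot%")
    return reasons


def _bho_reasons(path):
    reasons = []
    clean = path
    for marker in ORPHAN_MARKERS:
        if marker in clean:
            reasons.append("registered but backing file is missing")
            clean = clean.replace(marker, "").strip()
            break
    # A colon inside the last path component (not the drive letter) means the
    # DLL lives in an alternate data stream, e.g. system32:jyaa.dll.
    last = clean.rsplit("\\", 1)[-1]
    if clean and ":" in last:
        reasons.append("path names an NTFS alternate data stream")
    return reasons


def triage(log_text):
    """Return a list of {kind, id, target, reasons} for every suspicious line."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = _BHO_RE.match(line)
        if m:
            reasons = _bho_reasons(m["path"])
            if reasons:
                findings.append({"kind": "O" + m["kind"], "id": m["clsid"],
                                 "target": m["path"], "reasons": reasons})
            continue
        m = _RUN_RE.match(line)
        if m:
            exe = _executable(m["cmd"])
            reasons = _run_reasons(exe)
            if reasons:
                findings.append({"kind": "O4", "id": m["name"],
                                 "target": exe, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['kind']} [{f['id']}] {f['target']}")
        for r in f["reasons"]:
            print("    -", r)
```

On the sample above the script flags the two orphaned BHO/toolbar CLSIDs, the `system32:jyaa.dll` stream, `CTHELPER.EXE` (bare name) and `nosign.EXE` (in `C:\WINDOWS`), and leaves the Acrobat, iTunes and ctfmon entries alone. A bare-name or `%SystemRoot%` hit is a reason to look, not proof of infection: Creative's `CTHELPER.EXE` is legitimate, which is why the helper in this thread asked for a deeper scan before acting.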
#2 Essexboy (GeekU Moderator, Retired Staff)

Hi, I can see a few elements that need removal, but I would like to do a deep scan and kill as much as possible in one go.

To ensure that I get all the information, this log will need to be attached (instructions at the end); if it is too large to attach, then upload it to Mediafire and post the sharing link.

Download OTScanit2 to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.
  • Close ALL OTHER PROGRAMS.
  • Open the OTScanit folder and double-click on OTScanit.exe to start the program.
  • Check the box that says Scan All Users
  • Check the Radio button for Rootkit check YES
  • Under Additional Scans check the following:
    • File - Lop Check
    • File - Purity Scan
    • Evnt - EventViewer Errors/Warnings (last 10)
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Please attach the log in your next post.

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on Posted Image to insert the attachment into your post

#3 Zachmo (Topic Starter)

Here it is...
Thanks again.

Attached Files
#4 Essexboy (GeekU Moderator, Retired Staff)

I thought so, you have a few ADS there.

Start OTScanit. Copy/Paste the information in the quotebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Unregister Dlls]
[Processes - Safe List]
YY -> nosign.exe -> %SystemRoot%\nosign.exe
[Driver Services - Safe List]
YY -> (ASFWHide) ASFWHide [Kernel | On_Demand | Stopped] -> %UserProfile%\Local Settings\Temp\ASFWHide
[Registry - Safe List]
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} [HKLM] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YY -> {daa873d4-958c-453c-81ca-3fe6f3676a87} [HKLM] -> %SystemRoot%\system32 [Reg Error: Value  does not exist or could not be read.]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> "Nosign_Dual" -> %SystemRoot%\nosign.exe [C:\WINDOWS\nosign.EXE "Dual Mode Camera"]
[Files/Folders - Modified Within 30 Days]
NY -> uoilqowfT.dll -> %UserProfile%\Local Settings\Temp\uoilqowfT.dll
[Alternate Data Streams]
NY -> @Alternate Data Stream - 11736 bytes -> %SystemRoot%\dahotfix.log:ygjzbg
NY -> @Alternate Data Stream - 11736 bytes -> %SystemRoot%\KB873339.log:mvsvvk
NY -> @Alternate Data Stream - 11736 bytes -> %SystemRoot%\ocmsn.log:hngpuk
NY -> @Alternate Data Stream - 11736 bytes -> %SystemRoot%\Palace.reg:tgixpb
NY -> @Alternate Data Stream - 11736 bytes -> %SystemRoot%\Q810833.log:msbxmi
NY -> @Alternate Data Stream - 11736 bytes -> %SystemRoot%\Santa Fe Stucco.bmp:djspiy
NY -> @Alternate Data Stream - 3567 bytes -> %SystemRoot%\Gone Fishing.bmp:jhusyb
NY -> @Alternate Data Stream - 3567 bytes -> %SystemRoot%\ocmsn.log:ipotuh
NY -> @Alternate Data Stream - 3567 bytes -> %SystemRoot%\Q329048.log:sprarw
NY -> @Alternate Data Stream - 3567 bytes -> %SystemRoot%\Q329441.log:ehtqlo
NY -> @Alternate Data Stream - 3567 bytes -> %SystemRoot%\Q817606.log:xuehiv
NY -> @Alternate Data Stream - 3567 bytes -> %SystemRoot%\setup.log:odviet
NY -> @Alternate Data Stream - 9237 bytes -> %SystemRoot%\DtcInstall.log:qgcner
NY -> @Alternate Data Stream - 9237 bytes -> %SystemRoot%\Palace.reg:zozvom
NY -> @Alternate Data Stream - 9237 bytes -> %SystemRoot%\Q329115.log:mhbljm
NY -> @Alternate Data Stream - 9237 bytes -> %SystemRoot%\Q814033.log:etucot
NY -> @Alternate Data Stream - 9237 bytes -> %SystemRoot%\sessmgr.setup.log:vkkcki
[CatchMe Rootkit Scan by GMER]
NY -> C:\WINDOWS\ocmsn.log:hngpuk 11736 bytes -> 
NY -> C:\WINDOWS\ocmsn.log:ipotuh 3567 bytes -> 
NY -> C:\WINDOWS\Gone Fishing.bmp:jhusyb 3567 bytes -> 
NY -> C:\WINDOWS\Santa Fe Stucco.bmp:djspiy 11736 bytes -> 
NY -> C:\WINDOWS\sessmgr.setup.log:vkkcki 9237 bytes -> 
NY -> C:\WINDOWS\setup.log:odviet 3567 bytes -> 
NY -> C:\WINDOWS\dahotfix.log:ygjzbg 11736 bytes -> 
NY -> C:\WINDOWS\DtcInstall.log:qgcner 9237 bytes -> 
NY -> C:\WINDOWS\Q329048.log:sprarw 3567 bytes -> 
NY -> C:\WINDOWS\Q329115.log:mhbljm 9237 bytes -> 
NY -> C:\WINDOWS\Q329441.log:ehtqlo 3567 bytes -> 
NY -> C:\WINDOWS\Q810833.log:msbxmi 11736 bytes -> 
NY -> C:\WINDOWS\Q814033.log:etucot 9237 bytes -> 
NY -> C:\WINDOWS\Q817606.log:xuehiv 3567 bytes -> 
NY -> C:\WINDOWS\KB873339.log:mvsvvk 11736 bytes -> 
NY -> C:\WINDOWS\Palace.reg:tgixpb 11736 bytes -> 
NY -> C:\WINDOWS\Palace.reg:zozvom 9237 bytes -> 
[Empty Temp Folders]

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new Hijackthis log.

I will review the information when it comes back in.

THEN

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.
#5 Zachmo (Topic Starter)

Hi

I pasted the fix into OTScanIt, and after a short while received an error stating something to the effect of:
"cannot delete system32 file. It is a folder required for windows to run"

After I clicked "ok" the fix continued, and stated it was emptying the temporary folders.

After that OTScanIt froze. In the OTScanIt2 folder there is a new log file, but I cannot access it; it is saying I may not have the appropriate permissions to access the item. I believe it's because the program is still running.

:)

I've left OTScanIt2 running should something change, or a log pop up...but it's been that way for about 30 minutes and I am unable to close the program.
I will let it be, in hopes that when I wake up tomorrow, I will have a nice log to post.

Thanks
Zachmo
#6 Zachmo (Topic Starter)

Well, this morning I rebooted, and got the blue screen of death stating:
Beginning of physical memory dump

I can't start Windows. (I am on another notebook now.)

HELP!

#7 Essexboy (GeekU Moderator, Retired Staff)

OK, that should not have happened.
Can you access safe mode or last known good?

#8 Zachmo (Topic Starter)

No. I can't.
I get the "loading windows" screen with the progress bar, then it goes black, then a blue screen comes up saying what I've stated.
I tried restarting in safe mode, and after it asks what I wish to start in safe mode, I select it and it goes black, and then blue again...

#9 Essexboy (GeekU Moderator, Retired Staff)

Do you have your CD to try a repair install?

#10 Zachmo (Topic Starter)

No, I don't... This is a Dell from 2003, and has mostly resided at my parents' house. There is no rescue disk to be found.

#11 Essexboy (GeekU Moderator, Retired Staff)

Are you able to borrow a CD? It appears that this virus has affected the way the system runs, either by changing the file deletion parameters or by making itself essential to the start process.

#12 Zachmo (Topic Starter)

Well, my father has contacted a friend of his who is a PC tech, and within the past hour he has been trying various methods to see if anything is salvageable. He has left, but will be returning with a Windows 2000 startup disk, as well as an additional hard drive. He says that it might be possible to save the photos etc. on the PC, but he's not sure. I truthfully have no idea what he has in store, but he does all of the technical work for the city's administrative computers, so he certainly has the credentials... He tried explaining to me what he was going to do, but of course, it's all over my head.
What makes all of this even better, is that it's all my fault. :)

Edited by Zachmo, 01 January 2009 - 02:02 PM.

#13 Essexboy (GeekU Moderator, Retired Staff)

Could you keep me informed of progress please, as we may be able to recover something if he just does a repair install.

#14 Zachmo (Topic Starter)

The only person who's going to be able to do anything to this PC now is the technician. If my father saw me sit down to try something else, I'm pretty sure he'd blow a gasket. He's getting older, and pretty much uses the PC to surf the web, and feels an assurance in someone near his own age that he knows does this for a living - that can sit (in the same room) and talk him through what's happening, or what has happened...

His view is: what was a working computer (to him) turned into something that doesn't work at all overnight, because his son had explained he was going to "fix" it and took the advice from "someone on the internet".
The next morning he wakes up and finds that everything is fubar'd and he's going to have to pay someone to fix it.
I don't mean to come off the wrong way, but this is how it is on my end of the spectrum. I do appreciate you taking the time to try and help me, and I will keep you updated as to what happens. I just doubt I will be able to sit down at the "home" pc for a while...or unless he leaves the house.

Can you explain what may've happened?
#15 Essexboy (GeekU Moderator, Retired Staff)

Some viruses attach themselves as additional data streams to folders; when I delete the ADS, in normal cases the system is OK. But in very rare cases the virus will change the deletion code and attempt to fool the removal programmes into deleting the system32 folder. All of our programmes have safety features to prevent that happening, as stated by OTScanIt:

"cannot delete system32 file. It is a folder required for windows to run"

However, it appears to have circumvented that. In the normal course of things a system repair would have cured the problem and I could have approached it from a different direction, but as you had no disc, that became a non-starter.
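The fix script in post #4 and the explanation in post #15 both turn on NTFS alternate data streams: a second, named byte stream attached to an ordinary file (`ocmsn.log:hngpuk`), invisible to Explorer and `dir`, but loadable as a DLL. The Python below is an added example and is not code from this thread, from OTScanIt or from GMER. `list_streams()` wraps the Win32 `FindFirstStreamW`/`FindNextStreamW` calls through `ctypes`, so it only runs on Windows (it raises elsewhere); `cluster_ads()` parses the `@Alternate Data Stream - N bytes -> host:stream` lines from the fix above, grouped by size, which is how you can see that three payloads (11736, 3567 and 9237 bytes) were copied under random stream names onto seventeen harmless hotfix logs, wallpapers and a `.reg` file. `SAMPLE_LISTING` is copied from the fix posted above; the `win.ini` path in the demo is just an assumed example file.

```python
"""NTFS alternate data streams: enumerate on Windows, and cluster an OTScanIt listing.
Added example; the ctypes wrapper is Windows-only, the parser runs anywhere."""
import ctypes
import re
import sys
from collections import defaultdict


class _WIN32_FIND_STREAM_DATA(ctypes.Structure):
    # LARGE_INTEGER StreamSize; WCHAR cStreamName[MAX_PATH + 36]
    _fields_ = [("StreamSize", ctypes.c_longlong),
                ("cStreamName", ctypes.c_wchar * (260 + 36))]


def list_streams(path):
    """Return [(stream_name, size)] for every stream of `path` (Windows only).
    The unnamed data stream is reported as '::$DATA', an ADS as ':name:$DATA'."""
    if sys.platform != "win32":
        raise OSError("FindFirstStreamW is only available on Windows")
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.FindFirstStreamW.argtypes = [ctypes.c_wchar_p, ctypes.c_int,
                                     ctypes.c_void_p, ctypes.c_uint32]
    k32.FindFirstStreamW.restype = ctypes.c_void_p
    k32.FindNextStreamW.argtypes = [ctypes.c_void_p, ctypes.c_void_p]
    k32.FindNextStreamW.restype = ctypes.c_int
    k32.FindClose.argtypes = [ctypes.c_void_p]
    invalid = ctypes.c_void_p(-1).value          # INVALID_HANDLE_VALUE
    data = _WIN32_FIND_STREAM_DATA()
    handle = k32.FindFirstStreamW(path, 0, ctypes.byref(data), 0)  # 0 = FindStreamInfoStandard
    if handle is None or handle == invalid:
        raise ctypes.WinError(ctypes.get_last_error())
    streams = []
    try:
        while True:
            streams.append((data.cStreamName, data.StreamSize))
            if not k32.FindNextStreamW(handle, ctypes.byref(data)):
                break                            # ERROR_HANDLE_EOF: no more streams
    finally:
        k32.FindClose(handle)
    return streams


# "... @Alternate Data Stream - 11736 bytes -> %SystemRoot%\dahotfix.log:ygjzbg"
_ADS_LINE = re.compile(
    r"@Alternate Data Stream - (?P<size>\d+) bytes -> (?P<host>.+?):(?P<stream>[^:\\]+)\s*$")


def cluster_ads(listing):
    """Group OTScanIt ADS lines by payload size: {size: [(host_file, stream_name), ...]}."""
    clusters = defaultdict(list)
    for line in listing.splitlines():
        m = _ADS_LINE.search(line)
        if m:
            clusters[int(m["size"])].append((m["host"], m["stream"]))
    return dict(clusters)


def multi_stream_hosts(clusters):
    """Host files that carry more than one planted stream."""
    count = defaultdict(int)
    for entries in clusters.values():
        for host, _ in entries:
            count[host] += 1
    return {host for host, n in count.items() if n > 1}


# Copied from the OTScanIt fix in this thread.
SAMPLE_LISTING = r"""
NY -> @Alternate Data Stream - 11736 bytes -> %SystemRoot%\dahotfix.log:ygjzbg
NY -> @Alternate Data Stream - 11736 bytes -> %SystemRoot%\KB873339.log:mvsvvk
NY -> @Alternate Data Stream - 11736 bytes -> %SystemRoot%\ocmsn.log:hngpuk
NY -> @Alternate Data Stream - 11736 bytes -> %SystemRoot%\Palace.reg:tgixpb
NY -> @Alternate Data Stream - 11736 bytes -> %SystemRoot%\Q810833.log:msbxmi
NY -> @Alternate Data Stream - 11736 bytes -> %SystemRoot%\Santa Fe Stucco.bmp:djspiy
NY -> @Alternate Data Stream - 3567 bytes -> %SystemRoot%\Gone Fishing.bmp:jhusyb
NY -> @Alternate Data Stream - 3567 bytes -> %SystemRoot%\ocmsn.log:ipotuh
NY -> @Alternate Data Stream - 3567 bytes -> %SystemRoot%\Q329048.log:sprarw
NY -> @Alternate Data Stream - 3567 bytes -> %SystemRoot%\Q329441.log:ehtqlo
NY -> @Alternate Data Stream - 3567 bytes -> %SystemRoot%\Q817606.log:xuehiv
NY -> @Alternate Data Stream - 3567 bytes -> %SystemRoot%\setup.log:odviet
NY -> @Alternate Data Stream - 9237 bytes -> %SystemRoot%\DtcInstall.log:qgcner
NY -> @Alternate Data Stream - 9237 bytes -> %SystemRoot%\Palace.reg:zozvom
NY -> @Alternate Data Stream - 9237 bytes -> %SystemRoot%\Q329115.log:mhbljm
NY -> @Alternate Data Stream - 9237 bytes -> %SystemRoot%\Q814033.log:etucot
NY -> @Alternate Data Stream - 9237 bytes -> %SystemRoot%\sessmgr.setup.log:vkkcki
"""

if __name__ == "__main__":
    clusters = cluster_ads(SAMPLE_LISTING)
    for size, entries in sorted(clusters.items()):
        hosts = ", ".join(h.rsplit("\\", 1)[-1] for h, _ in entries)
        print(f"{size:6d} bytes x{len(entries)}: {hosts}")
    print("hosts carrying more than one stream:", sorted(multi_stream_hosts(clusters)))
    if sys.platform == "win32":
        print(list_streams(r"C:\Windows\win.ini"))   # assumed example file
```

The clustering is the useful signal: identical sizes across unrelated host files mean one payload planted many times, so removing only the copy that a BHO currently points to (the `system32:jyaa.dll` entry in the HijackThis log) leaves the rest in place. The enumeration side is the check to run before deleting anything: on a healthy system the only stream on a hotfix log is `::$DATA`, so any extra `:name:$DATA` entry under `%SystemRoot%` is worth a look. Deleting a stream, when you do it, must target the stream (`host:name`), never the host file, and certainly never a directory such as `system32`.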