This topic is locked
No Desktop Icons, Disabled Task Mgr & Regedit [Solved]
Started by
Neil Bradley
, Feb 11 2009 09:15 PM
#46
Posted 24 February 2009 - 09:16 PM
fenzodahl512
-
- Malware Removal
-
- 9,863 posts
#47
Posted 25 February 2009 - 12:09 AM
Neil Bradley
- Topic Starter
-
- Member
-
- 39 posts
Member
I was unable to get at the three files to send them.
During my attempt to find them, I discovered that the "Folder Options" was missing from tools. I fixed the registry entry for that -- and enabled view system/hidden for all folders on HD. The thee files were not visible.
I opened a CMD prompt and attempted to manually change the attributes by attrib -s -h (filename). however I received the error: Attrib is not recognized as an internal or external command.
I then booted the computer with XP CD into recovery console.
I was able to see the files with the dir using a wildcard, and all three were visible with the "a" showing as the only attribute.
I attempted to copy the files to another place on the HD, but I kept getting "file not found".
I gave up after several attempts and ran the Avenger script. Here is the log:
Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com
Platform: Windows XP
*******************
Script file opened successfully.
Script file read successfully.
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
Rootkit scan active.
Hidden driver "47aaaf6d92c8ebd89214fdb63e98a321" found!
DisplayName: 47aaaf6d92c8ebd89214fdb63e98a321
ImagePath: system32\47aaaf6d92c8ebd89214fdb63e98a321.sys
Start Type: 4 (Disabled)
Rootkit scan completed.
Driver "47aaaf6d92c8ebd89214fdb63e98a321" disabled successfully.
Driver "47aaaf6d92c8ebd89214fdb63e98a321" deleted successfully.
File "C:\47aaaf6d92c8ebd89214fdb63e98a321.zip" deleted successfully.
File "C:\WINDOWS\system32\47aaaf6d92c8ebd89214fdb63e98a321.sys" deleted successfully.
Error: file "C:\WINDOWS\system32\nezogeju.dll" not found!
Deletion of file "C:\WINDOWS\system32\nezogeju.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "C:\WINDOWS\System32\dataclen32.dll" not found!
Deletion of file "C:\WINDOWS\System32\dataclen32.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "C:\WINDOWS\System32\sqkmlx.dll" not found!
Deletion of file "C:\WINDOWS\System32\sqkmlx.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "C:\WINDOWS\System32\owekvkop.dll" not found!
Deletion of file "C:\WINDOWS\System32\owekvkop.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Completed script processing.
*******************
Finished! Terminate.
<><><><>><>
Question on the UBCD: when I boot from the UBCD, there are a lot of menus. I have chosen the "boot from first HD" option, and am now scanning the Dr.Web program. I will post results in the morning my time.
Neil
During my attempt to find them, I discovered that the "Folder Options" was missing from tools. I fixed the registry entry for that -- and enabled view system/hidden for all folders on HD. The thee files were not visible.
I opened a CMD prompt and attempted to manually change the attributes by attrib -s -h (filename). however I received the error: Attrib is not recognized as an internal or external command.
I then booted the computer with XP CD into recovery console.
I was able to see the files with the dir using a wildcard, and all three were visible with the "a" showing as the only attribute.
I attempted to copy the files to another place on the HD, but I kept getting "file not found".
I gave up after several attempts and ran the Avenger script. Here is the log:
Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com
Platform: Windows XP
*******************
Script file opened successfully.
Script file read successfully.
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
Rootkit scan active.
Hidden driver "47aaaf6d92c8ebd89214fdb63e98a321" found!
DisplayName: 47aaaf6d92c8ebd89214fdb63e98a321
ImagePath: system32\47aaaf6d92c8ebd89214fdb63e98a321.sys
Start Type: 4 (Disabled)
Rootkit scan completed.
Driver "47aaaf6d92c8ebd89214fdb63e98a321" disabled successfully.
Driver "47aaaf6d92c8ebd89214fdb63e98a321" deleted successfully.
File "C:\47aaaf6d92c8ebd89214fdb63e98a321.zip" deleted successfully.
File "C:\WINDOWS\system32\47aaaf6d92c8ebd89214fdb63e98a321.sys" deleted successfully.
Error: file "C:\WINDOWS\system32\nezogeju.dll" not found!
Deletion of file "C:\WINDOWS\system32\nezogeju.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "C:\WINDOWS\System32\dataclen32.dll" not found!
Deletion of file "C:\WINDOWS\System32\dataclen32.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "C:\WINDOWS\System32\sqkmlx.dll" not found!
Deletion of file "C:\WINDOWS\System32\sqkmlx.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "C:\WINDOWS\System32\owekvkop.dll" not found!
Deletion of file "C:\WINDOWS\System32\owekvkop.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Completed script processing.
*******************
Finished! Terminate.
<><><><>><>
Question on the UBCD: when I boot from the UBCD, there are a lot of menus. I have chosen the "boot from first HD" option, and am now scanning the Dr.Web program. I will post results in the morning my time.
Neil
#48
Posted 25 February 2009 - 05:06 AM
Neil Bradley
- Topic Starter
-
- Member
-
- 39 posts
Member
It's an 80GB hard drive, w/about 5GB free. Most of the drive is filled with music files. Only the one partition.
Dr. Web is still scanning as of 5:05am on Wed. I think it will be done in about 2 hours.
Neil
Dr. Web is still scanning as of 5:05am on Wed. I think it will be done in about 2 hours.
Neil
Edited by Neil Bradley, 25 February 2009 - 05:08 AM.
#49
Posted 25 February 2009 - 05:09 AM
fenzodahl512
-
- Malware Removal
-
- 9,863 posts
During my attempt to find them, I discovered that the "Folder Options" was missing from tools. I fixed the registry entry for that -- and enabled view system/hidden for all folders on HD. The thee files were not visible.
I opened a CMD prompt and attempted to manually change the attributes by attrib -s -h (filename). however I received the error: Attrib is not recognized as an internal or external command.
I then booted the computer with XP CD into recovery console.
I was able to see the files with the dir using a wildcard, and all three were visible with the "a" showing as the only attribute.
I attempted to copy the files to another place on the HD, but I kept getting "file not found".
I'm impressed with your depth of knowledge
The reason you cannot find those files normally is because they are rootkit.. I'm not sure why cmd doesn't recognize "attrib" function.. Maybe we will need another "repair install:
Oh, this Virut thingy is very-very nasty one.. While I was doing some research on this Virut thingy, I found some of the interesting article and posts about it.. Feel free to have a view
http://www.malwareby...p...ost&p=58063
http://miekiemoes.bl...s-throwing.html
http://securitylabs....Blogs/3300.aspx
#50
Posted 25 February 2009 - 09:53 AM
Neil Bradley
- Topic Starter
-
- Member
-
- 39 posts
Member
Here is the Dr. Web scan from UBCD mode. Starting the scan in normal boot. Let's see what we got.
Thanks for the info and the compliment. I should say the same for you -- a very impressive depth of knowledge on this virus stuff
Neil
c.bat;C:\32788R22FWJFW;Probably BATCH.Virus;Incurable.Moved.;
psexec.cfexe;C:\32788R22FWJFW;Program.PsExec.171;Incurable.Moved.;
ComboFix.exe/data002\32788R22FWJFW\c.bat;C:\Documents and Settings\Frank.HAPPYGOLUCKY\Desktop\ComboFix.exe/data002;Probably BATCH.Virus;;
ComboFix.exe/data002\32788R22FWJFW\psexec.cfexe;C:\Documents and Settings\Frank.HAPPYGOLUCKY\Desktop\ComboFix.exe/data002;Program.PsExec.171;;
data002;C:\Documents and Settings\Frank.HAPPYGOLUCKY\Desktop;Archive contains infected objects;;
ComboFix.exe;C:\Documents and Settings\Frank.HAPPYGOLUCKY\Desktop;Container contains infected objects;Moved.;
Thanks for the info and the compliment. I should say the same for you -- a very impressive depth of knowledge on this virus stuff
Neil
c.bat;C:\32788R22FWJFW;Probably BATCH.Virus;Incurable.Moved.;
psexec.cfexe;C:\32788R22FWJFW;Program.PsExec.171;Incurable.Moved.;
ComboFix.exe/data002\32788R22FWJFW\c.bat;C:\Documents and Settings\Frank.HAPPYGOLUCKY\Desktop\ComboFix.exe/data002;Probably BATCH.Virus;;
ComboFix.exe/data002\32788R22FWJFW\psexec.cfexe;C:\Documents and Settings\Frank.HAPPYGOLUCKY\Desktop\ComboFix.exe/data002;Program.PsExec.171;;
data002;C:\Documents and Settings\Frank.HAPPYGOLUCKY\Desktop;Archive contains infected objects;;
ComboFix.exe;C:\Documents and Settings\Frank.HAPPYGOLUCKY\Desktop;Container contains infected objects;Moved.;
#51
Posted 25 February 2009 - 04:24 PM
fenzodahl512
-
- Malware Removal
-
- 9,863 posts
Looks good..waiting the next scan result
#52
Posted 25 February 2009 - 05:21 PM
Neil Bradley
- Topic Starter
-
- Member
-
- 39 posts
Member
Scan finished.
Note that drive D: is the CD-R.
Combo-Fix.exe/data002\32788R22FWJFW\c.bat;D:\Combo-Fix.exe/data002;Probably BATCH.Virus;;
Combo-Fix.exe/data002\32788R22FWJFW\psexec.cfexe;D:\Combo-Fix.exe/data002;Program.PsExec.171;;
data002;D:\;Archive contains infected objects;;
Combo-Fix.exe;D:\;Container contains infected objects;Moved.;
ComboFix.exe/data002\32788R22FWJFW\c.bat;D:\ComboFix.exe/data002;Probably BATCH.Virus;;
ComboFix.exe/data002\32788R22FWJFW\psexec.cfexe;D:\ComboFix.exe/data002;Program.PsExec.171;;
data002;D:\;Archive contains infected objects;;
ComboFix.exe;D:\;Container contains infected objects;Moved.;
Computer has not yet been rebooted after this scan.
Neil
Note that drive D: is the CD-R.
Combo-Fix.exe/data002\32788R22FWJFW\c.bat;D:\Combo-Fix.exe/data002;Probably BATCH.Virus;;
Combo-Fix.exe/data002\32788R22FWJFW\psexec.cfexe;D:\Combo-Fix.exe/data002;Program.PsExec.171;;
data002;D:\;Archive contains infected objects;;
Combo-Fix.exe;D:\;Container contains infected objects;Moved.;
ComboFix.exe/data002\32788R22FWJFW\c.bat;D:\ComboFix.exe/data002;Probably BATCH.Virus;;
ComboFix.exe/data002\32788R22FWJFW\psexec.cfexe;D:\ComboFix.exe/data002;Program.PsExec.171;;
data002;D:\;Archive contains infected objects;;
ComboFix.exe;D:\;Container contains infected objects;Moved.;
Computer has not yet been rebooted after this scan.
Neil
#53
Posted 25 February 2009 - 06:25 PM
fenzodahl512
-
- Malware Removal
-
- 9,863 posts
Looks awesome.. Now, reboot the computer and use it for a couple of days.. Then tell me, how its going..
But first of all, tell me, what antivirus and firewall that you use in the computer?
But first of all, tell me, what antivirus and firewall that you use in the computer?
#54
Posted 25 February 2009 - 07:41 PM
Neil Bradley
- Topic Starter
-
- Member
-
- 39 posts
Member
We still have some work to do 
When trying to surf the web, whenever I navigate from the home page, all subsequent pages go completely white uner the toolbars for about 20 seconds. There is a 'beep' from the PC speaker, and the webpage trys to reload.
I have installed and ran a hijack this scan. Log is below.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:38:44 PM, on 2/25/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SE...S01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SE...S01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.geekstogo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://toolbar.inbox...aspx?tbid=80205
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://toolbar.inbox...aspx?tbid=80205
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SE...S01?FORM=TOOLBR
R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
R3 - URLSearchHook: (no name) - - (no file)
R3 - URLSearchHook: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll (file missing)
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: C:\WINDOWS\system32\hsfd83jfdg.dll - {C5BF49A2-94F3-42BD-F434-3604812C8955} - C:\WINDOWS\system32\hsfd83jfdg.dll (file missing)
O2 - BHO: (no name) - {D44F5994-A1A9-47F1-BE84-C6A38F36FFB0} - C:\WINDOWS\system32\yayyXNGW.dll (file missing)
O3 - Toolbar: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll (file missing)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: The retnsrp - {CC304A4D-FC79-4CD3-9A67-46E3AF59319D} - C:\WINDOWS\retnsrp.dll (file missing)
O3 - Toolbar: (no name) - {90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - (no file)
O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [spywareguard] C:\Program Files\Spyware Guard 2008\spywareguard.exe
O4 - HKLM\..\Run: [wclock] "C:\Documents and Settings\TEMP.FAMILY_COMPUTER.004\Application Data\Google\yfijv17721328.exe" 2
O4 - HKLM\..\Run: [jsf8uiw3jnjgffght] C:\WINDOWS\TEMP\winlognn.exe
O4 - HKCU\..\Run: [msnmsgr] ~"C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Trust Cleaner] "C:\Program Files\Trust Cleaner\Trust Cleaner.exe"
O4 - HKCU\..\Run: [TrustIn Popups] "C:\Program Files\TrustIn Popups\TrustInPopups.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [XP Antivirus] C:\Program Files\XP Antivirus\xpa.exe
O4 - HKCU\..\Run: [WeatherDPA] "C:\Program Files\Zango\bin\10.3.36.0\Weather.exe" -auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [nepifadisi] Rundll32.exe "C:\WINDOWS\system32\dapavama.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [jsf8uiw3jnjgffght] C:\WINDOWS\TEMP\winlognn.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [jsf8uiw3jnjgffght] C:\WINDOWS\TEMP\winlognn.exe (User 'Default user')
O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Search - http://edits.mywebse...?p=ZSYYYYYYOHUS
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} (CPlayFirstDinerDash2Control Object) - http://zone.msn.com/...h2.1.0.0.68.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1188662825063
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1188662933189
O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} (TSEasyInstallX Control) - http://www.trendsecu...asyInstallX.CAB
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...ro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://games.myspace...ronGameHost.cab
O16 - DPF: {D1548A26-B8F6-4E86-AE74-E7062CCC2E2A} (igLoader Content on Demand) - http://www.miniclip....er/igloader.CAB
O16 - DPF: {FC4CAF5F-91BD-4DD9-ADC1-F3C737E37BC4} (CPlayFirstSweetopiaControl Object) - http://zone.msn.com/...ia.1.0.0.46.cab
O20 - Winlogon Notify: 682e3af4509 - C:\WINDOWS\System32\dataclen32.dll (file missing)
O20 - Winlogon Notify: awtsQIBt - awtsQIBt.dll (file missing)
O20 - Winlogon Notify: awtsRijh - awtsRijh.dll (file missing)
O20 - Winlogon Notify: cbXNEWpP - cbXNEWpP.dll (file missing)
O20 - Winlogon Notify: cedbeafcbffddcfebcfc - C:\WINDOWS\system32\cedbeafcbffddcfebcfc.dll (file missing)
O20 - Winlogon Notify: khfGyvtQ - khfGyvtQ.dll (file missing)
O20 - Winlogon Notify: nnnljkHy - nnnljkHy.dll (file missing)
O20 - Winlogon Notify: urqOIabY - urqOIabY.dll (file missing)
O20 - Winlogon Notify: wvUmjJyX - wvUmjJyX.dll (file missing)
O21 - SSODL: nopzet - {DBD86DC8-4284-4A3B-9096-FE97039831E2} - C:\WINDOWS\nopzet.dll (file missing)
O21 - SSODL: leorop - {31332C2A-02A4-4E4E-9B79-2A33E9BAFBE5} - C:\WINDOWS\leorop.dll (file missing)
O22 - SharedTaskScheduler: jgzfkj9w38rksndfi7r4 - {C5BF49A2-94F3-42BD-F434-3604812C8955} - C:\WINDOWS\system32\hsfd83jfdg.dll (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NNServ - Unknown owner - C:\Program Files\NewDotNet\nnrun.exe (file missing)
O23 - Service: Terminal Connections (terms) - Unknown owner - C:\WINDOWS\system32\terminals.exe (file missing)
O23 - Service: Uninterruptible Power Supply (UPS) - Unknown owner - C:\WINDOWS\System32\ups.exe (file missing)
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm
--
End of file - 9654 bytes
When trying to surf the web, whenever I navigate from the home page, all subsequent pages go completely white uner the toolbars for about 20 seconds. There is a 'beep' from the PC speaker, and the webpage trys to reload.
I have installed and ran a hijack this scan. Log is below.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:38:44 PM, on 2/25/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SE...S01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SE...S01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.geekstogo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://toolbar.inbox...aspx?tbid=80205
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://toolbar.inbox...aspx?tbid=80205
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SE...S01?FORM=TOOLBR
R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
R3 - URLSearchHook: (no name) - - (no file)
R3 - URLSearchHook: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll (file missing)
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: C:\WINDOWS\system32\hsfd83jfdg.dll - {C5BF49A2-94F3-42BD-F434-3604812C8955} - C:\WINDOWS\system32\hsfd83jfdg.dll (file missing)
O2 - BHO: (no name) - {D44F5994-A1A9-47F1-BE84-C6A38F36FFB0} - C:\WINDOWS\system32\yayyXNGW.dll (file missing)
O3 - Toolbar: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll (file missing)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: The retnsrp - {CC304A4D-FC79-4CD3-9A67-46E3AF59319D} - C:\WINDOWS\retnsrp.dll (file missing)
O3 - Toolbar: (no name) - {90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - (no file)
O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [spywareguard] C:\Program Files\Spyware Guard 2008\spywareguard.exe
O4 - HKLM\..\Run: [wclock] "C:\Documents and Settings\TEMP.FAMILY_COMPUTER.004\Application Data\Google\yfijv17721328.exe" 2
O4 - HKLM\..\Run: [jsf8uiw3jnjgffght] C:\WINDOWS\TEMP\winlognn.exe
O4 - HKCU\..\Run: [msnmsgr] ~"C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Trust Cleaner] "C:\Program Files\Trust Cleaner\Trust Cleaner.exe"
O4 - HKCU\..\Run: [TrustIn Popups] "C:\Program Files\TrustIn Popups\TrustInPopups.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [XP Antivirus] C:\Program Files\XP Antivirus\xpa.exe
O4 - HKCU\..\Run: [WeatherDPA] "C:\Program Files\Zango\bin\10.3.36.0\Weather.exe" -auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [nepifadisi] Rundll32.exe "C:\WINDOWS\system32\dapavama.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [jsf8uiw3jnjgffght] C:\WINDOWS\TEMP\winlognn.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [jsf8uiw3jnjgffght] C:\WINDOWS\TEMP\winlognn.exe (User 'Default user')
O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Search - http://edits.mywebse...?p=ZSYYYYYYOHUS
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} (CPlayFirstDinerDash2Control Object) - http://zone.msn.com/...h2.1.0.0.68.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1188662825063
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1188662933189
O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} (TSEasyInstallX Control) - http://www.trendsecu...asyInstallX.CAB
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...ro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://games.myspace...ronGameHost.cab
O16 - DPF: {D1548A26-B8F6-4E86-AE74-E7062CCC2E2A} (igLoader Content on Demand) - http://www.miniclip....er/igloader.CAB
O16 - DPF: {FC4CAF5F-91BD-4DD9-ADC1-F3C737E37BC4} (CPlayFirstSweetopiaControl Object) - http://zone.msn.com/...ia.1.0.0.46.cab
O20 - Winlogon Notify: 682e3af4509 - C:\WINDOWS\System32\dataclen32.dll (file missing)
O20 - Winlogon Notify: awtsQIBt - awtsQIBt.dll (file missing)
O20 - Winlogon Notify: awtsRijh - awtsRijh.dll (file missing)
O20 - Winlogon Notify: cbXNEWpP - cbXNEWpP.dll (file missing)
O20 - Winlogon Notify: cedbeafcbffddcfebcfc - C:\WINDOWS\system32\cedbeafcbffddcfebcfc.dll (file missing)
O20 - Winlogon Notify: khfGyvtQ - khfGyvtQ.dll (file missing)
O20 - Winlogon Notify: nnnljkHy - nnnljkHy.dll (file missing)
O20 - Winlogon Notify: urqOIabY - urqOIabY.dll (file missing)
O20 - Winlogon Notify: wvUmjJyX - wvUmjJyX.dll (file missing)
O21 - SSODL: nopzet - {DBD86DC8-4284-4A3B-9096-FE97039831E2} - C:\WINDOWS\nopzet.dll (file missing)
O21 - SSODL: leorop - {31332C2A-02A4-4E4E-9B79-2A33E9BAFBE5} - C:\WINDOWS\leorop.dll (file missing)
O22 - SharedTaskScheduler: jgzfkj9w38rksndfi7r4 - {C5BF49A2-94F3-42BD-F434-3604812C8955} - C:\WINDOWS\system32\hsfd83jfdg.dll (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NNServ - Unknown owner - C:\Program Files\NewDotNet\nnrun.exe (file missing)
O23 - Service: Terminal Connections (terms) - Unknown owner - C:\WINDOWS\system32\terminals.exe (file missing)
O23 - Service: Uninterruptible Power Supply (UPS) - Unknown owner - C:\WINDOWS\System32\ups.exe (file missing)
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm
--
End of file - 9654 bytes
#55
Posted 26 February 2009 - 06:23 AM
fenzodahl512
-
- Malware Removal
-
- 9,863 posts
Ok.. First of all, do this....
Please download OTCleanIt and save it to Desktop.
NEXT
Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them back after performing all steps given..
Please download ComboFix by sUBs from one of the locations below, and save it to your Desktop.
Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.
If ComboFix asked you to install Recovery Console, please do so.. It will be your best interest..
When finished, it shall produce a log for you. Post that log and a fresh HijackThis log in your next reply..
Note: DON'T do anything with your computer while ComboFix is running.. Let ComboFix finishes its job..
Please download OTCleanIt and save it to Desktop.
- Make sure you have internet connection..
- Double-click OTCleanIt.exe
- Click the CleanUp! button.
- Select Yes when the "Begin cleanup Process?" prompt appears.
- If you are prompted to Reboot during the cleanup, select Yes
NEXT
Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them back after performing all steps given..
Please download ComboFix by sUBs from one of the locations below, and save it to your Desktop.
Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.
If ComboFix asked you to install Recovery Console, please do so.. It will be your best interest..
When finished, it shall produce a log for you. Post that log and a fresh HijackThis log in your next reply..
Note: DON'T do anything with your computer while ComboFix is running.. Let ComboFix finishes its job..
#56
Posted 26 February 2009 - 08:46 AM
Neil Bradley
- Topic Starter
-
- Member
-
- 39 posts
Member
OTCleanup: Done
Combofix: Program downloads fine. When running, receive an error box: "Incompatible OS. Works only 2000 and XP".
I tried downloading from all three locations, same thing on each download.
As this is XP Home, there must be something still running that is blocking combofix.
Neil
Combofix: Program downloads fine. When running, receive an error box: "Incompatible OS. Works only 2000 and XP".
I tried downloading from all three locations, same thing on each download.
As this is XP Home, there must be something still running that is blocking combofix.
Neil
Edited by Neil Bradley, 26 February 2009 - 08:47 AM.
#57
Posted 26 February 2009 - 08:53 AM
fenzodahl512
-
- Malware Removal
-
- 9,863 posts
Ok.. Lets do this then....
Please download RSIT by random/random and save it to your Desktop.
NEXT
Run GMER again as you you did before...
Post these logs in your next reply..
1. RSIT log.txt
2. Info.txt
3. GMER result
Please download RSIT by random/random and save it to your Desktop.
- Double click on RSIT.exe to run RSIT
- Before you click "Continue", make sure you change the List files/folders created or modified in the last 3 months
- Click Continue at the disclaimer screen.
- Once it has finished, two logs will open. Please post the contents of both log.txt and info.txt in your next reply.
NEXT
Run GMER again as you you did before...
Post these logs in your next reply..
1. RSIT log.txt
2. Info.txt
3. GMER result
#59
Posted 27 February 2009 - 09:00 AM
fenzodahl512
-
- Malware Removal
-
- 9,863 posts
IMPORTANT!! Uninstall these programs first (if present..) so that they won't interfere with our fixes..
1. Ask Toolbar
2. Lavasoft Ad-Aware
3. Spybot - Search & Destroy
4. Viewpoint (all of them..)
Please download JavaRa to your desktop and unzip it to its own folder. <<MIRROR>>
Then, please download and install the latest Java from HERE
NEXT
The steps that I am about to suggest involve modifying the registry. Modfying the registry can be dangerous so we will make a backup of the registry first.
Modification of the registry can be EXTREMELY dangerous if you do not know exactly what you are doing so follow the steps that are listed below EXACTLY. if you cannot perform some of these steps or if you have ANY questions please ask BEFORE proceeding.
Backing Up Your Registry
For detailed instruction on how to back-up registry via ERUNT, please visit HERE
NEXT
Please download FileAssassin and unzip it to your Desktop.
NEXT
Please download The Avenger by Swandog46 and unzip it to your Desktop
Please open The Avenger. Then, please copy/paste the script inside the codebox into the Input script here: box..
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
The Avenger will automatically do the following:
NEXT
Please download the OTMoveIt3 by OldTimer
NEXT
I haven't seen any antivirus in your logs.. Antivirus is extremely crucial as without it you will get re-infected again! Do you have any? If you don't, please install ONLY ONE of these free and excellent antivirus below:
I also haven't seen any third-party firewall in your logs.. Do you have any? If you don't, please install ONLY ONE of these free and excellent firewall below:
After you install the third party firewall, please disable your Windows firewall. Please go to My Computer >> Control Panel >> Windows Firewall and choose Off (not recommended) option. Then please click Apply and Ok.
Run RSIT again... Post these logs in your next reply..
1. The Avenger
2. OTMoveIt3
3. RSIT log.txt
1. Ask Toolbar
2. Lavasoft Ad-Aware
3. Spybot - Search & Destroy
4. Viewpoint (all of them..)
Please download JavaRa to your desktop and unzip it to its own folder. <<MIRROR>>
- Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
- Accept any prompts.
Then, please download and install the latest Java from HERE
NEXT
The steps that I am about to suggest involve modifying the registry. Modfying the registry can be dangerous so we will make a backup of the registry first.
Modification of the registry can be EXTREMELY dangerous if you do not know exactly what you are doing so follow the steps that are listed below EXACTLY. if you cannot perform some of these steps or if you have ANY questions please ask BEFORE proceeding.
Backing Up Your Registry
- Go HERE and download ERUNT
(ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.) - Install ERUNT by following the prompts
(use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later) - Start ERUNT
(either by double clicking on the desktop icon or choosing to start the program at the end of the setup) - Choose a location for the backup
(the default location is C:\WINDOWS\ERDNT which is acceptable). - Make sure that at least the first two check boxes are ticked
- Press OK
- Press YES to create the folder.
For detailed instruction on how to back-up registry via ERUNT, please visit HERE
NEXT
Please download FileAssassin and unzip it to your Desktop.
- Double-click FileASSASSIN and tick on Attempt FileASSASSIN's method of file processing
- Make sure ALL four options are selected (including "Delete file")
- Copy/paste below file to the box
- C:\WINDOWS\system32\cedbeafcbffddcfebcfc.dll
- Press Execute button..
NEXT
Please download The Avenger by Swandog46 and unzip it to your Desktop
Please open The Avenger. Then, please copy/paste the script inside the codebox into the Input script here: box..
Begin copying here: Drivers to disable: Avg7Core Avg7RsW Avg7RsXP AvgClean seneka dwshd Drivers to delete: Avg7Core Avg7RsW Avg7RsXP AvgClean seneka dwshd Files to delete: C:\WINDOWS\System32\drivers\dwshd.sys C:\WINDOWS\system32\drivers\senekajlnnqvns.sys C:\WINDOWS\System32\Drivers\avg7core.sys C:\WINDOWS\System32\Drivers\avg7rsw.sys C:\WINDOWS\System32\Drivers\avg7rsxp.sys C:\WINDOWS\System32\Drivers\avgclean.sys C:\WINDOWS\system32\hsfd83jfdg.dll C:\WINDOWS\system32\yayyXNGW.dll C:\WINDOWS\retnsrp.dll C:\Program Files\Spyware Guard 2008 C:\Documents and Settings\TEMP.FAMILY_COMPUTER.004\Application Data\Google\yfijv17721328.exe C:\WINDOWS\TEMP\winlognn.exe C:\WINDOWS\System32\dataclen32.dll C:\WINDOWS\system32\cedbeafcbffddcfebcfc.dll C:\WINDOWS\nopzet.dll C:\WINDOWS\leorop.dll C:\WINDOWS\system32\nezogeju.dll C:\WINDOWS\system32\rn.tmp C:\WINDOWS\system32\mhenfheq.ini C:\WINDOWS\system32\cmiwqofs.ini C:\WINDOWS\system32\vdumwpag.ini C:\WINDOWS\system32\kssdhawd.ini C:\WINDOWS\system32\aoolacrw.ini C:\WINDOWS\system32\xowasfhf.ini C:\WINDOWS\system32\fgidncyd.ini C:\WINDOWS\system32\lqbbwjok.ini C:\WINDOWS\system32\xqdkjvnl.ini C:\WINDOWS\system32\oklwylmr.ini C:\WINDOWS\system32\vfylamnh.ini C:\WINDOWS\system32\forvldcx.ini C:\WINDOWS\system32\dswptfoy.ini C:\WINDOWS\system32\utajirab.ini C:\WINDOWS\system32\ehbesegq.ini C:\WINDOWS\system32\agpbhyfk.ini C:\WINDOWS\system32\tbolsjag.ini C:\WINDOWS\system32\noupvbvu.ini C:\WINDOWS\system32\tishryjm.ini C:\WINDOWS\system32\xejkxend.ini C:\WINDOWS\system32\utejageb.ini C:\WINDOWS\system32\ctoiuene.ini C:\WINDOWS\system32\bscibmdf.ini C:\WINDOWS\system32\tybrcawm.ini C:\WINDOWS\system32\klpsosab.ini C:\WINDOWS\system32\svecntdk.ini C:\WINDOWS\system32\xxsunfhd.ini C:\WINDOWS\system32\mwwncllb.ini C:\WINDOWS\system32\rpumxdfj.ini C:\WINDOWS\system32\drlawqsu.ini C:\WINDOWS\system32\igmcyfgo.ini C:\WINDOWS\system32\nlhkealm.ini C:\WINDOWS\system32\uspaffac.ini C:\WINDOWS\system32\lyjvhagk.ini C:\WINDOWS\system32\beqdvdnw.ini C:\WINDOWS\system32\yonkhojn.ini C:\WINDOWS\system32\hljciebm.ini C:\WINDOWS\system32\camclygk.ini C:\WINDOWS\system32\ciwgfmss.ini C:\WINDOWS\system32\cxamclin.ini C:\WINDOWS\system32\tBLRuBeg.ini2 2C:\WINDOWS\system32\tBLRuBeg.ini C:\WINDOWS\system32\kqvncwnk.ini C:\WINDOWS\system32\ycirvduw.ini C:\WINDOWS\system32\dwahxqhc.ini C:\WINDOWS\system32\hbytknao.ini C:\WINDOWS\system32\uvrrlmnw.ini C:\WINDOWS\system32\cepuecui.ini C:\WINDOWS\system32\hbxteicu.ini C:\WINDOWS\system32\oqtlvwfh.ini C:\WINDOWS\system32\otcrbytw.ini C:\WINDOWS\system32\lkdvnxyi.ini C:\WINDOWS\system32\efxijxll.ini C:\WINDOWS\system32\nlhunenu.ini C:\WINDOWS\system32\630dfe25-.txt
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
- Now, click on Execute. Just say Yes at every prompted
The Avenger will automatically do the following:
- It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
- On reboot, it will briefly open a black command window on your desktop, this is normal.
- After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
- The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
NEXT
Please download the OTMoveIt3 by OldTimer
- Save it to your Desktop.
- Please double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
- Let the Unregister Dll's and Ocx's remain ticked and Zip Files After Moves remain unticked..
- Copy the codebox contents and paste it to the "Paste List of Files/Folders to Move" window (under the light Yellow bar)
:processes explorer.exe :services Avg7Core Avg7RsW Avg7RsXP AvgClean seneka dwshd :files C:\WINDOWS\System32\drivers\dwshd.sys C:\WINDOWS\system32\drivers\senekajlnnqvns.sys C:\WINDOWS\System32\Drivers\avg7core.sys C:\WINDOWS\System32\Drivers\avg7rsw.sys C:\WINDOWS\System32\Drivers\avg7rsxp.sys C:\WINDOWS\System32\Drivers\avgclean.sys C:\WINDOWS\system32\hsfd83jfdg.dll C:\WINDOWS\system32\yayyXNGW.dll C:\WINDOWS\retnsrp.dll C:\Program Files\Spyware Guard 2008 C:\Documents and Settings\TEMP.FAMILY_COMPUTER.004\Application Data\Google\yfijv17721328.exe C:\WINDOWS\TEMP\winlognn.exe C:\Program Files\XP Antivirus C:\Program Files\Trust Cleaner C:\Program Files\TrustIn Popups C:\WINDOWS\System32\dataclen32.dll C:\WINDOWS\system32\cedbeafcbffddcfebcfc.dll C:\WINDOWS\nopzet.dll C:\WINDOWS\leorop.dll C:\WINDOWS\system32\nezogeju.dll C:\WINDOWS\system32\rn.tmp C:\WINDOWS\system32\mhenfheq.ini C:\WINDOWS\system32\cmiwqofs.ini C:\WINDOWS\system32\vdumwpag.ini C:\WINDOWS\system32\kssdhawd.ini C:\WINDOWS\system32\aoolacrw.ini C:\WINDOWS\system32\xowasfhf.ini C:\WINDOWS\system32\fgidncyd.ini C:\WINDOWS\system32\lqbbwjok.ini C:\WINDOWS\system32\xqdkjvnl.ini C:\WINDOWS\system32\oklwylmr.ini C:\WINDOWS\system32\vfylamnh.ini C:\WINDOWS\system32\forvldcx.ini C:\WINDOWS\system32\dswptfoy.ini C:\WINDOWS\system32\utajirab.ini C:\WINDOWS\system32\ehbesegq.ini C:\WINDOWS\system32\agpbhyfk.ini C:\WINDOWS\system32\tbolsjag.ini C:\WINDOWS\system32\noupvbvu.ini C:\WINDOWS\system32\tishryjm.ini C:\WINDOWS\system32\xejkxend.ini C:\WINDOWS\system32\utejageb.ini C:\WINDOWS\system32\ctoiuene.ini C:\WINDOWS\system32\bscibmdf.ini C:\WINDOWS\system32\tybrcawm.ini C:\WINDOWS\system32\klpsosab.ini C:\WINDOWS\system32\svecntdk.ini C:\WINDOWS\system32\xxsunfhd.ini C:\WINDOWS\system32\mwwncllb.ini C:\WINDOWS\system32\rpumxdfj.ini C:\WINDOWS\system32\drlawqsu.ini C:\WINDOWS\system32\igmcyfgo.ini C:\WINDOWS\system32\nlhkealm.ini C:\WINDOWS\system32\uspaffac.ini C:\WINDOWS\system32\lyjvhagk.ini C:\WINDOWS\system32\beqdvdnw.ini C:\WINDOWS\system32\yonkhojn.ini C:\WINDOWS\system32\hljciebm.ini C:\WINDOWS\system32\camclygk.ini C:\WINDOWS\system32\ciwgfmss.ini C:\WINDOWS\system32\cxamclin.ini C:\WINDOWS\system32\tBLRuBeg.ini2 2C:\WINDOWS\system32\tBLRuBeg.ini C:\WINDOWS\system32\kqvncwnk.ini C:\WINDOWS\system32\ycirvduw.ini C:\WINDOWS\system32\dwahxqhc.ini C:\WINDOWS\system32\hbytknao.ini C:\WINDOWS\system32\uvrrlmnw.ini C:\WINDOWS\system32\cepuecui.ini C:\WINDOWS\system32\hbxteicu.ini C:\Documents and Settings\All Users.WINDOWS\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6} C:\WINDOWS\system32\oqtlvwfh.ini C:\WINDOWS\system32\otcrbytw.ini C:\WINDOWS\system32\lkdvnxyi.ini C:\WINDOWS\system32\efxijxll.ini C:\WINDOWS\system32\nlhunenu.ini C:\Documents and Settings\All Users.WINDOWS\Application Data\avg7 C:\WINDOWS\system32\630dfe25-.txt :reg [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows] "AppInit_DLLs"="" [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C5BF49A2-94F3-42BD-F434-3604812C8955}] [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D44F5994-A1A9-47F1-BE84-C6A38F36FFB0}] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar] "{CC304A4D-FC79-4CD3-9A67-46E3AF59319D}"=- "{90B8B761-DF2B-48AC-BBE0-BCC03A819B3B}"=- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "spywareguard"=- "wclock"=- "jsf8uiw3jnjgffght"=- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] "XP Antivirus"=- "Trust Cleaner"=- "TrustIn Popups"=- [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\682e3af4509] [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\awtsQIBt] [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\awtsRijh] [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cbXNEWpP] [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cedbeafcbffddcfebcfc] [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\khfGyvtQ] [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\nnnljkHy] [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\urqOIabY] [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wvUmjJyX] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad] "nopzet"=- "leorop"=- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\SharedTaskScheduler] "{C5BF49A2-94F3-42BD-F434-3604812C8955}"=- [-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{DBD86DC8-4284-4A3B-9096-FE97039831E2}] [-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{31332C2A-02A4-4E4E-9B79-2A33E9BAFBE5}] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa] "Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00 "Notification Packages"=hex(7):73,63,65,63,6c,69,00,00 :commands [purity] [emptytemp] [start explorer] [reboot] - Click the red Moveit! button.
- A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
- Close OTMoveIt3
NEXT
I haven't seen any antivirus in your logs.. Antivirus is extremely crucial as without it you will get re-infected again! Do you have any? If you don't, please install ONLY ONE of these free and excellent antivirus below:
- Avira AntiVir Personal
- Avast! 4 Home Edition
- PC Tools Antivirus
- AVG Anti-Virus Free Edition 8.0
- Rising Antivirus Free
I also haven't seen any third-party firewall in your logs.. Do you have any? If you don't, please install ONLY ONE of these free and excellent firewall below:
After you install the third party firewall, please disable your Windows firewall. Please go to My Computer >> Control Panel >> Windows Firewall and choose Off (not recommended) option. Then please click Apply and Ok.
Run RSIT again... Post these logs in your next reply..
1. The Avenger
2. OTMoveIt3
3. RSIT log.txt
Edited by fenzodahl512, 27 February 2009 - 09:26 AM.
edited instruction
#60
Posted 27 February 2009 - 07:15 PM
Neil Bradley
- Topic Starter
-
- Member
-
- 39 posts
Member
Things went very well. I think we are about done!
AVG will not install, I get an error message saying it can't modify the registry. I installed Rising Antivirus instead. I ran a quick scan, and it found nothing.
Windows Firewall was disabled due to "Group Policy". I downloaded a registry fix, and now Windows Firewall is working.
Task manager was disabled again. I have re-enabled that as well.
File Assassin did not find the file you specified.
notepad.exe is "not found" when trying to run it from the start menu, but the logs are opening up in notepad.
Question, do you think we will need to do another windows repair? The system really is running pretty stable right now.
Finally, I have not yet installed a firewall. I want to talk to the owner of the computer first, and he won't be available until next week. I will download one of the free ones where he can find it.
Logs are attached.
Neil
OtMovit result below.
========== PROCESSES ==========
Process explorer.exe killed successfully.
========== SERVICES/DRIVERS ==========
Unable to stop service Avg7Core .
Unable to stop service Avg7RsW .
Unable to stop service Avg7RsXP .
Unable to stop service AvgClean .
Unable to stop service seneka .
Unable to stop service dwshd .
========== FILES ==========
File/Folder C:\WINDOWS\System32\drivers\dwshd.sys not found.
File/Folder C:\WINDOWS\system32\drivers\senekajlnnqvns.sys not found.
File/Folder C:\WINDOWS\System32\Drivers\avg7core.sys not found.
File/Folder C:\WINDOWS\System32\Drivers\avg7rsw.sys not found.
File/Folder C:\WINDOWS\System32\Drivers\avg7rsxp.sys not found.
File/Folder C:\WINDOWS\System32\Drivers\avgclean.sys not found.
File/Folder C:\WINDOWS\system32\hsfd83jfdg.dll not found.
File/Folder C:\WINDOWS\system32\yayyXNGW.dll not found.
File/Folder C:\WINDOWS\retnsrp.dll not found.
File/Folder C:\Program Files\Spyware Guard 2008 not found.
File/Folder C:\Documents and Settings\TEMP.FAMILY_COMPUTER.004\Application Data\Google\yfijv17721328.exe not found.
File/Folder C:\WINDOWS\TEMP\winlognn.exe not found.
File/Folder C:\Program Files\XP Antivirus not found.
File/Folder C:\Program Files\Trust Cleaner not found.
File/Folder C:\Program Files\TrustIn Popups not found.
File/Folder C:\WINDOWS\System32\dataclen32.dll not found.
File/Folder C:\WINDOWS\system32\cedbeafcbffddcfebcfc.dll not found.
File/Folder C:\WINDOWS\nopzet.dll not found.
File/Folder C:\WINDOWS\leorop.dll not found.
File/Folder C:\WINDOWS\system32\nezogeju.dll not found.
File/Folder C:\WINDOWS\system32\rn.tmp not found.
File/Folder C:\WINDOWS\system32\mhenfheq.ini not found.
File/Folder C:\WINDOWS\system32\cmiwqofs.ini not found.
File/Folder C:\WINDOWS\system32\vdumwpag.ini not found.
File/Folder C:\WINDOWS\system32\kssdhawd.ini not found.
File/Folder C:\WINDOWS\system32\aoolacrw.ini not found.
File/Folder C:\WINDOWS\system32\xowasfhf.ini not found.
File/Folder C:\WINDOWS\system32\fgidncyd.ini not found.
File/Folder C:\WINDOWS\system32\lqbbwjok.ini not found.
File/Folder C:\WINDOWS\system32\xqdkjvnl.ini not found.
File/Folder C:\WINDOWS\system32\oklwylmr.ini not found.
File/Folder C:\WINDOWS\system32\vfylamnh.ini not found.
File/Folder C:\WINDOWS\system32\forvldcx.ini not found.
File/Folder C:\WINDOWS\system32\dswptfoy.ini not found.
File/Folder C:\WINDOWS\system32\utajirab.ini not found.
File/Folder C:\WINDOWS\system32\ehbesegq.ini not found.
File/Folder C:\WINDOWS\system32\agpbhyfk.ini not found.
File/Folder C:\WINDOWS\system32\tbolsjag.ini not found.
File/Folder C:\WINDOWS\system32\noupvbvu.ini not found.
File/Folder C:\WINDOWS\system32\tishryjm.ini not found.
File/Folder C:\WINDOWS\system32\xejkxend.ini not found.
File/Folder C:\WINDOWS\system32\utejageb.ini not found.
File/Folder C:\WINDOWS\system32\ctoiuene.ini not found.
File/Folder C:\WINDOWS\system32\bscibmdf.ini not found.
File/Folder C:\WINDOWS\system32\tybrcawm.ini not found.
File/Folder C:\WINDOWS\system32\klpsosab.ini not found.
File/Folder C:\WINDOWS\system32\svecntdk.ini not found.
File/Folder C:\WINDOWS\system32\xxsunfhd.ini not found.
File/Folder C:\WINDOWS\system32\mwwncllb.ini not found.
File/Folder C:\WINDOWS\system32\rpumxdfj.ini not found.
File/Folder C:\WINDOWS\system32\drlawqsu.ini not found.
File/Folder C:\WINDOWS\system32\igmcyfgo.ini not found.
File/Folder C:\WINDOWS\system32\nlhkealm.ini not found.
File/Folder C:\WINDOWS\system32\uspaffac.ini not found.
File/Folder C:\WINDOWS\system32\lyjvhagk.ini not found.
File/Folder C:\WINDOWS\system32\beqdvdnw.ini not found.
File/Folder C:\WINDOWS\system32\yonkhojn.ini not found.
File/Folder C:\WINDOWS\system32\hljciebm.ini not found.
File/Folder C:\WINDOWS\system32\camclygk.ini not found.
File/Folder C:\WINDOWS\system32\ciwgfmss.ini not found.
File/Folder C:\WINDOWS\system32\cxamclin.ini not found.
File/Folder C:\WINDOWS\system32\tBLRuBeg.ini2 not found.
File/Folder 2C:\WINDOWS\system32\tBLRuBeg.ini not found.
File/Folder C:\WINDOWS\system32\kqvncwnk.ini not found.
File/Folder C:\WINDOWS\system32\ycirvduw.ini not found.
File/Folder C:\WINDOWS\system32\dwahxqhc.ini not found.
File/Folder C:\WINDOWS\system32\hbytknao.ini not found.
File/Folder C:\WINDOWS\system32\uvrrlmnw.ini not found.
File/Folder C:\WINDOWS\system32\cepuecui.ini not found.
File/Folder C:\WINDOWS\system32\hbxteicu.ini not found.
C:\Documents and Settings\All Users.WINDOWS\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}\x86\x86 moved successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}\x86 moved successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6} moved successfully.
File/Folder C:\WINDOWS\system32\oqtlvwfh.ini not found.
File/Folder C:\WINDOWS\system32\otcrbytw.ini not found.
File/Folder C:\WINDOWS\system32\lkdvnxyi.ini not found.
File/Folder C:\WINDOWS\system32\efxijxll.ini not found.
File/Folder C:\WINDOWS\system32\nlhunenu.ini not found.
C:\Documents and Settings\All Users.WINDOWS\Application Data\avg7 moved successfully.
File/Folder C:\WINDOWS\system32\630dfe25-.txt not found.
========== REGISTRY ==========
Unable to set value : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\"AppInit_DLLs"|"" /E!
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C5BF49A2-94F3-42BD-F434-3604812C8955}\\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D44F5994-A1A9-47F1-BE84-C6A38F36FFB0}\\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{CC304A4D-FC79-4CD3-9A67-46E3AF59319D} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CC304A4D-FC79-4CD3-9A67-46E3AF59319D}\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{90B8B761-DF2B-48AC-BBE0-BCC03A819B3B}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\spywareguard deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\wclock deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\jsf8uiw3jnjgffght deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\XP Antivirus deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\Trust Cleaner deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\TrustIn Popups deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\682e3af4509\\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\awtsQIBt\\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\awtsRijh\\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cbXNEWpP\\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cedbeafcbffddcfebcfc\\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\khfGyvtQ\\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\nnnljkHy\\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\urqOIabY\\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wvUmjJyX\\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\nopzet deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\leorop deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\SharedTaskScheduler\\{C5BF49A2-94F3-42BD-F434-3604812C8955} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C5BF49A2-94F3-42BD-F434-3604812C8955}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{DBD86DC8-4284-4A3B-9096-FE97039831E2}\\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{31332C2A-02A4-4E4E-9B79-2A33E9BAFBE5}\\ deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\"Authentication Packages"|hex(7):6d,73,76,31,5f,30,00,00 /E : value set successfully!
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\"Notification Packages"|hex(7):73,63,65,63,6c,69,00,00 /E : value set successfully!
========== COMMANDS ==========
C:\WINDOWS\Fоnts moved successfully.
C:\WINDOWS\Mіcrosoft.NET moved successfully.
C:\WINDOWS\Μіcrosoft.NET\Μіcrosoft.NET moved successfully.
C:\WINDOWS\Μіcrosoft.NET moved successfully.
C:\WINDOWS\ѕecurity moved successfully.
C:\WINDOWS\ѕеcurity moved successfully.
C:\WINDOWS\Sуmantec moved successfully.
C:\WINDOWS\Ѕуmantec moved successfully.
C:\WINDOWS\sуstem32 moved successfully.
C:\WINDOWS\WіnSxS moved successfully.
C:\WINDOWS\system32\АppPatch moved successfully.
C:\WINDOWS\system32\АрpPatch moved successfully.
C:\WINDOWS\system32\ΑppPatch moved successfully.
C:\WINDOWS\system32\аѕsembly moved successfully.
C:\WINDOWS\system32\Fοnts moved successfully.
C:\WINDOWS\system32\Fоnts moved successfully.
C:\WINDOWS\system32\Μicrosoft.NET moved successfully.
C:\WINDOWS\system32\Міcrosoft.NET moved successfully.
C:\WINDOWS\system32\Οracle moved successfully.
C:\WINDOWS\system32\Оracle moved successfully.
C:\WINDOWS\system32\ѕecurity moved successfully.
C:\WINDOWS\system32\ѕеcurity moved successfully.
C:\WINDOWS\system32\Ѕymantec moved successfully.
C:\WINDOWS\system32\ѕуmbols moved successfully.
C:\WINDOWS\system32\ѕуstem moved successfully.
C:\WINDOWS\system32\ѕystem moved successfully.
C:\WINDOWS\system32\ѕуstem32 moved successfully.
C:\WINDOWS\system32\Таsks moved successfully.
C:\WINDOWS\system32\WіnSxS\WNSXS~1 moved successfully.
C:\WINDOWS\system32\WіnSxS moved successfully.
C:\Program Files\Αdobe moved successfully.
C:\Program Files\Fоnts moved successfully.
C:\Program Files\Мicrosoft.NET moved successfully.
C:\Program Files\sеcurity moved successfully.
C:\Program Files\Ѕуmantec moved successfully.
C:\Program Files\ѕymbols moved successfully.
C:\Program Files\ѕуstem moved successfully.
C:\Program Files\Τasks\ASKS~1 moved successfully.
C:\Program Files\Τasks moved successfully.
C:\Program Files\WіnSxS moved successfully.
C:\Program Files\Common Files\Fоnts moved successfully.
C:\Program Files\Common Files\Mіcrosoft.NET moved successfully.
C:\Program Files\Common Files\Мicrosoft.NET moved successfully.
C:\Program Files\Common Files\Mіcrosoft moved successfully.
C:\Program Files\Common Files\sеcurity moved successfully.
C:\Program Files\Common Files\ѕystem32 moved successfully.
C:\Program Files\Common Files\Τаsks moved successfully.
C:\Program Files\Common Files\Таsks\SKS~1 moved successfully.
C:\Program Files\Common Files\Таsks moved successfully.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
Local Service Temporary Internet Files folder emptied.
Windows Temp folder emptied.
Java cache emptied.
FireFox cache emptied.
Temp folders emptied.
Explorer started successfully
OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 02272009_174833
AVG will not install, I get an error message saying it can't modify the registry. I installed Rising Antivirus instead. I ran a quick scan, and it found nothing.
Windows Firewall was disabled due to "Group Policy". I downloaded a registry fix, and now Windows Firewall is working.
Task manager was disabled again. I have re-enabled that as well.
File Assassin did not find the file you specified.
notepad.exe is "not found" when trying to run it from the start menu, but the logs are opening up in notepad.
Question, do you think we will need to do another windows repair? The system really is running pretty stable right now.
Finally, I have not yet installed a firewall. I want to talk to the owner of the computer first, and he won't be available until next week. I will download one of the free ones where he can find it.
Logs are attached.
Neil
OtMovit result below.
========== PROCESSES ==========
Process explorer.exe killed successfully.
========== SERVICES/DRIVERS ==========
Unable to stop service Avg7Core .
Unable to stop service Avg7RsW .
Unable to stop service Avg7RsXP .
Unable to stop service AvgClean .
Unable to stop service seneka .
Unable to stop service dwshd .
========== FILES ==========
File/Folder C:\WINDOWS\System32\drivers\dwshd.sys not found.
File/Folder C:\WINDOWS\system32\drivers\senekajlnnqvns.sys not found.
File/Folder C:\WINDOWS\System32\Drivers\avg7core.sys not found.
File/Folder C:\WINDOWS\System32\Drivers\avg7rsw.sys not found.
File/Folder C:\WINDOWS\System32\Drivers\avg7rsxp.sys not found.
File/Folder C:\WINDOWS\System32\Drivers\avgclean.sys not found.
File/Folder C:\WINDOWS\system32\hsfd83jfdg.dll not found.
File/Folder C:\WINDOWS\system32\yayyXNGW.dll not found.
File/Folder C:\WINDOWS\retnsrp.dll not found.
File/Folder C:\Program Files\Spyware Guard 2008 not found.
File/Folder C:\Documents and Settings\TEMP.FAMILY_COMPUTER.004\Application Data\Google\yfijv17721328.exe not found.
File/Folder C:\WINDOWS\TEMP\winlognn.exe not found.
File/Folder C:\Program Files\XP Antivirus not found.
File/Folder C:\Program Files\Trust Cleaner not found.
File/Folder C:\Program Files\TrustIn Popups not found.
File/Folder C:\WINDOWS\System32\dataclen32.dll not found.
File/Folder C:\WINDOWS\system32\cedbeafcbffddcfebcfc.dll not found.
File/Folder C:\WINDOWS\nopzet.dll not found.
File/Folder C:\WINDOWS\leorop.dll not found.
File/Folder C:\WINDOWS\system32\nezogeju.dll not found.
File/Folder C:\WINDOWS\system32\rn.tmp not found.
File/Folder C:\WINDOWS\system32\mhenfheq.ini not found.
File/Folder C:\WINDOWS\system32\cmiwqofs.ini not found.
File/Folder C:\WINDOWS\system32\vdumwpag.ini not found.
File/Folder C:\WINDOWS\system32\kssdhawd.ini not found.
File/Folder C:\WINDOWS\system32\aoolacrw.ini not found.
File/Folder C:\WINDOWS\system32\xowasfhf.ini not found.
File/Folder C:\WINDOWS\system32\fgidncyd.ini not found.
File/Folder C:\WINDOWS\system32\lqbbwjok.ini not found.
File/Folder C:\WINDOWS\system32\xqdkjvnl.ini not found.
File/Folder C:\WINDOWS\system32\oklwylmr.ini not found.
File/Folder C:\WINDOWS\system32\vfylamnh.ini not found.
File/Folder C:\WINDOWS\system32\forvldcx.ini not found.
File/Folder C:\WINDOWS\system32\dswptfoy.ini not found.
File/Folder C:\WINDOWS\system32\utajirab.ini not found.
File/Folder C:\WINDOWS\system32\ehbesegq.ini not found.
File/Folder C:\WINDOWS\system32\agpbhyfk.ini not found.
File/Folder C:\WINDOWS\system32\tbolsjag.ini not found.
File/Folder C:\WINDOWS\system32\noupvbvu.ini not found.
File/Folder C:\WINDOWS\system32\tishryjm.ini not found.
File/Folder C:\WINDOWS\system32\xejkxend.ini not found.
File/Folder C:\WINDOWS\system32\utejageb.ini not found.
File/Folder C:\WINDOWS\system32\ctoiuene.ini not found.
File/Folder C:\WINDOWS\system32\bscibmdf.ini not found.
File/Folder C:\WINDOWS\system32\tybrcawm.ini not found.
File/Folder C:\WINDOWS\system32\klpsosab.ini not found.
File/Folder C:\WINDOWS\system32\svecntdk.ini not found.
File/Folder C:\WINDOWS\system32\xxsunfhd.ini not found.
File/Folder C:\WINDOWS\system32\mwwncllb.ini not found.
File/Folder C:\WINDOWS\system32\rpumxdfj.ini not found.
File/Folder C:\WINDOWS\system32\drlawqsu.ini not found.
File/Folder C:\WINDOWS\system32\igmcyfgo.ini not found.
File/Folder C:\WINDOWS\system32\nlhkealm.ini not found.
File/Folder C:\WINDOWS\system32\uspaffac.ini not found.
File/Folder C:\WINDOWS\system32\lyjvhagk.ini not found.
File/Folder C:\WINDOWS\system32\beqdvdnw.ini not found.
File/Folder C:\WINDOWS\system32\yonkhojn.ini not found.
File/Folder C:\WINDOWS\system32\hljciebm.ini not found.
File/Folder C:\WINDOWS\system32\camclygk.ini not found.
File/Folder C:\WINDOWS\system32\ciwgfmss.ini not found.
File/Folder C:\WINDOWS\system32\cxamclin.ini not found.
File/Folder C:\WINDOWS\system32\tBLRuBeg.ini2 not found.
File/Folder 2C:\WINDOWS\system32\tBLRuBeg.ini not found.
File/Folder C:\WINDOWS\system32\kqvncwnk.ini not found.
File/Folder C:\WINDOWS\system32\ycirvduw.ini not found.
File/Folder C:\WINDOWS\system32\dwahxqhc.ini not found.
File/Folder C:\WINDOWS\system32\hbytknao.ini not found.
File/Folder C:\WINDOWS\system32\uvrrlmnw.ini not found.
File/Folder C:\WINDOWS\system32\cepuecui.ini not found.
File/Folder C:\WINDOWS\system32\hbxteicu.ini not found.
C:\Documents and Settings\All Users.WINDOWS\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}\x86\x86 moved successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}\x86 moved successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6} moved successfully.
File/Folder C:\WINDOWS\system32\oqtlvwfh.ini not found.
File/Folder C:\WINDOWS\system32\otcrbytw.ini not found.
File/Folder C:\WINDOWS\system32\lkdvnxyi.ini not found.
File/Folder C:\WINDOWS\system32\efxijxll.ini not found.
File/Folder C:\WINDOWS\system32\nlhunenu.ini not found.
C:\Documents and Settings\All Users.WINDOWS\Application Data\avg7 moved successfully.
File/Folder C:\WINDOWS\system32\630dfe25-.txt not found.
========== REGISTRY ==========
Unable to set value : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\"AppInit_DLLs"|"" /E!
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C5BF49A2-94F3-42BD-F434-3604812C8955}\\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D44F5994-A1A9-47F1-BE84-C6A38F36FFB0}\\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{CC304A4D-FC79-4CD3-9A67-46E3AF59319D} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CC304A4D-FC79-4CD3-9A67-46E3AF59319D}\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{90B8B761-DF2B-48AC-BBE0-BCC03A819B3B}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\spywareguard deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\wclock deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\jsf8uiw3jnjgffght deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\XP Antivirus deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\Trust Cleaner deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\TrustIn Popups deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\682e3af4509\\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\awtsQIBt\\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\awtsRijh\\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cbXNEWpP\\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cedbeafcbffddcfebcfc\\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\khfGyvtQ\\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\nnnljkHy\\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\urqOIabY\\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wvUmjJyX\\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\nopzet deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\leorop deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\SharedTaskScheduler\\{C5BF49A2-94F3-42BD-F434-3604812C8955} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C5BF49A2-94F3-42BD-F434-3604812C8955}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{DBD86DC8-4284-4A3B-9096-FE97039831E2}\\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{31332C2A-02A4-4E4E-9B79-2A33E9BAFBE5}\\ deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\"Authentication Packages"|hex(7):6d,73,76,31,5f,30,00,00 /E : value set successfully!
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\"Notification Packages"|hex(7):73,63,65,63,6c,69,00,00 /E : value set successfully!
========== COMMANDS ==========
C:\WINDOWS\Fоnts moved successfully.
C:\WINDOWS\Mіcrosoft.NET moved successfully.
C:\WINDOWS\Μіcrosoft.NET\Μіcrosoft.NET moved successfully.
C:\WINDOWS\Μіcrosoft.NET moved successfully.
C:\WINDOWS\ѕecurity moved successfully.
C:\WINDOWS\ѕеcurity moved successfully.
C:\WINDOWS\Sуmantec moved successfully.
C:\WINDOWS\Ѕуmantec moved successfully.
C:\WINDOWS\sуstem32 moved successfully.
C:\WINDOWS\WіnSxS moved successfully.
C:\WINDOWS\system32\АppPatch moved successfully.
C:\WINDOWS\system32\АрpPatch moved successfully.
C:\WINDOWS\system32\ΑppPatch moved successfully.
C:\WINDOWS\system32\аѕsembly moved successfully.
C:\WINDOWS\system32\Fοnts moved successfully.
C:\WINDOWS\system32\Fоnts moved successfully.
C:\WINDOWS\system32\Μicrosoft.NET moved successfully.
C:\WINDOWS\system32\Міcrosoft.NET moved successfully.
C:\WINDOWS\system32\Οracle moved successfully.
C:\WINDOWS\system32\Оracle moved successfully.
C:\WINDOWS\system32\ѕecurity moved successfully.
C:\WINDOWS\system32\ѕеcurity moved successfully.
C:\WINDOWS\system32\Ѕymantec moved successfully.
C:\WINDOWS\system32\ѕуmbols moved successfully.
C:\WINDOWS\system32\ѕуstem moved successfully.
C:\WINDOWS\system32\ѕystem moved successfully.
C:\WINDOWS\system32\ѕуstem32 moved successfully.
C:\WINDOWS\system32\Таsks moved successfully.
C:\WINDOWS\system32\WіnSxS\WNSXS~1 moved successfully.
C:\WINDOWS\system32\WіnSxS moved successfully.
C:\Program Files\Αdobe moved successfully.
C:\Program Files\Fоnts moved successfully.
C:\Program Files\Мicrosoft.NET moved successfully.
C:\Program Files\sеcurity moved successfully.
C:\Program Files\Ѕуmantec moved successfully.
C:\Program Files\ѕymbols moved successfully.
C:\Program Files\ѕуstem moved successfully.
C:\Program Files\Τasks\ASKS~1 moved successfully.
C:\Program Files\Τasks moved successfully.
C:\Program Files\WіnSxS moved successfully.
C:\Program Files\Common Files\Fоnts moved successfully.
C:\Program Files\Common Files\Mіcrosoft.NET moved successfully.
C:\Program Files\Common Files\Мicrosoft.NET moved successfully.
C:\Program Files\Common Files\Mіcrosoft moved successfully.
C:\Program Files\Common Files\sеcurity moved successfully.
C:\Program Files\Common Files\ѕystem32 moved successfully.
C:\Program Files\Common Files\Τаsks moved successfully.
C:\Program Files\Common Files\Таsks\SKS~1 moved successfully.
C:\Program Files\Common Files\Таsks moved successfully.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
Local Service Temporary Internet Files folder emptied.
Windows Temp folder emptied.
Java cache emptied.
FireFox cache emptied.
Temp folders emptied.
Explorer started successfully
OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 02272009_174833
Attached Files
-
info.txt 16.03KB
171 downloads
-
log.txt 42.48KB
151 downloads
-
avenger.txt 14.91KB
167 downloads
Similar Topics
0 user(s) are reading this topic
0 members, 0 guests, 0 anonymous users
As Featured On:
Sign In
Create Account
