
No Desktop Icons, Disabled Task Mgr & Regedit [Solved]


  • This topic is locked

#61
fenzodahl512

  • Malware Removal
  • 9,863 posts

Finally, I have not yet installed a firewall. I want to talk to the owner of the computer first, and he won't be available until next week. I will download one of the free ones where he can find it.


Frankly speaking, I will need you to run ComboFix at least once so that I can verify the computer is fully free from Virut infection, since the real thing is, nothing can escape Virut without a full re-format to date.. I've received some advice from several experts stating that you actually need to reformat the computer due to Virut, but I'd really like to see our progress for now..


If you are still unable to run ComboFix after these steps, then I'd seriously have to suggest that you (as advised by the experts) reformat the computer..


Please re-enable System Restore.. Please create a fresh Restore Point before proceeding with our fix. Please visit this webpage if you do not know how..



NEXT


Run ERUNT again to back up the Registry... Please disable Rising Antivirus during these fixes.. Re-enable Rising Antivirus after you finish the ComboFix step :)



Repeat the OTMoveIt3 step, but this time with the script below.. Post the log here after that..

:processes
explorer.exe

:services
NNServ
terms

:files
C:\Program Files\NewDotNet
C:\WINDOWS\system32\terminals.exe
C:\WINDOWS\privacy_danger
C:\WINDOWS\system32\dapavama.dll
C:\WINDOWS\TEMP\winlognn.exe

:commands
[purity]
[emptytemp]
[start explorer]
[reboot]



NEXT


Please re-open HijackThis and click on Do a system scan only. Check the boxes next to all the entries listed below.

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://toolbar.inbox...aspx?tbid=80205
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://toolbar.inbox...aspx?tbid=80205
R3 - URLSearchHook: (no name) - - (no file)
O4 - HKUS\S-1-5-19\..\Run: [nepifadisi] Rundll32.exe "C:\WINDOWS\system32\dapavama.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [jsf8uiw3jnjgffght] C:\WINDOWS\TEMP\winlognn.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [jsf8uiw3jnjgffght] C:\WINDOWS\TEMP\winlognn.exe (User 'Default user')
O8 - Extra context menu item: &Search - http://edits.mywebse...?p=ZSYYYYYYOHUS
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm


Now close all windows other than HijackThis, then click Fix checked. Close HijackThis.




NEXT


Insert your Windows CD (SP2 or SP3) into the computer and do the following..

  • Click Start >> Run >> copy/paste sfc /scannow >> Enter.
      ◦ Note the space between the c and the /
  • Allow the scan to run and when completed, reboot the system.



NEXT


Reboot your computer and delete your version of ComboFix from the computer.. Also delete the C:\qoobox folder, if any.. Then do the following..

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them after performing all the steps given..

Please download ComboFix by sUBs from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.

If ComboFix asks you to install Recovery Console, please do so.. It will be in your best interest..

When finished, it shall produce a log for you. Post that log and a fresh HijackThis log in your next reply..

Note: DON'T do anything with your computer while ComboFix is running.. Let ComboFix finish its job..



Post me the OTMoveIt3 and ComboFix logs in your next reply..

Edited by fenzodahl512, 27 February 2009 - 10:30 PM.

  • 0
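The HijackThis entries selected for fixing in the post above share a few persistence traits that can be checked mechanically. The sketch below is an added example, not part of the original post and not HijackThis's own logic; the heuristics, the function names `triage` and `triage_log`, and the final benign sample line are assumptions made for illustration.

```python
import re

# Entries copied from the HijackThis list in the post above; the last line is a
# constructed benign entry added for contrast.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - - (no file)
O4 - HKUS\S-1-5-19\..\Run: [nepifadisi] Rundll32.exe "C:\WINDOWS\system32\dapavama.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [jsf8uiw3jnjgffght] C:\WINDOWS\TEMP\winlognn.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [jsf8uiw3jnjgffght] C:\WINDOWS\TEMP\winlognn.exe (User 'Default user')
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm
O4 - HKLM\..\Run: [ExampleUpdater] "C:\Program Files\Example\updater.exe"
"""

ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
# Hives of built-in accounts: SYSTEM, LOCAL SERVICE, NETWORK SERVICE, default profile.
SERVICE_HIVES = ("S-1-5-18", "S-1-5-19", "S-1-5-20", ".DEFAULT")


def triage(line):
    """Return the reasons (assumed heuristics) an entry deserves a closer look."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return []
    section, body = m.group("section"), m.group("body")
    low = body.lower()
    reasons = []
    if section == "O4":
        hive = body.split("\\..\\", 1)[0]          # text before "\..\Run"
        command = low.split("] ", 1)[-1]           # text after "[value name] "
        if hive.endswith(SERVICE_HIVES):
            reasons.append("autorun registered under a built-in account hive")
        if "\\temp\\" in low:
            reasons.append("autorun target lives in a TEMP directory")
        if command.startswith("rundll32"):
            reasons.append("autorun loads a DLL through rundll32")
    elif section == "R3" and "(no file)" in low:
        reasons.append("search hook with no backing file")
    elif section == "O24" and "file:///" in low:
        reasons.append("desktop component loaded from a local file")
    return reasons


def triage_log(text):
    """Map each flagged log line to its reasons; clean lines are omitted."""
    flagged = {}
    for line in text.splitlines():
        reasons = triage(line)
        if reasons:
            flagged[line.strip()] = reasons
    return flagged
```

Calling `triage_log(SAMPLE_LOG)` flags the five entries taken from the post and leaves the constructed `HKLM` entry alone; a flag is a prompt for manual review, not a verdict.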



#62
fenzodahl512

  • Malware Removal
  • 9,863 posts
Please take note that I just edited my previous post :)


Also, please take note of the picture below..

Posted Image

Using GMER, please go to the Registry tab >> locate the key below and look closely at the picture..

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

Now, navigate to the AppInit_DLLs value and click on it.. A window as in the picture will appear.. At Value data:, please empty it.. And then click OK..


Tell me more about it :)

Edited by fenzodahl512, 27 February 2009 - 10:51 PM.
edit instruction

  • 0

#63
Neil Bradley

  • Topic Starter
  • Member
  • 39 posts
========== PROCESSES ==========
Process explorer.exe killed successfully.
========== SERVICES/DRIVERS ==========
Service NNServ stopped successfully.
Service NNServ deleted successfully.
Service terms stopped successfully.
Service terms deleted successfully.
========== FILES ==========
File/Folder C:\Program Files\NewDotNet not found.
File/Folder C:\WINDOWS\system32\terminals.exe not found.
File/Folder C:\WINDOWS\privacy_danger not found.
File/Folder C:\WINDOWS\system32\dapavama.dll not found.
File/Folder C:\WINDOWS\TEMP\winlognn.exe not found.
========== COMMANDS ==========
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
Local Service Temporary Internet Files folder emptied.
Windows Temp folder emptied.
Java cache emptied.
FireFox cache emptied.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 02282009_002025
  • 0

#64
fenzodahl512

  • Malware Removal
  • 9,863 posts
Waiting for the ComboFix log :)

How's the sfc /scannow step doing?
  • 0

#65
Neil Bradley

  • Topic Starter
  • Member
  • 39 posts
sfc /scannow did not find any errors.

Combofix is still giving the same message: Incompatible OS.

One of these viruses really trashed out the registry. I had to re-enable the 'system restore' tab to be able to turn it on.

I have also completed the GMER task you added.

I ran a chkdsk on the OS, 'found and repaired errors'.

Still get the incompatible OS from combofix.

I am now running a repair of the OS (booting from the XP CD and choosing the repair option).

If this doesn't work, the last thing I would like to try is to:
- Clone the HD again (onto another one, keeping the original still on the shelf).
- "Upgrade" the OS from XP Home to XP Pro
- Attempt to run combofix a final time.

Will Combofix run on an OS that is in the 3-day period of not being activated? I don't see why not.

Neil
  • 0

#66
fenzodahl512

  • Malware Removal
  • 9,863 posts

Will Combofix run on an OS that is in the 3-day period of not being activated? I don't see why not.


Err.. What do you mean by 3-day period not activated?.. I'm sure the genuine Windows does not need to be activated at all.. Just key in the legitimate key and then it should be good to go.. :) :)
  • 0

#67
Neil Bradley

  • Topic Starter
  • Member
  • 39 posts
Sorry, I wrote that at 2am my time last night.

Whenever you upgrade an OS onto a new motherboard, you have 3 days to activate it due to "significant hardware changes". I was working on another computer for a different friend during the day yesterday (we geeks are always working for 'friends' it seems!), and came across that issue. Not a big thing as you say, just key in the key and telephone Microsoft and tell them it's legit, and only on one computer (which is its) and you get re-activated. Anyway,

I ran the hijack-this and followed instructions. No success with combofix.

I am now upgrading the OS to XP Pro, and will post results later today on how it goes.

Neil
  • 0

#68
fenzodahl512

  • Malware Removal
  • 9,863 posts
Ok.. waiting for the result :)
  • 0

#69
Neil Bradley

  • Topic Starter
  • Member
  • 39 posts
Upgrading the OS to XP Pro did not help.

I have talked to the owner of the computer. We are going to copy his music, and only his music, to an external enclosure.

Once the music has been copied, I will reformat the HD and reinstall Windows.

I will install virus protection (AVG most likely), and then Dr.Web. I will attach the external HD and scan it with Dr.Web.

<><><>

Does this sound like the thing to do now?

Neil
  • 0

#70
fenzodahl512

  • Malware Removal
  • 9,863 posts

I will attach the external HD and scan it with Dr.Web.


Make sure the external hard disk is EMPTY when you attach it to the infected computer.. Backing up the music is fine.. any documents, pictures, movies are also fine.. but NOT installers, applications, executables, screensavers, zip files, internet files (.htm/.html/.xml/.php)

Does this sound like the thing to do now?


That's the right thing to do :)
  • 0



#71
Neil Bradley

  • Topic Starter
  • Member
  • 39 posts
The computer is back with its owner now. They are copying music and pictures onto the external drive. I should have the computer back in a couple of days. Once that happens, I will do a destructive format (ones and zeros), then format again, and put the OS back on.

So, let's give it a couple of days, and I will update you as I finish.

Neil
  • 0

#72
fenzodahl512

  • Malware Removal
  • 9,863 posts
Don't worry, I'll leave this topic open until I hear the updates from you.. :)
  • 0

#73
Neil Bradley

  • Topic Starter
  • Member
  • 39 posts
I have the computer back. I put a new hard drive in, installed XP Professional.

I have copied back all the music, pictures and documents that were on the external hard drive.

I installed AVG antivirus, scanned the computer, no threats found.

I ran combofix, nothing found, log attached.

I believe we have resolved the issue.

Neil

Attached Files

  • Attached File  log.txt   5.59KB   188 downloads

  • 0

#74
fenzodahl512

  • Malware Removal
  • 9,863 posts
Yup.. ComboFix log looks good to me.. Do you have any more questions? :)
  • 0

#75
Neil Bradley

  • Topic Starter
  • Member
  • 39 posts
Nope.. As I have said numerous times, I *really* appreciate all the time and effort you spent with me on this, and I couldn't have gotten through it without your help.

Thanks!!

Neil
  • 0





