Trojanspm/lx [Solved]


#1 jrdriv (Member, 44 posts)
So, my son was on YouTube, and he clicked on an ad for playing games. Then when he tried to play one, the computer went blank to an error blue screen. Now, when I try to turn on the computer it goes straight to a black screen. It says, "We apologize for the inconvenience. Windows did not start successfully." On the black screen I have the option to choose "Safe Mode", "Safe Mode with Networking", "Safe Mode with Command Prompt", "Start Windows Normally", or "Last Known Good Configuration". When I choose any of the safe modes, it sends me to a blue screen: "A problem has been detected and Windows has been shut down to prevent damage. Check for virus on computer..." Then I'm stuck there. If I pick "Last Known Good Configuration" from the black screen it seems to work and I can use my computer. The desktop is hijacked: "Your system is infected remove spyware..." I get a "Warning" - Application can't be executed. The file is infected. Please activate your antivirus software. And, "Warning" - Attention - System detected a potential hazard (TrojanSPM/LX) on your computer that may infect executable files, your private information and PC safety is at risk. To get rid of unwanted spyware and keep your computer safe you need to download official intrusion detection system (IDS software). And this is pretty much it. I can't access the internet; I click to go, but nothing happens. I have McAfee antivirus and when I run it, it just shuts down. So I really need some help removing this trojan, but at the least I want to retrieve some files from my computer such as pics, songs, resumes, etc. I have an external hard drive to transfer the files to. Thanks and please help.
  • 0

#2 handhfan (Trusted Helper, Expert, 13,659 posts)
Hello, jrdriv, and welcome to GeeksToGo!

Please download Win32kDiag.exe to your desktop. Double-click to run it. A log should appear when it is finished. Post that log here.

If it doesn't pop up, a log should be located on your desktop as "Win32kDiag.txt".

You may need to download it on a clean computer and transfer it, since you can't seem to get to the internet.
  • 0

#3 jrdriv (Topic Starter, Member, 44 posts)
First of all thanks for the reply. I got the log and here it is...

Running from: C:\Documents and Settings\J-ROD\Desktop\Win32kDiag.exe
Log file at : C:\Documents and Settings\J-ROD\Desktop\Win32kDiag.txt
WARNING: Could not get backup privileges!
Searching 'C:\WINDOWS'...
Cannot access: C:\WINDOWS\system32\drivers\sbd20e6.sys
[1] 2009-08-11 22:27:20 45344 C:\WINDOWS\system32\drivers\sbd20e6.sys ()
Finished!
  • 0

#4 handhfan (Trusted Helper, Expert, 13,659 posts)
Please download exeHelper to your desktop.
Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of exehelperlog.txt (Will be created in the directory where you ran exeHelper.com, and should open at the end of the scan)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).
  • 0

#5 jrdriv (Topic Starter, Member, 44 posts)
Ok, I ran it once and it said error deleting one file, so I did it again, and it still says it on the file, but here's both the logs...


exeHelper by Raktor - 09
Build 20090925
Run at 22:28:59 on 09/27/09
Now searching...
Checking for numerical processes...
Checking for bad processes...
Checking for bad files...
Deleting file C:\WINDOWS\system32\desot.exe
Deleting file C:\WINDOWS\svchast.exe
Deleting file C:\WINDOWS\ppp3.dat
Deleting file C:\WINDOWS\ppp4.dat
Deleting file C:\WINDOWS\system32\sdra64.exe
Error deleting C:\WINDOWS\system32\sdra64.exe
Deleting file C:\WINDOWS\system32\sonhelp.htm
Deleting file C:\WINDOWS\system32\critical_warning.html
Deleting file C:\WINDOWS\system32\logon.exe
Error deleting C:\WINDOWS\system32\logon.exe
Deleting file C:\Program Files\AdvancedVirusRemover\PAVRM.exe
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--

exeHelper by Raktor - 09
Build 20090925
Run at 22:31:28 on 09/27/09
Now searching...
Checking for numerical processes...
Checking for bad processes...
Checking for bad files...
Deleting file C:\WINDOWS\system32\sdra64.exe
Error deleting C:\WINDOWS\system32\sdra64.exe
Deleting file C:\WINDOWS\system32\logon.exe
Error deleting C:\WINDOWS\system32\logon.exe
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--
  • 0
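Added example (not code from this thread or from the exeHelper tool): a small Python parser for the two-run exeHelper log format above. It splits the file on the "Run at" headers, treats a "Deleting file" line as a removal unless an "Error deleting" line for the same path follows it, and reports which files still failed in the final run, which is the situation the previous post's note about re-running describes. The sample log is constructed from the lines posted above, abridged.

```python
import re

# Constructed sample: the two exeHelper runs posted in this thread, concatenated
# the way the tool appends a re-run to the same log file (abridged).
SAMPLE_LOG = """exeHelper by Raktor - 09
Run at 22:28:59 on 09/27/09
Deleting file C:\\WINDOWS\\system32\\desot.exe
Deleting file C:\\WINDOWS\\system32\\sdra64.exe
Error deleting C:\\WINDOWS\\system32\\sdra64.exe
Deleting file C:\\WINDOWS\\system32\\logon.exe
Error deleting C:\\WINDOWS\\system32\\logon.exe
Deleting file C:\\Program Files\\AdvancedVirusRemover\\PAVRM.exe
--Finished--
exeHelper by Raktor - 09
Run at 22:31:28 on 09/27/09
Deleting file C:\\WINDOWS\\system32\\sdra64.exe
Error deleting C:\\WINDOWS\\system32\\sdra64.exe
Deleting file C:\\WINDOWS\\system32\\logon.exe
Error deleting C:\\WINDOWS\\system32\\logon.exe
--Finished--
"""

RUN_HEADER = re.compile(r"^Run at \S+ on \S+$")
DELETED = re.compile(r"^Deleting file (.+)$")
FAILED = re.compile(r"^Error deleting (.+)$")


def parse_runs(text):
    """Split a multi-run exeHelper log into one dict per run, mapping each
    path the tool touched to True (removed) or False (deletion failed)."""
    runs = []
    for line in text.splitlines():
        line = line.strip()
        if RUN_HEADER.match(line):
            runs.append({})          # each "Run at" header starts a new run
        elif runs:
            if m := DELETED.match(line):
                runs[-1][m.group(1)] = True   # provisional until an error follows
            elif m := FAILED.match(line):
                runs[-1][m.group(1)] = False  # same path: the attempt failed
    return runs


def summarize(text):
    """Return (removed, still_present): paths deleted in any run, and paths
    whose deletion still failed in the final run, which a re-run did not fix."""
    runs = parse_runs(text)
    if not runs:
        return [], []
    still_present = sorted(p for p, ok in runs[-1].items() if not ok)
    removed = {p for run in runs for p, ok in run.items() if ok}
    return sorted(removed - set(still_present)), still_present
```

Files that remain in the "still present" list after a re-run are the ones worth handing to a stronger tool, which is what the thread goes on to do.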

#6 handhfan (Trusted Helper, Expert, 13,659 posts)
Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.
  • 0

#7 jrdriv (Topic Starter, Member, 44 posts)
I did everything that was explained, and ComboFix was running; then the computer restarted. It continued to run, and it was going through the different stages. But when it looked like it was about to finish, the computer restarted. When it came back on it went to a blue error screen, and I couldn't do anything. So I manually restarted the computer and now I'm not sure if I should run ComboFix again, because there is no ComboFix log on my desktop.
  • 0

#8 handhfan (Trusted Helper, Expert, 13,659 posts)
Take a look in the C:\Qoobox folder. There should be a log.txt or another log file in there.
  • 0

#9 jrdriv (Topic Starter, Member, 44 posts)
There's not really a log file in that folder. I went to C:\Qoobox\Quarantine\Catchme and found...


-------- 2009-09-27 - 23:27:36 -------------

disk not found C:\WINDOWS\system32\sdra64.exe
File "C:\WINDOWS\system32\sdra64.exe" added successfully
driver loading error file "C:\WINDOWS\system32\sdra64.exe" deleted successfully


I don't know if this is it. But in C:\Qoobox that is the only text document I could find. There are other text documents on the C:\ . But again not sure if these are it.
The text documents on the C:\ are ...
CMLoader-nothing really in this.
dlcc
dlccscan
DTSHDSpOut-nothing in this.
inferno-nothing really in this.
TSCDebug-nothing really in this.
  • 0

#10 handhfan (Trusted Helper, Expert, 13,659 posts)
Okay. We'll try something else. :)

Download avz4.zip from here
  • Unzip it to your desktop to a folder named avz4
  • Double click on AVZ.exe to run it.
  • Run an update by clicking the Auto Update button on the Right of the Log window: Posted Image
  • Click Start to begin the update
Note: If you receive an error message, choose a different source, then click Start again


  • Start AVZ.
  • Choose from the menu "File" => "Standard scripts " and mark the "Healing/Quarantine and Advanced System Analysis" check box.
    Posted Image
  • Click on the “Execute selected scripts”.
  • Automatic scanning, healing and system check will be executed.
  • A logfile (avz_sysinfo.htm) will be created and saved in the LOG folder in the AVZ directory as virusinfo_syscure.zip.
  • It is necessary to reboot your machine, because AVZ might disturb some program operations (like antiviruses and firewall) during the system scan.
  • All applications will work properly after the system restart.

When restarted

  • Start AVZ.
  • Choose from the menu "File" => "Standard scripts " and mark the “Advanced System Analysis" check box.
    Posted Image
  • Click on the "Execute selected scripts".
  • A system check will be automatically performed, and the created logfile (avz_sysinfo.htm) will be saved in the LOG folder in the AVZ directory as virusinfo_syscheck.zip.

Attach both virusinfo_syscure.zip and virusinfo_syscheck.zip to your next post

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on Posted Image to insert the attachment into your post

  • 0

#11 jrdriv (Topic Starter, Member, 44 posts)
First off, I got AVZ and ran it, but in the beginning when I was supposed to choose from the menu "File" => "Standard scripts" and mark the "Healing/Quarantine and Advanced System Analysis" check box... there was no "Healing/Quarantine and.....". But in that exact spot was "Advanced System Analysis with Malware Removal mode enabled". I figured this was it, and ran it. In the end, I have the two zip files that are needed.


Attached File  virusinfo_syscheck.zip   36.02KB   207 downloads
Attached File  virusinfo_syscure.zip   36.88KB   232 downloads
  • 0

#12 handhfan (Trusted Helper, Expert, 13,659 posts)
  • Close all windows then double click on AVZ.exe
  • Click File > Custom scripts
  • Copy & paste the contents of the following codebox in the box in the program

    begin
    SetAVZPMStatus(True);
    SetAVZGuardStatus(True);
    SearchRootkit(true, true);
    SetServiceStart('1651030f.sys', 4);
    DeleteService('1651030f.sys');
    DeleteFile('C:\Documents and Settings\All Users\Microsoft Private Data\Microsoft\oixyujegyx.dll');
    BC_DeleteFile('C:\Documents and Settings\All Users\Microsoft Private Data\Microsoft\oixyujegyx.dll');
    DeleteFile('C:\WINDOWS\System32\drivers\1651030f.sys');
    BC_DeleteFile('C:\WINDOWS\System32\drivers\1651030f.sys');
    BC_ImportDeletedList;
    ExecuteSysClean;
    BC_Activate;
    RebootWindows(true);
    end.

  • Note: When you run the script, your PC will be restarted
  • Click Run
  • Restart your PC if it doesn't do it automatically, and post back with a new OTL log.

  • 0

#13 jrdriv (Topic Starter, Member, 44 posts)
I ran the script successfully and the computer automatically restarts. But there is no log that I can find. Is there a specific location to look in?
  • 0

#14 handhfan (Trusted Helper, Expert, 13,659 posts)
There is no log for it. Just scan with OTL again and post that log. :)
  • 0

#15 jrdriv (Topic Starter, Member, 44 posts)
I wasn't quite sure on what to run so I searched OTL, and found OTL by OldTimer.
I ran it and got a log, but every time I try to post it on here internet explorer shuts down. I can paste it in the box but when I hit reply Internet Explorer shuts down.

Edited by jrdriv, 01 October 2009 - 10:02 PM.

  • 0





