Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Can't run MBAM or anything else! HELP [Solved]

Started by mkb_78 , Jan 24 2010 11:57 AM

  • This topic is locked This topic is locked

#1
mkb_78
Posted 24 January 2010 - 11:57 AM

mkb_78

    Member

  • Member
  • PipPip
  • 11 posts
I was able to run ERUNT and TFC (the first steps on the geekstogo.com how-to). However, when I got to the MBAM step, nothing works. I've tried saving it as something different and all the steps listed on the Malwarebytes forum for when MBAM won't run. I cannot get anything else to work/download on that computer, so I'm saving files via flash drive from one computer to the other.

I'd appreciate any help with this! THANKS!!!

Here is my Hijack this log:
________________________________________________

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:41:09, on 1/21/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrobat.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
E:\Clean\Howdy.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft....k/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [lekarutay] Rundll32.exe "c:\windows\system32\rudajeki.dll",a
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [extrac64_cab.exe] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\extrac64_cab.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.gc.peachnet.edu
O15 - Trusted Zone: http://gil.gsc.edu
O15 - Trusted Zone: http://mail.gsc.edu
O15 - Trusted Zone: http://webmail.gsc.edu
O15 - Trusted Zone: http://www.gsc.edu
O15 - Trusted Zone: http://data.gc.peachnet.edu
O15 - Trusted Zone: http://mail.gc.peachnet.edu
O15 - Trusted Zone: http://titan.gc.peachnet.edu
O15 - Trusted Zone: http://troy.gc.peachnet.edu
O15 - Trusted Zone: http://webmail.gc.peachnet.edu
O15 - Trusted Zone: http://www.gc.peachnet.edu
O15 - Trusted Zone: http://vista.uga.edu
O15 - Trusted Zone: http://*.view.usg.edu
O15 - Trusted Zone: http://webct.usg.edu
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebo...toUploader5.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1189700275796
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1189700230250
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2....re/HPDEXAXO.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebo...oUploader55.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://l.yimg.com/jh...aploader_v6.cab
O20 - AppInit_DLLs: zarorero.dll c:\windows\system32\rudajeki.dll
O21 - SSODL: vukuvumiy - {b77ff2dd-e48d-441b-b911-f4dda1820c22} - c:\windows\system32\rudajeki.dll
O22 - SharedTaskScheduler: kupuhivus - {b77ff2dd-e48d-441b-b911-f4dda1820c22} - c:\windows\system32\rudajeki.dll
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 10368 bytes
  • 0

Advertisements

#2
Essexboy
Posted 24 January 2010 - 12:01 PM

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Hi we no longer use Hijackthis as it does not give us enough information to securely repair your computer or see where the main problems are

To ensure that I get all the information this log will need to be attached (instructions at the end) if it is to large to attach then upload to Mediafire and post the sharing link.

Download OTS to your Desktop
  • Close ALL OTHER PROGRAMS.
  • Double-click on OTS.exe to start the program.
  • Check the box that says Scan All Users
  • Under Additional Scans check the following:
    • Reg - Shell Spawning
    • File - Lop Check
    • File - Purity Scan
    • Evnt - EvtViewer (last 10)
  • Under the Custom Scan box paste this in
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Please attach the log in your next post.

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on Posted Image to insert the attachment into your post

  • 0

#3
mkb_78
Posted 24 January 2010 - 01:12 PM

mkb_78

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Attached is the OTS log. Thanks for your continued help!

Attached Files

  • Attached File  OTS.Txt   140.79KB   120 downloads

  • 0

#4
Essexboy
Posted 24 January 2010 - 02:58 PM

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
OK on completion of this run I would like you to try and run MBAM again please

Start OTS. Copy/Paste the information in the quotebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Unregister Dlls]
[Modules - Safe List]
YY -> jasoreje.dll -> C:\WINDOWS\system32\jasoreje.dll
YY -> mopifobi.dll -> C:\WINDOWS\system32\mopifobi.dll
[Registry - Safe List]
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-21-2008882232-3535489979-3949681337-500\] > -> HKEY_USERS\S-1-5-21-2008882232-3535489979-3949681337-500\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> "lekarutay" -> C:\WINDOWS\System32\jasoreje.DLL [Rundll32.exe "c:\windows\system32\jasoreje.dll",a]
< Run [HKEY_USERS\S-1-5-21-2008882232-3535489979-3949681337-500\] > -> HKEY_USERS\S-1-5-21-2008882232-3535489979-3949681337-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
NY -> "extrac64_cab.exe" -> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\extrac64_cab.exe [C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\extrac64_cab.exe]
< AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
*AppInit_DLLs* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls
YY -> c:\windows\system32\jasoreje.dll -> C:\WINDOWS\system32\jasoreje.dll
YY -> mopifobi.dll -> C:\WINDOWS\System32\mopifobi.dll
< AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
< SSODL [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
YY -> "{3d75b586-1b16-4f1f-997e-6a8c92ae0d3d}" [HKLM] -> C:\WINDOWS\system32\jasoreje.dll [liworusod]
< SharedTaskScheduler [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
YY -> "{3d75b586-1b16-4f1f-997e-6a8c92ae0d3d}" [HKLM] -> C:\WINDOWS\system32\jasoreje.dll [gahurihor]
< MountPoints2 [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7ab8ed40-06f8-11df-9b13-001cbfb401f3}\Shell\Open(&0)\command -> 
YN -> \{7ab8ed40-06f8-11df-9b13-001cbfb401f3}\Shell\Open(&0)\command\\"" -> [Recycled\ctfmon.exe]
[Files/Folders - Modified Within 30 Days]
NY ->  jasoreje.dll -> C:\WINDOWS\System32\jasoreje.dll
NY ->  muguvora.dll -> C:\WINDOWS\System32\muguvora.dll
NY ->  yuniyuzi.dll -> C:\WINDOWS\System32\yuniyuzi.dll
NY ->  sawikali.dll -> C:\WINDOWS\System32\sawikali.dll
NY ->  pamuyomi.dll -> C:\WINDOWS\System32\pamuyomi.dll
NY ->  mopifobi.dll -> C:\WINDOWS\System32\mopifobi.dll
NY ->  vipuliji.dll -> C:\WINDOWS\System32\vipuliji.dll
NY ->  horarugo.dll -> C:\WINDOWS\System32\horarugo.dll
NY ->  kiraduyi -> C:\WINDOWS\System32\kiraduyi
NY ->  emakwzdb.job -> C:\WINDOWS\tasks\emakwzdb.job
[Files - No Company Name]
NY ->  jasoreje.dll -> C:\WINDOWS\System32\jasoreje.dll
NY ->  muguvora.dll -> C:\WINDOWS\System32\muguvora.dll
NY ->  yuniyuzi.dll -> C:\WINDOWS\System32\yuniyuzi.dll
NY ->  sawikali.dll -> C:\WINDOWS\System32\sawikali.dll
NY ->  pamuyomi.dll -> C:\WINDOWS\System32\pamuyomi.dll
NY ->  mopifobi.dll -> C:\WINDOWS\System32\mopifobi.dll
NY ->  vipuliji.dll -> C:\WINDOWS\System32\vipuliji.dll
NY ->  horarugo.dll -> C:\WINDOWS\System32\horarugo.dll
NY ->  kiraduyi -> C:\WINDOWS\System32\kiraduyi
NY ->  emakwzdb.job -> C:\WINDOWS\tasks\emakwzdb.job
[File - Lop Check]
NY ->  emakwzdb.job -> C:\WINDOWS\Tasks\emakwzdb.job
[Empty Temp Folders]

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new OTS log.

I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.
  • 0

#5
mkb_78
Posted 24 January 2010 - 06:28 PM

mkb_78

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
I still cannot run MBAM. Attached are the new OTS log, the RunFix results, and a screen shot of the error message I get during the very last step of the MBAM set up.

Attached Thumbnails

  • ScreenShot_NoMBAM.JPG

Attached Files


  • 0

#6
Essexboy
Posted 25 January 2010 - 01:28 PM

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
OK I am deleteing all of the MBAM elements, also a few files have refused to go so I will use a bigger hammer :)

Start OTS. Copy/Paste the information in the quotebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Unregister Dlls]
[Registry - Safe List]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> "lekarutay" -> C:\WINDOWS\System32\jasoreje.DLL [Rundll32.exe "c:\windows\system32\jasoreje.dll",a]
< AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
*AppInit_DLLs* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls
YY -> c:\windows\system32\jasoreje.dll -> C:\WINDOWS\System32\jasoreje.dll
YN -> mopifobi.dll -> 
< AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
< SSODL [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
YY -> "{3d75b586-1b16-4f1f-997e-6a8c92ae0d3d}" [HKLM] -> C:\WINDOWS\System32\jasoreje.dll [liworusod]
< SharedTaskScheduler [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
YY -> "{3d75b586-1b16-4f1f-997e-6a8c92ae0d3d}" [HKLM] -> C:\WINDOWS\System32\jasoreje.dll [gahurihor]
[Files/Folders - Created Within 30 Days]
NY ->  mbamswissarmy.sys -> C:\WINDOWS\System32\drivers\mbamswissarmy.sys
NY ->  mbam.sys -> C:\WINDOWS\System32\drivers\mbam.sys
NY ->  Malwarebytes' Anti-Malware -> C:\Program Files\Malwarebytes' Anti-Malware
[Files/Folders - Modified Within 30 Days]
NY ->  tanokoge.dll -> C:\WINDOWS\System32\tanokoge.dll
NY ->  zuwokuwu.dll -> C:\WINDOWS\System32\zuwokuwu.dll
NY ->  wiyoyova.dll -> C:\WINDOWS\System32\wiyoyova.dll
NY ->  Malwarebytes' Anti-Malware.lnk -> C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
NY ->  seicgmiw.job -> C:\WINDOWS\tasks\seicgmiw.job
NY ->  kiraduyi -> C:\WINDOWS\System32\kiraduyi
NY ->  mbamswissarmy.sys -> C:\WINDOWS\System32\drivers\mbamswissarmy.sys
NY ->  mbam.sys -> C:\WINDOWS\System32\drivers\mbam.sys
[Files - No Company Name]
NY ->  tanokoge.dll -> C:\WINDOWS\System32\tanokoge.dll
NY ->  zuwokuwu.dll -> C:\WINDOWS\System32\zuwokuwu.dll
NY ->  wiyoyova.dll -> C:\WINDOWS\System32\wiyoyova.dll
NY ->  kiraduyi -> C:\WINDOWS\System32\kiraduyi
NY ->  seicgmiw.job -> C:\WINDOWS\tasks\seicgmiw.job
[File - Lop Check]
NY ->  seicgmiw.job -> C:\WINDOWS\Tasks\seicgmiw.job

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new OTS log.

I will review the information when it comes back in.

THEN

Download Combofix from any of the links below. You must rename it before saving rename it to Gotcha before saving it to your desktop.

Link 1
Link 2


==================================
Posted Image

Double click on the renamed ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt so we can continue cleaning the system.



Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.
  • 0

#7
mkb_78
Posted 25 January 2010 - 05:47 PM

mkb_78

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
I cannot run ComboFix on the infected computer and I'm still having to download files on this (OK) computer and transfer them via flash drive to the infected computer. I remaned ComboFix and when I tried to run it, I only got as far as the loading green bars. Maybe you still need a BIGGER hammer!

Here's the new FIX text:

Attached Files


  • 0

#8
Essexboy
Posted 26 January 2010 - 12:22 PM

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
One bigger hammer coming up :)

This programme can be run in safe mode if needed

Please download this file to your desktop. It is in screensaver format

  • Double click on Kill.scr to run it.

  • Choose from the menu "File" => "Standard scripts " and mark the "Advanced System Analysis with Malware removal mode enabled " check box.
    Posted Image
  • Click on the “Execute selected scripts”.
  • Automatic scanning, healing and system check will be executed.
  • A logfile (avz_sysinfo.htm) will be created and saved in the LOG folder in the AVZ directory as virusinfo_syscure.zip.
  • It is necessary to reboot your machine, because AVZ might disturb some program operations (like antiviruses and firewall) during the system scan.
  • All applications will work properly after the system restart.

When restarted

  • Start AVZ.
  • Choose from the menu "File" => "Standard scripts " and mark the “Advanced System Analysis " check box.
    Posted Image
  • Click on the "Execute selected scripts".
  • A system check will be automatically performed, and the created logfile (avz_sysinfo.htm) will be saved in the LOG folder in the AVZ directory as virusinfo_syscheck.zip.

Attach both virusinfo_syscure.zip and virusinfo_syscheck.zip to your next post

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on Posted Image to insert the attachment into your post

  • 0

#9
mkb_78
Posted 26 January 2010 - 07:48 PM

mkb_78

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
:) Got it, boss. What's next?

~Melissa♪

Attached Files


  • 0

#10
Essexboy
Posted 27 January 2010 - 03:06 AM

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
OK the big hammer sees it - now to smash :)

AVZ FIX

  • Double click on AVZ.exe
  • Click File > Custom scripts
  • Copy & paste the contents of the following codebox in the box in the program (start with begin and end with end )
    begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
SetAVZPMStatus(True);
 BC_DeleteFile('c:\windows\system32\tanokoge.dll');
 DeleteFile('c:\windows\system32\tanokoge.dll');
 BC_DeleteFile('\\?\globalroot\systemroot\system32\H8SRTovbttbuthx.dll');
 DeleteFile('\\?\globalroot\systemroot\system32\H8SRTovbttbuthx.dll');
 RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Run','lekarutay');
 RegKeyParamDel('HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler','{f0f0215d-e0a7-4241-a953-9c1adedf2989}');
 RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad','varefuweb');
 BC_DeleteFile('pamuyomi.dll');
 DeleteFile('pamuyomi.dll');
BC_ImportDeletedList;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.
  • Note: When you run the script, your PC will be restarted
  • Click Run
  • Restart your PC if it doesn't do it automatically.

ON COMPLETION

  • Start AVZ.
  • Choose from the menu "File" => "Standard scripts " and mark the “Advanced System Analysis" check box.
  • Click on the "Execute selected scripts".
  • A system check will be automatically performed, and the created logfile (avz_sysinfo.htm) will be saved in the LOG folder in the AVZ directory as virusinfo_syscheck.zip.

Attach the zip file to your next post


Immediately this has run retry MBAM
  • 0

Advertisements

#11
mkb_78
Posted 28 January 2010 - 06:51 PM

mkb_78

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Go Hammer Go! I ran the scripts, but the same pop up popped up while running the scan afterward and I also got a message on the notification era that my antivirus had been disabled! Good Grief! Attached is the zip file.

I'm trying to run MBAM, but it's staying frozen at the end of the installation. I will post a response to this tonight if it ever finishes running or attempts to.

~Melissa

Attached Files


  • 0

#12
Essexboy
Posted 29 January 2010 - 11:48 AM

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
OK lets use the bigger brother and see if that can kill it

1. Please download The Avenger2 by Swandog46 to your Desktop.
  • Right click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the avenger folder to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Begin copying here:

Drivers to delete:
H8SRT
H8SRTpdqvssrngx
H8SRTpdqvssrngx.sys

Files to delete:
C:\windows\system32\drivers\H8SRTpdqvssrngx.sys

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, open the avenger folder and start The Avenger program by clicking on its icon.
  • Right click on the window under Input script here:, and select Paste.
  • You can also Paste the text copied to the clipboard into this window by pressing (Ctrl+V), or click on the third button under the menu to paste it from the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete" or "Drivers to Disable", The Avenger will actually restart your system twice.)
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply [/b].
  • 0

#13
mkb_78
Posted 29 January 2010 - 04:08 PM

mkb_78

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Here is the text. I'm FINALLY able to run MBAM! :) The hammer :) is working! MBAM is scanning now. Let me know the next step from there!



Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "H8SRTd.sys" found!
ImagePath: \systemroot\system32\drivers\H8SRTpdqvssrngx.sys
Start Type: 1 (System)

Rootkit scan completed.


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\H8SRT" not found!
Deletion of driver "H8SRT" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\H8SRTpdqvssrngx" not found!
Deletion of driver "H8SRTpdqvssrngx" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\H8SRTpdqvssrngx.sys" not found!
Deletion of driver "H8SRTpdqvssrngx.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "C:\windows\system32\drivers\H8SRTpdqvssrngx.sys" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.
  • 0

#14
Essexboy
Posted 29 January 2010 - 04:19 PM

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
OK lets kill the driver - my guess at the correct name was not quite right :)

Run this on completion of the MBAM run and post both logs please

1. Please download The Avenger2 by Swandog46 to your Desktop.
  • Right click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the avenger folder to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Begin copying here:

Drivers to delete:
H8SRTd.sys

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, open the avenger folder and start The Avenger program by clicking on its icon.
  • Right click on the window under Input script here:, and select Paste.
  • You can also Paste the text copied to the clipboard into this window by pressing (Ctrl+V), or click on the third button under the menu to paste it from the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete" or "Drivers to Disable", The Avenger will actually restart your system twice.)
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply
  • 0

#15
mkb_78
Posted 29 January 2010 - 04:58 PM

mkb_78

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\H8SRTd.sys" not found!
Deletion of driver "H8SRTd.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Completed script processing.

*******************

Finished! Terminate.



_____________________________________________________________________________________

Malwarebytes' Anti-Malware 1.44
Database version: 3659
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

1/29/2010 5:43:15 PM
mbam-log-2010-01-29 (17-43-15).txt

Scan type: Full Scan (C:\|)
Objects scanned: 246819
Time elapsed: 32 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 12
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 16

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\H8SRT (Rootkit.TDSS) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\h8srtd.sys (Rootkit.TDSS) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\32788R22FWJFW.0.tmp\pv.com (Trojan.Agent) -> Quarantined and deleted successfully.
C:\32788R22FWJFW.0.tmp\Combo-Fix.sys (Malware.Trace) -> Quarantined and deleted successfully.
C:\32788R22FWJFW.1.tmp\pv.com (Trojan.Agent) -> Quarantined and deleted successfully.
C:\32788R22FWJFW.1.tmp\Combo-Fix.sys (Malware.Trace) -> Quarantined and deleted successfully.
C:\32788R22FWJFW.2.tmp\pv.com (Trojan.Agent) -> Quarantined and deleted successfully.
C:\32788R22FWJFW.2.tmp\Combo-Fix.sys (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\temp\H8SRT8f22.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\H8SRTovbttbuthx.bak (Rootkit.TDSS.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\H8SRTweqcfykmrq.dll (Rootkit.TDSS.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\H8SRTevxtukpuha.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\H8SRTfxyymbnrcw.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\h8srtshsyst.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\H8SRTpxmkfqxdqw.dat (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\temp\H8SRT7d2a.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\h8srtkrl32mainweq.dll (Rootkit.Trace) -> Quarantined and deleted successfully.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP