[Rwtfnow]

These 2 programs keep on bugging me and i cannot get anything done. i cannot even access the internet. PLEASE HELP ME

[Advertisements]

Hi there lets try this little combo - do you have the ability to transfer programmes to the sick computer

Download RogueKiller to your desktop

• Quit all running programs
• For Vista/Seven, right click -> run as administrator, for XP simply run RogueKiller.exe
• When prompted, type 1 and validate
• The RKreport.txt shall be generated next to the executable.
• If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe

Please post the contents of the RKreport.txt in your next Reply.

THEN

Download OTL to your Desktop

• Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
• Select All Users
• Under the Custom Scan box paste this in
  
  netsvcs
  %SYSTEMDRIVE%\*.exe
  %temp%\smtmp\*.* /s
  /md5start
  explorer.exe
  winlogon.exe
  Userinit.exe
  svchost.exe
  /md5stop
  %systemroot%\*. /mp /s
  hklm\software\clients\startmenuinternet|command /rs
  hklm\software\clients\startmenuinternet|command /64 /rs
  CREATERESTOREPOINT
  
  
• Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
  
• When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
• Post both logs

[Essexboy]

Hi there lets try this little combo - do you have the ability to transfer programmes to the sick computer

Download RogueKiller to your desktop

• Quit all running programs
• For Vista/Seven, right click -> run as administrator, for XP simply run RogueKiller.exe
• When prompted, type 1 and validate
• The RKreport.txt shall be generated next to the executable.
• If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe

Please post the contents of the RKreport.txt in your next Reply.

THEN

Download OTL to your Desktop

• Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
• Select All Users
• Under the Custom Scan box paste this in
  
  netsvcs
  %SYSTEMDRIVE%\*.exe
  %temp%\smtmp\*.* /s
  /md5start
  explorer.exe
  winlogon.exe
  Userinit.exe
  svchost.exe
  /md5stop
  %systemroot%\*. /mp /s
  hklm\software\clients\startmenuinternet|command /rs
  hklm\software\clients\startmenuinternet|command /64 /rs
  CREATERESTOREPOINT
  
  
• Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
  
• When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
• Post both logs

[Rwtfnow]

I am not sure on how to transfer programs to the computer.

[Essexboy]

Do you have a USB drive ?

Or can you burn a CD

This is on the basis that you have no internet connection on the infected computer

[Rwtfnow]

yes i do i will try the usb drive

[Rwtfnow]

i get that thing to my sick computer but it will not run it

[Essexboy]

Could you run RogueKiller but rename it to winlogon

If not we could burn a cd and work outside of windows

[Rwtfnow]

yeah i tried both names and they didnt run. lets try the cd

[Essexboy]

OK this may give you internet access as well

Please print these instruction out so that you know what you are doing

Latest version: v3.1.46.0

OTLPENet.exe
MD5=79209302A1AFB2490808DB890A815CED
Size: 127,222,215b / 121.3MB

• Download the attached scan.txt to a USB drive [attachment=50775:scan.txt]
• Download OTLPENet.exe to your desktop
• Ensure that you have a blank CD in the drive
• Double click OTLPENet.exe and this will then open imgburn to burn the file to CD
  
• Reboot your system using the boot CD you just created.
  Note : If you do not know how to set your computer to boot from CD follow the steps here
• As the CD needs to detect your hardware and load the operating system, I would recommend a nice cup of tea whilst it loads
  
  
• Your system should now display a Reatogo desktop.
  Note : as you are running from CD it is not exactly speedy
• Double-click on the OTLPE icon.
• Select the Windows folder of the infected drive if it asks for a location
• When asked "Do you wish to load the remote registry", select Yes
• When asked "Do you wish to load remote user profile(s) for scanning", select Yes
• Ensure the box "Automatically Load All Remaining Users" is checked and press OK
• OTL should now start.
• Double click the Custom scans and fixes box
• In the dialogue locate the scan.txt you have on the USB
• Press Run Scan to start the scan.
• When finished, the file will be saved in drive C:\OTL.txt
• Copy this file to your USB drive if you do not have internet connection on this system.
• Right click the file and select send to : select the USB drive.
• Confirm that it has copied to the USB drive by selecting it
• You can backup any files that you wish from this OS
• Please post the contents of the C:\OTL.txt file in your reply.

[Rwtfnow]

during what steps do i switch the cd over to the sick computer?

[Essexboy]

As soon as it is burnt then use the CD to boot the sick system to a PE environment

Reboot your system using the boot CD you just created.
Note : If you do not know how to set your computer to boot from CD follow the steps here

[Rwtfnow]

RogueKiller V5.2.2 [06/05/2011] by Tigzy
contact at http://www.sur-la-toile.com
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.sur-la-to...-Remontees.html

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: Jeremy Gunther [Admin rights]
Mode: Scan -- Date : 06/12/2011 10:34:38

Bad processes: 2
[SUSP PATH] xgs.exe -- c:\documents and settings\localservice\local settings\application data\xgs.exe -> KILLED
[SUSP PATH] setui70vir.exe -- c:\documents and settings\jeremy gunther\application data\1bd90a06d9d7fec39db71ffa9a5a6aa4\setui70vir.exe -> KILLED

Registry Entries: 14
[SUSP PATH] HKCU\[...]\Run : setui70vir.exe (C:\Documents and Settings\Jeremy Gunther\Application Data\1BD90A06D9D7FEC39DB71FFA9A5A6AA4\setui70vir.exe) -> FOUND
[BLACKLIST DLL] HKLM\[...]\Run : USB2Check (RUNDLL32.EXE "C:\WINDOWS\system32\PCLECoInst.dll",CheckUSBController) -> FOUND
[SUSP PATH] HKUS\S-1-5-21-2000478354-1677128483-854245398-1003[...]\Run : setui70vir.exe (C:\Documents and Settings\Jeremy Gunther\Application Data\1BD90A06D9D7FEC39DB71FFA9A5A6AA4\setui70vir.exe) -> FOUND
[HJ] HKLM\[...]\Security Center : AntiVirusDisableNotify (1) -> FOUND
[HJ] HKLM\[...]\Security Center : FirewallDisableNotify (1) -> FOUND
[HJ] HKLM\[...]\Security Center : UpdatesDisableNotify (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[FILEASSO] HKCU\[...]Software\Classes\.exe\shell\open\command : ("C:\Documents and Settings\LocalService\Local Settings\Application Data\xgs.exe" -a "%1" %*) -> FOUND
[FILEASSO] HKCU\[...]Software\Classes\exefile\shell\open\command : ("C:\Documents and Settings\LocalService\Local Settings\Application Data\xgs.exe" -a "%1" %*) -> FOUND
[FILEASSO] HKLM\[...]Software\Classes\.exe\shell\open\command : ("C:\Documents and Settings\LocalService\Local Settings\Application Data\xgs.exe" -a "%1" %*) -> FOUND
[FILEASSO] HKLM\[...]Software\Classes\exefile\shell\open\command : ("C:\Documents and Settings\LocalService\Local Settings\Application Data\xgs.exe" -a "%1" %*) -> FOUND
[FILEASSO] HKCR\[...]exefile\shell\open\command : ("C:\Documents and Settings\LocalService\Local Settings\Application Data\xgs.exe" -a "%1" %*) -> FOUND
[FILEASSO] HKCR\[...].exe\shell\open\command : ("C:\Documents and Settings\LocalService\Local Settings\Application Data\xgs.exe" -a "%1" %*) -> FOUND
[FILEASSO] HKLM\[...]Software\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command : ("C:\Documents and Settings\LocalService\Local Settings\Application Data\xgs.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe") -> FOUND

HOSTS File:
67.205.118.181 www.google.com
67.205.118.182 search.yahoo.com
67.205.118.182 www.bing.com


Finished : << RKreport[1].txt >>
RKreport[1].txt








Just got the roguekiller to work!!!!!!!!!!

[Essexboy]

OK re-run RogueKiller and select option 2

Once done this should enable you to run OTL

[Essexboy]

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.