Malware that is preventing me to open Task manager



#1 Ronxxx (New Member, 6 posts)
I have malware on my old laptop that is preventing me from running Task Manager, and when I try to download security software it does not let me.
It would just download up to 95 percent and then it won't continue. I only have Malwarebytes, the free one, and it discovers 8 infections ... I'm getting that trojan Pramro,
and I've seen on my C drive the uthh.exe that cannot be deleted. And while searching for a
cure I have seen this ComboFix, and out of curiosity I've downloaded and run it, but nothing happened. I hope you guys can help me out ... thanks in advance.
This is my OTL log file.
Note: this is my first time doing forums, just tell me if I did something wrong .. thanks.

OTL Extras logfile created on: 1/21/2012 10:51:10 AM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\Ron\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00003409 | Country: Republic of the Philippines | Language: ENP | Date Format: M/d/yyyy

1014.42 Mb Total Physical Memory | 529.20 Mb Available Physical Memory | 52.17% Memory free
2.38 Gb Paging File | 2.00 Gb Available in Paging File | 83.94% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 86.39 Gb Total Space | 61.11 Gb Free Space | 70.74% Space Free | Partition Type: NTFS
Drive E: | 5.75 Gb Total Space | 0.55 Gb Free Space | 9.59% Space Free | Partition Type: FAT32

Computer Name: RON-82C6EAEB99E | User Name: Ron | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.url [@ = InternetShortcut] -- rundll32.exe shdocvw.dll,OpenURL %l

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
InternetShortcut [open] -- rundll32.exe shdocvw.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 1
"FirewallDisableNotify" = 1
"UpdatesDisableNotify" = 1
"AntiVirusOverride" = 1
"FirewallOverride" = 1
"UacDisableNotify" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 1
"AntiVirusDisableNotify" = 1
"FirewallDisableNotify" = 1
"FirewallOverride" = 1
"UpdatesDisableNotify" = 1
"UacDisableNotify" = 1

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"E:\orat.pif" = E:\orat.pif:*:Enabled:ipsec -- ()
"C:\WINDOWS\Explorer.EXE" = C:\WINDOWS\explorer.exe:*:Enabled:ipsec -- (Microsoft Corporation)
"C:\DOCUME~1\Ron\LOCALS~1\Temp\winhivch.exe" = C:\DOCUME~1\Ron\LOCALS~1\Temp\winhivch.exe:*:Enabled:ipsec
"C:\DOCUME~1\Ron\LOCALS~1\Temp\winffpi.exe" = C:\DOCUME~1\Ron\LOCALS~1\Temp\winffpi.exe:*:Enabled:ipsec
"C:\uthh.exe" = C:\uthh.exe:*:Enabled:ipsec -- ()
"C:\DOCUME~1\Ron\LOCALS~1\Temp\xcmxf.exe" = C:\DOCUME~1\Ron\LOCALS~1\Temp\xcmxf.exe:*:Enabled:ipsec
"C:\Program Files\Mozilla Firefox\firefox.exe" = C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:ipsec -- (Mozilla Corporation)
"C:\DOCUME~1\Ron\LOCALS~1\Temp\bttf.exe" = C:\DOCUME~1\Ron\LOCALS~1\Temp\bttf.exe:*:Enabled:ipsec
"C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\qlbPres.exe" = C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\qlbPres.exe:*:Enabled:ipsec -- (Hewlett-Packard Company)
"C:\DOCUME~1\Ron\LOCALS~1\Temp\aqos.exe" = C:\DOCUME~1\Ron\LOCALS~1\Temp\aqos.exe:*:Enabled:ipsec
"C:\DOCUME~1\Ron\LOCALS~1\Temp\lkbglh.exe" = C:\DOCUME~1\Ron\LOCALS~1\Temp\lkbglh.exe:*:Enabled:ipsec
"C:\DOCUME~1\Ron\LOCALS~1\Temp\hlcf.exe" = C:\DOCUME~1\Ron\LOCALS~1\Temp\hlcf.exe:*:Enabled:ipsec
"C:\DOCUME~1\Ron\LOCALS~1\Temp\hwdy.exe" = C:\DOCUME~1\Ron\LOCALS~1\Temp\hwdy.exe:*:Enabled:ipsec
"C:\DOCUME~1\Ron\LOCALS~1\Temp\winurgwts.exe" = C:\DOCUME~1\Ron\LOCALS~1\Temp\winurgwts.exe:*:Enabled:ipsec
"C:\DOCUME~1\Ron\LOCALS~1\Temp\winhihpp.exe" = C:\DOCUME~1\Ron\LOCALS~1\Temp\winhihpp.exe:*:Enabled:ipsec
"C:\DOCUME~1\Ron\LOCALS~1\Temp\winxqvxf.exe" = C:\DOCUME~1\Ron\LOCALS~1\Temp\winxqvxf.exe:*:Enabled:ipsec
"C:\DOCUME~1\Ron\LOCALS~1\Temp\hfir.exe" = C:\DOCUME~1\Ron\LOCALS~1\Temp\hfir.exe:*:Enabled:ipsec
"C:\DOCUME~1\Ron\LOCALS~1\Temp\unlvcq.exe" = C:\DOCUME~1\Ron\LOCALS~1\Temp\unlvcq.exe:*:Enabled:ipsec
"C:\DOCUME~1\Ron\LOCALS~1\Temp\oroa.exe" = C:\DOCUME~1\Ron\LOCALS~1\Temp\oroa.exe:*:Enabled:ipsec
"C:\DOCUME~1\Ron\LOCALS~1\Temp\svgd.exe" = C:\DOCUME~1\Ron\LOCALS~1\Temp\svgd.exe:*:Enabled:ipsec
"C:\DOCUME~1\Ron\LOCALS~1\Temp\gmihx.exe" = C:\DOCUME~1\Ron\LOCALS~1\Temp\gmihx.exe:*:Enabled:ipsec
"C:\WINDOWS\system32\userinit.exe" = C:\WINDOWS\system32\userinit.exe:*:Enabled:ipsec -- (Microsoft Corporation)
"C:\DOCUME~1\Ron\LOCALS~1\Temp\abfe.exe" = C:\DOCUME~1\Ron\LOCALS~1\Temp\abfe.exe:*:Enabled:ipsec
"C:\DOCUME~1\Ron\LOCALS~1\Temp\mmnla.exe" = C:\DOCUME~1\Ron\LOCALS~1\Temp\mmnla.exe:*:Enabled:ipsec
"C:\DOCUME~1\Ron\LOCALS~1\Temp\xwvivf.exe" = C:\DOCUME~1\Ron\LOCALS~1\Temp\xwvivf.exe:*:Enabled:ipsec
"C:\DOCUME~1\Ron\LOCALS~1\Temp\lwdsc.exe" = C:\DOCUME~1\Ron\LOCALS~1\Temp\lwdsc.exe:*:Enabled:ipsec
"C:\DOCUME~1\Ron\LOCALS~1\Temp\cdss.exe" = C:\DOCUME~1\Ron\LOCALS~1\Temp\cdss.exe:*:Enabled:ipsec
"C:\Program Files\Garena Plus\GarenaMessenger.exe" = C:\Program Files\Garena Plus\GarenaMessenger.exe:*:Enabled:ipsec -- ()
"C:\DOCUME~1\Ron\LOCALS~1\Temp\winkdcykd.exe" = C:\DOCUME~1\Ron\LOCALS~1\Temp\winkdcykd.exe:*:Enabled:ipsec
"C:\DOCUME~1\Ron\LOCALS~1\Temp\ttpsa.exe" = C:\DOCUME~1\Ron\LOCALS~1\Temp\ttpsa.exe:*:Enabled:ipsec
"C:\DOCUME~1\Ron\LOCALS~1\Temp\winjmyrkg.exe" = C:\DOCUME~1\Ron\LOCALS~1\Temp\winjmyrkg.exe:*:Enabled:ipsec
"C:\DOCUME~1\Ron\LOCALS~1\Temp\lcybvq.exe" = C:\DOCUME~1\Ron\LOCALS~1\Temp\lcybvq.exe:*:Enabled:ipsec
"C:\DOCUME~1\Ron\LOCALS~1\Temp\winibjyx.exe" = C:\DOCUME~1\Ron\LOCALS~1\Temp\winibjyx.exe:*:Enabled:ipsec
"C:\DOCUME~1\Ron\LOCALS~1\Temp\winxwxwyj.exe" = C:\DOCUME~1\Ron\LOCALS~1\Temp\winxwxwyj.exe:*:Enabled:ipsec
"C:\DOCUME~1\Ron\LOCALS~1\Temp\winemovuk.exe" = C:\DOCUME~1\Ron\LOCALS~1\Temp\winemovuk.exe:*:Enabled:ipsec
"C:\DOCUME~1\Ron\LOCALS~1\Temp\duwh.exe" = C:\DOCUME~1\Ron\LOCALS~1\Temp\duwh.exe:*:Enabled:ipsec
"C:\DOCUME~1\Ron\LOCALS~1\Temp\winhhocmp.exe" = C:\DOCUME~1\Ron\LOCALS~1\Temp\winhhocmp.exe:*:Enabled:ipsec
"C:\DOCUME~1\Ron\LOCALS~1\Temp\vrer.exe" = C:\DOCUME~1\Ron\LOCALS~1\Temp\vrer.exe:*:Enabled:ipsec
"C:\DOCUME~1\Ron\LOCALS~1\Temp\winalrhif.exe" = C:\DOCUME~1\Ron\LOCALS~1\Temp\winalrhif.exe:*:Enabled:ipsec
"C:\DOCUME~1\Ron\LOCALS~1\Temp\winslgc.exe" = C:\DOCUME~1\Ron\LOCALS~1\Temp\winslgc.exe:*:Enabled:ipsec
"C:\DOCUME~1\Ron\LOCALS~1\Temp\vrdk.exe" = C:\DOCUME~1\Ron\LOCALS~1\Temp\vrdk.exe:*:Enabled:ipsec
"C:\DOCUME~1\Ron\LOCALS~1\Temp\jliv.exe" = C:\DOCUME~1\Ron\LOCALS~1\Temp\jliv.exe:*:Enabled:ipsec
"C:\DOCUME~1\Ron\LOCALS~1\Temp\fquyx.exe" = C:\DOCUME~1\Ron\LOCALS~1\Temp\fquyx.exe:*:Enabled:ipsec
"C:\DOCUME~1\Ron\LOCALS~1\Temp\winjjyqqx.exe" = C:\DOCUME~1\Ron\LOCALS~1\Temp\winjjyqqx.exe:*:Enabled:ipsec
"C:\DOCUME~1\Ron\LOCALS~1\Temp\winxnnrcd.exe" = C:\DOCUME~1\Ron\LOCALS~1\Temp\winxnnrcd.exe:*:Enabled:ipsec
"C:\Program Files\uTorrent\uTorrent.exe" = C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:ipsec -- (BitTorrent, Inc.)
"C:\DOCUME~1\Ron\LOCALS~1\Temp\wbhpjq.exe" = C:\DOCUME~1\Ron\LOCALS~1\Temp\wbhpjq.exe:*:Enabled:ipsec
"C:\DOCUME~1\Ron\LOCALS~1\Temp\kexwbw.exe" = C:\DOCUME~1\Ron\LOCALS~1\Temp\kexwbw.exe:*:Enabled:ipsec
"C:\DOCUME~1\Ron\LOCALS~1\Temp\winysde.exe" = C:\DOCUME~1\Ron\LOCALS~1\Temp\winysde.exe:*:Enabled:ipsec
"C:\DOCUME~1\Ron\LOCALS~1\Temp\winlyorke.exe" = C:\DOCUME~1\Ron\LOCALS~1\Temp\winlyorke.exe:*:Enabled:ipsec
"C:\DOCUME~1\Ron\LOCALS~1\Temp\uvapf.exe" = C:\DOCUME~1\Ron\LOCALS~1\Temp\uvapf.exe:*:Enabled:ipsec -- ()


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{34D2AB40-150D-475D-AE32-BD23FB5EE355}" = HP Quick Launch Buttons 6.30 J1
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{4302B2DD-D958-40E3-BAF3-B07FFE1978CE}" = HP Wireless Assistant 1.01 C1
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Graphics Media Accelerator Driver for Mobile
"{AD7914E1-6453-4440-AEC7-02C72AD6FE5F}" = TIPCI
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"Free Download Manager_is1" = Free Download Manager 3.8
"im" = Garena Plus
"InstallShield_{AD7914E1-6453-4440-AEC7-02C72AD6FE5F}" = Texas Instruments PCIxx21/x515/xx12 drivers.
"KLiteCodecPack_is1" = K-Lite Codec Pack 8.1.0 (Full)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.60.0.1800
"Mozilla Firefox 9.0.1 (x86 en-US)" = Mozilla Firefox 9.0.1 (x86 en-US)
"uTorrent" = µTorrent
"VLC media player" = VLC media player 1.1.11
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"WinRAR archiver" = WinRAR 4.10 beta 5 (32-bit)

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 1/16/2012 2:26:12 AM | Computer Name = RON-82C6EAEB99E | Source = Application Error | ID = 1000
Description = Faulting application sp29885.exe, version 4.0.100.1189, faulting module
unknown, version 0.0.0.0, fault address 0x34312e36.

Error - 1/20/2012 7:20:36 PM | Computer Name = RON-82C6EAEB99E | Source = Application Hang | ID = 1002
Description = Hanging application HiJackThis.exe, version 2.0.0.4, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

[ System Events ]
Error - 1/20/2012 9:33:36 PM | Computer Name = RON-82C6EAEB99E | Source = SideBySide | ID = 16842784
Description = Dependent Assembly Microsoft.VC80.CRT could not be found and Last
Error was The referenced assembly is not installed on your system.

Error - 1/20/2012 9:33:36 PM | Computer Name = RON-82C6EAEB99E | Source = SideBySide | ID = 16842811
Description = Resolve Partial Assembly failed for Microsoft.VC80.CRT. Reference error
message: The referenced assembly is not installed on your system. .

Error - 1/20/2012 9:33:36 PM | Computer Name = RON-82C6EAEB99E | Source = SideBySide | ID = 16842811
Description = Generate Activation Context failed for C:\Program Files\Mozilla Firefox\components\browsercomps.dll.
Reference
error message: The operation completed successfully. .

Error - 1/20/2012 9:44:35 PM | Computer Name = RON-82C6EAEB99E | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
PCIIde

Error - 1/20/2012 10:05:23 PM | Computer Name = RON-82C6EAEB99E | Source = SideBySide | ID = 16842784
Description = Dependent Assembly Microsoft.VC80.CRT could not be found and Last
Error was The referenced assembly is not installed on your system.

Error - 1/20/2012 10:05:23 PM | Computer Name = RON-82C6EAEB99E | Source = SideBySide | ID = 16842811
Description = Resolve Partial Assembly failed for Microsoft.VC80.CRT. Reference error
message: The referenced assembly is not installed on your system. .

Error - 1/20/2012 10:05:23 PM | Computer Name = RON-82C6EAEB99E | Source = SideBySide | ID = 16842811
Description = Generate Activation Context failed for C:\Program Files\Mozilla Firefox\components\browsercomps.dll.
Reference
error message: The operation completed successfully. .

Error - 1/20/2012 10:41:15 PM | Computer Name = RON-82C6EAEB99E | Source = SideBySide | ID = 16842784
Description = Dependent Assembly Microsoft.VC80.CRT could not be found and Last
Error was The referenced assembly is not installed on your system.

Error - 1/20/2012 10:41:15 PM | Computer Name = RON-82C6EAEB99E | Source = SideBySide | ID = 16842811
Description = Resolve Partial Assembly failed for Microsoft.VC80.CRT. Reference error
message: The referenced assembly is not installed on your system. .

Error - 1/20/2012 10:41:15 PM | Computer Name = RON-82C6EAEB99E | Source = SideBySide | ID = 16842811
Description = Generate Activation Context failed for C:\Program Files\Mozilla Firefox\components\browsercomps.dll.
Reference
error message: The operation completed successfully. .


< End of report >
  • 0
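The OTL Extras log above already holds the evidence the helper reads off it in the next reply: Security Center warnings silenced, the XP firewall switched off, and dozens of executables in the user's Temp folder authorised through that firewall. The Python below is an added example, not part of the original post and not OTL code, showing how a responder can pull those indicators out of such a log mechanically. Its section parser, flag rules and the constructed excerpt it runs on are the editor's own; the hijacked `exefile` line in the second sample is constructed to show the kind of association damage the FixNCR.reg step in the reply repairs.

```python
"""Added triage checks over an OTL 'Extras' log (editor's example, not OTL code).
Flags the weakened-security indicators visible in the log posted above."""
import re

SECTION_RE = re.compile(r"^========== (.+?) ==========$", re.M)
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)" = (?P<val>\S+)$')
AUTH_RE = re.compile(r'^"(?P<path>[^"]+)" = (?P<rule>.*?)(?: -- \((?P<company>[^)]*)\))?$')
SPAWN_RE = re.compile(r"^(?P<cls>\w+) \[(?P<verb>\w+)\] -- (?P<cmd>.*)$")

# Security Center values that, when 1, silence or override the "no antivirus /
# no firewall / no updates" warnings. FirstRunDisabled is normal and not listed.
SECURITY_CENTER_OVERRIDES = {
    "AntiVirusDisableNotify", "FirewallDisableNotify", "UpdatesDisableNotify",
    "AntiVirusOverride", "FirewallOverride", "UacDisableNotify",
}
# Default shell\open\command for executable file classes on Windows XP.
EXPECTED_SPAWN = {c: '"%1" %*' for c in ("batfile", "cmdfile", "comfile", "exefile", "piffile")}


def split_sections(text):
    """Map each '========== Title ==========' header to its non-blank body lines."""
    parts = SECTION_RE.split(text)  # [preamble, title1, body1, title2, body2, ...]
    return {parts[i]: [ln.strip() for ln in parts[i + 1].splitlines() if ln.strip()]
            for i in range(1, len(parts), 2)}


def triage(text):
    """Return the findings a responder would want from an OTL Extras log."""
    sec = split_sections(text)
    out = {"security_center": [], "firewall": [], "authorized_apps": [], "shell_spawning": []}

    for ln in sec.get("Security Center Settings", []):
        m = VALUE_RE.match(ln)
        if m and m["name"] in SECURITY_CENTER_OVERRIDES and m["val"] == "1":
            out["security_center"].append(m["name"])

    for ln in sec.get("Firewall Settings", []):
        m = VALUE_RE.match(ln)
        if m and m["name"] == "EnableFirewall" and m["val"] == "0":
            out["firewall"].append("EnableFirewall = 0 (Windows Firewall switched off)")

    for ln in sec.get("Authorized Applications List", []):
        m = AUTH_RE.match(ln)
        if not m or ":Enabled:" not in m["rule"]:
            continue
        low, reasons = m["path"].lower(), []
        if "\\temp\\" in low or "\\locals~1\\" in low:
            reasons.append("runs from a Temp directory")
        if re.fullmatch(r"[a-z]:\\[^\\]+", low):
            reasons.append("sits in a drive root")
        if low.endswith(".pif"):
            reasons.append("uses a .pif extension")
        if not m["company"]:
            reasons.append("no company name in the binary")
        if reasons:
            out["authorized_apps"].append((m["path"], reasons))

    for ln in sec.get("Shell Spawning", []):
        m = SPAWN_RE.match(ln)
        if m and m["verb"] == "open" and m["cls"] in EXPECTED_SPAWN and m["cmd"] != EXPECTED_SPAWN[m["cls"]]:
            out["shell_spawning"].append((m["cls"], m["cmd"]))
    return out


# Constructed excerpt in the format of the posted OTL Extras log (not the full log).
SAMPLE_LOG = r"""
========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
exefile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 1
"FirewallDisableNotify" = 1
"AntiVirusOverride" = 1

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DisableNotifications" = 1

========== Authorized Applications List ==========

"E:\orat.pif" = E:\orat.pif:*:Enabled:ipsec -- ()
"C:\WINDOWS\Explorer.EXE" = C:\WINDOWS\explorer.exe:*:Enabled:ipsec -- (Microsoft Corporation)
"C:\DOCUME~1\Ron\LOCALS~1\Temp\winhivch.exe" = C:\DOCUME~1\Ron\LOCALS~1\Temp\winhivch.exe:*:Enabled:ipsec
"C:\uthh.exe" = C:\uthh.exe:*:Enabled:ipsec -- ()
"C:\Program Files\Mozilla Firefox\firefox.exe" = C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:ipsec -- (Mozilla Corporation)
"""

# Constructed example of a hijacked exefile association (not from the posted log):
# a third-party binary interposed in front of every .exe launch.
HIJACKED_SAMPLE = r"""========== Shell Spawning ==========
exefile [open] -- "C:\DOCUME~1\Ron\LOCALS~1\Temp\launcher.exe" "%1" %*
"""

if __name__ == "__main__":
    for key, items in triage(SAMPLE_LOG).items():
        print(key, items)
    print("hijacked:", triage(HIJACKED_SAMPLE)["shell_spawning"])
```

The authorised-application rules are deliberately coarse (Temp directory, drive root, `.pif`, missing company name); on the posted log they would flag every one of the random-named Temp executables and `C:\uthh.exe` while leaving Explorer, Firefox and the HP utility alone, which is exactly the split a responder wants before deciding what to remove.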



#2 Jintan (Trusted Helper, Malware Removal, 904 posts)
Welcome to GeeksToGo Ronxxx,

Pretty badly infected system. Let's do some changes, then get a more detailed look before starting some repairs.

To make sure you have an accurate view of files there, make sure you can View Hidden Files. Also uncheck "Hide Extensions for Known File Types".



To keep them from interfering with the repairs, be sure to temporarily disable all antivirus/anti-spyware software while these steps are being completed. This can usually be done through right-clicking the software's Taskbar icons, or accessing each software through Start - Programs. Here are some antivirus disable tips if needed.

-------

Right off see if you can access Safe Mode, where the malware is less active. At startup tap the F8 key about once per half-second, then select Safe Mode with Networking from the menu that will appear.


Click here and download FixNCR.reg, then double-click that and allow it to Merge with your registry.

--------

Go here and download Dial-a-fix-v0.60.0.24.zip (scroll down to the "green" box), then unzip that to the desktop. In the Dial-a-fix folder locate and click on Dial-a-fix.exe to open the tool display.

Once the display opens another Restrictive Policies display should open. Click the Remove button, then close Dial-a-Fix.

Note - Dial-a-Fix was never updated for the later versions of Internet Explorer (iexplore.exe). If it indicates it cannot identify that, just OK the warning. It will still run correctly. That should allow Task Manager access etc.

----------

Click here and download the installer for Gmer to your desktop, then click that file to run Gmer.


Once the opening scan finishes, click on Scan (again, before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan).

When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste. Copy the information and post it here please.

Note - If Gmer shows it has located infection once its opening scan completes, do not click the Scan button. We don't want hidden malware settings to cause any problems. Instead, just click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste. Copy the information and post it here please.

-----------

Download aswMBR ( 511KB ) to your desktop.
  • Double-click the aswMBR.exe icon to run it
  • If you can, have an open Internet connection and allow it to download the latest Avast engine detections.
  • If avast! antivirus is already installed, just do the next step.
  • Click the Scan button to start the scan
  • On completion of the scan, click the Save log button, save it to your desktop and post it in your next reply.

  • 0

#3 Ronxxx (Topic Starter, New Member, 6 posts)
Hi, sorry for the late reply.

I tried Safe Mode with Networking; it's not working.. When it proceeds to Safe Mode with Networking I'm getting a blue screen, then it restarts on its own
..
I forgot to post this, but when I ran Malwarebytes
I got the salty virus .. and disable.taskmanager, disableregedit.

Sorry if my post was incomplete .. and another bit of info: when I try to download any antivirus software it would just go to 96 percent of the download, then it freezes there.
  • 0

#4 Jintan (Trusted Helper, Malware Removal, 904 posts)
Just noticed Service Pack 2, which has been replaced by SP3 for years now. Why hasn't this system been upgraded? Unless you just uninstalled SP3 as part of your attempt at repairs, the security holes due to no SP3 would indicate the malware may have compromised many sensitive system functions, and truly have the upper hand there.


Dial-a-fix should allow things like Task Manager access. Did you run that?

Don't try to download/install any antivirus programs at this point. Even if allowed to install they will be corrupted by the active malware. But I still need to see the scan logs I requested, if you can.
  • 0

#5 Ronxxx (Topic Starter, New Member, 6 posts)
I've downloaded Dial-a-fix; Task Manager was able to run for like 5 seconds, then it was disabled again.
FixNCR.reg is not working, saying "registry editing is disabled by your administrator".

Ran GMER:

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-01-29 08:29:25
Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4 FUJITSU_MHV2100AT_PL rev.008300A1
Running: 1bqp1ogp.exe; Driver: C:\DOCUME~1\Ron\LOCALS~1\Temp\pwedakod.sys


---- Kernel code sections - GMER 1.0.15 ----

init C:\WINDOWS\system32\drivers\senfilt.sys entry point in "init" section [0xF6E6F900]
? C:\WINDOWS\system32\drivers\homljn.sys The system cannot find the file specified. !

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected] 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected] 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected] yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected]
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected] 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected] 10000

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\Ron\Cookies\[email protected][2].txt 93 bytes

---- EOF - GMER 1.0.15 ----


Ran aswMBR:

aswMBR version 0.9.9.1532 Copyright© 2011 AVAST Software
Run date: 2012-01-29 08:32:14
-----------------------------
08:32:14.296 OS Version: Windows 5.1.2600 Service Pack 2
08:32:14.296 Number of processors: 1 586 0xD08
08:32:14.296 ComputerName: RON-82C6EAEB99E UserName: Ron
08:32:16.937 Initialize success
08:49:37.453 AVAST engine defs: 12012801
08:49:45.968 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4
08:49:45.968 Disk 0 Vendor: FUJITSU_MHV2100AT_PL 008300A1 Size: 95396MB BusType: 3
08:49:46.000 Disk 0 MBR read successfully
08:49:46.000 Disk 0 MBR scan
08:49:46.156 Disk 0 Windows XP default MBR code
08:49:46.156 Disk 0 Partition - 00 0F Extended LBA 88459 MB offset 16065
08:49:46.187 Disk 0 Partition 1 80 (A) 0C FAT32 LBA RECOVERY 5898 MB offset 181181070
08:49:46.187 Disk 0 Partition 2 00 17 Hidd HPFS/NTFS NTFS 1030 MB offset 193261950
08:49:46.203 Disk 0 Partition 2 **INFECTED** MBR:Alureon-K [Rtk]
08:49:46.234 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 88459 MB offset 16128
08:49:46.250 Disk 0 scanning sectors +195371552
08:49:46.375 Disk 0 scanning C:\WINDOWS\system32\drivers
08:50:16.218 Service scanning
08:50:19.781 Modules scanning
08:50:51.640 Disk 0 trace - called modules:
08:50:51.703 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys intelide.sys
08:50:51.703 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8657cab8]
08:50:51.718 3 CLASSPNP.SYS[f761d05b] -> nt!IofCallDriver -> \Device\00000076[0x865889e8]
08:50:51.718 5 ACPI.sys[f7493620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-4[0x86588d98]
08:50:55.421 AVAST engine scan C:\WINDOWS
08:51:11.140 AVAST engine scan C:\WINDOWS\system32
08:51:44.468 File: C:\WINDOWS\system32\CleanUp.exe **INFECTED** Win32:Kukacka
08:54:19.781 File: C:\WINDOWS\system32\DSndUp.exe **INFECTED** Win32:Kukacka
08:54:57.468 File: C:\WINDOWS\system32\hkcmd.exe **INFECTED** Win32:Kukacka
08:55:33.671 File: C:\WINDOWS\system32\igfxtray.exe **INFECTED** Win32:Kukacka
09:03:25.484 AVAST engine scan C:\WINDOWS\system32\drivers
09:04:32.203 AVAST engine scan C:\Documents and Settings\Ron
09:06:11.296 File: C:\Documents and Settings\Ron\Desktop\OTL.exe **INFECTED** Win32:Kukacka
09:06:43.609 File: C:\Documents and Settings\Ron\Local Settings\Temp\ICReinstall\cnet2_Palringo-Desktop_v2_6_5_exe.exe **INFECTED** Win32:Sality
09:06:50.906 File: C:\Documents and Settings\Ron\Local Settings\Temp\nsq7.tmp\ymsgr_suite_setup.exe **INFECTED** Win32:Kukacka
09:06:57.875 File: C:\Documents and Settings\Ron\Local Settings\Temp\nsr9.tmp\flash_inst.exe **INFECTED** Win32:Kukacka
09:07:10.562 File: C:\Documents and Settings\Ron\Local Settings\Temp\nsr9.tmp\ysp_inst.exe **INFECTED** Win32:Kukacka
09:07:16.828 File: C:\Documents and Settings\Ron\Local Settings\Temp\nsr9.tmp\ytb_inst.exe **INFECTED** Win32:Kukacka
09:07:20.984 File: C:\Documents and Settings\Ron\Local Settings\Temp\Rar$EXa0.997\Dial-a-fix-v0.60.0.24\Dial-a-fix.exe **INFECTED** Win32:Sality
09:07:45.296 File: C:\Documents and Settings\Ron\Local Settings\Temp\winyahddf.exe **INFECTED** Win32:Malware-gen
09:10:05.250 File: C:\Documents and Settings\Ron\My Documents\Downloads\cnet2_Palringo-Desktop_v2_6_5_exe.exe **INFECTED** Win32:Sality
09:10:09.421 File: C:\Documents and Settings\Ron\My Documents\Downloads\msgr11us.exe **INFECTED** Win32:Sality
09:10:18.281 File: C:\Documents and Settings\Ron\My Documents\Downloads\wrar41b5.exe **INFECTED** Win32:Kukacka
09:11:32.750 AVAST engine scan C:\Documents and Settings\All Users
09:11:39.906 File: C:\Documents and Settings\All Users\Application Data\Yahoo!\YUpdater\yupdater.exe **INFECTED** Win32:Kukacka
09:11:55.078 Scan finished successfully
09:12:55.750 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Ron\Desktop\MBR.dat"
09:12:55.750 The log file has been saved successfully to "C:\Documents and Settings\Ron\Desktop\aswMBR.txt"

I will wait for your reply..
Thanks so much.
By the way, my sister just gave this laptop to me,
and my friend worked with it,
and he only installed Service Pack 2, and I haven't updated it yet.
  • 0
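The aswMBR log above is what the helper's next reply calls a double-whammy: a sector-level finding on a hidden partition, plus a file-level detection that has already hit the removal tools themselves (OTL.exe and Dial-a-fix.exe). The Python below is an added example of that triage, not part of the post and not aswMBR code; its line patterns and the list of tool names (taken from the tools named in this thread) are the editor's own, and it runs on a constructed excerpt of the posted log.

```python
"""Added triage of an aswMBR scan log (editor's example, not aswMBR code).
Separates sector-level (bootkit) findings from file-level ones and lists which
removal tools on disk were themselves flagged."""
import re
from collections import defaultdict

PART_RE = re.compile(
    r"^[\d:.]+ Disk (?P<disk>\d+) Partition (?P<idx>\S+) (?P<boot>[0-9A-F]{2})(?: \(A\))? "
    r"(?P<type>[0-9A-F]{2}) (?P<desc>.+?) (?P<size>\d+) MB offset (?P<offset>\d+)$")
SECTOR_RE = re.compile(r"^[\d:.]+ Disk (?P<disk>\d+) Partition (?P<idx>\S+) \*\*INFECTED\*\* (?P<name>\S+)")
FILE_RE = re.compile(r"^[\d:.]+ File: (?P<path>.+?) \*\*INFECTED\*\* (?P<name>\S+)$")
MBR_RE = re.compile(r"^[\d:.]+ Disk (?P<disk>\d+) (?P<code>.+ MBR code)$")

HIDDEN_TYPES = {0x11, 0x14, 0x16, 0x17, 0x1B, 0x1C}  # "hidden" FAT12/16/32 and NTFS partition type ids
# Removal tools named in this thread; a hit on one of these means the file infector
# has already patched the very tool the user is trying to clean with.
TOOL_NAMES = {"otl.exe", "dial-a-fix.exe", "aswmbr.exe", "hijackthis.exe", "combofix.exe"}


def triage(text):
    """Structure an aswMBR log into MBR status, partition table, and detections."""
    out = {"mbr_code": {}, "partitions": [], "hidden_partitions": [],
           "sector_detections": [], "file_detections": defaultdict(list), "tools_hit": []}
    for ln in text.splitlines():
        ln = ln.strip()
        if m := MBR_RE.match(ln):
            out["mbr_code"][m["disk"]] = m["code"]          # e.g. "Windows XP default MBR code"
        elif m := PART_RE.match(ln):
            p = {"idx": m["idx"], "type": int(m["type"], 16), "boot": m["boot"] == "80",
                 "desc": m["desc"], "size_mb": int(m["size"]), "offset": int(m["offset"])}
            out["partitions"].append(p)
            if p["type"] in HIDDEN_TYPES or "Hidd" in p["desc"]:
                out["hidden_partitions"].append(p["idx"])
        elif m := SECTOR_RE.match(ln):
            out["sector_detections"].append((m["idx"], m["name"]))   # bootkit-class finding
        elif m := FILE_RE.match(ln):
            out["file_detections"][m["name"]].append(m["path"])
            if m["path"].rsplit("\\", 1)[-1].lower() in TOOL_NAMES:
                out["tools_hit"].append(m["path"])
    out["file_detections"] = dict(out["file_detections"])
    return out


# Constructed excerpt of the posted aswMBR log (a subset of its lines, unchanged).
SAMPLE_ASWMBR = r"""
08:49:46.000 Disk 0 MBR read successfully
08:49:46.156 Disk 0 Windows XP default MBR code
08:49:46.156 Disk 0 Partition - 00 0F Extended LBA 88459 MB offset 16065
08:49:46.187 Disk 0 Partition 1 80 (A) 0C FAT32 LBA RECOVERY 5898 MB offset 181181070
08:49:46.187 Disk 0 Partition 2 00 17 Hidd HPFS/NTFS NTFS 1030 MB offset 193261950
08:49:46.203 Disk 0 Partition 2 **INFECTED** MBR:Alureon-K [Rtk]
08:49:46.234 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 88459 MB offset 16128
08:51:44.468 File: C:\WINDOWS\system32\CleanUp.exe **INFECTED** Win32:Kukacka
08:55:33.671 File: C:\WINDOWS\system32\igfxtray.exe **INFECTED** Win32:Kukacka
09:06:11.296 File: C:\Documents and Settings\Ron\Desktop\OTL.exe **INFECTED** Win32:Kukacka
09:07:20.984 File: C:\Documents and Settings\Ron\Local Settings\Temp\Rar$EXa0.997\Dial-a-fix-v0.60.0.24\Dial-a-fix.exe **INFECTED** Win32:Sality
09:10:09.421 File: C:\Documents and Settings\Ron\My Documents\Downloads\msgr11us.exe **INFECTED** Win32:Sality
09:11:55.078 Scan finished successfully
"""

if __name__ == "__main__":
    r = triage(SAMPLE_ASWMBR)
    print("MBR code:", r["mbr_code"])
    print("hidden partitions:", r["hidden_partitions"], "sector detections:", r["sector_detections"])
    for name, paths in r["file_detections"].items():
        print(f"{name}: {len(paths)} file(s)")
    print("removal tools flagged:", r["tools_hit"])
```

The point of separating the two classes is operational: a `MBR:` hit on a hidden partition is something the Fix button or a dedicated bootkit tool addresses at the sector level, whereas `tools_hit` being non-empty means any tool copied onto the disk after infection cannot be trusted to run cleanly, which is why the reply advises against installing more software until the logs are reviewed.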

#6 Jintan (Trusted Helper, Malware Removal, 904 posts)
Kind of a double-whammy showing here. A bootkit infection, so well hidden, and can recreate its malware activities (like disabling Task Manager), and a file infector, loading its code into any processes that run there. That presents really the tougher part of the two, since it can elude deletion and interfere with removal functions. After a run of aswMBR, does it show the Fix button as highlighted?
  • 0

#7 Ronxxx (Topic Starter, New Member, 6 posts)
Nope, it's not highlighted. I waited for it but it just said scan finished..
The only highlighted button there is the FixMBR button.
  • 0

#8 Jintan (Trusted Helper, Malware Removal, 904 posts)
Go here and download and run the Bitdefender Bootkit Removal Tool. Follow all prompts, and allow it to clean anything it finds.

Then go here and download, install and run Kaspersky Virus Removal Tool. Again follow all prompts, and allow it to clean anything it finds.

As I just mentioned in a different thread, I haven't had a chance to run these on an infected system, so you will have to play it by ear there (or eyes, more realistically). If either indicates they have made changes, reboot after they are run.

---------

Then download ComboFix.exe from here to your desktop, then click that to run that scan. Agree to any warnings you might receive.

Be sure to install the Recovery Console if you are asked to do so. When the scan completes, a text window with your log will open. Please copy and paste that log back here.

A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

Allow the scan to run. When completed a text window will appear - please copy/paste the contents back here. This log can also be found at C:\ComboFix.txt.

Run and post a new aswMBR scan log as well please.
  • 0

#9 Ronxxx (Topic Starter, New Member, 6 posts)
I ran the Bitdefender rootkit removal.
It found 1 infection, then asked for a reboot.
Then when I rebooted, my laptop won't boot anymore.
All I can do is hit F12 for the settings, and then after that
I just have the black screen and a blinking cursor... F8 won't work and booting to the hard disk is not working.
Now the laptop isn't usable anymore ..
  • 0

#10 Ronxxx (Topic Starter, New Member, 6 posts)
Hey, I ended up reformatting my system and installed Windows XP SP3 ..
Well, I really need to use the laptop.
But thanks for helping me.. I have another laptop but I'm thinking I'll just get a fresh start with it as well.
Well, if you guys are allowed to recommend any security software for my laptop that would be great,
but if not, that's okay ^_^
  • 0

#11 Jintan (Trusted Helper, Malware Removal, 904 posts)
Shoot - that surely wasn't part of any plan. So you know for future reference, even issues like what just occurred there are correctable, if you had chosen to save the install. But reformat/reinstall is one sure solution to removing whatever the malware corrupted.

These links provide plenty of good security tips, and some free security software suggestions as well:

http://www.geekstogo...he-first-place/

http://www.geekstogo...safe-computing/
  • 0
