
Dell Windows XP; Computer 000Slow, neither MWBAW nor SBSND work proper


  • This topic is locked

#1
Aerostalgia

Aerostalgia

    Member

  • Member
  • PipPip
  • 13 posts

My brother came to my house a while ago asking me to fix his slow, old computer, which I didn't mind doing, but as the title says, neither of the programs I usually use work.

 

After running MWB, it'll hit scan, then it'll close, and won't run again unless I reinstall; and with Spybot, running it then hitting system scan says "The file you're trying to start has not been signed as authentic by Safer-Networking.ltd, are you sure you want to run it?", the download was directly from their main site.

I also attempted to run in safemode, but launching into safemode just causes a BSOD.

Help would be greatly appreciated


  • 0


#2
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
OK, let's try this programme

Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
  • Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
  • Select additions at the bottom
  • Press Scan button.
    frst.JPG
  • It will produce a log called FRST.txt in the same directory the tool is run from.
  • Please attach both logs generated.

  • 0

#3
Aerostalgia

Aerostalgia

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts

Attached File: FRST.txt (31KB, 84 downloads)

Thanks EssexBoy for the quick response.
The program only ran for a few seconds before it closed (like what happened with all the other apps I tried), it did make a .txt file though.

If it's important, running it again causes it to say "Windows cannot access the specified device path or file, you may not have the appropriate permissions to access this file.", and trying to move it gives me an access denied error.
 


  • 0

#4
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
OK, looking at this we will need to approach it a different way: the system is severely infected and I will need to work outside of Windows initially, as I cannot see the drivers I need to delete.

Create the USB stick on a different computer



Download Peazip to the desktop
Run and install the programme

Download the following files to the desktop .. Right click the links and select save as...then select desktop

Rufus

OTLPE_standard

Right click OTLPE on your desktop and select ..Open as archive

Unzup%20archive.png


Select OTLPE standard

select%20archive.PNG

Click Extract, ensure that desktop is selected

extract%20archive.PNG

Insert the USB stick, then run Rufus
rufus.JPG
Select the ISO file on the desktop via the ISO icon.

Press Start Burn
RufusISO.JPG

Once the USB has burnt then
  • Download Farbar Recovery Scan Tool and save it to the flash drive.
    • Reboot your system using the boot USB you just created.
      Note : If you do not know how to set your computer to boot from USB follow the steps here
    • As the Programme needs to detect your hardware and load the operating system, I would recommend a nice cup of tea whilst it loads :)
    • Your system should now display a Reatogo desktop.
    • Locate the flash drive and run FRST
    • The tool will start to run.
      FRST2.gif
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

  • 0

#5
Aerostalgia

Aerostalgia

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts

The Peazip link leads to a 404 file or directory not found, is it fine to get the 6.0 version?


 
  • 0

#6
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts

Yes, thanks for the heads up, I will replace the link.


  • 0

#7
Aerostalgia

Aerostalgia

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts

After the Reatogo finishes loading, it shows the Windows XP logo, a few seconds after though the screen shows a BSOD  "0x000007b"


  • 0

#8
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
OK, let's try this way. You may get a lot of errors when you boot after this, but ignore them.

Reboot to normal Windows


CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:
 

CreateRestorePoint:
() C:\WINDOWS\svcho.exe
() C:\DOCUME~1\User\LOCALS~1\Temp\e.exe
() C:\DOCUME~1\User\LOCALS~1\Temp\_A00F1E6FF.exe
HKLM\...\Run: [Nrejidefayoq] => rundll32.exe "C:\WINDOWS\iwowuvubomure.dll",e
HKLM\...\Run: [qoqavedsucue] => C:\WINDOWS\System32\regsvr32.exe /s "C:\WINDOWS\system32\jlmjvkexubwmndts.dll"
HKLM\...\Run: [lsdefrag] => C:\DOCUME~1\User\LOCALS~1\Temp\statx.tmp <===== ATTENTION
HKLM\...\Run: [61208421] => C:\DOCUME~1\ALLUSE~1\APPLIC~1\61208421\61208421.exe
HKLM\...\Run: [net] => C:\WINDOWS\system32\net.net [37376 2009-10-24] (Privat)
HKLM\...\Run: [dutuzisab] => Rundll32.exe "c:\windows\system32\wazuhope.dll",a
Winlogon\Notify\20190562517: C:\WINDOWS\System32\dssenh32.dll [2009-02-01] ()
Winlogon\Notify\SDWinLogon: SDWinLogon.dll [X]
Winlogon\Notify\__c00EDA4F: C:\WINDOWS\system32\__c00EDA4F.dat [X]
Winlogon\Notify\__c00F4C32: C:\WINDOWS\system32\__c00F4C32.dat [2009-10-24] ()
HKU\S-1-5-21-500823600-1963862842-10735164-1005\...\Run: [A00F1E6FF.exe] => C:\Documents and Settings\User\Local Settings\Temp\_A00F1E6FF.exe [45568 2009-02-05] () <===== ATTENTION
HKU\S-1-5-21-500823600-1963862842-10735164-1005\...\Run: [A00F529D8D2.exe] => C:\DOCUME~1\User\LOCALS~1\Temp\_A00F529D8D2.exe <===== ATTENTION
HKU\S-1-5-21-500823600-1963862842-10735164-1005\...\Run: [A00F29CC3.exe] => C:\DOCUME~1\User\LOCALS~1\Temp\_A00F29CC3.exe <===== ATTENTION
HKU\S-1-5-21-500823600-1963862842-10735164-1005\...\Run: [A00F3678243.exe] => C:\DOCUME~1\User\LOCALS~1\Temp\_A00F3678243.exe <===== ATTENTION
HKU\S-1-5-21-500823600-1963862842-10735164-1005\...\Run: [A00F611876E.exe] => C:\DOCUME~1\User\LOCALS~1\Temp\_A00F611876E.exe <===== ATTENTION
HKU\S-1-5-21-500823600-1963862842-10735164-1005\...\Run: [A00FF21B530.exe] => C:\DOCUME~1\User\LOCALS~1\Temp\_A00FF21B530.exe <===== ATTENTION
HKU\S-1-5-21-500823600-1963862842-10735164-1005\...\Run: [A00F20CC7.exe] => C:\DOCUME~1\User\LOCALS~1\Temp\_A00F20CC7.exe <===== ATTENTION
HKU\S-1-5-21-500823600-1963862842-10735164-1005\...\Run: [A00F21BDB.exe] => C:\DOCUME~1\User\LOCALS~1\Temp\_A00F21BDB.exe <===== ATTENTION
HKU\S-1-5-21-500823600-1963862842-10735164-1005\...\Run: [A00F5EA584D.exe] => C:\DOCUME~1\User\LOCALS~1\Temp\_A00F5EA584D.exe <===== ATTENTION
HKU\S-1-5-21-500823600-1963862842-10735164-1005\...\Run: [A00F6B3E048.exe] => C:\DOCUME~1\User\LOCALS~1\Temp\_A00F6B3E048.exe <===== ATTENTION
HKU\S-1-5-21-500823600-1963862842-10735164-1005\...\Run: [A00FFE794A5.exe] => C:\DOCUME~1\User\LOCALS~1\Temp\_A00FFE794A5.exe <===== ATTENTION
HKU\S-1-5-21-500823600-1963862842-10735164-1005\...\Run: [A00F33058.exe] => C:\DOCUME~1\User\LOCALS~1\Temp\_A00F33058.exe <===== ATTENTION
HKU\S-1-5-21-500823600-1963862842-10735164-1005\...\Run: [A00FAD166C.exe] => C:\DOCUME~1\User\LOCALS~1\Temp\_A00FAD166C.exe <===== ATTENTION
HKU\S-1-5-21-500823600-1963862842-10735164-1005\...\Run: [A00F30EBC10.exe] => C:\DOCUME~1\User\LOCALS~1\Temp\_A00F30EBC10.exe <===== ATTENTION
HKU\S-1-5-21-500823600-1963862842-10735164-1005\...\Run: [A00FCF615B0.exe] => C:\DOCUME~1\User\LOCALS~1\Temp\_A00FCF615B0.exe <===== ATTENTION
HKU\S-1-5-21-500823600-1963862842-10735164-1005\...\Run: [A00F467DE.exe] => C:\DOCUME~1\User\LOCALS~1\Temp\_A00F467DE.exe <===== ATTENTION
HKU\S-1-5-21-500823600-1963862842-10735164-1005\...\Run: [A00F59C30DB.exe] => C:\DOCUME~1\User\LOCALS~1\Temp\_A00F59C30DB.exe <===== ATTENTION
HKU\S-1-5-21-500823600-1963862842-10735164-1005\...\Run: [A00F267815.exe] => C:\DOCUME~1\User\LOCALS~1\Temp\_A00F267815.exe <===== ATTENTION
HKU\S-1-5-21-500823600-1963862842-10735164-1005\...\Run: [A00F70A664E.exe] => C:\DOCUME~1\User\LOCALS~1\Temp\_A00F70A664E.exe <===== ATTENTION
HKU\S-1-5-21-500823600-1963862842-10735164-1005\...\Run: [A00F6546C.exe] => C:\DOCUME~1\User\LOCALS~1\Temp\_A00F6546C.exe <===== ATTENTION
HKU\S-1-5-21-500823600-1963862842-10735164-1005\...\Run: [A00F62A9D7D.exe] => C:\DOCUME~1\User\LOCALS~1\Temp\_A00F62A9D7D.exe <===== ATTENTION
HKU\S-1-5-21-500823600-1963862842-10735164-1005\...\Run: [system tool] => C:\WINDOWS\sysguard.exe [364560 2009-03-05] ()
HKU\S-1-5-21-500823600-1963862842-10735164-1005\...\Run: [A00F3BFC7.exe] => C:\DOCUME~1\User\LOCALS~1\Temp\_A00F3BFC7.exe <===== ATTENTION
HKU\S-1-5-21-500823600-1963862842-10735164-1005\...\Run: [A00F28D80.exe] => C:\DOCUME~1\User\LOCALS~1\Temp\_A00F28D80.exe <===== ATTENTION
HKU\S-1-5-21-500823600-1963862842-10735164-1005\...\Run: [PopRock] => C:\Documents and Settings\User\Local Settings\Temp\e.exe [152576 2009-10-24] () <===== ATTENTION
HKU\S-1-5-18\...\Run: [wow64main.exe] => C:\WINDOWS\TEMP\wow64main.exe <===== ATTENTION
AppInit_DLLs: C:\WINDOWS\System32\dssenh32.dll => C:\WINDOWS\System32\dssenh32.dll [135168 2009-02-01] ()
AppInit_DLLs: C:\WINDOWS\System32\dx8vb32.dll => C:\WINDOWS\System32\dx8vb32.dll [135168 2009-02-01] ()
AppInit_DLLs: C:\WINDOWS\System32\dssenh32.dll => C:\WINDOWS\System32\dssenh32.dll [135168 2009-02-01] ()
AppInit_DLLs: C:\WINDOWS\System32\dssenh32.dll => C:\WINDOWS\System32\dssenh32.dll [135168 2009-02-01] ()
AppInit_DLLs: C:\WINDOWS\System32\dssenh32.dll => C:\WINDOWS\System32\dssenh32.dll [135168 2009-02-01] ()
AppInit_DLLs: c:\windows\system32\wazuhope.dll => c:\windows\system32\wazuhope.dll [89088 2009-07-24] ()
AppInit_DLLs: C:\WINDOWS\System32\dssenh32.dll => C:\WINDOWS\System32\dssenh32.dll [135168 2009-02-01] ()
AppInit_DLLs: c:\windows\system32\sibofuda.dll => c:\windows\system32\sibofuda.dll [90112 2009-07-24] ()
AppInit_DLLs: ,C:\WINDOWS\System32\dssenh32.dll => C:\WINDOWS\System32\dssenh32.dll [135168 2009-02-01] ()
AppInit_DLLs: ,leyoyoji.dll => C:\WINDOWS\system32\leyoyoji.dll [52224 2009-07-24] ()
Lsa: [Notification Packages] scecli jmp32g.dll wojajugi.dll
SSODL: gevowedam - {63365df1-c369-4706-9306-02d0246e257d} - c:\windows\system32\sibofuda.dll ()
SSODL: sigiwosiz - {9205b1d0-62cd-4d46-a5d1-f6306e7c93c3} - c:\windows\system32\sibofuda.dll ()
SSODL: pefamulir - {7997c9c8-269f-4afb-affa-94e1481376ff} - c:\windows\system32\sibofuda.dll ()
SSODL: babumujeg - {c8ff3df5-e2bc-4989-ae32-e6f7b73b1037} - c:\windows\system32\wazuhope.dll ()
BHO: mysidesearch search enhancer -> {F1D79B94-03E2-863F-B0D2-84F9126676BA} -> C:\WINDOWS\system32\mcoqkzujlic.dll [2009-09-09] ()
FF DefaultSearchEngine: Yoog Search
FF DefaultSearchUrl: hxxp://www15.yoog.com/search.php?q=
FF SelectedSearchEngine: Yoog Search
FF Keyword.URL: hxxp://www15.yoog.com/search.php?q=
FF user.js: detected! => C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\mq3tdcno.default\user.js [2009-10-31]
C:\WINDOWS\System32\dssenh32.dll
C:\WINDOWS\System32\dx8vb32.dll
C:\WINDOWS\System32\dssenh32.dll
C:\WINDOWS\System32\dssenh32.dll
C:\WINDOWS\System32\dssenh32.dll
c:\windows\system32\wazuhope.dll
C:\WINDOWS\System32\dssenh32.dll
c:\windows\system32\sibofuda.dll
C:\WINDOWS\System32\dssenh32.dll
C:\WINDOWS\system32\leyoyoji.dll
C:\WINDOWS\svcho.exe
c:\windows\system32\wazuhope.dll
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
EmptyTemp:


Save this as fixlist.txt, in the same location as FRST.exe
FRSTfix.JPG
Run FRST and press Fix
On completion a log will be generated, please post that

THEN

Please try a fresh FRST scan
  • 0
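
Added example (not part of the thread and not FRST's own code): a Python triage pass over lines shaped like the fixlist in post #8, grouping them by autostart location and listing files that are registered in more than one location or launched from a Temp directory. The category names, the extension list and the `triage` function are assumptions made for this example; the sample lines are copied from the fixlist above.

```python
import re
from collections import Counter, defaultdict

# Sample input: lines copied from the fixlist in post #8.
SAMPLE = r'''
HKLM\...\Run: [lsdefrag] => C:\DOCUME~1\User\LOCALS~1\Temp\statx.tmp <===== ATTENTION
HKLM\...\Run: [dutuzisab] => Rundll32.exe "c:\windows\system32\wazuhope.dll",a
Winlogon\Notify\__c00F4C32: C:\WINDOWS\system32\__c00F4C32.dat [2009-10-24] ()
HKU\S-1-5-18\...\Run: [wow64main.exe] => C:\WINDOWS\TEMP\wow64main.exe <===== ATTENTION
AppInit_DLLs: C:\WINDOWS\System32\dssenh32.dll => C:\WINDOWS\System32\dssenh32.dll [135168 2009-02-01] ()
AppInit_DLLs: c:\windows\system32\wazuhope.dll => c:\windows\system32\wazuhope.dll [89088 2009-07-24] ()
SSODL: babumujeg - {c8ff3df5-e2bc-4989-ae32-e6f7b73b1037} - c:\windows\system32\wazuhope.dll ()
C:\WINDOWS\System32\dssenh32.dll
'''

# Category names are this example's own; prefixes are those seen in the fixlist.
CATEGORIES = [
    ("run_key", re.compile(r'^(HKLM|HKU\\[^\\]+)\\\.\.\.\\Run: ')),
    ("winlogon_notify", re.compile(r'^Winlogon\\Notify\\')),
    ("appinit_dll", re.compile(r'^AppInit_DLLs: ')),
    ("lsa_package", re.compile(r'^Lsa: ')),
    ("ssodl", re.compile(r'^SSODL: ')),
    ("bho", re.compile(r'^BHO: ')),
    ("file", re.compile(r'^[A-Za-z]:\\')),
]
# Drive-letter paths ending in the extensions that occur in the fixlist.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\[\]<>=]*?\.(?:exe|dll|dat|tmp|net)\b', re.I)

def triage(text):
    """Group fixlist lines by autostart location and cross-reference files."""
    counts = Counter()
    locations = defaultdict(set)  # file path -> autostart locations naming it
    temp_launch = []              # autostart entries starting a file under Temp
    for line in map(str.strip, text.splitlines()):
        cat = next((name for name, rx in CATEGORIES if rx.search(line)), None)
        if cat is None:
            continue
        counts[cat] += 1
        if cat == "file":         # bare path line, not an autostart entry
            continue
        paths = {p.lower() for p in PATH_RE.findall(line)}
        for p in paths:
            locations[p].add(cat)
        if any("\\temp\\" in p for p in paths):
            temp_launch.append(line)
    multi = {p: sorted(c) for p, c in locations.items() if len(c) > 1}
    return {"counts": dict(counts), "multi": multi, "temp_launch": temp_launch}

if __name__ == "__main__":
    report = triage(SAMPLE)
    print(report["counts"])
    for path, cats in report["multi"].items():
        print(path, "is registered under", ", ".join(cats))
    print(len(report["temp_launch"]), "autostart entries launch from Temp")
```

A file that shows up under several autostart locations has to be unhooked from every one of them, which is the cross-reference the `multi` result gives.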

#9
Aerostalgia

Aerostalgia

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts

The fix went fine, though just like last time with the scan, it closed abruptly.

Attached Files


  • 0

#10
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts

Nope, it failed to delete the files and the run keys were reinstated

When you download this programme rename it to internet.exe as that may enable it to run.

If it fails to run then go to plan B

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

NSIS_extraction.png

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.
    Notes:
    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

    3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.


    Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

    PLAN B

    Create an emergency repair USB drive:
    Download Dr Web Live USB to your desktop
    • Connect a USB flash drive to the computer. Registering the plugging in event takes no more than 10 seconds.
    • Launch drwebliveusb.exe.
    • The program will detect available USB-devices automatically and prompt you to choose the one you'd like to use as an emergency repair drive. You can format the device if you like (a warning will be displayed before you proceed with formatting). In order to read the License agreement, follow a corresponding link found in the program window (the page containing the license agreement text will be loaded in your default browser).
      liveusb_ru.jpg
    • To create a bootable USB flash drive, press the Create Dr.Web LiveUSB button.
    • Files will be copied automatically.
    • Once the copying process is completed, press the Exit button to close the application.
    • Reboot the infected computer with the USB in the drive
    • Ensure that the first boot device is USB - If you are not sure about that then see this page for instructions
    • As loading starts, a dialogue window will prompt you to choose between the standard and safe modes.

      Live%20boot%20screen.png
    • Use arrow keys to select DrWeb-LiveCD (Default)

      drwebselect.JPG
    • Press select objects for scanning

      drwebfolders.JPG
    • When the system is loaded, check the disks or folders you want to scan, and click on Start.
    • The programme will now scan for and cure/delete any malware that it finds. Allow it to do so
      drwebscan.JPG
    • When it has completed

      drwebscancomplete.JPG
    • Select Open Report and copy to the USB
    • Once completed reboot to normal windows, and attach the report here

  • 0


#11
Aerostalgia

Aerostalgia

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts

I didn't even realize this computer had an antivirus, it's AVG 7.5.519
I tried to access the control center of AVG but access was denied (Windows cannot access the specified device path or file, you may not have the appropriate permissions to access this file.), and the uninstall won't work:
(
Local machine: installation failed

    Initialization:
        Error: Checking of state of the item file avgcc.exe failed.
            File opening failed. %FILE% = "C:\Program Files\Grisoft\AVG7\avgcc.exe"
                Permission denied)
So I tried just ending the process in Task Manager, and clicked OK on the ComboFix prompt, but it showed another prompt saying
"Antivirus: 7.5.519
The above realtime scanners are still active but combofix shall continue to run kindly note that this is at your own risk"

Edited by Aerostalgia, 10 April 2016 - 01:24 PM.

  • 0

#12
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts

Yes, allow ComboFix to run


  • 0

#13
Aerostalgia

Aerostalgia

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts

I think it worked, it feels like webpages are loading faster now.

 

Attached Files


  • 0

#14
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts

Could you now run a fresh FRST scan please as there will be other files that combofix did not see that will need removing

 

FRST should now generate two logs


  • 0

#15
Aerostalgia

Aerostalgia

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts

Here you go

Attached Files


  • 0





