[neataznyam]

well I still can't get otl to work but I got into command promt when we went into repair system

[Advertisements]

It says you posted at 2:55. Perhaps we should have got someone who lives in Hawaii.

Anyway see if you can do:

Start, All Programs, Accessories, right click on Command Prompt and Run as Administrator, Continue. (Or get into Command Prompt any way you can) Type with an Enter after each line:

sfc  /scannow

(Once this finishes - Does it finish?)  

cd \windows

copy regedit.exe regedit.com

regedit.com

(Are you able to get into the registry editor?  Leave it running and get back to me.)

[RKinner]

It says you posted at 2:55. Perhaps we should have got someone who lives in Hawaii.

Anyway see if you can do:

Start, All Programs, Accessories, right click on Command Prompt and Run as Administrator, Continue. (Or get into Command Prompt any way you can) Type with an Enter after each line:

sfc  /scannow

(Once this finishes - Does it finish?)  

cd \windows

copy regedit.exe regedit.com

regedit.com

(Are you able to get into the registry editor?  Leave it running and get back to me.)

[neataznyam]

well it says 1 file copied and it did scan. After I typed in the last regedit.com nothing happened, just went back to c:\windows if that's what was suppose to happen.

Edited by neataznyam, 21 April 2012 - 12:17 PM.

[RKinner]

No. Was hoping we could get the registry editor to come up.

Copy this line:

reg delete HKEY_CURRENT_USER\SOFTWARE\Classes\exefile

Start, All Programs, Accessories, right click on Command Prompt and Run as Administrator, Continue. Right click and Paste or Edit then Paste and the copied line should appear. Hit Enter.

Do you get an error? What does the error say?

When you right clicked on the unhookexe.inf file did you have an option to Merge?

[RKinner]

If reg delete fails then see if you can create and boot off the PC Regedit CD they talk about midway on this page:

http://www.raymond.c...ing-in-windows/

Start with:

1. Download PC Regedit

They give you some info on how to burn the CD but the easiest way is with the free iso burner:

http://www.freeisoburner.com/

If you can get it to boot then you probably need to have it open C:\Users\henry\NTUSER.DAT or USRCLASS.DAT to find the HKEY_CURRENT_USER\SOFTWARE\Classes\exefile
which we want to delete.

If you can't get that to work then try the Windows Defender Offline program:

http://windows.micro...efender-offline

Apparently if MSSE finds a problem it can't handle it tells the user to run Windows Defender Offline but I don't think you need MSSE to run it. The nice thing about it is it does not need a second program to burn a CD or create a bootable USB drive. There is a separate program for 32 and 64 bit systems. You will need the 64 bit version. Then you have a choice of blank CD or a USB drive or .iso file. You boot off the CD or USB and it gives you some choices (Quick Scan and Full Scan if I remember correctly - may be other choices). Then it scans your system and fixes anything it knows how to fix but I think it asks permission so you can't just let it run overnight.

[neataznyam]

well I deleted the file, it said successfully completed operation

Edited by neataznyam, 21 April 2012 - 04:37 PM.

[neataznyam]

for unhook I didn't see a merge when I right clicked but I saw install

[RKinner]

Interesting that it lets reg work. Did that make a difference in running other exe files?

Right click on a file that won't run and select Properties then look if it says anything about the file being blocked. Click on Unblock. See if it will run now.


Try copying the next line and pasting it into a command prompt as before.

reg export "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" "%userprofile%\Desktop\ifeo.txt"

It should create a file called ifeo.txt on your desktop. If so please attach the file to your next post.

[neataznyam]

here you go

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Acrobat.exe]
"DisableExceptionChainValidation"=dword:00000000
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcrobatInfo.exe]
"DisableExceptionChainValidation"=dword:00000000
@=""
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroRd32.exe]
"DisableExceptionChainValidation"=dword:00000000
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroRd32Info.exe]
"DisableExceptionChainValidation"=dword:00000000
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions]
"mscoree.dll"=dword:00000001
"mscorwks.dll"=dword:00000001
"mso.dll"=dword:00000001
"msjava.dll"=dword:00000001
"msci_uno.dll"=dword:00000001
"jvm.dll"=dword:00000001
"jvm_g.dll"=dword:00000001
"javai.dll"=dword:00000001
"vb40032.dll"=dword:00000001
"vbe6.dll"=dword:00000001
"ums.dll"=dword:00000001
"main123w.dll"=dword:00000001
"udtapi.dll"=dword:00000001
"mscorsvr.dll"=dword:00000001
"eMigrationmmc.dll"=dword:00000001
"eProcedureMMC.dll"=dword:00000001
"eQueryMMC.dll"=dword:00000001
"EncryptPatchVer.dll"=dword:00000001
"Cleanup.dll"=dword:00000001
"divx.dll"=dword:00000001
"divxdec.ax"=dword:00000001
"fullsoft.dll"=dword:00000001
"NSWSTE.dll"=dword:00000001
"ASSTE.dll"=dword:00000001
"NPMLIC.dll"=dword:00000001
"PMSTE.dll"=dword:00000001
"AVSTE.dll"=dword:00000001
"NAVOPTRF.dll"=dword:00000001
"DRMINST.dll"=dword:00000001
"TFDTCTT8.dll"=dwo rd:00000001
"DJSMAR00.dll"=dword:00000001
"xlmlEN.dll"=dword:00000001
"ISSTE.dll"=dword:00000001
"symlcnet.dll"=dword:00000001
"ppw32hlp.dll"=dword:00000001
"Apitrap.dll"=dword:00000001
"Vegas60k.dll"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GoogleUpdate.exe]
"DisableExceptionChainValidation"=dword:00000000
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe]
"DisableExceptionChainValidation"=dword:00000000
"DisableUserModeCallbackFilter"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MovieMaker.exe]
"CWDIllegalInDllSearch"=dword:ffffffff
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WLXAlbumDownloadWizard.exe]
"CWDIllegalInDllSearch"=dword:ffffffff

[RKinner]

Try copying the next line and pasting it into a command prompt as before.

reg export "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" "%userprofile%\Desktop\LMRun.txt"

It should create a file called LMRun.txt on your desktop.

Let's see if we can get it to delete the malware entries now that we have a backup copy.

reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v devicemob

if that seems to work

reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v xmlimig

reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v dplaysvr

Then

reg export HKEY_Current_User\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "%userprofile%\Desktop\CURun.txt"


It should create a file called CURun.txt on your desktop.

reg delete HKEY_Current_User\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v devicemob

reg delete HKEY_Current_User\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v xmlimig

reg delete HKEY_Current_User\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v dplaysvr



reg export "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" "%userprofile%\Desktop\Winlogon.txt"


Attach or copy and paste "Winlogon.txt"



reg export HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System "%userprofile%\Desktop\LMPolicies.txt"


Attach or copy and paste "LMPolicies.txt"



reg export "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]" "%userprofile%\Desktop\Policies.txt"


Attach or copy and paste "CUPolicies.txt"

[neataznyam]

the first line i pasted I got a message about windows\system32\mscoree.dll saying this file does not have a program associated with it for the performing this action. Please install a program or, if one is laready installed create an association in the default programs control panel.

[neataznyam]

I did reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v devicemob and when it ask yes or no I keep putting yes and it keeps asking me the same question, the same thing happened with the following entries

Edited by neataznyam, 21 April 2012 - 07:38 PM.

[RKinner]

Can you uninstall your AdAware and SuperAntiSpyware? One of them may be causing us problems. We may need to reset the permissions on the registry.

Can you get the reg export lines to work? Pleas copy and paste any you can get.

[neataznyam]

okay I got the lmrun file, do i just paste what's inside there to the command prompt because thats what I did and it said adobeaamupdater-10" is not recognized as an internal or external command, operable program or batch file.

[RKinner]

You can also try adding a /f. Then it shouldn't ask for a yes or no.

reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v devicemob /f