

Cannot Run Task Manager, Cannot Run Spybot...


12 replies to this topic

#1 seriously? (Members, 6 posts)

Posted 01 June 2008 - 03:41 PM

Okay, I'm running a genuine Win XP Home Edition. I have SpyHunter 3 Full Version and Spybot S&D. For some reason I cannot open Spybot or for that matter Firefox, so I have to use IE now. When I try to open Task Manager I get the message "Task Manager has been disabled by your administrator" which is ridiculous because I am the only administrator. I have scanned and removed the infected files using SpyHunter, but they've come back. I've tried Safe Mode earlier (which didn't help much), but now I can't access that either. I press F12 sometimes, and F8 other times and all I get, instead of the usual choices for safe modes, is a black screen with a blinking underscore in the top left corner which disappears after a few seconds and the start up resumes as usual. I get Windows security alerts and "Critical System Warnings". All this wasn't there this morning. I tried restoring the system to an earlier time but the problems persisted. Also, a warning sign has taken over my desktop background and it says 'Warning: Spyware threat has been detected on your PC' and then under it some more text and a link leading to some fake website selling antivirus software called SpyMaxx and AntispyStorm2008. SpyHunter has grouped some of this malicious software as 'Adware.command', but it still comes back after rebooting. What to do? I'm losing my mind. :thumbsup:

Edited by seriously?, 01 June 2008 - 03:50 PM.



#2 DaChew (Visiting Alien, BC Advisor, 10,317 posts)

Posted 01 June 2008 - 04:08 PM

http://www.bleepingcomputer.com/forums/t/131299/how-to-use-sdfix/

Let's try SDFix from Safe Mode. The directions are quite intricate, so you might want to print them out.

But first try

Please download SafeBootKeyRepair.exe by sUBs to repair Safe Mode.

http://download.bleepingcomputer.com/sUBs/...otKeyRepair.exe


To run SafeBootKeyRepair.exe:
1. Close all programs/windows so that you have nothing open and are at your Desktop.
2. Double-click the SafeBootKeyRepair.exe file.
When finished, it shall produce a log for you.
3. Post the entire contents of C:\SafeBoot_Repair.txt in your next reply.
Chewy

No. Try not. Do... or do not. There is no try.

#3 seriously? (Topic Starter, Members, 6 posts)

Posted 01 June 2008 - 04:36 PM

Thanks. Here we go:

Reg export of SafeBoot key after repair:
========================

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot]
"AlternateShell"="cmd.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\AppMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Base]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Boot Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Boot file system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\CryptSvc]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\CryptSvc]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\DcomLaunch]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmadmin]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmboot.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmio.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmload.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmserver]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\EventLog]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\HelpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Netlogon]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\PCI Configuration]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\PlugPlay]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\PNP Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Primary disk]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\RpcSs]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\SCSI Class]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\sermouse.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\sr.sys]
@="FSFilter System Recovery"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\SRService]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\System Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\vga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\WinMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{36FC9E60-C465-11CF-8056-444553540000}]
@="Universal Serial Bus controllers"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E965-E325-11CE-BFC1-08002BE10318}]
@="CD-ROM Drive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E969-E325-11CE-BFC1-08002BE10318}]
@="Standard floppy disk controller"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E977-E325-11CE-BFC1-08002BE10318}]
@="PCMCIA Adapters"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E97B-E325-11CE-BFC1-08002BE10318}]
@="SCSIAdapter"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E980-E325-11CE-BFC1-08002BE10318}]
@="Floppy disk drive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]
@="Human Interface Devices"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\AFD]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\AppMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Base]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Boot Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Boot file system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Browser]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\CryptSvc]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\CryptSvc]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\DcomLaunch]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Dhcp]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmadmin]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmboot.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmio.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmload.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmserver]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\DnsCache]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\EventLog]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\HelpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\ip6fw.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\ipnat.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\LanmanServer]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\LanmanWorkstation]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\LmHosts]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Messenger]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NDIS]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NDIS Wrapper]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Ndisuio]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetBIOS]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetBIOSGroup]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetBT]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetDDEGroup]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Netlogon]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetMan]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Network]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetworkProvider]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NtLmSsp]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PCI Configuration]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PlugPlay]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PNP Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PNP_TDI]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Primary disk]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdpcdd.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdpdd.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdpwd.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdsessmgr]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\RpcSs]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\SCSI Class]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\sermouse.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\SharedAccess]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\sr.sys]
@="FSFilter System Recovery"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\SRService]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Streams Drivers]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\System Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Tcpip]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\TDI]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\tdpipe.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\tdtcp.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\termservice]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\vga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\WinMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\WZCSVC]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{36FC9E60-C465-11CF-8056-444553540000}]
@="Universal Serial Bus controllers"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E965-E325-11CE-BFC1-08002BE10318}]
@="CD-ROM Drive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E969-E325-11CE-BFC1-08002BE10318}]
@="Standard floppy disk controller"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}]
@="Net"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E973-E325-11CE-BFC1-08002BE10318}]
@="NetClient"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}]
@="NetService"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E975-E325-11CE-BFC1-08002BE10318}]
@="NetTrans"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E977-E325-11CE-BFC1-08002BE10318}]
@="PCMCIA Adapters"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E97B-E325-11CE-BFC1-08002BE10318}]
@="SCSIAdapter"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E980-E325-11CE-BFC1-08002BE10318}]
@="Floppy disk drive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]
@="Human Interface Devices"

========================
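Two of the symptoms in this thread live in the registry: the "Task Manager has been disabled by your administrator" message in post #1 is what Windows shows when the DisableTaskMgr policy value is set, and the SafeBoot export above is what SafeBootKeyRepair restores so that Safe Mode can load. The script below is an added example, not part of SafeBootKeyRepair, SDFix or this thread: it parses the .reg export format shown above and reports which of a handful of default SafeBoot\Minimal subkeys are absent and whether the per-user DisableTaskMgr value is set. The export embedded in it is a constructed, trimmed version of the one posted, with a Policies\System key added for illustration; the required-entry list is an assumption drawn from the XP default set, not a complete one.

```python
"""Check a Windows .reg export for two of the symptoms in this thread.
Added example, not part of SafeBootKeyRepair or SDFix."""
import re
from typing import Dict, List

# Constructed sample: a trimmed copy of the SafeBoot export format posted in
# this thread, plus a per-user Policies\System key of the kind that produces
# "Task Manager has been disabled by your administrator". Not a full export.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot]
"AlternateShell"="cmd.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Base]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\vga.sys]
@="Driver"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"""

SAFEBOOT = r"hkey_local_machine\system\currentcontrolset\control\safeboot"
POLICIES_SYSTEM = r"hkey_current_user\software\microsoft\windows\currentversion\policies\system"

# A handful of subkeys from the XP default SafeBoot\Minimal list (post #3
# shows the full set). Assumed subset: treat a missing one as a reason to
# re-run the repair, not as a precise diagnosis.
SAFEBOOT_MINIMAL_REQUIRED = [
    "Base", "Boot Bus Extender", "File system", "Primary disk", "vga.sys",
    "{4D36E967-E325-11CE-BFC1-08002BE10318}",   # DiskDrive class
]

KEY_RE = re.compile(r"\[(.+)\]")
VALUE_RE = re.compile(r'(@|"(?:[^"\\]|\\.)*")=(.*)')


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Map lower-cased key path -> {value name: raw data} for a .reg export
    that has already been decoded to str (reg.exe writes UTF-16 files).
    '@' is the default value. Paths are lower-cased because the registry is
    case-insensitive and exports mix case, as the one in this thread does."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.fullmatch(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.fullmatch(line)
        if m and current is not None:
            name = m.group(1)
            if name != "@":
                # strip quotes and undo the \" and \\ escapes reg.exe writes
                name = name[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            keys[current][name] = m.group(2)
    return keys


def missing_safeboot_entries(keys: Dict[str, Dict[str, str]], profile: str = "Minimal",
                             required: List[str] = SAFEBOOT_MINIMAL_REQUIRED) -> List[str]:
    """Names from `required` absent under SafeBoot\\<profile>; a single
    sentinel entry if the whole profile key is gone."""
    base = SAFEBOOT + "\\" + profile.lower()
    if base not in keys:
        return ["<whole %s key missing>" % profile]
    return [e for e in required if base + "\\" + e.lower() not in keys]


def task_manager_disabled(keys: Dict[str, Dict[str, str]]) -> bool:
    """True when DisableTaskMgr is a non-zero DWORD under the per-user
    Policies\\System key. HKLM carries the same value name; only HKCU is
    checked here."""
    data = keys.get(POLICIES_SYSTEM, {}).get("DisableTaskMgr", "")
    m = re.fullmatch(r"dword:([0-9a-fA-F]{8})", data)
    return bool(m) and int(m.group(1), 16) != 0


if __name__ == "__main__":
    parsed = parse_reg_export(SAMPLE_REG)
    for profile in ("Minimal", "Network"):
        print(profile, "missing:", missing_safeboot_entries(parsed, profile))
    print("DisableTaskMgr set:", task_manager_disabled(parsed))
```

To use it on a real machine, export with `reg export HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot safeboot.reg` and the Policies key the same way, open the files as UTF-16 text, and pass the contents to `parse_reg_export`.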


#4 seriously? (Topic Starter, Members, 6 posts)

Posted 01 June 2008 - 05:18 PM

Well, Safe Mode is still not available...after F8 it just skips straight to loading Normal mode. What should I do? And these damn fake warnings are still popping up everywhere in all kinds of shapes and forms. Now there's a red "Windows Security Center system warning" which resembles BitDefender's.
And I still cannot open Firefox or Spybot S&D...I don't dare check what else I cannot open too. Um, Office works, Movie Maker works...dunno... :thumbsup:

#5 DaChew (Visiting Alien, BC Advisor, 10,317 posts)

Posted 01 June 2008 - 05:25 PM

http://www.malwareremoval.com/tutorials/safemodeboot.php

Follow these directions exactly.
Chewy


#6 seriously? (Topic Starter, Members, 6 posts)

Posted 01 June 2008 - 05:31 PM

Oddly enough, pressing the F5 repeatedly worked. I'm in safe mode. Should I have SDfix installed?

#7 DaChew (Visiting Alien, BC Advisor, 10,317 posts)

Posted 01 June 2008 - 05:34 PM

You can install SDFix from Safe Mode; don't leave Safe Mode if you can help it.
Chewy


#8 seriously? (Topic Starter, Members, 6 posts)

Posted 01 June 2008 - 06:27 PM

Hmm, I seem to be stuck at "Checking Running Processes and Services" and I'm not getting the '20 minutes' thing.

#9 seriously? (Topic Starter, Members, 6 posts)

Posted 02 June 2008 - 06:40 AM

Well I've run the SDFix successfully, but the virus is still there. :thumbsup:

SDFix: Version 1.187
Run by Admin on Mon 02.06.2008 at 12:11

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services:

Name:
cmdService
MsSecurity1.209.4
Network Monitor

Path:
C:\WINDOWS\QWRtaW4\command.exe 
C:\WINDOWS\444.471 service
C:\Program Files\Network Monitor\netmon.exe service

cmdService - Deleted
MsSecurity1.209.4 - Deleted
Network Monitor - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Default IE HomePage 
Restoring Default Desktop Wallpaper 

Rebooting


Checking Files:

Trojan Files Found:

C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt - Deleted
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt - Deleted
C:\WINDOWS\system32\vntiho06\vntiho061083.exe - Deleted
C:\WINDOWS\system32\Z1\wdpars11.exe - Deleted
C:\WINDOWS\mrofinu1000106.exe - Deleted
C:\WINDOWS\muotr.so  - Deleted
C:\WINDOWS\system32\hljwugsf.bin  - Deleted
C:\WINDOWS\system32\pac.txt  - Deleted
C:\WINDOWS\system32\spywarewarning.mht  - Deleted
C:\WINDOWS\system32\spywarewarning2.mht  - Deleted


Could Not Remove C:\WINDOWS\x.exe
Could Not Remove C:\WINDOWS\y.exe
Could Not Remove C:\WINDOWS\accesss.exe 
Could Not Remove C:\WINDOWS\astctl32.ocx 
Could Not Remove C:\WINDOWS\avpcc.dll 
Could Not Remove C:\WINDOWS\clrssn.exe 
Could Not Remove C:\WINDOWS\cpan.dll 
Could Not Remove C:\WINDOWS\ctfmon32.exe 
Could Not Remove C:\WINDOWS\ctrlpan.dll 
Could Not Remove C:\WINDOWS\default.htm 
Could Not Remove C:\WINDOWS\directx32.exe 
Could Not Remove C:\WINDOWS\dnsrelay.dll 
Could Not Remove C:\WINDOWS\editpad.exe 
Could Not Remove C:\WINDOWS\explore.exe 
Could Not Remove C:\WINDOWS\explorer32.exe 
Could Not Remove C:\WINDOWS\funniest.exe 
Could Not Remove C:\WINDOWS\funny.exe 
Could Not Remove C:\WINDOWS\gfmnaaa.dll 
Could Not Remove C:\WINDOWS\helpcvs.exe 
Could Not Remove C:\WINDOWS\iedll.exe 
Could Not Remove C:\WINDOWS\iexplorer.exe 
Could Not Remove C:\WINDOWS\inetinf.exe 
Could Not Remove C:\WINDOWS\internet.exe 
Could Not Remove C:\WINDOWS\loader.exe 
Could Not Remove C:\WINDOWS\msconfd.dll 
Could Not Remove C:\WINDOWS\msspi.dll 
Could Not Remove C:\WINDOWS\mssys.exe 
Could Not Remove C:\WINDOWS\msupdate.exe 
Could Not Remove C:\WINDOWS\mswsc10.dll 
Could Not Remove C:\WINDOWS\mswsc20.dll 
Could Not Remove C:\WINDOWS\mtwirl32.dll 
Could Not Remove C:\WINDOWS\notepad32.exe 
Could Not Remove C:\WINDOWS\olehelp.exe 
Could Not Remove C:\WINDOWS\qttasks.exe 
Could Not Remove C:\WINDOWS\quicken.exe 
Could Not Remove C:\WINDOWS\rundll16.exe 
Could Not Remove C:\WINDOWS\rundll32.vbe 
Could Not Remove C:\WINDOWS\searchword.dll 
Could Not Remove C:\WINDOWS\sistem.exe 
Could Not Remove C:\WINDOWS\svchost32.exe 
Could Not Remove C:\WINDOWS\svcinit.exe 
Could Not Remove C:\WINDOWS\systeem.exe 
Could Not Remove C:\WINDOWS\systemcritical.exe 
Could Not Remove C:\WINDOWS\time.exe 
Could Not Remove C:\WINDOWS\users32.exe 
Could Not Remove C:\WINDOWS\waol.exe 
Could Not Remove C:\WINDOWS\win32e.exe 
Could Not Remove C:\WINDOWS\win64.exe 
Could Not Remove C:\WINDOWS\winajbm.dll 
Could Not Remove C:\WINDOWS\window.exe 
Could Not Remove C:\WINDOWS\winmgnt.exe 
Could Not Remove C:\WINDOWS\xplugin.dll 
Could Not Remove C:\WINDOWS\xxxvideo.hta 

Folder C:\Documents and Settings\LocalService\Application Data\NetMon - Removed
Folder C:\WINDOWS\system32\vntiho06 - Removed
Folder C:\WINDOWS\system32\Z1 - Removed


Removing Temp Files

ADS Check:
 


Final Check:


Remaining Services:




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\FlashGet\\flashget.exe"="C:\\Program Files\\FlashGet\\flashget.exe:*:Enabled:Flashget"
"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"="C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe:*:Enabled:Veoh Client"
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\BitLord\\BitLord.exe"="C:\\Program Files\\BitLord\\BitLord.exe:*:Enabled:BitLord"
"C:\\Program Files\\Orbitdownloader\\orbitdm.exe"="C:\\Program Files\\Orbitdownloader\\orbitdm.exe:*:Enabled:Orbit"
"C:\\Program Files\\Orbitdownloader\\orbitnet.exe"="C:\\Program Files\\Orbitdownloader\\orbitnet.exe:*:Enabled:Orbit"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"C:\\WINDOWS\\system32\\LMabcoms.exe"="C:\\WINDOWS\\system32\\LMabcoms.exe:*:Enabled:Lexmark Enhanced TCP/IP"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

Remaining Files:

C:\WINDOWS\x.exe Found
C:\WINDOWS\y.exe Found
C:\WINDOWS\accesss.exe  Found
C:\WINDOWS\astctl32.ocx  Found
C:\WINDOWS\avpcc.dll  Found
C:\WINDOWS\clrssn.exe  Found
C:\WINDOWS\cpan.dll  Found
C:\WINDOWS\ctfmon32.exe  Found
C:\WINDOWS\ctrlpan.dll  Found
C:\WINDOWS\default.htm  Found
C:\WINDOWS\directx32.exe  Found
C:\WINDOWS\dnsrelay.dll  Found
C:\WINDOWS\editpad.exe  Found
C:\WINDOWS\explore.exe  Found
C:\WINDOWS\explorer32.exe  Found
C:\WINDOWS\funniest.exe  Found
C:\WINDOWS\funny.exe  Found
C:\WINDOWS\gfmnaaa.dll  Found
C:\WINDOWS\helpcvs.exe  Found
C:\WINDOWS\iedll.exe  Found
C:\WINDOWS\iexplorer.exe  Found
C:\WINDOWS\inetinf.exe  Found
C:\WINDOWS\internet.exe  Found
C:\WINDOWS\loader.exe  Found
C:\WINDOWS\msconfd.dll  Found
C:\WINDOWS\msspi.dll  Found
C:\WINDOWS\mssys.exe  Found
C:\WINDOWS\msupdate.exe  Found
C:\WINDOWS\mswsc10.dll  Found
C:\WINDOWS\mswsc20.dll  Found
C:\WINDOWS\mtwirl32.dll  Found
C:\WINDOWS\notepad32.exe  Found
C:\WINDOWS\olehelp.exe  Found
C:\WINDOWS\qttasks.exe  Found
C:\WINDOWS\quicken.exe  Found
C:\WINDOWS\rundll16.exe  Found
C:\WINDOWS\rundll32.vbe  Found
C:\WINDOWS\searchword.dll  Found
C:\WINDOWS\sistem.exe  Found
C:\WINDOWS\svchost32.exe  Found
C:\WINDOWS\svcinit.exe  Found
C:\WINDOWS\systeem.exe  Found
C:\WINDOWS\systemcritical.exe  Found
C:\WINDOWS\time.exe  Found
C:\WINDOWS\users32.exe  Found
C:\WINDOWS\waol.exe  Found
C:\WINDOWS\win32e.exe  Found
C:\WINDOWS\win64.exe  Found
C:\WINDOWS\winajbm.dll  Found
C:\WINDOWS\window.exe  Found
C:\WINDOWS\winmgnt.exe  Found
C:\WINDOWS\xplugin.dll  Found
C:\WINDOWS\xxxvideo.hta  Found

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Wed  3 May 2006	   163,328 A.SHR --- "C:\WINDOWS\system32\flvDX.dll"
Wed 21 Feb 2007		31,232 A.SHR --- "C:\WINDOWS\system32\msfDX.dll"
Mon 17 Dec 2007		27,648 A.SH. --- "C:\WINDOWS\system32\Smab0.dll"
Sun 26 Jun 2005	   616,448 ..SHR --- "C:\Program Files\eRightSoft\SUPER\cygwin1.dll"
Tue 21 Jun 2005		45,568 ..SHR --- "C:\Program Files\eRightSoft\SUPER\cygz.dll"
Tue 27 May 2008		72,704 ..SHR --- "C:\Program Files\eRightSoft\SUPER\Setup.exe"
Wed 31 Oct 2007	   106,496 A.SHR --- "C:\WINDOWS\system\_sv_CMD_\_U_.exe"
Fri 22 Dec 2006			 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Tue  4 Jun 2002		84,992 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\14_43260.dll"
Tue  4 Jun 2002		44,032 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\28_83260.dll"
Tue 10 Dec 2002		73,766 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\atrc3260.dll"
Tue 10 Dec 2002		65,575 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\cook3260.dll"
Sun  9 Jun 2002		36,864 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\ddnt3260.dll"
Tue  4 Jun 2002		20,480 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\dnet3260.dll"
Tue 10 Dec 2002	   102,437 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\drv13260.dll"
Tue 10 Dec 2002	   176,165 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\drv23260.dll"
Tue 10 Dec 2002	   208,935 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\drv33260.dll"
Tue 10 Dec 2002	   217,127 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\drv43260.dll"
Sun  9 Jun 2002		40,448 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\dspr3260.dll"
Sun  4 Nov 2001	   225,280 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\ivvideo.dll"
Tue 10 Apr 2001	   225,280 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\qtmlClient.dll"
Fri 20 Feb 2004	   232,960 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\raac.dll"
Sun  9 Jun 2002	   525,824 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\rnco3260.dll"
Tue 10 Dec 2002	   245,805 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\rnlt3260.dll"
Tue 10 Dec 2002		45,093 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\rv103260.dll"
Tue 10 Dec 2002		98,341 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\rv203260.dll"
Tue 10 Dec 2002		94,247 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\rv303260.dll"
Tue 10 Dec 2002		90,151 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\rv403260.dll"
Tue 10 Dec 2002	   102,439 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\sipr3260.dll"
Sun  9 Jun 2002		49,152 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\tokr3260.dll"
Thu 20 Mar 2008		 5,632 ..SHR --- "C:\Program Files\eRightSoft\SUPER\spk\1stRun.exe"
Sun 25 May 2008			 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\0a67b6c406b1d7e0f5c1e6f6d44a3f6e\BIT5.tmp"
Sun 25 May 2008			 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\26924cbc8132a10b438ce6e2b49d4652\BIT3.tmp"
Sun 25 May 2008			 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\2769b111678c52099a3b3123b12f2325\BIT7.tmp"
Mon  5 May 2008			 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\ab59ac72525ea90a47679441587835c9\BITC.tmp"
Sun 25 May 2008			 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\b69c46c5109d0f8b0dee9fab84906813\BIT6.tmp"
Sun 25 May 2008			 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\d77b9b5b8fed23dd91f50d167cce60d3\BIT8.tmp"
Sun 25 May 2008			 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\fa6c916bb150f8a929e7a4ffdfbc120f\BIT4.tmp"

Finished!
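As an added example, not part of SDFix or this thread, the script below shows how a responder might triage a log like the one above: it extracts each path and flags filenames that imitate core Windows binaries (svchost32.exe, ctfmon32.exe, iexplorer.exe), script files dropped under C:\WINDOWS (.hta, .vbe), and directory names that are bare base64 (the service path C:\WINDOWS\QWRtaW4 decodes to "Admin"). The log embedded in it is a constructed subset of the one posted; the list of imitated binaries and the matching heuristics are assumptions, so treat hits as leads rather than verdicts.

```python
"""Triage an SDFix-style removal log like the one in post #9. Added example,
not part of SDFix: it pulls every path out of the log and flags three things
a responder looks for in this kind of listing."""
import base64
import binascii
import os
import re
from typing import List, Optional, Tuple

# Constructed subset of the thread's log (same line shapes, fewer lines).
SAMPLE_LOG = r"""
Checking Services :

Name :
cmdService
Network Monitor

Path :
C:\WINDOWS\QWRtaW4\command.exe
C:\Program Files\Network Monitor\netmon.exe service

cmdService - Deleted

Trojan Files Found:

C:\WINDOWS\system32\Z1\wdpars11.exe - Deleted

Could Not Remove C:\WINDOWS\svchost32.exe
Could Not Remove C:\WINDOWS\ctfmon32.exe
Could Not Remove C:\WINDOWS\iexplorer.exe
Could Not Remove C:\WINDOWS\rundll32.vbe
Could Not Remove C:\WINDOWS\xxxvideo.hta
Could Not Remove C:\WINDOWS\quicken.exe
"""

# Stems of core Windows binaries that droppers like to imitate (assumed list).
CORE_BINARIES = {"svchost", "ctfmon", "explorer", "rundll32", "notepad", "iexplore",
                 "csrss", "lsass", "winlogon", "services", "smss", "spoolsv", "taskmgr"}
SCRIPT_EXTS = {".hta", ".vbe", ".vbs", ".wsf"}
# Drive letter up to the first extension, stopping at whitespace, a quote or EOL.
PATH_RE = re.compile(r'[A-Za-z]:\\.*?\.[A-Za-z0-9]{2,4}(?=[\s"]|$)')
B64_RE = re.compile(r"^[A-Za-z0-9+/]{6,}$")


def extract_paths(log_text: str) -> List[str]:
    """Unique paths in first-seen order."""
    seen, out = set(), []
    for line in log_text.splitlines():
        for m in PATH_RE.finditer(line):
            if m.group(0) not in seen:
                seen.add(m.group(0))
                out.append(m.group(0))
    return out


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, small enough to inline."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(filename: str) -> Optional[str]:
    """Core binary stem that `filename` imitates (svchost32 -> svchost,
    iexplorer -> iexplore), or None. An exact core name returns None: whether
    it sits in the right directory is a separate check."""
    stem = filename.lower().rpartition(".")[0] or filename.lower()
    if stem in CORE_BINARIES:
        return None
    candidates = sorted(CORE_BINARIES)
    for real in candidates:                      # svchost32 -> svchost, rundll16 -> rundll32
        if stem.rstrip("0123456789") == real.rstrip("0123456789"):
            return real
    close = [r for r in candidates if _edit_distance(stem, r) == 1]
    if close:                                    # iexplorer -> iexplore, not explorer
        return max(close, key=lambda r: len(os.path.commonprefix([stem, r])))
    return None


def base64_dirname(path: str) -> Optional[Tuple[str, str]]:
    """(component, decoded) for the first directory component that is
    unpadded base64 decoding to printable ASCII; C:\\WINDOWS\\QWRtaW4 in the
    log decodes to 'Admin'. Ordinary names fail the decode or yield bytes
    outside ASCII, so they pass through."""
    for part in path.split("\\")[1:-1]:          # skip drive and filename
        if not B64_RE.match(part):
            continue
        padded = part + "=" * (-len(part) % 4)
        try:
            decoded = base64.b64decode(padded, validate=True).decode("ascii")
        except (binascii.Error, ValueError):
            continue
        if len(decoded) >= 3 and decoded.isprintable():
            return part, decoded
    return None


def triage(log_text: str) -> List[Tuple[str, str]]:
    """(path, reason) pairs; a path can appear more than once."""
    findings = []
    for path in extract_paths(log_text):
        name = path.rsplit("\\", 1)[-1]
        ext = "." + name.rpartition(".")[2].lower()
        real = lookalike_of(name)
        if real:
            findings.append((path, f"name imitates {real}.exe"))
        if ext in SCRIPT_EXTS:
            findings.append((path, f"{ext} script file"))
        b64 = base64_dirname(path)
        if b64:
            findings.append((path, f"directory {b64[0]!r} is base64 for {b64[1]!r}"))
    return findings


if __name__ == "__main__":
    for path, reason in triage(SAMPLE_LOG):
        print(f"{reason:45} {path}")
```

Run it and it prints the flagged paths with the reason for each; feed it the full log from this thread and it also picks up explore.exe, explorer32.exe, notepad32.exe and rundll16.exe. Extend `CORE_BINARIES` with whatever is common on your own machines.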


#10 DaChew (Visiting Alien, BC Advisor, 10,317 posts)

Posted 02 June 2008 - 07:17 AM

http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

It's really time to pass you on to the HJT team; if you need any help doing the preparations, please ask, someone here might know a trick or two.

You have a nasty mix of backdoor trojans/rootkits if I am not mistaken.

Seeing the P2P applications makes it obvious where the infections came from.


http://www.microsoft.com/technet/community...gmt/sm0504.mspx
Chewy


#11 GRM1 (Members, 25 posts, New Zealand)

Posted 12 June 2008 - 05:53 PM

Hi, just letting you know that the link doesn't work for me for SafeBootRepair.exe in post #2 above.
GRM1

Edited by GRM1, 12 June 2008 - 06:24 PM.


#12 GRM1 (Members, 25 posts, New Zealand)

Posted 15 June 2008 - 08:41 PM

Hi, I've just tried to access the SafeBootKeyRepair link from a virus-free computer and the link still failed. I'm just wondering whether I can download that package from somewhere else? Thanks,
G

#13 DaChew (Visiting Alien, BC Advisor, 10,317 posts)

Posted 16 June 2008 - 09:30 AM

I am sure the download link was pulled for good reason: malware has had too much time to adapt to that fix, and other, newer approaches should be used.
Chewy




