
Ladydreamrider Fixing Barb's Computer


49 replies to this topic

#1 Ladydreamrider

Posted 28 June 2008 - 10:31 PM

Seems my retirees are downloading a lot of viruses these days... go figure. Thanks in advance for helping me out here. :thumbsup:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:14:13 PM, on 6/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Acer\Empowering Technology\admServ.exe
C:\WINDOWS\system32\rasr.exe
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\tlntsvr.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\System32\svchost.exe
F:\123.exe.exe
F:\123.exe.exe
C:\Program Files\Trend Micro\HijackThis\123.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\system32\spywarewarning.mht
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://as.starware.com/dp/search?product=s...581&loc=New York, NY&qry=&url=http://www.myownstartpage.net/?cm=89486&lt=1&it=2008-02-24%2002:30:49&dt=2008-03-11%2000:03:39&q=http://my.starware.com/dp/startpage?src_id=408 (obfuscated)
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: (no name) - {00A6FAF1-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: (no name) - {182BA797-C55D-4657-8126-B66BEA82954D} - C:\WINDOWS\system32\opnomjjI.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: ALOT Toolbar - {5AA2BA46-9913-4dc7-9620-69AB0FA17AE7} - C:\Program Files\alot\bin\alot.dll
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\rqRJCSLC.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {79AE735F-9663-4B92-9602-39EB563FA30C} - C:\WINDOWS\system32\ljjihii.dll (file missing)
O2 - BHO: GNX Bingo - {903AD98D-8A91-4FBB-B5E1-4FFCA9003E6A} - C:\WINDOWS\kdftlboeorn.dll (file missing)
O2 - BHO: {d156bead-f3ea-6fab-7974-40aa34b6a339} - {933a6b43-aa04-4797-baf6-ae3fdaeb651d} - C:\WINDOWS\system32\bkuqrrmt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: (no name) - {cb5a26c3-d9b3-4ab0-9efc-443595518284} - C:\Program Files\Starware408\bin\Starware408.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: (no name) - {07AA283A-43D7-4CBE-A064-32A21112D94D} - (no file)
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O3 - Toolbar: Starware Videos Toolbar - {6e4cc754-caa4-4576-9af1-68323d5760d4} - C:\Program Files\Starware408\bin\Starware408.dll
O3 - Toolbar: ALOT Toolbar - {5AA2BA46-9913-4dc7-9620-69AB0FA17AE7} - C:\Program Files\alot\bin\alot.dll
O3 - Toolbar: qvdntlmw - {19188BC4-4E06-48E6-9C54-8E94425AEF02} - C:\WINDOWS\qvdntlmw.dll (file missing)
O3 - Toolbar: My Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\barbara mercurio\cftmon.exe
O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
O4 - HKLM\..\Run: [IEUpdate] C:\WINDOWS\system32\rasr.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [1d0f117a] rundll32.exe "C:\WINDOWS\system32\lhkdkfoq.dll",b
O4 - HKLM\..\RunServices: [IEUpdate] C:\WINDOWS\system32\rasr.exe
O4 - HKCU\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKCU\..\Run: [autoload] C:\Documents and Settings\barbara mercurio\cftmon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IEUpdate] C:\WINDOWS\system32\rasr.exe
O4 - HKCU\..\RunServices: [IEUpdate] C:\WINDOWS\system32\rasr.exe
O4 - HKLM\..\Policies\Explorer\Run: [some] C:\Program Files\NetProject\scit.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [autoload] C:\Documents and Settings\LocalService\cftmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...html?p=ZNfox000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.explorertool.net/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.explorertool.net/redirect.php (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{9DD3FD9E-17E4-4FC6-B70A-68EF762D5ADE}: NameServer = 85.255.114.50,85.255.112.221
O17 - HKLM\System\CCS\Services\Tcpip\..\{B78A52A1-AFAF-4299-82C6-1ACB8375385B}: NameServer = 85.255.114.50,85.255.112.221
O17 - HKLM\System\CCS\Services\Tcpip\..\{E9D44096-87DD-484A-8DDC-1D7C6381BDFA}: NameServer = 85.255.114.50,85.255.112.221
O17 - HKLM\System\CCS\Services\Tcpip\..\{F9A4DF8D-18F4-4828-9A12-E374BE9E1230}: NameServer = 85.255.114.50,85.255.112.221
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.50 85.255.112.221
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.50 85.255.112.221
O20 - Winlogon Notify: rqRJCSLC - C:\WINDOWS\SYSTEM32\rqRJCSLC.dll
O20 - Winlogon Notify: __c00CA064 - C:\WINDOWS\system32\__c00CA064.dat
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AdminWorks Agent X6 (AWService) - Avocent Inc. - C:\Acer\Empowering Technology\admServ.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: My Web Search Service (MyWebSearchService) - MyWebSearch.com - C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwssvc.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 11147 bytes
Our main business is not to see what lies dimly at a distance,but to do what lies clearly at hand. - Thomas Carlyle
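The log above is the kind of listing the helpers in this thread read by hand. As an added example (not part of the original post, and not HijackThis code), the script below parses lines in the same format and flags the entry types that stand out in Barb's log: O17 NameServer values outside private address space, O4 autoruns launched from a user profile folder, from the drivers folder, or through rundll32, O2/O3 entries with no name or no backing file, and an R0 start page that is a local file instead of a URL. The sample lines are constructed: most are copied from the log in this thread, and one benign O17 line with a private address is added for contrast. The heuristics are this example's own, not rules from HijackThis.

```python
"""Triage helper for HijackThis-style log lines.

Added example for this thread; it is not code from HijackThis or from the
forum. It parses lines in the format shown in the log above and flags the
entry types a malware helper reads first.
"""
import ipaddress
import re

# Constructed sample: lines copied from the thread's log, plus one benign
# O17 line (192.168.1.1, a private address) added for contrast.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\system32\spywarewarning.mht
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {182BA797-C55D-4657-8126-B66BEA82954D} - C:\WINDOWS\system32\opnomjjI.dll
O3 - Toolbar: qvdntlmw - {19188BC4-4E06-48E6-9C54-8E94425AEF02} - C:\WINDOWS\qvdntlmw.dll (file missing)
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKCU\..\Run: [autoload] C:\Documents and Settings\barbara mercurio\cftmon.exe
O4 - HKLM\..\Run: [1d0f117a] rundll32.exe "C:\WINDOWS\system32\lhkdkfoq.dll",b
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.50 85.255.112.221
O17 - HKLM\System\CCS\Services\Tcpip\..\{9DD3FD9E-17E4-4FC6-B70A-68EF762D5ADE}: NameServer = 192.168.1.1
"""

# Every HJT line starts with a section code such as R0, O4 or O17, then " - ".
LINE_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.*)$")


def parse_line(line):
    """Split one log line into (section code, rest of line); None if it is not an entry."""
    m = LINE_RE.match(line.strip())
    return (m.group("kind"), m.group("body")) if m else None


def check_nameservers(body):
    """O17: flag DNS servers that are neither private nor loopback addresses."""
    _, _, servers = body.partition("NameServer =")
    findings = []
    for token in re.split(r"[,\s]+", servers.strip()):
        if not token:
            continue
        try:
            ip = ipaddress.ip_address(token)
        except ValueError:
            findings.append(f"unparsable NameServer value {token!r}")
            continue
        if not (ip.is_private or ip.is_loopback):
            findings.append(f"DNS server {ip} is outside the local network (possible DNS hijack)")
    return findings


def check_autorun(body):
    """O4: flag autoruns whose target lives where legitimate software rarely does."""
    m = re.search(r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)", body)
    if not m:
        return []
    cmd = m.group("cmd").strip()
    if cmd.lower().startswith("rundll32"):
        quoted = re.search(r'"([^"]+)"', cmd)
        target = quoted.group(1) if quoted else cmd
        return [f"rundll32 autorun loading {target}; confirm the DLL is a known component"]
    target = cmd.split(" (")[0]  # drop a trailing "(User 'SYSTEM')" annotation
    low = target.lower()
    findings = []
    if low.startswith("c:\\documents and settings\\"):
        findings.append(f"autorun from a user profile folder: {target}")
    if "\\drivers\\" in low and low.endswith(".exe"):
        findings.append(f"executable autorun from the drivers folder: {target}")
    return findings


def check_browser_object(body):
    """O2/O3: flag helper objects and toolbars with no name or no backing file."""
    findings = []
    if "(no name)" in body:
        findings.append(f"unnamed browser object: {body}")
    if "(file missing)" in body or "(no file)" in body:
        findings.append(f"browser object whose file is gone (stale or partly cleaned): {body}")
    return findings


def check_start_page(body):
    """R0/R1: flag start or search pages that are not http(s) URLs."""
    _, _, value = body.partition("=")
    value = value.strip()
    if value and not value.lower().startswith(("http://", "https://")):
        return [f"browser home/search page points at a local file: {value}"]
    return []


CHECKS = {
    "R0": check_start_page,
    "R1": check_start_page,
    "O2": check_browser_object,
    "O3": check_browser_object,
    "O4": check_autorun,
    "O17": check_nameservers,
}


def triage(log_text):
    """Return (section code, finding) pairs for every suspicious entry in the log."""
    results = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        kind, body = parsed
        for finding in CHECKS.get(kind, lambda _body: [])(body):
            results.append((kind, finding))
    return results


if __name__ == "__main__":
    for kind, finding in triage(SAMPLE_LOG):
        print(f"[{kind}] {finding}")
```

Run as-is it prints eight findings for the sample: both public DNS servers, the three odd autoruns, the unnamed BHO, the toolbar with its file missing, and the local start page; the Symantec autorun, the Java BHO and the private-address O17 line pass. The checks are deliberately narrow so that a reviewer still reads the whole log; they only order the reading.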


#2 SifuMike (malware expert)

Posted 06 July 2008 - 11:38 PM

Hello Ladydreamrider,

This computer is very infected, so it will take several steps.

First, please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Copy and Paste the entire Malwarebytes' Anti-Malware report in your next reply along with a fresh HijackThis log.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

If you encounter this message: "c:\program files\malwarebytes' Anti-Malware\mbamext.dll Unable to register the dll/ocx: RegSvr32 failed with exit code 0x5", click Ignore for mbamext.dll.

Edited by SifuMike, 06 July 2008 - 11:49 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 Ladydreamrider (Topic Starter)

Posted 08 July 2008 - 07:17 AM

Thanks for getting back to me. I will try to get this done this evening... July 8. I am having trouble getting anything because I can't get online with the infected computer. I had to run HJT from a flash drive, but when I tried to put other tools on there, it tells me the file is corrupted... so will get this on the flash, try and let you know... have to go to real world job right now. :thumbsup:

#4 SifuMike (malware expert)

Posted 08 July 2008 - 03:01 PM

Hi Ladydreamrider,

If you can get the computer online, then update the Symantec/Norton antivirus and run a complete scan.
This computer is heavily infected, probably because the owner did not update and run the Symantec/Norton antivirus programs. :thumbsup:

Edited by SifuMike, 08 July 2008 - 03:01 PM.


#5 Ladydreamrider (Topic Starter)

Posted 08 July 2008 - 08:47 PM

The Norton is way out of date... and I think he has gone into porn sites. I can't download the Malwarebytes. I've tried safe mode, reg. mode. I've tried as admin, but don't have the correct passcode... I've tried the passcode to the computer and admin... neither works.
I keep getting a Critical System Warning window and inside the message says Possible spyware: cyberlog-x
Then it tries to go online, which I cannot do.
I've tried to go online using my wireless network, but that is blocked. I've turned on the services and tried that, but it is still blocked. When I reboot, some of the services are turned off again. Plug and Play is not one of the ones turned off.
Any other suggestions will be appreciated and tried. (I've even tried downloading RegistrarLite but can't open that.)
I've run regedit and searched to manually delete files, but it doesn't find the cyberlog-x. I don't think that is the real problem anyway.
Why do people wait until things are soooo bad before asking for help... :thumbsup:
Thanks!
LD

#6 SifuMike (malware expert)

Posted 08 July 2008 - 09:26 PM

Hi LD,

This computer is very infected. I just hope it is not too late to fix it. :thumbsup:


You can try running F-Secure online scan and Malwarebytes with
SAFE MODE WITH NETWORKING (but not at the same time)

When you bootup to the safe mode menu screen, select from the following option:
Safe Mode with Networking
This option loads all these files and drivers and the services and drivers necessary to start networking.


Let's run an F-Secure online scan for Viruses, Spyware and RootKits:
Go to http://support.f-secure.com/enu/home/ols.shtml

Notes:
This scan will only work with Internet Explorer
You must have administrator rights to run this scan
This scan can take several hours, so please be patient


Scroll to the bottom of the page and click the Start scanning button. A window will pop up.
Allow the ActiveX control to be installed on your computer, then click the Accept button
Click Full System Scan and allow the components to download and the scan to complete.
If malware is found, check Submit samples to F-Secure then select Automatic cleaning
When cleaning has finished, click Show report (this will open an Internet Explorer window containing the report)
Highlight and Copy (CTRL + C) the complete report, and Paste (CTRL + V) in a new reply to this post


If Automatic cleaning with Submit samples hangs, click Cancel, then New Scan
When the cleaning option is presented, Uncheck Submit samples to F-Secure
Click Automatic cleaning
When cleaning has finished, click Show report (this will open an Internet Explorer window containing the report)
Highlight and Copy (CTRL + C) the complete report, and Paste (CTRL + V) in a new reply to this post

Edited by SifuMike, 08 July 2008 - 09:49 PM.


#7 Ladydreamrider (Topic Starter)

Posted 08 July 2008 - 11:15 PM

I can't get online even in Safe Mode with Networking. I tried to run Malwarebytes in Safe Mode with Networking (I can't boot into just plain Safe Mode, nothing comes up... go figure.) I also can't get in as administrator. It says I don't have admin rights in safe mode, and in regular mode it asks for a password that I don't know.

That's why I was trying to delete the bad files manually, but I don't know what files to try to find. I need to delete the key file/files and maybe we can get online to clean the rest.

Is there any way to download these files from a flash drive? So far using that method hasn't worked either.

I hate admitting defeat to the enemy!! :thumbsup:

Any clues here? I really do appreciate you trying to help me.

#8 SifuMike (malware expert)

Posted 08 July 2008 - 11:29 PM

Hello Ladydreamrider,

I have not run out of ideas yet. :thumbsup:

See if you can download SDFix and save it to your Desktop.

If you can't download it, then put it on a flash drive and run it that way.

Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
  • Finally copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log

-- If this error message is displayed when running SDFix: "The command prompt has been disabled by your administrator. Press any key to continue..."
Please go to Start Menu > Run > and copy/paste the following line:
%systemdrive%\SDFix\apps\swreg IMPORT %systemdrive%\SDFix\apps\Enable_Command_Prompt.reg
Press Ok and then run SDFix again.

-- If the Command Prompt window flashes on then off again on XP or Win 2000, please go to Start Menu > Run > and copy/paste the following line:
%systemdrive%\SDFix\apps\FixPath.exe /Q
Reboot and then run SDFix again.

-- If SDFix still does not run, check the %comspec% variable. Right-click My Computer > click Properties > Advanced > Environment Variables and check that the ComSpec variable points to cmd.exe.
%SystemRoot%\system32\cmd.exe

Edited by SifuMike, 08 July 2008 - 11:30 PM.


#9 Ladydreamrider (Topic Starter)

Posted 09 July 2008 - 10:39 PM

I didn't get to this today. Will try it tomorrow morning. Thanks.
LD

#10 SifuMike (malware expert)

Posted 09 July 2008 - 10:43 PM

No rush. :thumbsup:

#11 Ladydreamrider (Topic Starter)

Posted 10 July 2008 - 08:29 AM

Okay... try this again. I had all this typed once and lost the page...
under Environment Variables
Variable Value
Temp C:\Documents and Settings\barbara mercurio\Local Settings\Temp
TMP

#12 SifuMike (malware expert)

Posted 10 July 2008 - 08:39 AM

What are you having problems with? I did not understand your previous message.

#13 Ladydreamrider (Topic Starter)

Posted 10 July 2008 - 08:46 AM

Continuing
TMP C:\Documents and Settings\barbara mercurio\Local Settings


System Variables
Variable Value
CLASSPATH .;D:\Program Files\QuickTime\QTSystem\QTJava.zip
ComSpec C:WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK NO
NUMBER_OF_PROCESSORS 2
OS WINDOW_NT (I don't understand this one...I'm running winXP)
Pathext .COM;.EXE;.BAT;.CMD;.VBS;VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE x86
PROCESSOR_IDENTIFIER x86 Family 6 Model 14 Stepping 8 GenuineIntel
PROCESSOR_LEVEL 6
PROCESSOR_REVISION 0e08
QTJAVA C:\Program Files\QuickTime\QTSystem\Java.zip
SAFEBOOT_OPTION NETWORK (That explains why I can't get into just SAFE MODE)
TEMP C:\WINDOWS\TEMP
TMP C:\WINDOWS\TEMP
windir C:\WINDOWS


I think I may be seeing some of the problem here, but I have no idea how to fix any of this, so I become even more... your willing student... :thumbsup:
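The SDFix instructions earlier in the thread end with a manual check that ComSpec points at cmd.exe, and the listing just posted is exactly the input for that check. As an added example (not code from SDFix or from this forum), the script below parses "Variable Value" lines in the shape the poster used and applies three checks: that ComSpec equals %windir%\system32\cmd.exe, that every PATHEXT entry carries a leading dot, and whether SAFEBOOT_OPTION is present, which Windows sets only for the current Safe Mode boot (here NETWORK) rather than as a persistent setting. The sample is constructed from the listing above; the ComSpec value without a backslash after the drive letter and the bare VBE entry may be transcription slips, and the checks flag them either way.

```python
"""Sanity checks on a pasted 'Variable Value' environment listing.

Added example for this thread; not code from SDFix or the forum. It parses
NAME VALUE lines in the shape the poster used, then applies the ComSpec check
from the SDFix instructions plus two related ones.
"""

# Constructed sample, copied from the listing in the thread. The ComSpec and
# PATHEXT values may be transcription slips; the checks flag them either way.
SAMPLE_LISTING = r"""
ComSpec C:WINDOWS\system32\cmd.exe
Pathext .COM;.EXE;.BAT;.CMD;.VBS;VBE;.JS;.JSE;.WSF;.WSH
SAFEBOOT_OPTION NETWORK
windir C:\WINDOWS
"""


def parse_listing(text):
    """Turn 'NAME VALUE' lines into a dict keyed by upper-cased name.

    Windows environment variable names are case-insensitive, so the key is
    normalised; the value keeps its original text because paths are compared.
    """
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        name, _, value = line.partition(" ")
        env[name.upper()] = value.strip()
    return env


def check_comspec(env):
    """ComSpec must be %windir%\\system32\\cmd.exe (compared case-insensitively)."""
    comspec = env.get("COMSPEC", "")
    expected = env.get("WINDIR", r"C:\WINDOWS") + r"\system32\cmd.exe"
    if comspec.lower() == expected.lower():
        return []
    return [f"ComSpec is {comspec!r}, expected {expected!r}; anything that launches "
            "cmd.exe through ComSpec (RunThis.bat included) may fail to start"]


def check_pathext(env):
    """Every PATHEXT entry is an extension and should begin with a dot."""
    entries = [e for e in env.get("PATHEXT", "").split(";") if e]
    return [f"PATHEXT entry without a leading dot: {e!r}" for e in entries
            if not e.startswith(".")]


def check_safeboot(env):
    """SAFEBOOT_OPTION exists only while Windows is booted into Safe Mode."""
    option = env.get("SAFEBOOT_OPTION")
    if option is None:
        return []
    return [f"listing was captured in Safe Mode ({option}); the variable is "
            "absent on a normal boot"]


def audit(text):
    """Run every check on a pasted listing and return the findings."""
    env = parse_listing(text)
    return check_comspec(env) + check_pathext(env) + check_safeboot(env)


if __name__ == "__main__":
    for finding in audit(SAMPLE_LISTING):
        print("-", finding)
```

On the sample it reports three findings: the malformed ComSpec, the VBE entry, and the Safe Mode note. A listing taken from a healthy machine booted normally, with ComSpec spelled correctly, produces none.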

#14 Ladydreamrider (Topic Starter)

Posted 10 July 2008 - 08:47 AM

Oh yes... I cannot get online with that laptop at all. I'm using my computer to communicate...
I hate malware, but I sure am learning a lot... yea!

#15 SifuMike (malware expert)

Posted 10 July 2008 - 08:58 AM

Did you do what I told you in my previous post? :thumbsup:

See if you can download SDFix and save it to your Desktop.

If you can't download it, then put it on a flash drive and run it that way.

You don't need to get online.
I said to download SDFix to a flash drive on the good computer,
put the flash drive in the bad computer and run SDFix that way.

You need to run SDFix in either Safe Mode or Safe Mode with networking.

Edited by SifuMike, 10 July 2008 - 09:35 AM.
