

Sick PC


  • This topic is locked
33 replies to this topic

#1 brillo1902

Posted 10 July 2009 - 04:39 AM

Hi, my Win 2000 PC is having increasing problems. It is based in the office at work, where employees have abused it to download all sorts of stuff, and as such it has become infected. It runs slower than it used to, and much of the anti-virus software such as AVG, Ad-Aware and Spybot either doesn't work now or halts half way through scans. Any help would be greatly appreciated.

Here is the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:32:59, on 10/07/2009
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Safe mode

Running processes:
F:\WINNT\System32\smss.exe
F:\WINNT\system32\winlogon.exe
F:\WINNT\system32\services.exe
F:\WINNT\system32\lsass.exe
F:\WINNT\system32\svchost.exe
F:\WINNT\System32\WBEM\WinMgmt.exe
F:\WINNT\Explorer.EXE
F:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
F:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.collectiveconcepts.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 62.49.123.1
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - F:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - F:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - F:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINNT\System32\msdxm.ocx
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - F:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Internet Connection Wizard] F:\WINNT\stisvsq1.exe
O4 - HKLM\..\Run: [Games Acceleration] F:\WINNT\svshost1.exe
O4 - HKLM\..\Run: [Internet Mail and News] F:\WINNT\msqdevl1.exe
O4 - HKLM\..\Run: [Microsoft Management Console] F:\WINNT\lssas1.exe
O4 - HKLM\..\Run: [Multimedia extensions] F:\WINNT\mservice1.exe
O4 - HKLM\..\Run: [xp_sys] "F:\WINNT\servicepackfiles\mmwnd.exe" updated
O4 - HKLM\..\Run: [Ad-Watch] F:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [AVG8_TRAY] F:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] F:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Suitcase Startup.lnk = F:\Program Files\Extensis\Suitcase 9.2\Suitcase.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - F:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - F:\WINNT\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - F:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - F:\WINNT\System32\dmadmin.exe

--
End of file - 3514 bytes
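The O4 lines above are the part of the log worth triaging first: several autostart entries launch binaries directly from F:\WINNT under names that are one or two characters away from real Windows processes (lssas1.exe vs lsass.exe, svshost1.exe vs svchost.exe), and the R1 line sets an Internet Explorer proxy auto-config URL pointing at a bare IP address. The script below is an added example for this thread, not part of HijackThis or of the original post; it parses O4 and R1 lines in the format HijackThis emits and flags entries that deserve a look. The heuristics (edit distance against a short list of imitated binaries, location under %SystemRoot% outside System32, presence of an AutoConfigURL) and the threshold of 0.75 are this example's assumptions, and the sample lines are constructed from values in the log above.

```python
"""Triage autostart (O4) and proxy (R1) lines from a HijackThis log.

Added example for this thread; it is not part of HijackThis or of the
original post. The heuristics below are this example's assumptions:
  * an autostart binary living in %SystemRoot% itself (or a subfolder
    other than System32) is unusual for legitimate Run entries;
  * a file name within a small edit distance of a well-known Windows
    binary (lssas1.exe vs lsass.exe) deserves a look;
  * an IE AutoConfigURL (proxy auto-config script) should be verified,
    since whoever controls the PAC controls where browser traffic goes.
"""
import re
from difflib import SequenceMatcher

# Binaries that malware commonly imitates by name (assumed list).
KNOWN_SYSTEM_BINARIES = (
    "lsass", "svchost", "smss", "csrss", "winlogon", "services",
    "explorer", "spoolsv", "mstask", "wuauclt",
)

# Constructed sample in the shape HijackThis emits (values from the thread's log).
SAMPLE_HJT = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 62.49.123.1
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Games Acceleration] F:\WINNT\svshost1.exe
O4 - HKLM\..\Run: [Microsoft Management Console] F:\WINNT\lssas1.exe
O4 - HKLM\..\Run: [xp_sys] "F:\WINNT\servicepackfiles\mmwnd.exe" updated
O4 - HKLM\..\Run: [AVG8_TRAY] F:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
"""

O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
R1_RE = re.compile(r"^R1 - .*AutoConfigURL = (?P<url>\S+)$")
WINDIR_RE = re.compile(r"^[a-z]:\\(winnt|windows)\\(?P<rest>.+)$", re.IGNORECASE)


def parse_o4(line):
    """Split one O4 line into hive, value name and the executable path it launches."""
    m = O4_RE.match(line)
    if not m:
        return None
    cmd = m.group("cmd")
    if cmd.startswith('"'):
        path = cmd[1:cmd.index('"', 1)]          # quoted path, arguments follow
    else:
        path = cmd.split(None, 1)[0] if cmd.strip() else ""
    return {"hive": m.group("hive"), "name": m.group("name"), "path": path}


def lookalike_of(filename, threshold=0.75):
    """Known system binary that `filename` imitates (trailing digits ignored), or None."""
    stem = re.sub(r"\d+$", "", filename.lower().rsplit(".", 1)[0])
    if stem in KNOWN_SYSTEM_BINARIES:
        return None  # exact name: judged by its location, not by spelling
    best, best_ratio = None, 0.0
    for known in KNOWN_SYSTEM_BINARIES:
        ratio = SequenceMatcher(None, stem, known).ratio()
        if ratio > best_ratio:
            best, best_ratio = known, ratio
    return best if best_ratio >= threshold else None


def location_issue(path):
    """Flag executables started from %SystemRoot% outside System32."""
    m = WINDIR_RE.match(path)
    if m and not m.group("rest").lower().startswith("system32\\"):
        return "runs from %SystemRoot% outside System32"
    return None


def analyze(hjt_text):
    """Return (value name, target, reasons) for each line that deserves review."""
    findings = []
    for line in hjt_text.splitlines():
        line = line.strip()
        r1 = R1_RE.match(line)
        if r1:
            findings.append(("AutoConfigURL", r1.group("url"),
                             ["IE proxy auto-config script is set; confirm the PAC host is yours"]))
            continue
        entry = parse_o4(line)
        if not entry:
            continue
        reasons = []
        imitated = lookalike_of(entry["path"].rsplit("\\", 1)[-1])
        if imitated:
            reasons.append(f"file name resembles {imitated}.exe")
        issue = location_issue(entry["path"])
        if issue:
            reasons.append(issue)
        if reasons:
            findings.append((entry["name"], entry["path"], reasons))
    return findings


if __name__ == "__main__":
    for name, target, reasons in analyze(SAMPLE_HJT):
        print(f"[{name}] {target}\n    " + "\n    ".join(reasons))
```

Run against the sample it reports the AutoConfigURL line and the three F:\WINNT entries (svshost1.exe and lssas1.exe for both name and location, mmwnd.exe for location only) and stays quiet on QuickTime, AVG and the bare internat.exe entry. The flags are prompts for review, not verdicts: the next step for each hit is to check the file's signature, timestamps and hash, which is what the helper's OTS and GMER scans in this thread go on to do.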


#2 fenzodahl512

Posted 10 July 2009 - 06:39 AM

Please download The Comedian.exe by Rorschach112 to your desktop
  • Please disable all of your antivirus/firewall before doing this step. Please visit HERE if you don't know how..
  • Double click the program to run it. It will only take several minutes to run.
  • It will do a series of tasks and tell you when each one is finished.
  • You will be prompted to press any key after each step
  • When it is done it will close and exit itself automatically.
  • You can delete The_Comedian.exe once it is finished
STOP! if you can't complete this step.. Tell me more about it..




NEXT


Please download OTS by OldTimer and unzip it to your Desktop..

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
  • Close ALL OTHER PROGRAMS.
  • Double-click on OTS to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
  • At the top, tick on Scan All Users section
  • At File Age set it to 90 Days
  • In the Processes, Services, Drivers and Registry section, please set on Safe List.
  • In the Files Created Within and Files Modified Within section, set it to File Age
  • At the bottom, tick on all Safe List and Use Company Name WhiteList option
  • Under Additional Scans, tick on the "Extras" button and then click the checkboxes in front of the following items to select them:
    • Reg - Disabled MS Config Items
      Reg - Drivers32
      Reg - Ext
      Reg - IE Explorer Bar
      Reg - NetSvcs
      Reg - Safeboot Minimal
      Reg - Safeboot Network
      File - Lop Check
      File - Purity Scan
  • Do NOT change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Attach the log in your next replies.. Don't post it.. It will be too large to fit into a single post..




NEXT


Download RootRepeal.zip and unzip it to your Desktop.
  • Double click RootRepeal.exe to start the program
  • Click on the Report tab at the bottom of the program window
  • Click the Scan button
  • In the Select Scan dialog, check:
    • Drivers
    • Files
    • Processes
    • SSDT
    • Stealth Objects
    • Hidden Services
  • Click the OK button
  • In the next dialog, select all drives showing
  • Click OK to start the scan

    Note: The scan can take some time. DO NOT run any other programs while the scan is running

  • When the scan is complete, the Save Report button will become available
  • Click this and save the report to your Desktop as RootRepeal.txt
  • Go to File, then Exit to close the program
Attach the log in your next replies.. Don't post it.. It will be too large to fit into a single post..



ATTACH these logs in your next reply

1. OTS
2. RootRepeal

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#3 brillo1902 (Topic Starter)

Posted 13 July 2009 - 05:26 AM

Hi Fenzodahl,

Thanks for your assistance. I have attached both files from both scans, although RootRepeal crashed!

Thanks

Rob

Attached Files

  • OTS.Txt (124.01KB)


#4 fenzodahl512

Posted 13 July 2009 - 06:59 AM

Please download The Avenger by Swandog46 and unzip it to your Desktop

Please open The Avenger. Then, please copy/paste the script inside the codebox into the Input script here: box..

Begin copying here:
Files to delete:
f:\documents and settings\administrator\local settings\temp\4.tmp\b2e.dll
f:\documents and settings\administrator\local settings\temp\5.tmp\b2e.dll
f:\documents and settings\all users\application data\microsoft\network\downloader\qmgr0.dat
f:\documents and settings\all users\application data\microsoft\network\downloader\qmgr1.dat
f:\winnt\servicepackfiles\mmwnd.exe

Folders to delete:
f:\documents and settings\administrator\local settings\temp\5.tmp
f:\documents and settings\administrator\local settings\temp\4.tmp

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
  • Now, click on Execute. Just say Yes at every prompt.
The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
Please copy/paste the content of c:\avenger.txt into your reply.




NEXT


Run the OTS by OldTimer. Copy/Paste the information in the codebox below into the panel where it says "Paste fix here" and then click the Run Fix button.

[Kill All Processes]
[Unregister Dlls]
[Registry - Safe List]
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-21-1659004503-1336601894-1801674531-500\] > -> HKEY_USERS\S-1-5-21-1659004503-1336601894-1801674531-500\Software\Microsoft\Internet Explorer\Toolbar\
YN -> ShellBrowser\\"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> ShellBrowser\\"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> "xp_sys" -> F:\WINNT\servicepackfiles\mmwnd.exe ["F:\WINNT\servicepackfiles\mmwnd.exe" updated]
[Files/Folders - Modified Within 90 Days]
NY -> b2e.dll -> F:\Documents and Settings\Administrator\Local Settings\Temp\5.tmp\b2e.dll
NY -> b2e.dll -> F:\Documents and Settings\Administrator\Local Settings\Temp\4.tmp\b2e.dll
NY -> qmgr0.dat -> F:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
NY -> qmgr1.dat -> F:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
[Empty Temp Folders]
[Start Explorer]
[Reboot]

The fix should only take a very short time. When the fix is completed either a message box will popup telling you that it is finished or you will be asked to reboot to finish the fix. If it is finished, click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.

If a reboot is required, click the "Yes" button to reboot the machine. After the reboot, OTScanIt will finish moving any files that could not be moved during the fix and NotePad will open with the final results at that time. Post that information back here. I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.



NEXT


Please download GMER and unzip it to your Desktop. <<mirror>>
Please rename the random filename, or GMER, to GAMERS
  • Open the renamed program and click on the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
  • Click on Scan.
  • When the scan has run click Copy and paste the results into a Notepad >> save it and attach in this thread.
IMPORTANT: Do NOT run any program while you are doing these scans as it may interfere with the output results



Post these logs in your next reply

1. The Avenger
2. OTS
3. GMER

Edited by fenzodahl512, 13 July 2009 - 07:00 AM.



#5 brillo1902 (Topic Starter)

Posted 14 July 2009 - 02:29 AM

Hi Fenzodahl

Carried out all requested tasks and the results are attached below:

PC seems to be much healthier too.

Avenger Log:

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows 2000

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at F:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "f:\documents and settings\all users\application data\microsoft\network\downloader\qmgr0.dat" deleted successfully.
File "f:\documents and settings\all users\application data\microsoft\network\downloader\qmgr1.dat" deleted successfully.
File "f:\winnt\servicepackfiles\mmwnd.exe" deleted successfully.

Error: folder "f:\documents and settings\administrator\local settings\temp\5.tmp" not found!
Deletion of folder "f:\documents and settings\administrator\local settings\temp\5.tmp" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: folder "f:\documents and settings\administrator\local settings\temp\4.tmp" not found!
Deletion of folder "f:\documents and settings\administrator\local settings\temp\4.tmp" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Deletion of file "f:\documents and settings\administrator\local settings\temp\4.tmp\b2e.dll" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist

Deletion of file "f:\documents and settings\administrator\local settings\temp\5.tmp\b2e.dll" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist


Completed script processing.

*******************

Finished! Terminate.


OTS Log :

All Processes Killed
[Registry - Safe List]
Registry value HKEY_USERS\S-1-5-21-1659004503-1336601894-1801674531-500\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}\ not found.
Registry value HKEY_USERS\S-1-5-21-1659004503-1336601894-1801674531-500\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\xp_sys deleted successfully.
File F:\WINNT\servicepackfiles\mmwnd.exe not found.
[Files/Folders - Modified Within 90 Days]
File F:\Documents and Settings\Administrator\Local Settings\Temp\5.tmp\b2e.dll not found!
File F:\Documents and Settings\Administrator\Local Settings\Temp\4.tmp\b2e.dll not found!
File F:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat not found!
File F:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat not found!
[Empty Temp Folders]


User: Administrator
->Temp folder emptied: 0 bytes
File delete failed. F:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 1183776 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

%systemdrive% .tmp files removed: 0 bytes
F:\WINNT\msiinst.tmp folder deleted successfully.
%systemroot% .tmp files removed: 1839083 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
Windows Temp folder emptied: 0 bytes
RecycleBin emptied: shell32.dll unable to determine bytes removed.

Total Files Cleaned = 2.92 mb

< End of fix log >
OTS by OldTimer - Version 3.0.9.3 fix logfile created on 07142009_080636

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...


GMER Log:

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-07-14 08:33:21
Windows 5.0.2195 Service Pack 4


---- User IAT/EAT - GMER 1.0.15 ----

IAT F:\WINNT\Explorer.EXE[212] @ F:\WINNT\Explorer.EXE [KERNEL32.DLL!CreateProcessW] [230214FD] F:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[212] @ F:\WINNT\Explorer.EXE [KERNEL32.DLL!LoadLibraryW] [732E786F] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[212] @ F:\WINNT\Explorer.EXE [KERNEL32.DLL!GetProcAddress] [732E771E] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[212] @ F:\WINNT\Explorer.EXE [KERNEL32.DLL!FreeLibrary] [732E7A04] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[212] @ F:\WINNT\Explorer.EXE [KERNEL32.DLL!LoadLibraryA] [732E7800] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[212] @ F:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!LoadLibraryExW] [732E7955] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[212] @ F:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!CreateProcessA] [23021346] F:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[212] @ F:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!CreateProcessW] [230214FD] F:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[212] @ F:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!LoadLibraryW] [732E786F] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[212] @ F:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!FreeLibrary] [732E7A04] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[212] @ F:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!LoadLibraryA] [732E7800] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[212] @ F:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!GetProcAddress] [732E771E] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[212] @ F:\WINNT\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryW] [732E786F] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[212] @ F:\WINNT\system32\RPCRT4.dll [KERNEL32.dll!FreeLibrary] [732E7A04] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[212] @ F:\WINNT\system32\RPCRT4.dll [KERNEL32.dll!GetProcAddress] [732E771E] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[212] @ F:\WINNT\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryA] [732E7800] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[212] @ F:\WINNT\system32\GDI32.DLL [KERNEL32.dll!LoadLibraryExW] [732E7955] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[212] @ F:\WINNT\system32\GDI32.DLL [KERNEL32.dll!LoadLibraryA] [732E7800] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[212] @ F:\WINNT\system32\GDI32.DLL [KERNEL32.dll!FreeLibrary] [732E7A04] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[212] @ F:\WINNT\system32\GDI32.DLL [KERNEL32.dll!GetProcAddress] [732E771E] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[212] @ F:\WINNT\system32\GDI32.DLL [KERNEL32.dll!LoadLibraryW] [732E786F] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[212] @ F:\WINNT\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [732E7955] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[212] @ F:\WINNT\system32\USER32.dll [KERNEL32.dll!CreateProcessW] [230214FD] F:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[212] @ F:\WINNT\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [732E7800] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[212] @ F:\WINNT\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [732E786F] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[212] @ F:\WINNT\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [732E771E] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[212] @ F:\WINNT\system32\USER32.dll [KERNEL32.dll!FreeLibrary] [732E7A04] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[212] @ F:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!LoadLibraryExA] [732E78DE] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[212] @ F:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!LoadLibraryExW] [732E7955] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[212] @ F:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!LoadLibraryW] [732E786F] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[212] @ F:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!CreateProcessA] [23021346] F:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[212] @ F:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!CreateProcessW] [230214FD] F:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[212] @ F:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!FreeLibrary] [732E7A04] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[212] @ F:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!LoadLibraryA] [732E7800] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[212] @ F:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!GetProcAddress] [732E771E] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[212] @ F:\WINNT\system32\msvcrt.dll [KERNEL32.dll!GetProcAddress] [732E771E] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[212] @ F:\WINNT\system32\msvcrt.dll [KERNEL32.dll!LoadLibraryA] [732E7800] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[212] @ F:\WINNT\system32\msvcrt.dll [KERNEL32.dll!FreeLibrary] [732E7A04] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[212] @ F:\WINNT\system32\msvcrt.dll [KERNEL32.dll!CreateProcessA] [23021346] F:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[212] @ F:\WINNT\system32\msvcrt.dll [KERNEL32.dll!CreateProcessW] [230214FD] F:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[212] @ F:\WINNT\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [732E7955] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[212] @ F:\WINNT\system32\SHELL32.dll [KERNEL32.dll!CreateProcessW] [230214FD] F:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[212] @ F:\WINNT\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [732E7800] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[212] @ F:\WINNT\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [732E771E] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[212] @ F:\WINNT\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [732E786F] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[212] @ F:\WINNT\system32\SHELL32.dll [KERNEL32.dll!FreeLibrary] [732E7A04] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[212] @ F:\WINNT\system32\OLE32.DLL [KERNEL32.dll!GetProcAddress] [732E771E] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[212] @ F:\WINNT\system32\OLE32.DLL [KERNEL32.dll!LoadLibraryA] [732E7800] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[212] @ F:\WINNT\system32\OLE32.DLL [KERNEL32.dll!FreeLibrary] [732E7A04] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[212] @ F:\WINNT\system32\OLE32.DLL [KERNEL32.dll!LoadLibraryW] [732E786F] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[212] @ F:\WINNT\system32\OLE32.DLL [KERNEL32.dll!LoadLibraryExW] [732E7955] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[212] @ F:\WINNT\system32\OLE32.DLL [KERNEL32.dll!CreateProcessW] [230214FD] F:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[212] @ F:\WINNT\system32\WININET.dll [KERNEL32.dll!LoadLibraryW] [732E786F] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[212] @ F:\WINNT\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [732E771E] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[212] @ F:\WINNT\system32\WININET.dll [KERNEL32.dll!LoadLibraryA] [732E7800] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[212] @ F:\WINNT\system32\WININET.dll [KERNEL32.dll!FreeLibrary] [732E7A04] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[212] @ F:\WINNT\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [732E771E] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[212] @ F:\WINNT\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryA] [732E7800] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[212] @ F:\WINNT\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryExW] [732E7955] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[212] @ F:\WINNT\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryExA] [732E78DE] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[212] @ F:\WINNT\system32\CRYPT32.dll [KERNEL32.dll!FreeLibrary] [732E7A04] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[212] @ F:\WINNT\System32\Secur32.dll [KERNEL32.dll!LoadLibraryA] [732E7800] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[212] @ F:\WINNT\System32\Secur32.dll [KERNEL32.dll!LoadLibraryW] [732E786F] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[212] @ F:\WINNT\System32\Secur32.dll [KERNEL32.dll!GetProcAddress] [732E771E] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[212] @ F:\WINNT\System32\Secur32.dll [KERNEL32.dll!FreeLibrary] [732E7A04] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[212] @ F:\WINNT\System32\USERENV.dll [KERNEL32.dll!LoadLibraryW] [732E786F] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[212] @ F:\WINNT\System32\USERENV.dll [KERNEL32.dll!FreeLibrary] [732E7A04] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[212] @ F:\WINNT\System32\USERENV.dll [KERNEL32.dll!LoadLibraryExW] [732E7955] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[212] @ F:\WINNT\System32\USERENV.dll [KERNEL32.dll!LoadLibraryA] [732E7800] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[212] @ F:\WINNT\System32\USERENV.dll [KERNEL32.dll!CreateProcessW] [230214FD] F:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[212] @ F:\WINNT\System32\USERENV.dll [KERNEL32.dll!GetProcAddress] [732E771E] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[212] @ F:\WINNT\system32\iphlpapi.dll [KERNEL32.dll!FreeLibrary] [732E7A04] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[212] @ F:\WINNT\system32\iphlpapi.dll [KERNEL32.dll!LoadLibraryA] [732E7800] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[212] @ F:\WINNT\system32\iphlpapi.dll [KERNEL32.dll!GetProcAddress] [732E771E] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[212] @ F:\WINNT\system32\WS2_32.dll [KERNEL32.DLL!FreeLibrary] [732E7A04] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[212] @ F:\WINNT\system32\WS2_32.dll [KERNEL32.DLL!LoadLibraryA] [732E7800] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[212] @ F:\WINNT\system32\WS2_32.dll [KERNEL32.DLL!GetProcAddress] [732E771E] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[212] @ F:\WINNT\system32\WS2HELP.DLL [KERNEL32.DLL!FreeLibrary] [732E7A04] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[212] @ F:\WINNT\system32\WS2HELP.DLL [KERNEL32.DLL!LoadLibraryA] [732E7800] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[212] @ F:\WINNT\system32\WS2HELP.DLL [KERNEL32.DLL!GetProcAddress] [732E771E] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[212] @ F:\WINNT\system32\NETAPI32.DLL [KERNEL32.dll!LoadLibraryW] [732E786F] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[212] @ F:\WINNT\system32\NETAPI32.DLL [KERNEL32.dll!GetProcAddress] [732E771E] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[212] @ F:\WINNT\system32\NETAPI32.DLL [KERNEL32.dll!FreeLibrary] [732E7A04] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[212] @ F:\WINNT\system32\PSAPI.DLL [KERNEL32.DLL!LoadLibraryA] [732E7800] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[212] @ F:\WINNT\system32\PSAPI.DLL [KERNEL32.DLL!FreeLibrary] [732E7A04] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT F:\WINNT\Explorer.EXE[212] @ F:\WINNT\system32\PSAPI.DLL [KERNEL32.DLL!GetProcAddress] [732E771E] F:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Services - GMER 1.0.15 ----

Service F:\WINNT\system32\MSTask.exe? (*** hidden *** ) [AUTO] Schedule <-- ROOTKIT !!!

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 00: MBR rootkit code detected

---- EOF - GMER 1.0.15 ----


Regards

Rob

#6 fenzodahl512


Posted 14 July 2009 - 05:24 AM

Download this tool to desktop:

http://www2.gmer.net/mbr/mbr.exe

Double click it & post the log it creates on desktop. (mbr.log)

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#7 brillo1902


Posted 14 July 2009 - 06:20 AM

Hi Fenzodahl

Everything was running like a dream but then I attempted to download an old version of Zone Alarm that was compatible with Windows 2000; since then it runs like a dog! I try to open Add/Remove Programs but the window opens and nothing fills the gap before it locks and I can do nothing with it. I don't actually think it completed the installation but something went wrong! :-(

Anyway I managed to download the tool and here is the log:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.6 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
MBR rootkit code detected !

Cheers

Rob

#8 fenzodahl512


Posted 14 July 2009 - 08:38 AM

I didn't ask you to install Zone Alarm yet..


Ok.. copy/paste (not cut and paste) the mbr.exe that you saved on the Desktop to C:\WINNT folder..

Then, go to Start >> Run >> copy/paste below >> Press Enter

mbr -f

Then a logfile (mbr.log) will be created on your screen (find it at C:\WINNT\mbr.log)



#9 brillo1902


Posted 15 July 2009 - 02:00 AM

Sorry about that, won't do anything else unless instructed.

Did what you said in the last message but can't find a log file. Is it definitely C: and not F:, as it is F: that Windows 2000 is installed on, I believe?

Thanks

#10 fenzodahl512


Posted 15 July 2009 - 09:12 AM

Sorry, it should be F:\WINNT

my mistake :thumbup2:



#11 brillo1902


Posted 16 July 2009 - 02:41 AM

Hiya

Really wish I'd listened to you and not attempted to install Zone Alarm because for an hour or so it was quick and virus/spyware free. No obvious signs of spyware etc. now but it takes an eternity to boot and do any command. Anyway carried out the above request and although the mbr.log file was not found where you suggested I did a search for it and found it at F:\Document and Settings\Administrator

See result below:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.6 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
MBR rootkit code detected !

#12 fenzodahl512


Posted 16 July 2009 - 11:34 AM

Erm.. not sure why I still see the "MBR code detected" thingy.. Let's do the PrevX step..

Please download PrevX 3.0 and install it to your computer
  • Run PrevX after installing it.. It should automatically do a "quick scan"
  • If it finds anything that needs to be removed, please copy what it says and post it here.
  • After the scan finishes, click on PrevX once again.
  • Go to Tools >> Deep Scan >> and then scan the computer..
  • After the "Deep Scan" finishes, go to Tools >> Save Scan Results >> Then save it to your Desktop
  • The log will be too long to be posted or attached here.. Please upload it to RapidShare or 2shared.com and then post the download link here..
If you do not know how to upload it to 2shared, please follow the instructions below

Upload PrevX log at link below:
http://www.2shared.com/

Then, after you successfully upload it, please copy/paste the link given under Here is your download link: tab..



#13 brillo1902


Posted 17 July 2009 - 05:25 AM

Hi mate

Initial scan found nothing, Deep scan underway. Will post results on completion.

Thanks

#14 brillo1902


Posted 17 July 2009 - 06:28 AM

Here is link to scan results:

http://www.2shared.com/file/6727410/ac38c8...an_Results.html

Regards

#15 fenzodahl512


Posted 18 July 2009 - 06:31 AM

Erm.. GMER found an MBR rootkit.. the mbr.exe -f command didn't fix it.. PrevX didn't detect it (or does PrevX detect it?? if yes, pls tell me)

I found a tool that I'm not familiar with.. I'll need to do some testing before sending it out to you.. let's do this one first...


Please download SDFix by Andy Manchesta and save it to your desktop.
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please reboot into Safe Mode
  • In Safe Mode, right click the SDFix.zip folder and choose Extract All,
  • A new folder will be extracted to your %systemdrive%, typically C:\SDFix
  • Open the extracted folder and double click RunThis.bat to start the script.
  • Type Y to begin the script.
  • It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • Your system will take longer than normal to restart as the fixtool will be running and removing files.
  • When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
  • Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt along with any other requested logs at the end of these instructions.





