I have a horrible VIRUS and my comp is completely useless please help


  • This topic is locked
9 replies to this topic

#1 coffeyman62490

coffeyman62490

  • Members
  • 6 posts
  • OFFLINE
  • Local time:07:09 PM

Posted 24 October 2009 - 12:49 AM

I already started another thread and some guy helped me out and told me to post these.
First, here's the RootRepeal log. BTW, I don't know if it matters, but these scans were all done while my computer was in safe mode, so the number of processes is a lot lower. Thank you sooo much, guys!

© AD, 2007-2009
==================================================
Scan Start Time: 2009/10/25 18:54
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF807D000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF8BE4000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF7DDF000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\Watson\Watson
Status: Locked to the Windows API!

Path: C:\WINDOWS\msdownld.tmp\msdownld.tmp
Status: Locked to the Windows API!

Path: C:\WINDOWS\MUI\MUI
Status: Locked to the Windows API!

Path: C:\WINDOWS\PIF\PIF
Status: Locked to the Windows API!

Path: C:\WINDOWS\Config\Config
Status: Locked to the Windows API!

Path: C:\WINDOWS\Connection Wizard\Connection Wizard
Status: Locked to the Windows API!

Path: C:\WINDOWS\Registration\CRMLog\CRMLog
Status: Locked to the Windows API!

Path: C:\WINDOWS\JAVA\CLASSES\CLASSES
Status: Locked to the Windows API!

Path: C:\WINDOWS\JAVA\TRUSTLIB\TRUSTLIB
Status: Locked to the Windows API!

Path: C:\WINDOWS\$hf_mig$\KB943055\KB943055
Status: Locked to the Windows API!

Path: C:\WINDOWS\$hf_mig$\KB943485\KB943485
Status: Locked to the Windows API!

Path: C:\WINDOWS\$hf_mig$\KB945553\KB945553
Status: Locked to the Windows API!

Path: C:\WINDOWS\$hf_mig$\KB946026\KB946026
Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\AuthCabs\AuthCabs
Status: Locked to the Windows API!

Path: C:\WINDOWS\Debug\UserMode\UserMode
Status: Locked to the Windows API!

Path: C:\WINDOWS\ASSEMBLY\TEMP\TEMP
Status: Locked to the Windows API!

Path: C:\WINDOWS\ASSEMBLY\TMP\TMP
Status: Locked to the Windows API!

Path: C:\WINDOWS\LHSP\g2p\g2p
Status: Locked to the Windows API!

Path: C:\WINDOWS\LHSP\language\language
Status: Locked to the Windows API!

Path: C:\WINDOWS\LHSP\tpp\tpp
Status: Locked to the Windows API!

Path: C:\WINDOWS\LHSP\voice\voice
Status: Locked to the Windows API!

Path: C:\WINDOWS\MSAPPS\MSINFO\MSINFO
Status: Locked to the Windows API!

Path: C:\WINDOWS\IME\IMEJP98\IMEJP98
Status: Locked to the Windows API!

Path: C:\WINDOWS\WinSxS\InstallTemp\InstallTemp
Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered
Status: Locked to the Windows API!

Path: C:\WINDOWS\PCHEALTH\ErrorRep\UserDumps\UserDumps
Status: Locked to the Windows API!

Path: C:\WINDOWS\PCHEALTH\HELPCTR\BATCH\BATCH
Status: Locked to the Windows API!

Path: C:\WINDOWS\PCHEALTH\HELPCTR\HelpFiles\HelpFiles
Status: Locked to the Windows API!

Path: C:\WINDOWS\PCHEALTH\HELPCTR\InstalledSKUs\InstalledSKUs
Status: Locked to the Windows API!

Path: C:\WINDOWS\PCHEALTH\HELPCTR\Temp\Temp
Status: Locked to the Windows API!

Path: C:\WINDOWS\IME\CHSIME\APPLETS\APPLETS
Status: Locked to the Windows API!

Path: C:\WINDOWS\IME\CHTIME\Applets\Applets
Status: Locked to the Windows API!

Path: C:\WINDOWS\IME\IMEJP\APPLETS\APPLETS
Status: Locked to the Windows API!

Path: C:\WINDOWS\IME\IMJP8_1\APPLETS\APPLETS
Status: Locked to the Windows API!

Path: C:\WINDOWS\IME\IMKR6_1\APPLETS\APPLETS
Status: Locked to the Windows API!

Path: C:\WINDOWS\IME\IMKR6_1\DICTS\DICTS
Status: Locked to the Windows API!

Path: C:\WINDOWS\IME\SHARED\RES\RES
Status: Locked to the Windows API!

Path: C:\WINDOWS\Sun\Java\Deployment\Deployment
Status: Locked to the Windows API!

Path: c:\documents and settings\all users\application data\avg8\dumps\avgnsx.exe_129009468500781250_f.dmp
Status: Allocation size mismatch (API: 5505024, Raw: 4849664)

Path: C:\WINDOWS\SoftwareDistribution\Download\a8a198f29fa1e0036a0893ee4e32b46a\backup\backup
Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\Download\a4c6f78366f403fa7e7d062ca70ddddc\backup\backup
Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\Download\d61766d223927760d60364c3824ce500\backup\backup
Status: Locked to the Windows API!

Path: C:\WINDOWS\PCHEALTH\HELPCTR\Config\CheckPoint\CheckPoint
Status: Locked to the Windows API!

Path: C:\WINDOWS\PCHEALTH\HELPCTR\Config\News\News
Status: Locked to the Windows API!

Path: C:\WINDOWS\PCHEALTH\HELPCTR\System\DFS\DFS
Status: Locked to the Windows API!

Path: C:\WINDOWS\Installer\$PatchCache$\Managed\18555481990E8AB4CBB63FB4F26006C0\1.0.0\1.0.0
Status: Locked to the Windows API!

Path: C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs
Status: Locked to the Windows API!

Path: C:\WINDOWS\Help\SBSI\Training\WXPPer\Cbz\Cbz
Status: Locked to the Windows API!

Path: C:\WINDOWS\Help\SBSI\Training\WXPPer\Lib\Lib
Status: Locked to the Windows API!

Path: C:\WINDOWS\Help\SBSI\Training\WXPPer\Wave\Wave
Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\backup\asms\70\70
Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\backup\asms\10\policy\policy
Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\backup\asms\51\msft\msft
Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\backup\asms\52\msft\msft
Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\backup\asms\60\msft\msft
Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\backup\asms\51\policy\msft\msft
Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\backup\asms\52\policy\msft\msft
Status: Locked to the Windows API!

==EOF==

And now the DDS log:

DDS (Ver_09-10-23.01) - NTFSx86 NETWORK
Run by Administrator at 22:28:49.70 on Mon 10/26/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.510.365 [GMT -8:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\WINDOWS\system32\svchost.exe -k netsvcs
SVCHOST.EXE
SVCHOST.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.dell.com
uDefault_Page_URL = hxxp://www.dell.com
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/
mURLSearchHooks: H - No File
BHO: : {42f4f018-b942-47a6-9c3b-3d4125466d5a} - c:\windows\system32\ddao36o.dll
BHO: {4c44864a-facd-4927-ac28-26f36714c619} - ninukoso.dll
BHO: : {95e14bc7-c5f1-4545-8064-e8daa621580c} - c:\docume~1\admini~1\desktop\temp.dll
BHO: c:\windows\system32\itdx8b.dll: {a2234b15-23f2-42ad-f4e4-00aac39c0004} - c:\windows\system32\itdx8b.dll
BHO: {c587e427-0351-430f-9116-25766dc10563} - c:\windows\system32\DATIMEu.dll
TB: Norton AntiVirus: {42cdd1bf-3ffb-4238-8ad1-7859df00b1d6} -
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
mRun: [kegumahiwe] Rundll32.exe "zomejuhe.dll",s
mRun: [combofix] c:\comfix26385c\cf22327.exe /c c:\comfix26385c\Combobatch.bat
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRunOnce: [SafetyCenter] c:\program files\safetycenter\start.exe
mRunOnce: [combofix] c:\comfix26385c\cf22327.exe /c c:\Comfix26385CCombobatch.bat
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
DPF: {2d8ed06d-3c30-438b-96ae-4d110fdc1fb8} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {bb21f850-63f4-4ec9-bf9d-565bd30c9ae9} - hxxp://ax.emsisoft.com/asquared.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} - hxxp://games.myspace.com/Gameshell/GameHost/1.0/OberonGameHost.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: yawilaneb - {d8ba86ab-16d0-4644-8d2d-c4e3dc17cac0} - c:\windows\system32\yavekeve.dll
SSODL: polivoyal - {79f1faa3-de74-49d0-823a-b63f7661a172} - c:\windows\system32\sunapija.dll
STS: tokatiluy: {d8ba86ab-16d0-4644-8d2d-c4e3dc17cac0} - c:\windows\system32\yavekeve.dll
STS: c:\windows\system32\itdx8b.dll: {a2234b15-23f2-42ad-f4e4-00aac39c0004} - c:\windows\system32\itdx8b.dll
STS: jugezatag: {79f1faa3-de74-49d0-823a-b63f7661a172} - c:\windows\system32\sunapija.dll

============= SERVICES / DRIVERS ===============

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-6-9 108552]
R3 IPN2120;Wireless-B PCI Adapter Driver;c:\windows\system32\drivers\LSIPNDS.sys [2008-10-5 96256]
S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-6-10 28544]
S0 vkquwexg;vkquwexg;c:\windows\system32\drivers\combo-fix.sys --> c:\windows\system32\drivers\Combo-Fix.sys [?]
S1 1ddee9bc;1ddee9bc;c:\windows\system32\drivers\1ddee9bc.sys --> c:\windows\system32\drivers\1ddee9bc.sys [?]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-6-9 335752]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-6-9 298776]
S2 kdvjd;kdvjd;\??\c:\windows\system32\drivers\siygzuyksjffir.sys --> c:\windows\system32\drivers\siygzuyksjffir.sys [?]
S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [2005-3-22 450400]
S4 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\google\google desktop search\GoogleDesktop.exe [2008-10-29 29744]
S4 gupdate1c9852b24188c2a;Google Update Service (gupdate1c9852b24188c2a);c:\program files\google\update\GoogleUpdate.exe [2009-2-2 133104]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-2-21 24652]

=============== Created Last 30 ================

2009-10-25 12:50:07 0 d-----w- C:\COMfix
2009-10-25 12:15:37 50176 ----a-w- c:\windows\system32\proquota.exe
2009-10-25 12:15:37 2944 ----a-w- c:\windows\system32\drivers\null.sys
2009-10-25 12:06:03 0 d-----w- C:\cmdcons
2009-10-25 11:38:43 98816 ----a-w- c:\windows\sed.exe
2009-10-25 11:38:43 236544 ----a-w- c:\windows\PEV.exe
2009-10-25 11:38:43 161792 ----a-w- c:\windows\SWREG.exe
2009-10-25 11:31:06 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-10-25 11:30:06 0 d-----w- c:\program files\REGfix
2009-10-25 11:17:13 77 ----a-w- c:\windows\system32\uses32.dat
2009-10-25 02:59:36 0 d-----w- c:\program files\common files\Wise Installation Wizard
2009-10-25 02:54:09 0 d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes
2009-10-25 02:54:01 0 d-----w- c:\program files\XCXC HELP
2009-10-24 23:10:33 0 d-s---w- c:\documents and settings\administrator\UserData
2009-10-24 08:57:08 1409 ----a-w- c:\windows\QTFont.for
2009-10-24 08:57:07 54156 ---ha-w- c:\windows\QTFont.qfn
2009-10-24 08:10:11 0 d-----w- c:\docume~1\admini~1\applic~1\Symantec
2009-10-24 05:15:57 0 d-----w- c:\program files\Active Security
2009-10-24 04:46:29 58 ----a-w- c:\windows\wp4.dat
2009-10-24 04:46:29 3 ----a-w- c:\windows\wp3.dat
2009-10-24 03:17:17 0 ----a-w- c:\windows\win32k.sys
2009-10-13 01:44:53 174592 ----a-w- c:\windows\system32\framedyn.dll
2009-10-13 01:43:50 0 d-----w- c:\windows\system32\Samsung_USB_Drivers
2009-10-13 01:43:15 766 ----a-w- c:\windows\system32\Uninstall.ico
2009-10-13 01:43:00 5632 ----a-w- c:\windows\system32\drivers\StarOpen.sys
2009-10-13 01:42:32 0 d-----w- c:\program files\Samsung

==================== Find3M ====================

2009-09-10 22:54:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 22:53:50 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-24 04:43:55 1051170 --sha-w- c:\windows\system32\bapohiko.exe
2009-07-24 04:43:39 27136 --sha-w- c:\windows\system32\bomemoji.exe
2009-07-24 16:42:33 39424 --sha-w- c:\windows\system32\jisagoyi.dll
2009-07-24 16:42:32 3 --sha-w- c:\windows\system32\kahowuhi.dll
2009-07-24 04:43:55 39424 --sha-w- c:\windows\system32\lokonofe.dll
2009-07-24 04:43:39 53760 --sha-w- c:\windows\system32\manurege.dll
2009-07-25 04:42:50 39424 --sha-w- c:\windows\system32\namogizu.dll
2009-07-24 16:43:05 53760 --sha-w- c:\windows\system32\ninukoso.dll
2009-07-25 04:42:50 91648 --sha-w- c:\windows\system32\sunapija.dll
2009-07-24 16:42:32 53760 --sha-w- c:\windows\system32\tasutope.dll
2009-07-24 04:43:39 91648 --sha-w- c:\windows\system32\yavekeve.dll

============= FINISH: 22:29:28.14 ===============

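The DDS log above lists several load points (BHO, mRun, SSODL, STS) that point at randomly named DLLs in system32, and its Find3M section shows those same files carrying the hidden+system (--sha-w-) attributes. The script below is an added Python example, not part of the original post or of the DDS tool: it parses those two sections (plus "Created Last 30") and flags every load point whose target file is hidden+system, or is a DLL referenced without any directory, which is a useful triage heuristic because legitimate entries in the same log all carry a full path. The sample log is a constructed excerpt of the lines posted above.

```python
"""Triage helper for a DDS log (added example; not part of the thread or of DDS)."""
import re

# Constructed sample: an excerpt of the DDS log posted in this thread.
SAMPLE_LOG = r"""
============== Pseudo HJT Report ===============

BHO: {4c44864a-facd-4927-ac28-26f36714c619} - ninukoso.dll
BHO: {c587e427-0351-430f-9116-25766dc10563} - c:\windows\system32\DATIMEu.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
mRun: [kegumahiwe] Rundll32.exe "zomejuhe.dll",s
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: yawilaneb - {d8ba86ab-16d0-4644-8d2d-c4e3dc17cac0} - c:\windows\system32\yavekeve.dll
STS: jugezatag: {79f1faa3-de74-49d0-823a-b63f7661a172} - c:\windows\system32\sunapija.dll

==================== Find3M ====================

2009-09-10 22:54:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-24 16:43:05 53760 --sha-w- c:\windows\system32\ninukoso.dll
2009-07-25 04:42:50 91648 --sha-w- c:\windows\system32\sunapija.dll
2009-07-24 04:43:39 91648 --sha-w- c:\windows\system32\yavekeve.dll
"""

# Last file-like token on a line; group 1 tells whether a backslash (a directory) precedes it.
FILE_TOKEN = re.compile(r'(\\?)([^\\\s"]+\.(?:dll|exe|sys))(?![\w.])', re.IGNORECASE)
# DDS file listing: date, time, size, 8-char attribute string, path.
FIND3M_LINE = re.compile(r'^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2}) (\d+) (\S{8}) (.+)$')
# Load-point prefixes DDS uses in its Pseudo HJT Report section.
LOADPOINT_PREFIXES = ("BHO:", "TB:", "uRun:", "mRun:", "mRunOnce:", "SSODL:", "STS:", "Notify:")


def sections(log_text):
    """Split a DDS log into {section name: [non-blank lines]} on its '=== name ===' headers."""
    current, out = None, {}
    for line in log_text.splitlines():
        m = re.match(r'^=+ (.+?) =+$', line)
        if m:
            current = m.group(1).strip()
            out[current] = []
        elif current is not None and line.strip():
            out[current].append(line)
    return out


def hidden_system_files(listing_lines):
    """Lower-cased basenames of entries carrying both the system (s) and hidden (h) attribute."""
    found = set()
    for line in listing_lines:
        m = FIND3M_LINE.match(line)
        if m and 's' in m.group(4) and 'h' in m.group(4):
            found.add(m.group(5).rsplit('\\', 1)[-1].lower())
    return found


def loadpoint_target(line):
    """(basename, has_directory) for the last file token on a load-point line, or None."""
    matches = list(FILE_TOKEN.finditer(line))
    if not matches:
        return None
    sep, name = matches[-1].groups()
    return name, bool(sep)


def triage(log_text):
    """Return [(load-point kind, file name, [reasons])] for every flagged load point."""
    secs = sections(log_text)
    suspect = hidden_system_files(secs.get("Find3M", []) + secs.get("Created Last 30", []))
    findings = []
    for line in secs.get("Pseudo HJT Report", []):
        if not line.startswith(LOADPOINT_PREFIXES):
            continue
        target = loadpoint_target(line)
        if target is None:
            continue
        name, has_dir = target
        reasons = []
        if name.lower() in suspect:
            reasons.append("file has hidden+system attributes in the DDS file listing")
        if not has_dir and name.lower().endswith(".dll"):
            reasons.append("DLL referenced without a directory")
        if reasons:
            findings.append((line.split(':', 1)[0], name, reasons))
    return findings


if __name__ == "__main__":
    for kind, name, reasons in triage(SAMPLE_LOG):
        print(f"{kind:6} {name:22} {'; '.join(reasons)}")
```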

#2 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,211 posts
  • ONLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:11:09 PM

Posted 24 October 2009 - 01:07 AM

Hi and Welcome.

Can you boot into the Recovery Console?

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 coffeyman62490

coffeyman62490
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:07:09 PM

Posted 24 October 2009 - 02:02 AM

Yes, I could... but I don't know what to do from there.

#4 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,211 posts
  • ONLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:11:09 PM

Posted 24 October 2009 - 09:41 AM

What I would like to give you is Explorer's graphical interface. It will be easier to continue.

Boot to the Recovery Console. At the C:\Windows prompt type the following and press Enter after each line:

Ren Explorer.exe Explorer.old
Copy C:\Windows\System32\Dllcache\Explorer.exe
Exit


The Computer will restart. Allow it to boot to Normal Windows.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#5 coffeyman62490

coffeyman62490
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:07:09 PM

Posted 24 October 2009 - 05:57 PM

When I go to the Windows Recovery Console it won't work; it says it can't find NTLDR, which is weird because I booted to the Recovery Console a few days ago and it worked fine, I just didn't know what to do.

#6 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,211 posts
  • ONLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:11:09 PM

Posted 24 October 2009 - 06:05 PM

Try an alternate Recovery Console:
  • Please download BurnAtOnce and save it to your desktop. Click on Downloads, then on burnatonce 0.99.5
    • Install it by double-clicking on the file bao0995.exe that you downloaded.
    • Click Next, accept the license agreement, and click Next until the button says "Install". Click "Install" to finish.
  • Download the rc.iso file.
  • Save it to your desktop.
  • Put a blank CD in your computer's burner.
  • Right-click on the file rc.iso, and select "burnatonce" from the menu.
  • Confirm that the box under the menu at the top says "rc.iso".
  • Click the "Write" button.
  • When the disk finishes, eject the CD.
  • Configure the computer to start from the CD-ROM or DVD-ROM drive. For information about how to do this, see your computer documentation, or contact your computer manufacturer.
  • Insert the Image of rc.iso that you copied to CD into your CD-ROM or DVD-ROM drive, and then restart your computer.
  • When you receive the "Press any key to boot from CD" message, press a key to start your computer from the Windows XP CD-ROM.
  • You will be prompted with the following options:

    A. To setup Windows XP, press Enter.
    B. To repair Windows XP installation using recovery console, press R.

    Choose the option "To repair the Windows XP installation using recovery console" by pressing R. If an Administrator password has been established, you will be prompted to type it in. If no Administrator password exists, just press ENTER.

  • You will be presented with the following:


    Microsoft Windows® Recovery Console

    The Recovery Console provides system repair and recovery functionality.
    Type EXIT to quit the Recovery Console and restart the computer.

    1: C:\WINDOWS

    Which Windows Installation would you like to log onto
    (To cancel, press ENTER)?

  • Press the number 1 on your keyboard and hit Enter.
  • At the command prompt, type the following command and press Enter:

    Ren Explorer.exe Explorer.old
    Copy C:\Windows\System32\Dllcache\Explorer.exe
  • Type Exit and press Enter. Take the CD out of the drive and let the computer restart.

Edited by JSntgRvr, 24 October 2009 - 06:41 PM.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#7 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,211 posts
  • ONLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:11:09 PM

Posted 24 October 2009 - 08:15 PM

Here is another option:
  • Copy the entire contents of the Quote Box below to Notepad.
  • Name the file as fix.bat
  • Change the Save as Type to All Files
  • and Save it in a place you can remember, such as C:\.
  • Once saved, double click on the fix.bat file.
  • The computer will restart.

@echo Off
rem Start a fresh log; every path below is reported there as deleted or not.
if exist "%temp%\log.txt" del "%temp%\log.txt"
rem Each entry is one of the "Locked to the Windows API!" paths from the RootRepeal log.
for %%g in (
"C:\WINDOWS\Watson\Watson"
"C:\WINDOWS\msdownld.tmp\msdownld.tmp"
"C:\WINDOWS\MUI\MUI"
"C:\WINDOWS\PIF\PIF"
"C:\WINDOWS\Config\Config"
"C:\WINDOWS\Connection Wizard\Connection Wizard"
"C:\WINDOWS\Registration\CRMLog\CRMLog"
"C:\WINDOWS\JAVA\CLASSES\CLASSES"
"C:\WINDOWS\JAVA\TRUSTLIB\TRUSTLIB"
"C:\WINDOWS\$hf_mig$\KB943055\KB943055"
"C:\WINDOWS\$hf_mig$\KB943485\KB943485"
"C:\WINDOWS\$hf_mig$\KB945553\KB945553"
"C:\WINDOWS\$hf_mig$\KB946026\KB946026"
"C:\WINDOWS\SoftwareDistribution\AuthCabs\AuthCabs"
"C:\WINDOWS\Debug\UserMode\UserMode"
"C:\WINDOWS\ASSEMBLY\TEMP\TEMP"
"C:\WINDOWS\ASSEMBLY\TMP\TMP"
"C:\WINDOWS\LHSP\g2p\g2p"
"C:\WINDOWS\LHSP\language\language"
"C:\WINDOWS\LHSP\tpp\tpp"
"C:\WINDOWS\LHSP\voice\voice"
"C:\WINDOWS\MSAPPS\MSINFO\MSINFO"
"C:\WINDOWS\IME\IMEJP98\IMEJP98"
"C:\WINDOWS\WinSxS\InstallTemp\InstallTemp"
"C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered"
"C:\WINDOWS\PCHEALTH\ErrorRep\UserDumps\UserDumps"
"C:\WINDOWS\PCHEALTH\HELPCTR\BATCH\BATCH"
"C:\WINDOWS\PCHEALTH\HELPCTR\HelpFiles\HelpFiles"
"C:\WINDOWS\PCHEALTH\HELPCTR\InstalledSKUs\InstalledSKUs"
"C:\WINDOWS\PCHEALTH\HELPCTR\Temp\Temp"
"C:\WINDOWS\IME\CHSIME\APPLETS\APPLETS"
"C:\WINDOWS\IME\CHTIME\Applets\Applets"
"C:\WINDOWS\IME\IMEJP\APPLETS\APPLETS"
"C:\WINDOWS\IME\IMJP8_1\APPLETS\APPLETS"
"C:\WINDOWS\IME\IMKR6_1\APPLETS\APPLETS"
"C:\WINDOWS\IME\IMKR6_1\DICTS\DICTS"
"C:\WINDOWS\IME\SHARED\RES\RES"
"C:\WINDOWS\Sun\Java\Deployment\Deployment"
"C:\WINDOWS\SoftwareDistribution\Download\a8a198f29fa1e0036a0893ee4e32b46a\backup\backup"
"C:\WINDOWS\SoftwareDistribution\Download\a4c6f78366f403fa7e7d062ca70ddddc\backup\backup"
"C:\WINDOWS\SoftwareDistribution\Download\d61766d223927760d60364c3824ce500\backup\backup"
"C:\WINDOWS\PCHEALTH\HELPCTR\Config\CheckPoint\CheckPoint"
"C:\WINDOWS\PCHEALTH\HELPCTR\Config\News\News"
"C:\WINDOWS\PCHEALTH\HELPCTR\System\DFS\DFS"
"C:\WINDOWS\Installer\$PatchCache$\Managed\18555481990E8AB4CBB63FB4F26006C0\1.0.0\1.0.0"
"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs"
"C:\WINDOWS\Help\SBSI\Training\WXPPer\Cbz\Cbz"
"C:\WINDOWS\Help\SBSI\Training\WXPPer\Lib\Lib"
"C:\WINDOWS\Help\SBSI\Training\WXPPer\Wave\Wave"
"C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\backup\asms\70\70"
"C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\backup\asms\10\policy\policy"
"C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\backup\asms\51\msft\msft"
"C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\backup\asms\52\msft\msft"
"C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\backup\asms\60\msft\msft"
"C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\backup\asms\51\policy\msft\msft"
"C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\backup\asms\52\policy\msft\msft"
) do (
rem Remove the directory tree quietly, then re-check whether it still exists and log the result.
rd /s/q %%g >nul 2>&1
if exist %%g (echo %%~g .... Unable to Delete>>"%temp%\log.txt") ELSE echo %%~g ..... Deleted Successfully !!>>"%temp%\log.txt"
)
rem Set the current Explorer.exe aside, restore the copy kept in Dllcache, then reboot.
Ren C:\Windows\Explorer.exe Exlorer.exe.vir
Copy c:\Windows\System32\Dllcache\Explorer.exe C:\Windows
Shutdown -r -t 01
Exit


Upon restart run the following command:

start notepad "%temp%\log.txt"

Post the content of the Log.txt.

Edited by JSntgRvr, 24 October 2009 - 08:17 PM.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#8 coffeyman62490

coffeyman62490
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:07:09 PM

Posted 25 October 2009 - 03:34 AM

Thanks for the help, here's the log. Also, I finally got Malwarebytes to run, so I think it deleted most of my problems, and I really just want to be able to get explorer.exe to run, and my Task Manager, because my Task Manager only works in safe mode. Also, I've just been bored searching around the registry and was wondering, do these look suspicious at all?

"HKEY_USERS\S-1-5-19\software\microsoft\windows\winuvomi" ???
There are a few weird entries in it: nalihemi, towihola, and yuwijaji. Should I delete those? I'm just searching my registry because I'm looking for the reason for my disabled Task Manager. Any advice?
Thanks again, guys, you guys are great!

C:\WINDOWS\Watson\Watson ..... Deleted Successfully !!
C:\WINDOWS\msdownld.tmp\msdownld.tmp ..... Deleted Successfully !!
C:\WINDOWS\MUI\MUI ..... Deleted Successfully !!
C:\WINDOWS\PIF\PIF ..... Deleted Successfully !!
C:\WINDOWS\Config\Config ..... Deleted Successfully !!
C:\WINDOWS\Connection Wizard\Connection Wizard ..... Deleted Successfully !!
C:\WINDOWS\Registration\CRMLog\CRMLog ..... Deleted Successfully !!
C:\WINDOWS\JAVA\CLASSES\CLASSES ..... Deleted Successfully !!
C:\WINDOWS\JAVA\TRUSTLIB\TRUSTLIB ..... Deleted Successfully !!
C:\WINDOWS\$hf_mig$\KB943055\KB943055 ..... Deleted Successfully !!
C:\WINDOWS\$hf_mig$\KB943485\KB943485 ..... Deleted Successfully !!
C:\WINDOWS\$hf_mig$\KB945553\KB945553 ..... Deleted Successfully !!
C:\WINDOWS\$hf_mig$\KB946026\KB946026 ..... Deleted Successfully !!
C:\WINDOWS\SoftwareDistribution\AuthCabs\AuthCabs ..... Deleted Successfully !!
C:\WINDOWS\Debug\UserMode\UserMode ..... Deleted Successfully !!
C:\WINDOWS\ASSEMBLY\TEMP\TEMP ..... Deleted Successfully !!
C:\WINDOWS\ASSEMBLY\TMP\TMP ..... Deleted Successfully !!
C:\WINDOWS\LHSP\g2p\g2p ..... Deleted Successfully !!
C:\WINDOWS\LHSP\language\language ..... Deleted Successfully !!
C:\WINDOWS\LHSP\tpp\tpp ..... Deleted Successfully !!
C:\WINDOWS\LHSP\voice\voice ..... Deleted Successfully !!
C:\WINDOWS\MSAPPS\MSINFO\MSINFO ..... Deleted Successfully !!
C:\WINDOWS\IME\IMEJP98\IMEJP98 ..... Deleted Successfully !!
C:\WINDOWS\WinSxS\InstallTemp\InstallTemp ..... Deleted Successfully !!
C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered ..... Deleted Successfully !!
C:\WINDOWS\PCHEALTH\ErrorRep\UserDumps\UserDumps ..... Deleted Successfully !!
C:\WINDOWS\PCHEALTH\HELPCTR\BATCH\BATCH ..... Deleted Successfully !!
C:\WINDOWS\PCHEALTH\HELPCTR\HelpFiles\HelpFiles ..... Deleted Successfully !!
C:\WINDOWS\PCHEALTH\HELPCTR\InstalledSKUs\InstalledSKUs ..... Deleted Successfully !!
C:\WINDOWS\PCHEALTH\HELPCTR\Temp\Temp ..... Deleted Successfully !!
C:\WINDOWS\IME\CHSIME\APPLETS\APPLETS ..... Deleted Successfully !!
C:\WINDOWS\IME\CHTIME\Applets\Applets ..... Deleted Successfully !!
C:\WINDOWS\IME\IMEJP\APPLETS\APPLETS ..... Deleted Successfully !!
C:\WINDOWS\IME\IMJP8_1\APPLETS\APPLETS ..... Deleted Successfully !!
C:\WINDOWS\IME\IMKR6_1\APPLETS\APPLETS ..... Deleted Successfully !!
C:\WINDOWS\IME\IMKR6_1\DICTS\DICTS ..... Deleted Successfully !!
C:\WINDOWS\IME\SHARED\RES\RES ..... Deleted Successfully !!
C:\WINDOWS\Sun\Java\Deployment\Deployment ..... Deleted Successfully !!
C:\WINDOWS\SoftwareDistribution\Download\a8a198f29fa1e0036a0893ee4e32b46a\backup\backup ..... Deleted Successfully !!
C:\WINDOWS\SoftwareDistribution\Download\a4c6f78366f403fa7e7d062ca70ddddc\backup\backup ..... Deleted Successfully !!
C:\WINDOWS\SoftwareDistribution\Download\d61766d223927760d60364c3824ce500\backup\backup ..... Deleted Successfully !!
C:\WINDOWS\PCHEALTH\HELPCTR\Config\CheckPoint\CheckPoint ..... Deleted Successfully !!
C:\WINDOWS\PCHEALTH\HELPCTR\Config\News\News ..... Deleted Successfully !!
C:\WINDOWS\PCHEALTH\HELPCTR\System\DFS\DFS ..... Deleted Successfully !!
C:\WINDOWS\Installer\$PatchCache$\Managed\18555481990E8AB4CBB63FB4F26006C0\1.0.0\1.0.0 ..... Deleted Successfully !!
C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs ..... Deleted Successfully !!
C:\WINDOWS\Help\SBSI\Training\WXPPer\Cbz\Cbz ..... Deleted Successfully !!
C:\WINDOWS\Help\SBSI\Training\WXPPer\Lib\Lib ..... Deleted Successfully !!
C:\WINDOWS\Help\SBSI\Training\WXPPer\Wave\Wave ..... Deleted Successfully !!
C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\backup\asms\70\70 ..... Deleted Successfully !!
C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\backup\asms\10\policy\policy ..... Deleted Successfully !!
C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\backup\asms\51\msft\msft ..... Deleted Successfully !!
C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\backup\asms\52\msft\msft ..... Deleted Successfully !!
C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\backup\asms\60\msft\msft ..... Deleted Successfully !!
C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\backup\asms\51\policy\msft\msft ..... Deleted Successfully !!
C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\backup\asms\52\policy\msft\msft ..... Deleted Successfully !!
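To check the fix.bat result against the RootRepeal report it was built from, here is an added Python example; it is not part of the thread or of either tool. It parses the "Hidden/Locked Files" section of the report and the %temp%\log.txt format that fix.bat writes, then reports which locked paths were deleted, which failed, which never appeared in the log, and which report entries (such as the AVG dump with an allocation-size mismatch) the fix did not target; it also flags any locked path that does not have the doubled last component seen on every entry in this report, so that a stray path gets a second look before it is removed. The sample inputs are constructed excerpts of the logs posted above, with one failed and one missing entry added to exercise every branch.

```python
"""Reconcile a RootRepeal report with the log written by fix.bat (added example)."""
import re

# Constructed sample: excerpt of the RootRepeal report posted earlier in this thread.
ROOTREPEAL = r"""
Hidden/Locked Files
-------------------
Path: C:\WINDOWS\Watson\Watson
Status: Locked to the Windows API!

Path: C:\WINDOWS\MUI\MUI
Status: Locked to the Windows API!

Path: c:\documents and settings\all users\application data\avg8\dumps\avgnsx.exe_129009468500781250_f.dmp
Status: Allocation size mismatch (API: 5505024, Raw: 4849664)

Path: C:\WINDOWS\PIF\PIF
Status: Locked to the Windows API!

Path: C:\WINDOWS\Config\Config
Status: Locked to the Windows API!

==EOF==
"""

# Constructed sample of %temp%\log.txt: the PIF failure is invented and the Config
# line is deliberately missing, so that every outcome below is exercised.
FIX_LOG = r"""
C:\WINDOWS\Watson\Watson ..... Deleted Successfully !!
C:\WINDOWS\MUI\MUI ..... Deleted Successfully !!
C:\WINDOWS\PIF\PIF .... Unable to Delete
"""

LOCKED = "Locked to the Windows API!"
# fix.bat writes "<path> ..... Deleted Successfully !!" or "<path> .... Unable to Delete".
FIX_LINE = re.compile(r'^(?P<path>.+?) \.{4,} (?P<outcome>Deleted Successfully !!|Unable to Delete)\s*$')


def parse_rootrepeal(report):
    """Return [(path, status)] pairs from a RootRepeal Hidden/Locked Files section."""
    entries, path = [], None
    for line in report.splitlines():
        if line.startswith("Path: "):
            path = line[len("Path: "):].strip()
        elif line.startswith("Status: ") and path is not None:
            entries.append((path, line[len("Status: "):].strip()))
            path = None
    return entries


def parse_fix_log(log):
    """Return {lower-cased path: outcome} from the log that fix.bat writes."""
    outcomes = {}
    for line in log.splitlines():
        m = FIX_LINE.match(line)
        if m:
            outcomes[m.group("path").lower()] = m.group("outcome")
    return outcomes


def doubled_name(path):
    """True when the last component repeats its parent, e.g. ...\Watson\Watson."""
    parts = [p for p in path.split("\\") if p]
    return len(parts) >= 2 and parts[-1].lower() == parts[-2].lower()


def reconcile(report, log):
    """Classify each report entry as deleted, failed, unreported (locked but absent
    from the log) or skipped (a status fix.bat did not target); 'review' collects
    locked paths that lack the doubled-name shape and deserve a look before removal."""
    outcomes = parse_fix_log(log)
    result = {"deleted": [], "failed": [], "unreported": [], "skipped": [], "review": []}
    for path, status in parse_rootrepeal(report):
        if status != LOCKED:
            result["skipped"].append(path)
            continue
        if not doubled_name(path):
            result["review"].append(path)
        outcome = outcomes.get(path.lower())
        if outcome is None:
            result["unreported"].append(path)
        elif outcome.startswith("Deleted"):
            result["deleted"].append(path)
        else:
            result["failed"].append(path)
    return result


if __name__ == "__main__":
    for bucket, paths in reconcile(ROOTREPEAL, FIX_LOG).items():
        print(f"{bucket}: {len(paths)}")
        for p in paths:
            print("   ", p)
```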

#9 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,211 posts
  • ONLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:11:09 PM

Posted 25 October 2009 - 10:31 AM

Hi, coffeyman62490 :(

Download OTS.exe by OldTimer to your Desktop.
  • Close any open browsers.
  • Double-click on OTS.exe to start the program.
  • Copy/Paste the information in the Quotebox below into the pane where it says "Paste fix here" and then click the Run Fix button.


    :Files
    c:\windows\system32\bapohiko.exe
    c:\windows\system32\bomemoji.exe
    c:\windows\system32\jisagoyi.dll
    c:\windows\system32\kahowuhi.dll
    c:\windows\system32\lokonofe.dll
    c:\windows\system32\manurege.dll
    c:\windows\system32\namogizu.dll
    c:\windows\system32\ninukoso.dll
    c:\windows\system32\sunapija.dll
    c:\windows\system32\tasutope.dll
    c:\windows\system32\yavekeve.dll
    c:\windows\system32\zomejuhe.dll
    c:\comfix26385c\Combobatch.bat
    c:\windows\system32\itdx8b.dll
    c:\windows\system32\sunapija.dll
    c:\windows\system32\DATIMEu.dll
    c:\docume~1\admini~1\desktop\temp.dll



    The fix should only take a very short time. When the fix is completed, a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here.
  • Launch OTS.exe once again.
  • Leave all settings as they appear as default, except for the following:
    • Under Drivers, select "All".
    • Under Additional Scans, click on the "Extra" button.
  • Now click the Run Scan button on the toolbar.
  • The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Save that Notepad file.
  • Use the Reply button and attach the Notepad file here (do not copy and paste it into a reply; attach it instead).

Edited by JSntgRvr, 25 October 2009 - 10:53 AM.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#10 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,211 posts
  • ONLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:11:09 PM

Posted 01 November 2009 - 08:28 PM

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member with address of this thread. This applies only to the original topic starter. Everyone else please begin a New Topic.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!




