No desktop, links in start menu point to (null), "advanced virus remover", and more. Please help!


24 replies to this topic

#1 L0v3LESS

  • Members
  • 30 posts
  • Location:new york

Posted 15 November 2009 - 09:30 PM

My topic title and description basically sum up what's happening to the computer. It's running Windows XP Professional, and recently has been experiencing some issues relating to fake antivirus programs. Initially, the desktop was disabled but I could still access programs via the Start Menu. When I was working on the computer, some Google search links I clicked ended up redirecting me to fake advertising sites. I managed to get Malwarebytes onto the PC and scanned with it. After removing a bunch of trojans, an even bigger problem hit me the next day. None of the programs were gone, and now whenever I clicked on an item in the start menu the whole computer would freeze and nothing would occur. I can click Run --> msconfig, services.msc, devmgmt etc, but cannot Run anything pointing to Explorer or file directories. The only way to circumvent this is to go into msconfig and select Diagnostic Startup. I did this and then checked the services necessary for a USB drive to transfer files. I scanned using DDS and RootRepeal in this pseudo-safe mode like mode, as that was the only way I could be able to access programs. On another note, I cannot boot to safe mode, nor can I boot to DVDs, with a Linux Ubuntu live CD giving me several odd errors. Upon some internet searches, these were attributed to "corrupt system files" or "wrong bios settings". Any help would be greatly appreciated.

Please see DDS log below and RootRepeal/Attach log attached:


DDS (Ver_09-10-26.01) - NTFSx86
Run by Administrator at 21:15:37.92 on Sun 11/15/2009
Internet Explorer: 7.0.5730.13

============== Running Processes ===============


============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=smb&pf=desktop
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
uPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
uPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: c:\windows\system32\winhelper86.dll
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} - hxxp://171.64.22.130/main/Install/en/US/CentraDownloader.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} - hxxp://download.microsoft.com/download/7/E/6/7E6A8567-DFE4-4624-87C3-163549BE2704/clearadj.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Name-Space Handler: ftp\* - {419A0123-4312-1122-A0C0-434FDA6DA542} - c:\program files\coreftp\pftpns.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\pxhnm43p.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - truec:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-11-16 02:08:50 0 d-----w- C:\VundoFix Backups
2009-11-16 02:07:17 0 d-s---w- C:\ComboFix
2009-11-14 08:12:40 0 ----a-w- c:\windows\system32\18467.exe
2009-11-14 07:57:55 0 d-----w- c:\program files\AdvancedVirusRemover
2009-11-14 07:52:39 0 ----a-w- c:\windows\system32\41.exe
2009-11-14 07:52:36 23040 ----a-w- c:\windows\system32\winhelper86.dll
2009-11-14 07:52:33 831 ----a-w- c:\windows\system32\critical_warning.html
2009-11-14 07:52:32 28432 ----a-w- c:\windows\system32\winupdate86.exe
2009-10-29 23:08:03 0 d-----w- c:\program files\Trend Micro
2009-10-22 23:20:37 0 d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes
2009-10-22 23:20:33 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-22 23:20:31 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-22 23:20:31 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-22 23:20:31 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-10-22 17:50:07 118784 ----a-w- c:\windows\system32\chg.exe

==================== Find3M ====================

2009-10-21 04:08:54 3598336 ------w- c:\windows\system32\dllcache\mshtml.dll
2009-10-01 14:29:14 195440 ------w- c:\windows\system32\MpSigStub.exe
2009-09-11 14:03:37 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-11 14:03:37 136192 ------w- c:\windows\system32\dllcache\msv1_0.dll
2009-09-04 20:45:26 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-04 20:45:26 58880 ------w- c:\windows\system32\dllcache\msasn1.dll
2009-08-28 10:28:59 70656 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-08-28 10:28:59 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2009-08-27 05:18:44 634648 ------w- c:\windows\system32\dllcache\iexplore.exe
2009-08-27 05:18:41 161792 ------w- c:\windows\system32\dllcache\ieakui.dll
2009-08-26 08:16:37 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-26 08:16:37 247326 ----a-w- c:\windows\system32\dllcache\strmdll.dll
2008-05-22 13:16:59 32768 --sha-w- c:\windows\temp\history\history.ie5\mshist012008052420080525\index.dat

============= FINISH: 21:16:55.51 ===============
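
One way to triage the "Created Last 30" rows of a DDS log like the one above. This is an added example, not part of the original post or of DDS itself; the sample rows are copied from that log, and the three heuristics (all-digit executable name in system32, zero-byte binary, burst of files created within seconds of each other) are assumptions chosen for illustration.

```python
import re
from datetime import datetime, timedelta
from ntpath import basename, dirname  # Windows path rules on any host OS

# Rows copied from the "Created Last 30" section of the DDS log in the post above.
SAMPLE = r"""
2009-11-16 02:08:50 0 d-----w- C:\VundoFix Backups
2009-11-14 08:12:40 0 ----a-w- c:\windows\system32\18467.exe
2009-11-14 07:57:55 0 d-----w- c:\program files\AdvancedVirusRemover
2009-11-14 07:52:39 0 ----a-w- c:\windows\system32\41.exe
2009-11-14 07:52:36 23040 ----a-w- c:\windows\system32\winhelper86.dll
2009-11-14 07:52:33 831 ----a-w- c:\windows\system32\critical_warning.html
2009-11-14 07:52:32 28432 ----a-w- c:\windows\system32\winupdate86.exe
2009-10-22 23:20:33 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-22 17:50:07 118784 ----a-w- c:\windows\system32\chg.exe
"""

# DDS row layout: date, time, size in bytes, 8-character attribute string, path.
ROW = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\d+) (\S{8}) (.+)$")
BINARY_EXT = (".exe", ".dll", ".sys")


def parse(text):
    """Turn DDS file rows into dicts; any line that is not a row is skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            stamp, size, attrs, path = m.groups()
            rows.append({
                "time": datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"),
                "size": int(size),
                "is_dir": attrs.startswith("d"),
                "path": path,
            })
    return rows


def flags(row):
    """Per-file heuristics (assumptions of this example, not DDS features)."""
    if row["is_dir"]:
        return []
    name = basename(row["path"]).lower()
    folder = dirname(row["path"]).lower()
    found = []
    if folder == r"c:\windows\system32" and re.fullmatch(r"\d+\.exe", name):
        found.append("numeric-name exe in system32")
    if row["size"] == 0 and name.endswith(BINARY_EXT):
        found.append("zero-byte binary")
    return found


def bursts(rows, gap=timedelta(seconds=60), min_files=3):
    """Group files whose creation times chain together with gaps <= `gap`."""
    files = sorted((r for r in rows if not r["is_dir"]), key=lambda r: r["time"])
    groups, current = [], []
    for row in files:
        if current and row["time"] - current[-1]["time"] > gap:
            if len(current) >= min_files:
                groups.append(current)
            current = []
        current.append(row)
    if len(current) >= min_files:
        groups.append(current)
    return groups


def triage(text):
    """Return ({file name: [reasons]}, [[file names created in one burst], ...])."""
    rows = parse(text)
    flagged = {basename(r["path"]): flags(r) for r in rows if flags(r)}
    clusters = [[basename(r["path"]) for r in g] for g in bursts(rows)]
    return flagged, clusters


if __name__ == "__main__":
    flagged, clusters = triage(SAMPLE)
    for name, why in flagged.items():
        print(f"FLAG  {name}: {', '.join(why)}")
    for names in clusters:
        print("BURST", ", ".join(names))
```

A burst is only a lead for review: a legitimate installer also writes many files within a few seconds, so each cluster still has to be checked by hand.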


 


#2 myrti

  • Malware Study Hall Admin
  • 33,771 posts
  • Location:At home

Posted 24 November 2009 - 04:34 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
  • Please download OTL from following mirror:
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards _temp_

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 


#3 L0v3LESS

Posted 24 November 2009 - 09:26 PM

Hello;

As of now, the situation has worsened dramatically. When I boot up my PC and log in, the wallpaper and the mouse load, but no taskbar or desktop appears. I cannot execute keyboard functions as well: for example, CTRL+ALT+DEL gives me nothing. I cannot boot to safe mode: when I select it from the F8 menu, it loads the drivers and then gives me a blue screen. This is not a BSOD, it's simply a blue screen with no writing on it. After that, the computer goes nowhere. Is there a way to circumvent this?

#4 myrti

Posted 24 November 2009 - 10:41 PM

Hi,

this does not sound good. If you have your Windows CD close by I would recommend running a repair install as a first step. This will replace all Windows files and settings, but won't touch your installed programs and personal files. (Also, it would be better to back them up first.)

Have you tried running the live-cd on another PC, does it work fine there? Can you please give me the exact error message?

Can you tell if the keyboard is still working once you have logged in? Could this be the problem for ctrl+alt+del not working?

Please also tell me which is the last driver you see loading in safe mode before the blue screen. Do you have the recovery console installed?

However, I will tell you right from the start that this may not be fixable.

regards myrti



#5 L0v3LESS

Posted 26 November 2009 - 05:12 PM

The keyboard works (because the numlock light is still on), and I did a Windows XP repair install. What happens now is that it freezes on the Windows XP loading screen that has the "Please wait..." text in the middle of it. At this point, I would assume that a liveCD is irrelevant? Thanks..

#6 myrti

Posted 27 November 2009 - 08:05 AM

Hi,

could you check if you manage to load in safe mode? Since the repair install should have replaced all Windows system files, the stalling should come from a third program; these are not loaded in safe mode, though.

A live-cd is of no use for the repair now, I believe, since we do not know where the problem is. However, it can help identify if there is a problem with your hardware, for example.

regards myrti



#7 L0v3LESS

Posted 27 November 2009 - 01:38 PM

Thank you for your response. Safe mode does load successfully, and the last driver that loads is "Mup.sys". What do I do from here?

EDIT: Weird things are happening to this computer. I'm in safe mode and it immediately gives me an error: "You're computer is infected with Win32.NetSky worm, please do a full system scan now." A red circle with a white x appears on the taskbar (almost like vundo), and the executable for malwarebytes (mbam.exe) has been deleted. System restore doesn't work, it gives me an error "This file has been infected, please do a full system scan". Very strange, as this is all in safe mode.. Thanks.

Edited by L0v3LESS, 27 November 2009 - 01:46 PM.


#8 myrti

Posted 28 November 2009 - 10:03 AM

Hi,

you are clearly still infected. The good news is that safe mode seems to be working. :(

Please try to do the following:

On a clean computer download the following tool, attach a flash drive and run it:
Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.

This will prevent any infection from spreading from your infected PC to the flash drive and from there to your clean PC.

After that please download the tools for the following instructions onto the flash drive and run these instructions on your infected PC:

Download and Run RKill

Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

Link 1
Link 2
Link 3
Link 4
  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply
Download the tools needed to a flash drive or other removable media, and transfer them to the infected computer.

***************************************************

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

With malware infections being as they are today, it's strongly recommended to have the Windows Recovery Console pre-installed on your machine before doing any malware removal.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.


Go to Microsoft's website => http://support.microsoft.com/kb/310994

Select the download that's appropriate for your Operating System



Download the file & save it as it's originally named.


---------------------------------------------------------------------

Transfer all files you just downloaded, to the desktop of the infected computer.

--------------------------------------------------------------------


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

  • Drag the setup package onto ComboFix.exe and drop it.

  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.




  • At the next prompt, click 'Yes' to run the full ComboFix scan.

  • When the tool is finished, it will produce a report for you.
Please post the C:\ComboFix.txt in your next reply.

regards myrti

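
The autorun.inf folder placeholder mentioned in the note above, checked from a script. This is an added example, not part of the original post and not Flash_Disinfector's code; the autorun.inf contents and `example.exe` are constructed, and temporary directories stand in for drive roots.

```python
import os
import tempfile

LAUNCH_KEYS = ("open", "shellexecute")

# Constructed autorun.inf content; example.exe is a placeholder name.
SAMPLE_INF = (
    "[autorun]\n"
    "open=example.exe\n"
    "icon=example.exe,0\n"
    "shell\\open\\command=example.exe\n"
    "label=My Drive\n"
)


def inspect_root(root):
    """Classify <root>/autorun.inf and list the entries that start a program."""
    path = os.path.join(root, "autorun.inf")
    if not os.path.lexists(path):
        return "absent", []
    if os.path.isdir(path):
        return "folder", []  # the placeholder folder described in the note
    launch = []
    with open(path, "r", errors="replace") as fh:
        for line in fh:
            key, sep, value = line.partition("=")
            key = key.strip().lower()
            is_verb = key.startswith("shell\\") and key.endswith("\\command")
            if sep and (key in LAUNCH_KEYS or is_verb):
                launch.append((key, value.strip()))
    return "file", launch


def plain_write_blocked(root):
    """True if writing a *file* named autorun.inf fails because a folder holds the name.

    Only call this on a scratch directory: where nothing blocks the write,
    it really creates the file.
    """
    try:
        with open(os.path.join(root, "autorun.inf"), "w") as fh:
            fh.write("[autorun]\n")
        return False
    except OSError:  # IsADirectoryError on POSIX, PermissionError on Windows
        return True


def demo():
    """Build three stand-in drive roots and report what the checks see."""
    results = {}
    with tempfile.TemporaryDirectory() as base:
        clean = os.path.join(base, "clean")
        infected = os.path.join(base, "infected")
        protected = os.path.join(base, "protected")
        for root in (clean, infected, protected):
            os.mkdir(root)
        with open(os.path.join(infected, "autorun.inf"), "w") as fh:
            fh.write(SAMPLE_INF)
        os.mkdir(os.path.join(protected, "autorun.inf"))

        results["clean"] = inspect_root(clean)
        results["infected"] = inspect_root(infected)
        results["protected"] = inspect_root(protected)
        results["protected_write_blocked"] = plain_write_blocked(protected)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```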


#9 L0v3LESS

Posted 28 November 2009 - 10:24 PM

Originally, rkill did not run on my computer.. I had to use HJT's process manager to kill "winupdate86" to get rid of the red x on the taskbar, and then my programs all worked again.. also, just as a note, there are several .exe files in my C:\ directory with nonsense names such as the ones ComboFix found. In addition, ComboFix claimed that Avast! was running, but it obviously wasn't (safemode?). Finally, the computer kept trying to install drivers for a printer (I would click "Finish", and it would load the window again). I just left it open and did everything. Please see log below:


ComboFix 09-11-28.03 - Administrator 11/28/2009 22:02.1.2 - x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1735 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
AV: avast! antivirus 4.8.1356 [VPS 091124-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Application Data\EurekaLog
c:\documents and settings\All Users\Application Data\77454936
c:\documents and settings\All Users\Application Data\77454936\77454936.exe
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\LOGDD.tmp
c:\recycler\S-1-5-21-2639875214-4146284854-4043352858-500
C:\test.txt
c:\windows\system32\__c00BA8F6.dat
c:\windows\system32\11323.exe
c:\windows\system32\11478.exe
c:\windows\system32\11538.exe
c:\windows\system32\11840.exe
c:\windows\system32\11942.exe
c:\windows\system32\12316.exe
c:\windows\system32\12382.exe
c:\windows\system32\12623.exe
c:\windows\system32\12859.exe
c:\windows\system32\13931.exe
c:\windows\system32\14604.exe
c:\windows\system32\14771.exe
c:\windows\system32\15006.exe
c:\windows\system32\15141.exe
c:\windows\system32\153.exe
c:\windows\system32\15350.exe
c:\windows\system32\15724.exe
c:\windows\system32\15890.exe
c:\windows\system32\16118.exe
c:\windows\system32\16827.exe
c:\windows\system32\16944.exe
c:\windows\system32\17035.exe
c:\windows\system32\17421.exe
c:\windows\system32\17673.exe
c:\windows\system32\1842.exe
c:\windows\system32\18467.exe
c:\windows\system32\1869.exe
c:\windows\system32\18716.exe
c:\windows\system32\18756.exe
c:\windows\system32\19169.exe
c:\windows\system32\19264.exe
c:\windows\system32\19629.exe
c:\windows\system32\19718.exe
c:\windows\system32\19895.exe
c:\windows\system32\19912.exe
c:\windows\system32\19954.exe
c:\windows\system32\20037.exe
c:\windows\system32\21538.exe
c:\windows\system32\21726.exe
c:\windows\system32\22190.exe
c:\windows\system32\22648.exe
c:\windows\system32\23281.exe
c:\windows\system32\23805.exe
c:\windows\system32\23811.exe
c:\windows\system32\24084.exe
c:\windows\system32\24370.exe
c:\windows\system32\24393.exe
c:\windows\system32\24464.exe
c:\windows\system32\24626.exe
c:\windows\system32\25547.exe
c:\windows\system32\25667.exe
c:\windows\system32\26299.exe
c:\windows\system32\26308.exe
c:\windows\system32\26500.exe
c:\windows\system32\26962.exe
c:\windows\system32\27446.exe
c:\windows\system32\27529.exe
c:\windows\system32\27644.exe
c:\windows\system32\28145.exe
c:\windows\system32\28253.exe
c:\windows\system32\28703.exe
c:\windows\system32\288.exe
c:\windows\system32\292.exe
c:\windows\system32\29358.exe
c:\windows\system32\2995.exe
c:\windows\system32\30106.exe
c:\windows\system32\30333.exe
c:\windows\system32\3035.exe
c:\windows\system32\31101.exe
c:\windows\system32\31322.exe
c:\windows\system32\32391.exe
c:\windows\system32\32439.exe
c:\windows\system32\32662.exe
c:\windows\system32\32757.exe
c:\windows\system32\3548.exe
c:\windows\system32\3902.exe
c:\windows\system32\41.exe
c:\windows\system32\4664.exe
c:\windows\system32\4827.exe
c:\windows\system32\491.exe
c:\windows\system32\4966.exe
c:\windows\system32\5436.exe
c:\windows\system32\5447.exe
c:\windows\system32\5537.exe
c:\windows\system32\5705.exe
c:\windows\system32\6334.exe
c:\windows\system32\6729.exe
c:\windows\system32\6868.exe
c:\windows\system32\6to4v32.dll
c:\windows\system32\7376.exe
c:\windows\system32\7711.exe
c:\windows\system32\778.exe
c:\windows\system32\8723.exe
c:\windows\system32\8942.exe
c:\windows\system32\9040.exe
c:\windows\system32\9741.exe
c:\windows\system32\9894.exe
c:\windows\system32\9961.exe
c:\windows\system32\a4v87ct.dll
c:\windows\system32\AVR10.exe
c:\windows\system32\certstore.dat
c:\windows\system32\config\systemprofile\Start Menu\Programs\Security Tool.lnk
c:\windows\system32\daqdrv.sys
c:\windows\system32\dewokawo.dll
c:\windows\system32\fgjk4wvb.dll
c:\windows\system32\fulipuyu.dll
c:\windows\system32\gemezolo.dll
c:\windows\system32\jevujuza.dll
c:\windows\system32\jikitopo.dll
c:\windows\system32\kopuruvu.dll
c:\windows\system32\kusohove.dll
c:\windows\system32\ludozoko.dll
c:\windows\system32\payojuvi.dll
c:\windows\system32\penifaga.dll
c:\windows\system32\rihosife.dll
c:\windows\system32\sarikuja.dll
c:\windows\system32\setawala.dll
c:\windows\system32\seweyaka.dll
c:\windows\system32\sezoheba.dll
c:\windows\system32\tdlcmd.dll
c:\windows\system32\tibefone.dll
c:\windows\system32\tofegahe.exe
c:\windows\system32\winhelper86.dll
c:\windows\system32\winlogon86.exe
c:\windows\system32\winupdate86.exe
c:\windows\system32\yafuveyu.exe
c:\windows\system32\zomudumu.dll
c:\windows\Tasks\extbtznb.job
c:\windows\Temp\315639642.exe
D:\Autorun.inf

----- BITS: Possible infected sites -----

hxxp://82.98.235.208
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Service_6to4
-------\Legacy_daqdrv
-------\Service_daqdrv


((((((((((((((((((((((((( Files Created from 2009-10-28 to 2009-11-29 )))))))))))))))))))))))))))))))
.

2009-11-25 04:41 . 2007-07-27 12:00 33792 -c--a-w- c:\windows\system32\dllcache\lmmib2.dll
2009-11-25 04:40 . 2009-11-25 04:40 -------- d-----w- c:\windows\LastGood.Tmp
2009-11-25 04:02 . 2007-07-27 12:00 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll
2009-11-25 04:02 . 2007-07-27 12:00 24661 ----a-w- c:\windows\system32\spxcoins.dll
2009-11-25 04:02 . 2007-07-27 12:00 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll
2009-11-25 04:02 . 2007-07-27 12:00 13312 ----a-w- c:\windows\system32\irclass.dll
2009-11-25 04:01 . 2009-11-25 04:01 -------- d-s---w- c:\windows\system32\config\systemprofile\History
2009-11-24 14:49 . 2009-11-24 14:49 71424 ----a-w- c:\windows\system32\drivers\axfeoth.sys
2009-11-21 20:07 . 2009-11-21 20:07 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-11-21 16:35 . 2009-11-21 16:35 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2009-11-21 16:24 . 2009-11-21 16:24 38400 ----a-w- C:\ldvlhbee.exe
2009-11-21 16:24 . 2009-11-22 04:08 52736 ----a-w- c:\windows\system32\caonima2.exe
2009-11-21 16:24 . 2009-11-21 16:24 14336 ----a-w- C:\jpvedf.exe
2009-11-21 16:24 . 2009-11-21 16:24 32768 ----a-w- C:\maslf.exe
2009-11-21 16:24 . 2009-11-21 16:24 132075 ----a-w- C:\xrvho.exe
2009-11-21 08:18 . 2009-11-22 16:39 118784 ----a-w- c:\windows\system32\chg.exe
2009-11-20 20:01 . 2009-11-20 20:01 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-11-20 08:22 . 2009-11-20 08:22 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-11-19 23:29 . 2009-06-30 14:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2009-11-19 23:28 . 2009-11-19 23:28 -------- d-----w- c:\program files\Panda Security
2009-11-19 23:28 . 2009-11-21 08:01 -------- d-----w- c:\windows\ie8updates
2009-11-19 23:25 . 2009-11-19 23:27 -------- dc-h--w- c:\windows\ie8
2009-11-17 22:07 . 2009-09-15 11:54 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-11-17 22:07 . 2009-09-15 11:54 52368 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-11-17 22:07 . 2009-09-15 11:53 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-11-17 22:07 . 2009-09-15 11:53 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-11-17 22:07 . 2009-09-15 11:56 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-11-17 22:07 . 2009-09-15 11:56 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-11-17 22:07 . 2009-09-15 11:55 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-11-17 22:07 . 2009-09-15 11:55 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-11-17 22:06 . 2009-09-15 11:59 1279968 ----a-w- c:\windows\system32\aswBoot.exe
2009-11-17 22:06 . 2009-11-17 22:06 -------- d-----w- c:\program files\Alwil Software
2009-11-16 02:08 . 2009-11-16 02:08 -------- d-----w- C:\VundoFix Backups

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-25 04:38 . 2004-08-09 13:28 23444 ----a-w- c:\windows\system32\emptyregdb.dat
2009-11-21 16:24 . 2009-10-22 23:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-20 08:17 . 2008-09-19 14:12 -------- d-----w- c:\documents and settings\All Users\Application Data\PDFC
2009-11-17 16:52 . 2008-04-09 00:09 -------- d-----w- c:\documents and settings\Administrator\Application Data\U3
2009-11-11 14:33 . 2008-04-01 21:43 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-11-03 01:42 . 2009-10-03 00:49 195456 ----a-w- c:\windows\system32\MpSigStub.exe
2009-10-29 23:08 . 2009-10-29 23:08 -------- d-----w- c:\program files\Trend Micro
2009-10-23 02:36 . 2008-02-09 03:05 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-23 02:36 . 2008-02-22 04:31 -------- d--h--w- c:\documents and settings\Administrator\Application Data\ijjigame
2009-10-23 02:36 . 2009-09-08 05:28 -------- d-----w- c:\documents and settings\Administrator\Application Data\BitZipper
2009-10-22 23:23 . 2009-09-08 05:28 -------- d-----w- c:\program files\Winferno
2009-10-22 23:20 . 2009-10-22 23:20 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-10-22 23:20 . 2009-10-22 23:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-22 23:20 . 2009-06-02 12:35 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-01 01:33 . 2009-10-01 01:33 -------- d-----w- c:\program files\QuickTime
2009-10-01 01:32 . 2008-04-04 21:51 -------- d-----w- c:\program files\Common Files\Apple
2009-10-01 01:32 . 2009-10-01 01:32 -------- d-----w- c:\program files\Apple Software Update
2009-09-10 19:54 . 2009-10-22 23:20 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 19:53 . 2009-10-22 23:20 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-09-15 81000]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"HPHUPD06"="c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2006-01-07 49152]
"HPHmon06"="c:\windows\system32\hphmon06.exe" [2006-01-07 659456]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb11.exe" [2006-01-07 172032]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"SetRefresh"="c:\program files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-20 525824]
"Scheduler"="c:\windows\SMINST\Scheduler.exe" [2006-07-10 872448]
"PDF Complete"="c:\program files\PDF Complete\pdfsty.exe" [2008-08-19 319000]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"ATIModeChange"="Ati2mdxx.exe" - c:\windows\system32\Ati2mdxx.exe [2008-01-22 26112]
"SRFirstRun"="srclient.dll" - c:\windows\system32\srclient.dll [2004-08-04 67584]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2006-10-27 434528]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2007-07-27 15360]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\digital imaging\bin\hpqtra08.exe [2004-5-28 241664]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ComPlusSetup]
2007-07-27 12:00 628224 ----a-w- c:\windows\system32\catsrvut.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Wireless Network Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Wireless Network Monitor.lnk
backup=c:\windows\pss\Wireless Network Monitor.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\SMINST\\Scheduler.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Nexon\\MapleStory\\MapleStory.exe"=
"c:\\Program Files\\CentraOne\\bin\\launcher.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\WINDOWS\\system32\\dllhost.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Alwil Software\\Avast4\\ashDisp.exe"=

S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [11/19/2009 6:29 PM 28552]
S1 albxfhid;albxfhid;\??\c:\windows\system32\drivers\albxfhid.sys --> c:\windows\system32\drivers\albxfhid.sys [?]
S1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [11/17/2009 5:07 PM 114768]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [11/17/2009 5:07 PM 20560]
S2 pdfcDispatcher;PDF Document Manager;c:\program files\PDF Complete\pdfsvc.exe [2/8/2008 10:07 PM 797720]
S2 qodbifucubffoa;qodbifucubffoa;c:\windows\system32\drivers\axfeoth.sys [11/24/2009 9:49 AM 71424]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S3 rt2870;Linksys 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [12/14/2007 5:04 PM 551680]
S3 VirtDisk;XSS Virtual Disk Driver;c:\windows\SMINST\virtdisk.sys [2/8/2008 10:08 PM 57344]
.
Contents of the 'Scheduled Tasks' folder

2009-11-24 c:\windows\Tasks\HP Usg Daily FY04.job
- c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\pexpress\hphped06.exe [2008-04-05 05:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Name-Space Handler: ftp\* - {419A0123-4312-1122-A0C0-434FDA6DA542} - c:\program files\CoreFTP\pftpns.dll
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} - hxxp://171.64.22.130/main/Install/en/US/CentraDownloader.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\pxhnm43p.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - truec:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -

BHO-{a57fc7db-05e4-495f-8917-24bbd09dd419} - sarikuja.dll
HKLM-Run-PHIME2002ASync - c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE
HKLM-Run-PHIME2002A - c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE
HKLM-Run-81470626 - c:\docume~1\ALLUSE~1\APPLIC~1\81470626\81470626.exe
HKLM-Run-77454936 - c:\docume~1\ALLUSE~1\APPLIC~1\77454936\77454936.exe
HKLM-Run-winupdate86.exe - c:\windows\system32\winupdate86.exe
HKLM-Run-batonohipu - fulipuyu.dll
SharedTaskScheduler-{ab3f9034-0c0c-428d-bf42-6ad5d6b78b9c} - c:\windows\system32\ludozoko.dll
SSODL-sitodujir-{ab3f9034-0c0c-428d-bf42-6ad5d6b78b9c} - c:\windows\system32\ludozoko.dll
AddRemove-RealJukebox 1.0 - c:\program files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
AddRemove-RealPlayer 6.0 - c:\program files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
AddRemove-{91810AFC-A4F8-4EBA-A5AA-B198BBC81144} - c:\program files\InstallShield Installation Information\{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}\setup.exe REMOVEALL



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-28 22:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pdfcDispatcher]
"ImagePath"="c:\program files\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(232)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2009-11-28 22:17 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-29 03:17

Pre-Run: 133,831,979,008 bytes free
Post-Run: 134,288,642,048 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 78DDCD1643AF4FE18E1D6A768905A6BA

Edited by L0v3LESS, 28 November 2009 - 10:26 PM.


#10 myrti


Posted 29 November 2009 - 02:52 PM

Hi,

The files you are referring to are probably malicious; we will try to take them out with the following script. Could you please try and see if you can boot back into normal mode now?

If so please run the following script with Combofix from normal mode:

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\windows\system32\drivers\axfeoth.sys
C:\ldvlhbee.exe
c:\windows\system32\caonima2.exe
C:\jpvedf.exe
C:\maslf.exe
C:\xrvho.exe
c:\windows\system32\drivers\albxfhid.sys
Driver::
albxfhid
qodbifucubffoa


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

If you can't get into normal mode, please run the script in safe mode and let me know about it.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 



#11 L0v3LESS


Posted 29 November 2009 - 05:17 PM

Running normal mode, internet is back. Windows keeps asking me to activate, but when I click "Activate Windows", nothing happens. Any solution to this problem?

Please see ComboFix below:


ComboFix 09-11-28.03 - Administrator 11/29/2009 16:59.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1599 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1356 [VPS 091124-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

FILE ::
"C:\jpvedf.exe"
"C:\ldvlhbee.exe"
"C:\maslf.exe"
"c:\windows\system32\caonima2.exe"
"c:\windows\system32\drivers\albxfhid.sys"
"c:\windows\system32\drivers\axfeoth.sys"
"C:\xrvho.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\jpvedf.exe
C:\ldvlhbee.exe
C:\maslf.exe
c:\windows\system32\caonima2.exe
c:\windows\system32\drivers\axfeoth.sys
C:\xrvho.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_QODBIFUCUBFFOA
-------\Service_albxfhid
-------\Service_qodbifucubffoa


((((((((((((((((((((((((( Files Created from 2009-10-28 to 2009-11-29 )))))))))))))))))))))))))))))))
.

2009-11-25 04:41 . 2007-07-27 12:00 33792 -c--a-w- c:\windows\system32\dllcache\lmmib2.dll
2009-11-25 04:02 . 2007-07-27 12:00 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll
2009-11-25 04:02 . 2007-07-27 12:00 24661 ----a-w- c:\windows\system32\spxcoins.dll
2009-11-25 04:02 . 2007-07-27 12:00 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll
2009-11-25 04:02 . 2007-07-27 12:00 13312 ----a-w- c:\windows\system32\irclass.dll
2009-11-25 04:01 . 2009-11-25 04:01 -------- d-s---w- c:\windows\system32\config\systemprofile\History
2009-11-21 20:07 . 2009-11-21 20:07 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-11-21 16:35 . 2009-11-21 16:35 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2009-11-20 20:01 . 2009-11-20 20:01 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-11-20 08:22 . 2009-11-20 08:22 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-11-19 23:29 . 2009-06-30 14:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2009-11-19 23:28 . 2009-11-19 23:28 -------- d-----w- c:\program files\Panda Security
2009-11-19 23:28 . 2009-11-21 08:01 -------- d-----w- c:\windows\ie8updates
2009-11-19 23:25 . 2009-11-19 23:27 -------- dc-h--w- c:\windows\ie8
2009-11-17 22:07 . 2009-09-15 11:54 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-11-17 22:07 . 2009-09-15 11:54 52368 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-11-17 22:07 . 2009-09-15 11:53 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-11-17 22:07 . 2009-09-15 11:53 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-11-17 22:07 . 2009-09-15 11:56 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-11-17 22:07 . 2009-09-15 11:56 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-11-17 22:07 . 2009-09-15 11:55 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-11-17 22:07 . 2009-09-15 11:55 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-11-17 22:06 . 2009-09-15 11:59 1279968 ----a-w- c:\windows\system32\aswBoot.exe
2009-11-17 22:06 . 2009-11-17 22:06 -------- d-----w- c:\program files\Alwil Software
2009-11-16 02:08 . 2009-11-16 02:08 -------- d-----w- C:\VundoFix Backups

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-29 22:06 . 2008-09-19 14:12 -------- d-----w- c:\documents and settings\All Users\Application Data\PDFC
2009-11-29 21:50 . 2008-02-18 23:21 93624 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-25 04:38 . 2004-08-09 13:28 23444 ----a-w- c:\windows\system32\emptyregdb.dat
2009-11-21 16:24 . 2009-10-22 23:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-17 16:52 . 2008-04-09 00:09 -------- d-----w- c:\documents and settings\Administrator\Application Data\U3
2009-11-11 14:33 . 2008-04-01 21:43 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-11-03 01:42 . 2009-10-03 00:49 195456 ----a-w- c:\windows\system32\MpSigStub.exe
2009-10-29 23:08 . 2009-10-29 23:08 -------- d-----w- c:\program files\Trend Micro
2009-10-23 02:36 . 2008-02-09 03:05 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-23 02:36 . 2008-02-22 04:31 -------- d--h--w- c:\documents and settings\Administrator\Application Data\ijjigame
2009-10-23 02:36 . 2009-09-08 05:28 -------- d-----w- c:\documents and settings\Administrator\Application Data\BitZipper
2009-10-22 23:23 . 2009-09-08 05:28 -------- d-----w- c:\program files\Winferno
2009-10-22 23:20 . 2009-10-22 23:20 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-10-22 23:20 . 2009-10-22 23:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-22 23:20 . 2009-06-02 12:35 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-01 01:33 . 2009-10-01 01:33 -------- d-----w- c:\program files\QuickTime
2009-10-01 01:32 . 2008-04-04 21:51 -------- d-----w- c:\program files\Common Files\Apple
2009-10-01 01:32 . 2009-10-01 01:32 -------- d-----w- c:\program files\Apple Software Update
2009-09-10 19:54 . 2009-10-22 23:20 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 19:53 . 2009-10-22 23:20 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-11-29_03.12.36 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-29 22:06 . 2009-11-29 22:06 16384 c:\windows\temp\Perflib_Perfdata_608.dat
+ 2004-08-09 13:44 . 2009-11-29 21:51 90470 c:\windows\system32\perfc009.dat
+ 2004-08-09 13:44 . 2009-11-29 21:51 492500 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-09-15 81000]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"HPHUPD06"="c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2006-01-07 49152]
"HPHmon06"="c:\windows\system32\hphmon06.exe" [2006-01-07 659456]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb11.exe" [2006-01-07 172032]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"SetRefresh"="c:\program files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-20 525824]
"Scheduler"="c:\windows\SMINST\Scheduler.exe" [2006-07-10 872448]
"PDF Complete"="c:\program files\PDF Complete\pdfsty.exe" [2008-08-19 319000]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2006-10-27 434528]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2007-07-27 15360]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\digital imaging\bin\hpqtra08.exe [2004-5-28 241664]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Wireless Network Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Wireless Network Monitor.lnk
backup=c:\windows\pss\Wireless Network Monitor.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\SMINST\\Scheduler.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Nexon\\MapleStory\\MapleStory.exe"=
"c:\\Program Files\\CentraOne\\bin\\launcher.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\WINDOWS\\system32\\dllhost.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Alwil Software\\Avast4\\ashDisp.exe"=

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [11/19/2009 6:29 PM 28552]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [11/17/2009 5:07 PM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [11/17/2009 5:07 PM 20560]
R2 pdfcDispatcher;PDF Document Manager;c:\program files\PDF Complete\pdfsvc.exe [2/8/2008 10:07 PM 797720]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S3 rt2870;Linksys 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [12/14/2007 5:04 PM 551680]
S3 VirtDisk;XSS Virtual Disk Driver;c:\windows\SMINST\virtdisk.sys [2/8/2008 10:08 PM 57344]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Name-Space Handler: ftp\* - {419A0123-4312-1122-A0C0-434FDA6DA542} - c:\program files\CoreFTP\pftpns.dll
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} - hxxp://171.64.22.130/main/Install/en/US/CentraDownloader.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\pxhnm43p.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - truec:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-29 17:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pdfcDispatcher]
"ImagePath"="c:\program files\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(732)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2508)
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\nexon\Mabinogi\npkcmsvc.exe
c:\windows\system32\WgaTray.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
c:\windows\system32\wpabaln.exe
.
**************************************************************************
.
Completion time: 2009-11-29 17:11 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-29 22:11
ComboFix2.txt 2009-11-29 03:17

Pre-Run: 132,157,771,776 bytes free
Post-Run: 132,116,955,136 bytes free

- - End Of File - - B25BD944E288D82B5AB41FD270C81C31
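
Added example (not part of the original thread, and not ComboFix's own code): a short Python check that cross-references the CFScript from post #10 with the ComboFix driver listings before and after the run. The excerpts are copied from the logs above with the section-header parentheses shortened; the function names are assumptions made for this illustration.

```python
import re

# CFScript from post #10.
CFSCRIPT = r"""File::
c:\windows\system32\drivers\axfeoth.sys
C:\ldvlhbee.exe
c:\windows\system32\caonima2.exe
C:\jpvedf.exe
C:\maslf.exe
C:\xrvho.exe
c:\windows\system32\drivers\albxfhid.sys
Driver::
albxfhid
qodbifucubffoa
"""

# Driver/service listing from the log taken before the script ran (excerpt).
BEFORE_LOG = r"""S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [11/19/2009 6:29 PM 28552]
S1 albxfhid;albxfhid;\??\c:\windows\system32\drivers\albxfhid.sys --> c:\windows\system32\drivers\albxfhid.sys [?]
S1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [11/17/2009 5:07 PM 114768]
S2 qodbifucubffoa;qodbifucubffoa;c:\windows\system32\drivers\axfeoth.sys [11/24/2009 9:49 AM 71424]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
"""

# Excerpt of the log from post #11 (after the script ran); header runs shortened.
AFTER_LOG = r"""((((( Other Deletions )))))
.
C:\jpvedf.exe
C:\ldvlhbee.exe
C:\maslf.exe
c:\windows\system32\caonima2.exe
c:\windows\system32\drivers\axfeoth.sys
C:\xrvho.exe
.
((((( Drivers/Services )))))
.
-------\Legacy_QODBIFUCUBFFOA
-------\Service_albxfhid
-------\Service_qodbifucubffoa
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [11/19/2009 6:29 PM 28552]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [11/17/2009 5:07 PM 114768]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
"""

SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")
# <R|S><start type> <service name>;<display name>;<image path> [<date size> or ?]
SERVICE_RE = re.compile(r"^([RS])([0-4]) ([^;]+);([^;]*);(.+?) \[[^\]]*\]$")


def parse_cfscript(text):
    """Split a CFScript into {'file': [...], 'driver': [...]} (lower-cased)."""
    sections, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if line.endswith("::"):
            current = line[:-2].lower()
            sections[current] = []
        elif current is not None:
            sections[current].append(line.lower())
    return sections


def parse_log(text):
    """Return (services, sections) parsed from a ComboFix log excerpt."""
    services, sections, current = {}, {}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line == ".":
            continue
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1).lower()
            sections[current] = []
            continue
        svc = SERVICE_RE.match(line)
        if svc:
            state, start, name, _display, image = svc.groups()
            image = image.split(" --> ")[-1]  # keep the resolved path
            services[name.lower()] = {"running": state == "R",
                                      "start": int(start),
                                      "image": image.lower()}
        elif current is not None:
            sections[current].append(line.lower())
    return services, sections


def verify_cleanup(cfscript, before_log, after_log):
    """Check every CFScript target against the before/after logs."""
    script = parse_cfscript(cfscript)
    before, _ = parse_log(before_log)
    after, sections = parse_log(after_log)
    deleted = set(sections.get("other deletions", []))
    removed_keys = {k.rsplit("\\", 1)[-1]
                    for k in sections.get("drivers/services", [])}
    images_after = {s["image"] for s in after.values()}
    report = {"drivers": {}, "files": {}}
    for drv in script.get("driver", []):
        report["drivers"][drv] = {"listed_before": drv in before,
                                  "listed_after": drv in after,
                                  "key_removed": "service_" + drv in removed_keys}
    for path in script.get("file", []):
        report["files"][path] = {"reported_deleted": path in deleted,
                                 "still_a_service_image": path in images_after}
    return report


def not_confirmed(report):
    """Targets the after-log does not positively confirm as removed."""
    out = [d for d, s in report["drivers"].items()
           if s["listed_after"] or not s["key_removed"]]
    out += [f for f, s in report["files"].items()
            if not s["reported_deleted"] or s["still_a_service_image"]]
    return out


if __name__ == "__main__":
    print(not_confirmed(verify_cleanup(CFSCRIPT, BEFORE_LOG, AFTER_LOG)))
```

Here the only item the second log does not confirm is `albxfhid.sys`, which the first log already showed with `[?]` in place of a date and size, so it is worth a manual check that the file is absent from disk.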

#12 myrti


Posted 29 November 2009 - 07:28 PM

Hi,

Could you please run a scan with Malwarebytes:
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.

As well as a new scan with gmer:
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

    Posted Image
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

To see what is left on your system. Please also let me know if the problem with the activation persists.

regards myrti



#13 L0v3LESS


Posted 29 November 2009 - 10:09 PM

Activation link still does not work, nor does command line "oobe/msoobe /a".

MalwareBytes log:

Malwarebytes' Anti-Malware 1.41
Database version: 3259
Windows 5.1.2600 Service Pack 2

11/29/2009 9:01:56 PM
mbam-log-2009-11-29 (21-01-56).txt

Scan type: Quick Scan
Objects scanned: 104637
Time elapsed: 4 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


GMER:

GMER 1.0.15.15252 - http://www.gmer.net
Rootkit scan 2009-11-29 22:06:50
Windows 5.1.2600 Service Pack 2
Running: 4c676b48.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\kxtcyfod.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xACB476B8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xACB47574]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xACB47A52]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xACB4714C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xACB4764E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xACB4708C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xACB470F0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xACB4776E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xACB4772E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xACB478AE]

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xB99A0000, 0x17C940, 0xE8000020]

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\services.exe[932] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00380002
IAT C:\WINDOWS\system32\services.exe[932] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00380000

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

---- EOF - GMER 1.0.15 ----

#14 myrti


Posted 01 December 2009 - 08:14 AM

Hi,

The good news is that I don't see any infection present on your PC anymore. Just to be safe, I would like to do an online scan:
I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image
In regards to your activation problem: What exactly happens when you enter "oobe/msoobe /a", do you get no reaction at all? Or do you get the same activation window, which crashes?

Please try to run Dial-A-Fix to fix some common errors:
Please read through this guide first
  • Please download Dial-A-Fix
  • Extract the zip file to your desktop.
  • Double click Dial-a-Fix.exe to start the program.
  • Press the green double checkmark box (Looks like this: Posted Image)
  • UNcheck "Empty Temp Folders", as well as "Adjust Time/Date" in the prep section. The prep section should then look like this:
    Posted Image
  • When the window looks like this, press the GO button in the bottom of the window.
    Posted Image
  • Exit/Close Dial-A-Fix
Let me know if this improves things.

regards myrti



#15 L0v3LESS


Posted 01 December 2009 - 05:20 PM

Hi, Dial-a-fix did not allow me to open windows activation window. When I run oobe/msoobe /a, the command prompt says that oobe is not a recognized command. When I click the link, nothing happens. Also, an issue is present with Internet Explorer (it has now reverted back to IE6, I had IE8 before). When I open it and enter a link, it gives me an error "The requested lookup key was not found in any active activation context." Will scan with ESET now, but any solutions to those problems?



