
Some kind of faux-Antimalware trojan/spyware issues


  • This topic is locked
51 replies to this topic

#1 monkeythedog (Members, 49 posts, Location: Boston)

Posted 23 April 2010 - 02:16 PM

Greetings. I've heard good things about this place, and I hope someone might be of assistance.

I happened upon some particularly nasty antimalware trojan/spyware stickiness a few days ago and have since been trying to get my computer back to normal. Using everything from Symantec, Malwarebytes' Anti-Malware and Hijackthis, I've managed to restore things to nearly working order.

Once I got over the initial frustration and at least got basic control of my machine back, I found that I was still unable to open IE or Firefox. I was getting odd error messages about missing dll files. So, I checked out another forum on here and thought that might do it. Not quite.

I've managed to at least get IE back to a functional state, but I'm still unable to open Firefox. I've tried uninstalling/reinstalling, but that didn't work either. When I try to open it now, all I get is an error message titled "Entry Point Not Found":

The procedure entry point WahGetContext could not be located in the dynamic link library WS2HELP.dll.


Any suggestions for how to clean this up and get my Firefox back and working?

Thanks in advance. A sixer of Sam Adams to anyone who can help.

Edited by Budapest, 23 April 2010 - 04:51 PM.
Moved from Virus, Trojan, Spyware, and Malware Removal Logs ~BP



#2 Budapest, Bleepin' Cynic (Moderator, 23,579 posts)

Posted 23 April 2010 - 04:53 PM

Run a scan with Malwarebytes and post the log.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#3 monkeythedog (Topic Starter)

Posted 24 April 2010 - 03:40 PM

And this:


Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 4020

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/24/2010 4:38:55 PM
mbam-log-2010-04-24 (16-38-55).txt

Scan type: Quick scan
Objects scanned: 105158
Time elapsed: 2 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 3
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\idstrf (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\winid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\nofolderoptions (Hijack.FolderOptions) -> Delete on reboot.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\newuser\Local Settings\Temp\jisfije9fjoiee.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.


#4 Budapest (Moderator)

Posted 24 April 2010 - 04:18 PM

I removed your DDS log.

Please run another Malwarebytes scan and post the new log.

#5 monkeythedog (Topic Starter)

Posted 25 April 2010 - 02:04 PM

Thanks for the help. Here's the latest.

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 4020

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/25/2010 3:03:22 PM
mbam-log-2010-04-25 (15-03-22).txt

Scan type: Full scan (C:\|)
Objects scanned: 194551
Time elapsed: 1 hour(s), 24 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hsf87efjhdsf87f3jfsdi7fhsujfd (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


#6 monkeythedog (Topic Starter)

Posted 25 April 2010 - 02:34 PM

Once that Malwarebytes check ended, my Symantec came on and said I have a few more errors. It supposedly dealt with them and told me to restart.

I did. And when windows came back up, I got a new RUNDLL error that states the following:

Error loading C:\DOCUME~1\newuser\LOCALS~1\Temp\vookk2z9o.dll

The specified module could not be found.




#7 Budapest (Moderator)

Posted 25 April 2010 - 03:47 PM

Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If it will not start, go to Start > All Programs > SUPERAntiSpyware and click on Alternate Start.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply (you can edit out all the cookies if you like).
  • Click Close to exit the program.
If you have a problem downloading, installing or getting SAS to run, try downloading and using the SUPERAntiSpyware Portable Scanner instead. Save the randomly named file (i.e. SAS_1710895.COM) to a usb drive or CD and transfer to the infected computer. Then double-click on it to launch and scan. The file is randomly named to help keep malware from blocking the scanner.

#8 monkeythedog (Topic Starter)

Posted 26 April 2010 - 11:11 AM

Here it is. Thanks again.
------------------------------

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/26/2010 at 05:46 AM

Application Version : 4.35.1002

Core Rules Database Version : 4850
Trace Rules Database Version: 2662

Scan type : Complete Scan
Total Scan Time : 04:37:22

Memory items scanned : 259
Memory threats detected : 0
Registry items scanned : 5386
Registry threats detected : 11
File items scanned : 97603
File threats detected : 79

Trojan.Agent/Gen-Ertfor
HKLM\Software\Classes\CLSID\{A2BA40A0-74F1-52BD-F411-00B15A2C8953}
HKCR\CLSID\{A2BA40A0-74F1-52BD-F411-00B15A2C8953}
HKCR\CLSID\{A2BA40A0-74F1-52BD-F411-00B15A2C8953}
HKCR\CLSID\{A2BA40A0-74F1-52BD-F411-00B15A2C8953}#ThreadingModel
HKCR\CLSID\{A2BA40A0-74F1-52BD-F411-00B15A2C8953}\InProcServer32
HKCR\CLSID\{A2BA40A0-74F1-52BD-F411-00B15A2C8953}\InProcServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\RYHDZ4.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A2BA40A0-74F1-52BD-F411-00B15A2C8953}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler#{A2BA40A0-74F1-52BD-F411-00B15A2C8953}
HKU\S-1-5-21-1085031214-1606980848-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A2BA40A0-74F1-52BD-F411-00B15A2C8953}

Adware.Tracking Cookie
C:\Documents and Settings\newuser\Cookies\stu@ads.widgetbucks[1].txt
C:\Documents and Settings\newuser\Cookies\stu@bs.serving-sys[2].txt
C:\Documents and Settings\newuser\Cookies\stu@tribalfusion[2].txt
C:\Documents and Settings\newuser\Cookies\stu@statcounter[1].txt
C:\Documents and Settings\newuser\Cookies\stu@sales.liveperson[1].txt
C:\Documents and Settings\newuser\Cookies\stu@gettyimages.122.2o7[1].txt
C:\Documents and Settings\newuser\Cookies\stu@insightexpressai[2].txt
C:\Documents and Settings\newuser\Cookies\stu@adrevolver[2].txt
C:\Documents and Settings\newuser\Cookies\stu@centralmediaserver[2].txt
C:\Documents and Settings\newuser\Cookies\stu@invitemedia[2].txt
C:\Documents and Settings\newuser\Cookies\stu@apartmentfinder[1].txt
C:\Documents and Settings\newuser\Cookies\stu@usatoday1.112.2o7[1].txt
C:\Documents and Settings\newuser\Cookies\stu@adecn[1].txt
C:\Documents and Settings\newuser\Cookies\stu@yieldmanager[1].txt
C:\Documents and Settings\newuser\Cookies\stu@at.atwola[2].txt
C:\Documents and Settings\newuser\Cookies\stu@windowsmedia[1].txt
C:\Documents and Settings\newuser\Cookies\stu@realmedia[1].txt
C:\Documents and Settings\newuser\Cookies\stu@msnportal.112.2o7[1].txt
C:\Documents and Settings\newuser\Cookies\stu@indexstats[2].txt
C:\Documents and Settings\newuser\Cookies\stu@collective-media[1].txt
C:\Documents and Settings\newuser\Cookies\stu@burstnet[2].txt
C:\Documents and Settings\newuser\Cookies\stu@specificmedia[1].txt
C:\Documents and Settings\newuser\Cookies\stu@ads.pgatour[1].txt
C:\Documents and Settings\newuser\Cookies\stu@www.burstnet[2].txt
C:\Documents and Settings\newuser\Cookies\stu@zedo[1].txt
C:\Documents and Settings\newuser\Cookies\stu@adbrite[1].txt
C:\Documents and Settings\newuser\Cookies\stu@msnbc.112.2o7[1].txt
C:\Documents and Settings\newuser\Cookies\stu@tacoda[1].txt
C:\Documents and Settings\newuser\Cookies\stu@ads.bcserving[1].txt
C:\Documents and Settings\newuser\Cookies\stu@statse.webtrendslive[1].txt
C:\Documents and Settings\newuser\Cookies\stu@media6degrees[2].txt
C:\Documents and Settings\newuser\Cookies\stu@qnsr[1].txt
C:\Documents and Settings\newuser\Cookies\stu@2o7[2].txt
C:\Documents and Settings\newuser\Cookies\stu@questionmarket[2].txt
C:\Documents and Settings\newuser\Cookies\stu@microsoftwindows.112.2o7[1].txt
C:\Documents and Settings\newuser\Cookies\stu@specificclick[2].txt
C:\Documents and Settings\newuser\Cookies\stu@mediaplex[1].txt
C:\Documents and Settings\newuser\Cookies\stu@revsci[2].txt
C:\Documents and Settings\newuser\Cookies\stu@host.oddcast[2].txt
C:\Documents and Settings\newuser\Cookies\stu@ad.yieldmanager[2].txt
C:\Documents and Settings\newuser\Cookies\stu@adserv.prsa[2].txt
C:\Documents and Settings\newuser\Cookies\stu@doubleclick[1].txt
C:\Documents and Settings\newuser\Cookies\stu@serving-sys[1].txt
C:\Documents and Settings\newuser\Cookies\stu@surveymonkey.122.2o7[1].txt
C:\Documents and Settings\newuser\Cookies\stu@content.yieldmanager[3].txt
C:\Documents and Settings\newuser\Cookies\stu@c7.zedo[2].txt
C:\Documents and Settings\newuser\Cookies\stu@adopt.specificclick[2].txt
C:\Documents and Settings\newuser\Cookies\stu@admarketplace[1].txt
C:\Documents and Settings\newuser\Cookies\stu@fastclick[1].txt
C:\Documents and Settings\newuser\Cookies\stu@interclick[2].txt
C:\Documents and Settings\newuser\Cookies\stu@advertise[1].txt
C:\Documents and Settings\newuser\Cookies\stu@atdmt[1].txt
C:\Documents and Settings\newuser\Cookies\stu@counter.surfcounters[1].txt
C:\Documents and Settings\newuser\Cookies\stu@bridge1.admarketplace[1].txt
C:\Documents and Settings\newuser\Cookies\stu@www.apartmentfinder[1].txt
C:\Documents and Settings\newuser\Cookies\stu@legolas-media[1].txt
C:\Documents and Settings\newuser\Cookies\stu@advertising[1].txt
C:\Documents and Settings\newuser\Cookies\stu@www.burstbeacon[1].txt
C:\Documents and Settings\newuser\Cookies\stu@apmebf[2].txt
C:\Documents and Settings\newuser\Cookies\stu@media.adrevolver[1].txt
C:\Documents and Settings\newuser\Cookies\stu@imrworldwide[2].txt
C:\Documents and Settings\newuser\Cookies\stu@roiservice[1].txt
C:\Documents and Settings\newuser\Cookies\stu@sales.liveperson[3].txt
C:\Documents and Settings\newuser\Cookies\stu@rotator.adjuggler[2].txt
C:\Documents and Settings\newuser\Cookies\stu@ads.pointroll[1].txt
C:\Documents and Settings\newuser\Cookies\stu@pointroll[2].txt
C:\Documents and Settings\newuser\Cookies\stu@cb.adbureau[2].txt
C:\Documents and Settings\newuser\Cookies\stu@trafficmp[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@advertise[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@bs.serving-sys[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@collective-media[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@dc.tremormedia[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@doubleclick[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@serving-sys[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@yadro[2].txt

Rootkit.Agent/Gen-TDS[Pragma]
HKU\.DEFAULT\Software\Pragma
HKU\S-1-5-18\Software\Pragma

Trojan.Agent/Gen-FakeAV
C:\DOCUMENTS AND SETTINGS\NEWUSER\LOCAL SETTINGS\TEMP\985219194.EXE

Rogue.Agent/Gen-Nullo[DLL]
C:\WINDOWS\SYSTEM32\D04TNIUW.DLL


#9 Budapest (Moderator)

Posted 26 April 2010 - 04:14 PM

Run another Malwarebytes scan and post the log.

Also, let me know how your computer is running now.

#10 monkeythedog (Topic Starter)

Posted 26 April 2010 - 09:14 PM

When I last rebooted, I got the same pop-up error when Windows loaded.

Error loading C:\DOCUME~1\newuser\LOCALS~1\Temp\vookk2z9o.dll

The specified module could not be found.


Beyond that, Firefox still won't open. I'm still getting this error message when I try to open it.

The procedure entry point WahGetContext could not be located in the dynamic link library WS2HELP.dll.


I'm running Malwarebytes again now and will post the log.

#11 monkeythedog (Topic Starter)

Posted 27 April 2010 - 01:36 AM

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 4020

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/27/2010 2:35:25 AM
mbam-log-2010-04-27 (02-35-25).txt

Scan type: Full scan (C:\|)
Objects scanned: 195544
Time elapsed: 1 hour(s), 10 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hsf87efjhdsf87f3jfsdi7fhsujfd (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

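The two full-scan logs above report the same HKCU Run value as "Quarantined and deleted successfully" two days apart, and the RUNDLL error for a DLL under Temp keeps coming back at boot. Something still active is re-creating the entry, which a single log cannot show but a comparison across scans can. The following is an added example (my own code, not from the thread and not Malwarebytes code) that parses detection lines in the MBAM 1.x text-log format shown in this thread, classifies each entry (autorun persistence, policy tampering that locks the user out of Folder Options and regedit, dropped file in Temp, infection marker), and flags entries that reappear after having been reported removed. The log excerpts embedded in it are constructed from the three logs posted above; the classification rules, the 12-character length cutoff and the vowel-ratio heuristic for random-looking names are my own thresholds, not Malwarebytes'.

```python
"""Triage MBAM 1.x text-log detections across several scans.

Added example for this thread; not Malwarebytes code. Parses the detection
sections of the log format shown above, classifies each entry, and flags
entries reported removed in one scan that show up again in a later one.
"""
import re

# Sample input, constructed from the three logs posted in this thread
# (24, 25 and 27 April 2010). Only the detection sections are reproduced.
SCAN_24_APR = r"""
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\idstrf (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\winid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\nofolderoptions (Hijack.FolderOptions) -> Delete on reboot.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\newuser\Local Settings\Temp\jisfije9fjoiee.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
"""
SCAN_25_APR = r"""
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hsf87efjhdsf87f3jfsdi7fhsujfd (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)
"""
SCAN_27_APR = SCAN_25_APR  # the 27 April log lists exactly the same detection

# One detection line: "<path> (<detection>) -> [Bad: (x) Good: (y) -> ]<action>."
ENTRY_RE = re.compile(
    r"^(?P<path>.+?) \((?P<detection>[^()]+)\) -> "
    r"(?:Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\) -> )?"
    r"(?P<action>[^>]+?)\.?$"
)
VOWELS = set("aeiou")


def parse_mbam_detections(log_text):
    """Return one dict per detection line, tagged with the section it sits in."""
    entries, section = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("(No malicious"):
            continue
        if line.endswith("Infected:"):          # e.g. "Registry Values Infected:"
            section = line[: -len(" Infected:")]
            continue
        m = ENTRY_RE.match(line)
        if section and m:
            entries.append({"section": section, **m.groupdict()})
    return entries


def looks_random(name):
    """Heuristic (own threshold): long names with few vowels among their letters
    look machine-generated. Short or word-like names are not flagged."""
    letters = [c for c in name.lower() if c.isalpha()]
    if len(name) < 12 or not letters:
        return False
    return sum(c in VOWELS for c in letters) / len(letters) < 0.2


def classify(entry):
    """Label what an entry does, judged from its registry/file location."""
    path = entry["path"].lower()
    leaf = path.rsplit("\\", 1)[-1]
    if "\\currentversion\\run" in path:
        kind = "autorun persistence"
    elif "\\policies\\" in path:
        kind = "policy tamper (locks user out of tools)"
    elif "\\temp\\" in path:
        kind = "dropped file in a Temp directory"
    elif entry["detection"] == "Malware.Trace":
        kind = "infection marker"
    else:
        kind = "other"
    if looks_random(leaf):
        kind += ", random-looking name"
    return kind


def recurring_detections(scans):
    """scans: parsed entry lists in chronological order. Returns the paths that
    one scan reported as deleted and a later scan detected again."""
    removed, seen, out = set(), set(), []
    for entries in scans:
        for e in entries:
            key = e["path"].lower()
            if key in removed and key not in seen:
                seen.add(key)
                out.append(e["path"])
        removed.update(e["path"].lower() for e in entries
                       if "deleted" in e["action"].lower())
    return out


def triage_report(scans):
    """Human-readable lines: the latest scan's entries plus anything recurring."""
    lines = [f"{e['section']}: {e['path']} [{e['detection']}] -> {classify(e)}"
             for e in scans[-1]]
    lines += [f"RECURRING after removal: {p} (something active re-creates it)"
              for p in recurring_detections(scans)]
    return lines


if __name__ == "__main__":
    scans = [parse_mbam_detections(t) for t in (SCAN_24_APR, SCAN_25_APR, SCAN_27_APR)]
    print("\n".join(triage_report(scans)))
```

A recurring Run value with a random-looking name is the cue to stop re-running the same scanner and look for the component that writes it; in this thread that turns out to be the BHO DLL the SUPERAntiSpyware scan finds later.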

#12 Budapest (Moderator)

Posted 27 April 2010 - 01:43 AM

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download Dr.Web CureIt and save it to your desktop. DO NOT perform a scan yet.
alternate download link
Note: The file will be randomly named (i.e. 5mkuvc4z.exe).

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on the randomly named file to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to download the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All. (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • After the Express Scan is finished, put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and uncheck "Heuristic analysis" under the "Scanning" tab, then click Apply, Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • Please be patient as this scan could take a long time to complete.
  • When the scan has finished, a message will be displayed at the bottom indicating if any viruses were found.
  • Click Select All, then choose Cure > Move incurable.
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)


#13 monkeythedog (Topic Starter)

Posted 27 April 2010 - 04:00 PM

In trying to run the Dr. Web express scan in safe mode, my computer basically stopped processing. Thinking it had choked on the program, I did a manual restart. But when I tried to restart in safe mode (and later, trying to restart normal windows), I got a new error message:

Windows could not start because the following file is missing or corrupt:
\WINDOWS\SYSTEM\vgaoem.fon

You can attempt to repair this file by starting Windows Setup using the original Setup CD-ROM.
Select 'r' at the first screen to start repair.


I literally cannot even load Windows. Any ideas?

Edited by monkeythedog, 27 April 2010 - 04:16 PM.


#14 Budapest (Moderator)

Posted 27 April 2010 - 06:07 PM

I am going to get some more help here from other members. Hang in there.

#15 JSntgRvr, Master Surgeon General (Malware Response Team, 11,761 posts, Location: Puerto Rico)

Posted 27 April 2010 - 07:00 PM

Hi, monkeythedog

Let's give this a try. You will need a flash drive to move information from the sick computer to a working computer. It is the only way we can see the progress of our actions. Save these instructions on your flash drive as a text file (use Notepad) so you can have access to them while in an external environment (PE).

Here is what you need to do.

Two programs to download

First

Download ISOBurner. Click Here for ISOBurner Instructions. Install the program, and follow the next set of steps.

Second
  • Download OTLPE.iso and burn to a CD using ISO Burner. NOTE: This file is 276.7MB in size so it may take some time to download.
  • When downloaded double click and this will then open ISOBurner to burn the file to CD
  • Boot the non-working computer using the boot CD you just created.
  • In order to do so, the computer must be set to boot from the CD first
    Note : For information click here
  • Your system should now display a REATOGO-X-PE desktop.
  • Double-click on the OTLPE icon.
  • When asked "Do you wish to load the remote registry", select Yes
  • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTL should now start. Change the following settings
    • Change Drivers to All
    • Change Standard Registry to All
    • Under the Custom Scan box paste this in

      /md5start
      eventlog.dll
      scecli.dll
      netlogon.dll
      cngaudit.dll
      sceclt.dll
      ntelogon.dll
      logevent.dll
      vgaoem.fon
      iaStor.sys
      nvstor.sys
      atapi.sys
      IdeChnDr.sys
      viasraid.sys
      AGP440.sys
      vaxscsi.sys
      nvatabus.sys
      viamraid.sys
      nvata.sys
      nvgts.sys
      iastorv.sys
      ViPrt.sys
      eNetHook.dll
      ahcix86.sys
      KR10N.sys
      nvstor32.sys
      ahcix86s.sys
      nvrd32.sys
      userinit.exe
      explorer.exe
      ntoskrnl.exe
      /md5stop
      %SYSTEMDRIVE%\*.*
      %systemroot%\*. /mp /s
      %systemroot%\System32\config\*.sav
  • Press Run Scan to start the scan.
  • When finished, the file will be saved in drive C:\OTL.txt
  • Copy this file to your USB drive.
  • Please post the contents of the C:\OTL.txt file in your reply.

No requests for help through private messaging will be attended to.

If I have helped you, consider making a donation to help me continue the fight against Malware!




