Unable to boot after Patched_c.Jee malware


105 replies to this topic

#46 oldman960

oldman960

    Forum God

  • Retired Classroom Teacher
  • 14,770 posts

Posted 27 October 2010 - 10:26 PM

Hi Alantb,

In Task Manager
  • click file
  • click New Task(Run...)
  • type the following line into the open: field

    cmd

  • click ok
A black command window will open.

From the prompt type

copy C:\WINDOWS\ServicePackFiles\i386\explorer.exe C:\windows\explorer.exe

Hit enter.

There is a space after copy and a space after i386\explorer.exe

You should receive a 1 file(s) copied message

Type exit and hit enter.

In Task Manager
  • click file
  • click New Task(Run...)
  • type the following line into the open:


    explorer.exe

  • click ok
Your desktop should appear.

Click your start button, right click My Computer and click properties
  • click the hardware tab
  • click Device manager
Any yellow ! marks?

Proud Graduate of the WTT Classroom
If you are happy with the help you received, please consider making a Donation
Curiosity didn't kill the cat. Ignorance did, curiosity was framed.
Learn how to protect Yourself

Microsoft MVP 2011-2015

Threads will be closed if no response after 5 days.



#47 Alantb

Alantb

    Authentic Member

  • Authentic Member
  • PipPip
  • 62 posts

Posted 29 October 2010 - 05:35 AM

Hi Oldman - Full Marks! :thumbup: Brilliant work on your behalf! :yeah: No yellow marks on the hardware and ostensibly it's all working. I haven't connected to the net yet, I feel that I should run some anti-malware first. I have AVGfree, Zone Alarm and Malwarebytes - these are (of course) not up-to-date. What can you suggest, bearing in mind that they didn't seem to fix the original problem - and what do you think this was?? Cheers, Alan

Edited by Alantb, 29 October 2010 - 05:37 AM.


#48 Alantb

Alantb

    Authentic Member

  • Authentic Member
  • PipPip
  • 62 posts

Posted 29 October 2010 - 06:00 AM

Hi Oldman; it's not quite all fixed just yet, the bug has blown my network and internet connections. I don't feel happy about restoring these until I am certain that I am bug free. Do you think that I should download something via the good pc onto a pendrive or such and use that to clean the system? Cheers, still really pleased with the job you have done :thumbup: Alan

#49 oldman960

oldman960

    Forum God

  • Retired Classroom Teacher
  • 14,770 posts

Posted 29 October 2010 - 06:19 AM

Hi Alantb,

Let's get a look at the system. Do not run any scans with anything unless requested to.

This tool will require you to download a file. Follow these instructions on the good computer. After you have downloaded both the tool, OTL, and the file, transfer both tool and file directly to the infected computer's desktop via the pendrive then follow the rest of the instructions for running OTL.

On the clean computer
Download OTL to your Desktop
  • Download the following file scan.txt to your Desktop. Click here to download it. You may need to right click on it and select "Save"

Transfer both OTL and scan.txt to the infected computer's desktop.

On the infected computer
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Click on Minimal Output at the top
  • Double click inside the Custom Scan box at the bottom
  • A window will appear saying "Click OK to load a custom scan from a file or Cancel to cancel"
  • Click the OK button and navigate to the file scan.txt which we just saved to your desktop
  • Select scan.txt and click Open. Writing will now appear under the Custom Scan box
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time and post them in your topic


#50 Alantb

Alantb

    Authentic Member

  • Authentic Member
  • PipPip
  • 62 posts

Posted 29 October 2010 - 07:55 AM

Hi Oldman - here you go - Did That go OK?

Attached Files

  • Attached File  OTL.Txt   135.83KB   164 downloads
  • Attached File  Extras.Txt   39.46KB   168 downloads

Edited by Alantb, 29 October 2010 - 07:56 AM.


#51 oldman960

oldman960

    Forum God

  • Retired Classroom Teacher
  • 14,770 posts

Posted 30 October 2010 - 12:39 AM

Hi Alantb,

It worked just fine.

Download this file Attached File  fix.txt   629bytes   127 downloads
and transfer it to the desktop of the infected computer.

On the infected computer

First we need to disable a program that may interfere with our fixes. Please leave it disabled until we are finished.

SPYBOT TEATIMER
  • Launch Spybot S&D, go to the Mode menu and make sure "Advanced Mode" is selected.
  • On the left hand side, click on Tools, then click on the Resident Icon in the list.
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • Click on the "System Startup" icon in the List
  • Uncheck the "TeaTimer" box and "OK" any prompts.
  • If Teatimer gives you a warning that changes were made, click the "Allow Change" box when prompted.
  • Exit Spybot S&D when done and reboot your computer.
    (When we are done, you can re-enable Teatimer using the same steps but this time place a check next to "Resident TeaTimer" and check the "TeaTimer" box in System Startup.)

  • Double click on OTL.exe to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Double click inside the Custom Scan box at the bottom
  • A window will appear saying "Click OK to load a custom scan from a file or Cancel to cancel"
  • Click the OK button and navigate to the file fix.txt which we just saved to your desktop
  • Select scan.txt and click Open. Writing will now appear under the Custom Scan/Fixes box
  • Click the Run Fix button.
Please post the resulting log. If the log does not pop up it can be found at C:\_OTL\MovedFiles It will be a file named similar to 10302010 090000.log

After running OTL try connecting to the internet.

Thanks


#52 Alantb

Alantb

    Authentic Member

  • Authentic Member
  • PipPip
  • 62 posts

Posted 30 October 2010 - 02:03 AM

Hi Oldman - here it is - I had to paste it in because the system said I wasn't allowed to upload this type of file - is this normal? Cheers, Alan

OTL by OldTimer - Version 3.2.17.1 log created on 10302010_085341

#53 oldman960

oldman960

    Forum God

  • Retired Classroom Teacher
  • 14,770 posts

Posted 30 October 2010 - 02:40 AM

Hi Alantb,

Seems you tried to attach the file. .log files are not allowed so copy and paste is the way to go. It also looks like you pasted the scan.txt instead of the fix.txt into the Custom Scans/fixes box. My fault.


Let's do it this way.

On the clean computer

Open a new Notepad session
  • Click the Start button, click run
  • in the run box type notepad
  • click ok
  • In the notepad, Click "Format" and be certain that Word Wrap is not checked.
  • Copy and paste all the text in the code box below into the Notepad. Do Not copy the word CODE

:Services

:OTL
DRV - (jghh) -- C:\WINDOWS\System32\drivers\ibgm.sys File not found
DRV - (khqlmxop) -- C:\WINDOWS\system32\drivers\oopuhnpkpjv.sys ()
IE - HKCU\..\URLSearchHook: *{66f2e20d-0da8-4c11-a9c8-dd8477b88acd} - Reg Error: Key error. File not found
IE - HKCU\..\URLSearchHook: *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - Reg Error: Key error. File not found

:Reg
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Alcmtr"=-

:Files
C:\Documents and Settings\All Users\Documents\Server
ipconfig /flushdns /c
C:\WINDOWS\tasks\At*.job

:Commands
[emptytemp]
[createrestorepoint]
[Reboot]

In the notepad
  • Click File, Save as..., and set the Save in to your Desktop
  • In the filename box, type (including quotation marks) as the filename: "fix1.txt"
  • Click save

Transfer the notepad to the infected computer's desktop.

On the infected computer

Delete the notepad named fix.txt from your desktop.

Open the file fix1.txt
  • right click on the text and click select all
  • right click on the highlighted text and click copy

Double click on OTL.exe
  • Under the Custom Scans/Fixes box at the bottom, right click and select paste
The text from the notepad should appear.

Click the Run Fix button at the top
  • Let the program run unhindered
  • Please save the resulting log to be posted in your next reply.
Please post the OTL fix log.

Thanks

Proud Graduate of the WTT Classroom
If you are happy with the help you received, please consider making a Donation
Curiosity didn't kill the cat. Ignorance did, curiosity was framed.
Learn how to protect Yourself

Microsoft MVP 2011-2015

Threads will be closed if no response after 5 days.

#54 Alantb

Alantb

    Authentic Member

  • Authentic Member
  • PipPip
  • 62 posts

Posted 30 October 2010 - 05:59 AM

Hi Oldman; Here we go again, have I done it right this time?
Enjoy Halloween!
Alan

All processes killed
========== SERVICES/DRIVERS ==========
========== OTL ==========
Service jghh stopped successfully!
Service jghh deleted successfully!
File C:\WINDOWS\System32\drivers\ibgm.sys File not found not found.
Service khqlmxop stopped successfully!
Service khqlmxop deleted successfully!
C:\WINDOWS\system32\drivers\oopuhnpkpjv.sys moved successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\\*{66f2e20d-0da8-4c11-a9c8-dd8477b88acd} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\*{66f2e20d-0da8-4c11-a9c8-dd8477b88acd}\ not found.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\\*{CFBFAE00-17A6-11D0-99CB-00C04FD64497} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\*{CFBFAE00-17A6-11D0-99CB-00C04FD64497}\ not found.
========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Alcmtr deleted successfully.
========== FILES ==========
C:\Documents and Settings\All Users\Documents\Server folder moved successfully.
< ipconfig /flushdns /c >
Windows IP Configuration
C:\Documents and Settings\All Users\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\All Users\Desktop\cmd.txt deleted successfully.
C:\WINDOWS\tasks\At1.job moved successfully.
C:\WINDOWS\tasks\At10.job moved successfully.
C:\WINDOWS\tasks\At11.job moved successfully.
C:\WINDOWS\tasks\At12.job moved successfully.
C:\WINDOWS\tasks\At13.job moved successfully.
C:\WINDOWS\tasks\At14.job moved successfully.
C:\WINDOWS\tasks\At15.job moved successfully.
C:\WINDOWS\tasks\At16.job moved successfully.
C:\WINDOWS\tasks\At17.job moved successfully.
C:\WINDOWS\tasks\At18.job moved successfully.
C:\WINDOWS\tasks\At19.job moved successfully.
C:\WINDOWS\tasks\At2.job moved successfully.
C:\WINDOWS\tasks\At20.job moved successfully.
C:\WINDOWS\tasks\At21.job moved successfully.
C:\WINDOWS\tasks\At22.job moved successfully.
C:\WINDOWS\tasks\At23.job moved successfully.
C:\WINDOWS\tasks\At24.job moved successfully.
C:\WINDOWS\tasks\At3.job moved successfully.
C:\WINDOWS\tasks\At4.job moved successfully.
C:\WINDOWS\tasks\At5.job moved successfully.
C:\WINDOWS\tasks\At6.job moved successfully.
C:\WINDOWS\tasks\At7.job moved successfully.
C:\WINDOWS\tasks\At8.job moved successfully.
C:\WINDOWS\tasks\At9.job moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Alan
->Temp folder emptied: 22684648 bytes
->Temporary Internet Files folder emptied: 70565805 bytes
->Java cache emptied: 72664737 bytes
->FireFox cache emptied: 45532517 bytes
->Flash cache emptied: 15638 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: LocalService
->Temp folder emptied: 2053128 bytes
->Temporary Internet Files folder emptied: 2179629 bytes
->Flash cache emptied: 1254 bytes

User: NetworkService
->Temp folder emptied: 1989516 bytes
->Temporary Internet Files folder emptied: 1740067 bytes
->Flash cache emptied: 6042 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2190207 bytes
%systemroot%\System32 .tmp files removed: 1162769 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 3552764 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 65358724 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 925777735 bytes

Total Files Cleaned = 1,161.00 mb

Restore point Set: OTL Restore Point (0)

OTL by OldTimer - Version 3.2.17.1 log created on 10302010_124948

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

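The fix script in #53 and the fix log in #54 are two halves of one procedure: the script names the targets (services, driver files, URLSearchHooks, a Run value, a folder, a wildcard of At*.job tasks), and the log records what OTL did with each. A helper reviewing such a log wants to know that every target was accounted for, not just that the run finished. The following Python is an added example, not part of this thread and not OTL's own code: it parses abridged copies of the script and log from the two posts above (embedded here as sample input) and reports, per target, what the log says happened. It understands only the section and line grammar visible in this thread; the status "no evidence" marks a target the log never mentions, which is the case worth a second look.

```python
import fnmatch
import re

# Abridged copies of the fix script and fix log posted in this thread, embedded
# as sample input so the example runs offline.
FIX_SCRIPT = r"""
:OTL
DRV - (jghh) -- C:\WINDOWS\System32\drivers\ibgm.sys File not found
DRV - (khqlmxop) -- C:\WINDOWS\system32\drivers\oopuhnpkpjv.sys ()
IE - HKCU\..\URLSearchHook: *{66f2e20d-0da8-4c11-a9c8-dd8477b88acd} - Reg Error: Key error. File not found

:Reg
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Alcmtr"=-

:Files
C:\Documents and Settings\All Users\Documents\Server
ipconfig /flushdns /c
C:\WINDOWS\tasks\At*.job
"""

FIX_LOG = r"""
Service jghh stopped successfully!
Service jghh deleted successfully!
File C:\WINDOWS\System32\drivers\ibgm.sys File not found not found.
Service khqlmxop deleted successfully!
C:\WINDOWS\system32\drivers\oopuhnpkpjv.sys moved successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\\*{66f2e20d-0da8-4c11-a9c8-dd8477b88acd} deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Alcmtr deleted successfully.
C:\Documents and Settings\All Users\Documents\Server folder moved successfully.
< ipconfig /flushdns /c >
C:\WINDOWS\tasks\At1.job moved successfully.
C:\WINDOWS\tasks\At2.job moved successfully.
"""


def parse_fix(script):
    """Return (kind, name) targets named in the :OTL, :Reg and :Files sections."""
    targets, section, reg_key = [], None, None
    for line in (l.strip() for l in script.splitlines()):
        if not line:
            continue
        if line.startswith(":"):                      # section header such as :OTL
            section = line[1:].lower()
        elif section == "otl":
            drv = re.match(r"DRV - \((\S+)\) -- (.+?)(?: \(\)| File not found|$)", line)
            hook = re.search(r"URLSearchHook: (\*?\{[0-9a-fA-F-]+\})", line)
            if drv:
                targets += [("service", drv.group(1)), ("file", drv.group(2))]
            elif hook:
                targets.append(("urlsearchhook", hook.group(1)))
        elif section == "reg":
            if line.startswith("["):                  # [key] line; its values follow
                reg_key = line.strip("[]")
            else:
                val = re.match(r'"([^"]+)"=-', line)  # "Name"=- deletes that value
                if val and reg_key:
                    targets.append(("regvalue", reg_key + r"\\" + val.group(1)))
        elif section == "files":
            kind = "file" if re.match(r"[A-Za-z]:\\", line) else "command"
            targets.append((kind, line))
    return targets


def parse_log(log):
    """Map each object the fix log reports on to the outcome OTL recorded for it."""
    outcome = {}
    for line in (l.strip() for l in log.splitlines()):
        if m := re.match(r"Service (\S+) deleted successfully!", line):
            outcome[("service", m.group(1))] = "deleted"
        elif m := re.match(r"File (.+?) File not found not found\.", line):
            outcome[("file", m.group(1).lower())] = "not found"
        elif m := re.match(r"(.+?) (?:folder )?moved successfully\.", line):
            outcome[("file", m.group(1).lower())] = "moved"
        elif m := re.match(r"Registry value (.+?) deleted successfully\.", line):
            path = m.group(1)
            if "URLSearchHooks" in path:              # log keys hooks by their CLSID
                outcome[("urlsearchhook", path.rsplit("\\", 1)[1])] = "deleted"
            else:
                outcome[("regvalue", path)] = "deleted"
    return outcome


def reconcile(script, log):
    """For every target in the fix script, say what the fix log shows happened to it."""
    outcome, report = parse_log(log), {}
    for kind, name in parse_fix(script):
        if kind == "command":                         # OTL echoes commands as < cmd >
            status = "ran" if f"< {name} >" in log else "no evidence"
        elif kind == "file" and any(c in name for c in "*?"):   # wildcard target
            hits = [o for (k, n), o in outcome.items()
                    if k == "file" and fnmatch.fnmatchcase(n, name.lower())]
            status = f"{hits[0]} x{len(hits)}" if hits else "no evidence"
        elif kind == "file":
            status = outcome.get((kind, name.lower()), "no evidence")
        else:
            status = outcome.get((kind, name), "no evidence")
        report[(kind, name)] = status
    return report


def unresolved(script, log):
    """Targets the log never accounts for: re-check these before calling the box clean."""
    return [t for t, s in reconcile(script, log).items() if s == "no evidence"]


if __name__ == "__main__":
    for (kind, name), status in reconcile(FIX_SCRIPT, FIX_LOG).items():
        print(f"{status:>12}  {kind:<13} {name}")
```

Run stand-alone it prints one line per target; in this sample every target resolves, and the At*.job wildcard is reported as "moved x2" because only two of the twenty-four task files are included in the abridged log. A real helper would paste the full log and look only at the "no evidence" rows.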
#55 oldman960

oldman960

    Forum God

  • Retired Classroom Teacher
  • 14,770 posts

Posted 30 October 2010 - 11:29 AM

Hi Alantb, Good job. Try connecting to the internet now so we can continue directly with the infected computer. Please describe any symptoms/problems you are having. Thanks

#56 Alantb

Alantb

    Authentic Member

  • Authentic Member
  • PipPip
  • 62 posts

Posted 30 October 2010 - 03:48 PM

Hi Oldman; I hope tomorrow will do, it's bedtime over here; Cheers, Alan

#57 Alantb

Alantb

    Authentic Member

  • Authentic Member
  • PipPip
  • 62 posts

Posted 02 November 2010 - 12:24 PM

Hi Oldman; I connected to the net and it seemed to work but when I hit a key to sort my emails on date the box rebooted. So I rebooted in safe mode and it seemed to work . . . then the screen went black. So being very daring I rebooted normally and ran AVG, which told me of 79 cookies from ZEDO and got rid of them. Right now it may be working normally but I haven't put it onto the internal network yet in case it may still have something going wrong somewhere, which it could transmit to the other PCs. (Network is only two PCs and a laptop, nothing grand). More after dinner, Alan

#58 Alantb

Alantb

    Authentic Member

  • Authentic Member
  • PipPip
  • 62 posts

Posted 02 November 2010 - 05:10 PM

Hi Oldman. By chance I came across something called 'Pandobar' in the registry. I'm sure that it shouldn't be there. Any comment?

#59 oldman960

oldman960

    Forum God

  • Retired Classroom Teacher
  • 14,770 posts

Posted 02 November 2010 - 05:50 PM

Hi Alantb,

Please do not run any scans on your computer unless requested. There may be more serious malware present and as you found out your AV only made things worse. Also do not do any self fixing and definitely do not go tinkering in the registry.

Yes keep the infected computer isolated from your network. It will be easier to work on it now that you are able to go online.

Pandobar is adware, we will deal with it during the course of the cleaning.

Let's get some more diagnostics on this machine.


Please download MBRCheck.exe to your desktop.
  • Be sure to disable your security programs
  • Double click on the file to run it (Vista and Windows 7 users will have to confirm the UAC prompt)
  • A window will open on your desktop
  • If an unknown bootcode is found you will have further options available to you, at this time press N then press Enter twice.
  • If nothing unusual is found just press Enter
  • A .txt file named MBRCheck_mm.dd.yy_hh.mm.ss should appear on your desktop.
  • Please post the contents of that file.


Go HERE to get a randomly named copy of GMER. Scroll down to the Download section and click Download EXE. Save it to your desktop.

Before scanning with GMER, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

  • Double click on the file you downloaded. If asked to allow gmer.sys driver to load, please consent .
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.

  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and post it in your next reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries


If GMER will not run in normal Windows, please run it in Safe Mode


Please post back with
  • MBRCheck log
  • GMER log

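MBRCheck, as requested above, reads the first sector of the disk and reports whether its boot code is known or unknown. The following Python is an added illustration that is not part of this thread and not MBRCheck's own code: it parses a 512-byte MBR (boot code, disk signature, four partition entries, 0x55AA signature) and applies a check in the same spirit, hashing the boot code against a whitelist and sanity-checking the partition table. The sector bytes, the whitelist entry and the helper names build_mbr, partition_entry, parse_mbr and check_mbr are all this example's own constructions; the whitelist hash is computed from the constructed sample and stands in for a real vendor boot-code hash. Reading the real sector 0 (on Windows, \\.\PhysicalDrive0, which needs administrator rights) is deliberately left out so the example runs offline on any machine.

```python
import hashlib
import struct

# Constructed sample boot code (a few plausible opening bytes, then padding).
# The whitelist built from it is an assumption for this demonstration only;
# a real tool ships hashes of genuine vendor boot code.
GOOD_BOOTCODE = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]) + b"\x90" * 433
KNOWN_BOOTCODE_SHA1 = {
    hashlib.sha1(GOOD_BOOTCODE).hexdigest(): "constructed sample (stand-in for a known vendor MBR)",
}


def partition_entry(boot, ptype, start_lba, sectors):
    """One 16-byte partition-table entry; CHS fields are zeroed for brevity."""
    return struct.pack("<B3sB3sII", boot, b"\0\0\0", ptype, b"\0\0\0", start_lba, sectors)


def build_mbr(bootcode, disk_sig=0x1234ABCD, entries=()):
    """Assemble a 512-byte MBR: 440 bytes of code, disk signature, 2 zero bytes,
    four 16-byte entries, then the 0x55AA boot signature."""
    table = b"".join(entries) + b"\0" * 16 * (4 - len(entries))
    return bootcode[:440].ljust(440, b"\0") + struct.pack("<IH", disk_sig, 0) + table + b"\x55\xaa"


def parse_mbr(sector):
    """Split a raw sector into boot-code hash, disk signature and partition list."""
    if len(sector) != 512:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        boot, ptype, lba, size = struct.unpack_from("<B3xB3xII", sector, 446 + 16 * i)
        if ptype:                                     # type 0 means an unused slot
            parts.append({"active": boot == 0x80, "type": ptype, "lba": lba, "sectors": size})
    return {"bootcode_sha1": hashlib.sha1(sector[:440]).hexdigest(),
            "disk_sig": struct.unpack_from("<I", sector, 440)[0],
            "partitions": parts}


def check_mbr(sector):
    """Return a list of findings; an empty list means nothing looked unusual."""
    info = parse_mbr(sector)
    findings = []
    if info["bootcode_sha1"] not in KNOWN_BOOTCODE_SHA1:
        findings.append("unknown bootcode " + info["bootcode_sha1"])
    active = [p for p in info["partitions"] if p["active"]]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions (expected 1)")
    if not info["partitions"]:
        findings.append("empty partition table")
    return findings


# Constructed test sectors: a clean disk, one whose boot code was altered at
# offset 100 (a two-byte change is enough to change the hash), and one with
# no partition flagged active.
NTFS_ENTRY = partition_entry(0x80, 0x07, 63, 1_000_000)
CLEAN_MBR = build_mbr(GOOD_BOOTCODE, entries=[NTFS_ENTRY])
PATCHED_MBR = build_mbr(GOOD_BOOTCODE[:100] + b"\xEB\xFE" + GOOD_BOOTCODE[102:], entries=[NTFS_ENTRY])
NO_ACTIVE_MBR = build_mbr(GOOD_BOOTCODE, entries=[partition_entry(0x00, 0x07, 63, 1_000_000)])

if __name__ == "__main__":
    for label, sector in [("clean", CLEAN_MBR), ("patched", PATCHED_MBR), ("no-active", NO_ACTIVE_MBR)]:
        print(label, check_mbr(sector) or "ok")
```

The two-byte patch models what a bootkit does: the bulk of the boot code stays recognisable, but the hash no longer matches, which is why a hash whitelist is a sharper test than eyeballing a hex dump. The caveat from the post above applies here too: an unknown hash means "not in the list", not "infected"; OEM recovery partitions and non-Microsoft boot managers legitimately produce one.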
#60 Alantb

Alantb

    Authentic Member

  • Authentic Member
  • PipPip
  • 62 posts

Posted 03 November 2010 - 03:02 AM

Hi Oldman. PC wouldn't complete booting up beyond showing the desktop picture - but it worked (?) when I unplugged the internet connection. In order to stop the anti-virus etc programs (AVG & ZoneAlarm) I had to uninstall them. Task Manager ran and there seemed to be quite a lot of activity until I pulled out the Net connection . . . Anyhow I've put GMER and MBRCheck on a pendrive and will run them later. I still have Malwarebytes and Spybot installed - but since these are 'run when asked' type programs and not set up to run automatically they shouldn't interfere .......... or will they? Cheers - sorry about running AVG, everything seemed normal so I thought I would see if it picked anything up. Alan
