58 replies to this topic

[Mirrodin]

I haven't been able to do the scan yet, I've just been incredibly busy. I probably won't be able to do the scan today either. I just wanted to make a post to tell you that, so that the topic isn't locked.

[CatByte]

OK, no problem, thanks for letting me know

[Mirrodin]

This past week has been hell for me. Just incredibly busy with school and family stuff that popped up. I'm not going to bore you with the details of why I was busy though. Everything looked fine on the computer and everything was working properly until three days ago. The computer started siplaying the pop up windows again and at first, I just thought it was a "normal" virus and I ran Malwarebytes which was still there. I say still there, because now the .exe doesn't display, just like before, and the pop ups have become worse.

[CatByte]

Hi,

Were you ever able to find out how to disable / remove mcAfee from your system.

While it is still enabled it is probably interfering in the fixes we are doing:

Please do the following:

Download OTS to your Desktop

• Close ALL OTHER PROGRAMS.
• Double-click on OTS.exe to start the program.
• Check the box that says Scan All Users
• Under Additional Scans check the following:
  • Reg - Shell Spawning
  • File - Lop Check
  • File - Purity Scan
  • Evnt - EvtViewer (last 10)
• In the custom scans section copy and paste in the following
  

  %systemroot%\*. /s /r

• Now click the Run Scan button on the toolbar.
• Let it run unhindered until it finishes.
• When the scan is complete Notepad will open with the report file loaded in it.
• Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Please attach the log in your next post.

To attach a file, do the following:

• Click Add Reply
• Under the reply panel is the Attachments Panel
• Browse for the attachment file you want to upload, then click the green Upload button
• Once it has uploaded, click the Manage Current Attachments drop down box
• Click on to insert the attachment into your post

[LDTate]

This is a school computer,

C:\Documents and Settings\jmart366\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe

Sorry to butt in here but as Technician at a school district, I need ask a few questions.

Are you allowed to work on the schools computers?
Do you have domain / network administrators?

This type of infection should have been prevented at the server / domain level.

You had this infection before and replaced the hard drive.
It's possible your network is infected. Have you reported this?

Why would a P2P program like LimeWire be allowed on your computers?

[Mirrodin]

I attempted the scan, but part way through it, I got blue screened and was forced to restart the computer. I'll attempt it again once I finish this post. LDTate: We are allowed to download and use whatever programs we wish on the computer. I have Windows Live Messenger on this computer as well as AIM, which didn't come with the computer. We're allowed to use what we wish. The campus' network somehow has limewire or any P2P/torrent download program blocked, so its impossible to use them on campus.

[Mirrodin]

OTS.txt is attached. After the scan was completed, it displayed the OTS.txt. Then the computer forced a reboot on me, but so far, nothing seems to be worse. Also, McAfee's viruscan found and deleted a "y.exy"

Attached Files

•  OTS.Txt   249.26KB   386 downloads

[CatByte]

Hi,

Please do the following:

Start OTS
Copy/Paste the information inside the quotebox below into the panel where it says "Paste fix here" and then click the Run Fix button.

[Kill All Processes]
[Unregister Dlls]
[Processes - Safe List]
YY -> askupgrade.exe -> C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe
YY -> askservice.exe -> C:\Program Files\AskBarDis\bar\bin\AskService.exe
[Win32 Services - Safe List]
YY -> (ASKUpgrade) ASKUpgrade [Win32_Own | Auto | Running] -> C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe
YY -> (ASKService) ASKService [Win32_Own | Auto | Running] -> C:\Program Files\AskBarDis\bar\bin\AskService.exe
[Modules - Safe List]
YY -> fopihofu.dll -> C:\WINDOWS\System32\fopihofu.dll
YY -> siyizene.dll -> C:\WINDOWS\System32\siyizene.dll
[Registry - Safe List]
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YY -> {201f27d4-3704-41d6-89c1-aa35e39143ed} [HKLM] -> C:\Program Files\AskBarDis\bar\bin\askBar.dll [AskBar BHO]
YN -> {5C255C8A-E604-49b4-9D64-90988571CECB} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YY -> {c2b6d7b0-a02f-48eb-9f08-f1ebbf51fb0a} [HKLM] -> C:\WINDOWS\System32\fetuboji.dll [Reg Error: Value error.]
< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar
YY -> "{3041d03e-fd4b-44e0-b742-2d9b88305f98}" [HKLM] -> C:\Program Files\AskBarDis\bar\bin\askBar.dll [Ask Toolbar]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> "veluhepoj" -> C:\WINDOWS\System32\fopihofu.DLL [Rundll32.exe "c:\windows\system32\fopihofu.dll",a]
YY -> "yojududabo" -> C:\WINDOWS\System32\siyizene.dll [Rundll32.exe "siyizene.dll",s]
< SSODL [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
YY -> "{97cfe1bc-b455-49a0-9195-db27a6de3a21}" [HKLM] -> C:\WINDOWS\System32\fopihofu.dll [mifigakal]
< SharedTaskScheduler [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
YY -> "{97cfe1bc-b455-49a0-9195-db27a6de3a21}" [HKLM] -> C:\WINDOWS\System32\fopihofu.dll [gahurihor]
[Files/Folders - Created Within 30 Days]
NY -> AskBarDis -> C:\Program Files\AskBarDis
NY -> 10 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
[Files/Folders - Modified Within 30 Days]
NY -> hikuline -> C:\WINDOWS\System32\hikuline
NY -> 7 C:\Documents and Settings\jmart366\Local Settings\temp\*.tmp files -> C:\Documents and Settings\jmart366\Local Settings\temp\*.tmp
NY -> 5 C:\WINDOWS\Temp\*.tmp files -> C:\WINDOWS\Temp\*.tmp
NY -> 10 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
NY -> 1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
[Files - No Company Name]
NY -> fopihofu.dll -> C:\WINDOWS\System32\fopihofu.dll
NY -> tisawipu.dll -> C:\WINDOWS\System32\tisawipu.dll
NY -> yonubima.dll -> C:\WINDOWS\System32\yonubima.dll
NY -> defubigo.dll -> C:\WINDOWS\System32\defubigo.dll
NY -> votifiwa.dll -> C:\WINDOWS\System32\votifiwa.dll
NY -> siyizene.dll -> C:\WINDOWS\System32\siyizene.dll
NY -> fetuboji.dll -> C:\WINDOWS\System32\fetuboji.dll
NY -> siliyada.dll -> C:\WINDOWS\System32\siliyada.dll
NY -> torayowo.dll -> C:\WINDOWS\System32\torayowo.dll
[Empty Temp Folders]
[Start Explorer]
[Reboot]

The fix should only take a very short time. When the fix is completed a message box will popup either telling you that it is finished, or that a reboot is needed to complete the fix. If the fix is complete, click the Ok button and Notepad will open with a log of actions taken during the fix. Post that log back here in your next reply.

If a reboot is required, click the "Yes" button to reboot the machine. After the reboot, OTS will finish moving any files that could not be moved during the fix and NotePad will open with the final results at that time. Post that log back here in your next reply.

[Mirrodin]

For some reason copy and paste have been disabled, so I have to type it out in the box. I don't know if I should do that or not, there might be some minor thing that I miss that messes up everything, so I'll wait for your input.

Edited by Mirrodin, 26 October 2009 - 04:19 PM.

[CatByte]

Hi Try using the keyboard shortcuts to copy and paste Ctrl +A to select all the text Ctrl +C to copy it Ctrl +V to paste it into OTS

[Mirrodin]

I tried the shortcuts as well. Nothing has worked.

[CatByte]

Try it in safe mode

[Mirrodin]

Will do.

[Mirrodin]

When in safe mode, I can't access the internet so I can't really get to the info. I'm guessing save the page as an HTML page or something?

[CatByte]

No, Does your safe mode with networking not allow you to connect? I am uploading a batch fix for you extract it to your desktop, click on the fix.bat icon it will only take a moment to run. A notepad should open when complete. See if your ability to copy./paste returns once it's done.