
[Closed] Spyware Guard 2008 Removal


This topic is locked. 2 replies to this topic.

#1 Sony (New Member, 2 posts)

Posted 31 December 2008 - 01:50 AM

Hello Rorschach112, thank you so much for your help. I couldn't operate my PC for a couple of days because Spyware Guard 2008 paralyzed the system. I had to download ComboFix to have it removed. Now I can follow your instructions and use OTScanIt2 to scan the system. The report is attached for your review. Thanks again for all your help. Sony


#2 Rorschach112 (Teacher Emeritus, 3,651 posts)

Posted 31 December 2008 - 08:37 AM

Hi,

Before we begin, you should save these instructions in Notepad to your desktop, or print them, for easy reference. Much of our fix will be done in Safe mode, and you will be unable to access this thread at that time. If you have questions at any point, or are unsure of the instructions, feel free to post here and ask for clarification before proceeding.


Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive% (the drive that contains the Windows directory, typically C:\SDFix).

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum.



Download haxfix.exe and save it to your desktop.
  • Double click on haxfix.exe to install haxfix. (standard installation path is c:\program Files\haxfix)
  • Checkmark "Create a desktop icon"
  • Click "Next"
  • When the installation is completed, make sure that the checkmark "Launch HaxFix" is placed
  • Click "Finish"

A red "dos window" (dos box) will open with options:
1. Make logfile
2. Run auto fix
3. Run manual fix
E. Exit Haxfix

  • Select option 1. Make logfile by typing 1 and then pressing Enter
  • Haxfix will start scanning the computer. When it is finished a logfile will open: haxlog.txt > (c:\haxfix.txt)
  • Copy the contents of that logfile and paste it into this thread.



Start OTScanIt2. Copy/Paste the information in the quotebox below into the panel where it says "Paste fix here" and then click the Run Fix button.

[Kill Explorer]
[Unregister Dlls]
[Registry - Safe List]
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{EE5D279F-081B-4404-994D-C6B60AAEBA6D}" [HKLM] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> "Pwiwerokowu" -> %SystemRoot%\atulesolas.dll [rundll32.exe "C:\WINDOWS\atulesolas.dll",e]
YY -> "Tcaqiwelo" -> %SystemRoot%\Svisihutaf.dll [rundll32.exe "C:\WINDOWS\Svisihutaf.dll",e]
< Domain Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List
YN -> "C:\Program Files\Microsoft Common\svchost.exe" -> C:\Program Files\Microsoft Common\svchost.exe [C:\Program Files\Microsoft Common\svchost.exe:*:Enabled:svchost]
< MountPoints2 [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
YN -> \{1da61194-cef8-11dc-a426-00038a000015}\Shell\AutoRun\command\\"" -> [semo2x.exe]
YN -> \{1da61194-cef8-11dc-a426-00038a000015}\Shell\explore\Command\\"" -> [semo2x.exe]
YN -> \{1da61194-cef8-11dc-a426-00038a000015}\Shell\open\Command\\"" -> [semo2x.exe]
YN -> \{1da61195-cef8-11dc-a426-00038a000015}\Shell\AutoRun\command\\"" -> E:\LaunchU3.exe [E:\LaunchU3.exe -a]
YN -> \{49bd546c-13d2-11dd-a4af-00037ab0967e}\Shell\AutoRun\command\\"" -> E:\LaunchU3.exe [E:\LaunchU3.exe -a]
YN -> \{5139984d-7d81-11dc-a365-001b77d64389}\Shell\AutoRun\command\\"" -> E:\LaunchU3.exe [E:\LaunchU3.exe -a]
YN -> \{5827ca0d-380b-11dd-a4eb-ec43c893ba7a}\Shell\Auto\command\\"" -> F:\Windows.scr [F:\Windows.scr]
YN -> \{62b4aff4-9382-11dc-a397-001b77d64389}\Shell\AutoRun\command\\"" -> [mp3.exe]
YN -> \{80d97d0a-836a-11dc-a371-001b77d64389}\Shell\AutoRun\command\\"" -> E:\LaunchU3.exe [E:\LaunchU3.exe]
[Registry - Additional Scans - Safe List]
< Disabled MSConfig Registry Items [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\
YN -> Alcmtr hkey=HKLM key=SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> %SystemRoot%\Alcmtr.exe
YN -> GoBoingo hkey=HKLM key=SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> %ProgramFiles%\Boingo\GoBoingo\GoBoingo
< SafeBoot-Minimal Settings > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
YN -> ati0cixx.sys ->
YN -> ati0unxx.sys ->
YN -> ati2qjxx.sys ->
YN -> ati2scxx.sys ->
YN -> ati3rfxx.sys ->
YN -> ati4cjxx.sys ->
YN -> ati4vexx.sys ->
YN -> ati6qxxx.sys ->
YN -> ati6tbxx.sys ->
YN -> ati6tmxx.sys ->
YN -> ati6ymxx.sys ->
YN -> ati7pixx.sys ->
YN -> ati8gnxx.sys ->
YN -> ati8nxxx.sys ->
< SafeBoot-Network Settings > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\
YN -> ati0cixx.sys ->
YN -> ati0unxx.sys ->
YN -> ati2qjxx.sys ->
YN -> ati2scxx.sys ->
YN -> ati3rfxx.sys ->
YN -> ati4cjxx.sys ->
YN -> ati4vexx.sys ->
YN -> ati6qxxx.sys ->
YN -> ati6tbxx.sys ->
YN -> ati6tmxx.sys ->
YN -> ati6ymxx.sys ->
YN -> ati7pixx.sys ->
YN -> ati8gnxx.sys ->
YN -> ati8nxxx.sys ->
< Winsock2 Catalogs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\
YY -> Protocol_Catalog9\Catalog_Entries\000000000001 -> %UserProfile%\Local Settings\Temp\ntdll64.dll
YY -> Protocol_Catalog9\Catalog_Entries\000000000002 -> %UserProfile%\Local Settings\Temp\ntdll64.dll
YY -> Protocol_Catalog9\Catalog_Entries\000000000003 -> %UserProfile%\Local Settings\Temp\ntdll64.dll
YY -> Protocol_Catalog9\Catalog_Entries\000000000004 -> %UserProfile%\Local Settings\Temp\ntdll64.dll
YY -> Protocol_Catalog9\Catalog_Entries\000000000005 -> %UserProfile%\Local Settings\Temp\ntdll64.dll
YY -> Protocol_Catalog9\Catalog_Entries\000000000006 -> %UserProfile%\Local Settings\Temp\ntdll64.dll
YY -> Protocol_Catalog9\Catalog_Entries\000000000007 -> %UserProfile%\Local Settings\Temp\ntdll64.dll
YY -> Protocol_Catalog9\Catalog_Entries\000000000008 -> %UserProfile%\Local Settings\Temp\ntdll64.dll
YY -> Protocol_Catalog9\Catalog_Entries\000000000009 -> %UserProfile%\Local Settings\Temp\ntdll64.dll
YY -> Protocol_Catalog9\Catalog_Entries\000000000010 -> %UserProfile%\Local Settings\Temp\ntdll64.dll
YY -> Protocol_Catalog9\Catalog_Entries\000000000011 -> %UserProfile%\Local Settings\Temp\ntdll64.dll
YY -> Protocol_Catalog9\Catalog_Entries\000000000012 -> %UserProfile%\Local Settings\Temp\ntdll64.dll
YY -> Protocol_Catalog9\Catalog_Entries\000000000013 -> %UserProfile%\Local Settings\Temp\ntdll64.dll
YY -> Protocol_Catalog9\Catalog_Entries\000000000014 -> %UserProfile%\Local Settings\Temp\ntdll64.dll
YY -> Protocol_Catalog9\Catalog_Entries\000000000015 -> %UserProfile%\Local Settings\Temp\ntdll64.dll
YY -> Protocol_Catalog9\Catalog_Entries\000000000016 -> %UserProfile%\Local Settings\Temp\ntdll64.dll
YY -> Protocol_Catalog9\Catalog_Entries\000000000017 -> %UserProfile%\Local Settings\Temp\ntdll64.dll
YY -> Protocol_Catalog9\Catalog_Entries\000000000018 -> %UserProfile%\Local Settings\Temp\ntdll64.dll
YY -> Protocol_Catalog9\Catalog_Entries\000000000019 -> %UserProfile%\Local Settings\Temp\ntdll64.dll
YY -> Protocol_Catalog9\Catalog_Entries\000000000020 -> %UserProfile%\Local Settings\Temp\ntdll64.dll
YY -> Protocol_Catalog9\Catalog_Entries\000000000021 -> %UserProfile%\Local Settings\Temp\ntdll64.dll
YY -> Protocol_Catalog9\Catalog_Entries\000000000022 -> %UserProfile%\Local Settings\Temp\ntdll64.dll
YY -> Protocol_Catalog9\Catalog_Entries\000000000023 -> %UserProfile%\Local Settings\Temp\ntdll64.dll
YY -> Protocol_Catalog9\Catalog_Entries\000000000024 -> %UserProfile%\Local Settings\Temp\ntdll64.dll
YY -> Protocol_Catalog9\Catalog_Entries\000000000025 -> %UserProfile%\Local Settings\Temp\ntdll64.dll
YY -> Protocol_Catalog9\Catalog_Entries\000000000026 -> %UserProfile%\Local Settings\Temp\ntdll64.dll
YY -> Protocol_Catalog9\Catalog_Entries\000000000027 -> %UserProfile%\Local Settings\Temp\ntdll64.dll
[Files/Folders - Created Within 90 Days]
NY -> 1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
NY -> win32hlp.cnf -> %SystemRoot%\System32\win32hlp.cnf
NY -> SWXCACLS.exe -> %SystemRoot%\SWXCACLS.exe
NY -> SWREG.exe -> %SystemRoot%\SWREG.exe
NY -> SWSC.exe -> %SystemRoot%\SWSC.exe
NY -> sed.exe -> %SystemRoot%\sed.exe
NY -> fdsv.exe -> %SystemRoot%\fdsv.exe
NY -> grep.exe -> %SystemRoot%\grep.exe
NY -> zip.exe -> %SystemRoot%\zip.exe
NY -> VFIND.exe -> %SystemRoot%\VFIND.exe
NY -> NIRCMD.exe -> %SystemRoot%\NIRCMD.exe
NY -> Qoobox -> %SystemDrive%\Qoobox
NY -> ComboFix.exe -> %UserProfile%\Desktop\ComboFix.exe
NY -> atulesolas.dll -> %SystemRoot%\atulesolas.dll
NY -> 6aa41fd0.sys -> %SystemRoot%\System32\drivers\6aa41fd0.sys
NY -> d0a1d59b.sys -> %SystemRoot%\System32\drivers\d0a1d59b.sys
NY -> rpnxsyw.exe -> %SystemDrive%\rpnxsyw.exe
NY -> uyrte.exe -> %SystemDrive%\uyrte.exe
NY -> elbff.exe -> %SystemDrive%\elbff.exe
NY -> 7863832 -> %SystemDrive%\7863832
NY -> lpote.exe -> %SystemDrive%\lpote.exe
NY -> Svisihutaf.dll -> %SystemRoot%\Svisihutaf.dll
NY -> dmraspk.exe -> %SystemDrive%\dmraspk.exe
NY -> nods32.dll -> %SystemRoot%\System32\nods32.dll
NY -> za.dat -> %SystemRoot%\System32\za.dat
NY -> vnql.exe -> %SystemDrive%\vnql.exe
NY -> aqpbouph.exe -> %SystemDrive%\aqpbouph.exe
NY -> ofijsgzp.job -> %SystemRoot%\tasks\ofijsgzp.job
NY -> xxyxVmnn.dll -> %SystemRoot%\System32\xxyxVmnn.dll
NY -> FXEZQJV.INI -> %SystemRoot%\FXEZQJV.INI
[Custom Scans]
YY -> GADCOM.EXE-229766BF.pf -> C:\WINDOWS\Prefetch\GADCOM.EXE
NY -> aqpbouph.exe -> C:\aqpbouph.exe
NY -> dmraspk.exe -> C:\dmraspk.exe
NY -> elbff.exe -> C:\elbff.exe
NY -> lpote.exe -> C:\lpote.exe
NY -> rpnxsyw.exe -> C:\rpnxsyw.exe
NY -> uyrte.exe -> C:\uyrte.exe
NY -> vnql.exe -> C:\vnql.exe
NY -> ofijsgzp.job -> C:\WINDOWS\Tasks\ofijsgzp.job
[Empty Temp Folders]
[Start Explorer]
[Reboot]


The fix should only take a very short time. When the fix is completed, a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of the actions taken during the fix. Post that information back here.

I will review the information when it comes back in.
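The OTScanIt2 fix script above is a useful teaching artifact: it shows several persistence mechanisms at once (Run-key entries that load a DLL through rundll32.exe, a Winsock LSP in Protocol_Catalog9 pointing at a DLL in the user's Temp folder, a firewall exception for an svchost.exe outside System32, MountPoints2 autorun commands left behind by removable media, and executables dropped in the root of the system drive). The following script is an added example written for this page; it is not part of the thread, not OTScanIt2's own logic, and not the helper's code. It parses lines in the format the fix script uses (section headers in square brackets, subsection headers in angle brackets, items prefixed with two Y/N status flags) and applies triage heuristics that are the editor's assumptions. The sample input is a constructed subset of lines copied from the script above.

```python
"""Triage an OTScanIt2-style fix script: parse its section/item lines and flag
the persistence patterns visible in the thread above. Added example; the
heuristics are the editor's assumptions, not OTScanIt2's own classification."""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the fix script in post #2, with the
# section and subsection headers they appear under.
SAMPLE = r"""
[Registry - Safe List]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> "Pwiwerokowu" -> %SystemRoot%\atulesolas.dll [rundll32.exe "C:\WINDOWS\atulesolas.dll",e]
< Domain Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List
YN -> "C:\Program Files\Microsoft Common\svchost.exe" -> C:\Program Files\Microsoft Common\svchost.exe [C:\Program Files\Microsoft Common\svchost.exe:*:Enabled:svchost]
< MountPoints2 [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
YN -> \{1da61194-cef8-11dc-a426-00038a000015}\Shell\AutoRun\command\\"" -> [semo2x.exe]
YN -> \{1da61195-cef8-11dc-a426-00038a000015}\Shell\AutoRun\command\\"" -> E:\LaunchU3.exe [E:\LaunchU3.exe -a]
< Winsock2 Catalogs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\
YY -> Protocol_Catalog9\Catalog_Entries\000000000001 -> %UserProfile%\Local Settings\Temp\ntdll64.dll
[Files/Folders - Created Within 90 Days]
NY -> rpnxsyw.exe -> %SystemDrive%\rpnxsyw.exe
NY -> ComboFix.exe -> %UserProfile%\Desktop\ComboFix.exe
"""

SECTION_RE = re.compile(r"^\[(.*)\]$")
SUBSECTION_RE = re.compile(r"^< (.*?) > -> (.*)$")
# The two leading Y/N letters are OTScanIt2 status flags; they are not interpreted here.
ITEM_RE = re.compile(r"^[YN][YN] -> (.*)$")


@dataclass
class Item:
    section: str      # bracketed section, e.g. "Registry - Safe List"
    subsection: str   # registry area inside it, e.g. "Run [HKEY_LOCAL_MACHINE\]"
    name: str         # value name or key path, surrounding quotes stripped
    value: str        # data, usually a path followed by the bracketed command line


@dataclass
class Finding:
    item: Item
    reason: str


def parse(text: str) -> list[Item]:
    """Walk the script line by line, remembering the current section headers."""
    section = subsection = ""
    items: list[Item] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := SECTION_RE.match(line):
            section, subsection = m.group(1), ""
        elif m := SUBSECTION_RE.match(line):
            subsection = m.group(1)
        elif m := ITEM_RE.match(line):
            name, _, value = m.group(1).partition(" -> ")
            items.append(Item(section, subsection, name.strip('"'), value))
    return items


# Assumed markers for "loaded from a scratch directory"; extend for your environment.
TEMP_MARKERS = ("\\local settings\\temp\\", "\\temp\\", "\\tmp\\")


def triage(items: list[Item]) -> list[Finding]:
    """Apply path/command heuristics; each item gets at most one reason."""
    findings: list[Finding] = []
    for it in items:
        v = it.value.lower()
        target = v.split(" [", 1)[0]   # the path before the bracketed command line
        if it.subsection.startswith("Run ") and "rundll32" in v and ".dll" in v:
            findings.append(Finding(it, "Run entry loads a DLL through rundll32.exe"))
        elif it.subsection.startswith("Winsock2") and any(t in v for t in TEMP_MARKERS):
            findings.append(Finding(it, "Winsock LSP (Protocol_Catalog9) points into a temp folder"))
        elif ("Authorized Applications" in it.subsection and target.endswith("\\svchost.exe")
              and not target.endswith("\\system32\\svchost.exe")):
            findings.append(Finding(it, "firewall exception for an svchost.exe outside System32"))
        elif it.subsection.startswith("MountPoints2") and v.startswith("["):
            findings.append(Finding(it, "removable-drive autorun command with no path (autorun.inf residue)"))
        elif it.section.startswith("Files/Folders") and re.fullmatch(r"%systemdrive%\\[a-z0-9]+\.exe", v):
            findings.append(Finding(it, "executable created in the root of the system drive"))
    return findings


def report(findings: list[Finding]) -> str:
    """One line per finding: [reason] area: name -> value."""
    return "\n".join(
        f"[{f.reason}] {f.item.subsection or f.item.section}: {f.item.name} -> {f.item.value}"
        for f in findings)


if __name__ == "__main__":
    print(report(triage(parse(SAMPLE))))
```

Running it over the sample flags the rundll32 Run entry, the Temp-folder LSP, the stray svchost.exe firewall exception, the path-less semo2x.exe autorun and the drive-root rpnxsyw.exe, while leaving the E:\LaunchU3.exe autorun and ComboFix.exe alone. The heuristics are deliberately narrow: a real triage pass would also check signatures and hashes of each target, since a plausible path alone proves nothing either way.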

#3 Rorschach112 (Teacher Emeritus, 3,651 posts)

Posted 04 January 2009 - 03:04 PM

Due to inactivity this topic will be closed. If you need help, please start a new thread and post a new HJT log.
