 |  |  |  |  |  |  |  |
Not sure whats wrong,please take a look!!
 |
•
•
Join Date: May 2005
Posts: 3,204
Reputation: 
Solved Threads: 188
..and here is a more complete list of files to paste into Avenger:
Files to delete:
C:\windows\.protected
C:\symlcsv1.exe
C:\WINDOWS\system32\ogycsrw.exe
C:\WINDOWS\system32\hzhkhdet.exe
C:\WINDOWS\IFinst27.exe
C:\3b10545d3d62bb28bf60f37c
C:\WINDOWS\system32\linkprd.exe
C:\WINDOWS\system32\pmbvkxh_nav.dat
C:\DOCUME~1\Kristy\MYDOCU~1\SCURIT~1\TTRIB~1.EXE
C:\WINDOWS\system32\drivers\oryeobyk.sys
C:\WINDOWS\system32\drivers\ovygriae.sys
C:\WINDOWS\system32\drivers\fakofips.sys
C:\WINDOWS\system32\tmp.reg
C:\WINDOWS\system32\Process.exe
C:\WINDOWS\system32\dumphive.exe
C:\WINDOWS\system32\SrchSTS.exe
C:\WINDOWS\system32\ttvwa.ini2
C:\WINDOWS\system32\ttvwa.bak1
C:\WINDOWS\system32\ttvwa.bak2
When that completes, please UPDATE AVG AS, make sure that Recommended action is set to Quarantine [instructions in earlier post]; then run CCleaner, and lastly scan with AVG.
Post all those logs.
Files to delete:
C:\windows\.protected
C:\symlcsv1.exe
C:\WINDOWS\system32\ogycsrw.exe
C:\WINDOWS\system32\hzhkhdet.exe
C:\WINDOWS\IFinst27.exe
C:\3b10545d3d62bb28bf60f37c
C:\WINDOWS\system32\linkprd.exe
C:\WINDOWS\system32\pmbvkxh_nav.dat
C:\DOCUME~1\Kristy\MYDOCU~1\SCURIT~1\TTRIB~1.EXE
C:\WINDOWS\system32\drivers\oryeobyk.sys
C:\WINDOWS\system32\drivers\ovygriae.sys
C:\WINDOWS\system32\drivers\fakofips.sys
C:\WINDOWS\system32\tmp.reg
C:\WINDOWS\system32\Process.exe
C:\WINDOWS\system32\dumphive.exe
C:\WINDOWS\system32\SrchSTS.exe
C:\WINDOWS\system32\ttvwa.ini2
C:\WINDOWS\system32\ttvwa.bak1
C:\WINDOWS\system32\ttvwa.bak2
When that completes, please UPDATE AVG AS, make sure that Recommended action is set to Quarantine [instructions in earlier post]; then run CCleaner, and lastly scan with AVG.
Post all those logs.
Deep, deep in the woods, but walking about.
i already did post 38.. how do i make a restore point??... and no i cant get a windows cd 
Last edited by krisparmley; May 2nd, 2007 at 7:06 am.
•
•
Join Date: May 2005
Posts: 3,204
Reputation:
Solved Threads: 188
To make a restore point: Start > programs > accessories > system tools > system restore and follow instructions there.
[[the quick way in is Start > run, paste: %systemroot%\system32\restore\rstrui.exe -and OK]]
No prob with having done #38, just follow on. And nobody you know has a cd you can borrow? no nerdy kids nearby? Tell me about your puter, was it loaded with XP SP2 when you got it? If so, there is a chance that the necessary system repair files are in a hidden partition on it...
[[the quick way in is Start > run, paste: %systemroot%\system32\restore\rstrui.exe -and OK]]
No prob with having done #38, just follow on. And nobody you know has a cd you can borrow? no nerdy kids nearby? Tell me about your puter, was it loaded with XP SP2 when you got it? If so, there is a chance that the necessary system repair files are in a hidden partition on it...
Last edited by gerbil; May 2nd, 2007 at 7:40 am.
Deep, deep in the woods, but walking about.
i hope that restore point worked through rstart run as system restore doesnt work!!ive asked everyone i know for a cd! the pc was already loaded with XP when purchased.
Logfile of The Avenger version 1, by Swandog46Running from registry key:\Registry\Machine\System\CurrentControlSet\Services\uqoivdrc*******************Script file located at: \??\C:\bclgskhk.txtScript file opened successfully.Script file read successfullyBackups directory opened successfully at C:\Avenger*******************Beginning to process script file:File C:\windows\.protected not found!Deletion of file C:\windows\.protected failed!Could not process line:C:\windows\.protectedStatus: 0xc0000034File C:\symlcsv1.exe not found!Deletion of file C:\symlcsv1.exe failed!Could not process line:C:\symlcsv1.exeStatus: 0xc0000034File C:\WINDOWS\system32\ogycsrw.exe not found!Deletion of file C:\WINDOWS\system32\ogycsrw.exe failed!Could not process line:C:\WINDOWS\system32\ogycsrw.exeStatus: 0xc0000034File C:\WINDOWS\system32\hzhkhdet.exe not found!Deletion of file C:\WINDOWS\system32\hzhkhdet.exe failed!Could not process line:C:\WINDOWS\system32\hzhkhdet.exeStatus: 0xc0000034File C:\WINDOWS\IFinst27.exe not found!Deletion of file C:\WINDOWS\IFinst27.exe failed!Could not process line:C:\WINDOWS\IFinst27.exeStatus: 0xc0000034Error: C:\3b10545d3d62bb28bf60f37c is a folder, not a file!Deletion of file C:\3b10545d3d62bb28bf60f37c failed!Could not process line:C:\3b10545d3d62bb28bf60f37cStatus: 0xc00000baFile C:\WINDOWS\system32\linkprd.exe not found!Deletion of file C:\WINDOWS\system32\linkprd.exe failed!Could not process line:C:\WINDOWS\system32\linkprd.exeStatus: 0xc0000034File C:\WINDOWS\system32\pmbvkxh_nav.dat not found!Deletion of file C:\WINDOWS\system32\pmbvkxh_nav.dat failed!Could not process line:C:\WINDOWS\system32\pmbvkxh_nav.datStatus: 0xc0000034Could not open file C:\DOCUME~1\Kristy\MYDOCU~1\SCURIT~1\TTRIB~1.EXE for deletionDeletion of file C:\DOCUME~1\Kristy\MYDOCU~1\SCURIT~1\TTRIB~1.EXE failed!Could not process line:C:\DOCUME~1\Kristy\MYDOCU~1\SCURIT~1\TTRIB~1.EXEStatus: 0xc000003aFile C:\WINDOWS\system32\drivers\oryeobyk.sys deleted successfully.File C:\WINDOWS\system32\drivers\ovygriae.sys deleted successfully.File C:\WINDOWS\system32\drivers\fakofips.sys deleted successfully.File C:\WINDOWS\system32\tmp.reg deleted successfully.File C:\WINDOWS\system32\Process.exe deleted successfully.File C:\WINDOWS\system32\dumphive.exe deleted successfully.File C:\WINDOWS\system32\SrchSTS.exe deleted successfully.File C:\WINDOWS\system32\ttvwa.ini2 deleted successfully.File C:\WINDOWS\system32\ttvwa.bak1 deleted successfully.File C:\WINDOWS\system32\ttvwa.bak2 deleted successfully.Completed script processing.*******************Finished! Terminate.
! REG.EXE VERSION 3.0HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run wskveucd REG_SZ C:\fbbqkmik.bat! REG.EXE VERSION 3.0HKEY_USERS\.default\software\microsoft\windows\currentversion\run Nqnzqv REG_SZ C:\DOCUME~1\Kristy\APPLIC~1\PPPATC~1\NPDB~1.EXE! REG.EXE VERSION 3.0HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg key REG_SZ SOFTWARE\Microsoft\Windows\CurrentVersion\Run item REG_SZ TTRIB~1 hkey REG_SZ HKCU command REG_SZ C:\DOCUME~1\Kristy\MYDOCU~1\SCURIT~1\TTRIB~1.EXE inimapping REG_SZ 0HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\%FP%Friendly fts.exeHKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ALServHKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialerHKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BigDogPathHKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgentHKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CARPServiceHKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exeHKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DSLAGENTEXEHKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DSLSTATEXEHKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GqxowronHKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManagerHKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X84-X85 Button ManagerHKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X84-X85 Button MonitorHKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LoadHKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExeHKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExeHKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MessengerPlus3HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBootHKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mousepadHKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgrHKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheckHKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemonHKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenterHKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwizHKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpiStatHKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrinTrayHKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime TaskHKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControlHKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RunHKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkypeHKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundManHKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSchedHKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SweetIMHKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\type32HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan OnlineHKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTaskHKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\w03a1090.dll! REG.EXE VERSION 3.0HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gqxowron key REG_SZ SOFTWARE\Microsoft\Windows\CurrentVersion\Run item REG_SZ TTRIB~1 hkey REG_SZ HKCU command REG_SZ C:\DOCUME~1\Kristy\MYDOCU~1\SCURIT~1\TTRIB~1.EXE inimapping REG_SZ 0! REG.EXE VERSION 3.0HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load key REG_SZ SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows item REG_SZ ???? hkey REG_SZ HKCU command REG_SZ ???? inimapping REG_SZ 1! REG.EXE VERSION 3.0HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run key REG_SZ SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows item REG_SZ ???? hkey REG_SZ HKCU command REG_SZ ???? inimapping REG_SZ 1! REG.EXE VERSION 3.0HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\w03a1090.dll key REG_SZ SOFTWARE\Microsoft\Windows\CurrentVersion\Run item REG_SZ RUNDLL32 hkey REG_SZ HKLM command REG_SZ RUNDLL32.EXE w03a1090.dll,I2 00085ca3003a1090 inimapping REG_SZ 0
•
•
Join Date: May 2005
Posts: 3,204
Reputation:
Solved Threads: 188
i am out, totally out, of mouse batteries. It took me 5 minutes to navigate here with the keyboard!! So i'm off to bed; tomorrow I shall look at those logs.
What is inside folder C:\3B54105..... or similar?
Most of those "not found" files in the Avenger log you just posted were deleted in the #38 run - that's fine. What is the file in the middle of tht list above- C
Docs and SETS\...\KRISTY\....TTRIB~1.exe ?? I think that is a problem to us... I'll work on it.
What is inside folder C:\3B54105..... or similar?
Most of those "not found" files in the Avenger log you just posted were deleted in the #38 run - that's fine. What is the file in the middle of tht list above- C
Docs and SETS\...\KRISTY\....TTRIB~1.exe ?? I think that is a problem to us... I'll work on it. Deep, deep in the woods, but walking about.
•
•
Join Date: May 2005
Posts: 3,204
Reputation:
Solved Threads: 188
AVG broke? -that can happen. Uninstall it and reload, update; if you did not keep the original installer somewhere to reuse just dl a new copy.
Kristy, navigate to this file and delete it: C:\Documents and settings\Kristy\My documents\Scurit....?\ATTRIB....?.exe
If that works then delete the folder Scurit..?
Could not do it? Then download this program Unlocker 1.8.5 from http://ccollomb.free.fr/unlocker/ -install it. Then just rclick on ATTRIB....exe and select Unlocker from the menu, delete and Ok.
Still could not do it? Then save the text below as a batch file: copy all the text between the stars below to a notepad [turn OFF wordwrap!!], name it bugremv.bat and save it [as All files] to your desktop.
Restart in Safe mode and dclick the icon to run it. It will list to a text file in your C:\ root folder, C:\krquery.txt - post me that file please. If you need to use this method I have made the cmd screen pause [hit any key..] so that you can read if it carries out the delete command successfully - tell me if..
**************************************************************
reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v TTRIB~1 > c: krquery.txt
cd My Documents
del /F SCURIT~1\TTRIB~1.EXE
del SCURIT~1
pause
**************************************************************
Do you have in your puter an i386 folder somewhere? It could be C:\i386, or you may have a hidden partition D:\ [to see if that exists start Disk Management: go run, diskmgmt.msc -and Enter. Tell me what you find cos we need i386 [it's up to 500MB, thousands of files...]
Still no luck with Vundofix running? -try downloading a fresh copy....
Kristy, navigate to this file and delete it: C:\Documents and settings\Kristy\My documents\Scurit....?\ATTRIB....?.exe
If that works then delete the folder Scurit..?
Could not do it? Then download this program Unlocker 1.8.5 from http://ccollomb.free.fr/unlocker/ -install it. Then just rclick on ATTRIB....exe and select Unlocker from the menu, delete and Ok.
Still could not do it? Then save the text below as a batch file: copy all the text between the stars below to a notepad [turn OFF wordwrap!!], name it bugremv.bat and save it [as All files] to your desktop.
Restart in Safe mode and dclick the icon to run it. It will list to a text file in your C:\ root folder, C:\krquery.txt - post me that file please. If you need to use this method I have made the cmd screen pause [hit any key..] so that you can read if it carries out the delete command successfully - tell me if..
**************************************************************
reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v TTRIB~1 > c: krquery.txt
cd My Documents
del /F SCURIT~1\TTRIB~1.EXE
del SCURIT~1
pause
**************************************************************
Do you have in your puter an i386 folder somewhere? It could be C:\i386, or you may have a hidden partition D:\ [to see if that exists start Disk Management: go run, diskmgmt.msc -and Enter. Tell me what you find cos we need i386 [it's up to 500MB, thousands of files...]
Still no luck with Vundofix running? -try downloading a fresh copy....
Last edited by gerbil; May 3rd, 2007 at 10:50 am.
Deep, deep in the woods, but walking about.
•
•
Join Date: May 2005
Posts: 3,204
Reputation:
Solved Threads: 188
Kristy, let's try something else to get IE running... this is to check that the processes IE uses are correctly registered in your well, registry.. 
. I wanted the CD or the i386 folder to check that the process libraries [dll's] were not broken, but we'll do this first.
Go Start, run, and paste in the first line below and press Enter. Wait as each dll is registered - it will display a window indicating the file ran successfully [or failed - don't worry about that..], after which you click OK.
regsvr32 urlmon.dll mshtml.dll shdocvw.dll browseui.dll jscript.dll vbscript.dll scrrun.dll msxml.dll actxprxy.dll softpub.dll wintrust.dll dssenh.dll
Now paste this line.... same process to follow.
regsvr32 rsaenh.dll gpkcsp.dll sccbase.dll slbcsp.dll cryptdlg.dll oleaut32.dll ole32.dll shell32.dll msjava.dll hlink.dll Schannel.dll Rsabase.dll initpki.dll
Tell me how you get on with IE now.
. I wanted the CD or the i386 folder to check that the process libraries [dll's] were not broken, but we'll do this first. Go Start, run, and paste in the first line below and press Enter. Wait as each dll is registered - it will display a window indicating the file ran successfully [or failed - don't worry about that..], after which you click OK.
regsvr32 urlmon.dll mshtml.dll shdocvw.dll browseui.dll jscript.dll vbscript.dll scrrun.dll msxml.dll actxprxy.dll softpub.dll wintrust.dll dssenh.dll
Now paste this line.... same process to follow.
regsvr32 rsaenh.dll gpkcsp.dll sccbase.dll slbcsp.dll cryptdlg.dll oleaut32.dll ole32.dll shell32.dll msjava.dll hlink.dll Schannel.dll Rsabase.dll initpki.dll
Tell me how you get on with IE now.
Deep, deep in the woods, but walking about.
|
Similar Threads
- erm... not realy sure whats wrong. (Motherboards, CPUs and RAM)
- Whats wrong with my computer??? (Viruses, Spyware and other Nasties)
- Whats wrong with this class??? (C++)
- errors in my file but not sure whats wrong file attatched (Visual Basic 4 / 5 / 6)
- whats wrong with my cpu fsb and ram bus speed? (Motherboards, CPUs and RAM)
- Whats wrong with this code (PHP)
- Whats Wrong Withj This 6800 Graphic Card (Monitors, Displays and Video Cards)
- merged:nesting loops (C++)
Other Threads in the Viruses, Spyware and other Nasties Forum
- Previous Thread: Help Plz
- Next Thread: Fakes & redirects when searching
| Thread Tools | Search this Thread |
Latest Viruses, Spyware and other Nasties Posts
Related Forum Features
Tag cloud for Viruses, Spyware and other Nasties
acrobat adobe adware anti-malware anti-virussitesaccessissue antivirus apple attack audio backtoschoolspeech bar blackhat botnet china commercials conficker connect control crosssitescripting cyber cyberwarfare ddos domains e-mafia email europe facebook fake fancheckvirus gaming gtaiv gumblar halloween hijack internet iphone kaspersky legal logfiles mail malware mcafee mega-d messagelabs microsoft mobile msn news obama onlinethreats paedophile panel parents pdf phishing police president privacy pro problem redirect redirecting reliability report research risk rogueantivirus samhain sans scareware school search security seopoisoning sites software spam spyware spywareexternalwindows7adminstratortrojans sqlinjection symantec system teen threat translate trojan unabletoaccessanti-virussites unwanted update usa virus viruses volume vulnerability war warning windows worm zero-day zeroday
