Sickofit,
==Download this file to your DESKTOP: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
.....or this file: http://subs.geekstogo.com/ComboFix.exe
-IMPORTANT! : disconnect from the web, turn off your Antivirus, Antispyware and Firewall for the duration of this scan. Don't forget to reset them before you go back on the web!
- to run it dclick the Combofix.exe icon and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs reboot to restore the desktop.
If by some chance Combofix will not run try renaming the combofix.exe to mycomfx.exe, and dclicking it.
whoost, start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.
O18 - Filter hijack: text/html - {7983b7fb-57b3-4360-8616-c6e6b164031e} - C:\WINDOWS\system32\mst120.dll
Delete C:\WINDOWS\system32\mst120.dll
==Download this file to your DESKTOP: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
.....or this file: http://subs.geekstogo.com/ComboFix.exe
-IMPORTANT! : disconnect from the web, turn off your Antivirus, Antispyware and Firewall for the duration of this scan. Don't forget to reset them before you go back on the web!
- to run it dclick the Combofix.exe icon and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs reboot to restore the desktop.
Practice your reflexes on the Pause/Break button to see if you can capture that blue screen. Enter key to continue..
Please post that Hijackthis log, you have more than Ispynow on the machine, I think. Delete the copy of MBAM installer [mbam-setup.exe] from your machine, load in a fresh copy from your flashdrive, rename the MBAM installer to mybam-setup.exe, run it. It should work. Then:
-ensure that it is set to update and start, else start it via the icon.
Select "Perform Quick Scan", then click Scan; the application will guide you through the remaining steps.
ENSURE that EVERYTHING found has a CHECKMARK against it, then click Remove Selected.
If malware has been found [and removed] MBAM will automatically produce a log for you... do not click the Save Logfile button.
When it completes examine the log: if some files are listed as Delete on Reboot then restart your machine before continuing.
Post the Notepad log [it is also saved under Logs tab in MBAM].
Hello, Sickofit, your hijackthis log is clean. Regarding ISpyNow, did you track down any of those files I listed?
Your problem is more than ISpyNow if the MBAM installer is blocked. If you have not already done so, please stop mbam-setup.exe from running. Download a fresh copy of the installer, rename it to mybam-setup.exe and see if it will run - it should.
Just so you do not have to chase about for instructions on MBAM:
=Dclick that file, mybam-setup.exe, to install the application,
-uncheck the Update and Start options, then click Finish.
Start MBAM via the icon, immediately Update it.
Select "Perform Quick Scan", then click Scan; the application will guide you through the remaining steps.
ENSURE that EVERYTHING found has a CHECKMARK against it, then click Remove Selected.
If malware has been found [and removed] MBAM will automatically produce a log for you... do not click the Save Logfile button.
When it completes examine the log: if some files are listed as Delete on Reboot then restart your machine before continuing.
Post the Notepad log [it is also saved under Logs tab in MBAM].
[Darn thread hijackers... :)]
Without another sys to load programs from, I can only suggest that you search Docs & Settings for files with these names :
nah_jpde.exe
runhh6110411.exe
learn32.dll
mscscc.dll
rehh
vigrs
Ina
comm3
fsh1
..and delete them. Once [if] you find some then note the file modification time [there is a column in Explorer that shows it] and work your way through each folder in D & S, ordering them by File Mod time to locate others with the same time as those you found. Tedious, I know. Restart, and see if they have stayed deleted.
Please post back with a list of those you found and deleted.
Okay, now we are getting somewhere. ISpyNow uses files it places under Documents & Settings, in various folders. And it rewrites them if they are damaged.
Start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.
O4 - HKCU\..\Run: [nah_Shell] C:\Documents and Settings\c\nah_jpde.exe
O4 - HKCU\..\Run: [HPseti] "C:\Documents and Settings\c\Application Data\Google\runhh6110411.exe"
Delete:
C:\Documents and Settings\c\nah_jpde.exe
C:\Documents and Settings\c\Application Data\Google\runhh6110411.exe
Then search D & S for files with these names; they will have similar file modification times:
learn32.dll
rehh
vigrs
Ina
comm3
fsh1
mscscc.dll
run611041
..and delete them also. Restart, and see if they have stayed deleted. Post back with a list of files that you found and deleted, please. You might order the files in each folder by Modification Time, and note any other files with the same time.
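The search described in the post above, done as a script rather than by hand: this is an added example, not something from the thread. It walks a tree the way Explorer would, picks out the file names listed in the post, then lists every other file whose modification time sits within a minute of those hits, which is the "order each folder by Modification Time" step applied to the whole tree at once. The sample tree it builds is constructed for the demonstration and stands in for C:\Documents and Settings; the `zqvx.dll` name in it is invented, not a file from the thread.

```python
import os
import tempfile

# File names the post above associates with ISpyNow (copied from the thread).
SUSPECT_NAMES = {"nah_jpde.exe", "runhh6110411.exe", "learn32.dll", "mscscc.dll",
                 "rehh", "vigrs", "Ina", "comm3", "fsh1", "run611041"}


def find_named(root, names):
    """Walk root and return paths whose file name is one of names, case-insensitively
    (NTFS names are case-insensitive, so 'INA' and 'Ina' are the same file)."""
    wanted = {n.lower() for n in names}
    return sorted(os.path.join(d, f) for d, _, files in os.walk(root)
                  for f in files if f.lower() in wanted)


def files_with_matching_mtime(root, reference_paths, tolerance_s=60):
    """Return (path, mtime) for files under root, other than the references themselves,
    whose modification time lies within tolerance_s of any reference file's mtime."""
    ref_times = [os.path.getmtime(p) for p in reference_paths]
    skip = {os.path.abspath(p) for p in reference_paths}
    found = []
    for d, _, files in os.walk(root):
        for f in files:
            p = os.path.join(d, f)
            if os.path.abspath(p) in skip:
                continue
            mt = os.path.getmtime(p)
            if any(abs(mt - t) <= tolerance_s for t in ref_times):
                found.append((p, mt))
    return sorted(found)


def build_sample_tree():
    """Constructed stand-in for C:\\Documents and Settings. Three planted names from
    the post share a modification time with one file whose name is not on the list;
    an ordinary document is a month older. Returns the temporary root directory."""
    root = tempfile.mkdtemp(prefix="dands_")
    drop = 1_200_000_000  # constructed epoch timestamp for the infection
    layout = {
        "c/nah_jpde.exe": drop,
        "c/Application Data/Google/runhh6110411.exe": drop + 5,
        "c/Local Settings/Application Data/INA": drop + 20,
        "c/Local Settings/Temp/zqvx.dll": drop + 30,   # invented name, same drop time
        "c/My Documents/letter.doc": drop - 30 * 86400,
    }
    for rel, mtime in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"constructed sample\n")
        os.utime(path, (mtime, mtime))
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    hits = find_named(root, SUSPECT_NAMES)
    for p in hits:
        print("listed name:", os.path.relpath(p, root))
    for p, _ in files_with_matching_mtime(root, hits):
        print("same modification time, not on the list:", os.path.relpath(p, root))
```

Run against a real profile by passing its path as `root` instead of the sample tree; the second list is the one to read carefully, since a name that is not on the post's list but was written at the same moment is the "rewrites them if they are damaged" companion the post is after.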
Hello, ranger, start with this:
==Please download Malwarebytes' Anti-Malware
from: http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html
or: http://www.besttechie.net/tools/mbam-setup.exe
=Dclick that file, mbam-setup.exe, to install the application,
-ensure that it is set to update and start, else start it via the icon.
Select "Perform Full Scan", then click Scan; the application will guide you through the remaining steps.
ENSURE that EVERYTHING found has a CHECKMARK against it, then click Remove Selected.
If malware has been found [and removed] MBAM will automatically produce a log for you... do not click the Save Logfile button.
When it completes examine the log: if some files are listed as Delete on Reboot then restart your machine before continuing.
Post the Notepad log [it is also saved under Logs tab in MBAM].
Then:
==download hijackthis: http://www.majorgeeks.com/download5554.html
-copy it to a new FOLDER placed either alongside your program files or on your desktop and then... rename hijackthis.exe to imabunny.exe
-in that folder start HijackThis by dclicking the .exe; now close ALL other applications and any open windows including the explorer window containing HijackThis.
-click the Scan and Save a Logfile button. Post the log here.
Post those logs and we'll go from there.
Heh... well, thanks, James. I just enjoy discovering things, exploring... I found those pgms and others some time back, they just help me learn more about disk structure and stuff. Glad I could put them to use. Your disk is okay, no actual damage to it [only some data got altered in the "index", and we fixed that] so keep using it. The structures as shown in your third shot [with the E extended and X extended lines] are all correct - it is just the way the partition table is built.
May I suggest you give some thought to getting the precious stuff onto cds or dvds? CD Rewritables are good. I use an extra harddrive for just backups, too. Syncback free is as good as you need.
Gratitude? Show it to the writer of Testdisk, not me.
And you're welcome. It's been fun.
James.. just going back to your last screenshot of testdisk-6.10 folder... if you expand that folder in the left margin, click on testdisk-doc-6.10 you will see that a doc folder exists inside it.... drag the doc folder to testdisk-6.10 folder. Then my help .cmd file will apply.
documentation.html is no use to us.
Note that if at any stage in this you get lost or confused you can q your way back and out to start again.
Anyway... your Seagate is detected correctly [shot 1]. In shot 2 it reads the MBR partition table and linked logical partitions' tables and shows a primary partition P, type LANstep [FEhex], not bootable, but the Extended partition and 2 logical partitions are missing. Next, the physical search of the disk sectors reveals [in shot 3] three partitions:
Primary 41381kB 40GB Photo Album
Logical 62915kB 60GB Support Files
Logical 15735kB 15GB Backup
... so we may conclude that the MBR partition table is corrupted.
At the point where you took the shot 3 you must check that your directories and files exist in eg. your Photo Album partition - so start Testdisk, go back to that same screen which is the result of the Quick Search [green text], highlight the top partition and press p. In the new screen you should see your directories and files. If you highlight a directory and press the right arrow you will see files etc inside that.... Do they appear …
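What TestDisk's "Intel" analysis reads in shot 2 is the 64-byte partition table at the end of the MBR sector. The parser below is an added example, not TestDisk's code and not the user's disk: it decodes the four primary entries (status byte, type byte, LBA start and sector count), reports whether any slot is bootable or is an Extended container, and checks for overlaps or entries running past the disk end. The two sample sectors are constructed: one shaped like shot 2 (a single non-bootable type FEh entry and no Extended partition), one with a primary plus an Extended container for contrast. Disk sizes and LBA values in it are made up.

```python
import struct

# Partition type bytes that come up in the thread; anything else is shown by value.
PART_TYPES = {0x00: "empty", 0x05: "Extended", 0x07: "NTFS/HPFS", 0x0B: "FAT32",
              0x0C: "FAT32 (LBA)", 0x0F: "Extended (LBA)", 0xFE: "LANstep"}
SECTOR = 512


def parse_mbr(sector):
    """Decode the four 16-byte primary entries at offset 446 of an MBR sector."""
    if len(sector) != SECTOR:
        raise ValueError("an MBR is exactly one 512-byte sector")
    if sector[510:512] != b"\x55\xAA":
        raise ValueError("boot signature 55AA missing: not a valid MBR")
    entries = []
    for i in range(4):
        raw = sector[446 + 16 * i: 446 + 16 * (i + 1)]
        status, _chs_start, ptype, _chs_end, lba_start, count = struct.unpack("<B3sB3sII", raw)
        entries.append({
            "slot": i,
            "bootable": status == 0x80,
            "type": ptype,
            "type_name": PART_TYPES.get(ptype, "unknown (0x%02X)" % ptype),
            "lba_start": lba_start,
            "sectors": count,
            "size_gb": round(count * SECTOR / 1e9, 1),
        })
    return entries


def check_table(entries, disk_sectors):
    """Sanity-check the primary table: slots in use, any bootable slot, presence of an
    Extended container, and entries that overlap or run off the end of the disk."""
    used = [e for e in entries if e["type"] != 0x00]
    problems = []
    spans = sorted((e["lba_start"], e["lba_start"] + e["sectors"], e["slot"]) for e in used)
    for a, b in zip(spans, spans[1:]):
        if a[1] > b[0]:
            problems.append("slots %d and %d overlap" % (a[2], b[2]))
    for _start, end, slot in spans:
        if end > disk_sectors:
            problems.append("slot %d runs past the end of the disk" % slot)
    return {
        "used": len(used),
        "bootable": any(e["bootable"] for e in used),
        "has_extended": any(e["type"] in (0x05, 0x0F) for e in used),
        "problems": problems,
    }


def build_entry(bootable, ptype, lba_start, sectors):
    """Pack one entry; the CHS fields carry the 'use LBA' marker FE FF FF."""
    return struct.pack("<B3sB3sII", 0x80 if bootable else 0x00, b"\xFE\xFF\xFF",
                       ptype, b"\xFE\xFF\xFF", lba_start, sectors)


def sample_mbr():
    """Constructed sector shaped like shot 2: one non-bootable type-FEh primary entry,
    no Extended partition. Not the user's real disk."""
    table = build_entry(False, 0xFE, 63, 78_140_097) + bytes(48)
    return bytes(446) + table + b"\x55\xAA"


def healthy_mbr():
    """Constructed table with a primary partition and an Extended container."""
    table = (build_entry(False, 0x07, 63, 78_140_097)
             + build_entry(False, 0x0F, 78_140_160, 146_800_640)
             + bytes(32))
    return bytes(446) + table + b"\x55\xAA"


if __name__ == "__main__":
    disk_sectors = 234_441_648  # constructed 120 GB disk
    for name, mbr in (("shot 2 shape", sample_mbr()), ("healthy", healthy_mbr())):
        entries = parse_mbr(mbr)
        print(name, [(e["type_name"], e["bootable"], e["size_gb"]) for e in entries
                     if e["type"]], check_table(entries, disk_sectors))
```

The point this makes concrete is why a missing Extended entry matters: logical partitions are only reachable through the Extended container's chain, so when that slot is zeroed the logicals vanish from Windows even though their data and their own boot sectors are still on the disk, which is exactly what TestDisk's physical search in shot 3 then finds.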
Try:
==This one is a general purpose deleter, Unlocker: http://filehippo.com/download_unlocker/
Dclick the exe to install it, unchecking the updater and assistant boxes. It runs from the rclick context menu, and that is cool.
James, to get the ball rolling could you give me these three screenshots, please?
Start Testdisk, choose Create a logfile, shoot the next screen with your disks shown. Save it.
Select the bad drive [Seagate], choose Proceed, then Intel, then Analyse, shoot and save the next screen.
Then choose Quick Search, N for No to Vista.... let it run. Shoot the next screen.
That will do for me for the moment, press q until you are out. Or play if you wish, you will not do any damage unless you agree to Delete or Write etc queries somewhere in there.
Post those three shots, combine them into one if you will.
Hang on.. almost there.... lessee, you dl the file testdisk-6.10.win.zip. That extracts to give a folder called testdisk-6.10 containing some files plus dos, ico and win folders. You may delete the dos folder. Okay, you've done all that.
**The doc folder is inside that testdisk-doc-6.10 [tar file] - drag the doc folder into the testdisk-6.10 folder alongside ico and win folders.
Next, drag the testdisk-6.10 folder into your new parent folder. You've done that.
If you call your parent folder Disk Management you will have to change the paths in my lil .cmd files. Go with Disk Tools.. easier.
Scratch Pad folders are just my own very temp stores. Hang onto the .zip and .bz2 files for the moment, leave them in your dl folder.
I deleted some of those files... my testdisk-6.10 folder contains:
ico, doc, win folders[all contents untouched], plus only changelog and NEWS files.
Check your paths in the cmd files are correct and they should work.
Note... I use Opera on this site [for most browsing, actually]. Firefox has issues with it, IE I don't use.
Hello, James, that is sad. Well we can leave MBRWhiskey now. Time to get another tool, and this one will take an effort by you. It is not a straightforward download and run software package, so I will give you some instructions. Basically with this tool, Testdisk 6.10, we can bypass the MBR's partition table and just search for the physical partitions on the disk, then bypass file tables to copy out directories complete with files, or individual files.
This tool can also image a disk so that you have a complete backup [complete with errors] if you have a spare disk with at least the same capacity as the Seagate.
PhotoRec ignores basic disk structures and simply hunts for image files.
From this site: http://www.cgsecurity.org/wiki/TestDisk_Download
- download the Windows zip file of Testdisk 6.10, currently the 2nd from top.
- download the documentation bz2 archive.
Create a new folder, name it Disk Tools.
Extract contents of the zip file to a scratch folder, then drag the folder TestDisk-6.10 to Disk Tools, then delete the empty parent TestDisk-6.10-win folder.
Extract "to here" the documentation .tar file from the .bz2 file you downloaded, then extract "to here" from the .tar file the folder testdisk-6.10.
Drag the doc folder from that to Disk Tools\ testdisk-6.10
Easy? You should have:
X:\Disk Tools\TestDisk-6.10\doc + ico + win\.. [you can delete the dos folder]? I dunno what drive you put it on, …
That is what I wanted to see, James. Give this a shot... back into MBRWhiskey, Disk:1, highlight Partition 0 [the only one listed]... see the type is 44hex? We need to change that to 07, so go Partition > Change type, type 07 into the New type(hex) box, Ok it.
As a side note... in that .ini file you made I believe there is an error [not yours or your disks]: where it says EndSector it should say SectorLength. don't worry about it now.. I just added this in case you use the tool on a multi-partition drive and the info does not add up.. :)
You can move tons of stuff out of C: and away from Windows. It is a good idea. But some stuff should be left alongside Windows.. OE and IE will duplicate some of their files back in C:\Program Files if you move them.. so don't bother, but the OE data files can move. Local Settings... some Windows Application data should remain... Here is a rough I have been preparing, don't have time to polish it, but this contains all the things I have moved. I have a batch file which automates it..
Moving stuff. First decide what you wish to move out of C: -
I would suggest from User take Application Data, Cookies, Favourites, My Documents, Recent [My Recent Documents];
from Local Settings I would take History, Temp, Templates, Temporary Internet Files, leaving behind the actual Local Settings directory.
I would also relocate Outlook Express mail folders, Opera cache and Firefox cache.
And tell the sys the new default applications path. I think that's about it. Deep breath, now....
Step one - build your desired directory structure on PAPER. I would go something like:
(D:) Ephemera
\Downloads **
\Scratch Pad **
\User Documents and Data **
\\Don **
\\\My Documents
\\\Application Data **
\\\Cookies **
\\\Favourites **
\\\Firefox
\\\History **
\\\Opera Cache4
\\\Outlook Express **
\\\Recent
\\\Temp **
\\\Templates **
\\\Temporary Internet Files **
-on paper, …
Okaayy.. I just updated 7-Zip and WINRAR.... & 7-Zip seems to be the winner for me.. it does iso files now. But I have both. And I am not a software reviewer, just a user of stuff, so I am not making choices based on vanishing margins or other esoterica.
Hello, James.. I'm not stressing here.. :)
Please use the link I gave you and not some other you found - you will get both files.
The .7z unzips to give two files [an html and an inf] plus a folder called files. Inside files you will find MBRWhiskey. Other download sites may not have this.
And off you go with it....
Info: WinRAR and 7-Zip are two file compressor/decompressor programs, similar to WinZip but dealing with differing compression algorithms. WINRAR is possibly the most comprehensive, but comes with a nag. 7-Zip uses possibly the best algorithms, WinZip is simple but most restricted... argh.. look, the 3 are all different, and you can mostly get by with only 7-Zip. No nag. And straightforward as, it just does the job. Most formats you will come across are covered, but not .iso. So for that you need WinRAR or IsoBuster. Sigh. Have, then, 7-Zip and WinRAR.
Easy as...
My Documents: Create a new My Documents folder, close ALL documents!! then rclick on My Documents link above My Computer, properties, press Move, browse to the new location, and OK.
Hi, James... re that linked page : I often try to give the author's home page to simply give him credit. Bart PE plugin is so that you can integrate the pgm with Bart's PE disc - we are not interested in that. Yep, that is the correct file, it's a .7z, and WINRAR or 7-Zip [both free] will both cope with that. It contains both the GUI and the commandline pgms.
"4. I have tried to use DM to make the C: Drive Active, but when I click on it the "Mark Partition as Active" is greyed out" - it already is Active, so that is fine.
The screenshot: dclick MBRWhiskey.exe to start it; in the HDD box click the down slider, select Drive:1 and the window will populate. Shoot it.
Then go Extra, Write Disk Structure & Part info to file..., Save it to MyDisksPartInf.ini.. drag to a notepad and post it. I have a feeling that this will show that the partition is hidden, or somehow corrupted.
What you could do yourself is read the partition window for Disk:1, and see if any partitions show as hidden. If one does, then simply:
-select that partition in the window,
-go Partition, Unhide.
I could add that the window does not fill until you select a disk; when you select Disk1 [the seagate] a screenshot of the populated window would be nice.
Hello, James.
-Your C: drive is the System drive, it IS being used to boot the system, it is Active [hence that option is greyed out]... I just wished to check before getting you to remove the Active status of the PA drive [seagate]. No active drive woulda made things unnecessarily complicated.
-Re the MBR partition style shown in Volumes tab... that is fine - it is the method Windows hard drives use to record the partition information of the drive, ie. the MBR records the start and length of all partitions on the drive. There is no problem there with files from its previous life.
We can look at the partition information; it may be corrupted. Take care with this tool you will download, don't misuse it. Delete means delete, and so on. But it is easy to use.
Get MBRWhiskey from: http://red.boot-land.net/index.html
Extract the files, MBRWhiskey.exe is the one we are interested in [MBRWiz.exe is command-line only].
Orright, start it [dclick the exe].
=Select Disk:0; go Disk, Save MBR to file, name it MBR_SaveDisk0.dat
=Select Disk:1, and save its MBR also.
That was for safety, and you can keep those files until you change the disks' partitioning.
=go Extra, Write Disk Structure & Part info to file..., Save it to MyDisksPartInf.ini
Do not be tempted to Repair the MBR - it will only do it for the Active disk, anyway, and that one is okay.
These are my crossword puzzles.
Ok, to continue.. I would like to see the MBAM log... the one with Successfully deleted and Delete on reboot, which instruction you would have followed, of course.
tdssserv.sys is a rootkit, MBAM found and should have deleted it...
Hello, James... you can post screenshots, you know [printscreen, then Accessories, Paint, paste into it], but I get the picture from your description.
You are seeing the optical drive in Disk Mgmnt cos you have a cd in the drive, hence the CDFS partition -that is of no concern. What is interesting is that the cd drive is shown above the problem hard drive in the first list - in my experience, no matter the drive letter assigned, it should appear at the bottom ie. after the hard drives.
I notice the Photo Album drive has no drive letter assigned. But it is shown as Active?!!
Active means that the PA drive is being used to provide the booting files for Windows; here is a bit of backgrounding for you:
When you first set up the partition(s) on a disk a boot sector will be written for each volume; one, which will be on a primary partition, and one only, must be marked as Active, unless this is a slave or data disk in which case none are marked Active. There will be only one boot sector per volume [volume = drive, if you wish.. eg c:, or d:]. The disk's master boot record will be written at the same time. Only one of these per disk.
XP can be placed in any partition, including logical, by itself.
When it commences loading the OS, BIOS searches for the Master Boot Record on the master …
Jim, when you ran MBAM did you click the Remove Selected button? Cos everywhere I am seeing "No action taken." If you did not, then please rerun MBAM, post the log.
And present the log from this task, please...?
So firstly:
==Please download Malwarebytes' Anti-Malware
from: http://www.majorgeeks.com/Malwarebyt...are_d5756.html
or: http://www.besttechie.net/tools/mbam-setup.exe
=Dclick that file, mbam-setup.exe, to install the application, then ensure that it is set to update and start, else start it via the icon.
Select "Perform Full Scan", then click Scan; the application will guide you through the remaining steps.
Make sure that everything found is checked, and click Remove Selected. Examine the log: if some files are listed as Delete on Reboot then restart your machine before continuing.
Post the Notepad log [it is also saved under Logs tab in MBAM].
Addressing your other queries.. do not format any partition on that data drive... it will make file recovery a little more tedious.
Does the drive show in Disk Management [via Admin Tools, Comp Mgmnt] ? There should be no need to initialise the drive. Does Disk Management show that as an option?
Hello, james. Your hardware setup is fine. Your problem is that Explorer is not looking at the drive root when it starts, so as to catalogue the root directories.
Can applications access the drive and related files? Possibly not if you have not used them since the reinstallation...
If you open an Explorer window [dclick My Computer] and type the drive letter.. eg. D:\ into the Address Bar does it open in that directory? And can you then move through the folders therein?
If that does not work can you open the drive via Internet Explorer [type D:\ into the address bar.... etc]?
Jim, it is not a memory problem, it is a problem with a program trying to access reserved memory. In other words, it is caused by some sloppy software, and sloppy software is occasionally found in malware. So firstly:
==Please download Malwarebytes' Anti-Malware
from: http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html
or: http://www.besttechie.net/tools/mbam-setup.exe
=Dclick that file, mbam-setup.exe, to install the application, then ensure that it is set to update and start, else start it via the icon.
Select "Perform Full Scan", then click Scan; the application will guide you through the remaining steps.
Make sure that everything found is checked, and click Remove Selected. Examine the log: if some files are listed as Delete on Reboot then restart your machine before continuing.
Post the Notepad log [it is also saved under Logs tab in MBAM].
...and then:
==download hijackthis: http://www.majorgeeks.com/download5554.html
-copy it to a new FOLDER placed either alongside your program files or on your desktop and then... rename hijackthis.exe to imabunny.exe
-in that folder start HijackThis by dclicking the .exe; now close ALL other applications and any open windows including the explorer window containing HijackThis.
-click the Scan and Save a Logfile button. Post the log here.
Good luck with that. Have you ever separated the heatsink/CPU? Could be that there is a temporary heating issue when the chip is first fired up.
Well, yes it does. And it would pay to eliminate the hdd as a source.
Because your machine is actually still bootable then do this [this procedure will burn a diagnostic program onto a cd which in turn may be used to boot your machine and check the hd] :
You'll need access to a computer with Internet connectivity and a CD burner, plus a blank CD-R or CD-RW.
Then go to this link: http://www.woyaa.com/cgi-bin/download/jump.cgi?ID=708646
or this link: http://support.thetechguys.com/Uploads/%7Bb4d5f239-78d9-4bd8-8e7a-2de1983b4d7d%7D/DiagCD23.exe
Either Run the file download or Save diagcd23.exe to your computer and dclick it to run. The procedure is quite automatic: you will be asked to insert a blank CD for burning the file.
Once the disk is created, put it in your broken machine, then restart it. It should boot from the CD and then give you the opportunity to run a Long HDD (hard disk) test. The utility supports a wide range of disk manufacturers.
Say how you get on.
A problem with the page file will lock your sys down solid, if it is trying to access it. Think hdd problems.
That M&S job is a pretty cheap effort, caper... they couldn't even be bothered, or didn't have the nous, to write a worm. A chain letter. Still, if you've got a big pool of dills...
System Restore is limited in the amount of system file repair it can do .
If you have different icons in explorer then your shell32.dll has likely been modified along with some other changes to make the File Protection System ignore it. To restore that file you would have to copy in a fresh file both to system32 and the dllcache, plus fix any reg mods.
If WFPS has been modified then my guess is that sfc would not fix that issue, it certainly would not fix WFPS. And shell32.dll is not the only source of icons for explorer, which itself contains icons.
You could of course slave the drive and copy in replacements to system32 and dllcache, cos shell32.dll is used all the time [under winlogon.exe]. But that would not repair WFPS.
The other changes I have not a clue about, except that if the Start button has been modded then explorer.exe itself has been changed... so I am thinking that you will need to do a lot of careful, time-consuming excisions and replacements [once you track them all down], else a Windows Repair.
With the latter you won't lose any data or personal settings, you may need to reinstall a few apps, or none if you are lucky, you will have to dl all the Windows Security Updates again. It's a price to pay....
This link will give you an idea of what is involved to mod that Start button alone, but …
Looks sweet. Just do a manual check that this thing is really gone:
C:\DOCUMENTS and SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\Temp\catchme.sys
And if all seems fine, then... all is fine. Cheers.
Weasel, could you post the combofix log also? C:\combofix.txt
And the SDFix log; it's saved into the SDFix folder as Report.txt.
Weasel, don't use that previous script - I missed one file to delete, so use this modified version instead. The vundo infection there appears to have rootkit capabilities. I should also point out that your friend has had a keylogger trojan on his sys and so it is important that he changes important passwords and bank accounts that he may have accessed from the computer.
The new CFScript.txt:
Killall::
File::
C:\WINDOWS\system32\aKUBdMoq.ini2
C:\WINDOWS\system32\qoMdBUKa.dll
C:\WINDOWS\system32\ssqnMETJ.dll
C:\WINDOWS\system32\nnnNHYqn.dll
C:\WINDOWS\system32\xxyvuutq.dll
C:\WINDOWS\system32\fccYSiGV.dll
C:\WINDOWS\erfb.exe
C:\WINDOWS\grswptdl.exe
C:\WINDOWS\nfavxwdbpgs.dll
C:\WINDOWS\kgxmotapktx.dll
C:\WINDOWS\erms.exe
C:\WINDOWS\agpqlrfm.exe
C:\DOCUMENTS and SETTINGS\ADMINI~1\LOCALS~1\Temp\catchme.sys
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{769D8280-A207-4EEA-9963-F8B156C32855}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CBE1F7FF-5D9E-4213-8BD1-54B2AA144997}]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{769D8280-A207-4EEA-9963-F8B156C32855}"= -
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyvuutq]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\catchme]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\catchme]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= hex(7):6d,73,76,31,5f,30,00,00
Ah, nice, weasel.
==Again please disconnect from the web, turn off your Antivirus, Antispyware and Firewall for the duration of this scan:
Copy the text in the box to a notepad [format/wordwrap unchecked] and save as CFScript.txt to where you saved Combofix -that is, to your desktop.
Killall::
File::
C:\WINDOWS\system32\qoMdBUKa.dll
C:\WINDOWS\system32\ssqnMETJ.dll
C:\WINDOWS\system32\nnnNHYqn.dll
C:\WINDOWS\system32\xxyvuutq.dll
C:\WINDOWS\system32\fccYSiGV.dll
C:\WINDOWS\erfb.exe
C:\WINDOWS\grswptdl.exe
C:\WINDOWS\nfavxwdbpgs.dll
C:\WINDOWS\kgxmotapktx.dll
C:\WINDOWS\erms.exe
C:\WINDOWS\agpqlrfm.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\catchme.sys
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{769D8280-A207-4EEA-9963-F8B156C32855}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CBE1F7FF-5D9E-4213-8BD1-54B2AA144997}]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{769D8280-A207-4EEA-9963-F8B156C32855}"= -
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyvuutq]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\catchme]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\catchme]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= hex(7):6d,73,76,31,5f,30,00,00
Good. Now drag the CFScript.txt icon onto the Combofix icon [mycmbfx.exe] on your desktop. Combofix will start, let it run, if your firewall prompts then allow all; post the log.
Please now run sfc /scannow
You should now be able to update MBAM and run it also; post the log.
There should be no need to run the other scans.
Main problem, caper, is to get any exes to run. Most sys ones do, but not sfc.exe, and not so far any tool exes I have suggested. It's fun.... may be a simple blacklist at work, but it is not started via the methods that hijackthis lists.
Weasel.. combofix: rename the desktop icon to MyCF55.exe, then dclick it. Remember to turn off net connection, firewall, system defence and AV first. If it runs you may find that it has timed out, in which case it will tell you so & delete itself, > dl a fresh copy.
[system defence? the sort of thing that comes with, say, Comodo - it would drive you nuts as CF tries to install and run]
VIRUS ALERT!... yeah, weasel, I did notice that the header of your Hijackthis log was modified to include that [your sys clock has been affected]. Virus Alert! is relatively easy to fix, our problem is something that came in alongside it and appears to have blacklisted a lot of removal tools which would remove Virus Alert and perhaps this other infection.
Let's try this now:
==Download SmitfraudFix (by S!Ri) from http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Immediately rename the file to SMFix.zip, then extract the content (a folder named SmitfraudFix) to your Desktop.
- Open the SmitfraudFix folder and rename smitfraudfix.cmd to SMFix.cmd; double-click SMFix.cmd, select option #1 - Search [type 1 and Enter]; a text file will appear which lists infected files (if present). It will also create a log named rapport.txt in the root of your drive, eg: Local Disk C:\ ..
Please paste the report in your next reply. DO NOT RUN OPTION 2 YET!!!
==Download SDFix from here: http://downloads.andymanchesta.com/RemovalTools/SDFix.exe
or here: http://www.bleepingcomputer.com/resources/link252.html
and save it to your desktop. Rename SDFix.exe to MySD.exe; dclick MySD.exe and choose Run to extract it to %systemdrive%, which commonly will be C:\
=Please clean with CCleaner.
=You MUST restart your computer in Safe Mode.
=Open the extracted SDFix folder, C:\SDFix and double click RunThis.bat to start the script. Type Y to begin the cleanup.
You will be prompted to press any key to Reboot - the pc will …
It cannot be policy blocking the exes from running because you would get a warning about it, although you could check in the Event Viewer [under admin tools], Software, to see if there have been any block events. I cannot figure what could block some system exes like sfc.exe, but not regedit.exe; still allow you to run some third party software app exes, eg.? CCleaner, Unlocker but not others such as those I have requested or activeX's. How did Clam get by it? There must be a blacklist file of exes in your sys in some malware....
In the zipped file is a list of "cohort" files that are associated with the trojans you had. Just open a cmd window and paste in each of the two lines, making sure wordwrap is not checked in notepad.
And if that does not help then perhaps there is nothing for it but to follow one of two restoration plans depending on whether the pc has valuable data/files/applications.
If it does then the aim would be to Repair windows, which would keep all data and most applications intact, including any malware which could simply break the new installation.
Copying off data is an option, with fingers crossed that the problem is not due to a worm or virus.
Reinstalling windows without a formatting of the partition would expose the new OS to the same risk.
Personally, I'd go for the Repair cos it takes but an hour …
Hello weasel... Okay, thanks...lessee, do you have this file by any chance?:
C:\Windows\System32\Drivers\tdssserv.sys
-delete it. There may be others like this:
C:\Windows\System32\tdsss?.dll ..where the ? represents other letters.
==Download SDFix from here: http://downloads.andymanchesta.com/RemovalTools/SDFix.exe
and save it to your desktop. Dclick SDFix.exe and choose Run to extract it to %systemdrive%, which commonly will be C:\
=You must restart your computer in Safe Mode:
- Log in by using the Administrator account.
=Open the extracted SDFix folder, C:\SDFix and double click RunThis.bat to start the script. Type Y to begin the cleanup.
You will be prompted to press any key to Reboot - the pc will then restart.
The tool will run again and complete the removal process then display Finished; press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
Restart the pc in normal mode. Post the contents of the file Report.txt here, along with the log of a fresh hijackthis scan run in normal mode.
More, weasel... fix your exe associations keys in registry with this reg file:
==Please copy the text in the box to a notepad [format/wordwrap unchecked] and save as fixkey.reg, as type "all files", to your desktop; dclick it to run... agree; if it opens in notepad instead rclick the icon [file], choose Open with, Registry editor....
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"
[HKEY_CLASSES_ROOT\.exe\PersistentHandler]
@="{098f2470-bae0-11cd-b579-08002b30bfeb}"
[HKEY_CLASSES_ROOT\exefile]
@="Application"
"EditFlags"=hex:38,07,00,00
"TileInfo"="prop:FileDescription;Company;FileVersion"
"InfoTip"="prop:FileDescription;Company;FileVersion;Create;Size"
[HKEY_CLASSES_ROOT\exefile\DefaultIcon]
@="%1"
[HKEY_CLASSES_ROOT\exefile\shell]
[HKEY_CLASSES_ROOT\exefile\shell\open]
"EditFlags"=hex:00,00,00,00
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
[HKEY_CLASSES_ROOT\exefile\shell\runas]
[HKEY_CLASSES_ROOT\exefile\shell\runas\command]
@="\"%1\" %*"
[HKEY_CLASSES_ROOT\exefile\shellex]
[HKEY_CLASSES_ROOT\exefile\shellex\DropHandler]
@="{86C86720-42A0-1069-A2E8-08002B30309D}"
[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers]
[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\PEAnalyser]
@="{09A63660-16F9-11d0-B1DF-004F56001CA7}"
[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\PifProps]
@="{86F19A00-42A0-1069-A2E9-08002B30309D}"
[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\ShimLayer Property Page]
@="{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"
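A check for the same association keys, written for this thread as an added example (not the helper's fixkey.reg): it reads the (Default) values that the reg file above sets, plus the DisableTaskMgr policy, and reports anything that differs. It assumes an elevated PowerShell session on the affected machine.

```powershell
# Added example, not from the thread: verify the .exe association keys that
# fixkey.reg restores and the DisableTaskMgr policy; list every mismatch.
function Test-ExeAssociation {
    # Expected defaults, taken from the fixkey.reg posted above.
    $expected = @(
        @{ Key = 'Registry::HKEY_CLASSES_ROOT\.exe';                        Value = 'exefile' },
        @{ Key = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command';  Value = '"%1" %*' },
        @{ Key = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\runas\command'; Value = '"%1" %*' },
        @{ Key = 'Registry::HKEY_CLASSES_ROOT\exefile\DefaultIcon';         Value = '%1' }
    )
    $findings = @()
    foreach ($e in $expected) {
        $key = Get-Item -Path $e.Key -ErrorAction SilentlyContinue
        if (-not $key) {
            $findings += "MISSING  $($e.Key)"
            continue
        }
        # GetValue('') reads the key's (Default) value; DoNotExpandEnvironmentNames
        # keeps a REG_EXPAND_SZ payload literal so it compares as written.
        $actual = $key.GetValue('', $null, 'DoNotExpandEnvironmentNames')
        if ($actual -ne $e.Value) {
            $findings += "CHANGED  $($e.Key) = '$actual' (expected '$($e.Value)')"
        }
    }
    # A hijacked machine often has DisableTaskMgr=1; the showkey.bat in this
    # thread forces it back to 0, so flag anything that is not 0.
    $pol = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System' `
                            -Name DisableTaskMgr -ErrorAction SilentlyContinue
    if ($pol -and $pol.DisableTaskMgr -ne 0) {
        $findings += "POLICY   DisableTaskMgr = $($pol.DisableTaskMgr) (Task Manager blocked)"
    }
    return $findings
}

$result = @(Test-ExeAssociation)
if ($result.Count -eq 0) { 'exefile association and DisableTaskMgr look normal' }
else { $result }
```

Any CHANGED line pointing at a path other than the program itself is the hijack the reg file above undoes.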
What happens if you use TM to stop the explorer.exe process, and then use it to start one of your problem .exe pgms? You can try this in Safe mode.
"net accounts" is the cmd you are looking for.. you run it in a cmd window. It is one of the net services commands, and help is here...
Paste this into a run window: %windir%\hh.exe ms-its:%windir%\Help\ntcmds.chm::/ntcmds.htm
or on the net here: http://www.ss64.com/nt/net_useradmin.html
Of course, that method treats your wife as an equal.. that may not suit your religion, or you may just wish to keep that little bit of extra control over her... so in that case use "net user"
Help is in pretty much the same places.
Combofix is now configured so that it will only run from the desktop.
Re the Panda scan and "the security warning bar refuses to show itself" just check in IE options that "Download signed ActiveX controls" is set to Prompt.
Nothing shows as bad in that file.. thanks. Did Combofix not work? What happens if you dl the file using another computer to a thumbdrive, drag it onto your desktop and then dclick the icon there?
And did you try the Panda scan using Firefox [which does not use ActiveX]?
Does TM work in normal mode now?
Anyway, try this in a cmd window in Safe mode: rmdir /S C:\WINDOWS\privacy_danger
And if that will not delete the directory run through it file by file with this tool [normal mode or safe]:
==This one is a general purpose deleter, Unlocker: http://filehippo.com/download_unlocker/
Dclick the exe to install it, unchecking the updater and assistant boxes. It runs from the rclick context menu, and that is cool.
mmm... I did check another didier page.. but no mention of differences. Look, that file I gave you is merely a list of things to load, individual drivers or groups thereof. If any are incorrect.. ie in my list but not in your machine, or the list is incomplete.. then you will merely get what you get now - nothing. And we can remove those supplied subkeys if needs be. It is safe to try.
Weasel, I'd like to see the contents of a couple of reg keys...
==Please copy the text in the box to a notepad [format/wordwrap unchecked] and save as showkey.bat, as type "all files", to your desktop; dclick it to run, then post the file C:\showkey.txt
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 0 /f
reg query "HKCU\Software\Microsoft\Internet Explorer\Main" >C:\showkey.txt
reg query "HKCU\Software\Microsoft\Internet Connection Wizard" >>C:\showkey.txt
reg query "HKLM\SOFTWARE\Microsoft\Internet Explorer\Main" >>C:\showkey.txt
reg query "HKLM\SOFTWARE\Microsoft\Internet Connection Wizard" >>C:\showkey.txt
start C:\showkey.txt
pause
If showkey.txt is long please attach the file to your next post.
Delete that directory, privacy_danger. This will do it [see if TM works in normal mode now]:
Go TM, Run cmd, then paste in the window:
rmdir /s /q C:\WINDOWS\privacy_danger
Let's see if these are blocked - first clean, then do the scan [and Safe Mode with Networking is fine, if needs be]:
==Get CCleaner from http://www.ccleaner.com/ - and install it in a new folder. You should keep this one for general use. I set the installation checkboxes only to open from the recycle bin. It's neater that way.
Now run CCleaner from the recycle bin rclick menu using its default settings [if you set up CCleaner as I suggested, rclicking the bin icon should give you the Open CCleaner option...].
If you have FireFox open the Applications tab and ensure at least that Cookies and Cache are checked.
Select the Cleaner icon, press Run Cleaner.
Run …
Using Safe Mode would be just fine, weasel