
Solved Computer Crashing and Fraud "Vista Spyware" Program

Discussion in 'Virus & Other Malware Removal' started by mobman47, Apr 27, 2010.

Thread Status:
Not open for further replies.
  1. mobman47

    mobman47 Thread Starter

    Joined:
    Dec 24, 2007
    Messages:
    33
    I was cruising the internet, I clicked on a friendly program and Vista asked me if I trusted it; I hit yes. Unfortunately, the question wasn't for the program, it was from a pop-up (behind my current window) that occurred at the same time from a fishy site. After doing so I swiftly hit myself in the forehead because I had a feeling this is where I was heading. Apparently I downloaded some kind of virus. My computer has now been giving me frequent pop-ups of a "Vista Antispyware" program that feels the need to consistently notify me "YOUR COMPUTER IS LOADED WITH VIRUSES, BUY NOW!" I'm not taking the bait. Especially because the program popped up in 7 identical windows when left alone for an hour.

    I initially ran some malware and spyware scans, and they removed quite a bit, but the problem of the program persists. Unfortunately, I don't have any antivirus software because I haven't paid for one and my last trial-edition one ran out. I attempted to get the AVG installer from another computer, transferred it to a USB drive and put it on my computer, but the installer doesn't work without an internet connection. This is a problem because if I don't disconnect from the internet before signing in, or if I'm not in safe mode, the computer will go to the blue screen within minutes. So far these are the only tools I've used.

    I also discovered that the virus disabled many things: when I start up the computer I get about 7 error windows for programs that aren't working properly, some of the important ones being System Restore (not an option now), the Run program, a bunch of DLLs I don't recognize, etc.

    Anyways, here's my hijack log to detect anything fishy, thank you to whomever helps, I appreciate it.

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 8:44:07 AM, on 4/27/2010
    Platform: Windows Vista SP2 (WinNT 6.00.1906)
    MSIE: Internet Explorer v8.00 (8.00.6001.18904)
    Boot mode: Safe mode

    Running processes:
    C:\Windows\Explorer.EXE
    C:\Users\Nate\AppData\Local\ave.exe
    C:\PROGRAM FILES\TREND MICRO\HIJACKTHIS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O1 - Hosts: ::1 localhost
    O2 - BHO: C:\Windows\system32\kvpn0tj72v.dll - {A2BA40A0-74F1-52BD-F411-00B15A2C8953} - C:\Windows\system32\kvpn0tj72v.dll (file missing)
    O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
    O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\PROGRAM FILES\QUICKTIME\QTTASK .EXE" -atboottime
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
    O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
    O4 - HKLM\..\Run: [net] "C:\Windows\system32\net.net"
    O4 - HKLM\..\Run: [ewrgetuj] C:\Users\Nate\AppData\Local\Temp\geurge.exe
    O4 - HKLM\..\Run: [lsdefrag] C:\Users\Nate\AppData\Local\Temp\esocnrwmax.exe
    O4 - HKLM\..\Run: [ezLife] rundll32 "tjvskwii.dll",,Run
    O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\WINDOWS LIVE\MESSENGER\MSNMSGR .EXE" /background
    O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
    O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EADM\Core.exe" -silent
    O4 - HKCU\..\Run: [Tunebite] C:\Program Files\RapidSolution\Tunebite\Tunebite.exe -tray
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\PROGRAM FILES\DAEMON TOOLS LITE\daemon.exe" -autorun
    O4 - HKCU\..\Run: [uTorrent] "C:\PROGRAM FILES\UTORRENT\UTORRENT .EXE"
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - HKCU\..\Run: [mcexecwin] rundll32.exe C:\Users\Nate\AppData\Local\Temp\c20z1.dll, RestoreWindows
    O4 - HKCU\..\Run: [sysmon64x.exe] C:\Users\Nate\AppData\Local\Temp\sysmon64x.exe
    O4 - HKCU\..\Run: [hsf87sdhfush87fsufhuie3fddf] C:\Users\Nate\APPDATA\LOCAL\TEMP\PXFQ45 .EXE
    O4 - HKCU\..\Run: [hsf87efjhdsf87f3jfsdi7fhsujfd] C:\Users\Nate\APPDATA\LOCAL\TEMP\SMSS .EXE
    O4 - HKCU\..\Run: [newupdate1142C.exe] C:\Users\Nate\AppData\Roaming\E492C0F23A3788E958B9D63D945E5882\newupdate1142C.exe
    O4 - HKCU\..\Run: [YVIBBBHA8C] C:\Users\Nate\APPDATA\LOCAL\TEMP\xrx .exe
    O4 - HKCU\..\Run: [rinfri] RUNDLL32.EXE C:\Users\Nate\AppData\Local\Temp\msfdjgqe.dll,w
    O4 - HKCU\..\Run: [NEWUPDATE1142C .EXE] C:\Users\Nate\APPDATA\ROAMING\E492C0F23A3788E958B9D63D945E5882\NEWUPDATE1142C .EXE
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
    O4 - Startup: CurseClientStartup.ccip
    O4 - Startup: ImpulseNow.lnk = C:\Program Files\Stardock\Impulse\Now\ImpulseNow.exe
    O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O17 - HKLM\System\CCS\Services\Tcpip\..\{353C1925-B2BD-40E2-9890-7DFAC0BD39C9}: NameServer = 93.188.163.136,93.188.166.163
    O17 - HKLM\System\CCS\Services\Tcpip\..\{AAE4E841-1963-4AD4-9D14-58233F3A603D}: NameServer = 93.188.163.136,93.188.166.163
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.163.136,93.188.166.163
    O17 - HKLM\System\CS1\Services\Tcpip\..\{353C1925-B2BD-40E2-9890-7DFAC0BD39C9}: NameServer = 93.188.163.136,93.188.166.163
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 93.188.163.136,93.188.166.163
    O17 - HKLM\System\CS2\Services\Tcpip\..\{353C1925-B2BD-40E2-9890-7DFAC0BD39C9}: NameServer = 93.188.163.136,93.188.166.163
    O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 93.188.163.136,93.188.166.163
    O17 - HKLM\System\CS3\Services\Tcpip\..\{353C1925-B2BD-40E2-9890-7DFAC0BD39C9}: NameServer = 93.188.163.136,93.188.166.163
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.163.136,93.188.166.163
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
    O22 - SharedTaskScheduler: kjsfi8sjefiuoshiefyhiusdhfdf - {A2BA40A0-74F1-52BD-F411-00B15A2C8953} - C:\Windows\system32\kvpn0tj72v.dll (file missing)
    O23 - Service: Google Update Service (gupdate1cacc67fb03aba0) (gupdate1cacc67fb03aba0) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
    O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    --
    End of file - 7249 bytes
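    The HijackThis log above shows the indicator patterns a malware specialist reads first: processes and O4 autoruns launched from AppData and Temp, file names with a space inserted before the extension, a .net "executable", registered components whose file is missing, an O7 regedit lockout policy, and O17 NameServer entries pointing every adapter at public DNS servers. The following Python script is an added example (not HijackThis code and not from the thread) that parses lines in this format and flags those patterns; its sample log is a constructed excerpt modeled on the one posted, and the heuristics are the author's own rules, not a complete triage.

```python
"""Triage heuristics for a HijackThis log (added example, not HijackThis code).

Parses the R/O-numbered lines and the 'Running processes' block and flags
the patterns a malware specialist looks for first: binaries launched from
user-writable folders, a space inserted before the extension, unusual
extensions, missing-file BHO/task entries, regedit lockout policies, and
DNS servers (O17) replaced with public addresses.
"""
import ipaddress
import re

# Constructed sample in HijackThis format, modeled on the log in the thread.
SAMPLE_LOG = r"""
Running processes:
C:\Windows\Explorer.EXE
C:\Users\Nate\AppData\Local\ave.exe

O1 - Hosts: ::1 localhost
O2 - BHO: C:\Windows\system32\kvpn0tj72v.dll - {A2BA40A0-74F1-52BD-F411-00B15A2C8953} - C:\Windows\system32\kvpn0tj72v.dll (file missing)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [net] "C:\Windows\system32\net.net"
O4 - HKLM\..\Run: [lsdefrag] C:\Users\Nate\AppData\Local\Temp\esocnrwmax.exe
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [hsf87efjhdsf87f3jfsdi7fhsujfd] C:\Users\Nate\APPDATA\LOCAL\TEMP\SMSS .EXE
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.163.136,93.188.166.163
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
"""

USER_WRITABLE = re.compile(r"\\(temp|appdata\\(local|roaming))\\", re.I)
SPACE_BEFORE_EXT = re.compile(r"\S\s+\.(exe|com|dll)\b", re.I)
LAUNCH_EXTS = {"exe", "com", "scr", "bat", "cmd"}
ENTRY = re.compile(r"^([RO]\d+) - (.*)$")


def _launched_file(target):
    """First token of an O4 command line: the quoted path, else the first word."""
    target = target.strip()
    if target.startswith('"'):
        end = target.find('"', 1)
        return target[1:end] if end > 0 else target[1:]
    return target.split()[0] if target else ""


def _extension(path):
    """Extension of the file name part of path, lowercased; '' when none."""
    name = path.rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def _is_public(ip_text):
    """True for a routable (non-private, non-loopback) IP address."""
    try:
        return ipaddress.ip_address(ip_text.strip()).is_global
    except ValueError:
        return False


def parse(log_text):
    """Yield (kind, body): kind is 'PROC' for a running process, else the HJT code."""
    in_procs = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        m = ENTRY.match(line)
        if m:
            in_procs = False
            yield m.group(1), m.group(2)
        elif in_procs:
            yield "PROC", line


def triage(log_text):
    """Return findings as (kind, reason, body) tuples in log order."""
    findings = []
    for kind, body in parse(log_text):
        if kind == "PROC" and USER_WRITABLE.search(body):
            findings.append((kind, "process running from a user-writable folder", body))
        elif kind == "O4":
            # body looks like 'HKLM\..\Run: [name] command line'
            target = body.split("]", 1)[1] if "]" in body else body
            ext = _extension(_launched_file(target))
            if USER_WRITABLE.search(target):
                findings.append((kind, "autorun from a user-writable folder", body))
            if SPACE_BEFORE_EXT.search(target):
                findings.append((kind, "space inserted before the file extension", body))
            if ext and ext not in LAUNCH_EXTS:
                findings.append((kind, "launches a file with an unusual extension ." + ext, body))
        elif kind in ("O2", "O3", "O22") and "(file missing)" in body:
            findings.append((kind, "registered component whose file is missing", body))
        elif kind == "O7" and re.search(r"Disable\w+=1", body):
            findings.append((kind, "policy restricting regedit/task manager", body))
        elif kind == "O17":
            m = re.search(r"NameServer\s*=\s*(.+)$", body)
            public = [ip for ip in m.group(1).split(",") if _is_public(ip)] if m else []
            if public:
                findings.append((kind, "DNS servers overridden with public addresses: " + ", ".join(public), body))
    return findings


if __name__ == "__main__":
    for kind, reason, body in triage(SAMPLE_LOG):
        print(f"[{kind}] {reason}\n    {body}")
```

    Run against the constructed sample it reports eight findings and leaves the Windows Defender, Steam and Valve service lines alone. The O17 rule is the one worth keeping even after cleanup: a NameServer value that stays pointed at an unfamiliar public address after the rogue is removed means every lookup the machine makes is still answered by the attacker's resolver.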
     
  2. mobman47

    mobman47 Thread Starter

    Joined:
    Dec 24, 2007
    Messages:
    33
  3. NeonFx

    NeonFx Malware Specialist

    Joined:
    Oct 22, 2008
    Messages:
    4,811
    Hello there :cool: Welcome to the TSG Forums.
    My name is NeonFx. I'll be glad to help you with your computer problems. Logs can take some time to research, so please be patient with me.


    Please note the following:
    • The fixes are specific to your problem and should only be used on this machine.
    • Please continue to review my answers until I tell you your machine appears to be clean. Absence of symptoms does not necessarily mean that the system is completely clean.
    • It's often worth reading through these instructions and printing them for ease of reference. I may ask you to boot into Safe Mode where you will be unable to follow my instructions online.
    • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
    • Please reply to this thread. Do not start a new topic.



    Step 1

    Please download exeHelper to your desktop.
    Double-click on exeHelper.com to run the fix.
    A black window should pop up, press any key to close once the fix is completed.
    Post the contents of exehelperlog.txt (Will be created in the directory where you ran exeHelper.com, and should open at the end of the scan)

    Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).


    Step 2

    Download OTS to your Desktop

    • Close ALL OTHER PROGRAMS.
    • Double-click on OTS.exe to start the program.
    • Check the box that says Scan All Users
    • Under Basic Scans please change the radio button under Registry from Safe List to All.
    • Under Additional Scans check the following:
      • Reg - Desktop Components
      • Reg - Disabled MS Config Items
      • Reg - NetSvcs
      • Reg - Shell Spawning
      • Reg - Uninstall List
      • File - Lop Check
      • File - Purity Scan
      • Evnt - EvtViewer (last 10)
    • Please paste the contents of the following codebox into the Custom Scans box at the bottom
    Code:
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    mv61xx.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    • Now click the Run Scan button on the toolbar.
    • Let it run unhindered until it finishes.
    • When the scan is complete Notepad will open with the report file loaded in it.
    • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
    Please attach the log in your next post. To do so click on the blue "Reply" button or "Go Advanced" and click on the "Manage Attachments" button

    Step 3

    GMER Rootkit Scanner
    Please download GMER from one of the following locations and save it to your desktop:
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zipped Mirror
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
    • Disconnect from the Internet and close all running programs. Make sure you disable your security programs as well, as they may interfere with the program.
    • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
    • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

    • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
    • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
    • Now click the Scan button. If you see a rootkit warning window, click OK.
    • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
    • Click the Copy button and paste the results into your next reply.
    • Exit GMER and re-enable your security programs when done.


    If you have trouble running GMER, please try running it in Safe Mode. To get to Safe Mode you'll need to repeatedly tap the F8 key on your keyboard as you turn your computer on until a black and white menu appears with the option.

    If you continue to have trouble with it, try running it without the "Files" scan checked.



    Again, if the results are really long, please attach them using the instructions I gave you at the end of step 1. This is to avoid having to scroll down the page too much and to make the space cleaner.
     
  4. mobman47

    mobman47 Thread Starter

    Joined:
    Dec 24, 2007
    Messages:
    33
    Hello Neonfx, thanks for taking the time to help me out in my current situation.

    My computer can't connect to the internet due to it crashing if it does so. I primarily run my computer in safe mode to avoid the problem since there's no networking. So at the moment, I'm using another computer so I can download the files, transfer them to a USB device, and transfer the files to my own computer. That being said, I was able to download OTS and GMER, but this computer isn't allowing me to download the exehelper because it's detecting a Trojan file. Is this file safe for this computer? In the meantime, can I run the other programs or is it essential that exehelper is run first?
     
  5. NeonFx

    NeonFx Malware Specialist

    Joined:
    Oct 22, 2008
    Messages:
    4,811
    The program is perfectly safe but because of the nature of what it does, certain security programs will detect it as malware. Please tell your security program to ignore it, or add it to the safe list.

    And yes, exehelper targets your specific infection and will really help the other programs to run smoothly. It needs to be run first.


    Also, have you tried booting to Safe Mode with Networking?



    Do the following on the clean computer to prevent it from getting infected from your USB drive. Do this before plugging the USB drive back into that computer:

    Download Flash_Disinfector.exe by sUBs from here and save it to your desktop.
    • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
    • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
    • Wait until it has finished scanning and then exit the program.
    • Reboot your computer when done.

      Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you run it. Don't delete this folder...it will help protect your drives from future infection.
     
  6. mobman47

    mobman47 Thread Starter

    Joined:
    Dec 24, 2007
    Messages:
    33
    I ran all three programs, no problems encountered. Here's the exehelper results

    exeHelper by Raktor
    Build 20100414
    Run at 18:39:21 on 04/28/10
    Now searching...
    Checking for numerical processes...
    Checking for sysguard processes...
    Checking for bad processes...
    Checking for bad files...
    Deleting file C:\Users\Nate\AppData\Local\ave.exe
    Error deleting C:\Users\Nate\AppData\Local\ave.exe - Set for removal on reboot - PLEASE REBOOT
    Checking for bad registry entries...
    Resetting filetype association for .exe
    Removing HKCR\secfile
    Resetting filetype association for .com
    Resetting userinit and shell values...
    Resetting policies...
    --Finished--

    exeHelper by Raktor
    Build 20100414
    Run at 18:42:46 on 04/28/10
    Now searching...
    Checking for numerical processes...
    Checking for sysguard processes...
    Checking for bad processes...
    Checking for bad files...
    Checking for bad registry entries...
    Resetting filetype association for .exe
    Resetting filetype association for .com
    Resetting userinit and shell values...
    Resetting policies...
    --Finished--

    OTS and GMER results are attached.
     

    Attached Files:

    • OTS.Txt
      File size:
      209.6 KB
      Views:
      2
    • gmer.log
      File size:
      20.1 KB
      Views:
      1
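    The exeHelper log above records the resets this family of rogue forces: the .exe and .com file-type associations, the HKCR\secfile class it registered, and the Winlogon userinit/shell values and policies. The Python script below is an added example (not exeHelper's code and not from the thread) that checks those values against known-good defaults. The expected Winlogon values are the Windows Vista/7 defaults as the example's author knows them; the "hijacked" snapshot, including its secfile command line, is constructed for illustration; and read_live_snapshot() is a Windows-only helper that fills the same structure with winreg.

```python
"""Check the values exeHelper resets, against a registry snapshot.

Added example, not exeHelper's code. A snapshot is a plain dict
{key_path: {value_name: data}} (value_name '' is the key's default), so the
check runs offline; on Windows, read_live_snapshot() fills the same shape
from the registry with winreg.
"""

# Known-good defaults for the associations and Winlogon values exeHelper resets.
EXPECTED = {
    (r"HKCR\.exe", ""): "exefile",
    (r"HKCR\exefile\shell\open\command", ""): '"%1" %*',
    (r"HKCR\.com", ""): "comfile",
    (r"HKCR\comfile\shell\open\command", ""): '"%1" %*',
    (r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell"): "explorer.exe",
    (r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Userinit"): r"C:\Windows\system32\userinit.exe,",
}
POLICY_KEY = r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
LOCKOUT_POLICIES = ("DisableRegistryTools", "DisableTaskMgr")

# Constructed snapshot of the hijacked state: .exe files are routed through a
# 'secfile' class whose open command runs the rogue from AppData (the file
# exeHelper deleted); the command line itself is invented for illustration.
HIJACKED = {
    r"HKCR\.exe": {"": "secfile"},
    r"HKCR\secfile\shell\open\command": {"": r'"C:\Users\Nate\AppData\Local\ave.exe" "%1" %*'},
    r"HKCR\exefile\shell\open\command": {"": '"%1" %*'},
    r"HKCR\.com": {"": "comfile"},
    r"HKCR\comfile\shell\open\command": {"": '"%1" %*'},
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon": {
        "Shell": "explorer.exe",
        "Userinit": r"C:\Windows\system32\userinit.exe,",
    },
    POLICY_KEY: {"DisableRegistryTools": "1"},
}


def clean_snapshot():
    """Snapshot holding exactly the expected defaults (what exeHelper restores)."""
    snap = {}
    for (key, name), data in EXPECTED.items():
        snap.setdefault(key, {})[name] = data
    return snap


def check_snapshot(snapshot):
    """Return (key, value_name, actual, expected) for every value that is off."""
    problems = []
    for (key, name), expected in EXPECTED.items():
        actual = snapshot.get(key, {}).get(name)
        if actual is None or actual.strip().lower() != expected.lower():
            problems.append((key, name, actual, expected))
    # When .exe points at a foreign class, report that class's open command:
    # it is what actually runs each time the user starts any program.
    exe_class = snapshot.get(r"HKCR\.exe", {}).get("", "")
    if exe_class.lower() not in ("", "exefile"):
        cmd_key = r"HKCR\%s\shell\open\command" % exe_class
        problems.append((cmd_key, "", snapshot.get(cmd_key, {}).get(""), "(key should not exist)"))
    for name in LOCKOUT_POLICIES:
        if str(snapshot.get(POLICY_KEY, {}).get(name, "0")) == "1":
            problems.append((POLICY_KEY, name, "1", "absent or 0"))
    return problems


def read_live_snapshot():
    """Windows only: read the keys above (plus any foreign .exe class) via winreg."""
    import winreg  # only present on Windows
    roots = {"HKCR": winreg.HKEY_CLASSES_ROOT, "HKLM": winreg.HKEY_LOCAL_MACHINE,
             "HKCU": winreg.HKEY_CURRENT_USER}

    def read_key(path):
        root, _, sub = path.partition("\\")
        values = {}
        try:
            with winreg.OpenKey(roots[root], sub) as handle:
                index = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(handle, index)
                    except OSError:
                        break
                    values[name] = str(data)
                    index += 1
        except OSError:
            pass
        return values

    snap = {path: read_key(path) for path in {k for k, _ in EXPECTED} | {POLICY_KEY}}
    exe_class = snap.get(r"HKCR\.exe", {}).get("", "")
    if exe_class and exe_class.lower() != "exefile":
        cmd_key = r"HKCR\%s\shell\open\command" % exe_class
        snap[cmd_key] = read_key(cmd_key)
    return snap


if __name__ == "__main__":
    for problem in check_snapshot(HIJACKED):
        print(problem)
```

    On the constructed snapshot the check reports three problems: the .exe association pointing at secfile, the secfile open command that would run the rogue before any program the user launches, and the regedit lockout policy; after the resets exeHelper logged, the same check against clean_snapshot() returns nothing. This is why exeHelper has to run before the other tools: while the association is hijacked, every .exe the user double-clicks is handed to the rogue first.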
  7. NeonFx

    NeonFx Malware Specialist

    Joined:
    Oct 22, 2008
    Messages:
    4,811
    Great. Let's do this now:


    NOTE: ComboFix should NOT be used without supervision by someone trained in its use. It does a whole lot more to a system than just remove infected files.

    Download ComboFix from one of these locations:

    Link 1
    Link 2


    * IMPORTANT !!! Save ComboFix.exe to your Desktop



    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : Disabling Security Programs
    • Double click on ComboFix.exe & follow the prompts.

      Note: Combofix will run without the Recovery Console installed.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

    Notes:

    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you please let me know. An increasing number of infections are spreading using Autoplay and leaving it disabled is a good idea.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
     
  8. mobman47

    mobman47 Thread Starter

    Joined:
    Dec 24, 2007
    Messages:
    33
    I turned my security off, ran the program, it automatically restarted after it finished, and now my computer won't boot at all. It only goes as far as the boot screen telling me to put in my Vista disk and run a repair because system file System32\Drivers\pxxavfpn is missing or corrupt. But I'm putting the disk in and restarting the computer and it's not loading the disk.
     
  9. NeonFx

    NeonFx Malware Specialist

    Joined:
    Oct 22, 2008
    Messages:
    4,811
    The computer really is severely infected.

    System32\Drivers\pxxavfpn is not a System file and is in fact one of the infection's files, so using your disk to repair the file will not work. The reason the computer will not boot is that it was made to think the file is necessary, and when ComboFix removed it, it caused that to happen.


    Can you burn a CD using this other system? We're going to have to attack this from outside of the system.
     
  10. mobman47

    mobman47 Thread Starter

    Joined:
    Dec 24, 2007
    Messages:
    33
    Yes, I have CDs available to burn, what do I need to burn to them?
     
  11. NeonFx

    NeonFx Malware Specialist

    Joined:
    Oct 22, 2008
    Messages:
    4,811
    Let's give this a try. You will need your flash drive to move information from the sick computer to a working computer, so we can see the progress of our actions. Save these instructions in your flash drive as a text file (use Notepad) so you can have access to these while in an external environment (PE).

    Here is what you need to do.

    Two programs to download

    First

    Download ISOBurner. Click Here for ISOBurner Instructions. Install the program, and follow the next set of steps.

    Second

    • Download OTLPE.iso and burn to a CD using ISO Burner. NOTE: This file is 276.7MB in size so it may take some time to download.
    • When downloaded double click and this will then open ISOBurner to burn the file to CD
    • Boot the Non working computer using the boot CD you just created.
    • In order to do so, the computer must be set to boot from the CD first
      Note : For information click here
    • Your system should now display a REATOGO-X-PE desktop.
    • Double-click on the OTLPE icon.
    • When asked "Do you wish to load the remote registry", select Yes
    • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
    • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
    • OTL should now start. Change the following settings
      • Change Drivers to All
      • Change Registry to All
      • Under the Custom Scan box paste this in

        %SYSTEMDRIVE%\*.*
        /md5start
        eventlog.dll
        scecli.dll
        netlogon.dll
        cngaudit.dll
        sceclt.dll
        ntelogon.dll
        logevent.dll
        iaStor.sys
        nvstor.sys
        atapi.sys
        IdeChnDr.sys
        viasraid.sys
        AGP440.sys
        vaxscsi.sys
        nvatabus.sys
        viamraid.sys
        nvata.sys
        nvgts.sys
        iastorv.sys
        ViPrt.sys
        eNetHook.dll
        ahcix86.sys
        KR10N.sys
        nvstor32.sys
        ahcix86s.sys
        nvrd32.sys
        /md5stop
        %systemroot%\*. /mp /s
        %systemroot%\System32\config\*.sav
    • Press Run Scan to start the scan.
    • When finished, the file will be saved in drive C:\OTL.txt
    • Copy this file to your USB drive.
    • Please post the contents of the C:\OTL.txt file in your reply.



    Also, please try to get me these files by copying them to your flash drive if they're there:

    C:\QooBox\ComboFix-quarantined-files.txt
    C:\ComboFix.txt
     
  12. mobman47

    mobman47 Thread Starter

    Joined:
    Dec 24, 2007
    Messages:
    33
    So I double-clicked the OTLPE icon, but instead of it asking me "Do you wish to load the remote registry" it just asks me to choose a Windows directory. Which do I choose? I tried a couple but it gave me error messages.
     
  13. NeonFx

    NeonFx Malware Specialist

    Joined:
    Oct 22, 2008
    Messages:
    4,811
    What's the error message it gives you?

    Your windows directory would be C:\Windows.


    You can also use this environment to backup any files you want to save. The most efficient way to fix your system would be to back everything up and then reinstall windows from scratch. I can still try to fix your system but if this is something you would like to do, let me know. I have no idea how long it will take but reinstalling windows should only take a few hours.
     
  14. mobman47

    mobman47 Thread Starter

    Joined:
    Dec 24, 2007
    Messages:
    33
    It says Windows is not Windows 2000 or higher. I may end up just doing the full system reinstall.
     
  15. NeonFx

    NeonFx Malware Specialist

    Joined:
    Oct 22, 2008
    Messages:
    4,811
    I don't know why it's giving you that error; it could be a number of things, the principal one being that the infection spread so much that it corrupted system files.

    I highly recommend the reinstall if you're willing to do it. I can get your computer back up and running but I can't guarantee that I'll be able to get everything, no program or person can guarantee that.

    Could you at least get me these two files if they're there?

    C:\QooBox\ComboFix-quarantined-files.txt
    C:\ComboFix.txt


    I want to see if it's something I should report to the program's developer.
     
Short URL to this thread: https://techguy.org/919597