# Multiple issues?

Discussion in 'Virus & Other Malware Removal' started by Crayon5, Aug 18, 2009.

Howdy folks, Win XP. I've got the 2010 bug, attempted to run AVG and Avira but the system crashes before they can complete, then blue screen, automatic re-boot and it starts all over again. I've downloaded Combofix, HJT and Spybot but they won't install after clicking on the saved exe. ATF cleaner will install but doesn't help. Any ideas?

Ok, no reply so there's probably information I'm not including that I should. What specifically should I include that you need in order to diagnose the problem? I don't know if it's one or multiple problems.

Hi, Welcome to TSG!!

Download OTS.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTS on your desktop.
1. Close any open browsers.
2. If your Real protection or Antivirus intervenes with OTS, allow it to run.
3. Open the OTS folder and double-click on OTS.exe to start the program.
4. In the Additional Scans section put a check in Disabled MS Config Items and EventViewer logs.
5. Now click the Run Scan button on the toolbar.
6. The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
7. When the scan is complete Notepad will open with the report file loaded in it.
8. Save that notepad file.
Use the Reply button, scroll down to the attachments section and attach the notepad file here.

Here you go!

Sorry

I've submitted the OTS, is there anything else you need?

Start OTS. Copy/Paste the information in the Code box below into the pane where it says Paste fix here and then click the Run Fix button.

Code:
[Kill Explorer]
[Unregister Dlls]
[Win32 Services - Safe List]
YY -> (AntipPro2009_12) AntipyPro_12 [Win32_Own | Auto | Stopped] ->
[Registry - Safe List]
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YY -> {F54AF7DE-6038-4026-8433-CC30E3F17212} [HKLM] -> C:\WINDOWS\System32\dddesot.dll [ICQSys (IE PlugIn)]
< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> "net" -> C:\WINDOWS\System32\net.net ["C:\WINDOWS\system32\net.net"]
< Standard Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
YN -> "%windir%\system32\drivers\svchost.exe" -> C:\WINDOWS\System32\drivers\svchost.exe [%windir%\system32\drivers\svchost.exe:*:Enabled:svchost]
[Files/Folders - Created Within 30 Days]
NY -> 6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
NY -> onhelp.htm -> C:\WINDOWS\System32\onhelp.htm
NY -> bennuar.old -> C:\WINDOWS\System32\bennuar.old
NY -> dddesot.dll -> C:\WINDOWS\System32\dddesot.dll
NY -> ppp4.dat -> C:\WINDOWS\ppp4.dat
NY -> sysnet.dat -> C:\WINDOWS\System32\sysnet.dat
NY -> ppp3.dat -> C:\WINDOWS\ppp3.dat
NY -> desot.exe -> C:\WINDOWS\System32\desot.exe
NY -> sonhelp.htm -> C:\WINDOWS\System32\sonhelp.htm
NY -> Windows Antivirus Pro.lnk -> C:\Documents and Settings\theMIKESHOW\Desktop\Windows Antivirus Pro.lnk
NY -> bived.com -> C:\WINDOWS\System32\bived.com
NY -> ypevamen.reg -> C:\Program Files\Common Files\ypevamen.reg
NY -> equtoduham.dat -> C:\Program Files\Common Files\equtoduham.dat
NY -> emudurir.dat -> C:\Documents and Settings\theMIKESHOW\Application Data\emudurir.dat
NY -> ipizuza.bin -> C:\Documents and Settings\theMIKESHOW\Application Data\ipizuza.bin
NY -> ybexebepu.exe -> C:\Program Files\Common Files\ybexebepu.exe
NY -> iguz.bat -> C:\Documents and Settings\theMIKESHOW\Application Data\iguz.bat
NY -> unyvybasyl.scr -> C:\WINDOWS\unyvybasyl.scr
NY -> abusof.dl -> C:\Documents and Settings\All Users\Application Data\abusof.dl
NY -> wydyraw.sys -> C:\Documents and Settings\All Users\Documents\wydyraw.sys
NY -> iveg.ban -> C:\WINDOWS\iveg.ban
NY -> obocymojo.dll -> C:\WINDOWS\obocymojo.dll
NY -> jecot.vbs -> C:\Documents and Settings\theMIKESHOW\Local Settings\Application Data\jecot.vbs
NY -> iryna.exe -> C:\Documents and Settings\All Users\Application Data\iryna.exe
NY -> kypaqyga.reg -> C:\Documents and Settings\All Users\Application Data\kypaqyga.reg
NY -> PC_Antispyware2010 -> C:\Program Files\PC_Antispyware2010
NY -> msb.exe -> C:\WINDOWS\msb.exe
NY -> braviax.exe -> C:\WINDOWS\braviax.exe
NY -> msa.exe -> C:\WINDOWS\msa.exe
NY -> {7B02EF0B-A410-4938-8480-9BA26420A627}.job -> C:\WINDOWS\tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job
NY -> {BB65B0FB-5712-401b-B616-E69AC55E2757}.job -> C:\WINDOWS\tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job
[Files/Folders - Modified Within 30 Days]
NY -> 7 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
NY -> 84 C:\Documents and Settings\theMIKESHOW\Local Settings\temp\*.tmp files -> C:\Documents and Settings\theMIKESHOW\Local Settings\temp\*.tmp
NY -> 1 C:\Documents and Settings\theMIKESHOW\Local Settings\temp\is-7EA6M.tmp\_isetup\*.tmp files -> C:\Documents and Settings\theMIKESHOW\Local Settings\temp\is-7EA6M.tmp\_isetup\*.tmp
NY -> 2 C:\WINDOWS\Temp\*.tmp files -> C:\WINDOWS\Temp\*.tmp
NY -> {BB65B0FB-5712-401b-B616-E69AC55E2757}.job -> C:\WINDOWS\tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job
[Empty Temp Folders]
[Start Explorer]
[Reboot]


The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix.
Post that information back here.

I will review the information when it comes back in.
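For readers following along, the OTS fix above is worth reading as a triage record rather than just a paste-and-run script: it names a service with a fake-antivirus product name, a Run entry launching a file with a `.net` extension, a firewall exception for a `svchost.exe` sitting in `System32\drivers` (the real one lives in `System32`), and a handful of executables dropped straight into `C:\WINDOWS`. The example below is added here and is not OTS, TSG or the forum helper's code; it parses the OTS line grammar (`[Section]`, `< Subsection > -> key`, `YY -> name -> path [extra]`) as inferred from the fix posted above, and applies a few defensive heuristics that make those entries stand out. The sample input is constructed from lines in that fix.

```python
"""Parse OTS-style fix/scan lines and flag entries a reviewer should look at first.

Added example for this thread, not OTS tooling. The line grammar is inferred
from the fix posted above; SAMPLE is constructed from it.
"""
import ntpath
import re
from dataclasses import dataclass

# Constructed sample, shaped like the OTS fix posted in this thread.
SAMPLE = r"""
[Win32 Services - Safe List]
YY -> (AntipPro2009_12) AntipyPro_12 [Win32_Own | Auto | Stopped] ->
[Registry - Safe List]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> "net" -> C:\WINDOWS\System32\net.net ["C:\WINDOWS\system32\net.net"]
< Standard Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
YN -> "%windir%\system32\drivers\svchost.exe" -> C:\WINDOWS\System32\drivers\svchost.exe [%windir%\system32\drivers\svchost.exe:*:Enabled:svchost]
[Files/Folders - Created Within 30 Days]
NY -> 6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
NY -> braviax.exe -> C:\WINDOWS\braviax.exe
"""

# Folders where the genuine copies of these Windows XP core binaries live.
CORE_BINARY_HOME = {
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}
# Extensions a Run entry normally launches; anything else (e.g. ".net") is odd.
LAUNCHABLE = {".exe", ".com", ".scr", ".bat", ".cmd", ".pif"}
# Executable image types worth noticing when newly created in the Windows root.
PE_EXT = {".exe", ".dll", ".scr", ".com", ".sys"}

# Splits the optional trailing "[extra]" off an entry's path column.
PATH_RE = re.compile(r"^(?P<path>.*?)(?: \[(?P<extra>.*)\])?$")


@dataclass
class Entry:
    section: str     # e.g. "Registry - Safe List"
    subsection: str  # e.g. "Run [HKEY_LOCAL_MACHINE\\]" or "" when none
    flags: str       # the two-letter YY/YN/NY column
    name: str
    path: str        # "" for entries without a file path (services)
    extra: str


def parse(text):
    """Turn OTS lines into Entry records, tracking the enclosing (sub)section."""
    section = subsection = ""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, subsection = line[1:-1], ""
            continue
        if line.startswith("< ") and " > -> " in line:
            subsection = line[2:line.index(" > -> ")]
            continue
        parts = line.split(" -> ", 2)
        if not re.fullmatch(r"[YN]{2}", parts[0]):
            continue  # not an entry line
        # Service lines end in a bare "->" with no path column after it.
        name = re.sub(r"\s*->$", "", parts[1]).strip('"')
        m = PATH_RE.match(parts[2] if len(parts) == 3 else "")
        entries.append(Entry(section, subsection, parts[0], name,
                             m["path"], m["extra"] or ""))
    return entries


def audit(text):
    """Return (path, reason) pairs for entries matching the heuristics above."""
    findings = []
    for e in parse(text):
        if not e.path or "*" in e.path:
            continue  # services and wildcard temp-file summaries carry no single path
        folder = ntpath.dirname(e.path).lower()
        base = ntpath.basename(e.path).lower()
        ext = ntpath.splitext(base)[1]
        home = CORE_BINARY_HOME.get(base)
        if home and folder != home:
            findings.append((e.path, f"{base} outside its normal folder {home}"))
        if e.subsection.startswith("Run") and ext not in LAUNCHABLE:
            findings.append((e.path, f"Run entry launches a file with unusual extension {ext!r}"))
        if "Authorized Applications" in e.subsection and not folder.startswith(r"c:\program files"):
            findings.append((e.path, "firewall exception for a binary outside Program Files"))
        if e.section.startswith("Files/Folders - Created") and folder == r"c:\windows" and ext in PE_EXT:
            findings.append((e.path, "new executable dropped directly in the Windows folder"))
    return findings


if __name__ == "__main__":
    for path, reason in audit(SAMPLE):
        print(f"{path}: {reason}")
```

Run against the sample, the drivers-folder `svchost.exe` is reported twice (wrong folder for a core binary, and a firewall exception for it), `net.net` once for its extension, and `braviax.exe` once for landing in the Windows root; the service line and the `*.tmp` summary produce no path and are skipped. The heuristics are deliberately narrow: they point at what to inspect, they do not decide what to delete.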

More hours in a day?

Sorry about this delay but I've been trying to do what you said. I don't get a window message pop-up upon completion, just re-boot then I attempt to do it again with the same results.

After the fix is completed I get a pop-up that says the system requires a reboot to finish cleaning up the files. Then automatic reboot no matter what I do.

Download ComboFix from one of these locations:

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

With malware infections being as they are today, it's strongly recommended to have the Windows Recovery Console pre-installed on your machine before doing any malware removal.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Go to Microsoft's website => http://support.microsoft.com/kb/310994

Download the file & save it as it's originally named.

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

Please note once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall.

• Drag the setup package onto ComboFix.exe and drop it.
• Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.

• At the next prompt, click 'Yes' to run the full ComboFix scan.
• When the tool is finished, it will produce a report for you.

Combofix certainly has been a life saver in the past but how do I get it to download to the desktop? It goes to the downloads folder and right clicking on the link does no good, there must be a setting somewhere I'm forgetting. I have the recovery console installed (the one you choose on the bios) from an old Combofix installation, I think. Blue screen when I go with recovery. When I try to do an accessory/system tools/system recovery I get a prompt asking me to choose a program to use, which I don't know. I can make a copy/shortcut of Combofix and put it on the desktop but obviously that doesn't work.

I've been able to run Avira and AVG but they find the same stuff and can't get rid of it.

If you can get the machine to boot up properly I would suggest you get your data backed up to a cd, dvd or thumb drive.

• Double-click the drweb-cureit.exe file and allow it to run the express scan.
• This will scan the files currently running in memory and, when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
• Once the short scan has finished, mark the drives that you want to scan.
• Select all drives. A red dot shows which drives have been chosen.
• Click the green arrow at the right, and the scan will start.
• Click 'Yes to all' if it asks if you want to cure/move the file.
• When the scan has finished, look whether you can click the next icon next to the files found:
• If so, click it, then click the next icon right below and select Move incurable as you'll see in the next image:

This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured (this is in case we need samples).
• After selecting, in the Dr.Web CureIt menu on top, click File and choose Save report list.
• Save the report to your desktop. The report will be called DrWeb.csv.
• Close Dr.Web CureIt.
• Reboot your computer!! It is possible that files in use will only be moved/deleted during the reboot.
• After reboot, post the contents of the log from Dr.Web you saved previously in your next reply, along with a new HijackThis log.

I can't wait to do that, thx! But when I go to load it from the desktop it asks which program do you want to use? I redirect it back to the desktop exe and it just disappears; redoing it gives the same result.