computertooter

System.BrokenFileAssociation. False Positive?

Recommended Posts

A virus has prevented me from turning off System Restore. The virus is this:

System.BrokenFileAssociation

HKCR\.exe

HKCR\.com

HKCR\exefile\shell\open\command

I have the very latest version of SAS (as of 10:45 am, May 24, 2011) and even though SAS picks it up, it does not quarantine/remove it.

Please note that this same virus was addressed in a forum thread beginning 10-Feb-2009, and was still described as unfixed as of 10-May-2010, when the thread drops off. I am getting the exact same location references as were discussed back then.

In the original forum threads, all the replies said this was a false positive. I have to disagree.

Please advise? Thank you!


Please add me to the list of those receiving this detection at the conclusion of every scan.

SUPERAntiSpyware Scan Log

https://www.superantispyware.com

Generated 05/27/2011 at 07:02 PM

Application Version : 4.53.1000

Core Rules Database Version : 7152

Trace Rules Database Version: 4964

Scan type : Complete Scan

Total Scan Time : 00:30:00

Memory items scanned : 419

Memory threats detected : 0

Registry items scanned : 6154

Registry threats detected : 1

File items scanned : 22417

File threats detected : 0

System.BrokenFileAssociation

HKCR\.exe


For those having this issue, please do the following:

1) Run the SAS .exe from here: https://www.superantispyware.com/downloads/SAS_FixEXEfile.com

2) Fully update SAS by right clicking on the SAS bug in the System Tray/Notification area.

3) Run a scan. If that item appears again, then Trust/Allow it.

Hi Seth, and thanks for the reply. I don't intend to question your instructions to run FixExeFile, but I should let you know there are not any problems with the file associations, executable or otherwise.

Additionally, I would rather have a fix for the alleged false positive than add an exception. Having to add the exception would call into question my malware removal skills when dealing with clients.



The rule that deals with that detection, according to the developers, does more good than it does harm. Every once in a while we will see the "broken file association" which is detected somehow on the PC. As far as that is concerned, Seth's instructions were spot on! Please let us know if you have any additional concerns! :D

which is detected somehow on the pc

Therein lies the problem. IMHO, adding an exception which could potentially cause SAS to miss a detection in the future isn't "Spot on".



It would not miss any detection based on the trusting of that detection. Have you run the file association fix provided? Then run the scan again to see if it is detected?


I have conveyed the instructions and am awaiting the results. I will post back with the same. Thanks.



Update: I had the client run ExeFileFix.com, then perform another scan with SAS. I am happy to report the detection was not present at the conclusion. Although the main concern is the client's computer, and that issue has been resolved thanks to Seth's advice, I am a little perplexed by this. The client had already run ExeFix.reg by DougKnox at the beginning of my assistance, which seemed to have resolved the issue with executable files. Any help in understanding the later issue with the broken file association detected by SAS would be much appreciated.



I too am having the same problem. I was wondering what fix to use for my system. Running XP Home Edition

with AVG Free, Malwarebytes Free, SAS Free and Windows Firewall. Having some brief freezing issues and delays in start-up.

Please note this is a used notebook I purchased and I do not have any backup disk or a way to create one, and I have no access to System Restore. When trying to access System Restore I received a "no access, contact domain administrator" message. I can access all programs and all seem to be pretty good. Newbie to much of this. I don't want to crash the system with no way of recovery. I would greatly appreciate your help in this matter. Log enclosed:

SUPERAntiSpyware Scan Log - 06-03-2011 - scan after #1quartantine.txt



Welcome to the SAS forum.

Please follow the instructions in post #3.



Someone just brought it to my attention, while looking at an earlier SAS log, that I also have Norton installed on the notebook. It was in C:\Documents and Settings\All Users\Application Data. I did find it while looking through Programs, Add and Remove, or Downloads; it was hidden from me. They had AVG Free and Norton on the computer already, which may be why it had the problems when I got it, so I loaded SAS and MBAM to locate and fix them. This may be over my head to take care of. I haven't followed the instructions in post #3 yet. What do I do now, or should I take it in somewhere? It looks like there may be possible shareware in there as well; not sure, not familiar. Enclosed is the first scan done with SAS. These items are in quarantine, all except the cookies, which I deleted. If you need me to do some kind of total system log or something, I would have to know how to do so. Thanks

SUPERAntiSpyware Scan Log - 06-02-2011 - scan#1.txt



1) Once again...follow the simple instructions in post #3.

2) Run the Norton Removal Tool to completely get rid of Norton: http://majorgeeks.com/Norton_Removal_Tool_SymNRT_d4749.html

3) Run a scan with the Eset online scanner. When you run it, put a check in "Remove Found Threats" and "Scan Archives": http://www.eset.com/us/online-scanner



Will do. I have also enclosed the AVG scan results.

avg scan 6-4-2011 # 1.zip



I ran the fix in post #3; results after scan: 0 threats detected.

Ran the Norton Removal Tool, then ran a search: no Norton files except the removal tool.

Ran the ESET scan: 13 total infected files.

10 files infected:

variant of Java/Trojan Downloader.openstream.nice trojan

3 files infected:

JS/Exploit.Pdfka.OWU.GEN trojan

1 file infected:

WINDOWS32/Adware.Litze.H application

All infected files cleaned, deleted and quarantined.

Restarted the computer and then ran scans:

MBAM: 0 found

SAS: 0 found

AVG: the same items were picked up again that were in the above post's attachments, with the rXJ trojan horse in it.

Ran a search for those infected files: not found. The wins/32svchost.exe.1228 Trojan horse Agent rXJ and the wins/explore.exe 1558 Trojan horse Agent rXJ keep returning every time I run an AVG scan,

and the rootkit scan IRP hook \Driver\iastor DriverStartIo 0x870A48F3 was still there and returns upon each scan.

I have not experienced the freezing up so far, I still cannot access System Restore, and I have only experienced one start-up delay so far (which I give a reboot, and then it starts up right away).

Other than that all seems to be working fine. Thank you for your patience with me, Seth.



updating above post ...still having freezing up issues ...



1. Download & save aswMBR to your Desktop from here -> http://public.avast.com/%7Egmerek/aswMBR.exe

  • Double click the aswMBR.exe to run it
  • Click the Scan button to start the scan
  • On completion of the scan click Save log, save it to your desktop and post it in your next reply

On your Desktop there should also be MBR.dat; zip it up & attach it.

Next

Download OTL from here: http://oldtimer.geekstogo.com/OTL.exe to your Desktop.

Double click on the icon to run it, and check All Users.

Now click Quick Scan. When the scan completes, it will open two Notepad windows: OTL.Txt and Extras.Txt.

Post both logs in your reply.



I downloaded and ran both scans. Regarding the OTL scan: when I ran the scan I only received the OTL.txt Notepad window, so I reran OTL in Safe Mode and then received both. Thank you

aswMBR.zip

OTL.zip

Extras.zip



Sent the txt files just in case the zips are not readable.

Extras.Txt

OTL.Txt

aswMBR.txt


Let's try to fix this, it's not going to be easy =)

  • Download TDSSKiller and save it to your Desktop.
  • Unzip the folder (Right Click > Extract to your Desktop).
  • Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • Click the Report button and copy/paste the contents of it into your next reply

Note:It will also create a log in the C:\ directory.

Next

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
SRV - File not found [On_Demand | Stopped] --  -- (WefiEngSvc)
SRV - File not found [Auto | Stopped] --  -- (STacSV)
SRV - File not found [On_Demand | Stopped] --  -- (AppMgmt)
O2 - BHO: (no name) - {d5e49e5a-dfb1-4866-a705-223b94ec1b00} -  File not found
O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O3 - HKU\S-1-5-21-867624957-1142715932-3990699764-1007\..\Toolbar\WebBrowser: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O3 - HKU\S-1-5-21-867624957-1142715932-3990699764-1007\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O4 - HKLM..\Run: [Nwibavon] C:\WINDOWS\ipukadevi.dll ()
O4 - HKLM..\Run: [KernelFaultCheck]  File not found
O4 - HKLM..\Run: [sajomatuj]  File not found
O4 - HKLM..\Run: [snp2uvc]  File not found
O4 - HKLM..\Run: [synTPEnh]  File not found
O4 - HKLM..\Run: [sysTrayApp]  File not found
O4 - HKU\S-1-5-20..\Run: [suriludese]  File not found
O4 - HKU\S-1-5-21-867624957-1142715932-3990699764-1007..\Run: [skype]  File not found
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab (Java Plug-in 1.6.0_14)
O20 - AppInit_DLLs: (fetokuze.dll) -  File not found
O21 - SSODL: vudosobob - {93600df6-873a-4c11-829f-24fe9e2dbcce} -  File not found
O22 - SharedTaskScheduler: {93600df6-873a-4c11-829f-24fe9e2dbcce} - kupuhivus -  File not found
O33 - MountPoints2\{4284636c-1060-11df-99ee-18a90591d232}\Shell - "" = AutoRun
O33 - MountPoints2\{4284636c-1060-11df-99ee-18a90591d232}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{4284636c-1060-11df-99ee-18a90591d232}\Shell\AutoRun\command - "" = D:\LaunchU3.exe -a
O33 - MountPoints2\{a1c4ae7a-7db6-11e0-83d4-18a90591d232}\Shell - "" = AutoRun
O33 - MountPoints2\{a1c4ae7a-7db6-11e0-83d4-18a90591d232}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{a1c4ae7a-7db6-11e0-83d4-18a90591d232}\Shell\AutoRun\command - "" = D:\VZAccess_Manager.exe -- [2010/03/29 05:09:32 | 002,312,312 | R--- | M] (Macrovision Corporation)
O33 - MountPoints2\{cedb4ca5-dbd6-11de-9405-18a90591d232}\Shell - "" = AutoRun
O33 - MountPoints2\{cedb4ca5-dbd6-11de-9405-18a90591d232}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{cedb4ca5-dbd6-11de-9405-18a90591d232}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -a
O33 - MountPoints2\D\Shell - "" = AutoRun
O33 - MountPoints2\D\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\D\Shell\AutoRun\command - "" = D:\VZAccess_Manager.exe -- [2010/03/29 05:09:32 | 002,312,312 | R--- | M] (Macrovision Corporation)
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[2011/05/16 00:15:19 | 000,013,412 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\75bd3tfr3in6ixa60571p2m5j0l7822jtsp683
[2011/05/15 11:51:09 | 000,014,088 | -HS- | M] () -- C:\Documents and Settings\freedie\Local Settings\Application Data\b6rkrv8a73spxby2vvgdh23go6k2up6vsdslct8n34k05yp
[2011/05/15 11:51:09 | 000,014,088 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\b6rkrv8a73spxby2vvgdh23go6k2up6vsdslct8n34k05yp
[2011/05/15 01:28:46 | 000,013,336 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\217479060
[2011/05/15 01:22:49 | 000,013,372 | -HS- | M] () -- C:\Documents and Settings\freedie\Local Settings\Application Data\2311008431
[2011/05/15 01:20:09 | 000,013,328 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\2311008431
[2011/05/15 01:20:09 | 000,013,328 | -HS- | M] () -- C:\Documents and Settings\freedie\Local Settings\Application Data\217479060
[2010/04/27 21:31:00 | 000,016,474 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\3957937154
[2010/04/27 11:15:03 | 000,017,358 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\1167664209
[2010/04/27 08:53:14 | 000,017,434 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\KLry0l
[2010/04/27 08:39:16 | 000,016,454 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\nFWUk4hL
[2010/04/20 07:25:37 | 000,001,324 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\d3lH
[2010/04/20 07:25:36 | 000,001,324 | -HS- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\d3lH
[2010/04/19 21:33:51 | 000,001,068 | -HS- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\GSk38k4
[2010/04/19 21:33:51 | 000,001,068 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\GSk38k4
[2010/04/02 11:20:41 | 000,017,820 | -HS- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\LK2mfPE2j
[2010/04/02 11:20:41 | 000,015,206 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\LK2mfPE2j
[2010/03/21 10:29:25 | 000,001,172 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\3N4Om
@Alternate Data Stream - 120 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D1B5B4F1
O37 - HKU\.DEFAULT\...exe [@ = exefile] -- "C:\Documents and Settings\NetworkService\Local Settings\Application Data\aco.exe" -a "%1" %*
O37 - HKU\S-1-5-18\...exe [@ = exefile] -- "C:\Documents and Settings\NetworkService\Local Settings\Application Data\aco.exe" -a "%1" %*
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present
[2099/01/01 12:00:00 | 000,006,456 | -H-- | C] () -- C:\WINDOWS\System32\zovigepu
:Files
C:\Documents and Settings\NetworkService\Local Settings\Application Data\aco.exe
:Commands
[purity]
[emptytemp]
[emptyflash]
[Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • It will boot slower so be patient
  • Post the fix log it produces in your next reply or you can find it in C:\_OTL\MovedFiles

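What the SAS detection, Seth's FixEXEfile step and the O37 lines in the OTL fix above have in common is the pair of registry keys that decide what happens when any .exe is double-clicked. The following Python script is an added example and is not code from this thread, from SUPERAntiSpyware, or from the FixEXEfile/ExeFix.reg tools: it parses the text of a Regedit or `reg export` .reg file (so it runs on any OS, offline), checks HKCR\.exe and HKCR\exefile\shell\open\command against the stock values, and also checks the per-user HKU\<SID>\Software\Classes override that the O37 lines report, because that override wins over HKCR for the account it belongs to. The two sample exports are constructed; the aco.exe command line in the hijacked one is copied from the O37 lines in the log.

```python
"""Offline audit of the .exe file-association keys behind a
System.BrokenFileAssociation-style detection.

Added example for this thread. It is not SUPERAntiSpyware's rule, the
SAS_FixEXEfile tool, or DougKnox's ExeFix.reg; it parses the text of a
Regedit / `reg export` .reg file, so it runs on any OS. The sample exports
below are constructed; the aco.exe command line in the hijacked sample is
copied from the O37 lines of the OTL log posted above.
"""
import re

# Defaults on a stock Windows install: .exe maps to the exefile class and
# exefile's open verb just runs the file with its own arguments.
EXPECTED = {
    r"HKEY_CLASSES_ROOT\.exe": "exefile",
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command": '"%1" %*',
}

# Constructed sample: what a clean export of those two keys looks like.
HEALTHY_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''

# Constructed sample of the hijack: every .exe launch goes through aco.exe
# first, both machine-wide and via the per-user override of one account.
HIJACKED_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="exefile"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\Documents and Settings\\NetworkService\\Local Settings\\Application Data\\aco.exe\" -a \"%1\" %*"

[HKEY_USERS\S-1-5-18\Software\Classes\.exe]
@="exefile"

[HKEY_USERS\S-1-5-18\Software\Classes\exefile\shell\open\command]
@="\"C:\\Documents and Settings\\NetworkService\\Local Settings\\Application Data\\aco.exe\" -a \"%1\" %*"
'''


def _unquote(data):
    # Strip the outer quotes of a REG_SZ literal and undo .reg escaping
    # (backslash-backslash and backslash-quote); other value types stay raw.
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        return re.sub(r"\\(.)", r"\1", data[1:-1])
    return data


def parse_reg(text):
    """Return {key_path: {value_name: data}} for the text of a .reg export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:  # [key] header
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        name, _, data = line.partition("=")
        name = "(Default)" if name == "@" else name.strip('"')
        keys[current][name] = _unquote(data)
    return keys


def check_exe_association(keys):
    """Return a list of findings; an empty list means the association is intact."""
    findings = []
    for key, want in EXPECTED.items():
        got = keys.get(key, {}).get("(Default)")
        if got is None:
            findings.append(f"missing: {key}")
        elif got != want:
            findings.append(f"hijacked: {key} = {got!r} (expected {want!r})")
    # HKCU\Software\Classes (HKU\<SID>\Software\Classes in an export) overrides
    # HKCR for that account, so a clean HKCR alone proves nothing.
    per_user = re.compile(r"HKEY_USERS\\[^\\]+\\Software\\Classes\\(.+)", re.IGNORECASE)
    for key, values in keys.items():
        m = per_user.fullmatch(key)
        if not m:
            continue
        want = EXPECTED.get("HKEY_CLASSES_ROOT\\" + m.group(1))
        got = values.get("(Default)")
        if want is not None and got is not None and got != want:
            findings.append(f"hijacked (per-user): {key} = {got!r} (expected {want!r})")
    return findings


def repair_reg():
    """Text of a .reg that puts the two machine-wide defaults back.
    Vendors usually ship such fixes as .com rather than .exe so that the
    fix tool itself does not launch through a hijacked exefile command."""
    return (
        "Windows Registry Editor Version 5.00\n\n"
        "[HKEY_CLASSES_ROOT\\.exe]\n@=\"exefile\"\n\n"
        "[HKEY_CLASSES_ROOT\\exefile\\shell\\open\\command]\n@=\"\\\"%1\\\" %*\"\n"
    )


if __name__ == "__main__":
    for label, text in (("healthy", HEALTHY_REG), ("hijacked", HIJACKED_REG)):
        print(label, check_exe_association(parse_reg(text)) or "OK")
```

To check a live machine, export the keys with `reg export HKCR\.exe exe.reg`, `reg export HKCR\exefile\shell\open\command cmd.reg` and `reg export HKCU\Software\Classes classes.reg`, then feed the file contents to `parse_reg` and `check_exe_association`. The per-user check is the part worth remembering from this thread: the O37 lines show the hijack sitting under HKU\.DEFAULT and HKU\S-1-5-18 even though HKCR\.exe itself still read `exefile`, which is exactly the case a tool that only repairs HKCR would leave behind.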


Since I cannot access System Restore and the rootkit hook appears to be attached to the start-up, and also I do not have any of the disks or anything that comes with the notebook, it being a used one, and I inherited the majority of the problems: I was just wondering what the chances are that it will not be accessible any longer to me. I don't have my laptop with me right now to get back to you in case. I don't mean to question you and your skills at all; I was just concerned about the risk, especially with you telling me this is not going to be easy. If you think I should proceed, I will WRITE down all your instructions so that I may follow them to the T. Sorry Rise, I just have to ask considering the circumstances and my ignorance concerning these matters. And please advise if these procedures need to be done in Safe Mode or not. Rise, thank you very much.



O33 - MountPoints2\{cedb4ca5-dbd6-11de-9405-18a90591d232}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{cedb4ca5-dbd6-11de-9405-18a90591d232}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -a
O33 - MountPoints2\D\Shell - "" = AutoRun
O33 - MountPoints2\D\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\D\Shell\AutoRun\command - "" = D:\VZAccess_Manager.exe -- [2010/03/29 05:09:32 | 002,312,312 | R--- | M] (Macrovision Corporation)
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[2011/05/16 00:15:19 | 000,013,412 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\75bd3tfr3in6ixa60571p2m5j0l7822jtsp683
[2011/05/15 11:51:09 | 000,014,088 | -HS- | M] () -- C:\Documents and Settings\freedie\Local Settings\Application Data\b6rkrv8a73spxby2vvgdh23go6k2up6vsdslct8n34k05yp
[2011/05/15 11:51:09 | 000,014,088 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\b6rkrv8a73spxby2vvgdh23go6k2up6vsdslct8n34k05yp
[2011/05/15 01:28:46 | 000,013,336 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\217479060
[2011/05/15 01:22:49 | 000,013,372 | -HS- | M] () -- C:\Documents and Settings\freedie\Local Settings\Application Data\2311008431
[2011/05/15 01:20:09 | 000,013,328 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\2311008431
[2011/05/15 01:20:09 | 000,013,328 | -HS- | M] () -- C:\Documents and Settings\freedie\Local Settings\Application Data\217479060
[2010/04/27 21:31:00 | 000,016,474 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\3957937154
[2010/04/27 11:15:03 | 000,017,358 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\1167664209
[2010/04/27 08:53:14 | 000,017,434 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\KLry0l
[2010/04/27 08:39:16 | 000,016,454 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\nFWUk4hL
[2010/04/20 07:25:37 | 000,001,324 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\d3lH
[2010/04/20 07:25:36 | 000,001,324 | -HS- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\d3lH
[2010/04/19 21:33:51 | 000,001,068 | -HS- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\GSk38k4
[2010/04/19 21:33:51 | 000,001,068 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\GSk38k4
[2010/04/02 11:20:41 | 000,017,820 | -HS- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\LK2mfPE2j
[2010/04/02 11:20:41 | 000,015,206 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\LK2mfPE2j
[2010/03/21 10:29:25 | 000,001,172 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\3N4Om
@Alternate Data Stream - 120 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D1B5B4F1
O37 - HKU\.DEFAULT\...exe [@ = exefile] -- "C:\Documents and Settings\NetworkService\Local Settings\Application Data\aco.exe" -a "%1" %*
O37 - HKU\S-1-5-18\...exe [@ = exefile] -- "C:\Documents and Settings\NetworkService\Local Settings\Application Data\aco.exe" -a "%1" %*
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present
[2099/01/01 12:00:00 | 000,006,456 | -H-- | C] () -- C:\WINDOWS\System32\zovigepu
:Files
C:\Documents and Settings\NetworkService\Local Settings\Application Data\aco.exe
:Commands
[purity]
[emptytemp]
[emptyflash]
[Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • It will boot slower so be patient
  • Post the fix log it produces in your next reply or you can find it in C:\_OTL\MovedFiles
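The O37 lines in the fix above are the interesting part of this thread: the per-user .exe open command has been pointed at aco.exe, so every program launch runs through that file first. Below is a small triage helper, added here as an example and not part of OTL or the thread, that parses OTL-style log lines and flags an exefile open command that is anything but the default "%1" %*, orphaned "File not found" autostart entries, and remembered AutoRun commands for removable media. The sample lines are constructed from the format shown in the fix script; the clean HKLM and ctfmon entries are assumed healthy examples.

```python
import re

# Constructed OTL-style lines modelled on the fix script above; the healthy
# HKLM and ctfmon entries are assumed examples, not from the original log.
SAMPLE_OTL = r'''
O37 - HKU\.DEFAULT\...exe [@ = exefile] -- "C:\Documents and Settings\NetworkService\Local Settings\Application Data\aco.exe" -a "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
SRV - File not found [On_Demand | Stopped] --  -- (WefiEngSvc)
O4 - HKLM..\Run: [sajomatuj]  File not found
O4 - HKLM..\Run: [ctfmon]  C:\WINDOWS\system32\ctfmon.exe
O20 - AppInit_DLLs: (fetokuze.dll) -  File not found
O33 - MountPoints2\{4284636c-1060-11df-99ee-18a90591d232}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{4284636c-1060-11df-99ee-18a90591d232}\Shell\AutoRun\command - "" = D:\LaunchU3.exe -a
'''

# What the exefile open command looks like on a clean install: run the
# target itself and pass its arguments straight through.
DEFAULT_EXE_OPEN = '"%1" %*'

EXE_OPEN_RE = re.compile(r'^O37 - (?P<hive>.+?)\\\.\.\.exe \[@ = exefile\] -- (?P<cmd>.+)$')
ORPHAN_RE = re.compile(r'^(?P<kind>O\d+|SRV) - (?P<detail>.*File not found.*)$')
AUTORUN_RE = re.compile(r'^O33 - (?P<key>MountPoints2\\.+?\\Shell\\AutoRun\\command) - "" = (?P<cmd>.+)$')


def audit_otl(text):
    """Return (kind, where, detail) tuples for entries worth a responder's attention."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = EXE_OPEN_RE.match(line)
        if m:
            cmd = m.group('cmd').strip()
            if cmd != DEFAULT_EXE_OPEN:
                # Anything else means every .exe launch is routed through another
                # binary first (aco.exe in the thread), so report that binary.
                proxy = re.match(r'"([^"]+)"', cmd)
                findings.append(('exefile_hijack', m.group('hive'),
                                 proxy.group(1) if proxy else cmd))
            continue
        m = ORPHAN_RE.match(line)
        if m:
            # Autostart/service entries whose target is gone: leftovers of a
            # removed infection or broken software, safe to clean either way.
            detail = re.sub(r'\s+', ' ', m.group('detail').replace('File not found', ''))
            findings.append(('orphan_entry', m.group('kind'), detail.strip(' -')))
            continue
        m = AUTORUN_RE.match(line)
        if m:
            # Per-device AutoRun commands Windows remembered for removable media.
            findings.append(('autorun_mountpoint', m.group('key'), m.group('cmd').strip()))
    return findings

if __name__ == '__main__':
    for kind, where, detail in audit_otl(SAMPLE_OTL):
        print(f'{kind:18} {where}: {detail}')
```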



I don't know what you're posting.

Use Add Reply.

Sorry about that, my post got into the body of your post while trying to reply... just realized why it wasn't posting... I need to pay attention and go to the bottom before replying... let's try again...

Since I cannot access System Restore and the rootkit hook appears to be attached to the startup... also I do not have any of the disks or anything that comes with the notebook, being that it is a used one and I inherited the majority of the problems... I was just wondering what the chances are that it will not be accessible to me any longer. I don't have my laptop with me right now to get back to you in case... I don't mean to question you and your skills at all, I was just concerned about the risk, especially with you telling me this is not going to be easy. If you think I should proceed, I will WRITE down all your instructions so that I may follow them to the T. Sorry Rise, I just have to ask considering the circumstance and my ignorance concerning these matters. And please advise if these procedures need to be done in Safe Mode or not. Rise, thank you very much.
