computertooter Posted May 24, 2011

A virus has prohibited my ability to turn off System Restore. The virus is this:

System.BrokenFileAssociation
HKCR\.exe
HKCR\.com
HKCR\exefile\shell\open\command

I have the very latest version of SAS (as of 10:45 am May 24, 2011) and even though SAS picks it up, it does not quarantine/remove. Please note that this same virus was addressed in a forum thread beginning 10-Feb-2009, and was addressed as unfixed up until 10-May-2010, when the thread drops. I am getting the exact same location references as were discussed back then. In the original forum threads, all references were to this being a false positive. I have to disagree. Please advise? Thank you!
TechGeek2 Posted May 27, 2011

Please add me to the list of those receiving this detection at the conclusion of every scan.

SUPERAntiSpyware Scan Log
https://www.superantispyware.com

Generated 05/27/2011 at 07:02 PM

Application Version : 4.53.1000

Core Rules Database Version : 7152
Trace Rules Database Version: 4964

Scan type : Complete Scan
Total Scan Time : 00:30:00

Memory items scanned : 419
Memory threats detected : 0
Registry items scanned : 6154
Registry threats detected : 1
File items scanned : 22417
File threats detected : 0

System.BrokenFileAssociation
HKCR\.exe
Seth Posted May 27, 2011

For those having this issue, please do the following:

1) Run the SAS .exe fix from here: https://www.superantispyware.com/downloads/SAS_FixEXEfile.com
2) Fully update SAS by right clicking on the SAS bug in the System Tray/Notification area and choosing "Check For Updates".
3) Run a scan. If that item appears again, then Trust/Allow it.
TechGeek2 Posted May 27, 2011

Hi Seth and thanks for the reply. I don't intend to question your instructions to run FixExeFile, but I should let you know there are not any problems with the file association, executable or otherwise. Additionally, I would rather have a fix to the alleged false positive aside from adding an exception. Having to add the exception would call into question my malware removal skills when dealing with clients.
SAS Customer Service Posted May 27, 2011

The rule that deals with that detection, according to the developers, does more good than it does harm. Every once in a while we will see the "broken file association" which is detected somehow on the pc. As far as that is concerned, Seth's instructions were spot on! Please let us know if you have any additional concerns!
TechGeek2 Posted May 27, 2011

> which is detected somehow on the pc

Therein lies the problem. IMHO, adding an exception which could potentially cause SAS to miss a detection in the future isn't "spot on".
SAS Customer Service Posted May 27, 2011

> Therein lies the problem. IMHO, adding an exception which could potentially cause SAS to miss a detection in the future isn't "Spot on".

It would not miss any detection based on the trusting of that detection. Have you run the file association fix provided? Then run the scan again to see if it is detected?
TechGeek2 Posted May 28, 2011

I have conveyed the instructions and am awaiting the results. I will post back with the same. Thanks.
TechGeek2 Posted May 30, 2011

Update: I had the client run ExeFileFix.com then perform another scan with SAS. I am happy to report the detection was not present at the conclusion. Although the main concern is the client's computer and that issue has been resolved thanks to Seth's advice, I am a little perplexed by this. The client had already run ExeFix.reg by DougKnox at the beginning of my assistance, which seemed to have resolved the issue with executable files. Any help in understanding the later issue with the broken file association detected by SAS would be much appreciated.
rredbird Posted June 3, 2011

I too am having the same problem. Was wondering what fix to use for my system. Running XP Home Edition with AVG Free, Malwarebytes Free, SAS Free and Windows Firewall. Having some brief freezing issues, delays in start ups. Please note this is a used notebook I purchased and I do not have any back up disk or way to create one, and have no access to System Restore: when trying to access System Restore I received a >>no access contact domain administrator<< message. I can access all programs and all seem to be pretty good. Newbie to much of this. Don't want to crash the system with no way of recovery. I would greatly appreciate your help in this matter.

Log enclosed: SUPERAntiSpyware Scan Log - 06-03-2011 - scan after #1quartantine.txt
Seth Posted June 3, 2011

Welcome to the SAS forum. Please follow the instructions in post #3.
rredbird Posted June 3, 2011

Someone just brought it to my attention while looking at an earlier SAS log that I also have Norton installed on the notebook. It was in C:\Documents and Settings\All Users\Application Data. Did find it while looking through programs, Add and Remove, or downloads; it was hidden to me. They had AVG Free and Norton on the puter already, maybe why it had the problems when I got it, so I loaded SAS and MBAM to locate and fix. This may be over my head to take care of. I haven't followed the instructions yet in post #3. What to do now, or should I take it in somewhere? Looks like there may be possible shareware in there as well, not sure, not familiar. Enclosed is the first scan done with SAS. These items are in quarantine, all except cookies, which I deleted. If you need me to do some kind of total system log or something I would have to know how to do so. Thanks.

SUPERAntiSpyware Scan Log - 06-02-2011 - scan#1.txt
Seth Posted June 4, 2011

1) Once again... follow the simple instructions in post #3.
2) Run the Norton Removal Tool to completely get rid of Norton: http://majorgeeks.com/Norton_Removal_Tool_SymNRT_d4749.html
3) Run a scan with the Eset online scanner. When you run it, put a check in "Remove Found Threats" and "Scan Archives": http://www.eset.com/us/online-scanner
rredbird Posted June 4, 2011

Will do... I have also enclosed the AVG scan results.

avg scan 6-4-2011 # 1.zip
rredbird Posted June 4, 2011

I ran the fix in post #3. Results after scan: 0 threats detected.

Ran the Norton Removal Tool, then ran a search: no Norton files but the removal tool.

Ran the Eset scan: 13 total infected files.
10 files infected: variant of Java/Trojan Downloader.openstream.nice trojan
3 files infected: Js/Esploxit.Pdfka.OWU.GEN Trojan
1 file infected: WINDOWS32/Adware.Litze.H application
All infected files cleaned, deleted and quarantined. Restarted the computer and then ran scans:

Mbam: 0 found
SAS: 0 found
AVG: the same items were picked up again that were in the above post's attachments with the rXJ trojan horse in it. Ran a search for those infected files: not found. The wins/32svchost.exe.1228 trojan horse agent rXJ and the wins/explore.exe 1558 trojan horse agent rXJ keep returning every time I run an AVG scan, and the rootkit scan IRP hook\Driver\iastor DriverStartIo ox870A48F3 was still there and returns upon each scan.

I have not experienced the freezing up so far, and I can not access System Restore still, and I have only experienced one start up delay so far (which I give a reboot and then it starts up right away). Other than that all seems to be working fine, and thank you for your patience with me, Seth.
rredbird Posted June 5, 2011

Updating above post... still having freezing up issues...
rise Posted June 5, 2011

1. Download & save aswMBR to your Desktop from here -> http://public.avast.com/%7Egmerek/aswMBR.exe
Double click the aswMBR.exe to run it
Click the Scan button to start the scan
On completion of the scan click Save log, save it to your desktop and post it in your next reply
On your Desktop should also be MBR.dat; zip it up & attach

Next

Download OTL from here: http://oldtimer.geekstogo.com/OTL.exe to your Desktop.
Double click on the icon to run it
Check All users
Now click Quick scan. When the scan completes, it will open two notepad windows: OTL.Txt and Extras.Txt. Post both logs in your reply.
rredbird Posted June 5, 2011

I downloaded and ran both scans. Regarding the OTL scan: when I ran the scan I only received the otl.txt notepad, so I reran OTL in safe mode, then received both notepads. Thank you.

aswMBR.zip
OTL.zip
Extras.zip
rredbird Posted June 5, 2011

Sent txt files just in case the zips are not readable.

Extras.Txt
OTL.Txt
aswMBR.txt
rise Posted June 5, 2011

Let's try to fix this, it's not going to be easy =)

Download TDSSKiller and save it to your Desktop.
Unzip the folder (Right Click > Extract to your Desktop).
Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
If an infected file is detected, the default action will be Cure, click on Continue.
If a suspicious file is detected, the default action will be Skip, click on Continue.
It may ask you to reboot the computer to complete the process. Click on Reboot Now.
Click the Report button and copy/paste the contents of it into your next reply
Note: It will also create a log in the C:\ directory.

Next

Run OTL
Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
SRV - File not found [On_Demand | Stopped] -- -- (WefiEngSvc)
SRV - File not found [Auto | Stopped] -- -- (STacSV)
SRV - File not found [On_Demand | Stopped] -- -- (AppMgmt)
O2 - BHO: (no name) - {d5e49e5a-dfb1-4866-a705-223b94ec1b00} - File not found
O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O3 - HKU\S-1-5-21-867624957-1142715932-3990699764-1007\..\Toolbar\WebBrowser: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O3 - HKU\S-1-5-21-867624957-1142715932-3990699764-1007\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O4 - HKLM..\Run: [Nwibavon] C:\WINDOWS\ipukadevi.dll ()
O4 - HKLM..\Run: [KernelFaultCheck] File not found
O4 - HKLM..\Run: [sajomatuj] File not found
O4 - HKLM..\Run: [snp2uvc] File not found
O4 - HKLM..\Run: [synTPEnh] File not found
O4 - HKLM..\Run: [sysTrayApp] File not found
O4 - HKU\S-1-5-20..\Run: [suriludese] File not found
O4 - HKU\S-1-5-21-867624957-1142715932-3990699764-1007..\Run: [skype] File not found
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab (Java Plug-in 1.6.0_14)
O20 - AppInit_DLLs: (fetokuze.dll) - File not found
O21 - SSODL: vudosobob - {93600df6-873a-4c11-829f-24fe9e2dbcce} - File not found
O22 - SharedTaskScheduler: {93600df6-873a-4c11-829f-24fe9e2dbcce} - kupuhivus - File not found
O33 - MountPoints2\{4284636c-1060-11df-99ee-18a90591d232}\Shell - "" = AutoRun
O33 - MountPoints2\{4284636c-1060-11df-99ee-18a90591d232}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{4284636c-1060-11df-99ee-18a90591d232}\Shell\AutoRun\command - "" = D:\LaunchU3.exe -a
O33 - MountPoints2\{a1c4ae7a-7db6-11e0-83d4-18a90591d232}\Shell - "" = AutoRun
O33 - MountPoints2\{a1c4ae7a-7db6-11e0-83d4-18a90591d232}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{a1c4ae7a-7db6-11e0-83d4-18a90591d232}\Shell\AutoRun\command - "" = D:\VZAccess_Manager.exe -- [2010/03/29 05:09:32 | 002,312,312 | R--- | M] (Macrovision Corporation)
O33 - MountPoints2\{cedb4ca5-dbd6-11de-9405-18a90591d232}\Shell - "" = AutoRun
O33 - MountPoints2\{cedb4ca5-dbd6-11de-9405-18a90591d232}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{cedb4ca5-dbd6-11de-9405-18a90591d232}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -a
O33 - MountPoints2\D\Shell - "" = AutoRun
O33 - MountPoints2\D\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\D\Shell\AutoRun\command - "" = D:\VZAccess_Manager.exe -- [2010/03/29 05:09:32 | 002,312,312 | R--- | M] (Macrovision Corporation)
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[2011/05/16 00:15:19 | 000,013,412 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\75bd3tfr3in6ixa60571p2m5j0l7822jtsp683
[2011/05/15 11:51:09 | 000,014,088 | -HS- | M] () -- C:\Documents and Settings\freedie\Local Settings\Application Data\b6rkrv8a73spxby2vvgdh23go6k2up6vsdslct8n34k05yp
[2011/05/15 11:51:09 | 000,014,088 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\b6rkrv8a73spxby2vvgdh23go6k2up6vsdslct8n34k05yp
[2011/05/15 01:28:46 | 000,013,336 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\217479060
[2011/05/15 01:22:49 | 000,013,372 | -HS- | M] () -- C:\Documents and Settings\freedie\Local Settings\Application Data\2311008431
[2011/05/15 01:20:09 | 000,013,328 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\2311008431
[2011/05/15 01:20:09 | 000,013,328 | -HS- | M] () -- C:\Documents and Settings\freedie\Local Settings\Application Data\217479060
[2010/04/27 21:31:00 | 000,016,474 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\3957937154
[2010/04/27 11:15:03 | 000,017,358 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\1167664209
[2010/04/27 08:53:14 | 000,017,434 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\KLry0l
[2010/04/27 08:39:16 | 000,016,454 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\nFWUk4hL
[2010/04/20 07:25:37 | 000,001,324 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\d3lH
[2010/04/20 07:25:36 | 000,001,324 | -HS- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\d3lH
[2010/04/19 21:33:51 | 000,001,068 | -HS- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\GSk38k4
[2010/04/19 21:33:51 | 000,001,068 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\GSk38k4
[2010/04/02 11:20:41 | 000,017,820 | -HS- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\LK2mfPE2j
[2010/04/02 11:20:41 | 000,015,206 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\LK2mfPE2j
[2010/03/21 10:29:25 | 000,001,172 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\3N4Om
@Alternate Data Stream - 120 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D1B5B4F1
O37 - HKU\.DEFAULT\...exe [@ = exefile] -- "C:\Documents and Settings\NetworkService\Local Settings\Application Data\aco.exe" -a "%1" %*
O37 - HKU\S-1-5-18\...exe [@ = exefile] -- "C:\Documents and Settings\NetworkService\Local Settings\Application Data\aco.exe" -a "%1" %*
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present
[2099/01/01 12:00:00 | 000,006,456 | -H-- | C] () -- C:\WINDOWS\System32\zovigepu
:Files
C:\Documents and Settings\NetworkService\Local Settings\Application Data\aco.exe
:Commands
[purity]
[emptytemp]
[emptyflash]
[Reboot]

Then click the Run Fix button at the top
Let the program run unhindered, reboot the PC when it is done
It will boot slower so be patient
Post the fix log it produces in your next reply or you can find it in C:\_OTL\MovedFiles
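As an added example (not code from the thread, from SUPERAntiSpyware or from OTL), the following Python audits the keys named in the first post's detection and the O37 lines in the OTL fix above: it compares captured default values with the stock ones and flags an open\command that launches something other than "%1" itself, which is what the aco.exe entries do. The stock values and the sample registry/OTL data are assumptions and constructed input, not a real export.

```python
import re

# Stock default values for the keys the thread's detection names
# (assumption: standard Windows XP-era defaults; verify on a known-clean box).
EXPECTED_DEFAULTS = {
    r"HKCR\.exe": "exefile",
    r"HKCR\.com": "comfile",
    r"HKCR\exefile\shell\open\command": '"%1" %*',
    r"HKCR\comfile\shell\open\command": '"%1" %*',
}

# OTL "O37" line layout as quoted in the thread, e.g.
#   O37 - HKU\S-1-5-18\...exe [@ = exefile] -- "<launcher>" -a "%1" %*
O37_RE = re.compile(
    r'^O37 - (?P<hive>.+?)\\\.\.\.(?P<ext>\w+) \[@ = (?P<progid>[^\]]+)\] -- (?P<cmd>.+)$'
)


def classify_command(command):
    """Classify a shell\\open\\command value.

    'default'  : exactly "%1" %*  (run the file itself, pass arguments through)
    'hijacked' : another program runs first and receives "%1" as an argument,
                 which is the shape of the aco.exe entries in the OTL log above
    'unusual'  : anything else, to be inspected by hand
    """
    cmd = command.strip()
    if cmd == '"%1" %*':
        return "default"
    if '"%1"' in cmd and not cmd.startswith('"%1"'):
        return "hijacked"
    return "unusual"


def check_defaults(captured):
    """Compare captured registry default values with the stock ones.

    `captured` maps key path -> default value; an absent key is the
    'broken file association' case that the SAS_FixEXEfile fix repairs.
    Returns a list of (key, value, status) tuples.
    """
    findings = []
    for key, expected in EXPECTED_DEFAULTS.items():
        value = captured.get(key)
        if value is None:
            findings.append((key, None, "missing"))
        elif value == expected:
            findings.append((key, value, "ok"))
        elif key.endswith(r"\command"):
            findings.append((key, value, classify_command(value)))
        else:
            # e.g. HKCR\.exe pointing at a ProgID other than exefile
            findings.append((key, value, "redirected"))
    return findings


def parse_o37(line):
    """Parse one OTL O37 line into its fields (plus a status), or None."""
    m = O37_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = classify_command(rec["cmd"])
    return rec


def audit_otl(lines):
    """Return the parsed O37 records whose command is not the default."""
    return [r for r in map(parse_o37, lines) if r and r["status"] != "default"]


# Constructed sample input (not a real registry export): HKCR\.com is
# deliberately absent to exercise the 'missing' case.
SAMPLE_REGISTRY = {
    r"HKCR\.exe": "exefile",
    r"HKCR\exefile\shell\open\command": '"%1" %*',
    r"HKCR\comfile\shell\open\command": '"%1" %*',
}

# The two O37 lines quoted in the thread plus one constructed clean entry
# under a made-up SID.
SAMPLE_OTL = [
    r'O37 - HKU\.DEFAULT\...exe [@ = exefile] -- "C:\Documents and Settings\NetworkService\Local Settings\Application Data\aco.exe" -a "%1" %*',
    r'O37 - HKU\S-1-5-18\...exe [@ = exefile] -- "C:\Documents and Settings\NetworkService\Local Settings\Application Data\aco.exe" -a "%1" %*',
    r'O37 - HKU\S-1-5-21-1234\...exe [@ = exefile] -- "%1" %*',
]

if __name__ == "__main__":
    for key, value, status in check_defaults(SAMPLE_REGISTRY):
        print(f"{status:10} {key} = {value!r}")
    for rec in audit_otl(SAMPLE_OTL):
        print(f"{rec['status']:10} {rec['hive']} .{rec['ext']} -> {rec['cmd']}")
```

On a live machine the `captured` dict would be filled from a registry export; a "missing" or "hijacked" result is the condition behind the thread's detection, and the repair is the fix from post #3, not an exception.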
rredbird Posted June 5, 2011

Since I cannot access System Restore and the rootkit hook appears to be attached to the start up... also I do not have any of the disks or anything that comes with the notebook, being that it is a used one and I inherited the majority of the problems... was just wondering what are the chances that it will not be accessible any longer to me. I don't have my laptop with me right now to get back to you in case... don't mean to question you and your skills at all, just was concerned about the risk, especially with you telling me this is not going to be easy. If you think I should proceed, I will WRITE down all your instructions so that I may follow them to the T. Sorry Rise, I just have to ask considering the circumstance and my ignorance concerning these matters. And please advise if these procedures need to be done in safe mode or not.

Rise, thank you very much.
"" = Auto&Play O33 - MountPoints2\D\Shell\AutoRun\command - "" = D:\VZAccess_Manager.exe -- [2010/03/29 05:09:32 | 002,312,312 | R--- | M] (Macrovision Corporation) [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ] [2011/05/16 00:15:19 | 000,013,412 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\75bd3tfr3in6ixa60571p2m5j0l7822jtsp683 [2011/05/15 11:51:09 | 000,014,088 | -HS- | M] () -- C:\Documents and Settings\freedie\Local Settings\Application Data\b6rkrv8a73spxby2vvgdh23go6k2up6vsdslct8n34k05yp [2011/05/15 11:51:09 | 000,014,088 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\b6rkrv8a73spxby2vvgdh23go6k2up6vsdslct8n34k05yp [2011/05/15 01:28:46 | 000,013,336 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\217479060 [2011/05/15 01:22:49 | 000,013,372 | -HS- | M] () -- C:\Documents and Settings\freedie\Local Settings\Application Data\2311008431 [2011/05/15 01:20:09 | 000,013,328 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\2311008431 [2011/05/15 01:20:09 | 000,013,328 | -HS- | M] () -- C:\Documents and Settings\freedie\Local Settings\Application Data\217479060 [2010/04/27 21:31:00 | 000,016,474 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\3957937154 [2010/04/27 11:15:03 | 000,017,358 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\1167664209 [2010/04/27 08:53:14 | 000,017,434 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\KLry0l [2010/04/27 08:39:16 | 000,016,454 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\nFWUk4hL [2010/04/20 07:25:37 | 000,001,324 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\d3lH [2010/04/20 07:25:36 | 000,001,324 | -HS- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\d3lH [2010/04/19 21:33:51 | 000,001,068 | -HS- | C] () -- C:\Documents and Settings\NetworkService\Local 
Settings\Application Data\GSk38k4 [2010/04/19 21:33:51 | 000,001,068 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\GSk38k4 [2010/04/02 11:20:41 | 000,017,820 | -HS- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\LK2mfPE2j [2010/04/02 11:20:41 | 000,015,206 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\LK2mfPE2j [2010/03/21 10:29:25 | 000,001,172 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\3N4Om @Alternate Data Stream - 120 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D1B5B4F1 O37 - HKU\.DEFAULT\...exe [@ = exefile] -- "C:\Documents and Settings\NetworkService\Local Settings\Application Data\aco.exe" -a "%1" %* O37 - HKU\S-1-5-18\...exe [@ = exefile] -- "C:\Documents and Settings\NetworkService\Local Settings\Application Data\aco.exe" -a "%1" %* O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present [2099/01/01 12:00:00 | 000,006,456 | -H-- | C] () -- C:\WINDOWS\System32\zovigepu :Files C:\Documents and Settings\NetworkService\Local Settings\Application Data\aco.exe :Commands [purity] [emptytemp] [emptyflash] [Reboot] Then click the Run Fix button at the top Let the program run unhindered, reboot the PC when it is done It will boot slower so be patient Post the fix log it produces in your next reply or you can find it in C:\_OTL\MovedFiles Share this post Link to post Share on other sites
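The O37 lines in the OTL fix above show the per-user .exe association routing every program launch through aco.exe instead of the stock handler; that is the condition SAS reports as System.BrokenFileAssociation on HKCR\.exe and HKCR\exefile\shell\open\command, and the point TechGeek2 and computertooter disagree about earlier in the thread. The PowerShell check below is an added example, not part of this thread, of OTL or of SUPERAntiSpyware. It only reads the registry and changes nothing; it assumes the stock Windows XP/Vista/7 values (".exe" mapping to "exefile", and the exefile open command being "%1" %*) as the clean baseline, and it checks both the machine-wide root and every loaded user hive, because a per-user copy under HKU\<SID>\Software\Classes overrides HKCR for that user.

```powershell
# Added example, not from the thread: read-only audit of the .exe file association
# that the O37 entries in the OTL fix show hijacked (exefile open command pointing
# at aco.exe). Assumed clean baseline for Windows XP / Vista / 7:
#   <root>\.exe                        (Default) = exefile
#   <root>\exefile\shell\open\command  (Default) = "%1" %*
# A per-user copy under HKU\<SID>\Software\Classes overrides HKCR for that user,
# so the machine-wide root and every loaded user hive are both checked.
# Written for PowerShell 2.0 compatibility (no [ordered], no [pscustomobject]).

$ExpectedHandler = 'exefile'
$ExpectedCommand = '"%1" %*'

function Test-ExeAssociation {
    param(
        # Registry path acting as a Classes root, e.g. 'Registry::HKEY_CLASSES_ROOT'
        # or 'Registry::HKEY_USERS\S-1-5-18\Software\Classes'
        [Parameter(Mandatory = $true)][string]$ClassesRoot
    )

    $result = New-Object PSObject -Property @{
        Root    = $ClassesRoot
        DotExe  = $null
        Command = $null
        Status  = 'clean or not present'
    }

    # Step 1: which ProgID does ".exe" map to under this root?
    $dotExe = Get-ItemProperty -Path "$ClassesRoot\.exe" -ErrorAction SilentlyContinue
    if ($dotExe -and $dotExe.'(default)') {
        $result.DotExe = $dotExe.'(default)'
        if ($result.DotExe -ne $ExpectedHandler) {
            $result.Status = "SUSPICIOUS: .exe maps to '$($result.DotExe)'"
        }
    }

    # Step 2: what does the exefile ProgID run when an .exe is opened?
    $cmdKey = Get-ItemProperty -Path "$ClassesRoot\exefile\shell\open\command" -ErrorAction SilentlyContinue
    if ($cmdKey -and $cmdKey.'(default)') {
        $result.Command = $cmdKey.'(default)'
        if ($result.Command -ne $ExpectedCommand) {
            # Anything placed in front of "%1" %* is a program every .exe launch is routed through.
            $result.Status = "SUSPICIOUS: open command is '$($result.Command)'"
        }
    }

    $result
}

# Machine-wide default (what SAS reports as HKCR\.exe / HKCR\exefile\shell\open\command)
$report = @(Test-ExeAssociation -ClassesRoot 'Registry::HKEY_CLASSES_ROOT')

# Every loaded user hive, mirroring the HKU\.DEFAULT and HKU\S-1-5-18 lines in the OTL fix.
# Hives with no .exe / exefile keys of their own are normal and are dropped from the report.
$report += @(
    Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -notlike '*_Classes' } |
        ForEach-Object { Test-ExeAssociation -ClassesRoot "Registry::HKEY_USERS\$($_.PSChildName)\Software\Classes" } |
        Where-Object { $_.DotExe -or $_.Command }
)

$report | Format-Table Root, DotExe, Command, Status -AutoSize -Wrap
```

Run it from an elevated PowerShell session so that all loaded user hives under HKEY_USERS are readable. A "SUSPICIOUS" row whose command names an executable ahead of "%1" %* is the same finding OTL expresses as an O37 line; a table with only "clean or not present" rows supports the false-positive reading of the SAS detection for that machine.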
rise Posted June 5, 2011

I don't know what you're posting. Use
rredbird Posted June 5, 2011

I don't know what you're posting. Use

Sorry about that, my post got into the body of your post while trying to reply... just realized why it wasn't posted... I need to pay attention to go to the bottom before replying... let's try again...

Since I cannot access system restore and the rootkit hook appears to be attached to the start up... also I do not have any of the disks or anything that comes with the notebook, being that it is a used one and I inherited the majority of the problems... was just wondering what are the chances that it will not be accessible any longer to me. I don't have my laptop with me right now to get back to you in case... don't mean to question you and your skills at all... just was concerned about the risk... especially with you telling me this is not going to be easy... If you think I should proceed, I will WRITE down all your instructions so that I may follow them to the T. Sorry Rise, I just have to ask considering the circumstance and my ignorance concerning these matters. And please advise if these procedures need to be done in safe mode or not.

Rise, thank you very much.