DOJ ransom virus - cannot use Safe Mode with Networking - Win XP


Trying to help a friend remove the DOJ ransom trojan from his Compaq laptop running Win XP SP 2. Attempted to enter Safe Mode with Networking upon startup in order to download, install and run removal tools. PC booted into Safe Mode but within 10 seconds the DOJ lock screen came up.

I understand from some research I've done that removing this malware from an XP machine is different from the recommendations for Win Vista, Win 7, etc.

Would appreciate assistance on how to proceed to remove DOJ if I cannot enter Safe Mode.


Welcome to the forum.

For XP please follow the instructions in the link below to create and scan the system with an OTLPE disk:

http://forums.malwar...ndpost&p=627789

MrC

OK, I assume the link you provided was to another topic and gives instructions on how to make and use an OTLPE disk. Assuming I can get it to work on the infected computer, will it be safe to use a USB drive on that computer to copy the report so I can use it on my computer to post the report?

Here are the results of the OTLPE scan:

OTL logfile created on: 1/23/2013 1:46:32 PM - Run

OTLPE by OldTimer - Version 3.1.48.0 Folder = X:\Programs\OTLPE

Microsoft Windows XP Service Pack 2 (Version = 5.1.2600) - Type = SYSTEM

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

382.00 Mb Total Physical Memory | 192.00 Mb Available Physical Memory | 50.00% Memory free

326.00 Mb Paging File | 210.00 Mb Available in Paging File | 64.00% Paging File free

Paging file location(s): C:\pagefile.sys 576 1152 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 74.53 Gb Total Space | 57.29 Gb Free Space | 76.88% Space Free | Partition Type: NTFS

Drive X: | 284.12 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: REATOGO | User Name: SYSTEM

Boot Mode: Normal | Scan Mode: All users

Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

Using ControlSet: ControlSet001

========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled] -- -- (HidServ)

SRV - [2013/01/12 18:14:46 | 000,245,248 | ---- | M] () [Auto] -- C:\Documents and Settings\Victor Guerrero\Local Settings\Temp\wlsidten.dll -- (winmgmt)

SRV - [2013/01/08 22:46:10 | 000,251,400 | ---- | M] (Adobe Systems Incorporated) [On_Demand] -- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)

========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand] -- -- (WDICA)

DRV - File not found [Kernel | On_Demand] -- -- (PDRFRAME)

DRV - File not found [Kernel | On_Demand] -- -- (PDRELI)

DRV - File not found [Kernel | On_Demand] -- -- (PDFRAME)

DRV - File not found [Kernel | On_Demand] -- -- (PDCOMP)

DRV - File not found [Kernel | System] -- -- (PCIDump)

DRV - File not found [Kernel | System] -- -- (lbrtfdc)

DRV - File not found [Kernel | System] -- -- (i2omgmt)

DRV - File not found [Kernel | System] -- -- (Changer)

DRV - [2006/10/06 15:49:00 | 000,044,224 | R--- | M] (BVRP Software) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\BVRPMPR5.SYS -- (BVRPMPR5)

DRV - [2005/04/11 08:33:52 | 001,035,264 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)

DRV - [2005/03/16 07:43:06 | 000,159,488 | ---- | M] (Texas Instruments) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\tifm21.sys -- (tifm21)

DRV - [2005/03/10 04:41:52 | 000,371,712 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX)

DRV - [2005/03/03 14:10:26 | 000,074,496 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\Rtlnicxp.sys -- (RTL8023xp)

DRV - [2005/02/18 10:42:02 | 000,349,696 | ---- | M] (Conexant Systems Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\camc6hal.sys -- (CAMCHALA)

DRV - [2005/02/18 10:41:18 | 000,038,016 | ---- | M] (Conexant Systems Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\camc6aud.sys -- (CAMCAUD)

DRV - [2005/01/18 11:52:16 | 000,055,320 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\btwusb.sys -- (BTWUSB)

DRV - [2004/12/15 10:18:30 | 000,200,192 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\HSFHWATI.sys -- (HSFHWATI)

DRV - [2004/12/15 10:18:28 | 000,703,232 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)

DRV - [2004/12/15 10:18:26 | 001,038,208 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\HSF_DP.sys -- (HSF_DP)

DRV - [2004/08/11 18:30:00 | 000,039,424 | ---- | M] (Advanced Micro Devices) [Kernel | System] -- C:\WINDOWS\system32\drivers\AmdK8.sys -- (AmdK8)

DRV - [2004/04/14 09:36:50 | 000,007,432 | ---- | M] (Hewlett-Packard Company) [Kernel | System] -- C:\WINDOWS\system32\drivers\eabfiltr.sys -- (eabfiltr)

DRV - [2003/06/06 13:46:16 | 000,005,220 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\EabUsb.sys -- (eabusb)

DRV - [2001/08/17 14:10:28 | 000,035,913 | ---- | M] (SMC) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\smcirda.sys -- (SMCIRDA)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie

IE - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie

IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\Administrator_ON_C\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com

IE - HKU\Administrator_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=presario&pf=laptop

IE - HKU\Administrator_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\Administrator_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "AutoConfigURL" =

IE - HKU\LocalService_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\Victor_Guerrero_ON_C\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com

IE - HKU\Victor_Guerrero_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/

IE - HKU\Victor_Guerrero_ON_C\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie

IE - HKU\Victor_Guerrero_ON_C\..\URLSearchHook: {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)

IE - HKU\Victor_Guerrero_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\Victor_Guerrero_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=:

FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()

FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)

FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)

FF - HKLM\Software\MozillaPlugins\@RIM.com/WebSLLauncher,version=1.0: C:\Program Files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll ()

FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)

FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)

O1 HOSTS File: ([2009/11/06 13:14:26 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\HOSTS

O1 - Hosts: 127.0.0.1 localhost

O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)

O2 - BHO: (Searchqu Toolbar) - {99079a25-328f-4bd4-be04-00955acaa0a7} - C:\Program Files\Searchqu Toolbar\Datamngr\ToolBar\searchqudtx.dll ()

O2 - BHO: (DataMngr) - {9D717F81-9148-4f12-8568-69135F087DB0} - C:\Program Files\Searchqu Toolbar\Datamngr\BrowserConnection.dll (Bandoo Media, inc)

O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.8313.1002\swg.dll (Google Inc.)

O2 - BHO: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)

O3 - HKLM\..\Toolbar: (Searchqu Toolbar) - {99079a25-328f-4bd4-be04-00955acaa0a7} - C:\Program Files\Searchqu Toolbar\Datamngr\ToolBar\searchqudtx.dll ()

O3 - HKLM\..\Toolbar: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)

O3 - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.

O3 - HKU\Victor_Guerrero_ON_C\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.

O3 - HKU\Victor_Guerrero_ON_C\..\Toolbar\WebBrowser: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)

O4 - HKLM..\Run: [] File not found

O4 - HKLM..\Run: [ApnUpdater] C:\Program Files\Ask.com\Updater\Updater.exe (Ask)

O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)

O4 - HKLM..\Run: [Auto EPSON Stylus Photo RX500 on VICTOR-PC] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2K1.EXE (SEIKO EPSON CORPORATION)

O4 - HKLM..\Run: [blackBerryAutoUpdate] C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe (Research In Motion Limited)

O4 - HKLM..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\Cpqset.exe ()

O4 - HKLM..\Run: [DATAMNGR] C:\Program Files\Searchqu Toolbar\Datamngr\datamngrUI.exe (Bandoo Media, inc)

O4 - HKLM..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe (Hewlett-Packard )

O4 - HKLM..\Run: [EPSON Stylus Photo RX500] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2K1.EXE (SEIKO EPSON CORPORATION)

O4 - HKLM..\Run: [LSBWatcher] C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe (Hewlett-Packard Company)

O4 - HKLM..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe (Sun Microsystems, Inc.)

O4 - HKLM..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe (Synaptics, Inc.)

O4 - Startup: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\runctf.lnk = X:\I386\SYSTEM32\RUNDLL32.EXE (Microsoft Corporation)

O4 - Startup: C:\Documents and Settings\Victor Guerrero\Start Menu\Programs\Startup\runctf.lnk = X:\I386\SYSTEM32\RUNDLL32.EXE (Microsoft Corporation)

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\Administrator_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\LocalService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\NetworkService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\Victor_Guerrero_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 0

O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\NPJPI150_02.dll (Sun Microsystems, Inc.)

O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 24.116.2.50 24.116.2.34

O20 - AppInit_DLLs: (C:\PROGRA~1\SEARCH~1\Datamngr\datamngr.dll) - C:\Program Files\Searchqu Toolbar\Datamngr\datamngr.dll (Bandoo Media, inc)

O20 - AppInit_DLLs: (C:\PROGRA~1\SEARCH~1\Datamngr\IEBHO.dll) - C:\Program Files\Searchqu Toolbar\Datamngr\IEBHO.dll (Bandoo Media, inc)

O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)

O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)

O24 - Desktop WallPaper: C:\WINDOWS\Amber Migration.bmp

O24 - Desktop BackupWallPaper: C:\WINDOWS\Amber Migration.bmp

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2006/03/24 06:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]

O34 - HKLM BootExecute: (autocheck autochk *) - File not found

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37 - HKLM\...com [@ = comfile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found

NetSvcs: HidServ - File not found

NetSvcs: Ias - File not found

NetSvcs: Iprip - File not found

NetSvcs: NWCWorkstation - File not found

NetSvcs: Nwsapagent - File not found

NetSvcs: WmdmPmSp - File not found

NetSvcs: winmgmt - C:\Documents and Settings\Victor Guerrero\Local Settings\Temp\wlsidten.dll ()

Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)

Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)

Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)

Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)

Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)

Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()

Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()

Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)

Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)

========== Files/Folders - Created Within 30 Days ==========

[2013/01/23 14:07:11 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Administrator\IETldCache

[2013/01/23 12:30:12 | 000,000,000 | -HSD | C] -- C:\WINDOWS\CSC

[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

[1 C:\Documents and Settings\Victor Guerrero\My Documents\*.tmp files -> C:\Documents and Settings\Victor Guerrero\My Documents\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2013/01/23 15:29:05 | 000,000,442 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{707E7030-26EC-4420-917A-BBE6AF960061}.job

[2013/01/23 15:28:54 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl

[2013/01/23 15:27:14 | 095,023,320 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\netdislw.pad

[2013/01/23 15:26:54 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job

[2013/01/23 15:26:37 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat

[2013/01/23 15:26:28 | 401,133,568 | -HS- | M] () -- C:\hiberfil.sys

[2013/01/23 14:23:02 | 000,003,252 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\netdislw.js

[2013/01/23 14:23:02 | 000,000,808 | ---- | M] () -- C:\Documents and Settings\Victor Guerrero\Start Menu\Programs\Startup\runctf.lnk

[2013/01/23 14:21:23 | 000,000,211 | RHS- | M] () -- C:\boot.ini

[2013/01/23 14:17:40 | 000,000,808 | ---- | M] () -- C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\runctf.lnk

[2013/01/12 21:24:55 | 000,001,831 | ---- | M] () -- C:\Documents and Settings\Victor Guerrero\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk

[2013/01/12 18:03:02 | 000,000,254 | ---- | M] () -- C:\WINDOWS\tasks\Scheduled Update for Ask Toolbar.job

[2013/01/12 17:54:35 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job

[2013/01/12 17:53:38 | 000,001,813 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Google Chrome.lnk

[2013/01/12 17:53:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Google Chrome

[2013/01/12 17:45:00 | 000,000,830 | ---- | M] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job

[2013/01/08 22:46:06 | 000,697,864 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerApp.exe

[2013/01/08 22:46:06 | 000,074,248 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl

[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

[1 C:\Documents and Settings\Victor Guerrero\My Documents\*.tmp files -> C:\Documents and Settings\Victor Guerrero\My Documents\*.tmp -> ]

========== Files Created - No Company Name ==========

[2013/01/23 15:26:28 | 401,133,568 | -HS- | C] () -- C:\hiberfil.sys

[2013/01/23 14:23:02 | 000,000,808 | ---- | C] () -- C:\Documents and Settings\Victor Guerrero\Start Menu\Programs\Startup\runctf.lnk

[2013/01/23 14:17:40 | 000,000,808 | ---- | C] () -- C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\runctf.lnk

[2013/01/12 18:15:10 | 000,003,252 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\netdislw.js

[2013/01/12 18:14:54 | 095,023,320 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\netdislw.pad

[2012/06/10 21:32:16 | 000,045,752 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat

[2010/08/31 08:28:34 | 000,000,000 | ---- | C] () -- C:\WINDOWS\iPlayer.INI

[2010/06/14 13:21:29 | 000,000,256 | ---- | C] () -- C:\WINDOWS\System32\pool.bin

[2009/01/13 15:37:43 | 000,000,029 | ---- | C] () -- C:\WINDOWS\DEBUGSM.INI

[2008/11/24 10:53:00 | 000,000,021 | ---- | C] () -- C:\WINDOWS\PI_setup.ini

[2008/11/24 10:49:39 | 000,096,768 | ---- | C] () -- C:\WINDOWS\SlantAdj.dll

[2008/11/24 10:49:39 | 000,003,136 | ---- | C] () -- C:\WINDOWS\Ade001.bin

[2008/11/24 10:49:39 | 000,000,072 | ---- | C] () -- C:\WINDOWS\System32\epDPE.ini

[2008/11/24 10:42:46 | 000,000,196 | ---- | C] () -- C:\WINDOWS\EPSON RX500 Installer.ini

[2006/03/17 14:36:51 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Victor Guerrero\Application Data\wklnhst.dat

[2005/09/19 13:15:26 | 000,003,584 | ---- | C] () -- C:\Documents and Settings\Victor Guerrero\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2005/09/19 13:06:03 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI

[2005/04/29 04:12:48 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll

[2005/04/29 04:12:48 | 000,200,704 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll

[2005/04/29 04:12:48 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll

[2005/04/29 04:12:48 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll

[2005/04/29 04:12:48 | 000,188,416 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll

[2005/04/29 04:12:48 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll

[2005/04/29 04:01:09 | 000,015,669 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini

[2005/04/29 02:25:46 | 000,172,032 | ---- | C] () -- C:\WINDOWS\System32\tifmicon.dll

[2005/03/17 08:29:58 | 000,081,342 | ---- | C] () -- C:\WINDOWS\System32\atiicdxx.dat

[2005/02/12 03:33:06 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini

[2004/08/07 08:19:26 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat

[2004/08/07 08:19:16 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini

[2004/08/07 08:14:52 | 000,441,692 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat

[2004/08/07 08:14:52 | 000,071,462 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat

[2004/08/07 08:12:40 | 000,000,791 | ---- | C] () -- C:\WINDOWS\orun32.ini

[2004/08/07 08:07:40 | 000,241,536 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT

[2004/08/07 08:02:46 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI

[2004/08/07 07:59:58 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat

[2004/08/04 03:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat

[2004/08/04 03:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat

[2004/08/04 03:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat

[2004/08/04 03:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin

[2004/08/04 03:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat

[2004/08/04 03:00:00 | 000,027,440 | ---- | C] () -- C:\WINDOWS\System32\drivers\secdrv.sys

[2004/08/04 03:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat

[2004/08/04 03:00:00 | 000,001,788 | ---- | C] () -- C:\WINDOWS\System32\Dcache.bin

[2004/08/04 03:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat

[2002/05/28 03:55:42 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin

[2002/05/28 03:54:40 | 000,004,605 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat

========== LOP Check ==========

[2010/07/16 10:12:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Victor Guerrero\Application Data\InterVideo

[2008/11/24 10:55:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Victor Guerrero\Application Data\Leadertech

[2005/09/18 22:25:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Victor Guerrero\Application Data\MSNInstaller

[2010/06/14 13:21:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Victor Guerrero\Application Data\Research In Motion

[2012/09/22 20:59:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Victor Guerrero\Application Data\searchquband

[2012/09/22 21:01:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Victor Guerrero\Application Data\searchqutoolbar

[2009/01/13 15:37:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Victor Guerrero\Application Data\Smart Panel

[2008/11/26 16:47:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Geek Squad

[2005/04/29 04:28:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\muvee Technologies

[2010/06/14 13:19:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Research In Motion

[2012/05/17 21:38:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}

[2010/06/18 14:45:18 | 000,000,286 | ---- | M] () -- C:\WINDOWS\Tasks\Regwork.job

[2013/01/12 18:03:02 | 000,000,254 | ---- | M] () -- C:\WINDOWS\Tasks\Scheduled Update for Ask Toolbar.job

[2013/01/23 15:29:05 | 000,000,442 | -H-- | M] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{707E7030-26EC-4420-917A-BBE6AF960061}.job

========== Purity Check ==========

========== Custom Scans ==========

< %SYSTEMDRIVE%\*.* >

[2013/01/23 14:21:23 | 000,000,211 | RHS- | M] () -- C:\boot.ini

[2009/11/06 13:14:24 | 000,206,862 | ---- | M] () -- C:\coreuninstall.log

[2006/03/17 11:42:39 | 002,807,100 | ---- | M] () -- C:\DNSP1.LOG

[2010/08/13 10:34:22 | 000,000,050 | ---- | M] () -- C:\DVDPATH.TXT

[2013/01/23 15:26:28 | 401,133,568 | -HS- | M] () -- C:\hiberfil.sys

[2006/03/17 11:36:36 | 000,000,171 | ---- | M] () -- C:\HSC.log

[2008/11/24 10:43:49 | 000,000,000 | RHS- | M] () -- C:\IO.SYS

[2008/11/24 10:43:49 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS

[2006/03/17 11:37:31 | 000,012,460 | ---- | M] () -- C:\mszone.log

[2006/03/17 11:37:47 | 000,000,087 | ---- | M] () -- C:\muvee.log

[2004/08/04 03:00:00 | 000,047,564 | RHS- | M] () -- C:\ntdetect.com

[2004/08/04 03:00:00 | 000,250,032 | RHS- | M] () -- C:\ntldr

[2013/01/23 15:26:26 | 603,979,776 | -HS- | M] () -- C:\pagefile.sys

[2006/03/17 11:40:45 | 000,000,200 | ---- | M] () -- C:\sedinst2.log

[2006/03/17 11:41:23 | 000,000,087 | ---- | M] () -- C:\setup.log

[2006/03/17 11:41:11 | 000,002,880 | ---- | M] () -- C:\sunjava.log

[2006/03/17 11:32:43 | 000,000,191 | ---- | M] () -- C:\syntp.log

[2006/03/17 11:31:10 | 000,000,032 | ---- | M] () -- C:\ticrdbus.log

< MD5 for: EXPLORER.EXE >

[2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\explorer.exe

[2004/08/04 03:00:00 | 001,032,192 | ---- | M] (Microsoft Corporation) MD5=A0732187050030AE399B241436565E64 -- C:\WINDOWS\explorer.exe

< MD5 for: SERVICES.EXE >

[2009/02/06 06:06:24 | 000,110,592 | ---- | M] (Microsoft Corporation) MD5=020CEAAEDC8EB655B6506B8C70D53BB6 -- C:\WINDOWS\$hf_mig$\KB956572\SP3QFE\services.exe

[2008/04/13 19:12:34 | 000,108,544 | ---- | M] (Microsoft Corporation) MD5=0E776ED5F7CC9F94299E70461B7B8185 -- C:\WINDOWS\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\services.exe

[2009/02/06 12:14:03 | 000,110,592 | ---- | M] (Microsoft Corporation) MD5=37561F8D4160D62DA86D24AE41FAE8DE -- C:\WINDOWS\system32\dllcache\services.exe

[2009/02/06 12:14:03 | 000,110,592 | ---- | M] (Microsoft Corporation) MD5=37561F8D4160D62DA86D24AE41FAE8DE -- C:\WINDOWS\system32\services.exe

[2009/02/06 05:22:21 | 000,110,592 | ---- | M] (Microsoft Corporation) MD5=4712531AB7A01B7EE059853CA17D39BD -- C:\WINDOWS\$hf_mig$\KB956572\SP2QFE\services.exe

[2009/02/06 06:11:05 | 000,110,592 | ---- | M] (Microsoft Corporation) MD5=65DF52F5B8B6E9BBD183505225C37315 -- C:\WINDOWS\$hf_mig$\KB956572\SP3GDR\services.exe

[2004/08/04 03:00:00 | 000,108,032 | ---- | M] (Microsoft Corporation) MD5=C6CE6EEC82F187615D1002BB3BB50ED4 -- C:\WINDOWS\$NtUninstallKB956572$\services.exe

< MD5 for: USERINIT.EXE >

[2004/08/04 03:00:00 | 000,024,576 | ---- | M] (Microsoft Corporation) MD5=39B1FFB03C2296323832ACBAE50D2AFF -- C:\WINDOWS\system32\userinit.exe

[2008/04/13 19:12:38 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\userinit.exe

< MD5 for: WINLOGON.EXE >

[2004/08/04 03:00:00 | 000,502,272 | ---- | M] (Microsoft Corporation) MD5=01C3346C241652F43AED8E2149881BFE -- C:\WINDOWS\system32\winlogon.exe

[2008/04/13 19:12:39 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\winlogon.exe

< End of report >


Just as a note I have been able to get into Safe Mode a couple of times long enough to disable the rundll32 option in msconfig>Startup for runctf which is the trigger to run the DOJ trojan on startup but unfortunately it reappears after restarting. I know it resides in his Temp folder.

Unfortunately this person was not very good at routine maintenance and has a ton of files in his temp folder. Is there anything I can do using the boot CD I've made to manually remove files? I mean, it looks like I should be able to delete all the files in the Temp folder and maybe then I could get into Safe Mode long enough to download, install and run a removal tool like MWB or Emsisoft.

Just a thought.


This should get you going....

OK, basically what we want to do is copy the text that's in BOLD into the Custom Scans/Fixes box of OTLPE

Here's how to do that:

Copy the text in BOLD into notepad and save it:

:OTL

SRV - File not found [Disabled] -- -- (HidServ)

SRV - [2013/01/12 18:14:46 | 000,245,248 | ---- | M] () [Auto] -- C:\Documents and Settings\Victor Guerrero\Local Settings\Temp\wlsidten.dll -- (winmgmt)

NetSvcs: winmgmt - C:\Documents and Settings\Victor Guerrero\Local Settings\Temp\wlsidten.dll ()

[2013/01/23 14:23:02 | 000,000,808 | ---- | M] () -- C:\Documents and Settings\Victor Guerrero\Start Menu\Programs\Startup\runctf.lnk

[2013/01/23 14:17:40 | 000,000,808 | ---- | M] () -- C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\runctf.lnk

[2013/01/23 14:17:40 | 000,000,808 | ---- | C] () -- C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\runctf.lnk

[2013/01/12 18:15:10 | 000,003,252 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\netdislw.js

[2013/01/12 18:14:54 | 095,023,320 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\netdislw.pad

Copy it to your flash drive

Boot the computer up using the OTLPE disk

Run OTLPE

Plug in the flash drive

Drag the notepad text to the desktop

Open it up and copy and paste the text into Custom Scans/Fixes

Then click the Run Fix button at the top

Copy and paste the log back here. MrC
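For anyone reading along and wondering how the entries in that fix list were picked out of the report, here is an added Python example (my own script, not OTL's or Malwarebytes' code) that applies the same heuristics to OTL-format lines: a service or NetSvcs DLL loaded from a user's Temp folder, a Startup shortcut whose target is rundll32.exe, a no-publisher file dropped straight into an Application Data root, and an orphaned "File not found" service. The sample lines are copied from the report posted above; the rule names are my own.

```python
import re
from typing import List, Set, Tuple

# Constructed sample: lines copied from the OTLPE report posted in this thread,
# mixing the entries MrC put in the fix list with legitimate neighbours.
SAMPLE_LOG = r"""
SRV - File not found [Disabled] -- -- (HidServ)
SRV - [2013/01/12 18:14:46 | 000,245,248 | ---- | M] () [Auto] -- C:\Documents and Settings\Victor Guerrero\Local Settings\Temp\wlsidten.dll -- (winmgmt)
SRV - [2013/01/08 22:46:10 | 000,251,400 | ---- | M] (Adobe Systems Incorporated) [On_Demand] -- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
O4 - HKLM..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe (Synaptics, Inc.)
O4 - Startup: C:\Documents and Settings\Victor Guerrero\Start Menu\Programs\Startup\runctf.lnk = X:\I386\SYSTEM32\RUNDLL32.EXE (Microsoft Corporation)
NetSvcs: winmgmt - C:\Documents and Settings\Victor Guerrero\Local Settings\Temp\wlsidten.dll ()
[2013/01/12 18:15:10 | 000,003,252 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\netdislw.js
[2013/01/12 18:14:54 | 095,023,320 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\netdislw.pad
[2013/01/08 22:46:06 | 000,697,864 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerApp.exe
"""

# A Windows path ending in one of the extensions OTL reports for services, autoruns and dropped files.
PATH_RE = re.compile(
    r'[A-Z]:\\[^\r\n"<>|*?]+?\.(?:dll|exe|sys|lnk|js|pad|cpl|scr|bat|vbs)\b',
    re.IGNORECASE,
)
# Folder fragments a service binary or autorun target has no business living in.
TEMP_MARKERS = ('\\local settings\\temp\\', '\\temp\\', '\\temporary internet files\\')
PROFILE_MARKER = '\\documents and settings\\'
ORPHAN_RE = re.compile(r'SRV - File not found .*\((?P<svc>[^()]+)\)\s*$')


def _split(path: str) -> Tuple[str, str]:
    """Return (parent_dir, file_name) for a backslash path without relying on os.path."""
    parent, _, name = path.rpartition('\\')
    return parent, name


def triage_line(line: str) -> List[Tuple[str, str]]:
    """Apply the review heuristics to one OTL line; returns (rule, target) findings."""
    line = line.rstrip()
    paths = PATH_RE.findall(line)
    # OTL prints an empty "()" where the file carries no company name.
    no_company = ' () ' in line or line.endswith('()')
    findings: List[Tuple[str, str]] = []

    # Rule 1: a registered service whose file is gone is an orphan worth cleaning up.
    m = ORPHAN_RE.match(line)
    if m:
        findings.append(('orphan_service', m.group('svc')))

    for path in paths:
        low = path.lower()
        parent, _ = _split(path)
        # Rule 2: a service (SRV/NetSvcs) or autorun (O4/O20) that loads code from a Temp folder.
        if line.startswith(('SRV', 'NetSvcs', 'O4', 'O20')) and any(t in low for t in TEMP_MARKERS):
            findings.append(('executes_from_temp', path))
        # Rule 3: a service image inside a user profile instead of %SystemRoot% or Program Files;
        # the hijacked winmgmt entry in the report is the textbook case.
        if line.startswith(('SRV', 'NetSvcs')) and PROFILE_MARKER in low:
            findings.append(('service_in_user_profile', path))
        # Rule 4: a file with no publisher dropped directly into an Application Data root.
        if line.startswith('[') and no_company and parent.lower().endswith('\\application data'):
            findings.append(('unsigned_file_in_appdata_root', path))

    # Rule 5: a Startup-folder shortcut whose target is rundll32.exe, a generic DLL launcher;
    # the shortcut itself is the persistence item, so that is what gets reported.
    if line.startswith('O4 - Startup:') and any(_split(p)[1].lower() == 'rundll32.exe' for p in paths):
        lnk = next((p for p in paths if p.lower().endswith('.lnk')), paths[0])
        findings.append(('rundll32_startup_shortcut', lnk))
    return findings


def triage(report: str) -> List[Tuple[str, str]]:
    """Run triage_line over a whole report, keeping the first occurrence of each finding."""
    seen: Set[Tuple[str, str]] = set()
    out: List[Tuple[str, str]] = []
    for line in report.splitlines():
        for finding in triage_line(line):
            if finding not in seen:
                seen.add(finding)
                out.append(finding)
    return out


def flagged_names(report: str) -> Set[str]:
    """File or service names from all findings, handy to diff against a proposed fix list."""
    return {_split(t)[1] if '\\' in t else t for _, t in triage(report)}


if __name__ == '__main__':
    for rule, target in triage(SAMPLE_LOG):
        print(f'{rule:30} {target}')
```

Run against the full report it reproduces the five items in the fix list above and leaves the Adobe, Synaptics and Microsoft entries alone; the heuristics are deliberately narrow, so a clean result from this script is not a clean system.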


New log after running Run Fix:

========== OTL ==========

Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\HidServ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\winmgmt deleted successfully.

C:\Documents and Settings\Victor Guerrero\Local Settings\Temp\wlsidten.dll moved successfully.

winmgmt removed from NetSvcs value successfully!

File C:\Documents and Settings\Victor Guerrero\Local Settings\Temp\wlsidten.dll not found.

C:\Documents and Settings\Victor Guerrero\Start Menu\Programs\Startup\runctf.lnk moved successfully.

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\runctf.lnk moved successfully.

File C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\runctf.lnk not found.

C:\Documents and Settings\All Users\Application Data\netdislw.js moved successfully.

C:\Documents and Settings\All Users\Application Data\netdislw.pad moved successfully.

OTLPE by OldTimer - Version 3.1.48.0 log created on 01232013_160629


I removed the boot CD and tried to use the REATOGO-X-PE desktop to restart or turn off but nothing happened so I hard booted the machine off. Started the PC up and am now able to get to normal desktop without the DOJ lockout window opening. Checking out the Security Center in Control Panel and it is not running and cannot be started using services.msc. Also, unable to start Windows Firewall. There does not appear to be any AV program at all on the system.


Restarted and still no Security Center. Tried services.msc again to start it but receive the following error:

Services

Could not start the Security Center on local computer,

Error 1068: The dependency service or group failed to start

If I try and start the Windows Firewall in the Control Panel I get the following error:

Windows Firewall settings cannot be displayed because the associated service is not running. Do you want to start the Windows Firewall/Internet Connection Sharing (ICS) service?

Seem to recall reading something about not running ICS because of security issues. Could be mistaken about this.


Please create a new system restore point before running Malwarebytes Anti-Rootkit if you can.

MBAR tutorial

Download Malwarebytes Anti-Rootkit from HERE

  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced; they will be in the MBAR folder: mbar-log.txt and system-log.txt

To attach a log if needed:

Bottom right corner of this page.


New window that comes up.


~~~~~~~~~~~~~~~~~~~~~~~

Note:

If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional:

Internet access

Windows Update

Windows Firewall

If there are additional problems with your system, such as any of those listed above or other system issues, then run the fixdamage tool included with Malwarebytes Anti-Rootkit and reboot.

Verify that your system is now functioning normally.

MrC


Need to ask this. Don't I need to run either MWB or another malware removal tool to be sure that the DOJ trojan and all associated files and registry entries are removed? Have the previous steps we did removed all traces of this infection?

Also, I still have the issue with both the Security Center and the Windows Firewall/ICS services not running. I don't think I want to connect to the internet on the infected computer unless I have some kind of firewall protection.

Really appreciate all your help and want to make sure that this will clear up the problem. I will immediately install a free AV program temporarily as soon as I know it is safe to connect to the internet.


I gave you instructions to do that:

http://forums.malwar...ndpost&p=638470

MrC

Please know that I'm very appreciative of the time and help you have given but you haven't answered my concerns about the Security Center and Windows Firewall not working or being able to be started. Do you have any recommendations regarding those problems? As stated, I don't want to connect to the internet without a working firewall.

Ran MBAR. Logs attached. Later time stamp mbar-log is after running MBAR the second time with no infections found. Ran fixdamage tool. I do have internet access but no Windows Firewall or Security Center access. Cannot start services.

mbar-log-2013-01-24 (11-15-46).txt

system-log.txt

mbar-log-2013-01-24 (11-44-54).txt


OK next...... (I'll be back in the AM)

Please download and run ComboFix.

The most important things to remember when running it are to disable all your malware programs and to run ComboFix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingc...to-use-combofix

Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC


Mister Charlie, I think I made a critical error when I ran MBAR. The very first thing that happened was a popup saying that MBAR had discovered possible or potential rootkits identified as Appinit_dlls. I selected Yes for removal and then ran the MBAR program and posted the logs. I had made a restore point prior to running MBAR. The only issue found (from the log) was HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED|StartMenuLogoff (PUM.Hijack.StartMenu) which was moved into quarantine.

I don't know if it is related, but after finishing MBAR I was trying to uninstall some unnecessary toolbars from the Control Panel and the uninstall programs did not run. There were messages about Run App as DLL not working. There were also issues when I tried to install a third party firewall since Windows Firewall was not working.

Should I go back to the restore point I made before running MBAR, select No when the popup appears, run MBAR again and see if that problem is corrected?

Computer is working, no DOJ issues but as stated, no access to either Security Center or Windows Firewall. Cannot start the services for either of those.
