depair Posted August 13, 2010 ID:299958 Share Posted August 13, 2010 I have a very bad virus. My computer only runs in safe mode w/o networking. I have been trying to install malware on the computer via flash drive. I did get it on and it did start to scan briefly, however the virus got to it and won't let it open. The message about the administrator will not "let you run the program" comes up. I thought that if I could rename the .exe file I might be able to get around this. The problem is when I do it on the infected computer, as soon as I go to type the new name, the virus shuts down my keyboard and I can't type or navigate. The mouse is shut down also. The only option is to reboot in safe mode. Any suggestions??? I want to try and rename the .exe on my flash drive and then run from that location if that is possible. Link to post Share on other sites More sharing options...
Elise Posted August 13, 2010 ID:300049 Share Posted August 13, 2010 Hello , And My name is Elise and I'll be glad to help you with your computer problems.I will be working on your malware issues, this may or may not solve other issues you may have with your machine.Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen. Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. -----------------------------------------------------------Note: If using Firefox right-click on any download links and choose Save AsPlease download OTH to your desktopPlease download OTL to your desktopDouble click the OTH file to run it and click Kill All Processes, your desktop will go blank.Then select Start OTL. OTL will now runClick the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.[*]Click the Internet Explorer button, post these logs in your Virus Removal topic. Link to post Share on other sites More sharing options...
depair Posted August 14, 2010 Author ID:300315 Share Posted August 14, 2010 thanks for responding. I have a difficult problem. I cannot download anything on my infected computer because it will only run in safe mode WITHOUT NETWORKING. I can use another computer to download and must use a flash drive to attempt to install on the infected computer. If the infected computer recognizes the new install as an anti virus program, it freezes my computer keyboard and mouse. The only thing I can do next is a hard re-boot to safe mode again and try another remedy. I was trying to rename the malwarebytes .exe file to trick the virus into thinking it was not harmful to it....any ideas? It will not allow me to rename because when I attempt to rename, it shuts down the keyboard! Can I re-name the .exe file on the flash drive and run the program right off the falsh drive? Link to post Share on other sites More sharing options...
Elise Posted August 14, 2010 ID:300316 Share Posted August 14, 2010 Save the OTH and OTL files both on a flashdrive, plug that into your infected computer and then run them as instructed. Link to post Share on other sites More sharing options...
depair Posted August 16, 2010 Author ID:301160 Share Posted August 16, 2010 Save the OTH and OTL files both on a flashdrive, plug that into your infected computer and then run them as instructed.OTL.Txt Link to post Share on other sites More sharing options...
Elise Posted August 16, 2010 ID:301170 Share Posted August 16, 2010 Hello there,We are dealing here with a nasty infection, lets see how we can get rid of it best.COMBOFIX---------------Please download ComboFix from one of these locations:BleepingcomputerForoSpywareDisable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)Double click on Combofix.exe and follow the prompts.As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue it's malware removal procedures.Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:Click on Yes, to continue scanning for malware.When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply. Link to post Share on other sites More sharing options...
depair Posted August 17, 2010 Author ID:301480 Share Posted August 17, 2010 Hello there,We are dealing here with a nasty infection, lets see how we can get rid of it best.COMBOFIX---------------Please download ComboFix from one of these locations:BleepingcomputerForoSpywareDisable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)Double click on Combofix.exe and follow the prompts.As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue it's malware removal procedures.Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:Click on Yes, to continue scanning for malware.When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.Remember, I can't run in anything but safe mode w/o networking...I put Combofix on a flash drive and tried to run it from there. It tried to load according to the load bar, however it would not run....tried multiple times, reboots, etc. Link to post Share on other sites More sharing options...
Elise Posted August 17, 2010 ID:301500 Share Posted August 17, 2010 Try to rename it to random.exe and see if it will run that way. Link to post Share on other sites More sharing options...
depair Posted August 17, 2010 Author ID:301562 Share Posted August 17, 2010 Try to rename it to random.exe and see if it will run that way.[/quoteWhen I try to rename the file it freezes my mouse and keyboard and I have to re-boot to un-freeze.....can't do it.... Link to post Share on other sites More sharing options...
Elise Posted August 17, 2010 ID:301578 Share Posted August 17, 2010 In that case, lets do it with OTL. Please copy the script to a text file and save it to your flashdrive.Put the flashdrive in the infected computer, open the script, copy the contents, then run OTH and start OTL.Now paste the script into the "custom scan/fix" field and click Run Fix. The computer will need to reboot. When done, it will produce a log, please post that in your next reply.:reg[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,":otlIE - HKCU\..\URLSearchHook: *{4D25F926-B9FE-4682-BF72-8AB8210D6D75} - Reg Error: Key error. File not foundIE - HKCU\..\URLSearchHook: *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - Reg Error: Key error. File not foundIE - HKCU\..\URLSearchHook: *{EA756889-2338-43DB-8F07-D1CA6FB9C90D} - Reg Error: Key error. File not foundIE - HKCU\..\URLSearchHook: *{f0e98552-8e47-4c6c-9b3a-11ab0549f94d} - Reg Error: Key error. File not foundO4 - HKLM..\Run: [vwyuqbmx] C:\Documents and Settings\NetworkService\Local Settings\Application Data\fxbosiids\texvrcmtssd.exe ()O4 - HKCU..\Run: [{89994A9E-7FA8-65FF-840E-84CB5C32F55B}] C:\Documents and Settings\Don De Pol\Application Data\Yntu\xaqea.exe (rqipbu)O4 - Startup: C:\Documents and Settings\Don De Pol\Start Menu\Programs\Startup\umyzufSrv.exe (SOFTWIN S.R.L.)O4 - Startup: C:\Documents and Settings\Don De Pol\Start Menu\Programs\Startup\umyzufSrvSrv.exe (SOFTWIN S.R.L.)O4 - Startup: C:\Documents and Settings\Don De Pol\Start Menu\Programs\Startup\umyzufSrvSrvSrv.exe (SOFTWIN S.R.L.):filesC:\WINDOWS\System32\rundll32Srv*.exeC:\WINDOWS\System32\verclsidSrv*.exeC:\WINDOWS\System32\drwtsn32Srv*.exeC:\WINDOWS\System32\WgaTraySrv*.exeC:\WINDOWS\System32\msiexecSrv*.exeC:\WINDOWS\System32\logonSrv*.exeC:\WINDOWS\System32\dwwinSrv*.exeC:\WINDOWS\System32\dumprepSrv*.exeC:\WINDOWS\System32\taskmgrSrv*.exeC:\WINDOWS\System32\igfxsrvcSrv*.exeC:\WINDOWS\System32\wuaucltSrv*.exeC:\WINDOWS\ExplorerSrv*.exeC:\WINDOWS\MXOALDRSrv*.exeC:\WINDOWS\System32\hkcmdSrv*.exeC:\WINDOWS\System32\LVCOMSXSrv*.exeC:\WINDOWS\System32\ElkCtrlSrv*.exeC:\WINDOWS\System32\userinitSrv*.exeC:\WINDOWS\System32\wscntfySrv*.exeC:\WINDOWS\System32\dwwinSrv*.exeC:\WINDOWS\System32\ctfmonSrv*.exeC:\WINDOWS\System32\hpoipm07Srv*.exe:commands[emptytemp][resethosts] Link to post Share on other sites More sharing options...
depair Posted August 17, 2010 Author ID:301605 Share Posted August 17, 2010 In that case, lets do it with OTL. Please copy the script to a text file and save it to your flashdrive.Put the flashdrive in the infected computer, open the script, copy the contents, then run OTH and start OTL.Now paste the script into the "custom scan/fix" field and click Run Fix. The computer will need to reboot. When done, it will produce a log, please post that in your next reply.:reg[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,":otlIE - HKCU\..\URLSearchHook: *{4D25F926-B9FE-4682-BF72-8AB8210D6D75} - Reg Error: Key error. File not foundIE - HKCU\..\URLSearchHook: *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - Reg Error: Key error. File not foundIE - HKCU\..\URLSearchHook: *{EA756889-2338-43DB-8F07-D1CA6FB9C90D} - Reg Error: Key error. File not foundIE - HKCU\..\URLSearchHook: *{f0e98552-8e47-4c6c-9b3a-11ab0549f94d} - Reg Error: Key error. File not foundO4 - HKLM..\Run: [vwyuqbmx] C:\Documents and Settings\NetworkService\Local Settings\Application Data\fxbosiids\texvrcmtssd.exe ()O4 - HKCU..\Run: [{89994A9E-7FA8-65FF-840E-84CB5C32F55B}] C:\Documents and Settings\Don De Pol\Application Data\Yntu\xaqea.exe (rqipbu)O4 - Startup: C:\Documents and Settings\Don De Pol\Start Menu\Programs\Startup\umyzufSrv.exe (SOFTWIN S.R.L.)O4 - Startup: C:\Documents and Settings\Don De Pol\Start Menu\Programs\Startup\umyzufSrvSrv.exe (SOFTWIN S.R.L.)O4 - Startup: C:\Documents and Settings\Don De Pol\Start Menu\Programs\Startup\umyzufSrvSrvSrv.exe (SOFTWIN S.R.L.):filesC:\WINDOWS\System32\rundll32Srv*.exeC:\WINDOWS\System32\verclsidSrv*.exeC:\WINDOWS\System32\drwtsn32Srv*.exeC:\WINDOWS\System32\WgaTraySrv*.exeC:\WINDOWS\System32\msiexecSrv*.exeC:\WINDOWS\System32\logonSrv*.exeC:\WINDOWS\System32\dwwinSrv*.exeC:\WINDOWS\System32\dumprepSrv*.exeC:\WINDOWS\System32\taskmgrSrv*.exeC:\WINDOWS\System32\igfxsrvcSrv*.exeC:\WINDOWS\System32\wuaucltSrv*.exeC:\WINDOWS\ExplorerSrv*.exeC:\WINDOWS\MXOALDRSrv*.exeC:\WINDOWS\System32\hkcmdSrv*.exeC:\WINDOWS\System32\LVCOMSXSrv*.exeC:\WINDOWS\System32\ElkCtrlSrv*.exeC:\WINDOWS\System32\userinitSrv*.exeC:\WINDOWS\System32\wscntfySrv*.exeC:\WINDOWS\System32\dwwinSrv*.exeC:\WINDOWS\System32\ctfmonSrv*.exeC:\WINDOWS\System32\hpoipm07Srv*.exe:commands[emptytemp][resethosts]Elsie,I can't upload the log...it says I am not permitted to upload this type of file... Link to post Share on other sites More sharing options...
Elise Posted August 17, 2010 ID:301632 Share Posted August 17, 2010 I suspect it was also pretty long. Please see if you can run Combofix now. Are things running better now? Link to post Share on other sites More sharing options...
depair Posted August 17, 2010 Author ID:301691 Share Posted August 17, 2010 I suspect it was also pretty long. Please see if you can run Combofix now. Are things running better now?No, still the same.... Link to post Share on other sites More sharing options...
Elise Posted August 18, 2010 ID:301816 Share Posted August 18, 2010 Please post me a new OTL log. Link to post Share on other sites More sharing options...
depair Posted August 18, 2010 Author ID:301915 Share Posted August 18, 2010 OK, here is the latest.DonOTL.Txt Link to post Share on other sites More sharing options...
Elise Posted August 18, 2010 ID:301946 Share Posted August 18, 2010 Please run the following OTL fix (just like last time).:otlDRV - [2008/04/13 15:15:53 | 000,295,168 | ---- | M] () [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\aAAAaAA.sys -- (aAAAaAA)O4 - Startup: C:\Documents and Settings\Don De Pol\Start Menu\Programs\Startup\keamir.exe (joifjno)O4 - Startup: C:\Documents and Settings\Don De Pol\Start Menu\Programs\Startup\umyzufSrvSrvSrvSrv.exe (SOFTWIN S.R.L.):reg[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,":commands[emptytemp]When done, please try to run Dr. Web. You can download and save this to a flashdrive as well and run from Safe Mode.DR. WEB CUREIT----------------------Please download Dr.Web CureIt and save it to your desktop. DO NOT perform a scan yet.alternate download linkNote: The file will be randomly named (i.e. 5mkuvc4z.exe).Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in Safe Mode.Scan with Dr.Web CureIt as follows:Double-click on the randomly named file to open the program and click Start. (There is no need to update if you just downloaded the most current versionRead the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.The Express scan will automatically begin.(This is a short scan of files currently running in memory, boot sectors, and targeted folders).If prompted to dowload the Full version Free Trial, ignore and click the X to close the window.If an infected object is found, you will be prompted to move anything that cannot be cured. Click No to All. (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)After the Express Scan is finished, put a check next to Complete scan to scan all local disks and removable media.In the top menu, click Settings > Change settings, and uncheck "Heuristic analysis" under the "Scanning" tab, then click Apply, Ok.Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.Please be patient as this scan could take a long time to complete.When the scan has finished, a message will be displayed at the bottom indicating if any viruses were found.Click Select All, then choose Cure (when incurable, choose no action).In the top menu, click file and choose save report list.Save the DrWeb.csv report to your flashdrive.Exit Dr.Web Cureit when done.Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.cvs report) Link to post Share on other sites More sharing options...
depair Posted August 19, 2010 Author ID:302403 Share Posted August 19, 2010 Please run the following OTL fix (just like last time).:otlDRV - [2008/04/13 15:15:53 | 000,295,168 | ---- | M] () [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\aAAAaAA.sys -- (aAAAaAA)O4 - Startup: C:\Documents and Settings\Don De Pol\Start Menu\Programs\Startup\keamir.exe (joifjno)O4 - Startup: C:\Documents and Settings\Don De Pol\Start Menu\Programs\Startup\umyzufSrvSrvSrvSrv.exe (SOFTWIN S.R.L.):reg[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,":commands[emptytemp]When done, please try to run Dr. Web. You can download and save this to a flashdrive as well and run from Safe Mode.DR. WEB CUREIT----------------------Please download Dr.Web CureIt and save it to your desktop. DO NOT perform a scan yet.alternate download linkNote: The file will be randomly named (i.e. 5mkuvc4z.exe).Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in Safe Mode.Scan with Dr.Web CureIt as follows:Double-click on the randomly named file to open the program and click Start. (There is no need to update if you just downloaded the most current versionRead the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.The Express scan will automatically begin.(This is a short scan of files currently running in memory, boot sectors, and targeted folders).If prompted to dowload the Full version Free Trial, ignore and click the X to close the window.If an infected object is found, you will be prompted to move anything that cannot be cured. Click No to All. (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)After the Express Scan is finished, put a check next to Complete scan to scan all local disks and removable media.In the top menu, click Settings > Change settings, and uncheck "Heuristic analysis" under the "Scanning" tab, then click Apply, Ok.Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.Please be patient as this scan could take a long time to complete.When the scan has finished, a message will be displayed at the bottom indicating if any viruses were found.Click Select All, then choose Cure (when incurable, choose no action).In the top menu, click file and choose save report list.Save the DrWeb.csv report to your flashdrive.Exit Dr.Web Cureit when done.Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.cvs report) Link to post Share on other sites More sharing options...
depair Posted August 19, 2010 Author ID:302405 Share Posted August 19, 2010 Dr web helped, but it wont let me upload the cure it file...its large. The computer started in normal mode, however the viris is still present and will not let me run malwarebytes yet. Dr web will not scan completely now either.... Link to post Share on other sites More sharing options...
Elise Posted August 19, 2010 ID:302420 Share Posted August 19, 2010 No problem, it will have taken out at least some stuff. I can well imagine it was long. Could you please try and see if combofix will now run (try both normal and safe mode). Link to post Share on other sites More sharing options...
depair Posted August 21, 2010 Author ID:303428 Share Posted August 21, 2010 Won't run in either mode... Link to post Share on other sites More sharing options...
Elise Posted August 21, 2010 ID:303439 Share Posted August 21, 2010 Please post me a new OTL log. Link to post Share on other sites More sharing options...
depair Posted August 21, 2010 Author ID:303454 Share Posted August 21, 2010 Latest OTL file.OTL.Txt Link to post Share on other sites More sharing options...
Elise Posted August 21, 2010 ID:303459 Share Posted August 21, 2010 Did you try to download a new copy of combofix (delete the old one) and did you try to run it form normal mode? Also try to rename it to random.exe in order to run it. Link to post Share on other sites More sharing options...
depair Posted August 21, 2010 Author ID:303463 Share Posted August 21, 2010 Did you try to download a new copy of combofix (delete the old one) and did you try to run it form normal mode? Also try to rename it to random.exe in order to run it.I just tried that...still won't run. When I try to rename it, the keyboard and mouse freeze... Link to post Share on other sites More sharing options...
Elise Posted August 22, 2010 ID:303601 Share Posted August 22, 2010 Hello again, please try the following and then try again. This time, download combofix on a clean computer, and before transferring it to the infected computer, rename it. Try the same with the MBAM installer. Put the renamed copies of the files on the flashdrive, then try to run them on the infected computer.Please copy/paste the following text into OTL and click Run Fix.:otlDRV - [2010/08/21 15:31:34 | 000,000,000 | ---- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\win32k.sys -- ({79007602-0CDB-4405-9DBF-1257BB3226EE}):commands[emptytemp] Link to post Share on other sites More sharing options...
Recommended Posts