
Topic: How to rename files infected by virus MALAS?  (Read 18848 times)


    doublexaa (Topic Starter)
    « on: July 29, 2008, 12:01:06 AM »
    Dear All,

    My computer was recently infected by the virus MALAS, which renamed all of my files with the extension .exe from <orig_name>.exe to <orig_name>lib.exe and created a shortcut based on the original file's name.

    I have removed the virus with Kaspersky antivirus.

    How do I rename/change my files' names back to their original names? (around 2500+ files on drives C:\ and E:\)

    Any help will be appreciated...
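
The rename described in this post can be undone mechanically once the machine is confirmed clean. The script below is an added example, not code from the thread or from any tool mentioned in it: it walks a folder for files ending in lib.exe, restores the .exe name only where the companion shortcut the post mentions is present (assumed here to be a .lnk file carrying the original base name), refuses to overwrite an existing file of the original name, and defaults to a dry run. The function names, the --apply flag and the sample tree built by build_sample_tree() are this example's own assumptions.

```python
# Added example (not from the thread): undo the rename pattern the poster
# describes, <name>.exe -> <name>lib.exe plus a <name>.lnk shortcut. The pattern
# comes from the post; the .lnk extension, function names, the dry-run default
# and the sample tree built by build_sample_tree() are this example's assumptions.
import sys
import tempfile
from pathlib import Path

SUFFIX = "lib.exe"   # appended to the original base name, per the post


def plan_restores(root):
    """Find <base>lib.exe files that sit beside a <base>.lnk shortcut.
    Requiring the shortcut avoids touching a legitimately named ...lib.exe
    (e.g. zlib.exe) that was never renamed. Returns a list of
    (renamed_path, original_path, shortcut_path) tuples."""
    plan = []
    for renamed in sorted(Path(root).rglob(f"*{SUFFIX}")):
        if not renamed.is_file():
            continue
        base = renamed.name[:-len(SUFFIX)]
        if not base:
            continue
        shortcut = renamed.with_name(base + ".lnk")
        if shortcut.is_file():
            plan.append((renamed, renamed.with_name(base + ".exe"), shortcut))
    return plan


def restore(root, dry_run=True):
    """Apply the plan. Returns (restored, skipped): paths restored (or that would
    be, in a dry run) and originals skipped because a file already exists under
    that name. A file already using the original name may be something the
    malware dropped, so it is left for inspection rather than overwritten."""
    restored, skipped = [], []
    for renamed, original, shortcut in plan_restores(root):
        if original.exists():
            skipped.append(original)
            continue
        if not dry_run:
            shortcut.unlink()          # drop the shortcut left in place of the exe
            renamed.rename(original)   # put the original name back
        restored.append(original)
    return restored, skipped


def build_sample_tree(root):
    """Construct a small after-infection layout for the demo (sample data only)."""
    apps = Path(root) / "apps"
    apps.mkdir(parents=True, exist_ok=True)
    (apps / "notepadlib.exe").write_bytes(b"MZ original program")
    (apps / "notepad.lnk").write_bytes(b"shortcut")
    (apps / "setuplib.exe").write_bytes(b"MZ original program")
    (apps / "setup.lnk").write_bytes(b"shortcut")
    (apps / "setup.exe").write_bytes(b"unknown file using the original name")
    (apps / "zlib.exe").write_bytes(b"MZ unrelated program")   # no shortcut: untouched
    return apps


def demo():
    """Dry run, then real run, on a temporary sample tree; returns plain names."""
    with tempfile.TemporaryDirectory() as tmp:
        apps = build_sample_tree(tmp)
        dry, _ = restore(tmp, dry_run=True)
        restored, skipped = restore(tmp, dry_run=False)
        return {
            "dry_run": [p.name for p in dry],
            "restored": [p.name for p in restored],
            "skipped": [p.name for p in skipped],
            "remaining": sorted(p.name for p in apps.iterdir()),
        }


if __name__ == "__main__":
    # Usage: python restore_lib_exe.py <drive or folder> [--apply]
    # Without --apply nothing is changed; the would-be renames are listed.
    target = next((a for a in sys.argv[1:] if not a.startswith("--")), None)
    if target is None:
        print(demo())
    else:
        apply = "--apply" in sys.argv
        done, held = restore(target, dry_run=not apply)
        for p in done:
            print(("restored: " if apply else "would restore: ") + str(p))
        for p in held:
            print("skipped, name already in use, inspect first: " + str(p))
```

Run it once without --apply against each affected drive and read the list before applying; the skipped entries are the ones worth looking at, since the post says the malware put a shortcut, not a file, under the original name.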

    evilfantasy (Malware Removal Specialist, Moderator)
    « Reply #1 on: July 29, 2008, 12:19:05 AM »
    If the files are still renamed then I wouldn't think that all of the malware is gone.

    Download and rename TrendMicro HijackThis.exe (HJT)

    • Double-click on HJTInstall.
    • Click on the Install button.
    • It will automatically place HJT in C:\Program Files\TrendMicro\HijackThis\HijackThis.exe.
    • Upon install, HijackThis should open for you.
    • Close HijackThis and rename it.
    • Go to C:\Program Files\Trend Micro\HijackThis.exe
    • Right click on HijackThis.exe and select Rename.
    • Type in sniper.exe and press Enter.
    • Right-click on sniper.exe and select Send To > Desktop (create shortcut)
    • From the desktop open HijackThis.
    • Important! If using Windows Vista, Right-click and Run As Administrator
    • Click on the Do a system scan and save a log file button
    • HijackThis will scan and then a log will open in notepad.
    • Copy and then paste the entire contents of the log in your post.
    • Do not have HijackThis fix anything yet. Most of what it finds will be harmless or even required.
    Although we have renamed HijackThis to sniper, we will still refer to it as HijackThis or HJT.

      doublexaa (Topic Starter)
      « Reply #2 on: July 31, 2008, 01:11:25 AM »
      This is a copy of the log file. Thanks

      Logfile of Trend Micro HijackThis v2.0.2
      Scan saved at 2:02:05 PM, on 7/31/2008
      Platform: Windows 2003 SP1 (WinNT 5.02.3790)
      MSIE: Internet Explorer v6.00 SP1 (6.00.3790.1830)
      Boot mode: Normal

      Running processes:
      C:\Documents and Settings\anton\WINDOWS\System32\smss.exe
      C:\WINDOWS\system32\winlogon.exe
      C:\WINDOWS\system32\services.exe
      C:\WINDOWS\system32\lsass.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\System32\svchost.exe
      C:\WINDOWS\system32\spoolsv.exe
      C:\WINDOWS\system32\CpqRcmc.exe
      C:\WINDOWS\system32\Dfssvc.exe
      C:\WINDOWS\System32\dns.exe
      C:\WINDOWS\System32\svchost.exe
      C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
      C:\Program Files\CA\eTrust Antivirus\InoRT.exe
      C:\Program Files\CA\eTrust Antivirus\InoTask.exe
      C:\WINDOWS\System32\ismserv.exe
      C:\WINDOWS\system32\ntfrs.exe
      C:\WINDOWS\system32\r_server.exe
      C:\hp\hpsmh\bin\smhstart.exe
      C:\hp\hpsmh\bin\hpsmhd.exe
      C:\WINDOWS\system32\lserver.exe
      C:\WINDOWS\system32\tcpsvcs.exe
      C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
      C:\hp\hpsmh\bin\rotatelogs.exe
      C:\hp\hpsmh\bin\rotatelogs.exe
      C:\hp\hpsmh\bin\hpsmhd.exe
      C:\WINDOWS\system32\sysdown.exe
      C:\hp\hpsmh\bin\rotatelogs.exe
      C:\hp\hpsmh\bin\rotatelogs.exe
      C:\WINDOWS\System32\svchost.exe
      C:\WINDOWS\system32\winlogon.exe
      C:\WINDOWS\system32\rdpclip.exe
      C:\WINDOWS\Explorer.EXE
      C:\WINDOWS\system32\cpqteam.exe
      C:\PROGRA~1\CA\ETRUST~1\realmon.exe
      C:\Program Files\OpenVPN\bin\openvpn-gui.exe
      C:\WINDOWS\System32\svchost.exe
      C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
      C:\Program Files\Karen's Power Tools\Replicator\PTReplicator.exe
      C:\Program Files\OpenVPN\bin\openvpn.exe
      C:\WINDOWS\system32\winlogon.exe
      C:\WINDOWS\system32\winlogon.exe
      C:\WINDOWS\system32\notepad.exe
      C:\WINDOWS\system32\cmd.exe
      C:\WINDOWS\system32\taskmgr.exe
      e:\Program\Solomon\AR\0826000.EXE
      C:\Program Files\Trend Micro\HijackThis\sniper.exe

      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
      R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://royal2/
      F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
      O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
      O4 - HKLM\..\Run: [CPQTEAM] cpqteam.exe
      O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
      O4 - HKLM\..\Run: [NeroFilterCheck] C:\Documents and Settings\Administrator\WINDOWS\system32\NeroCheck.exe
      O4 - HKLM\..\Run: [openvpn-gui] C:\Program Files\OpenVPN\bin\openvpn-gui.exe
      O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
      O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
      O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
      O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
      O4 - Startup: Karen's Replicator.lnk = C:\Program Files\Karen's Power Tools\Replicator\PTReplicator.exe
      O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
      O4 - Global Startup: Office Update.lnk = C:\WINDOWS\Web\OfficeUpdate.exe
      O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
      O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
      O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
      O10 - Broken Internet access because of LSP provider 'c:\documents and settings\anton\windows\system32\mswsock.dll' missing
      O15 - ESC Trusted Zone: http://www.sijiwae.net
      O15 - ESC Trusted Zone: http://*.windowsupdate.com
      O15 - ESC Trusted Zone: http://*.windowsupdate.com (HKLM)
      O15 - ESC Trusted IP range: http://172.20.20.254
      O15 - ESC Trusted IP range: http://192.168.0.5
      O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = djm.local
      O17 - HKLM\Software\..\Telephony: DomainName = djm.local
      O17 - HKLM\System\CCS\Services\Tcpip\..\{9B193DBD-1BC2-4AC0-B99B-5522A567F26A}: NameServer = 127.0.0.1
      O17 - HKLM\System\CCS\Services\Tcpip\..\{9FFE5A69-055C-458D-9ACD-D481A72E732F}: NameServer = 192.168.8.1
      O17 - HKLM\System\CCS\Services\Tcpip\..\{AE90BA15-9B3A-4E3C-A21C-E26E7904F1DA}: NameServer = 172.20.20.1
      O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = djm.local
      O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = djm.local
      O18 - Protocol: hpapp - {24F45006-5BD9-41B7-9BD9-5F8921C8EBD1} - C:\Program Files\Compaq\Cpqacuxe\Bin\hpapp.dll
      O23 - Service: HP ProLiant Remote Monitor Service (CpqRcmc) - Hewlett-Packard Company - C:\WINDOWS\system32\CpqRcmc.exe
      O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
      O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
      O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
      O23 - Service: OpenVPN Service (OpenVPNService) - Unknown owner - C:\Program Files\OpenVPN\bin\openvpnserv.exe
      O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\r_server.exe
      O23 - Service: HP ProLiant System Shutdown Service (sysdown) - Compaq Computer Corporation - C:\WINDOWS\system32\sysdown.exe
      O23 - Service: HP System Management Homepage (SysMgmtHp) - Hewlett-Packard Company - C:\hp\hpsmh\bin\smhstart.exe

      --
      End of file - 5967 bytes
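
The moderator's later question about smss.exe (Reply #5) comes down to a path check: smss.exe belongs in C:\WINDOWS\System32, not under a user profile, and the same log also lists NeroCheck.exe and mswsock.dll under a WINDOWS\system32 directory nested inside Documents and Settings. The following is an added example, not code from the thread or from HijackThis: it pulls paths from the Running processes block and the O4/O10 lines of a HijackThis log and flags any that sit in such a look-alike system directory, or that name a core system binary outside the real one. The core-binary list is an illustrative subset chosen here, the function names are this example's own, and the sample log is a trimmed excerpt of the one above.

```python
# Added example (not from the thread, not HijackThis code): scan a HijackThis
# log for paths pointing into a look-alike Windows system directory. Names and
# the CORE_SYSTEM_BINARIES subset are this example's assumptions.
import ntpath
import re

# Core processes Windows starts only from %SystemRoot%\System32.
# Illustrative subset, assumed here; extend it for your own environment.
CORE_SYSTEM_BINARIES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe",
}

# O4 autostart entries: "O4 - <hive>\..\Run: [name] <command> (User 'x')"
O4_RE = re.compile(r"^O4 - .*?: \[[^\]]*\] (.+?)(?: \(User '[^']*'\))?$")
# O10 LSP entries quote the provider's path in single quotes.
O10_RE = re.compile(r"^O10 - .*?'([^']+)'")


def command_path(command):
    """Return the executable part of an autostart command, dropping arguments."""
    m = re.match(r"(.+?\.exe)", command, re.IGNORECASE)
    return m.group(1) if m else command


def extract_paths(log_text):
    """Collect file paths from the 'Running processes:' block and O4/O10 lines."""
    paths = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.lower() == "running processes:":
            in_processes = True
            continue
        if in_processes:
            if not line:          # a blank line closes the process list
                in_processes = False
            else:
                paths.append(line)
            continue
        m = O4_RE.match(line)
        if m:
            paths.append(command_path(m.group(1).strip()))
            continue
        m = O10_RE.match(line)
        if m:
            paths.append(m.group(1))
    return paths


def is_lookalike_system_path(path, system_root=r"C:\WINDOWS"):
    """True when a path claims a system location but is not under system_root:
    either it contains a windows\\system32 segment elsewhere in the tree, or it
    is a core system binary living outside the real System32 directory."""
    root = ntpath.normpath(system_root).lower()
    p = ntpath.normpath(path.lower().replace("%systemroot%", root))
    if "\\windows\\system32\\" in p and not p.startswith(root + "\\"):
        return True
    directory, name = ntpath.split(p)
    return name in CORE_SYSTEM_BINARIES and directory != ntpath.join(root, "system32")


def find_lookalike_entries(log_text, system_root=r"C:\WINDOWS"):
    """Return the log paths that fail the check, in log order."""
    return [p for p in extract_paths(log_text) if is_lookalike_system_path(p, system_root)]


# Trimmed excerpt of the poster's log above, used as the demo input.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2

Running processes:
C:\Documents and Settings\anton\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\OpenVPN\bin\openvpn-gui.exe

O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Documents and Settings\Administrator\WINDOWS\system32\NeroCheck.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O10 - Broken Internet access because of LSP provider 'c:\documents and settings\anton\windows\system32\mswsock.dll' missing
"""

if __name__ == "__main__":
    for p in find_lookalike_entries(SAMPLE_LOG):
        print("look-alike system path:", p)
```

On the excerpt this flags exactly the three user-profile entries (smss.exe, NeroCheck.exe, mswsock.dll) and leaves the real System32 processes and the %systemroot% RunOnce entry alone.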




      evilfantasy (Malware Removal Specialist, Moderator)
      « Reply #3 on: July 31, 2008, 01:29:20 AM »
      Scan Suspicious File(s)

      Use the VirusTotal.com - Multi engine on-line virus scanner
      (If more than one file needs to be scanned, they must be done separately and logs posted for each one)

      • Copy the file path in the code box below:
      Code:
      C:\Documents and Settings\anton\WINDOWS\System32\smss.exe
      • At the upload site, click once inside the window next to Browse.
      • Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
      • Next click Send File
        • Your file will possibly be entered into a queue which normally takes less than a minute to clear.
      • This will perform a scan across multiple different virus scanning engines.
      • Important: Wait for all of the scanning engines to complete.
      • Copy and then Paste the link to the results in the next reply.

        doublexaa (Topic Starter)
        « Reply #4 on: July 31, 2008, 02:35:38 AM »
        I copied and pasted
        C:\Documents and Settings\anton\WINDOWS\System32\smss.exe
        then I clicked on the upload button, and the next browser window told me this:
        0 bytes size received / Se ha recibido un archivo vacio

        So, I copied smss.exe into my E:\ drive and re-tried to upload it. The next browser window had the result with this link address:
        http://www.virustotal.com/reanalisis.html?ef7ea982fd2a4456e6933770d3c7b918

        I hope this is okay...

        evilfantasy (Malware Removal Specialist, Moderator)
        « Reply #5 on: July 31, 2008, 02:52:21 AM »
        I am curious to know why that file is a running process.

        In the HijackThis log it shows:
        Running processes:
        C:\Documents and Settings\anton\WINDOWS\System32\smss.exe


        See if running this tool helps with the .exe files.

        Download Deckard's Association File Tool (DAFT) and save it to your desktop.
        • Double-click the daft.exe icon. Read the disclaimer and click OK
        • Click on the Scan button.
        • If it finds faulty file associations, they will appear in red beside a checkbox. If this occurs, just place a tick in the boxes in question.
        • Click the Fix button.
        • Re-scan and save a logfile.
        • By default, it will save as daft.txt
        • Post the contents of that logfile in your next reply.
        ----------

        Please run this online scan and post the log.

        Run the Kaspersky Online Scanner

        In Microsoft Windows Vista, you must open the Web browser using the Run as Administrator command. From the Desktop right click the icon and choose Run as Administrator.

        • Click on SCAN NOW
        • Click Accept.
        • The program will then begin downloading the latest definition files.
        • Once the files have been downloaded locate the Scan Settings and have it scan My Computer.
        • The scan will take a while, so be patient and let it finish.
        When the scan is done, in the Scan is complete window, any infection is displayed.
        There is no option to clean/disinfect, however, we need to analyze the information on the report.

        To obtain the report:
        Click on: Save Report As
        • Next, in the Save as prompt, Save in area, select: Desktop.
        • In the File name area use KScan, or something similar.
        • In Save as type: click the drop arrow and select: Text file [*.txt]
        • Then, click: Save


        Copy and paste the Kaspersky Online Scanner Report in your next reply.

          doublexaa (Topic Starter)
          « Reply #6 on: August 01, 2008, 12:03:07 AM »
          This is a copy of the contents of the DAFT log:

          DAFT Log saved on 2008-07-31 16:20:29
          -----------------------------------------------------------------------
          All associations okay!


          This is a copy of the contents of the Kaspersky report:

          --------------------------------------------------------------------------------
          KASPERSKY ONLINE SCANNER 7 REPORT
           Friday, August 1, 2008
           Operating System: Microsoft Windows Server 2003, Standard Edition Service Pack 1 (build 3790)
           Kaspersky Online Scanner 7 version: 7.0.25.0
           Program database last update: Thursday, July 31, 2008 10:50:35
           Records in database: 1033507
          --------------------------------------------------------------------------------

          Scan settings:
             Scan using the following database: extended
             Scan archives: yes
             Scan mail databases: yes

          Scan area - My Computer:
             A:\
             C:\
             D:\
             E:\

          Scan statistics:
             Files scanned: 107385
             Threat name: 5
             Infected objects: 38
             Suspicious objects: 0
             Duration of the scan: 01:40:09


          File name / Threat name / Threats count
          C:\WINDOWS\system32\r_server.exe/C:\WINDOWS\system32\r_server.exe   Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.21   1
          r_server.exe\ADMDLL.dll/r_server.exe\ADMDLL.dll   Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20   1
          C:\WINDOWS\system32\ADMDLL.dll/C:\WINDOWS\system32\ADMDLL.dll   Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20   1
          C:\Program Files\Radmin\AdmDll.dll   Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20   1
          C:\Program Files\Radmin\raddrv.dll   Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20   1
          C:\Program Files\Radmin\radmin.exe   Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.21   1
          C:\Program Files\Radmin\r_server.exe   Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.21   1
          C:\WINDOWS\system32\admdll.dll   Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20   1
          C:\WINDOWS\system32\raddrv.dll   Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20   1
          C:\WINDOWS\system32\r_server.exe   Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.21   1
          E:\EDP\RAdmin\RADMIN21.EXE   Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20   2
          E:\EDP\RAdmin\RADMIN21.EXE   Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.21   2
          E:\Program\EDP\Office&News\ud titip\Master\New Folder\Rippers - Encoders\Rosoft CD-Audio Extractor\Rosoftaudioconverter.exe   Infected: not-a-virus:AdWare.Win32.MyWay.ac   1
          E:\Program\EDP\Office&News\ud titip\Master\New Folder\Rippers - Encoders\Rosoftaudioconverter.exe   Infected: not-a-virus:AdWare.Win32.MyWay.ac   1
          E:\Program\EDP\RAdmin\RADMIN21.exe   Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20   2
          E:\Program\EDP\RAdmin\RADMIN21.exe   Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.21   2
          E:\Program\EDP\Radmin 2.1\RADMIN21.exe   Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20   2
          E:\Program\EDP\Radmin 2.1\RADMIN21.exe   Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.21   2
          E:\Program\EDP\Radmin 2.1\Spin\RADMIN21lib.exe   Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20   2
          E:\Program\EDP\Radmin 2.1\Spin\RADMIN21lib.exe   Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.21   2
          E:\Program\EDP\Radmin 2.1\Spin\radmin22.zip   Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.22   3
          E:\Program\EDP\Radmin 2.1\Spin\RADMIN22lib.exe   Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.22   3
          E:\Program\EDP\vnc-4_1_2-x86_win32.exe   Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4   4

          The selected area was scanned.


          evilfantasy (Malware Removal Specialist, Moderator)
          « Reply #7 on: August 01, 2008, 12:08:28 AM »
          Download OTMoveIt2 by OldTimer
          • Save it to your desktop.
          Note: If you are running on Vista, right-click on OTMoveIt2.exe and choose Run As Administrator.

          • Double-click OTMoveIt2.exe to run it.
          • Copy the lines in the codebox below.
          Code:
          [kill explorer]
          C:\WINDOWS\system32\r_server.exe/C:\WINDOWS\system32\r_server.exe
          C:\WINDOWS\system32\ADMDLL.dll/C:\WINDOWS\system32\ADMDLL.dll
          C:\Program Files\Radmin\AdmDll.dll
          C:\Program Files\Radmin\raddrv.dll
          C:\Program Files\Radmin\radmin.exe
          C:\Program Files\Radmin\r_server.exe
          C:\WINDOWS\system32\admdll.dll
          C:\WINDOWS\system32\raddrv.dll
          C:\WINDOWS\system32\r_server.exe
          E:\EDP\RAdmin\RADMIN21.EXE
          E:\EDP\RAdmin\RADMIN21.EXE
          E:\Program\EDP\Office&News\ud titip\Master\New Folder\Rippers - Encoders\Rosoft CD-Audio Extractor\Rosoftaudioconverter.exe
          E:\Program\EDP\Office&News\ud titip\Master\New Folder\Rippers - Encoders\Rosoftaudioconverter.exe
          E:\Program\EDP\RAdmin\RADMIN21.exe
          E:\Program\EDP\RAdmin\RADMIN21.exe
          E:\Program\EDP\Radmin 2.1\RADMIN21.exe
          E:\Program\EDP\Radmin 2.1\RADMIN21.exe
          E:\Program\EDP\Radmin 2.1\Spin\RADMIN21lib.exe
          E:\Program\EDP\Radmin 2.1\Spin\RADMIN21lib.exe
          E:\Program\EDP\Radmin 2.1\Spin\radmin22.zip
          E:\Program\EDP\Radmin 2.1\Spin\RADMIN22lib.exe
          E:\Program\EDP\vnc-4_1_2-x86_win32.exe
          EmptyTemp
          [start explorer]
          • Return to OTMoveIt2, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste
          • Click the red Moveit! button.
          • Copy everything in the Results window (under the green bar) and paste it in your next reply.
          • Close OTMoveIt2

            doublexaa (Topic Starter)
            « Reply #8 on: August 01, 2008, 12:25:43 AM »
            After I clicked on the MoveIt button, there was a pop-up message:

            Invalid time flag.! [C:\WINDOWS\system32\r_server.exe ]
            Must be numerical.

            Then the result window only has 1 entry:

            < C:\WINDOWS\system32\r_server.exe/C:\WINDOWS\system32\r_server.exe >

            evilfantasy (Malware Removal Specialist, Moderator)
            « Reply #9 on: August 01, 2008, 12:29:11 AM »
            Copy and paste this instead please.

            Code:
            [kill explorer]
            C:\WINDOWS\system32\r_server.exe
            C:\WINDOWS\system32\ADMDLL.dll
            C:\Program Files\Radmin\AdmDll.dll
            C:\Program Files\Radmin\raddrv.dll
            C:\Program Files\Radmin\radmin.exe
            C:\Program Files\Radmin\r_server.exe
            C:\WINDOWS\system32\admdll.dll
            C:\WINDOWS\system32\raddrv.dll
            C:\WINDOWS\system32\r_server.exe
            E:\EDP\RAdmin\RADMIN21.EXE
            E:\EDP\RAdmin\RADMIN21.EXE
            E:\Program\EDP\Office&News\ud titip\Master\New Folder\Rippers - Encoders\Rosoft CD-Audio Extractor\Rosoftaudioconverter.exe
            E:\Program\EDP\Office&News\ud titip\Master\New Folder\Rippers - Encoders\Rosoftaudioconverter.exe
            E:\Program\EDP\RAdmin\RADMIN21.exe
            E:\Program\EDP\RAdmin\RADMIN21.exe
            E:\Program\EDP\Radmin 2.1\RADMIN21.exe
            E:\Program\EDP\Radmin 2.1\RADMIN21.exe
            E:\Program\EDP\Radmin 2.1\Spin\RADMIN21lib.exe
            E:\Program\EDP\Radmin 2.1\Spin\RADMIN21lib.exe
            E:\Program\EDP\Radmin 2.1\Spin\radmin22.zip
            E:\Program\EDP\Radmin 2.1\Spin\RADMIN22lib.exe
            E:\Program\EDP\vnc-4_1_2-x86_win32.exe
            EmptyTemp
            [start explorer]

              doublexaa (Topic Starter)
              « Reply #10 on: August 01, 2008, 12:36:15 AM »
              Now, it gives me this message on the result window:


              Unable to kill explorer.exe
              C:\WINDOWS\system32\r_server.exe moved successfully.
              DllUnregisterServer procedure not found in C:\WINDOWS\system32\ADMDLL.dll
              C:\WINDOWS\system32\ADMDLL.dll NOT unregistered.
              C:\WINDOWS\system32\ADMDLL.dll moved successfully.
              DllUnregisterServer procedure not found in C:\Program Files\Radmin\AdmDll.dll
              C:\Program Files\Radmin\AdmDll.dll NOT unregistered.
              C:\Program Files\Radmin\AdmDll.dll moved successfully.
              DllUnregisterServer procedure not found in C:\Program Files\Radmin\raddrv.dll
              C:\Program Files\Radmin\raddrv.dll NOT unregistered.
              C:\Program Files\Radmin\raddrv.dll moved successfully.
              C:\Program Files\Radmin\radmin.exe moved successfully.
              C:\Program Files\Radmin\r_server.exe moved successfully.
              DllUnregisterServer procedure not found in C:\WINDOWS\system32\admdll.dll
              C:\WINDOWS\system32\admdll.dll NOT unregistered.
              C:\WINDOWS\system32\admdll.dll moved successfully.
              DllUnregisterServer procedure not found in C:\WINDOWS\system32\raddrv.dll
              C:\WINDOWS\system32\raddrv.dll NOT unregistered.
              C:\WINDOWS\system32\raddrv.dll moved successfully.
              C:\WINDOWS\system32\r_server.exe moved successfully.
              E:\EDP\RAdmin\RADMIN21.EXE moved successfully.
              File/Folder E:\EDP\RAdmin\RADMIN21.EXE not found.
              E:\Program\EDP\Office&News\ud titip\Master\New Folder\Rippers - Encoders\Rosoft CD-Audio Extractor\Rosoftaudioconverter.exe moved successfully.
              E:\Program\EDP\Office&News\ud titip\Master\New Folder\Rippers - Encoders\Rosoftaudioconverter.exe moved successfully.
              E:\Program\EDP\RAdmin\RADMIN21.exe moved successfully.
              File/Folder E:\Program\EDP\RAdmin\RADMIN21.exe not found.
              E:\Program\EDP\Radmin 2.1\RADMIN21.exe moved successfully.
              File/Folder E:\Program\EDP\Radmin 2.1\RADMIN21.exe not found.
              E:\Program\EDP\Radmin 2.1\Spin\RADMIN21lib.exe moved successfully.
              File/Folder E:\Program\EDP\Radmin 2.1\Spin\RADMIN21lib.exe not found.
              E:\Program\EDP\Radmin 2.1\Spin\radmin22.zip moved successfully.
              E:\Program\EDP\Radmin 2.1\Spin\RADMIN22lib.exe moved successfully.
              E:\Program\EDP\vnc-4_1_2-x86_win32.exe moved successfully.
              < EmptyTemp >
              File delete failed. C:\DOCUME~1\anton\LOCALS~1\Temp\1\~DFA774.tmp scheduled to be deleted on reboot.
              File delete failed. C:\DOCUME~1\anton\LOCALS~1\Temp\1\hsperfdata_anton\4500 scheduled to be deleted on reboot.
              File delete failed. C:\DOCUME~1\anton\LOCALS~1\Temp\1\jkos-anton\binaries\Arj.ppl scheduled to be deleted on reboot.
              File delete failed. C:\DOCUME~1\anton\LOCALS~1\Temp\1\jkos-anton\binaries\avlib.ppl scheduled to be deleted on reboot.
              File delete failed. C:\DOCUME~1\anton\LOCALS~1\Temp\1\jkos-anton\binaries\Avp1.ppl scheduled to be deleted on reboot.
              File delete failed. C:\DOCUME~1\anton\LOCALS~1\Temp\1\jkos-anton\binaries\AvpMgr.ppl scheduled to be deleted on reboot.
              File delete failed. C:\DOCUME~1\anton\LOCALS~1\Temp\1\jkos-anton\binaries\btimages.ppl scheduled to be deleted on reboot.
              File delete failed. C:\DOCUME~1\anton\LOCALS~1\Temp\1\jkos-anton\binaries\CAB.ppl scheduled to be deleted on reboot.
              File delete failed. C:\DOCUME~1\anton\LOCALS~1\Temp\1\jkos-anton\binaries\dmap.ppl scheduled to be deleted on reboot.
              File delete failed. C:\DOCUME~1\anton\LOCALS~1\Temp\1\jkos-anton\binaries\dtreg.ppl scheduled to be deleted on reboot.
              File delete failed. C:\DOCUME~1\anton\LOCALS~1\Temp\1\jkos-anton\binaries\FsDrvPlg.ppl scheduled to be deleted on reboot.
              File delete failed. C:\DOCUME~1\anton\LOCALS~1\Temp\1\jkos-anton\binaries\FSSync.dll scheduled to be deleted on reboot.
              File delete failed. C:\DOCUME~1\anton\LOCALS~1\Temp\1\jkos-anton\binaries\HashCont.ppl scheduled to be deleted on reboot.
              File delete failed. C:\DOCUME~1\anton\LOCALS~1\Temp\1\jkos-anton\binaries\HashMD5.PPL scheduled to be deleted on reboot.
              File delete failed. C:\DOCUME~1\anton\LOCALS~1\Temp\1\jkos-anton\binaries\HCCMP.ppl scheduled to be deleted on reboot.
              File delete failed. C:\DOCUME~1\anton\LOCALS~1\Temp\1\jkos-anton\binaries\ichk2.ppl scheduled to be deleted on reboot.
              File delete failed. C:\DOCUME~1\anton\LOCALS~1\Temp\1\jkos-anton\binaries\iChkSA.ppl scheduled to be deleted on reboot.
              File delete failed. C:\DOCUME~1\anton\LOCALS~1\Temp\1\jkos-anton\binaries\Inflate.ppl scheduled to be deleted on reboot.
              File delete failed. C:\DOCUME~1\anton\LOCALS~1\Temp\1\jkos-anton\binaries\IWGen.ppl scheduled to be deleted on reboot.
              File delete failed. C:\DOCUME~1\anton\LOCALS~1\Temp\1\jkos-anton\binaries\kave.dll scheduled to be deleted on reboot.
              File delete failed. C:\DOCUME~1\anton\LOCALS~1\Temp\1\jkos-anton\binaries\kosglue-7.0.25.0.dll scheduled to be deleted on reboot.
              File delete failed. C:\DOCUME~1\anton\LOCALS~1\Temp\1\jkos-anton\binaries\lha.ppl scheduled to be deleted on reboot.
              File delete failed. C:\DOCUME~1\anton\LOCALS~1\Temp\1\jkos-anton\binaries\L_llio.ppl scheduled to be deleted on reboot.
              File delete failed. C:\DOCUME~1\anton\LOCALS~1\Temp\1\jkos-anton\binaries\mdb.ppl scheduled to be deleted on reboot.
              File delete failed. C:\DOCUME~1\anton\LOCALS~1\Temp\1\jkos-anton\binaries\MDMAP.ppl scheduled to be deleted on reboot.
              File delete failed. C:\DOCUME~1\anton\LOCALS~1\Temp\1\jkos-anton\binaries\MemModSc.ppl scheduled to be deleted on reboot.
              File delete failed. C:\DOCUME~1\anton\LOCALS~1\Temp\1\jkos-anton\binaries\MemScan.ppl scheduled to be deleted on reboot.
              File delete failed. C:\DOCUME~1\anton\LOCALS~1\Temp\1\jkos-anton\binaries\minizip.ppl scheduled to be deleted on reboot.
              File delete failed. C:\DOCUME~1\anton\LOCALS~1\Temp\1\jkos-anton\binaries\MKavIO.ppl scheduled to be deleted on reboot.
              File delete failed. C:\DOCUME~1\anton\LOCALS~1\Temp\1\jkos-anton\binaries\msoe.ppl scheduled to be deleted on reboot.
              File delete failed. C:\DOCUME~1\anton\LOCALS~1\Temp\1\jkos-anton\binaries\msvcp80.dll scheduled to be deleted on reboot.
              File delete failed. C:\DOCUME~1\anton\LOCALS~1\Temp\1\jkos-anton\binaries\msvcr80.dll scheduled to be deleted on reboot.
              File delete failed. C:\DOCUME~1\anton\LOCALS~1\Temp\1\jkos-anton\binaries\nfio.ppl scheduled to be deleted on reboot.
              File delete failed. C:\DOCUME~1\anton\LOCALS~1\Temp\1\jkos-anton\binaries\NTFSstrm.ppl scheduled to be deleted on reboot.
              File delete failed. C:\DOCUME~1\anton\LOCALS~1\Temp\1\jkos-anton\binaries\prKernel.ppl scheduled to be deleted on reboot.
              File delete failed. C:\DOCUME~1\anton\LOCALS~1\Temp\1\jkos-anton\binaries\prLoader.dll scheduled to be deleted on reboot.
              File delete failed. C:\DOCUME~1\anton\LOCALS~1\Temp\1\jkos-anton\binaries\prseqio.ppl scheduled to be deleted on reboot.
              File delete failed. C:\DOCUME~1\anton\LOCALS~1\Temp\1\jkos-anton\binaries\PrUtil.ppl scheduled to be deleted on reboot.
              File delete failed. C:\DOCUME~1\anton\LOCALS~1\Temp\1\jkos-anton\binaries\Quantum.ppl scheduled to be deleted on reboot.
              File delete failed. C:\DOCUME~1\anton\LOCALS~1\Temp\1\jkos-anton\binaries\rar.ppl scheduled to be deleted on reboot.
              File delete failed. C:\DOCUME~1\anton\LOCALS~1\Temp\1\jkos-anton\binaries\ScanningProcess.exe scheduled to be deleted on reboot.
              File delete failed. C:\DOCUME~1\anton\LOCALS~1\Temp\1\jkos-anton\binaries\sfdb.PPL scheduled to be deleted on reboot.
              File delete failed. C:\DOCUME~1\anton\LOCALS~1\Temp\1\jkos-anton\binaries\TempFile.ppl scheduled to be deleted on reboot.
              File delete failed. C:\DOCUME~1\anton\LOCALS~1\Temp\1\jkos-anton\binaries\thpimpl.ppl scheduled to be deleted on reboot.
              File delete failed. C:\DOCUME~1\anton\LOCALS~1\Temp\1\jkos-anton\binaries\UniArc.ppl scheduled to be deleted on reboot.
              File delete failed. C:\DOCUME~1\anton\LOCALS~1\Temp\1\jkos-anton\binaries\UnLZX.ppl scheduled to be deleted on reboot.
              File delete failed. C:\DOCUME~1\anton\LOCALS~1\Temp\1\jkos-anton\binaries\UnStored.ppl scheduled to be deleted on reboot.
              File delete failed. C:\DOCUME~1\anton\LOCALS~1\Temp\1\jkos-anton\binaries\WDiskIO.ppl scheduled to be deleted on reboot.
              Temp folders emptied.
              IE temp folders emptied.
              Explorer started successfully
               
              OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 08012008_132744

              evilfantasy (Malware Removal Specialist, Moderator)
              « Reply #11 on: August 01, 2008, 12:45:18 AM »
              That's good, it moved all of them.

              Be sure to restart the computer to register the changes made by OTMoveIt2.

              Once back online please run Combofix and post the log.

              Download Combofix by sUBs from one of the links below. Important! Combofix.exe MUST be saved to and run from the Desktop.
              • Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting Combofix.
              • Important! Temporarily disable your antivirus, and any antispyware real time protection before performing a scan.
              • Click this link to see a list of security programs that should be disabled and how to disable them.
              • Double click combofix.exe & follow the prompts.
              • Choose Yes to accept the Disclaimers.
               Combofix should never take more than 20 minutes including the reboot if malware is detected.

              • When finished, it will produce a log for you.
              • Post that log in your next reply.
               Warning: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
              • If Combofix runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your computer.
              If needed, see this Combofix tutorial with screenshots that will detail more thoroughly the downloading and running of Combofix and installing the Recover Console.

              Remember to re-enable your antivirus and antispyware protection.

               Please post the Combofix log in the next reply.

              doublexaa


                Re: How to renamed files infected by virus MALAS?
                « Reply #12 on: August 04, 2008, 12:02:24 AM »
                Below is a copy of the ComboFix log:



                ComboFix 08-08-03.03 - anton 2008-08-04 12:23:01.1 - NTFSx86
                Microsoft(R) Windows(R) Server 2003, Standard Edition  5.2.3790.1.1252.1.1033.18.1414 [GMT 7:00]
                Running from: C:\Documents and Settings\anton\Desktop\ComboFix.exe

                WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
                .

                (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
                .

                C:\WINDOWS\system32\dns.exe

                .
                (((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
                .

                -------\Legacy_DNS
                -------\Service_DNS


                (((((((((((((((((((((((((   Files Created from 2008-07-04 to 2008-08-04  )))))))))))))))))))))))))))))))
                .

                2008-07-31 17:08 . 2008-07-31 17:08   <DIR>   d--------   C:\WINDOWS\Sun
                2008-07-31 17:05 . 2008-07-31 17:05   <DIR>   d--------   C:\Program Files\Sun
                2008-07-31 17:04 . 2008-06-10 02:32   73,728   ---------   C:\WINDOWS\system32\javacpl.cpl
                2008-07-31 17:03 . 2008-07-31 17:04   <DIR>   d--------   C:\Program Files\Java
                2008-07-31 16:47 . 2008-07-31 16:47   <DIR>   d--------   C:\Program Files\Common Files\Java
                2008-07-31 15:17 . 2008-07-31 15:17   <DIR>   d--------   C:\Program Files\SlimBrowser
                2008-07-31 15:17 . 2008-07-31 15:33   <DIR>   d--------   C:\Documents and Settings\anton\Application Data\SlimBrowser
                2008-07-31 13:25 . 2008-07-31 13:25   <DIR>   d--------   C:\Program Files\Trend Micro
                2008-07-25 12:08 . 2008-07-25 12:08   34   ---------   C:\null
                2008-07-22 19:20 . 2008-07-22 19:20   <DIR>   d--------   C:\Documents and Settings\teddy\Application Data\ESTsoft
                2008-07-13 13:00 . 2008-07-13 13:00   69   ---------   C:\WINDOWS\NeroDigital.ini
                2008-07-12 09:18 . 2008-07-12 09:18   <DIR>   d--------   C:\Documents and Settings\billy\Application Data\ESTsoft

                .
                ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
                .
                2008-08-01 06:27   ---------   d-----w   C:\Program Files\Radmin
                .

                (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
                .
                .
                *Note* empty entries & legit default entries are not shown
                REGEDIT4

                [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                "Realtime Monitor"="C:\PROGRA~1\CA\ETRUST~1\realmon.exe" [2004-04-06 17:14 504080]
                "NeroFilterCheck"="C:\Documents and Settings\Administrator\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
                "openvpn-gui"="C:\Program Files\OpenVPN\bin\openvpn-gui.exe" [2005-08-18 15:55 99328]
                "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
                "CPQTEAM"="cpqteam.exe" [2006-07-19 04:43 90214 C:\WINDOWS\system32\cpqteam.exe]

                C:\Documents and Settings\anton\Start Menu\Programs\Startup\
                Karen's Replicator.lnk - C:\Program Files\Karen's Power Tools\Replicator\PTReplicator.exe [2005-11-19 16:17:39 976608]

                [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
                "disablecad"= 0 (0x0)

                [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
                "ShowSuperHidden"= 1 (0x1)

                [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
                "UIHost"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,33,32,\

                [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
                SecurityProviders   msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, pwdssp.dll

                [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
                @="Service"

                [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\wd.sys]
                @="Driver"

                R0 cpqcissm;cpqcissm;C:\WINDOWS\system32\drivers\cpqcissm.sys [2006-05-19 12:12]
                R0 DfsDriver;DfsDriver;C:\WINDOWS\system32\drivers\Dfs.sys [2006-03-22 19:00]
                R2 DHCPServer;DHCP Server;C:\WINDOWS\system32\tcpsvcs.exe [2006-03-22 19:00]
                R2 IsmServ;Intersite Messaging;C:\WINDOWS\System32\ismserv.exe [2006-03-22 19:00]
                R2 kdc;Kerberos Key Distribution Center;C:\WINDOWS\System32\lsass.exe [2006-03-22 19:00]
                R2 MSSEARCH;Microsoft Search;C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe [2004-10-12 22:10]
                R2 NtFrs;File Replication Service;C:\WINDOWS\system32\ntfrs.exe [2006-03-22 19:00]
                R2 r_server;Remote Administrator Service;C:\WINDOWS\system32\r_server.exe [2001-07-24 03:00]
                R2 TermServLicensing;Terminal Server Licensing;C:\WINDOWS\system32\lserver.exe [2006-03-22 19:00]
                R3 ati2mpad;ati2mpad;C:\WINDOWS\system32\DRIVERS\ati2mpad.sys [2005-03-25 00:55]
                R3 cpqasm2;cpqasm2;C:\WINDOWS\system32\DRIVERS\cpqasm2.sys [2006-07-14 13:57]
                R3 CpqCiDrv;HP iLO Management Channel Interface Driver;C:\WINDOWS\system32\DRIVERS\cpqcidrv.sys [2006-03-10 13:40]
                R3 CPQCISSE;CPQCISSE;C:\WINDOWS\system32\DRIVERS\CPQCISSE.sys [2006-06-16 12:13]
                R3 q57w2k;HP NC7782 Gigabit Server Adapter;C:\WINDOWS\system32\DRIVERS\q57xp32.sys [2006-08-16 00:47]
                R3 sysmgmt;HP ProLiant System Management Interface Driver;C:\WINDOWS\system32\DRIVERS\sysmgmt.sys [2006-07-14 13:57]
                R3 tap0801;TAP-Win32 Adapter V8;C:\WINDOWS\system32\DRIVERS\tap0801.sys [2004-06-24 08:54]
                S3 CPQTeam;HP Network Configuration Utility;C:\WINDOWS\system32\DRIVERS\cpqteam.sys [2006-07-19 04:00]
                S3 RSoPProv;Resultant Set of Policy Provider;C:\WINDOWS\system32\RSoPProv.exe [2006-03-22 19:00]
                S3 sacsvr;Special Administration Console Helper;C:\WINDOWS\System32\svchost.exe [2006-03-22 19:00]
                S3 WLBS;Network Load Balancing;C:\WINDOWS\system32\DRIVERS\wlbs.sys [2006-03-22 19:00]
                S4 ClusDisk;Cluster Disk Driver;C:\WINDOWS\system32\DRIVERS\ClusDisk.sys [2006-03-22 19:00]
                S4 startdss;HP ProLiant Virtual Install Disk Support Driver;C:\WINDOWS\system32\drivers\startdss.sys []
                S4 TrkSvr;Distributed Link Tracking Server;C:\WINDOWS\system32\svchost.exe [2006-03-22 19:00]
                S4 Tssdis;Terminal Services Session Directory;C:\WINDOWS\System32\tssdis.exe [2006-03-22 19:00]

                [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
                WinErr   REG_MULTI_SZ      ERsvc
                DcomLaunch   REG_MULTI_SZ      DcomLaunch
                tapisrv   REG_MULTI_SZ      Tapisrv
                regsvc   REG_MULTI_SZ      RemoteRegistry
                swprv   REG_MULTI_SZ      swprv

                HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
                AeLookupSvc
                AppMgmt
                AudioSrv
                Browser
                CryptSvc
                DMServer
                HidServ
                LanmanServer
                LanmanWorkstation
                Messenger
                Nla
                NWCWorkstation
                Sacsvr
                Schedule
                Seclogon
                Themes
                TrkWks
                TrkSvr
                Wmi
                WmdmPmSp
                winmgmt
                xmlprov
                BITS
                wuauserv
                ShellHWDetection
                helpsvc

                [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##200.200.200.32#c$#office2003]
                \Shell\AutoRun\command - Z:\SETUP.EXE /AUTORUN
                \Shell\configure\command - Z:\SETUP.EXE
                \Shell\install\command - Z:\SETUP.EXE

                [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}]
                %SystemRoot%\system32\rundll32.exe iesetup.dll,IEHardenAdmin

                [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}]
                %SystemRoot%\system32\rundll32.exe iesetup.dll,IEHardenUser
                .
                Contents of the 'Scheduled Tasks' folder
                .
                .
                ------- Supplementary Scan -------
                .
                R0 -: HKCU-Main,Start Page = about:blank
                R1 -: HKCU-Internet Connection Wizard,ShellNext = hxxp://royal2/
                O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
                O17 -: HKLM\CCS\Interface\{9B193DBD-1BC2-4AC0-B99B-5522A567F26A}: NameServer = 127.0.0.1
                O17 -: HKLM\CCS\Interface\{9FFE5A69-055C-458D-9ACD-D481A72E732F}: NameServer = 192.168.8.1
                O17 -: HKLM\CCS\Interface\{AE90BA15-9B3A-4E3C-A21C-E26E7904F1DA}: NameServer = 172.20.20.1
                O18 -: Handler: hpapp - {24F45006-5BD9-41B7-9BD9-5F8921C8EBD1} - C:\Program Files\Compaq\Cpqacuxe\Bin\hpapp.dll


                **************************************************************************

                catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
                Rootkit scan 2008-08-04 12:31:35
                Windows 5.2.3790 Service Pack 1 NTFS

                scanning hidden processes ...

                scanning hidden autostart entries ...

                scanning hidden files ...

                scan completed successfully
                hidden files: 0

                **************************************************************************
                .
                --------------------- DLLs Loaded Under Running Processes ---------------------

                PROCESS: C:\WINDOWS\system32\winlogon.exe
                PROCESS: C:\WINDOWS\system32\winlogon.exe
                -> C:\WINDOWS\system32\tsd32.dll
                .
                ------------------------ Other Running Processes ------------------------
                .
                C:\WINDOWS\system32\msdtc.exe
                C:\WINDOWS\system32\CpqRcmc.exe
                C:\WINDOWS\system32\dfssvc.exe
                C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
                C:\Program Files\CA\eTrust Antivirus\InoRT.exe
                C:\Program Files\CA\eTrust Antivirus\InoTask.exe
                C:\hp\hpsmh\bin\smhstart.exe
                C:\hp\hpsmh\bin\hpsmhd.exe
                C:\WINDOWS\system32\sysdown.exe
                C:\hp\hpsmh\bin\rotatelogs.exe
                C:\hp\hpsmh\bin\rotatelogs.exe
                C:\hp\hpsmh\bin\hpsmhd.exe
                C:\hp\hpsmh\bin\rotatelogs.exe
                C:\hp\hpsmh\bin\rotatelogs.exe
                C:\WINDOWS\system32\userinit.exe
                C:\WINDOWS\system32\rdpclip.exe
                C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
                C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
                .
                **************************************************************************
                .
                Completion time: 2008-08-04 12:32:25 - machine was rebooted
                ComboFix-quarantined-files.txt  2008-08-04 05:32:22

                Pre-Run: 34,497,806,336 bytes free
                Post-Run: 34,599,141,376 bytes free

                178

                evilfantasy

                Re: How to renamed files infected by virus MALAS?
                « Reply #13 on: August 04, 2008, 02:10:25 AM »
                • Click START then RUN
                • Now type Combofix /u in the runbox
                • Make sure there's a space between Combofix and /u
                • Then hit Enter.
                .
                ----------

                1. Double click OTMoveIt2.exe to launch it.
                Vista users right click and choose Run As Administrator
                2. Click on the CleanUp! button.
                3. OTMoveIt2 will download a list from the Internet; if your firewall or other defensive programs alert you, allow it access.
                4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)
                5. Once complete, exit out of OTMoveIt2.

                ----------

                Set a New Restore Point to prevent possible reinfection from an old one
                Setting a new restore point AFTER cleaning your system will enable your computer to roll-back to a clean working state if needed.
                • Go to Start > Programs > Accessories > System Tools and click System Restore
                • Choose the radio button marked Create a Restore Point on the first screen, then click Next. Give the Restore Point a name, then click Create.
                • The new restore point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
                • Next go to Start > Run and type Cleanmgr
                • Click OK
                • Click the More Options Tab.
                • Click Clean Up in the System Restore section to remove all previous restore points except the newly created clean one.
                You can find instructions on how to enable and re-enable system restore here:

                Windows XP System Restore Guide or Windows Vista System Restore Guide
                .
                ----------

                Use the Secunia Software Inspector to check for out of date software.
                • Click Start Now
                • Check the box next to Enable thorough system inspection.
                • Click Start
                • Allow the scan to finish and scroll down to see if any updates are needed.
                • Update anything listed.
                .
                ----------

                How is everything now?

                doublexaa


                  Re: How to renamed files infected by virus MALAS?
                  « Reply #14 on: August 05, 2008, 10:23:46 PM »
                  Thanks for the effort of helping clean my computer of the virus.

                  Before I posted this current post, I had posted with the headline "batch files used to rename files".
                  I was helped by Dias and was given a script:

                  @echo off
                  setlocal enabledelayedexpansion
                  set /a filesfound=0
                  echo Searching C:\ and subfolders for files named *lib.exe
                  cd /d c:\
                  rem "delims=" keeps the whole line in %%F; without it the path is cut at the
                  rem first space, so files under "C:\Documents and Settings\..." are never renamed
                  for /f "delims=" %%F in ('dir /b /s *lib.exe') do (
                     set "drive=%%~dF"
                     set "folder=%%~pF"
                     set "name=%%~nF"
                     rem strip only the trailing "lib" that the virus appended, not every "lib" in the name
                     set "newname=!name:~0,-3!"
                     if not "!newname!"=="" (
                        echo Renaming "!drive!!folder!!name!.exe" to "!newname!.exe"
                        ren "!drive!!folder!!name!.exe" "!newname!.exe"
                        set /a filesfound+=1
                     )
                  )
                  echo Renamed !filesfound! files
                  echo Press any key to exit
                  pause>nul

                  This script basically searches a directory's folders and subfolders for <orig_name>lib.exe and renames it to <orig_name>.exe.

                  However, this script works on some folders but not on others.
                  I made a case study by creating a similar situation on another computer (virus-free and with administrator privileges). What I did was:
                  1. I created 2 new files, anton01lib.txt and anton02lib.txt
                  2. I put anton01lib.txt in C:\ and anton02lib.txt in C:\Documents and Settings\user\Desktop
                  3. I slightly modified the script by changing exe into txt

                  When I ran the script, it renamed the one in C:\ while the one on the desktop remained unchanged.  ???

                  Now back to my original question.  :(

                  How do I rename/change my files' names back into their original names? (around 2500+ files on drive c:\ and e:\)

                  Those files had an exe extension and were renamed from <orig_name>.exe to <orig_name>lib.exe, and a shortcut was created based on the original file's name.
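The same rename-back written in Python, as an added example (it is not the script from the thread or from Dias): it keeps paths with spaces whole, which is what a batch `for /f` loop without "delims=" fails to do on "C:\Documents and Settings", strips only the trailing "lib", and supports a dry run so the plan can be reviewed before 2500 files are touched. The sample tree, file names and temporary directory are constructed for the demo.

```python
"""Rename <name>lib.exe back to <name>.exe (added example, not the thread's
batch script).  It keeps paths with spaces whole, which a batch `for /f`
loop without "delims=" does not, and strips only the trailing "lib", so
"zlibtoollib.exe" becomes "zlibtool.exe" rather than "tool.exe"."""
import os
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple

SUFFIX = "lib"   # appended by the virus, per the thread
EXT = ".exe"


def restore_name(filename: str) -> Optional[str]:
    """Original name for a renamed file, or None if it is not one
    (a stem that is only "lib" has nothing left to restore)."""
    stem, ext = os.path.splitext(filename)
    if ext.lower() != EXT or not stem.lower().endswith(SUFFIX):
        return None
    original = stem[: -len(SUFFIX)]
    return original + ext if original else None


def batch_default_token(path: str) -> str:
    """What `for /f %%F in ('dir /b /s ...')` yields without "delims=":
    only the first whitespace-separated token, so `ren` later sees
    'C:\\Documents' and fails for anything under 'Documents and Settings'."""
    return path.split()[0]


def rename_back(root: Path, dry_run: bool = True) -> List[Tuple[Path, Path]]:
    """Walk `root` and rename each <name>lib.exe to <name>.exe; returns the
    (old, new) pairs.  dry_run=True only plans, so the list can be reviewed
    before ~2500 files are touched; an existing target is never overwritten."""
    planned = []
    for dirpath, _dirs, filenames in os.walk(root):
        for fn in filenames:
            new_fn = restore_name(fn)
            if new_fn is None:
                continue
            old, new = Path(dirpath) / fn, Path(dirpath) / new_fn
            if new.exists():
                continue
            planned.append((old, new))
            if not dry_run:
                old.rename(new)
    return planned


def demo() -> Dict[str, List[str]]:
    """Constructed sample tree mirroring the thread's test: one file in the
    root and one under a directory path that contains spaces."""
    tmp = Path(tempfile.mkdtemp())
    desktop = tmp / "Documents and Settings" / "user" / "Desktop"
    desktop.mkdir(parents=True)
    for f in (tmp / "anton01lib.exe", desktop / "anton02lib.exe",
              desktop / "zlibtoollib.exe", tmp / "notepad.exe"):
        f.write_bytes(b"MZ")  # constructed stand-ins, not real programs
    preview = rename_back(tmp, dry_run=True)   # review the plan first ...
    done = rename_back(tmp, dry_run=False)     # ... then apply it
    return {"previewed": sorted(o.name for o, _ in preview),
            "renamed": sorted(n.name for _, n in done),
            "still_lib": sorted(p.name for p in tmp.rglob("*lib.exe"))}
```

Run it against a real tree with `rename_back(Path("C:/"), dry_run=True)` first and read the returned list before switching to `dry_run=False`; the E: drive needs a second call with its own root.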
                   

                  evilfantasy

                  Re: How to renamed files infected by virus MALAS?
                  « Reply #15 on: August 05, 2008, 10:28:28 PM »
                  Honestly I don't know. You're better off sticking with who was helping you on that.