
Author Topic: Cannot even see Control Panel...Loaded with restrictions  (Read 34686 times)


evilfantasy

  • Malware Removal Specialist
  • Moderator


  • Genius
  • Calm like a bomb
  • Thanked: 493
  • Experience: Experienced
  • OS: Windows 11
Re: Cannot even see Control Panel...Loaded with restrictions
« Reply #15 on: March 20, 2008, 09:33:43 AM »
Combofix disconnects the computer from the internet while it is running. It may be reconnecting the internet connection. Restarting the computer will do this also if Combofix has any problems doing it.

Did it run? You can find the log in C:\combofix.txt

db10

    Topic Starter


    Rookie

    Re: Cannot even see Control Panel...Loaded with restrictions
    « Reply #16 on: March 20, 2008, 05:45:26 PM »
    Hi,
    Had to get a R/W CD-ROM working on this computer and finally got ComboFix installed on her system.  Started it about an hour and a half ago, clicked the agreement etc and it did save and started "scanning."  It's been sitting there in "Auto" scan with the msg
    Scanning for infected files...
    This typically doesn't take more than 10 minutes
    However, scan times for badly infected machines may easily double.
    Blinking cursor (-)

    ("Windows Security Alert box"...click here to download spyware remover.) keeps popping up about every 5 minutes (like it usually does) and the cursor in the Auto scan Box disappears until I check "NO" in the "Alert Box."

    Did not have an option to Enter 1 from the kybd.  Do you think this is running?  7:40 PM now EST.  Been seeing that window (Auto Scan) since 6:10 PM....DB
       

    evilfantasy

    Re: Cannot even see Control Panel...Loaded with restrictions
    « Reply #17 on: March 20, 2008, 05:51:11 PM »
    Go ahead and exit out of it and try something else. If it doesn't work like this we will move to something else.
    • Make sure combofix is located on your desktop.
    • Now STOP all your monitoring programs
    • Click this link to see a list of security programs that should be disabled and how to disable them.
    • Click on your START button and choose Run.  Then copy/paste the entire content of the following Codebox (Including the "" marks and the Symbols) into the run box.
                                       
      Code:
      "%userprofile%\desktop\ComboFix.exe" /KillAll
    • Click OK and this will start combofix in a special way.
    • When finished, it will produce a log.
    • Please save that log to a Notepad File and include it in your next reply.
    Note:
    Do not mouse-click combofix's window while it is running. That may cause it to stall.

    * ComboFix will automatically Restart your machine when the KillAll switch is used.

    Combofix (CF) disconnects your machine from the internet. The connection is automatically restored before CF completes its run.
    If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    db10

      Re: Cannot even see Control Panel...Loaded with restrictions
      « Reply #18 on: March 20, 2008, 07:19:15 PM »
      Hi...We had a pwr outage briefly (Flux) and "ComboFix" started again and this time, deleted a bunch of files but did stop again.  Do you want me to follow your last or restart again to see if it may finish? Dan

      evilfantasy

      Re: Cannot even see Control Panel...Loaded with restrictions
      « Reply #19 on: March 20, 2008, 07:21:58 PM »
      Did combofix finish? I need the log, look in C:\combofix.txt to see if it is there.

      If not then run it again and try to get the log.

      db10

        Re: Cannot even see Control Panel...Loaded with restrictions
        « Reply #20 on: March 20, 2008, 11:24:16 PM »
        Hi evilfantasy,

        Finally got the logs you wanted.  Had to use the /KillAll to get the ComboFix report to complete.  Sorry I couldn't get back sooner...take care of my 85 yr Mom here and had to do some hardware maint on my sys to be able to transfer files back and forth.  Hardware is my area since 1978 (before the PC.)

        I really appreciate your help here and am actually enjoying learning this area.

        Will check for your reply later...Dan


        [recovering space - attachment deleted by admin]

        evilfantasy

        Re: Cannot even see Control Panel...Loaded with restrictions
        « Reply #21 on: March 21, 2008, 12:15:36 AM »
        Good to know you have some computer experience, together we should be able to get through this. Things should start going smoother after these steps (I hope  :-\ )

        Don't worry about a quick reply, I understand.....

        Go to Add/Remove Programs and uninstall:

        WildTangent GameChannel (remove only)
        WildTangent Web Driver


        ---------------

        Open Hijackthis and select Do a system scan only.

        Place a check mark next to the following entries: (if there)

        - R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://as.starware.com/dp/search?x=wKX1ILEOi+UdWpSlz2q9Dzn13Emww/Ywt/2xYhTlJWsTa T2qe9hmytdAJoE25pY3WIUBWZ7vhxCle3JobzTa ZoNa3dbzZtyamo5qZEQXR7oJEjrweFibNOENq5+tV vesgY5ULM7jxUI=
        - R3 - URLSearchHook: (no name) - - (no file)
        - O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZNxdm41430


        Important: Close all windows except for Hijackthis and then click Fix checked.

        Exit Hijackthis.

        ----------

        Now download The Avenger by Swandog46 and save it to your Desktop.
        • Extract avenger.exe from the Zip file and save it to your desktop
        • Run avenger.exe by double-clicking on it.
        • Do not change any check box options!!
        • Copy everything in the Code box below, and paste it into the Input script here window:
        Code:
        Files to delete:
        C:\WINDOWS\system32\jzoiszad.dllbox
        C:\Documents and Settings\All Users\Application Data\TEMP
        C:\WINDOWS\system32\ansjdsqv.ini
        C:\WINDOWS\system32\juhmrlgf.ini
        C:\Program Files\tmp11251218.exe
        C:\Program Files\tmp11239515.exe
        C:\Program Files\11053328.exe
        C:\Program Files\11067703.exe
        C:\WINDOWS\system32\wvuspmn.dll

        Registry keys to delete:
        HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1613FC40-73BD-43E3-3CAB-54FBBC3227B1}
        HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6e60e56e-4f29-4448-b76c-38947546a4df}
        HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{875A1348-7674-42aa-ADAC-B4F36A004A2D}
        HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8ABA9A9C-8791-4d61-8D5B-BCC9448EA573}
        HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{94D4C983-7FF6-4626-AB3A-56F0587F94A4}
        HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}
        HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B02C0C3D-752C-4905-82E2-E2EED48F06A1}
        HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F10587E9-0E47-4CBE-ABCD-7DD20B8622FF}
        HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F1DDFD59-6070-4FB1-92C1-E285DC8B3FBA}
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{11A69AE4-FBED-4832-A2BF-45AF82825583}
        HKEY_CLASSES_ROOT\clsid\{11a69ae4-fbed-4832-a2bf-45af82825583}
        HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{11A69AE4-FBED-4832-A2BF-45AF82825583}
        HKEY_CLASSES_ROOT\clsid\{11a69ae4-fbed-4832-a2bf-45af82825583}
        HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System Services
        HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\System Services
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\plite731
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\78d2b5e2
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
        HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jzoiszad
        HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnlkji


        Note: the above instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system


        • Now click the Execute button.
        • Click Yes to the prompt to confirm you want to execute.
        • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
        • Your PC should reboot, if not, reboot it yourself.
        • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.
        • Please add the Avenger log in your next post.
        ---------------

        Please download ATF Cleaner by Atribune. ATF Cleaner.exe

        Make sure that all browser windows are closed.
        • Under the Main tab, put a check next to Select All.
          Click the Empty Selected button. (Note: if you remove cookies, automated login at forums and sites will be disabled. If you do not want this, uncheck Cookies)
        • If you use the Firefox browser:
          Click on Firefox at the top and put a check next to Select All.
          If you would like to keep your saved passwords, click No at the prompt.
          Click the Empty Selected button. (Note: if you remove cookies, automated login at forums and sites will be disabled. If you do not want this, uncheck Cookies)
        • If you use the Opera browser:
          Click on Opera at the top and put a check next to Select All.
          If you would like to keep your saved passwords, click No at the prompt.
          Click the Empty Selected button. (Note: if you remove cookies, automated login at forums and sites will be disabled. If you do not want this, uncheck Cookies)
        Important: Restart the computer before continuing.


        ---------------

        Please download Malwarebytes' Anti-Malware (MBAM) to your desktop from either of these two links.
        • Double-click mbam-setup.exe and follow the prompts to install the program.
        • At the end, be sure a checkmark is placed next to
          • Update Malwarebytes' Anti-Malware
          • Launch Malwarebytes' Anti-Malware
        • Click Finish.
        • If an update is found, it will download and install the latest version.
        • Once the program has loaded, select Perform full scan, then click Scan.
        • When the scan is complete, click OK, then Show Results to view the results.
        • Be sure that everything is checked, and click Remove Selected.
        • When completed, a log will open in Notepad.
        • Please copy and paste the log into your next reply
        Note: If you accidentally close the log it can be retrieved at any time from the Malwarebytes' Anti-Malware main screen.
        • Launch Malwarebytes' Anti-Malware.
        • Click the Logs tab.
        • Double-click log-mm.dd.yyyy [xxxxxx].txt
          ---------------

          Now run a new Hijackthis scan and post that log also.

          Items needed in next post:
          Avenger log
          MBAM log
          New Hijackthis log


          Let me know how things are now.
          « Last Edit: March 21, 2008, 02:08:24 AM by evilfantasy »

          db10

            Re: Cannot even see Control Panel...Loaded with restrictions
            « Reply #22 on: March 21, 2008, 04:35:33 AM »
            Hi,
            Things are looking a lotttt better!  Have Ctrl Panel and display settings back.  All on your list went smooth (just takes extra time working from two computers and making disks back and forth etc.).  After sending this, I will try to go on-line with Keri's system and see what happens.  I'll send a separate note.

            All logs are attached and here is what I am getting on start-up:

            Windows can't open MWSOEMON.EXE.vir...Search on-line? or elsewhere?  That comes up twice during startup (same file)

            RUNDLL
            Error loading
            C:\Windows\System32\spbuqqxi.dll  and
            C:\Windows\System32\pfhvlxjr.dll

            Both "Specified Module could not be found."

            Will try going on-line with keri's sys now and drop another Post.

            Thanks,
            Dan

            [recovering space - attachment deleted by admin]

            db10

              Re: Cannot even see Control Panel...Loaded with restrictions
              « Reply #23 on: March 21, 2008, 05:50:19 AM »
              Hi evilfantasy,

              On-line now with Keri's system and so far, no pop-ups or interference from IE.  Using "Firefox"...just downloaded with this unit and all was good.

              Looking forward to your review of the "reports" and "other" comments.

              Will get a few Zzzzz now and catch you a little later.

              Thanks,
              Dan

              evilfantasy

              Re: Cannot even see Control Panel...Loaded with restrictions
              « Reply #24 on: March 21, 2008, 08:46:14 AM »
              Glad things are improving!! I sort of thought they may after those steps.

              The logs are all blank. Go to the locations they save to and post new ones.

              Avenger is in C:\avenger.txt

              MBAM can be retrieved at any time from the Malwarebytes' Anti-Malware main screen.

                  * Launch Malwarebytes' Anti-Malware.
                  * Click the Logs tab.
                  * Double-click log-mm.dd.yyyy [xxxxxx].txt

              Run a new Hijackthis scan for its log.

              db10

                Re: Cannot even see Control Panel...Loaded with restrictions
                « Reply #25 on: March 21, 2008, 09:48:43 AM »
                Good morning,
                Sorry about the logs being blank. I copied them from floppy and the data was on the floppy???

                These came right out of her computer.  I hope they are intact.  Will get off line after this post and do another HiJack Scan and then come back and post it.

                Dan


                [recovering space - attachment deleted by admin]

                db10

                  Re: Cannot even see Control Panel...Loaded with restrictions
                  « Reply #26 on: March 21, 2008, 10:19:58 AM »
                  Here is the latest HiJack This Log...DB



                  [recovering space - attachment deleted by admin]

                  evilfantasy

                  Re: Cannot even see Control Panel...Loaded with restrictions
                  « Reply #27 on: March 21, 2008, 10:59:32 AM »
                  Looking better. I'm glad you are online with the PC now, I know how frustrating transferring everything can be.

                  Still some work to do.

                  Open Hijackthis and select Do a system scan only.

                  Place a check mark next to the following entries: (if still there)

                  - O2 - BHO: 0 - {1613FC40-73BD-43E3-3CAB-54FBBC3227B1} - C:\Program Files\Windows Media Player\rybi.dll (file missing)
                  - O2 - BHO: {fd4a6457-4983-c67b-8444-92f4e65e06e6} - {6e60e56e-4f29-4448-b76c-38947546a4df} - C:\WINDOWS\System32\lklnfaim.dll (file missing)
                  - O2 - BHO: BndShell3 BHO Class - {8ABA9A9C-8791-4d61-8D5B-BCC9448EA573} - C:\Program Files\ISM\BndDrive7.dll (file missing)
                  - O2 - BHO: (no name) - {94D4C983-7FF6-4626-AB3A-56F0587F94A4} - C:\WINDOWS\System32\geedc.dll (file missing)
                  - O2 - BHO: (no name) - {B02C0C3D-752C-4905-82E2-E2EED48F06A1} - C:\Program Files\ComPlus Applications\nipysado4444.dll (file missing)
                  - O2 - BHO: (no name) - {F1DDFD59-6070-4FB1-92C1-E285DC8B3FBA} - C:\Program Files\ComPlus Applications\nipysado83122.dll (file missing)
                  - O16 - DPF: {50BD5CDA-4BA8-4048-8FAA-763F222E41D8} - ms-its:mhtml:file://c:\nores.mht!http://adxrnet.net/code/chm/xpre.chm::/xpreloa d.ocx
                  - O16 - DPF: {54D53429-945C-4188-B460-C81356541882} (SaveImageFiles Class) - http://eshare.hpphoto.com/Download/HPeServicesLocalPrint.CAB
                  - O16 - DPF: {6218F7B5-0D3A-48BA-AE4C-49DCFA63D400} (CSEQueryObject Object) - http://www.myheritage.com/Genoogle/Components/ActiveX/SearchEngineQuery.dll


                  Important: Close all windows except for Hijackthis and then click Fix checked.

                  Exit Hijackthis.

                  ----------

                  Download Vundofix.exe to your desktop.

                  • Double-click VundoFix.exe to run it.
                  • When VundoFix opens, click the Scan for Vundo button.
                  • Once it's done scanning, click the Remove Vundo button.
                  • You will receive a prompt asking if you want to remove the files, click YES
                  • Once you click yes, your desktop will go blank as it starts removing Vundo.
                  • When completed, it will prompt that it will shutdown your computer, click OK.
                  • Turn your computer back on.
                  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
                  Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears at reboot.

                  Please let Vundo finish; sometimes it can take multiple passes.

                  ----------

                  Download SDFix.exe and save it to your Desktop.

                  Double click SDFix.exe and it will extract the files to %systemdrive%
                  (Drive that contains the Windows Directory, typically C:\SDFix)

                  Please then reboot your computer in Safe Mode by doing the following:

                  • Restart your computer
                  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
                  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
                  • Select the first option, to run Windows in Safe Mode, then press Enter.
                  • Choose your usual account.
                  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
                  • Type Y to begin the cleanup process.
                  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
                  • Press any Key and it will restart the PC.
                  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
                  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
                    (Report.txt will also be copied to Clipboard).
                  • Finally add the contents of the Report.txt in your next post.
                  ----------

                  Now run another NEW Hijackthis scan and post that log also.

                  ----------

                  Next post please add
                  Vundofix log
                  SDFix log
                  New Hijackthis log

                  db10

                    Re: Cannot even see Control Panel...Loaded with restrictions
                    « Reply #28 on: March 21, 2008, 05:10:03 PM »
                    Hi again,
                    Sheesh...Was out for a while then sat back down at the computer, touched the keyboard and all *censored* broke loose (beeping)...stupid bad kybd connector.  Wouldn't even re-boot. Well 30 yrs in hardware and a little solder and back to you...
                    Couldn't find a "Vundofix.log", only the "addmorefiles.txt".  If not right, I'll look again.
                    The rest is there (I will check after post to be sure they contain data.)

                    FOR INFO: Still getting "Windows can't open MWSOEMON.EXE.vir" twice on each re-boot.

                    Still getting RUNDLL "Error loading" C:\Windows\System32\spbuqqxi.dll and pfhvlxjr.dll.  I believe they were both removed.  Would have to read the logs again.

                    Let me know if I missed anything.
                    Dan


                    [recovering space - attachment deleted by admin]

                    evilfantasy

                    Re: Cannot even see Control Panel...Loaded with restrictions
                    « Reply #29 on: March 21, 2008, 05:45:25 PM »
                    Go to C:\QooBox and delete the entire QooBox folder and empty the recycle bin afterwards.

                    ----------

                    Open Hijackthis and select Do a system scan only.

                    Place a check mark next to the following entries: (if there)

                    - O4 - HKLM\..\Run: [Windows Network Management and Security Layer] "C:\WINDOWS\system32\nmsl.exe" *
                    - O4 - HKLM\..\Run: [plite731] C:\WINDOWS\plite731.exe
                    - O4 - HKLM\..\Run: [Network Translation Service] "C:\WINDOWS\nts.exe" *
                    - O4 - HKLM\..\Run: [78d2b5e2] rundll32.exe "C:\WINDOWS\System32\pfhvlxjr.dll",b
                    - O4 - HKLM\..\Run: [BM7be1867e] Rundll32.exe "C:\WINDOWS\System32\spbuqqxi.dll",s
                    - O4 - HKCU\..\Run: [System Services] aivbbzlgg.exe
                    - O4 - HKCU\..\RunServices: [System Services] aivbbzlgg.exe
                    - O4 - HKUS\S-1-5-18\..\Run: [Windows Network Management and Security Layer] "C:\WINDOWS\system32\nmsl.exe" * (User 'SYSTEM')
                    - O4 - HKUS\.DEFAULT\..\Run: [Windows Network Management and Security Layer] "C:\WINDOWS\system32\nmsl.exe" * (User 'Default user')
                    - O4 - Startup: MyWebSearch Email Plugin.lnk = C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE.vir
                    - O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE.vir
                    - O23 - Service: Windows Network Management and Security Layer (NMSL) - Unknown owner - C:\WINDOWS\system32\nmsl.exe (file missing)


                    Important: Close all windows except for Hijackthis and then click Fix checked.

                    Exit Hijackthis.

                    ----------

                    Download OTMoveIt2 by OldTimer.
                    • Save it to your desktop.
                    • Double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
                    • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
                    Code:
                    C:\WINDOWS\system32\nmsl.exe
                    C:\WINDOWS\plite731.exe
                    C:\WINDOWS\nts.exe
                    C:\WINDOWS\System32\pfhvlxjr.dll
                    C:\WINDOWS\System32\spbuqqxi.dll
                    aivbbzlgg.exe
                    aivbbzlgg.exe
                    C:\WINDOWS\system32\nmsl.exe
                    C:\WINDOWS\system32\nmsl.exe
                    C:\WINDOWS\system32\nmsl.exe

                    • Return to OTMoveIt2, right click in the "Paste List Of Files/Patterns To Search For and Move" window.
                      IMPORTANT -- Paste only into the bottom input panel (under the Yellow bar). The top panel will not help you.
                      Right-click and choose Paste.
                    • Click the red Moveit! button.
                    Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.

                    Close OTMoveIt2

                    Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start>All Programs>Accessories>Notepad), click File>Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present. Copy and then paste the contents of that document in your next post.

                    ----------

                    Run ATF Cleaner and then restart the computer.

                    ----------

                    Next post
                    OTMoveIt log
                    NEW Hijackthis log


                    Let me know how things are now.
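
Added example, not part of the thread and not code from HijackThis or any tool named above: the startup errors reported in Reply #28 match autorun entries that outlived the files they launch, and this sketch triages HijackThis-style O4/O23 lines for such leftovers. The line formats are inferred from the entries quoted in the thread; the `triage` function and its `exists` callback are hypothetical names.

```python
import re
from typing import Callable, List, NamedTuple, Optional

# Sample input: a subset of the entries quoted in Reply #29 above.
SAMPLE_LOG = r"""
- O4 - HKLM\..\Run: [plite731] C:\WINDOWS\plite731.exe
- O4 - HKLM\..\Run: [78d2b5e2] rundll32.exe "C:\WINDOWS\System32\pfhvlxjr.dll",b
- O4 - HKLM\..\Run: [BM7be1867e] Rundll32.exe "C:\WINDOWS\System32\spbuqqxi.dll",s
- O4 - HKCU\..\Run: [System Services] aivbbzlgg.exe
- O4 - Startup: MyWebSearch Email Plugin.lnk = C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE.vir
- O23 - Service: Windows Network Management and Security Layer (NMSL) - Unknown owner - C:\WINDOWS\system32\nmsl.exe (file missing)
"""

PATTERNS = [
    # Registry autoruns: O4 - HKLM\..\Run: [value name] command line
    re.compile(r"^O4 - (?P<loc>HK\S*\\Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$"),
    # Startup-folder shortcuts: O4 - Startup: name.lnk = target
    re.compile(r"^O4 - (?P<loc>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.+)$"),
    # Services: O23 - Service: display name - owner - image path
    re.compile(r"^O23 - (?P<loc>Service): (?P<name>.+?) - .+? - (?P<cmd>.+)$"),
]


class Finding(NamedTuple):
    location: str
    name: str
    target: str
    reasons: List[str]


def target_of(cmd: str) -> str:
    """Return the file an autorun command actually loads.

    Handles the forms seen in the thread; unquoted commands that carry
    arguments are not split and come back whole.
    """
    cmd = re.sub(r"\s*\(file missing\)$", "", cmd).rstrip(" *")
    m = re.match(r"(?i)rundll32(?:\.exe)?\s+(.+)$", cmd)
    if m:  # rundll32 <dll>,<export>: the DLL is what gets loaded
        cmd = m.group(1).rsplit(",", 1)[0]
    return cmd.strip('" ')


def triage(log: str,
           exists: Optional[Callable[[str], bool]] = None) -> List[Finding]:
    """Flag autorun entries whose target is gone, quarantined or unqualified.

    `exists` is an optional callback (e.g. os.path.exists on the affected
    machine); without it only evidence present in the log text is used.
    """
    findings = []
    for raw in log.splitlines():
        line = raw.strip().lstrip("- ")  # drop the forum's list dash
        m = next((p.match(line) for p in PATTERNS if p.match(line)), None)
        if m is None:
            continue
        cmd, target, reasons = m["cmd"], target_of(m["cmd"]), []
        if cmd.endswith("(file missing)"):
            reasons.append("log marks file missing")
        low = target.lower()
        if "\\quarantine\\" in low or low.endswith(".vir"):
            reasons.append("points into quarantine")
        if "\\" not in target:
            reasons.append("no full path")
        if exists is not None and not exists(target):
            reasons.append("target not on disk")
        if reasons:
            findings.append(Finding(m["loc"], m["name"], target, reasons))
    return findings


if __name__ == "__main__":
    # Simulate the state after the files were removed: nothing exists.
    for f in triage(SAMPLE_LOG, exists=lambda path: False):
        print(f"{f.location:16} {f.name!r}: {f.target} -> {', '.join(f.reasons)}")
```

On the affected machine, pass `exists=os.path.exists` so that entries such as the two rundll32 lines are checked against the disk rather than against markers in the log.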