Type: Posts; User: Blender; Keyword(s):

  1. Replies
    88
    Views
    33,051

    You're very welcome. Glad we could help. It was...

    You're very welcome.
    Glad we could help.
    It was a bit of a rough trip but hey, we made it. :eek:

    Always a good thing when one can learn something good from a bad experience.

    Happy Holidays to...
  2. Replies
    88
    Views
    33,051

    HI, Good to hear that worked well. Keep in...

    HI,

    Good to hear that worked well.
    Keep in mind that if you ever update your BIOS (not something to do unless really needed & you know what you are doing) you will need to disable the BIOS virus...
  3. Replies
    11
    Views
    4,103

    You're welcome, Glad to have helped. Take...

    You're welcome,

    Glad to have helped.

    Take care :)
  4. Replies
    88
    Views
    33,051

    You still have the install CD for your...

    You still have the install CD for your motherboard?

    hmmmm


    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "POINTER"="point32.exe"
  5. Replies
    88
    Views
    33,051

    Hi, I recommend you keep the recovery console...

    Hi,

    I recommend you keep the recovery console installed.
    ComboFix is what installed it and it only adds 2 seconds to your boot time.
    If you want it gone -- let me know & we'll remove it.

    If...
  6. Replies
    11
    Views
    4,103

    Hi, Log looks good. You can empty out your...

    Hi,

    Log looks good.
    You can empty out your Quarantine from within Trend Micro.

    If all is still well please do the following:
    Click start> run> type combofix /u then hit enter.
    Follow the...
  7. Replies
    11
    Views
    4,103

    Thanks for the file Colin, I'll watch for your...

    Thanks for the file Colin,

    I'll watch for your reply when you get the Kaspersky scan done.

    Thanks :)
  8. Replies
    88
    Views
    33,051

    Hi, See if you can uninstall the mouse & let...

    Hi,

    See if you can uninstall the mouse & let windows re-install it at boot.
    Right click "my computer" then "properties"
    Click "hardware" tab.
    Click "device manager"
    Expand "mouse & other...
  9. Replies
    11
    Views
    4,103

    Hi, Good to hear that worked well. You...

    Hi,

    Good to hear that worked well.
    You uninstall IE7?

    c:\qoobox\quarantine\c\windows\system32\drivers\OsaFsLocc.sys.vir

    Can you upload the above file to this site please:
    ...
  10. Replies
    88
    Views
    33,051

    Hi, Good to hear things went well. May want...

    Hi,

    Good to hear things went well.
    May want to check manufacturer of the mouse to check for driver/software updates.

    Let me know in a couple days if everything is still OK & we'll clean up our...
  11. Replies
    3
    Views
    5,919

    Hi, That would be my choice as well. At least...

    Hi,

    That would be my choice as well.
    At least you will be sure of a secure safe system.

    Don't forget to change passwords on sensitive sites/services you belong to or used with that system.
    ...
  12. Replies
    3
    Views
    5,919

    Hi and welcome, Is this computer used for...

    Hi and welcome,

    Is this computer used for work? If so -- do you have permission from supervisor/IT department to do whatever it takes to fix it?

    This system is severely infected. :(
    A lot more...
  13. Replies
    11
    Views
    4,103

    Hello again, Please copy the following text to...

    Hello again,

    Please copy the following text to a new notepad file:


    file::
    c:\windows\system32\drivers\OsaFsLocc.sys

    dirlook::
    c:\temp\FT62
  14. Replies
    11
    Views
    4,103

    Hi and welcome, I'm looking over your log &...

    Hi and welcome,

    I'm looking over your log & will reply shortly with further instructions.
  15. Replies
    88
    Views
    33,051

    Good to hear it is going well :) Wanna try...

    Good to hear it is going well :)

    Wanna try SP3? I think it's safe to try it.
    Make a restore point> reboot then try SP3. (SP3 will make its own restore point but I want our own first lol)
    When I...
  16. Replies
    88
    Views
    33,051

    Good to hear things are working well. Start...

    Good to hear things are working well.

    Start Hijackthis
    Run system scan only & check the following: (none are bad -- just housecleaning leftovers)

    R0 - HKCU\Software\Microsoft\Internet...
  17. Replies
    88
    Views
    33,051

    Hi, I can't see SP2 doing anything with the...

    Hi,

    I can't see SP2 doing anything with the BIOS... odd.

    You have an ASUS motherboard which explains the splash screen you are seeing.
    Sounds like the settings in bios were changed a bit to...
  18. Replies
    88
    Views
    33,051

    Thanks for the logs. That was indeed the KAV...

    Thanks for the logs.
    That was indeed the KAV log. :)

    Looks like everything it detected is contained in quarantine.
    We'll clean those up last. They are not a threat to you at the moment.
    Only...
  19. Replies
    88
    Views
    33,051

    Going well indeed. That was I think 83 rogue...

    Going well indeed.
    That was I think 83 rogue services we nuked. :eek:
    I don't wanna jinx it but I think we're on the road to recovery :)

    I missed a service.

    Click start> run> type cmd and hit...
  20. Replies
    88
    Views
    33,051

    Before I forget -- we should restore those...

    Before I forget -- we should restore those support.com files DrWeb removed.
    Program was installed by the PC manufacturer & is OK.

    Look in here:
    C:\documents &...
  21. Replies
    88
    Views
    33,051

    OK.. :spider: Delete current version of...

    OK.. :spider:

    Delete current version of ComboFix & grab a new one:

    Link 1
    Link 2
    Link 3

    Save to desktop.
  22. Replies
    88
    Views
    33,051

    Got the file. Thanks :) It's going to take me...

    Got the file.
    Thanks :)

    It's going to take me a bit to go through it.
    I want to make sure the legit services are not dependent on the funkey ones before we remove em.
    Man -- I would love to...
  23. Replies
    88
    Views
    33,051

    Hi, Good :) I'm kinda stumped on what...

    Hi,



    Good :)

    I'm kinda stumped on what all those funny looking services are.
    I would like to have a look at an export of that key.
    Actually what might be easier...
  24. Replies
    88
    Views
    33,051

    Hi, Please don't leave machine connected to...

    Hi,

    Please don't leave machine connected to net unless doing stuff here. You have no AV and no decent firewall so your risk of more infections is high.

    See if you can get Windows firewall...
  25. Replies
    88
    Views
    33,051

    Hi, Sorry for the late reply.. Leme look over...

    Hi,

    Sorry for the late reply..
    Leme look over your logs and see what is left of the battle. :D
  26. Replies
    88
    Views
    33,051

    Hi, Sorry for delay. Power outages today cus...

    Hi,

    Sorry for delay. Power outages today cus hydro company was doing repairs.

    Since you repair installed windows this left you without XP firewall enabled.
    We need to turn that on especially...
  27. Replies
    88
    Views
    33,051

    Hi :) Good to see something is working out for...

    Hi :)

    Good to see something is working out for you.

    Ok.. looks like you did repair install of windows.
    So basic windows is there at least after Threatfire/TeaTimer fight.

    Download ComboFix...
  28. Replies
    88
    Views
    33,051

    Hi, Sorry for delay. You get IE/FF working to...

    Hi,

    Sorry for delay.
    You get IE/FF working to get those logs yet? Can you get to safe mode with network support? If so try & post those logs please.
    How about IE or FF without add-ons?

    start>...
  29. Replies
    88
    Views
    33,051

    Hi, Some of Spybot exe files are hidden. How...

    Hi,

    Some of Spybot exe files are hidden.
    How to view Hidden files/folders.
    http://www.bleepingcomputer.com/tutorials/tutorial62.html
    don't forget to hide files/folders when we are finished...
  30. Replies
    88
    Views
    33,051

    What exactly happens when you try to start...

    What exactly happens when you try to start Spybot?

    Can you get OTViewIt to run? Post logs from it if you can please.

    Thanks :)
  31. Replies
    88
    Views
    33,051

    You have some method to transfer logs? What was...

    You have some method to transfer logs?
    What was listed in the daft log? You can run it again and see what is listed.
    I wanna see if we got all the extensions fixed.

    Some of the infections is...
  32. Replies
    88
    Views
    33,051

    OK. So .com files give same message? Does...

    OK. So .com files give same message?

    Does explorer start? Meaning you get the desktop loaded, see your icons, task bar and so on?

    C:\program files\Spybot - Search & Destroy <-- go to this...
  33. Replies
    88
    Views
    33,051

    Kewl!! We're logged in == progress Ok ---...

    Kewl!!

    We're logged in == progress

    Ok --- you get TeaTimer disabled and reset? Leave it off till I say. OK?

    Make sure you can see all your file extensions.
    Open your control panel & then...
  34. Hi, Sorry for delay. Something is wrong with...

    Hi,

    Sorry for delay. Something is wrong with my notifications.

    Good to hear everything is in the clear. :)

    I must agree. That joke page really is annoying.
    Process explorer is a kewl...
  35. Replies
    88
    Views
    33,051

    OK... My bad again. Lack of coffee moment. I...

    OK... My bad again. Lack of coffee moment.
    I guess I can't remember as much stuff by heart as I thought. :oops:

    Instead of ERDNT.con command do this:

    BATCH ERDNT.con

    The rest is all the...
  36. Replies
    88
    Views
    33,051

    Sorry my bad .. Only mistake made here was...

    Sorry my bad ..
    Only mistake made here was typing in the directory wrong.
    I should have seen that (duh on me) even after looking in my own erdnt folder. :red:

    Once in the ERDNT directory & you...
  37. Replies
    88
    Views
    33,051

    Sorry.. uptown business took longer than...

    Sorry.. uptown business took longer than expected.

    Ok...

    One thing to understand here is the recovery console is all commands. Kinda like "DOS". No pretty pics here & no mouse.

    Insert XP CD...
  38. Replies
    88
    Views
    33,051

    OK. Good on the XP disk. Yes it does have RC on...

    OK. Good on the XP disk. Yes it does have RC on it. We're going to boot with it.
    I'll be back in a few with further instructions. :)
  39. Replies
    88
    Views
    33,051

    I think I see what happened. When you saw all...

    I think I see what happened.

    When you saw all these changes happening that TeaTimer (TT) was warning you about (when ThreatFire (TF) was running) you denied a lot of these changes. TF was making...
  40. Replies
    88
    Views
    33,051

    Hi, Thanks for the info :) One of 2 things...

    Hi,

    Thanks for the info :)

    One of 2 things happened & both are recoverable.
    1. Userinit.exe was deleted/replaced by something
    2. Registry entry that loads userinit.exe is broken/missing.
    ...
  41. Replies
    88
    Views
    33,051

    Also... When CF was running... see any error...

    Also...
    When CF was running... see any error messages?
    CF reboot the machine then finish or was it at this point log-in failed so CF did not complete?

    Try to tell me as many details as you can...
  42. Replies
    88
    Views
    33,051

    Sorry for delay. For some reason I am not...

    Sorry for delay.
    For some reason I am not getting notified of replies.

    What exactly happens when you try?
    At which point does login fail please?

    Did you run anything else before running...
  43. Hi and welcome, About that site -- Highly...

    Hi and welcome,

    About that site --

    Highly annoying, yes. Not nice language -- true.
    Dangerous -- no.
    It is a javascript causing the window to bounce back & forth.
    I suspended the iexplore...
  44. Replies
    88
    Views
    33,051

    Hi, Ok.. TeaTimer is really going to interfere...

    Hi,

    Ok.. TeaTimer is really going to interfere badly with ComboFix.
    Combofix is doing a lot of repairs the malware trashed.
    Combofix deletes known bad registry entries and files and does repairs to...
  45. Replies
    88
    Views
    33,051

    Hi, Thanks for the logs. Thanks also for...

    Hi,

    Thanks for the logs.
    Thanks also for reporting erdnt folder size. Good deal.

    At least one of your system files is infected and partly responsible for re-downloading a lot of the junk.
    It...
  46. Replies
    88
    Views
    33,051

    Hello, You remember the site that may have...

    Hello,

    You remember the site that may have attacked you like this?
    Or what file you ran before everything went crazy?

    Something really odd going on with those services.
    I want to get more...
  47. Replies
    88
    Views
    33,051

    Hello & welcome :) I am looking over your log...

    Hello & welcome :)

    I am looking over your log & will return shortly with instructions.

    Please do not run any removal/fixit apps till I tell you as they may interfere with our work.

    Thanks
    ...
  48. Hi, Thanks for the logs. Unfortunately I...

    Hi,

    Thanks for the logs.

    Unfortunately I cannot help you any further.
    I cannot put myself at risk for "aiding and abetting a crime"
    It appears your Product key has been blocked because it is...
  49. Replies
    10
    Views
    2,907

    Hi, Good to hear everything is OK. Did you...

    Hi,

    Good to hear everything is OK.

    Did you run any other tools besides your antivirus & Spybot?

    For Spybot -- before we re-enable TeaTimer..
    The file we normally use To reset TeaTimer seems...
  50. Hi, Any other programs doing that error...

    Hi,

    Any other programs doing that error besides AIM?

    Please do what I asked here:

    http://forums.spybot.info/showpost.php?p=230373&postcount=78

    Also upload that aim.exe to this site & tell...
Results 1 to 50 of 146