Serg812

"Bad Image" error message.(resolved)


Hi, I ran MalwareBytes to fix my computer that had a bunch of infections, but it seems I was left with some side effects. This error comes up with every program I open, and especially when I start my computer. I saw a thread just like this one with the same problems, so I downloaded HiJackThis, ran the scan and saved the log. Here it is:

 

 

Logfile of HijackThis v1.99.1

Scan saved at 5:12:01 PM, on 12/16/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\ibmpmsvc.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\IPSSVC.EXE

C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\Program Files\Spyware Doctor\pctsAuxs.exe

C:\Program Files\Spyware Doctor\pctsSvc.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\TPHDEXLG.EXE

C:\WINDOWS\system32\TpKmpSVC.exe

C:\Program Files\IBM ThinkVantage\Client Security Solution\ibmtcsd.exe

C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe

C:\Program Files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe

C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\Program Files\Windows Media Player\WMPNetwk.exe

C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe

C:\WINDOWS\System32\alg.exe

C:\Program Files\IBM ThinkVantage\Common\Logger\logmon.exe

C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe

C:\Program Files\Spyware Doctor\pctsTray.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\system32\TpShocks.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe

C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe

C:\Program Files\ThinkPad\UltraNav Wizard\UNavTray.EXE

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe

C:\WINDOWS\System32\DLA\DLACTRLW.EXE

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\Lenovo\AwayTask\AwaySch.EXE

C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauth.exe

C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe

C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Windows Media Player\WMPNSCFG.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Hijackthis\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.lenovo.com/us/en/

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://desktop.google.com/uninstall-feedback.html?hl=en

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper

O4 - HKLM\..\Run: [TpShocks] TpShocks.exe

O4 - HKLM\..\Run: [TP4EX] tp4ex.exe

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe

O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe

O4 - HKLM\..\Run: [soundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray

O4 - HKLM\..\Run: [suScheduler] C:\Program Files\ThinkVantage\SystemUpdate\UCLauncher.exe /SCHEDULER

O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe

O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE

O4 - HKLM\..\Run: [iSUSPM Startup] c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

O4 - HKLM\..\Run: [iSUSScheduler] "c:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [AwaySch] C:\Program Files\Lenovo\AwayTask\AwaySch.EXE

O4 - HKLM\..\Run: [cssauth] "C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauth.exe" silent

O4 - HKLM\..\Run: [PDService.exe] "C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe"

O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"

O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor

O4 - HKLM\..\Run: [bLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [iSTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"

O4 - HKLM\..\Run: [NAV] "C:\Documents and Settings\Student\Local Settings\Temp\IXP000.TMP\NAV09EN.exe" /RELAUNCH /RUNONCE /NOPROMPT

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\\PkgMgr.exe

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll

O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll

O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll

O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll

O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll

O11 - Options group: [JAVA_IBM] Java (IBM)

O14 - IERESET.INF: START_PAGE_URL=http://www.lenovo.com/us/en/

O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://games.myspace.com/Gameshell/GameHos...ronGameHost.cab

O20 - AppInit_DLLs: ogjhcm.dll ycgytx.dll djrzyk.dll hrobui.dll

O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)

O20 - Winlogon Notify: AwayNotify - C:\Program Files\Lenovo\AwayTask\AwayNotify.dll

O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll

O20 - Winlogon Notify: NavLogon - C:\WINDOWS\

O20 - Winlogon Notify: tpfnf2 - C:\WINDOWS\SYSTEM32\notifyf2.dll

O20 - Winlogon Notify: tphotkey - C:\WINDOWS\SYSTEM32\tphklock.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Unknown owner - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe

O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe

O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\WINDOWS\system32\IPSSVC.EXE

O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)

O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe

O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE

O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe

O23 - Service: TSS Core Service (TSSCoreService) - IBM - C:\Program Files\IBM ThinkVantage\Client Security Solution\ibmtcsd.exe

O23 - Service: TVT Backup Service - Unknown owner - C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe

O23 - Service: TVT Scheduler - Unknown owner - C:\Program Files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe

O23 - Service: ThinkVantage System Update (UCLauncherService) - Unknown owner - C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

 

 

 

Can anyone tell me what to get rid of? Thanks for your help in advance guys.

 

*EDIT* If it helps, the only bad image errors that come up are

C:\Windows\system32\ogjhcm.dll

C:\Windows\system32\ycgtx.dll

C:\Windows\system32\djrzyk.dll

C:\Windows\system32\hrobui.dll

But it happens to every program.

Edited by Serg812


OK, let's have a go, shall we?

 

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

 

O20 - AppInit_DLLs: ogjhcm.dll ycgytx.dll djrzyk.dll hrobui.dll

 

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

 

THEN

 

Please download OTMoveIt3 by OldTimer.

  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

     

    :Files
    C:\Windows\system32\ogjhcm.dll 
    C:\Windows\system32\ycgtx.dll 
    C:\Windows\system32\djrzyk.dll 
    C:\Windows\system32\hrobui.dll
    
    :Commands
    [purity]
    [emptytemp]
    
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.

  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

 

FINALLY FOR NOW

 

To ensure that I get all the information, this log will need to be uploaded to Mediafire; post the sharing link.

 

Download OTScanit2 to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.

  • Close ALL OTHER PROGRAMS.
  • Open the OTScanit folder and double-click on OTScanit.exe to start the program.
  • Check the box that says Scan All Users
  • Check the Radio button for Rootkit check YES
  • Under Additional Scans check the following:
    • File - Lop Check
    • File - Purity Scan
    • Evnt - EventViewer Errors/Warnings (last 10)
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

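Added example (my own code, not from the thread and not part of the HijackThis or OldTimer tools): a small Python triage pass over HijackThis log lines. It pulls the DLL names out of the O20 AppInit_DLLs entry that the fix above targets, and also flags Winlogon Notify entries marked "(file missing)", O4 Run entries that launch from a Temp directory, and Winsock LSP files HijackThis could not identify. Taking the names from the O20 line itself avoids the retyping slip visible later in the thread, where OTMoveIt3 reports ycgtx.dll "not found" while the log's actual entry is ycgytx.dll. The sample lines are copied from the log posted above; the severity labels are my own judgement.

```python
"""
Triage of HijackThis-style log lines (added example, not from the thread or
from the HijackThis / OldTimer tools).  Sample lines below are copied from
the log posted above.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    section: str   # which HijackThis section the line came from
    detail: str    # DLL name, Run-key name or LSP path
    severity: str  # "high", "medium" or "low" (my own labels)


# O20 - AppInit_DLLs: a.dll b.dll ...   (space- or comma-separated names)
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs:\s*(?P<dlls>.*)$")
# O20 - Winlogon Notify: <name> - <path> [(file missing)]
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify:\s*(?P<name>\S+)\s+-\s+(?P<path>.*)$")
# O4 - HKLM\..\Run: [<name>] <command line>
RUN_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
# O10 - Unknown file in Winsock LSP: <path>
LSP_RE = re.compile(r"^O10 - Unknown file in Winsock LSP:\s*(?P<path>.*)$")


def appinit_dlls(line: str) -> list[str]:
    """Return the DLL names listed on an O20 AppInit_DLLs line ([] otherwise).

    Every DLL named in AppInit_DLLs is loaded into each process that loads
    user32.dll, so a listed file that is present but no longer a loadable
    image produces a "Bad Image" dialog for every program started, which is
    the symptom the thread opens with.
    """
    m = APPINIT_RE.match(line)
    if not m:
        return []
    return [d for d in re.split(r"[\s,]+", m.group("dlls").strip()) if d]


def triage(log_text: str) -> list[Finding]:
    """Walk a HijackThis log and collect findings worth a second look."""
    findings: list[Finding] = []
    seen_lsp: set[str] = set()
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        dlls = appinit_dlls(line)
        if dlls:
            # Any non-empty AppInit_DLLs value on a workstation deserves review.
            findings.extend(Finding("O20 AppInit_DLLs", d, "high") for d in dlls)
            continue
        m = NOTIFY_RE.match(line)
        if m and "(file missing)" in m.group("path"):
            # Winlogon Notify entries pointing at an absent DLL are leftover residue.
            findings.append(Finding("O20 Winlogon Notify", m.group("name"), "low"))
            continue
        m = RUN_RE.match(line)
        if m and re.search(r"\\Temp\\", m.group("cmd"), re.IGNORECASE):
            # Autostart entries that launch out of a Temp directory are unusual.
            findings.append(Finding("O4 Run from Temp", m.group("name"), "medium"))
            continue
        m = LSP_RE.match(line)
        if m:
            # HijackThis repeats an LSP path once per protocol entry; report it once.
            path = m.group("path").lower()
            if path not in seen_lsp:
                seen_lsp.add(path)
                findings.append(Finding("O10 Winsock LSP", path, "low"))
    return findings


# Constructed sample: a handful of lines taken from the HijackThis log above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [NAV] "C:\Documents and Settings\Student\Local Settings\Temp\IXP000.TMP\NAV09EN.exe" /RELAUNCH /RUNONCE /NOPROMPT
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O20 - AppInit_DLLs: ogjhcm.dll ycgytx.dll djrzyk.dll hrobui.dll
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O20 - Winlogon Notify: AwayNotify - C:\Program Files\Lenovo\AwayTask\AwayNotify.dll
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.detail}")
```

Run against the full log text and the four AppInit DLLs come out first in the order the registry value lists them, which is the list to feed into a removal step rather than a hand-typed copy.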

Ok, thanks for the quick response. I did everything right, I think. Here is the log for "OTMoveIt3":

 

========== FILES ==========

LoadLibrary failed for C:\Windows\system32\ogjhcm.dll

C:\Windows\system32\ogjhcm.dll NOT unregistered.

C:\Windows\system32\ogjhcm.dll moved successfully.

File/Folder C:\Windows\system32\ycgtx.dll not found.

LoadLibrary failed for C:\Windows\system32\djrzyk.dll

C:\Windows\system32\djrzyk.dll NOT unregistered.

C:\Windows\system32\djrzyk.dll moved successfully.

LoadLibrary failed for C:\Windows\system32\hrobui.dll

C:\Windows\system32\hrobui.dll NOT unregistered.

C:\Windows\system32\hrobui.dll moved successfully.

========== COMMANDS ==========

File delete failed. C:\DOCUME~1\Student\LOCALS~1\Temp\etilqs_xoyRwOt4iFD9YlFrAKIA scheduled to be deleted on reboot.

User's Temp folder emptied.

User's Temporary Internet Files folder emptied.

User's Internet Explorer cache folder emptied.

Local Service Temp folder emptied.

File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.

Local Service Temporary Internet Files folder emptied.

File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_200.dat scheduled to be deleted on reboot.

Windows Temp folder emptied.

Java cache emptied.

File delete failed. C:\Documents and Settings\Student\Local Settings\Application Data\Mozilla\Firefox\Profiles\oik4qady.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.

File delete failed. C:\Documents and Settings\Student\Local Settings\Application Data\Mozilla\Firefox\Profiles\oik4qady.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.

File delete failed. C:\Documents and Settings\Student\Local Settings\Application Data\Mozilla\Firefox\Profiles\oik4qady.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.

File delete failed. C:\Documents and Settings\Student\Local Settings\Application Data\Mozilla\Firefox\Profiles\oik4qady.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.

File delete failed. C:\Documents and Settings\Student\Local Settings\Application Data\Mozilla\Firefox\Profiles\oik4qady.default\urlclassifier3.sqlite scheduled to be deleted on reboot.

File delete failed. C:\Documents and Settings\Student\Local Settings\Application Data\Mozilla\Firefox\Profiles\oik4qady.default\XUL.mfl scheduled to be deleted on reboot.

FireFox cache emptied.

Temp folders emptied.

 

OTMoveIt3 by OldTimer - Version 1.0.7.2 log created on 12162008_180722

 

Files moved on Reboot...

File C:\DOCUME~1\Student\LOCALS~1\Temp\etilqs_xoyRwOt4iFD9YlFrAKIA not found!

File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.

C:\WINDOWS\temp\Perflib_Perfdata_200.dat moved successfully.

C:\Documents and Settings\Student\Local Settings\Application Data\Mozilla\Firefox\Profiles\oik4qady.default\Cache\_CACHE_001_ moved successfully.

C:\Documents and Settings\Student\Local Settings\Application Data\Mozilla\Firefox\Profiles\oik4qady.default\Cache\_CACHE_002_ moved successfully.

C:\Documents and Settings\Student\Local Settings\Application Data\Mozilla\Firefox\Profiles\oik4qady.default\Cache\_CACHE_003_ moved successfully.

C:\Documents and Settings\Student\Local Settings\Application Data\Mozilla\Firefox\Profiles\oik4qady.default\Cache\_CACHE_MAP_ moved successfully.

C:\Documents and Settings\Student\Local Settings\Application Data\Mozilla\Firefox\Profiles\oik4qady.default\urlclassifier3.sqlite moved successfully.

C:\Documents and Settings\Student\Local Settings\Application Data\Mozilla\Firefox\Profiles\oik4qady.default\XUL.mfl moved successfully.

 

 

 

And here is the log for the "OTScanIt2" you told me to upload.

http://www.mediafire.com/?sharekey=ab6e7dd...37d994738c67a69

 

Again, thanks for the help, man, I appreciate it. The error doesn't come up anymore.


Still a few to remove, though.

 

Start OTScanit. Copy/Paste the information in the quotebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

 

[Unregister Dlls]
[Registry - Safe List]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> "NAV" -> %UserProfile%\Local Settings\Temp\IXP000.TMP\NAV09EN.exe ["C:\Documents and Settings\Student\Local Settings\Temp\IXP000.TMP\NAV09EN.exe" /RELAUNCH /RUNONCE /NOPROMPT]
< ShellExecuteHooks [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
YN -> "{5600363C-B1A7-464C-9D48-B57A901A74FA}" [HKLM] -> Reg Error: Key does not exist or could not be opened. []
[Files/Folders - Created Within 30 Days]
NY -> jzita.sys -> %SystemRoot%\System32\drivers\jzita.sys
NY -> uelypeco.dll -> %SystemRoot%\System32\uelypeco.dll
NY -> tumjcqfy.dll -> %SystemRoot%\System32\tumjcqfy.dll
NY -> fzduom.dll -> %SystemRoot%\System32\fzduom.dll
NY -> odevclnw.exe -> %SystemRoot%\System32\odevclnw.exe
NY -> ycgytx.dll -> %SystemRoot%\System32\ycgytx.dll
NY -> semfoybw.ini -> %SystemRoot%\System32\semfoybw.ini
NY -> ilVycccf.ini2 -> %SystemRoot%\System32\ilVycccf.ini2
NY -> ilVycccf.ini -> %SystemRoot%\System32\ilVycccf.ini
NY -> iadqziwq.job -> %SystemRoot%\tasks\iadqziwq.job
NY -> -263714966 -> %SystemDrive%\-263714966
[Files/Folders - Modified Within 30 Days]
NY -> iadqziwq.job -> %SystemRoot%\tasks\iadqziwq.job
NY -> jzita.sys -> %SystemRoot%\System32\drivers\jzita.sys
NY -> uelypeco.dll -> %SystemRoot%\System32\uelypeco.dll
NY -> tumjcqfy.dll -> %SystemRoot%\System32\tumjcqfy.dll
NY -> fzduom.dll -> %SystemRoot%\System32\fzduom.dll
NY -> odevclnw.exe -> %SystemRoot%\System32\odevclnw.exe
NY -> ycgytx.dll -> %SystemRoot%\System32\ycgytx.dll
NY -> semfoybw.ini -> %SystemRoot%\System32\semfoybw.ini
NY -> ilVycccf.ini -> %SystemRoot%\System32\ilVycccf.ini
NY -> ilVycccf.ini2 -> %SystemRoot%\System32\ilVycccf.ini2
NY -> flvtoavi.ini -> %UserProfile%\Desktop\flvtoavi.ini
NY -> -263714966 -> %SystemDrive%\-263714966
[File - Lop Check]
NY -> iadqziwq.job -> C:\WINDOWS\Tasks\iadqziwq.job
[Purity]
[Empty Temp Folders]

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new Hijackthis log.

 

I will review the information when it comes back in.

 

THEN

 

Please download Malwarebytes' Anti-Malware from Here or Here

 

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

 

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.


Ok, here are the results for OTScanIt.

 

[Registry - Safe List]

Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\NAV deleted successfully.

Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{5600363C-B1A7-464C-9D48-B57A901A74FA} deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5600363C-B1A7-464C-9D48-B57A901A74FA}\ not found.

[Files/Folders - Created Within 30 Days]

C:\WINDOWS\System32\drivers\jzita.sys moved successfully.

LoadLibrary failed for C:\WINDOWS\System32\uelypeco.dll

C:\WINDOWS\System32\uelypeco.dll NOT unregistered.

C:\WINDOWS\System32\uelypeco.dll moved successfully.

LoadLibrary failed for C:\WINDOWS\System32\tumjcqfy.dll

C:\WINDOWS\System32\tumjcqfy.dll NOT unregistered.

C:\WINDOWS\System32\tumjcqfy.dll moved successfully.

LoadLibrary failed for C:\WINDOWS\System32\fzduom.dll

C:\WINDOWS\System32\fzduom.dll NOT unregistered.

C:\WINDOWS\System32\fzduom.dll moved successfully.

C:\WINDOWS\System32\odevclnw.exe moved successfully.

LoadLibrary failed for C:\WINDOWS\System32\ycgytx.dll

C:\WINDOWS\System32\ycgytx.dll NOT unregistered.

C:\WINDOWS\System32\ycgytx.dll moved successfully.

C:\WINDOWS\System32\semfoybw.ini moved successfully.

C:\WINDOWS\System32\ilVycccf.ini2 moved successfully.

C:\WINDOWS\System32\ilVycccf.ini moved successfully.

C:\WINDOWS\tasks\iadqziwq.job moved successfully.

C:\-263714966 moved successfully.

[Files/Folders - Modified Within 30 Days]

File C:\WINDOWS\tasks\iadqziwq.job not found!

File C:\WINDOWS\System32\drivers\jzita.sys not found!

File C:\WINDOWS\System32\uelypeco.dll not found!

File C:\WINDOWS\System32\tumjcqfy.dll not found!

File C:\WINDOWS\System32\fzduom.dll not found!

File C:\WINDOWS\System32\odevclnw.exe not found!

File C:\WINDOWS\System32\ycgytx.dll not found!

File C:\WINDOWS\System32\semfoybw.ini not found!

File C:\WINDOWS\System32\ilVycccf.ini not found!

File C:\WINDOWS\System32\ilVycccf.ini2 not found!

C:\Documents and Settings\Student\Desktop\flvtoavi.ini moved successfully.

File C:\-263714966 not found!

[File - Lop Check]

File C:\WINDOWS\Tasks\iadqziwq.job not found!

[Purity]

Purity scan complete.

[Empty Temp Folders]

File delete failed. C:\Documents and Settings\Student\Local Settings\Temp\etilqs_4C7z0t9qFpsd7XL5E8ZW scheduled to be deleted on reboot.

User's Temp folder emptied.

User's Temporary Internet Files folder emptied.

User's Internet Explorer cache folder emptied.

Local Service Temp folder emptied.

File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\6M80MB9M\control[1].htm scheduled to be deleted on reboot.

File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.

Local Service Temporary Internet Files folder emptied.

File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_7f0.dat scheduled to be deleted on reboot.

Windows Temp folder emptied.

Java cache emptied.

File delete failed. C:\Documents and Settings\Student\Local Settings\Application Data\Mozilla\Firefox\Profiles\oik4qady.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.

File delete failed. C:\Documents and Settings\Student\Local Settings\Application Data\Mozilla\Firefox\Profiles\oik4qady.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.

File delete failed. C:\Documents and Settings\Student\Local Settings\Application Data\Mozilla\Firefox\Profiles\oik4qady.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.

File delete failed. C:\Documents and Settings\Student\Local Settings\Application Data\Mozilla\Firefox\Profiles\oik4qady.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.

File delete failed. C:\Documents and Settings\Student\Local Settings\Application Data\Mozilla\Firefox\Profiles\oik4qady.default\urlclassifier3.sqlite scheduled to be deleted on reboot.

File delete failed. C:\Documents and Settings\Student\Local Settings\Application Data\Mozilla\Firefox\Profiles\oik4qady.default\XUL.mfl scheduled to be deleted on reboot.

FireFox cache emptied.

RecycleBin -> emptied.

< End of fix log >

OTScanIt2 by OldTimer - Version 1.0.3.1 fix logfile created on 12182008_060117

 

Files moved on Reboot...

File C:\Documents and Settings\Student\Local Settings\Temp\etilqs_4C7z0t9qFpsd7XL5E8ZW not found!

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\6M80MB9M\control[1].htm moved successfully.

File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.

File move failed. C:\WINDOWS\temp\Perflib_Perfdata_7f0.dat scheduled to be moved on reboot.

C:\Documents and Settings\Student\Local Settings\Application Data\Mozilla\Firefox\Profiles\oik4qady.default\Cache\_CACHE_001_ moved successfully.

C:\Documents and Settings\Student\Local Settings\Application Data\Mozilla\Firefox\Profiles\oik4qady.default\Cache\_CACHE_002_ moved successfully.

C:\Documents and Settings\Student\Local Settings\Application Data\Mozilla\Firefox\Profiles\oik4qady.default\Cache\_CACHE_003_ moved successfully.

C:\Documents and Settings\Student\Local Settings\Application Data\Mozilla\Firefox\Profiles\oik4qady.default\Cache\_CACHE_MAP_ moved successfully.

C:\Documents and Settings\Student\Local Settings\Application Data\Mozilla\Firefox\Profiles\oik4qady.default\urlclassifier3.sqlite moved successfully.

C:\Documents and Settings\Student\Local Settings\Application Data\Mozilla\Firefox\Profiles\oik4qady.default\XUL.mfl moved successfully.

 

Registry entries deleted on Reboot...

 

And here's the log for Malwarebytes.

 

Malwarebytes' Anti-Malware 1.31

Database version: 1502

Windows 5.1.2600 Service Pack 3

 

12/18/2008 6:19:50 AM

mbam-log-2008-12-18 (06-19-50).txt

 

Scan type: Quick Scan

Objects scanned: 49997

Time elapsed: 8 minute(s), 29 second(s)

 

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

 

Memory Processes Infected:

(No malicious items detected)

 

Memory Modules Infected:

(No malicious items detected)

 

Registry Keys Infected:

(No malicious items detected)

 

Registry Values Infected:

(No malicious items detected)

 

Registry Data Items Infected:

(No malicious items detected)

 

Folders Infected:

(No malicious items detected)

 

Files Infected:

(No malicious items detected)

 


Looks good - now the big question: how is your computer running?

 

Better than ever. Thank you for doing what companies charge hundreds for. I really appreciate it. Keep up the good work.


Now the best part of the day ----- Your log now appears clean :thumbsup:

 

A good workman always cleans up after himself, so... Download and run this small programme and hit the cleanup button. It will remove all the programmes we have used plus itself. MBAM can be uninstalled via Control Panel Add/Remove along with ERUNT, but they may be useful tools to keep.

 

We will now confirm that your hidden files are set to that, as some of the tools I use will change that.

  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Do not show hidden files and folders.
  • Click Yes to confirm.
  • Click OK.
Please download JavaRa to your desktop and unzip it to its own folder
  • Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.
  • Open JavaRa.exe again and select Search For Updates.
  • Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.
XP

Now to get you off to a good start we will clean your restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean. There are several ways to reset your restore points, but this is my method:

  • Select Start > All Programs > Accessories > System tools > System Restore.
  • On the dialogue box that appears select Create a Restore Point
  • Click NEXT
  • Enter a name e.g. Clean
  • Click CREATE
You now have a clean restore point, to get rid of the bad ones:
  • Select Start > All Programs > Accessories > System tools > Disk Cleanup.
  • In the Drop down box that appears select your main drive e.g. C
  • Click OK
  • The System will do some calculation and then display a dialogue box with TABS.
  • Select the More Options Tab.
  • At the bottom will be a system restore box with a CLEANUP button click this
  • Accept the Warning and select OK again, the program will close and you are done
Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes: It is critical to have both a firewall and anti-virus to protect your system and to keep them updated.

 

To keep your operating system up to date visit

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ?

Keep safe :wave:
