Help please, Cannot run logs following FAQ

[Wendigo X]

Attached, thanks.

Things seem to be running okay. Desktop picture dissapeared, went to customize and cannot.

These are little things, but just sharing what I am seeing.

[Wendigo X]

Not sure why your last post did not show up, but here are the logs. the fixme.reg did not work. I am getting message again that registry editing is not allowed.

Here are the logs.

[TimW]

Please download and install on your desktop combofix.exe

Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

* Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
If it is not on your Desktop, the below will not work.
* Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
* If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
* Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):

Code:

KILLALL::

File::
C:\WINDOWS\system32\sdra64.exe
C:\WINDOWS\wp3.dat
C:\WINDOWS\wp4.dat      
C:\WINDOWS\system32\wwp.htm
C:\Documents and Settings\Jason and Pat\Local Settings\Temp\3639913142.exe
C:\Documents and Settings\Jason and Pat\Local Settings\Temp\dio5.tmp      
C:\Documents and Settings\Jason and Pat\Local Settings\Temp\dio6.tmp   
C:\Documents and Settings\Jason and Pat\Local Settings\Temp\dio8.tmp    
C:\Documents and Settings\Jason and Pat\Local Settings\Temp\dio9.tmp      
C:\Documents and Settings\Jason and Pat\Local Settings\Temp\dioa.tmp    
C:\Documents and Settings\Jason and Pat\Local Settings\Temp\diob.tmp    
C:\Documents and Settings\Jason and Pat\Local Settings\Temp\jisfije9fjoiee.tmp
C:\Documents and Settings\Jason and Pat\Local Settings\Temp\mar4.tmp    
C:\Documents and Settings\Jason and Pat\Local Settings\Temp\mar8.tmp     
C:\Documents and Settings\Jason and Pat\Local Settings\Temp\mon000~1.log  
C:\Documents and Settings\Jason and Pat\Local Settings\Temp\mon001~1.log  
C:\Documents and Settings\Jason and Pat\Local Settings\Temp\mon002~1.log  
C:\Documents and Settings\Jason and Pat\Local Settings\Temp\mon003~1.log  
C:\Documents and Settings\Jason and Pat\Local Settings\Temp\mon004~1.log  
C:\Documents and Settings\Jason and Pat\Local Settings\Temp\mon005~1.log  
C:\Documents and Settings\Jason and Pat\Local Settings\Temp\mon006~1.log  
C:\Documents and Settings\Jason and Pat\Local Settings\Temp\mon007~1.log 
C:\Documents and Settings\Jason and Pat\Local Settings\Temp\nvsvc32.exe  
C:\Documents and Settings\Jason and Pat\Local Settings\Temp\setup.exe     
C:\Documents and Settings\Jason and Pat\Local Settings\Temp\setupa~1.log  
C:\Documents and Settings\Jason and Pat\Local Settings\Temp\system.exe  
C:\Documents and Settings\Jason and Pat\Local Settings\Temp\WPDNSE
C:\Documents and Settings\All Users\Application Data\53841930
C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
C:\DOCUMENTS AND SETTINGS\Jason and Pat\LOCAL Settings\Temp\nvsvc32.exe
Folder::
C:\Documents and Settings\Jason and Pat\Local Settings\Temp\WPDNSE
C:\Documents and Settings\All Users\Application Data\53841930
C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}

Registry::
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Yjafosi8kdf98winmdkmnkmfnwe"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\WINDOWS\system32\userinit.exe,"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"wopojehow"=-

* Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
* At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
* You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
If it asks you to overide the prvevious file with the same name, click YES.
* Now use your mouse to drag CFscript.txt on top of ComboFix.exe

* Follow the prompts.
* When it finishes, a log will be produced named c:\combofix.txt
* I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

Then attach the below logs:

* C:\ComboFix.txt
* C:\MGlogs.zip

[Wendigo X]

Thank you.

Here are the logs:

[TimW]

Juntion.exe is not in the C:\Windows folder and Inherit.exe is nowhere to be found on your desktop.

Please correct that now.

* Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
If it is not on your Desktop, the below will not work.
* Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
* If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
* Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):

Code:

KILLALL::

Driver::
WDefend

File::
C:\WINDOWS\Ewahine.dat
C:\WINDOWS\Hlupuqiyaloqe.bin
c:\windows\uwafigor.dll

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ynonajazeti"=-

* Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
* At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
* You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
If it asks you to overide the prvevious file with the same name, click YES.
* Now use your mouse to drag CFscript.txt on top of ComboFix.exe

* Follow the prompts.
* When it finishes, a log will be produced named c:\combofix.txt
* I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

Now if you have put juntion.exe in the C:\Windows folder and Inherit.exe is on you desktop, then double click the C:\MGTools\FixPerm.bat

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

Then attach the below logs:

* C:\ComboFix.txt
* C:\MGlogs.zip

Make sure you tell me how things are working now!

[Wendigo X]

Sorry, IE is down again, working now, not sure for how long.

[TimW]

Use windows explorer to find and delete:
c:\windows\ulilobomagif.dll


Now double click on C:\MGTools\analyse.exe and telll me what happens.

Are you having difficulty putting junction.exe in the C:\Windows folder???

[Wendigo X]

Deleted the file.

When I try to run analyse.exe, I get a message that windows cannot find the specified file, path or device.

Junction was there right before I ran Combofix, and it is in the directory now.

[TimW]

It was not there in your latest MGLogs.zip. So now if everything is where it should be, run the C:\MGTools\Fixperm.bat.

Tell me what problems you still have and also run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

Then attach the below logs:

* C:\MGlogs.zip

[TimW]

Edit: Please drag the analyse.exe on top of inherit.exe. THEN run the getlogs.bat!

[Wendigo X]

Here are the logs

[TimW]

Please use windows explorer to find and delete:
C:\Program Files\AVG
C:\Documents and Settings\All Users\Application Data\AVG8
C:\Documents and Settings\Jason and Pat\Application Data\AVG8

If you are having difficulties doing that, you can use the AVG Removal Tool.

Again you log indicates that junction.exe is not here: C:\Window\junction.exe.

What issues are you still having?

[Wendigo X]

Thanks, deleted those files.

Can't explain the junction.exe issue. I look in the Windows directory and it is there.

Everytime I open a window in IE, my task manager opens and I see a second or third IE open under processes, even if I only have one open.

Norton keeps finding viruses. Itunes will not download.

[TimW]

Tell me what Norton is finding. The exact path.

[Wendigo X]

C:Windows\mgctrd.dll

[TimW]

Are you unable to delete it?

If not, then:
Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

* Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
If it is not on your Desktop, the below will not work.
* Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
* If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
* Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):

Code:

KILLALL::

File::
C:Windows\mgctrd.dll

* Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
* At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
* You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
If it asks you to overide the prvevious file with the same name, click YES.
* Now use your mouse to drag CFscript.txt on top of ComboFix.exe

* Follow the prompts.
* When it finishes, a log will be produced named c:\combofix.txt
* I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

Then attach the below logs:

* C:\ComboFix.txt
* C:\MGlogs.zip

Is it still reporting anything?

[Wendigo X]

Here are the logs. Why when I open IE are there one or two other IE processes running? I had not seen that before this thing originally hit.

[TimW]

Please download the latest version of ComboFix. And I want you to make sure you have updated your Norton program.

Once you have downloaded Combo to your desktop, and have shut down your AV and AS programs:

* Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):

Code:

KILLALL::

File::
c:\windows\mgctrd.dll
c:\windows\Hlupuqiyaloqe.bin
c:\windows\Ewahine.dat
c:\windows\owozizazi.dll

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ynonajazeti"=-

* Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
* At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
* You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
If it asks you to overide the prvevious file with the same name, click YES.
* Now use your mouse to drag CFscript.txt on top of ComboFix.exe

* Follow the prompts.
* When it finishes, a log will be produced named c:\combofix.txt
* I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

Then attach the below logs:

* C:\ComboFix.txt
* C:\MGlogs.zip

[Wendigo X]

Here are the logs. The Combofix icon is no longer on the desktop, and it did not seem to run, or froze once it got to the creating log file point.

There does not seem to be a log for that, but here is the MG log.

Thank you multiple times over for continuing to help.

[TimW]

The files and the registry key are gone. The only remaining file is C:\WINDOWS\Hlupuqiyaloqe.bin which is empty. You may as well delete the C:\ComboFix folder. I am not seeing any other issues in those logs. Tell me what issues you are still having.