Windows XP Virus Help

Welcome to Major Geeks!

Please download the latest version of FRST the below link.
Farbar Recovery Scan Tool and save it to your Desktop.

Note: Make sure you download the proper version ( 32 bit or 64 bit ) for your PC. Only one will run, the correct one. So it you make a mistake and download the wrong one, go back and get the other.

• Double-click to run it. When the tool opens click Yes to disclaimer.
• Press Scan button.
• It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your next reply.
• The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

 

FYI: This PC does not have enough memory to properly run Windows XP SP3 and even worse, there is way too little free diskspace on drive I to run just about anything properly. You need to free up space on drive I immediately. You need to free up at least 5 to 10 GB.

Then rerun Malwarebytes and this time fix what it finds. You previous log shows that you did not fix anything.

 

As what's running?

You need to free up diskspace first before doing anything. The hard drive is out of space and this can cause all kinds of problems.

 

See what I posted in message # 3. I already asked you to run that. ALso you are not supposed to be doing anything on your own! See what we was request in the READ & RUN ME FIRST. Once you start, you must only do what we request.

Not 6 MB of free space is not enough. You need 1000 times that. 6 GB.

 

I also noticed that you had and may still have a CryptoWall infection! If you still have this, you really need to just erase everything on this PC and reinstall. Your security is at risk and these encrypted files cannot be decrypted.

 

Yes reboot and then continue with the below.

NOTE: This script was written specifically for this user for use on this particular computer. Running this on another machine may cause damage to your operating system.

Download this >> View attachment fixlist.txt

Save fixlist.txt on your Desktop. Make sure you save it as a txt file.

• You should now have both fixlist.txt and FRST64.exe on your Desktop.
• Now I want you to disconnect your PC connection to the internet by unplugging the cable ( if it is wireless then temporarily shutdown the wireless network ).
• Run FRST.exe by right clicking on it and selecting Run As Adminstrator
• Click the Fix button just once and wait.
• Your computer should reboot after the fix runs.
• Reconnect your internet connection after reboot so you can come back here to continue.
• The tool will make a log on the Desktop (Fixlog.txt) please attach this new log to your next reply (attach or paste)

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

Then attach the below logs:

• Fixlog.txt
• C:\MGlogs.zip

Please attach the above two log first before you continue with the below.
Also at this point, I want to double check the status of Poweliks by having you run another scan with FRST like in my last message and attach the new FRST.txt and Addition.txt logs.

 

I'm not sure why you are getting this error but let's try running this differently.

Just reboot your PC up in safe boot mode. Then Don't use right click to run FRST. Simply double click on it to run it. See if it runs this way.

 

You forgot the final part of my last instructions which stated the below

But just get the FRST.txt log.

After attaching the new FRST.txt log, continue on with the below.

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:


O4 - HKUS\S-1-5-18\..\Run: [XobeDsuz] regsvr32.exe "I:\Documents and Settings\All Users\Application Data\XobeDsuz\XobeDsuz.dat" (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [WoypEkep] regsvr32.exe "I:\Documents and Settings\All Users\Application Data\WoypEkep\WoypEkep.dat" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [XobeDsuz] regsvr32.exe "I:\Documents and Settings\All Users\Application Data\XobeDsuz\XobeDsuz.dat" (User 'Default user')


After clicking Fix, exit HJT.


Please download OTM by Old Timer and save it to your Desktop.

• Run OTM.exe by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).
• Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C
  (or, after highlighting, right-click and choose Copy): Do not include the word Code: which is just a title line of
  the code box

Code:

:Processes
explorer.exe

 
:Files
I:\Documents and Settings\All Users\Application Data\XobeDsuz
I:\Documents and Settings\All Users\Application Data\WoypEkep
I:\Documents and Settings\All Users\Application Data\WararXozna
I:\Documents and Settings\server\Start Menu\Programs\Startup\8718f58.exe
I:\Documents and Settings\server\Start Menu\Programs\Startup\QEXPLORER.EXE
I:\8718f58\8718f58.exe
I:\Documents and Settings\server\Application Data\8718f58.exe
I:\Documents and Settings\server\Application Data\FrameworkUpdate\ChromeUpdate.exe
I:\Documents and Settings\server\Local Settings\Application Data\noblimu.dll


:Reg
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"XobeDsuz"=-
"WoypEkep"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services]
"JavaQuickStarterService"=-
"gupdatem"=-
"gupdate"=-
"avast! Antivirus"=-

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\I:^Documents and Settings^server^Start Menu^Programs^Startup^8718f58.exe]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\I:^Documents and Settings^server^Start Menu^Programs^Startup^QEXPLORER.EXE]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\8718f5]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\8718f58]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ChromeUpdate]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MSMSGS]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\noblimu]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\WararXozna]
:Commands
[purity]
[EmptyTemp]
[start explorer]
[Reboot]

• Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar
  ) and choose Paste.
• Now click the large button.
• If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
• Close OTM.

Now navigate to the C:\_OTM\MovedFiles folder ( assuming your Windows drive is C). This is where your log will be
saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach
this log file to your next message.

Now please download Junkware Removal Tool to your desktop.

• Shut down your protection software now to avoid potential conflicts.
• Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
• The tool will open and start scanning your system.
• Note: That JRT may reset your home page to a google default so you will need to restore your home page setting if this happens.
• Please be patient as this can take a while to complete depending on your system's specifications.
• On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
• Attach JRT.txt to your next message.

Now rerun Hitman Pro like you did the first time but this time allow it to fix all malware items and Potentially Unwanted Programs if it still reports them.


Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).

Then attach the below logs:

• the C:\_OTM\MovedFiles log
• the JRT.TXT log
• C:\MGlogs.zip

Make sure you tell me how things are working now!

 

Okay it appears that a few things did not get fixed. In my last instructions the first part had a fix with analyse.exe that asked you to fix the below

O4 - HKUS\S-1-5-18\..\Run: [XobeDsuz] regsvr32.exe "I:\Documents and Settings\All Users\Application Data\XobeDsuz\XobeDsuz.dat" (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [WoypEkep] regsvr32.exe "I:\Documents and Settings\All Users\Application Data\WoypEkep\WoypEkep.dat" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [XobeDsuz] regsvr32.exe "I:\Documents and Settings\All Users\Application Data\XobeDsuz\XobeDsuz.dat" (User 'Default user')


Did you not find them? Try again. If you find them and have analyse.exe fix them then reboot your PC and scan again to see if they are really gone. Let me know. Maybe that error you had with analyse.exe ( really hijackthis.exe ) cause them not to get fixed. Did you still get that error while running the fix in message # 21?

 

Yes you want to remove all the Malware and Potentially Unwanted Programs which of course does not inclued FRST.

 

Seems your trial periode has already expired. Too bad. Your PC is having lots of problems. Some of them may be due to the way it is configured with drive I being the Windows boot drive. It seems to becausing issues for quite a few of the tools. Problems are showing up in your logs on drive I bu when we go to fix them, it keeps reporting that they are not found or you have those crashes in the applications. These all indicates issues with your Windows installation. It is getting difficult to work around these problems because many of the tools are not able to run properly.

Please run RogueKiller and have it fix any of the Powerlik items if they still show up. Then immediately reboot and after reboot, run a new scan with RogueKiller and attach the new log.

 

Okay that is looking much better than the original log. Just have it fix the below which you will find on the Registry tab

[Suspicious.Path] HKEY_USERS\S-1-5-21-1409082233-616249376-1417001333-1004\Software\Microsoft\Windows\CurrentVersion\Run | XobeDsuz : regsvr32.exe "I:\Documents and Settings\All Users\Application Data\XobeDsuz\XobeDsuz.dat" -> Found

After fixing this, reboot and run a new scan. Attach the new log.

 

Also do the below.


Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Make sure that you tell me if you receive a success message about adding the above
to the registry. If you do not get a success message, it definitely did not work.

 

You're welcome.

No not right now. Let's run Hitman Pro now and just perform a scan and save a new log to attach.

Also how are things running at this point?

 

Sounding pretty good. Let's delete a few items manually and then run one last check with MGtools.

Please delete the below. The one in purple is a folder name. The rest are files.

I:\Documents and Settings\server\Desktop\FRST-OlderVersion\FRST.exe
I:\Documents and Settings\server\Desktop\FRST-OlderVersion
I:\Documents and Settings\server\Desktop\FRST.exe
I:\Documents and Settings\server\My Documents\NETWORK SHARE\PC Help\FRST.exe


Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).

Then attach the below logs:

• C:\MGlogs.zip

 

When? While trying to delete those files and folder? Or only when trying to delet the last one that has the NETWORK SHARE folder in the path? Why is this a network share????? All these error you keep having arel indicating issues with your Windows Installation.

• Is drive I accessible to you?
• Can you find and open the I:\Documents and Settings\server folder?
• What can you tell me about the setup of this PC? Is it configured in some strange way?
• Is it really being used as a server?
• Does the other user account ( the adan account ) on this PC work properly or does it have strange problems too?

 

Okay thanks for the info. You can see info about that error message in the below link:

http://answers.microsoft.com/en-us/windows/forum/windows_xp-system/windows-no-disk-exception-processing-message/b1a67525-d5e8-46ae-9801-6b169547e656


Your logs are clean. General assessment is that this PC has some problems within Windows itself which is the cause for all of the error messages we have been seeing. If it runs okay for what you need to do then just live with it. Oherwise I suggest getting a new PC with an updated more secure operating system. If you cannot afford a new PC and the problems on this PC are causing you a lot of grief then look into a clean reinstall ( not a topic for this forum ).



If you are not having any other malware problems, it is time to do our final steps:

1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
2. Renable your Disk Emulation software with Defogger if you had disabled it in step 4 of the READ & RUN ME.
3. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
4. If running Vista, Win 7 or Win 8, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
5. Now goto the C:\MGtools folder and find the MGclean.bat file. Double click ( if running Vista, Win7, or Win 8 Right Click and Run As Administrator ) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others) and running MGclean.bat did not remove them, you can delete these files now.
7. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
8. If you are running Win 8, Win 7, Vista, Windows XP or Windows ME, do the below to flush restore points:
   • Refer to the instructions for your WIndows version in this link: Disable And Enable System Restore​
   • What we want you to do is to first disable System Restore to flush restore points some of which could be infected.
   • Then we want you to Enable System Restore to create a new clean Restore Point.
9. After doing the above, you should work thru the below link:
   • How to Protect yourself from malware!

 

You're welcome. Surf safely and enjoy your gift.