Virus/Trojan That stops Regedit+TM+access to some files

Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

After clicking Fix, exit HJT.

* Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
If it is not on your Desktop, the below will not work.
* Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
* If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
* Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):

Code:

KILLALL::

NetSvc::
xryjdspwp

File::
C:\Program Files\Smart Virus Remover\Smart Virus Remover.exe

Folder::
c:\program files\Smart Virus Remover
c:\program files\Messenger Plus! Live

Registry::
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2F364306-AA45-47B5-9F9D-39A8B94E7EF7}]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]

* Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
* At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
* You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
If it asks you to overide the previous file with the same name, click YES.
* Now use your mouse to drag CFscript.txt on top of ComboFix.exe
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
* Follow the prompts.
* When it finishes, a log will be produced named c:\combofix.txt
* I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

Please run this: GMER - running with a random name and attach the log from GMER.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

Then attach the below logs:

* C:\ComboFix.txt
* C:\MGlogs.zip

 

The only reference is in your HJT log. Let's do it again. Make sure no AS or AV program is running to bloke the fix.

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

After clicking Fix, exit HJT.

Now tell me how confident you feel about going into your registry?

Attach the new HJT log.

 

Please run Defogger as requested in step 6 of the READ & RUN ME to disable your disk emulation software. You need to keep this disable until your problems are resolved.


Now go to TDSSKiller and Download TDSSKiller.zip to your Desktop

• Extract its contents to your Desktop so that you have TDSSKiller.exe directly on your Desktop and not in any subfolder of the Desktop.
• Click Start > Run and copy/paste the following bold command into Run box and hit Enter.

"%userprofile%\Desktop\TDSSKiller.exe" -v

• Follow the instructions to type in "delete" when it asks you what to do when if finds something.
• When done, a log file should be created on your C: drive named something like TDSSKiller.2.1.1_27.12.2009_14.17.04_log.txt which is based on the program version # and date and time run. Please attach this log to your next reply. (See: HOW TO: Attach Items To Your Post )

Now we need to use ComboFix

• Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
  • If it is not on your Desktop, the below will not work.
• Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
• If ComboFix tells you it has expired or need to be updated to a new version, make sure you allow it to update.
• Open Notepad and copy/paste the text in the below quote box into it:

• Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
• Now use your mouse to drag CFscript.txt on top of ComboFix.exe
• Follow the prompts.
• When it finishes, a log will be produced named c:\combofix.txt
• I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

Then attach the below logs:

• C:\ComboFix.txt
• C:\MGlogs.zip

Make sure you tell me how things are working now!

 

Let's try it again.

Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

After clicking Fix, exit HJT.

* Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
If it is not on your Desktop, the below will not work.
* Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
* If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
* Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):

Code:

KILLALL::

File::
C:\Documents and Settings\Admin\Local Settings\temp\4.TMP

Registry::
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 0 (0x0)
"DisableRegistryTools"= 0 (0x0)

* Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
* At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
* You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
If it asks you to overide the previous file with the same name, click YES.
* Now use your mouse to drag CFscript.txt on top of ComboFix.exe
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
* Follow the prompts.
* When it finishes, a log will be produced named c:\combofix.txt
* I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

Then attach the below logs:

* C:\ComboFix.txt
* C:\MGlogs.zip

 

Let's try something a little different. First go into your user accounts and change one of them so that it has Administrative privileges. Then log into that account and go to start / run / type:
regedit and tell me if your registry opens.

 

You have multiple users on this account, but only the one account that has admin. privileges:

Code:

Users on this computer:
Is Admin? | Username
------------------
   Yes    | Admin
   Yes    | Administrator
          | Guest
          | heave
          | heave1
          | HelpAssistant (Disabled)
          | postgres
          | postgres1
          | postgres2
          | postgress
          | SUPPORT_388945a0 (Disabled)

What I suggested was to change one of the above to have admin. privileges and see if you are still blocked.

 

Bummer.

Now download The Avenger by Swandog469, and save it to your Desktop.

* Extract+ avenger.exe from the Zip file and save it to your desktop
Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

* Run avenger.exe by double-clicking on it.
* -Do not change any check box options!!
* Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

* Now click the Execute button.
* Click Yes to the prompt to confirm you want to execute.
* Click Yes to the Reboot now? question that will appear when Avenger finishes running.
* Your PC should reboot, if not, reboot it yourself.
* A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

Now double click C:\MGtools\Regfix.bat

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

Then attach the below logs:

* C:\Avenger.txt
* C:\MGlogs.zip

 

Crap...sorry, I forgot.

Use windows explorer to find:
C:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\regedit.exe
Right click the regedit.exe and then copy and paste it directly on your C:\ drive ...so you have C:\regedit.exe

* Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
If it is not on your Desktop, the below will not work.
* Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
* If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
* Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):

Code:

KILLALL::
Driver::
abp470n5

File::
c:\windows\system32\drivers\omhgun.sys

FCopy::
C:\regedit.exe | C:\WINDOWS\system32\dllcache\regedit.exe

Registry::
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=-
"DisableTaskMgr"=- 

* Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
* At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
* You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
If it asks you to overide the previous file with the same name, click YES.
* Now use your mouse to drag CFscript.txt on top of ComboFix.exe
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
* Follow the prompts.
* When it finishes, a log will be produced named c:\combofix.txt
* I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

Then attach the below logs:

* C:\ComboFix.txt
* C:\MGlogs.zip

 

Did you do this:

?

 

I am going out on a limb with this one, so please create this disc and boot to it when ready:
Kaspersky Rescue Disk.

Tell me if it finds anything.

 

You need to do what I requested in my last message and download and run the version of TDSSKiller exactly as I requested. Running and old/outdated copy is not going to help you. Please follow my instructions and download it from the link I have you in my message. Links are in blue

 

The link works just fine. Either try again or use another PC to download it.

 

Then your other PC must be infected too.

Try the below. Make sure you run it exactly as requested.

View attachment tdsskiller.zip

 

That's okay. Using the current version was important just to be sure you do not have the TDSS infection.

Do you still have your Disk Emulation software (Daemon Tools) disable as requested? Your last logs seem to indicate that you download it but did not run it or renabled it.

Please run this: Resetting Registry and File Permissions


Now run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - Unknown owner - C:\PROGRA~1\AVG\AVG8\avgemc.exe (file missing)
O23 - Service: AVG Free8 WatchDog (avg8wd) - Unknown owner - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe (file missing)
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)

After clicking Fix, exit HJT.

Now please run the 32 bit version of AVG's removal tool to cleanup additional items from AVG: http://www.avg.com/us-en/download-tools

Now let's clean up some things including some more left overs from AVG being broken and also some files that you have been saving where they do not belong.


Now we need to use ComboFix

• Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
  • If it is not on your Desktop, the below will not work.
• Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
• If ComboFix tells you it has expired or need to be updated to a new version, make sure you allow it to update.
• Open Notepad and copy/paste the text in the below quote box into it:

• Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
• Now use your mouse to drag CFscript.txt on top of ComboFix.exe
• Follow the prompts.
• When it finishes, a log will be produced named c:\combofix.txt
• I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.


Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).



Then attach the below logs:

• C:\ComboFix.txt
• C:\MGlogs.zip

Make sure you tell me how things are working now!

NOTE: You appear to be missing your c:\boot.ini file which is likely why you are seeing that message saying Boot partition cannot be enumerated Correctly

You will need to fix this in the Software Forum if necessary but the Resolution section in the below link tells you how to do this with your boot CD.

http://support.microsoft.com/kb/330184

 

As stated in the READ & RUN ME, please refrain from doing anything but what we ask you to do. We never asked you to disable system restore. Also you are running and doing other things not requested. You must only do what we ask and nothing else. No repeated runs. No other scans. No other surfing...etc.

Now we need to use ComboFix again

• Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
  • If it is not on your Desktop, the below will not work.
• Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
• If ComboFix tells you it has expired or need to be updated to a new version, make sure you allow it to update.
• Open Notepad and copy/paste the text in the below quote box into it:

• Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
• Now use your mouse to drag CFscript.txt on top of ComboFix.exe
• Follow the prompts.
• When it finishes, a log will be produced named c:\combofix.txt
• I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

Then attach the below logs:

• C:\ComboFix.txt
• C:\MGlogs.zip

Make sure you tell me how things are working now!

 

Okay the below file keeps getting recreated:

c:\windows\system32\drivers\omhgun.sys

Also the below driver keeps being found and deleted by ComboFix

ABP470N5

It looks like you have a Sality infection. And I just noticed you mentioned this earlier in the thread. Did you have a scanner saying anything about this infection? You may have many system files infected. Even one of the keys I just had you delete with ComboFix ( [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc] ) is from Sality.

Please run the below removal tool from Kaspersky

http://support.kaspersky.com/faq/?qid=208279889

After running the above, repeat my previous instructions again and attach new logs from ComboFix and MGtools.

 

You need to be able to get to the link to follow the instructions there. It is not legal for us to post them here. Try using another browser or another PC so that you can follow the instructions.

 

That is not the removal tool that I asked you to run and based on your logs I'm guessing you still have a problem?

 

Yes a few infected files probably caused the whole infection to come back which means something addition is hiding or there are still many many infected system files.

Please run : GMER - running with a random name just like you did earlier and attach a new log. Make sure that you have not reenabled your disk emulation sotware otherwise the log will be of no use to me. If I still see Daemon Tools running in this log, I will be asking you to uninstall it and then we will be forcefully removing any leftovers to get it out of our way.

Also see if you can use another browser and run the Kaspersky removal tool for Sailty. The AVG tool was useless as it found nothing.

 

I did not ask you to find another version. I asked you to try running the Kaspersky one again from the link I supplied and I asked you to try using a different browser to access it. For example, if you have been using Internet Explorer, try using FireFox. Or if you had been using FireFox, try Internet Explorer.

There are several different websites that provide tools for attempting to remove Sality, but I want you to run the one from Kaspersky.


Also do the below.

Download the Registry Search Tool from here: http://www.billsway.com/vbspage/vbsfiles/RegSrch.zip

• Unzip to your Desktop and double click on regsrch.vbs
  (if you have script protection, please allow this to run)
• In the dialog that opens enter the following:

omhgun

• Press 'OK'
• The search will run for a while then alert you when it is finished.
• Press 'OK' and copy the contents of the WordPad window and post in this thread.

If you still were not able to run the Kaspersky Tool, please try running the below Online Scan from BitDefender and attach the log from it here:

http://www.bitdefender.com/scanner/online/free.html

 

Almost forgot! Some of your system files appears may have been replaced by a bad copies. I want to search for a replacement copies just in case. But did you update your Nvidia drivers in April this year? It could just be that the updated versions have much larger file sizes now.


Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1


Download Mirror #2

• Double-click SystemLook.exe to run it.
• Copy the content of the following codebox into the main textfield:

Code:

:filefind
nv4_mini.sys
nv4_disp.dll

• Click the Look button to start the scan.
• When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

 

Okay that would explain why the Nvidia files have changed.

You need complete what I requested in msg # 47