I'm back here again.

Discussion in 'Malware Help (A Specialist Will Reply)' started by PCneedsHelp, Apr 16, 2007.

  1. PCneedsHelp

    PCneedsHelp Private E-2

    :eek:

    So I was looking for more fun programs that I could install on my PC and I forgot to look at the site in cached mode from Google first...then I got infected.

    I think I got rid of Smitfraud-C, Wincom32, and ntos.exe using Killbox and Spybot.
    I know that I have Peacomm because Blacklight found the windev-peers.ini file.

    In order for me to open Windows Explorer, I have to run Spybot and let it fix the FirewallBypass each time I boot into Windows or else I get a BSOD with a memory dump.

    The only program that wouldn't finish was Activescan which froze at the same file it always freezes at but Activescan did find 1 instance of spyware and 2 instances of hacking tools or rootkits.

    I think the best thing to do would be to reinstall XP but I'm just wondering if I can save a few files onto a CD-R or flash drive without bringing the infections along.
     

    Attached Files:

  2. PCneedsHelp

    PCneedsHelp Private E-2

    These are the other two logs.
     

    Attached Files:

  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Use pocketKill box to delete these:
    C:\WINDOWS\TEMP\HSB6D.EXE-> unless you know what this item is!
    C:\WINDOWS\ua2.dll

    Please download and install: Registrar Lite - be sure you select a Majorgeeks download link and not the Authors!

    Run Registrar Lite, navigate to each of the following keys (one at a time) and take ownership of them (I explain how to do that further down).

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINCOM32]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINCOM32\0000]
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINCOM32]
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINCOM32\0000]
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_WINCOM32]
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_WINCOM32\0000]

    To take ownership of the key do the following:

    * Copy & Paste the registry key from above into the Address bar of Registrar Lite and hit the enter key. This will bring you to the registry key.
    * Click-on Security in the top Menu
    * Select Take Ownership
    * Repeat these steps for all of the registry keys given above before continuing to the next steps below.
    * Now leave RegistrarLite running and continue
    * Now run the fixME.reg REGISTRY PATCH below in this message.
    * Tell me the results. Any error messages?
    * Now in RegistrarLite click View and then Refresh
    * Now navigate one at a time to each of the above keys we took ownership of to make sure they were deleted.
    * If any of the keys still exist, move on down to PART 2 - Setting Permissions for Everyone below!


    Here is the Registry Patch

    Now copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.

    After clicking Edit Permissions, here is what I expect you to see in the Group or user names area of the form:

    Everyone
    SYSTEM

    Select Everyone by clicking on it. Now at the bottom in the Permissions box click the check box for Full Control. Then click Apply and then OK to get back to the main Registrar Lite screen. Now right click on the registry key and select Delete. Then click View and Refresh. Check to see if the registry key you just deleted was truly deleted. If so, move on to the next one and work thru the whole list. If it does not delete, I want you to boot into safe mode and repeat these exact same steps to see if we can do it from safe mode.

    Then reboot your PC!

    Now run GetRunKey again and attach a new log!
    And a ShowNew log also.
     
  4. PCneedsHelp

    PCneedsHelp Private E-2

    C:\WINDOWS\TEMP\HSB6D.EXE <= This is part of OfficeScan and is a randomized 5-digit .exe file.

    I deleted ua2.dll with Killbox and it doesn't appear to be back.

    I'm going to clean the registry now.
     
  5. PCneedsHelp

    PCneedsHelp Private E-2

    I removed those entries with Registrar Lite (had to set the permissions), rebooted, and ran GetRunKey and ShowNew.

    Also, I found these registry entries which the Peacomm trojan makes.
    Should I remove them using the same process as the previously removed entries or wait until further instruction?

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDEV-27D7-3EA]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDEV-27D7-3EA\0000]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDEV-27D7-3EA\0000\Control]
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINDEV-27D7-3EA]
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINDEV-27D7-3EA\0000]
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINDEV-27D7-3EA\0000\Control]
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_WINDEV-27D7-3EA]
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_WINDEV-27D7-3EA\0000]
     

    Attached Files:
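    The keys TimW and PCneedsHelp list above follow one pattern: a driver service named X leaves a LEGACY_X key under Enum\Root in each control set (CurrentControlSet is just an alias for one of the numbered sets), and the key stays behind when the malware's service is removed. The script below, an added example that is not from this thread or from Registrar Lite or GetRunKey, reports LEGACY_ keys whose service no longer exists under Services, and builds the full list of key paths for a given service name so nothing is missed in ControlSet001 versus ControlSet003. On Windows it reads the live hive with winreg; elsewhere it runs against a constructed stand-in hive (the service and key names in CONSTRUCTED_SYSTEM_HIVE are made up for the example, with the thread's two names included). An orphaned LEGACY_ key is a lead to investigate, not proof of infection, since cleanly uninstalled drivers can leave one too.

```python
"""Find orphaned LEGACY_<service> keys under HKLM\\SYSTEM\\ControlSet*\\Enum\\Root.

Added example (not the forum's or any tool's code).  Pure functions work on a
dict of {"ControlSetNNN\\Services": [...], "ControlSetNNN\\Enum\\Root": [...]}
so the logic runs and is testable on any OS; read_live_hive() needs Windows.
"""
import sys

try:
    import winreg  # Windows only; absent elsewhere
except ImportError:  # pragma: no cover
    winreg = None

HKLM_SYSTEM = "HKEY_LOCAL_MACHINE\\SYSTEM"

# Constructed stand-in for a real SYSTEM hive (names invented for the example,
# except LEGACY_WINCOM32 and LEGACY_WINDEV-27D7-3EA, which the thread mentions).
CONSTRUCTED_SYSTEM_HIVE = {
    "ControlSet001\\Services": ["Tcpip", "NDIS", "Spooler"],
    "ControlSet003\\Services": ["Tcpip", "NDIS", "Spooler"],
    "ControlSet001\\Enum\\Root": [
        "LEGACY_TCPIP", "LEGACY_NDIS", "LEGACY_WINDEV-27D7-3EA", "LEGACY_WINCOM32",
    ],
    "ControlSet003\\Enum\\Root": ["LEGACY_TCPIP", "LEGACY_NDIS", "LEGACY_WINCOM32"],
}


def _subkeys(key):
    """All direct subkey names of an open winreg key."""
    names, i = [], 0
    while True:
        try:
            names.append(winreg.EnumKey(key, i))
        except OSError:  # no more subkeys
            return names
        i += 1


def read_live_hive():
    """Snapshot Services and Enum\\Root of every numbered control set (Windows only)."""
    if winreg is None:
        raise RuntimeError("winreg is only available on Windows")
    hive = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, "SYSTEM") as system:
        for cs in _subkeys(system):
            if not cs.upper().startswith("CONTROLSET"):
                continue  # skip Select, Setup, MountedDevices, ...
            for rel in ("Services", "Enum\\Root"):
                with winreg.OpenKey(system, cs + "\\" + rel) as sub:
                    hive[cs + "\\" + rel] = _subkeys(sub)
    return hive


def control_sets(hive):
    """Sorted numbered control set names present in the snapshot."""
    return sorted({path.split("\\")[0] for path in hive})


def keys_for_service(hive, service):
    """Every LEGACY_<service> key path across all control sets (subkeys such as
    \\0000 are removed together with the parent)."""
    wanted = "LEGACY_" + service.upper()
    paths = []
    for cs in control_sets(hive):
        for name in hive.get(cs + "\\Enum\\Root", []):
            if name.upper() == wanted:
                paths.append(f"{HKLM_SYSTEM}\\{cs}\\Enum\\Root\\{name}")
    return paths


def orphaned_legacy_keys(hive):
    """LEGACY_ keys whose service has no entry under the same control set's Services."""
    orphans = []
    for cs in control_sets(hive):
        services = {s.lower() for s in hive.get(cs + "\\Services", [])}
        for name in sorted(hive.get(cs + "\\Enum\\Root", [])):
            if not name.upper().startswith("LEGACY_"):
                continue
            if name[len("LEGACY_"):].lower() not in services:
                orphans.append(f"{HKLM_SYSTEM}\\{cs}\\Enum\\Root\\{name}")
    return orphans


if __name__ == "__main__":
    hive = read_live_hive() if sys.platform == "win32" else CONSTRUCTED_SYSTEM_HIVE
    for path in orphaned_legacy_keys(hive):
        print("orphaned:", path)
```

Run it once before the Registrar Lite work to get the complete key list, and once more after the reboot: an empty report for the service name confirms the deletion held in every control set, which is what the follow-up GetRunKey log is meant to show.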

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please download the newest version of GetRunKey (you are 4 versions out of date) from the READ & RUN ME link and attach a new log for Tim!
     
  7. PCneedsHelp

    PCneedsHelp Private E-2

    Oops... :eek:
     

    Attached Files:

  8. PCneedsHelp

    PCneedsHelp Private E-2

    I'm just going to format the drive and reinstall XP since Counterspy found another backdoor. I guess you can close this thread then.

    Thanks for the help.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You don't need to format the PC but that's your choice. I thought that Tim would be back to help you out but he has not been around.

    You will see that the new version of GetRunKey found those other Peacomm registry keys. You can fix them using the same type of procedure that he gave you with Registrar Lite but just substitute in these new keys. Do you know how to do that? Or would you like a write up (assuming you still want to fix vs formatting)?
     
  10. PCneedsHelp

    PCneedsHelp Private E-2

    I'll give it a try and see if I still have problems.

    Should I be worried about those backdoor trojans installing a backdoor that I wouldn't be able to find? That's why I felt that formatting would be safer.
     
    Last edited: Apr 17, 2007
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not necessarily! Attach a log from CounterSpy if you have it! Anytime you have a malware detection, it is a lot more useful to us if you tell us exactly what and where something is being found. And attaching a log that shows it (when possible) is even better. Just saying a backdoor is found is not helpful!

    If you run into a problem deleting the registry keys, let me know. Also be sure to attach a new log from GetRunKey after doing the deletions. This way we can be sure that all keys were removed.
     
  12. PCneedsHelp

    PCneedsHelp Private E-2

    I saved that CounterSpy log and the backdoor should be the last file on the list. The first CounterSpy log also has a backdoor listed. Both were quarantined.

    I edited the registry and it seemed to work. :)

    I posted a new RunKeys and NewFiles.
     

    Attached Files:

  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Part of the problems you are having are due to the fact that some of the Windows OS files on your PC have become infected. Thus each time you shut down or reboot, you become reinfected. How good are you at using a command prompt window and entering commands to copy and delete files? I can give you detailed steps but I want to get a feeling for your knowledge level.
     
  14. PCneedsHelp

    PCneedsHelp Private E-2

    I can do run cmd and type. :eek:

    I've used ipconfig, ping, and tracert many times before.
     
    Last edited: Apr 17, 2007
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! :) Sounds like you are not a DOS expert! :D

    Open a command prompt and try doing the below commands in a command prompt window. If you get an error message basically denying a copy because a file is in use, we will have to do it in safe mode.

    copy C:\WINDOWS\system32\drivers\ndis.sys C:\WINDOWS\system32\drivers\ndis.sys.bak

    copy C:\WINDOWS\ServicePackFiles\i386\ndis.sys C:\WINDOWS\system32\drivers\ndis.sys


    Just try the above and tell me if you get any error messages! Be careful to note the spaces! One after the word copy, and one just before the second C:\ on each line!
     
  16. PCneedsHelp

    PCneedsHelp Private E-2

    The first command won't work because it is being used by another process.

    Should I try this in safe mode with networking?
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That's what I expected!

    Do it in safe mode with NO networking! Make sure the first command actually works before doing the second one. You can check this by either looking in the C:\windows\system32 folder with Windows Explorer or you could just type the below at the command prompt to make sure both ndis.sys and ndis.sys.bak exist.

    dir c:\windows\system32\ndis.*
     
  18. PCneedsHelp

    PCneedsHelp Private E-2

    I copied both files and used

    dir C:\WINDOWS\system32\drivers\ndis* and found both .sys and .sys.bak.
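    The two copy commands above back up the live ndis.sys and overwrite it with the copy from ServicePackFiles, and the dir command checks that both files now exist. The script below, an added example that is not from this thread, does the same three steps with a stronger check than a directory listing: it hashes the live driver and the reference copy first, skips the copy when they already match, and confirms after the copy that the live file's hash equals the reference. The default paths are the thread's; the function and its return values are my own, and a PermissionError on the overwrite is the "file in use" case that chaslang resolves by working from safe mode. The ServicePackFiles copy is only a trustworthy reference if it is intact itself, so comparing the resulting hash against one published by the vendor is the stronger check where that is available.

```python
"""Back up a live driver, replace it from a reference copy, verify by hash.

Added example (not the forum's code).  Mirrors the thread's sequence:
  copy live live.bak ; copy reference live ; dir live*
but records SHA-256 hashes so "replaced" means "now byte-identical to the reference".
"""
import hashlib
import shutil
import sys
from pathlib import Path

# Paths from the thread (Windows XP layout).
LIVE_DRIVER = r"C:\WINDOWS\system32\drivers\ndis.sys"
REFERENCE_DRIVER = r"C:\WINDOWS\ServicePackFiles\i386\ndis.sys"
BACKUP_DRIVER = LIVE_DRIVER + ".bak"


def sha256_of(path):
    """Hex SHA-256 of a file, read in chunks so large drivers do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def restore_driver(live=LIVE_DRIVER, reference=REFERENCE_DRIVER, backup=BACKUP_DRIVER):
    """Replace `live` with `reference` after backing it up to `backup`.

    Returns a dict: changed (bool), live_before, reference, live_after (hashes).
    Raises PermissionError if the live file is locked (do it from safe mode) and
    RuntimeError if the copy completed but the live file still differs.
    """
    live, reference, backup = Path(live), Path(reference), Path(backup)
    if not reference.is_file():
        raise FileNotFoundError(f"reference copy missing: {reference}")
    before = sha256_of(live)
    ref_hash = sha256_of(reference)
    if before == ref_hash:
        # Nothing to do: the live driver already matches the reference.
        return {"changed": False, "live_before": before,
                "reference": ref_hash, "live_after": before}
    shutil.copy2(live, backup)        # first copy command: keep the suspect file
    shutil.copy2(reference, live)     # second copy command: install the reference
    after = sha256_of(live)
    if after != ref_hash:
        raise RuntimeError("live driver still differs from the reference after copy")
    return {"changed": True, "live_before": before,
            "reference": ref_hash, "live_after": after}


def backup_is_consistent(live=LIVE_DRIVER, backup=BACKUP_DRIVER):
    """The thread's `dir ndis*` check, made explicit: both files exist and differ
    from each other (the backup holds the old, suspect content)."""
    live, backup = Path(live), Path(backup)
    return live.is_file() and backup.is_file() and sha256_of(live) != sha256_of(backup)


if __name__ == "__main__":
    args = sys.argv[1:]
    result = restore_driver(*args) if args else restore_driver()
    print(result)
```

Keep the .bak file until the cleanup is confirmed: its hash is the value to look up if you later want to identify what the infected driver was.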
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Attach a new log from ShowNew!
     
  20. PCneedsHelp

    PCneedsHelp Private E-2

    Here is the log.
     

    Attached Files:

  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Good job! ;) You got the infected file successfully replaced.

    Now try deleting the below files. If they will not delete right now, use safe mode or use Pocket Killbox to delete them.

    C:\cp1041.nls
    C:\WINDOWS\system32\o.dll

    Then either way after a reboot attach new logs from
    • GetRunKey
    • ShowNew
    • HJT
    How is everything working now?
     
  22. PCneedsHelp

    PCneedsHelp Private E-2

    C:\cp1041.nls I deleted this file from explorer.
    C:\WINDOWS\system32\o.dll I used KillBox to delete this on reboot.

    I rebooted, ran GetRunKey, ShowNew, HJT, and saved the logs.

    I couldn't connect to the internet and ran LSPFix again which made those two files and after a reboot, I could reconnect.

    I think I'm supposed to run LSPFix as Admin, though. :eek:

    Should I delete those two files again, reboot, get the logs, and then run LSPFix as Admin, and then post the new logs?
     

    Attached Files:

  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I don't quite understand what you mean by "which made those two files"?


    Run LSP-Fix.

    Check the Box labeled "I know what I'm doing" and then click on the o.dll file (in the “Keep” section) to select it.

    Then, Select the >> button to move o.dll into the Remove section.

    Now, click the Finish Button. When the Repair Summary box appears, click OK.
    If it is already in the Remove section, just click Finish.

    Make sure those two files are deleted. And attach new logs!
     
  24. PCneedsHelp

    PCneedsHelp Private E-2

    Actually those files are gone.

    I thought that by running LSPFix, that o.dll file would be recreated and fix the entry on the HJT log that said

    Then, I assumed that the other file was somehow related and would also be replaced. They were removed the first time. I'm an idiot. :eek:


    Also, CounterSpy finished the daily 2:00AM scan and quarantined another trojan. I'll attach the log.

    BTW, I can click on Windows Explorer without fixing the FirewallBypass in Spybot and not get a BSOD. So that problem is taken care of.
     

    Attached Files:

    Last edited: Apr 18, 2007
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    CounterSpy only found what we removed using Killbox! Our final steps will take care of removing the backups.

    Is the O10 line now gone from your HJT log?


    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you run Avenger, you can delete all files related to Avenger now.
    7. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    8. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created.
    9. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
  26. PCneedsHelp

    PCneedsHelp Private E-2

    The O10 line is gone. I don't seem to have any problems.

    Should I worry about any backdoors created by those infections?

    Thank you for your help! :)
     
  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No! Unless you are really paranoid!;) Then your only alternative would be to delete your Windows partition and then recreate it and reinstall from scratch.
     
  28. PCneedsHelp

    PCneedsHelp Private E-2

    Thanks again! :)
     
  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!
     
