wgsdgsdgdsgsd LOCKING VISTA HOME 64bit

Discussion in 'Malware Help (A Specialist Will Reply)' started by Giant Jenga, Jan 26, 2013.

  1. Giant Jenga

    Giant Jenga Private E-2

    My system runs Vista Home 64bit. I originally had a cybercrime virus that locked the system immediately after logging in as a user. Task Manager would not display and I could only change user or shut down.

    I downloaded mbam-setup=1.70.0.1100.exe (Malwarebytes) on another computer and saved it to a CD. I started the infected system in safe mode with command prompt and ran the file and found infections that I deleted.

    The Vista system then allowed me to log in as either user, then displays the same message:
    Error loading c:\users\toews\wgsdgsdgdsgsd.exe --- Rundll* error

    I get a black screen (no icons at all on the desktop) when I log in normally, in safe mode or in safe mode with networking. The Task Manager will not display in any of the login modes when selected from the Ctrl+Alt+Del screen.

    I log in using safe mode with command prompt (I have done so as both users).
    I have deleted all the TEMP folder files.
    I edited REGEDIT and deleted all lines with wgsdgsdgdsgsd.exe. (I read on a bulletin to delete 'random.exe' entries in the REGEDIT but could not find it on a search)
    I re-ran mbam-setup=1.70.0.1100.exe (WITHOUT AN UPDATE, due to the fact that I cannot access the internet). The first time it found 8 infections and I deleted them. The second time I re-ran it, it found 1 infection and I deleted it, and the third time no infections were found.
    I downloaded MGTOOLS.exe and created a log file.
    I tried running ccleanersdm but it doesn't run, I am assuming it requires access to the internet.
    After downloading on another computer to a CD I tried running SpyHunter, PCTools but all require access to the internet and abort installation.

    I tried logging in normally virtually every time after I invoked each item listed above, but the same Rundll error appeared, causing the same lockup.

    NOW, after all this, the Vista system still does the same thing: it allows me to log in as both users, then displays the message:
    Error loading c:\users\toews\wgsdgsdgdsgsd.exe --- Rundll* error

    WHAT NOW?
     

    Attached Files:

  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Through the command panel, change the directory to C:\ProgramData.

    Then delete these:
    C:\ProgramData\dsgsdgdsgdsgw.bat
    C:\ProgramData\dsgsdgdsgdsgw.js
    C:\ProgramData\dsgsdgdsgdsgw.pad
    C:\ProgramData\dsgsdgdsgdsgw.reg

    See if you can now boot into normal mode.
     
  3. Giant Jenga

    Giant Jenga Private E-2

    Thank you for the quick reply. I deleted the 4 files, rebooted into normal, logged in as the primary user and a black screen appears. (NO icons at all)! Ctrl Alt Del allows me to invoke Task Manager, etc.

    What's next?
     
  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    With Task Manager, can you invoke a new process like explorer?
     
  5. Giant Jenga

    Giant Jenga Private E-2

    I just invoked explorer.exe and I have the Computer window on my screen.
     
  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Can you now run RogueKiller and Hitman? How about MBAM?
     
  7. Giant Jenga

    Giant Jenga Private E-2

    I ran an MBAM full scan yesterday and it didn't find any problems. I was able to run CCleanerSDM for the first time yesterday and had it repair all the problems it found. I rebooted the system but still get a black, blank screen logging in as both users. I tried to run a scan in RogueKiller today and a 'Microsoft Windows' message appears:
    "RogueKiller.exe has stopped working - A problem caused the program to stop working correctly. Windows will close the program and notify you if a solution is available"
    Before the message appeared RogueKiller was searching for Policy Hijacks in the Registry tab showing it found four 'Key Type' - HJPOL; 'Global' - HKLM; 'Key- - SOFTWARE\Microsoft\Windows\Cur... (truncates the column); 'Value' - DisableTa OR Disable Re; 'Data' - 0
    I can only select 'Close Program' and I do not get any solution from Microsoft as expected!

    I do not have Hitman but I can finally get on the internet with the infected system by running 'iexplore' as a new task in the Task Manager.
     
  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please do the below so that we can boot to System Recovery Options to run a scan. There will be two options to choose from. One if you do not have your Windows 7 boot DVD and another when you have your DVD.

    For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.
    For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

    Plug the flashdrive into the infected PC.

    Option1: Enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
    Option2: Enter System Recovery Options by using Windows installation disc:
    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
    On the System Recovery Options menu you will get the following options:
    • Select Command Prompt
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
      Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please attach this file to your next reply. (See: How to attach)

    Example:
    HKU\drivera\...\Run: [sqa3d797wv] C:\Users\drivera\sqa3d797wv.exe [x]
    HKU\drivera\...\Winlogon: [Shell] C:\Users\drivera\AppData\Local\b6e65b00\X [x]


    Download this >> View attachment 175879 (Fixlist.txt)

    start
    Unlock:
    C:\Windows\System32\services.exe
    Replace: C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe C:\Windows\System32\services.exe
    HKLM\...\Run: [Seagull Drivers] ssdal_nc.exe startup [x]
    HKU\Administrator\...\Policies\system: [DisableRegistryTools] 0
    HKU\Administrator\...\Policies\system: [DisableTaskMgr] 0
    HKU\drivera\...\Run: [sqa3d797wv] C:\Users\drivera\sqa3d797wv.exe [x]
    HKU\drivera\...\Winlogon: [Shell] C:\Users\drivera\AppData\Local\b6e65b00\X [x]
    2 Nmea; C:\Windows\System32\{85ccb53b-23d8-4e73-b1b7-9ddb71827d9b}.dll [x]
    2012-03-09 15:14 - 2009-07-13 18:37 - 0000000 ___DC C:\Windows\$NtUninstallKB4633$
    2012-03-05 12:33 - 2012-03-09 10:27 - 0000000 __SHD C:\Users\drivera\AppData\Local\b6e65b00
    c:\windows\$NtUninstallKB4633$\2103559974
    c:\windows\$NtUninstallKB4633$\3068549888
    c:\windows\assembly\GAC_MSIL\desktop.ini
    c:\windows\system32\dds_log_trash.cmd
    c:\windows\$NtUninstallKB4633$
    cmd: bdcedit /enum all /v
    cmd: bootrec /fixmbr
    cmd: bootrec /fixboot
    end
    Save fixlist.txt to your flash drive.
    • You should now have both fixlist.txt and FRST.exe on your flash drive.
    Now reboot back into the System Recovery Options as you did previously.
    Run FRST and press the Fix button just once and wait.
    The tool will make a log on the flashdrive (Fixlog.txt).
    Please attach this to your next message. (See how to attach)

    Now boot into normal Windows and continue with the below.
    Running MGTools.

    We need some additional information so that we can replace an infected system file.
    Boot to System Recovery Options and run FRST again.
    Type the below bolded text in the edit box after "Search:".
    services.exe
    Then click the Search button.
    It will make a log (Search.txt) on the flash drive. Please attach this log to your next reply.
     
  9. Giant Jenga

    Giant Jenga Private E-2

    I have attached the three files as requested. I certainly hope I followed your instructions properly.
     

    Attached Files:

  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Save fixlist.txt to your flash drive.
    • You should now have both fixlist.txt and FRST.exe on your flash drive.
    Now reboot back into the System Recovery Options as you did previously.
    Run FRST and press the Fix button just once and wait.
    The tool will make a log on the flashdrive (Fixlog.txt).
    Please attach this to your next message. (See how to attach)
     

    Attached Files:

  11. Giant Jenga

    Giant Jenga Private E-2

    I copied 'fixlist.txt' file from your previous message to my flashdrive and ran FRST64 on my infected system. I have attached the 'Fixlog.txt' file created by selecting FIX.
     

    Attached Files:

  12. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You need to tell me what's happening now.
     
  13. Giant Jenga

    Giant Jenga Private E-2

    The system still reacts the same as the last description: I am allowed to login as a user then the display is a blank, black screen with no Start bar or icons. The TuneUp360 Notice appears giving me the option to scan the PC. An Apple Software Update window appears giving the option to download an update. I have access to the internet and the task manager.
     
  14. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Use Task Manager to open Notepad. Now copy just the bold text below to Notepad (do not include any space above the word REGEDIT). Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double-click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.
     
    Last edited: Jan 30, 2013
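As an added, read-only check (not part of the thread, and not any tool's own code), the PowerShell script below reads the registry values this thread keeps coming back to: the DisableTaskMgr and DisableRegistryTools policy values that RogueKiller flagged and the fixlist resets to 0, the Winlogon Shell value the fixlist removes, and Run entries that launch an .exe sitting directly under a user profile, like the thread's C:\Users\drivera\sqa3d797wv.exe sample. It changes nothing; it only reports what it finds so you can compare against a log before and after a fix.

```powershell
# Added audit script, not from the thread. Read-only: reports values, changes nothing.
$findings = @()

# Policy values the thread's fixlist sets to 0 (RogueKiller reported them as HJPOL).
$policyPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
)
foreach ($path in $policyPaths) {
    if (-not (Test-Path $path)) { continue }
    $props = Get-ItemProperty -Path $path
    foreach ($name in 'DisableTaskMgr', 'DisableRegistryTools') {
        $value = $props.$name
        if ($null -ne $value -and $value -ne 0) {
            $findings += "$path\$name = $value (expected 0 or absent)"
        }
    }
}

# Winlogon Shell: machine-wide it should be explorer.exe; a per-user Shell is
# unusual and is exactly what the fixlist removed (pointing into AppData\Local).
$wl = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$hklmShell = (Get-ItemProperty -Path "HKLM:\$wl" -ErrorAction SilentlyContinue).Shell
if ($hklmShell -and $hklmShell -ne 'explorer.exe') {
    $findings += "HKLM Winlogon Shell = '$hklmShell' (expected explorer.exe)"
}
$hkcuShell = (Get-ItemProperty -Path "HKCU:\$wl" -ErrorAction SilentlyContinue).Shell
if ($hkcuShell) {
    $findings += "HKCU Winlogon Shell = '$hkcuShell' (normally not set per user)"
}

# Run entries whose target is an .exe directly under C:\Users\<name>\ (the
# thread's [sqa3d797wv] C:\Users\drivera\sqa3d797wv.exe pattern).
foreach ($hive in 'HKLM', 'HKCU') {
    $run = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    if (-not (Test-Path $run)) { continue }
    (Get-ItemProperty -Path $run).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' -and
                       "$($_.Value)" -match '^"?[A-Za-z]:\\Users\\[^\\]+\\[^\\]+\.exe' } |
        ForEach-Object { $findings += "$run\$($_.Name) = $($_.Value)" }
}

if ($findings.Count -eq 0) { 'No suspicious values found.' } else { $findings }
```

Run it from the Task Manager's "New Task" prompt as `powershell -ExecutionPolicy Bypass -File audit.ps1` (path is yours to choose) once Task Manager is reachable again; HKCU results apply only to the account that runs it, so run it as each affected user.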
  15. Giant Jenga

    Giant Jenga Private E-2

    I followed your instructions and the Registry Editor indicated fixMe.reg has been successfully added to the registry. Do I restart the infected system?
     
  16. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Yes, try to restart. ;)
     
