eRecovery Acer Aspire One ZG5

Solved/Closed
khaanam Posts 35 Registration date Friday November 6, 2009 Status Member Last seen May 16, 2014 - Jan 22, 2012 at 03:37 AM
Ambucias Posts 47356 Registration date Monday February 1, 2010 Status Moderator Last seen February 15, 2023 - Feb 11, 2012 at 03:34 PM
Hello,

Why do I get a virus in my Acer Aspire One ZG5 eRecovery program? Whenever I run this program it gets stuck and shows an error:
runtime error
program: X:/D2D32.EXE
R6002
Floating Point support not loaded

What does it mean, and how can I solve it so I can run eRecovery to restore my laptop to factory default? Please help me.

41 responses

Ambucias Posts 47356 Registration date Monday February 1, 2010 Status Moderator Last seen February 15, 2023 11,169
Jan 22, 2012 at 04:53 AM
To help you and prescribe a remedy, I must make a diagnosis, and to do so I require a system log.

1. Boot in safe mode with networking.

2. Open this link and download ZHPDiag2:

https://www.zebulon.fr/telechargements/securite/systeme/zhpdiag.html

(Don't be alarmed if the site is in French; it sometimes happens. The tool will take your system language and allow the download if you get a warning message. Also, clicking on the "hardhat" icon allows you to change the language.)

3. Save the file on your Desktop.

4. Double click on ZHPDiag.exe and follow the installation instructions.

The tool creates three icons: ZHPDiag, MRB, and ZHPFix (if necessary, we will use ZHPFix at the next step).

5. Double click on the shortcut ZHPDiag on your Desktop.

6. Click on the magnifying glass and run the analysis.

Wait for the tool to finish (it may take a long time).

7. Close ZHPDiag.


8. To transmit the report, click on this link:

https://authentification.site

9. Click on Parcourir and search for the directory where you installed ZHPDiag (usually C:\Program Files\ZHPDiag).

10. Select the file ZHPDiag.txt.

11. Click on "upload".

12. Copy the URL and post it here.

Best regards
1
Ambucias Posts 47356 Registration date Monday February 1, 2010 Status Moderator Last seen February 15, 2023 11,169
Jan 27, 2012 at 06:09 AM
Dear khaanam,

Thank you for the log.

Your system is still badly infected by both several adware programs and the worm Sality, which disabled your system's Security Center and your antiviruses.

Here is what I would like you to do:

1. On your desktop, ZHP Diag created 3 icons: ZHP Diag, MRB Check and ZHP Fix. Open ZHP Fix.

2. In ZHP Fix click on the big "H" as in Hospital.

3. Copy the following lines and paste them in ZHP Fix:

[HKLM\SOFTWARE\Microsoft\Security Center] AntiVirusOverride: Modified
[HKLM\SOFTWARE\Microsoft\Security Center] FirewallOverride: Modified
[HKLM\SOFTWARE\Microsoft\Security Center\Svc] AntiVirusDisableNotify: Modified
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
[HKLM\SOFTWARE\Microsoft\Security Center\Svc] FirewallOverride: Modified
[HKLM\SOFTWARE\Microsoft\Security Center\Svc] UpdatesDisableNotify: Modified
[HKLM\SOFTWARE\Microsoft\Security Center\Svc] UacDisableNotify: Modified
O2 - BHO: Searchqu Toolbar - {99079a25-328f-4bd4-be04-00955acaa0a7} . (...) -- C:\Program Files\WI371A~1\Datamngr\ToolBar\searchqudtx.dll
O3 - Toolbar: Searchqu Toolbar - {99079a25-328f-4bd4-be04-00955acaa0a7} . (...) -- C:\Program Files\WI371A~1\Datamngr\ToolBar\searchqudtx.dll
[HKCU\Software\DataMngr]
[HKCU\Software\Elwofdd]
[HKCU\Software\Ilivid]
[HKCU\Software\PriceGong]
[HKLM\Software\DataMngr]
O43 - CFD: 12/30/2011 - 1:17:50 PM - [34.213] ----D- C:\Program Files\iLivid
O43 - CFD: 10/25/2011 - 12:36:32 PM - [1.114] ----D- C:\Documents and Settings\Ayesha\Application Data\OpenCandy
O43 - CFD: 1/20/2011 - 1:00:16 PM - [0.002] ----D- C:\Documents and Settings\Ayesha\Application Data\PriceGong
O43 - CFD: 12/19/2011 - 3:41:24 PM - [0.014] ----D- C:\Documents and Settings\Ayesha\Local Settings\Application Data\Ilivid Player
O43 - CFD: 10/25/2011 - 7:32:48 PM - [0] ----D- C:\Documents and Settings\Ayesha\Local Settings\Application Data\OpenCandy
O47 - AAKE:Key Export SP - "C:\DOCUME~1\Ayesha\LOCALS~1\Temp\winduexx.exe" [Enabled] .(...) -- C:\DOCUME~1\Ayesha\LOCALS~1\Temp\winduexx.exe (.not file.)
O47 - AAKE:Key Export SP - "C:\DOCUME~1\Ayesha\LOCALS~1\Temp\winklhe.exe" [Enabled] .(...) -- C:\DOCUME~1\Ayesha\LOCALS~1\Temp\winklhe.exe (.not file.)
O47 - AAKE:Key Export SP - "C:\DOCUME~1\Ayesha\LOCALS~1\Temp\winvymwn.exe" [Enabled] .(...) -- C:\DOCUME~1\Ayesha\LOCALS~1\Temp\winvymwn.exe (.not file.)
O47 - AAKE:Key Export SP - "C:\DOCUME~1\Ayesha\LOCALS~1\Temp\winfpjuxv.exe" [Enabled] .(...) -- C:\DOCUME~1\Ayesha\LOCALS~1\Temp\winfpjuxv.exe (.not file.)
O47 - AAKE:Key Export SP - "C:\DOCUME~1\Ayesha\LOCALS~1\Temp\winjfxdmr.exe" [Enabled] .(...) -- C:\DOCUME~1\Ayesha\LOCALS~1\Temp\winjfxdmr.exe (.not file.)
O47 - AAKE:Key Export SP - "C:\DOCUME~1\Ayesha\LOCALS~1\Temp\winqyog.exe" [Enabled] .(...) -- C:\DOCUME~1\Ayesha\LOCALS~1\Temp\winqyog.exe (.not file.)
O47 - AAKE:Key Export SP - "C:\DOCUME~1\Ayesha\LOCALS~1\Temp\winmxmpsf.exe" [Enabled] .(...) -- C:\DOCUME~1\Ayesha\LOCALS~1\Temp\winmxmpsf.exe (.not file.)
O47 - AAKE:Key Export SP - "C:\DOCUME~1\Ayesha\LOCALS~1\Temp\winhjfuw.exe" [Enabled] .(...) -- C:\DOCUME~1\Ayesha\LOCALS~1\Temp\winhjfuw.exe (.not file.)
O47 - AAKE:Key Export SP - "C:\DOCUME~1\Ayesha\LOCALS~1\Temp\winekxc.exe" [Enabled] .(...) -- C:\DOCUME~1\Ayesha\LOCALS~1\Temp\winekxc.exe (.not file.)
O47 - AAKE:Key Export SP - "C:\DOCUME~1\Ayesha\LOCALS~1\Temp\windicx.exe" [Enabled] .(...) -- C:\DOCUME~1\Ayesha\LOCALS~1\Temp\windicx.exe (.not file.)
O47 - AAKE:Key Export SP - "C:\DOCUME~1\Ayesha\LOCALS~1\Temp\winidek.exe" [Enabled] .(...) -- C:\DOCUME~1\Ayesha\LOCALS~1\Temp\winidek.exe (.not file.)
O47 - AAKE:Key Export SP - "C:\DOCUME~1\Ayesha\LOCALS~1\Temp\winqpjbu.exe" [Enabled] .(...) -- C:\DOCUME~1\Ayesha\LOCALS~1\Temp\winqpjbu.exe (.not file.)
O47 - AAKE:Key Export SP - "C:\DOCUME~1\Ayesha\LOCALS~1\Temp\winxfce.exe" [Enabled] .(...) -- C:\DOCUME~1\Ayesha\LOCALS~1\Temp\winxfce.exe (.not file.)
O47 - AAKE:Key Export SP - "C:\DOCUME~1\Ayesha\LOCALS~1\Temp\winphxe.exe" [Enabled] .(...) -- C:\DOCUME~1\Ayesha\LOCALS~1\Temp\winphxe.exe (.not file.)
O47 - AAKE:Key Export SP - "C:\DOCUME~1\Ayesha\LOCALS~1\Temp\winqwiqt.exe" [Enabled] .(...) -- C:\DOCUME~1\Ayesha\LOCALS~1\Temp\winqwiqt.exe (.not file.)
O47 - AAKE:Key Export SP - "C:\DOCUME~1\Ayesha\LOCALS~1\Temp\winybubaj.exe" [Enabled] .(...) -- C:\DOCUME~1\Ayesha\LOCALS~1\Temp\winybubaj.exe (.not file.)
O47 - AAKE:Key Export SP - "C:\DOCUME~1\Ayesha\LOCALS~1\Temp\wingdiwl.exe" [Enabled] .(...) -- C:\DOCUME~1\Ayesha\LOCALS~1\Temp\wingdiwl.exe (.not file.)
O47 - AAKE:Key Export SP - "C:\DOCUME~1\Ayesha\LOCALS~1\Temp\winlawroa.exe" [Enabled] .(...) -- C:\DOCUME~1\Ayesha\LOCALS~1\Temp\winlawroa.exe (.not file.)
O47 - AAKE:Key Export SP - "C:\DOCUME~1\Ayesha\LOCALS~1\Temp\winqyeuwk.exe" [Enabled] .(...) -- C:\DOCUME~1\Ayesha\LOCALS~1\Temp\winqyeuwk.exe (.not file.)
O47 - AAKE:Key Export SP - "C:\DOCUME~1\Ayesha\LOCALS~1\Temp\winnmmobe.exe" [Enabled] .(...) -- C:\DOCUME~1\Ayesha\LOCALS~1\Temp\winnmmobe.exe (.not file.)
O47 - AAKE:Key Export SP - "C:\DOCUME~1\Ayesha\LOCALS~1\Temp\winmqlyh.exe" [Enabled] .(...) -- C:\DOCUME~1\Ayesha\LOCALS~1\Temp\winmqlyh.exe (.not file.)
O47 - AAKE:Key Export SP - "C:\DOCUME~1\Ayesha\LOCALS~1\Temp\winupphpw.exe" [Enabled] .(...) -- C:\DOCUME~1\Ayesha\LOCALS~1\Temp\winupphpw.exe (.not file.)
O47 - AAKE:Key Export SP - "C:\DOCUME~1\Ayesha\LOCALS~1\Temp\wingnigkl.exe" [Enabled] .(...) -- C:\DOCUME~1\Ayesha\LOCALS~1\Temp\wingnigkl.exe (.not file.)
O47 - AAKE:Key Export SP - "C:\DOCUME~1\Ayesha\LOCALS~1\Temp\winiriqi.exe" [Enabled] .(...) -- C:\DOCUME~1\Ayesha\LOCALS~1\Temp\winiriqi.exe (.not file.)
O47 - AAKE:Key Export SP - "C:\DOCUME~1\Ayesha\LOCALS~1\Temp\winmxcwl.exe" [Enabled] .(...) -- C:\DOCUME~1\Ayesha\LOCALS~1\Temp\winmxcwl.exe (.not file.)
O47 - AAKE:Key Export SP - "C:\DOCUME~1\Ayesha\LOCALS~1\Temp\winkhbhl.exe" [Enabled] .(...) -- C:\DOCUME~1\Ayesha\LOCALS~1\Temp\winkhbhl.exe (.not file.)
O47 - AAKE:Key Export SP - "C:\DOCUME~1\Ayesha\LOCALS~1\Temp\winvyny.exe" [Enabled] .(...) -- C:\DOCUME~1\Ayesha\LOCALS~1\Temp\winvyny.exe (.not file.)
O47 - AAKE:Key Export SP - "C:\DOCUME~1\Ayesha\LOCALS~1\Temp\winyyruv.exe" [Enabled] .(...) -- C:\DOCUME~1\Ayesha\LOCALS~1\Temp\winyyruv.exe (.not file.)
O47 - AAKE:Key Export SP - "C:\DOCUME~1\Ayesha\LOCALS~1\Temp\winugis.exe" [Enabled] .(...) -- C:\DOCUME~1\Ayesha\LOCALS~1\Temp\winugis.exe (.not file.)
O47 - AAKE:Key Export SP - "C:\DOCUME~1\Ayesha\LOCALS~1\Temp\winybxhq.exe" [Enabled] .(...) -- C:\DOCUME~1\Ayesha\LOCALS~1\Temp\winybxhq.exe (.not file.)
O47 - AAKE:Key Export SP - "C:\DOCUME~1\Ayesha\LOCALS~1\Temp\winhdrk.exe" [Enabled] .(...) -- C:\DOCUME~1\Ayesha\LOCALS~1\Temp\winhdrk.exe (.not file.)
O47 - AAKE:Key Export SP - "C:\DOCUME~1\Ayesha\LOCALS~1\Temp\winitagio.exe" [Enabled] .(...) -- C:\DOCUME~1\Ayesha\LOCALS~1\Temp\winitagio.exe (.not file.)
O47 - AAKE:Key Export SP - "C:\DOCUME~1\Ayesha\LOCALS~1\Temp\winmgjk.exe" [Enabled] .(...) -- C:\DOCUME~1\Ayesha\LOCALS~1\Temp\winmgjk.exe (.not file.)
O47 - AAKE:Key Export SP - "C:\DOCUME~1\Ayesha\LOCALS~1\Temp\winnbbtq.exe" [Enabled] .(...) -- C:\DOCUME~1\Ayesha\LOCALS~1\Temp\winnbbtq.exe (.not file.)
O47 - AAKE:Key Export SP - "C:\DOCUME~1\Ayesha\LOCALS~1\Temp\wingtjff.exe" [Enabled] .(...) -- C:\DOCUME~1\Ayesha\LOCALS~1\Temp\wingtjff.exe (.not file.)
O47 - AAKE:Key Export SP - "C:\DOCUME~1\Ayesha\LOCALS~1\Temp\winxwpkf.exe" [Enabled] .(...) -- C:\DOCUME~1\Ayesha\LOCALS~1\Temp\winxwpkf.exe (.not file.)
O47 - AAKE:Key Export SP - "C:\DOCUME~1\Ayesha\LOCALS~1\Temp\winnpxun.exe" [Enabled] .(...) -- C:\DOCUME~1\Ayesha\LOCALS~1\Temp\winnpxun.exe (.not file.)
O47 - AAKE:Key Export SP - "C:\DOCUME~1\Ayesha\LOCALS~1\Temp\winktfyk.exe" [Enabled] .(...) -- C:\DOCUME~1\Ayesha\LOCALS~1\Temp\winktfyk.exe (.not file.)
O47 - AAKE:Key Export SP - "C:\DOCUME~1\Ayesha\LOCALS~1\Temp\winyxbdrb.exe" [Enabled] .(...) -- C:\DOCUME~1\Ayesha\LOCALS~1\Temp\winyxbdrb.exe (.not file.)
O47 - AAKE:Key Export SP - "C:\DOCUME~1\Ayesha\LOCALS~1\Temp\winrnms.exe" [Enabled] .(...) -- C:\DOCUME~1\Ayesha\LOCALS~1\Temp\winrnms.exe (.not file.)
[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{83ff80f4-8c74-4b80-b5ba-c8ddd434e5c4}]
[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}]
[HKLM\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}]

[HKCU\Software\ilivid]
C:\Documents and Settings\Ayesha\Application Data\OpenCandy
C:\Documents and Settings\Ayesha\Application Data\PriceGong
C:\Documents and Settings\Ayesha\Local Settings\Application Data\OpenCandy

4. Now click on "GO"! All the lines should disappear.

5. Close ZHP Fix.

6. Delete the log that ZHP Diag produced.

7. Restart your system and send me another ZHP Diag log.

Catch you later
1
ZHPDiag or ZHPFix??? I have sent you the fix report...
0
Ambucias Posts 47356 Registration date Monday February 1, 2010 Status Moderator Last seen February 15, 2023 11,169
Jan 28, 2012 at 05:02 AM
Dear Tania,

Thank you for the log and pardon me for my total ignorance of Urdu.

Somehow, between yesterday and now, your system got infected by another worm virus called Mabutu.

We will try to remove it, and I am pretty sure that the other problems which you mentioned will go away. I have a good idea of the source of those multiple infections.

Until we re-establish your machine's healthy state, please ensure you do not use or open uTorrent and BearShare.

You have a program to put emoticons in your correspondence called Bandoo; it hides adware and spyware. I suggest you delete it.

1. Again, open ZHP Fix, click on the big H, copy and paste the following lines and then click on GO:

[HKCU\Software\DataMngr] => Infection PUP (Adware.Bandoo)
O47 - AAKE:Key Export SP - "C:\DOCUME~1\Ayesha\LOCALS~1\Temp\winiriqi.exe" [Enabled] .(...) -- C:\DOCUME~1\Ayesha\LOCALS~1\Temp\winiriqi.exe (.not file.)
O47 - AAKE:Key Export SP - "C:\DOCUME~1\Ayesha\LOCALS~1\Temp\winugis.exe" [Enabled] .(...) -- C:\DOCUME~1\Ayesha\LOCALS~1\Temp\winugis.exe (.not file.)
[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{83ff80f4-8c74-4b80-b5ba-c8ddd434e5c4}]

2. Download and run this tool:

http://www.secuser.com/telechargement/desinfection/AntiMabutu-EN.exe

3. Download, install and run Malwarebytes, which you can find on this site:

https://ccm.net/downloads/security-and-maintenance/4621-malwarebytes-anti-malware/

Ensure you update it.

Boot your computer in safe mode.

Please request a FULL system scan, which may take from 20 minutes to hours. Do not interfere no matter how long it takes. The creators of Malwarebytes recommend that while the tool is running you go do something else, such as watching a rerun of Gone with the Wind or reading Tolstoy's War and Peace.

If Malwarebytes restarts your system, launch it again to finish the full scan.

When the scan is completed, delete all items found.

4. Go to your Control Panel.

a) Click on Security Center.
b) If your firewall is disabled, ensure you enable it.

5. Tell me how your system is performing.

IMPORTANT ADVICE
Do not download any .exe files (programs or applications) from uTorrent and BearShare; most often they are infected with all kinds of viruses.

Jules
1
khaanam Posts 35 Registration date Friday November 6, 2009 Status Member Last seen May 16, 2014 16
Jan 30, 2012 at 12:51 AM
I'm not able to submit my answer.... why? :(:(:(:(
0
khaanam Posts 35 Registration date Friday November 6, 2009 Status Member Last seen May 16, 2014 16
Jan 30, 2012 at 01:00 AM
Please give me your mail ID so that I can send you my answer... it's important.
0
Ambucias Posts 47356 Registration date Monday February 1, 2010 Status Moderator Last seen February 15, 2023 11,169
Feb 1, 2012 at 05:29 AM
Hello Tania,

Yes, unfortunately, there is a slight communications problem.

McAfee does not come with Windows. It was installed by your computer's manufacturer. As I mentioned before, I repeat: to remove it, click on Start, click on Control Panel, click on Add/Remove Programs, wait for the list to populate, find McAfee and click on Remove.

I don't know what you did so far because you have not confirmed (told me) if you followed all of my instructions such as deleting the registry items I have asked you to delete and the following files:

C:\DOCUME~1\Ayesha\LOCALS~1\Temp\winiriqi.exe (.not file)

C:\DOCUME~1\Ayesha\LOCALS~1\Temp\winugis.exe (.not file)

Here is what we will do today.

1. Remove McAfee as I instructed.

2. Click on Start, right click on My Computer and click on the System Restore tab.

3. Check "disable System Restore" and click OK.

4. I shall prescribe to you a very powerful antidote that is able to kill and send any virus to the glue factory. It is of very last resort and should not be abused; as a matter of fact, once you have used it, I suggest you delete it from your system.

To keep your system safe, you must follow the instructions hereunder to the letter:

1. Download Combofix to your desktop.

http://www.combofix.org/download.php

2. Close all open windows including this one.

Close or disable Microsoft Security Essentials and Windows Defender, and Firewall programs as they may interfere with the proper running of ComboFix.

3. Double click on the ComboFix icon.

Windows will issue a prompt because ComboFix does not have a digital signature. This is perfectly normal and safe and you can click on the Run button to continue.

4. Accept the disclaimer and the recovery

5. You should now press the Yes button to continue. If at any time during the Recovery Console installation you receive a message stating that it failed to install, please allow ComboFix to continue with the scan of your computer.

ComboFix will disconnect your computer from the Internet, so do not be surprised or concerned if you receive any warnings stating that you are no longer on the Internet. When ComboFix has finished it will automatically restore your Internet connection.

While the program is scanning your computer, it will change your clock format, so do not be concerned when you see this happen. When ComboFix is finished it will restore your clock settings to their previous settings.

If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished. Eventually you will see a new screen that states the program is almost finished and tells you the program's log file, or report, will be located at C:\ComboFix.txt.

During the process, please do not mouse click nor must you tap on the keyboard. Let the tool run.

Once you are done, report to me on how your system is behaving.

Good luck
1

khaanam Posts 35 Registration date Friday November 6, 2009 Status Member Last seen May 16, 2014 16
Jan 22, 2012 at 05:22 AM
Thanks for helping me, but bro, you didn't tell me about the error. What is it? Every time I run eRecovery it happens. I delete the old one and install it again from the Acer support site, but this time it isn't working :(. Your procedure is hard enough for me to do; can you guide me to some easier one?
0
Ambucias Posts 47356 Registration date Monday February 1, 2010 Status Moderator Last seen February 15, 2023 11,169
Jan 22, 2012 at 05:40 AM
Hi again

No, I can't guide you further as I can't make my instructions more clear and easier to follow.

The error: D2D is a setting in the BIOS that needs to be on in order to use the recovery partition:
"Enable disk-to-disk recovery
To enable disk-to-disk recovery (hard disk recovery), activate the BIOS utility,
then select Main from the categories listed at the top of the screen. Find D2D
Recovery at the bottom of the screen and use the <F5> and <F6> keys to set this
value to Enabled."

The R6002 means that the application is infected by malware, or one of your Windows registry records related to this application is corrupted.
0
Hi, wow, you sound like a master in computer science, I like it :). I'm a woman but I always try to get information about computers and I know a little bit. I checked out the BIOS for enabling D2D; it's already enabled :( Now what's wrong with it, and how will your first remedy about downloading ZHPDiag2 help?
How can I go to safe mode? I think pressing F8???? First I have to copy your lines, then I can follow the procedure, isn't it? But one question is unanswered: why doesn't a new installation of the eRecovery program work this time, while it always did? Many many thanks for giving me your time. God bless you. May Allah increase your knowledge, Ameen.
Tania
0
Ambucias Posts 47356 Registration date Monday February 1, 2010 Status Moderator Last seen February 15, 2023 11,169
Jan 24, 2012 at 04:40 AM
Salam,

I need to know if there is a virus and the log produced by ZHP Diag will tell me. Depending on the virus, if there is one, I may be able to tell you what to do (remedy).

Yes, to get into safe mode, you must restart the system while tapping F8, hoping you can still do that.

Once you downloaded ZHP Diag, click twice on the icon to install it. Once installed, click twice on the ZHP Diag exe to open it. Click on the magnifying glass to run it. Once finished the log will be on your desktop. Follow the procedure I gave to post it.

If your recovery program no longer works, as I mentioned, there are two reasons:

1. There may be a virus or...

2. Your registry, which is the soul of your operating system, is corrupted.

God bless you too.

(So you are a woman. Makes no difference to me, I'm a human being)
0
I don't know whether I may answer your Salam or not.... anyway, good evening sir :)
I apologise; I tried many times to log on in safe mode with networking, but it loads many files and restarts and restarts and restarts until I choose restart normally. So... what's this? I scanned my netbook with Microsoft Security Essentials; it showed 2 viruses:
1. Win32/sality.AM
2. Trojan:Win32/rimecud.A
These were removed by the antivirus, but I mention it to you, OK. Now tell me what to do now. I have 1 idea: can you access my netbook by TeamViewer? Can you check by yourself? I trust you. :)
Regards
Tani@ Kh@n
0
Ambucias Posts 47356 Registration date Monday February 1, 2010 Status Moderator Last seen February 15, 2023 11,169
Jan 24, 2012 at 03:53 PM
Dear Tania,

Sality.AM is an infector that targets Windows executable files with extensions .SCR or .EXE. It may execute a damaging payload that deletes files with certain extensions and terminates security-related processes and services.

The Trojan horse Rimecud.A may perform a number of actions of an attacker's choice.

You may also have other malware because the virus disabled your firewall.

From what I see you can boot in normal mode. That's great.

Please follow my instructions about downloading, installing and producing a log with ZHP Diag. You will not need to go into safe mode.

With the log, I will be able to give you instructions not only to clean your system but make it safer and more efficient.

Take good care of yourself
0
Sir,
I opened the URL you mentioned; it was in French so I closed it and scanned my netbook with Malwarebytes Anti-Malware. It found a Trojan; I'm sending you the log file, please check it out.


Malwarebytes Anti-Malware 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.26.02

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
ACER-6E40E97492 [administrator]

1/26/2012 11:25:27 AM
mbam-log-2012-01-26 (11-25-27).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 196650
Time elapsed: 46 minute(s), 32 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Documents and Settings\Ayesha\Local Settings\Temp\.exe (Trojan.Agent) -> Quarantined and deleted successfully.

(end)
0
Ambucias Posts 47356 Registration date Monday February 1, 2010 Status Moderator Last seen February 15, 2023 11,169
Jan 26, 2012 at 05:07 AM
In my message, I mentioned that the site could be in French but not to be alarmed and to download ZHP Diag anyway as the application is multilanguage.

Several times I have insisted on having the log, but in vain.

Without the log I can no longer be of any assistance to you.

Good luck
0
Sir,
How are you? I'm sorry for the delay, but every time I downloaded the link I deleted it on seeing it in French; finally I did the same as you said and now I have successfully done it. Now see, there are 3 links on SpeedyShare; I mention them all line by line, you see what you need..

Download Link: http://speedy.sh/dk2mA/ZHPDiag.txt
Forum Link: [code]http://speedy.sh/dk2mA/ZHPDiag.txt[/code]
HTML Link: <a href="http://speedy.sh/dk2mA/ZHPDiag.txt">Download at SpeedyShare</a>
Delete Key: zonezuvaluxu

Is it done as you want, sir?

Many thanks & many prayers for you for taking your time for me.
Tani@ Kh@n
0
One thing more: may I know any messenger ID of yours so I can get live help from you, sir? You already know which messengers I'm using :) and I would like to know your REAL name please...
0
Links are here:
http://speedy.sh/yJ4pz/ZHPFixReport.txt
[code]http://speedy.sh/yJ4pz/ZHPFixReport.txt[/code]
<a href="http://speedy.sh/yJ4pz/ZHPFixReport.txt">Download at SpeedyShare</a>
xikazemutaha

All the files did not disappear but were deleted. Some files showed "not found" in ZHPFix.
Regards
Tania
0
Ambucias Posts 47356 Registration date Monday February 1, 2010 Status Moderator Last seen February 15, 2023 11,169
Jan 27, 2012 at 04:01 PM
Hello Tania,

We are almost there. ZHPFix did a good job. But the ZHPFix report is not what I asked for. I want to make sure there is no malware left, not a trace.

Please delete the logs, ZHP Diag and ZHP Fix. Restart your system and generate a new ZHP Diag log and post it on Speedyshare.

Thanks

P.S. Great job!
0
Respected Sir,
All credit goes to you, sir; you described it to me very easily & clearly so that I could follow and did the job correctly. (Sorry for my weak English as I'm not a native speaker.)
Now the URLs...
http://speedy.sh/xY4Jp/ZHPDiag.txt
[code]http://speedy.sh/xY4Jp/ZHPDiag.txt[/code]
<a href="http://speedy.sh/xY4Jp/ZHPDiag.txt">Download at SpeedyShare</a>
fumetufoxixo
I want to tell you more problems that I face: my Defragment program does not run; my Windows used to start quickly and also shut down quickly, but now it takes a long time to start and shut down. Why? How can I lighten it up? I mean I want my netbook to work quickly; that's why I install very few programs on it. One thing more: whenever I start Windows, when Volume loads, my antivirus always shows a virus and it still appears; it means the virus is still in the PC. Many many thanks.
Regards
Tani@ Kh@n
0
Ambucias Posts 47356 Registration date Monday February 1, 2010 Status Moderator Last seen February 15, 2023 11,169
Jan 30, 2012 at 04:24 AM
Sorry, but it's contrary to the Charter to give email on the forum, and all e-mail addresses are automatically deleted.

However, a member can correspond with another member through private messages. If you wish to submit a file, you can use speedyshare.

I don't understand that you can't submit your answer for you did write the above. Please explain.
0
khaanam Posts 35 Registration date Friday November 6, 2009 Status Member Last seen May 16, 2014 16
Jan 31, 2012 at 12:28 AM
http://speedy.sh/TVE6C/answer.txt

Sir... I don't understand either. When I copy my answer here it just shows loading and nothing. But when I add a comment it's submitted... I don't know why, but as you said I shared it on SpeedyShare and above is the link, please see. Thank you very much, you are so kind.
Tania
0
Ambucias Posts 47356 Registration date Monday February 1, 2010 Status Moderator Last seen February 15, 2023 11,169
Jan 31, 2012 at 04:56 AM
Hi Tania,

Bizarre indeed. Here is the message that you wrote and failed to insert:

Sir,
I followed all your instructions and the result is...
I don't use BearShare, uTorrent and Bandoo; it's a long time ago... Bandoo I uninstalled at the same time as installation, but I think due to deactivation of the Defragment program its files still remain in memory. I used to open only 2 things: 1. Skype 2. Hotmail.
How can I delete BearShare? Sometimes when I open the browser it shows this website. I don't know where it comes from.
1. ZHPDiag log file is here:
http://speedy.sh/cgwN2/ZHPDiag.txt
2. AntiMabutu did not find anything wrong.
3. Malwarebytes log file is here:
http://speedy.sh/mz2Gt/mbam-log-2012-01-29-10-28-04.txt
It did not find anything to delete, and I tried many times to log in to safe mode but failed, so I had to log in normally and did a full scan.
4. My netbook's firewall is active and enabled as before.
I did not download any file recently except the files you said. I told you before that always when I start Windows it alerts these viruses, but today it showed one virus more;
I'm copying here:
VirTool:INF/Autorun.gen
Virus:Win32/Sality.AM
I remove it every time but it's still in the PC. Just once I run eRecovery all problems will be solved :(:( but the question is how?
I'm SORRY for giving you no positive result.
Tani@ kh@n
0
Ambucias Posts 47356 Registration date Monday February 1, 2010 Status Moderator Last seen February 15, 2023 11,169
Jan 31, 2012 at 04:57 AM
Amazing! Please stand-by for my reply while I analyse the logs.
0
Ambucias Posts 47356 Registration date Monday February 1, 2010 Status Moderator Last seen February 15, 2023 11,169
Jan 31, 2012 at 06:23 AM
Please, for today

1. Click on Start, Control Panel, Add/Remove Programs.

2. Wait for the list to populate.

3. Find Bearshare and remove it.

While you are there, remove uTorrent and Bandoo. You may also remove .NET Framework, which you don't need unless you wish to develop new software.

4. You have three antiviruses: McAfee, Windows Defender and Microsoft Security Essentials. All three have scanning engines which may come into conflict, and once there is a conflict viruses may not be detected or fake alerts may be given. Please keep only McAfee, which you paid for.

5. See if you can boot in safe mode. If not, continue anyway, but I would prefer safe mode.

6. Right click on Start and left click on Explore to open Explorer. Click on Tools and Folder Options. Second tab, go down and click on "Show hidden files" and OK.

7. In Explorer, left pane, click on "documents and settings"

Find and delete the following files:

%Documents and Settings%\[UserName]\Start Menu\ Update.lnk
%Documents and Settings%\[UserName]\Start Menu\ Settings.lnk

8. Click on start and then on Run.

9. In the field type regedit and click OK.

10. Press F3; this will open a search window. Copy each of the following lines exactly into the search window and click OK or Search. Once the item is found, click on Delete and proceed with the next one.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System 'DisableTaskMgr' = '1'

HKEY_LOCAL_MACHINE\SOFTWARE\Paladin Antivirus

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall?1

HKEY_CLASSES_ROOT\secfile

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run '[random string]'

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments 'SaveZoneInformation' = '1'

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings 'ProxyServer' = 'http=127.0.0.1:5555'

11. Close the registry editor.

12. Click on Start and then on Search. Search for files containing the word "Ayesha". Is that word familiar to you? Examine the individual files.

Delete the files:

C:\DOCUME~1\Ayesha\LOCALS~1\Temp\winiriqi.exe (.not file)

C:\DOCUME~1\Ayesha\LOCALS~1\Temp\winugis.exe (.not file)

13. Make sure to clean all of your temporary files and cookies. The original virus carrier may be hiding in there.

14. Let me know how your system is performing.

Good luck
0
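A check for the registry symptoms named in this post and in the earlier ZHPFix script (Security Center Override/DisableNotify values, DisableTaskMgr, SaveZoneInformation, the loopback ProxyServer, and Temp-folder win*.exe entries in Run or the firewall exception list), written as an added example that is not part of this thread or of any tool mentioned in it. It assumes the input is a .reg text export (as produced by `reg export`) and that the firewall exceptions live under the XP `AuthorizedApplications\List` key; the sample export is constructed.

```python
import re
from typing import Dict, List, Tuple

# Added example (not from the thread). Indicator names are the ones the
# moderator's posts list; the key paths are assumed XP locations.
SECURITY_CENTER_FLAGS = {
    "AntiVirusOverride", "FirewallOverride", "AntiVirusDisableNotify",
    "UpdatesDisableNotify", "UacDisableNotify",
}
# Every Temp-folder executable in the ZHPFix script looks like win<letters>.exe
TEMP_WIN_EXE = re.compile(r"\\temp\\win[a-z]*\.exe", re.IGNORECASE)

_KEY_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_VALUE_LINE = re.compile(r'^(?:"(?P<name>[^"]*)"|(?P<default>@))=(?P<data>.*)$')


def _unquote(s: str) -> str:
    """Undo the escaping a .reg export applies inside quoted strings."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg(text: str) -> Dict[str, Dict[str, object]]:
    """Parse .reg text into {key_path: {value_name: data}} (dword -> int, strings unescaped)."""
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_LINE.match(line)
        if m:
            current = m.group("key")
            keys.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if not m or current is None:
            continue  # header line, blank line, or value outside any key
        name = "" if m.group("default") else _unquote(m.group("name"))
        data = m.group("data").strip()
        if data.lower().startswith("dword:"):
            keys[current][name] = int(data[6:], 16)
        elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            keys[current][name] = _unquote(data[1:-1])
        else:
            keys[current][name] = data  # hex:/binary data kept raw; not needed here
    return keys


def check_reg_text(text: str) -> List[Tuple[str, str, str]]:
    """Return (key, value_name, reason) for each indicator found in the export."""
    findings: List[Tuple[str, str, str]] = []
    for key, values in parse_reg(text).items():
        k = key.lower()
        for name, data in values.items():
            text_data = str(data)
            if "\\microsoft\\security center" in k and name in SECURITY_CENTER_FLAGS and data == 1:
                findings.append((key, name, "Security Center warning suppressed"))
            elif k.endswith("\\policies\\system") and name == "DisableTaskMgr" and data == 1:
                findings.append((key, name, "Task Manager disabled by policy"))
            elif k.endswith("\\policies\\attachments") and name == "SaveZoneInformation" and data == 1:
                findings.append((key, name, "zone information on downloads not preserved"))
            elif k.endswith("\\internet settings") and name == "ProxyServer" and "127.0.0.1" in text_data:
                findings.append((key, name, "proxy pointed at loopback: " + text_data))
            elif (k.endswith("\\currentversion\\run") or "\\authorizedapplications\\list" in k) and (
                TEMP_WIN_EXE.search(name) or TEMP_WIN_EXE.search(text_data)
            ):
                findings.append((key, name, "Temp-folder win*.exe in autostart or firewall exceptions"))
    return findings


# Constructed sample export: tampered entries plus one clean firewall exception.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"="http=127.0.0.1:5555"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\DOCUME~1\\Ayesha\\LOCALS~1\\Temp\\winexample.exe"="C:\\DOCUME~1\\Ayesha\\LOCALS~1\\Temp\\winexample.exe:*:Enabled:win"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
'''
```

Running `check_reg_text(SAMPLE_REG)` reports the four tampered values and the Temp-folder firewall exception while leaving the Skype entry and the zero-valued FirewallOverride alone.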
khaanam Posts 35 Registration date Friday November 6, 2009 Status Member Last seen May 16, 2014 16
Jan 31, 2012 at 12:18 PM
Sir, I have already uninstalled uTorrent and BearShare. My McAfee is disabled due to not paying; that's why I have to install Microsoft Security Essentials, and the other one I don't know. Ayesha is my home name. I'm trying to search the files you mentioned, still searching; I will tell you the result tomorrow, Insha Allah. It's too late now, going to sleep. Please, you must tell me what to do with the files containing the name "Ayesha". You didn't tell me about the virus in the Volume driver; it's located in D2D.32. I always remove it but it appears again when Windows starts. Please take care of yourself and goodbye.
0