WiredWX Hobby Weather Tools

Condition Critical
I emailed you all a few weeks ago about a virus that would not allow me to save my ComboFix or HijackThis logs, and once you run the programs you cannot run them again.
I can no longer open my Run function, and it is becoming harder to find a way to connect to the internet.

I did find this bug log on my C drive. I am not sure where it came from or what it has documented.

I am now getting this: "desot.exe has encountered a problem and needs to close. We are sorry for the inconvenience." It tells me to send an error report or debug.

Please help!!!! School started yesterday! This is my lifeline, and all I have!
Here is the "BUG LOG"... again, not sure what it is reporting.

32788R22FWJFW\swreg.exe import 32788R22FWJFW\EXE.reg

32788R22FWJFW\PEV.exe UZIP 32788R22FWJFW\License\pv_5_2_2.zip 32788R22FWJFW\

MOVE /Y 32788R22FWJFW\PV.exe 32788R22FWJFW\PV.cfxxe

32788R22FWJFW\PV.cfxxe -kf *.pif nircmd.* ANDRE.EXE TOLO.exe Merlin.scr jalang.exe jalangkung.exe jantungan.exe DOSEN.exe C3W3K4MPUS.exe cmd.exe
Killing '*.pif'
Killing 'nircmd.*'
Killing 'ANDRE.EXE'
Killing 'TOLO.exe'
Killing 'Merlin.scr'
Killing 'jalang.exe'
Killing 'jalangkung.exe'
Killing 'jantungan.exe'
Killing 'DOSEN.exe'
Killing 'C3W3K4MPUS.exe'
Killing 'cmd.exe'
pv: No matching processes found

PUSHD "C:\32788R22FWJFW"

IF NOT EXIST pev.cfxxe COPY /Y pev.exe pev.cfxxe
1 file(s) copied.

IF NOT EXIST NircmdB.exe COPY /Y Nircmd.cfxxe NircmdB.exe
1 file(s) copied.

SET "Comspec=C:\WINDOWS\system32\cmd.execf"

IF NOT EXIST C:\WINDOWS\system32\cmd.exe GOTO Not_NT

IF EXIST OsVer EXIT

VER 1>OsVer

GREP.cfxxe -F "5.2." OsVer

IF 1 == 0 GOTO Not_NT

GREP.cfxxe -F "5.1.2" OsVer 1>XP.mac

IF 0 == 0 GOTO NT

GREP.cfxxe -isq "ProductType.*WinNT" WinNT00 || GOTO Not_NT

SED.cfxxe "/^PATH=/I!d; s///; s/\x22//g" Oripath 1>OriPath00

PEV.EXE -rtf -s+901 .\OriPath00 && (
SED.cfxxe -r "s/\x22//g; s/(.{900}).*/\1/; s/;[^;]*$//" OriPath00 1>OriPath01
FOR /F "TOKENS=*" %G IN (OriPath01) DO @SET "PATH=C:\32788R22FWJFW;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;%G"
)

IF NOT EXIST OriPath01 FOR /F "TOKENS=*" %G IN (OriPath00) DO SET "PATH=C:\32788R22FWJFW;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;%G"

SET "PATH=C:\32788R22FWJFW;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\Internet Explorer;;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\ATI Technologies\ATI Control Panel"
Killing 'runonce.exe'
Killing 'grpconv.exe'
Killing 'procmon.exe'
Killing 'ANDRE.EXE'
Killing 'TOLO.exe'
Killing 'Merlin.scr'
Killing 'jalang.exe'
Killing 'jalangkung.exe'
Killing 'jantungan.exe'
Killing 'DOSEN.exe'
Killing 'C3W3K4MPUS.exe'
pv: No matching processes found

PEV -rtf --c:##5# .\* and { License.exe or 32788R22FWJFW.exe or OsVer.exe or WinNT.exe or N_.exe } 1>temp00 && (
PV -o%f * 1>temp01
PEV -tf -t!o --files:temp01 --c:##5#b#f# 1>temp02
GREP -Fif temp00 temp02 1>temp03
SED "/.* /!d; s///" temp03 1>temp04
SED ":a; $!N; s/\n/\x22 \x22/; ta; s/.*/\x22&\x22/" temp04 1>temp05
FOR /F "TOKENS=*" %G IN (temp05) DO @NIRCMD KILLPROCESS %G
)

CALL :MDCheck
Could Not Find C:\32788R22FWJFW\md5sum00.pif

PEV -rtf -md573FF0546C6C03834F58C5B90D18A77E4 .\md5sum.pif || CALL :MDFaiL ChkSum_Fail
.\md5sum.pif

PEV -tf --files:files.pif --c:##5#b#f# 1>mdCheck00.dat

GREP -vs "^!MD5:" mdCheck00.dat 1>mdCheck0a.dat

GREP -Fvf md5sum.pif mdCheck0a.dat 1>mdCheck01.dat && CALL :MDFaiL

GOTO :EOF

=============================================

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Administrator\Application Data
cfExt=cfxxe
CFLDR=32788R22FWJFW
Chksum=73FF0546C6C03834F58C5B90D18A77E4
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=USER-429B14235C
ComSpec=C:\WINDOWS\system32\cmd.execf
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Administrator
KMD=CF17216.exe
LOGONSERVER=\\USER-429B14235C
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\32788R22FWJFW;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\Internet Explorer;;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\ATI Technologies\ATI Control Panel
PATHEXT=.cfxxe;.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 9 Stepping 5, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0905
ProgramFiles=C:\Program Files
PROMPT=$
Qrntn=C:\Qoobox\Quarantine
RKEY_=hklm\software\microsoft\windows nt\currentversion\windows
SAFEBOOT_OPTION=NETWORK
SESSIONNAME=Console
sfxcmd="C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\R9QL9XTY\ComboFix[1].exe"
sfxname=C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\R9QL9XTY\ComboFix[1].exe
SYSTEM=C:\WINDOWS\system32
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
USERDOMAIN=USER-429B14235C
USERNAME=Administrator
USERPROFILE=C:\Documents and Settings\Administrator
windir=C:\WINDOWS

=============================================


IF NOT DEFINED sfxname GOTO END

GREP -F \ temp01 && CALL :Aux

GREP -Fi "C:\WINDOWS\system32\userinit.exe" Userinit00 || (SWREG ADD "hklm\software\microsoft\windows nt\currentversion\winlogon" /v Userinit /d "C:\WINDOWS\system32\userinit.exe," )
Userinit REG_SZ C:\WINDOWS\system32\userinit.exe,

CALL LANG.bat
Active code page: 1252

SET SfxCmd 1>SET00

SED -r "/SfxCmd=/I!d; s///; s/\s*$//; s/^(\x22[^\x22]*\x22|[^\x22]\S*) +//; s/^\x22*C:\\Documents and Settings\\Administrator\\Local Settings\\Temporary Internet Files\\Content.IE5\\R9QL9XTY\\ComboFix[1].exe\x22*//I; s/^([^\x22]\S*)/@SET SfxCmd=\x22\1\x22/; s/^(\x22.*)/@SET SfxCmd=\1/" SET00 1>sfx.cmd

DEL /A/F SET00

ATTRIB +R "C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\R9QL9XTY\ComboFix[1].exe"
Access is denied.
@SET SfxCmd="C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\R9QL9XTY\ComboFix[1].exe"

CALL sfx.cmd

CALL AV.cmd

SET /a AVCount+=1

CSCRIPT.exe //NOLOGO //E:VBSCRIPT //B //T:08 av.vbs
Access is denied.

IF NOT EXIST AvBlack00 GREP -Fisf AVBlack resident.txt 1>AvBlack00 && (
SED -r "s/\x22//g; s/.*\) //; s/.*(\{.{8}-.{4}-.{4}-.{4}-.{12}\}).*/\1/" AvBlack00 1>AvBlack01
FOR /F "TOKENS=*" %G IN (AvBlack01) DO @CSCRIPT.EXE //NOLOGO //E:VBSCRIPT //T:5 wmi_rem.vbs "%~G"
CSCRIPT.exe //NOLOGO //E:VBSCRIPT //B //T:08 av.vbs
)

GREP -Fivf AVWhite resident.txt | GREP -E "^(AV|SP): .*enabled\* \(" 1>AVChk && (
SED -r "s/^AV:/antivirus: /; s/^SP:/antispyware: /; s/ \*(On-access scanning |)enabled\*.*//" AVChk | SED ":a; $!N;s/\n/~n/;ta" 1>AVChkB
NIRCMD LOOP 2 80 BEEP 3000 200
IF 1 LEQ 1 FOR /F "TOKENS=*" %G IN (AVChkB) DO @NIRCMD INFOBOX "ComboFix has detected the following real time scanner(s) to be active:~n~n%G~n~nAntivirus and intrusion prevention programs are known to interfere~nwith ComboFix's running. This may lead to unpredictable results or~npossible machine damage.~n~nPlease disable these scanners before clicking 'OK'." "Warning !!" "" && GOTO Av-check
IF 1 GTR 1 FOR /F "TOKENS=*" %G IN (AVChkB) DO @NIRCMD INFOBOX "%G~n~nThe above real time scanner(s) are still active but ComboFix shall~ncontinue to run. Kindly note that this is at your own risk" "Warning !!" ""
)
grep: resident.txt: No such file or directory

DEL /A/F/Q AVChk? AvWhite AvBlack AvBlack0?

SET AVCount=

IF EXIST vista.mac CALL :Vista

GREP -Fx "REGEDIT4" Fin.dat || (
ECHO.1>"C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tdsstdss"
PEV -rtf "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tdsstdss" || (
ECHO.1>wtf_tdssserv
CALL c.bat
GOTO END
)

GOTO AbortD
)
REGEDIT4

IF /I "C:\32788R22FWJFW" NEQ "C:\32788R22FWJFW" GOTO Abort

IF EXIST "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\32788R22FWJFW32788R22FWJFW.log" DEL /A/F "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\32788R22FWJFW32788R22FWJFW.log"

COPY /Y /B "C:\WINDOWS\system32\cmd.execf" "C:\WINDOWS\system32\CF17216.exe"
1 file(s) copied.

SET "COMSPEC=C:\WINDOWS\system32\CF17216.exe"

FOR /F "TOKENS=*" %G IN ("C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\R9QL9XTY\ComboFix[1].exe") DO (
SET "FileName=%~NG"
SET "FilePath=%~DPG"
)

(
SET "FileName=ComboFix[1]"
SET "FilePath=C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\R9QL9XTY\"
)

SET FileName 1>FileName

GREP -ix "FileName=[-[:alnum:]@.]*" FileName || GOTO AbortB

DEL /A/F/Q DirName0?
Could Not Find C:\32788R22FWJFW\DirName0?

CALL NircmdB.exe INFOBOX "You cannot rename ComboFix as %FileName%~n~nPlease use another name, preferbaly made up of alphanumeric characters" ""

GOTO END

IF EXIST "C:\WINDOWS\system32\cmd.execf" MOVE /Y "C:\WINDOWS\system32\cmd.execf" "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp"

CD ..

IF DEFINED cfldr RD /S/Q "32788R22FWJFW"
The system cannot find the path specified.
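An added example, not from the thread and not part of ComboFix, that pulls the three things a helper reads first out of a log shaped like the one pasted above: the `Killing '...'` process list, the environment block between the `=====` separators (where `SAFEBOOT_OPTION`, `USERNAME` and the redirected `ComSpec` live), and every command that was answered with `Access is denied.`. The sample log is a constructed excerpt in that format, not the poster's full log.

```python
import re

# Constructed excerpt modelled on the pasted ComboFix bug log (not the real log).
SAMPLE_LOG = """\
32788R22FWJFW\\PV.cfxxe -kf *.pif nircmd.* ANDRE.EXE cmd.exe
Killing '*.pif'
Killing 'ANDRE.EXE'
pv: No matching processes found

=============================================

ComSpec=C:\\WINDOWS\\system32\\cmd.execf
SAFEBOOT_OPTION=NETWORK
USERNAME=Administrator
PATHEXT=.cfxxe;.COM;.EXE;.BAT

=============================================

ATTRIB +R "C:\\Temp\\ComboFix[1].exe"
Access is denied.
CSCRIPT.exe //NOLOGO av.vbs
Access is denied.
"""

KILL_RE = re.compile(r"^Killing '(.+)'$")
ENV_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)=(.*)$")

def parse_log(text):
    """Return (kill_targets, env_vars, denied_commands) from a ComboFix-style log."""
    kills, env, denied = [], {}, []
    in_env, prev = False, ""          # prev = last non-blank line, for 'Access is denied.'
    for line in text.splitlines():
        line = line.rstrip()
        if line.startswith("====="):   # separators bracket the SET dump
            in_env = not in_env
        elif in_env and (m := ENV_RE.match(line)):
            env[m.group(1)] = m.group(2)
        elif m := KILL_RE.match(line):
            kills.append(m.group(1))
        elif line == "Access is denied.":
            denied.append(prev)       # the command that hit the ACL
        if line:
            prev = line
    return kills, env, denied

def triage(text):
    """Short list of facts a helper wants before reading the rest of the log."""
    kills, env, denied = parse_log(text)
    notes = []
    if env.get("SAFEBOOT_OPTION"):
        notes.append(f"ran in Safe Mode ({env['SAFEBOOT_OPTION']})")
    if env.get("USERNAME", "").lower() == "administrator":
        notes.append("ran as the built-in Administrator account")
    if denied:
        notes.append(f"{len(denied)} command(s) answered 'Access is denied.'")
    return notes
```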

Re: Condition Critical
What's wrong with me??? I can't get a response! Is my computer dead? Please help. I have the Police Virus, the Antispyware Virus, the Protection 2010 Virus! HELLLLPPPP me pleasssssseeeeee

Re: Condition Critical
Why is there a note to stop watching this topic? Did I do something wrong?

Re: Condition Critical
Please delete this file in red:
C:\Windows\system32\desot.exe

Next, download this file.

Download it to your Desktop.
Double click it to run it; select yes to the registry merge prompt.

Are you able to run programs now?

Re: Condition Critical
I tried to access the desot file to delete it, but it says access denied.
I was able to download the file, but it says that registry editing has been disabled by your admin.

I tried to go into my registry from the Admin login in Safe Mode, but I can't access the program from the Start panel.

UGH!!!

Re: Condition Critical
Please do the following in Safe Mode with Networking: as the computer is booting, press and hold your "F8 key", which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press your Enter key.

Note: With some computers, if you press and hold a key as the computer is booting you will get a stuck key message. If this occurs, instead of pressing and holding the "F8 key", tap the "F8 key" continuously until you get the startup menu. Once in the startup menu, select "Safe Mode with Networking", then try to delete desot from there.

Re: Condition Critical
I have been operating in Safe Mode with Networking. That is the only way that I can use my computer. I tried to delete the desot file by running a search, but I couldn't locate it and it's still there. I think it may be in a hidden file, and I don't know how to access it.

Re: Condition Critical
Hello.
Will Hijack This work in Safe Mode?
Download it and see if it will run.
http://www.sendspace.com/pro/dl/fpzz64

Re: Condition Critical
Due to lack of response, this topic is now closed.

If you need the topic reopened, PM an administrator or moderator.
