System Instability due to Worm.locksky.ao

Well I've exhausted most of my resources trying to fix this problem... I currently have a job that requires me to be online and needless to say this problem (now on the 7th day of problems...) has been hurting me bad... I ended up getting an error when trying to fix some problems, a previous thread had similar problems, about my Worm.Locksky.ao problem and it came up with this log



Now I tried downloading some windows security programs and those only gave me more errors... my Windows OneCare Live always pops up with errors saying it has to shut down or when it doesnt, it wont allow me to enable my windows firewall nor the Windows Defender firewall cause the defender says, "Application failed to create windows"

Now, I try to goto my windows Firewall and initialize it but it says, "cant blah blah blah try changing settings manually" but when I goto my control panel and doubleclick on my firewall icon it says.. "Due to an Unidentified problem, Windows cannot display firewall settings"

I am hoping this log report will clean up all those firewall problems..

Also something that might be related, my computer gives me an error for my CLI.exe, this has to deal with my ATI Catalyst and my most recent attempts to clean it up (uninstalling and installing with proper shutdown and startup methods have failed, AKA I loaded on the most recent Catalyst from the ATI website and it didnt seem to fix it)

I've done some of the steps but that log is the most recent so I hope all this can be sorted out quickly as my brain hurts from all the work I've tried to do...

Please disable the ‘active protection’ components of the following application(s), as it/they may hinder the removal of some entries. Otherwise, certain cleaning attempts may be wrongly recognized and blocked as hijacking attempts or other potentially inappropriate behavior. You can re-enable such tools after your computer is clean.


Disable Windows Defender

• Open Windows Defender
• Click Tools
• Click General Settings
• Scroll down to Real Time Protection Options
• Uncheck Turn on Real Time Protection (recommended)
• Close Windows Defender

1. Download combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply (logfile is located at C:\ComboFix.txt).


Note:
Do not mouse click combofix's window whilst it's running. That may cause it to stall.


Please provide:

- a combofix log




SELECT HijackThis FIX ITEMS: Scan with HijackThis and place a check next to these items, if found present:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: Shell=
F2 - REG:system.ini: UserInit=userinit.exe,vhqjwqk.exe

O2 - BHO: (no name) - {39FE4873-B647-1592-835F-6D557BD37A1F} - blank (file missing)
O2 - BHO: SA - {5DAFD089-24B1-4c5e-BD42-8CA72550717B} - blank (file missing)
O2 - BHO: (no name) - {73364D99-1240-4dff-B12A-67E448373148} - blank (file missing)
O2 - BHO: SSL encrypt - {746455FE-D059-47e7-AF0E-140E03F5A447} - C:\WINDOWS\system32\nss29.dll
O2 - BHO: {CEAC6778-3856-45E1-B670-AC837993AFA2} - {CEAC6778-3856-45E1-B670-AC837993AFA2} - blank (file missing)
O2 - BHO: Loadtypeflap - {D8E24FDC-4D9C-CE70-0E33-45FDBCBA4582} - blank (file missing)
O3 - Toolbar: free anti hole - {AC9C82DE-FC16-020C-5D87-85873DD9F73C} - blank (file missing)

O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - blank (file missing)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - blank (file missing)

O15 - TRUSTED Zone: *.elitemediagroup.net

O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/1.../bridge-c18.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptem...iveSecurity.cab

O21 - SSODL: System - {0A50FD6B-68ED-4749-8A4F-76D69350B61F} - blank (file missing)
O21 - SSODL: DCOM Server 2238 - {2C1CD3D7-86AC-4068-93BC-A02304BB2238} - blank (file missing)

Make sure that all browser windows and internet links are closed, even this one!
CLICK ’FIX CHECKED’ with HijackThis.



1) Please download the Killbox.
Unzip it to the desktop and run it.

2) Select "Delete on Reboot".
3) Then Click the "All Files" button.

4) Copy the file names below to the clipboard by highlighting them and pressing Control-C:
5) Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

6) Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "Yes" to reboot next.





POST A REVISED HIJACKTHIS LOG for review:
Reboot and post a new HijackThis log with any feedback as appropriate - how things are now behaving: any new or remaining apparent issues.

__________________
Vincent P

MALWARE: READ FIRST Procedures:
|_ SpyBot V1.5 _|_ HijackThis LOG __V2.0.2 _|

__
ASAP: promoting a high standard and quality of security support no matter where you seek help.

BTW, THANK YOU!!! It definately "seems" *knocks on wood* like its going to work, the true test is if my WoW will connect to the internet..

Okay.. Unfortunately my World of Warcraft wont log online, it says...

Now I did some of my own research and it said it might be a router setting, but I set up my router to allow the ports that this game uses... so it had to have been changed by something... I cant seem to get into my windows firewall settings this is the error, so something must be preventing it from working or whatnot...

Well that's never good when it displays that, but I think the firewall is interfereing with my World of Warcraft game from connecting to the internet, is there any way to see EXACTLY what is using my connectons and whatnot and not hidden?

Try fixing this line again in HJT (and report back if it is now gone):

O2 - BHO: {CEAC6778-3856-45E1-B670-AC837993AFA2} - {CEAC6778-3856-45E1-B670-AC837993AFA2} - blank (file missing)



Do you have an available combofix log, as requested.



Do you know what has caused the following Internet Explorer restriction lines in HJT?:

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present




How long has WoW been out of commission - before or after those cleaned-up infections.

__________________
Vincent P

MALWARE: READ FIRST Procedures:
|_ SpyBot V1.5 _|_ HijackThis LOG __V2.0.2 _|

__
ASAP: promoting a high standard and quality of security support no matter where you seek help.

Sorry bout that.. I thought I CTRL+C that part in heh... anyhow.. there it is.. and It stopped working as soon as I got the infection, same with my Firewall.

An currently I dont know what those specific restrictions are, I've not put any on for IE to my knowledge, nor do I have any programs that would.. atleast I think... I've got

Windows Defender (disabled for now)
Windows Live OneCare (Its Unable to start up my windows firewall as well)
Lavasoft Ad-Aware SE Personal
Registry Mechanic
PC Tools Antivirus
Ewido Anti-spyware 4.0

I might look up my Router Settings to see if I cant find the ports and see if they are being used. I recently got a new linksys router but I can rule that out as the game ran perfectly (better the my old router) before my game crashed, Imma fix that problem in the Hijackthis and see if it goes away

Happily awaiting your words of infinite wisdom! *worships* hehe, seriously tho asides the WoW problem and Firewall problem, Im glad I got some things cleaned up finally.. also if you want I can put up a log of what Ewido found before all the fixes we did..

WOOT!! I got WoW working and I dunno how... I still cant get my windows firewall to start up (aka look at the settings) tho.. I looked into it on the windows live onecare and microsoft support and did what they recommended, so who knows... I dun member what exactly I did to get it working but Im not gonna go questioning hehe

Okay.. I figgered it out... its..

Net start MSFWDRV if I want to get the WoW to stop, not connecting, is there any way to change some settings so that It automatically starts?

The combofix log shows other items that need to be removed. However, lets first do a rootkit scan. The first suggested scan might still be working - worth a try:


Please print out these instructions as you should have all open windows and programs closed when running the scan.

Step 1.
==========
- Please download F-Secure's trial Blacklight from here
- Print out the help page for guidance. It will be found here
- Click the "I Accept" button at the license agreement
- Click the "Download" button to start the download
- Save it to your Desktop

Step 2.
==========
- Double-click the blbeta.exe file on your Desktop and select ‘Run’.
- Select the "I Accept the agreement" at the license agreement, then click "Next"
- Make sure "Scan through Windows Explorer (Recommended)" is selected\checked (if asked)
- Make sure all open programs and windows are closed (including this IE window) before clicking the "Scan" button
- Click "Scan


- When the animated graphics, in the bottom right-hand corner disappears, click "Close" – VERY IMPORTANT: Do not proceed beyond this point on the initial first assessment – need to proceed carefully


- A text log file will appear on your Desktop when the scan is complete. It will start with fsbl-xxxxxx.txt (i.e.: fsbl-20051017165931.log)
- Paste the contents of that log back here.





Alternatively, try:

Please download this file:
http://www.sysinternals.com/files/rootkitrevealer.zip
Unzip it to its own folder or to your desktop.
Run RootkitRevealer.exe and scan your system. When the scan is complete click on File, Save, and save the log file. Copy and paste the log file here.

__________________
Vincent P

MALWARE: READ FIRST Procedures:
|_ SpyBot V1.5 _|_ HijackThis LOG __V2.0.2 _|

__
ASAP: promoting a high standard and quality of security support no matter where you seek help.

Well unfortunately.. my system has become unstable again... this tme I think it might be part of the damage the virus did... It crashes after it loads a certain driver because it tends to hang, I removed windows live onecare and that fixed my WoW problem, but it seems that my comp just likes to crash willy nilly... I was fine earlier and its fine in Safemode (that Im in right now) but unfortunately I dunno what it could be that's causing the errors...

Is there any way to check on that error report? I havent beenable to find it nor did the windows error report help much...

The Blacklight also said there was nothing to report, I can try running it again if yea wish but it didnt show a log for its work... Im starting to really worry considering my computer is my first and only love.. and if she's about to die, I wana kill whoever is responsible!

Please help me Obi-Wan Vopthis!!!

Delete the following files in SAFE MODE (leave them in your Recycle Bin for now)

2006-09-15 12:22 79,872 --a------ C:\WINDOWS\system32\nsd7.dll - AdWare.ToolBar.HotSearchBar.i

2006-09-08 15:33 9,906 --a------ C:\WINDOWS\system32\sachostp.exe - looksky
2006-09-08 15:33 26,152 --a------ C:\WINDOWS\sachostx.exe - looksky
2006-09-08 15:32 3,749 --a------ C:\WINDOWS\sysldr32.exe - Trojan.Agent.AF.J

2006-09-08 12:43 136 --a------ C:\WINDOWS\file.bat
2006-09-08 12:42 929 --a------ C:\WINDOWS\system32\winpfg32.sys - Polymorphic.File.Exploit
2006-09-08 12:42 267,228 --a------ C:\WINDOWS\popupwithcast.exe - Polymorphic.File.Exploit
2006-09-08 12:42 186,219 --a------ C:\WINDOWS\srvlnjyapk.exe
2006-09-08 12:42 1,233 --a------ C:\WINDOWS\system32\zej32c5f.sys

2006-09-06 15:34 4,096 --a------ C:\WINDOWS\system32\ntsystem.exe - Covert.Sys.Exec




REBOOT.


[Note: Try not to browse the Internet in SAFE MODE because most security tools are not operational there (eg - firewall and antivirus)]

It would next be wise to make backups of critical user files and your registry (and a new restore point) before trying to fix a possible underlying rootkit infection:

http://www.google.ca/search?hl=en&q=...soft.com&meta=


It is quite likely your have the 'Rootkit driver pe386'. RootkitRevealer may find it or the following directions may address it:

http://swatrant.blogspot.com/2006/08...a-rootkit.html

__________________
Vincent P

MALWARE: READ FIRST Procedures:
|_ SpyBot V1.5 _|_ HijackThis LOG __V2.0.2 _|

__
ASAP: promoting a high standard and quality of security support no matter where you seek help.

nsd7.dll was not found in the search but the rest were and moved promptly to my recycle bin, yet it still crashed, Imma check out the rootkit revealer from AVG and follow all the actions I thought I fixed that problem but apparently I left it half completed it seems...

well.. now the AVG rootkit finder is continually popping up with, "Please restart your computer before using AVG Rootkit Finder" but I've restarded atleast 3 times, Im only able to work in safemode tho because my normal mode continually crashes on startup (even tho I removed everything from the startup with MSconfig) so Im at a loss... It has to be a problem with a certain driver loading or something because I wouldnt beable to load in safe mode if it was heat related or whatnot..

Im gonna include a Hijackthis Report just to make sure everything looks peachy..