
Solved trojan / "Object is inaccessible."

Discussion in 'Malware and Virus Removal Archive' started by davee, 2010/07/23.

  1. 2010/07/30
    crunchie

    crunchie Inactive

    Joined:
    2010/01/12
    Messages:
    982
    Likes Received:
    5
    Go here http://www.billsway.com/vbspage/ and download, unzip and run the Registry Search Tool.
    • Type combofix in the dialog box.
    • Let it run and after a few minutes, a prompt will appear.
    • Click OK to write the results to Notepad and post them here.
    • Repeat for 19866
     
  2. 2010/07/30
    davee

    davee Inactive Thread Starter

    Joined:
    2002/10/16
    Messages:
    130
    Likes Received:
    0
    Hi, here are the results for combofix.
    REGEDIT4
    ; RegSrch.vbs © Bill James

    ; Registry search results for string "combofix" 7/31/2010 10:17:21 AM

    ; NOTE: This file will be deleted when you close WordPad.
    ; You must manually save this file to a new location if you want to refer to it again later.
    ; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\combofix.exe]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\combofix.exe]
    @="C:\\Documents and Settings\\Dave\\Desktop\\ComboFix.exe"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\runonceex\1428]
    "rdghixrd"="\"C:\\ComboFix\\CF19866.cfxxe\" /c \"C:\\ComboFix\\Combobatch.bat\""

    [HKEY_LOCAL_MACHINE\SOFTWARE\swearware]
    "combofix_wow"="10-07-28.01"

    [HKEY_LOCAL_MACHINE\SOFTWARE\swearware]
    "LastDir"="C:\\ComboFix"

    [HKEY_USERS\S-1-5-21-1004336348-1677128483-839522115-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache]
    "C:\\Documents and Settings\\Dave\\Desktop\\ComboFix.exe"="ComboFix"

    [HKEY_USERS\S-1-5-21-1004336348-1677128483-839522115-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache]
    "C:\\ComboFix\\NircmdB.exe"="NirCmd"

    [HKEY_USERS\S-1-5-21-1004336348-1677128483-839522115-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache]
    "C:\\ComboFix\\ERUNT.cfxxe"="ERUNT"

    [HKEY_USERS\S-1-5-21-1004336348-1677128483-839522115-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache]
    "C:\\ComboFix\\NirCmd.cfxxe"="NirCmd"

    [HKEY_USERS\S-1-5-21-1004336348-1677128483-839522115-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache]
    "C:\\ComboFix\\CF587.cfxxe"="Windows Command Processor"

    [HKEY_USERS\S-1-5-21-1004336348-1677128483-839522115-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache]
    "C:\\ComboFix\\CF21256.cfxxe"="Windows Command Processor"

    [HKEY_USERS\S-1-5-21-1004336348-1677128483-839522115-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache]
    "C:\\ComboFix\\CF6388.cfxxe"="Windows Command Processor"

    [HKEY_USERS\S-1-5-21-1004336348-1677128483-839522115-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache]
    "C:\\ComboFix\\CF14871.cfxxe"="Windows Command Processor"

    [HKEY_USERS\S-1-5-21-1004336348-1677128483-839522115-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache]
    "C:\\ComboFix\\CF6576.cfxxe"="Windows Command Processor"

    [HKEY_USERS\S-1-5-21-1004336348-1677128483-839522115-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache]
    "C:\\ComboFix\\NirCmdC.cfxxe"="NirCmd"

    [HKEY_USERS\S-1-5-21-1004336348-1677128483-839522115-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache]
    "C:\\ComboFix\\CF11156.cfxxe"="Windows Command Processor"
     

  4. 2010/07/30
    davee

    And here are the results for 19866:
    REGEDIT4
    ; RegSrch.vbs © Bill James

    ; Registry search results for string "19866" 7/31/2010 10:19:37 AM

    ; NOTE: This file will be deleted when you close WordPad.
    ; You must manually save this file to a new location if you want to refer to it again later.
    ; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\runonceex\1428]
    "rdghixrd"="\"C:\\ComboFix\\CF19866.cfxxe\" /c \"C:\\ComboFix\\Combobatch.bat\""
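One way to triage RegSrch output like the search results above, added here as an example (it is not code from the thread, from RegSrch, or from ComboFix): parse the REGEDIT4 text, unescape the string values, and flag entries under the Run/RunOnce/RunOnceEx keys whose target executable no longer exists, which is exactly what the leftover CF19866.cfxxe entry is. The sample text is constructed from the two keys posted above, and the `exists` predicate is injected so the check can run offline on any platform.

```python
import os
import re

# Constructed sample in the REGEDIT4 syntax RegSrch emits, built from the two
# keys posted in this thread: the RunOnceEx entry ComboFix's temporary
# CF19866.cfxxe runner left behind, and the App Paths entry for ComboFix.exe.
SAMPLE = r'''REGEDIT4
; Registry search results for string "19866"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\runonceex\1428]
"rdghixrd"="\"C:\\ComboFix\\CF19866.cfxxe\" /c \"C:\\ComboFix\\Combobatch.bat\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\combofix.exe]
@="C:\\Documents and Settings\\Dave\\Desktop\\ComboFix.exe"
'''

# Key fragments (compared case-insensitively) that Windows executes at logon/boot.
AUTORUN_KEYS = (r"\currentversion\run", r"\currentversion\runonce", r"\currentversion\runonceex")

# One REG_SZ line: either @="data" (default value) or "name"="data", with escapes.
VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")="((?:[^"\\]|\\.)*)"$')


def unescape(s):
    # .reg strings escape a backslash and a double quote with a backslash.
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg(text):
    """Yield (key, value_name, data) for each REG_SZ value in REGEDIT4 text."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            name = "(Default)" if m.group(1) == "@" else unescape(m.group(2))
            yield key, name, unescape(m.group(3))


def command_target(cmd):
    """Executable part of a command line: the quoted path, or the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:] if end == -1 else cmd[1:end]
    return cmd.split(" ", 1)[0]


def stale_autoruns(text, exists=os.path.exists):
    """Autorun entries whose target executable is missing, as (key, name, target)."""
    stale = []
    for key, name, data in parse_reg(text):
        if not any(frag in key.lower() for frag in AUTORUN_KEYS):
            continue
        target = command_target(data)
        if target and not exists(target):
            stale.append((key, name, target))
    return stale


if __name__ == "__main__":
    # Off the infected box every C:\ path is "missing", so the RunOnceEx entry is reported.
    for key, name, target in stale_autoruns(SAMPLE):
        print(f"{key}\n  {name} -> {target} (not found)")
```

On the affected machine itself the default `os.path.exists` is enough; a stale entry under RunOnceEx is the kind of thing that produces an "Object is inaccessible" style error at every boot until the value is removed.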
     
  5. 2010/07/30
    crunchie

    Download the attached zip file and unzip fixme.reg. Close all browser windows. Double click the file to run it and when asked if you want to merge with your registry, answer yes.
    Reboot when done and check if the problem remains.
    View attachment fixme.zip


    Download and Run ATF Cleaner
    Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

    Double-click ATF Cleaner.exe to open it.

    Under Main choose:
    Windows Temp
    Current User Temp
    All Users Temp
    Cookies
    Temporary Internet Files
    Prefetch
    Java Cache

    *The other boxes are optional*
    Then click the Empty Selected button.

    Firefox:
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

    Opera:
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

    Click Exit on the Main menu to close the program.

    ==
     
  6. 2010/07/30
    davee

    Hi crunchie, sorry to say the same error still comes up on reboot (C:\ComboFix\Cf19866.cfxxe), and I still get randomly redirected in the Opera browser with random tabs opening. Cheers.
     
  7. 2010/07/30
    davee

    Hi crunchie, the redirecting problem appears to be in my Opera browser, as just now I thought I would try IE to see if the same problem occurs, but after opening various tabs all linked to where they're supposed to be, and with no random tabs opening. Hope this may be of some help, as it only appears to be while operating Opera that I get these redirected links...
     
  8. 2010/07/31
    crunchie

    That is really strange. I have used opera for 10 years and have never seen it get hijacked.

    Can you un-install Combofix again following the instructions I gave earlier.

    Download Delete Domains from here and run it. It will delete all entries from the trusted and restricted zone.

    =========

    Download and Install
    Please download SUPERAntiSpyware Free for Home Users...to your desktop.
    1. Double-click SUPERAntiSpyware.exe... use the default settings for installation.
    2. Double-click the icon...created on your desktop... to launch the program.
    3. Click "Yes" ... if asked to update definitions. If not...press the "Check for Updates"...button.
      If you encounter any problems while downloading the updates, manually download and unzip them from Here.
    4. Once the updates have been applied... STOP!
    5. Close and exit SUPERAntiSpyware.


    Boot to Safe Mode
    Make sure you have downloaded anything you need... print these instructions as well, you will not have Internet access!
    1. Restart your computer. During start up... repeatedly tap the F8 key... When the menu appears...
    2. Use up-arrow key to select "Safe Mode" and press Enter.
      • If you have a multiple boot system (more than 1 OS installed) or you have Recovery Console installed...
        you will be shown a multi boot screen. Highlight the OS you want to start... Press Enter.
    3. Once the system starts ...it displays various files/drivers being loaded, it may pause, that's normal.
    4. When your desktop is loaded... reply "Yes" to the Safe Mode startup, if prompted.


    SUPERAntiSpyware scan:
    1. Double-click the SUPERAntiSpyware icon...on your desktop... to launch the program.
    2. Under "Configuration and Preferences", click the Preferences button.
    3. Click the Scanning Control tab.
    4. Under Scanner Options make sure the following are checked (leave all others unchecked):
      • Close browsers before scanning.
      • Scan for tracking cookies.
      • Terminate memory threats before quarantining.
    5. Click the "Close" button to leave the control center screen.
    6. Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
    7. On the left, make sure you check C:\Fixed Drive.
    8. On the right, under "Complete Scan", choose Perform Complete Scan.
    9. Click "Next" to start the scan. Please be patient while it scans your computer.
    10. After the scan is complete, a Scan Summary box will appear with... any items detected. Click "OK".
    11. Make sure everything has a checkmark next to it and click "Next".
      A notification will appear that "Quarantine and Removal is Complete".
    12. Click "OK" and then click the "Finish" button to return to the main menu.
    13. Reply "Yes" to the reboot prompt.
    14. Launch SUPERAntispyware again....
      • Click Preferences, then click the Statistics/Logs tab.
      • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
      • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
        Save the log file to your desktop...name it: saslog.txt
    15. Click Close to exit the program.
    If you have not rebooted your system... from the previous instructions...please do so now.
    Please copy/paste entire contents of saslog.txt... in your next reply.

    ========

    Download gmer.zip: http://www.gmer.net/files.php
    Unzip the file, and double click on gmer.exe, select Rootkit tab and click the Scan button.
    When scan is completed, click Save button, and save the results as gmer.log
    Warning ! Please, do not select the "Show all" checkbox during the scan.
    Post the log to your next reply.
     
  9. 2010/07/31
    davee

    Hi crunchie, I uninstalled ComboFix and ran Delete Domains. Just a question: I already have SUPERAntiSpyware, so should I just follow the steps from after the download?
     
  10. 2010/07/31
    crunchie

    Yes please.
     
  11. 2010/07/31
    davee

    OK, the scan finally finished; here it is. I will do the gmer one now. Thank you for everything so far.

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 07/31/2010 at 07:24 PM

    Application Version : 4.41.1000

    Core Rules Database Version : 5294
    Trace Rules Database Version: 3106

    Scan type : Complete Scan
    Total Scan Time : 03:24:07

    Memory items scanned : 230
    Memory threats detected : 0
    Registry items scanned : 6702
    Registry threats detected : 2
    File items scanned : 52804
    File threats detected : 2

    Adware.Flash Tracking Cookie
    C:\Documents and Settings\Dave\Application Data\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\WTBMECGZ\MEDIA.FOXSPORTS.COM.AU

    Malware.Trace
    HKU\.DEFAULT\SOFTWARE\AVSolution
    HKU\S-1-5-18\SOFTWARE\AVSolution

    Adware.Tracking Cookie
    media.foxsports.com.au [ C:\Documents and Settings\Dave\Application Data\Macromedia\Flash Player\#SharedObjects\WTBMECGZ ]
     
  12. 2010/07/31
    davee

    Hi crunchie, I just tried running gmer and the PC just shut down and rebooted with a message: "The system has just recovered from a serious error, a log of this error has been created." I clicked on the report; it read: error signature BCCode: 4e, BCP1: 00000007, BCP2: 0003BF7E, BCP3: 000000001, BCP4: 0000000, OSVer: 5_1 2600, SP: 3_0, Product: 256_1, and also the error report contents: C:\DOCUM~1\Dave\LOCALS~1\TEMPWERe3f7.dir00\mini073110-01.dmp and C:\DOCUM~1\Dave\LOCALS~1\temp\were3f7.dir001sysdata.xml. Hope this is of some help, cheers.
     
  13. 2010/07/31
    crunchie

    Curiouser and curiouser.

    Download Bootkit Remover to your Desktop.

    • You then need to extract the remover.exe file from the RAR using a program capable of extracting RAR compressed files. If you don't have an extraction program, you can use 7-Zip: http://www.7-zip.org/
    • After extracting remover.exe to your Desktop, double-click on remover.exe to run the program (Vista/7 users, right click on remover.exe and click Run As Administrator).
    • It will show a Black screen with some data on it.
    • Right click on the screen and click Select All.
    • Press CTRL+C
    • Open a Notepad and press CTRL+V
    • Post the output back here.

    ==

    Please Run the ESET Online Scanner and post the ScanLog with your post for assistance.
    • You will need to use Internet Explorer to complete this scan.
    • You will need to temporarily Disable your current Anti-virus program.
    • Be sure the option to Remove found threats is Un-checked at this time (we may have it clean what it finds at a later time), and the option to Scan unwanted applications is Checked.
    • When you have completed that scan, a scanlog ought to have been created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please post that log for us as directed below.
     
  14. 2010/07/31
    davee

    Bootkit Remover
    (c) 2009 eSage Lab
    www.esagelab.com

    Program version: 1.1.0.0
    OS Version: Microsoft Windows XP Professional Service Pack 3 (build 2600)

    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
    Boot sector MD5 is: 6def5ffcbcdbdb4082f1015625e597bd

    Size Device Name MBR Status
    --------------------------------------------
    149 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)


    Done;
    Press any key to quit...
     
  15. 2010/07/31
    crunchie

    That is ok. This is getting to be a bit of a puzzle :(.

    Let's see what the ESET scan turns up.

    You can delete the Bootkit remover now.
     
  16. 2010/07/31
    davee

    Hi, here is the ESET log:
    ESETSmartInstaller@High as CAB hook log:
    OnlineScanner.ocx - registred OK
    # version=7
    # IEXPLORE.EXE=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
    # OnlineScanner.ocx=1.0.0.6211
    # api_version=3.0.2
    # EOSSerial=e0be550a5149ff4cb7f8555ac2f6e878
    # end=finished
    # remove_checked=false
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2010-07-31 11:46:40
    # local_time=2010-07-31 09:46:40 (+1000, AUS Eastern Standard Time)
    # country="United States"
    # lang=1033
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=512 16777215 100 0 0 0 0 0
    # compatibility_mode=1024 16777191 100 0 22180759 22180759 0 0
    # compatibility_mode=1792 16777215 100 0 0 0 0 0
    # compatibility_mode=8192 67108863 100 0 4017 4017 0 0
    # scanned=54329
    # found=0
    # cleaned=0
    # scan_time=2013
     
  17. 2010/07/31
    crunchie

    Download Dr.Web CureIt to the desktop:
    ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
    • Doubleclick the drweb-cureit.exe file and click Scan to run express scan. Click OK in pop-up window to allow scan.
    • This will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
    • Once the short scan has finished, select Complete scan.
    • Click the green arrow drweb.jpg at the right, and the scan will start.
    • Click Yes to all if it asks if you want to cure/move the file.
    • When the scan has finished, in the menu, click File and choose Save report list
    • Save the report to your desktop. The report will be called DrWeb.csv
    • Close Dr.Web Cureit.
    • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
    • Copy and paste that log in the next reply. You can use Notepad to open the DrWeb.csv report.

    NOTE. During the scan, pop-up window will open asking for full version purchase. Simply close the window by clicking on X in upper right corner.

    ============

    Download the attached zip file and unzip fixme.reg. Close all browser windows. Double click the file to run it and when asked if you want to merge with your registry, answer yes.
    Reboot when done and check if the problem error message remains.
    View attachment fixme.zip
     
  18. 2010/08/01
    davee

    Here is the drweb log.
     
  19. 2010/08/01
    davee

    The log doesn't want to send, so here are the stats:
    Scan statistics
    -----------------------------------------------------------------------------
    Scanned: 474670
    Infected: 2
    Modifications: 0
    Suspicious: 0
    Adware: 0
    Dialers: 0
    Jokes: 0
    Riskware: 0
    Hacktools: 1
    Cured: 0
    Deleted: 2
    Renamed: 0
    Moved: 1
    Ignored: 0
    Scan speed: 21 Kb/s
    Scan time: 14:57:36
    -----------------------------------------------------------------------------

    =============================================================================
    Total session statistics
    =============================================================================
    Scanned: 484513
    Infected: 2
    Modifications: 0
    Suspicious: 0
    Adware: 0
    Dialers: 0
    Jokes: 0
    Riskware: 0
    Hacktools: 1
    Cured: 0
    Deleted: 2
    Renamed: 0
    Moved: 1
    Ignored: 0
    Scan speed: 5 Kb/s
    Scan time: 15:18:22
    =============================================================================
     
  20. 2010/08/01
    davee

    I do have a log on the desktop that I saved when the scan was done, but it saved as an Excel file. Can I post that for you? That has a description of the files detected.
     
  21. 2010/08/01
    davee

    I saved the Excel file in Notepad; here it is. Cheers, thanks.
    RegUBP2b-Dave.reg;C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2;Trojan.StartPage.1505;Deleted.;
    UnZoone.exe\___\Process.exe;C:\Documents and Settings\Dave\My Documents\apps\UnZoone.exe;Tool.Killproc.3;;
    UnZoone.exe;C:\Documents and Settings\Dave\My Documents\apps;Container contains infected objects;Moved.;
    A0001021.reg;C:\System Volume Information\_restore{335F2805-C50C-48F9-B7C4-5062DE3843A5}\RP1;Trojan.StartPage.1505;Deleted.;
     
