Solved Virus is causing a SHDOCWV error?

[djackson84]

Reatogo is telling me there's not enough memory to open the attachment in B: and you open in another. It also won't allow me to open my flash drive, so I dont' know for sure if the txt or the attachment are on it. I get the same message about there not being enough room.

 

[Broni]

Did you put my file on USB stick?

Tell me what exactly you're doing.

 

[djackson84]

I dragged both your file and the txt file onto the icon for my flash drive. I just can't open my flash drive to confirm that they're on there because I get an error messages saying there's no room. So if I reboot, I can't access them to upload. I tried copying the attachment to the desktop and again I get the error that there is no room. When I try to open it it says "there is not enough room on the disk to save B:\YFFN5a4J.zip.part."

 

[Broni]

You're not reading my instruction well.
Unzip shdocvw.zip on working computer. Copy UNZIPPED shdocvw.dll file into USB flash drive. Put nothing else there.

Boot bad computer with OTLPE and transfer shdocvw.dll file from your USB flash drive to C:\WINDOWS\System32 folder.

 

[djackson84]

Oh ok. I got confused because when I first made the CD it didn't matter what computer I used. I've been on the bad one still. I'll have to borrow a laptop. I know what to do now.

 

[Broni]

Very well

 

[djackson84]

Almost have everything done. When you say "reboot the PC when it is done" Am I restarting it with the CD or without?

 

[Broni]

Remove CD, start Windows normally and let me know what are the current issues.

 

[djackson84]

Here's the log. I also saved in to my usb. Restarting without the CD now and I've added the dll to the system32 like you said as well. Here goes nothing.


========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DFC1A8D5-F5A4-453D-BB54-0A886678B9B0}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DFC1A8D5-F5A4-453D-BB54-0A886678B9B0}\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoSetActiveDesktop deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoActiveDesktopChanges deleted successfully.
Starting removal of ActiveX control {31435657-9980-0010-8000-00AA00389B71}
C:\WINDOWS\Downloaded Program Files\wvc1dmo.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{31435657-9980-0010-8000-00AA00389B71}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{31435657-9980-0010-8000-00AA00389B71}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{31435657-9980-0010-8000-00AA00389B71}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{31435657-9980-0010-8000-00AA00389B71}\ not found.
Registry key HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Active Setup\Installed Components\{31435657-9980-0010-8000-00AA00389B71}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{31435657-9980-0010-8000-00AA00389B71}\ not found.
Registry key HKEY_USERS\Administrator_ON_C\SOFTWARE\Microsoft\Active Setup\Installed Components\{31435657-9980-0010-8000-00AA00389B71}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{31435657-9980-0010-8000-00AA00389B71}\ not found.
Registry key HKEY_USERS\LocalService_ON_C\SOFTWARE\Microsoft\Active Setup\Installed Components\{31435657-9980-0010-8000-00AA00389B71}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{31435657-9980-0010-8000-00AA00389B71}\ not found.
Registry key HKEY_USERS\Mom_2_ON_C\SOFTWARE\Microsoft\Active Setup\Installed Components\{31435657-9980-0010-8000-00AA00389B71}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{31435657-9980-0010-8000-00AA00389B71}\ not found.
Registry key HKEY_USERS\Mom_ON_C\SOFTWARE\Microsoft\Active Setup\Installed Components\{31435657-9980-0010-8000-00AA00389B71}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{31435657-9980-0010-8000-00AA00389B71}\ not found.
Registry key HKEY_USERS\NetworkService_ON_C\SOFTWARE\Microsoft\Active Setup\Installed Components\{31435657-9980-0010-8000-00AA00389B71}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{31435657-9980-0010-8000-00AA00389B71}\ not found.
Registry key HKEY_USERS\systemprofile_ON_C\SOFTWARE\Microsoft\Active Setup\Installed Components\{31435657-9980-0010-8000-00AA00389B71}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{31435657-9980-0010-8000-00AA00389B71}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\E\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\E\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\E\ not found.
E:\LaunchU3.exe moved successfully.
C:\Documents and Settings\Mom_2\Local Settings\Application Data\prvlcl.dat moved successfully.
C:\Documents and Settings\Mom\Local Settings\Application Data\prvlcl.dat moved successfully.
C:\WINDOWS\tasks\nyihntpn.job moved successfully.
File C:\Documents and Settings\Mom_2\Local Settings\Application Data\prvlcl.dat not found.
File C:\Documents and Settings\Mom\Local Settings\Application Data\prvlcl.dat not found.
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 346865 bytes
->Temporary Internet Files folder emptied: 402 bytes
->FireFox cache emptied: 92979561 bytes
->Flash cache emptied: 53583 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 41620 bytes

User: LocalService
->Temp folder emptied: 65984 bytes
->Temporary Internet Files folder emptied: 32969 bytes
->FireFox cache emptied: 4171663 bytes

User: Mom
->Temp folder emptied: 526562534 bytes
->Temporary Internet Files folder emptied: 263853 bytes
->FireFox cache emptied: 200095377 bytes
->Flash cache emptied: 179290 bytes

User: Mom_2
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->FireFox cache emptied: 92697392 bytes
->Flash cache emptied: 45645 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 89050844 bytes
->Flash cache emptied: 19014 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2162283 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 2471431 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 64672602 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes

Total Files Cleaned = 1,026.00 mb


OTLPE by OldTimer - Version 3.1.39.0 log created on 07072010_202106

 

[djackson84]

Ok....there's a new error now. It says that 325 could not be found on the link SHDOCVW.dll. There's still no desktop.

 

[Broni]

It says that 325 could not be found on the link SHDOCVW.dll

Please post exact error, word by word.

Will CTRL+ALT+DEL bring Task Manager up?

 

[djackson84]

"the original 325 could not be located in the dynamic link library Shdocvw.dll" is what it says. But after I logged off and back on again to replicate the problem the desktop showed up. Everything seems to be working fine now except for the virus that lead me to to the system recovery which led to the desktop problem. Now I can just focus on the virus. Thank you for everything

 

[Broni]

Great news
Let me go through our thread, so we can figure out next step.

 

[Broni]

Please, complete all steps listed here: https://www.techspot.com/community/...lware-removal-preliminary-instructions.58138/

 

[djackson84]

Ok...I'm going through the list. My particular virus seems to redirect websites, and cause popups. Does this sound like anything you know personally? Just checking.

 

[Broni]

Your computer seems to be stable enough for us to get rid of whatever got there.
If you can't perform some steps, for whatever reason, simply let me know.

 

[djackson84]

I do have a quick question. My desktop toolbar on the bottom of the screen, is going from blue to gray randomly. Should I be concerned?

 

[Broni]

Not yet
We'll worry about all other issues, when we get closer to having your computer clean.

 

[djackson84]

Okay. We'd spoken before about me removing either AVG or Norton. Should I do that before I begin these steps?

 

[Broni]

That would be very good idea. Yes.

 

[djackson84]

I'm having some trouble with the GMER program. It keeps either freezing up itself, or freezing my computer. Is there an alternative?

 

[Broni]

Did you?

IMPORTANT! If for some reason GMER refuses to run, try again.
If it still fails, try to UN-check "Devices" in right pane.
If still no joy, try to run it from Safe Mode.

If still no go, skip it.

 

[djackson84]

I'm still having trouble with the GMER, it crashed the desktop and I had to restart.

here's the log for malwarebytes, and I've attached the last two.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4290

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

7/7/2010 8:17:42 PM
mbam-log-2010-07-07 (20-17-42).txt

Scan type: Quick scan
Objects scanned: 137913
Time elapsed: 6 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\RelevantKnowledge (Spyware.MarketScore) -> Quarantined and deleted successfully.
C:\Program Files\RelevantKnowledge\components (Spyware.MarketScore) -> Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)



I've attacked the last two.

 

[Broni]

I still see AVG and Norton running.
Please, refer to my post #20 and remove one of them.
When done, post fresh DDS log (new Attach.txt not needed).

 

[djackson84]

Got rid of AVG, sorry about that. I've attached all the logs minus GMER.