
malware preventing me from opening programs or using system restore.

Old 04-08-2011, 04:18 PM   #1
Registered Member
 
Join Date: Apr 2011
Posts: 6
OS: Windows 7



I'm having some problems with my computer. I can't open most programs that would help me (spybot, adaware, malwarebytes). When I try to open these I get a notification that "ana.exe" is trying to make changes and needs permission. Of course, I don't let it but the programs won't open. I can't open Firefox or Internet Explorer. I have tried to use system restore but it is shut off or something... I've never seen that before. I tried to use system restore from the boot process but it wouldn't let me.

I also get a fake Windows Security Center popup that tells me to download some security program. Any help would be greatly appreciated.

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Jordan at 18:55:37.15 on Fri 04/08/2011
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_20
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.3326.2323 [GMT -4:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Lavasoft Ad-Watch Live! *Enabled/Updated* {61CDFD9D-3CAC-9270-C6FC-52325ACB795B}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\rundll32.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Windows\system32\lxbkcoms.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Windows\system32\PnkBstrA.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\DllHost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWWSC.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\WUDFHost.exe
C:\Users\Jordan\AppData\Local\Temp\9E5C.tmp\MBR.DAT
C:\Windows\system32\RunDll32.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
G:\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uSearch Bar = hxxp://www.google.com/ie
uSearch Page = hxxp://www.google.com
uStart Page = hxxp://att.my.yahoo.com/
uInternet Settings,ProxyServer = http=127.0.0.1:33440
uInternet Settings,ProxyOverride = <local>
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\programdata\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [W5E7SH31DG] c:\users\jordan\appdata\local\temp\Dkv.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
mRun: [Intel AppUp(SM) center] "c:\program files\intel\intelappstore\bin\serviceManager.lnk"
StartupFolder: c:\users\jordan\appdata\roaming\micros~1\windows\startm~1\programs\startup\dropbox.lnk - c:\users\jordan\appdata\roaming\dropbox\bin\Dropbox.exe
uPolicies-explorer: HideSCAHealth = 1 (0x1)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\jordan\appdata\roaming\mozilla\firefox\profiles\ij9gvy71.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - Google
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - prefs.js: network.proxy.ftp - webproxy.andrews.edu
FF - prefs.js: network.proxy.ftp_port - 3128
FF - prefs.js: network.proxy.gopher - webproxy.andrews.edu
FF - prefs.js: network.proxy.gopher_port - 3128
FF - prefs.js: network.proxy.http - webproxy.andrews.edu
FF - prefs.js: network.proxy.http_port - 3128
FF - prefs.js: network.proxy.socks - webproxy.andrews.edu
FF - prefs.js: network.proxy.socks_port - 3128
FF - prefs.js: network.proxy.ssl - webproxy.andrews.edu
FF - prefs.js: network.proxy.ssl_port - 3128
FF - prefs.js: network.proxy.type - 0
FF - component: c:\programdata\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
FF - component: c:\programdata\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordlegacyext.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dv.dll
FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dvstreaming.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\programdata\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\users\jordan\appdata\roaming\mozilla\firefox\profiles\ij9gvy71.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000006.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Move Media Player: moveplayer@movenetworks.com - %profile%\extensions\moveplayer@movenetworks.com
FF - Ext: Adobe DLM (powered by getPlus(R)): {CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7} - %profile%\extensions\{CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\programdata\real\realplayer\browserrecordplugin\firefox\Ext
.
============= SERVICES / DRIVERS ===============
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-6-5 64288]
R1 UGURU;UGURU;c:\windows\system32\drivers\uGuru.sys [2008-3-10 21048]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1352832]
R2 lxbk_device;lxbk_device;c:\windows\system32\lxbkcoms.exe -service --> c:\windows\system32\lxbkcoms.exe -service [?]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\nvidia corporation\3d vision\nvSCPAPISvr.exe [2010-10-16 369256]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate1c9b0a9348e6f0f;Google Update Service (gupdate1c9b0a9348e6f0f);c:\program files\google\update\GoogleUpdate.exe [2009-3-29 133104]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 fssfltr;fssfltr;c:\windows\system32\drivers\fssfltr.sys [2009-3-8 55280]
S3 fsssvc;Windows Live Family Safety;c:\program files\windows live\family safety\fsssvc.exe [2009-2-6 533360]
S3 LTXMD_VAC;Litex Media Virtual Audio Cabel (WDM);c:\windows\system32\drivers\lmvac.sys [2008-5-14 18912]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-5-8 1343400]
.
=============== Created Last 30 ================
.
2011-04-08 20:47:18 232866 --sha-w- c:\users\jordan\appdata\local\mjg.exe
2011-04-08 20:47:17 232866 --sha-w- c:\users\jordan\appdata\local\ana.exe
2011-04-08 19:52:49 -------- d-----w- c:\users\jordan\appdata\local\javasharedresources
2011-04-08 19:50:11 161792 ----a-w- c:\windows\Dlycoa.exe
2011-04-08 19:50:04 135168 --sha-r- c:\windows\system32\KBDTH3U.dll
2011-04-08 19:41:24 -------- d--h--w- c:\program files\Zero G Registry
2011-04-08 19:41:23 -------- d--h--w- c:\users\jordan\InstallAnywhere
2011-04-08 19:39:02 -------- d-----w- c:\program files\common files\IBM
2011-04-08 19:38:30 -------- d-----w- c:\program files\IBM
2011-04-08 1247 6792528 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{94cd7e0a-3e3a-4b07-a710-c16d683e9b46}\mpengine.dll
2011-04-03 13:52:59 -------- d-----w- c:\program files\Coder1 Software
2011-03-22 22:56:32 -------- d-----w- c:\users\jordan\appdata\roaming\Rovio
2011-03-22 12:16:14 -------- d-----w- c:\program files\Rovio
2011-03-22 1212 -------- d-----w- c:\users\jordan\appdata\local\Intel
2011-03-18 01:28:15 11776 ----a-w- c:\program files\mozilla firefox\plugins\nprjplug.dll
2011-03-18 01:28:07 -------- d-----w- c:\program files\common files\xing shared
2011-03-18 01:28:03 150712 ----a-w- c:\program files\mozilla firefox\plugins\nppl3260.dll
2011-03-18 01:27:57 100864 ----a-w- c:\program files\mozilla firefox\plugins\nprpjplug.dll
.
==================== Find3M ====================
.
2011-04-08 19:38:10 205 ----a-w- c:\windows\system32\lsprst7.dll
2011-03-18 01:27:54 499712 ----a-w- c:\windows\system32\msvcp71.dll
2011-03-18 01:27:54 348160 ----a-w- c:\windows\system32\msvcr71.dll
2011-02-19 05:33:11 802304 ----a-w- c:\windows\system32\FntCache.dll
2011-02-19 05:32:48 1074176 ----a-w- c:\windows\system32\DWrite.dll
2011-02-19 05:32:35 739840 ----a-w- c:\windows\system32\d2d1.dll
2011-02-02 22:11:20 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-02-01 21:29:18 720896 ----a-w- c:\windows\iun6002.exe
.
============= FINISH: 19:04:17.55 ===============
Attached Files
File Type: txt Attach.txt (14.9 KB, 6 views)

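The DDS output above already contains the three indicators the helper later acts on: the IE proxy forced to 127.0.0.1:33440, a uRun entry launching Dkv.exe from Temp, and hidden+system executables (ana.exe, mjg.exe) dropped into AppData. The following Python triage script is an added example, not a tool from this thread or from DDS; it parses lines in DDS's format and flags those patterns, using sample lines constructed from the log above.

```python
"""Triage helper for DDS-style log lines.

Added example for this thread, not part of DDS or of the helper's tools.
Flags three patterns that appear in the DDS log posted above:
  1. an IE ProxyServer entry pointing at the local machine,
  2. a uRun/mRun autorun launching a program from a Temp directory,
  3. an executable in "Created Last 30" carrying hidden+system attributes.
"""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the lines from the DDS log in this thread.
SAMPLE_DDS = r"""
uInternet Settings,ProxyServer = http=127.0.0.1:33440
uInternet Settings,ProxyOverride = <local>
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [W5E7SH31DG] c:\users\jordan\appdata\local\temp\Dkv.exe
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
2011-04-08 20:47:18 232866 --sha-w- c:\users\jordan\appdata\local\mjg.exe
2011-04-08 20:47:17 232866 --sha-w- c:\users\jordan\appdata\local\ana.exe
2011-04-08 19:50:04 135168 --sha-r- c:\windows\system32\KBDTH3U.dll
2011-03-18 01:28:03 150712 ----a-w- c:\program files\mozilla firefox\plugins\nppl3260.dll
"""


@dataclass(frozen=True)
class Finding:
    kind: str    # short category label
    line: str    # the offending log line, verbatim
    reason: str  # why it was flagged


# "u" = current-user hive, "m" = machine hive, as in DDS's pseudo-HJT section.
PROXY_RE = re.compile(r"^[um]Internet Settings,ProxyServer\s*=\s*(?P<value>.+)$")
RUN_RE = re.compile(r"^(?P<hive>[um]Run):\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.+)$")
# "Created Last 30" rows: date time size attrs path (attrs like --sha-w-).
CREATED_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<size>\d+|-+)\s+(?P<attrs>[-a-z]{8})\s+(?P<path>.+)$"
)
# Executable path at the start of an autorun command, quoted or not.
_PATH_RE = re.compile(r'^"?(?P<path>.+?\.(?:exe|dll|scr|com|lnk))"?(?:\s|$)', re.I)

LOCAL_HOSTS = ("127.0.0.1", "localhost", "[::1]")
EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".com")


def _program_path(cmd: str) -> str:
    """Return the lower-cased program path of an autorun command line."""
    m = _PATH_RE.match(cmd.strip())
    return (m["path"] if m else cmd.strip()).lower()


def triage(log_text: str) -> list[Finding]:
    """Scan DDS-style lines and return the suspicious ones, in log order."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := PROXY_RE.match(line):
            if any(h in m["value"].lower() for h in LOCAL_HOSTS):
                findings.append(Finding(
                    "localhost-proxy", line,
                    "browser traffic is routed through a proxy on this machine; "
                    "this is how the infection intercepted and blocked downloads"))
        elif m := RUN_RE.match(line):
            if "\\temp\\" in _program_path(m["cmd"]):
                findings.append(Finding(
                    "temp-autorun", line,
                    f"{m['hive']} entry [{m['name']}] starts a program from a Temp directory"))
        elif m := CREATED_RE.match(line):
            attrs, path = m["attrs"], m["path"].lower()
            if "s" in attrs and "h" in attrs and path.endswith(EXEC_EXT):
                findings.append(Finding(
                    "hidden-system-executable", line,
                    f"executable created {m['date']} with hidden+system attributes ({attrs})"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"[{f.kind}] {f.line}\n    {f.reason}")
```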
Old 04-10-2011, 06:27 AM   #2
Security Team
Analyst
Join Date: Dec 2009
Location: Michigan
Posts: 2,045
OS: Windows Vista / Win 7



Hello and welcome. Please follow these guidelines while we work on your PC:
  • Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until I’ve given you the “All clear.” Absence of symptoms does not mean your machine is clean!
  • Please do not run any scans or install/uninstall any applications without being directed to do so.
  • Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.
Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Download GMER Rootkit Scanner from here to your desktop.
  • Double click the exe file. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.

  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and post it in reply.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.


If you have trouble running GMER:
  • Make sure that your security software is disabled
  • Uncheck the box next to "Files" this time also
  • If you still can't run it, try in the Safe Mode
Please include the following in your next post:
  • GMER log

ASAP & UNITE Member
Old 04-10-2011, 08:28 AM   #3
Registered Member
 
Join Date: Apr 2011
Posts: 6
OS: Windows 7



Thanks for the response! I downloaded GMER and wasn't able to run it at first, but then I was able to run it in safe mode. Here is the log:

GMER 1.0.15.15570 - GMER - Rootkit Detector and Remover
Rootkit scan 2011-04-10 11:26:35
Windows 6.1.7600 Harddisk0\DR0 -> \Device\Ide\IdePort2 SAMSUNG_HD321KJ rev.CP100-12
Running: gmer.exe; Driver: C:\Users\Jordan\AppData\Local\Temp\uxtiqpod.sys


---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13BD 82245589 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 8226A092 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\svchost.exe[800] ntdll.dll!NtProtectVirtualMemory 778B51C0 5 Bytes JMP 001D000A
.text C:\Windows\system32\svchost.exe[800] ntdll.dll!NtWriteVirtualMemory 778B5D40 5 Bytes JMP 0032000A
.text C:\Windows\system32\svchost.exe[800] ntdll.dll!KiUserExceptionDispatcher 778B6298 5 Bytes JMP 001C000A
.text C:\Windows\system32\svchost.exe[800] ole32.dll!CoCreateInstance 76E0590C 5 Bytes JMP 003A000A
.text C:\Windows\Explorer.EXE[1152] ntdll.dll!NtProtectVirtualMemory 778B51C0 5 Bytes JMP 005A000A
.text C:\Windows\Explorer.EXE[1152] ntdll.dll!NtWriteVirtualMemory 778B5D40 5 Bytes JMP 005B000A
.text C:\Windows\Explorer.EXE[1152] ntdll.dll!KiUserExceptionDispatcher 778B6298 5 Bytes JMP 0024000A

---- Devices - GMER 1.0.15 ----

Device \Driver\ACPI_HAL \Device\00000045 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \Device\Ide\IdeDeviceP2T0L0-4 -> \??\IDE#DiskSAMSUNG_HD321KJ_________________________CP100-12#5&1b7613b3&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

---- EOF - GMER 1.0.15 ----
Old 04-10-2011, 08:36 AM   #4
Security Team
Analyst
Join Date: Dec 2009
Location: Michigan
Posts: 2,045
OS: Windows Vista / Win 7



podwarrior1:

Download TDSSKiller.zip and extract TDSSKiller.exe to your desktop
  • Execute TDSSKiller.exe by double-clicking on it.
  • Press Start Scan
  • If Malicious objects are found then ensure Cure is selected. Important - If there is no option to "Cure" it is critical that you select "Skip"
  • Then click Continue > Reboot now
  • Once complete, a log will be produced in c:\. It will be named for example, TDSSKiller.2.4.0.0_24.07.2010_13.10.52_log.txt
  • Attach that log, please.
Download Combofix from either of the links below, and save it to your desktop.

Link 1
Link 2

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link
--------------------------------------------------------------------

Double click on ComboFix.exe & follow the prompts.
  • If you have trouble, stop and post back. Do not try to repeatedly run comboFix!
  • When finished, it will produce a report for you.
.
Please include the following in your next post:
  • TDSSKiller log
  • ComboFix log
ASAP & UNITE Member
Old 04-10-2011, 09:13 AM   #5
Registered Member
 
Join Date: Apr 2011
Posts: 6
OS: Windows 7



Hey! I think that really made some progress. Both logs are attached. It got rid of ana.exe, which was causing me the most problems, but also got rid of some other stuff.

Firefox is running again and my task manager processes look a lot clearer.

Let me know if there is anything else I should do! Thanks so much.
Attached Files
File Type: txt TDSSKiller.2.4.21.0_10.04.2011_11.52.30_log.txt (66.6 KB, 10 views)
File Type: txt ComboFix.txt (16.6 KB, 7 views)
Old 04-10-2011, 09:48 AM   #6
Security Team
Analyst
Join Date: Dec 2009
Location: Michigan
Posts: 2,045
OS: Windows Vista / Win 7



podwarrior1:

Please do this next:

Open Notepad (Start > All Programs > Accessories > Notepad; this will only work with Notepad) and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad. Make sure there is no space before and above File::

Code:
DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:33440
uInternet Settings,ProxyOverride = <local>
Save this as CFScript to your desktop.

Then disable your security programs and drag the CFScript into ComboFix.exe as you see in the screenshot below.




This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full Scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Uncheck any entries from C:\System Volume Information or C:\Qoobox
  • Be sure that everything else is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please post the results.
Please include the following in your next post:
  • ComboFix log
  • MBAM log
ASAP & UNITE Member
Old 04-10-2011, 11:02 AM   #7
Registered Member
 
Join Date: Apr 2011
Posts: 6
OS: Windows 7



Ok, the two logs are attached. Got rid of some more stuff. I realize the stuff in Qoobox is quarantined, but why not remove it?
Attached Files
File Type: txt ComboFix.txt (15.1 KB, 6 views)
File Type: txt mbam-log-2011-04-10 (13-55-02).txt (2.6 KB, 4 views)
Old 04-10-2011, 03:03 PM   #8
Security Team
Analyst
Join Date: Dec 2009
Location: Michigan
Posts: 2,045
OS: Windows Vista / Win 7



podwarrior1:

You are correct, qoobox is the ComboFix quarantine. Occasionally ComboFix will remove something legitimate in which case procedures are available to restore them. I don't like to let other programs remove anything from there just in case I need to restore them or upload them for analysis. Once we finish we will uninstall ComboFix which will remove qoobox and everything in it.

How is your computer running now? Please do this next:

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Java(TM) 6 Update 20 can be updated from the Java control panel Start > Control Panel (Classic View) > Java (looks like a coffee cup) > Update Tab > Update Now. An update should begin; follow the prompts. If it does not, let me know.

Once the install is complete...

Go into the Control Panel and double-click the Java Icon. (looks like a coffee cup)
  • On the General tab, under Temporary Internet Files, click the Settings button.
  • Next, click on the Delete Files button
  • There are two options in the window to clear the cache - Leave BOTH Checked
    • Applications and Applets
    • Trace and Log Files
  • Click OK on Delete Temporary Files Window
Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.
Please run ESET Online Scanner
  • Place a check mark in the box YES, I accept the Terms Of Use
  • Click the Start button.
  • Now click the Install button.
  • Click Start. The scanner engine will initialize and update.
  • Do Not place a check mark in the box beside Remove found threats.
  • Click the Scan button. The scan will now run, please be patient.
  • When the scan finishes click the Details tab.
  • Copy and paste the contents of the C:\ProgramFiles\EsetOnlineScanner\log.txt into your next reply.
Please include the following in your next post:
  • How is your computer running now?
  • ESET log
ASAP & UNITE Member
Old 04-10-2011, 06:15 PM   #9
Registered Member
 
Join Date: Apr 2011
Posts: 6
OS: Windows 7



My computer is running well again, thanks! The problems I was having before all seem to be gone. I know exactly how the problems started too...won't be making that same mistake again.

I updated Java.

I ran the ESET scanner. I don't see any "tab" options, but I did export the scan results which are attached.
Attached Files
File Type: txt ESET.txt (709 Bytes, 4 views)
Old 04-10-2011, 08:01 PM   #10
Security Team
Analyst
Join Date: Dec 2009
Location: Michigan
Posts: 2,045
OS: Windows Vista / Win 7



podwarrior1:

One or more of the identified infections is possibly a keylogger.

You should change all of your passwords as soon as possible. If you do any banking or other financial transactions on the PC, or if it should contain any other sensitive information, it would be wise to contact those same financial institutions to apprise them of your situation.

You can read this: How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

This will take care of the ESET detections that are not already quarantined:

Open notepad and copy/paste the text in the quotebox below into it:

Code:
@echo off
del "C:\Users\Jordan\AppData\Local\exohogev.dll"
del "C:\Users\Jordan\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\33\2265a3e1-41a176d4"
del "C:\Users\Jordan\Documents\My Games\RA2\ra2_101.exe"
del /Q %0
Save this as fix.bat. Choose "Save as type - All Files".
It should look like this:
Double click on fix.bat & allow it to run.

Now I have another update and some very important cleanup for you to take care of:

Your Adobe reader needs to be updated. Please visit Adobe's site and grab the newest version. Be sure to watch for and uncheck any boxes offering to install other software.

Uninstall ComboFix
  • Press the Windows key + R on your keyboard or click Start -> Run. Copy and paste the following text into the run box that opens and press OK:
    Combofix /Uninstall


Delete the following tools along with any other logs you saved from our work:
  • DDS
  • GMER
  • TDSSKiller
Download TFC to your desktop
  • Close any open windows.
  • Double click the TFC icon to run the program
  • TFC will close all open programs itself in order to run,
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish its job
  • Once it's finished it should automatically reboot your machine,
  • If it doesn't, manually reboot to ensure a complete clean
Install an anti-virus program. I don't see any anti-virus software running on your computer. Choose one (but no more) reputable AV program. If you need help choosing one, this site has good information. Avast, Avira and Microsoft all offer free AV products.

Finally, I'd like to make a couple of suggestions to help you stay clean in the future:
  • Restart any anti-malware programs that we disabled while we were cleaning your machine.
  • Keep your antivirus application current and updated. Also, hang on to MBAM. Scan with them at least weekly.
  • Please read this post for some helpful information.
Please post once more so I know you are all set and I can mark this thread resolved. Good luck and stay safe!
ASAP & UNITE Member
Old 04-10-2011, 09:20 PM   #11
Registered Member
 
Join Date: Apr 2011
Posts: 6
OS: Windows 7



Hey, many thanks. I will definitely look into getting an AV program. The few I have used in the past mostly annoyed me, took up too many system resources, or cost money. But... I haven't had this serious of a problem on my computer before, so it may be time to actually get an AV program.

I am about to run TFC, and I updated Adobe Reader and uninstalled Combofix.

Glad to have my computer working again, I really appreciate all the time and help you've given to me today.
Old 04-11-2011, 02:06 PM   #12
Security Team
Analyst
Join Date: Dec 2009
Location: Michigan
Posts: 2,045
OS: Windows Vista / Win 7



You're welcome, podwarrior1. Take care.
ASAP & UNITE Member
Old 04-12-2011, 05:42 PM   #13
Security Team
Analyst
Join Date: Jun 2006
Location: Cleveland, Ohio
Posts: 2,892
OS: XP Pro, Windows 7, Fedora



Since this issue appears to be resolved, this topic will now be closed. If you need continued support, please begin a new thread, and provide a link to this topic. This applies only to the original topic starter. Everyone else please begin a New Topic, after following the steps outlined here:
NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help - Tech Support Forum

Proud Member of UNITE

“Of all the things I've lost, I miss my mind the most” - Mark Twain
Copyright 2001 - 2014, Tech Support Forum