Tech Support Forum banner
Status
Not open for further replies.
1 - 7 of 7 Posts

·
Registered
Joined
·
3 Posts
Discussion Starter · #1 ·
My wife downloaded some flashcodec.exe and now her PC is disconnected from the internet. The Wireless router and LAN connections show the IP and connection working properly, but nothing loads on the IE or Firrefox browser. I tried running all kinds of anti-spyware softwares but none of them can scan the PC since they are not able to download their definition files.

I tried running CombiFix in safe mode but it couldn't install the recovery console since it needed internet connection... The Windows system restore doesn't work in safe mode either... Anyway, I have attached the Combifix log for review...

Please help!!!
 

Attachments

·
Registered
Joined
·
3 Posts
Discussion Starter · #2 ·
Re: folllowed Instructions.. DDS text + Attach.zip attached

Hello Moderators,

As per the instructions here is the DDS Text ... Please help....

Thanks..


====================================


DDS (Ver_09-03-16.01) - NTFSx86
Run by Pankaj at 18:20:25.92 on Sat 05/09/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.503.271 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Samsung\Samsung SCX-4725 Series\SPanel\RCP\Scan2pc.exe
C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Documents and Settings\Pankaj.MH31AC7323\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Documents and Settings\Pankaj.MH31AC7323\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Pankaj.MH31AC7323\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Documents and Settings\Pankaj.MH31AC7323\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Documents and Settings\Pankaj.MH31AC7323\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [PPWebCap] c:\progra~1\scansoft\paperp~1\PPWebCap.exe
uRun: [Google Update] "c:\documents and settings\pankaj.mh31ac7323\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
mRun: [PCMService] "c:\program files\dell\media experience\PCMService.exe"
mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
mRun: [OneTouch Monitor] c:\program files\visioneer onetouch\OneTouchMon.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Whitney2_S2P] c:\program files\samsung\samsung scx-4725 series\spanel\rcp\Scan2pc.exe
mRun: [Samsung PanelMgr] c:\windows\samsung\panelmgr\SSMMgr.exe /autorun
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
StartupFolder: c:\docume~1\pankaj~1.mh3\startm~1\programs\startup\wordweb.lnk - c:\program files\wordweb\wweb32.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1238538675515
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
TCP: {97CE0681-0D72-40C9-A92B-AE5A4ECB813A} = 85.255.0.0,85.255.0.0
TCP: {C25DA3F3-9473-49DB-8FB0-CE20539C6891} = 85.255.0.0,85.255.0.0
Notify: igfxcui - igfxdev.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\pankaj~1.mh3\applic~1\mozilla\firefox\profiles\1dv3kxws.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.revolutionhealth.com/
FF - plugin: c:\documents and settings\pankaj.mh31ac7323\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\pankaj.mh31ac7323\local settings\application data\google\update\1.2.141.5\npGoogleOneClick7.dll

============= SERVICES / DRIVERS ===============

R2 ppsio2;PPDevice;c:\windows\system32\drivers\ppsio2.sys [2008-11-27 23200]
S2 SSPORT;SSPORT;\??\c:\windows\system32\drivers\ssport.sys --> c:\windows\system32\drivers\SSPORT.sys [?]

=============== Created Last 30 ================

2009-05-06 21:59 <DIR> --d----- c:\program files\Trend Micro
2009-05-01 19:33 139,264 a------- c:\windows\system32\igfxres.dll
2009-05-01 19:26 2,178,131 ac------ c:\windows\system32\dllcache\shvlres.dll
2009-05-01 19:25 7,680 ac------ c:\windows\system32\dllcache\migregdb.exe
2009-05-01 19:24 101,888 ac------ c:\windows\system32\dllcache\evntagnt.dll
2009-05-01 19:23 598,071 ac------ c:\windows\system32\dllcache\fpmmc.dll
2009-05-01 19:23 <DIR> --d----- c:\program files\msn gaming zone
2009-05-01 19:21 488 a---hr-- c:\windows\system32\logonui.exe.manifest
2009-05-01 19:21 749 a---hr-- c:\windows\WindowsShell.Manifest
2009-05-01 19:21 749 a---hr-- c:\windows\system32\wuaucpl.cpl.manifest
2009-05-01 19:21 749 a---hr-- c:\windows\system32\sapi.cpl.manifest
2009-05-01 19:21 749 a---hr-- c:\windows\system32\ncpa.cpl.manifest
2009-05-01 19:09 24,661 ac------ c:\windows\system32\dllcache\spxcoins.dll
2009-05-01 19:09 13,312 ac------ c:\windows\system32\dllcache\irclass.dll
2009-05-01 19:09 24,661 a------- c:\windows\system32\spxcoins.dll
2009-05-01 19:09 13,312 a------- c:\windows\system32\irclass.dll
2009-04-30 20:32 13,753 a----r-- c:\windows\SET3B.tmp
2009-04-30 20:32 1,086,058 a----r-- c:\windows\SET2F.tmp
2009-04-30 20:32 1,042,903 a----r-- c:\windows\SET2C.tmp
2009-04-30 19:45 16,384 ac------ c:\windows\system32\dllcache\isignup.exe
2009-04-30 19:45 32,768 ac------ c:\windows\system32\dllcache\icwdl.dll
2009-04-30 19:45 20,480 ac------ c:\windows\system32\dllcache\inetwiz.exe
2009-04-30 19:45 214,528 ac------ c:\windows\system32\dllcache\icwconn1.exe
2009-04-30 19:45 86,016 ac------ c:\windows\system32\dllcache\icwconn2.exe
2009-04-30 19:27 13,753 a----r-- c:\windows\SET69.tmp
2009-04-30 19:27 1,086,058 a----r-- c:\windows\SET5D.tmp
2009-04-30 19:27 1,042,903 a----r-- c:\windows\SET5A.tmp
2009-04-30 12:06 161,792 a------- c:\windows\SWREG.exe
2009-04-30 12:06 98,816 a------- c:\windows\sed.exe
2009-04-28 14:29 256 a------- c:\windows\system32\pool.bin
2009-04-28 14:15 26,496 a----r-- c:\windows\system32\drivers\RimSerial.sys
2009-04-28 14:07 <DIR> --dsh--- c:\windows\ftpcache
2009-04-16 20:50 2,560 a------- c:\windows\system32\xpsp4res.dll

==================== Find3M ====================

2009-05-01 19:20 22,780 a------- c:\windows\system32\emptyregdb.dat
2009-04-30 11:57 144,376 a------- c:\windows\pchealth\helpctr\config\cache\Personal_32_1033.dat
2009-04-28 20:44 33,368 a------- c:\docume~1\pankaj~1.mh3\applic~1\GDIPFONTCACHEV1.DAT
2001-09-10 10:00 139,264 a------- c:\windows\inf\i386\Rtscan.dll
2001-09-10 09:10 61,440 a------- c:\windows\inf\i386\onetUSD.dll
2001-08-17 19:43 32,768 a------- c:\windows\inf\i386\Wiamicro.dll
2001-08-03 19:29 13,824 a------- c:\windows\inf\i386\usbscan.sys
2001-06-29 09:10 163,840 a------- c:\windows\inf\i386\viceo.dll

============= FINISH: 18:20:57.12 ===============
 

Attachments

·
TSF Security Manager, Emeritus
Joined
·
52,196 Posts
A Reminder....

As seen in Post #2 of our sticky topic 'NEW INSTRUCTIONS Read this Before Posting For Malware Removal Help'
Why we don't ask you to run ComboFix from the onset

As stated by the author of ComboFix:

ComboFix is a very powerful tool which when improperly used may render your machine to a doorstop.

We first need to verify if there's any rootkits present and how they could affect our tools. DDS & GMER are preliminary scans. We use their logs to map our strategy for attack.

With these logs we can determine the infections present & decide whether to deploy ComboFix
While you may see us use this tool often, it should only be run after an initial analysis.

========================================

Before making the changes below, write down all the settings you see.


Please go to Start -> Control Panel. If you are using Windows XP's Category View, select the Network and Internet Connections category otherwise double click on Network Connections. Then right click on your default connection, usually Local Area Connection or Dial-up Connection if you are using Dial-up, and left click on properties. Double-click on the Internet Protocol (TCP/IP) item and select the radio button that says Obtain DNS servers automatically.

Press OK twice to get out of the properties screen and reboot if it asks.


Next Go start run type cmd and hit OK
type
ipconfig /flushdns
then hit enter, type exit hit enter
(that space between g and / is needed)

========================================

You should be able to connect to the internet now. Let me know.
 

·
TSF Security Manager, Emeritus
Joined
·
52,196 Posts
Glad to hear it, but..

So it seems that my wife's PC didnt have any worm infections ?
no...that's not the case. Well, perhaps not a worm but it definitely was infected. Be wary of codecs, they are often not what they appear to be. Those DNS settings were altered by infection.

Now that internet is back, please run ComboFix once more, in Normal Mode, not safe mode, using these instructions.

Delete your existing version of ComboFix, as it's updated frequently.


  1. Download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Place combofix.exe on your Desktop
  2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
  3. Double click on combofix.exe & follow the prompts.
  4. As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.

    Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.





    The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.

    With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.

    Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.

    ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper.

    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:

    The Recovery Console was successfully installed.



    Click on Yes, to continue scanning for malware.
  5. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  6. When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------
  7. Ensure your AntiVirus and AntiSpyware applications are re-enabled. A reboot should have done this.

    ---------------------------------------------------------------------------------------------
  8. Please go to Start > Run and copy/paste the following, then press Enter:

    C:\QooBox\Add-Remove Programs.txt

    A text file should open. Please post the contents of that file in your next reply.

    ---------------------------------------------------------------------------------------------
 

·
TSF Security Manager, Emeritus
Joined
·
52,196 Posts
1 - 7 of 7 Posts
Status
Not open for further replies.
Top