Cannot open files; TDSS.d, google redirect

Status
Not open for further replies.
G

groza528

Posts: 22   +0
This isn't my first time here :-/

I was here maybe two months ago with a WinXP Defender bug. Well either it was hiding somewhere or I was wrong about where I picked it up and got it again, because it came back with a vengeance. I first noticed it Sunday morning and after some preliminary cleaning looked like it was gone, but then I discovered it had brought a google redirect with it. And I'm thinking that redirected me somewhere where I picked up something worse, because now I cannot open most common filetypes: PDF, DOC, XLS, TXT, PNG, JPG (and presumably others) all give me some variation on "Access is denied" or "User does not have privileges" when I try to open them, copy them, or move them. I can delete them. Security settings on the documents indicate that I should have full access. Note: This does not seem to apply to *new* files, so I can get to my scan logs.
FWIW, I had the 'access is denied' glitch on txt files previously but I was able to get around it by choosing "open with."

I have completed the 8 steps (well, haven't got around to reinstalling java yet but the old version is gone). Before that I also tried a few antivirus programs recommended by other sites: Hitman Pro, TDSSkiller, Kaspersky Virus Removal Tool 2010... all to no avail

Symptom recap:
- WinXP Defender pop-ups (now gone)
- Google Redirect (still have it)
- Trying to open some programs or installers presented message "X is not a valid win32 application" (now gone)
- Kaspersky VRT2010 recognizes it as Rootkit.Win32.TDSS.d but cannot disinfect
- Bluescreened twice trying to run GMER: "A problem has been detected and Windows has been shut down to prevent damage to your computer" DRIVER_IRQL_NOTLESS_OR_EQUAL, then PFN_LIST_CORRUPT
- Cannot open or move basic file types (most important to me)
- Randomly opens additional tabs in firefox

Please help, I'm in over my head (again) :(

Logs attached

HijackThis log will not attach properly -- the attachment manager window tells me the connection to the server is reset. Had to zip it.
 

Attachments

  • SUPERAntiSpyware Scan Log - 04-13-2010 - 10-37-40.log
    2.4 KB · Views: 2
  • mbam-log-2010-04-13 (09-35-59).txt
    983 bytes · Views: 2
  • hijackthis.zip
    3.4 KB · Views: 2
We've been having a problem getting the HJT log in. And for some reason, I can't open your log- even after extracting it. But allow me to comment:
Before that I also tried a few antivirus programs recommended by other sites: Hitman Pro, TDSSkiller, Kaspersky Virus Removal Tool 2010... all to no avail
Click to expand...
Random running of programs you find on the internet in an effort to find and fix malware almost always gets the user into trouble. Files get removed or damaged and following up trying to get that handled on top of the malware itself is a lot harder on us than if you came here initially.

I had the 'access is denied' glitch on txt files previously but I was able to get around it by choosing "open with."
Click to expand...

This 'glitch' could have been a permissions problem and should have been handled originally. It's possible all the malware wasn't removed or it's possible you have a permission problem and need to change a setting.
===============
Please disable, then uninstall Hitman before doing the two scans below.

Please download ComboFix HERE:
  • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.
    Important! Save the renamed download to your desktop.
  • Please disable all security programs, such as antiviruses, antispywares, and firewalls.
  • Double click on the setup file on the desktop to run
  • If prompted to download and install the Recovery Console, please do so.
    (Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.)
  • If prompted to update, please allow.
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a log.Please include the C:\ComboFix.txt in your next reply.
Notes:

  • 1.Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run.
.
Run Eset NOD32 Online AntiVirus Scanner HERE
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the Active X control to install
  • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  • Click Scan
  • Wait for the scan to finish
  • Re-enable your Antivirus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

Logs please when you finish.

Please do not run any other cleaning or scanning programs while I am helping you. Do not run a Registry cleaner or make any Registry changes.
 
Eep, sorry about probably making it worse then! I'm an engineer (though not a computer engineer) so I'm too proud to come for help if I haven't tried to fix it myself first, but I won't touch it anymore except as instructed.

NOD32 is still running, but I wanted to check; do you want me to paste the contents of my HijackThis log as well?

Also add
- Internet Explorer window will not remain open more than a couple of minutes
to my list of symptoms.
 
Had the same problem with the Combofix log as I did with the Hijackthis log... let me know if you want me to paste the text of either in the thread.
 

Attachments

  • 100413_NOD32log.txt
    2.8 KB · Views: 1
  • 100413_combofixlog.zip
    7.9 KB · Views: 1
so I'm too proud to come for help if I haven't tried to fix it myself first, but I won't touch it anymore except as instructed.
Click to expand...

Pride can be a disabling thing! Just think- I can't do any of the engineering things you do!:confused:

Try to get the HijackThis log in however you can- but not zipped. Are you getting any error message when IE crashes? Too early to tell cause.
 
No error messages on IE; the window just suddenly shuts. The first time it happened I ignored it because I have a touchy trackpad and I assumed I just clicked it by mistake.

HijackThis
-----------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:39:50 AM, on 4/13/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17023)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\EMSService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\CmgShieldSvc.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\WINDOWS\etlisrv.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxdnserv.exe
C:\WINDOWS\system32\lxdncoms.exe
C:\Program Files\McAfee\VirusScan Enterprise\engineserver.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\WINDOWS\system32\mfevtps.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\oracle\ora10\bin\omtsreco.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Novadigm\radexecd.exe
C:\Program Files\Novadigm\radsched.exe
C:\Program Files\Novadigm\Radstgms.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Timbuktu Pro\tb2launch.exe
C:\Program Files\Schlumberger\TRX\TRXService.exe
C:\Program Files\Timbuktu Pro\TimbuktuRemoteConsole.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\WLTRAY.exe
D:\Program Files\FTL\FTLAgent.Net.exe
C:\Program Files\Timbuktu Pro\minitb2.exe
C:\WINDOWS\System32\CMGShieldUI.exe
C:\Program Files\Timbuktu Pro\minitb2 .exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\McAfee\Common Framework\udaterui .exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr .exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\PROGRA~1\Novadigm\radtray .exe
C:\Program Files\Microsoft Office Communicator\communicator .exe
C:\Program Files\Common Files\Schlumberger Shared\Diskmonitor .exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Temp\SSUPDATE.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hub.slb.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hub.slb.com/
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Browser Defender BHO - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: PC Tools Browser Guard - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [TLogonPath] "C:\Program Files\Timbuktu Pro\minitb2.exe"
O4 - HKLM\..\Run: [FTL Connected Agent] D:\Program Files\FTL\FTLAgent.Net.exe /d:10
O4 - HKLM\..\Run: [FTL Email Agent] D:\Program Files\FTL\FTLAgent.exe
O4 - HKLM\..\Run: [MaxMenuMgr] "C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe"
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [CmgShieldUI] C:\WINDOWS\System32\CMGShieldUI.exe
O4 - HKLM\..\Run: [EmsService] EmsServiceHelper.exe
O4 - HKLM\..\Run: [EFS] C:\WINDOWS\SYSTEM32\WScript.EXE C:\PROGRA~1\NOVADIGM\SLB_EFS.VBS
O4 - HKLM\..\Run: [RUNRADTRAY] C:\PROGRA~1\Novadigm\radtray.exe
O4 - HKLM\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\communicator.exe" /fromrunkey
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [EXCEEDLOGS] RemoveExceedLogs.exe
O4 - HKLM\..\Run: [DiskMonitor] "C:\Program Files\Common Files\Schlumberger Shared\Diskmonitor.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HitmanPro35] "C:\Program Files\Hitman Pro 3.5\HitmanPro35.exe" /scan:boot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: setup_9.0.0.722_12.04.2010_17-12.lnk = C:\Documents and Settings\JBoomer\Desktop\Virus Removal Tool\setup_9.0.0.722_12.04.2010_17-12\startup.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O9 - Extra button: (no name) - {685ec120-f786-4498-a8f0-794d47916161} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-40971 - {685ec120-f786-4498-a8f0-794d47916161} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @C:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-205 - {aede78a6-42b6-4c3c-96eb-5ae6dbec4859} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-40970 - {aede78a6-42b6-4c3c-96eb-5ae6dbec4859} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) -
O16 - DPF: {41861299-EAB2-4DCC-986C-802AE12AC499} (RSClientPrint 2005 Class) - http://nlwsl076.ddns.slb.atosorigin...033&UICulture=9&ReportStack=1&OpType=PrintCab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6662.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1178561480471
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1181591086296
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupControlXP Class) - https://gateway.slb.com/dana-cached/setup/JuniperSetupSP1.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = nam.slb.com
O17 - HKLM\Software\..\Telephony: DomainName = nam.slb.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = nam.slb.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = nam.slb.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = nam.slb.com
O20 - Winlogon Notify: CMGShieldNP - C:\WINDOWS\SYSTEM32\CmgShieldNP.dll
O23 - Service: BES Client (BESClient) - BigFix Inc. - C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe
O23 - Service: CMGShield - CREDANT Technologies, Inc. - C:\WINDOWS\system32\CmgShieldSvc.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: Entrust Login Interface (ELIService) - Entrust(R) - C:\WINDOWS\etlisrv.exe
O23 - Service: EMS - CREDANT Technologies, Inc. - C:\WINDOWS\system32\EMSService.exe
O23 - Service: Entrust/TrueDelete(TM) (ETDSVC) - Entrust Technologies Ltd. - C:\WINDOWS\system32\etdsvc.exe
O23 - Service: Seagate Service (FreeAgentGoNext Service) - Seagate Technology LLC - C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: lxdnCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdnserv.exe
O23 - Service: lxdn_device - - C:\WINDOWS\system32\lxdncoms.exe
O23 - Service: McAfee Engine Service (McAfeeEngineService) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\engineserver.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\WINDOWS\system32\mfevtps.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\ora10\bin\omtsreco.exe
O23 - Service: HP OVCM Notify Daemon (radexecd) - Hewlett-Packard - C:\Program Files\Novadigm\radexecd.exe
O23 - Service: HP OVCM Scheduler Daemon (radsched) - Hewlett-Packard - C:\Program Files\Novadigm\radsched.exe
O23 - Service: HP OVCM MSI Redirector (Radstgms) - Hewlett-Packard - C:\Program Files\Novadigm\Radstgms.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Tb2 Launch (Tb2Launch) - Netopia, Inc. - C:\Program Files\Timbuktu Pro\tb2launch.exe
O23 - Service: TRXServer - Unknown owner - C:\Program Files\Schlumberger\TRX\TRXService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 12325 bytes
 
Hmm... well it seems sometimes the IE window will stay open after all, and also sometimes it opens a new window so let's rephrase that as
- Internet Explorer acts in an unpredictable (and unwanted) manner

Should I paste the text of the other zipped log as well? Do you want me not to zip *anything* or was it just the Hijackthis log?
 
For starters, this entry in the HJT log: C:\Temp\SSUPDATE.EXE is for a parasite SafeSurfingUpdate from the DyFuCa/MoneyTree parasite variantIt can have different names from different AV programs.

Description of MoneyTree >>is an ActiveX control used to download premium-rate dialers, generally for porn sites. Dialers are used by a variety of web sites, such as hotactiondating.com.

MoneyTree/DyFuCA installs dyfuca.ocx and dyfuca.inf in the Downloaded Program Files folder. This variant typically installs InternetOptimizer.

For removal of the entries found by Eset:

Please download OTMovit by Old Timer and save to your desktop.
  • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code: 
    :Processes	
C:\WINDOWS\inf\Auto1.inf		
C:\WINDOWS\inf\Auto2.inf	
C:\WINDOWS\Fonts\1rcOE7.com	
:Services

:Reg

:Files  
C:\Documents and Settings\All Users\Application Data\L2gJwEW5.exe	
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe	
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe	
C:\Program Files\Common Files\Schlumberger Shared\Diskmonitor.exe	
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe	
C:\Program Files\McAfee\Common Framework\udaterui.exe
C:\Program Files\Microsoft Office Communicator\communicator.exe	
C:\Program Files\Novadigm\radtray.exe	
C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe	
C:\Program Files\Timbuktu Pro\minitb2.exe	
C:\WINDOWS\system32\EmsServiceHelper.exe	
D:\FTLBackup\FTL\FTLAgent.exe	

:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Reboot as instructed and run Combofix again. Follow with rescan for HijackThis.

Please include the following in your next reply:
OTMoveIt log
New Combofix Report
New HJTscan

Is Drive D a flash drive? If so, we'll need to disinfect it also so don't use it until after that is done.
 
When I try to run OTM under your instructions I receive a message that Windows is shutting down because my desktop encryption software has closed unexpectedly. No logs were generated, so presumably Windows shut down too quickly for OTM to run. I believe EmsServiceHelper.exe is related to that software. Would you like me to try again, minus that line?

Also, D:\ is not a flash drive, but I have used flash drives since getting infected.
 
Nice catch! It doesn't want you to remove it. Sorry- I should have caught that. Try this first:

Remove the entry C:\WINDOWS\system32\EmsServiceHelper.exe from the File section in the Code box and put it in Processes. That will shut it down first> like this:
Code: 
:Processes	
C:\WINDOWS\inf\Auto1.inf		
C:\WINDOWS\inf\Auto2.inf	
C:\WINDOWS\Fonts\1rcOE7.com
C:\WINDOWS\system32\EmsServiceHelper.exe		
:Services

:Reg

:Files  
C:\Documents and Settings\All Users\Application Data\L2gJwEW5.exe	
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe	
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe	
C:\Program Files\Common Files\Schlumberger Shared\Diskmonitor.exe	
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe	
C:\Program Files\McAfee\Common Framework\udaterui.exe
C:\Program Files\Microsoft Office Communicator\communicator.exe	
C:\Program Files\Novadigm\radtray.exe	
C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe	
C:\Program Files\Timbuktu Pro\minitb2.exe	
D:\FTLBackup\FTL\FTLAgent.exe	

:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]

The file has to be moved because it has a Trojan. If the problem continues after changing the Code box:

Boot into Safe Mode
  • Restart your computer and start pressing the F8 key on your keyboard.
  • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.
Start> Run> type in services.msc> find EMS and double click> Set Startup type to Disabled> Stop the Service. Boot back into Normal Mode.
 
I did still have the same problem even after disabling the program from the startup progression, but I managed to get around it by changing the "recovery" tab from "Restart" to "Take no Action."

However, I have a different problem -- ComboFix seems to have vanished from my desktop and I am unable to reinstall it. When I tried I, it failed from both sites, and when I tried again a few minutes later firefox said it couldn't find the page. I will try again in a few hours; maybe they are uploading a new version?

OTMoveIt and Hijackthis logs are pasted below:

All processes killed
========== PROCESSES ==========
No active process named C:\WINDOWS\inf\Auto1.inf was found!
No active process named C:\WINDOWS\inf\Auto2.inf was found!
No active process named C:\WINDOWS\Fonts\1rcOE7.com was found!
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
File/Folder C:\Documents and Settings\All Users\Application Data\L2gJwEW5.exe not found.
File/Folder C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe not found.
File/Folder C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe not found.
File/Folder C:\Program Files\Common Files\Schlumberger Shared\Diskmonitor.exe not found.
File/Folder C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe not found.
C:\Program Files\McAfee\Common Framework\UdaterUI.exe moved successfully.
File/Folder C:\Program Files\Microsoft Office Communicator\communicator.exe not found.
File/Folder C:\Program Files\Novadigm\radtray.exe not found.
File/Folder C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe not found.
C:\Program Files\Timbuktu Pro\minitb2.exe moved successfully.
C:\WINDOWS\system32\EmsServiceHelper.exe moved successfully.
D:\FTLBackup\FTL\FTLAgent.exe moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 6693 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 624 bytes

User: JBoomer
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 74555705 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 43457229 bytes
->Flash cache emptied: 2154 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 111826 bytes
->FireFox cache emptied: 3324657 bytes
->Flash cache emptied: 7309 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 11258600 bytes
->Java cache emptied: 14 bytes
->Flash cache emptied: 17379 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2162283 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 58432263 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 42861 bytes
RecycleBin emptied: 566975 bytes

Total Files Cleaned = 185.00 mb


OTM by OldTimer - Version 3.1.10.1 log created on 04162010_124813

Files moved on Reboot...
C:\WINDOWS\temp\Perflib_Perfdata_ca4.dat moved successfully.

Registry entries deleted on Reboot...
 
Having trouble getting the HJT log in at all... going to try splitting it in half.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:33:13 PM, on 4/16/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17023)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\WINDOWS\etlisrv.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxdnserv.exe
C:\WINDOWS\system32\lxdncoms.exe
C:\Program Files\McAfee\VirusScan Enterprise\engineserver.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\WINDOWS\system32\mfevtps.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\oracle\ora10\bin\omtsreco.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Novadigm\radexecd.exe
C:\Program Files\Novadigm\radsched.exe
C:\Program Files\Novadigm\Radstgms.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Timbuktu Pro\tb2launch.exe
C:\Program Files\Schlumberger\TRX\TRXService.exe
C:\Program Files\Timbuktu Pro\TimbuktuRemoteConsole.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\WINDOWS\system32\CmgShieldSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\WINDOWS\notepad.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\WLTRAY.exe
D:\Program Files\FTL\FTLAgent.Net.exe
C:\WINDOWS\System32\CMGShieldUI.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hub.slb.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hub.slb.com/
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Browser Defender BHO - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: PC Tools Browser Guard - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [TLogonPath] "C:\Program Files\Timbuktu Pro\minitb2.exe"
O4 - HKLM\..\Run: [FTL Connected Agent] D:\Program Files\FTL\FTLAgent.Net.exe /d:10
O4 - HKLM\..\Run: [FTL Email Agent] D:\Program Files\FTL\FTLAgent.exe
O4 - HKLM\..\Run: [MaxMenuMgr] "C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe"
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [CmgShieldUI] C:\WINDOWS\System32\CMGShieldUI.exe
O4 - HKLM\..\Run: [EmsService] EmsServiceHelper.exe
O4 - HKLM\..\Run: [EFS] C:\WINDOWS\SYSTEM32\WScript.EXE C:\PROGRA~1\NOVADIGM\SLB_EFS.VBS
O4 - HKLM\..\Run: [RUNRADTRAY] C:\PROGRA~1\Novadigm\radtray.exe
O4 - HKLM\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\communicator.exe" /fromrunkey
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [EXCEEDLOGS] RemoveExceedLogs.exe
O4 - HKLM\..\Run: [DiskMonitor] "C:\Program Files\Common Files\Schlumberger Shared\Diskmonitor.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\RunOnce: [SLBRMS_Check] C:\PROGRA~1\NOVADIGM\RADREXXW.EXE VIPEVENT.REX SLBRMS
O4 - HKLM\..\RunOnce: [SLB_RMS] regedit /s C:\TEMP\Radia\MS_OFFICE_2K7_RMS\RMS_Client\RMS.cfg
O4 - HKLM\..\RunOnce: [PSLIST] REG.EXE ADD HKCU\SOFTWARE\SYSINTERNALS\PSLIST /v EulaAccepted /t REG_DWORD /d 1 /F
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: setup_9.0.0.722_12.04.2010_17-12.lnk = C:\Documents and Settings\JBoomer\Desktop\Virus Removal Tool\setup_9.0.0.722_12.04.2010_17-12\startup.exe
 
Hold on the HijackThis log for now. But please run Combofix again and give me the report. (See Post 2 for instructions) You can delete the current report for Combofix on the desktop- not the program, just the report. Note that all security is to be turned off before running Combofix.

I need a current update on the problems you are experiencing from malware. This does not include the problem with the HJT log. (HJT log can be attached if necessary next time I have you run it)

Do you know what this is for?
O4 - Startup: setup_9.0.0.722_12.04.2010_17-12.lnk = C:\Documents and Settings\JBoomer\Desktop\Virus Removal Tool\setup_9.0.0.722_12.04.2010_17-12\startup.exe
 
Cannot run ComboFix!

I'm having trouble running ComboFix.

As I said, the program had recently vanished from my desktop and I could not reinstall it. Firefox cannot find the file when I try to download it; IE will get to 99% on the download and then tell me I don't have permission to move ComboFix[1]. I did finally get it installed, but I had to do so in safe mode.

When I try to run Combo-Fix in normal mode I get the following message: "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item." Also, I do not see the typical combo-fix icon; just a generic exe icon.

When I try to run Combo-Fix in safe mode it starts up and begins running, but then blue-screens with this message: "IRQL_NOT_LESS_OR_EQUAL" I do see the combo-fix icon in safe mode.

I believe that entry in the hijackthis log is related to Kaspersky Virus Removal Tool, which starts up every time the computer boots. I have since uninstalled it.

Symptoms are still roughly the same-- Cannot open files (or ComboFix) due to being told I don't have access, Google redirect, new tabs opening in firefox

Any suggestions for getting ComboFix running? If not, is there something else to try instead?
 
I was able to successfully run ComboFix, but only in safe mode - I hope that's still useful! Some googling revealed that Roxio Easy CD creator is often linked with the IRQL_ bluescreen, so I uninstalled it. After that I was able to run ComboFix in safe mode. Log attached.
 

Attachments

  • 100417_combofixlog.txt
    32.5 KB · Views: 1
I was here maybe two months ago with a WinXP Defender bug. Well either it was hiding somewhere or I was wrong about where I picked it up and got it again, because it came back with a vengeance.
Click to expand...

Broni had your system clean just over a month ago: Clean on 2/28 Unable to open Task Manager -- completed 8 steps https://www.techspot.com/vb/topic143650.html

I note that you are using Exceed which is a service that lets you connect to the internet through a server which is located in United States. This connection changes your location to the United States and in the internet world, you will be known as an American user.
c:\\ExceedNT\\exceed.exe"=

You are also using the Juniper network The dssamproxy.exe which is a Secure Application Manager Proxy. You're running Netopia Remote Control software and a mirror remote.

I've set up one CFScript below. Run it and leave the new report it creates. I suspect the you will need to reformat and reinstall and when you do, you need to review what programs you're using:

Custom CFScript

  • [1]. Close any open browsers.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Open notepad and copy/paste the text in the code below into it:
Code: 
File::
c:\windows\system32\drivers\15461921.sys
c:\windows\system32\drivers\1546192.sys
c:\windows\system32\drivers\hitmanpro35.sys
c:\documents and settings\All Users\Application Data\Hitman Pro
c:\documents and settings\LocalService\Local Settings\Application Data\Threat Expert
c:\documents and settings\NetworkService\Local Settings\Application Data\Threat Expert
c:\documents and settings\All Users\Application Data\075GMAU.dat
c:\documents and settings\NetworkService\Local Settings\Application Data\avG
c:\documents and settings\All Users\Application Data\avG

Folder::
c:\program files\Hitman Pro 3.5
c:\program files\Eusing Free Registry Cleaner

Domains::

AtJob::

Extra::
Firefox::
Firefox-: Profile- c:\documents and settings\JBoomer\Application Data\Mozilla\Firefox\Profiles\qugigexc.default\
Firefox-: prefs.js- startup.homepage

Registry::

Driver::
Tb2Device
Tb2MirrorSys
Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
====================
 
Bobbye said:
I note that you are using Exceed which is a service that lets you connect to the internet through a server which is located in United States. This connection changes your location to the United States and in the internet world, you will be known as an American user.
c:\\ExceedNT\\exceed.exe"=
Click to expand...
I don't use Exceed to connect to the internet, just as a runtime environment for some UNIX-based software. Does that make a difference?

Bobbye said:
I've set up one CFScript below. Run it and leave the new report it creates. I suspect the you will need to reformat and reinstall and when you do, you need to review what programs you're using:
Click to expand...
I was afraid you might say that :-/ Just to be clear, do you mean that you suspect I will *eventually* have to reformat or that I will *immediately* have to reformat? That is, should I wait to run the script until I am ready to reformat?
 
Please run the script now. I can then determine how effective it will be.

You have an unusual assortment of programs. I don't know whether running them is leaving you so vulnerable or whether your security is lax. This is not the same malware you had before.
 
Log attached.

I was able to run Combo-Fix in normal mode last night, and again this morning-- the only difference I can think of is that I was running offline. But I noticed the cat icon was back so I gave it a try. Currently the icon is gone again.
 

Attachments

  • 100418_combofixlog2.txt
    31.7 KB · Views: 1
Custom CFScript


  • [1]. Close any open browsers.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Open notepad and copy/paste the text in the code below into it:
Code: 
File::
c:\documents and settings\All Users\Application Data\Hitman Pro
c:\documents and settings\NetworkService\Local Settings\Application Data\avG
c:\documents and settings\All Users\Application Data\avG
c:\documents and settings\NetworkService\Local Settings\Application Data\Threat Expert
c:\documents and settings\All Users\Application Data\L2gJwEW5.exe
c:\windows\system32\DRIVERS\15461922.sys
c:\documents and settings\All Users\Application Data\TEMP

Folder::
c:\temp\plugtmp-1
c:\temp\plugtmp
c:\temp\plugtmp-2
c:\temp\plugtmp-4
c:\temp\plugtmp-3
c:\temp\plugtmp-9
c:\temp\plugtmp-8
c:\temp\plugtmp-7
c:\temp\plugtmp-6
c:\temp\plugtmp-5
c:\temp\{609F7AC8-C510-11D4-A788-009027ABA5D0}
c:\temp\{AC76BA86-7AD7-1033-7B44-A93000000001}
c:\temp\WPDNSE
c:\temp\W2K

Registry::

Extra::
Firefox::
File::
c:\documents and settings\JBoomer\Application Data\Mozilla\Firefox\Profiles\qugigexc.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
Firefox-: Profile- c:\documents and settings\JBoomer\Application Data\Mozilla\Firefox\Profiles\qugigexc.default\
Firefox-: prefs.js: browser.startup.homepage 

Driver::
15461922
Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
====================
Please run theEset scan again after this:
Run Eset NOD32 Online AntiVirus Scanner HERE
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the Active X control to install
  • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  • Click Scan
  • Wait for the scan to finish
  • Re-enable your Antivirus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

Leave both CF Script report and new Eset log in next report.
 
You security was running when you did the Combofix script- it should have been disabled.

Questions:
1. Have you notice any improvement in the system?
2. If I counted right, you have your homepage set to open with 11 tabs loaded- is that right?
I have some concern about these: about:blank|about:blank- It wouldn't make any sense to have 2 blank tabs load because you can open a new tab whenever you want or you can use the other tabs to go to a different site.
3. Do you know what these 'avG entries are for? I've tried to move them twice but they remain. It's not AVG antivirus:
c:\documents and settings\NetworkService\Local Settings\Application Data\avG
c:\documents and settings\All Users\Application Data\avG
============================
The Eset log is still showing these although I tried to move them:
C:\WINDOWS\Fonts\1rcOE7.com
C:\WINDOWS\inf\Auto1.inf INF/Autorun.gen trojan
C:\WINDOWS\inf\Auto2.inf INF/Autorun.gen trojan

Chances are good that their source is your USB drive. If you are using one, we need to disinfect it.

So we need to consider a Rootkit. Please run the following:

Please download GMER: Go to this site http://www.gmer.net/files.php and click on Download EXE. Save the file to your desktop
Two other links for the download should you need one:
Link 2
Link 3
  • Double click on downloaded .exe file on the desktop
  • Select Rootkit tab> click Scan
  • When scan is completed, click Save button, and save the results as gmer.log
This screenshot HERE will show you how the display will come up.

Warning ! Please, do not select the "Show all" checkbox during the scan.
Post the log.

Let me know about the flash drive- it needs to be disinfected, which isn't a big deal- usually. I'll check the Rootkit results and we'll decide where to go after that.
|
 
Due to inactivity, this thread is being closed. If you need it reopened, please send a PM to your helper and include the URL of the thread.

NOTE: This message applies only to the original posting member.
 
Status
Not open for further replies.

Similar threads

M
Virus warning popup
Replies
1
Views
540
Mark Fuller
M
E
I have been taken over by a software called Astanda using XML to Log everything and roaming to an SQL server.
Replies
0
Views
476
eriksnyman1
E
B
Help with "special permissions" please
Replies
1
Views
531
Nelson28
N

Latest posts

Back