TechSpot

Cannot open files; TDSS.d, google redirect

By groza528
Apr 13, 2010
  1. This isn't my first time here :-/

    I was here maybe two months ago with a WinXP Defender bug. Well, either it was hiding somewhere or I was wrong about where I picked it up and got it again, because it came back with a vengeance. I first noticed it Sunday morning and after some preliminary cleaning it looked like it was gone, but then I discovered it had brought a google redirect with it. And I'm thinking that redirected me somewhere where I picked up something worse, because now I cannot open most common filetypes: PDF, DOC, XLS, TXT, PNG, JPG (and presumably others) all give me some variation on "Access is denied" or "User does not have privileges" when I try to open them, copy them, or move them. I can delete them. Security settings on the documents indicate that I should have full access. Note: This does not seem to apply to *new* files, so I can get to my scan logs.
    FWIW, I had the 'access is denied' glitch on txt files previously but I was able to get around it by choosing "open with."

    I have completed the 8 steps (well, haven't got around to reinstalling Java yet but the old version is gone). Before that I also tried a few antivirus programs recommended by other sites: Hitman Pro, TDSSKiller, Kaspersky Virus Removal Tool 2010... all to no avail.

    Symptom recap:
    - WinXP Defender pop-ups (now gone)
    - Google Redirect (still have it)
    - Trying to open some programs or installers presented message "X is not a valid win32 application" (now gone)
    - Kaspersky VRT2010 recognizes it as Rootkit.Win32.TDSS.d but cannot disinfect
    - Bluescreened twice trying to run GMER: "A problem has been detected and Windows has been shut down to prevent damage to your computer" DRIVER_IRQL_NOT_LESS_OR_EQUAL, then PFN_LIST_CORRUPT
    - Cannot open or move basic file types (most important to me)
    - Randomly opens additional tabs in firefox

    Please help, I'm in over my head (again) :(

    Logs attached

    HijackThis log will not attach properly -- the attachment manager window tells me the connection to the server is reset. Had to zip it.
     


  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    We've been having a problem getting the HJT log in. And for some reason, I can't open your log- even after extracting it. But allow me to comment:
    Random running of programs you find on the internet in an effort to find and fix malware almost always gets the user into trouble. Files get removed or damaged and following up trying to get that handled on top of the malware itself is a lot harder on us than if you came here initially.

    This 'glitch' could have been a permissions problem and should have been handled originally. It's possible all the malware wasn't removed or it's possible you have a permission problem and need to change a setting.
    ===============
    Please disable, then uninstall Hitman before doing the two scans below.

    Please download ComboFix HERE:
    • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.
      Important! Save the renamed download to your desktop.
    • Please disable all security programs, such as antiviruses, antispywares, and firewalls.
    • Double click on the setup file on the desktop to run
    • If prompted to download and install the Recovery Console, please do so.
      (Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.)
    • If prompted to update, please allow.
    • Click on Yes, to continue scanning for malware.
    • When finished, it will produce a log. Please include the C:\ComboFix.txt in your next reply.
    Notes:

    • 1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
      2. ComboFix may reset a number of Internet Explorer's settings.
      3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security.
      4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run.
    Run Eset NOD32 Online AntiVirus Scanner HERE
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the Active X control to install
    • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    • Click Scan
    • Wait for the scan to finish
    • Re-enable your Antivirus software.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

    Logs please when you finish.

    Please do not run any other cleaning or scanning programs while I am helping you. Do not run a Registry cleaner or make any Registry changes.
     
  3. groza528

    groza528 TS Rookie Topic Starter Posts: 22

    Eep, sorry about probably making it worse then! I'm an engineer (though not a computer engineer) so I'm too proud to come for help if I haven't tried to fix it myself first, but I won't touch it anymore except as instructed.

    NOD32 is still running, but I wanted to check; do you want me to paste the contents of my HijackThis log as well?

    Also add
    - Internet Explorer window will not remain open more than a couple of minutes
    to my list of symptoms.
     
  4. groza528

    groza528 TS Rookie Topic Starter Posts: 22

    Had the same problem with the Combofix log as I did with the Hijackthis log... let me know if you want me to paste the text of either in the thread.
     


  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Pride can be a disabling thing! Just think- I can't do any of the engineering things you do!:confused:

    Try to get the HijackThis log in however you can- but not zipped. Are you getting any error message when IE crashes? Too early to tell cause.
     
  6. groza528

    groza528 TS Rookie Topic Starter Posts: 22

    No error messages on IE; the window just suddenly shuts. The first time it happened I ignored it because I have a touchy trackpad and I assumed I just clicked it by mistake.

    HijackThis
    -----------------------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:39:50 AM, on 4/13/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.17023)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\EMSService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\CmgShieldSvc.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe
    C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
    C:\WINDOWS\etlisrv.exe
    C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxdnserv.exe
    C:\WINDOWS\system32\lxdncoms.exe
    C:\Program Files\McAfee\VirusScan Enterprise\engineserver.exe
    C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
    C:\WINDOWS\system32\mfevtps.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\oracle\ora10\bin\omtsreco.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Novadigm\radexecd.exe
    C:\Program Files\Novadigm\radsched.exe
    C:\Program Files\Novadigm\Radstgms.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Timbuktu Pro\tb2launch.exe
    C:\Program Files\Schlumberger\TRX\TRXService.exe
    C:\Program Files\Timbuktu Pro\TimbuktuRemoteConsole.exe
    C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\WLTRAY.exe
    D:\Program Files\FTL\FTLAgent.Net.exe
    C:\Program Files\Timbuktu Pro\minitb2.exe
    C:\WINDOWS\System32\CMGShieldUI.exe
    C:\Program Files\Timbuktu Pro\minitb2 .exe
    C:\WINDOWS\system32\RunDLL32.exe
    C:\Program Files\McAfee\Common Framework\udaterui .exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr .exe
    C:\Program Files\McAfee\Common Framework\McTray.exe
    C:\PROGRA~1\Novadigm\radtray .exe
    C:\Program Files\Microsoft Office Communicator\communicator .exe
    C:\Program Files\Common Files\Schlumberger Shared\Diskmonitor .exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Temp\SSUPDATE.EXE
    C:\WINDOWS\explorer.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hub.slb.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hub.slb.com/
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Browser Defender BHO - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptsn.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O3 - Toolbar: PC Tools Browser Guard - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
    O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
    O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
    O4 - HKLM\..\Run: [TLogonPath] "C:\Program Files\Timbuktu Pro\minitb2.exe"
    O4 - HKLM\..\Run: [FTL Connected Agent] D:\Program Files\FTL\FTLAgent.Net.exe /d:10
    O4 - HKLM\..\Run: [FTL Email Agent] D:\Program Files\FTL\FTLAgent.exe
    O4 - HKLM\..\Run: [MaxMenuMgr] "C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe"
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [CmgShieldUI] C:\WINDOWS\System32\CMGShieldUI.exe
    O4 - HKLM\..\Run: [EmsService] EmsServiceHelper.exe
    O4 - HKLM\..\Run: [EFS] C:\WINDOWS\SYSTEM32\WScript.EXE C:\PROGRA~1\NOVADIGM\SLB_EFS.VBS
    O4 - HKLM\..\Run: [RUNRADTRAY] C:\PROGRA~1\Novadigm\radtray.exe
    O4 - HKLM\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\communicator.exe" /fromrunkey
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [EXCEEDLOGS] RemoveExceedLogs.exe
    O4 - HKLM\..\Run: [DiskMonitor] "C:\Program Files\Common Files\Schlumberger Shared\Diskmonitor.exe"
    O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [HitmanPro35] "C:\Program Files\Hitman Pro 3.5\HitmanPro35.exe" /scan:boot
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: setup_9.0.0.722_12.04.2010_17-12.lnk = C:\Documents and Settings\JBoomer\Desktop\Virus Removal Tool\setup_9.0.0.722_12.04.2010_17-12\startup.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
    O9 - Extra button: (no name) - {685ec120-f786-4498-a8f0-794d47916161} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll
    O9 - Extra 'Tools' menuitem: @C:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-40971 - {685ec120-f786-4498-a8f0-794d47916161} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: @C:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-205 - {aede78a6-42b6-4c3c-96eb-5ae6dbec4859} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll
    O9 - Extra 'Tools' menuitem: @C:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-40970 - {aede78a6-42b6-4c3c-96eb-5ae6dbec4859} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) -
    O16 - DPF: {41861299-EAB2-4DCC-986C-802AE12AC499} (RSClientPrint 2005 Class) - http://nlwsl076.ddns.slb.atosorigin...033&UICulture=9&ReportStack=1&OpType=PrintCab
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6662.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1178561480471
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1181591086296
    O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupControlXP Class) - https://gateway.slb.com/dana-cached/setup/JuniperSetupSP1.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = nam.slb.com
    O17 - HKLM\Software\..\Telephony: DomainName = nam.slb.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = nam.slb.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = nam.slb.com
    O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = nam.slb.com
    O20 - Winlogon Notify: CMGShieldNP - C:\WINDOWS\SYSTEM32\CmgShieldNP.dll
    O23 - Service: BES Client (BESClient) - BigFix Inc. - C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe
    O23 - Service: CMGShield - CREDANT Technologies, Inc. - C:\WINDOWS\system32\CmgShieldSvc.exe
    O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
    O23 - Service: Entrust Login Interface (ELIService) - Entrust(R) - C:\WINDOWS\etlisrv.exe
    O23 - Service: EMS - CREDANT Technologies, Inc. - C:\WINDOWS\system32\EMSService.exe
    O23 - Service: Entrust/TrueDelete(TM) (ETDSVC) - Entrust Technologies Ltd. - C:\WINDOWS\system32\etdsvc.exe
    O23 - Service: Seagate Service (FreeAgentGoNext Service) - Seagate Technology LLC - C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: lxdnCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdnserv.exe
    O23 - Service: lxdn_device - - C:\WINDOWS\system32\lxdncoms.exe
    O23 - Service: McAfee Engine Service (McAfeeEngineService) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\engineserver.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
    O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
    O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\WINDOWS\system32\mfevtps.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\ora10\bin\omtsreco.exe
    O23 - Service: HP OVCM Notify Daemon (radexecd) - Hewlett-Packard - C:\Program Files\Novadigm\radexecd.exe
    O23 - Service: HP OVCM Scheduler Daemon (radsched) - Hewlett-Packard - C:\Program Files\Novadigm\radsched.exe
    O23 - Service: HP OVCM MSI Redirector (Radstgms) - Hewlett-Packard - C:\Program Files\Novadigm\Radstgms.exe
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
    O23 - Service: Tb2 Launch (Tb2Launch) - Netopia, Inc. - C:\Program Files\Timbuktu Pro\tb2launch.exe
    O23 - Service: TRXServer - Unknown owner - C:\Program Files\Schlumberger\TRX\TRXService.exe
    O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

    --
    End of file - 12325 bytes
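The running-process list in the log above contains several entries written with a space before the extension (for example `minitb2 .exe` listed next to `minitb2.exe`, and `udaterui .exe`), plus one executable running from `C:\Temp`; the helper's OTMoveIt script later targets exactly those files. The following is an added example, not code from the thread, from TechSpot, or from HijackThis: a small Python checker that pulls the `Running processes:` section out of a HijackThis log and flags those two patterns, along with any path that collides with another entry once the stray whitespace is removed. The log excerpt embedded in it is constructed from the thread's own log and abbreviated, and the list of temp-directory fragments is an assumption made for the example.

```python
"""Flag suspicious entries in the "Running processes" section of a
HijackThis log.

Added example for this thread; it is not code from TechSpot, from the
helper, or from HijackThis.  The log excerpt below is constructed from
the log posted in the thread and abbreviated.
"""
import re
from typing import Dict, List

# Constructed, abbreviated excerpt of the HijackThis log posted above.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\McAfee\Common Framework\udaterui .exe
C:\Program Files\Timbuktu Pro\minitb2.exe
C:\Program Files\Timbuktu Pro\minitb2 .exe
C:\Temp\SSUPDATE.EXE
C:\WINDOWS\explorer.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hub.slb.com
O4 - HKLM\..\Run: [TLogonPath] "C:\Program Files\Timbuktu Pro\minitb2.exe"
"""

# Whitespace between a file's name and its extension ("minitb2 .exe").
SPACE_BEFORE_EXT = re.compile(r"\s+\.[A-Za-z0-9]{1,4}$")

# Directory fragments treated as temporary locations.  This list is an
# assumption for the example, not something HijackThis defines.
TEMP_DIRS = ("\\temp\\", "\\tmp\\", "\\local settings\\temp\\")


def running_processes(log: str) -> List[str]:
    """Return the paths listed under 'Running processes:' up to the first blank line."""
    paths: List[str] = []
    collecting = False
    for raw in log.splitlines():
        line = raw.strip()
        if line.lower() == "running processes:":
            collecting = True
            continue
        if collecting:
            if not line:
                break
            paths.append(line)
    return paths


def normalize(path: str) -> str:
    """Lower-case a path and drop whitespace before its extension, so that
    'minitb2 .exe' and 'minitb2.exe' compare equal."""
    return re.sub(r"\s+(?=\.[A-Za-z0-9]{1,4}$)", "", path).lower()


def flag_processes(paths: List[str]) -> Dict[str, List[str]]:
    """Map each suspicious path to the list of reasons it was flagged."""
    findings: Dict[str, List[str]] = {}
    first_seen: Dict[str, str] = {}  # normalized path -> first spelling seen
    for path in paths:
        reasons: List[str] = []
        name = path.rsplit("\\", 1)[-1]
        if SPACE_BEFORE_EXT.search(name):
            reasons.append("whitespace before file extension")
        if any(frag in path.lower() for frag in TEMP_DIRS):
            reasons.append("executable running from a temp directory")
        key = normalize(path)
        if key in first_seen and first_seen[key] != path:
            reasons.append(f"collides with {first_seen[key]!r} after normalization")
        first_seen.setdefault(key, path)
        if reasons:
            findings[path] = reasons
    return findings


def report(log: str) -> str:
    """Human-readable summary of the flagged entries."""
    findings = flag_processes(running_processes(log))
    if not findings:
        return "no suspicious running processes"
    lines = [f"{path}\n    - " + "\n    - ".join(why) for path, why in findings.items()]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run against a full log, the script only surfaces candidates for a human to look at; an entry flagged for whitespace or a temp-directory location still has to be checked against the `O4` and `O23` lines and the file on disk before anything is moved, which is what the helper does by hand in the posts that follow.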
     
  7. groza528

    groza528 TS Rookie Topic Starter Posts: 22

    (Also see requested logs in post above yours)
     
  8. groza528

    groza528 TS Rookie Topic Starter Posts: 22

    Hmm... well it seems sometimes the IE window will stay open after all, and also sometimes it opens a new window so let's rephrase that as
    - Internet Explorer acts in an unpredictable (and unwanted) manner

    Should I paste the text of the other zipped log as well? Do you want me not to zip *anything* or was it just the Hijackthis log?
     
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    For starters, this entry in the HJT log: C:\Temp\SSUPDATE.EXE is for a parasite SafeSurfingUpdate from the DyFuCa/MoneyTree parasite variant. It can have different names from different AV programs.

    Description of MoneyTree: it is an ActiveX control used to download premium-rate dialers, generally for porn sites. Dialers are used by a variety of web sites, such as hotactiondating.com.

    MoneyTree/DyFuCA installs dyfuca.ocx and dyfuca.inf in the Downloaded Program Files folder. This variant typically installs InternetOptimizer.

    For removal of the entries found by Eset:

    Please download OTMoveIt by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      Code:
      :Processes
      C:\WINDOWS\inf\Auto1.inf
      C:\WINDOWS\inf\Auto2.inf
      C:\WINDOWS\Fonts\1rcOE7.com
      :Services

      :Reg

      :Files
      C:\Documents and Settings\All Users\Application Data\L2gJwEW5.exe
      C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
      C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
      C:\Program Files\Common Files\Schlumberger Shared\Diskmonitor.exe
      C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
      C:\Program Files\McAfee\Common Framework\udaterui.exe
      C:\Program Files\Microsoft Office Communicator\communicator.exe
      C:\Program Files\Novadigm\radtray.exe
      C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe
      C:\Program Files\Timbuktu Pro\minitb2.exe
      C:\WINDOWS\system32\EmsServiceHelper.exe
      D:\FTLBackup\FTL\FTLAgent.exe

      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

    Reboot as instructed and run Combofix again. Follow with rescan for HijackThis.

    Please include the following in your next reply:
    OTMoveIt log
    New Combofix Report
    New HJTscan


    Is Drive D a flash drive? If so, we'll need to disinfect it also so don't use it until after that is done.
     
  10. groza528

    groza528 TS Rookie Topic Starter Posts: 22

    When I try to run OTM under your instructions I receive a message that Windows is shutting down because my desktop encryption software has closed unexpectedly. No logs were generated, so presumably Windows shut down too quickly for OTM to run. I believe EmsServiceHelper.exe is related to that software. Would you like me to try again, minus that line?

    Also, D:\ is not a flash drive, but I have used flash drives since getting infected.
     
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Nice catch! It doesn't want you to remove it. Sorry- I should have caught that. Try this first:

    Remove the entry C:\WINDOWS\system32\EmsServiceHelper.exe from the File section in the Code box and put it in Processes. That will shut it down first, like this:
    Code:
    :Processes
    C:\WINDOWS\inf\Auto1.inf
    C:\WINDOWS\inf\Auto2.inf
    C:\WINDOWS\Fonts\1rcOE7.com
    C:\WINDOWS\system32\EmsServiceHelper.exe
    :Services

    :Reg

    :Files
    C:\Documents and Settings\All Users\Application Data\L2gJwEW5.exe
    C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
    C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    C:\Program Files\Common Files\Schlumberger Shared\Diskmonitor.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\McAfee\Common Framework\udaterui.exe
    C:\Program Files\Microsoft Office Communicator\communicator.exe
    C:\Program Files\Novadigm\radtray.exe
    C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe
    C:\Program Files\Timbuktu Pro\minitb2.exe
    D:\FTLBackup\FTL\FTLAgent.exe

    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]

    The file has to be moved because it has a Trojan. If the problem continues after changing the Code box:

    Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.
    Start> Run> type in services.msc> find EMS and double click> Set Startup type to Disabled> Stop the Service. Boot back into Normal Mode.
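The two posts above illustrate the ordering rule for an OTMoveIt script: a file listed under `:Files` that belongs to a running program has to be listed under `:Processes` as well, so the process is stopped before the file is moved (the `EmsServiceHelper.exe` case, where skipping that step brought Windows down). Below is an added example, not OTM's code and not the helper's script verbatim, of a Python pre-flight check that parses a script in that format, compares its `:Files` entries against a list of running processes, reports the ones that would be moved while still running, and emits an amended script with them added under `:Processes`. The script and the running-process list embedded in it are constructed from the thread; the only section semantics assumed are the ones the thread states (`:Processes` stops a process first, `:Files` moves a file).

```python
"""Pre-flight check for an OTMoveIt (OTM) script: every entry under
:Files whose executable is currently running must also appear under
:Processes, so that the process is stopped before the file is moved.

Added example for this thread; not OTM's code and not the helper's
script verbatim.  Section semantics assumed here are only those stated
in the thread (":Processes" stops a process first, ":Files" moves).
"""
import re
from typing import Dict, List

# Constructed OTM script modelled on the helper's first version, in which
# EmsServiceHelper.exe appeared under :Files but not under :Processes.
SCRIPT = r""":Processes
C:\WINDOWS\inf\Auto1.inf
C:\WINDOWS\Fonts\1rcOE7.com
:Services

:Reg

:Files
C:\Documents and Settings\All Users\Application Data\L2gJwEW5.exe
C:\Program Files\Timbuktu Pro\minitb2.exe
C:\WINDOWS\system32\EmsServiceHelper.exe
:Commands
[emptytemp]
[Reboot]
"""

# Constructed running-process list, spelled the way a HijackThis log shows it.
RUNNING = [
    r"C:\WINDOWS\system32\EmsServiceHelper.exe",
    r"C:\Program Files\Timbuktu Pro\minitb2 .exe",
    r"C:\WINDOWS\explorer.exe",
]

SECTION_ORDER = ["processes", "services", "reg", "files", "commands"]
SECTION_LABEL = {"processes": ":Processes", "services": ":Services",
                 "reg": ":Reg", "files": ":Files", "commands": ":Commands"}


def parse_otm(script: str) -> Dict[str, List[str]]:
    """Split an OTM script into {section: [entries]}; blank lines are ignored."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in script.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(":"):
            current = line[1:].lower()
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError(f"entry before any section header: {line!r}")
        else:
            sections[current].append(line)
    return sections


def basename(path: str) -> str:
    """Lower-cased file name with any whitespace before the extension removed,
    so 'minitb2 .exe' in a process list matches 'minitb2.exe' in the script."""
    name = path.rsplit("\\", 1)[-1]
    return re.sub(r"\s+(?=\.[A-Za-z0-9]{1,4}$)", "", name).lower()


def files_needing_process_stop(sections: Dict[str, List[str]],
                               running: List[str]) -> List[str]:
    """Entries under :Files that are running but are not listed under :Processes."""
    running_names = {basename(p) for p in running}
    stopped = {basename(p) for p in sections.get("processes", [])}
    return [f for f in sections.get("files", [])
            if basename(f) in running_names and basename(f) not in stopped]


def amend(sections: Dict[str, List[str]], running: List[str]) -> Dict[str, List[str]]:
    """Copy of the parsed script with the missing :Processes entries added."""
    fixed = {key: list(values) for key, values in sections.items()}
    for path in files_needing_process_stop(sections, running):
        fixed.setdefault("processes", []).append(path)
    return fixed


def render(sections: Dict[str, List[str]]) -> str:
    """Serialize sections back to OTM's text form, in the order the thread's script uses."""
    out: List[str] = []
    for key in SECTION_ORDER:
        if key in sections:
            out.append(SECTION_LABEL[key])
            out.extend(sections[key])
            out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    parsed = parse_otm(SCRIPT)
    for path in files_needing_process_stop(parsed, RUNNING):
        print("running but not under :Processes:", path)
    print(render(amend(parsed, RUNNING)))
```

The check is deliberately one-directional: it only adds entries to `:Processes` and never removes anything from `:Files`, so the decision about what to move stays with whoever wrote the script.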
     
  12. groza528

    groza528 TS Rookie Topic Starter Posts: 22

    I did still have the same problem even after disabling the program from the startup progression, but I managed to get around it by changing the "recovery" tab from "Restart" to "Take no Action."

    However, I have a different problem -- ComboFix seems to have vanished from my desktop and I am unable to reinstall it. When I tried, it failed from both sites, and when I tried again a few minutes later Firefox said it couldn't find the page. I will try again in a few hours; maybe they are uploading a new version?

    OTMoveIt and Hijackthis logs are pasted below:

    All processes killed
    ========== PROCESSES ==========
    No active process named C:\WINDOWS\inf\Auto1.inf was found!
    No active process named C:\WINDOWS\inf\Auto2.inf was found!
    No active process named C:\WINDOWS\Fonts\1rcOE7.com was found!
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    ========== FILES ==========
    File/Folder C:\Documents and Settings\All Users\Application Data\L2gJwEW5.exe not found.
    File/Folder C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe not found.
    File/Folder C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe not found.
    File/Folder C:\Program Files\Common Files\Schlumberger Shared\Diskmonitor.exe not found.
    File/Folder C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe not found.
    C:\Program Files\McAfee\Common Framework\UdaterUI.exe moved successfully.
    File/Folder C:\Program Files\Microsoft Office Communicator\communicator.exe not found.
    File/Folder C:\Program Files\Novadigm\radtray.exe not found.
    File/Folder C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe not found.
    C:\Program Files\Timbuktu Pro\minitb2.exe moved successfully.
    C:\WINDOWS\system32\EmsServiceHelper.exe moved successfully.
    D:\FTLBackup\FTL\FTLAgent.exe moved successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 0 bytes
    ->Flash cache emptied: 6693 bytes

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Java cache emptied: 0 bytes
    ->Flash cache emptied: 624 bytes

    User: JBoomer
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 74555705 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 43457229 bytes
    ->Flash cache emptied: 2154 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 111826 bytes
    ->FireFox cache emptied: 3324657 bytes
    ->Flash cache emptied: 7309 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 11258600 bytes
    ->Java cache emptied: 14 bytes
    ->Flash cache emptied: 17379 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 2162283 bytes
    %systemroot%\System32 .tmp files removed: 2577 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 58432263 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 42861 bytes
    RecycleBin emptied: 566975 bytes

    Total Files Cleaned = 185.00 mb


    OTM by OldTimer - Version 3.1.10.1 log created on 04162010_124813

    Files moved on Reboot...
    C:\WINDOWS\temp\Perflib_Perfdata_ca4.dat moved successfully.

    Registry entries deleted on Reboot...
     
  13. groza528

    groza528 TS Rookie Topic Starter Posts: 22

    Having trouble getting the HJT log in at all... going to try splitting it in half.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:33:13 PM, on 4/16/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.17023)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe
    C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
    C:\WINDOWS\etlisrv.exe
    C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxdnserv.exe
    C:\WINDOWS\system32\lxdncoms.exe
    C:\Program Files\McAfee\VirusScan Enterprise\engineserver.exe
    C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
    C:\WINDOWS\system32\mfevtps.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\oracle\ora10\bin\omtsreco.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Novadigm\radexecd.exe
    C:\Program Files\Novadigm\radsched.exe
    C:\Program Files\Novadigm\Radstgms.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Timbuktu Pro\tb2launch.exe
    C:\Program Files\Schlumberger\TRX\TRXService.exe
    C:\Program Files\Timbuktu Pro\TimbuktuRemoteConsole.exe
    C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
    C:\WINDOWS\system32\CmgShieldSvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    C:\Program Files\McAfee\Common Framework\UdaterUI.exe
    C:\Program Files\McAfee\Common Framework\McTray.exe
    C:\WINDOWS\notepad.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\WLTRAY.exe
    D:\Program Files\FTL\FTLAgent.Net.exe
    C:\WINDOWS\System32\CMGShieldUI.exe
    C:\WINDOWS\system32\RunDLL32.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hub.slb.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hub.slb.com/
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Browser Defender BHO - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptsn.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O3 - Toolbar: PC Tools Browser Guard - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
    O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
    O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
    O4 - HKLM\..\Run: [TLogonPath] "C:\Program Files\Timbuktu Pro\minitb2.exe"
    O4 - HKLM\..\Run: [FTL Connected Agent] D:\Program Files\FTL\FTLAgent.Net.exe /d:10
    O4 - HKLM\..\Run: [FTL Email Agent] D:\Program Files\FTL\FTLAgent.exe
    O4 - HKLM\..\Run: [MaxMenuMgr] "C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe"
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [CmgShieldUI] C:\WINDOWS\System32\CMGShieldUI.exe
    O4 - HKLM\..\Run: [EmsService] EmsServiceHelper.exe
    O4 - HKLM\..\Run: [EFS] C:\WINDOWS\SYSTEM32\WScript.EXE C:\PROGRA~1\NOVADIGM\SLB_EFS.VBS
    O4 - HKLM\..\Run: [RUNRADTRAY] C:\PROGRA~1\Novadigm\radtray.exe
    O4 - HKLM\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\communicator.exe" /fromrunkey
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [EXCEEDLOGS] RemoveExceedLogs.exe
    O4 - HKLM\..\Run: [DiskMonitor] "C:\Program Files\Common Files\Schlumberger Shared\Diskmonitor.exe"
    O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\RunOnce: [SLBRMS_Check] C:\PROGRA~1\NOVADIGM\RADREXXW.EXE VIPEVENT.REX SLBRMS
    O4 - HKLM\..\RunOnce: [SLB_RMS] regedit /s C:\TEMP\Radia\MS_OFFICE_2K7_RMS\RMS_Client\RMS.cfg
    O4 - HKLM\..\RunOnce: [PSLIST] REG.EXE ADD HKCU\SOFTWARE\SYSINTERNALS\PSLIST /v EulaAccepted /t REG_DWORD /d 1 /F
    O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: setup_9.0.0.722_12.04.2010_17-12.lnk = C:\Documents and Settings\JBoomer\Desktop\Virus Removal Tool\setup_9.0.0.722_12.04.2010_17-12\startup.exe
     
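The O2/O3/O4 lines in the log above are the part of a HijackThis report a helper reads first. As an added illustration for this thread (not code from the thread or from HijackThis itself), the Python below parses those three line types and applies a few triage heuristics: an image name with no path (resolved through the search path, so hijackable), a script or registry interpreter as the launched program, and anything living under a user-writable location such as a profile, Desktop or TEMP folder. The sample input is a constructed subset of the log above; the flags are prompts to look closer, not verdicts.

```python
"""Parse HijackThis O2/O3/O4 lines and apply a few triage heuristics.

Added example for this thread; not part of HijackThis.  Flags mark entries
a reviewer should look at, they are not malware verdicts.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: a subset of the O2/O3/O4 lines from the log posted above.
SAMPLE_LOG = r"""
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: PC Tools Browser Guard - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [EmsService] EmsServiceHelper.exe
O4 - HKLM\..\Run: [EFS] C:\WINDOWS\SYSTEM32\WScript.EXE C:\PROGRA~1\NOVADIGM\SLB_EFS.VBS
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey
O4 - HKLM\..\RunOnce: [SLB_RMS] regedit /s C:\TEMP\Radia\MS_OFFICE_2K7_RMS\RMS_Client\RMS.cfg
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: setup_9.0.0.722_12.04.2010_17-12.lnk = C:\Documents and Settings\JBoomer\Desktop\Virus Removal Tool\setup_9.0.0.722_12.04.2010_17-12\startup.exe
"""

# O4 - HKLM\..\Run: [Name] command line
RE_RUN = re.compile(r'^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# O4 - Startup: name.lnk = path
RE_STARTUP = re.compile(r'^O4 - (?P<key>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.*)$')
# O2 - BHO: Name - {CLSID} - path   /   O3 - Toolbar: Name - {CLSID} - path
RE_BHO = re.compile(r'^(?P<kind>O2 - BHO|O3 - Toolbar): (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<cmd>.*)$')

# Programs that run whatever they are handed (heuristic list, an assumption of this example).
INTERPRETERS = {'wscript.exe', 'cscript.exe', 'regedit', 'regedit.exe', 'reg.exe', 'cmd.exe', 'mshta.exe'}
# Locations an ordinary user (or malware running as one) can write to.
USER_WRITABLE = ('\\documents and settings\\', '\\temp\\', '\\application data\\', '\\desktop\\')


@dataclass
class Entry:
    kind: str                 # 'O2', 'O3' or 'O4'
    location: str             # e.g. 'HKLM\..\Run', 'Startup', 'BHO'
    name: str
    image: str                # executable or DLL path exactly as written in the log
    args: str = ''
    clsid: str = ''
    flags: List[str] = field(default_factory=list)


def split_command(cmd: str):
    """Split a Run-key command line into (image, arguments), honouring quotes."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end > 0:
            return cmd[1:end], cmd[end + 1:].strip()
        return cmd[1:], ''
    parts = cmd.split(None, 1)
    return (parts[0] if parts else ''), (parts[1] if len(parts) > 1 else '')


def basename(path: str) -> str:
    return path.replace('/', '\\').rsplit('\\', 1)[-1].lower()


def parse_line(line: str) -> Optional[Entry]:
    m = RE_RUN.match(line)
    if m:
        image, args = split_command(m['cmd'])
        return Entry('O4', f"{m['hive']}\\..\\{m['key']}", m['name'], image, args)
    m = RE_STARTUP.match(line)
    if m:                                   # whole value is a path, spaces included
        return Entry('O4', m['key'], m['name'], m['cmd'].strip())
    m = RE_BHO.match(line)
    if m:
        return Entry(m['kind'][:2], m['kind'][5:], m['name'], m['cmd'].strip(), clsid=m['clsid'])
    return None


def flag(entry: Entry) -> Entry:
    exe = basename(entry.image)
    if '\\' not in entry.image:             # found via search order, not an absolute path
        entry.flags.append('unqualified-image')
    if exe in INTERPRETERS:
        entry.flags.append('interpreter')
    if exe == 'rundll32.exe':               # the DLL, not rundll32 itself, is what runs
        module = entry.args.split(',', 1)[0].strip().strip('"')
        if module and '\\' not in module:
            entry.flags.append('unqualified-module')
    full = (entry.image + ' ' + entry.args).lower()
    if any(loc in full for loc in USER_WRITABLE):
        entry.flags.append('user-writable-path')
    return entry


def triage(log_text: str) -> List[Entry]:
    entries = []
    for line in log_text.splitlines():
        entry = parse_line(line.strip())
        if entry:
            entries.append(flag(entry))
    return entries


def flagged(log_text: str) -> dict:
    """Map entry name -> sorted flags, for entries that have any."""
    return {e.name: sorted(e.flags) for e in triage(log_text) if e.flags}


if __name__ == '__main__':
    for name, flags in flagged(SAMPLE_LOG).items():
        print(f'{name:45} {", ".join(flags)}')
```

Everything it reports on the sample is explainable from the thread (the Startup .lnk is the Kaspersky removal tool the poster later uninstalled; the EFS and SLB_RMS entries are the corporate Novadigm deployment), which is the point: the parser gets the log into a shape where those questions can be asked one entry at a time.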
  14. groza528

    groza528 TS Rookie Topic Starter Posts: 22

    Gah-- I'll keep trying later :(
     
  15. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Hold on the HijackThis log for now. But please run Combofix again and give me the report. (See Post 2 for instructions) You can delete the current report for Combofix on the desktop- not the program, just the report. Note that all security is to be turned off before running Combofix.

    I need a current update on the problems you are experiencing from malware. This does not include the problem with the HJT log. (HJT log can be attached if necessary next time I have you run it)

    Do you know what this is for?
    O4 - Startup: setup_9.0.0.722_12.04.2010_17-12.lnk = C:\Documents and Settings\JBoomer\Desktop\Virus Removal Tool\setup_9.0.0.722_12.04.2010_17-12\startup.exe
     
  16. groza528

    groza528 TS Rookie Topic Starter Posts: 22

    Cannot run ComboFix!

    I'm having trouble running ComboFix.

    As I said, the program had recently vanished from my desktop and I could not reinstall it. Firefox cannot find the file when I try to download it; IE will get to 99% on the download and then tell me I don't have permission to move ComboFix[1]. I did finally get it installed, but I had to do so in safe mode.

    When I try to run Combo-Fix in normal mode I get the following message: "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item." Also, I do not see the typical combo-fix icon; just a generic exe icon.

    When I try to run Combo-Fix in safe mode it starts up and begins running, but then blue-screens with this message: "IRQL_NOT_LESS_OR_EQUAL" I do see the combo-fix icon in safe mode.

    I believe that entry in the hijackthis log is related to Kaspersky Virus Removal Tool, which starts up every time the computer boots. I have since uninstalled it.

    Symptoms are still roughly the same-- Cannot open files (or ComboFix) due to being told I don't have access, Google redirect, new tabs opening in firefox

    Any suggestions for getting ComboFix running? If not, is there something else to try instead?
     
  17. groza528

    groza528 TS Rookie Topic Starter Posts: 22

    I was able to successfully run ComboFix, but only in safe mode - I hope that's still useful! Some googling revealed that Roxio Easy CD creator is often linked with the IRQL_ bluescreen, so I uninstalled it. After that I was able to run ComboFix in safe mode. Log attached.
     


  18. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Broni had your system clean just over a month ago: "Clean on 2/28 Unable to open Task Manager -- completed 8 steps" http://www.techspot.com/vb/topic143650.html

    I note that you are using Exceed, which is a service that lets you connect to the internet through a server located in the United States. This connection changes your location to the United States, and in the internet world you will be known as an American user.
    c:\\ExceedNT\\exceed.exe"=

    You are also using the Juniper network. The dssamproxy.exe is a Secure Application Manager Proxy. You're running Netopia Remote Control software and a mirror remote.

    I've set up one CFScript below. Run it and leave the new report it creates. I suspect that you will need to reformat and reinstall, and when you do, you need to review what programs you're using:

    Custom CFScript

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad and copy/paste the text in the code below into it:
    Code:
    File::
    c:\windows\system32\drivers\15461921.sys
    c:\windows\system32\drivers\1546192.sys
    c:\windows\system32\drivers\hitmanpro35.sys
    c:\documents and settings\All Users\Application Data\Hitman Pro
    c:\documents and settings\LocalService\Local Settings\Application Data\Threat Expert
    c:\documents and settings\NetworkService\Local Settings\Application Data\Threat Expert
    c:\documents and settings\All Users\Application Data\075GMAU.dat
    c:\documents and settings\NetworkService\Local Settings\Application Data\avG
    c:\documents and settings\All Users\Application Data\avG
    
    Folder::
    c:\program files\Hitman Pro 3.5
    c:\program files\Eusing Free Registry Cleaner
    
    Domains::
    
    AtJob::
    
    Extra::
    Firefox::
    Firefox-: Profile- c:\documents and settings\JBoomer\Application Data\Mozilla\Firefox\Profiles\qugigexc.default\
    Firefox-: prefs.js- startup.homepage
    
    Registry::
    
    Driver::
    Tb2Device
    Tb2MirrorSys
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [image: CFScript.txt being dragged onto ComboFix.exe]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
    ====================
     
  19. groza528

    groza528 TS Rookie Topic Starter Posts: 22

    I don't use Exceed to connect to the internet, just as a runtime environment for some UNIX-based software. Does that make a difference?

    I was afraid you might say that :-/ Just to be clear, do you mean that you suspect I will *eventually* have to reformat or that I will *immediately* have to reformat? That is, should I wait to run the script until I am ready to reformat?
     
  20. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Please run the script now. I can then determine how effective it will be.

    You have an unusual assortment of programs. I don't know whether running them is leaving you so vulnerable or whether your security is lax. This is not the same malware you had before.
     
  21. groza528

    groza528 TS Rookie Topic Starter Posts: 22

    Log attached.

    I was able to run Combo-Fix in normal mode last night, and again this morning-- the only difference I can think of is that I was running offline. But I noticed the cat icon was back so I gave it a try. Currently the icon is gone again.
     


  22. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Custom CFScript


    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad and copy/paste the text in the code below into it:
    Code:
    File::
    c:\documents and settings\All Users\Application Data\Hitman Pro
    c:\documents and settings\NetworkService\Local Settings\Application Data\avG
    c:\documents and settings\All Users\Application Data\avG
    c:\documents and settings\NetworkService\Local Settings\Application Data\Threat Expert
    c:\documents and settings\All Users\Application Data\L2gJwEW5.exe
    c:\windows\system32\DRIVERS\15461922.sys
    c:\documents and settings\All Users\Application Data\TEMP
    
    Folder::
    c:\temp\plugtmp-1
    c:\temp\plugtmp
    c:\temp\plugtmp-2
    c:\temp\plugtmp-4
    c:\temp\plugtmp-3
    c:\temp\plugtmp-9
    c:\temp\plugtmp-8
    c:\temp\plugtmp-7
    c:\temp\plugtmp-6
    c:\temp\plugtmp-5
    c:\temp\{609F7AC8-C510-11D4-A788-009027ABA5D0}
    c:\temp\{AC76BA86-7AD7-1033-7B44-A93000000001}
    c:\temp\WPDNSE
    c:\temp\W2K
    
    Registry::
    
    Extra::
    Firefox::
    File::
    c:\documents and settings\JBoomer\Application Data\Mozilla\Firefox\Profiles\qugigexc.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
    Firefox-: Profile- c:\documents and settings\JBoomer\Application Data\Mozilla\Firefox\Profiles\qugigexc.default\
    Firefox-: prefs.js: browser.startup.homepage 
    
    Driver::
    15461922
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [image: CFScript.txt being dragged onto ComboFix.exe]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
    ====================
    Please run the Eset scan again after this:
    Run Eset NOD32 Online AntiVirus Scanner HERE
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the Active X control to install
    • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    • Click Scan
    • Wait for the scan to finish
    • Re-enable your Antivirus software.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

    Leave both CF Script report and new Eset log in next report.
     
  23. groza528

    groza528 TS Rookie Topic Starter Posts: 22

    Logs attached.
     


  24. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Your security was running when you did the Combofix script; it should have been disabled.

    Questions:
    1. Have you noticed any improvement in the system?
    2. If I counted right, you have your homepage set to open with 11 tabs loaded. Is that right?
    I have some concern about these: about:blank|about:blank. It wouldn't make any sense to have 2 blank tabs load, because you can open a new tab whenever you want, or you can use the other tabs to go to a different site.
    3. Do you know what these avG entries are for? I've tried to move them twice but they remain. It's not AVG antivirus:
    c:\documents and settings\NetworkService\Local Settings\Application Data\avG
    c:\documents and settings\All Users\Application Data\avG
    ============================
    The Eset log is still showing these although I tried to move them:
    C:\WINDOWS\Fonts\1rcOE7.com
    C:\WINDOWS\inf\Auto1.inf INF/Autorun.gen trojan
    C:\WINDOWS\inf\Auto2.inf INF/Autorun.gen trojan


    Chances are good that their source is your USB drive. If you are using one, we need to disinfect it.

    So we need to consider a Rootkit. Please run the following:

    Please download GMER: Go to this site http://www.gmer.net/files.php and click on Download EXE. Save the file to your desktop
    Two other links for the download should you need one:
    Link 2
    Link 3
    • Double click on downloaded .exe file on the desktop
    • Select Rootkit tab> click Scan
    • When scan is completed, click Save button, and save the results as gmer.log
    This screenshot HERE will show you how the display will come up.

    Warning ! Please, do not select the "Show all" checkbox during the scan.
    Post the log.

    Let me know about the flash drive- it needs to be disinfected, which isn't a big deal- usually. I'll check the Rootkit results and we'll decide where to go after that.
     
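The Auto1.inf / Auto2.inf detections in the post above are the INF side of a USB-spreading infection: an autorun.inf on the stick names a program for AutoRun, or for the drive's Explorer context menu, to launch. As an added example, not from this thread or from any of the tools it mentions, the Python below parses an autorun.inf (a constructed sample; the payload and folder names in it are made up), lists every directive that would launch code, and shows one widely used way to disinfect a drive root: quarantine the file and leave a directory named autorun.inf in its place so a simple dropper cannot write it back. The demo runs against a scratch directory standing in for the drive root.

```python
"""Inspect an autorun.inf for code-launching directives and neutralise it.

Added example for this thread; the sample file and the 'autorun.inf directory'
immunisation trick are assumptions of the example, not steps from the thread.
"""
import re
import tempfile
from pathlib import Path

# Constructed sample in the style of the INF/Autorun family; names are made up.
SAMPLE_INF = r"""[autorun]
; icon is harmless on its own, the launch directives below are not
icon=%SystemRoot%\system32\shell32.dll,4
open=RECYCLER\payload.com
shellexecute=RECYCLER\payload.com
shell\Open=&Open
shell\Open\command=RECYCLER\payload.com
shell\Explore=E&xplore
shell\Explore\command=RECYCLER\payload.com
shell=Open
useautoplay=1
"""

# Keys whose value is executed: open=, shellexecute=, shell\<verb>\command=
LAUNCH_KEY = re.compile(r'^(open|shellexecute|shell\\[^\\]+\\command)$', re.I)


def parse_autorun(text: str) -> dict:
    """Return {key: value} for the [autorun] section, keys lower-cased.

    Deliberately hand-rolled: real-world files mix case, reuse keys and carry
    junk lines that configparser would choke on.
    """
    directives, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(';'):
            continue
        if line.startswith('[') and line.endswith(']'):
            section = line[1:-1].strip().lower()
            continue
        if section != 'autorun' or '=' not in line:
            continue
        key, value = line.split('=', 1)
        directives[key.strip().lower()] = value.strip()
    return directives


def first_token(value: str) -> str:
    """Program part of a command value (quoted path or first whitespace token)."""
    value = value.strip()
    if value.startswith('"') and value.count('"') >= 2:
        return value[1:value.find('"', 1)]
    return value.split(None, 1)[0] if value else ''


def assess(text: str) -> dict:
    d = parse_autorun(text)
    launches = {k: first_token(v) for k, v in d.items() if LAUNCH_KEY.match(k)}
    return {
        'launches': launches,                          # directive -> program
        'programs': sorted(set(launches.values())),    # distinct things that would run
        'default_verb': d.get('shell', ''),            # shell=<verb> hijacks double-click
        'launches_code': bool(launches),
    }


def neutralize(drive_root) -> dict:
    """Quarantine autorun.inf at a drive root and block its re-creation.

    A directory named autorun.inf cannot be overwritten by a dropper that
    simply opens the file for writing; this is a common 'USB immunisation'.
    """
    root = Path(drive_root)
    inf = root / 'autorun.inf'
    done = {'quarantined': None, 'blocked': False}
    if inf.is_file():
        target = root / 'autorun.inf.quarantined'
        inf.rename(target)
        done['quarantined'] = str(target)
    if not inf.exists():
        inf.mkdir()
    done['blocked'] = inf.is_dir()
    return done


def demo(root=None) -> dict:
    """Write the sample to a scratch 'drive root', assess it, then neutralise it."""
    root = Path(root) if root else Path(tempfile.mkdtemp())
    inf = root / 'autorun.inf'
    inf.write_text(SAMPLE_INF)
    report = assess(inf.read_text())
    report['actions'] = neutralize(root)
    report['blocked_now'] = inf.is_dir()
    return report


if __name__ == '__main__':
    r = demo()
    print('would launch:', r['programs'], '| default verb:', r['default_verb'])
    print('actions:', r['actions'])
```

The `shell=` and `shell\<verb>\command=` pair matters as much as `open=`: even with AutoRun disabled, they rewrite what a double-click or right-click "Open" on the drive does, which is how these infections keep spreading on machines that have AutoPlay turned off. Quarantining rather than deleting keeps the file for the helper to look at.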
  25. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Due to inactivity, this thread is being closed. If you need it reopened, please send a PM to your helper and include the URL of the thread.

    NOTE: This message applies only to the original posting member.
     
Topic Status:
Not open for further replies.
