Can't open DDS

Solved
By alejoromero9
Aug 24, 2010
  1. Hi everyone. I'm new to the forum and hope to be helpful someday.

    Right now I'm following the 8 steps to clean my laptop up. So far I have had two issues. First, when running Malwarebytes it did not update; the last update was on 4/5/2010. Yet it found two threats and the software cleaned them up.
    Second, I downloaded the DDS program but it won't run. When clicking on "run" an alert prompts indicating there is no software on my computer to run it. It gives me two options: 1) choosing a program from a list (I tried Notepad and WordPad and it did not work) and 2) using the web to choose software, which leads me to Uniblue, which I had already downloaded; I did not run it because at the beginning of the 8 steps I was warned not to run any other software during the process.

    Can anybody help?

    Thanks in advance.

    Alejandro.
  2. Broni

    Broni Malware Annihilator Posts: 45,265   +243

    Welcome aboard

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

    * Rkill.com
    * Rkill.scr
    * Rkill.pif
    * Rkill.exe


    * Double-click on the Rkill desktop icon to run the tool.
    * If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    * A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    * If not, delete the file, then download and use the one provided in Link 2.
    * If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    * Do not reboot until instructed.
    * If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run then try to immediately run the following.

    Now download and run exeHelper.


    * Please download exeHelper from Raktor to your desktop.
    * Double-click on exeHelper.com to run the fix.
    * A black window should pop up; press any key to close once the fix is completed.
    * A log file named log.txt will be created in the directory where you ran exeHelper.com
    * Attach the log.txt file to your next message.

    Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

    Now, try to run DDS.

    If still no go, post any other log you can.
  3. alejoromero9

    alejoromero9 Newcomer, in training Topic Starter Posts: 51

    Not working

    Dear Broni:

    Thanks very much for your help. Unfortunately it did not work. After running exehelper I tried to open the DDS file and it came back to the screen where it asks to choose a program to open the file.

    I'm attaching all of the logs I have got since I began with the 8 steps. I hope you can help me as I'm getting a little anxious about this.

    Thanks in advance.

    Alejandro.


    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4052

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    23/08/2010 10:50:09 p.m.
    mbam-log-2010-08-23 (22-50-09).txt

    Scan type: Quick scan
    Objects scanned: 123027
    Time elapsed: 40 minute(s), 40 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 2
    Registry Values Infected: 0
    Registry Data Items Infected: 2
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{549b5ca7-4a86-11d7-a4df-000874180bb3} (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{549b5ca7-4a86-11d7-a4df-000874180bb3} (Trojan.Agent) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    __________________________________________________________________________________

    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit scan 2010-08-24 00:35:55
    Windows 5.1.2600 Service Pack 3
    Running: 3o27pp0g.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\pwdoqkow.sys


    ---- System - GMER 1.0.15 ----

    SSDT 858EB168 ZwAlertResumeThread
    SSDT 857C4B00 ZwAlertThread
    SSDT 85844CD0 ZwAllocateVirtualMemory
    SSDT 859E84D8 ZwConnectPort
    SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xEEBF6020]
    SSDT 857CE908 ZwCreateMutant
    SSDT 8593A308 ZwCreateThread
    SSDT 85A7EF00 ZwDebugActiveProcess
    SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xEEBF62A0]
    SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xEEBF6800]
    SSDT 857591D8 ZwFreeVirtualMemory
    SSDT 85AAFEB0 ZwImpersonateAnonymousToken
    SSDT 85AA5570 ZwImpersonateThread
    SSDT 859189F8 ZwMapViewOfSection
    SSDT 85B021B0 ZwOpenEvent
    SSDT 857FD180 ZwOpenProcessToken
    SSDT 85A77438 ZwOpenSection
    SSDT 8585C4E8 ZwOpenThreadToken
    SSDT 858D3C28 ZwResumeThread
    SSDT 857381B8 ZwSetContextThread
    SSDT 85A88108 ZwSetInformationProcess
    SSDT 8585DE08 ZwSetInformationThread
    SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xEEBF6A50]
    SSDT 85AB1AF0 ZwSuspendProcess
    SSDT 8585E828 ZwSuspendThread
    SSDT 858D3438 ZwTerminateProcess
    SSDT 8584B158 ZwTerminateThread
    SSDT 858BB220 ZwUnmapViewOfSection
    SSDT 85814208 ZwWriteVirtualMemory

    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntoskrnl.exe!_abnormal_termination + F8 804E2754 4 Bytes JMP BF99ACD5 \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
    .text ntoskrnl.exe!_abnormal_termination + 250 804E28AC 4 Bytes CALL 83D3AE75
    ? kiilxea.sys The system cannot find the file specified. !

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\Ip fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\Tcp fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)
    AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\Udp fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)
    AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update@OfflineDetectionPending 1

    ---- EOF - GMER 1.0.15 ----


    _________________________________________________________________________________________

    This log file is located at C:\rkill.log.
    Please post this only if requested to by the person helping you.
    Otherwise you can close this log when you wish.
    Ran as Owner on 24/08/2010 at 20:07:16.


    Processes terminated by Rkill or while it was running:


    C:\Documents and Settings\Owner\Desktop\8 steps\rkill.com


    Rkill completed on 24/08/2010 at 20:07:26.


    _______________________________________________________________________________________

    exeHelper by Raktor
    Build 20100414
    Run at 20:09:05 on 08/24/10
    Now searching...
    Checking for numerical processes...
    Checking for sysguard processes...
    Checking for bad processes...
    Checking for bad files...
    Checking for bad registry entries...
    Resetting filetype association for .exe
    Resetting filetype association for .com
    Resetting userinit and shell values...
    Resetting policies...
    --Finished--
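The GMER and Malwarebytes output above is what the helper reads by eye. The following is an added example, not code from the thread, GMER or Malwarebytes: a small Python triage script that parses the two line shapes GMER uses for SSDT hooks (a bare address, or a hook resolved to a driver path with vendor and handler address), groups the hooked functions by owning driver, and separately pulls the "Registry Data Items Infected" lines from the Malwarebytes log to list which Security Center notifications had been switched off. The sample lines are excerpted from the logs posted above; the regexes assume exactly those line shapes.

```python
"""Triage helper for GMER SSDT and Malwarebytes log lines (added example, not from the thread)."""
import re
from collections import defaultdict

# Two SSDT line shapes appear in the GMER log above: a bare hook address, or a
# hook resolved to a driver path with a vendor description and handler address.
SSDT_BARE = re.compile(r"^SSDT\s+(?P<addr>[0-9A-Fa-f]{8})\s+(?P<func>\w+)\s*$")
SSDT_MODULE = re.compile(
    r"^SSDT\s+(?P<module>\S+)\s+\((?P<vendor>[^)]*)\)\s+(?P<func>\w+)\s+\[0x(?P<addr>[0-9A-Fa-f]+)\]\s*$"
)

# Malwarebytes "Registry Data Items Infected" line shape (assumed from the log above).
MBAM_DATA = re.compile(
    r"^(?P<key>.+?) \((?P<detection>[^)]+)\) -> Bad: \((?P<bad>[^)]*)\) "
    r"Good: \((?P<good>[^)]*)\) -> (?P<action>.+)$"
)

# Sample input: lines excerpted from the logs posted in this thread.
GMER_SAMPLE = r"""
SSDT 858EB168 ZwAlertResumeThread
SSDT 857C4B00 ZwAlertThread
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xEEBF6020]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xEEBF62A0]
SSDT 85814208 ZwWriteVirtualMemory
""".strip().splitlines()

MBAM_SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
""".strip().splitlines()


def parse_ssdt(lines):
    """Return one dict per SSDT hook; 'module' is None when GMER printed only an address."""
    hooks = []
    for line in lines:
        line = line.strip()
        m = SSDT_MODULE.match(line)
        if m:
            hooks.append({"function": m["func"], "module": m["module"],
                          "vendor": m["vendor"], "address": m["addr"].upper()})
            continue
        m = SSDT_BARE.match(line)
        if m:
            hooks.append({"function": m["func"], "module": None,
                          "vendor": None, "address": m["addr"].upper()})
    return hooks


def hooks_by_module(hooks):
    """Group hooked functions by the driver that owns the handler."""
    grouped = defaultdict(list)
    for h in hooks:
        grouped[h["module"] or "<unresolved>"].append(h["function"])
    return dict(grouped)


def unattributed_hooks(hooks):
    """Hooks GMER could not tie to a module: the ones a helper would ask about first."""
    return sorted(h["function"] for h in hooks if h["module"] is None)


def parse_mbam_data_items(lines):
    """Parse Malwarebytes registry-data detections into dicts (key, detection, bad, good, action)."""
    return [m.groupdict() for m in (MBAM_DATA.match(l.strip()) for l in lines) if m]


def security_center_tampering(items):
    """(value name, bad value) for every Security Center notification that had been switched off."""
    return [(i["key"].rsplit("\\", 1)[-1], i["bad"])
            for i in items
            if i["detection"] == "Disabled.SecurityCenter" and i["bad"] != i["good"]]


if __name__ == "__main__":
    hooks = parse_ssdt(GMER_SAMPLE)
    for module, funcs in hooks_by_module(hooks).items():
        print(f"{module}: {', '.join(funcs)}")
    print("unattributed hooks:", unattributed_hooks(hooks))
    print("security center notifications disabled:",
          security_center_tampering(parse_mbam_data_items(MBAM_SAMPLE)))
```

The point of splitting hooks by owner is that a hook pointing into a known, vendor-described driver (here SYMEVENT.SYS) is expected behaviour for host security software, whereas hooks that GMER reports only as a raw address cannot be judged from the log alone and need follow-up (which module owns that memory, whether it is signed), which is exactly why the helper asks for further scans rather than declaring the machine clean.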
  4. Broni

    Broni Malware Annihilator Posts: 45,265   +243

    No worries. You did fine :)

    Download MBRCheck to your desktop

    Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
    It will show a black screen with some data on it.
    A report called MBRcheckxxxx.txt will be on your desktop
    Open this report and post its content in your next reply.

    ======================================================================

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure, you re-enable your security programs, when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
  5. alejoromero9

    alejoromero9 Newcomer, in training Topic Starter Posts: 51

    Thanks Broni. Here you go...

    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows XP Home Edition
    Windows Information: Service Pack 3 (build 2600)
    Logical Drives Mask: 0x0000003c

    Kernel Drivers (total 185):
    0x804D7000 \WINDOWS\system32\ntoskrnl.exe
    0x806EE000 \WINDOWS\system32\hal.dll
    0xF7A6F000 \WINDOWS\system32\KDCOM.DLL
    0xF797F000 \WINDOWS\system32\BOOTVID.dll
    0xF7520000 ACPI.sys
    0xF7A71000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
    0xF750F000 pci.sys
    0xF756F000 isapnp.sys
    0xF7983000 ACPIEC.sys
    0xF7B37000 \WINDOWS\system32\DRIVERS\OPRGHDLR.SYS
    0xF7987000 compbatt.sys
    0xF798B000 \WINDOWS\System32\DRIVERS\BATTC.SYS
    0xF7B38000 pciide.sys
    0xF77EF000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
    0xF7A73000 aliide.sys
    0xF7A75000 intelide.sys
    0xF7A77000 toside.sys
    0xF7A79000 viaide.sys
    0xF7A7B000 cmdide.sys
    0xF74F1000 pcmcia.sys
    0xF757F000 MountMgr.sys
    0xF74D2000 ftdisk.sys
    0xF77F7000 PartMgr.sys
    0xF758F000 VolSnap.sys
    0xF798F000 cpqarray.sys
    0xF74BA000 \WINDOWS\system32\DRIVERS\SCSIPORT.SYS
    0xF74A2000 atapi.sys
    0xF7993000 aha154x.sys
    0xF77FF000 sparrow.sys
    0xF7997000 symc810.sys
    0xF759F000 aic78xx.sys
    0xF799B000 dac960nt.sys
    0xF75AF000 ql10wnt.sys
    0xF799F000 amsint.sys
    0xF7807000 asc.sys
    0xF79A3000 asc3550.sys
    0xF780F000 mraid35x.sys
    0xF7817000 i2omp.sys
    0xF79A7000 ini910u.sys
    0xF75BF000 ql1240.sys
    0xF75CF000 aic78u2.sys
    0xF781F000 symc8xx.sys
    0xF7827000 sym_hi.sys
    0xF782F000 sym_u3.sys
    0xF7837000 ABP480N5.SYS
    0xF783F000 asc3350p.sys
    0xF7A7D000 cd20xrnt.sys
    0xF75DF000 ultra.sys
    0xF7489000 adpu160m.sys
    0xF7847000 dpti2o.sys
    0xF75EF000 ql1080.sys
    0xF75FF000 ql1280.sys
    0xF760F000 ql12160.sys
    0xF784F000 perc2.sys
    0xF7A7F000 perc2hib.sys
    0xF7857000 hpn.sys
    0xF79AB000 cbidf2k.sys
    0xF745D000 dac2w2k.sys
    0xF761F000 disk.sys
    0xF762F000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
    0xF743D000 fltmgr.sys
    0xF742B000 sr.sys
    0xF763F000 PxHelp20.sys
    0xF7414000 KSecDD.sys
    0xF7387000 Ntfs.sys
    0xF735A000 NDIS.sys
    0xF764F000 sisagp.sys
    0xF765F000 viaagp.sys
    0xF7349000 rmedia.sys
    0xF766F000 ohci1394.sys
    0xF767F000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
    0xF732F000 Mup.sys
    0xF768F000 agp440.sys
    0xF769F000 alim1541.sys
    0xF76AF000 amdagp.sys
    0xF76BF000 agpCPQ.sys
    0xF76EF000 \SystemRoot\system32\DRIVERS\nic1394.sys
    0xF688D000 \SystemRoot\system32\DRIVERS\intelppm.sys
    0xF7267000 \SystemRoot\system32\DRIVERS\CmBatt.sys
    0xF67A6000 \SystemRoot\system32\DRIVERS\ialmnt5.sys
    0xF6792000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
    0xF789F000 \SystemRoot\system32\DRIVERS\usbuhci.sys
    0xF676E000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
    0xF78A7000 \SystemRoot\system32\DRIVERS\usbehci.sys
    0xF687D000 \SystemRoot\system32\DRIVERS\Rtlnic51.sys
    0xF671A000 \SystemRoot\system32\DRIVERS\bcmwl5.sys
    0xF686D000 \SystemRoot\system32\DRIVERS\i8042prt.sys
    0xF78AF000 \SystemRoot\system32\DRIVERS\kbdclass.sys
    0xF66EE000 \SystemRoot\system32\DRIVERS\SynTP.sys
    0xF7AAD000 \SystemRoot\system32\DRIVERS\USBD.SYS
    0xF78B7000 \SystemRoot\system32\DRIVERS\mouclass.sys
    0xF685D000 \SystemRoot\system32\DRIVERS\imapi.sys
    0xF684D000 \SystemRoot\system32\DRIVERS\cdrom.sys
    0xF76FF000 \SystemRoot\system32\DRIVERS\redbook.sys
    0xF66CB000 \SystemRoot\system32\DRIVERS\ks.sys
    0xF770F000 \SystemRoot\SYSTEM32\DRIVERS\GEARAspiWDM.sys
    0xF6635000 \SystemRoot\system32\drivers\smwdm.sys
    0xF6611000 \SystemRoot\system32\drivers\portcls.sys
    0xF771F000 \SystemRoot\system32\drivers\drmk.sys
    0xF7AAF000 \SystemRoot\system32\drivers\aeaudio.sys
    0xF65E0000 \SystemRoot\system32\DRIVERS\HSFHWICH.sys
    0xF64E1000 \SystemRoot\system32\DRIVERS\HSF_DP.sys
    0xF643B000 \SystemRoot\system32\DRIVERS\HSF_CNXT.sys
    0xF78BF000 \SystemRoot\System32\Drivers\Modem.SYS
    0xF7CAE000 \SystemRoot\system32\DRIVERS\audstub.sys
    0xF7AB3000 \SystemRoot\System32\Drivers\RootMdm.sys
    0xF772F000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
    0xF725F000 \SystemRoot\system32\DRIVERS\ndistapi.sys
    0xF6424000 \SystemRoot\system32\DRIVERS\ndiswan.sys
    0xF773F000 \SystemRoot\system32\DRIVERS\raspppoe.sys
    0xF774F000 \SystemRoot\system32\DRIVERS\raspptp.sys
    0xF78C7000 \SystemRoot\system32\DRIVERS\TDI.SYS
    0xF6413000 \SystemRoot\system32\DRIVERS\psched.sys
    0xF775F000 \SystemRoot\system32\DRIVERS\msgpc.sys
    0xF78CF000 \SystemRoot\system32\DRIVERS\ptilink.sys
    0xF78D7000 \SystemRoot\system32\DRIVERS\raspti.sys
    0xF78DF000 \SystemRoot\system32\DRIVERS\RimSerial.sys
    0xF776F000 \SystemRoot\system32\DRIVERS\termdd.sys
    0xF78E7000 \SystemRoot\system32\DRIVERS\SymIM.sys
    0xF7ABD000 \SystemRoot\system32\DRIVERS\swenum.sys
    0xF63B5000 \SystemRoot\system32\DRIVERS\update.sys
    0xF724B000 \SystemRoot\system32\DRIVERS\mssmbios.sys
    0xF777F000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0xF779F000 \SystemRoot\system32\DRIVERS\usbhub.sys
    0xF7066000 \SystemRoot\System32\Drivers\i2omgmt.SYS
    0xF7AC5000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0xF7CBE000 \SystemRoot\System32\Drivers\Null.SYS
    0xF7AC7000 \SystemRoot\System32\Drivers\Beep.SYS
    0xF7907000 \SystemRoot\System32\drivers\vga.sys
    0xF7AC9000 \SystemRoot\System32\Drivers\mnmdd.SYS
    0xF7ACB000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0xF790F000 \SystemRoot\System32\Drivers\Msfs.SYS
    0xF7917000 \SystemRoot\System32\Drivers\Npfs.SYS
    0xF7062000 \SystemRoot\system32\DRIVERS\rasacd.sys
    0xEE23A000 \SystemRoot\system32\DRIVERS\ipsec.sys
    0xEE1E1000 \SystemRoot\system32\DRIVERS\tcpip.sys
    0xEE1B5000 \SystemRoot\System32\Drivers\SYMTDI.SYS
    0xEE190000 \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
    0xF7A23000 \SystemRoot\System32\Drivers\SYMREDRV.SYS
    0xF7ACD000 \SystemRoot\System32\Drivers\SYMDNS.SYS
    0xF791F000 \SystemRoot\System32\Drivers\SYMNDIS.SYS
    0xEE12A000 \SystemRoot\System32\Drivers\SYMFW.SYS
    0xF7927000 \SystemRoot\System32\Drivers\SYMIDS.SYS
    0xEE0BD000 \??\C:\PROGRA~1\COMMON~1\SYMANT~1\SymcData\ipsdefs\20100819.001\SymIDSCo.sys
    0xEE097000 \SystemRoot\system32\DRIVERS\ipnat.sys
    0xF72EF000 \SystemRoot\system32\DRIVERS\wanarp.sys
    0xF72DF000 \SystemRoot\system32\DRIVERS\arp1394.sys
    0xEE06F000 \SystemRoot\system32\DRIVERS\netbt.sys
    0xEE04D000 \SystemRoot\System32\drivers\afd.sys
    0xF72AF000 \SystemRoot\System32\Drivers\SRTSPX.SYS
    0xEDFDD000 \??\C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys
    0xF729F000 \SystemRoot\System32\Drivers\Fips.SYS
    0xEDF7F000 \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
    0xEDF62000 \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
    0xEDF3E000 \SystemRoot\System32\Drivers\Fastfat.SYS
    0xEDF26000 \SystemRoot\System32\Drivers\dump_atapi.sys
    0xF7AD3000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
    0xBF800000 \SystemRoot\System32\win32k.sys
    0xF63A1000 \SystemRoot\System32\drivers\Dxapi.sys
    0xF7887000 \SystemRoot\System32\watchdog.sys
    0xBF000000 \SystemRoot\System32\drivers\dxg.sys
    0xF7B73000 \SystemRoot\System32\drivers\dxgthk.sys
    0xBF020000 \SystemRoot\System32\ialmdnt5.dll
    0xBF012000 \SystemRoot\System32\ialmrnt5.dll
    0xBF03F000 \SystemRoot\System32\ialmdev5.DLL
    0xBF05E000 \SystemRoot\System32\ialmdd5.DLL
    0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
    0xEDDF2000 \SystemRoot\system32\DRIVERS\AegisP.sys
    0xEDEBE000 \SystemRoot\system32\DRIVERS\fssfltr_tdi.sys
    0xEDDEE000 \SystemRoot\system32\DRIVERS\ndisuio.sys
    0xEE178000 \??\C:\WINDOWS\system32\drivers\CO_Mon.sys
    0xED959000 \SystemRoot\system32\DRIVERS\mrxdav.sys
    0xED91C000 \SystemRoot\system32\drivers\wdmaud.sys
    0xEDB36000 \SystemRoot\system32\drivers\sysaudio.sys
    0xF7AD9000 \SystemRoot\System32\Drivers\ASCTRM.SYS
    0xEDA76000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
    0xED60E000 \SystemRoot\System32\Drivers\Cdfs.SYS
    0xEE168000 \??\C:\WINDOWS\system32\drivers\symlcbrd.sys
    0xECCBB000 \SystemRoot\System32\Drivers\SRTSP.SYS
    0xECB6F000 \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20100823.025\NAVEX15.SYS
    0xECB5B000 \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20100823.025\NAVENG.SYS
    0xECB1A000 \SystemRoot\System32\Drivers\HTTP.sys
    0xBA7D5000 \SystemRoot\system32\drivers\kmixer.sys
    0xF7967000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
    0x7C900000 \WINDOWS\system32\ntdll.dll

    Processes (total 50):
    0 System Idle Process
    4 System
    900 C:\WINDOWS\system32\smss.exe
    1004 csrss.exe
    1028 C:\WINDOWS\system32\winlogon.exe
    1072 C:\WINDOWS\system32\services.exe
    1084 C:\WINDOWS\system32\lsass.exe
    1240 C:\WINDOWS\system32\svchost.exe
    1296 svchost.exe
    1336 C:\WINDOWS\system32\svchost.exe
    1412 svchost.exe
    1596 svchost.exe
    1976 C:\Program Files\Common Files\Symantec Shared\CCSVCHST.EXE
    120 C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    1696 C:\WINDOWS\system32\spoolsv.exe
    688 svchost.exe
    700 C:\Program Files\Uniblue\RegistryBooster\rbmonitor.exe
    1608 C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    476 C:\Program Files\Bonjour\mDNSResponder.exe
    604 C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    656 C:\WINDOWS\system32\HPZipm12.exe
    740 C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    1884 C:\Program Files\QuickTime\QTTask.exe
    804 C:\Program Files\iTunes\iTunesHelper.exe
    1556 C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    380 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    1716 C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
    1860 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    696 C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
    2068 C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
    2080 C:\WINDOWS\system32\hkcmd.exe
    2128 C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    2380 C:\WINDOWS\system32\ctfmon.exe
    2676 C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    2944 C:\Palm\HOTSYNC.EXE
    2992 C:\WINDOWS\system32\svchost.exe
    3076 C:\WINDOWS\system32\svchost.exe
    3160 C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
    3276 C:\Program Files\OpenOffice.org 2.0\program\soffice.bin
    3772 C:\Program Files\iPod\bin\iPodService.exe
    3388 C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    3880 alg.exe
    2812 C:\WINDOWS\system32\wuauclt.exe
    3892 C:\WINDOWS\system32\taskmgr.exe
    2488 C:\Program Files\Common Files\Symantec Shared\CCSVCHST.EXE
    544 C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
    2136 C:\WINDOWS\ElLince.scr
    2392 C:\WINDOWS\explorer.exe
    2756 C:\WINDOWS\system32\notepad.exe
    3732 F:\8 steps\MBRCheck.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000001`0baf4400 (NTFS)
    \\.\D: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (FAT32)
    \\.\F: --> \\.\PhysicalDrive1 at offset 0x00000000`00007e00 (NTFS)

    PhysicalDrive0 Model Number: HITACHI_DK23FA-60, Rev: 00M4A0A2
    PhysicalDrive1 Model Number: ToshibaExternal USB HDD, Rev: 1.04

    Size Device Name MBR Status
    --------------------------------------------
    55 GB \\.\PhysicalDrive0 Gateway MBR code detected
    SHA1: 007DADCB3671462B53686F6996D328CFD544ABBD
    465 GB \\.\PhysicalDrive1 RE: Unknown MBR code
    SHA1: 639AC5CDF8A5CF3245975932C6A4215450A7B98F


    Found non-standard or infected MBR.
    Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    Options:
    [1] Dump the MBR of a physical disk to file.
    [2] Restore the MBR of a physical disk with a standard boot code.
    [3] Exit.

    Enter your choice:

    Done!
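MBRCheck reports volumes, physical disks and MBR status on separate lines, so the reader has to correlate them by hand to see which drive letter sits on the disk with the unrecognized boot code. The following is an added example, not code from the thread or from MBRCheck: a Python parser that joins the volume-to-disk mapping, the model lines and the status/SHA1 pairs into one report, and flags every volume whose disk MBRCheck did not positively recognize. The sample lines are excerpted from the report above; the line shapes and the "MBR code detected" wording used as the "recognized" marker are assumptions taken from that output.

```python
"""Correlate MBRCheck volume, disk and MBR-status lines (added example, not from the thread)."""
import re

# Line shapes assumed from the MBRCheck report posted above.
VOLUME_RE = re.compile(
    r"^\\\\\.\\(?P<letter>[A-Z]): --> \\\\\.\\(?P<disk>PhysicalDrive\d+) "
    r"at offset 0x(?P<hi>[0-9a-fA-F]{8})`(?P<lo>[0-9a-fA-F]{8}) \((?P<fs>\w+)\)$"
)
MODEL_RE = re.compile(r"^(?P<disk>PhysicalDrive\d+) Model Number: (?P<model>.+?), Rev: (?P<rev>.+)$")
STATUS_RE = re.compile(r"^(?P<size>\d+) GB \\\\\.\\(?P<disk>PhysicalDrive\d+) (?P<status>.+)$")
SHA1_RE = re.compile(r"^SHA1: (?P<sha1>[0-9A-Fa-f]{40})$")

# Sample input: lines excerpted from the MBRCheck report posted in this thread.
MBRCHECK_SAMPLE = r"""
\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000001`0baf4400 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (FAT32)
\\.\F: --> \\.\PhysicalDrive1 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: HITACHI_DK23FA-60, Rev: 00M4A0A2
PhysicalDrive1 Model Number: ToshibaExternal USB HDD, Rev: 1.04

Size Device Name MBR Status
--------------------------------------------
55 GB \\.\PhysicalDrive0 Gateway MBR code detected
SHA1: 007DADCB3671462B53686F6996D328CFD544ABBD
465 GB \\.\PhysicalDrive1 RE: Unknown MBR code
SHA1: 639AC5CDF8A5CF3245975932C6A4215450A7B98F
""".strip().splitlines()


def parse_mbrcheck(lines):
    """Build {'volumes': {letter: {...}}, 'disks': {PhysicalDriveN: {...}}} from report lines."""
    report = {"volumes": {}, "disks": {}}
    last_disk = None  # the SHA1 line belongs to the status line just before it
    for raw in lines:
        line = raw.strip()
        m = VOLUME_RE.match(line)
        if m:
            # MBRCheck prints the 64-bit byte offset as two 32-bit halves separated by a backtick.
            offset = (int(m["hi"], 16) << 32) | int(m["lo"], 16)
            report["volumes"][m["letter"]] = {"disk": m["disk"], "fs": m["fs"], "offset": offset}
            continue
        m = MODEL_RE.match(line)
        if m:
            disk = report["disks"].setdefault(m["disk"], {})
            disk["model"], disk["rev"] = m["model"], m["rev"]
            continue
        m = STATUS_RE.match(line)
        if m:
            disk = report["disks"].setdefault(m["disk"], {})
            disk["size_gb"], disk["status"] = int(m["size"]), m["status"]
            last_disk = m["disk"]
            continue
        m = SHA1_RE.match(line)
        if m and last_disk:
            report["disks"][last_disk]["sha1"] = m["sha1"].upper()
            last_disk = None
    return report


def flag_unknown_mbr(report):
    """(letter, disk, status) for every volume on a disk whose boot code was not recognized."""
    flagged = []
    for letter, vol in sorted(report["volumes"].items()):
        status = report["disks"].get(vol["disk"], {}).get("status", "")
        if "MBR code detected" not in status:
            flagged.append((letter, vol["disk"], status))
    return flagged


if __name__ == "__main__":
    rep = parse_mbrcheck(MBRCHECK_SAMPLE)
    for disk, info in rep["disks"].items():
        print(f"{disk}: {info.get('model')} / {info.get('status')} / SHA1 {info.get('sha1')}")
    for letter, disk, status in flag_unknown_mbr(rep):
        print(f"follow up: {letter}: is on {disk} ({status})")
```

Joining the tables this way turns "Unknown MBR code" on PhysicalDrive1 into a concrete question about drive F:, and keeping the model string next to the status shows at a glance that the unrecognized boot code is on an external USB disk rather than the system disk, which changes how much weight the finding carries.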
  6. alejoromero9

    alejoromero9 Newcomer, in training Topic Starter Posts: 51

    One more thing... Not sure if I should run Combofix or wait until you have read the last log I posted.
  7. Broni

    Broni Malware Annihilator Posts: 45,265   +243

    What is drive F?
    Some external drive?

    Go ahead with Combofix.
  8. alejoromero9

    alejoromero9 Newcomer, in training Topic Starter Posts: 51

    F is an external drive. I ran Combofix. It asked me to connect to the internet to install the Recovery Console. After about an hour there is only a blue screen "Connecting to http://download.microsoft.com.." and 1.2% (with the cursor blinking and moving up). Is that normal?
  9. Broni

    Broni Malware Annihilator Posts: 45,265   +243

    Stop it.
    Re-run it and skip recovery console installation for now.
  10. alejoromero9

    alejoromero9 Newcomer, in training Topic Starter Posts: 51

    Combofix run

    OK Broni. Here is the log (the last one)... Am I Clean?

  11. Broni

    Broni Malware Annihilator Posts: 45,265   +243

    I can't tell yet. We'll need to run a couple more scans.

    Combofix log looks fine :)

    Uninstall Combofix:
    Go Start > Run [Vista users, go Start>"Start search"]
    Type in:
    Combofix /Uninstall
    Note the space between the "Combofix" and the "/Uninstall"
    Click OK (Vista users - press Enter).
    Restart computer.

    ======================================================================

    Uninstall Uniblue RegistryBooster (if present)
    Registry tools are not recommended and here is why: http://miekiemoes.blogspot.com/2008/02/registry-cleaners-and-system-tweaking_13.html

    =====================================================================

    Update Malwarebytes, run "Quick scan". Post the log.

    =======================================================================

    Download OTL to your Desktop.

    * Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
    * Under the Custom Scan box paste this in:



    netsvcs
    drivers32 /all
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\system32\*.wt
    %systemroot%\system32\*.ruy
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\system32\spool\prtprocs\w32x86\*.tmp
    %systemroot%\*. /mp /s
    /md5start
    /md5stop
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\user32.dll /md5
    %systemroot%\system32\ws2_32.dll /md5
    %systemroot%\system32\ws2help.dll /md5
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs



    * Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
  12. alejoromero9

    alejoromero9 Newcomer, in training Topic Starter Posts: 51

    Looks like it's working

    Attached the logs.

    Tx

  13. Broni

    Broni Malware Annihilator Posts: 45,265   +243

    I'd prefer if you attach single logs, not all in one piece.
    Thanks :)

    Your computer would greatly benefit from installing another 512MB of RAM.

    ========================================================================

    Update your Java version here: http://www.java.com/en/download/installed.jsp

    Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

    Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

    Now, we need to remove the old Java version and its remnants...

    Download JavaRa to your desktop and unzip it to its own folder
    • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
    • Accept any prompts.

    =======================================================================

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local;<local>
      O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
      O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No CLSID value found.
      O3 - HKLM\..\Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No CLSID value found.
      O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
      O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No CLSID value found.
      O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
      tatusMessages = 0
      O9 - Extra Button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - Reg Error: Key error. File not found
      O9 - Extra 'Tools' menuitem : AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - Reg Error: Value error. File not found
      O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Reg Error: Key error.)
      O16 - DPF: {5E92F538-B50B-46C5-9C5F-C6EECED3F6C6} http://www.infospace.com/mypoints.main/tbar/mypointsSetup.exe (Reg Error: Key error.)
      O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
      [2010/08/20 21:54:43 | 000,000,000 | ---D | C] -- C:\Program Files\Uniblue
      [2010/08/20 21:52:56 | 005,169,888 | ---- | C] (Uniblue Systems Ltd                                         ) -- C:\Documents and Settings\Owner\Desktop\registrybooster.exe
      @Alternate Data Stream - 76 bytes -> C:\Documents and Settings\Owner\My Documents\Queridas Directoras y Guías.doc:Roxio EMC Stream
      @Alternate Data Stream - 76 bytes -> C:\Documents and Settings\Owner\My Documents\Presentation2.ppt:Roxio EMC Stream
      @Alternate Data Stream - 76 bytes -> C:\Documents and Settings\Owner\My Documents\Presentación CrediAgil.ppt:Roxio EMC Stream
      @Alternate Data Stream - 76 bytes -> C:\Documents and Settings\Owner\My Documents\pago arrecife enefebmar.ppt:Roxio EMC Stream
      @Alternate Data Stream - 76 bytes -> C:\Documents and Settings\Owner\My Documents\Invitacion Cumpleanos Gabriela Romero.jpg:Roxio EMC Stream
      @Alternate Data Stream - 76 bytes -> C:\Documents and Settings\Owner\My Documents\Invitacion cumple Gabriela.jpg:Roxio EMC Stream
      @Alternate Data Stream - 76 bytes -> C:\Documents and Settings\Owner\My Documents\factura diciembre].doc:Roxio EMC Stream
      @Alternate Data Stream - 76 bytes -> C:\Documents and Settings\Owner\My Documents\factura barone enro.doc:Roxio EMC Stream
      @Alternate Data Stream - 76 bytes -> C:\Documents and Settings\Owner\My Documents\credo y pensamiento taekwondo.doc:Roxio EMC Stream
      @Alternate Data Stream - 76 bytes -> C:\Documents and Settings\Owner\My Documents\CrediAgil.doc:Roxio EMC Stream
      @Alternate Data Stream - 76 bytes -> C:\Documents and Settings\Owner\My Documents\carta trabajo Katiuska.doc:Roxio EMC Stream
      @Alternate Data Stream - 76 bytes -> C:\Documents and Settings\Owner\My Documents\carta tata.doc:Roxio EMC Stream
      @Alternate Data Stream - 76 bytes -> C:\Documents and Settings\Owner\My Documents\carta dona daysi.doc:Roxio EMC Stream
      @Alternate Data Stream - 76 bytes -> C:\Documents and Settings\Owner\My Documents\calendario.xls:Roxio EMC Stream
      
      
      :Services
      
      :Reg
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
      "DisableMonitoring" =-
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
      "DisableMonitoring" =-
      
      :Files
      
      :Commands
      [purity]
      [emptytemp]
      [emptyflash]
      [Reboot]
      
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.

    ====================================================================

    Last scans....

    1. Download Security Check from HERE, and save it to your Desktop.
    • Double-click SecurityCheck.exe
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


    2. Download Temp File Cleaner (TFC)
    • Double click on TFC.exe to run the program.
    • Click on Start button to begin cleaning process.
    • TFC will close all running programs, and it may ask you to restart computer.


    3. Go to Kaspersky website and perform an online antivirus scan.

    • Disable your active antivirus program.
    • Read through the requirements and privacy statement and click on Accept button.
    • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    • When the downloads have finished, click on Settings.
    • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      • Spyware, Adware, Dialers, and other potentially dangerous programs
      • Archives
      • Mail databases
    • Click on My Computer under Scan.
    • Once the scan is complete, it will display the results. Click on View Scan Report.
    • You will see a list of infected items there. Click on Save Report As....
    • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.
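    The two technical items in the fix script above are the alternate data streams OTL listed on the user's documents and the ":Reg" block that deletes the DisableMonitoring values under the Security Center Monitoring keys ("=-" in OTL syntax means "remove this value"). The following PowerShell is an added example, not part of the thread and not OTL's own code, that reproduces both checks with built-in cmdlets so the same findings can be verified by hand. It assumes PowerShell 3.0 or later (for Get-Item -Stream), an elevated shell for the -Remove switch, and the default scan root is an assumption chosen for illustration.

```powershell
# Added example (not from the thread or from OTL): re-check the two findings
# behind the fix script with stock PowerShell 3.0+ cmdlets.
# The scan root and the -Remove switch are assumptions for illustration.

param(
    # Directory to scan for alternate data streams (assumed default: My Documents)
    [string]$Root = [Environment]::GetFolderPath('MyDocuments'),
    # Delete DisableMonitoring values instead of only reporting them (needs admin)
    [switch]$Remove
)

# --- 1. Alternate data streams ----------------------------------------------
# NTFS lets a file carry extra named streams; OTL reports every one it finds.
# ':$DATA' is the file's ordinary content and is skipped. "Roxio EMC Stream" is
# the burning software's tag seen in the log and Zone.Identifier is the browser
# "downloaded from the Internet" mark; anything else deserves a look.
$knownBenign = @('Roxio EMC Stream', 'Zone.Identifier')

function Get-SuspiciousAds {
    param([string]$Path)
    Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    [pscustomobject]@{
                        File   = $file.FullName
                        Stream = $_.Stream
                        Bytes  = $_.Length
                        Benign = ($knownBenign -contains $_.Stream)
                    }
                }
        }
}

# --- 2. Security Center monitoring flags -------------------------------------
# The ":Reg" block removes DisableMonitoring under the SymantecAntiVirus and
# SymantecFirewall keys. A value of 1 there stops Security Center from warning
# that the product is off, which is why malware sets it. This walks every
# vendor subkey rather than only the two named in the script.
function Get-DisabledMonitoring {
    param([switch]$Remove)
    $base = 'HKLM:\SOFTWARE\Microsoft\Security Center\Monitoring'
    if (-not (Test-Path -Path $base)) { return }
    Get-ChildItem -Path $base | ForEach-Object {
        $key = $_.PSPath
        $val = Get-ItemProperty -Path $key -Name DisableMonitoring -ErrorAction SilentlyContinue
        if ($null -ne $val) {
            if ($Remove) {
                # Same effect as the OTL "=-" line; requires an elevated shell
                Remove-ItemProperty -Path $key -Name DisableMonitoring
            }
            [pscustomobject]@{
                Key               = $_.PSChildName
                DisableMonitoring = $val.DisableMonitoring
                Removed           = [bool]$Remove
            }
        }
    }
}

"Alternate data streams outside the known-benign list under $Root:"
Get-SuspiciousAds -Path $Root |
    Where-Object { -not $_.Benign } |
    Format-Table -AutoSize

"Security Center monitoring keys with DisableMonitoring set:"
Get-DisabledMonitoring -Remove:$Remove | Format-Table -AutoSize
```

Run it without -Remove first to see what would change; the seventeen 76-byte "Roxio EMC Stream" entries from the log fall into the benign list and are filtered out of the first table, so only unexpected streams are shown.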
     
  14. alejoromero9

    alejoromero9 Newcomer, in training Topic Starter Posts: 51

    Thanks Roni and sorry about the logs. Its gonna be 2 am over here and I need to get some rest. We will continue tomorrow. I can not describe how thankful I am for your time and help.

    Bye.
  15. Broni

    Broni Malware Annihilator Posts: 45,265   +243

    You're very welcome :)
  16. alejoromero9

    alejoromero9 Newcomer, in training Topic Starter Posts: 51

    Hi Broni. It took me almost 24 hrs to download Java. Now that I try to run it a message prompts indicating "JavaSetup6u21.exe" is not a valid Win32 application.

    Please, your directions.
  17. Broni

    Broni Malware Annihilator Posts: 45,265   +243

    It may be bad download.
    What type of internet connection do you have.
    Try to run JavaRa first to uninstall old Java versions.
  18. alejoromero9

    alejoromero9 Newcomer, in training Topic Starter Posts: 51

    I've got a wireless connection through a Linksys router, 54 Mbps. Not sure if you want me to download Java again. If that's the case, should I uninstall the current Java before the download?
  19. Broni

    Broni Malware Annihilator Posts: 45,265   +243

    I'm curious why the Java download took so long, since you seem to be on a broadband connection.
    Is it cable, or DSL?

    1. Run JavaRa to uninstall old Java version.
    2. Re-download new Java (IMPORTANT! Make sure to download "off-line" file) and try to install it again.
  20. alejoromero9

    alejoromero9 Newcomer, in training Topic Starter Posts: 51

    DSL. I'm going to do as you said.
  21. Broni

    Broni Malware Annihilator Posts: 45,265   +243

    Cool :)....
  22. alejoromero9

    alejoromero9 Newcomer, in training Topic Starter Posts: 51

    One question. Last week when trying to fix this on my own I downloaded SmartCleaner. Would you prefer I uninstall it?
  23. Broni

    Broni Malware Annihilator Posts: 45,265   +243

  24. alejoromero9

    alejoromero9 Newcomer, in training Topic Starter Posts: 51

    Got a Task Shield warning "winlogon.exe". What do I do?
  25. Broni

    Broni Malware Annihilator Posts: 45,265   +243

    When doing what?
    I need to know EXACT message.