Solved Can't open DDS

[alejoromero9]

Hi everyone. I'm new in the forum and long to be helpful someday.

Right now I'm following the 8 steps to clean my Laptop up: So far I have had two issues. First, when running Malware it did not update. Last Update was on 4/5/2010. Yet, It found two threads and the software cleaned them up.
Second, I downloaded the DDS program but it won't run. When clicking on "run" an alert prompts indicating there is no software in my computer to run it. Gives me two options: 1) Choosing a program from a list (tried notepad and wordpad and did not work) and 2) using the web to choose a software that leads me to Uniblue which I had already downloaded; I did not run it because at the beginning of the 8 steps I was warned not to run any other software during the process.

Can anybody help?

Thanks in advance.

Alejandro.

 

[Broni]

Welcome aboard

Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

There are 4 different versions. If one of them won't run then download and try to run the other one.

Vista and Win7 users need to right click Rkill and choose Run as Administrator

You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

* Rkill.com
* Rkill.scr
* Rkill.pif
* Rkill.exe

• 
  * Double-click on the Rkill desktop icon to run the tool.
  * If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  * A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  * If not, delete the file, then download and use the one provided in Link 2.
  * If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  * Do not reboot until instructed.
  * If the tool does not run from any of the links provided, please let me know.

Once you've gotten one of them to run then try to immediately run the following.

Now download and run exeHelper.

• 
  * Please download exeHelper from Raktor to your desktop.
  * Double-click on exeHelper.com to run the fix.
  * A black window should pop up, press any key to close once the fix is completed.
  * A log file named log.txt will be created in the directory where you ran exeHelper.com
  * Attach the log.txt file to your next message.

Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

Now, try to run DDS.

If still no go, post any other log, you can.

 

[alejoromero9]

Not working

Dear Roni:

Thanks very much for your help. Unfortunately it did not work. After running exehelper I tried to open the DDS file and it came back to the screen where it asks to choose a program to open the file.

I'm attaching all of the logs I have got since I began with the 8 steps. I hope you can help me as I'm getting a little anxious about this.

Thanks in advance.

Alejandro.


Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4052

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

23/08/2010 10:50:09 p.m.
mbam-log-2010-08-23 (22-50-09).txt

Scan type: Quick scan
Objects scanned: 123027
Time elapsed: 40 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{549b5ca7-4a86-11d7-a4df-000874180bb3} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{549b5ca7-4a86-11d7-a4df-000874180bb3} (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

__________________________________________________________________________________

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-08-24 00:35:55
Windows 5.1.2600 Service Pack 3
Running: 3o27pp0g.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\pwdoqkow.sys


---- System - GMER 1.0.15 ----

SSDT 858EB168 ZwAlertResumeThread
SSDT 857C4B00 ZwAlertThread
SSDT 85844CD0 ZwAllocateVirtualMemory
SSDT 859E84D8 ZwConnectPort
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xEEBF6020]
SSDT 857CE908 ZwCreateMutant
SSDT 8593A308 ZwCreateThread
SSDT 85A7EF00 ZwDebugActiveProcess
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xEEBF62A0]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xEEBF6800]
SSDT 857591D8 ZwFreeVirtualMemory
SSDT 85AAFEB0 ZwImpersonateAnonymousToken
SSDT 85AA5570 ZwImpersonateThread
SSDT 859189F8 ZwMapViewOfSection
SSDT 85B021B0 ZwOpenEvent
SSDT 857FD180 ZwOpenProcessToken
SSDT 85A77438 ZwOpenSection
SSDT 8585C4E8 ZwOpenThreadToken
SSDT 858D3C28 ZwResumeThread
SSDT 857381B8 ZwSetContextThread
SSDT 85A88108 ZwSetInformationProcess
SSDT 8585DE08 ZwSetInformationThread
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xEEBF6A50]
SSDT 85AB1AF0 ZwSuspendProcess
SSDT 8585E828 ZwSuspendThread
SSDT 858D3438 ZwTerminateProcess
SSDT 8584B158 ZwTerminateThread
SSDT 858BB220 ZwUnmapViewOfSection
SSDT 85814208 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!_abnormal_termination + F8 804E2754 4 Bytes JMP BF99ACD5 \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text ntoskrnl.exe!_abnormal_termination + 250 804E28AC 4 Bytes CALL 83D3AE75
? kiilxea.sys The system cannot find the file specified. !

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update@OfflineDetectionPending 1

---- EOF - GMER 1.0.15 ----


_________________________________________________________________________________________

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Ran as Owner on 24/08/2010 at 20:07:16.


Processes terminated by Rkill or while it was running:


C:\Documents and Settings\Owner\Desktop\8 steps\rkill.com


Rkill completed on 24/08/2010 at 20:07:26.


_______________________________________________________________________________________

exeHelper by Raktor
Build 20100414
Run at 20:09:05 on 08/24/10
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--

 

[Broni]

No worries. You did fine

Download MBRCheck to your desktop

Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
It will show a black screen with some data on it.
A report called MBRcheckxxxx.txt will be on your desktop
Open this report and post its content in your next reply.

======================================================================

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

1. Please, never rename Combofix unless instructed.
2. Close any open browsers.
3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
   • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
   • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
   NOTE1. If Combofix asks you to install Recovery Console, please allow it.
   NOTE 2. If Combofix asks you to update the program, always do so.
   • Close any open browsers.
   • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
   • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
   • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
4. Double click on combofix.exe & follow the prompts.
5. When finished, it will produce a report for you.
6. Please post the "C:\ComboFix.txt"

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Make sure, you re-enable your security programs, when you're done with Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!

 

[alejoromero9]

Thank Roni. Here you go...

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows XP Home Edition
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000003c

Kernel Drivers (total 185):
0x804D7000 \WINDOWS\system32\ntoskrnl.exe
0x806EE000 \WINDOWS\system32\hal.dll
0xF7A6F000 \WINDOWS\system32\KDCOM.DLL
0xF797F000 \WINDOWS\system32\BOOTVID.dll
0xF7520000 ACPI.sys
0xF7A71000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF750F000 pci.sys
0xF756F000 isapnp.sys
0xF7983000 ACPIEC.sys
0xF7B37000 \WINDOWS\system32\DRIVERS\OPRGHDLR.SYS
0xF7987000 compbatt.sys
0xF798B000 \WINDOWS\System32\DRIVERS\BATTC.SYS
0xF7B38000 pciide.sys
0xF77EF000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xF7A73000 aliide.sys
0xF7A75000 intelide.sys
0xF7A77000 toside.sys
0xF7A79000 viaide.sys
0xF7A7B000 cmdide.sys
0xF74F1000 pcmcia.sys
0xF757F000 MountMgr.sys
0xF74D2000 ftdisk.sys
0xF77F7000 PartMgr.sys
0xF758F000 VolSnap.sys
0xF798F000 cpqarray.sys
0xF74BA000 \WINDOWS\system32\DRIVERS\SCSIPORT.SYS
0xF74A2000 atapi.sys
0xF7993000 aha154x.sys
0xF77FF000 sparrow.sys
0xF7997000 symc810.sys
0xF759F000 aic78xx.sys
0xF799B000 dac960nt.sys
0xF75AF000 ql10wnt.sys
0xF799F000 amsint.sys
0xF7807000 asc.sys
0xF79A3000 asc3550.sys
0xF780F000 mraid35x.sys
0xF7817000 i2omp.sys
0xF79A7000 ini910u.sys
0xF75BF000 ql1240.sys
0xF75CF000 aic78u2.sys
0xF781F000 symc8xx.sys
0xF7827000 sym_hi.sys
0xF782F000 sym_u3.sys
0xF7837000 ABP480N5.SYS
0xF783F000 asc3350p.sys
0xF7A7D000 cd20xrnt.sys
0xF75DF000 ultra.sys
0xF7489000 adpu160m.sys
0xF7847000 dpti2o.sys
0xF75EF000 ql1080.sys
0xF75FF000 ql1280.sys
0xF760F000 ql12160.sys
0xF784F000 perc2.sys
0xF7A7F000 perc2hib.sys
0xF7857000 hpn.sys
0xF79AB000 cbidf2k.sys
0xF745D000 dac2w2k.sys
0xF761F000 disk.sys
0xF762F000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF743D000 fltmgr.sys
0xF742B000 sr.sys
0xF763F000 PxHelp20.sys
0xF7414000 KSecDD.sys
0xF7387000 Ntfs.sys
0xF735A000 NDIS.sys
0xF764F000 sisagp.sys
0xF765F000 viaagp.sys
0xF7349000 rmedia.sys
0xF766F000 ohci1394.sys
0xF767F000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
0xF732F000 Mup.sys
0xF768F000 agp440.sys
0xF769F000 alim1541.sys
0xF76AF000 amdagp.sys
0xF76BF000 agpCPQ.sys
0xF76EF000 \SystemRoot\system32\DRIVERS\nic1394.sys
0xF688D000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xF7267000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0xF67A6000 \SystemRoot\system32\DRIVERS\ialmnt5.sys
0xF6792000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF789F000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xF676E000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF78A7000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF687D000 \SystemRoot\system32\DRIVERS\Rtlnic51.sys
0xF671A000 \SystemRoot\system32\DRIVERS\bcmwl5.sys
0xF686D000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xF78AF000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF66EE000 \SystemRoot\system32\DRIVERS\SynTP.sys
0xF7AAD000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xF78B7000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF685D000 \SystemRoot\system32\DRIVERS\imapi.sys
0xF684D000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xF76FF000 \SystemRoot\system32\DRIVERS\redbook.sys
0xF66CB000 \SystemRoot\system32\DRIVERS\ks.sys
0xF770F000 \SystemRoot\SYSTEM32\DRIVERS\GEARAspiWDM.sys
0xF6635000 \SystemRoot\system32\drivers\smwdm.sys
0xF6611000 \SystemRoot\system32\drivers\portcls.sys
0xF771F000 \SystemRoot\system32\drivers\drmk.sys
0xF7AAF000 \SystemRoot\system32\drivers\aeaudio.sys
0xF65E0000 \SystemRoot\system32\DRIVERS\HSFHWICH.sys
0xF64E1000 \SystemRoot\system32\DRIVERS\HSF_DP.sys
0xF643B000 \SystemRoot\system32\DRIVERS\HSF_CNXT.sys
0xF78BF000 \SystemRoot\System32\Drivers\Modem.SYS
0xF7CAE000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF7AB3000 \SystemRoot\System32\Drivers\RootMdm.sys
0xF772F000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF725F000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xF6424000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF773F000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF774F000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF78C7000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xF6413000 \SystemRoot\system32\DRIVERS\psched.sys
0xF775F000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF78CF000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF78D7000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF78DF000 \SystemRoot\system32\DRIVERS\RimSerial.sys
0xF776F000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF78E7000 \SystemRoot\system32\DRIVERS\SymIM.sys
0xF7ABD000 \SystemRoot\system32\DRIVERS\swenum.sys
0xF63B5000 \SystemRoot\system32\DRIVERS\update.sys
0xF724B000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF777F000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xF779F000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xF7066000 \SystemRoot\System32\Drivers\i2omgmt.SYS
0xF7AC5000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF7CBE000 \SystemRoot\System32\Drivers\Null.SYS
0xF7AC7000 \SystemRoot\System32\Drivers\Beep.SYS
0xF7907000 \SystemRoot\System32\drivers\vga.sys
0xF7AC9000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF7ACB000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF790F000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF7917000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF7062000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xEE23A000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xEE1E1000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xEE1B5000 \SystemRoot\System32\Drivers\SYMTDI.SYS
0xEE190000 \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
0xF7A23000 \SystemRoot\System32\Drivers\SYMREDRV.SYS
0xF7ACD000 \SystemRoot\System32\Drivers\SYMDNS.SYS
0xF791F000 \SystemRoot\System32\Drivers\SYMNDIS.SYS
0xEE12A000 \SystemRoot\System32\Drivers\SYMFW.SYS
0xF7927000 \SystemRoot\System32\Drivers\SYMIDS.SYS
0xEE0BD000 \??\C:\PROGRA~1\COMMON~1\SYMANT~1\SymcData\ipsdefs\20100819.001\SymIDSCo.sys
0xEE097000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xF72EF000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xF72DF000 \SystemRoot\system32\DRIVERS\arp1394.sys
0xEE06F000 \SystemRoot\system32\DRIVERS\netbt.sys
0xEE04D000 \SystemRoot\System32\drivers\afd.sys
0xF72AF000 \SystemRoot\System32\Drivers\SRTSPX.SYS
0xEDFDD000 \??\C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys
0xF729F000 \SystemRoot\System32\Drivers\Fips.SYS
0xEDF7F000 \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
0xEDF62000 \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
0xEDF3E000 \SystemRoot\System32\Drivers\Fastfat.SYS
0xEDF26000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xF7AD3000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xF63A1000 \SystemRoot\System32\drivers\Dxapi.sys
0xF7887000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF7B73000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF020000 \SystemRoot\System32\ialmdnt5.dll
0xBF012000 \SystemRoot\System32\ialmrnt5.dll
0xBF03F000 \SystemRoot\System32\ialmdev5.DLL
0xBF05E000 \SystemRoot\System32\ialmdd5.DLL
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xEDDF2000 \SystemRoot\system32\DRIVERS\AegisP.sys
0xEDEBE000 \SystemRoot\system32\DRIVERS\fssfltr_tdi.sys
0xEDDEE000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xEE178000 \??\C:\WINDOWS\system32\drivers\CO_Mon.sys
0xED959000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xED91C000 \SystemRoot\system32\drivers\wdmaud.sys
0xEDB36000 \SystemRoot\system32\drivers\sysaudio.sys
0xF7AD9000 \SystemRoot\System32\Drivers\ASCTRM.SYS
0xEDA76000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
0xED60E000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xEE168000 \??\C:\WINDOWS\system32\drivers\symlcbrd.sys
0xECCBB000 \SystemRoot\System32\Drivers\SRTSP.SYS
0xECB6F000 \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20100823.025\NAVEX15.SYS
0xECB5B000 \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20100823.025\NAVENG.SYS
0xECB1A000 \SystemRoot\System32\Drivers\HTTP.sys
0xBA7D5000 \SystemRoot\system32\drivers\kmixer.sys
0xF7967000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 50):
0 System Idle Process
4 System
900 C:\WINDOWS\system32\smss.exe
1004 csrss.exe
1028 C:\WINDOWS\system32\winlogon.exe
1072 C:\WINDOWS\system32\services.exe
1084 C:\WINDOWS\system32\lsass.exe
1240 C:\WINDOWS\system32\svchost.exe
1296 svchost.exe
1336 C:\WINDOWS\system32\svchost.exe
1412 svchost.exe
1596 svchost.exe
1976 C:\Program Files\Common Files\Symantec Shared\CCSVCHST.EXE
120 C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
1696 C:\WINDOWS\system32\spoolsv.exe
688 svchost.exe
700 C:\Program Files\Uniblue\RegistryBooster\rbmonitor.exe
1608 C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
476 C:\Program Files\Bonjour\mDNSResponder.exe
604 C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
656 C:\WINDOWS\system32\HPZipm12.exe
740 C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
1884 C:\Program Files\QuickTime\QTTask.exe
804 C:\Program Files\iTunes\iTunesHelper.exe
1556 C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
380 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
1716 C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
1860 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
696 C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
2068 C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
2080 C:\WINDOWS\system32\hkcmd.exe
2128 C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
2380 C:\WINDOWS\system32\ctfmon.exe
2676 C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
2944 C:\Palm\HOTSYNC.EXE
2992 C:\WINDOWS\system32\svchost.exe
3076 C:\WINDOWS\system32\svchost.exe
3160 C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
3276 C:\Program Files\OpenOffice.org 2.0\program\soffice.bin
3772 C:\Program Files\iPod\bin\iPodService.exe
3388 C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
3880 alg.exe
2812 C:\WINDOWS\system32\wuauclt.exe
3892 C:\WINDOWS\system32\taskmgr.exe
2488 C:\Program Files\Common Files\Symantec Shared\CCSVCHST.EXE
544 C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
2136 C:\WINDOWS\ElLince.scr
2392 C:\WINDOWS\explorer.exe
2756 C:\WINDOWS\system32\notepad.exe
3732 F:\8 steps\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000001`0baf4400 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (FAT32)
\\.\F: --> \\.\PhysicalDrive1 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: HITACHI_DK23FA-60, Rev: 00M4A0A2
PhysicalDrive1 Model Number: ToshibaExternal USB HDD, Rev: 1.04

Size Device Name MBR Status
--------------------------------------------
55 GB \\.\PhysicalDrive0 Gateway MBR code detected
SHA1: 007DADCB3671462B53686F6996D328CFD544ABBD
465 GB \\.\PhysicalDrive1 RE: Unknown MBR code
SHA1: 639AC5CDF8A5CF3245975932C6A4215450A7B98F


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:
Options:
[1] Dump the MBR of a physical disk to file.
[2] Restore the MBR of a physical disk with a standard boot code.
[3] Exit.

Enter your choice:

Done!

 

[alejoromero9]

One more thing... Not sure If I should either run combofix or wait for you until you read the last log I posted

 

[Broni]

What is drive F?
Some eternal drive?

Go ahead with Combofix.

 

[alejoromero9]

F is an external Drive. I ran Combofix. Asked me to connect to internet to install recovery console. In about an hour there is only a blue screen "Connecting to http://download.microsoft.com.." and 1.2% (with the cursor blinking and moving up). Is it normal?

 

[Broni]

Stop it.
Re-run it and skip recovery console installation for now.

 

[alejoromero9]

Combofix run

OK Broni. Here is the log (the last one)... Am I Clean?

 

[Broni]

I can't tell yet. We'll need to run couple more scans.

Combofix log looks fine

Uninstall Combofix:
Go Start > Run [Vista users, go Start>"Start search"]
Type in:
Combofix /Uninstall
Note the space between the "Combofix" and the "/Uninstall"
Click OK (Vista users - press Enter).
Restart computer.

======================================================================

Uninstall Uniblue RegistryBooster (if present)
Registry tools are not recommended and here is why: http://miekiemoes.blogspot.com/2008/02/registry-cleaners-and-system-tweaking_13.html

=====================================================================

Update Mlawarebytes, run "Quick scan". Post the log.

=======================================================================

Download OTL to your Desktop.

* Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
* Under the Custom Scan box paste this in:



netsvcs
drivers32 /all
%SYSTEMDRIVE%\*.*
%systemroot%\system32\Spool\prtprocs\w32x86\*.dll
%systemroot%\system32\*.wt
%systemroot%\system32\*.ruy
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\system32\spool\prtprocs\w32x86\*.tmp
%systemroot%\*. /mp /s
/md5start
/md5stop
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\user32.dll /md5
%systemroot%\system32\ws2_32.dll /md5
%systemroot%\system32\ws2help.dll /md5
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs



* Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.

• When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
• Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.

 

[alejoromero9]

Looks like its working

Attached the logs.

Tx

 

[Broni]

I'd prefer, if you attach single logs, not a one piece.
Thanks

Your computer would greatly benefit from installing another 512MB of RAM.

========================================================================

Update your Java version here: http://www.java.com/en/download/installed.jsp

Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

Now, we need to remove old Java version and its remnants...

Download JavaRa to your desktop and unzip it to its own folder

• Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
• Accept any prompts.

=======================================================================

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following
  
  

  :OTL
  IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local;<local>
  O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
  O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No CLSID value found.
  O3 - HKLM\..\Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No CLSID value found.
  O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
  O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No CLSID value found.
  O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
  tatusMessages = 0
  O9 - Extra Button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - Reg Error: Key error. File not found
  O9 - Extra 'Tools' menuitem : AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - Reg Error: Value error. File not found
  O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Reg Error: Key error.)
  O16 - DPF: {5E92F538-B50B-46C5-9C5F-C6EECED3F6C6} http://www.infospace.com/mypoints.main/tbar/mypointsSetup.exe (Reg Error: Key error.)
  O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
  [2010/08/20 21:54:43 | 000,000,000 | ---D | C] -- C:\Program Files\Uniblue
  [2010/08/20 21:52:56 | 005,169,888 | ---- | C] (Uniblue Systems Ltd                                         ) -- C:\Documents and Settings\Owner\Desktop\registrybooster.exe
  @Alternate Data Stream - 76 bytes -> C:\Documents and Settings\Owner\My Documents\Queridas Directoras y Guías.doc:Roxio EMC Stream
  @Alternate Data Stream - 76 bytes -> C:\Documents and Settings\Owner\My Documents\Presentation2.ppt:Roxio EMC Stream
  @Alternate Data Stream - 76 bytes -> C:\Documents and Settings\Owner\My Documents\Presentación CrediAgil.ppt:Roxio EMC Stream
  @Alternate Data Stream - 76 bytes -> C:\Documents and Settings\Owner\My Documents\pago arrecife enefebmar.ppt:Roxio EMC Stream
  @Alternate Data Stream - 76 bytes -> C:\Documents and Settings\Owner\My Documents\Invitacion Cumpleanos Gabriela Romero.jpg:Roxio EMC Stream
  @Alternate Data Stream - 76 bytes -> C:\Documents and Settings\Owner\My Documents\Invitacion cumple Gabriela.jpg:Roxio EMC Stream
  @Alternate Data Stream - 76 bytes -> C:\Documents and Settings\Owner\My Documents\factura diciembre].doc:Roxio EMC Stream
  @Alternate Data Stream - 76 bytes -> C:\Documents and Settings\Owner\My Documents\factura barone enro.doc:Roxio EMC Stream
  @Alternate Data Stream - 76 bytes -> C:\Documents and Settings\Owner\My Documents\credo y pensamiento taekwondo.doc:Roxio EMC Stream
  @Alternate Data Stream - 76 bytes -> C:\Documents and Settings\Owner\My Documents\CrediAgil.doc:Roxio EMC Stream
  @Alternate Data Stream - 76 bytes -> C:\Documents and Settings\Owner\My Documents\carta trabajo Katiuska.doc:Roxio EMC Stream
  @Alternate Data Stream - 76 bytes -> C:\Documents and Settings\Owner\My Documents\carta tata.doc:Roxio EMC Stream
  @Alternate Data Stream - 76 bytes -> C:\Documents and Settings\Owner\My Documents\carta dona daysi.doc:Roxio EMC Stream
  @Alternate Data Stream - 76 bytes -> C:\Documents and Settings\Owner\My Documents\calendario.xls:Roxio EMC Stream
  
  
  :Services
  
  :Reg
  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
  "DisableMonitoring" =-
  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
  "DisableMonitoring" =-
  
  :Files
  
  :Commands
  [purity]
  [emptytemp]
  [emptyflash]
  [Reboot]

• Then click the Run Fix button at the top
• Let the program run unhindered, reboot the PC when it is done
• You will get a log that shows the results of the fix. Please post it.

====================================================================

Last scans....

1. Download Security Check from HERE, and save it to your Desktop.

• Double-click SecurityCheck.exe
• Follow the onscreen instructions inside of the black box.
• A Notepad document should open automatically called checkup.txt; please post the contents of that document.

2. Download Temp File Cleaner (TFC)

• Double click on TFC.exe to run the program.
• Click on Start button to begin cleaning process.
• TFC will close all running programs, and it may ask you to restart computer.

3. Go to Kaspersky website and perform an online antivirus scan.

• Disable your active antivirus program.
• Read through the requirements and privacy statement and click on Accept button.
• It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
• When the downloads have finished, click on Settings.
• Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
  
  • Spyware, Adware, Dialers, and other potentially dangerous programs
  • Archives
  • Mail databases
• Click on My Computer under Scan.
• Once the scan is complete, it will display the results. Click on View Scan Report.
• You will see a list of infected items there. Click on Save Report As....
• Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.

 

[alejoromero9]

Thanks Roni and sorry about the logs. Its gonna be 2 am over here and I need to get some rest. We will continue tomorrow. I can not describe how thankful I am for your time and help.

Bye.

 

[Broni]

You're very welcome

 

[alejoromero9]

Hi Broni. I took me almost 24 hrs to download Java. Now that I try to run it a mmessage prompts indicating "JavaSetup6u21.exe" is not a valid Win32 application.

Pls your directions.

 

[Broni]

It may be bad download.
What type of internet connection do you have.
Try to run JavaRa first to uninstall old Java versions.

 

[alejoromero9]

I've got a wriless connection through a Linksys Router, 54 Mbps. Not sure if you want me to download Java again. If tha's the case, should I uninstall the current Java beore the download?

 

[Broni]

I'm curious why Java download took so long, since you seem to on broadband connection.
Is it cable, or DSL?

1. Run JavaRa to uninstall old Java version.
2. Re-download new Java (IMPORTANT! Make sure to download "off-line" file) and try to install it again.

 

[alejoromero9]

DSL. I'm going to do as you said

 

[Broni]

Cool ....

 

[alejoromero9]

One question. Last week when trying to fix this on my own I downloaded SmartCleaner. Would you prefer I uninstall it?

 

[Broni]

Yes. It's a rogue program.
See WOT's rating: http://www.mywot.com/en/scorecard/smartcleaner.net
I suspect, it deals with registry and if so, it may be a part of your current Java issue.

 

[alejoromero9]

Got a Task Shield warning "winlogon.exe". What do i do?

 

[Broni]

When doing what?
I need to know EXACT message.