Jump to content
kstmommy

Emergency Help - can't work until safe. Virus/Malware issues

Recommended Posts

Morning. Ok on step 1, under Program Files properties, the read only box isn't technically checkmarked, but it seems to be selected with a green square in the selection. If I de-select it, and hit apply, I get the warning message attached... I cancelled out and did not make any changes until you advise..

Also, as you can see by the image, I have no "security" tab to check.

changes.bmp

Share this post


Link to post
Share on other sites

A) next time, if you need to attach an image, try to save it as a GIF file when you 1st do it.

BMP files are a bit harder to work with.

b) You will need to click on the Advanced button and see what is available under it.

That should have the more granular file permissions.

Share this post


Link to post
Share on other sites

Under advanced, there's only options for Archive and Index attributes and Compress or Encript attributes. The only thing checked is allow Indexing for fast searching.

Share this post


Link to post
Share on other sites

Do this when you have some un-interrupted time available. This is to insure that administrators & also system have access to folders on the hard drive

Download and save subinacl.exe to your system

http://www.microsoft.com/en-us/download/details.aspx?id=23510

See the Instructions on that page. Follow them. and insure that subinacl.exe is placed at \Windows\System32

Download ans save to your Desktop the attached file KSTM3.txt

Now, then, right-click on that file, and select Rename and rename it to KSTM3.bat

Then double-click that file to be run in a Command prompt window

Have infinite patience while it runs. It will take a significant time to execute

Let me know the results after it is done.

To close the command prompt window, you can type in EXIT

Share this post


Link to post
Share on other sites

Ok, all done. I watched the scan or program start and then walked away, and when I returned, the window had closed. I'm not sure if I was supposed to see results or not?

Share this post


Link to post
Share on other sites

Allright. Very carefully now, do a new run of DDS and then copy > paste the dds.txt report.

Tell me if you are able to run your normal, everyday programs on the system {except for antivirus & mbam, leave those for much, much later}.

I want to see if we are at a good place at this point.

Share this post


Link to post
Share on other sites

All done. Normal programs loading ok. Checked AOL, iTunes, Yahoo Messenger, all loaded up fine. Here's the log..

DDS (Ver_2012-11-20.01) - NTFS_x86

Internet Explorer: 7.0.6000.17114

Run by Mom at 15:06:36 on 2013-04-04

AV: Microsoft Security Essentials *Enabled/Outdated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}

AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}

.

============== Running Processes ================

.

C:\WINDOWS\system32\nvsvc32.exe

c:\Program Files\Microsoft Security Client\MsMpEng.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\AVAST Software\Avast\AvastSvc.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\SUPERAntiSpyware\SASCORE.EXE

C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Google\Update\GoogleUpdate.exe

C:\WINDOWS\System32\alg.exe

C:\Program Files\Microsoft IntelliPoint\ipoint.exe

C:\Program Files\Common Files\AOL\1176508629\ee\AOLSoftware.exe

C:\Program Files\AVAST Software\Avast\avastUI.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\svchost.exe -k DcomLaunch

C:\WINDOWS\system32\svchost.exe -k rpcss

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

C:\WINDOWS\system32\svchost.exe -k NetworkService

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\WINDOWS\system32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k imgsvc

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxps://portal.arise.com/Login.aspx

mStart Page = hxxp://www.aol.com/?src=customie7

uInternet Connection Wizard,ShellNext = hxxp://us.mcafee.com/apps/vso/en-us/redir.asp?affid=105-79&installtype=force&dtag=563psc1&langid=1&systempopup=true

BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - <orphaned>

BHO: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\avast software\avast\aswWebRepIE.dll

BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} -

TB: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\avast software\avast\aswWebRepIE.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [intelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"

mRun: [HostManager] c:\program files\common files\aol\1176508629\ee\AOLSoftware.exe

mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui

mRun: [KernelFaultCheck] c:\windows\system32\dumprep 0 -k

dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t

uPolicies-Explorer: NoDriveTypeAutoRun = dword:323

uPolicies-Explorer: NoDriveAutoRun = dword:67108863

uPolicies-Explorer: NoDrives = dword:0

mPolicies-Explorer: NoDriveAutoRun = dword:67108863

mPolicies-Explorer: NoDriveTypeAutoRun = dword:323

mPolicies-Explorer: NoDrives = dword:0

mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1

mPolicies-Explorer: NoDriveTypeAutoRun = dword:323

mPolicies-Explorer: NoDriveAutoRun = dword:67108863

IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000

IE: Sothink SWF Catcher - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm

IE: {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm

Trusted Zone: arise.com

Trusted Zone: intuit.com

DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB

DPF: {036F8A56-0BC8-4607-8F98-D3231E6FF5ED} - hxxp://asp23.centra.com/SiteRoots/main/Install/win32/CentraUpdaterAx.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab

DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab

DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB

DPF: {362C56AA-6E4F-40C7-A0B5-85501DBDAD77} - hxxp://i.dell.com/images/global/js/scanner/SysProExe.cab

DPF: {3BA3B159-7533-4F96-A2CE-EE5894BBD3D5} - hxxp://i.dell.com/images/global/js/scanner/SYSSCANNER.cab

DPF: {43E3F87D-DE7F-4087-BD4F-0DC854981158} - hxxp://download.microsoft.com/download/7/3/8/7384c441-3721-41ee-ae15-b678888f00dd/clearadj.CAB

DPF: {49312E18-AA92-4CC2-BB97-55DEA7BCADD6} - hxxps://support.dell.com/systemprofiler/SysProExe.CAB

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1228867869953

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {A084A130-28AE-4B32-B51A-1C8CE164BC88} - hxxp://www.convergysworkathome.com/AppHardT.CAB

DPF: {A52FBD2B-7AB3-4F6B-90E3-91C772C5D00F} - hxxp://www.worldwinner.com/games/v57/wof/wof.cab

DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab

DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} - hxxps://media.pineconeresearch.com/ActiveX/downloadcontrol.cab

DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://ns.arise.com/dana-cached/setup/JuniperSetupSP1.cab

DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://ns.arise.com/dana-cached/sc/JuniperSetupClient.cab

Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll

Notify: AtiExtEvent - Ati2evxx.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Microsoft AntiMalware ShellExecuteHook - {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - c:\program files\windows defender\MpShHook.dll

SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

SEH: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\program files\superantispyware\SASSEH.DLL

mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\25.0.1364.172\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome

.

============= SERVICES / DRIVERS ===============

.

.

=============== Created Last 30 ================

.

2013-04-04 02:10:01 21104 ----a-w- c:\windows\system32\drivers\mbam.sys

2013-04-02 15:33:05 -------- d-----w- C:\_OTL

2013-04-02 03:20:30 -------- d-----w- c:\documents and settings\mom\application data\Malwarebytes

2013-04-01 21:52:36 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes

2013-04-01 21:52:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2013-03-29 21:23:37 -------- d-----w- c:\documents and settings\mom\Doctor Web

2013-03-29 21:12:25 -------- d-----w- c:\windows\ERUNT

2013-03-29 21:12:17 -------- d-----w- C:\JRT

2013-03-29 15:39:01 15048 ----a-w- C:\FixitRegBackup.reg

2013-03-29 15:38:17 806400 ----a-w- C:\MicrosoftFixit50692.msi

2013-03-29 12:55:22 5044813 ------r- C:\ComboFix.exe

2013-03-29 12:16:23 -------- d-----w- c:\program files\HitmanPro

2013-03-29 12:12:15 -------- d-----w- c:\documents and settings\mom\local settings\application data\Updater26276

2013-03-29 12:12:06 -------- d-----w- c:\program files\Deal Spy

2013-03-29 04:01:36 7108640 ------w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{4ff1d7e2-9e7b-48dc-9094-627ba69c21a9}\mpengine.dll

2013-03-29 03:18:18 -------- d-----w- C:\AI_RecycleBin

2013-03-28 15:43:55 -------- d-----w- C:\MGtools

2013-03-28 14:54:26 1898001 ----a-w- C:\MGtools.exe

2013-03-28 10:41:51 765736 ----a-w- c:\windows\system32\drivers\aswSnx.sys

2013-03-28 10:41:51 49248 ----a-w- c:\windows\system32\drivers\aswRvrt.sys

2013-03-28 10:41:51 164736 ----a-w- c:\windows\system32\drivers\aswVmm.sys

2013-03-28 10:41:50 66336 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys

2013-03-28 10:41:29 41664 ----a-w- c:\windows\avastSS.scr

2013-03-28 10:41:09 -------- d-----w- c:\program files\AVAST Software

2013-03-28 10:40:38 -------- d-----w- c:\documents and settings\all users\application data\AVAST Software

2013-03-28 01:01:28 -------- d-sha-r- C:\cmdcons

2013-03-27 23:28:35 98816 ----a-w- c:\windows\sed.exe

2013-03-27 23:28:35 256000 ----a-w- c:\windows\PEV.exe

2013-03-27 23:28:35 208896 ----a-w- c:\windows\MBR.exe

2013-03-27 23:09:37 -------- d-----w- C:\8f60095d261204a9c8041a453db3610c

2013-03-27 21:50:40 7108640 ------w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll

2013-03-17 19:52:17 -------- d-----w- c:\program files\ESET

.

==================== Find3M ====================

.

2013-03-29 12:43:40 12872 ----a-w- c:\windows\system32\bootdelete.exe

2013-03-28 16:55:37 693976 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2013-03-28 16:55:36 73432 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2013-01-30 10:53:21 232336 ----a-w- c:\windows\system32\MpSigStub.exe

.

============= FINISH: 15:06:59.34 ===============

Share this post


Link to post
Share on other sites

This is an opportune time to do a full backup.

When you have time, whereby you do not need to use the system for day-to-use.

I'd like to have you do a full backup of this system to Offline media (external drive, DVDs, or large USB-flash-thumb drive}.

Let me know after you are finished.

Later after that, I can plan to address remove remains of MSE, and trying to square away your MBAM

Share this post


Link to post
Share on other sites

Ok, so I am ashamingly admitting I have never done a backup like this. I found a recommended free program to do this and it is telling me it's 124 Gigs of data? Like as in 31 dvd's?? I have no external drive, or large enough flash drive. Is this absolutely necessary?

Share this post


Link to post
Share on other sites

It would be a good thing. Let's have you do what is minimal, using a tool you already have.

Double click on ERUNT and let it run and create a new folder and take the defaults.

Once that is done, do the following

Please download SystemLook from one of the links below and save it to your Desktop.

Get one & only one of them

Download Mirror #1

Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield (2 lines):
    :Regfind
    {6680132f-759a-4e64-979a-462d4d0a4d19}


  • Click the Look button to start the scan.
  • Have infinite patience while it is scanning.
  • When finished, a NOTEPAD window will open with the results of the scan. Please Copy & Paste this log in your next reply.
  • Press EXIT button when all done.

Note: The log can also be found on your Desktop entitled SystemLook.txt

How to determine whether a computer is running a 32-bit version or 64-bit version of the Windows operating system

Share this post


Link to post
Share on other sites

All done...

SystemLook 30.07.11 by jpshortstuff

Log created at 17:14 on 04/04/2013 by Mom

Administrator - Elevation successful

========== Regfind ==========

Searching for "{6680132f-759a-4e64-979a-462d4d0a4d19}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{6680132F-759A-4E64-979A-462D4D0A4D19}]

-= EOF =-

Share this post


Link to post
Share on other sites

I have put this in suspense, since your computer monitor is not 100 % + you have issues with Taskbar.

Hello,

Do this when you will not be uninterrupted. Do your best to completely turn off Avast.

If Combofix squawks about MSE go ahead and proceed forward.

You will want to print out or copy these instructions to Notepad for offline reference!

These steps are for member Kstmommy only. If you are a casual viewer, do NOT try this on your system!

If you are not Kstmommy and have a similar problem, do NOT post here; start your own topic

Do not run or start any other programs while these utilities and tools are in use!

Do NOT run any other tools on your own or do any fixes other than what is listed here.

If you have questions, please ask before you do something on your own.

But it is important that you get going on these following steps.

=

Close any of your open programs while you run these tools.

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

For directions on how, see How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Do NOT turn off the firewall

Using your mouse, Highlight and then Right-click | Copy the entire contents of the Code box below, including blank lines:


Driver::
MsMpSvc
File::
c:\Program Files\Microsoft Security Client\MsMpEng.exe
Folder::
c:\Program Files\Microsoft Security Client
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers]
"0"=-

Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" . Using your mouse, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown:

CFScript.gif

  • Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
    Please wait for ComboFix to finish running
    Please Note: Do not mouse click in the combofix window while it is running - this may cause your system to hang/crash.
    After you have completed the above, please provide:
    the ComboFix.txt report.

Edited by Maurice Naggar

Share this post


Link to post
Share on other sites

I'm having some issues. I rebooted the pc before I started the above, and monitor went out. I had to force shutdown by the power button. Reconnected everything, monitor okay now. BUT, now Windows boots up and has NO taskbar. No start button, nothing. Only desktop icons. So I ctrl alt del to get task manager up, and shut down and reboot from there. At reboot, got blue screen running chkdsk and security scans etc. All completed and finished booting up, only to have the same scenario. No taskbar, no start button, no system clock, nothing. Nothing happens when I hit the Windows key either. Not sure what to do here. Other than the missing taskbar, everything seems to be loading normally.

Share this post


Link to post
Share on other sites

You likely picked the Recovery Console option instead of letting the system auto-load into Windows.

Since we first put Combofix on this system, it has had a Recovery console option.

What you want to do is to do a firm restart, and just let the system do it's own selection and it will load into Windows XP.

Please do that. IF and only if it is needed, power off the system & wait a minute & then power up again.

I need a copy of C:\Combofix.txt please

Share this post


Link to post
Share on other sites

I think you misunderstood. I haven't even ran ComboFix yet. I did do the firm restart and let it do it's thing and there's still no taskbar.

Share this post


Link to post
Share on other sites

I am still confused.....

Q: Did you run the CFscript run ? yes or no

For now, do another restart, and tap & retap F8 Function key so you get Advanced Boot Options

then choose Safe Mode.

Then see if you can do some very simple things, like opening Windows Explorer or NOTEPAD.

After that, restart the computer one more time.

Have loads and lots of patience and wait for Windows XP to fully load.

Share this post


Link to post
Share on other sites

Sorry to be confusing...

No, I have not done anything with CFScript yet. I decided to do a fresh reboot before I attempted any of that, due to the fact that I had done your other instructions and I didn't think I rebooted after the last one.

I got into Safe Mode fine, but again, there's NO taskbar in Safe Mode either. I was able to open documents and folders on my desktop.

Restarted again, waited like 10 mins, and it's fully loaded up, but again with NO taskbar. I even checked to see if it got hidden, and it's not there at all.

Share this post


Link to post
Share on other sites

Press the Windows key. Do you see the taskbar now?

Press Windows-key+R key. Do you get the RUN dialog ?

Let us put a hold on the Cfscript with Combofix run. put a hold on it. This last thing has got me upset. Very surprised. :(

Share this post


Link to post
Share on other sites

I do not see the taskbar when I hit the Windows key.

I am, however, able to see the RUN dialog when I hit the Windows + R.

Share this post


Link to post
Share on other sites

What do you see on the Desktop ?

Does it have a link to Internet Explorer?

Do you think that just the Taskbar is what is "missing in action" ?

Share this post


Link to post
Share on other sites

I see all of my icons. Internet Explorer is there, along with every other one. Remember, I have no internet access to use it though. If you need me to do anything, I have to do it via flash drive. I did also make sure the flash drive was removed. The odd part is that the icons are all realigned all the way down to where the taskbar should be.

Other than the realignment of the icons, it just seems that yes, only the taskbar is missing in action. Very strange.

Share this post


Link to post
Share on other sites

If you force-move your mouse pointer all the way to the very, very bottom of the screen, it should have the Taskbar popup

Then, if so, you should be able to do a Right-click on it and IIRC

you should be able to drill thru the Options to get the taskbar to stick in place.

Are you in Normal mode?

Share this post


Link to post
Share on other sites

I already tried that in both normal and safe mode. It didn't pop up in either case.

Share this post


Link to post
Share on other sites

You should be pretty handy with the RUN option and how it works. right?

For example, if you do not have a link to Windows Explorer, one presses the Windows-key+R

and then types in

explorer.exe

then Windows Explorer will start.

Agreed?

Share this post


Link to post
Share on other sites

Yes, I can do that.

I do have a folder on the desktop that I opened and then navigated to the control panel. I looked at the Taskbar settings and it looked all normal. I even tried hiding the taskbar, to see if it would pop up and when it didn't, I changed it back to show taskbar, still not there,

Share this post


Link to post
Share on other sites
Guest
This topic is now closed to further replies.

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.