Jakemaxcat Posted June 16, 2010 ID:268594

I am attempting to fix a Dell Inspiron 510m with XP Home, AVG free, Windows firewall. The symptoms were that it was slow and had problems connecting to the internet.

I ran Malwarebytes, which detected:
- Spyware.onlinegames
- worm.prolaco
- Trojan.Agent
- Trojan.swisyn
- Malware.Trace
- Rootkit.Agent (which after reading the forum, appears to be a nasty one).

The removal using Malwarebytes and all seemed to be going well until the reboot. Got the error message, "The application has failed to start as themed32.dll was not found. Reinstalling the application may fix this problem".

I tried to restore, but either the system checkpoint files have been deleted or unable to access them.

I am able to start windows in safe mode with a command prompt. It was then that I found the Malwarebytes forum.

Defogger finished with no errors. Defogger didn't ask me to restart (as per the instructions), but I did it anyway.

Ran the dds.scr file. Got the failure message due to themed32.dll missing about 100 times, to which I clicked ok each time.
DDS.txt ==>

DDS (Ver_10-03-17.01) - NTFSx86 MINIMAL
Run by Bob at 17:36:45.35 on 16/06/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.766.354 [GMT 1:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\ZCfgSvc.exe
C:\Dellfix2\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll
BHO: MSN Search Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\msn toolbar suite\tb\02.05.0000.1082\en-gb\msntb.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.1203.0\msneshellx.dll
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: MSN Search Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\msn toolbar suite\tb\02.05.0000.1082\en-gb\msntb.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.1203.0\msneshellx.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [kdx] c:\program files\kontiki\KHost.exe -all
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [LogitechVideoTray] c:\program files\logitech\video\LogiTray.exe
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.2\apps\apdproxy.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil9e.exe
IE: &MSN Search - c:\program files\msn toolbar suite\tb\02.05.0000.1082\en-gb\msntb.dll/search.htm
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {2A493D5F-8914-4D3E-8BF3-767F281862F4} - hxxp://sell.autotrader.co.uk/uk-ola/common/TraderMediaX.cab
DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} - hxxp://sell-vehicle.ebay.co.uk/images/eps/eBay_Enhanced_Picture_Control_v1-0-3-50.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/en-gb/4,0,0,84/mcinsctl.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/en-gb/1,0,0,23/mcgdmgr.cab
DPF: {C45B1500-7B63-47C2-AB25-C28CB46AFDEE} - hxxp://sib1.od2.com/common/musicmanager/installation/MusicManagerPlugin.CAB
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.4.2/jinstall-1_4_2_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
Filter: application/x-internet-signup - {A173B69A-1F9B-4823-9FDA-412F641E65D6} - c:\program files\tiscali\tiscali internet\dlls\tiscalifilter.dll
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
Notify: req - c:\windows\system32\req.dll
Notify: Sebring - c:\windows\system32\LgNotify.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-9-4 64160]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-7-3 1029456]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-6-17 216200]
S1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-3-22 29584]
S1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-6-17 242896]
S1 RapportBuka;RapportBuka;c:\windows\system32\drivers\RapportBuka.sys [2010-2-27 390528]
S1 RapportKELL;RapportKELL;c:\program files\trusteer\rapport\bin\RapportKELL.sys [2010-6-7 59240]
S1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2010-6-7 166632]
S2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-6-1 916760]
S2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-6-1 308064]
S2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-9-27 54752]
S2 gupdate1c989ff22fd18c0;Google Update Service (gupdate1c989ff22fd18c0);c:\program files\google\update\GoogleUpdate.exe [2009-2-8 133104]
S2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2010-6-7 840936]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-7-18 24652]
S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]

=============== Created Last 30 ================

2010-06-16 16:19:25    0          ----a-w-    c:\documents and settings\bob\defogger_reenable
2010-06-14 12:29:31    0          d-----w-    C:\Dellfix2
2010-06-14 12:27:59    1677       ----a-w-    C:\Dellfix
2010-06-14 08:18:18    50477      ----a-w-    C:\Defogger.exe
2010-06-14 08:18:18    3707422    ----a-w-    C:\ComboFix.exe
2010-06-14 08:18:18    293376     ----a-w-    C:\qzb3qivg.exe
2010-06-13 16:30:37    0          d-----w-    c:\windows\LastGood.Tmp
2010-06-13 09:25:15    0          d-----w-    C:\78b3d2db2c8339f5c3
2010-06-12 20:15:33    0          d-----w-    C:\6a81e9c1698b693065ba9f
2010-06-10 07:31:58    743424     ------w-    c:\windows\system32\dllcache\iedvtool.dll
2010-06-01 09:53:21    0          d--h--w-    C:\$AVG
2010-06-01 09:51:58    0          d-----w-    c:\docume~1\alluse~1\applic~1\avg9
2010-06-01 09:50:57    0          d-----w-    c:\windows\SxsCaPendDel

==================== Find3M ====================

2010-06-13 13:11:07    242896     ----a-w-    c:\windows\system32\drivers\avgtdix.sys
2010-06-01 09:52:51    216200     ----a-w-    c:\windows\system32\drivers\avgldx86.sys
2010-06-01 09:52:18    12464      ----a-w-    c:\windows\system32\avgrsstx.dll
2010-05-12 10:21:16    221568     ------w-    c:\windows\system32\MpSigStub.exe
2010-05-05 13:30:57    173056     ------w-    c:\windows\system32\dllcache\ie4uinit.exe
2010-05-02 05:22:50    1851264    ----a-w-    c:\windows\system32\win32k.sys
2010-05-02 05:22:50    1851264    ------w-    c:\windows\system32\dllcache\win32k.sys
2010-04-29 14:39:38    38224      ----a-w-    c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 14:39:26    20952      ----a-w-    c:\windows\system32\drivers\mbam.sys
2010-04-20 05:30:08    285696     ----a-w-    c:\windows\system32\atmfd.dll
2010-04-20 05:30:08    285696     ------w-    c:\windows\system32\dllcache\atmfd.dll
2010-04-06 03:52:46    2462720    ------w-    c:\windows\system32\dllcache\WMVCore.dll
2008-10-22 21:59:35    32768      --sha-w-    c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008102220081023\index.dat

============= FINISH: 17:40:34.15 ===============

attach.txt should be attached to this post. I didn't see an ark.txt file and am not sure where the malwarebytes logs are.

How can I fix this?

Thanks,

Attach.txt
AdvancedSetup (Root Admin) Posted June 17, 2010 ID:268905

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper at this forum.

---------------------------------------------------------------------------------------------

Download ComboFix from below:
Combofix download

* IMPORTANT !!! Place combofix.exe on your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
You can get help on disabling your protection programs here

Double click on combofix.exe & follow the prompts.

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.

Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.

ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:
The Recovery Console was successfully installed.

Click on Yes, to continue scanning for malware.

Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not mouse-click combofix's window whilst it's running. That may cause it to stall.

---------------------------------------------------------------------------------------------

Ensure your AntiVirus and AntiSpyware applications are re-enabled.

---------------------------------------------------------------------------------------------
Jakemaxcat (Author) Posted June 17, 2010 ID:268974

Just to clarify the situation.

The Dell laptop Inspiron won't connect to the internet, in fact it doesn't appear to have a usable desktop. It is started in safe mode with a command prompt. The access to this forum is via a clean PC. I am using a memory stick to transfer the downloaded diagnosis program files (e.g. dss.scr, combofix etc) to the C: drive of the infected laptop and sending the results/log back via the stick.

XP Home was pre-installed on the laptop when bought new and Dell didn't supply the installation CD. I have contacted Dell requesting it be sent.

Situation so far and questions:

1) done, combofix copied to a folder on the C: drive. (I have no desktop)

2) there is no system tray and the instructions to temporarily disable security tools seem to be applicable only if you have one. I was able to go into windows task manager and kill processes such as AVG*.exe. When I attempted to kill AAWService.exe it just restarts.

There is a process running called lsass.exe, which I believe is bad. Should I attempt to kill it or leave it?

The other running processes are:
- taskmgr.exe
- cmd.exe
- wmiprvse.exe
- ZCfgSvc.exe
- UNSECAPP.EXE
- svchost.exe (x3)
- services.exe
- winlogon.exe
- csrss.exe
- smss.exe
- System
- System Idle Process

3) I haven't run Combofix yet, I will wait till you confirm what action I should take for step 2.

Thanks.
AdvancedSetup (Root Admin) Posted June 17, 2010 ID:269059

If you're able to see any GUI (which seeing task manager seems to indicate you can) then please run it. If it won't run then try the following.

Avira AntiVir Rescue System

Requires access to a working computer with a CD/DVD burner to create a bootable CD.

Download the Avira AntiVir Rescue System from here
Place a blank CD in your burner and double-click on the downloaded file named rescue_system-common-en.exe
If the above link does not work please try this one: here
The program will automatically burn the CD for you.
Place the burned CD into the affected computer and start the computer from this CD.
On the bottom left side of the screen there are 2 flags. Using your mouse click on the British flag to use English.
Click on the Configuration button.
- Select Scan all files
- Select Try to repair infected files and Rename files, if they cannot be removed
- Select Scan for dialers
- Select Scan for joke programs (Jokes)
- Select Scan for games
- Select Scan for spyware (SPR)
Click on Virus scanner
Click on Start scanner at the bottom of the screen
Currently the program does not support saving a log. Write down the amount of items for Records, Suspect files, and Warnings

The Avira AntiVir Rescue System is a Linux-based application that allows accessing computers that cannot be booted anymore and is updated several times a day so that the most recent security updates are always available.

Possible solutions to Screen Resolution and other issues

Please see the post here if you're unable to view the entire screen of Avira.
You can also review this one Fixed Rescue CD Resolution Probs with Dell Video

Currently only the German keyboard is supported. Command Line not working English keyboards require work arounds.

Some computers attempt to mount the floppy even though they don't have one. You may need to go in to the BIOS and disable the floppy drive in order to mount your hard drive for scanning.
Jakemaxcat (Author) Posted June 17, 2010 ID:269237

Well that didn't go well....what could go wrong did go wrong.

There is no GUI to mention and no system tray. In normal mode every time I tried to end the AVG processes, they just restarted. Went back into safe mode, this time the AVG processes ended with Task Manager. I then started Combofix from the command prompt, but it said that AVG was still active and warned me that unpredictable results may occur if I continued, so I went for plan B.

Plan B, Use the Avira Antivir Rescue System CD.

Downloaded exec and burnt CD ok. Changed Dell laptop boot order to boot from CD, Linux came up ok. I selected Option 1: Boot AntiVir Rescue System (default). As it is a Dell, the screen resolution was wrong (i.e. can't see the British flag or start scanner button). I used "CTRL + ALT + BACKSPACE" to exit the graphical interface and then entered the command manually.

==> antivir -allfiles -z -ren /mnt/
Scan time 00:00:01

Rebooted, still same as before.

Is there a safe place I can download msconfig for XP, then I could update the startup list and prevent AVG from coming up and be able to run Combofix ?

Thanks.
AdvancedSetup (Root Admin) Posted June 17, 2010 ID:269266

Please try another one of the following. These types of infections are not going to be stopped by simply editing some startup lists.

LiveCD for Malware and Virus Removal

Here are links to Antivirus vendors that offer free LiveCD or Rescue CD files that are used to boot from for repair if needed. All of them except Avira are in the ISO image file format. Avira uses an EXE that has built-in CD burning capability.

- Avira AntiVir Rescue System
- BitDefender LiveCD
- Dr Web LiveCD
- F-Secure Rescue CD
- Kaspersky RescueDisk

For those users that need a FREE utility to properly burn the ISO image
- ImgBurn
- How to write an image file to a disc with ImgBurn

If you do have the time, and required software you can build a UBCD4W that has a wealth of repair tools on it.
Jakemaxcat (Author) Posted June 18, 2010 ID:269762

I didn't expect to fix the problem by editing the startup list, but I was hoping to use it to prevent AVG starting so that I could run Combofix.

Avira Antivir didn't work.
BitDefender ran ok, but didn't find anything.

Are there any of the others that are more likely to be successful for a problem like this?
AdvancedSetup (Root Admin) Posted June 18, 2010 ID:270033

Without being able to logon to a GUI Desktop or the Windows install CD it is probably going to be very difficult to track down the actual issue. We don't know if it's damage from this infection or an install or damage from registry issues or from trying to do a recovery.

If you can find or borrow a Windows XP Home CD then you can run SFC to attempt a repair.

How to Use SFC.EXE to Repair System Files
Jakemaxcat (Author) Posted June 21, 2010 ID:271679

I ran SFC.exe which finished without finding any missing files. I borrowed an XP Home CD, which I put in the drive and attempted to run recovery, but was stopped as I didn't know the Admin password. (It wasn't blank)

After rebooting, the GUI was back, so I plugged an ethernet cable in to get the latest Malwarebytes database and ran a scan which found 5 objects: 3 occurrences of Trojan.Agent in the Registry, Backdoor.Bot also in the registry and Worm.Prolaco in a system restore file.

I haven't attempted to remove them as I will wait for your suggestion as to the next action to take since the GUI is back.

btw, Dell wanted
Jakemaxcat (Author) Posted June 21, 2010 ID:271680

Not sure what happened to the rest of that...

btw, Dell wanted
Jakemaxcat (Author) Posted June 21, 2010 ID:271681

Is there a problem with pound signs on the forum?

btw, Dell wanted 60GBP for a copy of the XP Home CD, which I think is criminal. They should have supplied it when the laptop was new, but it wasn't on the packing list.
AdvancedSetup (Root Admin) Posted June 21, 2010 ID:271741

Please post the full MBAM log for me. Are you saying that aside from these detections in the log the system now appears to be okay and that error is no longer coming up?

Please run a new DDS scan and post back its logs as well.

Download DDS and save it to your desktop
http://download.bleepingcomputer.com/sUBs/dds.scr

Disable any script blocker if your Anti-Virus/Anti-Malware has it.
Once downloaded you can disconnect from the Internet and disable your Anti-Virus temporarily if needed.
Then double click dds.scr to run the tool.
When done, the DDS.txt will open.
Click Yes at the next prompt for Optional Scan.
When done, DDS will open two (2) logs:
- DDS.txt
- Attach.txt
Save both reports to your desktop

Please include the following logs in your next reply: DDS.txt and Attach.txt
Jakemaxcat (Author) Posted June 22, 2010 ID:272125

The Themed32.dll not found error has gone away.

There is another new error I get, but I don't think it is related to this problem. (I think it is self inflicted...sorry).
"Error loading C:\WINDOWS\uxarbiyixevoyoh.dll. The specified module could not be found."

mbam log:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4222

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

21/06/2010 23:55:10
mbam-log-2010-06-21 (23-55-10).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 224929
Time elapsed: 1 hour(s), 10 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yrumegemida (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msword98 (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\regedit32 (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysldtray (Backdoor.Bot) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP7\A0001025.exe (Worm.Prolaco) -> No action taken.

==================================================

I have attached the DDS.txt and Attach.txt files as requested.

Attach22Jun.txt
DDS22Jun.txt
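The MBAM log above is a fixed text format: a block of "... Infected: N" summary counters followed by one detail section per counter, each detection on its own line as `target (Threat.Name) -> action`. When a helper is reading several of these logs in a thread, the questions are always the same: do the detail sections agree with the counters, which items are still "No action taken" (found but not removed), and which registry detections are autorun persistence under a Run key. The parser below is an added example written for this thread; it is not Malwarebytes' code, and SAMPLE_LOG is the log posted above with the header trimmed.

```python
"""Parse a Malwarebytes' Anti-Malware 1.46 text log and pull out the triage facts.

Added example for this thread, not Malwarebytes' own code. SAMPLE_LOG is the log
posted in the thread, trimmed to the summary and detection sections.
"""
import re
from collections import Counter

SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.46
Database version: 4222

Scan type: Full scan (C:\|D:\|)
Objects scanned: 224929

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yrumegemida (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msword98 (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\regedit32 (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysldtray (Backdoor.Bot) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP7\A0001025.exe (Worm.Prolaco) -> No action taken.
"""

# "Registry Values Infected: 4" is a summary counter; "Registry Values Infected:" opens a detail section.
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):\s*(?P<count>\d+)?$")
# target (Threat.Name) -> action.   The target may contain braces and backslashes but no parentheses.
DETECTION_RE = re.compile(r"^(?P<target>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")
# Value name under HKLM/HKCU ...\CurrentVersion\Run or RunOnce (autorun persistence).
RUN_VALUE_RE = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\(?P<value>[^\\]+)$", re.IGNORECASE)


def parse_mbam_log(text):
    """Return {'summary': {section: count}, 'detections': [dict(section, target, threat, action)]}."""
    summary, detections, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            if m.group("count") is not None:
                summary[m.group("name")] = int(m.group("count"))
            else:
                section = m.group("name")
            continue
        if not line or section is None or line.startswith("("):  # "(No malicious items detected)"
            continue
        d = DETECTION_RE.match(line)
        if d:
            detections.append({"section": section, **d.groupdict()})
    return {"summary": summary, "detections": detections}


def summary_mismatches(parsed):
    """Counters whose detail section lists a different number of items: {section: (counter, listed)}."""
    seen = Counter(d["section"] for d in parsed["detections"])
    return {n: (c, seen[n]) for n, c in parsed["summary"].items() if seen[n] != c}


def unremediated(parsed):
    """Detections the scan found but did not quarantine or delete."""
    return [d for d in parsed["detections"] if d["action"].lower().startswith("no action")]


def threat_counts(parsed):
    return Counter(d["threat"] for d in parsed["detections"])


def autorun_values(parsed):
    """Names of Run/RunOnce values among the detections, i.e. startup persistence entries."""
    return [m.group("value") for d in parsed["detections"]
            if (m := RUN_VALUE_RE.search(d["target"]))]


if __name__ == "__main__":
    p = parse_mbam_log(SAMPLE_LOG)
    print("threats:", dict(threat_counts(p)))
    print("still present:", len(unremediated(p)), "of", len(p["detections"]))
    print("autorun values:", autorun_values(p))
    print("counter mismatches:", summary_mismatches(p))
```

Run against the posted log this reports three Trojan.Agent, one Backdoor.Bot and one Worm.Prolaco, all five still present, the four Run values `yrumegemida`, `msword98`, `regedit32` and `sysldtray`, and no mismatch between counters and detail sections; a mismatch is the thing to look for when a log has been hand-edited or truncated in transit.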
AdvancedSetup (Root Admin) Posted June 22, 2010 ID:272474

Please download a new fresh copy of Combofix and overwrite your current copy then run it again and send me back the new log.
Jakemaxcat (Author) Posted June 23, 2010 ID:272882

Combofix run ok, log attached.

Combofixlog.txt
AdvancedSetup (Root Admin) Posted June 24, 2010 ID:273363

Using your mouse, Highlight and then Right-click | Copy the entire contents of the Code box below, including blank lines

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

RegLock::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

File::
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP7\A0001025.exe

Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" .

Using your mouse, drag the new file CFscript.txt and drop it on the Combo-Fix.exe icon as shown:

Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser. Disable your Antivirus software. If it has Script Blocking features, please disable these as well. A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix. When the scan completes Notepad will open with your results log open. Do a File, Exit.

A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post back the Combofix log on your next reply.

Then update Malwarebytes and do another scan. Make sure you have it fix anything it finds and post back the new log as well.
Jakemaxcat (Author) Posted June 24, 2010 ID:273520

Combofix run with CFscript, log attached.

Malwarebytes updated and run, found 1 infection, (spyware.onlinegames), and selected to fix it. log attached.
Jakemaxcat (Author) Posted June 24, 2010 ID:273522

Combofix run with CFscript, log attached.

Malwarebytes updated and run, found 1 infection, (spyware.onlinegames), and selected to fix it. log attached.

Combofixlog24Jun2010.txt
mbam_log_2010_06_24__13_47_13_.txt
AdvancedSetup (Root Admin) Posted June 24, 2010 ID:273772

Please click on START - RUN and copy/paste the following entry into the run line and click OK.

CMD /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32" /v aux /t REG_SZ /d wdmaud.drv /f

Then update your Anti-Virus and do a FULL system scan and let me know if it finds anything or not.
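Both the CFScript's `Registry::` section and the `REG ADD` line above do the same thing: put the Drivers32 `aux` value back to the stock `wdmaud.drv`. That value is a load point: whatever module Drivers32 names gets loaded by every process that initialises multimedia, so a value that has been pointed somewhere else is worth catching before a cleanup and re-checking after one. The script below is an added example, not ComboFix's or Malwarebytes' code. It reads a Drivers32 export (either a `.reg` file or the unquoted `"name"=data` form the CFScript uses), compares the audio entries against their stock values, and emits the same `REG ADD` repair line the thread uses for each one that differs. The stock values for `midi`, `mixer`, `wave`, `wavemapper` and `midimapper` are my assumption from XP defaults (the thread only vouches for `aux`), and the sample export is constructed, with the `aux` data set to an obviously fake placeholder path.

```python
"""Audit an exported HKLM\\...\\Drivers32 key and generate REG ADD repairs for hijacked audio entries.

Added example for this thread, not ComboFix's or Malwarebytes' code. EXPECTED holds
XP stock values (assumption: only "aux"=wdmaud.drv is confirmed by the thread itself).
"""
import re

KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32"

# Stock Drivers32 audio entries on XP (assumed defaults, lower-case keys).
EXPECTED = {
    "aux": "wdmaud.drv",
    "midi": "wdmaud.drv",
    "mixer": "wdmaud.drv",
    "wave": "wdmaud.drv",
    "wavemapper": "msacm32.drv",
    "midimapper": "midimap.dll",
}

# Constructed sample export: a .reg file in which "aux" has been redirected to a placeholder path.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"aux"="c:\\windows\\system32\\EXAMPLE_hijack.dll"
"midi"="wdmaud.drv"
"mixer"="wdmaud.drv"
"wave"="wdmaud.drv"
"wavemapper"="msacm32.drv"
"midimapper"="midimap.dll"
"vidc.cvid"="iccvid.dll"
"msacm.l3acm"="C:\\WINDOWS\\system32\\l3codeca.acm"
'''

VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')


def parse_drivers32(text):
    """Return {value_name: data} from .reg lines ("x"="y") or CFScript lines ("x"=y)."""
    values = {}
    for line in text.splitlines():
        m = VALUE_RE.match(line.strip())
        if not m:
            continue  # header, [key] line, blank line
        data = m.group("data").strip()
        if len(data) >= 2 and data[0] == data[-1] == '"':
            # .reg quoting: strip quotes and undo the \\ and \" escapes
            data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
        values[m.group("name")] = data
    return values


def audit_drivers32(values):
    """List (name, data, reason) for entries that deviate from stock or carry a full path."""
    findings = []
    for name, data in values.items():
        expected = EXPECTED.get(name.lower())
        if expected is not None and data.lower() != expected:
            findings.append((name, data, f"expected {expected}"))
        elif expected is None and ("\\" in data or "/" in data):
            # A bare module name is the norm; a full path is a prompt to verify the file, not a verdict.
            findings.append((name, data, "full path where a bare module name is usual; review"))
    return findings


def repair_commands(findings):
    """REG ADD lines (same form as the thread's fix) for every entry with a known stock value."""
    return [f'REG ADD "{KEY}" /v {name} /t REG_SZ /d {EXPECTED[name.lower()]} /f'
            for name, _, _ in findings if name.lower() in EXPECTED]


if __name__ == "__main__":
    found = audit_drivers32(parse_drivers32(SAMPLE_EXPORT))
    for name, data, reason in found:
        print(f"{name}: {data!r} ({reason})")
    print("\n".join(repair_commands(found)))
```

On the constructed export this flags `aux` (expected `wdmaud.drv`) and produces exactly the thread's repair line, `REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32" /v aux /t REG_SZ /d wdmaud.drv /f`. It also flags `msacm.l3acm` for review only: that codec entry normally does carry a full path on XP, which is why a path is reported as something to verify rather than rewritten. Re-running the audit after the fix, with a fresh export, is the check that the value actually stuck.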
Jakemaxcat (Author) Posted June 25, 2010 ID:274170

AVG Free updated, full scan run, nothing found.

I assume that means it is virus free. Thanks for all your help.
AdvancedSetup (Root Admin) Posted June 25, 2010 ID:274372

We should be done here. Some final housekeeping instructions, and protection information for you.

Your logs appear clean. You should be good to go. We still have a few items to address.

Disable your AntiVirus temporarily so that it does not block removal of Combofix.

Press the Windows key + R -> in the Run box which opens -> copy/paste in the following single line command & click OK

ComboFix /Uninstall

This will uninstall ComboFix. It will also implement some cleanup procedures.

Re-enable your AntiVirus now.

Delete any remaining tools we've used (DDS and GMER) and logs from them.

Empty your Recycle Bin.

============================================

Please read the following topic: So how did I get infected in the first place?

Take care.