Solved: explorer.exe virus/malware?!

mallwo27 · 06:41 AM

Hi there,

I am trying to fix a laptop for someone which appears to have got infected with a virus or some sort of malware.

The problem is that the explorer.exe is crashing and restarting every few seconds.

I have tried a number of things to fix it but without using exploer theres only so much i can do!!. I started with copying and renaming the explorer.exe to test.exe and running this but the problem still occured. I have also tried replacing the explorer.exe with the test.exe in the winlogon shell key within regedit - nope - so i tried replacing the whole shell... again still no joy.

I found 2 executable files on the c drive which according to some research i did are viruses, so I removed them... still no joy though. The files where
C:\mywyxngk.exe
C:\yjqcq.exe

The problem also occurs in safe mode and I am un able to run a system restore... it all sets up OK but won't actually start the restore

I know a little bit about computers but I am all out of ideas!! is there anyone that could possibly help me please?!!!!

I have managed to install HJT onto the infected computer and the log is below.

Many thanks in advance,
Mark

--------------------------------------------
Hi Jack This Log........

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:17:31, on 22/01/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18241)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\SYSTEM32\WISPTIS.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe
C:\WINDOWS\system32\CMD.exe
C:\WINDOWS\system32\msfeedssync.exe
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: Shell=
O2 - BHO: (no name) - {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - C:\WINDOWS\system32\aWolIAtu.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: C:\WINDOWS\system32\hgfdge4unjdfdg.dll - {c5bf49a2-94f3-42bd-f434-3604812c8955} - C:\WINDOWS\system32\hgfdge4unjdfdg.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [LSA Shellu] C:\Documents and Settings\David\lsass.exe
O4 - HKLM\..\Run: [jsf8uiw3jnjgffght] C:\DOCUME~1\David\LOCALS~1\Temp\winlogin.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [jsf8uiw3jnjgffght] C:\DOCUME~1\David\LOCALS~1\Temp\winlogin.exe
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [TabletWizard] %windir%\help\wizard.hta (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...p=ZUxdm265YYGB
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/noc...tup1.0.1.0.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/micr...?1204842285671
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1204842273484
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: aWolIAtu - C:\WINDOWS\SYSTEM32\aWolIAtu.dll
O22 - SharedTaskScheduler: jgzfkj9w38rksndfi7r4 - {C5BF49A2-94F3-42BD-F434-3604812C8955} - C:\WINDOWS\system32\hgfdge4unjdfdg.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
--
End of file - 5809 bytes

karbo · 22-Jan-2009, 08:14 AM #2

I would get rid of the MyWebSearch toolbar if I were you. It's often related to malware or at least adware.

O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...p=ZUxdm265YYGB

Here's a link on how to completely remove it from your computer.

Kenny94 · 22-Jan-2009, 09:28 AM #3

Hi Mark and Welcome to TSG!

Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

You have several infections...And no antivirus program.. If you can't download SDFix.exe and Avira AntiVir? Do you have a flash drive you can use to download these?

Lets fix System Configuration Utility warning.

Rescan with Hijack This.
Close all browser windows except Hijack This.
Put a check mark beside these entries and click "Fix Checked".

O2 - BHO: (no name) - {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - C:\WINDOWS\system32\aWolIAtu.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: C:\WINDOWS\system32\hgfdge4unjdfdg.dll - {c5bf49a2-94f3-42bd-f434-3604812c8955} - C:\WINDOWS\system32\hgfdge4unjdfdg.dll
O4 - HKLM\..\Run: [jsf8uiw3jnjgffght] C:\DOCUME~1\David\LOCALS~1\Temp\winlogin.exe
O4 - HKLM\..\Run: [MSConfig]
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

Download SDFix and save it to your Desktop.
Double click SDFix.exe and choose Install to extract it to its own folder on the

Desktop. Please then reboot your computer in Safe Mode by doing the following :

Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

Open the c:\SDFix folder and double click RunThis.cmd to start the script.
Type Y to begin the script.
It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
Your system will take longer that normal to restart as the fixtool will be running and removing files.
When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back to the thread with a new HijackThis log.

Next

I do not see an anti-virus program installed on your computer. It is extremely important that you have an antivirus program installed and running on your computer to prevent anymore possible infections. I would like you to download and install a free antivirus program..

Avira AntiVir Personal

In your next reply, please include these log(s):

* Report.txt
* HijackThis log (new)

Also, please let me know how things are running now and if you encountered any problems while you were following the instructions I posted.

mallwo27 · 22-Jan-2009, 09:42 AM #4

many thanks for your prompt response. I will try this now and let you know how i get on.

Kenny94 · 22-Jan-2009, 09:43 AM #5

Quote:

Originally Posted by mallwo27

many thanks for your prompt response. I will try this now and let you know how i get on.

mallwo27 · 22-Jan-2009, 12:17 PM #6

Hi - It's worked!

Your instructions were very clear and concise... I had to do a little bit of messing around in order to get the SDFix program onto the infected laptop because of the lack of the explorer.exe application but once I got it all on there it worked brilliantly.

The HiJack This log and the report from SDFix are below as requested.

Many thanks again for your help... I will definitley return to this forum for help and advice in the future!

Regards,
Mark

-------------------
Hi Jack This Log file
-------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:47:23, on 22/01/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18241)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\SYSTEM32\WISPTIS.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\msfeedssync.exe
C:\Documents and Settings\David\Desktop\antivir_workstation_winu_en_h.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [jsf8uiw3jnjgffght] C:\DOCUME~1\David\LOCALS~1\Temp\winlogin.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [jsf8uiw3jnjgffght] C:\DOCUME~1\David\LOCALS~1\Temp\winlogin.exe
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [TabletWizard] %windir%\help\wizard.hta (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...p=ZUxdm265YYGB
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/noc...tup1.0.1.0.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/micr...?1204842285671
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1204842273484
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O22 - SharedTaskScheduler: jgzfkj9w38rksndfi7r4 - {C5BF49A2-94F3-42BD-F434-3604812C8955} - (no file)
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (antivirscheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (antivirservice) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

--
End of file - 5950 bytes

----------------
SDFix Report File
----------------

SDFix: Version 1.240
Run by David on 22/01/2009 at 15:12

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\DOCUME~1\David\Desktop\SDFix

Checking Services :

Restoring Default Security Values
Restoring Default Hosts File

Rebooting

Checking Files :

Trojan Files Found:

C:\WINDOWS\system32\aWolIAtu.dll - Deleted
C:\336757~1 - Deleted
C:\autorun.inf - Deleted
C:\Documents and Settings\David\lsass.exe - Deleted
C:\WINDOWS\system32\TDSSbrsr.dll - Deleted
C:\WINDOWS\system32\TDSSriqp.dll - Deleted
C:\WINDOWS\system32\TDSSxfum.dll - Deleted
C:\WINDOWS\system32\TDSSlxwp.dll - Deleted
C:\WINDOWS\system32\TDSSosvd.dat - Deleted
C:\WINDOWS\system32\TDSStkdv.log - Deleted

Could Not Remove C:\WINDOWS\system32\TDSSofxh.dll

Removing Temp Files

ADS Check :

Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-22 15:18:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

disk error: C:\WINDOWS\system32\config\system, 0
scanning hidden registry entries ...

disk error: C:\WINDOWS\system32\config\software, 0
disk error: C:\Documents and Settings\David\ntuser.dat, 0
scanning hidden files ...

disk error: C:\WINDOWS\

please note that you need administrator rights to perform deep scan

Remaining Services :

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameter s\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enable d:@xpsp2res.dll,-22019"
"C:\\Program Files\\Kontiki\\KService.exe"="C:\\Program Files\\Kontiki\\KService.exe:*:Enabled

elivery Manager Service"
"C:\\Documents and Settings\\David\\Local Settings\\Temp\\JT40BHIr.exe"="C:\\Documents and Settings\\David\\Local Settings\\Temp\\JT40BHIr.exe:*:Enabled:UK Provider"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\WINDOWS\\system32\\PnkBstrA.exe"="C:\\WINDOWS\\system32\\PnkBstrA.exe: *:Enabled:PnkBstrA"
"C:\\WINDOWS\\system32\\PnkBstrB.exe"="C:\\WINDOWS\\system32\\PnkBstrB.exe: *:Enabled:PnkBstrB"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameter s\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enable d:@xpsp2res.dll,-22019"

Remaining Files :

C:\WINDOWS\system32\TDSSofxh.dll Found

File Backups: - C:\DOCUME~1\David\Desktop\SDFix\backups\backups.zip

Files with Hidden Attributes :

Tue 20 Jan 2009 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\0c909c63b4fa217757574b9dcdd658c3\ BIT466.tmp"
Tue 20 Jan 2009 3,202,259 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\13845fb1668dcf3e1108eea4eb534172\ BIT475.tmp"
Tue 20 Jan 2009 436,978 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\2006c93acdb066bdfcaef21319037e32\ BIT478.tmp"
Tue 20 Jan 2009 8,129,896 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\2064d652e93807b954225d9ba4a6b219\ BIT46E.tmp"
Tue 20 Jan 2009 1,533,660 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\3845068ed327bc2e46e418df87819139\ BIT473.tmp"
Tue 20 Jan 2009 8,822,672 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\38f348c87f8c2315e0e711a1f264b063\ BIT46C.tmp"
Tue 20 Jan 2009 247,411 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\4cddf1f85ad64aea830346cc75b2bb06\ BIT474.tmp"
Tue 20 Jan 2009 7,669,009 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\4f48480c3bff7fa275c02353aba158bb\ BIT477.tmp"
Tue 20 Jan 2009 10,718,926 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\5f8bbff06b2da0a7956609cdcd5aa176\ BIT471.tmp"
Tue 20 Jan 2009 606,064 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\60e28f2fefe55b8867c36eb78f0d8fdc\ BIT45F.tmp"
Tue 20 Jan 2009 8,838,082 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\7510764a379c454f8a63fd524057d801\ BIT476.tmp"
Tue 20 Jan 2009 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\7779524ce1b472c62f1b0f1a192676ad\ BIT467.tmp"
Tue 20 Jan 2009 2,064,289 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\7b94a59580b29774d63166bdd411779e\ BIT46B.tmp"
Tue 20 Jan 2009 7,568,097 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\7faa20870c6776cd1f316e4a996e02a0\ BIT45D.tmp"
Tue 20 Jan 2009 4,198,322 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\9042a53c4572f5a2c03d7cf3c7b8c660\ BIT46D.tmp"
Tue 20 Jan 2009 2,131,121 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\916bfa969481cdaef14e1805a5f36838\ BIT45C.tmp"
Tue 20 Jan 2009 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\9664ff6405d9e0e32778ca8618d4be26\ BIT465.tmp"
Tue 20 Jan 2009 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\97de84be36b27af6e66a0586433cda52\ BIT463.tmp"
Tue 20 Jan 2009 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\9ec3943a72ea4aa7fb7b808e2b7554c8\ BIT464.tmp"
Tue 20 Jan 2009 658,288 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\9ee5964523257b6757b16b9f92698b0a\ BIT469.tmp"
Tue 20 Jan 2009 639,856 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\9f4032b7c01ffa276d9d4715007a565f\ BIT50B.tmp"
Tue 20 Jan 2009 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\b1b7c028246879bfa7b282d31a0545ca\ BIT470.tmp"
Tue 20 Jan 2009 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\b5ceb6274f4d7fd206d6adab3df8e834\ BIT461.tmp"
Tue 20 Jan 2009 9,237,440 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\b78797d4e2ea9a8dcbe3140f470c3736\ BIT45B.tmp"
Tue 20 Jan 2009 4,002,699 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\c9e0a1f39e0cc4f28d528e7663acf15f\ BIT46A.tmp"
Tue 20 Jan 2009 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\cb1cc7c8ed3868a5a32ffb677fe0fde8\ BIT468.tmp"
Tue 20 Jan 2009 9,125,335 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\cfda6a5f0253f13aa506464213273105\ BIT472.tmp"
Tue 20 Jan 2009 3,413,065 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\e1749044d2d432721cb286a5985abcde\ BIT46F.tmp"
Tue 20 Jan 2009 1,945,267 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\f1092d1fd4234f8be26835d1f7b0bdcb\ BIT460.tmp"
Tue 20 Jan 2009 4,133,846 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\f933472eb8131bfff7bb4b909a21dd8e\ BIT462.tmp"
Mon 10 Nov 2008 20,480 A..H. --- "C:\Documents and Settings\David\Local Settings\Application Data\Microsoft\Journal\Cache\NB3.tmp"

Finished!

Kenny94 · 22-Jan-2009, 12:26 PM #7

We still have infections to remove...

Please download ATF Cleaner by Atribune.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Click Exit on the Main menu to close the program.

Next

Please download Malwarebytes Anti-Malware and save it to your desktop. alternate link 1 alternate link 2

Make sure you are connected to the Internet.
Double-click on Download_mbam-setup.exe to install the application.
When the installation begins, follow the prompts and do not make any changes to default settings.
When installation has finished, make sure you leave both of these checked:
- Update Malwarebytes' Anti-Malware
- Launch Malwarebytes' Anti-Malware
Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
- Make sure the "Perform Quick Scan" option is selected.
- Then click on the Scan button.
If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
Make sure that everything is checked, and click Remove Selected.
When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply with a new hijackthis log.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

mallwo27 · 22-Jan-2009, 12:40 PM #8

oops...

I thought we were done and I have now given the laptop back to the owner. I will try and track him down so I can get it back and finish working on it.... it may be a bit tricky as we are on an army base in the middle east and i have no direct point of contact for him.... but hopefully he will be dropping by my office soon with some goodies to return the favour so I will try to get his laptop back and will run these programs!!

thanks again for your help! If I manage to get the computer back I will let you know how I get on with these next steps.... and then wait until you say we're done before I give it back to him again!!

Mark

Kenny94 · 22-Jan-2009, 12:42 PM #9

Quote:

Originally Posted by mallwo27

oops...

I thought we were done and I have now given the laptop back to the owner. I will try and track him down so I can get it back and finish working on it.... it may be a bit tricky as we are on an army base in the middle east and i have no direct point of contact for him.... but hopefully he will be dropping by my office soon with some goodies to return the favour so I will try to get his laptop back and will run these programs!!

thanks again for your help! If I manage to get the computer back I will let you know how I get on with these next steps.... and then wait until you say we're done before I give it back to him again!!

Mark

Sounds good! Be safe....

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)

Solved: explorer.exe virus/malware?!

Find the solution to your computer problem!

Find the solution to your
computer problem!