
HELP!!! Computer won't do anything!

Discussion in 'Virus & Other Malware Removal' started by gpotts1636, Apr 5, 2010.

Thread Status:
Not open for further replies.
  1. gpotts1636

    gpotts1636 Thread Starter

    Joined:
    Apr 5, 2010
    Messages:
    65
    At my wits' end....have been fighting a series of viruses and problems that have culminated in my computer now not doing anything. I booted up and when I click on anything on the desktop or start menu....I get zilch...sometimes it pauses for just a sec like something is going to happen and then nothing. This is causing an unbelievable amount of issues and is likely to lose me a lot of money as the contents of the machine are so important to my business. Can anybody help or am I out of luck?
     
  2. CatByte

    CatByte Malware Specialist

    Joined:
    Feb 24, 2009
    Messages:
    3,930
    Try booting into safe mode

    Reboot and tap F8 on startup...an options menu should appear...choose "Last known Good Configuration" see if that helps


    then run these programs:


    Please download DDS from either of these links

    LINK 1
    LINK 2

    and save it to your desktop.



    • Disable any script blocking protection.
    • Double click dds.pif to run the tool.
    • When done, two DDS.txt's will open.
    • Save both reports to your desktop.

    ---------------------------------------------------
    Please include the contents of the following in your next reply:

    DDS.txt
    Attach.txt.


    NEXT


    Download GMER Rootkit Scanner from here or here.



    • Extract the contents of the zipped file to desktop.
    • Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent.
    • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
    • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
        • Sections
        • IAT/EAT
        • Drives/Partition other than Systemdrive (typically C:\)
        • Show All (don't miss this one)
    • Then click the Scan button & wait for it to finish.
    • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
    • Save it where you can easily find it, such as your desktop, and post it in your next reply.



    **Caution**
    Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.
     
  3. gpotts1636

    gpotts1636 Thread Starter

    Joined:
    Apr 5, 2010
    Messages:
    65
    I have not rebooted to see if it will allow me to access the web...right now it will not. I am posting here from my laptop. Before I did the reboot I wanted to know if I should save the files to a flash on my laptop and whether that would even be helpful. Right now, on the infected machine I can do nothing.
     
  4. CatByte

    CatByte Malware Specialist

    Joined:
    Feb 24, 2009
    Messages:
    3,930
    Are you able to boot into safe mode?

    Are you able to reach a desktop in either safe or normal mode?

    Are your icons present on the desktop?

    Were you able to reach the options menu when you tapped F8 on bootup?

    Were you able to try "Last Known Good Configuration"?

    Please try and give as much detailed information as possible about the status of your computer...any error messages? stages it will boot to? whether task manager or your run box will open etc. etc...

    then I will know better how best to approach this situation.
     
  5. gpotts1636

    gpotts1636 Thread Starter

    Joined:
    Apr 5, 2010
    Messages:
    65
    Ok, I'll try. I guess what I am most worried about is just turning the machine off and not ever being able to turn back on. Task manager does not work now...and has not since this started several weeks ago....
     
  6. gpotts1636

    gpotts1636 Thread Starter

    Joined:
    Apr 5, 2010
    Messages:
    65
    I was able to reboot Windows in safe mode...got to the desktop and tried to access the web with both Firefox and Explorer and it would not connect; the programs did open but an error came back saying it could not connect. I was able to open the only other program, Excel, that I tried. Task manager does not open. Any ideas....is that enough info?

    I do have exefix.reg on my desktop, should I try running that?
     
  7. CatByte

    CatByte Malware Specialist

    Joined:
    Feb 24, 2009
    Messages:
    3,930
    No.

    Can you download the above programs on another computer and transfer them to the infected computer via USB and run them?

    What type of infection were you battling...can you describe what was happening and what tools you have used or what you have done to try and clean the system?

    If GMER and DDS will not run...tell me what happens...do you get an error message?

    Run this program first; it will run directly from a USB stick:

    Please download exeHelper to your desktop.

    • Double-click on exeHelper.com to run the fix.
    • A black window should pop up, press any key to close once the fix is completed.
    • Post the contents of log.txt (Will be created in the directory where you ran exeHelper.com)

    Note If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).
     
  8. gpotts1636

    gpotts1636 Thread Starter

    Joined:
    Apr 5, 2010
    Messages:
    65
    This is the log of running exeHelper:

    Helper by Raktor
    Build 20100329
    Run at 11:20:53 on 04/07/10
    Now searching...
    Checking for numerical processes...
    Checking for sysguard processes...
    Checking for bad processes...
    Checking for bad files...
    Checking for bad registry entries...
    Resetting filetype association for .exe
    Resetting filetype association for .com
    Resetting userinit and shell values...
    Resetting policies...
    --Finished--

    Should I run the other programs now?
     
  9. CatByte

    CatByte Malware Specialist

    Joined:
    Feb 24, 2009
    Messages:
    3,930
    Yes. Try not to reboot the machine; if you have to, re-run exeHelper.

    Also uncheck the box beside "Files" in GMER; that may help too.
     
  10. gpotts1636

    gpotts1636 Thread Starter

    Joined:
    Apr 5, 2010
    Messages:
    65
    Here is the result of the DDS:

    (Ver_10-03-17.01) - NTFSx86 MINIMAL
    Run by Gregory Potts at 11:25:53.10 on Wed 04/07/2010
    Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_07
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1023.759 [GMT -5:00]
    AV: Norton 360 *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
    AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
    FW: Norton 360 *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
    ============== Running Processes ===============
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\freecell.exe
    C:\Program Files\Windows Live\Contacts\wlcomm.exe
    I:\Help\exeHelper.com
    I:\Help\dds.com
    ============== Pseudo HJT Report ===============
    uStart Page = hxxp://www.ask.com?o=15557&l=dis
    uSearch Page = hxxp://www.google.com
    uSearch Bar = hxxp://www.google.com/ie
    uWindow Title = Microsoft Internet Explorer provided by Comcast
    uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
    mDefault_Page_URL = hxxp://www.sony.com/vaiopeople
    mSearch Page =
    mStart Page = hxxp://home.sweetim.com
    mSearch Bar = about:blank
    mWindow Title = Microsoft Internet Explorer provided by Comcast
    uInternet Settings,ProxyOverride = <local>
    uSearchAssistant = about:blank
    uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
    mSearchAssistant = hxxp://www.google.com/ie
    uURLSearchHooks: UrlSearchHook Class: {00000000-6e41-4fd3-8538-502f5495e5fc} - c:\program files\ask.com\GenericAskToolbar.dll
    uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
    uURLSearchHooks: SweetIM ToolbarURLSearchHook Class: {eee6c35d-6118-11dc-9c72-001320c79847} - c:\program files\sweetim\toolbars\internet explorer\mgHelper.dll
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - d:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\engine\3.8.0.41\coIEPlg.dll
    BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360\engine\3.8.0.41\IPSBHO.DLL
    BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
    BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll
    BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - d:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
    BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
    BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
    BHO: SweetIM Toolbar Helper: {eee6c35c-6118-11dc-9c72-001320c79847} - c:\program files\sweetim\toolbars\internet explorer\mgToolbarIE.dll
    TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
    TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
    TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - d:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
    TB: SweetIM Toolbar for Internet Explorer: {eee6c35b-6118-11dc-9c72-001320c79847} - c:\program files\sweetim\toolbars\internet explorer\mgToolbarIE.dll
    TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\engine\3.8.0.41\coIEPlg.dll
    TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
    TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
    TB: {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - No File
    TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
    TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
    TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
    EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - d:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
    EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [Messenger (Yahoo!)] ~"c:\progra~1\yahoo!\messen~1\YahooMessenger.exe" -quiet
    uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
    uRunOnce: [DelayShred] "c:\program files\mcafee\mcafee shared components\shredder 5\shred32.exe" /q c:\docume~1\gregor~1\locals~1\tempor~1\content.ie5\mr6n252v\ff2_1_~1.sh! c:\docume~1\gregor~1\locals~1\tempor~1\content.ie5\lzfb910q\optn_1~1.sh! c:\docume~1\gregor~1\locals~1\tempor~1\content.ie5\gv17aufd\click_~1.sh! c:\docume~1\gregor~1\locals~1\tempor~1\content.ie5\kl8ji7w7\optn_1~1.sh! c:\docume~1\gregor~1\locals~1\tempor~1\content.ie5\sptq6t5u\index_~1.sh! c:\docume~1\gregor~1\locals~1\temp\~df2d9a.sh! c:\docume~1\gregor~1\locals~1\temp\~df2d8d.sh! c:\docume~1\gregor~1\locals~1\temp\~df1535.sh! c:\docume~1\gregor~1\locals~1\temp\toolbo~3.sh! c:\docume~1\gregor~1\locals~1\temp\perfli~1.sh! c:\docume~1\gregor~1\locals~1\temp\ja8865~1.sh! c:\docume~1\gregor~1\locals~1\temp\ja8861~1.sh! c:\docume~1\gregor~1\locals~1\temp\ja886d~1.sh! c:\docume~1\gregor~1\locals~1\temp\ja8869~1.sh! c:\docume~1\gregor~1\locals~1\temp\ja7865~1.sh! c:\docume~1\gregor~1\locals~1\temp\jaa469~1.sh! c:\docume~1\gregor~1\locals~1\temp\ja9465~1.sh! c:\docume~1\gregor~1\locals~1\temp\ja946d~1.sh! c:\docume~1\gregor~1\locals~1\temp\ja9469~1.sh! c:\docume~1\gregor~1\locals~1\temp\ja8465~1.sh! c:\docume~1\gregor~1\locals~1\temp\ja8461~1.sh! c:\docume~1\gregor~1\locals~1\temp\ja846d~1.sh! c:\docume~1\gregor~1\locals~1\temp\jar_ca~4.sh! c:\docume~1\gregor~1\locals~1\temp\jar_ca~3.sh! c:\docume~1\gregor~1\locals~1\temp\jar_ca~2.sh! c:\docume~1\gregor~1\locals~1\temp\JAR_CA~1.SH!
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [nwiz] nwiz.exe /installquiet
    mRun: [ATIModeChange] Ati2mdxx.exe
    mRun: [ezShieldProtector for Px] c:\windows\system32\ezSP_Px.exe
    mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [AGRSMMSG] AGRSMMSG.exe
    mRun: [VAIO Recovery] c:\windows\sonysys\vaio recovery\PartSeal.exe
    mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\point32.exe"
    mRun: [StatusClient 2.6] c:\program files\hewlett-packard\toolbox\statusclient\StatusClient.exe /auto
    mRun: [TomcatStartup 2.5] c:\program files\hewlett-packard\toolbox\hpbpsttp.exe
    mRun: [Acrobat Assistant 7.0] "d:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
    mRun: [<NO NAME>]
    mRun: [SweetIM] c:\program files\sweetim\messenger\SweetIM.exe
    mRun: [HiYo] c:\program files\hiyo\bin\HiYo.exe /RunFromStartup
    mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
    mRun: [zzz_ImInstaller_HiYo] "c:\documents and settings\gregory potts\local settings\temp\iminstaller\hiyo\HiYo_Install.exe" -startup -product HiYo
    mRun: [OSSelectorReinstall] c:\program files\common files\acronis\acronis disk director\oss_reinstall.exe
    mRun: [Mouse Suite 98 Daemon] ICO.EXE
    mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [PC Medkit] "c:\program files\pc medkit\2.3.0.7\PCMedkit.exe" --start-trayed
    mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
    StartupFolder: c:\docume~1\gregor~1\startm~1\programs\startup\pictur~1.lnk - d:\program files\sony\sony picture utility\volumewatcher\SPUVolumeWatcher.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-000000000002}\SC_Acrobat.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpbutt~1.lnk - c:\program files\hp\button manager\BM.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\magic-i.lnk - d:\programfiles\arcsoft\Magic-i.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\remoco~1.lnk - c:\program files\sony\usbsircs\usbsircs.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
    IE: &AOL Toolbar search - c:\program files\aol toolbar\toolbar.dll/SEARCH.HTML
    IE: &Google Search - c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    IE: &Translate English Word - c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
    IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
    IE: Backward Links - c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar2.dll/cmcache.html
    IE: Convert link target to Adobe PDF - d:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert link target to existing PDF - d:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert selected links to Adobe PDF - d:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert selected links to existing PDF - d:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Convert selection to Adobe PDF - d:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert selection to existing PDF - d:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert to Adobe PDF - d:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert to existing PDF - d:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: E&xport to Microsoft Excel - d:\office12\EXCEL.EXE/3000
    IE: Similar Pages - c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    IE: Translate Page into English - c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    IE: {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/
    IE: {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/
    IE: {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - d:\office12\REFIEBAR.DLL
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    Trusted Zone: citigroup.com
    Trusted Zone: turbotax.com
    DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
    DPF: {11111111-1111-1111-1111-111111113457} - file://c:\ied_s7.cab
    DPF: {11111111-1111-1111-1111-511111113457} - file://c:\x.cab
    DPF: {11111111-1111-1111-1111-511111113458} - file://c:\x.cab
    DPF: {2BE6A92D-D51C-4659-B372-BB18C99BC439} - hxxp://ce0.cacheus.com/_S/ppmate/PPMATE.CAB
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
    Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton 360\engine\3.8.0.41\CoIEPlg.dll
    Notify: igfxcui - igfxsrvc.dll
    SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
    ================= FIREFOX ===================
    FF - ProfilePath - c:\docume~1\gregor~1\applic~1\mozilla\firefox\profiles\rk0rsgqz.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.sweetim.com/search.asp?src=2&q=
    FF - prefs.js: browser.search.selectedEngine - Ask.com
    FF - prefs.js: browser.startup.homepage - hxxp://www.ask.com?o=15557&l=dis
    FF - prefs.js: keyword.URL - hxxp://websearch.ask.com/redirect?client=ff&src=kw&tb=BLT&o=15554&locale=en_US&q=
    FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\coffplgn\components\coFFPlgn.dll
    FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\ipsffplgn\components\IPSFFPl.dll
    FF - plugin: c:\progra~1\yahoo!\common\npyaxmpb.dll
    FF - plugin: c:\program files\microsoft\office live\npOLW.dll
    FF - plugin: c:\program files\real\realone player\netscape6\nppl3260.dll
    FF - plugin: c:\program files\real\realone player\netscape6\nprjplug.dll
    FF - plugin: c:\program files\real\realone player\netscape6\nprpjplug.dll
    FF - plugin: d:\program files\adobe\acrobat 7.0\acrobat\browser\nppdf32.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
    FF - HiddenExtension: XULRunner: {EA57AFA6-6364-4336-A8F4-A01788F66704} - c:\documents and settings\gregory potts\local settings\application data\{EA57AFA6-6364-4336-A8F4-A01788F66704}
    FF - HiddenExtension: Java Console: No Registry Reference - d:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
    ============= SERVICES / DRIVERS ===============
    R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0308000.029\SymEFA.sys [2010-2-12 310320]
    S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-3-28 162640]
    S1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\n360\0308000.029\BHDrvx86.sys [2010-2-12 259632]
    S1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0308000.029\cchpx86.sys [2010-2-12 482432]
    S1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20100402.001\IDSXpx86.sys [2010-4-5 329592]
    S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-3-28 19024]
    S2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-3-28 40384]
    S2 N360;Norton 360;c:\program files\norton 360\engine\3.8.0.41\ccSvcHst.exe [2010-2-12 117640]
    S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-3-28 40384]
    S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-3-28 40384]
    S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-10-19 102448]
    S3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100406.023\NAVENG.SYS [2010-4-6 84912]
    S3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100406.023\NAVEX15.SYS [2010-4-6 1324720]
    =============== Created Last 30 ================
    2010-03-29 03:58:21 0 dc----w- c:\docume~1\alluse~1\applic~1\Alwil Software
    2010-03-27 14:34:01 0 d-----r- c:\program files\Norton Support
    2010-03-14 04:56:36 0 dc----w- c:\docume~1\alluse~1\applic~1\RegCure
    2010-03-14 04:24:53 0 d-----w- c:\program files\Ask.com
    2010-03-14 04:21:52 0 d-----w- c:\docume~1\gregor~1\applic~1\Blitware
    2010-03-14 04:21:25 0 d-----w- c:\program files\PC Medkit
    2010-03-13 18:20:24 0 dc----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
    2010-03-13 18:20:24 0 d-----w- c:\program files\Spybot - Search & Destroy
    2010-03-13 18:02:23 0 d-----w- c:\program files\common files\PC Tools
    2010-03-13 17:47:06 0 d-----w- c:\windows\system32\N360_BACKUP
    ==================== Find3M ====================
    2010-03-11 12:38:54 832512 ----a-w- c:\windows\system32\wininet.dll
    2010-03-11 12:38:52 78336 ----a-w- c:\windows\system32\ieencode.dll
    2010-03-11 12:38:51 17408 ----a-w- c:\windows\system32\corpol.dll
    2009-06-22 04:56:03 442080 ----a-w- c:\program files\msgr9us.exe
    2009-06-08 15:25:25 3371384 ----a-w- c:\program files\mbam-setup.exe
    2009-03-31 21:57:47 74949864 ----a-w- c:\program files\N360S300EN.exe
    ============= FINISH: 11:27:55.06 ===============


    I will attach the corresponding attach zip next...
     
  11. gpotts1636

    gpotts1636 Thread Starter

    Joined:
    Apr 5, 2010
    Messages:
    65
    The zipped attach file...not sure this is working....
     

    Attached Files:

  12. CatByte

    CatByte Malware Specialist

    Joined:
    Feb 24, 2009
    Messages:
    3,930
    If you have any trouble running GMER, uncheck the box beside "Files" as well - that often helps.

    In case it crashes, make note of any files that say 'rootkit', 'hidden', 'suspicious modification' or 'max++'.

    Thanks
     
  13. gpotts1636

    gpotts1636 Thread Starter

    Joined:
    Apr 5, 2010
    Messages:
    65
    Here are the results of running GMER:

    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit scan 2010-04-07 18:19:18
    Windows 5.1.2600 Service Pack 2
    Running: gmer.exe; Driver: C:\DOCUME~1\GREGOR~1\LOCALS~1\Temp\pwtdapod.sys

    ---- Devices - GMER 1.0.15 ----
    Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
    Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 snapman.sys (Acronis Snapshot API/Acronis)
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 snapman.sys (Acronis Snapshot API/Acronis)
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 snapman.sys (Acronis Snapshot API/Acronis)
    AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    Device Cdfs.SYS (CD-ROM File System Driver/Microsoft Corporation)
    Device -> \Driver\atapi \Device\Harddisk0\DR0 86ED9CA1
    ---- Files - GMER 1.0.15 ----
    File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification
    ---- EOF - GMER 1.0.15 ----


    I have also attached the log. I have some anti-spyware programs on the computer such as Spybot Search & Destroy, Uni Registry, etc. Should I now try and run those, or do the logs give you something to work with?

    I really appreciate the help. Thanks.....
     

    Attached Files:
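The DDS "Pseudo HJT Report" in post 10 and the GMER log just above are what a malware specialist reads by eye. The Python script below is an added example, not code from this thread and not part of the DDS or GMER tools; it pulls out of such logs the kinds of lines CatByte asks about: components registered with no file on disk, browser start/search settings, autostart entries that run from a temp directory, and GMER lines carrying the words CatByte asked the poster to note ('rootkit', 'hidden', 'suspicious modification', 'max++'). The two sample logs embedded in it are constructed to mirror the format of the logs posted here, with placeholder CLSIDs, paths and addresses; the script only lists lines for a human to review and makes no determination of its own.

```python
"""Triage helper for DDS and GMER logs (added example; not code from this thread
or from the DDS/GMER tools). It pulls out the lines a malware specialist reads
first and leaves the judgement to the reader."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class Finding:
    source: str   # "DDS" or "GMER"
    reason: str   # why the line was pulled out for review
    line: str     # the original log line, untouched


# Browser settings DDS reports under the u/m (user/machine) prefixes.
BROWSER_KEYS = re.compile(
    r"^[um](Start Page|Search Page|Search Bar|Default_Page_URL|SearchAssistant|SearchURL)"
)
AUTOSTART = re.compile(r"^[um]Run(Once)?:")
# Words CatByte asked the poster to note in the GMER output.
GMER_WORDS = ("suspicious modification", "rootkit", "hidden", "max++")


def triage_dds(text: str) -> list[Finding]:
    """Scan only the 'Pseudo HJT Report' section of a DDS log."""
    findings: list[Finding] = []
    in_hjt = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("="):            # section header line
            if in_hjt:
                break                       # next section ends the HJT report
            in_hjt = "Pseudo HJT Report" in line
            continue
        if not in_hjt or not line:
            continue
        if line.endswith("- No File"):
            findings.append(Finding("DDS", "registered component with no file on disk", line))
        elif BROWSER_KEYS.match(line) and "hxxp" in line:   # DDS defangs http as hxxp
            findings.append(Finding("DDS", "browser start/search setting points at a URL", line))
        elif AUTOSTART.match(line) and "\\temp\\" in line.lower():
            findings.append(Finding("DDS", "autostart entry runs from a temp directory", line))
    return findings


def triage_gmer(text: str) -> list[Finding]:
    """Scan the body of a GMER log; the header (which itself contains the word
    'Rootkit') is skipped until the first '---- ... ----' section line."""
    findings: list[Finding] = []
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("----"):
            in_section = True
            continue
        if not in_section or not line:
            continue
        hit = next((w for w in GMER_WORDS if w in line.lower()), None)
        if hit:
            findings.append(Finding("GMER", f"GMER tagged the entry '{hit}'", line))
        elif line.startswith("Device ->"):
            findings.append(Finding("GMER", "device object reported with a raw address", line))
    return findings


def report(findings: list[Finding]) -> str:
    """One line per finding, for pasting into a reply."""
    return "\n".join(f"[{f.source}] {f.reason}: {f.line}" for f in findings)


# Constructed sample logs (placeholder CLSIDs, paths and addresses), shaped like the thread's.
SAMPLE_DDS = r"""
============== Running Processes ===============
C:\WINDOWS\Explorer.EXE
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.example-search.invalid/?o=1
mSearch Bar = about:blank
BHO: Example Helper: {00000000-0000-0000-0000-000000000001} - c:\program files\example\helper.dll
BHO: {00000000-0000-0000-0000-000000000002} - No File
TB: {00000000-0000-0000-0000-000000000003} - No File
mRun: [Updater] "c:\program files\updater\upd.exe" -quiet
mRun: [zzz_Installer] "c:\documents and settings\user\local settings\temp\installer\setup.exe" -startup
================= FIREFOX ===================
FF - plugin: c:\program files\example\npexample.dll
"""

SAMPLE_GMER = r"""
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-01 00:00:00
Running: gmer.exe; Driver: C:\DOCUME~1\USER\LOCALS~1\Temp\example.sys

---- Devices - GMER 1.0.15 ----
Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
Device -> \Driver\atapi \Device\Harddisk0\DR0 00000000
---- Files - GMER 1.0.15 ----
File C:\WINDOWS\system32\drivers\example.sys suspicious modification
---- EOF - GMER 1.0.15 ----
"""

if __name__ == "__main__":
    print(report(triage_dds(SAMPLE_DDS) + triage_gmer(SAMPLE_GMER)))
```

Run against the constructed samples it lists four DDS lines (the start page, two "No File" entries and the temp-directory autostart) and two GMER lines (the `Device ->` entry and the file GMER marked "suspicious modification"); a "No File" entry or a start page is not by itself evidence of infection, which is why the output is a review list rather than a verdict.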

  14. CatByte

    CatByte Malware Specialist

    Joined:
    Feb 24, 2009
    Messages:
    3,930
    Hi,

    Please don't run anything that I don't ask you to, or it may interfere with what I am trying to do.

    Please do the following:

    Download ComboFix from either of these locations:
    Link 1
    Link 2


    VERY IMPORTANT !!!
    Save ComboFix.exe to your Desktop

    • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
    • Double click on ComboFix.exe & follow the prompts.
    As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    (screenshot)

    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    (screenshot)

    • Click on Yes, to continue scanning for malware.
    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
    Notes:
    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
     
  15. gpotts1636

    gpotts1636 Thread Starter

    Joined:
    Apr 5, 2010
    Messages:
    65
    Well I copied this onto my flash and went back to the infected computer and cannot get it to recognize the flash is there. Also had a message that said Windows had installed new hardware and needed to reboot and without really thinking clicked no. Recommendations? Are all your clients this difficult? Thanks....
     

Short URL to this thread: https://techguy.org/914950
