HELP!!! Computer won't do anything!

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

gpotts1636

Thread Starter
Joined
Apr 5, 2010
Messages
65
At my wits end....have been fighting a series of viruses and problems that have culminated in my computer now not doing anything. I booted up and when I click on anything on the desktop or start menu....I get zilch...sometimes it pauses for just a sec like something is going to happen and then nothing. This is causing an unbelievable amount of issues and likely to lose me a lot of money as the contents of the machine are so important to my business. Can anybody help or am I out of luck?
 

CatByte

Malware Specialist
Joined
Feb 24, 2009
Messages
3,930
Try booting into safe mode

Reboot and tap F8 on startup...an options menu should appear...choose "Last known Good Configuration" see if that helps


then run these programs:


Please download DDS from either of these links

LINK 1
LINK 2

and save it to your desktop.



  • Disable any script blocking protection
  • Double click dds.pif to run the tool.
  • When done, two DDS.txt's will open.
  • Save both reports to your desktop.



---------------------------------------------------

Please include the contents of the following in your next reply:

DDS.txt
Attach.txt.


NEXT



Download GMER Rootkit Scanner from here or here.



  • Extract the contents of the zipped file to desktop.
  • Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
      • Sections
      • IAT/EAT
      • Drives/Partition other than Systemdrive (typically C:\)
      • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and post it in your next reply.





**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries
 

gpotts1636

Thread Starter
Joined
Apr 5, 2010
Messages
65
I have not rebooted to see if it will allow me to access the web...right now it will not. I am posting here from my laptop. Before I did the reboot I wanted to know if I should save the files to a flash on my laptop and whether that would even be helpful. Right now, on the infected machine I can do nothing.
 

CatByte

Malware Specialist
Joined
Feb 24, 2009
Messages
3,930
Are you able to boot into safe mode?

Are you able to reach a desktop in either safe or normal mode?

Are your icons present on the desktop?

Were you able to reach the options menu when you tapped F8 on bootup?

Were you able to try "Last known Good Configuration"?

Please try and give as much detailed information as possible about the status of your computer...any error messages? stages it will boot to? whether task manager or your run box will open etc. etc...

then I will know better how best to approach this situation.
 

gpotts1636

Thread Starter
Joined
Apr 5, 2010
Messages
65
Ok, I'll try. I guess what I am most worried about is just turning the machine off and not ever being able to turn back on. Task manager does not work now...and has not since this started several weeks ago....
 

gpotts1636

Thread Starter
Joined
Apr 5, 2010
Messages
65
I was able to reboot Windows in safe mode...got to the desktop and tried to access the web with both Firefox and Explorer and it would not connect, the programs did open but error coming back saying could not connect. I was able to open the only other program, Excel, that I tried. Task manager does not open. Any ideas....is that enough info?

I do have exefix.reg on my desktop, should I try running that?
 

CatByte

Malware Specialist
Joined
Feb 24, 2009
Messages
3,930
No,


can you download the above programs on another computer and transfer them to the infected computer via USB and run them?


What type of infection were you battling...can you describe what was happening and what tools or what have you done to try and clean the system?

If GMER and DDS will not run...tell me what happens...do you get an error message?

Run this program first


it will run directly from a USB stick:

Please download exeHelper to your desktop.

  • Double-click on exeHelper.com to run the fix.
  • A black window should pop up, press any key to close once the fix is completed.
  • Post the contents of log.txt (Will be created in the directory where you ran exeHelper.com)


Note If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).
 

gpotts1636

Thread Starter
Joined
Apr 5, 2010
Messages
65
This is the log of running exehelper

Helper by Raktor
Build 20100329
Run at 11:20:53 on 04/07/10
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--

I should run the other programs now?
 

CatByte

Malware Specialist
Joined
Feb 24, 2009
Messages
3,930
yes, try not to reboot the machine, if you have to, re-run exehelper

also uncheck the box beside "files" in GMER, that may help also.
 

gpotts1636

Thread Starter
Joined
Apr 5, 2010
Messages
65
Here is the result of the dds:

(Ver_10-03-17.01) - NTFSx86 MINIMAL
Run by Gregory Potts at 11:25:53.10 on Wed 04/07/2010
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1023.759 [GMT -5:00]
AV: Norton 360 *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: Norton 360 *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\freecell.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
I:\Help\exeHelper.com
I:\Help\dds.com
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.ask.com?o=15557&l=dis
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uWindow Title = Microsoft Internet Explorer provided by Comcast
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mDefault_Page_URL = hxxp://www.sony.com/vaiopeople
mSearch Page =
mStart Page = hxxp://home.sweetim.com
mSearch Bar = about:blank
mWindow Title = Microsoft Internet Explorer provided by Comcast
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = about:blank
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: UrlSearchHook Class: {00000000-6e41-4fd3-8538-502f5495e5fc} - c:\program files\ask.com\GenericAskToolbar.dll
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uURLSearchHooks: SweetIM ToolbarURLSearchHook Class: {eee6c35d-6118-11dc-9c72-001320c79847} - c:\program files\sweetim\toolbars\internet explorer\mgHelper.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - d:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\engine\3.8.0.41\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360\engine\3.8.0.41\IPSBHO.DLL
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - d:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: SweetIM Toolbar Helper: {eee6c35c-6118-11dc-9c72-001320c79847} - c:\program files\sweetim\toolbars\internet explorer\mgToolbarIE.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - d:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: SweetIM Toolbar for Internet Explorer: {eee6c35b-6118-11dc-9c72-001320c79847} - c:\program files\sweetim\toolbars\internet explorer\mgToolbarIE.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\engine\3.8.0.41\coIEPlg.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - d:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Messenger (Yahoo!)] ~"c:\progra~1\yahoo!\messen~1\YahooMessenger.exe" -quiet
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRunOnce: [DelayShred] "c:\program files\mcafee\mcafee shared components\shredder 5\shred32.exe" /q c:\docume~1\gregor~1\locals~1\tempor~1\content.ie5\mr6n252v\ff2_1_~1.sh! c:\docume~1\gregor~1\locals~1\tempor~1\content.ie5\lzfb910q\optn_1~1.sh! c:\docume~1\gregor~1\locals~1\tempor~1\content.ie5\gv17aufd\click_~1.sh! c:\docume~1\gregor~1\locals~1\tempor~1\content.ie5\kl8ji7w7\optn_1~1.sh! c:\docume~1\gregor~1\locals~1\tempor~1\content.ie5\sptq6t5u\index_~1.sh! c:\docume~1\gregor~1\locals~1\temp\~df2d9a.sh! c:\docume~1\gregor~1\locals~1\temp\~df2d8d.sh! c:\docume~1\gregor~1\locals~1\temp\~df1535.sh! c:\docume~1\gregor~1\locals~1\temp\toolbo~3.sh! c:\docume~1\gregor~1\locals~1\temp\perfli~1.sh! c:\docume~1\gregor~1\locals~1\temp\ja8865~1.sh! c:\docume~1\gregor~1\locals~1\temp\ja8861~1.sh! c:\docume~1\gregor~1\locals~1\temp\ja886d~1.sh! c:\docume~1\gregor~1\locals~1\temp\ja8869~1.sh! c:\docume~1\gregor~1\locals~1\temp\ja7865~1.sh! c:\docume~1\gregor~1\locals~1\temp\jaa469~1.sh! c:\docume~1\gregor~1\locals~1\temp\ja9465~1.sh! c:\docume~1\gregor~1\locals~1\temp\ja946d~1.sh! c:\docume~1\gregor~1\locals~1\temp\ja9469~1.sh! c:\docume~1\gregor~1\locals~1\temp\ja8465~1.sh! c:\docume~1\gregor~1\locals~1\temp\ja8461~1.sh! c:\docume~1\gregor~1\locals~1\temp\ja846d~1.sh! c:\docume~1\gregor~1\locals~1\temp\jar_ca~4.sh! c:\docume~1\gregor~1\locals~1\temp\jar_ca~3.sh! c:\docume~1\gregor~1\locals~1\temp\jar_ca~2.sh! c:\docume~1\gregor~1\locals~1\temp\JAR_CA~1.SH!
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [ATIModeChange] Ati2mdxx.exe
mRun: [ezShieldProtector for Px] c:\windows\system32\ezSP_Px.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [VAIO Recovery] c:\windows\sonysys\vaio recovery\PartSeal.exe
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\point32.exe"
mRun: [StatusClient 2.6] c:\program files\hewlett-packard\toolbox\statusclient\StatusClient.exe /auto
mRun: [TomcatStartup 2.5] c:\program files\hewlett-packard\toolbox\hpbpsttp.exe
mRun: [Acrobat Assistant 7.0] "d:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [<NO NAME>]
mRun: [SweetIM] c:\program files\sweetim\messenger\SweetIM.exe
mRun: [HiYo] c:\program files\hiyo\bin\HiYo.exe /RunFromStartup
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [zzz_ImInstaller_HiYo] "c:\documents and settings\gregory potts\local settings\temp\iminstaller\hiyo\HiYo_Install.exe" -startup -product HiYo
mRun: [OSSelectorReinstall] c:\program files\common files\acronis\acronis disk director\oss_reinstall.exe
mRun: [Mouse Suite 98 Daemon] ICO.EXE
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [PC Medkit] "c:\program files\pc medkit\2.3.0.7\PCMedkit.exe" --start-trayed
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
StartupFolder: c:\docume~1\gregor~1\startm~1\programs\startup\pictur~1.lnk - d:\program files\sony\sony picture utility\volumewatcher\SPUVolumeWatcher.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-000000000002}\SC_Acrobat.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpbutt~1.lnk - c:\program files\hp\button manager\BM.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\magic-i.lnk - d:\programfiles\arcsoft\Magic-i.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\remoco~1.lnk - c:\program files\sony\usbsircs\usbsircs.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
IE: &AOL Toolbar search - c:\program files\aol toolbar\toolbar.dll/SEARCH.HTML
IE: &Google Search - c:\program files\google\GoogleToolbar2.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: Backward Links - c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar2.dll/cmcache.html
IE: Convert link target to Adobe PDF - d:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - d:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - d:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - d:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - d:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - d:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - d:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - d:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - d:\office12\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar2.dll/cmtrans.html
IE: {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/
IE: {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/
IE: {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - d:\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: citigroup.com
Trusted Zone: turbotax.com
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {11111111-1111-1111-1111-111111113457} - file://c:\ied_s7.cab
DPF: {11111111-1111-1111-1111-511111113457} - file://c:\x.cab
DPF: {11111111-1111-1111-1111-511111113458} - file://c:\x.cab
DPF: {2BE6A92D-D51C-4659-B372-BB18C99BC439} - hxxp://ce0.cacheus.com/_S/ppmate/PPMATE.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton 360\engine\3.8.0.41\CoIEPlg.dll
Notify: igfxcui - igfxsrvc.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\gregor~1\applic~1\mozilla\firefox\profiles\rk0rsgqz.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.sweetim.com/search.asp?src=2&q=
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - hxxp://www.ask.com?o=15557&l=dis
FF - prefs.js: keyword.URL - hxxp://websearch.ask.com/redirect?client=ff&src=kw&tb=BLT&o=15554&locale=en_US&q=
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\coffplgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\ipsffplgn\components\IPSFFPl.dll
FF - plugin: c:\progra~1\yahoo!\common\npyaxmpb.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\real\realone player\netscape6\nppl3260.dll
FF - plugin: c:\program files\real\realone player\netscape6\nprjplug.dll
FF - plugin: c:\program files\real\realone player\netscape6\nprpjplug.dll
FF - plugin: d:\program files\adobe\acrobat 7.0\acrobat\browser\nppdf32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: XULRunner: {EA57AFA6-6364-4336-A8F4-A01788F66704} - c:\documents and settings\gregory potts\local settings\application data\{EA57AFA6-6364-4336-A8F4-A01788F66704}
FF - HiddenExtension: Java Console: No Registry Reference - d:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
============= SERVICES / DRIVERS ===============
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0308000.029\SymEFA.sys [2010-2-12 310320]
S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-3-28 162640]
S1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\n360\0308000.029\BHDrvx86.sys [2010-2-12 259632]
S1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0308000.029\cchpx86.sys [2010-2-12 482432]
S1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20100402.001\IDSXpx86.sys [2010-4-5 329592]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-3-28 19024]
S2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-3-28 40384]
S2 N360;Norton 360;c:\program files\norton 360\engine\3.8.0.41\ccSvcHst.exe [2010-2-12 117640]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-3-28 40384]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-3-28 40384]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-10-19 102448]
S3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100406.023\NAVENG.SYS [2010-4-6 84912]
S3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100406.023\NAVEX15.SYS [2010-4-6 1324720]
=============== Created Last 30 ================
2010-03-29 03:58:21 0 dc----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-03-27 14:34:01 0 d-----r- c:\program files\Norton Support
2010-03-14 04:56:36 0 dc----w- c:\docume~1\alluse~1\applic~1\RegCure
2010-03-14 04:24:53 0 d-----w- c:\program files\Ask.com
2010-03-14 04:21:52 0 d-----w- c:\docume~1\gregor~1\applic~1\Blitware
2010-03-14 04:21:25 0 d-----w- c:\program files\PC Medkit
2010-03-13 18:20:24 0 dc----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-03-13 18:20:24 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-03-13 18:02:23 0 d-----w- c:\program files\common files\PC Tools
2010-03-13 17:47:06 0 d-----w- c:\windows\system32\N360_BACKUP
==================== Find3M ====================
2010-03-11 12:38:54 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38:52 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38:51 17408 ----a-w- c:\windows\system32\corpol.dll
2009-06-22 04:56:03 442080 ----a-w- c:\program files\msgr9us.exe
2009-06-08 15:25:25 3371384 ----a-w- c:\program files\mbam-setup.exe
2009-03-31 21:57:47 74949864 ----a-w- c:\program files\N360S300EN.exe
============= FINISH: 11:27:55.06 ===============


I will attach the corresponding attach zip next...
 

CatByte

Malware Specialist
Joined
Feb 24, 2009
Messages
3,930
If you have any trouble running GMER, uncheck the box beside "files" as well - that often helps.

In case it crashes, make note of any files that say 'rootkit', 'hidden', 'suspicious modification' or 'max++'

thanks
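A small triage helper for a saved Gmer.txt, added here as an example and not part of CatByte's instructions or of GMER itself: it applies the keyword rule from the post above ('rootkit', 'hidden', 'suspicious modification', 'max++') per GMER section and skips the scan banner, so the "Rootkit scan ..." header line is not reported as a finding. The section-header layout is an assumption about GMER's text output, and the sample log is constructed from the format of the GMER output posted in this thread.

```python
import re
from typing import Dict, List

# Keywords the malware specialist asks the poster to note in GMER output.
WATCH_WORDS = ("rootkit", "hidden", "suspicious modification", "max++")

# Assumed GMER text layout: sections open with "---- <Name> - GMER <ver> ----"
# and the log ends with "---- EOF - GMER <ver> ----".
SECTION_RE = re.compile(r"^---- (?P<name>.+?) - GMER [\d.]+ ----$")
EOF_RE = re.compile(r"^---- EOF - GMER")


def triage_gmer(log_text: str) -> Dict[str, List[str]]:
    """Group the lines that contain a watch word by GMER section.

    Lines before the first section header (the banner, which always
    contains the words "Rootkit scan") are never reported, so the banner
    cannot masquerade as a finding. Matching is case-insensitive.
    """
    findings: Dict[str, List[str]] = {}
    section = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if EOF_RE.match(line):
            break
        header = SECTION_RE.match(line)
        if header:
            section = header.group("name")
            continue
        if section is None:
            continue  # still in the banner, nothing to report
        lowered = line.lower()
        if any(word in lowered for word in WATCH_WORDS):
            findings.setdefault(section, []).append(line)
    return findings


def format_for_reply(findings: Dict[str, List[str]]) -> str:
    """Render the findings as the short note a poster would paste back."""
    if not findings:
        return "No rootkit/hidden/suspicious/max++ entries found."
    out = []
    for section, lines in findings.items():
        out.append(f"[{section}]")
        out.extend("  " + line for line in lines)
    return "\n".join(out)


# Constructed sample modelled on the GMER log posted in this thread; the
# "example.sys (*** hidden ***)" line is invented here to exercise the rule.
SAMPLE_GMER_LOG = r"""
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-07 18:19:18
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOCUME~1\GREGOR~1\LOCALS~1\Temp\pwtdapod.sys

---- Devices - GMER 1.0.15 ----
Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 snapman.sys (Acronis Snapshot API/Acronis)
Device -> \Driver\atapi \Device\Harddisk0\DR0 86ED9CA1
---- Files - GMER 1.0.15 ----
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification
File C:\WINDOWS\system32\drivers\example.sys (*** hidden ***)
---- EOF - GMER 1.0.15 ----
"""

if __name__ == "__main__":
    print(format_for_reply(triage_gmer(SAMPLE_GMER_LOG)))
```

The output is only a list of lines to report back; as the caution earlier in the thread says, such entries are often false positives and are not acted on by the poster.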
 

gpotts1636

Thread Starter
Joined
Apr 5, 2010
Messages
65
Here are the results of running GMER:

R 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-07 18:19:18
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOCUME~1\GREGOR~1\LOCALS~1\Temp\pwtdapod.sys

---- Devices - GMER 1.0.15 ----
Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
Device Cdfs.SYS (CD-ROM File System Driver/Microsoft Corporation)
Device -> \Driver\atapi \Device\Harddisk0\DR0 86ED9CA1
---- Files - GMER 1.0.15 ----
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification
---- EOF - GMER 1.0.15 ----


I have also attached the log. I have some anti spyware programs on the computer such as Spy bot search and destroy, Uni Registry, etc. Should I now try and run those or do the logs give you something to work with?

I really appreciate the help. Thanks.....
 


CatByte

Malware Specialist
Joined
Feb 24, 2009
Messages
3,930
Hi,

Please don't run anything that I don't ask you to, or it may interfere with what I am trying to do.

Please do the following:

Download ComboFix from either of these locations:
Link 1
Link 2


VERY IMPORTANT !!!
Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
 

gpotts1636

Thread Starter
Joined
Apr 5, 2010
Messages
65
Well I copied this onto my flash and went back to the infected computer and cannot get it to recognize the flash is there. Also had a message that said Windows had installed new hardware and needed to reboot and without really thinking clicked no. Recommendations? Are all your clients this difficult? Thanks....
 