Leftover Virtumonde trash

Discussion in 'Virus & Other Malware Removal' started by texmedic49, Sep 20, 2010.

  1. texmedic49

    texmedic49 Thread Starter

    Sep 20, 2010

Now that I seem to have removed my root-kit :) I now wish to figure out how to remove what is leftover from a Virtumonde infection that I had last year. I am no longer infected, but have 2 calls for dll files that are left in the registry, and cause an error on system start, generating error boxes. I am simply tired of them, but had to get my other issues taken care of first.

    Hijack This and MB both allow me to delete the registry entries for both dlls, but they keep reappearing. I have researched this, only to find that it has something to do with the system restore function in XP. That doesn't make sense to me as I have turned system restore off, and it still happens. That leads me to believe that this problem is coming from somewhere else, but I have no idea how to track it down.

  2. CatByte

    CatByte Malware Specialist

    Feb 24, 2009

    Please do the following:

    Please download MBRCheck.exe to your desktop.
    • Be sure to disable your security programs
    • Double click on the file to run it (Vista and Windows 7 users will have to confirm the UAC prompt)
    • A window will open on your desktop
    • if an unknown bootcode is found you will have further options available to you, at this time press N then press Enter twice.
    • If nothing unusual is found just press Enter
    • A .txt file named MBRCheck_mm.dd.yy_hh.mm.ss should appear on your desktop.
    • Please post the contents of that file.


    Please download DDS from either of these links

    LINK 1
    LINK 2

    and save it to your desktop.
    • Disable any script blocking protection
    • Double click dds.pif to run the tool.
    • When done, two DDS.txt's will open.
    • Save both reports to your desktop.
    Please include the contents of the following in your next reply:



    Download GMER Rootkit Scanner from here to your desktop. It will be a randomly named executable.
    • Double click the exe file.
    • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO, then use the following settings for a more complete scan.

    • In the right panel, you will see several boxes that have been checked. Ensure the following are unchecked
      • IAT/EAT
      • Drives/Partition other than Systemdrive (typically C:\)
      • Show All (don't miss this one)
    • Then click the Scan button & wait for it to finish.
    • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
    • Save it where you can easily find it, such as your desktop, and attach it in reply.

    Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries

    Note: Please turn System Restore back ON - an infected restore point is better than no restore point at all.
  3. texmedic49

    texmedic49 Thread Starter

    Sep 20, 2010
    Alright, so I got finished with the TDSS infection, and am now ready to tackle this task. I have turned system restore back on, but the DDS log isn't showing the restore point that I just created, and it IS there, or at least it shows up on the calendar. I will run GMER overnight, as it took forever to scan the first time. Here are the other logs:

    DDS (Ver_10-03-17.01)

    ==== Disk Partitions =========================

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    No restore point in system.

    ==== Installed Programs ======================

    7-Zip 4.57
    Access Manager 2
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 8.2.4
    AGEIA PhysX v7.09.13
    Apple Mobile Device Support
    Best Buy Digital Music Store
    BlackBerry Desktop Software 4.3
    CA Anti-Spyware
    CA Anti-Virus
    CA Backup and Migration
    CA Internet Security Suite
    CA Personal Firewall
    CA Pest Patrol Realtime Protection
    CA Website Inspector
    Canon CanoScan Toolbox 4.1
    dBpowerAMP FLAC Codec
    Digital Media Reader
    DirectX for Managed Code Update (December 2004)
    Duplicate File Finder
    FLAC Installer 1.1.2a (remove only)
    Garmin Communicator Plugin
    Garmin USB Drivers
    GIMP 2.6.7
    Google Earth
    Google Toolbar for Internet Explorer
    Google Update Helper
    Google Updater
    GSC 2.00
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows XP (KB954550-v5)
    HP Customer Participation Program 7.0
    HP Driver Diagnostics
    HP Imaging Device Functions 7.0
    HP Photosmart Essential
    HP Photosmart, Officejet and Deskjet 7.0.A
    HP Product Detection
    HP Solution Center 7.0
    HP Update
    hx2000 WM5 Drivers Update
    Intel(R) Graphics Media Accelerator Driver
    Intel(R) PRO Network Adapters and Drivers
    IrfanView (remove only)
    J2SE Runtime Environment 5.0 Update 7
    Java 2 Runtime Environment, SE v1.4.2
    Java Auto Updater
    Java(TM) 6 Update 21
    LG USB Modem driver
    Lizardtech DjVu Control (autoinstall)
    Logitech SetPoint
    Macromedia Flash Player
    Macromedia Shockwave Player
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Office Professional Edition 2003
    Microsoft Picture It! Photo Premium 9
    Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
    Microsoft Works
    mkw Audio Compression Toolkit
    mkw Runtime Libraries
    Monkey's Audio
    Mozilla Firefox (3.6.10)
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 6.0 Parser (KB933579)
    Multimedia Keyboard Driver
    Nero BurnRights
    Nero Suite
    NotifyWire Power Tools for Craigslist
    NVIDIA Drivers
    Octoshape add-in for Adobe Flash Player
    OpenOffice.org 2.4
    Photo Viewer
    Picture Package
    Quick Zip 4.60.017
    RealPlayer Basic
    Realtek High Definition Audio Driver
    Rhapsody Player Engine
    RivaTuner v2.06
    Sansa Updater
    Security Update for Windows Internet Explorer 7 (KB2183461)
    Security Update for Windows Internet Explorer 7 (KB982381)
    Security Update for Windows XP (KB981852)
    Sony Picture Utility
    Sony USB Driver
    SOS Online Backup
    Spybot - Search & Destroy
    Symantec KB-DocID:2003093015493306
    System Requirements Lab
    TeamSpeak 2 RC2
    TEG-PCITXR 32bit Gigabit PCI Adatper
    Unreal Tournament 2004
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    USB Storage Driver
    UT2004Mi v2.00
    Ventrilo Client
    Viewpoint Media Player
    VZAccess Manager for RIM
    WebFldrs XP
    Winamp (remove only)
    Windows Backup Utility
    Windows Driver Package - Garmin (grmnusb) GARMIN Devices (03/08/2007
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Internet Explorer 7
    Windows Media Format 11 runtime
    Windows Media Player 10
    Windows Movie Maker 2.0
    Windows Update Remover
    Windows XP Service Pack 3
    XML Paper Specification Shared Components Pack 1.0
    XviD MPEG4 Video Codec (remove only)

    ==== End Of File ===========================

    DDS (Ver_10-03-17.01) - NTFSx86
    Run by Roland at 0:28:06.78 on Tue 09/21/2010
    Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_21
    AV: CA Anti-Virus *On-access scanning enabled* (Updated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}
    FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
    FW: CA Personal Firewall *enabled* {14CB4B80-8E52-45EA-905E-67C1267B4160}

    ============== Running Processes ===============

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.duckhunter.net/
    uSearch Bar = hxxp://www.google.com/ie
    uSearch Page = hxxp://www.google.com
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    mDefault_Search_URL = hxxp://www.google.com/ie
    uInternet Settings,ProxyServer = http=
    uInternet Settings,ProxyOverride = <local>
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    mSearchAssistant = hxxp://www.google.com/ie
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    BHO: CA Toolbar Helper: {fbf2401b-7447-4727-be5d-c19b2075ca84} - c:\program files\ca\ca internet security suite\ca website inspector\toolbar\CallingIDIE.dll
    TB: CA Toolbar: {10134636-e7af-4ac5-a1dc-c7c44bb97d81} - c:\program files\ca\ca internet security suite\ca website inspector\toolbar\CallingIDIE.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
    TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
    TB: {0C8413C1-FAD1-446C-8584-BE50576F863E} - No File
    EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
    uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
    uRun: [SansaDispatch] c:\documents and settings\roland\application data\sandisk\sansa updater\SansaDispatch.exe
    mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe
    mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
    mRun: [SunKistEM] c:\program files\digital media reader\shwiconem.exe
    mRun: [InCD] c:\program files\ahead\incd\InCD.exe
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [nwiz] nwiz.exe /install
    mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    mRun: [RivaTunerStartupDaemon] "c:\program files\rivatuner v2.06\RivaTuner.exe" /S
    mRun: [SoundMan] SOUNDMAN.EXE
    mRun: [AlcWzrd] ALCWZRD.EXE
    mRun: [Alcmtr] ALCMTR.EXE
    mRun: [cctray] c:\program files\ca\ca internet security suite\casc.exe
    mRun: [CAVRID] "c:\program files\ca\ca internet security suite\ca anti-virus\CAVRID.exe"
    mRun: [CAPPActiveProtection] "c:\program files\ca\ca internet security suite\ca anti-spyware\CAPPActiveProtection.exe"
    mRun: [capfasem] c:\program files\ca\ca internet security suite\ca personal firewall\capfasem.exe
    mRun: [capfupgrade] c:\program files\ca\ca internet security suite\ca personal firewall\capfupgrade.exe
    mRun: [Microsoft Works Update Detection] c:\program files\common files\microsoft shared\works shared\WkUFind.exe
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [mudajaloyo.old] Rundll32.exe "c:\program files\vufogepi\vufogepi.dll",s
    mRun: [28e0bf1e] rundll32.exe "c:\windows\system32\tarozahi.dll",b
    StartupFolder: c:\documents and settings\roland\start menu\programs\startup\Cyber-shot Viewer Media Check Tool.lnk.disabled
    StartupFolder: c:\documents and settings\roland\start menu\programs\startup\dBpowerAMP.lnk.disabled
    StartupFolder: c:\docume~1\roland\startm~1\programs\startup\notify~1.lnk - c:\program files\notifywire\NotifyWire.exe
    StartupFolder: c:\documents and settings\all users\start menu\programs\startup\HP Digital Imaging Monitor.lnk.disabled
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
    mPolicies-explorer: EnableShellExecuteHooks = 1 (0x1)
    mPolicies-system: EnableLUA = 0 (0x0)
    IE: &Google Search
    IE: &Translate English Word
    IE: Backward Links
    IE: Cached Snapshot of Page
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
    IE: Similar Pages
    IE: Translate Page into English
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
    IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
    LSP: c:\windows\system32\VetRedir.dll
    Trusted Zone: sayunkle.com\www
    DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} - hxxp://www.comcastsupport.com/OneClickFix/tgctlsr.cab
    DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxp://supportcenter.rr.com/sdccommon/download/tgctlcm.cab
    DPF: {0DD4ADBE-E91D-48CC-9A04-87EA1674E385} - hxxp://gamer.ubicom.com/benchmarks/PerfTestCliActiveXProj_20060127.cab
    DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} - hxxp://www.lizardtech.com/download/files/win/djvuplugin/en_US/DjVuControl_en_US.cab
    DPF: {15B782AF-55D8-11D1-B477-006097098764} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/authorware/awswaxd.cab
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab
    DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
    DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photo.walgreens.com/WalgreensActivia.cab
    DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} - hxxp://h30155.www3.hp.com/ediags/dd/install/HPInstallMgr_v01_6.cab
    DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} - hxxp://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1198883935150
    DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.nvidia.com/content/DriverDownload/srl/
    DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1250003616890
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
    DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_07-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}
    DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    Notify: igfxcui - igfxsrvc.dll
    AppInit_DLLs: UmxSbxExw.dll
    SSODL: WebCheck - - No File
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: ShellHook Class: {1869181a-9f50-4fcf-8bff-1b8588ecb85c} - c:\program files\ca\ca internet security suite\ca website inspector\linkadvisor\CIDLinkAdvisor.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\roland\applic~1\mozilla\firefox\profiles\84j8c4x7.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.duckhunter.net/
    FF - prefs.js: network.proxy.http -
    FF - prefs.js: network.proxy.http_port - 5555
    FF - prefs.js: network.proxy.type - 0
    FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
    FF - plugin: c:\program files\google\update\\npGoogleOneClick8.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----

    ============= SERVICES / DRIVERS ===============

    =============== Created Last 30 ================

    2010-09-21 00:50:31 1374 ----a-w- c:\windows\imsins.BAK
    2010-09-20 16:03:02 0 ----a-w- C:\vcredist.bmp
    2010-09-19 05:29:35 96512 ----a-w- c:\windows\system32\drivers\vjcqkhni.sys

    ==================== Find3M ====================

    2010-09-20 15:21:56 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
    2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
    2010-08-17 13:17:06 58880 ------w- c:\windows\system32\dllcache\spoolsv.exe
    2010-07-27 06:30:35 8462336 ------w- c:\windows\system32\dllcache\shell32.dll
    2010-07-22 15:49:15 590848 ----a-w- c:\windows\system32\rpcrt4.dll
    2010-07-22 15:49:15 590848 ------w- c:\windows\system32\dllcache\rpcrt4.dll
    2010-07-22 05:57:20 5120 ----a-w- c:\windows\system32\xpsp4res.dll
    2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\schannel.dll
    2010-06-30 12:31:35 149504 ------w- c:\windows\system32\dllcache\schannel.dll
    2010-06-23 13:44:04 1851904 ----a-w- c:\windows\system32\win32k.sys
    2010-06-23 13:44:04 1851904 ------w- c:\windows\system32\dllcache\win32k.sys
    2010-06-23 12:06:51 70656 ------w- c:\windows\system32\dllcache\ie4uinit.exe
    2010-06-23 12:06:51 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
    2008-12-30 16:27:21 6456 ---ha-w- c:\program files\jihobiyi
    2005-05-13 22:12:00 217073 --sha-r- c:\windows\meta4.exe
    2010-06-16 03:24:39 2 --shatr- c:\windows\winstart.bat
    2005-07-14 17:31:20 27648 --sha-r- c:\windows\system32\AVSredirect.dll
    2005-06-26 20:32:28 616448 --sha-r- c:\windows\system32\cygwin1.dll
    2005-06-22 03:37:42 45568 --sha-r- c:\windows\system32\cygz.dll
    2004-01-25 05:00:00 70656 --sha-r- c:\windows\system32\i420vfw.dll
    2005-02-28 18:16:22 240128 --sha-r- c:\windows\system32\x.264.exe
    2004-01-25 05:00:00 70656 --sha-r- c:\windows\system32\yv12vfw.dll
    2008-09-28 01:17:24 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008092720080928\index.dat

    ============= FINISH: 0:29:08.37 ===============

    MBRCheck, version 1.2.3
    (c) 2010, AD

    Windows Version: Windows XP Home Edition
    Windows Information: Service Pack 3 (build 2600)
    Logical Drives Mask: 0x000003cc

    Kernel Drivers (total 145):
    0xB16A5000 \SystemRoot\system32\drivers\kmixer.sys
    0x7C900000 \WINDOWS\system32\ntdll.dll

    Processes (total 62):
    0 System Idle Process
    4 System
    1256 C:\WINDOWS\system32\smss.exe
    1552 csrss.exe
    372 C:\WINDOWS\system32\winlogon.exe
    576 C:\WINDOWS\system32\services.exe
    288 C:\WINDOWS\system32\lsass.exe
    1988 C:\WINDOWS\system32\svchost.exe
    428 svchost.exe
    876 C:\WINDOWS\system32\svchost.exe
    996 C:\Program Files\Ahead\InCD\InCDsrv.exe
    460 C:\WINDOWS\system32\svchost.exe
    1672 svchost.exe
    156 svchost.exe
    728 C:\WINDOWS\system32\LEXBCES.EXE
    552 C:\WINDOWS\system32\LEXPPS.EXE
    792 C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
    940 C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
    1048 C:\WINDOWS\system32\spoolsv.exe
    836 C:\WINDOWS\explorer.exe
    180 C:\Program Files\SOS Online Backup\OverlayCache.exe
    948 C:\Program Files\Digital Media Reader\shwiconEM.exe
    1024 C:\Program Files\Ahead\InCD\InCD.exe
    108 C:\WINDOWS\system32\rundll32.exe
    692 svchost.exe
    1068 C:\Program Files\iTunes\iTunesHelper.exe
    1760 C:\Program Files\Real\RealPlayer\realplay.exe
    896 C:\WINDOWS\SoundMan.exe
    1836 C:\Program Files\CA\CA Internet Security Suite\casc.exe
    712 C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\cavrid.exe
    548 C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
    1412 C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
    1516 C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    656 C:\Program Files\Common Files\Java\Java Update\jusched.exe
    440 C:\WINDOWS\system32\ctfmon.exe
    1660 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    1072 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    1568 C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    1504 C:\Documents and Settings\Roland\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
    1224 C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
    2748 svchost.exe
    2768 C:\Program Files\Logitech\SetPoint\SetPoint.exe
    3344 C:\Program Files\NotifyWire\NotifyWire.exe
    2960 C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\isafe.exe
    3236 C:\Program Files\CA\CA Internet Security Suite\ccschedulersvc.exe
    3628 C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
    3820 C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
    3840 C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
    1796 C:\Program Files\Java\jre6\bin\jqs.exe
    2248 C:\WINDOWS\system32\nvsvc32.exe
    2452 C:\WINDOWS\system32\HPZipm12.exe
    2892 C:\WINDOWS\system32\svchost.exe
    3448 C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\vetmsg.exe
    3684 C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
    1720 C:\Program Files\iPod\bin\iPodService.exe
    2704 C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
    3540 alg.exe
    2544 C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
    684 C:\Program Files\Mozilla Firefox\firefox.exe
    3164 C:\Program Files\Mozilla Firefox\plugin-container.exe
    2820 C:\Documents and Settings\Roland\My Documents\Downloads\MBRCheck.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

    PhysicalDrive0 Model Number: WDCWD1600JD-22HBB0, Rev: 08.02D08

    Size Device Name MBR Status
    149 GB \\.\PhysicalDrive0 Windows XP MBR code detected
    SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A

  4. texmedic49

    texmedic49 Thread Starter

    Sep 20, 2010
    Got the GMER scan done. What next?

    Attached Files:

  5. CatByte

    CatByte Malware Specialist

    Feb 24, 2009

    Please do the following:

    Download ComboFix from one of the following locations:
    Link 1
    Link 2

    VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

    * IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
    • Double click on ComboFix.exe & follow the prompts.
    As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


    • Click on Yes, to continue scanning for malware.
    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
  6. texmedic49

    texmedic49 Thread Starter

    Sep 20, 2010
    So I ran combofix. I attempted to open Firefox afterwards to post the log. It wouldn't open. Then the computer rebooted. I cannot see anything other than my background pic, although I can move the mouse, and I heard the windows "sound" after it rebooted. What next?
  7. texmedic49

    texmedic49 Thread Starter

    Sep 20, 2010
    Update: I tried to boot into safe mode, same story there, nothing comes up. I can access the task manager, can execute a few simple commands through "run" but that is about it. Awaiting your instructions.
  8. CatByte

    CatByte Malware Specialist

    Feb 24, 2009
    Open the Task Manager > New Task, type explorer.exe and see if you get your desktop back

    if not, tap F8 on reboot and choose "Last Known Good Configuration" at the options menu
  9. texmedic49

    texmedic49 Thread Starter

    Sep 20, 2010
    Neither option worked. I even tried pulling up the restore point utility, I can see the process running, but I get no interface.
  10. CatByte

    CatByte Malware Specialist

    Feb 24, 2009
    What happens when you try to boot into safe mode?

    Exactly how far does the boot process get?

    it sounds as though Explorer.exe may have been removed, which is unusual as CF doesn't normally remove system files.

    we need to replace explorer.exe with a copy on your system

    if you boot into safe mode are you able to navigate through the task manager at all?

    Are you able to boot to the Recovery Console?

    Please try the following:

    there should be a copy of explorer.exe located in your i386 folder or your dllcache

    reboot and open task manager

    in New Task type three dots ... (yes, that is three periods); that will open My Computer

    now navigate to C:\windows\Servicepackfiles\i386, look for explorer.exe > right click the file and choose "copy" > now navigate back to C:\windows > right click and choose > paste

    your computer should now boot normally

    if you don't find a copy of explorer.exe at that location:

    try these locations:

    C:\windows\erdnt\cache or c:\windows\system32\dllcache
  11. texmedic49

    texmedic49 Thread Starter

    Sep 20, 2010
    Just a thought, if I can access the drive and directories with a Knoppix live disc, I should be able to do the same thing, no?
  12. CatByte

    CatByte Malware Specialist

    Feb 24, 2009
    yes, but it's easier just to copy and paste through the c:\ drive


    sorry just read that you can't get to the c:\ drive

    let's copy the file through the recovery console

    one sec and I'll get the instructions
  13. CatByte

    CatByte Malware Specialist

    Feb 24, 2009

    Please do the following:

    1. Restart your computer.
    2. Before Windows loads, you will be prompted to choose which Operating System to start.
    3. Use the up and down arrow key to select Microsoft Windows Recovery Console
    4. You must enter which Windows installation to log onto. Type 1 and press 'Enter'.
    5. At the C:\Windows prompt, type the following bolded entries, and press 'Enter' (note the spaces):

    cd \

    copy C:\windows\erdnt\cache\explorer.exe c:\windows

    6. Type y to the prompt and press 'Enter'.

    7. Type exit and press 'Enter'. Your computer should reboot.
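Putting posts 10 and 13 together as an added example (not CatByte's instructions, and not a tool from the thread): a POSIX shell script meant to be run from a Linux live disc such as the Knoppix disc mentioned in post 11, with the Windows volume mounted read-write and its Windows directory passed as the first argument (an assumed mount point such as /mnt/sda1/WINDOWS). It goes a step beyond the posts: it checks the three known-good locations CatByte names (ServicePackFiles\i386, erdnt\cache, system32\dllcache), prints their SHA-1 next to whatever is, or is not, at explorer.exe in the Windows directory, and only then restores the first copy found, keeping any existing file as explorer.exe.bak so a damaged or replaced binary can still be examined. Run with no argument it exercises itself on a constructed temporary tree that mimics this thread's state. The function names, the fixture and the mount path are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread. Run from a Linux live disc (e.g. Knoppix)
# with the Windows volume mounted read-write; pass the Windows directory as $1
# (assumed mount point such as /mnt/sda1/WINDOWS). With no argument it runs
# against a constructed temporary tree that mimics the thread's situation.
set -e

# Known-good locations named in posts 10 and 13, relative to the Windows
# directory and in the order CatByte suggests them.
CANDIDATE_DIRS="ServicePackFiles/i386 erdnt/cache system32/dllcache"

# Resolve relative path $2 under directory $1 one component at a time,
# case-insensitively: ntfs-3g mounts are case-sensitive, while the thread
# writes the same directories as WINDOWS, windows and Servicepackfiles.
ci_path() {
    cur=$1
    old_ifs=$IFS; IFS=/
    set -- $2
    IFS=$old_ifs
    for comp; do
        hit=$(find "$cur" -mindepth 1 -maxdepth 1 -iname "$comp" 2>/dev/null | head -n 1)
        [ -n "$hit" ] || return 1
        cur=$hit
    done
    printf '%s\n' "$cur"
}

# SHA-1 of a file (sha1sum on Linux, shasum on BSD/macOS), hex digest only.
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then sha1sum "$1"; else shasum -a 1 "$1"; fi |
        awk '{print $1}'
}

# Print one line per file: "<status> <sha1> <path>". The live copy comes first
# (MISSING if explorer.exe is gone, as in post 6); each candidate found is
# marked "match" or "differs" relative to the live copy.
report_explorer() {
    winroot=$1
    if live=$(ci_path "$winroot" explorer.exe); then
        live_sha=$(sha1_of "$live")
        printf 'live %s %s\n' "$live_sha" "$live"
    else
        live_sha=
        printf 'live MISSING %s/explorer.exe\n' "$winroot"
    fi
    for d in $CANDIDATE_DIRS; do
        cand=$(ci_path "$winroot" "$d/explorer.exe") || continue
        sha=$(sha1_of "$cand")
        if [ "$sha" = "$live_sha" ]; then st=match; else st=differs; fi
        printf '%s %s %s\n' "$st" "$sha" "$cand"
    done
}

# First candidate present, in the thread's order; exit 1 if none exists.
pick_restore_source() {
    for d in $CANDIDATE_DIRS; do
        if cand=$(ci_path "$1" "$d/explorer.exe"); then
            printf '%s\n' "$cand"
            return 0
        fi
    done
    return 1
}

# Copy the chosen known-good file into the Windows directory (post 13's copy
# command), keeping any existing file as explorer.exe.bak for later analysis.
# Prints the SHA-1 of the restored file.
restore_explorer() {
    winroot=$1
    src=$(pick_restore_source "$winroot") || { echo "no known-good explorer.exe found" >&2; return 1; }
    dst=$(ci_path "$winroot" explorer.exe) || dst=$winroot/explorer.exe
    if [ -f "$dst" ]; then mv "$dst" "$dst.bak"; fi
    cp "$src" "$dst"
    sha1_of "$dst"
}

# Constructed fixture: explorer.exe absent from the Windows directory, intact
# copies in ServicePackFiles\i386 and System32\dllcache, no erdnt\cache.
# Mixed-case directory names exercise the case-insensitive lookup.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/WINDOWS/ServicePackFiles/i386" "$root/WINDOWS/System32/dllcache"
    printf 'MZ constructed stand-in for a good explorer.exe\n' \
        > "$root/WINDOWS/ServicePackFiles/i386/explorer.exe"
    cp "$root/WINDOWS/ServicePackFiles/i386/explorer.exe" "$root/WINDOWS/System32/dllcache/"
    printf '%s\n' "$root/WINDOWS"
}

windir=${1:-$(make_fixture)}
echo "== before =="; report_explorer "$windir"
echo "== restoring from: $(pick_restore_source "$windir")"
restore_explorer "$windir" || exit 1
echo "== after =="; report_explorer "$windir"
```

Read the "before" report before trusting the restore: the candidates should all carry the same SHA-1 as each other, and a candidate whose hash disagrees with the others is itself suspect and should not be used as the source. The path components are resolved with find -iname rather than taken literally because ntfs-3g mounts are case-sensitive and the thread spells the same directories several ways.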
  14. texmedic49

    texmedic49 Thread Starter

    Sep 20, 2010
    K. And BTW, thanks for your help, I guess this turned into more than you bargained for...
  15. CatByte

    CatByte Malware Specialist

    Feb 24, 2009
    no not really...this isn't unusual

    if that doesn't work, do you already have a Knoppix disk? As I have instructions for another boot disk that I have had users use to replace winlogon.exe and explorer.exe with great success
