
View Full Version : All Applications first open to "Open With..." dialogue Win XP



craigbert
2011-04-24, 03:51
First off, the Spybot community is off the CHAIN!

Now the problem,

AVG Free detected some weird J"bunch of numbers".EXE thing then quarantined it. Then did the same with "QUA.exe".

Restarted computer. "Keyboard not detected" message, weird blue screen w/ "Please Wait" then an apparently "Normal" boot of winXP.

All applications open with an "Open With" dialogue.

Tried to adjust system audio volume... "rundl32.exe" not found message

I had no idea where to turn for help. If there is a solution, it will be here. This community fixed a gnarly laptop infection that I had a few years ago.

Thanks in advance.

Craigbert

craigbert
2011-04-24, 16:55
So I switched Malwarebytes from full scan to short scan (full scan was finishing in 5 seconds... weird right?) and it found 9 items.

Here's the log for that:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 6428

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/23/2011 10:23:21 PM
mbam-log-2011-04-23 (22-23-21).txt

Scan type: Quick scan
Objects scanned: 159332
Time elapsed: 7 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 7
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CLASSES_ROOT\.exe\shell\open\command\(default) (Hijack.ExeFile) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CLASSES_ROOT\exefile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: ("C:\Documents and Settings\Owner\Local Settings\Application Data\qua.exe" -a "%1" %*) Good: ("%1" %*) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Owner\Local Settings\Application Data\qua.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Owner\Local Settings\Application Data\qua.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Owner\Local Settings\Application Data\qua.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Owner\Local Settings\Temp\0.521871964217075.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
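
The "Registry Data Items" in the quick-scan log above are the mechanism behind the symptoms in the first post. The dropper rewrote HKEY_CLASSES_ROOT\exefile\shell\open\command so that every .exe launch became `qua.exe -a "<original program>"`, added a shell\open\command key directly under HKEY_CLASSES_ROOT\.exe (which takes precedence over exefile), wrapped the Start Menu browser entries the same way, and set the three Security Center DisableNotify flags to 1 so Windows would stop warning that antivirus, firewall or updates were off. Once AVG quarantined qua.exe, the wrapper the open command pointed at no longer existed, so Windows could not run any .exe and fell back to the "Open With" prompt, and the volume control's call to rundll32.exe failed for the same reason. The audit below, written for this page and not part of the original thread, checks those same keys against the "Good:" values the log reports and writes a .reg file with the canonical data. The key paths and expected values come from the log; the output file location and the assumption that a full path in a StartMenuInternet entry is legitimate (only a wrapper that runs something else is suspicious) are mine. Run it elevated from a clean boot; on a machine where the hijack is still live, powershell.exe and regedit.exe are themselves launched through the broken command, and the usual workaround is to copy regedit.exe to regedit.com, since the comfile association is untouched, and import the .reg from there.

```powershell
# Added example, not from the original thread: audit the registry values the
# Malwarebytes log reports as hijacked and emit a .reg file with the canonical
# data. Expected values are the "Good:" data in the log; the output path and
# the "full path is fine" heuristic are assumptions. Run elevated, clean boot.

function Get-RegDefault([string]$Path) {
    # Returns the (default) value of a registry key, or $null if the key is absent.
    $key = Get-Item -LiteralPath "Registry::$Path" -ErrorAction SilentlyContinue
    if ($null -eq $key) { return $null }
    return $key.GetValue('')
}

function Test-ExeAssociation {
    $findings = @()

    # 1. The .exe extension must map to exefile, and must NOT carry its own
    #    shell\open\command (that is the Hijack.ExeFile pattern from the log).
    if ((Get-RegDefault 'HKEY_CLASSES_ROOT\.exe') -ne 'exefile') {
        $findings += 'HKEY_CLASSES_ROOT\.exe (default) is not "exefile"'
    }
    if (Test-Path -LiteralPath 'Registry::HKEY_CLASSES_ROOT\.exe\shell\open\command') {
        $findings += 'HKEY_CLASSES_ROOT\.exe\shell\open\command exists (overrides exefile)'
    }

    # 2. exefile open command must be exactly "%1" %* (Broken.OpenCommand otherwise).
    $open = Get-RegDefault 'HKEY_CLASSES_ROOT\exefile\shell\open\command'
    if ($open -ne '"%1" %*') {
        $findings += "HKEY_CLASSES_ROOT\exefile\shell\open\command is [$open], expected [`"%1`" %*]"
    }

    # 3. StartMenuInternet entries: a wrapper is one that names a second .exe
    #    after the browser (log: qua.exe -a "...\iexplore.exe"). A bare name or
    #    a full path to the browser itself is accepted (assumption).
    $browsers = @(
        @{ Path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command';    Exe = 'iexplore.exe' },
        @{ Path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command';     Exe = 'firefox.exe'  },
        @{ Path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command'; Exe = 'firefox.exe'  }
    )
    foreach ($b in $browsers) {
        $cmd = Get-RegDefault $b.Path
        if ($null -eq $cmd) { continue }                      # browser not installed
        $exeCount = ([regex]::Matches($cmd, '(?i)\.exe\b')).Count
        if ($exeCount -gt 1 -or $cmd -notmatch [regex]::Escape($b.Exe)) {
            $findings += "$($b.Path) is [$cmd], expected [$($b.Exe)]"
        }
    }

    # 4. Security Center DisableNotify flags: 1 silences the warning balloons
    #    (PUM.Disabled.SecurityCenter in the log); canonical is 0.
    $sc = Get-ItemProperty -LiteralPath 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center' -ErrorAction SilentlyContinue
    foreach ($name in 'AntiVirusDisableNotify', 'FirewallDisableNotify', 'UpdatesDisableNotify') {
        if ($sc -and $sc.$name -eq 1) { $findings += "Security Center\$name = 1 (notifications disabled)" }
    }
    return $findings
}

function Write-RepairReg([string]$OutFile = "$env:TEMP\exefile-repair.reg") {
    # Canonical data for the keys above. Deleting .exe\shell removes the
    # override key; a default XP install has no shell subkey under .exe.
    # .reg syntax escapes embedded quotes with a backslash.
    $reg = @'
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="exefile"

[-HKEY_CLASSES_ROOT\.exe\shell]

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=dword:00000000
"FirewallDisableNotify"=dword:00000000
"UpdatesDisableNotify"=dword:00000000
'@
    Set-Content -LiteralPath $OutFile -Value $reg -Encoding Ascii
    return $OutFile
}

$findings = @(Test-ExeAssociation)
if ($findings.Count -eq 0) {
    'No deviation from the canonical exefile / StartMenuInternet / Security Center values.'
} else {
    $findings
    'Repair file written to: ' + (Write-RepairReg)
}
```

The .reg deliberately does not touch the StartMenuInternet commands: the log's "Good:" values are bare file names, but a legitimate install may hold a full path there, so those are reported for manual review rather than overwritten. After importing the repair file, rerun the audit; if the exefile command reverts, the dropper (or something it scheduled) is still running and the machine needs the full DDS-log workflow the moderator points to below.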

craigbert
2011-04-24, 16:56
Ran MBAM again after restart:

Here's the log:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6429

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/23/2011 11:33:08 PM
mbam-log-2011-04-23 (23-33-08).txt

Scan type: Full scan (C:\|E:\|)
Objects scanned: 305974
Time elapsed: 1 hour(s), 4 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\Owner\application data\Sun\Java\deployment\cache\6.0\19\fc45753-358abc07 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\system volume information\_restore{1b64a798-aac5-46cf-acc6-e3be04b4390b}\RP197\A0030395.dll (Spyware.Agent) -> Quarantined and deleted successfully.

tashi
2011-04-24, 18:37
Hello craigbert,

Your topic was moved to the Malware Removal Forum (http://forums.spybot.info/forumdisplay.php?f=22) as malware logs are not to be posted elsewhere. ;)

Please see this forum's sticky which includes guidelines and instructions in post #2 on how to provide preliminary "DDS" logs used for analysis. "BEFORE You POST" (Please read this Procedure Before Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)

Then start a new topic providing the logs and a volunteer analyst will advise you when available. :)

If DDS won't run and produce a log please start a new topic anyway and explain the situation.

Best regards.