infected laptop shuts off before I can run Spybot

scooperman

New member
IBM Thinkpad G41 running XP

Malware showed up yesterday. Fake antivirus popup claimed application can not be executed. Saw three different popup windows, tried clicking out/dismissing the popups but they kept coming back. Then it started Internet Explorer and tried to access some porn site. Shut it down. Disconnected from network.

Restarted and tried running Spybot. While it ran, these popups kept appearing every few seconds. Spybot takes 3 hours to run, for a while I kept dismissing popups but gave up. When Spybot finished, it showed one red thing. It would not let me start the fix process, it just beeped when I tried clicking on Fix.

Tried a system restore to an earlier date. No better.

Tried running Spybot from command line with /autoupdate and /autofix /onlyspyware, it starts but can not finish, the PC shuts off.

Tried this a number of times, it boots, program starts, PC shuts off.

Tried a number of times to get into Safe Mode. Usually PC shuts off after it fills the screen with the page showing a list of drivers.

Changed the BIOS date back a year and was able to boot to Safe Mode. Was able to start Spybot, it ran for a minute, maybe two, and then the PC shut off.

Now using an old 98 PC to go online and search for help.

This morning I found this forum. I see others had similar infection but have not seen anyone with the PC-shutting-itself-off symptom.

As soon as I can figure out what DDS means, I will try to find (?) it, download (?) it, and see if I can get the laptop to run long enough to run it.
---------------------------------
Hello scooperman,
As soon as I can figure out what DDS means, I will try to find (?) it, download (?) it, and see if I can get the laptop to run long enough to run it.

"BEFORE you POST" (READ this Procedure BEFORE Requesting Assistance)

Post #2. Hope that helps. :)

Best regards.
-------------------------------------
yes that helped.

Sometimes it stays on longer than a couple minutes. I am on it right now so I am typing fast. Want to get these uploaded.

DDS instructions said to zip the text files and attach, hope it works.

In advance, thank you for any assistance.

DDS (Ver_10-03-17.01) - NTFSx86
Run by JR at 14:24:57.41 on Thu 06/24/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.619 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\tp4serv.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Nero\Nero8\InCD\NBHGui.exe
C:\Program Files\Nero\Nero8\InCD\InCD.exe
E:\PEACHT~1\PeachtreePrefetcher.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Digital Line Detect\DLG.exe
svchost.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\Program Files\Nero\Nero8\InCD\InCDsrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Nero\Nero8\InCD\NBHRegInCDSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Pervasive Software\PSQL\bin\w3dbsmgr.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\WINDOWS\system32\acs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Documents and Settings\JR\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - e:\spybot~1\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: CNavExtBho Class: {bdf3e430-b101-42ad-a544-fadc6b084872} - c:\program files\norton antivirus\NavShExt.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ibmmessages] c:\program files\ibm\messages by ibm\ibmmessages.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\nero\lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
mRun: [TrackPointSrv] tp4serv.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [TPKMAPHELPER] c:\program files\thinkpad\utilities\TpKmapAp.exe -helper
mRun: [TPHOTKEY] c:\progra~1\thinkpad\pkgmgr\hotkey\TPHKMGR.exe
mRun: [TP4EX] tp4ex.exe
mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe
mRun: [UC_Start] c:\program files\ibm\updater\\ucstartup.exe
mRun: [UC_SMB]
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [<NO NAME>]
mRun: [ibmmessages] c:\program files\ibm\messages by ibm\\ibmmessages.exe
mRun: [IBMPRC] c:\ibmtools\utils\ibmprc.exe
mRun: [QCTRAY] c:\program files\thinkpad\connectutilities\QCTRAY.EXE
mRun: [QCWLICON] c:\program files\thinkpad\connectutilities\QCWLICON.EXE
mRun: [BMMGAG] RunDll32 c:\progra~1\thinkpad\utilit~1\pwrmonit.dll,StartPwrMonitor
mRun: [BMMLREF] c:\program files\thinkpad\utilities\BMMLREF.EXE
mRun: [BMMMONWND] rundll32.exe c:\progra~1\thinkpad\utilit~1\BatInfEx.dll,BMMAutonomicMonitor
mRun: [QuickTime Task] "E:\QTTask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [NeroFilterCheck] c:\program files\common files\nero\lib\NeroCheck.exe
mRun: [SecurDisc] c:\program files\nero\nero8\incd\NBHGui.exe
mRun: [InCD] c:\program files\nero\nero8\incd\InCD.exe
mRun: [Prolific_OneButton] c:\program files\usbfast\OneBtn.exe
mRun: [PeachtreePrefetcher.exe] "e:\peacht~1\PeachtreePrefetcher.exe" /configfile:peachtreeprefetcher.winstart.config
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
IE: E&xport to Microsoft Excel - e:\msoffi~1\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - e:\msoffi~1\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - e:\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4.1/jinstall-141-win.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
Notify: QConGina - QConGina.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
LSA: Notification Packages = scecli pwdmon
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jr\applic~1\mozilla\firefox\profiles\nizs9fet.default\
FF - plugin: e:\plugins\npqtplugin.dll
FF - plugin: e:\plugins\npqtplugin2.dll
FF - plugin: e:\plugins\npqtplugin3.dll
FF - plugin: e:\plugins\npqtplugin4.dll
FF - plugin: e:\plugins\npqtplugin5.dll
FF - plugin: e:\plugins\npqtplugin6.dll
FF - plugin: e:\plugins\npqtplugin7.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - e:\firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
e:\firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
e:\firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
e:\firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
e:\firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
e:\firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
e:\firefox\greprefs\all.js - pref("ui.use_native_colors", true);
e:\firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
e:\firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
e:\firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
e:\firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
e:\firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
e:\firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
e:\firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
e:\firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
e:\firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
e:\firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
e:\firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
e:\firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
e:\firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
e:\firefox\greprefs\all.js - pref("network.proxy.type", 5);
e:\firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 10);
e:\firefox\greprefs\all.js - pref("svg.smil.enabled", false);
e:\firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
e:\firefox\greprefs\all.js - pref("browser.formfill.debug", false);
e:\firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
e:\firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
e:\firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
e:\firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
e:\firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
e:\firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
e:\firefox\greprefs\all.js - pref("accelerometer.enabled", true);
e:\firefox\greprefs\all.js - pref("html5.enable", false);
e:\firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
e:\firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
e:\firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
e:\firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
e:\firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
e:\firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
e:\firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
e:\firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
e:\firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
e:\firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
e:\firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
e:\firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
e:\firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
e:\firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
e:\firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
e:\firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
e:\firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
e:\firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
e:\firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
e:\firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 ASMBATT;ASMBATT;c:\windows\system32\drivers\ASMBATT.SYS [2008-9-19 4992]
R1 TPPWR;TPPWR;c:\windows\system32\drivers\TPPWR.SYS [2008-9-19 16384]
R2 NeroRegInCDSrv;Nero Registry InCD Service;c:\program files\nero\nero8\incd\NBHRegInCDSrv.exe [2008-7-10 53032]
R2 PEDRV;P&E Microcomputer System PCI Driver.;c:\windows\system32\drivers\pedrv.sys [2000-8-3 23296]
R2 psqlWGE;Pervasive PSQL Workgroup Engine;c:\program files\pervasive software\psql\bin\w3dbsmgr.exe [2007-9-5 455968]
R3 Tp4Track;IBM PS/2 TrackPoint Driver;c:\windows\system32\drivers\tp4track.sys [1980-1-1 13904]
S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\google\google desktop search\GoogleDesktop.exe [2009-7-6 30192]
S3 OlCamudp;OLYMPUS Digital Camera;c:\windows\system32\drivers\olcamudp.sys [2008-9-22 10379]
S3 PLTurbh;Prolific turbo filter driver for hdd;c:\windows\system32\drivers\plturbh.sys [2009-7-6 9728]
S3 PLTurbo;Prolific turbo filter driver for odd;c:\windows\system32\drivers\plturbo.sys [2009-7-6 9984]
S3 QCNDISIF;QCNDISIF;c:\windows\system32\drivers\qcndisif.sys [2008-9-19 12288]

=============== Created Last 30 ================

2010-06-23 22:17:22 0 d-----w- c:\windows\system32\wbem\Repository

==================== Find3M ====================

2010-06-24 13:01:00 90112 ----a-w- c:\windows\DUMP4016.tmp
2010-04-03 07:33:56 2365288 ----a-w- c:\windows\system32\dllcache\WMVCore.dll
2009-07-06 15:35:27 1990640 ----a-w- c:\program files\GoogleDesktopSetup.exe
2009-06-29 14:15:07 1951432 ----a-w- c:\program files\ppviewer.exe
2008-10-07 15:35:50 20 --sha-w- c:\windows\WINPROD.DLL
2009-08-26 22:53:38 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009082620090827\index.dat

============= FINISH: 14:26:55.84 ===============
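The DDS log above is a structured report that a responder usually reads by hand. As an added example (not from the thread and not part of the DDS or GMER tools), here is a small Python parser that splits such a log into its sections, lists autorun entries that carry no command, flags files with both the hidden and system attributes set, and matches a GMER driver path against the services/drivers list so the driver's registered description can be read off. The embedded log is a constructed excerpt built from lines of the post above.

```python
"""Parse a DDS log and cross-reference a GMER finding against its driver list.
Added example; SAMPLE_DDS is a constructed excerpt of the log posted in the thread."""
import re
from dataclasses import dataclass

SAMPLE_DDS = r"""
============== Pseudo HJT Report ===============

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [UC_SMB]
mRun: [<NO NAME>]
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

============= SERVICES / DRIVERS ===============

R1 TPPWR;TPPWR;c:\windows\system32\drivers\TPPWR.SYS [2008-9-19 16384]
R2 PEDRV;P&E Microcomputer System PCI Driver.;c:\windows\system32\drivers\pedrv.sys [2000-8-3 23296]
S3 QCNDISIF;QCNDISIF;c:\windows\system32\drivers\qcndisif.sys [2008-9-19 12288]

==================== Find3M ====================

2010-06-24 13:01:00 90112 ----a-w- c:\windows\DUMP4016.tmp
2008-10-07 15:35:50 20 --sha-w- c:\windows\WINPROD.DLL

============= FINISH: 14:26:55.84 ===============
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")                       # "=== Name ==="
RUN_RE = re.compile(r"^([um]Run): \[([^\]]*)\]\s*(.*)$")             # uRun/mRun: [name] command
SVC_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+?)\s+\[(\S+)\s+(\d+)\]$")
FILE_RE = re.compile(r"^(\S+ \S+)\s+(\d+)\s+(\S{8})\s+(.+)$")        # date time size attrs path

@dataclass
class Service:
    state: str     # DDS convention: R = running, S = stopped; the digit is the start type
    name: str
    display: str
    path: str
    date: str
    size: int

def split_sections(log):
    """Map each '=== header ===' to the non-empty lines that follow it."""
    sections, current = {}, None
    for line in log.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current and line.strip():
            sections[current].append(line)
    return sections

def parse_services(lines):
    out = []
    for line in lines:
        m = SVC_RE.match(line)
        if m:
            st, name, disp, path, date, size = m.groups()
            out.append(Service(st, name, disp, path, date, int(size)))
    return out

def parse_autoruns(lines):
    """Return (hive, name, command) tuples for uRun/mRun entries."""
    return [m.groups() for m in map(RUN_RE.match, lines) if m]

def empty_autoruns(lines):
    """Autorun names whose command is blank; these are worth a second look in review."""
    return [name for _, name, cmd in parse_autoruns(lines) if not cmd]

def hidden_system_files(lines):
    """Files whose attribute string carries both the s(ystem) and h(idden) flags."""
    found = []
    for line in lines:
        m = FILE_RE.match(line)
        if m and "s" in m.group(3) and "h" in m.group(3):
            found.append(m.group(4))
    return found

def lookup_driver(services, gmer_name):
    """Match a GMER 'Name:' path (doubled backslashes tolerated) to services by file name."""
    base = gmer_name.replace("\\\\", "\\").rsplit("\\", 1)[-1].lower()
    return [s for s in services if s.path.rsplit("\\", 1)[-1].lower() == base]
```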
 
Hello,

Download GMER here by clicking the "download exe" button and saving it to your desktop:
  • Double-click the .exe that you downloaded.
  • Click the Rootkit tab, uncheck the Files option and then click Scan.
  • Don't check the Show All box while the scan is in progress!
  • When the scan is finished, click Copy. This copies the log to the clipboard.
  • Post the log in your reply (if the log is long, archive it into a zip file and attach it instead of pasting). Also copy-paste the contents of a fresh dds.txt log.
 
I tried twice. The first time, it stayed ON long enough to download and start GMER, it ran for a minute and then BSOD with "IRQL_NOT_LESS_OR_EQUAL" error. The second time, after it booted it wanted to report errors to Microsoft so I hooked up the cable and let it do so. Then I started the downloaded exe again and it seemed to be running OK, but of course after a couple of minutes the PC shut down, that's what it does now. Unless someone can tell me how to keep it powered up, I won't be able to run anything that takes more than a couple minutes.

I have looked for BIOS options that might have anything to do with turning off the PC but can't find anything abnormal looking. I used the blue button to check the Thinkpad configuration options, even changed the power management to a setting for never going into a power-saving or sleep mode, and it still shuts off a few minutes after power-up.

Another thing. I don't type quickly. This post editor logs me off before I get my post written. Can I change the timeout setting?
 
Last week after this started, I tried to do a Windows update but was unable to find IE anywhere on this PC. I tried accessing Microsoft with Firefox but it refused to play, insisted I must use IE. I did a soft shutdown and the Windows popup saying it was doing an update showed up, so I let it do its thing. It took a long time, maybe 30 minutes.

This morning I was doing what you asked, booted up the laptop, download GMER, run it, it shuts off. Repeat, tried running a couple more times, it powered off. Then I noticed that IE was back. So after a few tries/fails with GMER what the heck I used IE to access Microsoft and had it send the latest updates.

Next boot, it would get as far as the Welcome screen and then shut off. A couple of times I saw a flash of an error message and then it would power off. The message would say "the requested operation was..." and then it was gone before I could read the rest.

For an hour and a half, I tried booting, and it never made it to XP, shut off during boot. (Still can't safe boot, that shuts off too.) Eventually I gave up and threw in the XP cd and tried a cd boot. It did some loading and said it would start Windows, and then of course it just powered off. Then more boot attempts without CD, would not finish, powered off same as before. Tried the cd with the F2 option, got to a screen which looks DOSish, typed HELP to see what was there. I didn't want to mess with stuff I didn't understand but the SCAN option for BOOTCFG seemed safe so I tried that and ... it powered off.

Now at about 2 hours of unfinished boots, finally it booted to XP and I quickly hit Task Manager to see if I could recognize anything, watched that for a bit as the screen refreshed a few times, didn't see anything useful to me.

Hit the Access IBM icon. This is similar to hitting the blue keyboard button during boot, but in Windows it looks prettier and seems to have some more functions. I went looking for hardware configuration, anything that might affect power down, or battery saving, or hibernate, and I seemed to get it into a higher-power mode, the screen is brighter and I told it to never hibernate.

The PC has stayed on now for a whopping ten minutes. So I am trying GMER again and it is running. Next post I will let you know if it finished.
 
Hi,

Please try to run gmer by having just sections checked (in safe mode if needed).
 
GMER started with all the boxes checked. I did not see your previous instruction to leave "Files" unchecked, I did see the instruction to not check the "Show All" box.

It has been running for 3 hours now. Do you want me to stop it and change to just "Sections" or let it run?
 
If it takes much longer (shouldn't take hours) try with sections only.
 
I let it run for another hour and then gave up. It had not finished the C drive.
I unclicked all the boxes except for Sections, and restarted it.
 
The previous attempt to run GMER was showing about a dozen lines of text in its screen when I told it to stop. I re-ran it with only Sections selected, after half an hour it finished. Only one line of text showing. I tried Copy to clipboard and then opened Notepad, it opened and I pasted, but when I attempted to save the text file everything died, Notepad froze. I figured the information was still in the paste buffer so I attempted to get online, and this froze, could not connect to the internet.

In the GMER screen I see this:
Type: Init
Name: C:\\WINDOWS\System32\Drivers\PEDRV.SYS
Value entry point in "init secton (0B986CE00)

I need to shut down now and go home, will be back in the morning.
 
Hi,

Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully first.

Please continue as follows:

  1. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix (link).
    Remember to re-enable them afterwards.

  2. Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds log.


A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.
 
1. attached are the zipped dds output files

2. my first impression is that ComboFix must have done something good. Formerly, after pressing a key or moving the mouse you had to wait to see if anything would happen. Laptop is responding to keys and mouse normally. Clicks to start programs (e.g. the browser) respond rapidly.

3. a note: the how-to instructions for ComboFix at bleepingcomputer have a link to download a zipped tool to remove TeaTimer. The link is broken, gives 404 error. I used another PC to search around, could not find it, found most people gave up and just uninstalled Spybot before trying to run ComboFix, so that's what I did, I uninstalled Spybot before running ComboFix.

4. while I wait for responses from you, I could be learning more about how to protect my PC once you believe the bugs are gone. If you could recommend a site or resource for me to study, please do so.
 
Hi again,

Open Notepad and copy/paste the text in the code box below into it:

Code:
DirLook::
c:\windows\system32\%commonprogramfiles%

Save this as CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

[Image: CFScriptB-4.gif, showing CFScript being dragged onto ComboFix.exe]


Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe.
Then post the resultant log.


Uninstall old Adobe Reader versions and get the latest one (both 9.3 and update 9.3.2) here, or get Foxit Reader here. Make sure you don't install the toolbar if you choose Foxit Reader! You may also check the free readers introduced here.


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 20.
  • Click the Download button to the right.
  • Select Windows on platform combobox and check the box that says:
    Accept License Agreement. Click continue.
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u20-windows-i586-p.exe to install the newest version. Uncheck Carbonite online backup trial if it's offered there.



Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Please run an online scan with Kaspersky Online Scanner as instructed in the screenshot here.


Post back its report, a fresh dds.txt log and above mentioned ComboFix resultant log.
 
Ran the CFScript thing with ComboFix. I did the Adobe and Java uninstalls, I did the new Java install. Did not install Acrobat. (Is there any way I can run my PC without this Java stuff?) Ran ATFCleaner. Started Kaspersky Online Scanner. After 5 hours it was only 40% finished and I had to leave. I left it running overnight. This morning when I arrived there was nothing on the screen except the desktop, no programs running. How can I determine if KOS finished, where would I find its report?
 
Hi,

Did you have any other programs running there? I wonder if the system rebooted itself at some point during the process. Kaspersky online scanner won't store log anywhere without user commands.

I'd suggest defragging the hard drive and then running Kaspersky scanner again.
 
no other programs were running. I am trying to do nothing on this PC, except what you tell me to do.

I will defrag and Kaspersky again. Hope it goes faster this time. When it started yesterday, it took a long time to download stuff, and it got slower and slower as it neared completion of its download. Maybe 2 hours to download. It seemed to be running OK, and was showing that it had found bad stuff, when I left.
 
Ok. Let me know if same thing happens again with Kaspersky and we'll try something else.
 
Took 2+ hours to defrag C, only 22% free. So I uninstalled some stuff I never use. Then I uninstalled the new Java and reinstalled it on my E: partition to try to get back a little C drive space. Then started Kaspersky scan, it took over 7 hours.

Attachments:

DDS.txt
Attach.zip
ComboFixlog.txt
Kas_scan.txt

Again, thank you for your patience, expertise, and assistance.
 