PLEASE HELP! MALWARE has taken over my laptop!

amanyeah

New member
Immediately upon logging on this pops up. WINDOWS RECOVERY [CRITICAL ERROR Damaged hard drive clusters detected]

Here is the DDS and attach file zip. please help!


.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Mama at 17:08:21.88 on Thu 04/21/2011
Internet Explorer: 6.0.2800.1106
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.246.55 [GMT 8:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\System32\lexpps.exe
C:\Documents and Settings\All Users\Application Data\SQYJBiKnjSxs.exe
C:\WINDOWS\System32\attrib.exe
C:\Documents and Settings\All Users\Application Data\17227572.exe
C:\Documents and Settings\Mama\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
mStart Page = about:blank
uInternet Settings,ProxyServer = 10.34.50.6:8080
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: : {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: CPrintEnhancer Object: {ae84a6aa-a333-4b92-b276-c11e2212e4fe} - c:\program files\hp\smart web printing\SmartWebPrinting.dll
TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: Media Band: {32683183-48a0-441b-a342-7c2a440a9478} - %SystemRoot%\System32\browseui.dll
uRun: [SQYJBiKnjSxs] c:\documents and settings\all users\application data\SQYJBiKnjSxs.exe
mRun: [avgnt] "c:\program files\antivir personaledition classic\avgnt.exe" /min
dRun: [CTFMON.EXE] $$
StartupFolder: c:\docume~1\mama\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\microt~1.lnk - c:\program files\microtek\scanwizard 5\ScannerFinder.exe
uPolicies-system: DisableTaskMgr = 1 (0x1)
mPolicies-system: DisableTaskMgr = 1 (0x1)
IE: &Download with &DAP - c:\program files\dap\dapextie.htm
IE: Download &all with DAP - c:\program files\dap\dapextie2.htm
IE: {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - c:\program files\lenovo\pkgmgr\\PkgMgr.exe
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} - hxxp://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
Notify: igfxcui - igfxsrvc.dll
SEH: {05041043-0C5F-46A4-A959-58D2A1F73262} - No File
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\mama\applic~1\mozilla\firefox\profiles\tbl1cs9g.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.gmail.com/
FF - prefs.js: network.proxy.ftp - 10.34.50.6
FF - prefs.js: network.proxy.ftp_port - 8080
FF - prefs.js: network.proxy.gopher - 10.34.50.6
FF - prefs.js: network.proxy.gopher_port - 8080
FF - prefs.js: network.proxy.http - 10.34.50.6
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.socks - 10.34.50.6
FF - prefs.js: network.proxy.socks_port - 8080
FF - prefs.js: network.proxy.ssl - 10.34.50.6
FF - prefs.js: network.proxy.ssl_port - 8080
FF - prefs.js: network.proxy.type - 4
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
.
============= SERVICES / DRIVERS ===============
.
R0 avgntmgr;avgntmgr;c:\windows\system32\drivers\avgntmgr.sys [2011-3-15 14848]
R1 avgntdd;avgntdd;c:\windows\system32\drivers\avgntdd.sys [2011-3-15 32768]
R2 aawservice;Ad-Aware 2007 Service;c:\program files\lavasoft\ad-aware 2007\aawservice.exe [2007-7-6 561152]
R2 AntiVirScheduler;AntiVir PersonalEdition Classic Scheduler;c:\program files\antivir personaledition classic\sched.exe [2011-3-15 34344]
R2 AntiVirService;AntiVir PersonalEdition Classic Guard;c:\program files\antivir personaledition classic\avguard.exe [2011-3-15 191016]
S0 IFP300;iRiver Internet Audio Player IFP-300;c:\windows\system32\drivers\ifp300.sys --> c:\windows\system32\drivers\ifp300.sys [?]
S4 Remote Auther Service;Remote Auther Service;"c:\windows\system32\svshost.exe" --> c:\windows\system32\svshost.exe [?]
.
=============== Created Last 30 ================
.
2011-04-16 06:34:17 487424 ---ha-w- c:\docume~1\alluse~1\applic~1\17227572.exe
2011-04-16 06:25:08 569344 ---ha-w- c:\docume~1\alluse~1\applic~1\SQYJBiKnjSxs.exe
.
==================== Find3M ====================
.
.
============= FINISH: 17:10:54.06 ===============
 
Hi,

Your system is in really bad shape. It probably got infected due to lack of up-to-date Windows + Internet Explorer and all the rest. It's really important that the system is updated after we've got it clean (I'll tell you when it's a suitable moment for updating).


Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully first.

Please continue as follows:

  1. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    Remember to re-enable them afterwards.

  2. Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds log.


A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.
 
HI! Thank you very much for giving time to my problem. Full disclosure. Prior to running combofix I noticed that my icons weren't as clear as usual. They looked like they'd been grayed out or just mere watermarks. They still remain the same way after combofix.

After ComboFix I also noticed on my desktop that an Internet Explorer logo appeared, also a "catchme.log" and a "log.txt". Also I cannot open these documents; when double-clicked it says it "is not a valid Win32 application". I am however able to open them via right-clicking, then Open With > WordPad. Also there are 2 combofix.txt files so I have included them as well.

Again, thank you SO MUCH for your assistance.
.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Aman Enconado at 4:53:46.56 on Tue 04/26/2011
Internet Explorer: 6.0.2800.1106
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.246.24 [GMT 8:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\NOTEPAD.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Aman Enconado\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com.ph/
mStart Page = about:blank
uInternet Settings,ProxyServer = 10.34.50.7:8080
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: : {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: CPrintEnhancer Object: {ae84a6aa-a333-4b92-b276-c11e2212e4fe} - c:\program files\hp\smart web printing\SmartWebPrinting.dll
TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: Media Band: {32683183-48a0-441b-a342-7c2a440a9478} - %SystemRoot%\System32\browseui.dll
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
mRun: [avgnt] "c:\program files\antivir personaledition classic\avgnt.exe" /min
dRun: [CTFMON.EXE] $$
StartupFolder: c:\docume~1\amanen~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\microt~1.lnk - c:\program files\microtek\scanwizard 5\ScannerFinder.exe
IE: &Clean Traces - c:\program files\dap\privacy package\dapcleanerie.htm
IE: &Download with &DAP - c:\program files\dap\dapextie.htm
IE: Download &all with DAP - c:\program files\dap\dapextie2.htm
IE: {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - c:\program files\lenovo\pkgmgr\\PkgMgr.exe
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} - hxxp://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
Notify: igfxcui - igfxsrvc.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\amanen~1\applic~1\mozilla\firefox\profiles\x82aqc4n.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: network.proxy.ftp - 10.34.50.7
FF - prefs.js: network.proxy.ftp_port - 8080
FF - prefs.js: network.proxy.gopher - 10.34.50.7
FF - prefs.js: network.proxy.gopher_port - 8080
FF - prefs.js: network.proxy.http - 10.34.50.7
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.socks - 10.34.50.7
FF - prefs.js: network.proxy.socks_port - 8080
FF - prefs.js: network.proxy.ssl - 10.34.50.7
FF - prefs.js: network.proxy.ssl_port - 8080
FF - prefs.js: network.proxy.type - 4
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
.
============= SERVICES / DRIVERS ===============
.
R0 avgntmgr;avgntmgr;c:\windows\system32\drivers\avgntmgr.sys [2011-3-15 14848]
R1 avgntdd;avgntdd;c:\windows\system32\drivers\avgntdd.sys [2011-3-15 32768]
R2 aawservice;Ad-Aware 2007 Service;c:\program files\lavasoft\ad-aware 2007\aawservice.exe [2007-7-6 561152]
R2 AntiVirScheduler;AntiVir PersonalEdition Classic Scheduler;c:\program files\antivir personaledition classic\sched.exe [2011-3-15 34344]
R2 AntiVirService;AntiVir PersonalEdition Classic Guard;c:\program files\antivir personaledition classic\avguard.exe [2011-3-15 191016]
S0 IFP300;iRiver Internet Audio Player IFP-300;c:\windows\system32\drivers\ifp300.sys --> c:\windows\system32\drivers\ifp300.sys [?]
S4 Remote Auther Service;Remote Auther Service;"c:\windows\system32\svshost.exe" --> c:\windows\system32\svshost.exe [?]
.
=============== Created Last 30 ================
.
2011-04-25 20:12:24 -------- d-sha-r- C:\cmdcons
2011-04-25 20:05:36 89088 ----a-w- c:\windows\MBR.exe
2011-04-25 20:05:35 98816 ----a-w- c:\windows\sed.exe
2011-04-25 20:05:35 256512 ----a-w- c:\windows\PEV.exe
2011-04-25 20:05:35 161792 ----a-w- c:\windows\SWREG.exe
.
==================== Find3M ====================
.
.
============= FINISH: 4:55:02.84 ===============
 
Hi,

Before we take any further steps I'd like you to install service pack 2 for Windows XP. You can download it here. When installed, post back fresh dds logs.
 
Ok. Did what you asked. Thanks so much again. By the way, is it normal for the computer to run slowly after installing Service Pack 2? Because it is running slower than it used to... Anyway, here is the DDS log:

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Aman Enconado at 11:27:46.94 on Wed 04/27/2011
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.246.46 [GMT 8:00]
.
AV: Avira AntiVir PersonalEdition Classic *Enabled/Outdated* {00000000-0000-0000-0000-000000000000}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Aman Enconado\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com.ph/
mStart Page = about:blank
uInternet Settings,ProxyServer = 10.34.50.7:8080
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: : {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: CPrintEnhancer Object: {ae84a6aa-a333-4b92-b276-c11e2212e4fe} - c:\program files\hp\smart web printing\SmartWebPrinting.dll
TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
mRun: [avgnt] "c:\program files\antivir personaledition classic\avgnt.exe" /min
dRun: [CTFMON.EXE] $$
StartupFolder: c:\docume~1\amanen~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\microt~1.lnk - c:\program files\microtek\scanwizard 5\ScannerFinder.exe
IE: &Clean Traces - c:\program files\dap\privacy package\dapcleanerie.htm
IE: &Download with &DAP - c:\program files\dap\dapextie.htm
IE: Download &all with DAP - c:\program files\dap\dapextie2.htm
IE: {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - c:\program files\lenovo\pkgmgr\\PkgMgr.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} - hxxp://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
Notify: igfxcui - igfxsrvc.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\amanen~1\applic~1\mozilla\firefox\profiles\x82aqc4n.default\
FF - prefs.js: browser.startup.homepage - hxxps://www.google.com/accounts/ServiceLogin?service=mail&passive=true&rm=false&continue=http%3A%2F%2Fmail.google.com%2Fmail%2F%3Fui%3Dhtml%26zy%3Dl&bsv=llya694le36z&scc=1&ltmpl=default&ltmplcache=2
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?sourceid=navclient&hl=en&q=
FF - prefs.js: network.proxy.ftp - 10.34.50.7
FF - prefs.js: network.proxy.ftp_port - 8080
FF - prefs.js: network.proxy.gopher - 10.34.50.7
FF - prefs.js: network.proxy.gopher_port - 8080
FF - prefs.js: network.proxy.http - 10.34.50.7
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.socks - 10.34.50.7
FF - prefs.js: network.proxy.socks_port - 8080
FF - prefs.js: network.proxy.ssl - 10.34.50.7
FF - prefs.js: network.proxy.ssl_port - 8080
FF - prefs.js: network.proxy.type - 4
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
.
============= SERVICES / DRIVERS ===============
.
R0 avgntmgr;avgntmgr;c:\windows\system32\drivers\avgntmgr.sys [2011-3-15 14848]
R1 avgntdd;avgntdd;c:\windows\system32\drivers\avgntdd.sys [2011-3-15 32768]
R2 aawservice;Ad-Aware 2007 Service;c:\program files\lavasoft\ad-aware 2007\aawservice.exe [2007-7-6 561152]
R2 AntiVirScheduler;AntiVir PersonalEdition Classic Scheduler;c:\program files\antivir personaledition classic\sched.exe [2011-3-15 34344]
R2 AntiVirService;AntiVir PersonalEdition Classic Guard;c:\program files\antivir personaledition classic\avguard.exe [2011-3-15 191016]
S0 IFP300;iRiver Internet Audio Player IFP-300;c:\windows\system32\drivers\ifp300.sys --> c:\windows\system32\drivers\ifp300.sys [?]
S4 Remote Auther Service;Remote Auther Service;"c:\windows\system32\svshost.exe" --> c:\windows\system32\svshost.exe [?]
.
=============== Created Last 30 ================
.
.
==================== Find3M ====================
.
.
============= FINISH: 11:29:10.12 ===============
 
Hi,

The reason for the slow performance is that the system has too little RAM installed. At least 512 megabytes should be installed.


Are you familiar with this proxy setting: 10.34.50.7:8080 ?
 
oh.. I see... is that still possible? installing RAM on an old laptop? i have an IBM R50e. bought it around 2005-2006. it's ancient but it's all i got. :)

yes. that proxy setting is what our school required so that we could log on to the school system. :)
 
Hi,

is that still possible? installing RAM on an old laptop? i have an IBM R50e.
It may be possible, but the memory type that machine accepts is pretty pricey. It may become cheaper to buy a whole new system in the long run.


Anyway, let's do some more cleaning there and see if performance can be made any better :)


Open notepad and copy/paste the text in the quotebox below into it:

Code:
Driver::
"Remote Auther Service"
DDS::
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File


Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

CFScriptB-4.gif


Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe.
Then post the resultant log.


Vulnerable Adobe Acrobat 5.0 is not supported anymore and should be uninstalled. Ad-Aware 2007 is not supported anymore either so it can be uninstalled to save some space.

Spybot 1.4 is not supported anymore and should be uninstalled. A fresh copy of Spybot can be downloaded here.


Uninstall old Adobe Reader versions and get the latest one (Adobe Reader X + the 10.0.1 update for it) here, or get Foxit Reader here. Make sure you don't (unless you want to) install the toolbar if you choose Foxit Reader! You may also check the free readers introduced here.

Uninstall vulnerable Flash versions by following the instructions here. A fresh version can be obtained here.

Kaspersky Online Scanner can be uninstalled since it's not supported anymore.


When done, post fresh dds logs and above mentioned ComboFix resultant log.
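The items the helper targets in the CFScript above (a service whose binary cannot be found on disk and is named like a system process, and orphaned "No File" browser objects) are the kind of indicators that can be picked out of a DDS log mechanically. The script below is an added example, not part of this thread or of the DDS tool; it runs a few triage rules over constructed log lines modelled on the ones posted above (the data-directory executables, the DisableTaskMgr policy, the proxy setting and the "Remote Auther Service" entry) and returns each hit with its section and reason.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in the shape of the DDS logs posted in this thread.
SAMPLE_DDS = r"""
============== Running Processes ===============
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Documents and Settings\All Users\Application Data\SQYJBiKnjSxs.exe
C:\Documents and Settings\All Users\Application Data\17227572.exe
============== Pseudo HJT Report ===============
uInternet Settings,ProxyServer = 10.34.50.6:8080
uRun: [SQYJBiKnjSxs] c:\documents and settings\all users\application data\SQYJBiKnjSxs.exe
mRun: [avgnt] "c:\program files\antivir personaledition classic\avgnt.exe" /min
uPolicies-system: DisableTaskMgr = 1 (0x1)
mPolicies-system: DisableTaskMgr = 1 (0x1)
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
============= SERVICES / DRIVERS ===============
R2 AntiVirService;AntiVir PersonalEdition Classic Guard;c:\program files\antivir personaledition classic\avguard.exe [2011-3-15 191016]
S4 Remote Auther Service;Remote Auther Service;"c:\windows\system32\svshost.exe" --> c:\windows\system32\svshost.exe [?]
"""

SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")
# First Windows path on a line that ends in a binary extension (quotes optional).
PATH_RE = re.compile(r'"?([a-zA-Z]:\\[^"\[]+?\.(?:exe|dll|sys|scr))"?', re.IGNORECASE)
# Directories a legitimate service or autostart binary rarely lives in.
DATA_DIRS = ("\\application data\\", "\\local settings\\temp\\", "\\temp\\")
# Names that malware commonly imitates with a one-character change (svshost vs svchost).
SYSTEM_NAMES = ("svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe", "winlogon.exe")


@dataclass
class Finding:
    section: str
    line: str
    reason: str


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to catch one-letter lookalikes of system binaries."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(name: str) -> str:
    """Return the system binary this filename imitates, or '' if it is genuine or unrelated."""
    name = name.lower()
    for real in SYSTEM_NAMES:
        if name != real and edit_distance(name, real) == 1:
            return real
    return ""


def triage(log_text: str) -> List[Finding]:
    """Walk a DDS log section by section and collect lines matching the triage rules."""
    findings: List[Finding] = []
    section = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1)
            continue
        if not line or line == ".":
            continue
        path = PATH_RE.search(line)
        if path:
            full = path.group(1).lower()
            base = full.rsplit("\\", 1)[-1]
            if any(d in full for d in DATA_DIRS):
                findings.append(Finding(section, line, "executable located in a data/temp directory"))
            real = lookalike(base)
            if real:
                findings.append(Finding(section, line, f"filename imitates {real}"))
        if "DisableTaskMgr = 1" in line:
            findings.append(Finding(section, line, "Task Manager disabled by policy"))
        if section.startswith("SERVICES") and line.endswith("[?]"):
            findings.append(Finding(section, line, "service binary could not be verified on disk"))
        if line.endswith("- No File"):
            findings.append(Finding(section, line, "orphaned browser object entry"))
        if "ProxyServer =" in line:
            findings.append(Finding(section, line, "proxy configured; confirm it is expected"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

The proxy rule is deliberately informational only: as the thread shows, a configured proxy may be a school or corporate requirement rather than an infection, so a human still has to confirm it.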
 
ok. thanks very much for the advice! :D


I tried opening up notepad but it wouldn't open up... I have also noticed that the icon for notepad now looks different.

I then tried opening one of the .txt files we had before but now it doesn't open, rather it asks me what program I want to open it with. There's a list of "recommended programs" and "other programs" but Notepad is nowhere to be seen... there is however WordPad. Would that be alright to use? Or would it make matters worse?
 
Hi,

WordPad will do too. Just make sure the file gets saved as ".txt" type.
 
ok. did it successfully. I'm curious though as to what happened to my notepad.. any idea? :scratch:

Here are the new DDS files. I have also attached the ComboFix log as log.zip :)

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Aman Enconado at 4:16:46.46 on Thu 04/28/2011
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.246.94 [GMT 8:00]
.
AV: Avira AntiVir PersonalEdition Classic *Enabled/Outdated* {00000000-0000-0000-0000-000000000000}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Aman Enconado\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com.ph/
mStart Page = about:blank
uInternet Settings,ProxyServer = 10.34.50.7:8080
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: CPrintEnhancer Object: {ae84a6aa-a333-4b92-b276-c11e2212e4fe} - c:\program files\hp\smart web printing\SmartWebPrinting.dll
TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
mRun: [avgnt] "c:\program files\antivir personaledition classic\avgnt.exe" /min
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
dRun: [CTFMON.EXE] $$
StartupFolder: c:\docume~1\amanen~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\microt~1.lnk - c:\program files\microtek\scanwizard 5\ScannerFinder.exe
IE: {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - c:\program files\lenovo\pkgmgr\\PkgMgr.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
Notify: igfxcui - igfxsrvc.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\amanen~1\applic~1\mozilla\firefox\profiles\x82aqc4n.default\
FF - prefs.js: browser.startup.homepage - hxxps://www.google.com/accounts/ServiceLogin?service=mail&passive=true&rm=false&continue=http%3A%2F%2Fmail.google.com%2Fmail%2F%3Fui%3Dhtml%26zy%3Dl&bsv=llya694le36z&scc=1&ltmpl=default&ltmplcache=2
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?sourceid=navclient&hl=en&q=
FF - prefs.js: network.proxy.ftp - 10.34.50.7
FF - prefs.js: network.proxy.ftp_port - 8080
FF - prefs.js: network.proxy.gopher - 10.34.50.7
FF - prefs.js: network.proxy.gopher_port - 8080
FF - prefs.js: network.proxy.http - 10.34.50.7
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.socks - 10.34.50.7
FF - prefs.js: network.proxy.socks_port - 8080
FF - prefs.js: network.proxy.ssl - 10.34.50.7
FF - prefs.js: network.proxy.ssl_port - 8080
FF - prefs.js: network.proxy.type - 4
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
.
============= SERVICES / DRIVERS ===============
.
R0 avgntmgr;avgntmgr;c:\windows\system32\drivers\avgntmgr.sys [2011-3-15 14848]
R1 avgntdd;avgntdd;c:\windows\system32\drivers\avgntdd.sys [2011-3-15 32768]
R2 AntiVirScheduler;AntiVir PersonalEdition Classic Scheduler;c:\program files\antivir personaledition classic\sched.exe [2011-3-15 34344]
R2 AntiVirService;AntiVir PersonalEdition Classic Guard;c:\program files\antivir personaledition classic\avguard.exe [2011-3-15 191016]
S0 IFP300;iRiver Internet Audio Player IFP-300;c:\windows\system32\drivers\ifp300.sys --> c:\windows\system32\drivers\ifp300.sys [?]
.
=============== Created Last 30 ================
.
2011-04-27 18:17:55 -------- d-----w- c:\windows\SxsCaPendDel
2011-04-27 03:18:05 -------- d-----w- c:\windows\system32\wbem\AutoRecover
2011-04-26 22:17:16 440998 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2011-04-26 22:13:01 28672 ------w- c:\program files\messenger\custsat.dll
2011-04-26 22:12:58 96768 -c----w- c:\windows\system32\dllcache\dpcdll.dll
2011-04-26 22:12:22 40832 ------w- c:\windows\system32\drivers\irbus.sys
2011-04-26 22:12:21 9728 ------w- c:\windows\system32\comsdupd.exe
2011-04-26 22:12:21 53248 ------w- c:\windows\system32\vbicodec.ax
2011-04-26 22:12:20 239616 ------w- c:\windows\system32\wstrenderer.ax
2011-04-26 22:12:20 164352 ------w- c:\windows\system32\wstpager.ax
2011-04-26 22:10:58 1737856 ------w- c:\windows\system32\mtxparhd.dll
2011-04-26 21:57:57 -------- d-----w- c:\windows\ServicePackFiles
2011-04-26 21:48:25 2897920 ------w- c:\windows\system32\xpsp2res.dll
2011-04-26 21:42:01 19528 ----a-w- c:\windows\002298_.tmp
2011-04-26 21:41:45 -------- d-----w- c:\windows\system32\ReinstallBackups
2011-04-26 21:41:29 15872 ----a-w- c:\windows\system32\spupdsvc.exe
2011-04-26 21:32:23 -------- d-----w- c:\windows\EHome
2011-04-25 20:12:24 -------- d-sha-r- C:\cmdcons
2011-04-25 20:05:36 89088 ----a-w- c:\windows\MBR.exe
2011-04-25 20:05:35 98816 ----a-w- c:\windows\sed.exe
2011-04-25 20:05:35 256512 ----a-w- c:\windows\PEV.exe
2011-04-25 20:05:35 161792 ----a-w- c:\windows\SWREG.exe
.
==================== Find3M ====================
.
.
============= FINISH: 4:18:04.14 ===============
 
Hi,

by the way is it safe to uninstall my avira antivir? the red shield on the lower right says it's outdated...
Yes. You need to get fresh version later.


Open text editor and then copy and paste the bolded lines below into it. Go to File > save as and name the file fixes.bat, change the Save as type to all files and save it to your desktop.
@ECHO OFF
DIR /a/s C:\notepad.exe >LogIt.txt
START LogIt.txt
DEL %0

Double-click on fixes.bat file to execute it. Text editor should open up. Post back its contents, please. If editor doesn't open up post contents of LogIt.txt file that should appear on your desktop.
 
hello!

There was no option for "all files" in the "type" drop-down menu when I tried to save. I tried it as a .rtf and an icon appeared on the desktop. I double-clicked it and a black box opened but no LogIt.txt file.

I do not know how to describe what happened so I have attached a screenshot (saved in monocolor to save space) instead of trying to put it in words. :red:
 
Hi,

Download attached fixes.zip and extract its contents (fixes.bat) to your desktop. Then run the extracted file and wait until process gets finished (command prompt window opens and then closes). As a result you should have LogIt.txt file on your desktop. Post back its contents (don't open the file before command prompt window has closed itself).
 
Hello! :D: Here it is! Thank you for your patience!

Volume in drive C has no label.
Volume Serial Number is D432-C06D

Directory of C:\WINDOWS

08/04/2004 12:56 AM 69,120 notepad.exe
1 File(s) 69,120 bytes

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/23/2001 12:00 PM 66,048 notepad.exe
1 File(s) 66,048 bytes

Directory of C:\WINDOWS\ServicePackFiles\i386

08/04/2004 12:56 AM 69,120 notepad.exe
1 File(s) 69,120 bytes

Total Files Listed:
3 File(s) 204,288 bytes
0 Dir(s) 14,217,322,496 bytes free
 
Good. That shows notepad is still there. Could you grab a screenshot of that issue you have with notepad? That would probably tell more.
 
That's great! :D:

I didn't know what you were looking for. But here's what I did. I clicked "Start" and it opened up a box showing my name and several applications. One of them was Notebook. However upon clicking it nothing happened. I have taken a picture of the icon. :D: Hope it helps! Thanks Blade81!
 
Hi,

Right click that Notepad there and select properties. A window will open. Post back a screenshot showing the window with shortcut tab active.
 