Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

start up very slow and now, no startup bar and desktop icons


Re: start up very slow and now, no startup bar and desktop icons

Post by John B. » December 31st, 2008, 5:33 am

Hi Amir,

Please download GooredFix and save it to your Desktop. Double-click Goored.exe to run it. Select 1. Find Goored (no fix) by typing 1 and pressing Enter. A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt). Note: Do not run Option #2 yet.

Regards,
John.
John B.
MRU Master Emeritus

Re: start up very slow and now, no startup bar and desktop icons

Post by amash » December 31st, 2008, 5:26 pm

Hello John and happy new year!



GooredFix v1.6 by jpshortstuff
Log created at 08:23 on 01/01/2009 running Option #1
Firefox version 3.0.5 (en-GB)

=====Suspect Goored Entries=====

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.5\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.5\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"


Regards,

Amir
amash
Regular Member

Re: start up very slow and now, no startup bar and desktop icons

Post by John B. » January 1st, 2009, 10:54 am

Hi Amir,

Happy new year! You do not seem to have the infection I thought you had, so we will have to keep searching.

Step 1: Download and Run DirLook
Please download DirLook by jpshortstuff from one of the following mirrors:
Link 1
Link 2
Link 3
  • Double-click DirLook.exe to run it.
  • Ensure that Show Hidden Files/Folders and BBCode Output are both checked.
  • Copy the content of the following codebox into the main textfield:

    Code:
    C:\db3e0b543d6345ef8927e1fc
    C:\689900305e87959c74

  • Click the DirLook button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please close it for now, as the log can also be found at C:\DirLook.txt.

Note: Scanning may take long for large folders.

Step 2: Run ATF Cleaner
Double-click ATF Cleaner.exe to open it.

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.

Step 3: Run Malwarebytes' Anti-Malware
  • Start Malwarebytes' Anti-Malware
  • Make sure you check for updates to have the latest definitions and no bugs.
  • After doing that, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Close the Notepad file.
  • The log file is saved here and will be named like this: C:\Documents and Settings\<your username>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Step 4: Post logs
Please post the following logs in a reply to this topic:
  • DirLook log
  • MBAM log

Regards,
John.
John B.
MRU Master Emeritus

Re: start up very slow and now, no startup bar and desktop icons

Post by amash » January 1st, 2009, 7:14 pm

John,

Are the Firefox reg key values found by GooredFix responsible for my search redirects? Funnily enough, the redirect doesn't happen when I go to yahoo.com and use its search.




Malwarebytes' Anti-Malware 1.31
Database version: 1590
Windows 5.1.2600 Service Pack 3

2/01/2009 10:07:14 AM
mbam-log-2009-01-02 (10-07-14).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 116965
Time elapsed: 38 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


================================================================================================

DirLook.exe v2.0 by jpshortstuff
Log created at 09:19 on 02/01/2009
==================================
Contents of "C:\db3e0b543d6345ef8927e1fc"

---FOLDERS---

update (Created on 08/12/2008 at 22:38) d-----

---FILES---

(none found)

==================================
Contents of "C:\689900305e87959c74"

---FOLDERS---

update (Created on 08/12/2008 at 22:37) d-----

---FILES---

(none found)

==================================
=EOF=
amash
Regular Member

Re: start up very slow and now, no startup bar and desktop icons

Post by John B. » January 2nd, 2009, 12:04 pm

Hi Amir,

Are the Firefox reg key values found by GooredFix responsible for my search redirects? Funnily enough, the redirect doesn't happen when I go to yahoo.com and use its search.

Well, lately an infection has been found that redirects search results in Firefox, and one of our helpers designed a fix for this. That is why I decided to check if that infection is present. But as you can see, the 'Suspected Goored Entries' section is empty and the other entries look completely fine, so that is not the infection you have. But there are a lot of other infections that can redirect your searches, so we are not yet out of options ;)

  • Disconnect from the internet and close running programs, especially programs like Spybot and Ad-Aware and their real-time functions.
  • There is a small chance this application may crash your computer, so save any work you have open.
  • Double-click gmer.exe.
  • Let the gmer.sys driver load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan, say OK.
  • If there is no warning, click the Rootkit tab.
  • To the right of the program you will see a bunch of boxes that have been checked; leave everything checked. Then click the Scan button. Wait for the scan to finish.
  • Once done, click the Copy button.
  • Open Notepad and hit Ctrl+V to paste the log. Save the log to your desktop, please.

Please post the Gmer log.

Regards,
John.
John B.
MRU Master Emeritus

Re: start up very slow and now, no startup bar and desktop icons

Post by amash » January 2nd, 2009, 6:09 pm

Hi John,

I have posted two logs for gmer. The first one was created immediately when gmer was started and it did an automatic scan. The second one was created after I checked D drive and clicked on SCAN manually. Not sure if there is a difference...

Thanks.

Amir


GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-01-03 08:45:26
Windows 5.1.2600 Service Pack 3


---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 eabfiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Development Company, L.P.)

---- EOF - GMER 1.0.14 ----








GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-01-03 09:01:19
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.14 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xF465C576]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xF465C432]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xF465C910]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xF465C00A]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xF465C50C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xF465BF4A]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xF465BFAE]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xF465C62C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xF465C5EC]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xF465C76C]

---- User code sections - GMER 1.0.14 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[3420] kernel32.dll!ExitProcess 7C81CAFA 5 Bytes JMP 10002E30
.text C:\Program Files\Internet Explorer\iexplore.exe[3420] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 42F0F301 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3420] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 430A179F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3420] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 430A1720 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3420] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 430A1764 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3420] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 430A16AC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3420] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 430A16E6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3420] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 430A17DA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3420] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 42F316B6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3420] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10002D90
.text C:\Program Files\Internet Explorer\iexplore.exe[3420] ws2_32.dll!send 71AB4C27 5 Bytes JMP 100029A0
.text C:\Program Files\Internet Explorer\iexplore.exe[3420] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027F8
.text C:\Program Files\Internet Explorer\iexplore.exe[3420] ws2_32.dll!recv 71AB676F 5 Bytes JMP 100024F0
.text C:\Program Files\Internet Explorer\iexplore.exe[3420] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10002D44

---- User IAT/EAT - GMER 1.0.14 ----

IAT C:\WINDOWS\system32\services.exe[752] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 005B0002
IAT C:\WINDOWS\system32\services.exe[752] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 005B0000

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 eabfiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Development Company, L.P.)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

---- EOF - GMER 1.0.14 ----
amash
Regular Member
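In the two GMER logs above, the hooks fall into two groups: those GMER attributes to a module it recognises (the SSDT entries owned by avast's aswSP.SYS, the USER32 hooks in iexplore.exe that jump into IEFRAME.dll) and those that end in a bare address with no module path (the kernel32 and ws2_32 hooks in iexplore.exe, the IAT entries in services.exe). The script below is an added triage example, not code from the thread or from GMER: it parses hook lines in the format shown above (the regular expressions are my reading of that format, not an official grammar) and lists the unattributed hooks, grouping their destinations by address region; the sample log is constructed from the lines posted.

```python
"""GMER log triage (added example, not from the thread or from GMER).

GMER appends the owning module path and vendor to a hook line when it can map
the hook's destination to a module on disk; otherwise the line ends at the bare
address.  Those unattributed hooks are the ones a helper reviews first."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: a subset of the GMER lines posted in the thread.
SAMPLE_GMER_LOG = r"""GMER 1.0.14.14536 - http://www.gmer.net
---- System - GMER 1.0.14 ----
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xF465BF4A]
---- User code sections - GMER 1.0.14 ----
.text C:\Program Files\Internet Explorer\iexplore.exe[3420] kernel32.dll!ExitProcess 7C81CAFA 5 Bytes JMP 10002E30
.text C:\Program Files\Internet Explorer\iexplore.exe[3420] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 42F0F301 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3420] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10002D90
.text C:\Program Files\Internet Explorer\iexplore.exe[3420] ws2_32.dll!send 71AB4C27 5 Bytes JMP 100029A0
.text C:\Program Files\Internet Explorer\iexplore.exe[3420] ws2_32.dll!recv 71AB676F 5 Bytes JMP 100024F0
---- User IAT/EAT - GMER 1.0.14 ----
IAT C:\WINDOWS\system32\services.exe[752] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 005B0000
---- EOF - GMER 1.0.14 ----
"""

# Line formats below are my reading of the log above, not an official grammar.
SSDT_RE = re.compile(r"^SSDT\s+(?P<module>\S+)(?:\s+\((?P<vendor>[^)]*)\))?"
                     r"\s+(?P<api>Zw\w+)\s+\[(?P<dest>0x[0-9A-F]+)\]$", re.I)
TEXT_RE = re.compile(r"^\.text\s+(?P<proc>.*?\[\d+\])\s+(?P<api>\S+!\S+)\s+"
                     r"[0-9A-F]+\s+\d+\s+Bytes\s+(?P<rest>.*)$", re.I)
JMP_RE = re.compile(r"^(?:JMP|CALL)\s+(?P<dest>[0-9A-F]+)(?:\s+(?P<module>\S.*))?$", re.I)
IAT_RE = re.compile(r"^IAT\s+(?P<proc>.*?\[\d+\])\s+@\s+\S.*?\s+\[(?P<api>[^\]]+)\]"
                    r"\s+(?P<dest>[0-9A-F]+)(?:\s+(?P<module>\S.*))?$", re.I)


@dataclass
class Hook:
    section: str            # "SSDT", ".text" or "IAT"
    process: str            # hooked process, or "kernel" for SSDT entries
    api: str                # hooked function, e.g. ws2_32.dll!connect
    dest: str               # redirect target as printed by GMER (hex)
    module: Optional[str]   # module GMER mapped the target to, if any

    @property
    def attributed(self) -> bool:
        return self.module is not None


def parse_gmer(log: str) -> List[Hook]:
    """Convert the hook lines of a GMER log into Hook records; other lines are ignored."""
    hooks: List[Hook] = []
    for line in (raw.strip() for raw in log.splitlines()):
        if m := SSDT_RE.match(line):
            # The vendor string in parentheses means GMER recognised the driver file.
            hooks.append(Hook("SSDT", "kernel", m["api"], m["dest"],
                              m["module"] if m["vendor"] else None))
        elif m := TEXT_RE.match(line):
            if j := JMP_RE.match(m["rest"]):   # inline patch; raw byte dumps are skipped
                hooks.append(Hook(".text", m["proc"], m["api"], j["dest"], j["module"]))
        elif m := IAT_RE.match(line):
            hooks.append(Hook("IAT", m["proc"], m["api"], m["dest"], m["module"]))
    return hooks


def unattributed_hooks(log: str) -> List[Hook]:
    """Hooks whose destination GMER could not map to any module: review these first."""
    return [h for h in parse_gmer(log) if not h.attributed]


def destination_regions(hooks: List[Hook], granularity: int = 0x10000) -> Dict[Tuple[str, str], List[str]]:
    """Group hook destinations per process into address regions (default 64 KiB).

    Several unattributed hooks landing in one region point at a single unnamed
    code module loaded in that process, which is what to look for next."""
    regions: Dict[Tuple[str, str], List[str]] = {}
    for h in hooks:
        base = (int(h.dest, 16) // granularity) * granularity
        regions.setdefault((h.process, f"{base:08X}"), []).append(h.api)
    return regions


if __name__ == "__main__":
    for hook in unattributed_hooks(SAMPLE_GMER_LOG):
        print(f"{hook.section:5} {hook.process} {hook.api} -> {hook.dest}")
```

Run against the sample, the four winsock/kernel32 hooks in iexplore.exe all resolve to the same 64 KiB region, which is the kind of clustering that tells a helper one unnamed module is behind them.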

Re: start up very slow and now, no startup bar and desktop icons

Post by amash » January 2nd, 2009, 11:43 pm

File: C:\WINDOWS\SYSTEM32\wdmaud.sys

Type: Rootkit: hidden process



John,

Avast! has found the above suspicious file.

It recommends I ignore it and submit it for analysis. Then it asks to do a scan from boot. It repeats itself again...
amash
Regular Member

Re: start up very slow and now, no startup bar and desktop icons

Post by amash » January 3rd, 2009, 9:49 am

Hi John,

Sorry for being impatient, however I went ahead and deleted the file C:\WINDOWS\SYSTEM32\wdmaud.sys

The laptop rebooted and avast ran another scan from boot.

The searches seem to be working a treat now. No worries as far as I can tell. I reinstalled firefox.

I also installed CCleaner to clean things up a bit.

I look forward to hearing from you.

Regards,

Amir
amash
Regular Member

Re: start up very slow and now, no startup bar and desktop icons

Post by John B. » January 3rd, 2009, 11:18 am

How did you remove that file?
John B.
MRU Master Emeritus

Re: start up very slow and now, no startup bar and desktop icons

Post by amash » January 3rd, 2009, 4:16 pm

John,

Avast! found the file as it popped up a box [suspicious file found]; it gave me the option of ignore or delete. I initially kept ignoring it, (as per its recommendation), but then it kept popping up with the same warning. So I just clicked on the delete option.

By the way, there is still a wdmaud file in the system32 folder but I guess it's not the offender.

Regards,

Amir
amash
Regular Member

Re: start up very slow and now, no startup bar and desktop icons

Post by John B. » January 4th, 2009, 6:16 am

Hi,

We need to upload the infected file for analysis and possible addition to the databases.

Please go to the vault or quarantine of Avast and then set back/restore the wdmaud.sys, do not remove! After doing that, we need to run ComboFix again using a script.

Open Notepad and copy/paste the text in the box into the window:

Code:
http://www.malwareremoval.com/forum/viewtopic.php?f=11&t=37540

Suspect::
C:\WINDOWS\SYSTEM32\wdmaud.sys


Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix. For information on how to disable your anti virus program please see this:
http://www.bleepingcomputer.com/forums/topic114351.html

If you have Avast as anti virus an additional thing has to be changed to make ComboFix work properly:
[Image]

After doing that close any open browsers.

[Image]

Referring to the picture above, drag CFScript into ComboFix.exe

ComboFix will start scanning and when it opens its log please close it.

When CF finishes running, the ComboFix log will open along with a message box; do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
  • A browser will open.
  • Simply follow the instructions to copy/paste/send the requested file.

Remember that the ComboFix log is saved here: C:\ComboFix.txt

Please post that log.

Regards,
John.
John B.
MRU Master Emeritus

Re: start up very slow and now, no startup bar and desktop icons

Post by amash » January 5th, 2009, 7:21 am

This is the log of avast warnings. Do I need to restore the last file?




21/12/2008 12:38:25 PM SYSTEM 1628 Sign of "HTML:Iframe-inf" has been found in "http://financestoc.com/?sid=cmp0030\?sid=cmp0030" file.
24/12/2008 10:19:15 PM SYSTEM 1464 Sign of "HTML:Iframe-inf" has been found in "http://bigmp3online.com/?sid=aff0021\?sid=aff0021" file.
24/12/2008 10:30:46 PM SYSTEM 1464 Sign of "HTML:Iframe-inf" has been found in "http://financestoc.com/?sid=cmp0030\?sid=cmp0030" file.
27/12/2008 6:42:37 AM SYSTEM 1532 Sign of "JS:FakeAV-A [Trj]" has been found in "http://best-online-antivirus-scanner.info/scan.php?campaign=975186611&landid=2&country=au&rs=" file.
28/12/2008 1:26:30 AM SYSTEM 1532 Sign of "JS:FakeAV-A [Trj]" has been found in "http://best-online-antivirus-scanner.info/scan.php?campaign=353486801&landid=2&country=au&rs=" file.
28/12/2008 1:26:56 AM SYSTEM 1532 Sign of "JS:FakeAV-A [Trj]" has been found in "http://best-online-antivirus-scanner.info/scan.php?campaign=372086801&landid=2&country=au&rs=" file.
28/12/2008 1:27:03 AM SYSTEM 1532 Sign of "JS:FakeAV-A [Trj]" has been found in "http://best-online-antivirus-scanner.info/scan.php?campaign=376486801&landid=2&country=au&rs=" file.
2/01/2009 1:17:24 AM mike 2820 Sign of "Win32:IRCBot-DFI [Trj]" has been found in "C:\SwSetup\Hpgob\CH\Setup.exe\presetup\magic_ball_2-setup.exe\data\{37CBEC2F-C1EA-4E7A-84AC-A3BE7D2F309A}\12\MagicBall2.exe\[Armadillo]" file.
2/01/2009 1:22:09 AM mike 2820 Sign of "Win32:IRCBot-DFI [Trj]" has been found in "C:\SwSetup\Hpgob\KR\Setup.exe\presetup\magic_ball_2-setup.exe\data\{37CBEC2F-C1EA-4E7A-84AC-A3BE7D2F309A}\12\MagicBall2.exe\[Armadillo]" file.
2/01/2009 1:25:30 AM mike 2820 Sign of "Win32:IRCBot-DFI [Trj]" has been found in "C:\SwSetup\Hpgob\TW\Setup.exe\presetup\magic_ball_2-setup.exe\data\{37CBEC2F-C1EA-4E7A-84AC-A3BE7D2F309A}\12\MagicBall2.exe\[Armadillo]" file.
2/01/2009 1:28:20 AM mike 2820 Sign of "Win32:IRCBot-DFI [Trj]" has been found in "C:\SwSetup\Hpgob\TZ\Setup.exe\presetup\magic_ball_2-setup.exe\data\{37CBEC2F-C1EA-4E7A-84AC-A3BE7D2F309A}\12\MagicBall2.exe\[Armadillo]" file.
2/01/2009 1:34:11 AM mike 2820 Sign of "Win32:IRCBot-DFI [Trj]" has been found in "C:\SwSetup\Hpgob\US\Setup.exe\presetup\magic_ball_2-setup.exe\data\{37CBEC2F-C1EA-4E7A-84AC-A3BE7D2F309A}\12\MagicBall2.exe\[Armadillo]" file.
2/01/2009 1:51:31 AM mike 2820 Sign of "Win32:IRCBot-DFI [Trj]" has been found in "C:\System Volume Information\_restore{2D6AFCA6-C76E-4DBB-8D3E-7F57086A04B5}\RP7\A0000721.exe\presetup\magic_ball_2-setup.exe\data\{37CBEC2F-C1EA-4E7A-84AC-A3BE7D2F309A}\12\MagicBall2.exe\[Armadillo]" file.
2/01/2009 1:55:03 AM mike 2820 Sign of "Win32:IRCBot-DFI [Trj]" has been found in "C:\System Volume Information\_restore{2D6AFCA6-C76E-4DBB-8D3E-7F57086A04B5}\RP7\A0000722.exe\presetup\magic_ball_2-setup.exe\data\{37CBEC2F-C1EA-4E7A-84AC-A3BE7D2F309A}\12\MagicBall2.exe\[Armadillo]" file.
2/01/2009 1:57:50 AM mike 2820 Sign of "Win32:IRCBot-DFI [Trj]" has been found in "C:\System Volume Information\_restore{2D6AFCA6-C76E-4DBB-8D3E-7F57086A04B5}\RP7\A0000723.exe\presetup\magic_ball_2-setup.exe\data\{37CBEC2F-C1EA-4E7A-84AC-A3BE7D2F309A}\12\MagicBall2.exe\[Armadillo]" file.
2/01/2009 2:00:26 AM mike 2820 Sign of "Win32:IRCBot-DFI [Trj]" has been found in "C:\System Volume Information\_restore{2D6AFCA6-C76E-4DBB-8D3E-7F57086A04B5}\RP7\A0000724.exe\presetup\magic_ball_2-setup.exe\data\{37CBEC2F-C1EA-4E7A-84AC-A3BE7D2F309A}\12\MagicBall2.exe\[Armadillo]" file.
2/01/2009 2:02:42 AM mike 2820 Sign of "Win32:IRCBot-DFI [Trj]" has been found in "C:\System Volume Information\_restore{2D6AFCA6-C76E-4DBB-8D3E-7F57086A04B5}\RP7\A0000725.exe\presetup\magic_ball_2-setup.exe\data\{37CBEC2F-C1EA-4E7A-84AC-A3BE7D2F309A}\12\MagicBall2.exe\[Armadillo]" file.
amash
Regular Member

Re: start up very slow and now, no startup bar and desktop icons

Post by John B. » January 5th, 2009, 11:32 am

Hi,

Did you do what I told you to do with the CFScript and did you upload the file as instructed? If not, please do not continue with the steps below and just let me know.

Something that I want to make clear is that you should not be using your computer too much while we are in the cleaning process. It seems like you are installing things and going to strange webpages, and that way we could go on for ages if you keep reinfecting yourself.

This is so the registry can be restored to this point if we need it. It may take a minute. Just let it go until it's done.
  • Download ERUNT
  • Save it to your desktop. Run and install this program.
  • In the box that opens only choose System registry
  • Then click OK.
  • Click save and then go to File > Exit.

Open Notepad and copy/paste the text in the box into the window:

Code:
File::
C:\WINDOWS\SYSTEM32\wdmaud.sys

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux2"=-


Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix. For information on how to disable your anti virus program please see this:
http://www.bleepingcomputer.com/forums/topic114351.html

If you have Avast as anti virus an additional thing has to be changed to make ComboFix work properly:
[Image]

After doing that close any open browsers.

[Image]

Referring to the picture above, drag CFScript into ComboFix.exe

ComboFix will start scanning and when it opens its log please close it.

Remember that the ComboFix log is saved here: C:\ComboFix.txt

Last of all, I'd like you to check a file/some files for malware.
C:\SwSetup\Hpgob\CH\Setup.exe

  • Copy/Paste the first file on the list into the white Upload a file box.
  • Click Send/Submit, and the file will upload to VirusTotal/Jotti, where it will be scanned by several anti-virus programmes.
  • After a while, a window will open, with details of what the scans found.
  • Save the complete results in a Notepad/Word document on your desktop.

Please post the following logs:
  • New uninstall log (instructions are in my welcome speech at the beginning of this topic)
  • New HijackThis log
  • ComboFix log
  • VirusTotal/Jotti logs

Regards,
John.
John B.
MRU Master Emeritus

Re: start up very slow and now, no startup bar and desktop icons

Post by amash » January 6th, 2009, 9:36 am

John,

I couldn't find the file in the Avast vault.
Please give me a day or two, as I am flat out at work and have no chance to use my laptop at home.
amash
Regular Member

Re: start up very slow and now, no startup bar and desktop icons

Post by John B. » January 7th, 2009, 12:20 pm

Take your time, please do what you are instructed to do here (no matter if you did the other things or not):
viewtopic.php?p=390279#p390279
John B.
MRU Master Emeritus
