Can't run any .exe files, hijacked browser, etc.

Post by mae7 » March 24th, 2009, 11:55 am

Hi! :) I'm trying to fix my cousin's computer which hasn't been working properly for months now... :shock:

At first I couldn't run any .exe files (including HJT), but I renamed HJT to scanner.pif and got it to work. But I think there's still something wrong with running other executable files.

Other problems I've noticed are that the other user accounts on Windows freeze up once they've loaded the screen. You can't click on anything, and an hourglass pops up when you hover over the taskbar. But for some reason only one account is working; the others freeze up. Also, the browser has been hijacked. When I search certain things on Google and click on a link, it'll take me somewhere else. And I can't even visit this forum on that computer. :lol:



Anyways, here's the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:45:42 AM, on 3/24/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\PROGRA~1\Allume\ZipMagic\MXTask.exe
C:\PROGRA~1\Allume\ZipMagic\mxtask.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\System32\regsvr32.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: searchersmart search enhancer - {512DA1DA-4D8B-E2F5-88F3-292DF7FE1CFA} - C:\WINDOWS\system32\zjlvevklakaiumct.dll
O2 - BHO: mxlivemedia browser enhancer - {67BCEA6F-BDB8-F7D5-3965-8B3011C4A764} - C:\WINDOWS\system32\pyqqjetaee.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {AFD4AD01-58C1-47DB-A404-FBE00A6C5486} - (no file)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [LXCGCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [zotpdvsyssfpe] C:\WINDOWS\System32\regsvr32.exe /s "C:\WINDOWS\system32\pyqqjetaee.dll"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD44/JSCDL ... 586-jc.cab
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: lxcg_device - - C:\WINDOWS\system32\lxcgcoms.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: ZipMagic Task Manager - Allume Systems, Inc. - C:\PROGRA~1\Allume\ZipMagic\MXTask.exe

--
End of file - 5272 bytes
mae7
Regular Member
 
Posts: 15
Joined: March 7th, 2009, 12:19 pm
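An added example, not from this thread or from HijackThis itself: a small Python triage script that runs over a few lines copied from the HJT log above (plus the known-good entries around them) and flags the things a helper reads the log for: registered components whose file is missing, an autorun entry that silently registers a DLL with `regsvr32 /s`, the policy that disables the Registry Editor, and module names that look machine-generated. The random-name rule is a heuristic assumed for this example, not a HijackThis feature, and the output is a reading aid for review, not a removal list.

```python
import re
from typing import List, Tuple

# Constructed sample: lines copied from the HijackThis log posted above, together
# with the benign entries around them, so the triage can be exercised offline.
SAMPLE_HJT_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: searchersmart search enhancer - {512DA1DA-4D8B-E2F5-88F3-292DF7FE1CFA} - C:\WINDOWS\system32\zjlvevklakaiumct.dll
O2 - BHO: mxlivemedia browser enhancer - {67BCEA6F-BDB8-F7D5-3965-8B3011C4A764} - C:\WINDOWS\system32\pyqqjetaee.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [zotpdvsyssfpe] C:\WINDOWS\System32\regsvr32.exe /s "C:\WINDOWS\system32\pyqqjetaee.dll"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
"""

HJT_LINE = re.compile(r"^(O\d+) - (.*)$")
# An autorun that hands a DLL to regsvr32 with /s (silent) so nothing is shown at logon.
REGSVR_SILENT = re.compile(r'regsvr32\.exe\s+/s\s+"?([^"\s]+\.dll)', re.IGNORECASE)
VOWELS = set("aeiou")


def max_consonant_run(name: str) -> int:
    """Length of the longest run of consonant letters in `name`."""
    run = best = 0
    for ch in name.lower():
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def looks_random(path: str) -> bool:
    """Heuristic assumed for this example (not a HijackThis rule): a long, all-letter
    base name containing a long consonant run is probably machine-generated."""
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    return stem.isalpha() and len(stem) >= 10 and max_consonant_run(stem) >= 4


def triage_hjt(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (section, target, reason) for every log line worth a second look."""
    findings = []
    for raw in log_text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        target = body.rsplit(" - ", 1)[-1]  # last field: file path or "(no file)"
        silent = REGSVR_SILENT.search(body) if section == "O4" else None
        if target == "(no file)":
            findings.append((section, body, "orphaned entry: registered component has no file on disk"))
        elif section == "O7" and "DisableRegedit=1" in body:
            findings.append((section, body, "policy disables the Registry Editor"))
        elif silent:
            findings.append((section, silent.group(1), "autorun silently registers a DLL via regsvr32 /s"))
        elif looks_random(target):
            findings.append((section, target, "module name looks machine-generated (heuristic)"))
    return findings


if __name__ == "__main__":
    for section, target, reason in triage_hjt(SAMPLE_HJT_LOG):
        print(f"{section}: {reason}\n    {target}")
```

Run as-is it prints six findings from the sample; point `triage_hjt` at a full log to get the same list for the whole file. The heuristic deliberately ignores short names such as `hkcmd.exe`, which is why a long consonant run alone is not enough to flag an entry.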

Re: Can't run any .exe files, hijacked browser, etc.

Post by jmw3 » March 27th, 2009, 6:27 am

Hello & Welcome to Malware Removal
Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this, ensure that Notify me when a reply is posted is ticked on the Post A Reply page.

In the meantime please note the following:
  • Any recommendations made are for your computer problems only and should NOT be used on any other computer.
  • Please DO NOT run any scans/tools or other fixes unless I ask you to. This is very important for several reasons. Here are just two of them:
    1. The tools that we use are very powerful and can cause >>irreparable damage<< to your computer if not used correctly.
    2. Commercial scanners, for the most part, cannot completely remove some of the more "resistant" infections. This makes them much more difficult to get rid of completely.
  • If you get stuck or are unsure of something please ask for a further explanation, do not guess.
  • Continue to respond to this thread until I give you the All Clean!
Please note that the forum is very busy and if I don't hear from you within five days this thread will be closed.
If for any reason you cannot complete instructions within that time, that's fine, just put a post here so that I know you're still here. We get a lot of people who simply leave & if there is no contact for that amount of time I will have to assume you have abandoned your topic.

Thanks

DDS
Download DDS.scr by sUBs from one of the following links & save it to your desktop.
http://www.techsupportforum.com/sectools/sUBs/dds
http://download.bleepingcomputer.com/sUBs/dds.scr
http://www.forospyware.com/sUBs/dds

  • Double-Click on dds.scr and a command window will appear. This is normal
  • Shortly after a log will appear
  • Click Yes at the next prompt, another log named attach.txt will appear
  • A window will open instructing you to post both logs. Copy the contents of both logs & post in your next reply
GMER Rootkit Scanner
Download GMER Rootkit Scanner here.
  • Double click the exe file. If asked to allow gmer.sys driver to load, please consent
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO

  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file
  • Save it where you can easily find it, such as your desktop, and post the contents in your next reply
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<-- ROOTKIT" entries


To post in next reply:
DDS log
Contents of Attach.txt
Gmer log
jmw3
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia

Re: Can't run any .exe files, hijacked browser, etc.

Post by mae7 » March 27th, 2009, 11:44 am

Hello! Thank you for helping me!

Here are my results:

DDS Log
DDS (Ver_09-03-16.01) - NTFSx86
Run by volcomst0ne56 at 6:12:42.70 on Fri 03/27/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1013.694 [GMT -7:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\PROGRA~1\Allume\ZipMagic\MXTask.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\Allume\ZipMagic\mxtask.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\System32\regsvr32.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\AIM6\aolsoftware.exe
C:\Documents and Settings\volcomst0ne56\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie
uStart Page = hxxp://www.gateway.com/
mSearchAssistant = hxxp://www.google.com/ie
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: searchersmart search enhancer: {512da1da-4d8b-e2f5-88f3-292df7fe1cfa} - c:\windows\system32\zjlvevklakaiumct.dll
BHO: mxlivemedia browser enhancer: {67bcea6f-bdb8-f7d5-3965-8b3011c4a764} - c:\windows\system32\pyqqjetaee.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: {AFD4AD01-58C1-47DB-A404-FBE00A6C5486} - No File
TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: Search panel: {16576a18-7245-9315-d2d3-ade923a03cc6} - c:\windows\system32\zjlvevklakaiumct.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
mRun: [<NO NAME>]
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [LXCGCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXCGtime.dll,_RunDLLEntry@16
mRun: [zotpdvsyssfpe] c:\windows\system32\regsvr32.exe /s "c:\windows\system32\pyqqjetaee.dll"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
uPolicies-system: DisableRegistryTools = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://dl8-cdn-01.sun.com/s/ESD44/JSCDL ... 586-jc.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/fl ... rashim.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
Notify: igfxcui - igfxdev.dll

============= SERVICES / DRIVERS ===============

R1 cmosa;cmosa;c:\windows\system32\drivers\cmosa.sys [2009-3-22 29344]
R2 ZipMagic Task Manager;ZipMagic Task Manager;c:\progra~1\allume\zipmagic\mxtask.exe -service --> c:\progra~1\allume\zipmagic\MXTask.exe -Service [?]

=============== Created Last 30 ================

2009-03-24 08:45 <DIR> --d----- c:\program files\Trend Micro
2009-03-22 12:23 167,936 -------- c:\windows\system32\RcdScan.dll
2009-03-22 12:23 29,344 -------- c:\windows\system32\drivers\cmosa.sys
2009-03-22 12:23 414,944 -------- c:\windows\system32\COMCT332.OCX
2009-03-22 12:23 171,967 a------- c:\windows\system32\Odbcjet.hlp
2009-03-22 12:23 7,348 a------- c:\windows\system32\Odbcjet.cnt
2009-03-22 12:23 328,480 -------- c:\windows\system32\ssa3d30.ocx
2009-03-22 12:18 <DIR> -cd----- C:\SavedPetz
2009-03-22 11:46 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2009-03-22 11:46 0 a---h--- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-03-17 19:41 <DIR> --d----- c:\program files\AIM Music Link
2009-03-15 13:49 21 a------- c:\windows\atid.ini
2009-03-15 13:31 <DIR> --d----- c:\program files\common files\Software Update Utility
2009-03-15 13:26 <DIR> --d----- c:\docume~1\alluse~1\applic~1\acccore
2009-03-15 13:25 <DIR> --d----- c:\program files\AIM6
2009-03-15 13:25 1,430 ac--h--- C:\IPH.PH

==================== Find3M ====================

2009-03-17 08:20 57,394 a------- c:\windows\system32\zjlvevklakaiumct.dll-uninst.exe
2009-02-20 04:37 607,232 a------- c:\windows\system32\zjlvevklakaiumct.dll
2009-02-09 04:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-01-17 08:18 47,583 a------- c:\windows\system32\kvbnhnjdmeyllv.exe
2009-01-14 12:38 380,928 a------- c:\windows\system32\pyqqjetaee.dll
2008-09-09 01:24 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090920080910\index.dat

============= FINISH: 6:13:48.14 ===============



Attach.txt
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-03-16.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 12/29/2005 8:33:09 PM
System Uptime: 3/27/2009 6:08:12 AM (0 hours ago)

Motherboard: Intel Corporation | | D945GCZ
Processor: Intel(R) Pentium(R) D CPU 2.80GHz | | 2799/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 228 GiB total, 209.047 GiB free.
D: is FIXED (FAT32) - 5 GiB total, 2.712 GiB free.
E: is CDROM ()
F: is Removable
G: is Removable
H: is Removable
I: is Removable
J: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP33: 3/22/2009 12:18:31 PM - System Checkpoint

==== Installed Programs ======================

ABBYY FineReader 6.0 Sprint
Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 7.0
AIM 6
AIM MusicLink 4.0.0.0
AQUAZONE DESKTOP GARDEN
BigFix
Cabos
CalyxLoanBridge11
CardRd81
CCScore
Cook'n with Betty Crocker
CR2
Dell ResourceCD
Digital Media Reader
Download Updater (AOL LLC)
Encyclopaedia Britannica CD Installer
ESSBrwr
ESSCDBK
ESScore
ESSCT
ESSEMAIL
ESSgui
ESShelp
ESSini
ESSPCD
ESSPDock
ESSSONIC
ESSTOOLS
essvcpt
ESSvpaht
ESSvpot
FloorPlan 3D v10
HijackThis 2.0.2
HLPIndex
HLPPDOCK
HLPSFO
Hotfix for Windows Internet Explorer 7 (KB947864)
Intel Audio Studio
Intel(R) Graphics Media Accelerator Driver
Intel(R) PRO Network Connections Drivers
iPod for Windows 2005-09-23
iTunes
J2SE Runtime Environment 5.0 Update 2
Java(TM) 6 Update 7
Kaplan Question Trainer
Kodak EasyShare software
KSU
Lexmark 2300 Series
Lexmark Fax Solutions
MapleStory
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Application Error Reporting
Microsoft Digital Image Library 9 - Blocker
Microsoft Digital Image Starter Edition 2006
Microsoft Digital Image Starter Edition 2006 Editor
Microsoft Digital Image Starter Edition 2006 Library
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft Money 2005
Microsoft National Language Support Downlevel APIs
Microsoft Office Standard Edition 2003
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
Microsoft WSE 2.0 SP3 Runtime
Mosby's Medical Encyclopedia
Mozilla Firefox (3.0.7)
MSN
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
Nero BurnRights
Nero OEM
Notifier
OfficeReady Professional 3.0
OfotoXMI
OTtBP
OTtBPSDK
Point
PowerDVD
Quicken 2005
QuickTime
RealPlayer Basic
Recovery Software Suite Gateway
RON Too1 Mxlivemedia
Search Assistant Searchersmart
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Setup
SFR
SFR2
SHASTA
SigmaTel Audio
SKIN0001
SKINXSDK
SoftV92 Data Fax Modem with SmartCP
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
USB Wireless Keyboard Driver
Verizon Online
VPRINTOL
WebFldrs XP
Windows Backup Utility
Windows Genuine Advantage Notifications (KB905474)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format Runtime
Windows Media Player 10
Windows XP Service Pack 3
WIRELESS
ZipMagic Deluxe

==== Event Viewer Messages From Past Week ========

3/21/2009 3:32:18 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.
3/21/2009 8:02:57 AM, error: Dhcp [1002] - The IP address lease 192.168.1.100 for the Network Card with network address 001320C2B55C has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).

==== End Of File ===========================



Gmer Log
GMER 1.0.15.14957 - http://www.gmer.net
Rootkit scan 2009-03-27 08:40:04
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

Code E29FE220 ZwEnumerateKey
Code E1F71978 ZwFlushInstructionCache
Code AA5FDEAB pIofCallDriver
Code AA5FE853 pIofCompleteRequest

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs zmxpzip.sys (ZipFolders File System Filter Driver/Allume Systems)
AttachedDevice \FileSystem\Fastfat \Fat zmxpzip.sys (ZipFolders File System Filter Driver/Allume Systems)

---- Modules - GMER 1.0.15 ----

Module \systemroot\system32\drivers\TDSSpaxt.sys (*** hidden *** ) AA5FC000-AA60E000 (73728 bytes)

---- Threads - GMER 1.0.15 ----

Thread System [4:344] AA5FED66

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\TDSSpaxt.sys (*** hidden *** ) [SYSTEM] TDSSserv.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys@imagepath \systemroot\system32\drivers\TDSSpaxt.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@TDSSserv \systemroot\system32\drivers\TDSSpaxt.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@TDSSl \systemroot\system32\TDSSoexh.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdssservers \systemroot\system32\TDSSosvd.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdssmain \systemroot\system32\TDSSnrsr.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdsslog \systemroot\system32\TDSSriqp.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdssadw \systemroot\system32\TDSScfub.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdssinit \systemroot\system32\TDSSfpmp.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdssurls \systemroot\system32\TDSSnmxh.log
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdsspanels \systemroot\system32\TDSSsbhc.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdsserrors \systemroot\system32\TDSSrhym.log
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@TDSSproc \systemroot\system32\TDSStkdv.log
Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys
Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys@imagepath \systemroot\system32\drivers\TDSSpaxt.sys
Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys\modules
Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys\modules@TDSSserv \systemroot\system32\drivers\TDSSpaxt.sys
Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys\modules@TDSSl \systemroot\system32\TDSSoexh.dll
Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys\modules@tdssservers \systemroot\system32\TDSSosvd.dat
Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys\modules@tdssmain \systemroot\system32\TDSSnrsr.dll
Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys\modules@tdsslog \systemroot\system32\TDSSriqp.dll
Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys\modules@tdssadw \systemroot\system32\TDSScfub.dll
Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys\modules@tdssinit \systemroot\system32\TDSSfpmp.dll
Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys\modules@tdssurls \systemroot\system32\TDSSnmxh.log
Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys\modules@tdsspanels \systemroot\system32\TDSSsbhc.dll
Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys\modules@tdsserrors \systemroot\system32\TDSSrhym.log
Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys\modules@TDSSproc \systemroot\system32\TDSStkdv.log
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata@affid 41
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata@subid v300
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata@control 0x09 0x19 0x1F 0x16 ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata@prov 10010
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata@googleadserver pagead2.googlesyndication.com
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata@flagged 1
Reg HKLM\SOFTWARE\Classes\CLSID\{66A1F9DD-8EE1-E2E9-B128-746F7C312033}\InprocServer32@ C:\Program Files\Kodak\Kodak EasyShare software\bin\Escom.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{66A1F9DD-8EE1-E2E9-B128-746F7C312033}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{66A1F9DD-8EE1-E2E9-B128-746F7C312033}\ProgID@ EasyShare.EasyShare_ImageCollection.1
Reg HKLM\SOFTWARE\Classes\CLSID\{66A1F9DD-8EE1-E2E9-B128-746F7C312033}\TypeLib@ {09101CA1-D527-11D6-AD30-0050DAD88A02}
Reg HKLM\SOFTWARE\Classes\CLSID\{66A1F9DD-8EE1-E2E9-B128-746F7C312033}\VersionIndependentProgID@ EasyShare.EasyShare_ImageCollection

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 60: copy of MBR

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\Owner\Local Settings\Temp\TDSS6dc8.tmp 122880 bytes executable
File C:\Documents and Settings\Owner\Local Settings\Temp\TDSS6e16.tmp 617472 bytes executable
File C:\WINDOWS\system32\drivers\TDSSpaxt.sys 60416 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\TDSScfub.dll 61440 bytes executable
File C:\WINDOWS\system32\TDSSfpmp.dll 2712 bytes
File C:\WINDOWS\system32\TDSSnrsr.dll 29696 bytes executable
File C:\WINDOWS\system32\TDSSoexh.dll 35840 bytes executable
File C:\WINDOWS\system32\TDSSosvd.dat 441 bytes
File C:\WINDOWS\system32\TDSSriqp.dll 31232 bytes executable
File C:\WINDOWS\system32\TDSStkdv.log 7083 bytes

---- EOF - GMER 1.0.15 ----
mae7
Regular Member
 
Posts: 15
Joined: March 7th, 2009, 12:19 pm
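An added example, not part of this thread or of GMER: a Python parser for the GMER log above that keeps what GMER merely reports as hidden separate from what it explicitly tags as a rootkit, collects the driver image path and the module list registered under the flagged service, and maps `\systemroot\` to `C:\WINDOWS` (an assumption for this example, consistent with the paths in the HJT and DDS logs). In keeping with the warning about false positives in the GMER instructions earlier in the thread, it only assembles a list of artifacts for a helper to review and correlate across logs.

```python
import re
from typing import Dict, Set

# Constructed sample: a subset of the GMER log posted above, with one unrelated
# registry line and one non-flagged file kept in so the parser has things to ignore.
SAMPLE_GMER_LOG = r"""
---- Modules - GMER 1.0.15 ----

Module \systemroot\system32\drivers\TDSSpaxt.sys (*** hidden *** ) AA5FC000-AA60E000 (73728 bytes)

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\TDSSpaxt.sys (*** hidden *** ) [SYSTEM] TDSSserv.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys@imagepath \systemroot\system32\drivers\TDSSpaxt.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@TDSSserv \systemroot\system32\drivers\TDSSpaxt.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdssmain \systemroot\system32\TDSSnrsr.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdssurls \systemroot\system32\TDSSnmxh.log
Reg HKLM\SOFTWARE\Classes\CLSID\{66A1F9DD-8EE1-E2E9-B128-746F7C312033}\InprocServer32@ C:\Program Files\Kodak\Kodak EasyShare software\bin\Escom.dll

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\Owner\Local Settings\Temp\TDSS6dc8.tmp 122880 bytes executable
File C:\WINDOWS\system32\drivers\TDSSpaxt.sys 60416 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\TDSSnrsr.dll 29696 bytes executable
File C:\WINDOWS\system32\TDSSosvd.dat 441 bytes
"""

MODULE_RE = re.compile(r"^Module (\S+) \(\*\*\* hidden \*\*\* \)")
SERVICE_RE = re.compile(r"^Service (\S+) .*\[(\w+)\] (\S+)(?P<flag> <-- ROOTKIT !!!)?$")
REG_IMAGE_RE = re.compile(r"^Reg HKLM\\SYSTEM\\\w+\\Services\\([^\\@ ]+)@imagepath (\S+)$")
REG_MODULE_RE = re.compile(r"^Reg HKLM\\SYSTEM\\\w+\\Services\\([^\\@ ]+)\\modules@\S+ (\S+)$")
FILE_RE = re.compile(r"^File (.+?) (\d+) bytes(?P<exe> executable)?(?P<flag> <-- ROOTKIT !!!)?$")


def normalize(path: str) -> str:
    r"""Lower-case a path and map GMER's \systemroot\ prefix to C:\WINDOWS (assumed for
    this example; the other logs in the thread show that as the Windows directory)."""
    p = path.lower()
    prefix = "\\systemroot\\"
    return "c:\\windows\\" + p[len(prefix):] if p.startswith(prefix) else p


def _service(report: Dict, name: str) -> Dict:
    return report["services"].setdefault(
        name, {"image": None, "modules": [], "hidden": False, "flagged": False})


def parse_gmer(text: str) -> Dict:
    """Collect hidden modules, services (image path, registered modules, tags) and files."""
    report: Dict = {"hidden_modules": [], "services": {}, "files": []}
    for raw in text.splitlines():
        line = raw.strip()
        if (m := MODULE_RE.match(line)):
            report["hidden_modules"].append(m.group(1))
        elif (m := SERVICE_RE.match(line)):
            svc = _service(report, m.group(3))
            svc["image"] = m.group(1)
            svc["hidden"] = "*** hidden ***" in line
            svc["flagged"] = svc["flagged"] or bool(m.group("flag"))
        elif (m := REG_IMAGE_RE.match(line)):
            svc = _service(report, m.group(1))
            svc["image"] = svc["image"] or m.group(2)
        elif (m := REG_MODULE_RE.match(line)):
            _service(report, m.group(1))["modules"].append(m.group(2))
        elif (m := FILE_RE.match(line)):
            report["files"].append({
                "path": m.group(1), "size": int(m.group(2)),
                "executable": bool(m.group("exe")), "flagged": bool(m.group("flag"))})
    return report


def rootkit_artifacts(report: Dict) -> Set[str]:
    """Every on-disk path tied to a service GMER tagged as a rootkit (its driver image and
    the modules registered under it) plus files GMER tagged directly. Entries that are
    only 'hidden' are left out on purpose: those can be false positives and need a
    human to judge them."""
    paths: Set[str] = set()
    for svc in report["services"].values():
        if svc["flagged"]:
            if svc["image"]:
                paths.add(normalize(svc["image"]))
            paths.update(normalize(p) for p in svc["modules"])
    paths.update(normalize(f["path"]) for f in report["files"] if f["flagged"])
    return paths


if __name__ == "__main__":
    rep = parse_gmer(SAMPLE_GMER_LOG)
    print("hidden modules:", rep["hidden_modules"])
    for name, svc in rep["services"].items():
        print(f"service {name}: image={svc['image']} flagged={svc['flagged']} "
              f"modules={len(svc['modules'])}")
    for p in sorted(rootkit_artifacts(rep)):
        print("artifact:", p)
```

The normalized artifact set is what you would compare against a later DDS "Find3M" or GMER file listing to confirm that the driver and every module registered under it are gone after cleanup; on the sample it resolves to three paths because the driver image appears both as the service image and as a registered module.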

Re: Can't run any .exe files, hijacked browser, etc.

Post by jmw3 » March 27th, 2009, 12:27 pm

MRU P2P Policy
IMPORTANT I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

Cabos

I'd like you to read the MRU policy for P2P Programs.
Go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red) & any other P2P programs.
While in Add/Remove Programs also remove the following:
RON Too1 Mxlivemedia
Search Assistant Searchersmart


ATF Cleaner
Download ATF Cleaner here by Atribune.
    Double-click ATF-Cleaner.exe to run the program
    Under Main choose: Select All
    Click the Empty Selected button
If you use Firefox browser
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button
    NOTE: If you would like to keep your saved passwords, please click No at the prompt
If you use Opera browser
    Click Opera at the top and choose: Select All
    Click the Empty Selected button
    NOTE: If you would like to keep your saved passwords, please click No at the prompt
Click Exit on the Main menu to close the program.

Combofix
Download ComboFix from one of these locations:
Link 1
Link 2
Link 3

**IMPORTANT !!! Save ComboFix.exe to your Desktop**

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
    A guide to do this can be found here
  • Double click on ComboFix.exe & follow the prompts
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
Image

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Image

  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply along with a new HijackThis log.
A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


To post in next reply:
Combofix log
New HijackThis log
jmw3
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia

Re: Can't run any .exe files, hijacked browser, etc.

Post by mae7 » March 27th, 2009, 12:55 pm

I uninstalled the programs you told me, and I ran ATF Cleaner.

But I couldn't run ComboFix because I think there's still something wrong with the PC running .exe files. I double-clicked the icon, an hourglass popped up and then disappeared. :shock:
mae7
Regular Member
 
Posts: 15
Joined: March 7th, 2009, 12:19 pm

Re: Can't run any .exe files, hijacked browser, etc.

Post by jmw3 » March 27th, 2009, 1:20 pm

OK... try this

Right click on Combofix.exe & rename it to Commy.pif
See if that makes a difference.
jmw3
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia

Re: Can't run any .exe files, hijacked browser, etc.

Unread postby mae7 » March 27th, 2009, 1:40 pm

That didn't work. :cry:
mae7
Regular Member
 
Posts: 15
Joined: March 7th, 2009, 12:19 pm

Re: Can't run any .exe files, hijacked browser, etc.

Post by jmw3 » March 28th, 2009, 12:01 am

OK... we'll try this:
  • Click on Start >> Run... and then type devmgmt.msc and click OK
  • In the now open Device Manager window click View menu then click on Show hidden devices
  • Navigate to Non-Plug and Play Drivers and click on the plus sign +
  • Locate anything similar to TDSSserv.sys (basically any file starting with TDSS)
  • Highlight that driver and right click on it and select Disable
  • Now Reboot (Restart) your computer.
Delete the copy of Combofix you have then download it again.
Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.
Link 1
Link 2
Link 3

Image


Image
--------------------------------------------------------------------

Double click on Combo-Fix.exe & follow the prompts.
    When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a HijackThis log so we can continue cleaning the system.
jmw3
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia

Re: Can't run any .exe files, hijacked browser, etc.

Post by mae7 » March 28th, 2009, 10:56 am

That worked! :) Thank you!

Here's the ComboFix results:
ComboFix 09-03-26.03 - volcomst0ne56 2009-03-28 7:40:17.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1013.709 [GMT -7:00]
Running from: c:\documents and settings\volcomst0ne56\Desktop\Combo-Fix.exe
* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Solt Lake Software
c:\documents and settings\All Users\Application Data\Solt Lake Software\Pro Antispyware 2009\LOG\20081202184223890.log
c:\documents and settings\All Users\Application Data\Solt Lake Software\Pro Antispyware 2009\LOG\20081204161600468.log
c:\documents and settings\All Users\Application Data\Solt Lake Software\Pro Antispyware 2009\LOG\20081204165725484.log
c:\documents and settings\All Users\Application Data\Solt Lake Software\Pro Antispyware 2009\LOG\20081204184843578.log
c:\documents and settings\All Users\Application Data\Solt Lake Software\Pro Antispyware 2009\LOG\20081206121442218.log
c:\documents and settings\All Users\Application Data\Solt Lake Software\Pro Antispyware 2009\LOG\20081206121702687.log
c:\documents and settings\All Users\Application Data\Solt Lake Software\Pro Antispyware 2009\LOG\20081208173237312.log
c:\documents and settings\All Users\Application Data\Solt Lake Software\Pro Antispyware 2009\LOG\20081209163354062.log
c:\documents and settings\All Users\Application Data\Solt Lake Software\Pro Antispyware 2009\LOG\20081209175310156.log
c:\documents and settings\All Users\Application Data\Solt Lake Software\Pro Antispyware 2009\LOG\20081209180055578.log
c:\documents and settings\All Users\Application Data\Solt Lake Software\Pro Antispyware 2009\LOG\20081210095858343.log
c:\documents and settings\All Users\Application Data\Solt Lake Software\Pro Antispyware 2009\LOG\20081210162915218.log
c:\documents and settings\All Users\Application Data\Solt Lake Software\Pro Antispyware 2009\LOG\20081210215710140.log
c:\documents and settings\All Users\Application Data\Solt Lake Software\Pro Antispyware 2009\LOG\20081211230118093.log
c:\documents and settings\All Users\Application Data\Solt Lake Software\Pro Antispyware 2009\LOG\20081213224747375.log
c:\documents and settings\All Users\Application Data\Solt Lake Software\Pro Antispyware 2009\LOG\20090106172239687.log
c:\documents and settings\All Users\Application Data\Solt Lake Software\Pro Antispyware 2009\LOG\20090107170910359.log
c:\documents and settings\All Users\Application Data\Solt Lake Software\Pro Antispyware 2009\LOG\20090108164704328.log
c:\documents and settings\All Users\Application Data\Solt Lake Software\Pro Antispyware 2009\LOG\20090109230506765.log
c:\documents and settings\All Users\Application Data\Solt Lake Software\Pro Antispyware 2009\LOG\20090109231212625.log
c:\documents and settings\All Users\Application Data\Solt Lake Software\Pro Antispyware 2009\LOG\20090112170141500.log
c:\documents and settings\All Users\Application Data\Solt Lake Software\Pro Antispyware 2009\LOG\20090113171431555.log
c:\documents and settings\All Users\Application Data\Solt Lake Software\Pro Antispyware 2009\LOG\20090114173417500.log
c:\documents and settings\All Users\Application Data\Solt Lake Software\Pro Antispyware 2009\LOG\20090115153836359.log
c:\documents and settings\All Users\Application Data\Solt Lake Software\Pro Antispyware 2009\LOG\20090118220337187.log
c:\documents and settings\All Users\Application Data\Solt Lake Software\Pro Antispyware 2009\LOG\20090120173902750.log
c:\documents and settings\All Users\Application Data\Solt Lake Software\Pro Antispyware 2009\LOG\20090121173659375.log
c:\documents and settings\All Users\Application Data\Solt Lake Software\Pro Antispyware 2009\LOG\20090125120939453.log
c:\documents and settings\All Users\Application Data\Solt Lake Software\Pro Antispyware 2009\LOG\20090126124810828.log
c:\documents and settings\All Users\Application Data\Solt Lake Software\Pro Antispyware 2009\LOG\20090130203813562.log
c:\documents and settings\All Users\Application Data\Solt Lake Software\Pro Antispyware 2009\LOG\20090202164654562.log
c:\documents and settings\All Users\Application Data\Solt Lake Software\Pro Antispyware 2009\LOG\20090204081607751.log
c:\documents and settings\All Users\Application Data\Solt Lake Software\Pro Antispyware 2009\LOG\20090204164308421.log
c:\documents and settings\All Users\Application Data\Solt Lake Software\Pro Antispyware 2009\LOG\20090207080708984.log
c:\documents and settings\All Users\Application Data\Solt Lake Software\Pro Antispyware 2009\LOG\20090207101720750.log
c:\documents and settings\All Users\Application Data\Solt Lake Software\Pro Antispyware 2009\LOG\20090209170229156.log
c:\documents and settings\All Users\Application Data\Solt Lake Software\Pro Antispyware 2009\LOG\20090211170232562.log
c:\documents and settings\All Users\Application Data\Solt Lake Software\Pro Antispyware 2009\LOG\20090213124729328.log
c:\documents and settings\All Users\Application Data\Solt Lake Software\Pro Antispyware 2009\LOG\20090218154754343.log
c:\documents and settings\All Users\Application Data\Solt Lake Software\Pro Antispyware 2009\LOG\20090219172408453.log
c:\documents and settings\All Users\Application Data\Solt Lake Software\Pro Antispyware 2009\LOG\20090224182929031.log
c:\documents and settings\All Users\Application Data\Solt Lake Software\Pro Antispyware 2009\LOG\20090305212232453.log
c:\documents and settings\All Users\Application Data\Solt Lake Software\Pro Antispyware 2009\LOG\20090306144841765.log
c:\documents and settings\All Users\Application Data\Solt Lake Software\Pro Antispyware 2009\LOG\20090306193429890.log
c:\documents and settings\All Users\Application Data\Solt Lake Software\Pro Antispyware 2009\LOG\20090311154532656.log
c:\documents and settings\All Users\Application Data\Solt Lake Software\Pro Antispyware 2009\LOG\20090312155819062.log
c:\documents and settings\All Users\Application Data\Solt Lake Software\Pro Antispyware 2009\LOG\20090318151914562.log
c:\documents and settings\All Users\Application Data\Solt Lake Software\Pro Antispyware 2009\LOG\20090318152057500.log
c:\documents and settings\All Users\Application Data\Solt Lake Software\Pro Antispyware 2009\proas2009.exe
c:\documents and settings\Owner\Application Data\Google\dfxvideo.dll
c:\documents and settings\Owner\Application Data\Google\ggqjh22510678.exe
c:\documents and settings\Owner\Application Data\Google\T-Scan
c:\documents and settings\Owner\Application Data\Google\T-Scan\n.gif
c:\documents and settings\Owner\Application Data\Google\T-Scan\t.gif
c:\documents and settings\Owner\Application Data\Google\T-Scan\y.gif
c:\program files\Common\helper.sig
c:\windows\system32\drivers\svchost.exe
c:\windows\system32\Drivers\TDSSpaxt.sys
c:\windows\system32\TDSScfub.dll
c:\windows\system32\TDSSnrsr.dll
c:\windows\system32\TDSSoexh.dll
c:\windows\system32\TDSSosvd.dat
c:\windows\system32\TDSSriqp.dll
c:\windows\system32\TDSStkdv.log
c:\windows\system32\winsrc.dll
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV.SYS
-------\Service_TDSSserv.sys


((((((((((((((((((((((((( Files Created from 2009-02-28 to 2009-03-28 )))))))))))))))))))))))))))))))
.

2009-03-24 08:45 . 2009-03-24 08:45 <DIR> d-------- c:\program files\Trend Micro
2009-03-22 12:23 . 1999-05-07 13:24 414,944 --------- c:\windows\system32\COMCT332.OCX
2009-03-22 12:23 . 1998-11-10 10:46 328,480 --------- c:\windows\system32\ssa3d30.ocx
2009-03-22 12:23 . 1998-09-24 12:03 171,967 --a------ c:\windows\system32\Odbcjet.hlp
2009-03-22 12:23 . 2000-10-11 16:02 167,936 --------- c:\windows\system32\RcdScan.dll
2009-03-22 12:23 . 2000-05-08 20:50 29,344 --------- c:\windows\system32\drivers\cmosa.sys
2009-03-22 12:23 . 1998-09-24 12:03 7,348 --a------ c:\windows\system32\Odbcjet.cnt
2009-03-22 12:18 . 2009-03-22 12:18 <DIR> d----c--- C:\SavedPetz
2009-03-22 11:46 . 2009-03-22 11:46 0 --ah----- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-03-22 11:46 . 2009-03-22 11:46 0 --ah----- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2009-03-22 11:45 . 2009-03-22 12:14 <DIR> d----c--- c:\windows\system32\DRVSTORE
2009-03-22 11:45 . 2007-08-31 12:13 1,421,736 --a------ c:\windows\system32\wdfcoinstaller01005.dll
2009-03-22 11:45 . 2008-04-13 17:11 21,504 --a------ c:\windows\system32\drivers\hidserv.dll
2009-03-22 11:45 . 2007-08-31 12:15 18,856 --a------ c:\windows\system32\drivers\nuidfltr.sys
2009-03-21 14:27 . 2004-08-27 02:54 <DIR> d-------- c:\documents and settings\Test\WINDOWS
2009-03-21 14:27 . 2005-10-21 17:37 <DIR> d-------- c:\documents and settings\Test\Application Data\You've Got Pictures Screensaver
2009-03-21 14:27 . 2005-10-21 17:38 <DIR> d-------- c:\documents and settings\Test\Application Data\SampleView
2009-03-21 14:27 . 2009-03-21 14:27 <DIR> d-------- c:\documents and settings\Test
2009-03-17 19:41 . 2009-03-17 19:41 <DIR> d-------- c:\program files\AIM Music Link
2009-03-17 08:24 . 2009-03-17 08:24 <DIR> d-------- c:\documents and settings\volcomst0ne56\Application Data\AdobeUM
2009-03-15 13:49 . 2009-03-15 13:49 <DIR> d-------- c:\documents and settings\volcomst0ne56\Application Data\acccore
2009-03-15 13:49 . 2009-03-15 13:49 21 --a------ c:\windows\atid.ini
2009-03-15 13:31 . 2009-03-15 13:31 <DIR> d-------- c:\program files\Common Files\Software Update Utility
2009-03-15 13:26 . 2009-03-15 13:26 <DIR> d-------- c:\documents and settings\All Users\Application Data\acccore
2009-03-15 13:25 . 2009-03-15 13:49 <DIR> d-------- c:\program files\AIM6
2009-03-15 13:25 . 2009-03-15 13:25 <DIR> d-------- c:\documents and settings\All Users\Application Data\AOL OCP
2009-03-15 13:25 . 2009-03-19 20:01 1,430 --ah-c--- C:\IPH.PH
2009-03-15 13:03 . 2009-03-15 13:03 <DIR> d-------- c:\program files\Common Files\Adobe AIR

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-28 14:40 --------- d-----w c:\program files\Common
2009-03-22 19:23 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-22 19:18 --------- d-----w c:\program files\Sierra
2009-03-22 19:18 --------- d-----w c:\program files\Google
2009-03-22 19:17 --------- d-----w c:\program files\Encore
2009-03-22 19:13 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-03-22 19:13 --------- d-----w c:\documents and settings\All Users\Application Data\Napster
2009-03-18 23:22 --------- d-----w c:\program files\Lx_cats
2009-03-15 20:25 --------- d-----w c:\program files\Common Files\AOL
2009-03-15 20:25 --------- d-----w c:\documents and settings\All Users\Application Data\AOL
2009-03-15 17:41 --------- d-----w c:\program files\Microsoft Money 2005
2009-02-13 21:32 10,696 ----a-w c:\documents and settings\Owner\Application Data\wklnhst.dat
2009-02-11 19:20 --------- d-----w c:\documents and settings\lsaludares\Application Data\AdobeUM
2008-09-09 08:24 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008090920080910\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-21 50472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-04-25 77824]
"Persistence"="c:\windows\system32\igfxpers.exe" [2005-04-25 114688]
"LXCGCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll" [2005-07-20 73728]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-03-26 155648]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare Software\\bin\\EasyShare.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=

R1 cmosa;cmosa;c:\windows\system32\drivers\cmosa.sys [2009-03-22 29344]
R2 ZipMagic Task Manager;ZipMagic Task Manager;c:\progra~1\Allume\ZipMagic\MXTask.exe -Service --> c:\progra~1\Allume\ZipMagic\MXTask.exe -Service [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7f1c61b5-4474-11da-a9dd-806d6172696f}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.gateway.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-28 07:46:29
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCGCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\windows\system32\wdfmgr.exe
c:\progra~1\Allume\ZipMagic\MXTask.exe
c:\progra~1\Allume\ZipMagic\MXTask.exe
c:\windows\system32\wscntfy.exe
c:\program files\AIM6\aolsoftware.exe
.
**************************************************************************
.
Completion time: 2009-03-28 7:48:30 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-28 14:48:27

Pre-Run: 224,414,367,744 bytes free
Post-Run: 225,025,630,208 bytes free

193 --- E O F --- 2009-03-20 04:09:57



New HJT Log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:54:16 AM, on 3/28/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\PROGRA~1\Allume\ZipMagic\MXTask.exe
C:\PROGRA~1\Allume\ZipMagic\mxtask.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [LXCGCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD44/JSCDL ... 586-jc.cab
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: lxcg_device - - C:\WINDOWS\system32\lxcgcoms.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: ZipMagic Task Manager - Allume Systems, Inc. - C:\PROGRA~1\Allume\ZipMagic\MXTask.exe

--
End of file - 4710 bytes
mae7
Regular Member
 
Posts: 15
Joined: March 7th, 2009, 12:19 pm

Re: Can't run any .exe files, hijacked browser, etc.

Unread postby jmw3 » March 28th, 2009, 12:12 pm

Hi
Looking better

No Anti-virus
Looking over your log, it seems you don't have any evidence of anti-virus software.
Anti-virus software consists of programs that detect, cleanse, and erase harmful virus files on a computer, Web server, or network. Unchecked, virus files can unintentionally be forwarded to others, including trading partners, thereby spreading infection. Because new viruses regularly emerge, anti-virus software should be updated frequently. Anti-virus software can scan the computer memory and disk drives for malicious code. They can alert the user if a virus is present, and will clean, delete (or quarantine) infected files or directories. Download free anti-virus software from one of these excellent vendors NOW:

1) Antivir PersonalEdition Classic - Free anti-virus software for Windows. Detects and removes more than 50,000 viruses. Free support.
2) avast! 4 Home Edition - Anti-virus program for Windows. The home edition is freeware for noncommercial users.
3) AVG Anti-Virus Free Edition - Free edition of the AVG anti-virus program for Windows.

Your computer must have only ONE anti-virus program installed at any time. Having more than one anti-virus program installed & active will cause program conflicts, false virus alerts, and system crashes.

Fix HiJackThis Entries
  • Open HiJackThis
  • Click on Do a system scan only
  • Place a checkmark next to these lines(if still present):
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)


  • Close all windows except Hijackthis and click Fix Checked
  • Click Yes when prompted
  • Close HijackThis.
CFScript
Close any open browsers.
Open notepad and copy/paste the text in the code box below into it:

Rootkit::
C:\WINDOWS\system32\TDSSfpmp.dll

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LXCGCATS"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7f1c61b5-4474-11da-a9dd-806d6172696f}]
[-HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys]
[-HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys]
[-HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata]

Save this as CFScript.txt, in the same location as ComboFix.exe

Image

Referring to the picture above, drag CFScript into ComboFix.exe
When finished, it shall produce a log for you at "C:\ComboFix.txt"
Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall
A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


Malwarebytes' Anti-Malware
Download Malwarebytes' Anti-Malware here and save to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to:
    Update Malwarebytes' Anti-Malware
    Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log back into your next reply.
    Note:
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
  • Or via the Logs tab when Malwarebytes' Anti-Malware is started.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so. Failure to reboot will prevent MBAM from removing all the malware.
If you receive an (Error Loading) error on reboot, please reboot a second time. It is normal for this error to occur once and it does not need to be reported unless it returns on future reboots.


I'd also like to see a new Gmer log so run Gmer again please.

To post in next reply:
Combofix log
Malwarebytes log
New Gmer log
New HijackThis log
Let me know how the computer is running
jmw3
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia
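The helper's triage above rests on three things a reader can check by eye in the logs: HijackThis entries whose target ends in "(no file)" (the O2/O3 lines jmw3 asks to fix), file names with the TDSS prefix that ComboFix deleted and that the Device Manager step targets, and a Windows system binary sitting in the wrong directory (the c:\windows\system32\drivers\svchost.exe ComboFix removed). The script below is an added example, not code from the forum, jmw3, ComboFix or HijackThis, that applies those three checks to raw log lines. The heuristics and the SYSTEM_BINARY_HOME table are this example's own assumptions; the sample lines are a constructed list copied from the logs posted in this thread.

```python
import re
from dataclasses import dataclass

# Directory where the genuine Windows XP copy of each binary lives.
# Assumption of this example: any copy elsewhere is worth a second look.
SYSTEM_BINARY_HOME = {
    "svchost.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
}

# A Windows path ending in a common binary/data extension. Non-greedy so
# "jre1.6.0_07" does not get cut at the first dot; the lookahead stops the
# match at whitespace, a closing quote or a comma (rundll32 "dll,entry" form).
WIN_PATH = re.compile(
    r'[a-zA-Z]:\\.+?\.(?:exe|dll|sys|dat|log|ocx)(?=[\s",]|$)', re.IGNORECASE
)

# File names of the form TDSSxxxx.sys/.dll/.dat/.log, as seen in the
# ComboFix deletions above; the lookbehind avoids matching inside a longer word.
TDSS_ARTIFACT = re.compile(r"(?i)(?<![a-z0-9])tdss[a-z0-9]*\.(?:sys|dll|dat|log)")


@dataclass
class Finding:
    line: str
    reason: str


def scan_lines(lines):
    """Return one Finding per log line that trips a heuristic (first match wins)."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        # 1. HijackThis hook/toolbar whose file is gone: dead entry, safe to fix.
        if line.endswith("(no file)"):
            findings.append(Finding(line, "orphaned entry: target file no longer exists"))
            continue
        # 2. TDSS-prefixed driver/DLL/data file name.
        if TDSS_ARTIFACT.search(line):
            findings.append(Finding(line, "TDSS-style file name"))
            continue
        # 3. System binary name in a directory other than its real home.
        for path in WIN_PATH.findall(line):
            directory, _, name = path.rpartition("\\")
            expected = SYSTEM_BINARY_HOME.get(name.lower())
            if expected and directory.lower() != expected:
                findings.append(Finding(line, f"{name} outside {expected}"))
                break
    return findings


# Constructed sample: lines copied from the HijackThis and ComboFix logs in this thread.
SAMPLE_LINES = [
    r"O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)",
    r"O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)",
    r"O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll",
    r"O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe",
    r"c:\windows\system32\Drivers\TDSSpaxt.sys",
    r"c:\windows\system32\TDSScfub.dll",
    r"-------\Service_TDSSserv.sys",
    r"c:\windows\system32\drivers\svchost.exe",
    r"C:\WINDOWS\system32\svchost.exe",
]

if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LINES):
        print(f"{f.reason:45} | {f.line}")
```

On the sample list the script flags the two "(no file)" entries, the three TDSS names and the misplaced svchost.exe, and leaves the genuine ssv.dll, hkcmd.exe and system32\svchost.exe lines alone. Feed it a whole saved log with `scan_lines(open(path).read().splitlines())`; it only reads text, so it is safe to run on a copy of the log from a clean machine.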

Re: Can't run any .exe files, hijacked browser, etc.

Unread postby mae7 » March 28th, 2009, 2:24 pm

Things are looking better! I can use the other Windows accounts without them freezing up at the start. :) I can run other .exe files. :) I also installed Avast Antivirus and fixed the things on HJT you told me to.

Here are my new logs:

ComboFix
ComboFix 09-03-26.03 - volcomst0ne56 2009-03-28 9:43:40.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1013.709 [GMT -7:00]
Running from: c:\documents and settings\volcomst0ne56\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\volcomst0ne56\Desktop\CFScript.txt
* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Test\Local Settings\Temporary Internet Files\
c:\windows\system32\TDSSfpmp.dll

.
((((((((((((((((((((((((( Files Created from 2009-02-28 to 2009-03-28 )))))))))))))))))))))))))))))))
.

2009-03-24 08:45 . 2009-03-24 08:45 <DIR> d-------- c:\program files\Trend Micro
2009-03-22 12:23 . 1999-05-07 13:24 414,944 --------- c:\windows\system32\COMCT332.OCX
2009-03-22 12:23 . 1998-11-10 10:46 328,480 --------- c:\windows\system32\ssa3d30.ocx
2009-03-22 12:23 . 1998-09-24 12:03 171,967 --a------ c:\windows\system32\Odbcjet.hlp
2009-03-22 12:23 . 2000-10-11 16:02 167,936 --------- c:\windows\system32\RcdScan.dll
2009-03-22 12:23 . 2000-05-08 20:50 29,344 --------- c:\windows\system32\drivers\cmosa.sys
2009-03-22 12:23 . 1998-09-24 12:03 7,348 --a------ c:\windows\system32\Odbcjet.cnt
2009-03-22 12:18 . 2009-03-22 12:18 <DIR> d----c--- C:\SavedPetz
2009-03-22 11:46 . 2009-03-22 11:46 0 --ah----- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-03-22 11:46 . 2009-03-22 11:46 0 --ah----- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2009-03-22 11:45 . 2009-03-22 12:14 <DIR> d----c--- c:\windows\system32\DRVSTORE
2009-03-22 11:45 . 2007-08-31 12:13 1,421,736 --a------ c:\windows\system32\wdfcoinstaller01005.dll
2009-03-22 11:45 . 2008-04-13 17:11 21,504 --a------ c:\windows\system32\drivers\hidserv.dll
2009-03-22 11:45 . 2007-08-31 12:15 18,856 --a------ c:\windows\system32\drivers\nuidfltr.sys
2009-03-17 19:41 . 2009-03-17 19:41 <DIR> d-------- c:\program files\AIM Music Link
2009-03-17 08:24 . 2009-03-17 08:24 <DIR> d-------- c:\documents and settings\volcomst0ne56\Application Data\AdobeUM
2009-03-15 13:49 . 2009-03-15 13:49 <DIR> d-------- c:\documents and settings\volcomst0ne56\Application Data\acccore
2009-03-15 13:49 . 2009-03-15 13:49 21 --a------ c:\windows\atid.ini
2009-03-15 13:31 . 2009-03-15 13:31 <DIR> d-------- c:\program files\Common Files\Software Update Utility
2009-03-15 13:26 . 2009-03-15 13:26 <DIR> d-------- c:\documents and settings\All Users\Application Data\acccore
2009-03-15 13:25 . 2009-03-15 13:49 <DIR> d-------- c:\program files\AIM6
2009-03-15 13:25 . 2009-03-15 13:25 <DIR> d-------- c:\documents and settings\All Users\Application Data\AOL OCP
2009-03-15 13:25 . 2009-03-19 20:01 1,430 --ah-c--- C:\IPH.PH
2009-03-15 13:03 . 2009-03-15 13:03 <DIR> d-------- c:\program files\Common Files\Adobe AIR

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-28 14:40 --------- d-----w c:\program files\Common
2009-03-22 19:23 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-22 19:18 --------- d-----w c:\program files\Sierra
2009-03-22 19:18 --------- d-----w c:\program files\Google
2009-03-22 19:17 --------- d-----w c:\program files\Encore
2009-03-22 19:13 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-03-22 19:13 --------- d-----w c:\documents and settings\All Users\Application Data\Napster
2009-03-18 23:22 --------- d-----w c:\program files\Lx_cats
2009-03-15 20:25 --------- d-----w c:\program files\Common Files\AOL
2009-03-15 20:25 --------- d-----w c:\documents and settings\All Users\Application Data\AOL
2009-03-15 17:41 --------- d-----w c:\program files\Microsoft Money 2005
2009-02-13 21:32 10,696 ----a-w c:\documents and settings\Owner\Application Data\wklnhst.dat
2009-02-11 19:20 --------- d-----w c:\documents and settings\lsaludares\Application Data\AdobeUM
2008-09-09 08:24 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008090920080910\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-21 50472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-04-25 77824]
"Persistence"="c:\windows\system32\igfxpers.exe" [2005-04-25 114688]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-03-26 155648]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare Software\\bin\\EasyShare.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=

R1 cmosa;cmosa;c:\windows\system32\drivers\cmosa.sys [2009-03-22 29344]
R2 ZipMagic Task Manager;ZipMagic Task Manager;c:\progra~1\Allume\ZipMagic\MXTask.exe -Service --> c:\progra~1\Allume\ZipMagic\MXTask.exe -Service [?]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.gateway.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-28 09:46:30
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\windows\system32\wdfmgr.exe
c:\progra~1\Allume\ZipMagic\MXTask.exe
c:\progra~1\Allume\ZipMagic\MXTask.exe
c:\windows\system32\wscntfy.exe
c:\program files\AIM6\aolsoftware.exe
.
**************************************************************************
.
Completion time: 2009-03-28 9:48:41 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-28 16:48:38
ComboFix2.txt 2009-03-28 14:48:31

Pre-Run: 225,017,831,424 bytes free
Post-Run: 225,011,097,600 bytes free

117 --- E O F --- 2009-03-20 04:09:57


HJT
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:36:56 AM, on 3/28/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\PROGRA~1\Allume\ZipMagic\MXTask.exe
C:\PROGRA~1\Allume\ZipMagic\mxtask.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD44/JSCDL ... 586-jc.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: lxcg_device - - C:\WINDOWS\system32\lxcgcoms.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: ZipMagic Task Manager - Allume Systems, Inc. - C:\PROGRA~1\Allume\ZipMagic\MXTask.exe

--
End of file - 5216 bytes


GMER
GMER 1.0.15.14957 - http://www.gmer.net
Rootkit scan 2009-03-28 11:19:16
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xA9D276B8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xA9D27574]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xA9D27A52]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xA9D2714C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xA9D2764E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xA9D2708C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xA9D270F0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xA9D2776E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xA9D2772E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xA9D278AE]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs zmxpzip.sys (ZipFolders File System Filter Driver/Allume Systems)
AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \FileSystem\Fastfat \Fat zmxpzip.sys (ZipFolders File System Filter Driver/Allume Systems)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Classes\CLSID\{66A1F9DD-8EE1-E2E9-B128-746F7C312033}\InprocServer32@ C:\Program Files\Kodak\Kodak EasyShare software\bin\Escom.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{66A1F9DD-8EE1-E2E9-B128-746F7C312033}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{66A1F9DD-8EE1-E2E9-B128-746F7C312033}\ProgID@ EasyShare.EasyShare_ImageCollection.1
Reg HKLM\SOFTWARE\Classes\CLSID\{66A1F9DD-8EE1-E2E9-B128-746F7C312033}\TypeLib@ {09101CA1-D527-11D6-AD30-0050DAD88A02}
Reg HKLM\SOFTWARE\Classes\CLSID\{66A1F9DD-8EE1-E2E9-B128-746F7C312033}\VersionIndependentProgID@ EasyShare.EasyShare_ImageCollection

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 60: copy of MBR

---- EOF - GMER 1.0.15 ----



MBAM
Malwarebytes' Anti-Malware 1.35
Database version: 1904
Windows 5.1.2600 Service Pack 3

3/28/2009 10:33:18 AM
mbam-log-2009-03-28 (10-33-18).txt

Scan type: Full Scan (C:\|)
Objects scanned: 143921
Time elapsed: 25 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 14

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\html.html (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\html.html.1 (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\Google\dfxvideo.dll.vir (Trojan.FakeAlert) -> Delete on reboot.
C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\Google\ggqjh22510678.exe.vir (Trojan.FakeAlert) -> Delete on reboot.
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSScfub.dll.vir (Trojan.TDSS) -> Delete on reboot.
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSnrsr.dll.vir (Trojan.TDSS) -> Delete on reboot.
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSoexh.dll.vir (Trojan.TDSS) -> Delete on reboot.
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSriqp.dll.vir (Trojan.TDSS) -> Delete on reboot.
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\TDSSpaxt.sys.vir (Trojan.TDSS) -> Delete on reboot.
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP34\A0007651.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP34\A0007652.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP34\A0007653.sys (Trojan.TDSS) -> Delete on reboot.
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP34\A0007655.dll (Trojan.TDSS) -> Delete on reboot.
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP34\A0007656.dll (Trojan.TDSS) -> Delete on reboot.
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP34\A0007657.dll (Trojan.TDSS) -> Delete on reboot.
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP34\A0007654.dll (Trojan.TDSS) -> Delete on reboot.
mae7
Regular Member
 
Posts: 15
Joined: March 7th, 2009, 12:19 pm

Re: Can't run any .exe files, hijacked browser, etc.

Unread postby jmw3 » March 28th, 2009, 6:44 pm

Hi

mae7 wrote: Things are looking better! I can use the other Windows accounts without them freezing up at the start. :) I can run other .exe files. :) I also installed Avast Antivirus and fixed the things on HJT you told me to.
:thumbright:

Update Adobe Reader
Recently there have been vulnerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version: Adobe Reader 9.1
You can download it from http://www.adobe.com/products/acrobat/readstep2.html
If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed Uncheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

Adobe 9 is a large program and if you prefer a smaller program you can get Foxit 3 instead from http://www.foxitsoftware.com/pdf/rd_intro.php

Update Java Runtime
You are using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version. For this reason, it's extremely important that you keep the program up to date, & also remove the older more vulnerable versions from your system. The most current version of Sun Java is: Java Runtime Environment Version 6 Update 13.
  • Download the latest version of Java Runtime Environment (JRE) 6 Here
  • Scroll down to where it says "Java SE Runtime Environment (JRE) 6 Update 13. The Java SE Runtime Environment (JRE) allows end-users to run Java applications."
  • Click the Download button to the right
  • Select the Windows platform from the dropdown menu
  • Read the License Agreement and then check the box that says: "I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement". Click on Continue. The page will refresh
  • Click on the link to download Windows Offline Installation & save the file to your desktop
  • Close any programs you may have running - especially your web browser
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs & remove all older versions of Java
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java(TM) 6) in the name
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version
  • Reboot your computer once all Java components are removed
  • Then from your desktop double-click on jre-6u13-windows-i586-p.exe to install the newest version
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
        Applications and Applets
        Trace and Log Files
    • Click OK on Delete Temporary Files Window
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE
    • Click OK to leave the Temporary Files Window
    • Click OK to leave the Java Control Panel
Kaspersky Online Scan
Do an online scan with Kaspersky Online Scanner
  • Read through the requirements and privacy statement and click on Accept button
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run
  • When the downloads have finished, click on Settings
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  • Click on My Computer under Scan
  • Once the scan is complete, it will display the results. Click on View Scan Report
  • You will see a list of infected items there. Click on Save Report As...
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button
  • Please post this log in your next reply
This scan is extremely thorough. It takes a while to update & scan so please be patient with it.
jmw3
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia

Re: Can't run any .exe files, hijacked browser, etc.

Unread postby mae7 » March 28th, 2009, 8:50 pm

Hi! :D I mentioned before this is my cousin's computer, and I have to return it to her today so I won't be able to post any more replies from here on. I know that we're not completely done yet, but I won't have access to this computer anymore.

But I will run the Kaspersky Online Scanner now, as well as update my Adobe Reader and Java.

If I haven't said thank you before...... THANK YOU!!!!!!!!!!!!!!! :cheers: (actually I'm speaking on my cousin's behalf)

But yes, your help is truly appreciated and thank you very much! :)
mae7
Regular Member
 
Posts: 15
Joined: March 7th, 2009, 12:19 pm

Re: Can't run any .exe files, hijacked browser, etc.

Unread postby jmw3 » March 28th, 2009, 9:22 pm

mae7 wrote: If I haven't said thank you before...... THANK YOU!!!!!!!!!!!!!!!
No problem at all :)
mae7 wrote: I mentioned before this is my cousin's computer, and I have to return it to her today so I won't be able to post any more replies from here on. I know that we're not completely done yet, but I won't have access to this computer anymore.
Ok... no worries, but I would ask you to remove the tools we've been using; they are not suitable for general malware removal and could cause damage if used inappropriately.

Remove Combofix
The following will implement some cleanup procedures as well as reset System Restore points:
Click Start > Run and copy/paste the following bolded text into the Run box and click OK:
ComboFix /u
OTCleanIt
Download OTCleanIt here & save it to your desktop.
Double click on OTCleanIt.exe. Click on CleanUp!.
You will receive a prompt that it needs to restart the computer to remove the files. Click Yes.
It will restart your computer automatically. If it doesn't, please restart your computer manually.
You can delete DDS.scr from your desktop.

Also, here are some tips to help keep the computer safe in the future... if you get the chance.

Microsoft Windows Update
Microsoft releases patches for Windows and Office products regularly to patch up Windows and Office products loopholes and fix any bugs found. Install the updates immediately if they are found.
To update Windows
Go to Start > All Programs > Windows Update
To update Office
Open up any Office program.
Go to Help > Check for Updates

Malwarebytes' Anti-Malware
Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is totally free but for real-time protection you will have to pay a small one-time fee.
You can find a tutorial here.

SpywareBlaster
Download and install Javacools SpywareBlaster from here
SpywareBlaster adds a list of ActiveX controls, tracking cookies and sites which will be blocked in either Internet Explorer or Firefox browsers. You need to manually check for updates regularly.

Download and Install a HOSTS File
A HOSTS file is a big list of bad web sites. The list has a specific format, a specific name, (name is just HOSTS with no file extension), and a specific location. Your machine always looks at that file in that location before connecting to a web site to verify the address. So the HOSTS listing can be used to "short circuit" a request to a bad website by giving it the address of your own machine.

Download BlueTack's HOSTS Manager here, using Internet Explorer (Firefox won't work):
  • A short distance down the page in the centre, click on the Download button
  • Agree to the license
  • On the next page, to the right side of where it says Download Estimates, right click on the underlined word Hosts Manager choose Save Target As and download the installer Hosts20setup.exe to your desktop
  • Double click the Installer on your desktop and let it Install the Hosts Manager
  • After the installation is complete, click on the Hosts Manager icon on your desktop. (You can delete the other Hosts Switch icon from your desktop)
  • When the Hosts Manager comes up, click the small down arrows on the right side of the bar labeled Options and Tools,
  • Click Disable DNS Service. This is important
  • In the Left Pane, click Download
  • It will load 80,000 lines or more. When it finishes, also in the left pane, click Replace, and then click Save
You can use this manager to handle your HOSTS file download, edits, and most any other HOSTS issue.
If you have a separate party firewall or Winpatrol, you may have to give permissions at various times to Unlock the present default HOSTS file and install the new one.

Install WinPatrol
Download it here
You can find information about how WinPatrol works here

Read some information here on how to prevent Malware.

Hopefully these steps will help keep your cousin's computer clean.

Stand Up and Be Counted ---> Malware Complaints <--- where you can make a difference!
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

If there are any other questions then feel free to ask or in future do not hesitate to contact us here at The Malware Removal Forums
jmw3
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia
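The HOSTS file mechanism described in the post above (a name resolved to the local machine before any DNS lookup happens) cuts both ways: the same file that a blocklist uses to sinkhole bad sites is also a place a browser hijack can point legitimate sites somewhere else. The following is an added example, not code from the thread or from BlueTack's Hosts Manager, that parses HOSTS-format text and separates blocklist-style sinkhole entries from hijack-style redirects. The sample HOSTS content, the `203.0.113.7` address and the `.test` domain names are constructed for illustration; the Windows path is the standard default location.

```python
"""Audit a Windows-style HOSTS file.

A HOSTS line is "<ip-address> <name> [<name> ...]"; '#' starts a comment.
Names mapped to the local machine (127.0.0.1, 0.0.0.0, ::1) are blocklist
sinkholes; names mapped to any other address are redirects, which is what a
HOSTS-based browser hijack looks like and deserves a closer look.
"""
import ipaddress
import sys
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Addresses that send a name back to the local machine ("short circuit").
LOCAL_SINKS = {"127.0.0.1", "0.0.0.0", "::1"}

# Default location of the HOSTS file on Windows (no file extension).
WINDOWS_HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"

# Constructed sample content (hypothetical, not taken from the thread).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0         ads.example-tracker.test   # blocklist-style entry
127.0.0.1       malware-site.test
0.0.0.0         tracker1.test tracker2.test
this is not a valid entry
203.0.113.7     www.google.com             # hijack-style: real site sent elsewhere
203.0.113.7     windowsupdate.microsoft.com
"""


@dataclass
class HostsEntry:
    line_no: int
    address: str
    names: List[str]


def parse_hosts(text: str) -> List[HostsEntry]:
    """Parse HOSTS-format text; comment-only, blank and malformed lines are skipped."""
    entries: List[HostsEntry] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comment
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ipaddress.ip_address(parts[0])  # first token must be an IP address
        except ValueError:
            continue
        entries.append(HostsEntry(line_no, parts[0], parts[1:]))
    return entries


def audit(text: str) -> Dict[str, list]:
    """Return sinkholed names (blocklist style) and (name, address) redirects.

    The plain "localhost" mapping is expected and is not reported.
    """
    sinkholed: List[str] = []
    redirected: List[Tuple[str, str]] = []
    for entry in parse_hosts(text):
        for name in entry.names:
            if entry.address in LOCAL_SINKS:
                if name.lower() != "localhost":
                    sinkholed.append(name)
            else:
                redirected.append((name, entry.address))
    return {"sinkholed": sinkholed, "redirected": redirected}


if __name__ == "__main__":
    # Usage: python hosts_audit.py [path-to-hosts]; defaults to the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            content = fh.read()
    else:
        content = SAMPLE_HOSTS
    result = audit(content)
    print(f"{len(result['sinkholed'])} sinkholed name(s)")
    for name, addr in result["redirected"]:
        print(f"REDIRECT: {name} -> {addr}  (review: not a local sinkhole)")
```

Run it against `C:\Windows\System32\drivers\etc\hosts` on the machine being checked; a large number of sinkholed names is what a BlueTack-style blocklist produces, while any redirect of a search engine, update or security vendor domain to a remote address is the pattern to investigate.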

Re: Can't run any .exe files, hijacked browser, etc.

Unread postby NonSuch » March 30th, 2009, 7:44 pm

As this issue appears to be resolved, this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.
NonSuch
Administrator
 
Posts: 28747
Joined: February 23rd, 2005, 7:08 am
Location: California