gerbil (Nearly a Senior Poster)
Join Date: May 2005
Posts: 3,204
Solved Threads: 188

Re: After Malware, IE and FF won't run

Sep 7th, 2008
System32 is larrrgge.. no-one will take the time to visually vet those files for you. If you are concerned about some [it is full of weird filenames, until you know what the file does...] I will give you a good online scan which has a whitelist.
Oh, please post that MBAM log.
Meantime, you have picked up a fresh infection, and some of the previous are still there. Let's try to deal with them...
==Disable TeaTimer:
Open Spybot, click Mode, select Advanced Mode, click Yes in the new window, then click on Tools in the bottom left-hand corner.
Click the Resident icon and uncheck the TeaTimer box.
==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
==Download fixwareout from http://downloads.subratam.org/Fixwareout.exe - and save it to your desktop.
Double click Fixwareout.exe to start the Fixwareout Setup Wizard, click next and then install. Ensure that Run fixit is checked, and click on Finish. After the fix follow the prompts. You will be asked to reboot your computer, and it may take longer than usual to load - this is normal.

Only if your Internet connection is now not working, perform this: In Control Panel select Network and Internet Connections, rclick on your default connection (usually Local Area Connection for cable and DSL), and lclick on Properties. Click the Networking tab. Dclick on the Internet Protocol (TCP/IP) item and select Obtain DNS servers automatically. Press OK twice to get out of the Properties screen and reboot if it asks.
==Start Combofix:
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs reboot to restore the desktop.

FIX CHECKED ENTRIES....!!
==Start Hijackthis, do a Scan Only and place checkmarks against all of the following, and then press Fix Checked:
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kddwe.exe] C:\WINDOWS\system32\kddwe.exe
O4 - HKLM\..\Run: [BM3b767573] Rundll32.exe "C:\WINDOWS\system32\qpvqfmil.dll",s
O4 - HKLM\..\Run: [384546ef] rundll32.exe "C:\WINDOWS\system32\cckgmail.dll",b
O4 - HKCU\..\Run: [Jnskdfmf9eldfd] C:\DOCUME~1\Bisterd\LOCALS~1\Temp\csrssc.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O17 - HKLM\System\CCS\Services\Tcpip\..\{366FC8AC-01CE-4490-9C7B-E61DC7AA6EDA}: NameServer = 85.255.116.142,85.255.112.175
O17 - HKLM\System\CCS\Services\Tcpip\..\{B9E69F33-EA8B-4EBA-9D48-87696E32DBDD}: NameServer = 85.255.116.142,85.255.112.175
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.142 85.255.112.175
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.116.142 85.255.112.175
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.142 85.255.112.175
O20 - AppInit_DLLs: ijzyev.dll
O22 - SharedTaskScheduler: lksdfj98w3rmsekfnaui3rgfdgf - {C5BF49A2-94F3-42BD-F434-3604812C897D} - C:\WINDOWS\system32\gjm86akm34.dll

Delete these files:
C:\DOCUME~1\Bisterd\LOCALS~1\Temp\csrssc.exe
C:\WINDOWS\system32\kddwe.exe
C:\WINDOWS\system32\qpvqfmil.dll
C:\WINDOWS\system32\cckgmail.dll
C:\WINDOWS\system32\ijzyev.dll
C:\WINDOWS\system32\gjm86akm34.dll
C:\DOCUME~1\Bisterd\LOCALS~1\Temp\csrssc.exe

Okay, please run HT again and repost with the old MBAM, plus the fixwareout and combofix logs.
If at all possible please do not turn off your machine until we sort this infection.
Regedit should now be working for you.
Last edited by gerbil; Sep 7th, 2008 at 10:54 pm.
Deep, deep in the woods, but walking about.
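A defender-side check for the kinds of entries gerbil picks out above, written as an added example (not code from the post or from HijackThis): it parses HijackThis-style O4/O7/O17/O20 lines and flags NameServer values outside an expected set, autoruns launched from a Temp directory, a DisableRegedit policy and any AppInit_DLLs value. The sample log reuses the post's own entries plus two constructed benign ones; the allowed DNS set is an assumption.

```python
import re

# Constructed sample log: the O4/O7/O17/O20 entries quoted in the post above,
# plus two benign entries (ctfmon.exe and a router DNS) added for contrast.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Jnskdfmf9eldfd] C:\DOCUME~1\Bisterd\LOCALS~1\Temp\csrssc.exe
O4 - HKLM\..\Run: [384546ef] rundll32.exe "C:\WINDOWS\system32\cckgmail.dll",b
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.142 85.255.112.175
O17 - HKLM\System\CCS\Services\Tcpip\..\{B9E69F33-EA8B-4EBA-9D48-87696E32DBDD}: NameServer = 192.168.1.1
O20 - AppInit_DLLs: ijzyev.dll
"""

# DNS servers the machine is expected to use (assumption: a home router).
ALLOWED_DNS = {"192.168.1.1"}

NAMESERVER_RE = re.compile(r"NameServer\s*=\s*(.+)$")
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^"]+\.dll)"?,(\w+)', re.IGNORECASE)


def scan_hjt(text, allowed_dns=ALLOWED_DNS):
    """Return (section, reason, line) tuples for entries that need review."""
    findings = []
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        section = line.split(" ", 1)[0]  # "O4", "O7", "O17", "O20", ...
        if section == "O17":
            m = NAMESERVER_RE.search(line)
            servers = re.split(r"[,\s]+", m.group(1).strip()) if m else []
            rogue = [s for s in servers if s not in allowed_dns]
            if rogue:
                findings.append((section, "unexpected DNS server(s): " + ", ".join(rogue), line))
        elif section == "O4":
            if re.search(r"\\temp\\", line, re.IGNORECASE):
                findings.append((section, "autorun launched from a Temp directory", line))
            m = RUNDLL_RE.search(line)
            if m and len(m.group(2)) == 1:  # heuristic: one-letter export name
                findings.append((section, "rundll32 loads %s via export '%s'" % m.groups(), line))
        elif section == "O7" and "DisableRegedit=1" in line:
            findings.append((section, "policy disables regedit", line))
        elif section == "O20" and line.partition(":")[2].strip():
            findings.append((section, "AppInit_DLLs is set (DLL loaded into every user32 process)", line))
    return findings


if __name__ == "__main__":
    for sec, why, raw in scan_hjt(SAMPLE_LOG):
        print("%s: %s\n    %s" % (sec, why, raw))
```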