PhilliePhan 171 Central Scrutinizer Team Colleague

ERUNT is on board and running.

So you were able to use it to backup the registry with no problems?

I did the above and nothing happened. The cursor simply dropped down as though it wanted another command.

Right - The log will be at C:\log.txt. Just navigate to that and post the Log.txt.

Actually, let's do this:
Fire up another command prompt and type or Copy&Paste the commands in red (being careful of the spaces if you type them):

REG QUERY "HKEY_CLASSES_ROOT\Exefile\Shell\Open" >>C:\Log.txt
Hit ENTER
REG QUERY "HKEY_CLASSES_ROOT\Exefile\Shell\Open\Command" >>C:\Log.txt
Hit ENTER
Notepad C:\Log.txt

Hit ENTER

This will add to the existing C:\log.txt and should pop the log right up for you - copy and paste the contents for me.
-- This is curious - the values look OK in the OTL log + you are able to run the programs, just not from those locations.

Hang in there :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

I would still do a backup of the registry before you do anything but you most likely would do that anyway.

That is definitely something to consider if we do anything drastic there. ERUNT is a good tool for that.

I'm retired, so any time you can help, I'll be here. Thanks!

Great - these problems sometimes take a while to figure out. With any luck, we'll both learn something in the process :)

Open a command prompt and type:
assoc >>C:\log.txt ENTER

Please copy&paste the C:\log.txt for me.

Note: the command is assoc <space>>>C:\log.txt

Let's see what that says - I think I might be barking up the wrong tree, though.

-- Did you try changing the file associations via Folder Options > File Types Tab?

I'll check it tonight when I get home.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

A software pgm that monitored startup programs. I tried it; didn't like it and removed it.

Looks like that left some damage in a critical part of the registry. Let's do this:

Open a command prompt and type or Copy&Paste the following:

REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /V "Userinit" /D "C:\WINDOWS\system32\userinit.exe," /F

Then, hit Enter and then REBOOT your machine and let me know if that helped.

Probably best to copy&paste, if possible so there are no errors.

If you type it, be advised that there are spaces in the command and all the punctuation is necessary:

REG <space> ADD <space> "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" <space> /V <space> "Userinit" <space> /D <space> "C:\WINDOWS\system32\userinit.exe," <space> /F


Let me know how that all shakes out and if you had any problems along the way - I'll have to check back Wednesday evening EST.

Best Luck :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Yes, I tried System Restore as one of my first efforts to cure the problem. I tried all of the available dates listed...to no avail.

Two quick questions:

-- What is this?
C:\Program Files\Soluto

-- Can you get a command prompt?
START > RUN > type CMD and hit Enter

PhilliePhan 171 Central Scrutinizer Team Colleague

I've run this same machine for 11 years and figured out how to solve any and all problems to date, but this one has me beating my head against the wall. I'll await further instructions from PhilliePhan.

I am going to need some time to run through the log - bit overextended at the moment.
With any luck, one of the other volunteers can chime in. If not, no worries - I will get back to you as soon as I am able.

-- Did you try a System Restore? Is that a viable option for you? Do you need help with that?
In cases such as this, it is usually a good place to start.

Hang in there :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Far too complicated for this old man. I guess I'm a hopeless cause, huh? Thanks for your time, anyway.

Nah - nobody is hopeless :)

Hang in there - we can talk you through most of this stuff, if need be.

-- Did you try System Restore and restoring your computer to a time when all was working as it should?
That would be a good step - let us know if you need help trying that.

Also, try this:
Download OTL.exe to the Desktop.
-- Run it and click Scan All Users and then hit Quick Scan and post me the Two resulting logs. They should open automatically in notepad. They should also be saved next to OTL.exe

Just copy and paste them into the thread here for us.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

If this is the wrong forum, I apologize. I have absolutely no clue as to where this query should go.

I moved your post to the Spyware forum - seems a good place to start.

See if you are able to run the tools in the linky below and post the scanlogs.

http://www.daniweb.com/forums/thread134865.html

Let us know if you run into any problems. I or another volunteer will check back as time permits.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

OK - That worked as it should have.

I'm going to need to find some time to go through the logs a bit more thoroughly to see what, if anything, remains to be removed.

How is the compy running now?

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

when I moved the window another OTL log had popped up, strange because I had stopped OTL. Now that I've thought about it, that might have been avast! starting back up - I had stopped it for an hour. Here's the log:

OTL produces Two logs on its initial run - The OTL Log and the Extras Log. I probably should've been clearer instead of just asking for the "logs."

No Worries :)

At quick glance, I don't see much. Though, it looks like you've tried a number of tools before we started here.

-- Fire up OTL.exe again and copy and paste the text in Red into the Custom Scans/Fixes Box:

:OTL
O3 - HKLM\..\Toolbar: (no name) - SITEguard - No CLSID value found.
O3 - HKU\S-1-5-21-1131580844-927001921-2767165888-1008\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKU\S-1-5-21-1131580844-927001921-2767165888-1008\..\Toolbar\WebBrowser: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No CLSID value found.
O3 - HKU\S-1-5-21-1131580844-927001921-2767165888-1008\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
[2010/07/20 05:42:32 | 000,000,000 | ---- | C] () -- C:\WINDOWS\otihizajifoha.dll
[2010/07/20 03:40:47 | 000,000,000 | ---- | C] () -- C:\WINDOWS\oxikoziyequ.dll
[2010/07/20 01:38:27 | 000,000,000 | ---- | C] () -- C:\WINDOWS\uvipologo.dll
[2010/07/19 23:36:29 | 000,000,000 | ---- | C] () -- C:\WINDOWS\osixuzayahejozu.dll
[2010/07/19 21:34:27 | 000,000,000 | ---- | C] () -- C:\WINDOWS\ikocifal.dll
[2010/07/19 19:32:27 | 000,000,000 | ---- | C] () -- C:\WINDOWS\icehuroz.dll
[2010/07/19 17:30:25 | 000,000,000 | ---- | C] …
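The file-creation lines in the fix above show the tell-tale pattern the helper is acting on: zero-byte DLLs with random names dropped straight into C:\WINDOWS, one roughly every two hours. The following is an added example, not code from the thread or from OTL: it parses OTL's "Files Created" line format, keeps only empty .dll files sitting directly in the Windows directory, and reports whether their creation times fall at a near-constant interval. The six DLL lines in the sample are copied from the post above; the system32 line and its company name are constructed as a benign control, and the Windows directory path is assumed to be C:\WINDOWS.

```python
"""Flag periodically dropped zero-byte DLLs in an OTL "Files Created" listing.

Added example, not part of the thread or of OTL. Parses lines of the form
"[date time | size | attrs | C/M] (company) -- path" as OTL prints them.
"""
import ntpath
import re
import statistics
from datetime import datetime

# One OTL file line: timestamp | size with thousands separators | attribute flags | C(reated)/M(odified)
OTL_LINE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>\S{4}) \| (?P<kind>[CM])\] \((?P<company>.*?)\) -- (?P<path>.+)$"
)

# Six lines copied from the post; the last line is a constructed benign control.
SAMPLE = """\
[2010/07/20 05:42:32 | 000,000,000 | ---- | C] () -- C:\\WINDOWS\\otihizajifoha.dll
[2010/07/20 03:40:47 | 000,000,000 | ---- | C] () -- C:\\WINDOWS\\oxikoziyequ.dll
[2010/07/20 01:38:27 | 000,000,000 | ---- | C] () -- C:\\WINDOWS\\uvipologo.dll
[2010/07/19 23:36:29 | 000,000,000 | ---- | C] () -- C:\\WINDOWS\\osixuzayahejozu.dll
[2010/07/19 21:34:27 | 000,000,000 | ---- | C] () -- C:\\WINDOWS\\ikocifal.dll
[2010/07/19 19:32:27 | 000,000,000 | ---- | C] () -- C:\\WINDOWS\\icehuroz.dll
[2010/07/19 12:00:00 | 000,512,000 | ---- | C] (Constructed Corp) -- C:\\WINDOWS\\system32\\example.dll
"""


def parse_otl(text):
    """Return a list of {time, size, path} dicts for every line that matches OTL's format."""
    entries = []
    for line in text.splitlines():
        m = OTL_LINE.match(line)
        if not m:
            continue  # headers and other sections of an OTL log are skipped
        entries.append({
            "time": datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S"),
            "size": int(m.group("size").replace(",", "")),
            "path": m.group("path"),
        })
    return entries


def suspicious_dll_drops(text, windir=r"C:\WINDOWS", max_jitter_s=60):
    """Select empty DLLs created directly in windir and test whether they arrive on a timer.

    Returns the matching paths (oldest first), the median gap between creations in
    seconds, and whether every gap is within max_jitter_s of that median.
    """
    hits = [
        e for e in parse_otl(text)
        if e["size"] == 0
        and e["path"].lower().endswith(".dll")
        and ntpath.dirname(e["path"]).lower() == windir.lower()  # ntpath handles the backslashes on any OS
    ]
    hits.sort(key=lambda e: e["time"])
    gaps = [int((b["time"] - a["time"]).total_seconds()) for a, b in zip(hits, hits[1:])]
    median = int(statistics.median(gaps)) if gaps else 0
    periodic = len(gaps) >= 2 and all(abs(g - median) <= max_jitter_s for g in gaps)
    return {"paths": [e["path"] for e in hits], "median_interval_s": median, "periodic": periodic}


if __name__ == "__main__":
    report = suspicious_dll_drops(SAMPLE)
    print(f"{len(report['paths'])} empty DLLs in C:\\WINDOWS, median gap {report['median_interval_s']}s, periodic={report['periodic']}")
    for p in report["paths"]:
        print("  ", p)
```

A regular interval like this points at a scheduled component (a service or a task re-running on a timer) rather than a one-off drop, which is why the fix above removes the files but the helper also keeps looking for whatever is producing them.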

PhilliePhan 171 Central Scrutinizer Team Colleague

I'll try ComboFix again. I'll let it run from now at 5pm until tomorrow morning and report back - unless it runs.

OK - I'll keep my fingers crossed. Doesn't sound promising, though....

Not being able to boot to Safe Mode hurts a bit, but I guess we're stuck there.


If Combofix fails to complete after being left to run, then try this:
Download OTL.exe to the Desktop.
-- Run it and click Scan All Users and then hit Quick Scan and post me the resulting logs (if it runs).

Back on Monday evening EST.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague


looks like a marathon on this one, thanks again for hanging in there...

No worries :)

We can try a different tool - but do this first:

-- See if DDS will run and post the log.

Then, let's try running combofix again - but DO NOT touch the computer after combofix has been started. Don't click anything or touch anything. Combofix can be finicky that way.
Let it run for as long as you can - heck overnight, if need be, and let's see if it completes.

Be sure to start it with the command:

"%userprofile%\desktop\svchost.com" /killall

If it doesn't run, we'll try something else.

I doubt malware is interfering with it since AVP Tool ran clean....

Anyhoo, give that a go and let me know.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Directory of C:\RECYCLER\S-1-5-21-1131580844-927001921-2767165888-1008\Dc10

Great - all that's showing is in the recycle bin.

Let's go ahead and DL a new copy and give that a whirl.

If your compy is running slowly, you might have to give combofix extra time to run.

Hopefully it will run and show us if we are missing anything. Post me the log once it finishes.

-- Did you find out what was causing cpu spike?

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague


I'll delete them all but thought that might influence the thinking on this? I'll wait before any actions just in case - up to 153 while I typed this.

Are those all files in the combofix folder? If so, delete the folder and combofix.exe on the desktop.

Just to be on the safe side, open a command prompt (start>run>cmd) and type or copy&paste:

dir /a /s %systemdrive%\combofix*.* >>C:\Log.txt

dir <space>/a<space> /s<space> %systemdrive%\combofix*.* <space>>>C:\Log.txt

Let it run until it finishes and post me the C:\log.txt

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague


I guess we're ready to run combofix?

Yeah.... Let's see if it'll run now. I'll just copy and paste the instructions again:

-- First, delete your current copy of combofix if it is still on the ill compy.
Then follow the instructions in the link below to download a fresh copy of Combofix and run it:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

What I want you to do, though, is this:
When you download it and it asks you to "Save File As," rename combofix to svchost.com and then download it to your Desktop as that.

Once svchost.com is on the Desktop, Click START --> RUN --> and enter or copy&paste the following command in red exactly as shown to start combofix:

"%userprofile%\desktop\svchost.com" /killall


NOTE the space if you type it--> "%userprofile%\desktop\svchost.com" <space>/killall

With any luck that will run and produce a log for us and we can pick it up there.

Let me know how it shakes out.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

I'm adding this after reboot: explorer.exe is there and runs!! we're making progress. There is definitely something running, Task Mgr performance curve is spiking up to 50% usage with no inputs every 30 seconds or so.

Since I found explorer.exe and it runs, I'm going to wait for more input from you before trying anything else. Not even trying RunThis again, as I said above - I know you're in another time zone, so will run mbam and maybe Kaspersky to see if I can flush out what's running and post the reports.

OK - RunThis.bat did not finish, but it got far enough to swap explorer.exe back in and change the winlogon shell value back to explorer.exe. (Though that doesn't show in the truncated Peek.txt)
RunThis.bat will probably take longer to run on your compy - give it 5 minutes.

-- Did you do the Reg Query to verify the shell value? I always like verification :)
-- Did you Delete C:\windows\Phillies.exe?

Let me know.

-- I doubt a rerun of MBAM or Kaspersky will hurt anything - be sure to update them first.

-- If you want to have a closer look at what is eating cpu, you can download Mark Russinovich's Process Explorer
I use this instead of Task Manager. Much more detailed.
-- When you run it, click Options and select "Replace Task Manager." 'Course you don't have to replace Task Manager to use Process Explorer.... …

PhilliePhan 171 Central Scrutinizer Team Colleague


what is the logfile called?

That's odd - It ran just fine on my XP machine before I zipped it.

-- That stuff in the DOS window is expected. It copied what I wanted to copy and didn't find the two malware files I was looking for.

The log should just pop up - You can find it at C:\peek.txt. There should also be a newly created C:\PEEKTEMP Folder and C:\FDSV.exe and C:\FCIV.exe.

-- Let me know if all 4 are there.

-- Then, DELETE all 4 of those and then give RunThis.bat another go. Let it run for about five minutes - way long enough for it to finish.
As long as the cursor is blinking in the DOS box, let it go for a few minutes.

It probably accomplished what we needed it to do, but the fact that it doesn't finish could indicate more damage on the compy that we haven't yet seen.

Let me know how that shakes out.

What you can also do is check to see if C:\Windows\Explorer.exe is there now.
Then, with a command prompt (start > run > cmd) type or copy and paste:

REG QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /V "Shell"

The result should read Shell REG_SZ Explorer.exe

If that is the case and if C:\Windows\Explorer.exe exists, then Reboot the compy and update me on how things are running.

Then, we can look at trying combofix again …
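The thread checks three registry values by hand: the REG QUERY of Exefile\Shell\Open\Command early on, the REG ADD that puts Userinit back to "C:\WINDOWS\system32\userinit.exe,", and the Shell value verified just above. The following is an added example, not code from the thread or from Microsoft's reg.exe: it parses the text that REG QUERY prints (both the XP "<NO NAME>" and the later "(Default)" spelling of the default value), compares each value to its Windows XP default, and prints the REG ADD line that would restore a value that differs. The two sample outputs are constructed, including the hijack.exe path used to show a tampered Userinit and exefile command; the expected defaults assume a standard install at C:\WINDOWS.

```python
"""Verify Winlogon Shell/Userinit and the exefile open command from REG QUERY output.

Added example, not part of the thread. Sample outputs below are constructed.
"""
import re

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
EXEFILE_CMD = r"HKEY_CLASSES_ROOT\Exefile\Shell\Open\Command"

# Expected data on a default Windows XP install (assumed path C:\WINDOWS).
# Userinit keeps its trailing comma; the exefile command must be exactly "%1" %*.
EXPECTED = {
    WINLOGON: {"Shell": "Explorer.exe", "Userinit": r"C:\WINDOWS\system32\userinit.exe,"},
    EXEFILE_CMD: {"(Default)": '"%1" %*'},
}

# A value line as REG QUERY prints it: indented name, REG_* type, then the data.
_VALUE_RE = re.compile(r"^\s+(?P<name><NO NAME>|\S+)\s+(?P<type>REG_[A-Z_]+)\s+(?P<data>.*?)\s*$")

# Constructed XP-style output for a healthy machine.
SAMPLE_CLEAN = r"""! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell       REG_SZ  Explorer.exe
    Userinit    REG_SZ  C:\WINDOWS\system32\userinit.exe,

HKEY_CLASSES_ROOT\Exefile\Shell\Open\Command
    <NO NAME>   REG_SZ  "%1" %*
"""

# Constructed output with an extra executable chained onto Userinit and the
# exefile command wrapped so every .exe launch goes through hijack.exe first.
SAMPLE_HIJACKED = r"""! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell       REG_SZ  Explorer.exe
    Userinit    REG_SZ  C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\User\hijack.exe,

HKEY_CLASSES_ROOT\Exefile\Shell\Open\Command
    <NO NAME>   REG_SZ  "C:\Documents and Settings\User\hijack.exe" "%1" %*
"""


def parse_reg_query(text):
    """Return {key_path: {value_name: (type, data)}} from one or more REG QUERY outputs."""
    result, current = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = line.strip()
            result.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = "(Default)" if m.group("name") == "<NO NAME>" else m.group("name")
            result[current][name] = (m.group("type"), m.group("data"))
    return result


def check_values(parsed, expected=EXPECTED):
    """Compare parsed values to the expected defaults; return [(key, name, problem), ...]."""
    findings = []
    for key, values in expected.items():
        # Key and value names are case-insensitive in the registry; REG QUERY echoes the case you typed.
        actual = next((v for k, v in parsed.items() if k.lower() == key.lower()), None)
        if actual is None:
            findings.append((key, None, "key not present in output"))
            continue
        for name, want in values.items():
            got = next((d for n, (_t, d) in actual.items() if n.lower() == name.lower()), None)
            if got is None:
                findings.append((key, name, "value missing"))
            elif got.strip().lower() != want.lower():
                findings.append((key, name, f"unexpected data: {got!r}"))
    return findings


def repair_command(key, name, data):
    """Build the REG ADD line that writes the expected data back (same form the thread uses)."""
    data = data.replace('"', r'\"')  # reg.exe takes embedded quotes as \"
    target = "/VE" if name == "(Default)" else f'/V "{name}"'
    return f'REG ADD "{key}" {target} /D "{data}" /F'


if __name__ == "__main__":
    for label, sample in (("clean", SAMPLE_CLEAN), ("hijacked", SAMPLE_HIJACKED)):
        problems = check_values(parse_reg_query(sample))
        print(f"{label}: {len(problems)} problem(s)")
        for key, name, why in problems:
            print(f"  {name} under {key}: {why}")
            if name is not None:
                print("  fix:", repair_command(key, name, EXPECTED[key][name]))
```

Run the three REG QUERY commands into C:\log.txt as the thread does, then feed that file to parse_reg_query; the comparison is case-insensitive because reg.exe prints the key path exactly as you typed it.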

PhilliePhan 171 Central Scrutinizer Team Colleague

standing by....thanks!!

AllRightyThen!
Sorry for the delay - got a bit tied up.

Anyhoo, let's put explorer.exe back the way it was:

-- Please download the attached ExWin.zip and Extract the ExWin folder from the ZIP to the Desktop.
-- Open the folder and DoubleClick RunThis.bat to run it.
Should take between 15 - 45 seconds to run.
-- A log will pop up. Please post that for me and then REBOOT the compy.
-- After restarting, navigate to C:\Windows\Phillies.exe and Delete it.

Let me know how things are running and we'll go from there.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

after getting ubuntu up and fixing winlogon, I rebooted. On the reboot, Kaspersky popped up and asked if I wanted to continue where it left off. I did. it didn't find anything else and that's the report you saw.
Meanwhile, to be sure something wasn't lingering on startup, I ran kaspersky again with avast! and firewall turned off. It found this. . . .
so I ran it again and got a clean report - who knows why it didn't pick up backdoor on the first run.

OK - I see it now. Cool.
That last detection was in System Restore - we would have flushed that manually anyway. That AVP Tool is thorough!

-- I guess AVP Tool is not uninstalling itself any more? Been a while since I played with it....
You can uninstall it now. If we - or you - need it again, best to download a fresh copy of the latest version/build.

-- I am going to put together a tool to restore explorer.exe and also look at a few other things. Hang in there, I am running a bit behind today.
I was thinking it might be a good idea to replace the other copies of explorer.exe and winlogon.exe on your compy, but then I figured AVP Tool would have caught them....


I still want to try a run of combofix after we restore explorer.exe.

If I can't post back today, I'll definitely get …

PhilliePhan 171 Central Scrutinizer Team Colleague

one has the MSDOS logo and a rollover says shortcut to MS-DOS program - properties says created 2/1/2011 which is surprising. size 2.78 KB and size on disk 5.00 KB. if that helps. cmd line C:\WINDOWS\explorer.exe this file is not present on the computer I'm working on so maybe that's part of the problem.

I am not sure what this is - could be a remnant of an anti-malware program, I don't know. Probably safe to delete it, though.

There is no explorer.exe file and, indeed, when I try to open explorer.exe from Task Mgr, the error box says "file cannot be found".

Right. Explorer.exe is tricky to deal with. Under normal situations, if you try to delete it, you cannot because it is running. If you rename it, a new copy is instantly restored.
But, when we switched it out for Phillies.exe, that freed the infected explorer.exe up to be removed by Avast! -- That is what I think happened.
Eventually we will reverse the process and switch explorer.exe back in....

There is another explorer file and strangely a rollover gives no popup - doesn't on this machine either so I guess that's normal. just an observation. properties says it's Windows Explorer Command, 4.00 KB

When you run it, you'll see that that is the Windows file explorer (or something like that - can't remember) that allows you to navigate directories and files.

2/9/2011 8:29:35 AM Detected: Backdoor.Win32.Shiz.dfc C:\WINDOWS\system32\dll
2/9/2011 8:30:27 AM Detected: …

PhilliePhan 171 Central Scrutinizer Team Colleague

Many thanks, PP.
Will work on your recommendations.

You're welcome :)

PhilliePhan 171 Central Scrutinizer Team Colleague

I cannot locate the AVP scanlog. I don't see any Kaspersky folders or anything that looks like it could be AVP. Do you know where they should be?
I don't have a Windows CD - this is an HP machine, should be on the D: drive?

AVP should have installed to the Desktop Folder - yeah, odd place, but as far as I recall it does that and then uninstalls itself. Perhaps it is still there.

-- Ideally, we would need an XP CD - something we can boot and do a repair with.

Lets give this a try:

Fire up ubuntu and navigate to C:\WINDOWS\ServicePackFiles\i386\winlogon.exe and confirm that it exists.
-- If that is there, then DELETE the C:\Windows\System32\winlogon.exe
-- Then, copy winlogon.exe from servicepackfiles\i386 to system32 folder.

See if that stops the boot loop and allows the compy to boot to Windows.

Let me know.

Also: You can use ubuntu to back up any sensitive data on the ill machine. But, of course, you need to be careful not to spread the infection. Generally documents / video / pictures will be ok. Stay away from backing up programs and executables and the like....

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

PP, you're gonna love it, I have a couple of machines running ubuntu and I've just loaded the live disk into the machine we're working on...and it's up and running. External monitor came on line with no problem.

Excellent! We are back in business!

-- You're online with no problems on ill machine?

I was hoping AVP Tool would replace the infected winlogon.exe, but I expect it deleted it.
-- Did you get a "prompt for action" any time during the scan?
-- I'd like to see if we can get a scanlog from the AVP Tool run if it by chance saved it. As I recall, you had to do that manually... See if you can find a scanlog in the AVP Tool installation folder, if that remains.

-- Do you have a Windows CD for the ill machine? No worries if you don't.

Let me know the answers to the above - Also, use Ubuntu to look for C:\Windows\system32\winlogon.exe and let me know if that is there.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

I notice that MsMpEng.exe is using up a huge amount of memory during start up process. . . . When it reaches the lower figure - which takes some time - things then start to make progress.

MsMpEng.exe monitors/scans a lot of processes on boot, so there will be some slowdown.
It could be in conflict with perhaps another scanner or program - if this behavior started recently, you could check recently installed software. Or, use msconfig to weed out a startup that is causing MsMpEng.exe to hang.
You could also use a startup manager to disable unnecessary items --> http://www.mlin.net/StartupCPL.shtml

I would leave MsMpEng.exe alone as it is a vital cog in system defense....

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

The system is now stuck in a restart loop. The external monitor gets the startup signal but after 2 seconds goes black and get a "monitor going to sleep" box and amber power lamp.

Blehh!! Worst case scenario - I was a bit worried about that, especially given the monitor situation and those specific infected files.

Ok - let's regroup:

-- What happens when you hit F12 at boot? Are you able to change boot order if necessary?
-- Do you have your Windows CD?
-- I guess the main question is can you boot from CD?

-- Try to create the Ubuntu Live CD as per the instructions in the linky.
Try to boot it, but don't "install" it - use the "Try Ubuntu" option to run from the CD and in memory.

EDIT: I'd like to use the CD option rather than USB Stick because some machines won't boot USB and I'd like to use the USB stick for file transfer, if we are able to get that far....

If you are able to do that, with any luck we'll be able to get back on track!

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Everything seems to be running fine, thanks to you and your team's assistance.
Thanks again for everything.

You're welcome!

Our merry band of few volunteers is always happy to help :)

PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Gerbil - I looked in the avast! virus chest and explorer.exe is sitting in there. There are other files in there as well. I tried to copy the contents of the chest for you but it won't let me.

That is interesting given that C:\Windows\explorer.exe showed in one of the earlier scans.

This fixing process could get a bit dicey - we may end up making things a whole lot worse.

Let's try this first:

Please download the Kaspersky AVP Tool to the Desktop and DoubleClick the AVP Tool setup file to run the Setup Wizard.
Follow the prompts and it should install to your Desktop Folder.

-- Fire up the AVP Tool and select the Autoscan tab.
Be sure the following boxes are checked:
• System Memory
• Startup Objects
• Disk Boot Sectors
• My Computer
• All other drives

-- Click the link in the On threat detection line and select Prompt for action.

Hit the Start Scan button and off we go.
AVP Tool should Disinfect any malware it finds.
-- Note: If an object cannot be disinfected, select DELETE at the prompt.

When finished, please click the Reports Button and save the log where you can find it easily. Please post that for me.
Also, let me know if you ran into any problems with these steps.
** I think AVP Tool should "self-uninstall" or prompt …

PhilliePhan 171 Central Scrutinizer Team Colleague


I'll post the Avast! log when it completes. And thanks again for your help here, I know you are very busy.

I try to check in on a regular basis :)

This baddie may be a bit more difficult to remove than we anticipate - there are a couple different components in play.
I have a few things I'd like to try, assuming Avast! fails.

-- Do you have a usb flash drive you can use to transfer files to the ill compy?
-- What OS is your healthy computer (in the event we need to copy some files)?

Let me know.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Object C:WINDOWS\system32\winlogon.exe
Infection Win32:WinPatch

Don't know if it's significant.

Yes it is - good call!

That explains the explorer.exe issue - I believe that this is a newer piece of malware and it infects both explorer.exe and winlogon.exe.
I could be wrong + there could be more to the infection that I am not aware of. We can probably try to replace winlogon.exe....

But first, a couple things:

-- Are you able to Delete C:\Windows\Explorer.exe? See if you can do that.

-- Try to update Avast! and run a full scan and post me the scanlog - I'd like to see what it comes up with.....

And we'll go from there.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

explorer.exe still will not run (tried from quick launch Windows Explorer icon AND from Task Mgr) but I thought I'd report the desktop working before going further.

One note...on reboot, it takes a long time for everything to come up. However, I started excel and word and their startup times seem normal.

OK - we are making some progress.
I am encouraged that the MBAM log was clean as it is a very good tool for removing active malware.
So perhaps all that we are dealing with are remnants and the changes that they made.


I would, though, like to try combofix again:

-- First, delete your current copy of combofix if it is still on the ill compy.
Then follow the instructions in the link below to download a fresh copy of Combofix and run it:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

What I want you to do, though, is this:
When you download it and it asks you to "Save File As," rename combofix to svchost.com and then download it to your Desktop as that.

Once svchost.com is on the Desktop, Click START --> RUN --> and enter the following command in red exactly as shown to start combofix:

"%userprofile%\desktop\svchost.com" /killall

With any luck that will run and produce a log for us and we can pick it up there.

-- Did you try to run DDS as per …

PhilliePhan 171 Central Scrutinizer Team Colleague

File Not Found

on reboot, still no desktop...

Sorry!

That's my fault - I left out a line in the batch file. Guess that's what limited time will do to me.

-- Good catch by Gerbil.

Let's try it again.
-- Download the attached FixEx.txt
-- Rename it FixEx.bat
-- Run it and reboot and see if that works - Don't need to see a log.

If that does not work, do this:

-- Navigate to C:\Windows\ServicePackFiles\i386\Explorer.exe
-- Copy Explorer.exe to C:\ ---> C:\Explorer.exe
-- Rename C:\Explorer.exe to C:\Phillies.exe
-- Copy or Cut and Paste C:\Phillies.exe to C:\Windows Folder ---> C:\Windows\Phillies.exe (this is the line I left out of the original batch file... Doh!)
-- Delete the C:\Phillies.exe if you didn't cut and paste it.

The shell value has already been changed, so we don't need to revisit that.

-- REBOOT - Should have the desktop back now and we can move on from there.... I hope :)

PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Allrightythen!

It looks as though we are dealing with a permissions issue. Very likely a remnant from the rootkit/malware that had infested the machine.
MBAM should have flagged this, so I imagine all that is left are the registry remnants shown in GMER. You can remove those by scanning with GMER again (Rootkit/Malware tab) and then RightClicking on the entries I highlighted before and choosing to delete them.

Before we go further, let's try to get the desktop back and functional:

Download the attached FixEx.zip.
RightClick it and extract FixEx.bat from the ZIP.

DoubleClick on FixEx.bat to run it. Let it run - shouldn't take too long.

-- Peek.txt should pop up. Please post that for me.

-- Then REBOOT and let me know if the Desktop is back and we'll try to carry on from there.

Let me know if you run into any trouble with the above steps.
I'll check back as time permits - really busy these days.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Hi Catalana,

Just had time to give things a quick once over - hopefully Judy will have a look later.
Anyhoo, it looks like you have a rootkit in play:

Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys@imagepath \systemroot\system32\drivers\gaopdxjihcqxoatkqclumwbvexqgcutoiwqpyx.sys
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys\modules (not active ControlSet)

Thanks, guys,
I'm still trying to get my hands around running things without the desktop so thanks for the patience. I can't run dds - it hangs the system - I suspect it's because Avast! is running and I can't shut it down. Tried both from Task Mgr and CodeStuffStarter.

Hopefully your setup will allow you to run Combofix - I suggest giving that a go:

Please follow the instructions in the linky below to download Combofix and run it:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Follow the instructions in the linky very carefully to run it and then post the combofix log for us.
Be sure to install Recovery Console (if you are able to do so) and disable any other security programs or Anti-Virus programs as per the linky before running Combofix! --> If Avast! cannot be disabled, no worries. Give the tool a go anyway.

Let us know if you run into any trouble along the way.

PEEK before the window popped up, a DOS window came up with "Access is denied."

Yeah - that looks like CACLS was blocked from running. The malware has probably blocked the …

PhilliePhan 171 Central Scrutinizer Team Colleague

In addition to what Judy said, try this:

Download the attached Look.zip.
RightClick it and extract Look.bat from the ZIP.

DoubleClick on Look.bat to run it. Let it run - shouldn't take too long.

A text log will pop up - please copy and paste that here for us.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Good Morning Philie;

ComboFix uninstall complete. In addition, I did a search and found / removed some comboFix shortcuts and text files manually. In addition, I did go check for Kaspersky, but as you indicated, it is still not available. Thanks -Alx

Hey Alex - Sorry about the wait. I'm having a rough go of it these days. We had a terrible ice storm on Tuesday that knocked out power and net until a few hours ago. I can live without the internet, but no heat sucks.... ;)

Anyhoo, all I was planning to follow up on was to make sure you had your Java / Av / Windows Updates / Adobe Updates and the like up to date. They are the first line of defense. So, be sure to update all of those. With the Java, you'll need to remove all older versions as they still present a security risk if they remain on your machine.

So, if things are still running well, make sure those are up to date. Maybe throw in an MBAM scan every other week or so with updated definitions. And you're probably good to go...

Best :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Hi Phil;
Everything running fine now. I did delete those Insta Codecs from Control Panel; All working well thanks to you folks. Thanks much. Alx

You're welcome.

Normally I'd like to follow up with a Kaspersky Online Scan, but I think it is still down as they are reworking it. So, that will have to wait - you should probably keep that in mind and check them out when it is back up.

--I still need to look at your DDS attach.txt and see what needs removing/updating - I'll try to post that Tuesday evening EST.

-- Let's remove Combofix and the files/folders it created:

• Click Start > Run
• Type or Copy&Paste ComboFix /Uninstall into the Run box. (Be sure there is a space between the x and the / if you type it)
• Click OK

This will remove Combofix and its components from your machine.
It should also reset your clock, re-hide System and Hidden Files and hide File Extensions.
Last, but certainly not least, doing this should reset System Restore.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Hope you had a great weekend. Yes, I did read your post, and just finished re-executing Combofix per your request (see logs below). Thanks again for your invaluable assistance. Alex

Happy to help :)

Weekend was quite busy - I find myself working twice as hard for half the pay these days! LOL.

That log looks better - how are things running now?

I left these alone - they are probably OK.
The first two are likely related - we see an awful lot of infected codecs these days. Not sure if that is the case here:

c:\windows\system32\ff_vfw.dll
c:\program files\InstaCodecs
c:\windows\system32\5A5219D94A374A9E0854CB0F563363AE


Anyhoo, let me know how things are working now and we'll go from there.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Hi guys:
I just finished deleting c:\windows\"aventura.exe", as I had created it earlier in an attempt to fix the then corrupted explorer.exe. Thanks for pointing it out. Alex

Hey Alex,

Did you see my post above to rerun combofix?

I'll be back Tuesday to have a look at the new log.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

PP, I didn't touch this thread further because Combofix has gotten away from me... but this file is sus?
c:\windows\aventura.exe

Due to my limited forum time these days, I tend to make more assumptions about questionable items that may be work-related and the like.
In this case, I assumed Alex renamed the executable and therefore knows what it is......

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Allrightythen.... I am back in business!

-- How are things running now, Alex?

Let's remove a few more things with combofix. I have left some questionable items alone (codec / some likely work-related stuff / etc...)

-- Please delete your current copy of ComboFix and download a fresh one to your Desktop
-- Download the attached file CFScript.txt to your Desktop as well
-- Close ALL browser windows and then drag CFScript.txt into ComboFix.exe just like this.

-- Let Combofix run as before and post me that log.

And . . . We'll go from there :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

There are several registry keys to unlock, but I'll wait for PP's thoughts on what combofix has done. Any files wrongly deleted can be reinstated from its vault. Else you just reinstall...

I am going to be away from the computer for much of the weekend - back on Monday.

Most of the combofix deletions look legit - Though some are "iffy" as Gerbil noted. One of the drawbacks to MBAM and Combofix is "collateral damage" to files in odd places.... If things are not running properly, you can restore the deleted components.
I'd scan them at Jotti or Virustotal before reinstating them. There are a few other items in the CF log that bear further scrutiny - If Judy or Gerbil don't address them, hang in there and I'll post back as soon as I am able.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Once you have completed Gerbil's and Judy's suggestions, let's run another tool:

-- Please follow the instructions in the linky below to download Combofix and run it:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please follow the instructions in the linky very carefully to run it and then post the combofix log for me.
Be sure to install Recovery Console (if you are able to do so) and disable any other security programs or Anti-Virus programs as per the linky before running Combofix!

I will check back as time permits and we'll go from there.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

I agree with Gerbil - let's pull those out manually and then try to run the tools.

A couple thoughts:

-- Uninstall Spybot SD right away as it will get in the way of some cleaning steps.

-- Look at Add/Remove Programs and see if C:\Program Files\winvi can be uninstalled. If not, then delete the folder manually.
The same for this folder---> C:\Documents and Settings\Owner\Application Data\SysWin

-- After uninstalling SpybotSD, fix these with HijackThis:
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present

-- I see you are running HJT from F:\Drive - is that a USB Drive? If so, try running DDS and MBAM from the USB Drive and let us know how that shakes out.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Thanks for your response and assistance. Will do what you suggested, and will post the results once completed. Thanks

Great - One of us will be around.

-- You're running 32-bit Windows XP, right? All these tools should run.....
Did you update the tools you ran earlier to the latest definitions?

This stuff should have been easily removed - pretty sure they are all old baddies from a few years back:

O2 - BHO: e0ffeca9 - {C858D373-E0AA-855B-641D-A1F979D2E544} - C:\WINDOWS\system32\mp4sdecd32.dll
O4 - HKLM\..\Run: [dmdskmgrwow.exe] C:\WINDOWS\dmdskmgrwow.exe
O4 - HKCU\..\Run: [WinUpdater] "C:\Program Files\winvi\update.exe" /background
O4 - HKCU\..\Run: [WebSUpdater] "C:\Program Files\winvi\wupda.exe" /background
O4 - HKLM\..\Policies\Explorer\Run: [RTHDBPL] C:\Documents and Settings\Owner\Application Data\SysWin\lsass.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\mp4sdecd32.dll


-- Plus, Sygate firewall hasn't been around for a few years either - if my memory is correct.

If Judy is not around, I'll check back Thursday evening EST.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

None of these problems above existed as of yesterday (1/25/2011), so between then and today, all of these issues surfaced.

I tried:

- Running Ad-Aware (LavaSoft) - Says system is clean
- Running Spybot - Search and Destroy - system clean
- Ran McAfee VirusScan 8.8.0i - nothing detected
- Tried Housecall 7.2 antivirus and get an error message: 1082108645:2
- Ran HijackThis for logs below:

I should add that some of the malware showing is stuff I have not seen for a few years. Can't imagine how your scanners would miss it....

Anyhoo, the steps in the linky I provided should get most of it and we'll deal with the remnants accordingly.
Let us know if you have any trouble with the steps in the linky.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Hope someone may be able to point me in the right direction. Thanks for your time and assistance.

At quick glance, there are some iffy entries in your HJT log.
Please follow the steps in the linky below and post the requested scanlogs:

http://www.daniweb.com/forums/thread134865.html

We are a bit short on help, but I or another volunteer will check back as time permits.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

I read that it can come back if it stays in your registry

No - that's not going to happen.

But, if it makes you feel better, you can still rip them out of there.
-- If you are going in manually, just right-click those and delete them.

Or, download the attached Fix.txt to the desktop,
-- Rename it Fix.reg
-- Double-click it and allow it to merge into the registry

That ought to take care of it.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

I hope you can help me out :)

How do you find the stuff in the registry? (does it show on a scanner or do you go in manually?)

Try this:
Download Bill James’ RegSrch

Extract it to your Desktop and double-click regsrch.vbs
-- if your AV has script blocking, you’ll need to allow this to run
When the dialog box opens, type Potato and Click OK.

You’ll need to save the log that pops up in Wordpad and then submit it for me. We can use that to pull out any remnants.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

F2 Reg: System.ini: UserInit=userinit.exe
That's not been there before. Fixed that and ran a boot time scan with avast, which found nothing. Ran HT again and there are a lot of services with (file missing); is this normal? Other than that laptop seems fine.

HijackThis has issues with 64-bit Windows and that O23 (file missing) is one of them. That is usually not the case.

-- RE: F2 Reg: System.ini: UserInit=userinit.exe
No worries there - that's valid. The entry looks a bit different for 64-bit as opposed to what we are used to seeing:
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,

For your malware scare, I'd suggest a run of MBAM as per the linky below:

http://www.daniweb.com/forums/thread134865.html

Cheers :)
PP
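
As an added example (not part of this thread or of HijackThis itself), here is a small Python triage pass over the HJT lines quoted earlier in the thread together with the two UserInit forms PP describes above: it accepts both the 32-bit full-path spelling and the bare 64-bit one, and flags the structural red flags a helper would look at first (a populated AppInit_DLLs, IE Restrictions policies, Run entries planted through the Explorer policy key, a core system process name running from outside System32, randomly named BHOs). The sample log is constructed from the thread's own lines; the heuristics are my own and are not exhaustive.

```python
import re
# Constructed sample: the HijackThis lines quoted in this thread plus the two
# UserInit spellings PP discusses (32-bit full path vs. bare 64-bit form).
SAMPLE_LOG = r"""
O2 - BHO: e0ffeca9 - {C858D373-E0AA-855B-641D-A1F979D2E544} - C:\WINDOWS\system32\mp4sdecd32.dll
O4 - HKLM\..\Run: [dmdskmgrwow.exe] C:\WINDOWS\dmdskmgrwow.exe
O4 - HKCU\..\Run: [WinUpdater] "C:\Program Files\winvi\update.exe" /background
O4 - HKLM\..\Policies\Explorer\Run: [RTHDBPL] C:\Documents and Settings\Owner\Application Data\SysWin\lsass.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O20 - AppInit_DLLs: C:\WINDOWS\system32\mp4sdecd32.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
F2 - REG:system.ini: UserInit=userinit.exe
"""
# Core Windows process names: a Run entry using one of these from outside
# System32 (SysWin\lsass.exe above) is a classic masquerade.
SYSTEM_NAMES = {"lsass.exe", "csrss.exe", "smss.exe", "services.exe",
                "winlogon.exe", "svchost.exe", "userinit.exe"}
# Both legitimate UserInit values (compared lower-case, trailing comma dropped).
USERINIT_OK = {"userinit.exe", r"c:\windows\system32\userinit.exe"}

def check_line(line):
    """Return a reason if this HijackThis line deserves scrutiny, else None."""
    tag, _, rest = line.strip().partition(" - ")
    low = rest.lower()
    if tag == "F2" and "userinit=" in low:
        progs = [p.strip() for p in low.split("userinit=", 1)[1].split(",") if p.strip()]
        if any(p not in USERINIT_OK for p in progs):
            return "UserInit launches something besides userinit.exe"
    elif tag == "O20" and low.startswith("appinit_dlls:") and low.split(":", 1)[1].strip():
        return "AppInit_DLLs loads a DLL into every process that uses user32"
    elif tag == "O6" and "restrictions present" in low:
        return "IE policy restrictions set (malware uses these to lock settings)"
    elif tag == "O4":
        m = re.search(r'\]\s*"?(.*?\.exe)', low)
        path = m.group(1) if m else ""
        if "policies\\explorer\\run" in low:
            return "Run entry planted via the Explorer policy key"
        if path.rsplit("\\", 1)[-1] in SYSTEM_NAMES and "\\system32\\" not in path:
            return "system process name running from outside System32"
        if "application data" in path or "\\temp\\" in path:
            return "autorun executable in a user-profile directory"
    elif tag == "O2":
        m = re.match(r"bho:\s*(.*?)\s*-\s*\{", low)  # BHO "names" like e0ffeca9 are a tell
        if m and (re.fullmatch(r"[0-9a-f]{8}", m.group(1)) or m.group(1) == "(no name)"):
            return "BHO with a random or missing name"
    return None

def triage(log_text):
    return [(ln.strip(), check_line(ln)) for ln in log_text.splitlines() if check_line(ln)]
```

Running `triage(SAMPLE_LOG)` flags the O2, policy-key O4, O6 and O20 lines and leaves both UserInit entries and the plain Run entries alone; anything it flags still needs a human (or a Jotti/VirusTotal check) before removal.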

PhilliePhan 171 Central Scrutinizer Team Colleague

is there a specific site you recommend?

Actually, there is:

HDD Doctor Removal

See if you are able to follow the detailed steps in the linky above.

-- Please post the MBAM Log for me and let me know if you have any trouble along the way.
Often, when a machine is infested with one piece of malware, there is more malware present - so there are a couple other scans I'd like to try after this initial removal.

Will try to check back later tonight.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

How can I rid my computer of this??

Hi Skygirl,

-- I'm assuming you've got another compy handy that you are posting from?

-- Do you have a USB Flash Drive that you can use to transfer a few cleanup tools to the ill machine? If no flash drive, burning them to CD will work.

Let me know and we'll go from there.

Cheers :)
PP