PhilliePhan 171 Central Scrutinizer Team Colleague

Thanks once again for helping me with this.

Happy to help :)

Let's do this next:

1) DELETE your current Win32kDiag and download a fresh copy to the Desktop.
http://ad13.geekstogo.com/Win32kDiag.exe
-- Click START > RUN and then Copy&Paste all of the following text in Red into the command field:
"%userprofile%\desktop\win32kdiag.exe" -f –r
-- Please post that log for me


2) Download and run MBA-M as per the linky below and have it Remove what it finds. It should get some of what Combofix missed.
http://www.daniweb.com/forums/thread134865.html

3) Reboot.

4) DELETE your current copy of Combofix.
Download a fresh Combofix and run it as you did before and post that log for me as well.

Cheers :)
PP

Questions??? commented: PhilliePhan has been a tremendous help! +2
PhilliePhan 171 Central Scrutinizer Team Colleague

Thanks again -
Steph

You're Welcome! :)

Salem commented: Another great result :) +36
PhilliePhan 171 Central Scrutinizer Team Colleague

Ok - If you already have combofix on your machine, DELETE it.

Then follow the instructions in the link below to DL a fresh Combofix and run it:
http://www.malwarebytes.org/forums/index.php?showtopic=22723

What I want you to do, though, is this:
When you download it and it asks you to "Save File As," rename combofix to Bunnyfix.exe and then download it to your desktop as that and follow the instructions in the linky to run it and post the log.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

I have tried to run hijack this, sd fix, as well as Malwarebytes' Anti-Malware 1.40, but all to no avail.

What happens when you try to run the tools?

PP :)

jonknisely commented: great help; would highly recommend +1
PhilliePhan 171 Central Scrutinizer Team Colleague

F2 - REG:system.ini: Shell=Explorer.exe rundll32.exe tapi.nfo beforeglav
F2 - REG:system.ini: UserInit=C:\WINDOWS.0\system32\userinit.exe,C:\WINDOWS.0\system32\sdra64.exe,

So sorry to be the bearer of bad news, but you have a nasty backdoor trojan with rootkit components.
This thing is far worse than Windows Police Pro - If you do any sort of online banking, there is a good chance your info has been compromised. Definitely check your banks, credit cards, etc. and change any passwords.

In cases such as this, I generally recommend a re-format because, even if we are able to clean the machine, you'll never be able to trust it......

PP :)

Atecks commented: very helpful +1
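The two F2 lines quoted in the post above are what a helper eyeballs for Winlogon persistence: Shell should be exactly Explorer.exe and UserInit should list only userinit.exe. This added example (not code from the thread or from HijackThis) automates that check over constructed sample lines copied from the log above; the "expected default" values are assumptions for a standard Windows XP install.

```python
"""Triage HijackThis-style F2 lines (system.ini Shell / UserInit).

Added example, not part of the original thread. SAMPLE_LINES are
constructed from the entries quoted in the thread above.
"""
import re

# Assumed defaults for a stock Windows XP install.
DEFAULT_SHELL = "explorer.exe"
DEFAULT_USERINIT = "userinit.exe"

F2_RE = re.compile(r"^F2 - REG:system\.ini:\s*(Shell|UserInit)=(.*)$", re.I)

SAMPLE_LINES = [
    "F2 - REG:system.ini: Shell=Explorer.exe rundll32.exe tapi.nfo beforeglav",
    "F2 - REG:system.ini: UserInit=C:\\WINDOWS.0\\system32\\userinit.exe,"
    "C:\\WINDOWS.0\\system32\\sdra64.exe,",
    "O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)",
]


def parse_f2(line):
    """Return (key, value) for an F2 line, or None if it is not one."""
    m = F2_RE.match(line.strip())
    return (m.group(1).lower(), m.group(2).strip()) if m else None


def triage_f2(line):
    """Return a list of findings (empty list == nothing suspicious)."""
    parsed = parse_f2(line)
    if parsed is None:
        return []
    key, value = parsed
    findings = []
    if key == "shell":
        # Shell is space separated; every extra token is launched with the desktop.
        tokens = [t.lower() for t in value.split()]
        if tokens != [DEFAULT_SHELL]:
            findings.append(f"Shell is not {DEFAULT_SHELL} alone: {value}")
    else:
        # UserInit is comma separated; only <systemroot>\system32\userinit.exe belongs.
        for entry in (e.strip() for e in value.split(",") if e.strip()):
            name = entry.replace("/", "\\").rsplit("\\", 1)[-1].lower()
            if name != DEFAULT_USERINIT:
                findings.append(f"UserInit launches unexpected program: {entry}")
    return findings


def triage_log(lines):
    """Map each suspicious line to its findings; clean lines are omitted."""
    return {ln: f for ln in lines if (f := triage_f2(ln))}
```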
PhilliePhan 171 Central Scrutinizer Team Colleague

I am having the same problem and can't run anything.

To ALL posters with similar problem: PLEASE START A NEW THREAD for your problem.

It makes things much easier for the volunteers.

Thanks :)
PP

R1pperZ commented: Great advice, having suffered from this very virus I know how frustrating it can be. +1
PhilliePhan 171 Central Scrutinizer Team Colleague

Hi Dave,

Please run MBA-M as per this linky and then post the log:

http://www.daniweb.com/forums/thread134865.html

PP :)

Dave29 commented: Did a great job in helping me resolve my issue!! +1
PhilliePhan 171 Central Scrutinizer Team Colleague

BTW: using Winkey+R and running MSConfig - Windows Config should allow you to disable most start-up processes, but sometimes the 3rd party utility will pull the more tricky buggers

LOL!
Hey KL, that's an argument I'm NOT going to have with you ;)

Suffice it to say that I believe that msconfig is for "diagnostic" startup rather than as a "startup manager." Frankly, HJT is a better startup manager. And I'm sure Judy will have her say . . . LOL!


@Kevin - Happy to see things are looking good :)

PP

Kevin392 commented: Very helpful as we worked through the problem. +5
PhilliePhan 171 Central Scrutinizer Team Colleague

@top10ufo:
I don't mean to demean your knowledge in any way shape or form - If I did, I apologize.

This is just not good advice, simply saying:

Try using ComboFix if you haven't already.

When you posted that, I kinda figured you were just here to spam your site. Maybe I was a bit harsh and, again, I apologize.
-- BTW, I like your website. Stuff like that interests me.

Still, I am going to stick by everything I said in this thread as being accurate.
As necrolin has noted, post #1 tends to lead away from a malware issue. The logs support that. Not sure why the OP is uninstalling AVG or running Combofix again.

All told, I think we made a pretty good mess of this thread....:-/


Cheers :)

nav33n commented: :) +11
PhilliePhan 171 Central Scrutinizer Team Colleague

Before running ComboFix you should have turned off System Restore

NO! Bad advice! Do not disable System Restore until told to do so by someone who knows what they are doing.

Frankly, running combofix at this stage (and improperly at that) is not called for.

However, in this case I doubt it matters.
It doesn't look like malware to me - Perhaps even a keyboard issue causing IE to open? After all, it is not opening to ads, but to home page.
Have you tried different Keyboard?

Also, try installing Firefox and seeing if the problem continues.

Cheers :)
PP

EDIT: Try banging on Ctrl + N ( the IE shortcut to open new window) to make sure they are not sticking......

karg commented: Solved - Excellent Advisor - much appreciated +1
PhilliePhan 171 Central Scrutinizer Team Colleague

I can run a MBAM scan and did do that before I posted, but is there any way I can set my HJT to a path so it scans the E: drive and not C: ??

Oops! I am so used to writing that sentence in various forums that I didn't even think about that!
HJT would have to be installed on the infected drive. Also, there are a few other tools at our disposal if need be.

Can you post the MBA-M Log so we can see what has been detected/removed?

I'll be away for most of the weekend, but I imagine one of the other volunteers will be able to assist you further.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Hi Judy,

Got your message - suggest you run AboutBuster and see if it will remove those hidden streams.

http://www.malwarebytes.org/aboutbuster.php

Let me know if you have any problems after that. I'll be doing storm cleanup all weekend, but will try to have a peek as time permits.

Best :)
PP

jholland1964 commented: Always one to be trusted. Gives high quality advice each and every time. +1
PhilliePhan 171 Central Scrutinizer Team Colleague

Sounds like you have quite a mess there!

-- Are you able to run any tools in Safe Mode?

If you want, you could try this AT YOUR OWN RISK:
Run this early beta of a scanning tool I've been writing off and on for a while. It should be safe - many of the more risky components are not included in this early version.

Download PeekabooXP.zip and EXTRACT the PeekabooXP Folder to your C:\ Drive
It needs to be there to run properly.
-- You'll need to disable your AV temporarily before you run PeekabooXP. It might hang if you don't. Run it in Normal Windows Boot, not Safe Mode.
-- Open the PeekabooXP folder on the C:\ drive and DoubleClick Run This.bat and follow the prompts.
-- A log ought to pop up in notepad - post that for me.

I'll try to check back as time permits. I've got a busy weekend of home repairs ahead of me, so I may be tied up for a bit.

Best Luck :)
PP

grvs commented: he has a very good knowledge of the Windows OS and is willing to help +1
PhilliePhan 171 Central Scrutinizer Team Colleague

Thanks PP,
It worked very well (it didn't run first, so I entered the cmd and found it there).
I scanned with spyware doctor+avg and they both showed clean results.
Thank you very much
:)

You're welcome!
Glad things are back to normal.

-- Your Java is a tad out of date. It is a good idea to keep an eye on that - keep it updated and remove all older versions to prevent problems with malware such as Vundo that exploit older versions.

Cheers :)
PP

tsahima commented: great! +2
PhilliePhan 171 Central Scrutinizer Team Colleague

Hi Greenhouse,

At quick glance, your logs look OK. Will take a closer look tonight when I have more time.

-- You should rename HijackThis.exe to analyzer.exe.
I am not sure hijackthis.exe.exe (as you have it) will escape detection by Vundo and other malware.

Are you sure about the spelling of lsas? Where was it running from? Do you know the path?
C:\WINDOWS\system32\lsass.exe --> this is the legitimate (and properly spelled) lsass.exe that is showing in your HJT log......

-- You can fix this entry with HJT ---> O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
I am not sure what it is - might be benign or could be a sign of a deeper infection. Based on the logs, I am leaning toward it being benign.


PP :)

GREENHOUSE commented: very informative and helpful +1
PhilliePhan 171 Central Scrutinizer Team Colleague

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP487\A0095385.exe -> Trojan.DNSChanger.hg : Cleaned with backup (quarantined).

That looks good - AVG Found the Trojan in System Restore and cleaned it.

-- How are things running now? Any Issues?

-- You might want to submit a final HJT log to double-check.


Cheers :)
PP

-- I like your siggy quote - Reminds me of that great Lennon song, "Whatever gets you through the night." I've quoted it numerous times....

freakNpink commented: You helped me so much. Thank you. =D +1
PhilliePhan 171 Central Scrutinizer Team Colleague

sorry, didn't see that (never used HJT before)

No worries - It was a good suggestion! :)

And, if you hadn't gotten me thinking about it, I'd probably never have placed that questionable driver with Spyware Doctor......

PP :)

jbennet commented: nice +4
PhilliePhan 171 Central Scrutinizer Team Colleague

Here it is

Yup - It looks like it merged just fine :)

You can see the differences between the two peek.txt logs.

Also, if you take fixxshort.reg and change the extension to fixxshort.txt and open it, it will match the second log exactly.

PP :)

jshtylr commented: Helped me a lot in fixing my problems +1