
Help please - unable to run dds.scr - Google redirect


  • This topic is locked
14 replies to this topic

#1 Cb72hub

Cb72hub

  • Members
  • 20 posts

Posted 22 March 2009 - 10:06 AM

Hi,

I was forwarded to this forum from 'Am I infected?...'.
http://www.bleepingcomputer.com/forums/ind...p;#entry1184992

I was instructed to download and run dds.scr file. For some unknown reason, it's not working. The black window flashes and disappears.
I'm running McAfee Securitycenter and disabled the virus and script writing functions with no improvement.

Through the "Am I infected?" forum, I've run -
1. Dr. Web CureIt
2. MBAM
3. ATF Cleaner
4. SAS

I performed Spybot S&D before finding these forums.

Is one of these blocking the DDS program?

Thanks in advance for your help.



#2 KoanYorel

KoanYorel

    Bleepin' Conundrum


  • Members
  • 19,461 posts
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA

Posted 22 March 2009 - 11:37 AM

I have moved your post back to AII forum for additional help.
One needs a log to get help in the HJT forum.
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#3 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,416 posts
  • Gender:Male
  • Location:NJ USA

Posted 22 March 2009 - 12:44 PM

Hello, please rerun MBAM and we'll go from there.

Open MBAM in normal mode and click Update tab, select Check for Updates, when done
click Scanner tab, select Quick scan and scan.
After scan click Remove Selected, post new scan log and reboot into normal mode.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#4 Cb72hub


Posted 22 March 2009 - 01:15 PM

Hi,

Thanks for your help.

MBAM did find something.... here is the log.
I'll be back after reboot.




Malwarebytes' Anti-Malware 1.34
Database version: 1885
Windows 5.1.2600 Service Pack 3

3/22/2009 2:13:50 PM
mbam-log-2009-03-22 (14-13-50).txt

Scan type: Quick Scan
Objects scanned: 83376
Time elapsed: 12 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\lcwtbr.rtf (Trojan.Daonol) -> Quarantined and deleted successfully.

#5 boopme


Posted 22 March 2009 - 01:29 PM

Hello Gunnar, that was a good one to get off. What was the original issue you had that led you to want to run dds?

#6 Cb72hub


Posted 22 March 2009 - 01:40 PM

I was directed back here from HJT forum.
My first two attempts to run MBAM did not find anything. (see the linked thread in 1st post)

I'll give Google a try this evening (EST).

Is there a place I can find more info about this Trojan? Should I be concerned about a breach of sensitive information?

Thanks for your help.

#7 boopme


Posted 22 March 2009 - 02:04 PM

Hi, about which trojan exactly, as there were many.

Please download GooredFix and save it to your Desktop. Double-click Goored.exe to run it. Select 1. Find Goored (no fix) by typing 1 and pressing Enter. A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt). Note: Do not run Option #2 yet.


Some info on Trojan.Daonol.A

Let's also start a Rootkit scan.

Please navigate to the download page of Avira AntiRootkit and click on Download to save it to your Desktop.
  • You should now find a file called: antivir_rootkit.zip on your Desktop.
  • Extract the file to your Desktop (you may then delete the zip file).
  • You should now have a folder with Setup.exe and some other files within it on your Desktop.
  • Double-click Setup.exe.
  • Click Next.
  • Highlight the radio button to accept the license agreement and then click Next.
  • Then click Next and Install to finalise the installation process.
  • Click Finish (you may now also delete the folder with the extracted files from the zip archive)
You successfully installed Avira AntiRootkit!
  • Please now navigate to Start > All Programs > Avira RootKit Detection. Then select: Avira RootKit Detection
  • Click OK when a message window pops up
  • Click Start scan and let it run
  • Click View report and copy the entire contents into your next reply.


#8 Cb72hub


Posted 22 March 2009 - 06:46 PM

Hi,

I'm just getting back to this. Now I'm having problems with the browser staying open. Each time I try to go to any site other than Google, the browsers (Firefox and IE) crash. I'll download the programs onto a thumbdrive and load onto infected computer.

I'll post again when complete.

#9 Cb72hub


Posted 22 March 2009 - 07:09 PM

Below is the GooredFix log. I'm running the Avira now.

GooredFix v1.92 by jpshortstuff
Log created at 19:55 on 22/03/2009 running Option #1
Firefox version 3.0.7 (en-US)

=====Suspect Goored Entries=====

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.7\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.7\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{B7082FAA-CB62-4872-9106-E42DD88EDE45}"="C:\Program Files\McAfee\SiteAdvisor"

#10 Cb72hub


Posted 22 March 2009 - 07:23 PM

Here is the Avira log:


Avira AntiRootkit Tool - Beta (1.0.1.17)

========================================================================================================
- Scan started Sunday, March 22, 2009 - 19:59:24 PM
========================================================================================================

--------------------------------------------------------------------------------------------------------
Configuration:
--------------------------------------------------------------------------------------------------------
- [X] Scan files
- [X] Scan registry
- [X] Scan processes
- [ ] Fast scan
- Working disk total size : 71.30 GB
- Working disk free size : 1.58 GB (2 %)
--------------------------------------------------------------------------------------------------------

Scan task finished. No hidden objects detected!

--------------------------------------------------------------------------------------------------------
Files: 0/126428
Registry items: 0/405213
Processes: 0/45
Scan time: 00:19:25
--------------------------------------------------------------------------------------------------------
Active processes:
- jkbdxvme.exe (PID 2040) (Avira AntiRootkit Tool - Beta)
- System (PID 4)
- smss.exe (PID 952)
- csrss.exe (PID 1004)
- winlogon.exe (PID 1028)
- services.exe (PID 1072)
- lsass.exe (PID 1084)
- svchost.exe (PID 1268)
- svchost.exe (PID 1360)
- svchost.exe (PID 1400)
- EvtEng.exe (PID 1440)
- S24EvMon.exe (PID 1488)
- WLKEEPER.exe (PID 1552)
- svchost.exe (PID 1608)
- svchost.exe (PID 1736)
- spoolsv.exe (PID 1964)
- AppleMobileDeviceService.exe (PID 1716)
- MemeoService.exe (PID 1728)
- mDNSResponder.exe (PID 1816)
- CSHelper.exe (PID 1848)
- dvpapi.exe (PID 1864)
- IntuitUpdateService.exe (PID 1908)
- jqs.exe (PID 2044)
- CommandService.exe (PID 236)
- McSACore.exe (PID 260)
- mcmscsvc.exe (PID 376)
- McNASvc.exe (PID 572)
- McProxy.exe (PID 712)
- Mcshield.exe (PID 748)
- MpfSrv.exe (PID 816)
- MSCamS32.exe (PID 440)
- HPZipm12.exe (PID 1008)
- RegSrvc.exe (PID 1576)
- svchost.exe (PID 2112)
- ZCfgSvc.exe (PID 3496)
- alg.exe (PID 476)
- 1XConfig.exe (PID 3528)
- SynTPLpr.exe (PID 3844)
- SynTPEnh.exe (PID 228)
- iFrmewrk.exe (PID 1996)
- tfswctrl.exe (PID 2620)
- hpwuSchd2.exe (PID 2316)
- explorer.exe (PID 3960)
- mcsysmon.exe (PID 644)
- avirarkd.exe (PID 2824)
========================================================================================================
- Scan finished Sunday, March 22, 2009 - 20:18:49 PM
========================================================================================================

#11 boopme


Posted 22 March 2009 - 07:37 PM

Ok, this is tough, let's do an online scan. If no luck we'll do an HJT log.

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


#12 Cb72hub


Posted 23 March 2009 - 05:28 AM

Kaspersky did not find anything additional. The results are below.
Interesting observation - I was able to go to Kaspersky website using the infected computer and run the scan. When I tried to go to bleepingcomputer to post results, the browser crashed. Tried 3 times.

I also tried to start the DDS scan but black window still flashes and disappears.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Monday, March 23, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, March 23, 2009 00:58:42
Records in database: 1952916
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
Z:\

Scan statistics:
Files scanned: 113563
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 03:27:19

No malware has been detected. The scan area is clean.

The selected area was scanned.

#13 boopme


Posted 23 March 2009 - 09:47 AM

If you cannot get DDS to work, please try this instead.

Please download RSIT by random/random and save it to your Desktop.
Note: You will need to run this tool while connected to the Internet so it can download HijackThis if it is not located on your system. If you get a warning from your firewall or other security programs regarding RSIT attempting to contact the Internet, please allow the connection.
  • Close all applications and windows so that you have nothing open and are at your Desktop.
  • Double-click on RSIT.exe to start the program.
  • If using Windows Vista, be sure to Run As Administrator.
  • Click Continue after reading the disclaimer screen.
  • Leave the drop down box set to default: "List/folders created or modified in the last 1 month (30 days)".
  • When the scan is complete, a text file named log.txt will automatically open in Notepad.
  • Save the log file to your desktop and copy/paste the contents into a new topic in the HijackThis Logs and Malware Removal forum, NOT here.
Important: Be sure to mention that you tried to follow the Prep Guide but were unable to get DDS to run.
If RSIT did not work, then reply back here.

#14 Cb72hub


Posted 23 March 2009 - 07:35 PM

Just following up.... RSIT did work and I posted the log in HJT forum.
Before I forget, I want to express my appreciation for the time, knowledge, and patience you and Quietman7 (from 1st thread) have provided. I'm amazed by the number of people you help.

You guys and gals are great.

#15 boopme


Posted 23 March 2009 - 07:44 PM

Thanks for that. You're welcome from all of us.

Now that your log is properly posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

To avoid confusion, I am closing this topic.