
It closes down my browser, re-routes pages..


26 replies to this topic

#1 dreygenfli

  • Members
  • 14 posts

Posted 13 January 2010 - 08:37 PM

We are running Windows XP.

When I start up my account on my computer, I get an error saying Google Installer encountered a problem and had to close.

If we go into Firefox and type in a page, the browser often reroutes to another page, such as hxxp://www.physicos.com/search.php

When I start up Firefox I get a message that asks if I want to make it my default browser. It always was, and this is something the bug changed. Even if I click yes, it asks again the next time I start Firefox.

Eventually the browser freezes and the mouse moves around but we can't click anything and have to shut down the computer. I typed most of this from safe mode.

If we try to use Internet Explorer (not our usual practice) it simply shuts down after you surf off the homepage. My husband has seen some popups on his account, and the bug installed a bunch of dirty icons on our desktop....

THANK YOU TO WHOMEVER HELPS. IT IS Soooo APPRECIATED,


DDS (Ver_09-12-01.01) - NTFSx86 NETWORK
Run by Sara at 20:19:44.00 on Wed 01/13/2010
Internet Explorer: 8.0.6001.18372 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2613 [GMT -5:00]

AV: Malware Defense *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Citrix\GoToAssist\514\G2AProcessFactory.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Documents and Settings\Sara\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=2090106
uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us-smb
uDefault_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=2090106
uSearch Bar = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us-smb
mSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=2090106
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp /HIDEBL
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [OEM13Mon.exe] c:\windows\OEM13Mon.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [DELL Webcam Manager] "c:\program files\dell\dell webcam manager\DellWMgr.exe" /s
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [APVXDWIN] "c:\program files\panda security\panda antivirus pro 2010\APVXDWIN.EXE" /s
mRun: [SCANINICIO] "c:\program files\panda security\panda antivirus pro 2010\Inicio.exe"
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {88CFA58B-A63F-4A94-9C54-0C7A58E3333E} - {17A84966-F1E9-4645-AA9E-5E771EE1C859} - c:\progra~1\nuclea~1\videoget\plugins\VIDEOG~1.DLL
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Notify: avldr - avldr.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
AppInit_DLLs: AVGRSSTX.DLL c:\progra~1\google\google~3\GOEC62~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\sara\applic~1\mozilla\firefox\profiles\wa27taqw.default\
FF - prefs.js: browser.search.selectedEngine - GoogleCOM
FF - prefs.js: keyword.URL - hxxp://www.ffgoo.com/search/?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\documents and settings\sara\application data\move networks\plugins\npqmp071505000010.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1698.5652\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

FF - user.js: browser.search.selectedEngine - GoogleCOM
FF - user.js: keyword.URL - hxxp://www.ffgoo.com/search/?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=

============= SERVICES / DRIVERS ===============

R3 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [2009-1-6 51288]
R3 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [2009-1-6 43608]
S0 pavboot;Panda boot driver;c:\windows\system32\drivers\pavboot.sys [2010-1-12 28552]
S1 ShldDrv;Panda File Shield Driver;c:\windows\system32\drivers\shldrv51.sys --> c:\windows\system32\drivers\ShlDrv51.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-9-12 133104]
S2 Gwmsrv;Panda Goodware Cache Manager;c:\windows\system32\svchost -k panda --> c:\windows\system32\svchost -k Panda [?]
S2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2009-9-22 10384]
S2 Panda Software Controller;Panda Software Controller;c:\program files\panda security\panda antivirus pro 2010\PsCtrlS.exe [2010-1-12 173312]
S2 PAVDRV;pavdrv;c:\windows\system32\drivers\pavdrv51.sys [2010-1-12 84024]
S2 PAVFNSVR;Panda Function Service;c:\program files\panda security\panda antivirus pro 2010\PavFnSvr.exe [2010-1-12 169216]
S2 PavProc;Panda Process Protection Driver;\??\c:\windows\system32\drivers\pavproc.sys --> c:\windows\system32\drivers\PavProc.sys [?]
S2 PavPrSrv;Panda Process Protection Service;"c:\program files\common files\panda software\pavshld\pavprsrv.exe" --> c:\program files\common files\panda software\pavshld\pavprsrv.exe [?]
S2 PAVSRV;Panda On-Access Anti-Malware Service;c:\program files\panda security\panda antivirus pro 2010\PAVSRV51.EXE [2010-1-12 291584]
S2 PskSvcRetail;Panda PSK service;c:\program files\panda security\panda antivirus pro 2010\psksvc.exe [2010-1-12 28928]
S2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\viewpoint\common\viewpointservice.exe" --> c:\program files\viewpoint\common\ViewpointService.exe [?]
S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\google\google desktop search\GoogleDesktop.exe [2009-1-6 30192]
S3 OEM13Afx;Provides a software interface to control audio effects of OEM013 camera.;c:\windows\system32\drivers\OEM13Afx.sys [2009-1-6 141376]
S3 OEM13Vfx;Creative Camera OEM013 Video VFX Driver;c:\windows\system32\drivers\OEM13Vfx.sys [2009-1-6 7424]
S3 OEM13Vid;Creative Camera OEM013 Driver;c:\windows\system32\drivers\OEM13Vid.sys [2009-1-6 235840]
S3 PavTPK.sys;PavTPK.sys;\??\c:\windows\system32\pavtpk.sys --> c:\windows\system32\PavTPK.sys [?]

============== File Associations ===============

JSEFile=c:\progra~1\pandas~1\pandaa~1\PavScrip.exe "%1" %*
VBEFile=c:\progra~1\pandas~1\pandaa~1\PavScrip.exe "%1" %*
VBSFile=c:\progra~1\pandas~1\pandaa~1\PavScrip.exe "%1" %*

=============== Created Last 30 ================

2010-01-13 12:35:28 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-01-13 02:44:49 0 d-----w- c:\program files\Trend Micro
2010-01-13 02:23:14 0 d-----w- c:\program files\CCleaner
2010-01-13 02:04:16 250 ----a-w- c:\windows\system32\PavCPL.dat
2010-01-13 02:03:54 54832 ----a-w- c:\windows\system32\pavcpl.cpl
2010-01-13 02:03:46 446464 ----a-w- c:\windows\system32\HHActiveX.dll
2010-01-13 02:03:34 87296 ----a-w- c:\windows\system32\PavLspHook.dll
2010-01-13 02:03:34 55552 ----a-w- c:\windows\system32\pavipc.dll
2010-01-13 02:03:34 518400 ----a-w- c:\windows\system32\PavSHook.dll
2010-01-13 02:03:34 193792 ----a-w- c:\windows\system32\TpUtil.dll
2010-01-13 02:03:34 107568 ----a-w- c:\windows\system32\SYSTOOLS.DLL
2010-01-13 02:03:29 84024 ----a-w- c:\windows\system32\drivers\pavdrv51.sys
2010-01-13 02:03:29 58672 ----a-w- c:\windows\system32\avldr.dll
2010-01-13 02:03:29 0 d-----w- c:\windows\system32\PAV
2010-01-13 02:03:28 0 d-----w- c:\program files\Panda Security
2010-01-13 02:03:27 0 d-----w- c:\docume~1\sara\applic~1\Panda Security
2010-01-13 02:03:26 0 d-----w- c:\docume~1\alluse~1\applic~1\Panda Security
2010-01-13 02:01:26 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2010-01-11 23:53:39 0 d-----w- c:\program files\Malware Defense
2009-12-29 00:08:44 38 ----a-w- c:\windows\avisplitter.ini
2009-12-29 00:08:44 178176 ----a-w- c:\windows\system32\unrar.dll
2009-12-29 00:08:43 881664 ----a-w- c:\windows\system32\xvidcore.dll
2009-12-29 00:08:43 839680 ----a-w- c:\windows\system32\lameACM.acm
2009-12-29 00:08:43 414 ----a-w- c:\windows\system32\lame_acm.xml
2009-12-29 00:08:43 217088 ----a-w- c:\windows\system32\yv12vfw.dll
2009-12-29 00:08:43 205824 ----a-w- c:\windows\system32\xvidvfw.dll
2009-12-29 00:08:43 118784 ----a-w- c:\windows\system32\ac3acm.acm
2009-12-29 00:08:42 85504 ----a-w- c:\windows\system32\ff_vfw.dll
2009-12-29 00:08:42 547 ----a-w- c:\windows\system32\ff_vfw.dll.manifest
2009-12-29 00:08:40 0 d-----w- c:\program files\K-Lite Codec Pack
2009-12-28 23:41:59 0 d-----w- c:\docume~1\alluse~1\applic~1\Citrix
2009-12-28 23:41:32 0 d-----w- c:\program files\Citrix
2009-12-28 12:07:23 0 d-----w- c:\program files\iPod
2009-12-28 12:07:18 0 d-----w- c:\program files\iTunes
2009-12-28 11:58:47 18144 ---ha-w- c:\windows\system32\mlfcache.dat
2009-12-16 01:30:29 0 d-----w- c:\windows\system32\appmgmt

==================== Find3M ====================

2010-01-10 21:12:22 70752 ----a-w- c:\windows\system32\nvModes.dat
2009-11-06 15:59:54 15406728 ----a-w- c:\windows\system32\xlive.dll
2009-11-06 15:59:54 13642888 ----a-w- c:\windows\system32\xlivefnt.dll
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-01-06 18:26:26 76 --sh--r- c:\windows\CT4CET.bin

============= FINISH: 20:20:49.57 ===============



Edited by dreygenfli, 14 January 2010 - 11:09 AM.
Deactivate link to protect readers. ~ OB
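Added example, not code from this thread or from the DDS tool: a small Python parser that reads lines in the format of the DDS Pseudo HJT Report and FIREFOX sections above and flags the entries a log reviewer looks at first: search-page and keyword.URL values pointing at a host outside an expected list, Winlogon Notify DLLs given without a path (like the avldr entry in this log), and any AppInit_DLLs. The sample lines are constructed from that format, the redirect.example host is invented, and the expected-host set is an assumption.

```python
import re
from urllib.parse import urlparse

# Constructed sample in the format of the DDS "Pseudo HJT Report" and FIREFOX
# sections. hxxp:// is the forum's defanged spelling of http://; the
# redirect.example host is a made-up stand-in for a hijacked search page.
SAMPLE_DDS = r"""
uStart Page = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk
uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us-smb
mSearch Bar = hxxp://redirect.example/search.php
Notify: avldr - avldr.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
AppInit_DLLs: AVGRSSTX.DLL c:\progra~1\google\google~3\GOEC62~1.DLL
FF - prefs.js: browser.search.selectedEngine - GoogleCOM
FF - prefs.js: keyword.URL - hxxp://www.ffgoo.com/search/?ie=UTF-8&sourceid=navclient&q=
FF - user.js: keyword.URL - hxxp://www.ffgoo.com/search/?ie=UTF-8&sourceid=navclient&q=
"""

# Hosts this (Dell OEM) build is expected to use for search. This is an
# assumption; adjust it to the machine being reviewed.
EXPECTED_SEARCH_HOSTS = {"www.google.com", "partnerpage.google.com"}


def refang(url):
    """Turn the defanged hxxp:// scheme back into http:// so urlparse works."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def host_of(url):
    """Hostname of a DDS URL value; scheme-less values are treated as http."""
    url = refang(url)
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def find_hijack_indicators(dds_text, expected_hosts=EXPECTED_SEARCH_HOSTS):
    """Return (category, line) pairs for DDS lines that merit a closer look."""
    findings = []
    for raw in dds_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # Firefox keyword.URL: where address-bar searches are sent.
        m = re.match(r"FF - (prefs|user)\.js: keyword\.URL - (\S+)", line)
        if m:
            if host_of(m.group(2)) not in expected_hosts:
                # user.js is re-applied at every Firefox start, so a value set
                # there survives the user resetting it in about:config.
                cat = "ff_keyword_url_persistent" if m.group(1) == "user" else "ff_keyword_url"
                findings.append((cat, line))
            continue
        # IE start/search pages (u = current user hive, m = machine hive).
        m = re.match(r"[um][A-Za-z_][^=:]* = (\S+)", line)
        if m:
            if host_of(m.group(1)) not in expected_hosts:
                findings.append(("ie_search_page", line))
            continue
        # Winlogon Notify packages are loaded into winlogon.exe; a bare file
        # name with no directory is resolved through the DLL search path.
        m = re.match(r"Notify: \S+ - (.+)", line)
        if m:
            if "\\" not in m.group(1):
                findings.append(("winlogon_notify_bare_dll", line))
            continue
        # AppInit_DLLs are injected into every process that loads user32.dll,
        # so anything listed here is worth identifying, legitimate or not.
        if line.startswith("AppInit_DLLs:"):
            findings.append(("appinit_dlls", line))
    return findings


if __name__ == "__main__":
    for category, line in find_hijack_indicators(SAMPLE_DDS):
        print(f"{category:28} {line}")
```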




#2 thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 15 January 2010 - 10:16 PM

Hello dreygenfli. Welcome to the BC HijackThis Log and Analysis forum. I will be assisting you in cleaning up your system.


I ask that you refrain from running tools other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.



In the upper right hand corner of the topic you will see a button called Options. If you click on this, in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic, and this will facilitate the cleaning of your machine.


Please keep in mind that we have a large backlog of users just like yourself waiting to be helped so try to be as timely as possible in your replies. Since we do this on a part-time voluntary basis we are limited on how many logs we can respond to and keep open due to time restraints. If you have to be away or can't answer for some other reason just let me know. Thank you for your understanding.



After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.





I need for you to perform the following:


  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt". Please copy and paste the contents of that file here.

Please pay attention to what shows when it finishes as there have been cases where people could not find the log to post. The main thing is to see if it says it has found some files and removed them.



Note: Please post the log in the reply window and do not make it an attachment. Do this with all subsequent replies unless I ask otherwise.







Thanks,



thewall





If I have helped you then please consider donating so I can continue the fight against malware Posted Image
All donations go directly to the helper

Posted Image

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#3 dreygenfli

  • Topic Starter
  • Members
  • 14 posts

Posted 16 January 2010 - 04:28 PM

Thank you so much for helping, first of all. I ran TDSSKiller as you instructed; however, a black box popped up for a split second and the log file is not found anywhere on the computer. The other issue is I cannot get onto BleepingComputer from the infected computer. The browser will not go to the forum. I have to check the instructions from my phone and do them on the computer... tricky!!

#4 thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 16 January 2010 - 05:32 PM

How did you manage to get the file onto your computer that is infected? And have you tried Safe Mode with Networking to get to the site?

#5 dreygenfli

  • Topic Starter
  • Members
  • 14 posts

Posted 18 January 2010 - 10:37 AM

QUOTE(thewall @ Jan 16 2010, 05:32 PM)
How did you manage to get the file onto your computer that is infected? And have you tried Safe Mode with Networking to get to the site?


My husband was surfing around his forums and regular internet surfing and got one of those browsers that looks like it is scanning all of your drives and it prompts you to run a scan on the computer. I believe he clicked yes - then our regular antivirus program (AVG) opened up and uninstalled itself (or the virus uninstalled it). Ever since we have had the issue.
I cannot even get onto bleeping computer via safemode.

#6 thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 18 January 2010 - 02:12 PM

Sorry about that, my question was not very clear. I meant how did you manage to get TDSSKiller onto your infected machine after I asked you to run it. I'm trying to figure out how we can transfer files if we need to. Do you have another computer you can use and a pen drive if needed?

#7 dreygenfli

  • Topic Starter
  • Members
  • 14 posts

Posted 18 January 2010 - 02:16 PM

QUOTE(thewall @ Jan 18 2010, 02:12 PM)
Sorry about that, my question was not very clear. I meant how did you manage to get TDSSKiller onto your infected machine after I asked you to run it. I'm trying to figure out how we can transfer files if we need to. Do you have another computer you can use and a pen drive if needed?


Oh! I can check this forum from my phone, so I typed in the link to download TDSSKiller on the infected machine. I also have access to another machine and a pen drive.

#8 thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 18 January 2010 - 02:44 PM

We're going to try to get ComboFix onto your computer and I am trying to figure out the best way to do so. Since you have XP it will be necessary to download the Recovery Console also so I believe the best way would be to do it with a pen drive.

What you can do is download both the ComboFix file to the pen drive and then see if your infected computer will recognize the pen drive and upload them to your Desktop. If so then you can go ahead with instructions which will involve the installing of the RC. If you are not able to do so let me know.

If anything I write is not clear or you have any questions, don't hesitate to ask me. Also, if you think it will be easier to try to access CF like you did the TDSSKiller file then go ahead and do so; it is just imperative the Recovery Console is loaded up when CF starts its routine.



Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Instruction can be found HERE
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:





Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.






#9 dreygenfli

  • Topic Starter
  • Members
  • 14 posts

Posted 19 January 2010 - 10:07 AM

I sent the file to my email and downloaded it to the computer, but if the file is named "combofix.exe" it won't run at all. When it has another name the file starts to load and then I get an error that says "installation files corrupt please download a new copy of the file".

I did however track down my pen drive, will save the exe on there today and see if I can put it on the infected system's desktop. Should I rename it before putting it on the PC?

#10 thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 19 January 2010 - 10:47 AM

Yes, that might be a good idea, just something you can remember.

One other thing I just thought of. We were having some issues with the ComboFix downloads yesterday and depending on when you tried to download it that could have something to do with the problem. It was resolved yesterday evening my time so it could be what you tried first may work now, I don't know for sure but it might be worth a try to delete the earlier version and download a new one.

Edited by thewall, 19 January 2010 - 10:49 AM.


#11 dreygenfli

  • Topic Starter
  • Members
  • 14 posts

Posted 19 January 2010 - 11:15 AM

Sounds good, I am not home for the next day so if all goes well I will post the txt Thursday AM.

#12 thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 19 January 2010 - 11:29 AM

That will be fine, if for some reason you are going to be over 5 days just let me know so I don't lock the thread.

#13 dreygenfli

  • Topic Starter
  • Members
  • 14 posts

Posted 22 January 2010 - 09:00 PM

ComboFix is running. Before it created a log it found root files, which I wrote down, and it needed to reboot. Stay tuned...

Edited by dreygenfli, 22 January 2010 - 09:30 PM.


#14 thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 22 January 2010 - 09:27 PM

Did you use your pen drive to download the program and from there upload it to the Desktop?

#15 dreygenfli

  • Topic Starter
  • Members
  • 14 posts

Posted 22 January 2010 - 09:33 PM

Never mind... it loaded really slowly, but now ComboFix is running! I did move it from the pen drive to the desktop. ComboFix found root files that it told me to write down, then it rebooted the system. Now it is scanning.



