
Did a virus move/delete explorer.exe? Any way to resolve?


19 replies to this topic

#1 aggiegrant (Members, 12 posts)

Posted 19 September 2010 - 06:55 PM

I received a virus suspicious.mystic along with Trojan.FakeAV!gen30 the other day. When I restarted my computer, windows loaded and the screen was totally black with no icons/taskbar.

I am running Windows 7, 32 bit.

I have read several topics concerning this and ran the following antivirus/spam programs (TDSS Rootkill, Malwarebytes, ATF and Super). I believe that Explorer.exe somehow got corrupted and after the virus scans, it was totally deleted off my computer (or hidden somewhere?).

I have gone into the task manager and tried to run explorer.exe and I get an error that the file does not exist. I checked in the C:\windows file and it is not there.

Is there any way to fix this? Replace Explorer.exe?


#2 DaChew (Visiting Alien, Members, 10,317 posts, Location: millenium falcon and rockytop)

Posted 19 September 2010 - 07:12 PM

Have you set 7 to show hidden files?

http://www.bleepingcomputer.com/tutorials/show-hidden-files-in-windows-7/

Have you tried safe mode?

http://www.bleepingcomputer.com/tutorials/how-to-start-windows-in-safe-mode/
Chewy

No. Try not. Do... or do not. There is no try.

#3 aggiegrant (Topic Starter, Members, 12 posts)

Posted 20 September 2010 - 08:01 PM

Thank you for the reply.

I followed the tutorial on showing hidden files, but since I cannot access my desktop, I had to run a search in the Task Manager for "control panel". It pulled up this:
C:\Windows\System32\control.exe
After trying to run this, which I assume is the control panel application, it gave me an error that "windows cannot find (insert long garbled file name, I assume a DLL file?) to run control.exe".
So, in essence, I was not able to show hidden files.

As for safe mode, I am able to boot in safe mode but the situation does not change. Still a black screen, no Explorer.exe, etc.

Any more words of advice are appreciated.

#4 DaChew (Visiting Alien, Members, 10,317 posts, Location: millenium falcon and rockytop)

Posted 20 September 2010 - 08:19 PM

Start > Run > CMD > Right Click and Run as administrator > SFC /SCANNOW

Let's see if we can get some more expert help here

Do you have a windows 7 disk?

http://www.bleepingcomputer.com/tutorials/windows-7-recovery-environment-command-prompt/
Chewy

No. Try not. Do... or do not. There is no try.

#5 aggiegrant (Topic Starter, Members, 12 posts)

Posted 21 September 2010 - 07:26 PM

I ran the SFC /SCANNOW and it stated that some errors had been fixed once I reboot. After reboot, everything is still the same. No desktop, no explorer.exe, etc.

I do have a windows 7 disk.

Next Steps?

#6 DaChew (Visiting Alien, Members, 10,317 posts, Location: millenium falcon and rockytop)

Posted 21 September 2010 - 07:42 PM

http://www.bleepingcomputer.com/tutorials/windows-7-recovery-environment-command-prompt/

Would you try the repair option first?


Chewy

No. Try not. Do... or do not. There is no try.

#7 aggiegrant (Topic Starter, Members, 12 posts)

Posted 21 September 2010 - 07:49 PM

Tried the repair option. Stated "No problems found".

Any other suggestions?

Edited by aggiegrant, 21 September 2010 - 07:51 PM.


#8 DaChew (Visiting Alien, Members, 10,317 posts, Location: millenium falcon and rockytop)

Posted 21 September 2010 - 08:11 PM

I am going to red flag this thread by referring the problem to our experts in unbootable computers caused by this rootkit.

Help should arrive, but be patient please.


Chewy

No. Try not. Do... or do not. There is no try.

#9 aggiegrant (Topic Starter, Members, 12 posts)

Posted 21 September 2010 - 08:28 PM

Thanks Chewy for your help. I will await the reply.

#10 DaChew (Visiting Alien, Members, 10,317 posts, Location: millenium falcon and rockytop)

Posted 23 September 2010 - 04:36 PM

On this XP computer there's a copy of explorer.exe in

C:\WINDOWS\system32\dllcache
Chewy

No. Try not. Do... or do not. There is no try.

#11 JSntgRvr (Master Surgeon General, Malware Response Team, 11,581 posts, Location: Puerto Rico)

Posted 23 September 2010 - 05:11 PM

In the Task Manager, Applications tab, while holding down the Ctrl key, click on New Task. That should open an MS-DOS window. At the prompt type the following and press Enter:

Dir /a C:\Explorer.exe /s

That should list the copies of Explorer.exe in your computer.

Is there a copy in the C:\Windows folder? If not, copy one of the others found into the C:\Windows folder.

No request for help through private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
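Before copying whichever explorer.exe the search turns up into C:\Windows, it is worth checking what is being copied: the search above lists every copy on the drive, and the next post shows that the one the poster picked was immediately flagged by Norton. The script below is an added example, not code from the thread or from any BleepingComputer tool. It assumes Windows 7 x86 with PowerShell 2.0 or later run from the elevated prompt opened above; the function names, the use of the WinSxS component store as the trusted source, and the `.suspect` rename are my choices, not something the thread prescribes.

```powershell
# Added example, not part of the thread or of any BleepingComputer tool.
# Assumes Windows 7 x86 with PowerShell 2.0 or later, started from an elevated
# prompt (the Ctrl + "New Task" command window above, then "powershell").
# Paths are the standard Windows ones; nothing is specific to the poster's PC.

function Get-Sha256Hex {
    param([string]$Path)
    # Get-FileHash only arrived in PowerShell 4, so hash through .NET instead.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { ([System.BitConverter]::ToString($sha.ComputeHash($fs))) -replace '-', '' }
    finally { $fs.Close() }
}

function Get-ExplorerCandidates {
    param([string]$Root = ($env:SystemDrive + '\'))
    $winsxs = Join-Path $env:WINDIR 'winsxs'
    # -Force includes hidden/system files, which matters when malware hides a copy.
    Get-ChildItem -Path $Root -Filter 'explorer.exe' -Recurse -Force -ErrorAction SilentlyContinue |
      ForEach-Object {
        $vi  = $_.VersionInfo
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        New-Object PSObject -Property @{
            Path      = $_.FullName
            Size      = $_.Length
            # FileVersion is free text on Win7 ("6.1.7600.16385 (win7_rtm...)"),
            # so build a sortable [version] from the numeric parts instead.
            Version   = [version]('{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
            # Caveat: Windows 7 system binaries are catalog-signed, so Status can read
            # NotSigned for a genuine file. Valid is good news; NotSigned alone is not
            # proof of tampering (Sysinternals sigcheck does check catalogs).
            SigStatus = $sig.Status
            SHA256    = Get-Sha256Hex $_.FullName
            InWinSxS  = $_.FullName.StartsWith($winsxs, [System.StringComparison]::OrdinalIgnoreCase)
        }
      }
}

function Restore-ExplorerFromWinSxS {
    param([switch]$WhatIf)
    $target = Join-Path $env:WINDIR 'explorer.exe'
    $store  = Get-ExplorerCandidates | Where-Object { $_.InWinSxS }
    if (-not $store) { throw 'No explorer.exe in the component store; fall back to SFC or the install DVD.' }
    # The component store is what SFC restores from; take the newest build it holds.
    $best = $store | Sort-Object Version -Descending | Select-Object -First 1
    if (Test-Path $target) {
        $current = Get-Sha256Hex $target
        if ($current -eq $best.SHA256) {
            Write-Host "$target already matches $($best.Path); nothing to do."
            return
        }
        # Keep the suspect file for analysis rather than overwriting the evidence.
        Write-Warning "$target (SHA256 $current) differs from the component-store copy."
        Move-Item -Path $target -Destination "$target.suspect" -Force -WhatIf:$WhatIf
    }
    Write-Host "Restoring $($best.Path) (version $($best.Version)) to $target"
    Copy-Item -Path $best.Path -Destination $target -WhatIf:$WhatIf
}

# Review the candidates first, then restore (drop -WhatIf to actually copy):
Get-ExplorerCandidates | Sort-Object InWinSxS, Version | Format-Table Path, Version, SigStatus, SHA256 -AutoSize
Restore-ExplorerFromWinSxS -WhatIf
```

A copy whose SHA256 matches none of the WinSxS versions, or that sits somewhere other than C:\Windows and the component store, is exactly the kind of file that should be left alone and submitted for analysis rather than promoted to the shell. Run the restore without `-WhatIf` only after the table looks sane, then log off and back on (or reboot) so Winlogon starts the restored shell.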


#12 aggiegrant (Topic Starter, Members, 12 posts)

Posted 23 September 2010 - 09:46 PM

I ran the scan and found several folders that had the Explorer.exe. When I copied one of these into my c:\windows folder, my Norton antivirus automatically removed it and said it was a "suspicious.mystic" threat. I went into the details and excluded this file from being quarantined so that Norton wouldn't remove it.

After a reboot my desktop is back! Should I be worried that Norton picked up Explorer.exe as this threat? Since this file has been excluded from any future scans by Norton, does this cause some concern in case any future attacks happen to hit the Explorer.exe file?

#13 JSntgRvr (Master Surgeon General, Malware Response Team, 11,581 posts, Location: Puerto Rico)

Posted 23 September 2010 - 10:44 PM

QUOTE(aggiegrant @ Sep 23 2010, 10:46 PM)
I ran the scan and found several folders that had the Explorer.exe. When I copied one of these into my c:\windows folder, my Norton antivirus automatically removed it and said it was a "suspicious.mystic" threat. I went into the details and excluded this file from being quarantined so that Norton wouldn't remove it.

After a reboot my desktop is back! Should I be worried that Norton picked up Explorer.exe as this threat? Since this file has been excluded from any future scans by Norton, does this cause some concern in case any future attacks happen to hit the Explorer.exe file?

Not yet. Please follow these steps:

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    -----------------------------------------------------------
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      -----------------------------------------------------------
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    -----------------------------------------------------------
  4. Double click on combofix.exe & follow the prompts.
  5. Install the Recovery Console if prompted.
  6. When finished, it will produce a report for you.
  7. Please post the "C:\ComboFix.txt" .
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything (always allow your antivirus/antispyware to update) unless told to do so while we are fixing your problem. If combofix alerts to a new version and offers to update, please let it. It is essential we always use the latest version.

No request for help through private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#14 aggiegrant (Topic Starter, Members, 12 posts)

Posted 24 September 2010 - 08:22 PM

I have run Combofix.exe. Below is the C:\ComboFix.txt. Is everything good to go?

ComboFix 10-09-24.03 - Grant 09/24/2010 20:03:29.1.2 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.3293.2371 [GMT -5:00]
Running from: c:\users\Grant\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\Public\Documents\Server\admin.txt
c:\users\Public\Documents\Server\server.dat
c:\windows\TEMP\logishrd\LVPrcInj03.dll
D:\Autorun.inf

Infected copy of c:\windows\explorer.exe was found and disinfected
Restored copy from - c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20563_none_52283b2af41f3691\explorer.exe

Infected copy of c:\windows\System32\wininit.exe was found and disinfected
Restored copy from - c:\windows\winsxs\x86_microsoft-windows-wininit_31bf3856ad364e35_6.1.7600.16385_none_30c90ef265a43c13\wininit.exe

Infected copy of c:\windows\explorer.exe was found and disinfected
Restored copy from - c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20563_none_52283b2af41f3691\explorer.exe
.
((((((((((((((((((((((((( Files Created from 2010-08-25 to 2010-09-25 )))))))))))))))))))))))))))))))
.

2010-09-25 01:08 . 2010-09-25 01:08 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-09-24 02:33 . 2009-10-31 06:00 2614272 ----a-w- c:\windows\explorer.exe
2010-09-23 08:02 . 2010-09-23 08:02 -------- d-----w- c:\windows\PCHEALTH
2010-09-22 11:23 . 2010-08-21 05:32 316928 ----a-w- c:\windows\system32\spoolsv.exe
2010-09-22 03:09 . 2010-09-22 03:09 -------- d-----w- c:\users\Grant\AppData\Local\Adobe
2010-09-18 08:17 . 2010-09-18 08:17 -------- d-----w- c:\users\Grant\AppData\Local\Apple
2010-09-16 00:04 . 2010-09-24 02:39 -------- d-----w- c:\programdata\RegCure
2010-09-15 23:17 . 2010-09-15 23:17 -------- d-----w- C:\$WINDOWS.~BT
2010-09-15 00:58 . 2010-09-15 00:58 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2010-09-14 23:18 . 2010-09-14 23:18 -------- d-----w- c:\users\Grant\AppData\Roaming\Malwarebytes
2010-09-14 23:18 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-14 23:18 . 2010-09-16 00:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-14 23:18 . 2010-09-14 23:18 -------- d-----w- c:\programdata\Malwarebytes
2010-09-14 23:18 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-14 02:22 . 2010-09-14 02:22 -------- d-----w- c:\users\Grant\AppData\Roaming\121B72745C79BC6679958C5B92C5CD89
2010-09-08 00:09 . 2010-09-08 00:09 -------- d-----w- c:\users\Grant\AppData\Roaming\eMusic
2010-09-08 00:09 . 2010-09-08 00:09 -------- d-----w- c:\users\Grant\AppData\Local\eMusic
2010-09-08 00:09 . 2010-09-08 00:09 -------- d-----w- c:\program files\eMusic Download Manager
2010-09-07 23:47 . 2010-09-07 23:47 -------- d-----w- c:\program files\iPod
2010-09-07 23:47 . 2010-09-16 00:17 -------- d-----w- c:\program files\iTunes
2010-09-07 23:44 . 2010-09-07 23:44 73000 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 10.0.0.68\SetupAdmin.exe
2010-09-04 13:42 . 2010-09-04 13:42 -------- d-----w- c:\users\Grant\AppData\Roaming\Motive
2010-09-04 13:42 . 2010-09-16 00:17 -------- d-----w- c:\program files\ATT-SST
2010-09-04 13:40 . 2010-09-16 00:00 -------- d-----w- c:\program files\Common Files\Motive
2010-09-04 13:40 . 2010-09-04 13:42 -------- d-----w- c:\programdata\Motive
2010-09-03 21:22 . 2010-09-03 21:22 -------- d-----w- c:\users\Grant\AppData\Roaming\SSDir
2010-09-03 21:22 . 2009-07-14 01:14 537600 ----a-w- c:\windows\system32\PlasmaView32l.dll
2010-09-01 02:37 . 2010-08-17 18:10 372736 ------w- c:\programdata\Dell\DSL\DSLCheck.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-24 02:48 . 2009-11-16 00:16 108824 ----a-w- c:\users\Grant\AppData\Local\GDIPFONTCACHEV1.DAT
2010-09-24 02:46 . 2009-11-18 23:37 -------- d-----w- c:\program files\Norton Utilities 14
2010-09-24 02:38 . 2009-06-04 19:06 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-09-24 02:24 . 2010-03-20 00:05 118864 ----a-w- c:\users\Grant\AGbillsOFXLOG.DAT
2010-09-23 08:02 . 2009-06-23 00:38 -------- d-----w- c:\programdata\Microsoft Help
2010-09-23 00:03 . 2010-03-20 00:05 559280 ----a-w- c:\users\Grant\AGbillsOFXOLD.DAT
2010-09-17 11:38 . 2010-05-13 02:24 -------- d-----w- c:\program files\Google
2010-09-16 00:17 . 2010-08-18 02:30 -------- d-----w- c:\program files\QuickTime
2010-09-16 00:17 . 2010-08-18 02:24 -------- d-----w- c:\program files\Bonjour
2010-09-16 00:17 . 2010-03-21 22:35 -------- d-----r- c:\program files\Skype
2010-09-16 00:17 . 2009-07-11 00:30 -------- d-----w- c:\program files\Winamp
2010-09-16 00:17 . 2009-06-26 00:39 -------- d-----w- c:\program files\uTorrent
2010-09-16 00:17 . 2009-06-24 01:40 -------- d-----w- c:\program files\Apple Software Update
2010-09-16 00:17 . 2009-06-24 01:04 -------- d-----w- c:\program files\Quicken
2010-09-16 00:17 . 2009-07-11 00:30 -------- d-----w- c:\users\Grant\AppData\Roaming\Winamp
2010-09-16 00:17 . 2009-07-03 12:34 -------- d-----w- c:\users\Grant\AppData\Roaming\ICAClient
2010-09-16 00:17 . 2009-06-26 00:39 -------- d-----w- c:\users\Grant\AppData\Roaming\uTorrent
2010-09-15 00:40 . 2009-07-13 23:12 338944 ----a-w- c:\windows\system32\drivers\afd.sys
2010-09-07 23:47 . 2009-06-24 01:39 -------- d-----w- c:\program files\Common Files\Apple
2010-09-04 01:29 . 2009-06-04 19:17 -------- d-----w- c:\programdata\Dell
2010-08-22 19:55 . 2010-08-22 19:55 -------- d-----w- c:\program files\Elaborate Bytes
2010-08-22 18:30 . 2010-08-22 18:30 -------- d--h--r- c:\users\Grant\AppData\Roaming\SecuROM
2010-08-22 15:21 . 2010-03-21 22:35 -------- d-----w- c:\users\Grant\AppData\Roaming\Skype
2010-08-22 15:17 . 2010-03-21 22:36 -------- d-----w- c:\users\Grant\AppData\Roaming\skypePM
2010-08-22 14:29 . 2010-08-22 14:16 -------- d-----w- c:\program files\Common Files\BioWare
2010-08-22 14:18 . 2010-01-30 20:59 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-08-22 14:18 . 2010-01-30 20:59 -------- d-----w- c:\program files\AGEIA Technologies
2010-07-29 06:30 . 2010-08-11 02:12 197632 ----a-w- c:\windows\system32\ir32_32.dll
2010-07-29 06:30 . 2010-08-11 02:12 82944 ----a-w- c:\windows\system32\iccvid.dll
2010-06-30 06:25 . 2010-08-11 02:12 978432 ----a-w- c:\windows\system32\wininet.dll
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2009-07-14 65024]
"NortonUtilities"="c:\program files\Norton Utilities 14\RMTray.exe" [2009-09-14 279912]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2008-12-03 3882312]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2008-07-18 6246400]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2008-03-18 1848648]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2008-03-11 689488]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-06-03 206064]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-10-14 2793304]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-02-20 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-02-20 175640]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-02-20 167960]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-08-10 421888]
"ATT-SST_McciTrayApp"="c:\program files\ATT-SST\McciTrayApp.exe" [2010-07-27 1573888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-01 421160]

c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-2-27 1316192]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 0 (0x0)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKLM\~\startupfolder\C:^Users^Grant^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup
backupExtension=Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dellsupportcenter]
2009-06-03 19:46 206064 ----a-w- c:\program files\Dell Support Center\bin\sprtcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-09-01 13:32 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2008-12-03 02:41 3882312 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2010-01-13 22:44 37888 ----a-w- c:\program files\Winamp\winampa.exe

R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-05-13 136176]
R3 PCD5SRVC{3F6A8B78-EC003E00-05040104};PCD5SRVC{3F6A8B78-EC003E00-05040104} - PCDR Kernel Mode Service Helper Driver;c:\program files\Dell Support Center\HWDiag\bin\pcd5srvc.pkms [2008-11-04 22904]
R3 WatAdminSvc;WatAdminSvc;c:\windows\system32\Wat\WatAdminSvc.exe [2010-05-05 1343400]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1108000.005\SYMDS.SYS [2009-11-05 328752]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1108000.005\SYMEFA.SYS [2010-04-22 173104]
S1 BHDrvx86;BHDrvx86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\BASHDefs\20100901.003\BHDrvx86.sys [2010-08-31 692272]
S1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1108000.005\ccHPx86.sys [2010-02-26 501888]
S1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20100923.001\IDSvix86.sys [2010-05-28 344112]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1108000.005\Ironx86.SYS [2010-04-29 116784]
S1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\System32\Drivers\NIS\1108000.005\SYMTDIV.SYS [2010-05-06 339504]
S2 AERTFilters;Andrea RT Filters Service;c:\windows\system32\AERTSrv.exe [2008-07-18 73728]
S2 dlbk_device;dlbk_device;c:\windows\system32\dlbkcoms.exe [2007-06-26 537840]
S2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2008-12-18 155648]
S2 McciServiceHost;McciServiceHost;c:\program files\Common Files\Motive\McciServiceHost.exe [2010-07-27 315392]
S2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\17.8.0.5\ccSvcHst.exe [2010-02-26 126392]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2010-05-28 102448]
S3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2009-02-23 112128]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-12-19 249888]

.
Contents of the 'Scheduled Tasks' folder

2010-09-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-13 02:24]

2010-09-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-13 02:24]

2010-09-24 c:\windows\Tasks\Norton AntiVirus - Grant - Full System Scan.job
- c:\program files\Norton Internet Security\Engine\17.8.0.5\navw32.exe [2010-09-23 19:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
Trusted Zone: $talisma_url$
DPF: {72376E32-8AF2-473F-BE32-E5D0F39C865D} - hxxp://www.cyberlink.com/prog/win7/js/UpdateAdvisor.cab
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-klmdb.sys



[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NIS]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\17.8.0.5\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\17.8.0.5\diMaster.dll\" /prefetch:1"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PCD5SRVC{3F6A8B78-EC003E00-05040104}]
"ImagePath"="\??\c:\program files\Dell Support Center\HWDiag\bin\pcd5srvc.pkms"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1275147936-1129527027-4272702304-1000\Software\SecuROM\License information*]
"datasecu"=hex:ab,2e,fb,58,c7,ba,cb,44,f7,e6,82,78,e6,64,cf,2b,2c,79,d4,a4,10,
14,89,d4,38,19,b9,7e,08,06,c5,7c,e2,15,8a,c1,3d,d8,70,57,f0,4d,3f,7e,24,8f,\
"rkeysecu"=hex:a7,29,ee,f2,60,57,a0,6a,89,67,0a,9b,f1,7f,10,e2

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\windows\system32\taskhost.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\WUDFHost.exe
c:\windows\system32\conhost.exe
c:\windows\RtHDVCpl.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Norton Utilities 14\nu.exe
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\system32\taskhost.exe
c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
.
**************************************************************************
.
Completion time: 2010-09-24 20:14:29 - machine was rebooted
ComboFix-quarantined-files.txt 2010-09-25 01:14

Pre-Run: 371,375,054,848 bytes free
Post-Run: 371,369,574,400 bytes free

- - End Of File - - 2CCC880F277EBA4717ADD07A57090790
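The log above answers the question from post #12: the explorer.exe in C:\Windows really was infected (so was wininit.exe), and ComboFix replaced both from the WinSxS component store. Its "Reg Loading Points" section also shows ConsentPromptBehaviorAdmin, ConsentPromptBehaviorUser and EnableLUA all at 0 under policies\system, which means UAC was completely switched off on this machine; a fake-AV dropper running as this user therefore never needed a prompt to rewrite files in C:\Windows. As an added example (not from the thread and not part of ComboFix), the PowerShell below parses those two kinds of lines out of a ComboFix log and compares the UAC values to Windows 7 defaults. The excerpt in `$SampleLog` is copied from the log above; the baseline values, the function names and the live registry check are my assumptions, not something the log or the responder states.

```powershell
# Added example, not part of the thread or of ComboFix. Parses the restore
# lines and the policies\system block of a ComboFix log, then compares the UAC
# values with Windows 7 defaults (an assumed baseline, not something the log
# states). PowerShell 2.0 or later; elevation is needed only to change values.

# Excerpt copied from the ComboFix log in the post above.
$SampleLog = @'
Infected copy of c:\windows\explorer.exe was found and disinfected
Restored copy from - c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20563_none_52283b2af41f3691\explorer.exe

Infected copy of c:\windows\System32\wininit.exe was found and disinfected
Restored copy from - c:\windows\winsxs\x86_microsoft-windows-wininit_31bf3856ad364e35_6.1.7600.16385_none_30c90ef265a43c13\wininit.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 0 (0x0)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
'@

# Windows 7 defaults (assumed baseline). With these at 0 every process the
# logged-on administrator starts already holds a full admin token.
$UacBaseline = @{
    EnableLUA                  = 1   # 0 turns UAC off completely
    ConsentPromptBehaviorAdmin = 5   # 0 elevates silently, no prompt at all
    ConsentPromptBehaviorUser  = 3   # 0 denies elevation to standard users outright
    EnableUIADesktopToggle     = 0
}

function ConvertFrom-ComboFixLog {
    param([string]$Text)
    $restored = @()
    $policy   = @{}
    $section  = ''
    $lines = $Text -split "`r?`n"
    for ($i = 0; $i -lt $lines.Count; $i++) {
        $line = $lines[$i]
        if ($line -match '^\[(.+)\]$') { $section = $matches[1]; continue }
        if ($line -match '^Infected copy of (.+?) was found and disinfected') {
            $file = $matches[1]
            if (($i + 1) -lt $lines.Count -and $lines[$i + 1] -match '^Restored copy from - (.+)$') {
                $restored += New-Object PSObject -Property @{ File = $file; Source = $matches[1] }
            }
        }
        elseif ($section -like '*\policies\system' -and $line -match '^"(\w+)"=\s*(\d+)\s*\(0x[0-9a-fA-F]+\)') {
            # ComboFix prints DWORD policy values as:  "Name"= 0 (0x0)
            $policy[$matches[1]] = [int]$matches[2]
        }
    }
    New-Object PSObject -Property @{ Restored = $restored; Policy = $policy }
}

function Test-UacPolicy {
    param([hashtable]$Observed, [hashtable]$Baseline = $UacBaseline)
    foreach ($name in $Baseline.Keys) {
        if ($Observed.ContainsKey($name) -and $Observed[$name] -ne $Baseline[$name]) {
            New-Object PSObject -Property @{ Value = $name; Observed = $Observed[$name]; Expected = $Baseline[$name] }
        }
    }
}

function Get-LiveUacPolicy {
    # The same values read from the running machine instead of from the log.
    $p = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $h = @{}
    foreach ($name in $UacBaseline.Keys) { if ($p.$name -ne $null) { $h[$name] = [int]$p.$name } }
    $h
}

$parsed = ConvertFrom-ComboFixLog $SampleLog
$parsed.Restored | Format-Table File, Source -AutoSize          # two system binaries came back from winsxs
Test-UacPolicy $parsed.Policy | Format-Table Value, Observed, Expected -AutoSize
# On the cleaned machine itself:  Test-UacPolicy (Get-LiveUacPolicy)
# To put UAC back (reboot afterwards), e.g.:
#   Set-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name EnableLUA -Value 1
```

On the sample excerpt the first table lists explorer.exe and wininit.exe with their winsxs sources, and the second flags EnableLUA, ConsentPromptBehaviorAdmin and ConsentPromptBehaviorUser as 0 against expected 1, 5 and 3. Whether these values were set by the malware or by the user beforehand, the log cannot say; either way they should go back to the defaults once the cleanup is finished, and the Norton exclusion added in post #12 should be removed now that the shell has been restored from a trusted source.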


#15 JSntgRvr (Master Surgeon General, Malware Response Team, 11,581 posts, Location: Puerto Rico)

Posted 24 September 2010 - 10:42 PM

Is explorer working now?
  • Copy the entire contents of the Quote Box below to Notepad.
  • Name the file as CFScript.txt
  • Change the Save as Type to All Files
  • and Save it on the desktop
QUOTE
Regnull::
[HKEY_USERS\S-1-5-21-1275147936-1129527027-4272702304-1000\Software\SecuROM\License information*]

Reglock::
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]




Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report.

---------------------------------------------------
Update and run Malwarebytes Antimalware and post its report.

---------------------------------------------------
Please do an online scan with Kaspersky WebScanner

Kaspersky online scanner uses JAVA technology to perform the scan. If you do not have the latest JAVA version, follow the instructions below under Upgrading Java, to download and install the latest version.
  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure the following are checked
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply.
Attention! Kaspersky Online Scanner 7.0 may fail to start if another anti-virus program is already installed and running on your computer. Please deactivate the anti-virus software installed on your computer prior to starting Kaspersky Online Scanner 7.0.

Upgrading Java :
  • Download the latest version of Java SE Runtime Environment (JRE) JRE 6 Update 21.
  • Click the JDK 6 Update 21 (JDK or JRE) "Download JRE" button to the right.
  • Select your Platform, Register and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u21-windows-i586.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.(Vista users, right click on the jre-6u21-windows-i586.exe and select "Run as an Administrator.")

No request for help through private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!




