# Solved: explorer.exe virus/malware?!



## mallwo27 (Jan 22, 2009)

Hi there,

I am trying to fix a laptop for someone which appears to have got infected with a virus or some sort of malware.

The problem is that the explorer.exe is crashing and restarting every few seconds.

I have tried a number of things to fix it but without using exploer theres only so much i can do!!. I started with copying and renaming the explorer.exe to test.exe and running this but the problem still occured. I have also tried replacing the explorer.exe with the test.exe in the winlogon shell key within regedit - nope - so i tried replacing the whole shell... again still no joy.

I found 2 executable files on the c drive which according to some research i did are viruses, so I removed them... still no joy though. The files where 
C:\mywyxngk.exe
C:\yjqcq.exe

The problem also occurs in safe mode and I am un able to run a system restore... it all sets up OK but won't actually start the restore 

I know a little bit about computers but I am all out of ideas!! is there anyone that could possibly help me please?!!!!

I have managed to install HJT onto the infected computer and the log is below.

Many thanks in advance,
Mark

--------------------------------------------
Hi Jack This Log........

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:17:31, on 22/01/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18241)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\SYSTEM32\WISPTIS.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe
C:\WINDOWS\system32\CMD.exe
C:\WINDOWS\system32\msfeedssync.exe
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: Shell=
O2 - BHO: (no name) - {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - C:\WINDOWS\system32\aWolIAtu.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: C:\WINDOWS\system32\hgfdge4unjdfdg.dll - {c5bf49a2-94f3-42bd-f434-3604812c8955} - C:\WINDOWS\system32\hgfdge4unjdfdg.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [LSA Shellu] C:\Documents and Settings\David\lsass.exe
O4 - HKLM\..\Run: [jsf8uiw3jnjgffght] C:\DOCUME~1\David\LOCALS~1\Temp\winlogin.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [jsf8uiw3jnjgffght] C:\DOCUME~1\David\LOCALS~1\Temp\winlogin.exe
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [TabletWizard] %windir%\help\wizard.hta (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZUxdm265YYGB
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-3/MyFunCardsFWBInitialSetup1.0.1.0.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/wuweb_site.cab?1204842285671
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1204842273484
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: aWolIAtu - C:\WINDOWS\SYSTEM32\aWolIAtu.dll
O22 - SharedTaskScheduler: jgzfkj9w38rksndfi7r4 - {C5BF49A2-94F3-42BD-F434-3604812C8955} - C:\WINDOWS\system32\hgfdge4unjdfdg.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
--
End of file - 5809 bytes


----------



## karbo (Sep 3, 2003)

I would get rid of the MyWebSearch toolbar if I were you. It's often related to malware or at least adware.

*O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...p=ZUxdm265YYGB*

Here's a link on how to completely remove it from your computer.


----------



## Kenny94 (Dec 16, 2004)

Hi Mark and Welcome to TSG!

Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

You have several infections...*And no antivirus program*.. If you can't download SDFix.exe and Avira AntiVir? Do you have a flash drive you can use to download these?

Lets fix System Configuration Utility warning.

Rescan with Hijack This.
Close all browser windows except Hijack This.
Put a check mark beside these entries and click "Fix Checked".

O2 - BHO: (no name) - {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - C:\WINDOWS\system32\aWolIAtu.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: C:\WINDOWS\system32\hgfdge4unjdfdg.dll - {c5bf49a2-94f3-42bd-f434-3604812c8955} - C:\WINDOWS\system32\hgfdge4unjdfdg.dll
O4 - HKLM\..\Run: [jsf8uiw3jnjgffght] C:\DOCUME~1\David\LOCALS~1\Temp\winlogin.exe
O4 - HKLM\..\Run: [MSConfig] 
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

Download *SDFix* and save it to your Desktop.



Double click *SDFix.exe* and choose *Install* to extract it to its own folder on the

Desktop. Please then reboot your computer in *Safe Mode* by doing the following :
Restart your computer 
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually; 
Instead of Windows loading as normal, a menu with options should appear; 
Select the first option, to run Windows in Safe Mode, then press "Enter". 
Choose your usual account. 

 Open the c:\SDFix folder and double click *RunThis.cmd* to start the script. 
 Type *Y* to begin the script. 
 It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot. 
 Press any Key and it will restart the PC. 
 Your system will take longer that normal to restart as the fixtool will be running and removing files. 
 When the desktop loads the Fixtool will complete the removal and display *Finished*, then press any key to end the script and load your desktop icons. 
 Finally open the SDFix folder on your desktop and copy and paste the contents of the results file *Report.txt* back to the thread with a new HijackThis log. 

*Next*

I do not see an anti-virus program installed on your computer. It is extremely important that you have an antivirus program installed and running on your computer to prevent anymore possible infections. I would like you to download and install a free antivirus program..
*Avira AntiVir Personal *

In your next reply, please include these log(s):

** Report.txt
* HijackThis log (new)*

Also, please let me know how things are running now and if you encountered any problems while you were following the instructions I posted.


----------



## mallwo27 (Jan 22, 2009)

many thanks for your prompt response. I will try this now and let you know how i get on.


----------



## Kenny94 (Dec 16, 2004)

mallwo27 said:


> many thanks for your prompt response. I will try this now and let you know how i get on.


:up:


----------



## mallwo27 (Jan 22, 2009)

Hi - It's worked!

Your instructions were very clear and concise... I had to do a little bit of messing around in order to get the SDFix program onto the infected laptop because of the lack of the explorer.exe application but once I got it all on there it worked brilliantly.

The HiJack This log and the report from SDFix are below as requested.

Many thanks again for your help... I will definitley return to this forum for help and advice in the future! :up: :up: :up: :up: :up:

Regards,
Mark

-------------------
Hi Jack This Log file
-------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:47:23, on 22/01/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18241)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\SYSTEM32\WISPTIS.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\msfeedssync.exe
C:\Documents and Settings\David\Desktop\antivir_workstation_winu_en_h.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [jsf8uiw3jnjgffght] C:\DOCUME~1\David\LOCALS~1\Temp\winlogin.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [jsf8uiw3jnjgffght] C:\DOCUME~1\David\LOCALS~1\Temp\winlogin.exe
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [TabletWizard] %windir%\help\wizard.hta (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZUxdm265YYGB
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-3/MyFunCardsFWBInitialSetup1.0.1.0.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/wuweb_site.cab?1204842285671
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1204842273484
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O22 - SharedTaskScheduler: jgzfkj9w38rksndfi7r4 - {C5BF49A2-94F3-42BD-F434-3604812C8955} - (no file)
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (antivirscheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (antivirservice) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

--
End of file - 5950 bytes

----------------
SDFix Report File
----------------

*SDFix: Version 1.240 *
Run by David on 22/01/2009 at 15:12

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\DOCUME~1\David\Desktop\SDFix

*Checking Services *:

Restoring Default Security Values
Restoring Default Hosts File

Rebooting

*Checking Files *:

Trojan Files Found:

C:\WINDOWS\system32\aWolIAtu.dll - Deleted
C:\336757~1 - Deleted
C:\autorun.inf - Deleted
C:\Documents and Settings\David\lsass.exe - Deleted
C:\WINDOWS\system32\TDSSbrsr.dll - Deleted
C:\WINDOWS\system32\TDSSriqp.dll - Deleted
C:\WINDOWS\system32\TDSSxfum.dll - Deleted
C:\WINDOWS\system32\TDSSlxwp.dll - Deleted
C:\WINDOWS\system32\TDSSosvd.dat - Deleted
C:\WINDOWS\system32\TDSStkdv.log - Deleted

Could Not Remove C:\WINDOWS\system32\TDSSofxh.dll

Removing Temp Files

*ADS Check *:

*Final Check *:

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-22 15:18:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

disk error: C:\WINDOWS\system32\config\system, 0
scanning hidden registry entries ...

disk error: C:\WINDOWS\system32\config\software, 0
disk error: C:\Documents and Settings\David\ntuser.dat, 0
scanning hidden files ...

disk error: C:\WINDOWS\

please note that you need administrator rights to perform deep scan

*Remaining Services *:

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabledxpsp2res.dll,-22019"
"C:\\Program Files\\Kontiki\\KService.exe"="C:\\Program Files\\Kontiki\\KService.exe:*:Enabledelivery Manager Service"
"C:\\Documents and Settings\\David\\Local Settings\\Temp\\JT40BHIr.exe"="C:\\Documents and Settings\\David\\Local Settings\\Temp\\JT40BHIr.exe:*:Enabled:UK Provider"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\WINDOWS\\system32\\PnkBstrA.exe"="C:\\WINDOWS\\system32\\PnkBstrA.exe:*:EnablednkBstrA"
"C:\\WINDOWS\\system32\\PnkBstrB.exe"="C:\\WINDOWS\\system32\\PnkBstrB.exe:*:EnablednkBstrB"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabledxpsp2res.dll,-22019"

*Remaining Files *:

C:\WINDOWS\system32\TDSSofxh.dll Found

File Backups: - C:\DOCUME~1\David\Desktop\SDFix\backups\backups.zip

*Files with Hidden Attributes *:

Tue 20 Jan 2009 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\0c909c63b4fa217757574b9dcdd658c3\BIT466.tmp"
Tue 20 Jan 2009 3,202,259 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\13845fb1668dcf3e1108eea4eb534172\BIT475.tmp"
Tue 20 Jan 2009 436,978 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\2006c93acdb066bdfcaef21319037e32\BIT478.tmp"
Tue 20 Jan 2009 8,129,896 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\2064d652e93807b954225d9ba4a6b219\BIT46E.tmp"
Tue 20 Jan 2009 1,533,660 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\3845068ed327bc2e46e418df87819139\BIT473.tmp"
Tue 20 Jan 2009 8,822,672 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\38f348c87f8c2315e0e711a1f264b063\BIT46C.tmp"
Tue 20 Jan 2009 247,411 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\4cddf1f85ad64aea830346cc75b2bb06\BIT474.tmp"
Tue 20 Jan 2009 7,669,009 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\4f48480c3bff7fa275c02353aba158bb\BIT477.tmp"
Tue 20 Jan 2009 10,718,926 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\5f8bbff06b2da0a7956609cdcd5aa176\BIT471.tmp"
Tue 20 Jan 2009 606,064 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\60e28f2fefe55b8867c36eb78f0d8fdc\BIT45F.tmp"
Tue 20 Jan 2009 8,838,082 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\7510764a379c454f8a63fd524057d801\BIT476.tmp"
Tue 20 Jan 2009 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\7779524ce1b472c62f1b0f1a192676ad\BIT467.tmp"
Tue 20 Jan 2009 2,064,289 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\7b94a59580b29774d63166bdd411779e\BIT46B.tmp"
Tue 20 Jan 2009 7,568,097 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\7faa20870c6776cd1f316e4a996e02a0\BIT45D.tmp"
Tue 20 Jan 2009 4,198,322 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\9042a53c4572f5a2c03d7cf3c7b8c660\BIT46D.tmp"
Tue 20 Jan 2009 2,131,121 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\916bfa969481cdaef14e1805a5f36838\BIT45C.tmp"
Tue 20 Jan 2009 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\9664ff6405d9e0e32778ca8618d4be26\BIT465.tmp"
Tue 20 Jan 2009 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\97de84be36b27af6e66a0586433cda52\BIT463.tmp"
Tue 20 Jan 2009 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\9ec3943a72ea4aa7fb7b808e2b7554c8\BIT464.tmp"
Tue 20 Jan 2009 658,288 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\9ee5964523257b6757b16b9f92698b0a\BIT469.tmp"
Tue 20 Jan 2009 639,856 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\9f4032b7c01ffa276d9d4715007a565f\BIT50B.tmp"
Tue 20 Jan 2009 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\b1b7c028246879bfa7b282d31a0545ca\BIT470.tmp"
Tue 20 Jan 2009 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\b5ceb6274f4d7fd206d6adab3df8e834\BIT461.tmp"
Tue 20 Jan 2009 9,237,440 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\b78797d4e2ea9a8dcbe3140f470c3736\BIT45B.tmp"
Tue 20 Jan 2009 4,002,699 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\c9e0a1f39e0cc4f28d528e7663acf15f\BIT46A.tmp"
Tue 20 Jan 2009 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\cb1cc7c8ed3868a5a32ffb677fe0fde8\BIT468.tmp"
Tue 20 Jan 2009 9,125,335 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\cfda6a5f0253f13aa506464213273105\BIT472.tmp"
Tue 20 Jan 2009 3,413,065 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\e1749044d2d432721cb286a5985abcde\BIT46F.tmp"
Tue 20 Jan 2009 1,945,267 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\f1092d1fd4234f8be26835d1f7b0bdcb\BIT460.tmp"
Tue 20 Jan 2009 4,133,846 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\f933472eb8131bfff7bb4b909a21dd8e\BIT462.tmp"
Mon 10 Nov 2008 20,480 A..H. --- "C:\Documents and Settings\David\Local Settings\Application Data\Microsoft\Journal\Cache\NB3.tmp"

*Finished!*


----------



## Kenny94 (Dec 16, 2004)

We still have infections to remove...

Please download *ATF Cleaner* by Atribune.


Double-click *ATF-Cleaner.exe* to run the program. 
Under *Main* choose: *Select All* 
Click the *Empty Selected* button. 

Click *Exit* on the Main menu to close the program.

*Next*

Please download *Malwarebytes Anti-Malware* and save it to your desktop. _alternate link 1_ _alternate link 2_
Make sure you are connected to the Internet.
Double-click on *Download_mbam-setup.exe* to install the application.
When the installation begins, follow the prompts and do not make any changes to default settings.
When installation has finished, make sure you leave both of these checked:
*Update Malwarebytes' Anti-Malware*
*Launch Malwarebytes' Anti-Malware*

Then click *Finish*.
MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the *OK* button to close that box and continue. _If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install._
On the Scanner tab:
Make sure the "*Perform Quick Scan*" option is selected.
Then click on the *Scan* button.

If asked to select the drives to scan, leave all the drives selected and click on the *Start Scan* button.
The scan will begin and "_Scan in progress_" will show at the top. It may take some time to complete so please be patient.
When the scan is finished, a message box will say "_The scan completed successfully. Click 'Show Results' to display all objects found_".
Click *OK* to close the message box and continue with the removal process.
Back at the main Scanner screen, click on the *Show Results* button to see a list of any malware that was found.
Make sure that *everything is checked*, and click *Remove Selected*.
When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. _(see Note below)_
The log is automatically saved and can be viewed by clicking the *Logs* tab in MBAM.
*Copy and paste the contents of that report in your next reply with a new hijackthis log.*
_*Note*: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware._


----------



## mallwo27 (Jan 22, 2009)

oops... 

I thought we were done and I have now given the laptop back to the owner. I will try and track him down so I can get it back and finish working on it.... it may be a bit tricky as we are on an army base in the middle east and i have no direct point of contact for him.... but hopefully he will be dropping by my office soon with some goodies to return the favour so I will try to get his laptop back and will run these programs!!

thanks again for your help! If I manage to get the computer back I will let you know how I get on with these next steps.... and then wait until you say we're done before I give it back to him again!! 

Mark


----------



## Kenny94 (Dec 16, 2004)

mallwo27 said:


> oops...
> 
> I thought we were done and I have now given the laptop back to the owner. I will try and track him down so I can get it back and finish working on it.... it may be a bit tricky as we are on an army base in the middle east and i have no direct point of contact for him.... but hopefully he will be dropping by my office soon with some goodies to return the favour so I will try to get his laptop back and will run these programs!!
> 
> ...


Sounds good! Be safe....:up:


----------

