jeepbug

My computer is infected with Malware. Please help to remove.

My work computer is infected. The computer is displaying windows cannot find 'C:\DOCUME~1\Admin\LOCALS~1\Temp\dwn.exe'. Could not load or run specified in the registry- make sure file exists. I googled this and it is saying it is malware. The computer will not connect to the internet. Please help!

Since it is a work computer I wonder if there is a computer support at the work that can help you. It is rather common that companies dislike seeing logs from their computers on internet. I am not sure that all tools I use to clean a computer are safe to use on a computer configured for domain usage etc.

If you want help to clean the computer you must be able to transfer tools and log files between the infected computer and a computer with internet access.

Start by doing Step #1 on the page [url="http://www.lavasoftsupport.com/index.php?showtopic=13639"]http://www.lavasoftsupport.com/index.php?showtopic=13639[/url]
If you have Ad-Aware installed do Step #2.
Do Step #3.

Instead of Step #4 do:

Save DDS to your desktop: [url="http://download.bleepingcomputer.com/sUBs/dds.scr"]http://download.bleepingcomputer.com/sUBs/dds.scr[/url]
Double-click on the DDS tool to run it.

When finished, DDS will open two (2) logs:
1. DDS.txt
2. Attach.txt

Save them to your desktop and paste their content into your answer.

I paste the DDS log here to make it easy to go back and compare with it later. I will be back with an answer as soon as I have studied the logs.

DDS (Ver_10-12-12.02) - NTFSx86
Run by Admin at 9:51:36.40 on Tue 01/11/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3037.2370 [GMT -6:00]

AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\EzDental\SystemTray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\EzDental\eSyncReminder.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\EzDental\WebSyncReminder.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
E:\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyServer = http=127.0.0.1:50370
uURLSearchHooks: FCToolbarURLSearchHook Class: {4219427b-0228-4356-a78b-eb7668d37d07} - c:\program files\inboxdollars\Helper.dll
uURLSearchHooks: H - No File
uWinlogon: Shell=explorer.exe,c:\documents and settings\admin\application data\microsoft\windows\shell.exe
uWindows: Load=c:\docume~1\admin\locals~1\temp\dwm.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: InboxDollars BHO: {6ffb615d-e8ce-4add-8d9f-31c4be9c26e4} - c:\program files\inboxdollars\Toolbar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: InboxDollars: {47980628-3844-42aa-a0dd-e2d86bba9600} - c:\program files\inboxdollars\Toolbar.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SystemTray.exe] c:\program files\ezdental\SystemTray.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [svchost] c:\documents and settings\admin\application data\microsoft\svchost.exe
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\esyncr~1.lnk - c:\program files\ezdental\eSyncReminder.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\websyn~1.lnk - c:\program files\ezdental\WebSyncReminder.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
Notify: igfxcui - igfxdev.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-5-10 64288]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2010-5-10 98392]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2010-5-8 110080]
R3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1402272]
R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2010-11-22 15264]
S0 cerc6;cerc6; [x]

=============== Created Last 30 ================

2011-01-11 14:48:39 -------- d-----w- C:\_OTM
2011-01-11 14:43:51 388096 ----a-r- c:\docume~1\admin\applic~1\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-01-11 14:43:51 -------- d-----w- c:\program files\Trend Micro

==================== Find3M ====================

2011-01-03 20:17:31 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-06 00:26:58 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26:58 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26:58 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25:54 385024 ----a-w- c:\windows\system32\html.iec
2010-10-28 13:13:22 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25:00 1853312 ----a-w- c:\windows\system32\win32k.sys

============= FINISH: 9:51:45.32 ===============

1.
Please, uninstall InboxDollars. You can read about the toolbar here: [url="http://www.systemlookup.com/CLSID/71268-Toolbar_dll.html"]http://www.systemlookup.com/CLSID/71268-Toolbar_dll.html[/url]

2.
The infection has changed the proxy settings. Restore them in the following way:

Control panel - Internet Options - Connections - LAN settings
Click on Advanced
Remove content in such a way that all fields belonging to the header "Servers" are empty.
Click OK
If there is anything in the Address field, remove it.
Uncheck "Use a proxy server..."

Restart the computer and check if you have internet connection.

3.
Upload this file to [url="http://www.virustotal.com/"]http://www.virustotal.com/[/url] using the "Upload a file" function and post back the link to the scan report:
c:\documents and settings\admin\application data\microsoft\windows\shell.exe

Are you really sure the computer is clean?
According to the DDS log, InboxDollars and the proxy server setting were not the only issues with the computer.
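A small triage script, added here and not part of the thread or of the DDS tool, that reads lines in the DDS "Pseudo HJT Report" format and flags the kinds of entries CeciliaB points to: the loopback proxy, the altered Winlogon Shell value, the per-user Load= value, and an autostart named svchost.exe living under Application Data. The sample log is a constructed excerpt modelled on the posted one; the heuristics, patterns and function names are my own assumptions, not DDS features.

```python
import re

# Constructed excerpt in the DDS "Pseudo HJT Report" format, modelled on the log posted above.
SAMPLE_LOG = r"""
uInternet Settings,ProxyServer = http=127.0.0.1:50370
uWinlogon: Shell=explorer.exe,c:\documents and settings\admin\application data\microsoft\windows\shell.exe
uWindows: Load=c:\docume~1\admin\locals~1\temp\dwm.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [svchost] c:\documents and settings\admin\application data\microsoft\svchost.exe
"""

# Directories a legitimate autostart binary should not live in (8.3 short forms included); my heuristic.
USER_WRITABLE = re.compile(r"\\(application data|applic~1|local settings|locals~1|temp)\\", re.I)
# Core Windows binary names that malware borrows; a copy outside C:\Windows is suspect.
SYSTEM_NAMES = {"svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "dwm.exe"}
RUN_KEYS = {"uRun", "mRun", "dRun", "uRunOnce", "mRunOnce", "dRunOnce"}

def check_line(line):
    """Return a short reason if one DDS line looks like persistence or traffic hijack, else None."""
    line = line.strip()
    key, _, value = line.partition(":")
    # A proxy on 127.0.0.1 sends every browser request through a local process first.
    m = re.search(r"ProxyServer\s*=\s*(\S+)", line)
    if m and "127.0.0.1" in m.group(1):
        return "loopback proxy configured: " + m.group(1)
    # Winlogon Shell should be exactly explorer.exe; anything after a comma also starts at logon.
    if key == "uWinlogon" and "Shell=" in value:
        shell = value.split("Shell=", 1)[1].strip()
        if shell.lower() != "explorer.exe":
            return "Winlogon Shell modified: " + shell
    # The per-user "Load=" value is an obscure autostart that is rarely set legitimately.
    if key == "uWindows" and "Load=" in value:
        return "Windows Load= autostart: " + value.split("Load=", 1)[1].strip()
    if key in RUN_KEYS and "]" in value:
        path = value.split("]", 1)[1].strip()
        if path.startswith('"'):               # drop a quoted path's trailing arguments
            path = path[1:].split('"', 1)[0]
        exe = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if USER_WRITABLE.search(path):
            return "autostart from user-writable directory: " + path
        if exe in SYSTEM_NAMES and not path.lower().startswith("c:\\windows\\"):
            return "system binary name outside C:\\Windows: " + path
    return None

def triage(log):
    """Run check_line over a whole DDS log; return (line, reason) pairs for suspicious entries."""
    return [(raw.strip(), check_line(raw)) for raw in log.splitlines() if check_line(raw)]
```

Running triage(SAMPLE_LOG) reports the four entries above and leaves the ctfmon, HP and Adobe lines alone; the same findings are what the reply above means by "not the only issues".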

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

Everyone else please begin a New Topic.

Thank You !
