BackDoor.MaosBoot arghhh please help



#1
fritz101
    Member
  • 13 posts
Hello, and thank you for your help.

My Dell computer running Windows XP has contracted some type of virus that as best as I can tell is called BackDoor.MaosBoot.

I have read through these forums and have been unable to come up with the solution on my own.

I have also gone through this web page and done everything as instructed up to this point: http://www.geekstogo...uide-t2852.html

The virus really slooooows down my computer, and also does not allow me to use internet explorer or firefox properly-- when I search through Google, any link I click is immediately taken over and sent to some random advertisement.

When I run Malwarebytes, it identifies a virus but I believe is unable to remove it. Malwarebytes identifies the following:
1. C:\windows\system32\uacinit.dll
2. HKEY_LOCAL_MACHINE\SOFTWARE\UAC

I posted the Malwarebytes log at the bottom of this post.


I read that Dr. Web Antivirus might take care of this, however to this point it hasn't.

Here is the summary of events using Dr. Web Antivirus. I have tried pretty much every combination of yes/no, delete/move, etc. and so far nothing has worked:

Dr. Web Anti-Virus 8/29/09 Express Scan

Object: Master Boot Record HDD2

Status: BackDoor.MaosBoot

Window pops up and asks:
“To cure one or several infections, a restart may be required. Do you want to cure with restart?”

I then click yes,
It asks if I want to cure, and the choices are yes to all, yes, no, and close, I believe.

I click “yes to all,” and nothing happens, object remains in box.

I click “Select all” below, green dot comes up by Master Boot Record HDD2, click Cure, with “move incurable” in side menu, and nothing happens. (I’ve also tried “delete incurable” and nothing happens.)

I click to close the application, and a window pops up: “Are you sure you want to close the application? The list of detected threats contains objects to which no actions were applied. It is recommended to neutralize them before closing the application.”

From here, I have done both options.
If I click “no,” then I go back to the initial Dr. Web screen with the Master Boot Record HDD2 still listed there. My only option then is to do a complete scan. I have done the complete scan a few times and still the virus persists.

If I click “yes,” the application closes. I then try a computer restart but alas the bug is still on my computer as evidenced by its behavior in internet explorer and that Dr. Web continues to find it.

The most recent time I tried to run Dr. Web Antivirus my computer froze up. I was unable to save a scan log from either express scan or full scan at my last attempt, but could of course try again as necessary.


I should note that I am not sure if "uacinit.dll" is related to "BackDoor.MaosBoot".



I greatly appreciate any advice and please try to bear with me as I am not particularly computer savvy but I will make the process as easy on us as possible.

Thank you.












_______________________
Malwarebytes Log:

Windows 5.1.2600 Service Pack 3

8/24/2009 1:34:21 AM
mbam-log-2009-08-24 (01-34-21).txt

Scan type: Quick Scan
Objects scanned: 109965
Time elapsed: 9 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.





______________________________
McAfee Results:

McAfee scan 8.29.09 (cannot save or show actual log):
Generic Rootkit.d!rootkit (Trojan)

File: NTOSKRNL-HOOK

Status: removed


Interestingly, McAfee reports removing this previously 3 additional times in the past month...

Edited by fritz101, 29 August 2009 - 03:03 PM.

#2
Transience
    Unofficial Music Guru
  • Retired Staff
  • 2,448 posts
Hello and welcome to Geeks to Go! I'm Dave and I'll be helping you out. Let's get started:

Please go to the GMER Rootkit Scanner Download Site.
  • Click on the Download EXE button.
  • The file you are downloading will have a random name in order to circumvent the attempts of malware to block it from running.
  • Take note of the name of the file (please don't change it), and then save it directly to your desktop.
Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click on the file you downloaded (Vista users please right-click it and select Run as Administrator). The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any
"<--- ROOTKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
  • Click NO
  • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure that the "Show all" box is un-checked.
  • Now click the Scan button.
    Once the scan is complete, you may receive another notice about rootkit activity, don't worry.
  • Click Ok.
  • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
  • Save it to a location where you can easily find it, such as your desktop.
Post the contents of GMER.txt in your next reply.

Then:

Please visit this webpage for download links and instructions for running ComboFix:

http://www.bleepingc...to-use-combofix

Click on any of the links at that website to download ComboFix. At the window that appears, please change the name of the file from ComboFix to svchost. This name is important and must be exactly as I have given it to you here. Once you have changed the name, save the renamed file directly to your desktop.

Return to the above link and continue with the instructions provided there for running ComboFix. Be sure that you read ALL of the instructions on that page carefully and follow them exactly. It is particularly important to disable all your protection programs before running ComboFix. If you need further help figuring out how to disable a specific program, look here for instructions. Installing the Recovery Console if you're running an XP machine is another critical step. Although these preliminary steps may seem unnecessary, by following the directions in that guide closely you give ComboFix the best possible chance at a successful run and minimize the likelihood of having serious problems occur after an attempted removal of malware.

Once the program has finished running, its log should pop up automatically, or if for some reason you lose it, it can be found at C:\ComboFix.txt. Please post the log's contents in your next reply.

Cheers,
Dave

#3
fritz101
    Member
  • 13 posts
Hello!

Thanks for your help.

I've spent a couple of hours on this...

No matter what I do in regular mode, I cannot get GMER to complete a scan.

I got it part way through once, then it simply froze.

I've tried multiple other times and once I get to my desktop screen the computer simply freezes-- I cannot run any programs. I will keep trying.

I then tried in safe mode. On the second try I believe I completed the GMER scan, but I could not save, as the screen dynamics, no matter what I did with downsizing the GMER program, would not allow me to see the save button. In other words, the GMER screen was too big and bulky to fit on my monitor in safe mode, so I could not save to GMER.txt.

Any other ideas or thoughts on this would be of course greatly appreciated. Thanks again.

#4
Transience
    Unofficial Music Guru
  • Retired Staff
  • 2,448 posts
Skip GMER for the moment. Try to run ComboFix according to my instructions above in normal mode, and if you are unable to, then give it a shot for me in safe mode.

#5
fritz101
    Member
  • 13 posts
Okay--

When I start my computer in regular mode, everything is frozen and I cannot run any programs.

I am able to start in safe mode, but only through "administrator" and not through my usual login. (Two choices come up on the screen, administrator or my usual account. When I click my usual account, it goes to a black screen with the "safe mode microsoft ®" etc. writing in white on top, and "safe mode" in the four corners, but will not load any of the desktop items.)

When I go through safe mode to the administrator account, a few desktop links are there (recycle bin, Internet Explorer, Malwarebytes, and a .pdf file) and I can use anything in the start menu. For some reason, when I click on Internet Explorer I cannot connect from this account. So I downloaded ComboFix through my laptop to a jump drive, renamed it svchost, and transferred the file to the safe mode administrator account's desktop. When I double-click it, a small gray box saying "ComboFix" appears and a blue bar loads in the box, then it simply freezes and nothing else happens.

Thank you.

#6
Transience
    Unofficial Music Guru
  • Retired Staff
  • 2,448 posts
Alright, let's try it one more way: delete your current copy of ComboFix and then download, transfer and run a new one according to these instructions:

Please visit this webpage for download links and instructions for running ComboFix:

http://www.bleepingc...to-use-combofix

Click on any of the links at that website to download ComboFix. At the window that appears, please change the name of the file from ComboFix to svchost.com. This name is important and must be exactly as I have given it to you here, including the .com file extension. After changing the name, click on the drop down menu for the box labeled Save as type: and change it to All files. Once you made these changes, save the file directly to your desktop.

Return to the above link and continue with the instructions provided there for running ComboFix. Be sure that you read ALL of the instructions on that page carefully and follow them exactly. It is particularly important to disable all your protection programs before running ComboFix. If you need further help figuring out how to disable a specific program, look here for instructions. Installing the Recovery Console if you're running an XP machine is another critical step. Although these preliminary steps may seem unnecessary, by following the directions in that guide closely you give ComboFix the best possible chance at a successful run and minimize the likelihood of having serious problems occur after an attempted removal of malware.

Once the program has finished running, its log should pop up automatically, or if for some reason you lose it, it can be found at C:\ComboFix.txt. Please post the log's contents in your next reply.

Cheers,
Dave

#7
fritz101
    Member
  • 13 posts
Hi,

Saved the file as .com and saved as type all files.

I was able to transfer the file to the desktop in safe mode, but when I double-click on the file it opens only to the point of the blue bar loading in a small box that says ComboFix, as it did before. The computer then freezes.

I should note that my McAfee antivirus is turned off, as instructed. In addition, I'm not certain if Malwarebytes is off as I cannot open it to turn it off. However, I did not see it listed in the bleepingcomputer link as a program that needs to be turned off, so perhaps it doesn't matter.

I should also note that in the process of simply having my computer on to try to fix it (I haven't downloaded anything or done any web surfing), I appear to have contracted a virus called something like Antivirus 2010, although of course perhaps that was already on my computer lurking previously.

Thanks again for your help.

#8
Transience
    Unofficial Music Guru
  • Retired Staff
  • 2,448 posts
Alright, for these steps it might be best for you to download all the tools at once and transfer them to the infected PC; that way you can run them all in succession.

I should note that my McAfee antivirus is turned off, as instructed. In addition, I'm not certain if Malwarebytes is off as I cannot open it to turn it off. However, I did not see it listed in the bleepingcomputer link as a program that needs to be turned off, so perhaps it doesn't matter.

Would you be willing to temporarily uninstall McAfee for me? It is one of the antivirus programs that interferes most with our fixes, and makes everything else harder. You can reinstall it later on when you're clean, or I could help you out with some other, better antivirus program options. Remove it from Add/Remove Programs in your Control Panel.

Once that's done, we also need to run the McAfee Removal Tool. Download it from that link, save it to your desktop, and then double-click it to run it to finish removing McAfee from your PC. Once the tool completes its run, restart.

After rebooting:
  • Download Fixswen and save it to your desktop
  • Right-click on the file and choose install, and allow it to complete.

Once that's done, please delete your current copy of ComboFix as well as the folders C:\ComboFix and C:\Qoobox if they exist, and then try these instructions for me:

Please visit this webpage for download links and instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Click on any of the links at that website to download ComboFix. At the window that appears, please change the name of the file from ComboFix to cf.bat. This name is important and must be exactly as I have given it to you here, including the .bat file extension. After changing the name, click on the drop down menu for the box labeled Save as type: and change it to All files. Once you made these changes, save the file directly to your desktop.

Then go ahead and run CF as before; you may experience errors at first, but it is likely that CF will be able to proceed regardless.

Once the program has finished running, its log should pop up automatically, or if for some reason you lose it, it can be found at C:\ComboFix.txt. Please post the log's contents in your next reply.

Let me know how all that goes.

Cheers,
Dave

#9
fritz101
    Member
  • 13 posts
Hi,

1. I was able to add Fixswen to the desktop.

2. I was able to uninstall McAfee, I think. It gave me some grief and kept showing up again, and at least initially wouldn't let me delete (of five items) "primary service" and "security center." Also, the McAfee removal tool was never able to get to the end; it would simply freeze in the middle of activity. When the removal tool ran, it would state "error obtaining full permissions for cleanup. some products may not be fully removed." The most recent time, it got stuck on "net stop mcafee spam killer server." The most recent time I restarted the computer, however, McAfee finally was not in the Add or Remove Programs list.

3. Unable to run ComboFix. Tried saving as .bat (which shows up as cf without the .bat extension but lists it as a .bat file, if that makes sense). Tried running on the desktop when the filename was just cf (as a .bat file) and cf.bat, and either way it simply freezes after a small ComboFix box pops up.

Please understand that only about 1 in 5 times am I able to get the computer running (in safe mode; cannot at all in regular mode) such that I can actually click on anything without it freezing.

Thank you.

#10
Transience
    Unofficial Music Guru
  • Retired Staff
  • 2,448 posts
It sounds like a difficult situation. I'm consulting on this one and will get back to you.
#11
Transience
    Unofficial Music Guru
  • Retired Staff
  • 2,448 posts
Alright, a couple of questions for you:

1. Do you have a windows XP CD?
2. Do you have a floppy disk drive in your machine?

Now a couple things to try.

FIRST:

Please go to the GMER Rootkit Scanner Download Site.
  • Click on the Download EXE button.
  • The file you are downloading will have a random name in order to circumvent the attempts of malware to block it from running.
  • Take note of the name of the file (please don't change it), and then save it directly to your desktop.
Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click on the file you downloaded (Vista users please right-click it and select Run as Administrator). The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any
"<--- ROOTKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
  • Click NO
  • In the right panel, you will see a bunch of boxes that have been checked. Uncheck the boxes for Files, Registry, and Show all.
  • Now click the Scan button.
    Once the scan is complete, you may receive another notice about rootkit activity, don't worry.
  • Click Ok.
  • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
  • Save it to a location where you can easily find it, such as your desktop.
Post the contents of GMER.txt in your next reply.

THEN:

We need some more information from GMER: double-click on the program again to run it.
  • The program will run a quick initial scan, allow it to complete.
  • Then, at the top next to the Rootkit/Malware tab, click on the >>> button.
  • Click on the autostart tab and then click Scan.
  • Allow the scan to complete, then click Copy to copy the results of the scan.
  • Paste those results into your next reply.
LAST:

Please download mbr.exe to your desktop (or download it on another PC and transfer it by removable storage to the desktop of the infected PC).
  • Double-click mbr.exe to start it and follow the prompts.
  • When it has finished, it will create a log for you.
  • Please post the contents of that log in your next reply.
Let me know how that goes; I'm looking for the 2 GMER reports and the log from mbr.exe in your next reply.

Cheers,
Dave
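Dave's last step asks for mbr.exe, whose log (posted later in this thread) reports reading the Master Boot Record through a user-mode path and a kernel path. The following is an added example, not GMER's code and not from anyone in this thread, showing in Python the kind of check such a detector performs on a 512-byte first sector: verify the 0x55AA boot signature at offset 510, decode the partition table, and compare the sector as returned by the normal read path with a copy obtained lower in the stack. A stealth MBR rootkit that filters disk reads to hide its modified boot code shows up as a mismatch between the two views. That the tool's user/kernel lines mean such a comparison is my reading of its log, and both sample sectors below are constructed.

```python
import struct
from dataclasses import dataclass

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xAA"          # bytes 510-511 of a valid MBR
PARTITION_TABLE_OFFSET = 446          # four 16-byte entries follow the boot code


@dataclass
class Partition:
    index: int
    bootable: bool
    type_id: int
    lba_start: int
    sector_count: int


def has_boot_signature(sector: bytes) -> bool:
    """True if the sector is 512 bytes and ends with the 0x55AA boot signature."""
    return len(sector) == SECTOR_SIZE and sector[510:512] == BOOT_SIGNATURE


def parse_partitions(sector: bytes) -> list:
    """Decode the four primary partition entries; empty slots (type 0) are skipped."""
    parts = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4), little-endian
        status, type_id, lba, count = struct.unpack("<B3xB3xII", sector[off:off + 16])
        if type_id:
            parts.append(Partition(i, status == 0x80, type_id, lba, count))
    return parts


def first_difference(user_view: bytes, kernel_view: bytes):
    """Offset of the first byte where the two reads disagree, or None if identical."""
    for off, (a, b) in enumerate(zip(user_view, kernel_view)):
        if a != b:
            return off
    if len(user_view) != len(kernel_view):
        return min(len(user_view), len(kernel_view))
    return None


def assess(user_view: bytes, kernel_view: bytes) -> list:
    """Summarise the checks in the style of a detector's log lines."""
    notes = []
    if not has_boot_signature(kernel_view):
        notes.append("boot signature not found")
    diff = first_difference(user_view, kernel_view)
    if diff is None:
        notes.append("user & kernel MBR OK")
    else:
        notes.append(f"user/kernel MBR differ at offset {diff}")
    return notes


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample: the given boot code plus one bootable NTFS (0x07) partition at LBA 63."""
    code = boot_code.ljust(PARTITION_TABLE_OFFSET, b"\x00")[:PARTITION_TABLE_OFFSET]
    table = struct.pack("<B3xB3xII", 0x80, 0x07, 63, 2_000_000) + b"\x00" * 48
    return code + table + BOOT_SIGNATURE


# Constructed sectors: identical partition tables, different boot code.
CLEAN_MBR = build_sample_mbr(b"\xFA\x33\xC0\x8E\xD0")
TAMPERED_MBR = build_sample_mbr(b"\xEB\x58\x90" * 4)

if __name__ == "__main__":
    print(parse_partitions(CLEAN_MBR))
    print(assess(CLEAN_MBR, CLEAN_MBR))      # what user-mode sees matches the disk
    print(assess(CLEAN_MBR, TAMPERED_MBR))   # a filtered read path is hiding the real sector
```

The partition-table decode is there because a hidden MBR modification usually keeps the table intact so the system still boots; a clean-looking table is therefore no evidence on its own, and the byte-for-byte comparison of the two views is the check that matters.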

#12
fritz101
    Member
  • 13 posts
Hi,

Thanks for your help and I really appreciate you sticking with it.

I hope it's okay from your end if I pick this up again in detail on 9/15?

I plan to keep the computer off till then.

Thanks again.

#13
Transience
    Unofficial Music Guru
  • Retired Staff
  • 2,448 posts
Sure thing, we can hold off until then. Let me know when you're ready to continue.

Edited by Transience, 12 September 2009 - 11:25 AM.


#14
fritz101
    Member
  • 13 posts
Hello,

Okay,

1. When I run GMER by double-clicking, I am unable to save the log because in safe mode, no matter what I do, the window is too big and I cannot see or access the save button. It does seem to let me delete some processes (I have not done anything, just pointing out that the program seems to maintain some functionality).

2. When I run GMER through the autostart tab I get the following info, posted below.

3. When I run the mbr file I get the following info, posted below.

And yes, I have both a Windows XP CD and a floppy disk drive.

Thanks again.


2. GMER through autostart:


GMER 1.0.15.15086 - http://www.gmer.net
Autostart scan 2009-09-15 00:48:29
Windows 5.1.2600 Service Pack 3


HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@BootExecute = /*file not found*/

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon >>>
@UserinitC:\WINDOWS\system32\userinit.exe, = C:\WINDOWS\system32\userinit.exe,
@TaskmanC:\RECYCLER\S-1-5-21-1941637596-3968464173-777376099-5946\msimfo32.exe = C:\RECYCLER\S-1-5-21-1941637596-3968464173-777376099-5946\msimfo32.exe

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ >>>
dimsntfy@DLLName = %SystemRoot%\System32\dimsntfy.dll
WgaLogon@DLLName = WgaLogon.dll

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs = C:\WINDOWS\system32\cru629.dat c:\windows\system32\tipajile.dll,C:\WINDOWS\system32\libupune.dll

HKLM\SYSTEM\CurrentControlSet\Services\ >>>
0275051252346805mcinstcleanup@ = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\027505~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service
ADVService@ = "C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe"
Creative Service for CDROM Access@ = C:\WINDOWS\system32\CTsvcCDA.exe
JavaQuickStarterService@ = "C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf"
McNASvc@ = "c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe"
McShield@ = C:\Program Files\McAfee\VirusScan\McShield.exe /*file not found*/
ScsiPort@ = %SystemRoot%\system32\drivers\scsiport.sys

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@SunJavaUpdateSched"C:\Program Files\Java\jre6\bin\jusched.exe" = "C:\Program Files\Java\jre6\bin\jusched.exe"
@iTunesHelper"C:\Program Files\iTunes\iTunesHelper.exe" = "C:\Program Files\iTunes\iTunesHelper.exe"
@DSL Connection ToolC:\Program Files\MSN\MSNIA\dslmon.exe = C:\Program Files\MSN\MSNIA\dslmon.exe
@BrStsWndC:\Program Files\Brownie\BrstsWnd.exe Autorun /*file not found*/ = C:\Program Files\Brownie\BrstsWnd.exe Autorun /*file not found*/
@KernelFaultCheck%systemroot%\system32\dumprep 0 -k = %systemroot%\system32\dumprep 0 -k
@Antivirus Pro 2010"C:\Program Files\AntivirusPro_2010\AntivirusPro_2010.exe" /hide = "C:\Program Files\AntivirusPro_2010\AntivirusPro_2010.exe" /hide
@hiwowujudiRundll32.exe "C:\WINDOWS\system32\zugahohe.dll",s = Rundll32.exe "C:\WINDOWS\system32\zugahohe.dll",s
@braviaxbraviax.exe /*file not found*/ = braviax.exe /*file not found*/
@varaposonRundll32.exe "c:\windows\system32\tipajile.dll",a = Rundll32.exe "c:\windows\system32\tipajile.dll",a

HKCU\Software\Microsoft\Windows\CurrentVersion\Run >>>
@DellSupport"C:\Program Files\DellSupport\DSAgnt.exe" /startup /*file not found*/ = "C:\Program Files\DellSupport\DSAgnt.exe" /startup /*file not found*/
@EasyLinkAdvisor"C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup = "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad >>>
@WPDShServiceObjC:\WINDOWS\system32\WPDShServiceObj.dll = C:\WINDOWS\system32\WPDShServiceObj.dll
@gopuloganc:\windows\system32\tipajile.dll = c:\windows\system32\tipajile.dll
@gozojiyowc:\windows\system32\tipajile.dll = c:\windows\system32\tipajile.dll
@tilubahizc:\windows\system32\tipajile.dll = c:\windows\system32\tipajile.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler >>>
@{BF56A325-23F2-42AD-F4E4-00AAC39CAA53}C:\WINDOWS\system32\tajf83ikdmf.dll = C:\WINDOWS\system32\tajf83ikdmf.dll
@{ea19892d-1c7f-4e20-8576-b5efabc208bd}c:\windows\system32\tipajile.dll = c:\windows\system32\tipajile.dll
@{41bd63d4-1036-491a-8fb8-cc1140f87c2c}c:\windows\system32\tipajile.dll = c:\windows\system32\tipajile.dll
@{1f7d7fed-8bef-40da-b503-45d2f33ca9ef}c:\windows\system32\tipajile.dll = c:\windows\system32\tipajile.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Display Panning CPL Extension*/(null) =
@{32683183-48a0-441b-a342-7c2a440a9478} /*Media Band*/(null) =
@{5E44E225-A408-11CF-B581-008029601108} /*Adaptec DirectCD Shell Extension*/C:\PROGRA~1\Roxio\EASYCD~1\DirectCD\Shellex.dll = C:\PROGRA~1\Roxio\EASYCD~1\DirectCD\Shellex.dll
@{BDEADF00-C265-11D0-BCED-00A0C90AB50F} /*Web Folders*/C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
@{0006F045-0000-0000-C000-000000000046} /*Microsoft Outlook Custom Icon Handler*/C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL = C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL
@{42042206-2D85-11D3-8CFF-005004838597} /*Microsoft Office HTML Icon Handler*/C:\Program Files\Microsoft Office\Office10\msohev.dll = C:\Program Files\Microsoft Office\Office10\msohev.dll
@{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} /*Shell Extensions for RealOne Player*/(null) =
@{596AB062-B4D2-4215-9F74-E9109B0A8153} /*Previous Versions Property Page*/C:\WINDOWS\system32\twext.dll = C:\WINDOWS\system32\twext.dll
@{9DB7A13C-F208-4981-8353-73CC61AE2783} /*Previous Versions*/C:\WINDOWS\system32\twext.dll = C:\WINDOWS\system32\twext.dll
@{692F0339-CBAA-47e6-B5B5-3B84DB604E87} /*Extensions Manager Folder*/C:\WINDOWS\system32\extmgr.dll = C:\WINDOWS\system32\extmgr.dll
@{40DAD1B9-DDCF-4A31-A5D3-A03BC8881370} /*IndexingServiceExtExt Extension*/(null) =
@{EBDF1F20-C829-11D1-8233-FF20AF3E97A9} /*TrojanHunter Menu Shell Extension*/(null) =
@{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF} /*iTunes*/C:\Program Files\iTunes\iTunesMiniPlayer.dll = C:\Program Files\iTunes\iTunesMiniPlayer.dll
@{B41DB860-8EE4-11D2-9906-E49FADC173CA} /*WinRAR shell extension*/C:\Program Files\WinRAR\rarext.dll = C:\Program Files\WinRAR\rarext.dll
@{4AFB2C15-9D16-4478-AEF4-C3FC539961E4} /*ZEN Vision:M Series Media Explorer*/C:\Program Files\Creative\Creative ZEN Vision M Series\ZEN Vision M Series Media Explorer\SHCTMTP.dll = C:\Program Files\Creative\Creative ZEN Vision M Series\ZEN Vision M Series Media Explorer\SHCTMTP.dll
@{35786D3C-B075-49b9-88DD-029876E11C01} /*Portable Devices*/%SystemRoot%\system32\wpdshext.dll = %SystemRoot%\system32\wpdshext.dll
@{D6791A63-E7E2-4fee-BF52-5DED8E86E9B8} /*Portable Devices Menu*/%SystemRoot%\system32\wpdshext.dll = %SystemRoot%\system32\wpdshext.dll
@{e82a2d71-5b2f-43a0-97b8-81be15854de8} /*ShellLink for Application References*/C:\WINDOWS\system32\dfshim.dll = C:\WINDOWS\system32\dfshim.dll
@{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75} /*Shell Icon Handler for Application References*/C:\WINDOWS\system32\dfshim.dll = C:\WINDOWS\system32\dfshim.dll
@DSShellExtension /*{2C537739-793D-4214-9CF6-1371C4F1B1EB}*/(null) =
@{45670FA8-ED97-4F44-BC93-305082590BFB} /*Microsoft.XPS.Shell.Metadata.1*/%SystemRoot%\System32\XPSSHHDR.DLL = %SystemRoot%\System32\XPSSHHDR.DLL
@{44121072-A222-48f2-A58A-6D9AD51EBBE9} /*Microsoft.XPS.Shell.Thumbnail.1*/%SystemRoot%\System32\XPSSHHDR.DLL = %SystemRoot%\System32\XPSSHHDR.DLL

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ >>>
CTMTPMediaExplorer@{7895F317-A125-42CC-BD3E-5830765CE577} = C:\PROGRA~1\Creative\SHARED~1\CtCmeCtx.dll
McCtxMenu@{01576F39-90DE-4D6E-A068-5B20C22BAAEE} = c:\PROGRA~1\mcafee\VIRUSS~1\mcctxmnu.dll /*file not found*/
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ >>>
CTMTPMediaExplorer@{7895F317-A125-42CC-BD3E-5830765CE577} = C:\PROGRA~1\Creative\SHARED~1\CtCmeCtx.dll
MBAMShlExt@{57CE581A-0CB6-4266-9CA0-19364C90A0B3} = C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll
McCtxMenu@{01576F39-90DE-4D6E-A068-5B20C22BAAEE} = c:\PROGRA~1\mcafee\VIRUSS~1\mcctxmnu.dll /*file not found*/
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects@{BF56A325-23F2-42AD-F4E4-00AAC39CAA53} = C:\WINDOWS\system32\tajf83ikdmf.dll

HKCU\Control Panel\Desktop@SCRNSAVE.EXE = C:\WINDOWS\System32\logon.scr

HKLM\Software\Microsoft\Internet Explorer\Plugins\Extension\ >>>
.avi@Location = C:\Program Files\Netscape\Communicator\Program\PLUGINS\npavi32.dll
.spop@Location = C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome = http://www.microsoft...p...&ar=msnhome
@Start Pagehttp://www.google.com = http://www.google.com
@Local PageC:\windows\system32\blank.htm = C:\windows\system32\blank.htm

HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://education.dellnet.com/ = http://education.dellnet.com/
@Start Pagehttp://education.dellnet.com/ = http://education.dellnet.com/
@Local PageC:\WINDOWS\System32\blank.htm = C:\WINDOWS\System32\blank.htm

HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
cdo@CLSID = C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
dvd@CLSID = C:\WINDOWS\system32\msvidctl.dll
its@CLSID = C:\WINDOWS\system32\itss.dll
mhtml@CLSID = %SystemRoot%\System32\inetcomm.dll
ms-its@CLSID = C:\WINDOWS\system32\itss.dll
mso-offdap@CLSID = C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
tv@CLSID = C:\WINDOWS\system32\msvidctl.dll

HKLM\Software\Classes\PROTOCOLS\Handler\wia@CLSID = C:\WINDOWS\System32\wiascr.dll

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup = DESKTOP.INI

C:\Documents and Settings\All Users\Start Menu\Programs\Startup >>>
$McRebootA5E6DEAA56$.lnk = $McRebootA5E6DEAA56$.lnk
Amazon Unbox.lnk = Amazon Unbox.lnk
DESKTOP.INI = DESKTOP.INI
Digital Line Detect.lnk = Digital Line Detect.lnk
Exif Launcher.lnk = Exif Launcher.lnk

---- EOF - GMER 1.0.15 ----




3. mbr:


Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.6 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
BIOS signateure not found

#15
Transience
    Unofficial Music Guru
  • Retired Staff
  • 2,448 posts
Sorry for the delay getting back to you; let's give this a go:

1. Malwarebytes' Anti-Malware

Double-click mbam.exe to start the program.
  • When the program appears, click on the Update tab, then click Check for Updates.
  • If updates were found the program will download and install them, then restart itself.
  • Once the program has loaded, select Perform Full Scan, then click Scan.
  • The scan is different from the quick scan and will take a fairly long time to finish (you can leave it to run and go do something else), please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab.
  • Copy & Paste the entire report in your next reply.
Cheers,
Dave