Cannot run exe files - association broken after remove virus

JesseJames_2
Posts: 328 Forumite


in Techie Stuff
Tried to fix my mother-in-law's PC
It's XP Home
Had a false Microsoft anti-virus application.
Removed the process with Process Explorer.
But it came back after a few minutes.
So looked in regedit for "TCD.exe" and removed the 3 entries by blanking the data.
However the 3 entries appeared to create the association with exe files, but I carried on regardless.
The entry was in the form - full path to exe file %0 %1
Now can't open any exe file, e.g. Internet Explorer, regedit, etc.
I don't know how to associate exe files with the folder options as the error message suggests.
And I can't remember where in the registry the 3 entries were.
Any ideas how to associate the exe files?
Comments
Here's the .reg file alternatively if you struggle to unzip:
http://www.users.on.net/~russ/xp_exe_fix.reg
Can also do renaming tricks on EXEs as a temporary measure (rename to .COM, .SCR, etc), sometimes Run As, sometimes running from Task Manager.
Another option is Re-Enabler:
http://www.tangosoft.co.uk/re-enable v2.html
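As an added illustration of what a fix like the linked .reg file has to put back (example code written for this edit, not Russ's xp_exe_fix.reg and not code from anyone in the thread): the script below classifies the `exefile\shell\open\command` value as clean, blanked (the state the original poster produced) or hijacked, and renders a Regedit 5 .reg file that restores the stock XP defaults. The default values are assumed from a clean XP install; the hijacked sample is constructed to follow the "full path to exe file %0 %1" shape the poster described, using the tcd.exe path that appears in the Malwarebytes log later in the thread.

```python
"""Check the XP .exe file-association keys a fake-AV dropper hijacks, and
render a .reg file that puts the stock defaults back.

Added example for this thread; it is not the linked xp_exe_fix.reg and not
code from the thread. It runs offline on constructed registry values.
"""
import re
from typing import Optional

# Stock XP defaults for the two keys involved (assumed from a clean install,
# not taken from the thread). The second one is what the poster blanked.
EXPECTED = {
    r"HKEY_CLASSES_ROOT\.exe": "exefile",
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command": '"%1" %*',
}

def classify_open_command(value: Optional[str]) -> str:
    """Classify the (Default) value of exefile\\shell\\open\\command.

    'clean'          - the stock "%1" %* launcher
    'broken'         - empty or missing, which is what blanking the data in
                       regedit leaves behind (nothing can launch an .exe)
    'hijacked:<exe>' - some other program wedged in front of the real one
    """
    if value is None or value.strip() == "":
        return "broken"
    if value.strip() == '"%1" %*':
        return "clean"
    # Pull out the first path-like token so the report names the interloper.
    m = re.match(r'\s*"?([^"]+?\.exe)"?', value, re.IGNORECASE)
    return "hijacked:" + (m.group(1) if m else value.strip())

def reg_escape(s: str) -> str:
    """Escape a string for a REG_SZ value in Regedit 5 .reg syntax."""
    return s.replace("\\", "\\\\").replace('"', '\\"')

def build_fix_reg(keys=EXPECTED) -> str:
    """Render a .reg file resetting each key's (Default) value.

    Key paths are written with single backslashes; only values are escaped.
    The poster reports that importing such a file worked even while .exe
    launching was broken."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key, default in keys.items():
        lines.append("[%s]" % key)
        lines.append('@="%s"' % reg_escape(default))
        lines.append("")
    return "\r\n".join(lines)

# Constructed samples: the hijacked one follows the "full path to exe %0 %1"
# shape the poster described, using the tcd.exe path from the MBAM log.
SAMPLES = {
    "clean": '"%1" %*',
    "blanked": "",
    "hijacked": r'"C:\Documents and Settings\Admin\Local Settings\Application Data\tcd.exe" %0 %1',
}

if __name__ == "__main__":
    for name, val in SAMPLES.items():
        print("%-8s -> %s" % (name, classify_open_command(val)))
    print(build_fix_reg())
```

Running it prints the classification of the three sample values and the .reg text; the useful lesson is that a blanked value is just as fatal as a hijacked one, so the repair is to restore the known-good default rather than delete the entry.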
Thanks to both of you
That's it fixed - was able to run the reg file.
You'll want to run Malwarebytes, and depending on which fakeAV it is, you'll need to check for a rootkit (usually TDL/TDSS variants)
http://www.malwarebytes.org/mbam-download.php
http://support.kaspersky.com/downloads/utils/tdsskiller.exe
http://public.avast.com/~gmerek/aswMBR.htm
Always a good idea to run system restore to the day before, as you won't know exactly what has changed in the registry.
Double check all autoruns and scheduled tasks before rebooting:
http://technet.microsoft.com/en-us/sysinternals/bb963902
Doesn't hurt to clear all temp files, java cache, etc; my favourite tool has become Temp File Cleaner:
http://www.geekstogo.com/forum/files/file/187-tfc-temp-file-cleaner-by-oldtimer/
Thanks for the links Russ
Ran them all and got the remaining viruses off the PC.
Malwarebytes and Hijack This were clean after they removed problems.
Uninstalled Malware bytes.
Was down to 20 processes running in task manager before installing AVG just now.
Just a few niggles.
1) Having problems with internet.
Chrome browser says DNS servers not responding
Other PCs on the switch are OK, so something amiss here.
So added Google DNS servers manually and now working.
2) Opening up Internet browsers or Explorer windows it sometimes takes about 5/6 seconds to open.
I can then navigate folders instantly.
Opening up a second explorer is fast.
If I wait a few minutes with an explorer window open, it takes another 5 seconds to open a folder within explorer.
3) Installed Microsoft Security Essentials online
Installed OK, but complained that cannot turn windows firewall on.
But checked and Windows firewall was showing as on.
The MSE GUI does not start on start up, but the process is showing as running.
Manually starting MSE and the GUI comes on, but immediately shuts.
At the same time the blue MSE tray icon comes on and then turns red and disappears.
PC has 1.3GB memory with 800MB free
CPU settles at 0-3%
Hard drive is not crunching
Uninstalled MSE, and then installed an offline version of AVG
This appears to work AOK and updated fine.
Before I ran Malwarebytes, 1) and 2) were already happening.
Any ideas, anything I can try to check?
Might be an idea to post the logs then from Malwarebytes, and also the latest Hijackthis log so we can see for ourselves. Hijackthis doesn't itself diagnose, or even fix anything without intervention. Post the logs before getting to anything else if you don't mind.
Specifically, did TDSSkiller or aswMBR find anything amiss?
Did system restore run successfully? Try all the options in Re-Enabler linked above. Double check if security centre is running (can look in services.msc). If not, troubleshoot that. Might be like the other thread, and eventually have to resort to doing a repair reinstall (http://www.michaelstevenstech.com/XPrepairinstall.htm).
You might try HitmanPro to see if it spots anything amiss:
http://www.surfright.nl/en/hitmanpro
Also might be worth a try with Combofix, but you'll have to uninstall AVG and MSE and disable the firewall for it to work. Also should run the AVG removal tool a few times
http://www.avg.com/gb-en/download-tools
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
First
"Specifically, did TDSSkiller or aswMBR find anything amiss?"
No rootkits - both programs.
System restore did not work.
I'll post the logs in a mo...
Security centre was in the disabled state - now running
Ran Re-enabler - AOK, although all these were working before.
Malwarebytes found another today
Logs below
1) MWB - ran just now with 1 infection
2) Hijack This - ran just now
3) MWB - ran yesterday which had a few viruses on.
I am trying your other links just now.
Malwarebytes' Anti-Malware 1.51.0.1200
https://www.malwarebytes.org
Database version: 6879
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
17/06/2011 18:40:57
mbam-log-2011-06-17 (18-40-46).txt
Scan type: Quick scan
Objects scanned: 157619
Time elapsed: 3 minute(s), 8 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
c:\WINDOWS\ezebeqixiwu.dll (Trojan.Hiloti) -> No action taken.
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 18:53:05, on 17/06/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Admin\Desktop\Hijack This\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /installquiet
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1291854702265
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{12AD199B-99ED-4750-A343-5018CFF9EE0B}: NameServer = 8.8.8.8,8.8.4.4
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.165.47,93.188.166.247
O17 - HKLM\System\CS1\Services\Tcpip\..\{12AD199B-99ED-4750-A343-5018CFF9EE0B}: NameServer = 93.188.165.47,93.188.166.247
O17 - HKLM\System\CS2\Services\Tcpip\..\{12AD199B-99ED-4750-A343-5018CFF9EE0B}: NameServer = 8.8.8.8,8.8.4.4
O17 - HKLM\System\CS3\Services\Tcpip\..\{12AD199B-99ED-4750-A343-5018CFF9EE0B}: NameServer = 8.8.8.8,8.8.4.4
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
--
End of file - 5206 bytes
Malwarebytes' Anti-Malware 1.51.0.1200
https://www.malwarebytes.org
Database version: 6705
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
16/06/2011 21:41:55
mbam-log-2011-06-16 (21-41-55).txt
Scan type: Quick scan
Objects scanned: 170609
Time elapsed: 9 minute(s), 7 second(s)
Memory Processes Infected: 3
Memory Modules Infected: 1
Registry Keys Infected: 16
Registry Values Infected: 9
Registry Data Items Infected: 6
Folders Infected: 0
Files Infected: 30
Memory Processes Infected:
c:\documents and settings\Admin\application data\dwm.exe (Trojan.Downloader) -> 1908 -> Unloaded process successfully.
c:\WINDOWS\Vmalya.exe (Trojan.Downloader) -> 208 -> Unloaded process successfully.
c:\documents and settings\Admin\application data\microsoft\conhost.exe (Trojan.Agent) -> 144 -> Unloaded process successfully.
Memory Modules Infected:
c:\WINDOWS\jtmthusu.dll (Trojan.Hiloti) -> Delete on reboot.
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256A51-B582-467e-B8D4-7786EDA79AE0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256A51-B582-467e-B8D4-7786EDA79AE0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{00A6FAF1-072E-44CF-8957-5838F569A31D} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00A6FAF1-072E-44CF-8957-5838F569A31D} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{07B18EA1-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EA1-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{07B18EA9-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EA9-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00A6FAF6-072E-44CF-8957-5838F569A31D} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EAB-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3DC201FB-E9C9-499C-A11F-23C360D7C3F8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\NtWqIVLZEWZU (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\ (Hijack.Zones) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\MOUSEDRIVER (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Tmijogiseyi (Trojan.Hiloti) -> Value: Tmijogiseyi -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YDZ1QVAGOJ (Trojan.Downloader) -> Value: YDZ1QVAGOJ -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost (Trojan.Agent) -> Value: conhost -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Load (Trojan.Agent) -> Value: Load -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell.Gen) -> Value: Shell -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\win (Trojan.Agent) -> Value: win -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\init (Trojan.Agent) -> Value: init -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer (PUM.Bad.Proxy) -> Value: ProxyServer -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MouseDriver\ImagePath (Trojan.Agent) -> Value: ImagePath -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Load (Trojan.Agent) -> Bad: (C:\DOCUME~1\Admin\LOCALS~1\Temp\csrss.exe) Good: () -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Bad: (93.188.165.47,93.188.166.247) Good: () -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{12AD199B-99ED-4750-A343-5018CFF9EE0B}\NameServer (Trojan.DNSChanger) -> Bad: (93.188.165.47,93.188.166.247) Good: () -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
c:\WINDOWS\jtmthusu.dll (Trojan.Hiloti) -> Delete on reboot.
c:\documents and settings\Admin\application data\dwm.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\Documents and Settings\Admin\Local Settings\Temp\Vlq.exe (Trojan.Downloader) -> Delete on reboot.
c:\WINDOWS\Vmalya.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\Documents and Settings\Admin\Local Settings\Temp\Vll.exe (Trojan.Downloader) -> Delete on reboot.
c:\documents and settings\Admin\application data\conima.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
c:\documents and settings\Admin\application data\kx0378r.exe (Heuristics.Shuriken) -> Quarantined and deleted successfully.
c:\documents and settings\Admin\application data\lssas.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
c:\documents and settings\Admin\application data\manager.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
c:\documents and settings\Admin\local settings\Temp\0.2905359784054694.exe (Backdoor.Cycbot.Gen) -> Quarantined and deleted successfully.
c:\documents and settings\Admin\local settings\Temp\0.9664368237650729.exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
c:\documents and settings\Admin\local settings\Temp\rsoxmwenca.tmp (Trojan.Hiloti) -> Quarantined and deleted successfully.
c:\documents and settings\Admin\local settings\Temp\aeoxmsnrwc.tmp (Heuristics.Shuriken) -> Quarantined and deleted successfully.
c:\documents and settings\Admin\local settings\Temp\Vli.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\documents and settings\Admin\local settings\Temp\Vlj.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\documents and settings\Admin\local settings\Temp\Vlk.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\documents and settings\Admin\local settings\Temp\Vlm.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\documents and settings\Admin\local settings\Temp\Vln.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\documents and settings\Admin\local settings\Temp\Vlo.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\documents and settings\Admin\local settings\Temp\Vlp.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\documents and settings\Admin\local settings\application data\tcd.exe (Trojan.ExeShell.Gen) -> Quarantined and deleted successfully.
c:\documents and settings\Admin\local settings\temporary internet files\Content.IE5\NXNWUXKR\xvidsetup[1].exe (Adware.Hotbar) -> Quarantined and deleted successfully.
c:\documents and settings\Admin\application data\microsoft\conhost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\Admin\local settings\Temp\0.7818756726220346.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\documents and settings\Admin\local settings\Temp\0.551640440847503.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\documents and settings\Admin\local settings\Temp\csrss.exe (Trojan.Agent) -> Delete on reboot.
c:\WINDOWS\Tasks\{22116563-108c-42c0-a7ce-60161b75e508}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\WINDOWS\Tasks\{bbaeaeaf-1275-40e2-bd6c-bc8f88bd114a}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\WINDOWS\Tasks\{810401e2-dde0-454e-b0e2-aa89c9e5967c}.job (Trojan.FraudPack) -> Quarantined and deleted successfully.
c:\documents and settings\Admin\application data\mousedriver.bat (Trojan.Agent) -> Quarantined and deleted successfully.
The trojan left behind a DNS hijack. I would definitely run Combofix, as it's had a full package there and it's likely there's a rootkit as well. Make sure 'security center' under services.msc is set to 'Automatic (delayed start)'.
Go back into Hijackthis, and Check and Fix the following:
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1291854702265
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.165.47,93.188.166.247
O17 - HKLM\System\CS1\Services\Tcpip\..\{12AD199B-99ED-4750-A343-5018CFF9EE0B}: NameServer = 93.188.165.47,93.188.166.247
They are Ukrainian IP addresses: 93.188.166.247, etc.
You really should uninstall Java unless it's specifically required by a program.
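The DNS hijack called out above is easy to miss because the posted log already shows CurrentControlSet (CCS) pointing at Google DNS while ControlSet001 (CS1) still carries the replaced resolvers. The script below is an added example (not code from the thread and not part of HijackThis) that parses O17 lines per control set and flags any resolver outside a trusted set, and separately flags O4 autoruns whose target lives in a user profile or Temp directory, which is where the Malwarebytes log shows the dwm.exe/conhost.exe/csrss.exe look-alikes were dropped. The O17 sample lines are copied from the log posted in the thread; the `[dwm]` O4 line is constructed, and the trusted-resolver set is an assumption based on the poster saying he set Google DNS by hand.

```python
"""Triage HijackThis O17 (NameServer) and O4 (Run) lines for the two hijacks
discussed in this thread: replaced DNS resolvers and autoruns living in the
user profile.

Added example, not code from the thread and not part of HijackThis. The
sample lines are copied from the log posted above, plus one constructed O4
line modelled on the profile-resident droppers in the MBAM log.
"""
import ipaddress
import re
from collections import defaultdict

# Resolvers the owner set on purpose (Google DNS, per the thread). Private
# addresses are also accepted so a router-supplied resolver is not flagged.
TRUSTED_RESOLVERS = {"8.8.8.8", "8.8.4.4"}

O17_RE = re.compile(
    r"^O17 - HKLM\\System\\(?P<cs>CCS|CS\d+)\\Services\\Tcpip\\(?P<where>.*?)"
    r": NameServer = (?P<ns>.+)$"
)
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)[^:]*: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
PROFILE_PATH_RE = re.compile(r"documents and settings|\\temp\\|application data", re.I)

def resolver_is_trusted(ip_text):
    """True for RFC1918 addresses and the explicitly trusted public resolvers."""
    ip = ipaddress.ip_address(ip_text.strip())
    return ip.is_private or str(ip) in TRUSTED_RESOLVERS

def parse_o17(lines):
    """Yield (control_set, location, [resolver, ...]) for every O17 line."""
    for line in lines:
        m = O17_RE.match(line.strip())
        if m:
            yield m["cs"], m["where"], [x.strip() for x in m["ns"].split(",")]

def dns_findings(lines):
    """Map control set -> [(location, [untrusted resolver, ...])].

    Keying by control set matters: in the posted log CCS (the live config)
    already shows Google DNS while CS1 still carries the hijacker's resolvers,
    so a check that only reads CurrentControlSet would report the box clean."""
    findings = defaultdict(list)
    for cs, where, resolvers in parse_o17(lines):
        bad = [r for r in resolvers if not resolver_is_trusted(r)]
        if bad:
            findings[cs].append((where, bad))
    return dict(findings)

def suspicious_autoruns(lines):
    """Return (value name, command) for O4 entries whose target sits under a
    user profile or Temp directory, where the MBAM log shows the dwm.exe,
    conhost.exe and csrss.exe look-alikes were dropped."""
    hits = []
    for line in lines:
        m = O4_RE.match(line.strip())
        if m and PROFILE_PATH_RE.search(m["cmd"]):
            hits.append((m["name"], m["cmd"]))
    return hits

# Sample input: O17 lines as posted in the thread; the [dwm] O4 line is constructed.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [dwm] C:\Documents and Settings\Admin\Application Data\dwm.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{12AD199B-99ED-4750-A343-5018CFF9EE0B}: NameServer = 8.8.8.8,8.8.4.4
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.165.47,93.188.166.247
O17 - HKLM\System\CS1\Services\Tcpip\..\{12AD199B-99ED-4750-A343-5018CFF9EE0B}: NameServer = 93.188.165.47,93.188.166.247
O17 - HKLM\System\CS2\Services\Tcpip\..\{12AD199B-99ED-4750-A343-5018CFF9EE0B}: NameServer = 8.8.8.8,8.8.4.4
""".strip().splitlines()

if __name__ == "__main__":
    for cs, items in sorted(dns_findings(SAMPLE_LOG).items()):
        for where, bad in items:
            print("DNS: %s %s -> %s" % (cs, where, ", ".join(bad)))
    for name, cmd in suspicious_autoruns(SAMPLE_LOG):
        print("AUTORUN: [%s] %s" % (name, cmd))
```

On the sample it reports only CS1 (both the Parameters key and the interface key) and the one profile-resident autorun, which is the same pair of items the reply above asks to be fixed and the same stale control set that System Restore would otherwise carry back.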