MajorGeeks Support Forums

Go Back   MajorGeeks Support Forums > ----------= PC, Desktop and Laptop Support =---------- > Malware Removal
Register FAQ Members List Calendar Casino Mark Forums Read

Malware Removal Malware removal forum. Please see the READ ME FIRST thread before you post. Forum is staffed by a small number of volunteers, please be patient.


Reply
 
Thread Tools Display Modes
  #1  
Old 09-11-11, 20:34
tgudroe tgudroe is offline
Private E-2
 
Join Date: Sep 2011
Posts: 8
Thanks: 0
Thanked 0 Times in 0 Posts
Default Broken file extensions

I had a virus that was redirecting my search links. I went through initial malware protocols and it appears to be resolved, but it left me with a broken file extension (specifically .exe files). I was using a workaround to temporarily allow me to run applications so I have been able to generate most of the required logs. I was not able to get a mgtools log. I double clicked, got a brief pop-up box then nothing. No log generated. Here are the rest.
Attached Files
File Type: txt SASlog.txt (763 Bytes, 2 views)
File Type: txt mbamlog.txt (901 Bytes, 1 views)
File Type: txt combofix.txt (23.3 KB, 5 views)
File Type: txt RRlog.txt (568 Bytes, 1 views)
Reply With Quote
Sponsored links
  #2  
Old 09-11-11, 20:37
thisisu's Avatar
thisisu thisisu is offline
Malware Consultant
 
Join Date: Apr 2006
Location: Houston, TX
Posts: 8,175
Thanks: 270
Thanked 1,437 Times in 1,356 Posts
Default Re: Broken file extensions

Hi and welcome to Major Geeks, tgudroe!

Let's see if this can fix it. And I will review the rest of your logs.

Please download exeHelper by Raktor.
  • Double-click on exeHelper.com to run the fix.
  • A black window should pop up, press any key to close once the fix is completed.
  • A log file named exeHelperlog.txt will be created in the directory where you ran exeHelper.com
  • Attach the exeHelperlog.txt file to your next message. (How to attach items to your post)
    Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).
Reply With Quote
  #3  
Old 09-11-11, 20:51
thisisu's Avatar
thisisu thisisu is offline
Malware Consultant
 
Join Date: Apr 2006
Location: Houston, TX
Posts: 8,175
Thanks: 270
Thanked 1,437 Times in 1,356 Posts
Default Re: Broken file extensions

Please download Disable/Remove Windows Messenger by Doug Knox to your desktop.
See the download links under this icon:
  • Double-click MessengerDisable.exe
  • Place a check-mark in Uninstall Windows Messenger
  • Click Apply
  • Click Exit

Now we need to make use of ComboFix by sUBs
  • Make sure that ComboFix.exe that you downloaded while doing the READ & RUN ME is on your desktop but do not run it!
    • If it is not on your desktop, the below will not work.
  • Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
  • Open Notepad and copy/paste the text in the below code box into Notepad:
Code:
RegLock::
[HKEY_USERS\S-1-5-21-220523388-879983540-1417001333-1004\Software\SecuROM\License information*]
"datasecu"=hex:0a,a6,8c,c8,d0,c3,d6,95,aa,96,fa,7a,b0,64,47,31,6e,4e,ee,d3,93,
   99,e0,79,69,42,4a,6a,5b,d4,cc,0b,a1,3f,8a,8f,db,39,1d,08,32,17,13,cc,96,11,\
"rkeysecu"=hex:5c,a5,1e,2b,49,09,ae,85,5d,ac,6d,89,c7,4a,3b,6c
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}]
@DACL=(02 0000)
@="Microsoft Disk Quota"
"NoMachinePolicy"=dword:00000000
"NoUserPolicy"=dword:00000001
"NoSlowLink"=dword:00000001
"NoBackgroundPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"PerUserLocalSettings"=dword:00000000
"RequiresSuccessfulRegistry"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000000
"DllName"=expand:"dskquota.dll"
"ProcessGroupPolicy"="ProcessGroupPolicy"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}]
@DACL=(02 0000)
@="Internet Explorer Zonemapping"
"DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"
"ProcessGroupPolicy"="ProcessGroupPolicyForZoneMap"
"NoGPOListChanges"=dword:00000001
"RequiresSucessfulRegistry"=dword:00000001
"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051"
"RequiresSuccessfulRegistry"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7B849a69-220F-451E-B3FE-2CB811AF94AE}]
@DACL=(02 0000)
@="Internet Explorer User Accelerators"
"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051"
"DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"
"NoGPOListChanges"=dword:00000001
"ProcessGroupPolicy"="ProcessGroupPolicyForActivities"
"ProcessGroupPolicyEx"="ProcessGroupPolicyForActivitiesEx"
"RequiresSuccessfulRegistry"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}]
@DACL=(02 0000)
"ProcessGroupPolicy"="SceProcessSecurityPolicyGPO"
"GenerateGroupPolicy"="SceGenerateGroupPolicy"
"ExtensionRsopPlanningDebugLevel"=dword:00000001
"ProcessGroupPolicyEx"="SceProcessSecurityPolicyGPOEx"
"ExtensionDebugLevel"=dword:00000001
"DllName"=expand:"scecli.dll"
@="Security"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000001
"MaxNoGPOListChangesInterval"=dword:000003c0
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}]
@DACL=(02 0000)
"ProcessGroupPolicyEx"="ProcessGroupPolicyEx"
"GenerateGroupPolicy"="GenerateGroupPolicy"
"ProcessGroupPolicy"="ProcessGroupPolicy"
"DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"
@="Internet Explorer Branding"
"NoSlowLink"=dword:00000001
"NoBackgroundPolicy"=dword:00000000
"NoGPOListChanges"=dword:00000001
"NoMachinePolicy"=dword:00000001
"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3014"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}]
@DACL=(02 0000)
"ProcessGroupPolicy"="SceProcessEFSRecoveryGPO"
"DllName"=expand:"scecli.dll"
@="EFS recovery"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"RequiresSuccessfulRegistry"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B587E2B1-4D59-4e7e-AED9-22B9DF11D053}]
@DACL=(02 0000)
@="802.3 Group Policy"
"DisplayName"=expand:"@dot3gpclnt.dll,-100"
"ProcessGroupPolicyEx"="ProcessLANPolicyEx"
"GenerateGroupPolicy"="GenerateLANPolicy"
"DllName"=expand:"dot3gpclnt.dll"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C631DF4C-088F-4156-B058-4375F0853CD8}]
@DACL=(02 0000)
@="Microsoft Offline Files"
"DllName"=expand:"%SystemRoot%\\System32\\cscui.dll"
"EnableAsynchronousProcessing"=dword:00000000
"NoBackgroundPolicy"=dword:00000000
"NoGPOListChanges"=dword:00000000
"NoMachinePolicy"=dword:00000000
"NoSlowLink"=dword:00000000
"NoUserPolicy"=dword:00000001
"PerUserLocalSettings"=dword:00000000
"ProcessGroupPolicy"="ProcessGroupPolicy"
"RequiresSuccessfulRegistry"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}]
@DACL=(02 0000)
@="Software Installation"
"DllName"=expand:"appmgmts.dll"
"ProcessGroupPolicyEx"="ProcessGroupPolicyObjectsEx"
"GenerateGroupPolicy"="GenerateGroupPolicy"
"NoBackgroundPolicy"=dword:00000000
"RequiresSucessfulRegistry"=dword:00000000
"NoSlowLink"=dword:00000001
"PerUserLocalSettings"=dword:00000001
"EventSources"=multi:"(Application Management,Application)\00(MsiInstaller,Application)\00\00"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}]
@DACL=(02 0000)
@="Internet Explorer Machine Accelerators"
"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051"
"DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"
"NoGPOListChanges"=dword:00000001
"ProcessGroupPolicy"="ProcessGroupPolicyForActivities"
"ProcessGroupPolicyEx"="ProcessGroupPolicyForActivitiesEx"
"RequiresSuccessfulRegistry"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
@DACL=(02 0000)
"DllName"="c:\\Program Files\\SUPERAntiSpyware\\SASWINLO.DLL"
"Logon"="SABWINLOLogon"
"Logoff"="SABWINLOLogoff"
"Startup"="SABWINLOStartup"
"Shutdown"="SABWINLOShutdown"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
@DACL=(02 0000)
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avgrsstarter]
@DACL=(02 0000)
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
@DACL=(02 0000)
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=expand:"crypt32.dll"
"Logoff"="ChainWlxLogoffEvent"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
@DACL=(02 0000)
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=expand:"cryptnet.dll"
"Logoff"="CryptnetWlxLogoffEvent"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
@DACL=(02 0000)
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy]
@DACL=(02 0000)
"Asynchronous"=dword:00000001
"DllName"=expand:"%SystemRoot%\\System32\\dimsntfy.dll"
"Startup"="WlDimsStartup"
"Shutdown"="WlDimsShutdown"
"Logon"="WlDimsLogon"
"Logoff"="WlDimsLogoff"
"StartShell"="WlDimsStartShell"
"Lock"="WlDimsLock"
"Unlock"="WlDimsUnlock"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
@DACL=(02 0000)
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
@DACL=(02 0000)
"Asynchronous"=dword:00000000
"DllName"=expand:"wlnotify.dll"
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
@DACL=(02 0000)
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=expand:"sclgntfy.dll"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
@DACL=(02 0000)
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
@DACL=(02 0000)
"Asynchronous"=dword:00000000
"DllName"=expand:"wlnotify.dll"
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
@DACL=(02 0000)
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
@DACL=(02 0000)
"HelpAssistant"=dword:00000000
"TsInternetUser"=dword:00000000
"SQLAgentCmdExec"=dword:00000000
"NetShowServices"=dword:00000000
"IWAM_"=dword:00010000
"IUSR_"=dword:00010000
"VUSR_"=dword:00010000
.
  • Save the above as CFScript.txt and make sure you save it to the same location (should be on your desktop) as ComboFix.exe
  • At this point, you must exit all browsers now before continuing!
  • You should have both the ComboFix.exe and CFScript.txt icons on your desktop.
  • Now use your mouse to drag CFScript.txt on top of ComboFix.exe.
  • This shall launch ComboFix.
    Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
  • Allow ComboFix to update itself if prompted.
  • When it finishes, a log will be produced at C:\ComboFix.txt
    Note: If after running ComboFix you discover none of your programs will open up because you receive the following error: Illegal operation attempted on a registry key that has been marked for deletion then you will need to reboot your computer which will normally fix this problem.
  • Attach this log to your next message. (How to attach items to your post)

Now download the following: DebugMGT.bat to your desktop.
Reply With Quote
  #4  
Old 09-12-11, 18:42
tgudroe tgudroe is offline
Private E-2
 
Join Date: Sep 2011
Posts: 8
Thanks: 0
Thanked 0 Times in 0 Posts
Default Re: Broken file extensions

So after booting up my computer today, it appears that just going through the pre-posting steps has resolved the issue. I did continue with the requested programs though. When I ran combofix, it asked me to update and then restarted. Not sure if that makes a difference. Here are the logs.
Attached Files
File Type: txt exehelperlog.txt (414 Bytes, 2 views)
File Type: txt combovixlog.txt (14.2 KB, 3 views)
File Type: txt mginfo.txt (24.7 KB, 4 views)
Reply With Quote
  #5  
Old 09-12-11, 20:21
thisisu's Avatar
thisisu thisisu is offline
Malware Consultant
 
Join Date: Apr 2006
Location: Houston, TX
Posts: 8,175
Thanks: 270
Thanked 1,437 Times in 1,356 Posts
Default Re: Broken file extensions

Please download The Avenger by Swandog46 to your desktop.
  • See the download links under this icon:
  • Open avenger.zip and extract avenger.exe to your desktop
  • Run avenger.exe by double-clicking on it.
  • Click OK at the warning to continue to use The Avenger.
    Note: Do not change any of the check box options!
  • Shut down your protection software now to avoid possible conflicts.
  • Copy everything in the code box below, and paste it into the Input script here: text-field.
    Code:
    Files to delete:
    C:\{044CB556-4BAE-4FCF-B9AC-B1EC155BE9AA}.dll
    C:\{1CBD4EC1-4187-4AAC-B8D5-CAFAB0504257}.dll
    C:\{4D7CA135-CF94-49BF-B149-2A2F4516ED5C}.dll
    C:\{77F6F136-522D-4967-9613-1CD5D961D873}.dll
    C:\{7FF30AB7-EF5A-4CC6-B367-5BF36028929E}.dll
    C:\{A9DBD395-0E85-4F25-9ABC-52DC55AB1B38}.dll
    C:\{B17AEC53-5C76-4AAA-A069-CFBC3BBD5186}.dll
    C:\{C2F84D37-734F-416E-BA9A-A842A3E46C07}.dll
    C:\{DB819BC5-6B6A-4ED2-ABC1-C8BED08FFF08}.dll
    C:\{EE7253A7-0D2C-4563-9F48-A64343459199}.dll
    C:\Documents and Settings\Travis\Desktop\kb5npgdj.exe
    C:\Documents and Settings\Travis\Desktop\popcinfot.dat
  • Now click the button.
  • Click Yes to the prompt to confirm you want to execute.
  • Click Yes to the Reboot now? question that will appear when The Avenger finishes running.
  • Your PC should reboot, if not, reboot it yourself.
  • A log file from The Avenger will be produced at C:\avenger.txt and it will pop-up for you to view when you login after reboot.
  • Attach avenger.txt to your next message. (How to attach items to your post)

Now download a new MGtools to the root of your C:\ drive (not to your desktop!).
Refer to the following: Using MGtools
Attach MGlogs.zip if it creates this time. (How to attach items to your post)
Reply With Quote
Sponsored links
  #6  
Old 09-12-11, 23:22
tgudroe tgudroe is offline
Private E-2
 
Join Date: Sep 2011
Posts: 8
Thanks: 0
Thanked 0 Times in 0 Posts
Default Re: Broken file extensions

Here you go.
Attached Files
File Type: txt avenger.txt (2.7 KB, 2 views)
File Type: zip MGlogs.zip (177.0 KB, 1 views)
Reply With Quote
  #7  
Old 09-12-11, 23:55
thisisu's Avatar
thisisu thisisu is offline
Malware Consultant
 
Join Date: Apr 2006
Location: Houston, TX
Posts: 8,175
Thanks: 270
Thanked 1,437 Times in 1,356 Posts
Default Re: Broken file extensions

From Add/Remove Programs (via Control Panel), please uninstall the below:
  • Java(TM) 6 Update 26 <-- old
  • Coupon Printer for Windows <-- if you do not use it.
  • Windows Internet Explorer 7 <-- suspicious since you have ie8 installed.

Now we need to make use of ComboFix by sUBs
  • Make sure that ComboFix.exe that you downloaded while doing the READ & RUN ME is on your desktop but do not run it!
    • If it is not on your desktop, the below will not work.
  • Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
  • Open Notepad and copy/paste the text in the below code box into Notepad:
Code:
KillAll::
DirLook::
C:\Documents and Settings\Travis\Local Settings\Application Data\DNA
C:\Documents and Settings\Travis\Desktop\KPR
File::
C:\Documents and Settings\Travis\Local Settings\Application Data\20p3ovnf4xr7113t28jw2ia45ds3kj676tg48011yyx
C:\Documents and Settings\All Users\Application Data\20p3ovnf4xr7113t28jw2ia45ds3kj676tg48011yyx
C:\Documents and Settings\Travis\Templates\20p3ovnf4xr7113t28jw2ia45ds3kj676tg48011yyx
C:\Documents and Settings\Travis\Local Settings\Application Data\526py1f45q3yx26sn
C:\Documents and Settings\All Users\Application Data\526py1f45q3yx26sn
C:\Documents and Settings\Travis\Templates\526py1f45q3yx26sn
C:\Documents and Settings\Travis\Local Settings\Application Data\FC9106US.exe
C:\Documents and Settings\Travis\Local Settings\Application Data\prvlcl.dat
C:\WINDOWS\system32\575041183
C:\Documents and Settings\Travis\Local Settings\temp\AxentraLog.txt
C:\Documents and Settings\Travis\Local Settings\temp\clclean.0001
FileLook::
C:\Documents and Settings\Travis\Local Settings\Application Data\FC9106US.exe
Folder::
C:\Documents and Settings\Travis\Local Settings\Application Data\ffeccyiod
C:\Documents and Settings\Travis\Local Settings\Application Data\umwcvngvb
C:\Documents and Settings\NetworkService\Local Settings\Application Data\vsvbrsnia
C:\Documents and Settings\Travis\Local Settings\temp\clclean.0001.dir.0000
RegLock::
[HKEY_USERS\S-1-5-21-220523388-879983540-1417001333-1004\Software\SecuROM\License information*]
"datasecu"=hex:0a,a6,8c,c8,d0,c3,d6,95,aa,96,fa,7a,b0,64,47,31,6e,4e,ee,d3,93,
   99,e0,79,69,42,4a,6a,5b,d4,cc,0b,a1,3f,8a,8f,db,39,1d,08,32,17,13,cc,96,11,\
"rkeysecu"=hex:5c,a5,1e,2b,49,09,ae,85,5d,ac,6d,89,c7,4a,3b,6c
Registry::
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{1DD1386C-0927-442C-B50C-C90CCCC8E4CF}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{3f963a5b-e555-4543-90e2-c3908898db71}"=-
  • Save the above as CFScript.txt and make sure you save it to the same location (should be on your desktop) as ComboFix.exe
  • At this point, you must exit all browsers now before continuing!
  • You should have both the ComboFix.exe and CFScript.txt icons on your desktop.
  • Now use your mouse to drag CFScript.txt on top of ComboFix.exe.
  • This shall launch ComboFix.
    Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
  • Allow ComboFix to update itself if prompted.
  • When it finishes, a log will be produced at C:\ComboFix.txt
    Note: If after running ComboFix you discover none of your programs will open up because you receive the following error: Illegal operation attempted on a registry key that has been marked for deletion then you will need to reboot your computer which will normally fix this problem.
  • Attach this log to your next message. (How to attach items to your post)

Now we need to run TDSSKiller by Kaspersky
Follow the instructions here and attach your log when you are finished. (How to attach items to your post)


Please download MBRCheck by GeeksToGo to your desktop.
See the download links under this icon
  • Double click MBRCheck.exe to run (Vista and Win7 right click and select Run as Administrator)
  • It will show a Black screen with some information that will contain either the below line if no problem is found:
    • Done! Press ENTER to exit...
  • Or you will see more information like below if a problem is found:
    • Found non-standard or infected MBR.
    • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
  • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
  • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
  • Attach this log to your next message. (How to attach items to your post)

Now install the current version of Sun Java from: Sun Java Runtime Environment


Now run C:\MGtools\GetLogs.bat by double-clicking it (Vista and Win7 right-click and select Run as Administrator)
Then attach C:\MGlogs.zip to your next message. (How to attach items to your post)
Notes:
  • This will automatically update all the logs inside MGlogs.zip
  • Make sure you click Accept on the License Agreement from Trend Micro HiJackThis - v2.0.4 twice if prompted.

LET ME KNOW HOW THE PC IS RUNNING AFTER YOU HAVE COMPLETED THESE STEPS
Reply With Quote
  #8  
Old 09-14-11, 18:38
tgudroe tgudroe is offline
Private E-2
 
Join Date: Sep 2011
Posts: 8
Thanks: 0
Thanked 0 Times in 0 Posts
Default Re: Broken file extensions

Tried to run combofix twice. The first time it asked me if I wanted to update, i clicked yes, it restarted and hung on a blue window. I left it for 2 hours and nothing changed. The second time it didn't even give me the blue window. I ran the other scans.
Attached Files
File Type: txt TDSSKiller.2.5.22.0_14.09.2011_19.17.45_log.txt (43.5 KB, 1 views)
File Type: txt MBRCheck_09.14.11_19.20.24.txt (10.8 KB, 2 views)
File Type: zip MGlogs.zip (192.7 KB, 4 views)
Reply With Quote
  #9  
Old 09-14-11, 18:41
tgudroe tgudroe is offline
Private E-2
 
Join Date: Sep 2011
Posts: 8
Thanks: 0
Thanked 0 Times in 0 Posts
Default Re: Broken file extensions

computer seems to be running normally.
Reply With Quote
  #10  
Old 09-14-11, 18:58
thisisu's Avatar
thisisu thisisu is offline
Malware Consultant
 
Join Date: Apr 2006
Location: Houston, TX
Posts: 8,175
Thanks: 270
Thanked 1,437 Times in 1,356 Posts
Default Re: Broken file extensions

Copy the bold text below to Notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "All files" Once you have saved it double click it and allow it to merge with the registry.
Quote:
REGEDIT4

[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{1DD1386C-0927-442C-B50C-C90CCCC8E4CF}]
Make sure that you tell me if you receive a success message about adding the above
to the registry. If you do not get a success message, it definitely did not work.

Now we need to make use of The Avenger by Swandog46.
  • Run avenger.exe by double-clicking on it.
  • Click OK at the warning to continue to use The Avenger.
    Note: Do not change any of the check box options!
  • Shut down your protection software now to avoid possible conflicts.
  • Copy everything in the code box below, and paste it into the Input script here: text-field.
    Code:
    Files to delete:
    C:\Documents and Settings\Travis\Local Settings\Application Data\20p3ovnf4xr7113t28jw2ia45ds3kj676tg48011yyx
    C:\Documents and Settings\All Users\Application Data\20p3ovnf4xr7113t28jw2ia45ds3kj676tg48011yyx
    C:\Documents and Settings\Travis\Templates\20p3ovnf4xr7113t28jw2ia45ds3kj676tg48011yyx
    C:\Documents and Settings\Travis\Local Settings\Application Data\526py1f45q3yx26sn
    C:\Documents and Settings\All Users\Application Data\526py1f45q3yx26sn
    C:\Documents and Settings\Travis\Templates\526py1f45q3yx26sn
    C:\Documents and Settings\Travis\Local Settings\Application Data\FC9106US.exe
    C:\Documents and Settings\Travis\Local Settings\Application Data\prvlcl.dat
    C:\WINDOWS\system32\575041183
    C:\Documents and Settings\Travis\Local Settings\temp\AxentraLog.txt
    C:\Documents and Settings\Travis\Local Settings\temp\clclean.0001
    Folders to delete:
    C:\Documents and Settings\Travis\Local Settings\Application Data\ffeccyiod
    C:\Documents and Settings\Travis\Local Settings\Application Data\umwcvngvb
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\vsvbrsnia
    C:\Documents and Settings\Travis\Local Settings\temp\clclean.0001.dir.0000
    Registry keys to delete:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}
    Registry values to delete:
    HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions | {3f963a5b-e555-4543-90e2-c3908898db71}
  • Now click the button.
  • Click Yes to the prompt to confirm you want to execute.
  • Click Yes to the Reboot now? question that will appear when The Avenger finishes running.
  • Your PC should reboot, if not, reboot it yourself.
  • A log file from The Avenger will be produced at C:\avenger.txt and it will pop-up for you to view when you login after reboot.
  • Attach avenger.txt to your next message. (How to attach items to your post)

Now run C:\MGtools\GetLogs.bat by double-clicking it (Vista and Win7 right-click and select Run as Administrator)
Then attach C:\MGlogs.zip to your next message. (How to attach items to your post)
Notes:
  • This will automatically update all the logs inside MGlogs.zip
  • Make sure you click Accept on the License Agreement from Trend Micro HiJackThis - v2.0.4 twice if prompted.
Reply With Quote
Sponsored links
  #11  
Old 09-15-11, 19:23
tgudroe tgudroe is offline
Private E-2
 
Join Date: Sep 2011
Posts: 8
Thanks: 0
Thanked 0 Times in 0 Posts
Default Re: Broken file extensions

registry addition was successful. Here are the logs
Attached Files
File Type: txt avenger.txt (4.9 KB, 1 views)
File Type: zip MGlogs.zip (191.7 KB, 2 views)
Reply With Quote
  #12  
Old 09-15-11, 19:49
thisisu's Avatar
thisisu thisisu is offline
Malware Consultant
 
Join Date: Apr 2006
Location: Houston, TX
Posts: 8,175
Thanks: 270
Thanked 1,437 Times in 1,356 Posts
Default Re: Broken file extensions

Ok, latest logs look good.

If you are not having any other malware problems, it is time to do our final steps:
  1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
  2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
    • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
    • "%userprofile%\Desktop\combofix" /uninstall
      • Notes: The space between the combofix" and the /uninstall, it must be there.
      • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
  3. Go back to step 6 oof the READ ME and renable your Disk Emulation software with Defogger if you had disabled it.
  4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
  5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
  6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
  7. Go to add/remove programs and uninstall HijackThis if it present
  8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
    related to MGtools and some other items from our cleaning procedures.
  9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
    • Refer to the cleaning procedures pointed to by step 7 of the READ ME
      for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
    • Then reboot and Enable System Restore to create a new clean Restore Point.
  10. After doing the above, you should work thru the below link:
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
File Extensions durkinjt Software 6 02-26-11 15:22
cgi file extensions gapeach Malware Removal 1 10-08-04 22:47
Problem with file extensions saraigift Software 6 07-24-04 22:36
Changing File Extensions =B33F=Reaper Software 2 01-30-04 00:22
File extensions Balbanebeoulve Software 0 03-18-03 15:04


All times are GMT -5. The time now is 23:46.

MajorGeeks.Com Menu

MajorGeeks.Com \ All In One Tweaks \ Android \ Anti-Malware \ Anti-Virus \ Appearance \ Backup \ Browsers \ CD\DVD\Blu-Ray \ Covert Ops \ Drive Utilities \ Drivers \ Graphics \ Internet Tools \ Multimedia \ Networking \ Office Tools \ NEW! PC Games \ System Tools \ Macintosh \ Demonews.Com \ Top Downloads

MajorGeeks.Com \ News (Tech) \ Off Base (Other Websites News) \ Way Off Base (Offbeat Stories and Pics)

Social: Facebook \ YouTube \ Twitter \ Tumblr \ Pintrest \ RSS Feeds


All content Copyright MajorGeeks.com source code Powered by vBulletin® Version 3.8.4
Copyright © 2009 vBulletin Solutions, Inc. All rights reserved.
Ad Management by RedTyger