GeekPolice
Would you like to react to this message? Create an account in a few clicks or log in to continue.

GeekPoliceLog in

 


descriptionMy computer is pretty much destroyed.. please help EmptyMy computer is pretty much destroyed.. please help

more_horiz
Let me fill you in.. ready for this?

My computer will not start in normal mode. I have started in safe mode w/ networking and it will come on. I can not run any programs at all and I can not connect to the internet (it says.. "can not connect to the internet" when I try to repair it. When I try to open any program, a box that looks like the cmd box pops up really fast and disappears.. I quickly took at look at what it was saying real quick at the top and it said.. c:\windows\system32\ **I CAN"T SEE WHAT IT SAYS HERE BUT IT FLASHES SOMETHING THEN GOES QUICKLY TO** pump.exe and the box disappears.

PLEASE HELP!

descriptionMy computer is pretty much destroyed.. please help EmptyRe: My computer is pretty much destroyed.. please help

more_horiz
Please download the current version of HijackThis from HERE

  • Double click and run the installer.
  • It will install to C:\Program Files\Trend Micro\HijackThis\hijackthis.exe
  • After installing, you should get the user agreement, press accept and Hijack This will run.
  • Select Do a system scan and save a log file. This will open a notepad file of everything Hijack This found, copy and paste it back here.

descriptionMy computer is pretty much destroyed.. please help EmptyRe: My computer is pretty much destroyed.. please help

more_horiz
ok so I tried that.. and when I try to open Hijackthis it says "the system administrator does not permit this" so then I went to control panel to "accessibility options" and it says that the "parameter is incorrect" and shows c:\windows\system32\rundll32.exe

:-(

descriptionMy computer is pretty much destroyed.. please help EmptyRe: My computer is pretty much destroyed.. please help

more_horiz
Download OTL by OldTimer to your Desktop.

  • Close all windows and double click OTL.exe
  • Click Run Scan and let the program run uninterrupted
  • It will produce two logs for you, one will pop up - OTL.txt, the other will be saved on your Desktop - Extras.txt. Post both logs in this thread.
  • You may need to use two posts to get it all.

descriptionMy computer is pretty much destroyed.. please help EmptyRe: My computer is pretty much destroyed.. please help

more_horiz
I think this may be your biggest challenge yet..

It will not let me open OTL, but has a slower reaction time when the cmd box comes up and it says in the address at the top of the box.. c:\WINDOWS\system32\ntvdm.exe then directly to c:\WINDOWS\system32\pump.exe and the boxes will then just close.

Another thing that caught my eye was a text would flash real quick in the cmd box and it says this "Program too big to fit in Memory"

descriptionMy computer is pretty much destroyed.. please help EmptyRe: My computer is pretty much destroyed.. please help

more_horiz
Hello.
Try this, that pump.exe is a file association changer.

Please download exeHelper from one of the two links.
Link 1
Link 2

  • Double-click on exeHelper.com or exeHelper.scr to run the fix.
  • A black window should pop up, press any key to close once the fix is completed.
  • Post the contents of log.txt (Will be created in the directory where you ran exeHelper.com)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

descriptionMy computer is pretty much destroyed.. please help EmptyRe: My computer is pretty much destroyed.. please help

more_horiz
exeHelper by Raktor
Build 20091220
Run at 15:26:13 on 01/02/10
Now searching...
Checking for numerical processes...
Removing HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\10730464
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Deleting file C:\WINDOWS\temp\a.exe
Deleting file C:\WINDOWS\temp\b.exe
Deleting file C:\WINDOWS\temp\svchost.exe
Deleting file C:\WINDOWS\temp\taskmgr.exe
Deleting file C:\WINDOWS\temp\winlogon.exe
Deleting file C:\WINDOWS\system32\AVR09.exe
Deleting file C:\WINDOWS\system32\bincd32.dat
Deleting file C:\WINDOWS\system32\BtwSrv.dll
Deleting file C:\WINDOWS\system32\calc.dll
Deleting file C:\WINDOWS\system32\critical_warning.html
Deleting file C:\WINDOWS\system32\desot.exe
Deleting file C:\WINDOWS\system32\dddesot.dll
Deleting file C:\WINDOWS\system32\desote.exe
Deleting file C:\WINDOWS\system32\lsm32.sys
Deleting file C:\WINDOWS\system32\opeia.exe
Deleting file C:\WINDOWS\system32\plugie.dll
Deleting file C:\WINDOWS\ppp3.dat
Deleting file C:\WINDOWS\ppp4.dat
Deleting file C:\WINDOWS\system32\pump.exe
Deleting file C:\WINDOWS\system32\sdra64.exe
Error deleting C:\WINDOWS\system32\sdra64.exe - Set for removal on reboot - PLEASE REBOOT
Deleting file C:\WINDOWS\system32\skynet.dat
Deleting file C:\WINDOWS\svchast.exe
Deleting file C:\WINDOWS\svohost.exe
Deleting file C:\WINDOWS\system32\sysnet.dat
Deleting file C:\WINDOWS\system32\wscsvc32.exe
Deleting file C:\WINDOWS\system32\winupdate.exe
Deleting file C:\WINDOWS\system32\winhelper.dll
Deleting file C:\WINDOWS\system32\nuar.old
Checking for bad registry entries...
Removing HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calc
Removing HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PopRock
Removing HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows System Recover!
Deleting file C:\WINDOWS\TEMP\spoolsv.exe
Removing HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdate.exe
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--

descriptionMy computer is pretty much destroyed.. please help EmptyRe: My computer is pretty much destroyed.. please help

more_horiz
Hehe, now can you run Hijack This?

descriptionMy computer is pretty much destroyed.. please help EmptyRe: My computer is pretty much destroyed.. please help

more_horiz
great.. coming in 5

descriptionMy computer is pretty much destroyed.. please help EmptyRe: My computer is pretty much destroyed.. please help

more_horiz
It says this:

Windows Installer

"The System administrator has set policies to prevent this installation."

I am under the administrator!

descriptionMy computer is pretty much destroyed.. please help EmptyRe: My computer is pretty much destroyed.. please help

more_horiz
I am also getting this message after my computer is on for about 15 min.:


NT/Authority system failed unexpectedly

and:

dcom server process launcher service authorized shutdown.. could be the other way around but I only have a certain amount of time until it shutsdown

descriptionMy computer is pretty much destroyed.. please help EmptyRe: My computer is pretty much destroyed.. please help

more_horiz
Try OTL please instead. Smile...

descriptionMy computer is pretty much destroyed.. please help EmptyRe: My computer is pretty much destroyed.. please help

more_horiz
ugh.. so the otl will come up and I click run scan.. it runs for about 10 seconds and then otl just closes

descriptionMy computer is pretty much destroyed.. please help EmptyRe: My computer is pretty much destroyed.. please help

more_horiz
Hello.

  • Download combofix from here
    Link 1
    Link 2

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:

    My computer is pretty much destroyed.. please help CF_download_FF

    My computer is pretty much destroyed.. please help CF_download_rename

    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See HERE for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.

    My computer is pretty much destroyed.. please help Cf410

  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes

    My computer is pretty much destroyed.. please help Cf510

  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

descriptionMy computer is pretty much destroyed.. please help EmptyRe: My computer is pretty much destroyed.. please help

more_horiz
ok.. here is a problem I keep running into. Combo-Fix keeps telling me that the AVG is still active. I have done everything I can to get rid of this thing. When I went to control panel and "remove" progams it would have a failure. I manually went in and deleted everything affiliated with AVG and now the program does not work (which is good), BUT combo fix still comes up saying it is active and to go at my own risk..

what do you recommend?

descriptionMy computer is pretty much destroyed.. please help EmptyRe: My computer is pretty much destroyed.. please help

more_horiz
Go on, it's just a bug.

descriptionMy computer is pretty much destroyed.. please help EmptyRe: My computer is pretty much destroyed.. please help

more_horiz
ok.. I'm not able to connect to the internet yet so combo wasn't able to grab what it needed.. any advice on that? (remember I am giong back and forth on a flashdrive.. the computer I am speaking to you with is not the one with the problem)

also, i just kept going with the scan and it says combo has detected the presence of rootkit activity and needs to reboot. Take the note of each file on paper.. there are about 15-20! Do you want me to write these all down!?

descriptionMy computer is pretty much destroyed.. please help EmptyRe: My computer is pretty much destroyed.. please help

more_horiz
OK! I am on the computer and on the internet! I haven't been able to do this in over a year!

I did every scan I have and saved a log.. tell me what you would like to see and in what order?

Combo.. Malware.. OTL.. exehelper.. AND Hijack

THANK YOU!

Last edited by Joey Jiggles on 3rd January 2010, 11:26 pm; edited 1 time in total (Reason for editing : forgot to add exehelper)

descriptionMy computer is pretty much destroyed.. please help EmptyRe: My computer is pretty much destroyed.. please help

more_horiz
Combofix log please.

descriptionMy computer is pretty much destroyed.. please help EmptyRe: My computer is pretty much destroyed.. please help

more_horiz
ComboFix 10-01-02.05 - Tessa 01/03/2010 15:53:38.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.706 [GMT -5:00]
Running from: g:\georgio\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\LocalService\ntuser.dll
c:\documents and settings\NetworkService\ntuser.dll
c:\documents and settings\Tessa\Desktop\Windows Police Pro.lnk
c:\documents and settings\Tessa\ntuser.dll
c:\documents and settings\Tessa\oashdihasidhasuidhiasdhiashdiuasdhasd
c:\documents and settings\Tessa\Start Menu\Programs\Startup\scandisk.dll
c:\documents and settings\Tessa\Start Menu\Programs\Startup\scandisk.lnk
c:\documents and settings\Tessa\Start Menu\Programs\Windows Police Pro
c:\documents and settings\Tessa\Start Menu\Programs\Windows Police Pro\Windows Police Pro.lnk
C:\pmyro.exe
c:\program files\Active Security
c:\program files\Active Security\asecurity.exe
c:\program files\Active Security\core.cga
c:\program files\Active Security\coreext.dll
c:\program files\Active Security\help.ico
c:\program files\Active Security\uninstall.exe
c:\program files\SafetyCenter
c:\program files\SafetyCenter\main.ico
c:\program files\SafetyCenter\new.exe
c:\program files\SafetyCenter\protector.exe
c:\program files\SafetyCenter\sound.wav
c:\program files\SafetyCenter\start.exe
c:\program files\SafetyCenter\uninstall.exe
c:\windows\f49f4daa.dat
c:\windows\fmark2.dat
c:\windows\Install.txt
c:\windows\system32\bafoline.dll
c:\windows\system32\bepepono.dll
c:\windows\system32\certstore.dat
c:\windows\system32\config\systemprofile\Desktop\Windows Police Pro.lnk
c:\windows\system32\config\systemprofile\ntuser.dll
c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\scandisk.dll
c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\scandisk.lnk
c:\windows\system32\dahurawa.dll
c:\windows\system32\degenize.exe
c:\windows\system32\dimuboja.dll
c:\windows\system32\drivers\hjgruibqwhowfl.sys
c:\windows\system32\drivers\UACwrqxewcdjn.sys
c:\windows\system32\FastNetSrv.exe
c:\windows\system32\feyiloto.dll
c:\windows\system32\FInstall.sys
c:\windows\system32\fogebota.dll
c:\windows\system32\gifekuwe.dll
c:\windows\system32\gilumuju.exe
c:\windows\system32\hjgruidkrwvwxr.dll
c:\windows\system32\hjgruietqfubcg.dat
c:\windows\system32\hjgruioevbrgms.dat
c:\windows\system32\hjgruirqhbonbm.dll
c:\windows\system32\hjgruivbdmttpu.dll
c:\windows\system32\hjgruiwewilalb.dll
c:\windows\system32\hjgruixvuiqhjs.dll
c:\windows\system32\hjgruiylqjklyx.dll
c:\windows\system32\hukibopa.dll
c:\windows\system32\hzG6g5p.dll
c:\windows\system32\Iasv32.dll
c:\windows\system32\Install.txt
c:\windows\system32\isasdk.sys
c:\windows\system32\jowuhese.exe
c:\windows\system32\kuredise.dll
c:\windows\system32\kuweyohi.dll
c:\windows\system32\lajogilo.dll
c:\windows\system32\lasobemo.dll
c:\windows\system32\lolajeyo.dll
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\lubizupe.dll
c:\windows\system32\mupitera.dll
c:\windows\system32\onhelp.htm
c:\windows\system32\pufupode.dll
c:\windows\system32\ririzaki.exe
c:\windows\system32\rudajeki.dll
c:\windows\system32\schtml
c:\windows\system32\schtml\dbsinit.exe
c:\windows\system32\schtml\images\i1.gif
c:\windows\system32\schtml\images\i2.gif
c:\windows\system32\schtml\images\i3.gif
c:\windows\system32\schtml\images\j1.gif
c:\windows\system32\schtml\images\j2.gif
c:\windows\system32\schtml\images\j3.gif
c:\windows\system32\schtml\images\jj1.gif
c:\windows\system32\schtml\images\jj2.gif
c:\windows\system32\schtml\images\jj3.gif
c:\windows\system32\schtml\images\l1.gif
c:\windows\system32\schtml\images\l2.gif
c:\windows\system32\schtml\images\l3.gif
c:\windows\system32\schtml\images\pix.gif
c:\windows\system32\schtml\images\t1.gif
c:\windows\system32\schtml\images\t2.gif
c:\windows\system32\schtml\images\up1.gif
c:\windows\system32\schtml\images\up2.gif
c:\windows\system32\schtml\images\w1.gif
c:\windows\system32\schtml\images\w11.gif
c:\windows\system32\schtml\images\w2.gif
c:\windows\system32\schtml\images\w3.gif
c:\windows\system32\schtml\images\w3.jpg
c:\windows\system32\schtml\images\word.doc
c:\windows\system32\schtml\images\wt1.gif
c:\windows\system32\schtml\images\wt2.gif
c:\windows\system32\schtml\images\wt3.gif
c:\windows\system32\schtml\wispex.html
c:\windows\system32\sibogaya.exe
c:\windows\system32\siremase.exe
c:\windows\system32\temp.exe
c:\windows\system32\uacinit.dll
c:\windows\system32\UACkvpxmywpqf.dll
c:\windows\system32\UACltofxhkdqq.dat
c:\windows\system32\UACpfulbbowkn.dll
c:\windows\system32\UACqaihhrpbpj.dll
c:\windows\system32\UACuthwbdqudb.dll
c:\windows\system32\UACxhorplfmnp.log
c:\windows\system32\vewihene.dll
c:\windows\system32\wiwow64.exe
c:\windows\system32\wmdtc.exe
c:\windows\system32\wohobiye.exe
c:\windows\system32\wuwiyewe.dll
c:\windows\system32\ygsuhdf83id.dll
c:\windows\system32\yigekote.dll
c:\windows\system32\yubiwojo.dll
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\windows\system32\dllcache\eventlog.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_hjgruiqlxmjamt
-------\Legacy_hjgruiqlxmjamt
-------\Service_UACd.sys
-------\Legacy_UACd.sys
-------\Legacy_6TO4
-------\Legacy_ACPI32
-------\Legacy_ANTIPPRO2009_12
-------\Legacy_BTWSRV
-------\Legacy_FASTNETSRV
-------\Legacy_FIPS32CUP
-------\Legacy_I386SI
-------\Legacy_ISASDK
-------\Legacy_NICSK32
-------\Legacy_SECURENTM
-------\Legacy_SYSTEMNTMI
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Service_6to4
-------\Service_acpi32
-------\Service_AntipPro2009_12
-------\Service_BtwSrv
-------\Service_fastnetsrv
-------\Service_fips32cup
-------\Service_i386si
-------\Service_isasdk
-------\Service_new_drv
-------\Service_nicsk32
-------\Service_securentm
-------\Service_systemntmi


((((((((((((((((((((((((( Files Created from 2009-12-03 to 2010-01-03 )))))))))))))))))))))))))))))))
.

2010-01-03 15:34 . 2010-01-03 15:34 46056 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-01 19:27 . 2010-01-01 19:27 -------- d-----w- c:\documents and settings\Administrator\Application Data\U3

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-03 22:04 . 2009-05-05 20:38 -------- d-----w- c:\program files\DNA
2010-01-03 22:04 . 2009-05-05 20:38 -------- d-----w- c:\documents and settings\Tessa\Application Data\DNA
2010-01-03 22:04 . 2008-06-05 22:11 -------- d-----w- c:\documents and settings\Tessa\Application Data\Skype
2010-01-03 21:03 . 2008-06-05 22:12 -------- d-----w- c:\documents and settings\Tessa\Application Data\skypePM
2010-01-03 16:14 . 2008-12-24 16:09 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2010-01-03 16:06 . 2009-07-20 19:56 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-01-03 15:16 . 2009-10-05 20:42 0 ----a-r- c:\windows\win32k.sys
2010-01-01 18:57 . 2008-12-09 23:46 -------- d-----w- c:\documents and settings\Tessa\Application Data\U3
2009-10-13 20:56 . 2009-10-13 19:53 58 ----a-w- c:\windows\wp4.dat
2009-10-13 20:56 . 2009-10-13 19:53 4 ----a-w- c:\windows\wp3.dat
2009-07-28 07:29 . 2009-04-28 07:29 190976 --sha-w- c:\windows\system32\buvoyaki.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-26 1008896]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-26 1008896]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-26 1008896]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-03-25 50528]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-06-03 21718312]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2010-01-03 323392]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2009-02-13 2356088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2007-03-31 138008]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2007-03-31 162584]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2007-03-31 138008]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 282624]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-05-01 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-05-01 602182]
"SunJavaUpdateSched"="c:\program files\Java\j2re1.4.2_06\bin\jusched.exe" [2004-09-29 32881]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-11 39792]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-05-14 1191936]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-13 342312]
"lsdefrag"="C:\wqtneupy.exe" [2009-10-05 25126]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-17 01:14 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [12/24/2008 11:10 AM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [12/24/2008 11:09 AM 108552]
R2 ISWKL;ForceField ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [4/17/2009 3:11 AM 21136]
R2 IswSvc;ForceField IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [4/17/2009 3:11 AM 394632]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [5/18/2008 6:24 PM 24652]
S2 amd64si;amd64si;\??\c:\windows\system32\drivers\amd64si.sys --> c:\windows\system32\drivers\amd64si.sys [?]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe --> c:\progra~1\AVG\AVG8\avgemc.exe [?]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe --> c:\progra~1\AVG\AVG8\avgwdsvc.exe [?]
S2 WDefend;WDefend;c:\windows\svohost.exe --> c:\windows\svohost.exe [?]
S3 icsak;icsak;c:\program files\CheckPoint\ZAForceField\AK\icsak.sys [4/17/2009 3:11 AM 54928]
S3 mfsdisk;mfsdisk;c:\windows\system32\mfsdisk.sys [8/4/2004 7:00 AM 2304]
.
Contents of the 'Scheduled Tasks' folder

2008-12-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Tessa\Application Data\Mozilla\Firefox\Profiles\9tht6p64.default\
FF - prefs.js: browser.startup.homepage - hxxps://www.google.com/accounts/ServiceLogin?service=mail&passive=true&rm=false&continue=http%3A%2F%2Fmail.google.com%2Fmail%2F%3Fui%3Dhtml%26zy%3Dl&bsv=zpwhtygjntrz&scc=1&ltmpl=default&ltmplcache=2
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Java\j2re1.4.2_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\j2re1.4.2_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\j2re1.4.2_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\j2re1.4.2_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\j2re1.4.2_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\j2re1.4.2_06\bin\NPJPI142_06.dll
FF - plugin: c:\program files\Java\j2re1.4.2_06\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - hȋdden: XUL Cache: {7901316A-562B-4652-AD28-50E10D51765C} - c:\documents and settings\Tessa\Local Settings\Application Data\{7901316A-562B-4652-AD28-50E10D51765C}

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service
.
- - - - ORPHANS REMOVED - - - -

BHO-{0d431961-3f1f-4098-8bdb-24eed9a9cd2e} - dimuboja.dll
HKLM-Run-AVG8_TRAY - c:\progra~1\AVG\AVG8\avgtray.exe
HKLM-Run-Rqiqigaxe - c:\windows\ogejililun.dll
HKLM-Run-CPMef0dd71b - c:\windows\system32\mupapupe.dll
HKLM-Run-batuhegese - vewihene.dll
HKU-Default-Run-minix32 - c:\windows\system32\minix32.exe
SharedTaskScheduler-{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - (no file)
SharedTaskScheduler-{A249BC15-23F2-42AD-F4E4-00AAC39C0004} - (no file)
AddRemove-Active Security - c:\program files\Active Security\Uninstall.exe
AddRemove-Win Antivirus Pro - c:\program files\Windows Antivirus Pro\AntiSpyware_Uninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-03 16:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hȋdden processes ...

scanning hȋdden autostart entries ...

scanning hȋdden files ...

scan completed successfully
hȋdden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Intel\Wireless\Folders\P*& 5*]
"Path"="c:\\WINDOWS\\system32\\config\\systemprofile\\Application Data\\Intel\\Wireless\\"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3252)
c:\windows\system32\shdoclc.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\stsystra.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
c:\progra~1\Intel\Wireless\Bin\Dot1XCfg.exe
.
**************************************************************************
.
Completion time: 2010-01-03 17:08:54 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-03 22:08

Pre-Run: 15,725,277,184 bytes free
Post-Run: 16,780,689,408 bytes free

Current=1 Default=1 Failed=4 LastKnownGood=2 Sets=1,2,3,4
- - End Of File - - 7C4BB66920DFC0D11D5514E59209483B

descriptionMy computer is pretty much destroyed.. please help EmptyRe: My computer is pretty much destroyed.. please help

more_horiz
Hello.

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:

    File::
    c:\windows\win32k.sys
    c:\windows\wp4.dat
    c:\windows\wp3.dat
    c:\windows\system32\buvoyaki.dll
    C:\wqtneupy.exe

    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "lsdefrag"=-

    Driver::
    amd64si

  4. Save this as CFScript.txt, in the same location as ComboFix.exe

    My computer is pretty much destroyed.. please help Cfscriptb4i

  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.

descriptionMy computer is pretty much destroyed.. please help EmptyRe: My computer is pretty much destroyed.. please help

more_horiz
ComboFix 10-01-03.03 - Tessa 01/03/2010 19:02:52.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.396 [GMT -5:00]
Running from: c:\documents and settings\Tessa\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Tessa\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::
"c:\windows\system32\buvoyaki.dll"
"c:\windows\win32k.sys"
"c:\windows\wp3.dat"
"c:\windows\wp4.dat"
"C:\wqtneupy.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Tessa\Local Settings\Application Data\{7901316A-562B-4652-AD28-50E10D51765C}
c:\documents and settings\Tessa\Local Settings\Application Data\{7901316A-562B-4652-AD28-50E10D51765C}\chrome.manifest
c:\documents and settings\Tessa\Local Settings\Application Data\{7901316A-562B-4652-AD28-50E10D51765C}\chrome\content\_cfg.js
c:\documents and settings\Tessa\Local Settings\Application Data\{7901316A-562B-4652-AD28-50E10D51765C}\chrome\content\c.js
c:\documents and settings\Tessa\Local Settings\Application Data\{7901316A-562B-4652-AD28-50E10D51765C}\chrome\content\overlay.xul
c:\documents and settings\Tessa\Local Settings\Application Data\{7901316A-562B-4652-AD28-50E10D51765C}\install.rdf
C:\wqtneupy.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_AMD64SI


((((((((((((((((((((((((( Files Created from 2009-12-04 to 2010-01-04 )))))))))))))))))))))))))))))))
.

2010-01-03 22:21 . 2010-01-03 22:21 -------- d-----w- c:\documents and settings\Tessa\Application Data\Malwarebytes
2010-01-03 22:21 . 2009-12-30 19:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-03 22:21 . 2010-01-03 22:22 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-03 22:21 . 2010-01-03 22:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-03 22:21 . 2009-12-30 19:54 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-03 22:18 . 2010-01-03 22:18 -------- d-----w- c:\program files\TrendMicro
2010-01-03 15:34 . 2010-01-03 15:34 46056 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-01 19:27 . 2010-01-01 19:27 -------- d-----w- c:\documents and settings\Administrator\Application Data\U3

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-04 00:10 . 2008-06-05 22:11 -------- d-----w- c:\documents and settings\Tessa\Application Data\Skype
2010-01-04 00:08 . 2009-05-05 20:38 -------- d-----w- c:\program files\DNA
2010-01-04 00:08 . 2009-05-05 20:38 -------- d-----w- c:\documents and settings\Tessa\Application Data\DNA
2010-01-03 22:22 . 2010-01-03 22:22 5061520 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-03 22:18 . 2010-01-03 22:18 388096 ----a-r- c:\documents and settings\Tessa\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-01-03 21:03 . 2008-06-05 22:12 -------- d-----w- c:\documents and settings\Tessa\Application Data\skypePM
2010-01-03 16:14 . 2008-12-24 16:09 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2010-01-03 16:06 . 2009-07-20 19:56 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-01-01 18:57 . 2008-12-09 23:46 -------- d-----w- c:\documents and settings\Tessa\Application Data\U3
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-26 1008896]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-26 1008896]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-26 1008896]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-03-25 50528]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-06-03 21718312]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2010-01-03 323392]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2009-02-13 2356088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2007-03-31 138008]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2007-03-31 162584]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2007-03-31 138008]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 282624]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-05-01 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-05-01 602182]
"SunJavaUpdateSched"="c:\program files\Java\j2re1.4.2_06\bin\jusched.exe" [2004-09-29 32881]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-11 39792]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-05-14 1191936]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-13 342312]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-17 01:14 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [12/24/2008 11:10 AM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [12/24/2008 11:09 AM 108552]
R2 ISWKL;ForceField ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [4/17/2009 3:11 AM 21136]
R2 IswSvc;ForceField IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [4/17/2009 3:11 AM 394632]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [5/18/2008 6:24 PM 24652]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe --> c:\progra~1\AVG\AVG8\avgemc.exe [?]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe --> c:\progra~1\AVG\AVG8\avgwdsvc.exe [?]
S3 icsak;icsak;c:\program files\CheckPoint\ZAForceField\AK\icsak.sys [4/17/2009 3:11 AM 54928]
S3 mfsdisk;mfsdisk;\??\c:\windows\system32\mfsdisk.sys --> c:\windows\system32\mfsdisk.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2008-12-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Tessa\Application Data\Mozilla\Firefox\Profiles\9tht6p64.default\
FF - prefs.js: browser.startup.homepage - hxxps://www.google.com/accounts/ServiceLogin?service=mail&passive=true&rm=false&continue=http%3A%2F%2Fmail.google.com%2Fmail%2F%3Fui%3Dhtml%26zy%3Dl&bsv=zpwhtygjntrz&scc=1&ltmpl=default&ltmplcache=2
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Java\j2re1.4.2_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\j2re1.4.2_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\j2re1.4.2_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\j2re1.4.2_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\j2re1.4.2_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\j2re1.4.2_06\bin\NPJPI142_06.dll
FF - plugin: c:\program files\Java\j2re1.4.2_06\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-03 19:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hȋdden processes ...

scanning hȋdden autostart entries ...

scanning hȋdden files ...

scan completed successfully
hȋdden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Intel\Wireless\Folders\P*& 5*]
"Path"="c:\\WINDOWS\\system32\\config\\systemprofile\\Application Data\\Intel\\Wireless\\"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1524)
c:\progra~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
c:\progra~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
c:\windows\system32\shdoclc.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\stsystra.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
c:\progra~1\Intel\Wireless\Bin\Dot1XCfg.exe
.
**************************************************************************
.
Completion time: 2010-01-03 19:13:11 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-04 00:13
ComboFix2.txt 2010-01-03 22:08

Pre-Run: 16,361,410,560 bytes free
Post-Run: 16,346,853,376 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

Current=1 Default=1 Failed=4 LastKnownGood=2 Sets=1,2,3,4
- - End Of File - - 087F89269246EE15B6F485C0CBD114A8

descriptionMy computer is pretty much destroyed.. please help EmptyRe: My computer is pretty much destroyed.. please help

more_horiz
Please download the current version of HijackThis from HERE

  • Double click and run the installer.
  • It will install to C:\Program Files\Trend Micro\HijackThis\hijackthis.exe
  • After installing, you should get the user agreement, press accept and Hijack This will run.
  • When Hijack This opens, click "Open the Misc Tools section"
  • Then select "Open Uninstall Manager"
  • Click on "Save List..." (generates uninstall_list.txt)
  • Click Save, copy and paste the results in your next post.

descriptionMy computer is pretty much destroyed.. please help EmptyRe: My computer is pretty much destroyed.. please help

more_horiz
Ad-Aware
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Reader 8.1.1
AIM 6
Apple Mobile Device Support
Apple Software Update
Broadcom 440x 10/100 Integrated Controller
Compatibility Pack for the 2007 Office system
Conexant HDA D110 MDC V.92 Modem
Critical Update for Windows Media Player 11 (KB959772)
GOM Player
High Definition Audio Driver Package - KB835221
HiJackThis
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB896344)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB952287)
Intel(R) Graphics Media Accelerator Driver
Intel(R) Graphics Media Accelerator Driver
Intel(R) PROSet/Wireless Software
iTunes
Java 2 Runtime Environment, SE v1.4.2_06
Malwarebytes' Anti-Malware
mCore
mDriver
mDrWiFi
mHlpDell
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Office Professional Edition 2003
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
mIWA
mLogView
mMHouse
Mozilla Firefox (3.0.14)
mPfMgr
mPfWiz
mProSafe
mSSO
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
mWlsSafe
mWMI
mXML
mZConfig
Pdf995 (installed by TaxCut)
PdfEdit995 (installed by TaxCut)
Picasa 3
QuickSet
QuickTime
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944338)
Security Update for Windows XP (KB944533)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB947864)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
SigmaTel Audio
Skype™️ 3.8
Sound Blaster ADVANCED MB Drivers
Synaptics Pointing Device Driver
TaxCut Basic 2006
TaxCut Delaware 2007
TaxCut Premium + State 2007
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Update for Windows XP (KB946627)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Viewpoint Media Player
Windows Installer 3.1 (KB893803)
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781

descriptionMy computer is pretty much destroyed.. please help EmptyRe: My computer is pretty much destroyed.. please help

more_horiz
Hello.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

    Java 2 Runtime Environment, SE v1.4.2_06
    Viewpoint Media Player

Updating Java:

  • Download the latest version of Java SE Runtime Environment (JRE) 6 Update 17.
  • Select the second option where it says "This special release provides a few key fixes.".
  • Click the "Download" button to the right.
  • In the Window that opens, select your platform, check the "agree" box, and click Continue.
  • Click on the link to download Windows Offline Installation and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Then from your desktop double-click on jre-6u17-windows-i586.exe that you downloaded to install the newest version.

Please download Firefox 3.5.6 and install it. It will install over version 3.0 you currently have installed, so you won't lose any bookmarked websites.

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /uninstall

This will also reset your restore points.

How is the machine running now?

descriptionMy computer is pretty much destroyed.. please help EmptyRe: My computer is pretty much destroyed.. please help

more_horiz
wow you seize to amaze me.. one more thing, you may want to take a look at my maleware.. i had like 43 hits

Malwarebytes' Anti-Malware 1.43
Database version: 3489
Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

1/3/2010 5:31:56 PM
mbam-log-2010-01-03 (17-31-56).txt

Scan type: Quick Scan
Objects scanned: 110355
Time elapsed: 4 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 12
Registry Values Infected: 5
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 23

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{f54af7de-6038-4026-8433-cc30e3f17212} (Rogue.ASCAntiSpyware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace\{5172ec55-e786-48a9-8fd9-c27c6a99f249} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{5172ec55-e786-48a9-8fd9-c27c6a99f249} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{5172ec55-e786-48a9-8fd9-c27c6a99f249} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\NetworkNeighborhood\NameSpace\{5172ec55-e786-48a9-8fd9-c27c6a99f249} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\amd64si (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Windows antiVirus pro (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WDefend (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\General\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mbt (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\udfa (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mfa (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsdefrag (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\All Users\Start Menu\Programs\Active Security (Rogue.ActiveSecurity) -> Quarantined and deleted successfully.
C:\WINDOWS\addins\addins (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\jkkxvqct.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\mtsmwclu.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\nbuh.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\pjfo.exe (Spyware.Zbot) -> Quarantined and deleted successfully.
C:\tykcb.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\wbdnoxo.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mfsdisk.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\GB07WXGB\w[1].bin (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\GB07WXGB\w[2].bin (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\ID8FYN01\w[1].bin (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OMGSLF4C\w[1].bin (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OMGSLF4C\w[2].bin (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OMGSLF4C\w[5].bin (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\ZLJBC4QU\w[1].bin (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\ZLJBC4QU\w[2].bin (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Active Security\Active Security Support.lnk (Rogue.ActiveSecurity) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Active Security\Active Security.lnk (Rogue.ActiveSecurity) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Active Security\Uninstall Active Security.lnk (Rogue.ActiveSecurity) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\buvoyaki.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\win32k.sys (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Desktop\Active Security.lnk (Rogue.ActiveSecurity) -> Quarantined and deleted successfully.
C:\WINDOWS\wp3.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\wp4.dat (Malware.Trace) -> Quarantined and deleted successfully.

descriptionMy computer is pretty much destroyed.. please help EmptyRe: My computer is pretty much destroyed.. please help

more_horiz
Hello.

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /uninstall

This will also reset your restore points.

How is the machine running now?

descriptionMy computer is pretty much destroyed.. please help EmptyRe: My computer is pretty much destroyed.. please help

more_horiz
I just did that after I ran my malwarebytes.. any suggestions?

descriptionMy computer is pretty much destroyed.. please help EmptyRe: My computer is pretty much destroyed.. please help

more_horiz
Yes, but your the one behind the monitor, I can only tell from logs that it looks malware free, but that's why I asked how is the machine is now? if any problems remain? LMBO or ROFL

descriptionMy computer is pretty much destroyed.. please help EmptyRe: My computer is pretty much destroyed.. please help

more_horiz
haha.. sorry

ok.. um yeah.. again you did it!

Thank you so much!

descriptionMy computer is pretty much destroyed.. please help EmptyRe: My computer is pretty much destroyed.. please help

more_horiz
Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers. Goofy

1) Please navigate to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates , or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

Ad-Aware SE
A tutorial on using Ad-Aware to remove spyware from your computer may be found here.

Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here.

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
http://www.mozilla.org/products/firefox/
I also recommand the following add-ons for Firefox, they will help keep you safe from malicious scripts or activeX exploits.
https://addons.mozilla.org/en-US/firefox/addon/722
https://addons.mozilla.org/en-US/firefox/addon/1865
https://addons.mozilla.org/en-US/firefox/addon/433

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

To help you keep your software updated, please considering using this free software program that will check for program updates.
Update Checker

5) Finally, consider maintaining a firewall. Some good free firewalls are Kerio, or
Outpost
A tutorial on understanding and using firewalls may be found here.

Please also read Tony Klein's excellent article: How I got Infected in the First Place

If you would take a moment to fill out our feedback form, we would appreciate it.
The link can be found here.

Hopefully this should take care of your problems! Good luck. Big Grin

descriptionMy computer is pretty much destroyed.. please help EmptyRe: My computer is pretty much destroyed.. please help

more_horiz
privacy_tip Permissions in this forum:
You cannot reply to topics in this forum