Massively Infected Computer

[Fred17]

My dad's computer recently got infected with... something, to the point that the computer will load, but everything is frozen. I can only open task manager. The first sign of his problem was when his desktop was changed to blue with a box that read "This computer has been infected with spyware." I looked around the forum for solutions and found some about turning off web backgrounds, but the computer is completely frozen. Even in safe mode I cannot get any anti-virus or spyware programs to run. I was able to install hijack this in safe mode and run it using task manager while normally logged in. Any help at all would be appreciated. My dad is moments away from reformatting.

 

[kimsland]

Remove these files:
C:\WINDOWS\system32\lphc338j0e11t.exe
C:\WINDOWS\system32\yayaXPfE.dll
C:\WINDOWS\system32\hgGwXooO.dll
C:\WINDOWS\system32\lphc338j0e11t.exe

There may be more, but these are bad

Also have a look at:

New Preliminary Removal Instructions

 

[xxdanielxx]

• Please go to VirSCAN.org FREE on-line scan service
• Copy and paste the following file path into the "Suspicious files to scan"box on the top of the page:
  
  • C:\WINDOWS\system32\lphc338j0e11t.exe
• Click on the Upload button
• Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
• Paste the contents of the Clipboard in your next reply.

Do the same for this file
C:\WINDOWS\SYSTEM32\yayaXPfE.dll

===========================================

We need to get rid of one of the services running on your machine. To do this, copy (Ctrl +C) and paste (Ctrl +V) the text in the code box below to Notepad.

@echo off
sc stop Viewpoint Corporation
sc delete Viewpoint Corporation
del service.cmd and exit

Save it to your desktop as File name: service.cmd
Save as type: All Files

Once done, double click service.cmd to run it. A command window will open briefly, then close. This is quite normal.

===========================================

Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

Please re-open HiJackThis and scan.**Check the boxes next to all the entries listed below.

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: (no name) - {BB81FE02-F70B-46C2-82C3-DE5C6652E677} - C:\WINDOWS\system32\yayaXPfE.dll
O2 - BHO: (no name) - {DA754781-5ED3-4D46-AA4E-CFA9FCB26B79} - C:\WINDOWS\system32\hgGwXooO.dll
O4 - HKCU\..\Run: [Explorer] C:\WINDOWS\system32\shellexp.exe en
O16 - DPF: {D3FA53A4-C575-400F-90E5-9AB568E4BC64} (MBAIFSaver Class) - http://www.mbaiforms.net/formflow/gbbrcommon/mbaicontrol2.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)

Now close all windows other than HiJackThis, then click Fix Checked.**Close HiJackThis.**Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Please go to Start > Control Panel > Add/Remove Programs and remove the following (if present):

Viewpoint

Please note any other programs that you don't recognize in that list in your next response.

Please download the OTMoveIt2 by OldTimer.

• Save it to your desktop.
• Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
• Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
  
  

  C:\WINDOWS\system32\yayaXPfE.dll
  C:\WINDOWS\system32\hgGwXooO.dll
  C:\WINDOWS\system32\shellexp.exe
  C:\Program Files\Viewpoint

• Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
• Click the red Moveit! button.
• A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
• Close OTMoveIt2

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

After that, Reboot, and post a new HijackThis log here in a reply