TechSpot

My computer is not screwed anymore

By sweetmooch
Jul 24, 2008
  1. okay i have a laundry list of problems going on.. My start button is missing all sorts of stuff.. My clock is wrong and says virus alert next to it...I have a button on my computer that allows me to get to my computer, but my c: and d: drive are missing.. my desktop screen flashes active desktop recovery. alt ctrl del doesn't work..says it's disabled by my admin (i am the admin and i didn't disable it)..if i right click and go to screen properties it's some menu i haven't seen before with no options on it.. HELP...the only way i am sending you this is through my sister's computer...HijackThis didn't work either...other malware programs go to fix the problems and can't because it says my admin won't let me delete anything out of my registry.


    SOLUTION***

    ComboFix

    Download ComboFix to your desktop.
    Double click combofix.exe & follow the prompts.
    A window will open with a warning.
    When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log.

    Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Combofix is a very powerful tool, so please do NOT do anything without instruction.

    Combofix will automatically save the log file to C:\combofix.txt

    ---------------------------------------

    SmitfraudFix

    Download SmitFraudFix to your desktop
    reboot your computer in Safe Mode (before the Windows icon appears, tap the F8 key continually)
    Double-click SmitfraudFix.exe
    Select 2 and hit Enter to delete infected files.
    You will be prompted: Do you want to clean the registry ? answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
    The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer Y (yes) and hit Enter to restore a clean file.
    A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt (Attach the log to your next reply)

    -------------------------------------

    * Click here to download HJTsetup.exe
    Save HJTsetup.exe to your desktop.
    Double-click on the HJTsetup.exe icon on your desktop.
    By default it will install to C:\Program Files\Hijack This.
    Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
    Put a check by Create a desktop icon then click Next again.
    Continue to follow the rest of the prompts from there.
    At the final dialogue box click Finish and it will launch Hijack This.
    Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
    Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    Come back here to this thread and Paste the log in your next reply.
    DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.


    THANKS TO XXDANIELXX
     
  2. sweetmooch

    sweetmooch TS Rookie Topic Starter

    combo fix log

    ComboFix 08-07-23.5 - Galipeau 2008-07-24 12:44:24.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.354 [GMT -4:00]
    Running from: C:\Documents and Settings\Galipeau\Desktop\ComboFix.exe
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Program Files\vsadd-in
    C:\WINDOWS\eqvwamkl.dll
    C:\WINDOWS\erfb.exe
    C:\WINDOWS\erms.exe
    C:\WINDOWS\fdkowvbp.dll
    C:\WINDOWS\kvxqmtre.dll
    C:\WINDOWS\privacy_danger
    C:\WINDOWS\privacy_danger\images\capt.gif
    C:\WINDOWS\privacy_danger\images\danger.jpg
    C:\WINDOWS\privacy_danger\images\down.gif
    C:\WINDOWS\privacy_danger\images\spacer.gif
    C:\WINDOWS\privacy_danger\index.htm
    C:\WINDOWS\pskt.ini
    C:\WINDOWS\qndsfmao.dll
    C:\WINDOWS\system32\bypjyjfi.dll
    C:\WINDOWS\system32\ctetqmwr.dll
    C:\WINDOWS\system32\dmtslnht.dll
    C:\WINDOWS\system32\fccDsstq.dll
    C:\WINDOWS\system32\gctvojfd.dll
    C:\WINDOWS\system32\gplvfrqh.dll
    C:\WINDOWS\system32\gzmrot-uninst.exe
    C:\WINDOWS\system32\hqrfvlpg.ini
    C:\WINDOWS\system32\ISBIRYxx.ini
    C:\WINDOWS\system32\ISBIRYxx.ini2
    C:\WINDOWS\system32\jkikcsvq.dll
    C:\WINDOWS\system32\launcher.exe
    C:\WINDOWS\system32\ljJdcDwW.dll
    C:\WINDOWS\system32\mcrh.tmp
    C:\WINDOWS\system32\nateumrq.dll
    C:\WINDOWS\system32\nhvtjlhl.dll
    C:\WINDOWS\system32\nqstv.bak1
    C:\WINDOWS\system32\nqstv.ini
    C:\WINDOWS\system32\pxzyka.dll
    C:\WINDOWS\system32\qvsckikj.ini
    C:\WINDOWS\system32\rrnylwai.dll
    C:\WINDOWS\system32\thnlstmd.ini
    C:\WINDOWS\system32\uqngup.dll
    C:\WINDOWS\wnslvxtf.dll

    .
    ((((((((((((((((((((((((( Files Created from 2008-06-24 to 2008-07-24 )))))))))))))))))))))))))))))))
    .

    2008-07-22 20:15 . 2008-07-22 20:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trend Micro
    2008-07-22 20:15 . 2006-11-09 16:04 73,288 --a------ C:\WINDOWS\system32\drivers\tmtdi.sys
    2008-07-22 19:37 . 2008-07-22 22:06 <DIR> d-------- C:\Program Files\Trend Micro
    2008-07-22 18:35 . 2008-07-22 19:36 <DIR> d-------- C:\Program Files\Spyware Doctor
    2008-07-22 18:35 . 2008-07-22 18:36 <DIR> d-------- C:\Program Files\Common Files\PC Tools
    2008-07-22 18:35 . 2008-07-22 18:35 <DIR> d-------- C:\Documents and Settings\Galipeau\Application Data\PC Tools
    2008-07-22 18:35 . 2008-07-22 18:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Tools
    2008-07-22 18:35 . 2008-07-16 10:43 160,648 --a------ C:\WINDOWS\system32\drivers\pctfw2.sys
    2008-07-22 18:35 . 2008-06-10 21:22 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
    2008-07-22 18:35 . 2008-06-02 15:19 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
    2008-07-22 18:35 . 2008-06-02 15:19 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
    2008-07-22 18:35 . 2008-06-02 15:19 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
    2008-07-22 18:10 . 2008-07-22 18:10 <DIR> d-------- C:\Program Files\Enigma Software Group
    2008-07-22 12:55 . 2008-07-24 12:41 110,425 --a------ C:\WINDOWS\BM4fffd4af.xml
    2008-07-22 12:55 . 2008-07-22 18:57 44,061 --ahs---- C:\WINDOWS\system32\qcwbgutw.ini
    2008-07-22 12:53 . 2008-07-22 12:53 323,648 --a------ C:\WINDOWS\system32\xxYRIBSI.dll
    2008-07-22 12:47 . 2008-07-17 06:14 155,648 --a------ C:\WINDOWS\agpqlrfm.exe
    2008-07-22 12:46 . 2008-07-22 12:46 110,080 --a------ C:\WINDOWS\system32\lphcrqkj0epc7.exe
    2008-07-22 12:46 . 2008-07-22 22:00 90,838 --a------ C:\WINDOWS\system32\phcrqkj0epc7.bmp
    2008-07-22 12:46 . 2008-07-22 07:23 86,016 --a------ C:\WINDOWS\grswptdl.exe
    2008-07-22 12:46 . 2008-07-22 22:00 60,928 --a------ C:\WINDOWS\system32\blphcrqkj0epc7.scr
    2008-07-21 03:00 . 2008-07-21 03:00 <DIR> d-------- C:\Program Files\MSXML 4.0
    2008-07-20 14:44 . 2008-07-20 14:44 <DIR> d-------- C:\Program Files\foobar2000
    2008-07-20 14:44 . 2008-07-20 17:34 <DIR> d-------- C:\Documents and Settings\Galipeau\Application Data\foobar2000
    2008-07-20 14:43 . 2008-07-20 14:43 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\DivX
    2008-07-20 14:37 . 2008-07-20 14:37 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Roxio
    2008-07-20 14:36 . 2008-07-20 14:36 <DIR> d-------- C:\Program Files\InterActual
    2008-07-20 14:36 . 2008-07-20 14:36 <DIR> d-------- C:\Documents and Settings\Galipeau\Application Data\Roxio
    2008-07-20 14:28 . 2008-07-20 14:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sonic
    2008-07-20 14:25 . 2008-07-20 14:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Roxio
    2008-07-20 14:24 . 2008-07-20 14:24 <DIR> d-------- C:\Program Files\SmartSound Software
    2008-07-20 14:24 . 2008-07-20 14:28 <DIR> d-------- C:\Program Files\Common Files\Sonic Shared
    2008-07-20 14:24 . 2008-07-20 14:28 <DIR> d-------- C:\Program Files\Common Files\Roxio Shared
    2008-07-20 14:24 . 2008-07-20 14:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SmartSound Software Inc
    2008-07-20 14:23 . 2008-07-20 14:29 <DIR> d-------- C:\Program Files\Roxio
    2008-07-20 14:23 . 2008-07-20 14:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
    2008-07-18 15:30 . 2008-02-22 07:30 334,792 --a------ C:\WINDOWS\system32\_AxShlEx.dll
    2008-07-18 15:29 . 2008-07-18 15:29 <DIR> d-------- C:\Program Files\Alcohol Soft
    2008-07-17 22:21 . 2008-07-17 22:21 121 --a------ C:\WINDOWS\bdagent.INI
    2008-07-17 22:19 . 2008-07-17 22:19 81,984 --a------ C:\WINDOWS\system32\bdod.bin
    2008-07-17 22:18 . 2008-07-17 22:21 <DIR> d-------- C:\Program Files\BitDefender
    2008-07-17 22:17 . 2008-07-17 22:21 <DIR> d-------- C:\Program Files\Common Files\BitDefender
    2008-07-16 20:48 . 2007-01-11 22:17 421,888 --a------ C:\WINDOWS\system32\RealMediaSplitter.ax

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-07-22 23:36 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
    2008-07-20 18:35 --------- d-----w C:\Documents and Settings\Galipeau\Application Data\uTorrent
    2008-07-20 18:30 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-07-20 18:23 --------- d-----w C:\Program Files\Common Files\InstallShield
    2008-07-20 18:14 --------- d-----w C:\Program Files\MagicISO
    2008-07-18 19:27 716,272 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
    2008-07-18 19:27 --------- d-----w C:\Program Files\Alcohol 120
    2008-07-17 00:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
    2008-07-17 00:58 --------- d-----w C:\Program Files\Apple Software Update
    2008-07-17 00:45 --------- d-----w C:\Program Files\Common Files\Symantec Shared
    2008-07-17 00:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
    2008-07-17 00:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-07-09 18:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
    2008-07-01 16:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
    2008-06-12 03:20 --------- d-----w C:\Program Files\Common Files\Adobe
    2008-06-12 03:19 --------- d-----w C:\Documents and Settings\Galipeau\Application Data\AdobeUM
    2008-06-10 21:12 --------- d-----w C:\Program Files\Iomega
    2008-06-10 21:05 --------- d-----w C:\Documents and Settings\Galipeau\Application Data\Leadertech
    2008-06-05 16:20 --------- d-----w C:\Program Files\MSBuild
    2008-06-05 16:17 --------- d-----w C:\Program Files\Reference Assemblies
    2008-06-05 16:12 --------- d-----w C:\Program Files\Java
    2008-01-22 02:19 94,080 -c--a-w C:\Documents and Settings\Galipeau\Application Data\ezplay.sys
    2008-01-22 02:19 81,920 -c--a-w C:\Documents and Settings\Galipeau\Application Data\ezpinst.exe
    2008-01-22 02:19 47,360 -c--a-w C:\Documents and Settings\Galipeau\Application Data\pcouffin.sys
    2007-12-14 15:06 22,328 ----a-w C:\Documents and Settings\Galipeau\Application Data\PnkBstrK.sys
    2007-12-29 18:23 80 -csh--r C:\WINDOWS\system32\BF9CE85D2E.dll
    .
     
  3. sweetmooch

    sweetmooch TS Rookie Topic Starter

    HIJACKTHIS LOG

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 13:09:21, on 7/24/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16608)
    Boot mode: Safe mode

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - Default URLSearchHook is missing
    O4 - HKLM\..\Run: [4ccce733] rundll32.exe "C:\WINDOWS\system32\dogbnxmq.dll",b
    O4 - HKLM\..\Run: [BM4fffd4af] Rundll32.exe "C:\WINDOWS\system32\tvddgxvr.dll",s
    O4 - HKCU\..\RunOnce: [NeroHomeFirstStart] C:\Program Files\Common Files\Ahead\Lib\NMFirstStart.exe
    O21 - SSODL: evgratsm - {DD82A666-5565-480E-BA6F-0F27879C682B} - C:\WINDOWS\evgratsm.dll (file missing)
    O21 - SSODL: eqvwamkl - {C8A1A028-AD5A-40BC-B788-8ABC51450B20} - C:\WINDOWS\eqvwamkl.dll (file missing)
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
    O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    O23 - Service: LiveShare P2P Server 10 (RoxLiveShare10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe
    O23 - Service: Roxio Hard Drive Watcher 10 (RoxWatch10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
    O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

    --
    End of file - 2712 bytes
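The helper in post 1 asks for a HijackThis log, and post 3 supplies one. An added example (not from the thread or from HijackThis itself) of the first-pass triage a helper does on such a log: it parses the O4/O21/O23/R3 line formats and flags the patterns visible above, namely rundll32 autoruns that load a random eight-letter DLL from system32, SSODL entries whose DLL is already gone, and services whose binary is missing. The sample lines are copied from the log in this thread; the regexes and severity labels are this example's own assumptions.

```python
import re

# Constructed sample for this example: a handful of lines copied from the
# HijackThis log posted in this thread (not the full log).
SAMPLE_LOG = r"""
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [4ccce733] rundll32.exe "C:\WINDOWS\system32\dogbnxmq.dll",b
O4 - HKLM\..\Run: [BM4fffd4af] Rundll32.exe "C:\WINDOWS\system32\tvddgxvr.dll",s
O4 - HKCU\..\RunOnce: [NeroHomeFirstStart] C:\Program Files\Common Files\Ahead\Lib\NMFirstStart.exe
O21 - SSODL: evgratsm - {DD82A666-5565-480E-BA6F-0F27879C682B} - C:\WINDOWS\evgratsm.dll (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
"""

O4_RE = re.compile(r'^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
RUNDLL_DLL_RE = re.compile(r'rundll32\.exe\s+"?(?P<dll>[^",]+\.dll)"?', re.IGNORECASE)
RANDOM_DLL_RE = re.compile(r'^[a-z]{8}\.dll$')   # eight random lowercase letters, as in the log
HEX_ENTRY_RE = re.compile(r'^(BM)?[0-9a-f]{8}$')  # hex-blob Run names such as 4ccce733 / BM4fffd4af


def triage_line(line):
    """Classify one HijackThis line; returns (severity, reason) or None if it looks ordinary."""
    line = line.strip()
    if line.startswith("O4 - "):
        m = O4_RE.match(line)
        dll = RUNDLL_DLL_RE.search(m.group("cmd")) if m else None
        if dll:
            base = dll.group("dll").rsplit("\\", 1)[-1].lower()
            if RANDOM_DLL_RE.match(base) or HEX_ENTRY_RE.match(m.group("name")):
                return ("high", f"rundll32 autorun loads random-looking DLL {base}")
    elif line.startswith("O21 - SSODL:") and line.endswith("(file missing)"):
        return ("high", "orphaned ShellServiceObjectDelayLoad entry (leftover hook of the infection)")
    elif line.startswith("O23 - Service:") and line.endswith("(file missing)"):
        return ("low", "service points at a missing binary (stale uninstall or removed malware)")
    elif line.startswith("R3 - Default URLSearchHook is missing"):
        return ("info", "default URLSearchHook removed; HijackThis can restore it")
    return None


def triage_log(text):
    """Run triage_line over every line; returns a list of (severity, reason, line)."""
    findings = []
    for raw in text.splitlines():
        hit = triage_line(raw)
        if hit:
            findings.append((hit[0], hit[1], raw.strip()))
    return findings


if __name__ == "__main__":
    for severity, reason, line in triage_log(SAMPLE_LOG):
        print(f"[{severity:4}] {reason}\n        {line}")
```

The two O4 entries and the O21 entry come out "high", the orphaned Symantec service "low", and the NeroHomeFirstStart RunOnce and the Google service are left alone.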
     