My computer is not screwed anymore

Okay, I have a laundry list of problems going on. My Start button is missing all sorts of stuff. My clock is wrong and says virus alert next to it. I have a button on my computer that allows me to get to my computer, but my C: and D: drives are missing. My desktop screen flashes Active Desktop Recovery. Ctrl+Alt+Del doesn't work; it says it's disabled by my admin (I am the admin and I didn't disable it). If I right-click and go to screen properties, it's some menu I haven't seen before with no options on it. HELP... The only way I am sending you this is through my sister's computer. HijackThis didn't work either. Other malware programs go to fix the problems and can't because it says my admin won't let me delete anything out of my registry.


SOLUTION***

ComboFix

Download ComboFix to your desktop.
Double click combofix.exe & follow the prompts.
A window will open with a warning.
When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log.

Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. ComboFix is a very powerful tool, so please do NOT do anything without instruction.

Combofix will automatically save the log file to C:\combofix.txt

---------------------------------------

SmitfraudFix

Download SmitfraudFix to your desktop.
Reboot your computer in Safe Mode (before the Windows icon appears, tap the F8 key continually).
Double-click SmitfraudFix.exe.
Select 2 and hit Enter to delete infected files.
You will be prompted: Do you want to clean the registry ? answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer Y (yes) and hit Enter to restore a clean file.
A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt (Attach the log to your next reply)

-------------------------------------

* Click here to download HJTsetup.exe
Save HJTsetup.exe to your desktop.
Double-click on the HJTsetup.exe icon on your desktop.
By default it will install to C:\Program Files\Hijack This.
Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
Put a check by Create a desktop icon then click Next again.
Continue to follow the rest of the prompts from there.
At the final dialogue box click Finish and it will launch Hijack This.
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
Come back here to this thread and Paste the log in your next reply.
DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.


THANKS TO XXDANIELXX
 
combo fix log

ComboFix 08-07-23.5 - Galipeau 2008-07-24 12:44:24.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.354 [GMT -4:00]
Running from: C:\Documents and Settings\Galipeau\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\vsadd-in
C:\WINDOWS\eqvwamkl.dll
C:\WINDOWS\erfb.exe
C:\WINDOWS\erms.exe
C:\WINDOWS\fdkowvbp.dll
C:\WINDOWS\kvxqmtre.dll
C:\WINDOWS\privacy_danger
C:\WINDOWS\privacy_danger\images\capt.gif
C:\WINDOWS\privacy_danger\images\danger.jpg
C:\WINDOWS\privacy_danger\images\down.gif
C:\WINDOWS\privacy_danger\images\spacer.gif
C:\WINDOWS\privacy_danger\index.htm
C:\WINDOWS\pskt.ini
C:\WINDOWS\qndsfmao.dll
C:\WINDOWS\system32\bypjyjfi.dll
C:\WINDOWS\system32\ctetqmwr.dll
C:\WINDOWS\system32\dmtslnht.dll
C:\WINDOWS\system32\fccDsstq.dll
C:\WINDOWS\system32\gctvojfd.dll
C:\WINDOWS\system32\gplvfrqh.dll
C:\WINDOWS\system32\gzmrot-uninst.exe
C:\WINDOWS\system32\hqrfvlpg.ini
C:\WINDOWS\system32\ISBIRYxx.ini
C:\WINDOWS\system32\ISBIRYxx.ini2
C:\WINDOWS\system32\jkikcsvq.dll
C:\WINDOWS\system32\launcher.exe
C:\WINDOWS\system32\ljJdcDwW.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\nateumrq.dll
C:\WINDOWS\system32\nhvtjlhl.dll
C:\WINDOWS\system32\nqstv.bak1
C:\WINDOWS\system32\nqstv.ini
C:\WINDOWS\system32\pxzyka.dll
C:\WINDOWS\system32\qvsckikj.ini
C:\WINDOWS\system32\rrnylwai.dll
C:\WINDOWS\system32\thnlstmd.ini
C:\WINDOWS\system32\uqngup.dll
C:\WINDOWS\wnslvxtf.dll

.
((((((((((((((((((((((((( Files Created from 2008-06-24 to 2008-07-24 )))))))))))))))))))))))))))))))
.

2008-07-22 20:15 . 2008-07-22 20:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trend Micro
2008-07-22 20:15 . 2006-11-09 16:04 73,288 --a------ C:\WINDOWS\system32\drivers\tmtdi.sys
2008-07-22 19:37 . 2008-07-22 22:06 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-22 18:35 . 2008-07-22 19:36 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-07-22 18:35 . 2008-07-22 18:36 <DIR> d-------- C:\Program Files\Common Files\PC Tools
2008-07-22 18:35 . 2008-07-22 18:35 <DIR> d-------- C:\Documents and Settings\Galipeau\Application Data\PC Tools
2008-07-22 18:35 . 2008-07-22 18:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Tools
2008-07-22 18:35 . 2008-07-16 10:43 160,648 --a------ C:\WINDOWS\system32\drivers\pctfw2.sys
2008-07-22 18:35 . 2008-06-10 21:22 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-07-22 18:35 . 2008-06-02 15:19 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-07-22 18:35 . 2008-06-02 15:19 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-07-22 18:35 . 2008-06-02 15:19 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-07-22 18:10 . 2008-07-22 18:10 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-07-22 12:55 . 2008-07-24 12:41 110,425 --a------ C:\WINDOWS\BM4fffd4af.xml
2008-07-22 12:55 . 2008-07-22 18:57 44,061 --ahs---- C:\WINDOWS\system32\qcwbgutw.ini
2008-07-22 12:53 . 2008-07-22 12:53 323,648 --a------ C:\WINDOWS\system32\xxYRIBSI.dll
2008-07-22 12:47 . 2008-07-17 06:14 155,648 --a------ C:\WINDOWS\agpqlrfm.exe
2008-07-22 12:46 . 2008-07-22 12:46 110,080 --a------ C:\WINDOWS\system32\lphcrqkj0epc7.exe
2008-07-22 12:46 . 2008-07-22 22:00 90,838 --a------ C:\WINDOWS\system32\phcrqkj0epc7.bmp
2008-07-22 12:46 . 2008-07-22 07:23 86,016 --a------ C:\WINDOWS\grswptdl.exe
2008-07-22 12:46 . 2008-07-22 22:00 60,928 --a------ C:\WINDOWS\system32\blphcrqkj0epc7.scr
2008-07-21 03:00 . 2008-07-21 03:00 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-07-20 14:44 . 2008-07-20 14:44 <DIR> d-------- C:\Program Files\foobar2000
2008-07-20 14:44 . 2008-07-20 17:34 <DIR> d-------- C:\Documents and Settings\Galipeau\Application Data\foobar2000
2008-07-20 14:43 . 2008-07-20 14:43 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\DivX
2008-07-20 14:37 . 2008-07-20 14:37 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Roxio
2008-07-20 14:36 . 2008-07-20 14:36 <DIR> d-------- C:\Program Files\InterActual
2008-07-20 14:36 . 2008-07-20 14:36 <DIR> d-------- C:\Documents and Settings\Galipeau\Application Data\Roxio
2008-07-20 14:28 . 2008-07-20 14:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sonic
2008-07-20 14:25 . 2008-07-20 14:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Roxio
2008-07-20 14:24 . 2008-07-20 14:24 <DIR> d-------- C:\Program Files\SmartSound Software
2008-07-20 14:24 . 2008-07-20 14:28 <DIR> d-------- C:\Program Files\Common Files\Sonic Shared
2008-07-20 14:24 . 2008-07-20 14:28 <DIR> d-------- C:\Program Files\Common Files\Roxio Shared
2008-07-20 14:24 . 2008-07-20 14:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SmartSound Software Inc
2008-07-20 14:23 . 2008-07-20 14:29 <DIR> d-------- C:\Program Files\Roxio
2008-07-20 14:23 . 2008-07-20 14:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2008-07-18 15:30 . 2008-02-22 07:30 334,792 --a------ C:\WINDOWS\system32\_AxShlEx.dll
2008-07-18 15:29 . 2008-07-18 15:29 <DIR> d-------- C:\Program Files\Alcohol Soft
2008-07-17 22:21 . 2008-07-17 22:21 121 --a------ C:\WINDOWS\bdagent.INI
2008-07-17 22:19 . 2008-07-17 22:19 81,984 --a------ C:\WINDOWS\system32\bdod.bin
2008-07-17 22:18 . 2008-07-17 22:21 <DIR> d-------- C:\Program Files\BitDefender
2008-07-17 22:17 . 2008-07-17 22:21 <DIR> d-------- C:\Program Files\Common Files\BitDefender
2008-07-16 20:48 . 2007-01-11 22:17 421,888 --a------ C:\WINDOWS\system32\RealMediaSplitter.ax

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-22 23:36 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-20 18:35 --------- d-----w C:\Documents and Settings\Galipeau\Application Data\uTorrent
2008-07-20 18:30 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-20 18:23 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-07-20 18:14 --------- d-----w C:\Program Files\MagicISO
2008-07-18 19:27 716,272 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2008-07-18 19:27 --------- d-----w C:\Program Files\Alcohol 120
2008-07-17 00:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-07-17 00:58 --------- d-----w C:\Program Files\Apple Software Update
2008-07-17 00:45 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-07-17 00:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-07-17 00:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-09 18:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-07-01 16:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-06-12 03:20 --------- d-----w C:\Program Files\Common Files\Adobe
2008-06-12 03:19 --------- d-----w C:\Documents and Settings\Galipeau\Application Data\AdobeUM
2008-06-10 21:12 --------- d-----w C:\Program Files\Iomega
2008-06-10 21:05 --------- d-----w C:\Documents and Settings\Galipeau\Application Data\Leadertech
2008-06-05 16:20 --------- d-----w C:\Program Files\MSBuild
2008-06-05 16:17 --------- d-----w C:\Program Files\Reference Assemblies
2008-06-05 16:12 --------- d-----w C:\Program Files\Java
2008-01-22 02:19 94,080 -c--a-w C:\Documents and Settings\Galipeau\Application Data\ezplay.sys
2008-01-22 02:19 81,920 -c--a-w C:\Documents and Settings\Galipeau\Application Data\ezpinst.exe
2008-01-22 02:19 47,360 -c--a-w C:\Documents and Settings\Galipeau\Application Data\pcouffin.sys
2007-12-14 15:06 22,328 ----a-w C:\Documents and Settings\Galipeau\Application Data\PnkBstrK.sys
2007-12-29 18:23 80 -csh--r C:\WINDOWS\system32\BF9CE85D2E.dll
.
 
HIJACKTHIS LOG

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:09:21, on 7/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [4ccce733] rundll32.exe "C:\WINDOWS\system32\dogbnxmq.dll",b
O4 - HKLM\..\Run: [BM4fffd4af] Rundll32.exe "C:\WINDOWS\system32\tvddgxvr.dll",s
O4 - HKCU\..\RunOnce: [NeroHomeFirstStart] C:\Program Files\Common Files\Ahead\Lib\NMFirstStart.exe
O21 - SSODL: evgratsm - {DD82A666-5565-480E-BA6F-0F27879C682B} - C:\WINDOWS\evgratsm.dll (file missing)
O21 - SSODL: eqvwamkl - {C8A1A028-AD5A-40BC-B788-8ABC51450B20} - C:\WINDOWS\eqvwamkl.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: LiveShare P2P Server 10 (RoxLiveShare10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe
O23 - Service: Roxio Hard Drive Watcher 10 (RoxWatch10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

--
End of file - 2712 bytes
 