Posted 13 August 2009 - 08:27 PM

Hi, I have been on the "Am I Infected? What do I do?" forum and trying to get my computer fixed with an adviser over there. We have tried many things to get my computer fixed, but so far, all have failed. The adviser told me that they weren't sure what else to do so they directed me to this forum.

Here are the basics of what is going on. First, it started when I was redirected to virus sites when I would type something and search in Google. In addition, I would have random audio ads that would start up, but there was no way to close them (at this point, that hasn't happened in a few days). Then my computer restarted, and when it came back up, my background would come up, but none of my desktop icons, Start menu, or anything else would come up. I'm still actually having to just press Ctrl+Alt+Delete and run everything through Task Manager. Also, when I try to run Malwarebytes or just about any other program, it may run for a few seconds or minutes, but it always shuts down whatever program I'm trying to run and then locks me out of it by saying "Windows cannot access the specified device, path, or file. You may not have appropriate permissions to access the item" whenever I try to run the program again after it has been shut down. And yes, I've already tried renaming the programs to get them to run, but it still shuts those down as well.

With this, I tried running the DSS program, and it'll pop up and give the info about only having to run it twice and then delete it, but it never actually starts scanning. So the person that was helping me out in the other forum told me to just paste the last Sophos log that I had.

Here is the Sophos log:

Sophos Anti-Rootkit Version 1.5.0 © 2009 Sophos Plc
Started logging on 8/11/2009 at 1:12:39 AM
User "J" on computer "JOE"
Windows version 5.1 SP 3.0 Service Pack 3 build 2600 SM=0x300 PT=0x1 Win32
Info: Starting process scan.
Info: Starting registry scan.
Info: Starting disk scan of C: (NTFS).
Hidden: file C:\Documents and Settings\J\Local Settings\Temp\rasvsnet.tmp
Hidden: file C:\RECYCLER\S-1-5-21-2962745199-1698438534-2317628482-1006\Dc100.net
Hidden: file C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP325\A0048082.dll
Hidden: file C:\WINDOWS\system32\igfxtray.exe
Hidden: file C:\WINDOWS\system32\hkcmd.exe
Hidden: file C:\Program Files\Microsoft Money 2005\MNYCoreFiles\bbdll.dll
Hidden: file C:\Program Files\utorrent\utorrent.exe
Hidden: file C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
Hidden: file C:\Program Files\Trend Micro\Internet Security\UfNavi.exe
Hidden: file C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
Hidden: file C:\Program Files\DivX\DivX Web Player\npdivx32.dll
Hidden: file C:\WINDOWS\$NtUninstallKB918899$\mshtml.dll
Hidden: file C:\Program Files\Trend Micro\BM\TMBMSRV.exe
Hidden: file C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
Hidden: file C:\Program Files\Malwarebytes' Anti-Malware\myapp.exe.exe
Hidden: file C:\WINDOWS\system32\dllcache\beep.sys
Hidden: file C:\WINDOWS\$NtUninstallKB898458$\orun32.exe
Hidden: file C:\WINDOWS\system32\spool\drivers\w32x86\hpdeskjet_5400_seriea2a2\hpfig3xu.dll
Hidden: file C:\Program Files\QuickTime\QTSystem\QuickTimeAudioSupport.qtx
Hidden: file C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP291\A0024648.dll
Hidden: file C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP325\A0048083.exe
Hidden: file C:\WINDOWS\system32\wisdstr.exe
Hidden: file C:\WINDOWS\system32\scecli.dll
Hidden: file C:\WINDOWS\$hf_mig$\KB931784\SP2QFE\ntkrpamp.exe
Hidden: file C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP325\A0048085.exe
Hidden: file C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP325\A0048084.exe
Hidden: file C:\Documents and Settings\J\Desktop\RootRepeal.exe
Hidden: file C:\WINDOWS\cru629.dat
Hidden: file C:\WINDOWS\system32\cru629.dat
Hidden: file C:\VIPRERESCUE\VIPRERescueScanner.exe
Hidden: file C:\Program Files\DivX\DivX\DivX EKG.exe
Hidden: file C:\WINDOWS\system32\DivX.dll
Hidden: file C:\Program Files\DivX\DivX Player\DivX Player.exe
Hidden: file C:\Documents and Settings\J\Local Settings\Temp\y.exy
Hidden: file C:\Documents and Settings\J\Desktop\mhb86mss.exe
Hidden: file C:\Program Files\Common Files\Apple\Mobile Device Support\bin\CoreFoundation.dll
Hidden: file C:\Program Files\Common Files\Apple\Mobile Device Support\bin\Foundation.dll
Hidden: file C:\Program Files\Common Files\Apple\Mobile Device Support\bin\GoogleContactSync.dll
Hidden: file C:\Program Files\Common Files\Apple\Mobile Device Support\bin\icuin36.dll
Hidden: file C:\Program Files\Common Files\Apple\Mobile Device Support\bin\ISSupport.dll
Hidden: file C:\Program Files\Common Files\Apple\Mobile Device Support\bin\OutlookSyncClientHelper.dll
Hidden: file C:\Program Files\Common Files\Apple\Mobile Device Support\bin\SyncServer.exe
Hidden: file C:\Program Files\Common Files\Apple\Mobile Device Support\bin\SyncServices.dll
Hidden: file C:\Program Files\Common Files\Apple\Mobile Device Support\bin\upgradedb.exe
Hidden: file C:\Program Files\Common Files\Apple\Mobile Device Support\bin\YahooSync.exe
Hidden: file C:\Documents and Settings\J\Desktop\Desktop Stuff\PROJECTS & PAPERS\CG Cache\Adobe Premiere 6.5.exe
Hidden: file C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP265\A0015479.old
Hidden: file C:\Program Files\Trend Micro\Internet Security\UfUpdUi.exe
Hidden: file C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP258\A0014619.exe
Hidden: file C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP285\A0021592.exe
Hidden: file C:\Program Files\Common Files\Apple\Mobile Device Support\bin\YahooSync.app\Contents\Resources\Formatter.bundle\Contents\Windows\Formatter.exe
Hidden: file C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP291\A0024651.dll
Hidden: file C:\RECYCLER\S-1-5-21-2962745199-1698438534-2317628482-1006\Dc5.exe
Hidden: file C:\WINDOWS\$NtServicePackUninstall$\syssetup.dll
Hidden: file C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP318\A0031959.dll
Hidden: file C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP258\A0014425.exe
Hidden: file C:\WINDOWS\system32\dumprep.exe
Hidden: file C:\WINDOWS\explorer.exe
Hidden: file C:\WINDOWS\ServicePackFiles\i386\mtxparhd.dll
Hidden: file C:\WINDOWS\ServicePackFiles\i386\acgenral.dll
Hidden: file C:\WINDOWS\ServicePackFiles\i386\nv4_disp.dll
Hidden: file C:\WINDOWS\system32\nv4_disp.dll
Hidden: file C:\WINDOWS\system32\mtxparhd.dll
Hidden: file C:\WINDOWS\system32\drivers\tmactmon.sys
Hidden: file C:\WINDOWS\system32\drivers\tmcomm.sys
Hidden: file C:\WINDOWS\system32\drivers\tmevtmgr.sys
Hidden: file C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP258\A0014537.dll
Hidden: file C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP313\A0030731.exe
Hidden: file C:\RECYCLER\S-1-5-21-2962745199-1698438534-2317628482-1006\Dc110\winlogon.exe.exe
Hidden: file C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MSO.DLL
Hidden: file C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP263\A0015238.dll
Hidden: file C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP323\A0032017.dll
Stopped logging on 8/11/2009 at 2:42:31 AM

Posted 24 August 2009 - 11:19 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
• Double click on the DDS icon, allow it to run.
• A small box will open, with an explanation about the tool. No input is needed, the scan is running.
• Notepad will open with the results.
• Follow the instructions that pop up for posting the results.
• Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

The problem is not fixed yet.

Anyways, here is the link again to the topic I had in the "Am I Infected?" forum with all the issues and the things that we tried but were unsuccessful at cleaning the computer: Topic Link

Thanks!

Hello gloryfalls12 Welcome to the BC HijackThis Log and Analysis forum. Sorry about your wait, but I will be assisting you in cleaning up your system from here on out.

I ask that you refrain from running tools other than those we suggest while we are performing the clean-up. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

In the upper right hand corner of the topic you will see a button called Options. If you click on this, in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed, you will be advised when we respond to your topic, and this will facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

* IMPORTANT !!! Save ComboFix.exe to your Desktop
• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Instruction can be found HERE
• Double click on ComboFix.exe & follow the prompts.
• As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Please do not post any logs as an attachment unless asked to do so.

I ran the scan off of my jump drive (since my infected computer doesn't have any connection to the internet at the moment) and it found quite a few items. Then it restarted the computer, but when I logged back on, I didn't have any log pop up or anything. I looked around for anything I could find, both on my jump drive and my computer, but could not find anything. However, I did locate the QooBox that I believe the program created. Should I type out the names of those files, or is there some place that I could check for a log file?

I'm having to run everything I do on that computer from the Task Manager run prompt. I have no access to any desktop icons or the taskbar at the bottom of the screen, so I'm not sure how to do a search from that (plus, if I figure out how to do a search, what would the name of the text file be that I would search for?). Would it work if I moved ComboFix from my jump drive onto the computer itself and ran it again?

There is a file on C:\ that is listed as combofix (not associated with any file type though, and I can't right click on it to change anything), but when I try to open it, it says that "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item."

OK, try uploading CF to your Desktop and running it from there and let me know what happens.

I am unable to get ComboFix to the desktop. The furthest I can get it is to My Documents; then I can place a shortcut on the desktop. I may try tomorrow to go to a place where I can get internet (sometimes I get lucky), so I may be able to download the program directly to that computer and load it to the desktop and see if we have any luck that way.

I did, however, find a log in the Qoobox file. Not sure if it has anything to do with anything, but here it is nonetheless:

\Registry\Machine\System\CurrentControlSet\Services\vkquwexg

*******************

Fatal error: integrity of Services key failed verification check! Security may be fatally compromised. Exiting immediately.

Could not open script file! Status: 0xc0000034 Abort!
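
As an added example (not part of this thread, and not Sophos, ComboFix or BleepingComputer code), here is a small Python triage script for the two artefacts posted above: it classifies the Sophos Anti-Rootkit "Hidden: file" lines by location and name pattern, and applies the same random-name heuristic to service key names like the `vkquwexg` key in the ComboFix fragment. The severity rules, the `KNOWN_GOOD` and `CORE_BINARIES` sets and the embedded sample lines are assumptions chosen for illustration; "hidden" in a Sophos log only means something hooked file enumeration, and the real verdict for any flagged file is a hash taken from a clean boot.

```python
"""Triage of Sophos Anti-Rootkit "Hidden: file" lines and of randomly named
service keys like the one ComboFix reported.  Added example for this thread;
not Sophos, ComboFix or BleepingComputer code.  Severity rules, KNOWN_GOOD
and the sample lines are assumptions: "hidden" means something hooked the
file enumeration, and the only real verdict is a hash of the file taken from
a clean boot (rescue CD or a known-good install)."""
import re
from collections import Counter
from pathlib import PureWindowsPath

LOG_RE = re.compile(r"^Hidden:\s+file\s+(?P<path>.+?)\s*$")

# Stems shown in the log above that belong to Windows or well-known vendors
# (assumed allowlist; a hidden copy of one still deserves a hash check).
KNOWN_GOOD = {"igfxtray", "hkcmd", "scecli", "dumprep", "explorer", "beep",
              "mshtml", "syssetup", "acgenral", "nv4_disp", "mtxparhd",
              "tmactmon", "tmcomm", "tmevtmgr", "orun32", "ntkrpamp"}
# Core XP binaries rootkits commonly patch or replace; a hidden live copy is
# HIGH until its hash matches a clean copy.
CORE_BINARIES = {"explorer.exe", "winlogon.exe", "scecli.dll", "beep.sys",
                 "dumprep.exe", "mshtml.dll"}
LOW_PREFIXES = ("c:\\system volume information\\", "c:\\windows\\$nt",
                "c:\\windows\\$hf_mig$\\", "c:\\windows\\servicepackfiles\\",
                "c:\\windows\\system32\\dllcache\\", "c:\\windows\\installer\\")
VENDOR_DIRS = ("trend micro", "divx", "\\apple\\", "quicktime", "microsoft money")
USER_WRITABLE = ("\\local settings\\temp\\", "\\desktop\\", "c:\\recycler\\")


def looks_random(stem: str) -> bool:
    """Heuristic for generated names (vkquwexg, rasvsnet, mhb86mss, cru629):
    letters mixed with digits, no vowels at all, or at most one vowel in four
    over 7+ characters.  Terse legitimate names (mshtml, hkcmd) trip it too,
    so callers pair it with an allowlist or a hash check."""
    s = stem.lower()
    if not re.fullmatch(r"[a-z0-9]{5,12}", s):
        return False
    letters = [c for c in s if c.isalpha()]
    if not letters:
        return False
    if any(c.isdigit() for c in s):
        return True
    vowels = sum(c in "aeiouy" for c in letters)
    return vowels == 0 or (len(s) >= 7 and vowels / len(letters) <= 0.25)


def suspicious_services(names):
    """Service key names that look generated (e.g. 'vkquwexg' above).
    Compare survivors against the service list of a clean XP install."""
    return [n for n in names if looks_random(n)]


def triage_line(line: str):
    """Classify one 'Hidden: file <path>' line; returns None for other lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m.group("path")
    low = path.lower()
    name = PureWindowsPath(path).name.lower()
    stem = name.split(".", 1)[0]
    parent = low[: len(low) - len(name)]  # directory part, trailing backslash

    def rec(severity, reason):
        return {"path": path, "name": name, "severity": severity, "reason": reason}

    if low.startswith(LOW_PREFIXES):
        return rec("LOW", "restore point / uninstall / cache copy; clean up after the live copy")
    if re.search(r"\.(exe|dll|sys|scr|com)\.[a-z0-9]{1,4}$", name):
        return rec("HIGH", "double extension")
    if name in CORE_BINARIES:
        return rec("HIGH", "hidden live copy of a core Windows binary; hash it against a clean copy")
    if any(v in low for v in VENDOR_DIRS):
        return rec("LOW", "vendor product directory; likely the product's own self-protection")
    in_user_dir = any(p in low for p in USER_WRITABLE)
    in_win_root = parent in ("c:\\windows\\", "c:\\windows\\system32\\")
    recycled = re.fullmatch(r"dc\d+", stem) is not None  # Recycle Bin renames to Dc<n>
    if stem not in KNOWN_GOOD and not recycled and looks_random(stem):
        return rec("HIGH" if in_user_dir or in_win_root else "MEDIUM", "random-looking name")
    if in_user_dir:
        return rec("MEDIUM", "hidden in a user-writable location")
    if stem in KNOWN_GOOD:
        return rec("MEDIUM", "known name hidden by a hook; verify its hash")
    return rec("MEDIUM", "unclassified hidden file")


def triage(log_text: str):
    return [r for r in map(triage_line, log_text.splitlines()) if r]


def summarize(records):
    return dict(Counter(r["severity"] for r in records))


# Constructed sample: a subset of the Sophos lines posted earlier in this thread.
SAMPLE_LOG = r"""
Info: Starting disk scan of C: (NTFS).
Hidden: file C:\Documents and Settings\J\Local Settings\Temp\rasvsnet.tmp
Hidden: file C:\RECYCLER\S-1-5-21-2962745199-1698438534-2317628482-1006\Dc100.net
Hidden: file C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP325\A0048082.dll
Hidden: file C:\WINDOWS\system32\igfxtray.exe
Hidden: file C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
Hidden: file C:\Program Files\Malwarebytes' Anti-Malware\myapp.exe.exe
Hidden: file C:\WINDOWS\system32\wisdstr.exe
Hidden: file C:\WINDOWS\cru629.dat
Hidden: file C:\Documents and Settings\J\Local Settings\Temp\y.exy
Hidden: file C:\Documents and Settings\J\Desktop\mhb86mss.exe
Hidden: file C:\RECYCLER\S-1-5-21-2962745199-1698438534-2317628482-1006\Dc110\winlogon.exe.exe
Hidden: file C:\WINDOWS\explorer.exe
Hidden: file C:\WINDOWS\system32\drivers\tmactmon.sys
"""

if __name__ == "__main__":
    order = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}
    for r in sorted(triage(SAMPLE_LOG), key=lambda r: order[r["severity"]]):
        print(f'{r["severity"]:6} {r["reason"]:<50} {r["path"]}')
    print(summarize(triage(SAMPLE_LOG)))
    print("services:", suspicious_services(["vkquwexg", "Browser", "Dhcp", "LanmanServer"]))
```

Two caveats when reading its output against this thread: renamed tools such as the `myapp.exe.exe` copy of Malwarebytes trip the double-extension rule just as a dropped payload would, so that rule orders work rather than convicts; and the restore-point and vendor entries are rated LOW because the live copies (explorer.exe, scecli.dll, the random names under Temp, Desktop and WINDOWS) are what keeps the machine compromised, which is also why the ComboFix refusal to trust the Services key matters more than any single file in the list.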

Sorry for the confusion. I posted all the info about the system and network and all at the top of this topic, and a link to the other thread where I had been helped earlier but was referred to this forum.

Anyways, just to restate, I'm currently at a place where I have to log on to a network using a Cisco client to input my information. Usually, I would have to go to the bottom of the screen, in the taskbar, and right click the icon and open the program interface to enter my information and then proceed to log on. However, now that I don't have access to my taskbar, I can't open the interface to log on. I've tried time and time again to open it manually, but it just won't open up the interface. However, when I have the opportunity to go to a place where I can just freely access any wireless connection, then I can sometimes get online. It's all up to my computer to figure it out and get me on, since I don't have access to any of the programs to pick a wireless network or anything like that.

OK... shouldn't be too much of a problem, at the moment anyways. It'll just take me a little more time in between posts since I'll need to run to a place I can get internet. What's the next thing I need to do?

