
Windows Police Pro/MSAntivirus


  • This topic is locked
59 replies to this topic

#1 lost blonde

  • Members
  • 38 posts

Posted 07 October 2009 - 07:21 PM

Unable to run dds..."...is not a valid Win32 application."
Unable to run Root Repeal..."could not load driver (0xc0000035)!"

Able to get the following logs...Win32kDiag:

Running from: C:\Documents and Settings\Compaq_Administrator\Desktop\Win32kDiag.exe
Log file at : C:\Documents and Settings\Compaq_Administrator\Desktop\Win32kDiag.txt
WARNING: Could not get backup privileges!
Searching 'C:\WINDOWS'...
Found mount point : C:\WINDOWS\$hf_mig$\KB904706\KB904706
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB912945\KB912945
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB915865\KB915865
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB920213\KB920213
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB924496\KB924496
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB933729\KB933729
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\BDATunePIA\BDATunePIA
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehCIR\ehCIR
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\EhCM\EhCM
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehcommon\ehcommon
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehepg\ehepg
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehepgdat\ehepgdat
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehExtHost\ehExtHost
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehiExtCOM\ehiExtCOM
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehiMsgr\ehiMsgr
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehiPlay\ehiPlay
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehiProxy\ehiProxy
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehiUserXp\ehiUserXp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehiWUapi\ehiWUapi
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehRecObj\ehRecObj
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehshell\ehshell
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\Microsoft.MediaCenter\Microsoft.MediaCenter
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\SonicMCEBurnEngine\SonicMCEBurnEngine
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP197.tmp\ZAP197.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP27B.tmp\ZAP27B.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPC5.tmp\ZAPC5.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\temp\temp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\tmp\tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Config\Config
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ftpcache\ftpcache
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Cbz\Cbz
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Lib\Lib
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Wave\Wave
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\chsime\applets\applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imejp\applets\applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imejp98\imejp98
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\shared\res\res
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\java\classes\classes
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\java\trustlib\trustlib
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\Temporary ASP.NET Files\Bind Logs\Bind Logs
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\msapps\msinfo\msinfo
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\batch\batch
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\Config\News\News
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\setup.pss\setup.pss
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\AuthCabs
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\86a5d4ec598b957d3e4d2a7951b2c258\backup\backup
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Default\Default
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel
Mount point destination : \Device\__max++>\^
Cannot access: C:\WINDOWS\system32\eventlog.dll
[1] 2004-08-10 00:00:00 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 20:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 20:11:53 61952 C:\WINDOWS\system32\eventlog.dll ()
[2] 2008-04-13 20:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)
Found mount point : C:\WINDOWS\Temp\Google Toolbar\Google Toolbar
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Temp\TempRec\TempSBE\TempSBE
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2
Mount point destination : \Device\__max++>\^
Finished!


I apologize for the difficulty in reading it as I had to manually separate the lines as I had to bypass normal systems

cmd log:

Volume in drive C is PRESARIO
Volume Serial Number is 6CAB-E33F

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/10/2004 12:00 AM 180,224 scecli.dll

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/10/2004 12:00 AM 407,040 netlogon.dll

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/10/2004 12:00 AM 55,808 eventlog.dll
3 File(s) 643,072 bytes

Directory of C:\WINDOWS\ServicePackFiles\i386

04/13/2008 08:12 PM 181,248 scecli.dll

Directory of C:\WINDOWS\ServicePackFiles\i386

04/13/2008 08:12 PM 407,040 netlogon.dll

Directory of C:\WINDOWS\ServicePackFiles\i386

04/13/2008 08:11 PM 56,320 eventlog.dll
3 File(s) 644,608 bytes

Directory of C:\WINDOWS\system32

04/13/2008 08:12 PM 181,248 scecli.dll

Directory of C:\WINDOWS\system32

04/13/2008 08:12 PM 407,040 netlogon.dll

Directory of C:\WINDOWS\system32

04/13/2008 08:11 PM 61,952 eventlog.dll
3 File(s) 650,240 bytes

Total Files Listed:
9 File(s) 1,937,920 bytes
0 Dir(s) 6,720,229,376 bytes free

I'm not sure I trust the above. I have to leave this on as it will not restart thx to this thing without a lot of prayer and chanting

thx for help
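The two logs in this post already contain what the helper later acts on: every "mount point" Win32kDiag found resolves to the same target that is not a filesystem path, and the system32 copy of eventlog.dll is 61,952 bytes with an empty company string, while the two reference copies (in $NtServicePackUninstall$ and ServicePackFiles\i386) carry Microsoft's version information and are 55,808 and 56,320 bytes. The script below is an added example, not part of the thread or of the Win32kDiag tool: it parses a constructed log modelled on the one above, tolerates the broken line wrapping of a hand-typed paste by flattening whitespace first, and reports the mount-point and locked-file findings. The rule that a legitimate mount point or junction resolves to a `\??\` path is a heuristic assumption, and the `\??\Volume{...}` entry in the sample is invented to show a target that rule does not flag.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the Win32kDiag log in the post above and
# shortened to a few entries. The C:\MountPoints\Data entry is invented.
SAMPLE_LOG = r"""
Running from: C:\Documents and Settings\Compaq_Administrator\Desktop\Win32kDiag.exe
Log file at : C:\Documents and Settings\Compaq_Administrator\Desktop\Win32kDiag.txt
WARNING: Could not get backup privileges!
Searching 'C:\WINDOWS'...
Found mount point : C:\WINDOWS\$hf_mig$\KB904706\KB904706
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\temp\temp
Mount point destination : \Device\__max++>\^
Found mount point : C:\MountPoints\Data
Mount point destination : \??\Volume{11111111-2222-3333-4444-555555555555}
Cannot access: C:\WINDOWS\system32\eventlog.dll
[1] 2004-08-10 00:00:00 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 20:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 20:11:53 61952 C:\WINDOWS\system32\eventlog.dll ()
[2] 2008-04-13 20:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)
Found mount point : C:\WINDOWS\Temp\Google Toolbar\Google Toolbar
Mount point destination : \Device\__max++>\^
Finished!
"""

MOUNT_RE = re.compile(r"Found mount point : (?P<path>.+?) Mount point destination : (?P<dest>\S+)")
BLOCKED_RE = re.compile(r"Cannot access: (?P<path>.+?) (?P<copies>\[\d\].*?)(?= Found mount point | Finished!|$)")
COPY_RE = re.compile(r"\[(?P<tag>\d)\] (?P<stamp>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<size>\d+) "
                     r"(?P<path>.+?) \((?P<vendor>[^)]*)\)")


def parse_win32kdiag(text):
    """Return (mount_points, blocked): mount_points is a list of (path, destination),
    blocked is a list of {'path', 'copies'} for every 'Cannot access' entry."""
    flat = " ".join(text.split())  # collapse the line wrapping of a hand-typed paste
    mounts = [(m["path"], m["dest"]) for m in MOUNT_RE.finditer(flat)]
    blocked = []
    for b in BLOCKED_RE.finditer(flat):
        copies = [{"tag": c["tag"], "size": int(c["size"]), "path": c["path"], "vendor": c["vendor"]}
                  for c in COPY_RE.finditer(b["copies"])]
        blocked.append({"path": b["path"], "copies": copies})
    return mounts, blocked


def triage(text):
    """Turn the parsed log into the findings a helper would act on."""
    mounts, blocked = parse_win32kdiag(text)
    findings = []
    by_dest = defaultdict(list)
    for path, dest in mounts:
        by_dest[dest].append(path)
    for dest, paths in by_dest.items():
        # Heuristic (assumption): mount points and junctions an administrator
        # created resolve to a \??\ path; anything else deserves a closer look.
        if not dest.startswith("\\??\\"):
            findings.append(f"{len(paths)} mount point(s) resolve to non-filesystem target {dest}")
    for entry in blocked:
        target = entry["path"].lower()
        name = target.rsplit("\\", 1)[-1]
        live = [c for c in entry["copies"] if c["path"].lower() == target]
        refs = [c for c in entry["copies"]
                if c["path"].lower() != target and c["path"].lower().rsplit("\\", 1)[-1] == name]
        if not live:
            findings.append(f"{entry['path']}: locked and no live copy listed")
            continue
        c = live[0]
        if not c["vendor"]:
            findings.append(f"{entry['path']}: live copy carries no company/version info ({c['size']} bytes)")
        ref_sizes = sorted({r["size"] for r in refs})
        if ref_sizes and c["size"] not in ref_sizes:
            findings.append(f"{entry['path']}: live size {c['size']} matches none of the reference copies {ref_sizes}")
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_LOG):
        print(line)
```

On the sample this reports three findings: the three mount points that share the non-filesystem target, and two observations about eventlog.dll (no company string, and a size that matches neither reference copy), which is exactly the file the helper replaces in post #4.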



#2 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 09 October 2009 - 04:17 PM

Hello! :(
My name is Sam and I will be helping you.

In order to see what's going on with your computer I'll ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.



Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

Important!
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.



Make sure that you save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 lost blonde

  • Topic Starter
  • Members
  • 38 posts

Posted 09 October 2009 - 06:24 PM

Unable to run Combofix.exe
Saved it as doodah.exe
Tried again and saved as ahhah.com with changed file extension. Still did not work. I think right now I seriously need to stop whatever is stopping me from running any programs. I have fiddled with it (yes I know, not supposed to), and have managed to delete several vital virus files that have helped a bit. I no longer have to use open public to access task manager and regedit. They open without trouble now! (I've even rebooted-hey hey)

But I digress.
Thx so much for all the help that is sure to come. I hope to become a "helper" when this is all over with. Unfortunately, all slots are taken for now...I digress yet again...I have to stop doing that.

Seriously, thank you so much for your help!

#4 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 09 October 2009 - 06:32 PM

That's not totally unexpected with Combofix. But we can work around it.


Please follow these steps first:
  • Click on the Start button, then click on Run...
  • In the empty "Open:" box provided, type cmd and press Enter
    • This will launch a Command Prompt window (looks like DOS).
  • Copy the entire blue text below to the clipboard by highlighting all of it and pressing Ctrl+C (or after highlighting, right-click and select Copy).

    copy C:\WINDOWS\ServicePackFiles\i386\eventlog.dll C:\ /y

  • In the Command Prompt window, paste the copied text by right-clicking and selecting Paste.
  • Press Enter. When successful, you should get this message within the Command Prompt: "1 file(s) copied"
    NOTE: If you didn't get this message, stop everything and come back and tell me first. Executing The Avenger script (step #2) won't work if the file copy was not successful.
  • Exit the Command Prompt window.

===============================
Next set of steps...


Please disable your antivirus program.
  • Download The Avenger by Swandog46 from here.
  • Unzip/extract it to a folder on your desktop.
  • Double click on avenger.exe to run The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in the below code box to the clipboard by highlighting it and then pressing Ctrl+C.

    Files to move:
    C:\eventlog.dll | C:\WINDOWS\system32\eventlog.dll
  • In the avenger window, click the Paste Script from Clipboard button.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  • After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).

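The procedure in this post fixes one file by hand: copy a known-good eventlog.dll out of ServicePackFiles\i386 to the drive root, confirm "1 file(s) copied", then let The Avenger move it over the locked system32 copy at the next boot. As an added example (not the helper's tool and not a command from the thread), the Python below generalises the first half of that idea: it hashes every file in a system32 directory that has a same-named reference copy in ServicePackFiles\i386 or dllcache and reports live files matching none of their references, then mirrors the "stop if the copy did not succeed" guard by refusing to emit the Avenger move script unless the staged copy is byte-identical to the reference. The directory tree, file contents and the padded eventlog.dll are constructed stand-ins built in a temporary folder; the function names are the example's own.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path):
    """Hash a file in chunks so large system binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_modified_system_files(system_dir, reference_dirs, names=None):
    """Compare each file in system_dir with same-named files in reference_dirs.
    Returns {name: {'live': hash, 'size': bytes, 'refs': {ref_dir: hash}}} for
    live files whose hash matches none of their reference copies. Files with no
    reference copy are skipped rather than guessed at."""
    system_dir = Path(system_dir)
    candidates = ([system_dir / n for n in names] if names
                  else sorted(p for p in system_dir.iterdir() if p.is_file()))
    mismatches = {}
    for live in candidates:
        if not live.is_file():
            continue
        refs = {}
        for rd in reference_dirs:
            ref = Path(rd) / live.name
            if ref.is_file():
                refs[str(rd)] = sha256_of(ref)
        if not refs:
            continue
        live_hash = sha256_of(live)
        if live_hash not in refs.values():
            mismatches[live.name] = {"live": live_hash, "size": live.stat().st_size, "refs": refs}
    return mismatches


def restore_plan(reference, staged, target):
    """Guard from the thread: the staged copy (made with 'copy ... C:\\ /y') must be
    identical to the reference before an on-reboot move is scheduled. Returns the
    Avenger script text in the 'Files to move:' form used in the post above."""
    if sha256_of(reference) != sha256_of(staged):
        raise RuntimeError(f"staged copy {staged} does not match {reference}; stop here")
    return f"Files to move:\n{staged} | {target}\n"


def build_demo_tree(root):
    """Constructed layout mimicking the directories from the thread, with fake contents."""
    root = Path(root)
    sp = root / "WINDOWS" / "ServicePackFiles" / "i386"
    s32 = root / "WINDOWS" / "system32"
    dc = s32 / "dllcache"
    for d in (sp, s32, dc):
        d.mkdir(parents=True, exist_ok=True)
    good = b"MZ" + b"\x00" * 100 + b"eventlog reference"   # 120 bytes, stands in for the clean DLL
    (sp / "eventlog.dll").write_bytes(good)
    (dc / "eventlog.dll").write_bytes(good)
    (s32 / "eventlog.dll").write_bytes(good + b"\x90" * 5632)  # live copy padded: differs from both refs
    clean = b"MZ" + b"netlogon"
    (sp / "netlogon.dll").write_bytes(clean)
    (s32 / "netlogon.dll").write_bytes(clean)                   # unchanged: must not be reported
    (s32 / "unrelated.dll").write_bytes(b"MZ no reference copy")  # no reference: skipped
    return s32, [sp, dc]


def run_demo():
    with tempfile.TemporaryDirectory() as tmp:
        s32, refs = build_demo_tree(tmp)
        return find_modified_system_files(s32, refs)


def run_restore_demo():
    """Stage the reference copy, verify it, produce the move script, then show the
    guard firing when the staged file is not the one we think it is."""
    with tempfile.TemporaryDirectory() as tmp:
        s32, refs = build_demo_tree(tmp)
        reference = refs[0] / "eventlog.dll"
        staged = Path(tmp) / "eventlog.dll"
        staged.write_bytes(reference.read_bytes())
        script = restore_plan(reference, staged, s32 / "eventlog.dll")
        staged.write_bytes(b"MZ tampered")
        try:
            restore_plan(reference, staged, s32 / "eventlog.dll")
            guard_fired = False
        except RuntimeError:
            guard_fired = True
        return script, guard_fired


if __name__ == "__main__":
    for name, info in run_demo().items():
        print(f"{name}: {info['size']} bytes, matches none of {len(info['refs'])} reference copies")
    print(run_restore_demo()[0])
```

Hash comparison is the right test here rather than size alone: a replaced binary can be padded to the original length. Run against a real Windows directory the reference copies still have to be trusted, which is why the thread's helper prefers ServicePackFiles\i386 over whatever is currently in system32.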


========================================================

#5 lost blonde

  • Topic Starter
  • Members
  • 38 posts

Posted 09 October 2009 - 07:01 PM

When I rebooted, it all came back, all that stuff I got rid of. Also I got a window to pop up that said

"Windows - No Disk

Exception Processing Message c0000013 Parameters 75b6bf7c 4 75b6bf7c 75b6bf7c"

I had to click the buttons just to get windows explorer up and running in order to find the log. I can't paste it here, so I'm having to type it in manually with the stupid "no disk" window on top of everything and a 6 year old chanting how great it is to be a...school motto. So here it is

Logfile of the Avenger 2.0 by Swandog46
http:\\swandog46.geekstogo.com
Platform: Windows XP
***************
Script file opened successfully
Script file read successfully
Backups directory opened successfully at C:\Avenger
******************
Beginning to process script file:
Rootkit scan active.
No rootkits found
File move operation "C:\eventlog.dll|C:\WINDOWS\System32\eventlog.dll" completed successfully
Completed Script Processing
*****************
Finished! Terminate.

#6 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 09 October 2009 - 09:32 PM

You're doing great! :(
You can attach the logs if you need to.


Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK.

"%userprofile%\desktop\win32kdiag.exe" -f -r

When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.



========================



Now delete any copy of combofix.exe that you have if you downloaded it previously.

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3

--------------------------------------------------------------------

Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt so we can continue cleaning the system.



========================================================

#7 lost blonde

  • Topic Starter
  • Members
  • 38 posts

Posted 10 October 2009 - 02:37 AM

Sorry, I went to bed. Win32kDiag isn't opening, but combofix is this time. It is running now. I'm on another pc.

#8 lost blonde

  • Topic Starter
  • Members
  • 38 posts

Posted 10 October 2009 - 02:59 AM

Something called Security Tool came up. Should I click on "remove infections?"

#9 lost blonde

  • Topic Starter
  • Members
  • 38 posts

Posted 10 October 2009 - 03:04 AM

Sorry, I see where it's a virus. I closed out of it and my pc appears hung.

#10 lost blonde

  • Topic Starter
  • Members
  • 38 posts

Posted 10 October 2009 - 06:55 AM

Um...It finally quit everything and now I have

"A problem has been detected and Windows has shut down to prevent damage to your computer. The problem seems to be caused by the following file:
SPCMSCOM.sys

PAGE_FAULT_IN_NONPAGED_AREA

If this is the first time you've seen this stop error screen, restart your computer. If this screen appears again, follow these steps:
Check to make sure any new hardware or software is properly installed.
If this is a new installation, ask your hardware or software manufacturer for any new Windows updates you might need.

If problem continues, disable or remove any new hardware or software. Disable BIOS memory options such as your caching or shadowing. If you need to use safe mode to remove or disable components, restart your computer, press F8 to select advanced startup options, select Safe Mode.

Technical information:

*** STOP: 0x00000050 (0xFD3094C2, 0x00000001, 0xFBFE7617, 0x00000000)

*** SPCMDCON.SYS - Address FBFE7617 base at FBFE5000, DataStamp 3d6dd67c"



Oh, and I'll be gone this morning on a Cub Scout thingy but will be back this afternoon
thx

Edited by lost blonde, 10 October 2009 - 06:55 AM.


#11 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 10 October 2009 - 08:33 AM

> Oh, and I'll be gone this morning on a Cub Scout thingy but will be back this afternoon
> thx

Me too! :(
We're selling popcorn in front of Lowes for a couple hours today.

It does appear that you've got some corruption in your system. We may need to do a repair installation at some point, so you should locate your Windows XP disc.

Was Combofix able to run completely and create a log? If so, it should be located at C:\Combofix.txt
Please post it.


========================================================

#12 lost blonde

  • Topic Starter
  • Members
  • 38 posts

Posted 10 October 2009 - 10:07 AM

> Me too! :(
> We're selling popcorn in front of Lowes for a couple hours today.


Cool!

I left it on the blue screen. Should I reboot in order to check for the log?

Edited by lost blonde, 10 October 2009 - 10:09 AM.


#13 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 10 October 2009 - 04:16 PM

Yes, reboot. It should reboot normally, but take note of any error messages that you get.


========================================================

#14 lost blonde

  • Topic Starter
  • Members
  • 38 posts

Posted 10 October 2009 - 04:56 PM

System Tool could not find or open the shell. I don't remember exactly. Also, there is no desktop, just a red screen. I am not able to run taskmgr, it blinks and goes away. I am no longer able to use Wordpad for the txt log files. I had almost given up, when I went to start-my computer and was able to open the txt file in mozilla. Heh, heh

here is combofix.txt

ComboFix 09-10-08.04 - Compaq_Administrator 10/10/2009 3:43.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.680 [GMT -4:00]
Running from: c:\documents and settings\Compaq_Administrator\Desktop\ooga.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

"c:\program files\internet explorer\iexplore.exe ... is infected"

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\COMPAQ~1\LOCALS~1\Temp\lsass.exe
c:\docume~1\COMPAQ~1\LOCALS~1\Temp\services.exe
c:\docume~1\COMPAQ~1\LOCALS~1\Temp\svchost.exe
c:\docume~1\COMPAQ~1\LOCALS~1\Temp\taskmgr.exe
c:\docume~1\COMPAQ~1\LOCALS~1\Temp\winlogon.exe
c:\documents and settings\Compaq_Administrator\Application Data\.#
c:\documents and settings\Compaq_Administrator\Start Menu\Programs\Startup\scandisk.lnk
c:\documents and settings\Compaq_Administrator\Start Menu\Programs\Startup\wuauclt.exe.lnk
c:\documents and settings\NetworkService\ntuser.dll
c:\windows\kb913800.exe
c:\windows\ovilitac.dll
c:\windows\system32\AVR09.exe
c:\windows\system32\bincd32.dat
c:\windows\system32\calc.dll
c:\windows\system32\config\systemprofile\ntuser.dll
c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\scandisk.dll
c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\scandisk.lnk
c:\windows\system32\critical_warning.html
c:\windows\system32\fimofago.dll
c:\windows\system32\fomasopi.exe
c:\windows\system32\fulivapo.dll
c:\windows\system32\images
c:\windows\system32\levukote.exe
c:\windows\system32\lidaneki.dll
c:\windows\system32\ligijowe.dll
c:\windows\system32\majudohi.dll.tmp
c:\windows\system32\nukavuso.dll.tmp
c:\windows\system32\nunajimo.exe
c:\windows\system32\pegatijo.dll
c:\windows\system32\plUGie.dll
c:\windows\system32\pufalulo.dll
c:\windows\system32\sikemaha.exe
c:\windows\system32\sodewozi.exe
c:\windows\system32\vesoyuwu.dll
c:\windows\system32\voyutepu.dll
c:\windows\system32\voyuwuzo.dll
c:\windows\system32\winhelper.dll
c:\windows\system32\winupdate.exe
c:\windows\system32\wuauclt.ini
c:\windows\system32\wutilowu.dll
c:\windows\system32\yayutoto.dll.tmp
c:\windows\system32\yiyolawo.dll
c:\windows\system32\zayisevi.dll
c:\windows\win32k.sys
d:\program files\iWin Games\iWINgameshookie.dll
E:\Autorun.inf
F:\Autorun.inf

Infected copy of c:\windows\regedit.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\regedit.exe

Infected copy of c:\windows\system32\drivers\atapi.sys was found and disinfected
Kitty ate it :(
Infected copy of c:\windows\system32\wuauclt.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\wuauclt.exe

Infected copy of c:\windows\pchealth\helpctr\binaries\msconfig.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\msconfig.exe

Infected copy of c:\windows\system32\calc.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\calc.exe

Infected copy of c:\windows\system32\cleanmgr.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\cleanmgr.exe

Infected copy of c:\windows\system32\dxdiag.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\dxdiag.exe

Infected copy of c:\windows\system32\mspaint.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\mspaint.exe

Infected copy of c:\windows\system32\sndrec32.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\sndrec32.exe

Infected copy of c:\windows\system32\sndvol32.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\sndvol32.exe

Infected copy of c:\windows\system32\sol.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\sol.exe

Infected copy of c:\windows\system32\spider.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\spider.exe

Infected copy of c:\windows\system32\taskmgr.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\taskmgr.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_IWINGAMESINSTALLER
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}
-------\Service_iWinGamesInstaller


((((((((((((((((((((((((( Files Created from 2009-09-10 to 2009-10-10 )))))))))))))))))))))))))))))))
.

2009-10-10 00:14 . 2009-10-10 00:14 -------- d-----w- c:\documents and settings\All Users\Application Data\89253633
2009-10-03 16:17 . 2009-10-03 16:17 -------- d-----w- c:\documents and settings\Compaq_Administrator\Application Data\Magic Academy 2
2009-09-22 17:09 . 2009-09-22 17:09 -------- d-----w- c:\documents and settings\Compaq_Administrator\Application Data\bfgbar
2009-09-16 11:43 . 2009-09-16 12:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Merscom
2009-09-16 11:43 . 2009-09-16 11:43 -------- d-----w- c:\documents and settings\Compaq_Administrator\Application Data\Merscom
2009-09-13 13:35 . 2009-09-13 13:35 -------- d-----w- c:\documents and settings\All Users\Application Data\BigFishSavedGames
2009-09-13 12:35 . 2009-09-13 12:35 -------- d-----w- c:\documents and settings\Compaq_Administrator\Application Data\Sanna
2009-09-10 11:49 . 2009-09-10 11:51 -------- d-----w- c:\documents and settings\All Users\Application Data\FarmFrenzy3

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-30 67584]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-23 237568]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-16 249856]
"HP Software Update"="c:\program files\HP\HP Software Update\HPwuSchd2.exe" [2005-02-17 49152]
"AVG8_TRAY"="d:\progra~1\AVG\AVG8\avgtray.exe" [2009-10-05 2023704]
"QuickTime Task"="d:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-05-23 180269]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-03-27 86016]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" - c:\windows\arpwrmsg.exe [2005-08-03 77312]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2007-10-25 16855552]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-03-27 1657376]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,c:\windows\system32\wuauclt.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-17 16:35 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli nen1in.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iWin Games\\iWinGames.exe"=
"d:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"d:\\Program Files\\Microsoft Games\\Viva Pinata\\Viva Pinata.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Documents and Settings\\Compaq_Administrator\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Compaq_Administrator\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"d:\\Program Files\\iWin Games\\iWinGames.exe"=
"d:\\Program Files\\iWin Games\\WebUpdater.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\helpsvc.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [8/28/2009 11:53 AM 64160]
R2 avg8wd;AVG Free8 WatchDog;d:\progra~1\AVG\AVG8\avgwdsvc.exe [1/28/2009 8:39 PM 297752]
R2 iWinTrusted;iWinTrusted;c:\program files\iWin Games\iWinTrusted.exe [1/4/2009 10:28 AM 78104]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [12/14/2008 9:27 AM 335240]
S2 AntiPol;AntiPol;c:\windows\svchast.exe --> c:\windows\svchast.exe [?]
S3 easter;easter;c:\windows\system32\drivers\easter.sys [10/7/2009 8:11 PM 34816]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 10:49 AM 1028432]
S3 oopd;oopd;\??\c:\windows\system32\drivers\oopd.sys --> c:\windows\system32\drivers\oopd.sys [?]
S3 tatertot.scr;tatertot.scr;c:\windows\system32\drivers\tatertot.scr.sys [10/6/2009 5:12 PM 34816]
.
Contents of the 'Scheduled Tasks' folder

2009-10-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-436373716-449175363-267983759-1008Core.job
- c:\documents and settings\Compaq_Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-02-28 14:54]

2009-10-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-436373716-449175363-267983759-1008UA.job
- c:\documents and settings\Compaq_Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-02-28 14:54]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
DPF: {A084A130-28AE-4B32-B51A-1C8CE164BC88} - hxxp://www.convergysworkathome.com/AppHardT.CAB
FF - ProfilePath -
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - HiddenExtension: XULRunner: {EBBF2DBB-C105-4732-90A1-BA3ABEBCA368} - c:\documents and settings\Compaq_Administrator\Local Settings\Application Data\{EBBF2DBB-C105-4732-90A1-BA3ABEBCA368}
.
.
------- File Associations -------
.
txtfile=%windir%\NOTEPAD.EXE %1
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-71534626 - c:\documents and settings\All Users\Application Data\71534626\71534626.exe
HKLM-Run-Pruvaxeqeta - c:\windows\ovilitac.dll
HKLM-Run-bupujuzis - c:\windows\system32\pegatijo.dll
HKLM-Run-PCDrProfiler - (no file)
HKLM-Run-janazadupo - yiyolawo.dll
SharedTaskScheduler-{8c8db1e2-c326-4fd7-96ea-cfc50486da2e} - c:\windows\system32\pegatijo.dll
AddRemove-WT074873 - c:\program files\HP Games\Wedding Dash - Ready



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-10 03:52
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(768)
c:\windows\nen1in.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\arservice.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\ooga\hidec.exe
c:\windows\ehome\ehmsas.exe
c:\documents and settings\All Users\Application Data\89253633\89253633.exe
c:\ooga\Catchme.tmp
.
**************************************************************************
.
Completion time: 2009-10-10 3:54 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-10 07:54

Pre-Run: 8,104,198,144 bytes free
Post-Run: 8,086,118,400 bytes free

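The loading points in the ComboFix log above carry three classic signs of a compromised Winlogon/LSA path: an extra executable appended to Userinit, a non-default DLL in the LSA Notification Packages (the same nen1in.dll that shows up loaded in lsass.exe), and the firewall policy switched off. The following script is an added example, not part of this thread or of ComboFix; it parses those three entries from a constructed excerpt of the posted log and reports anything that departs from the stock Windows XP defaults assumed in the constants.

```python
import re

# Constructed sample: three "Reg Loading Points" entries copied from the
# ComboFix log posted in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,c:\windows\system32\wuauclt.exe,"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli nen1in.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

# Assumed stock Windows XP defaults: Userinit should name only userinit.exe,
# and the only default LSA notification package is scecli.
DEFAULT_USERINIT = "c:\\windows\\system32\\userinit.exe"
DEFAULT_LSA_PACKAGES = {"scecli"}


def check_loading_points(text):
    """Return (location, detail) findings for the Winlogon, LSA and firewall values."""
    findings = []

    # Userinit is a comma-separated list; anything beyond userinit.exe runs at every logon.
    m = re.search(r'"Userinit"="([^"]*)"', text, re.I)
    if m:
        entries = [e.strip().lower() for e in m.group(1).split(",") if e.strip()]
        extra = [e for e in entries if e != DEFAULT_USERINIT]
        if extra:
            findings.append(("Userinit", "extra entries: " + ", ".join(extra)))

    # Notification Packages DLLs are loaded into lsass.exe and see password changes.
    m = re.search(r"Notification Packages\s+REG_MULTI_SZ\s+(.*)", text, re.I)
    if m:
        pkgs = m.group(1).split()
        unknown = sorted(p for p in pkgs if p.lower() not in DEFAULT_LSA_PACKAGES)
        if unknown:
            findings.append(("LSA Notification Packages", "non-default: " + ", ".join(unknown)))

    # EnableFirewall=0 means the standard-profile Windows Firewall is switched off.
    m = re.search(r'"EnableFirewall"=\s*(\d+)', text, re.I)
    if m and m.group(1) == "0":
        findings.append(("Firewall", "standard profile firewall disabled"))

    return findings


if __name__ == "__main__":
    for location, detail in check_loading_points(SAMPLE_LOG):
        print(f"{location}: {detail}")
```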

#15 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:05:42 AM

Posted 11 October 2009 - 08:16 AM

Yikes! No wonder you're having problems. You've got quite a mess there.

See if this will work now.

Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK.

"%userprofile%\desktop\win32kdiag.exe" -f -r

When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.


===================



Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Double-click the drweb-cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, in the menu, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
Note: If you have problems with DrWeb shutting down before it completes the scan you can perform a custom scan and select individual folders to scan. In that case start with C:\Windows\System32


Please post the contents of the log from DrWeb in your next reply.



=====================


Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a USB stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================