Ok new topic

Adding in context from another post. ~ OB

Im using SpywareDr. Ive done multi scans and click on the fix, only to have the same to malware programs show up ever time. And they are, beside the ADWARE.ADVERTISING COOKIES, AND APPLICATION TRACKING COOKIES IS ROUGE ANTISPYWARE.MALWARE DEFENCE registry key HKEY_LOCAL_MACHINE\SOFTWARE\MALEWARE DEFENCE.
The other one is ROGUE ANTI SPYWARE.PERSONEL ANTIVIRUS HKEY_LOCAL_MACHINE\SOFTWARE\PALADIN ANTIVIRUS.

I went to http:www.bleepingcomputer.com/forums/topic 34773.html, and started following the instructions. It seemed to go fine untill I tried to run the GMER.exe file. First time it ran over a hr and half then all of a sudden my computer rebooted. Second time it ran for a long time also but I kept moving the mouse every now and then thinking my computer rebooted from inactivity the first time but that didnt work either the program and the computer froze up. Other attempts to run the program have pretty much been the same. While ive never got the program to complete I have noticed a lot of files with the word
PRAGMA in it. One such file is SYSTEM32\DRIVERS\PRAGMAHWUHVLXIPO.SYS (***HIDDEN***) And another one is C:\WINDOWS\PRAGMAUXTKOIBFND\PRAGMAD.SYS (***HIDDEN***)

I do get a warrining at the begining of running the program which states, WARNING GMER HAS DETECTED SYS MOFIFICATION BY ROOTKIT ACTIVITY. DO YOU WANT FULLY SCAN YOUR SYSTEM?
I have tried to start in safe mode but that freezes up also. Last driver on the bottom of the frozen page is MULTI(0)DISK(0)PARTITION(1)\WINDOWS\SYSTEM32\DRIVERS\MUP.SYS

Any help will be greatly appreciated TY.

End of added information. ~ OB

DDS (Ver_10-03-17.01) - NTFSx86
Run by HP_Administrator at 19:09:53.17 on Sun 04/18/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1219 [GMT -7:00]

AV: Spyware Doctor with AntiVirus *On-access scanning enabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}

============== Running Processes ===============

c:\windows\system32\svchost -k dcomlaunch
c:\windows\system32\svchost -k rpcss
c:\windows\system32\svchost.exe -k netsvcs
c:\windows\system32\svchost.exe -k networkservice
c:\windows\system32\svchost.exe -k localservice
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
c:\windows\system32\svchost.exe -k localservice
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
c:\windows\system32\svchost.exe -k localservice
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\Elservice.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
c:\windows\system32\svchost.exe -k httpfilter
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Spyware Doctor\TFEngine\TFService.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\DISC\DISCover.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\DISC\DiscUpdMgr.exe
C:\Program Files\DISC\DiscStreamHub.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\HP_Administrator.ROYS.000\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uStart Page = hxxp://yahoo.com/
mSearchAssistant = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn4\yt.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: hpWebHelper Class: {aaae832a-5fff-4661-9c8f-369692d1dcb9} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\WebHelper.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn4\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn4\yt.dll
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\Iaanotif.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
mRun: [DMAScheduler] "c:\program files\hp digitalmedia archive\DMAScheduler.exe"
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [<NO NAME>]
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\update~1.lnk - c:\program files\updates from hp\9972322\program\Updates from HP.exe
mPolicies-system: EnableLUA = 0 (0x0)
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab
DPF: {6218F7B5-0D3A-48BA-AE4C-49DCFA63D400} - hxxp://www.myheritage.com/Genoogle/Components/ActiveX/SearchEngineQuery.dll
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1268590854390
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-3-9 207280]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2010-3-9 51984]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2010-3-9 59664]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [2010-3-9 233136]
R2 {22D78859-9CE9-4b77-BF18-AC83E81A9263};{22D78859-9CE9-4b77-BF18-AC83E81A9263};c:\program files\hp\dvdplay\000.fcl [2006-11-1 6656]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\spyware doctor\bdt\BDTUpdateService.exe [2010-3-9 112592]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2010-3-9 365280]
R2 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2010-3-9 1141712]
R3 CXFALCON;Conexant Falcon II NTSC Video Capture;c:\windows\system32\drivers\cxfalcon.sys [2006-11-1 82048]
R3 pctplsg;pctplsg;c:\windows\system32\drivers\pctplsg.sys [2010-3-9 70408]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2010-3-9 33552]
R3 ThreatFire;ThreatFire;c:\program files\spyware doctor\tfengine\tfservice.exe service --> c:\program files\spyware doctor\tfengine\TFService.exe service [?]
R3 WN5301;LIteon Wireless PCI Network Adapter Service;c:\windows\system32\drivers\wn5301.sys [2006-11-1 468768]
S1 wcsifcsl;wcsifcsl;\??\c:\windows\system32\drivers\wcsifcsl.sys --> c:\windows\system32\drivers\wcsifcsl.sys [?]

=============== Created Last 30 ================

2010-04-19 02:05:17 0 ----a-w- c:\documents and settings\hp_administrator.roys.000\defogger_reenable
2010-04-14 20:02:36 206 ----a-w- c:\windows\system32\MRT.INI
2010-04-10 18:18:02 0 d-----w- c:\docume~1\hp_adm~1.000\applic~1\HpUpdate
2010-04-10 01:39:25 555 ----a-w- c:\windows\cdplayer.ini
2010-04-04 23:42:15 90112 ----a-w- c:\windows\system32\lfjbg13n.dll
2010-04-04 23:42:15 73728 ----a-w- c:\windows\system32\lffax13n.dll
2010-04-04 23:42:15 453120 ----a-w- c:\windows\system32\ltkrn13n.dll
2010-04-04 23:42:15 445440 ----a-w- c:\windows\system32\ltimg13n.dll
2010-04-04 23:42:15 388608 ----a-w- c:\windows\system32\lfcmp13n.dll
2010-04-04 23:42:15 265216 ----a-w- c:\windows\system32\ltdis13n.dll
2010-04-04 23:42:15 246272 ----a-w- c:\windows\system32\lfj2k13n.dll
2010-04-04 23:42:15 206848 ----a-w- c:\windows\system32\ltefx13n.dll
2010-04-04 23:42:15 1693696 ----a-w- c:\windows\system32\ltclr13n.dll
2010-04-04 23:42:15 154112 ----a-w- c:\windows\system32\ltfil13n.dll
2010-04-04 23:42:15 142848 ----a-w- c:\windows\system32\lftif13n.dll
2010-04-04 23:42:14 189976 ----a-w- c:\windows\system32\mfimgvwr.ocx
2010-04-04 23:42:06 0 d-----w- c:\program files\MFInstall
2010-03-30 20:42:44 0 d-----w- c:\program files\YEpic

==================== Find3M ====================

2010-03-17 02:05:28 80 ----a-w- c:\docume~1\hp_adm~1.000\applic~1\wklnhst.dat
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\dllcache\vbscript.dll
2010-03-08 21:35:18 9 ----a-w- C:\confin.sys
2010-02-25 18:54:36 11070976 ------w- c:\windows\system32\dllcache\ieframe.dll
2010-02-24 13:11:07 455680 ------w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-24 13:11:07 455680 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2010-02-24 09:54:25 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2010-02-12 04:33:11 100864 ------w- c:\windows\system32\dllcache\6to4svc.dll
2010-02-12 04:33:11 100864 ------w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02:15 226880 ------w- c:\windows\system32\dllcache\tcpip6.sys
2010-01-21 23:21:07 165840 ----a-w- c:\windows\PCTBDRes.dll
2010-01-21 23:21:07 149456 ----a-w- c:\windows\SGDetectionTool.dll
2010-01-21 23:21:06 1652688 ----a-w- c:\windows\PCTBDCore.dll
2010-01-21 23:21:05 767952 ----a-w- c:\windows\BDTSupport.dll
2010-01-20 00:04:00 178333 ----a-w- c:\windows\hpwins20.dat
2007-06-27 01:48:16 32 --sha-w- c:\windows\sminst\HPCD.SYS

============= FINISH: 19:12:08.70 ===============

Edited by Orange Blossom, 20 April 2010 - 08:30 PM.

Now my computer is almost totaly unusable. All I get is popup security warnings. Like APPLICATION CANNOT BE EXECUTED. THE FILE WUAUCLT.EXE IS INFECTED. DO YOU WANT TO ACTIVATE YOUR ANTIVIRUS SOFTWARE NOW? I keep clicking no but it keeps poping up every 10 seconds or so.
Another one is ANTIVIRUS SOFTWARE ALERT. Then in the box it says ATTENTION ! SPYWARE ALERT.
Plus its now opening my browser and opening up in adult.com. When I didn't even have my browser open to begin with.
I've had to log into bleepingcomputer on my lap top.. HELP
Plus in the lower right hand corner im getting a pop up ANTIVIRUS SOFTWARE ALERT.
in the top box it says. INFILTRATION ALERT, VIRUS ATTACK, YOUR COMPUTER IS BEING ATTACKED BY AN INTERNET VIRUS. IT COULD BE A PASSWORD-STEALING ATTACK, A TROJAN - OR SIMILAR.
Bottom box says, DETAILS ATTACK FROM: 119.35.97.224, PORT 59879 ATTACKED PORT 14361 THREAT: WIN32/NUQEL.E

===========

Hello

While we understand your frustration at having to wait, please note that Bleeping Computer deals with several hundred requests for assistance such as yours on a daily basis. As a result, our backlog is quite large as are other comparable sites that help others with malware issues. Although our HJT Team members work on hundreds of requests each day, they are all volunteers who work logs when they can and are able to do so. No one is paid by Bleeping Computer for their assistance to our members.

Further, our malware removal staff is comprised of team members with various levels of skill and expertise to deal with thousands of malware variants, some more complex than others. Although we try to take DDS/HJT logs in order (starting with the oldest), it is often the skill level of the particular helper and sometimes the operating system that dictates which logs get selected first. Some infections are more complicated than others and require a higher skill level to remove. Without that skill level attempted removal could result in disastrous results. In other instances, the helper may not be familiar with the operating system that you are using, since they use another. In either case, neither of us want someone to assist you who is not familiar with your issue and attempt to fix it.

We ask that once you have posted your log and are waiting, please DO NOT "bump" your thread or make further replies until it has been responded to by a member of the Malware Response Team. The reason we ask this or do not respond to your requests is because that would remove you from the active queue that Techs and Staff have access to. The malware staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response, there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

That is why I have made an edit to your last post, instead of a reply. Please do not multiple post here, as that only pushes you further down the queue and causes confusion to the staff.

Please be patient. It may take several days, up to more than a week, perhaps less, to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

Thank you for understanding.

Elise - forum moderator

Edited by elise025, 22 April 2010 - 06:18 AM.

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.

• Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.
  
  
• Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.
  
  
• Please reply to this post so I know you are there.

The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks

Hi mole, im here. I didn't check yesterday sorry. It seems my computer has gotten worse after trying to run gemr with only sections checked. I think that was the one I was told to click. I didn't post the new problem because I got the impression that my post would go to the back of the line.
So now my computer is now giving me a message that the file is either infected or corrucpt. No matter what file I try to open. Even notepad. Plus I still get the popups warning of spyware and malware comming up every min or so. There is one txt file that I was able to save I think from running the DDs program that im now not able to access.
I do have a external hard drive I use for back up. I was wondering if I should try to save that txt file to that then send it to you using my laptop. I haven't even turned my desktop on since I sent the DDS file. Im now having to use my laptop. Any help will be greatly appreciate it. TY

No, that's okay for now but we will need your laptop - and a flashdrive. Have you got one?

Yes I have a 1gig flash drive. I don't know what changed since I haven't turned my computer on for about week, but today I turned it on and no popups of virus infections or any of the other things I preveiously posted about. Also im now getting a message from WINDOWS SECURITY ALERT, that says WINDOWS FIREWALLL HAS BLOCKED SOME FEATURES OF THIS PROGRAM the program it lists is UPDATES FROM HP. Publisher HEWITT PACKARD. Then I have 3 options.
KEEP BLOCKING, UNBLOCK, ASK ME LATER. I just X out of it since im not suspose to change anything. So I checked my wireless connection status and it says,
CONNECTED @54.0 MBPS SIGNAL SSTRENGTH GOOD.
Next issue is when I open IE it says INTERNET EXPLORER CANNOT DISPLAY THE WEBPAGE, error message.

Edited by fyfo, 27 April 2010 - 05:17 PM.

Okay, if you still can't download from the PC then try this fix first.

We Need to Repair Your Internet Connection

1. Please download WinsockXPFix from a working machine and copy it to a CD or flash media.
2. Copy the file to the desktop on the non working machine.
3. Double Click on on your desktop.
4. Push the button.
5. Allow your system to reboot.

Please let me know if your connection is restored in your next reply


If not, download Combofix onto your flash drive and plug it in. Then follow the instructions to run it.

Please download ComboFix from one of these locations:

• Bleepingcomputer
• ForoSpyware

* IMPORTANT !!! Save ComboFix.exe to your Desktop making sure you rename it comfix.exe

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
• Double click on Comfix.exe & follow the prompts.
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

No it did not connect so im going to the combofix now. Got it downloaded to the flash drive. i'l edit this post and post the file you want.

Edited by fyfo, 27 April 2010 - 09:13 PM.

Installed combofix onto the infected computer. The first time I tried to run it, computer froze up. Then a blue screen saying that windows had to stop because of a dangerous progeram. So I rebooted the computer and try to run combofix again. This time I got two messages.
1) Error - Win32 only. Incompatible OS. Combofix only works for workstations with windows 2000 and XP. Clicking OK was my only option, so I did.
2)Disclaimer of warraqnty on software. (10-04-26.05)
Then I got a message that it found spyware doctor, even tho its now in my sys tray. So I reinstalled spyware doctor then dissabled it. Then tryed to run combofix again. Got message. C\32788R22FWJFW\swxcacls.cfxxe is not a valid win32 application. Options are OK. Ive stoped there and left the message on the screen untill I hear from you.

Definitely malware interference.

Can you delete the Combofix file and then run the following programs


First

Please download exeHelper to your desktop.
Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of exehelperlog.txt (Will be created in the directory where you ran exeHelper.com, and should open at the end of the scan)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).


Then

Download and Run RKill

Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

Link 1
Link 2
Link 3
Link 4

• Before we begin, you should disable your anti-malware softwares you have installed so they do not interfere RKill running as some anti-malware softwares detect RKill as malicious. Please refer to this page if you are not sure how.
• Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
• A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
• Please post the resulting log in your next reply.

Finally

Please download ComboFix from one of these locations:

• Bleepingcomputer
• ForoSpyware

* IMPORTANT !!! Save ComboFix.exe to your Desktop making sure you rename it comfix.exe

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
• Double click on Comfix.exe & follow the prompts.
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


If that fails let me know and we'll try a different method.

Hi,

I have not had a reply from you for 3 days. Can you please tell me if you still need help with your computer as I am unable to help other members with their problems while I have your topic still open. The time taken between posts can also change the situation with your PC making it more difficult to help you.

If you like you can PM me.

Thanks,

m0le

Sorry I check my email for your responces and didnt get one till yesterday fri the 30th. I'll get right onto your last susjestions today. Again sorry.
PS how do I PM you?

Click the drop down menu arrow above my avatar which appears when you hover over the name. Click Send Message

Edited by m0le, 01 May 2010 - 03:30 PM.

Ok like I said in my post on April 28 2010 at 2:21 I had left that message on the computer. After getting you last post I clicked ok and was prepaired to follow your last instructions. But what happened after clicking OK I got a message saying spyware DR was still running, even tho I followed the instructions on closing it down. So I brought it back up and this time went through all the intille guards and dissabled every single one of them, plus went through all the other settings and uncheked them, then I had to reboot my computer for the new settings to take affect. When rebooted combofix autoran, giving a message of combofix decteced the presence of rootkit activity and needs to reboot, note the files as we may need it later. Files are,
C:\windows\system32\drivers\PRAGMApntxtlmmpm.dll
" " " \PRAGMAbqovmxamsr.dat
" " " \PRAGMAvrrdppjyhd.dll
Then machine tried to reboot but before it did I got a blue screen windows message, WINDOWS IS SHUTTING DOWN TO PREVENT DAMAGE,
IRQL_NOT_LESS_OR _EQUIL, etc, etc Had to power off the machine manual.
Reboot: message saying PLEASE WAIT COMBOFIX IS PREPARING TO RUN, AUTO SCAN. So as this was what we were trying to do I let it run.
C:\ComboFix.txt.

That's a rootkit, PRAGMA. Please rerun Combofix with the following script as below.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:



Save this as CFScript.txt, in the same location as ComboFix.exe




Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Then please run ESET's online scanner

I'd like us to scan your machine with ESET OnlineScan

1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
   ESET OnlineScan
2. Click the button.
3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
   1. Click on to download the ESET Smart Installer. Save it to your desktop.
   2. Double click on the icon on your desktop.
4. Check
5. Click the button.
6. Accept any security warnings from your browser.
7. Check
8. Push the Start button.
9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
10. When the scan completes, push
11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
12. Push the button.
13. Push

NOTE: If no malware is found there will be no option to export the text file as no log will be produced. Let me know if this is the case.