Ad:

Viruses, Spyware and other Nasties Discussion Thread
Unsolved
Views: 2863

Page 1
2
3
Next

You are currently viewing page 1 of this multi-page discussion thread

Sep 20th, 2009

Computer infected; No spyware removal programs working

Expand Post »

My computer is infected and barely any options are working. I read 'Read me before posting' file and these are my results thus far;

I downloaded ATF Cleaner, and that was successful. Enabled viewing of folders, downloaded Microsoft Malicious Software Removal and that didn't work.

Malwarebytes will not work. I even tried to rename it to .com and still will not run.

I also have visible pop-ups from PreciseAd, and when I try to open Malware or HiJackThis it says I do not have proper permission to access file.

I don't know what to do.. Any help would be appreciated.

Similar Threads

WARNING your in danger! your computer is in infected by spyware??? in Viruses, Spyware and other Nasties
"Your computer has been infected" in Viruses, Spyware and other Nasties
computer infected by SPYWARE!! in Viruses, Spyware and other Nasties
IE error your computer infected spyware in Viruses, Spyware and other Nasties
In Desperate Need of Help with hijack this log file; computer full of spyware in Viruses, Spyware and other Nasties

bizz2

Reputation Points: 10

Solved Threads: 0

Newbie Poster

Offline

10 posts
since Sep 2009

Permalink

Sep 20th, 2009

Re: Computer infected; No spyware removal programs working

Click to Expand / Collapse Quote originally posted by bizz2 ...

I don't know what to do.. Any help would be appreciated.

Try this:

Please download FindWPP.zip and Extract the FindWPP folder to your desktop.
-- Inside the folder, you'll see RunThis.bat - DoubleClick it and let it run for as long as it takes.
A log should pop up - please post that for me.

-- As with any program that somebody on the web tells you to run, this is a "run at your own risk" proposition...

PP

Last edited by PhilliePhan; Sep 20th, 2009 at 10:48 pm. Reason: Run at own risk.....

PhilliePhan

Moderator

Reputation Points: 171

Solved Threads: 106

Central Scrutinizer

Offline

1,575 posts
since Dec 2006

Permalink

Sep 21st, 2009

Re: Computer infected; No spyware removal programs working

Thanks for your help so far! I get this error when I followed your instructions in the previous post:

Quote ...

'echofindWPP' is not recognized as an internal or external command, operable program or batch file.

C:\PKBTEMP\plcy1.txt
C:\PKBTEMP\plcy3.txt
C:\PKBTEMP\plcy4.txt

Any other ideas? Online scanner actually worked, I used Kaspersky Online Scanner and got this log:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Monday, September 21, 2009
Operating system: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Monday, September 21, 2009 02:45:22
Records in database: 2864965
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\

Scan statistics:
Objects scanned: 94629
Threats found: 21
Infected objects found: 36
Suspicious objects found: 0
Scan duration: 02:09:22

File name / Threat / Threats count
C:\Documents and Settings\Brandon\Desktop\youtube_downloader_hd_setup.exe Infected: Virus.Win32.Induc.a 1
C:\Documents and Settings\Brandon\My Documents\FrostWire\Incomplete\T-3545425-gimme more acapella.mp3 Infected: Trojan-Downloader.WMA.GetCodec.r 1
C:\Documents and Settings\Brandon\My Documents\FrostWire\Incomplete\T-3877632-piece of me acapella.mp3 Infected: Trojan-Downloader.WMA.GetCodec.n 1
C:\Documents and Settings\Brandon\My Documents\FrostWire\Saved\Paramore - Misery Business.mp3 Infected: Trojan-Downloader.WMA.GetCodec.r 1
C:\Documents and Settings\Brandon\My Documents\FrostWire\Saved\Sim City 4 Deluxe.zip Infected: Trojan-Downloader.NSIS.Agent.bk 1
C:\Documents and Settings\Brandon\My Documents\FrostWire\Saved\Sim City 4 Deluxe.zip Infected: not-a-virus:AdWare.Win32.Agent.oma 1
C:\Documents and Settings\Brandon\My Documents\FrostWire\Saved\Sim City 4 Deluxe.zip Infected: Trojan-Downloader.Win32.Zlob.bjhe 1
C:\Documents and Settings\Brandon\My Documents\FrostWire\Saved\Sim City 4 Deluxe.zip Infected: Trojan-Downloader.Win32.Zlob.bgzo 1
C:\Documents and Settings\Brandon\My Documents\FrostWire\Saved\Sim City 4 Deluxe.zip Infected: Trojan-Downloader.Win32.Zlob.bfea 1
C:\Documents and Settings\Brandon\My Documents\FrostWire\Saved\Sim City 4 Deluxe.zip Infected: Trojan-Downloader.Win32.Zlob.bfeb 1
C:\Documents and Settings\Brandon\My Documents\FrostWire\Saved\Sims City 4.zip Infected: Trojan-Downloader.NSIS.Agent.bk 1
C:\Documents and Settings\Brandon\My Documents\FrostWire\Saved\Sims City 4.zip Infected: not-a-virus:AdWare.Win32.Agent.oma 1
C:\Documents and Settings\Brandon\My Documents\FrostWire\Saved\Sims City 4.zip Infected: Trojan-Downloader.Win32.Zlob.bjhe 1
C:\Documents and Settings\Brandon\My Documents\FrostWire\Saved\Sims City 4.zip Infected: Trojan-Downloader.Win32.Zlob.bgzo 1
C:\Documents and Settings\Brandon\My Documents\FrostWire\Saved\Sims City 4.zip Infected: Trojan-Downloader.Win32.Zlob.bfea 1
C:\Documents and Settings\Brandon\My Documents\FrostWire\Saved\Sims City 4.zip Infected: Trojan-Downloader.Win32.Zlob.bfeb 1
C:\Documents and Settings\Brandon\Shared\what about that janet jackson 192kb.mp3 Infected: Trojan-Downloader.WMA.GetCodec.f 1
C:\Program Files\Youtube Downloader HD\YouTubeDownloaderHD.exe Infected: Virus.Win32.Induc.a 1
C:\Qoobox\Quarantine\C\WINDOWS\braviax.exe.vir Infected: Trojan-Downloader.Win32.FraudLoad.wsia 1
C:\Qoobox\Quarantine\C\WINDOWS\cru629.dat.vir Infected: Backdoor.Win32.Small.ejx 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\braviax.exe.vir Infected: Trojan-Downloader.Win32.FraudLoad.wsia 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\beep.sys.vir Infected: Backdoor.Win32.UltimateDefender.igv 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\eventlog.dll.vir Infected: Trojan.Win32.Pakes.npu 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\wbem\proquota.exe.vir Infected: Trojan.Win32.Inject.ajdy 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\wisdstr.exe.vir Infected: Trojan-Downloader.Win32.FraudLoad.foc 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\xfvadbpntxx.dll.vir Infected: not-a-virus:AdWare.Win32.Agent.oma 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\_scui.cpl.vir Infected: Trojan.Win32.FraudPack.tqu 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\~.exe.vir Infected: Backdoor.Win32.UltimateDefender.ike 1
C:\scmhux.exe Infected: Trojan.Win32.Stuh.achw 1
C:\WINDOWS\system32\busozudi.dll Infected: Trojan.Win32.Stuh.achw 1
C:\WINDOWS\system32\dllcache\beep.sys Infected: Backdoor.Win32.UltimateDefender.igv 1
C:\WINDOWS\system32\gelapaze.dll Infected: Trojan.Win32.Stuh.achw 1
C:\WINDOWS\system32\joyabihu(2).dll Infected: not-a-virus:AdWare.Win32.Virtumonde.balk 1
C:\WINDOWS\system32\mewezilu(2).dll Infected: not-a-virus:AdWare.Win32.Virtumonde.balk 1
C:\WINDOWS\system32\zivamuvo.dll Infected: Trojan.Win32.Stuh.achw 1
C:\wpfpqa.exe Infected: Packed.Win32.TDSS.y 1

Selected area has been scanned.

---------------------------------

Another user on my computer had downloaded Frostwire.. Go figure a P2P program providing viruses? I actually uninstalled that horrendous software earlier... Any other ideas? Thanks so much for your help in advance!

bizz2

Reputation Points: 10

Solved Threads: 0

Newbie Poster

Offline

10 posts
since Sep 2009

Permalink

Sep 21st, 2009

Re: Computer infected; No spyware removal programs working

Click to Expand / Collapse Quote originally posted by bizz2 ...

Thanks for your help so far! I get this error when I followed your instructions in the previous post:

My fault - I whipped that together a bit quickly.

Try again with this one: FindWPP.zip

Post the log.

Also - When did you run Combofix? If you can find a log at C:\combofix.txt, please post that as well.

PP

PhilliePhan

Moderator

Reputation Points: 171

Solved Threads: 106

Central Scrutinizer

Offline

1,575 posts
since Dec 2006

Permalink

Sep 21st, 2009

Re: Computer infected; No spyware removal programs working

Mon 09/21/2009
12:59 AM

EXE KEY MODIFIED?

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

CHECKING SELECT POLICIES KEYS

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"HonorAutoRunSetting"=dword:00000001
"NoDriveAutoRun"=dword:03ffffff
"NoDriveTypeAutoRun"=dword:00000143
"NoDrives"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
"InstallVisualStyle"=hex(2):43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,\
00,53,00,5c,00,52,00,65,00,73,00,6f,00,75,00,72,00,63,00,65,00,73,00,5c,00,\
54,00,68,00,65,00,6d,00,65,00,73,00,5c,00,52,00,6f,00,79,00,61,00,6c,00,65,\
00,5c,00,52,00,6f,00,79,00,61,00,6c,00,65,00,2e,00,6d,00,73,00,73,00,74,00,\
79,00,6c,00,65,00,73,00,00,00
"InstallTheme"=hex(2):43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,\
00,5c,00,52,00,65,00,73,00,6f,00,75,00,72,00,63,00,65,00,73,00,5c,00,54,00,\
68,00,65,00,6d,00,65,00,73,00,5c,00,52,00,6f,00,79,00,61,00,6c,00,65,00,2e,\
00,74,00,68,00,65,00,6d,00,65,00,00,00
"DisableRegistryTools"=dword:00000000

LOOKING FOR REPLACED FILES
Looking for cngaudit.dll

Mon 09/21/2009
01:02 AM

EXE KEY MODIFIED?

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

CHECKING SELECT POLICIES KEYS

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"HonorAutoRunSetting"=dword:00000001
"NoDriveAutoRun"=dword:03ffffff
"NoDriveTypeAutoRun"=dword:00000143
"NoDrives"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
"InstallVisualStyle"=hex(2):43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,\
00,53,00,5c,00,52,00,65,00,73,00,6f,00,75,00,72,00,63,00,65,00,73,00,5c,00,\
54,00,68,00,65,00,6d,00,65,00,73,00,5c,00,52,00,6f,00,79,00,61,00,6c,00,65,\
00,5c,00,52,00,6f,00,79,00,61,00,6c,00,65,00,2e,00,6d,00,73,00,73,00,74,00,\
79,00,6c,00,65,00,73,00,00,00
"InstallTheme"=hex(2):43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,\
00,5c,00,52,00,65,00,73,00,6f,00,75,00,72,00,63,00,65,00,73,00,5c,00,54,00,\
68,00,65,00,6d,00,65,00,73,00,5c,00,52,00,6f,00,79,00,61,00,6c,00,65,00,2e,\
00,74,00,68,00,65,00,6d,00,65,00,00,00
"DisableRegistryTools"=dword:00000000

LOOKING FOR REPLACED FILES
Looking for cngaudit.dll

No matches found.
Looking for eventlog.dll

C:\WINDOWS\I386\
eventlog.dl_ Tue Aug 10 2004 3:00:00p ..... 30,131 29.42 K

C:\WINDOWS\SYSTEM32\
eventlog.dll Tue Aug 10 2004 3:00:00p A.... 62,464 61.00 K

C:\WINDOWS\SOFTWA~1\DOWNLOAD\DD9AB5~1\
eventlog.dll Sun Apr 13 2008 8:11:54p A.... 56,320 55.00 K

3 items found: 3 files, 0 directories.
Total of file sizes: 148,915 bytes 145.42 K
Looking for imm32.dll

C:\WINDOWS\I386\
imm32.dl_ Tue Aug 10 2004 3:00:00p ..... 46,094 45.01 K

C:\WINDOWS\SYSTEM32\
imm32.dll Tue Aug 10 2004 3:00:00p A.... 110,080 107.50 K

C:\WINDOWS\SOFTWA~1\DOWNLOAD\DD9AB5~1\
imm32.dll Sun Apr 13 2008 8:11:54p A.... 110,080 107.50 K

3 items found: 3 files, 0 directories.
Total of file sizes: 266,254 bytes 260.01 K
Looking for logevent.dll

C:\WINDOWS\SYSTEM32\
logevent.dll Tue Aug 10 2004 3:00:00p A.... 55,808 54.50 K

1 item found: 1 file, 0 directories.
Total of file sizes: 55,808 bytes 54.50 K
Looking for netlogon.dll

C:\WINDOWS\I386\
netlogon.dl_ Tue Aug 10 2004 3:00:00p ..... 181,419 177.16 K

C:\WINDOWS\SYSTEM32\
netlogon.dll Tue Aug 10 2004 3:00:00p A.... 407,040 397.50 K

C:\WINDOWS\SOFTWA~1\DOWNLOAD\DD9AB5~1\
netlogon.dll Sun Apr 13 2008 8:12:02p A.... 407,040 397.50 K

Looking for scecli.dll

Mon 09/21/2009
01:31 AM

FindWPP is running from C:\Documents and Settings\Doug.BISIGNANO\Desktop\FindNowPP

EXE KEY MODIFIED?

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

CHECKING SELECT POLICIES KEYS

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"HonorAutoRunSetting"=dword:00000001
"NoDriveAutoRun"=dword:03ffffff
"NoDriveTypeAutoRun"=dword:00000143
"NoDrives"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
"InstallVisualStyle"=hex(2):43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,\
00,53,00,5c,00,52,00,65,00,73,00,6f,00,75,00,72,00,63,00,65,00,73,00,5c,00,\
54,00,68,00,65,00,6d,00,65,00,73,00,5c,00,52,00,6f,00,79,00,61,00,6c,00,65,\
00,5c,00,52,00,6f,00,79,00,61,00,6c,00,65,00,2e,00,6d,00,73,00,73,00,74,00,\
79,00,6c,00,65,00,73,00,00,00
"InstallTheme"=hex(2):43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,\
00,5c,00,52,00,65,00,73,00,6f,00,75,00,72,00,63,00,65,00,73,00,5c,00,54,00,\
68,00,65,00,6d,00,65,00,73,00,5c,00,52,00,6f,00,79,00,61,00,6c,00,65,00,2e,\
00,74,00,68,00,65,00,6d,00,65,00,00,00
"DisableRegistryTools"=dword:00000000

LOOKING FOR REPLACED FILES
Looking for cngaudit.dll

Looking for eventlog.dll
Looking for imm32.dll
Looking for logevent.dll

Looking for netlogon.dll
Looking for scecli.dll

LOOKING FOR SUSPICIOUS FILES

Looking for windows Police Pro.exe

No matches found.
Looking for dddesot.dll

No matches found.
Looking for wisdstr.exe

No matches found.
Looking for desote.exe

No matches found.
Looking for svchasts.exe

No matches found.
Looking for ppp4.dat

No matches found.
Looking for sysnet.dat

No matches found.
Looking for bincd32.dat

No matches found.
Looking for ppp3.dat

No matches found.
Looking for desot.exe

No matches found.
Looking for wispex.html

No matches found.
Looking for qcfbc.wbg

No matches found.
Looking for windows Police Pro.exe

No matches found.
Looking for svchast.exe

No matches found.
Looking for dbsinit.exe

No matches found.
Looking for braviax.exe

No matches found.
Looking for bennuar.old

No matches found.

EXE KEY STILL MODIFIED?

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

SUSPECT REG KEYS

---------- C:\PKBTEMP\SYSKEYS.TXT

---------- C:\PKBTEMP\SYSKEYS.TXT

---------- C:\PKBTEMP\SYSKEYS.TXT

---------- C:\PKBTEMP\SYSKEYS.TXT

---------- C:\PKBTEMP\SYSKEYS.TXT

---------- C:\PKBTEMP\SYSKEYS.TXT

---------- C:\PKBTEMP\SYSKEYS.TXT

---------- C:\PKBTEMP\SYSKEYS.TXT

---------- C:\PKBTEMP\SYSKEYS.TXT

---------- C:\PKBTEMP\SYSKEYS.TXT

---------- C:\PKBTEMP\SYSKEYS.TXT

---------- C:\PKBTEMP\SYSKEYS.TXT

---------- C:\PKBTEMP\SYSKEYS.TXT
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_{79007602-0CDB-4405-9DBF-1257BB3226ED}]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_{79007602-0CDB-4405-9DBF-1257BB3226ED}\0000]
"Service"="{79007602-0CDB-4405-9DBF-1257BB3226ED}"
"DeviceDesc"="{79007602-0CDB-4405-9DBF-1257BB3226ED}"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_{79007602-0CDB-4405-9DBF-1257BB3226ED}\0000\Control]
"ActiveService"="{79007602-0CDB-4405-9DBF-1257BB3226ED}"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_{79007602-0CDB-4405-9DBF-1257BB3226ED}]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_{79007602-0CDB-4405-9DBF-1257BB3226ED}\0000]
"Service"="{79007602-0CDB-4405-9DBF-1257BB3226ED}"
"DeviceDesc"="{79007602-0CDB-4405-9DBF-1257BB3226ED}"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_{79007602-0CDB-4405-9DBF-1257BB3226ED}]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_{79007602-0CDB-4405-9DBF-1257BB3226ED}\0000]
"Service"="{79007602-0CDB-4405-9DBF-1257BB3226ED}"
"DeviceDesc"="{79007602-0CDB-4405-9DBF-1257BB3226ED}"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_{79007602-0CDB-4405-9DBF-1257BB3226ED}\0000\Control]
"ActiveService"="{79007602-0CDB-4405-9DBF-1257BB3226ED}"

---------- C:\PKBTEMP\SYSKEYS.TXT
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_{79007602-0CDB-4405-9DBF-1257BB3226ED}]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_{79007602-0CDB-4405-9DBF-1257BB3226ED}\0000]
"Service"="{79007602-0CDB-4405-9DBF-1257BB3226ED}"
"DeviceDesc"="{79007602-0CDB-4405-9DBF-1257BB3226ED}"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_{79007602-0CDB-4405-9DBF-1257BB3226ED}\0000\Control]
"ActiveService"="{79007602-0CDB-4405-9DBF-1257BB3226ED}"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_{79007602-0CDB-4405-9DBF-1257BB3226ED}]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_{79007602-0CDB-4405-9DBF-1257BB3226ED}\0000]
"Service"="{79007602-0CDB-4405-9DBF-1257BB3226ED}"
"DeviceDesc"="{79007602-0CDB-4405-9DBF-1257BB3226ED}"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_{79007602-0CDB-4405-9DBF-1257BB3226ED}]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_{79007602-0CDB-4405-9DBF-1257BB3226ED}\0000]
"Service"="{79007602-0CDB-4405-9DBF-1257BB3226ED}"
"DeviceDesc"="{79007602-0CDB-4405-9DBF-1257BB3226ED}"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_{79007602-0CDB-4405-9DBF-1257BB3226ED}\0000\Control]
"ActiveService"="{79007602-0CDB-4405-9DBF-1257BB3226ED}"

---------- C:\PKBTEMP\SYSKEYS.TXT
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_{79007602-0CDB-4405-9DBF-1257BB3226ED}]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_{79007602-0CDB-4405-9DBF-1257BB3226ED}\0000]
"Service"="{79007602-0CDB-4405-9DBF-1257BB3226ED}"
"DeviceDesc"="{79007602-0CDB-4405-9DBF-1257BB3226ED}"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_{79007602-0CDB-4405-9DBF-1257BB3226ED}\0000\Control]
"ActiveService"="{79007602-0CDB-4405-9DBF-1257BB3226ED}"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_{79007602-0CDB-4405-9DBF-1257BB3226ED}]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_{79007602-0CDB-4405-9DBF-1257BB3226ED}\0000]
"Service"="{79007602-0CDB-4405-9DBF-1257BB3226ED}"
"DeviceDesc"="{79007602-0CDB-4405-9DBF-1257BB3226ED}"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_{79007602-0CDB-4405-9DBF-1257BB3226ED}]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_{79007602-0CDB-4405-9DBF-1257BB3226ED}\0000]
"Service"="{79007602-0CDB-4405-9DBF-1257BB3226ED}"
"DeviceDesc"="{79007602-0CDB-4405-9DBF-1257BB3226ED}"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_{79007602-0CDB-4405-9DBF-1257BB3226ED}\0000\Control]
"ActiveService"="{79007602-0CDB-4405-9DBF-1257BB3226ED}"

---------- C:\PKBTEMP\SYSKEYS.TXT

---------- C:\PKBTEMP\SYSKEYS.TXT

---------- C:\PKBTEMP\SYSKEYS.TXT

---------- C:\PKBTEMP\SYSKEYS.TXT

---------- C:\PKBTEMP\SYSKEYS.TXT

---------- C:\PKBTEMP\SYSKEYS.TXT

---------- C:\PKBTEMP\SYSKEYS.TXT

---------- C:\PKBTEMP\SYSKEYS.TXT

---------- C:\PKBTEMP\SYSKEYS.TXT

Last edited by bizz2; Sep 21st, 2009 at 2:39 am. Reason: Log information came up

bizz2

Reputation Points: 10

Solved Threads: 0

Newbie Poster

Offline

10 posts
since Sep 2009

Permalink

Sep 21st, 2009

Re: Computer infected; No spyware removal programs working

Oh, and ComboFix was just downloaded on my computer. No log recorded, I searched for it. I tried to run ComboFix and an error came up saying I had to restart Windows and retry installation. Should I do this?

bizz2

Reputation Points: 10

Solved Threads: 0

Newbie Poster

Offline

10 posts
since Sep 2009

Permalink

Sep 21st, 2009

Re: Computer infected; No spyware removal programs working

Click to Expand / Collapse Quote originally posted by bizz2 ...

Oh, and ComboFix was just downloaded on my computer. No log recorded, I searched for it. I tried to run ComboFix and an error came up saying I had to restart Windows and retry installation. Should I do this?

I think you have one of the nastier variations of this malware...

Let's try this first and see where we are:

Please Download Win32kDiag from a linky below and save it to your Desktop.
• http://ad13.geekstogo.com/Win32kDiag.exe
• http://download.bleepingcomputer.com...Win32kDiag.exe
-- DoubleClick on Win32kDiag.exe to run it. Let it run for as long as it needs to.
-- When it says Finished – Press any key to exit, do that to exit the program.
-- You should now have a Win32kDiag.txt on your Desktop. Please post the entire log for me and we’ll go from there.

Be sure to wait until it says "finished."

PP

PhilliePhan

Moderator

Reputation Points: 171

Solved Threads: 106

Central Scrutinizer

Offline

1,575 posts
since Dec 2006

Permalink

Sep 21st, 2009

Re: Computer infected; No spyware removal programs working

This is what I got:

Running from: C:\Documents and Settings\Doug.BISIGNANO\My Documents\Downloads\Win32kDiag.exe

Log file at : C:\Documents and Settings\Doug.BISIGNANO\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Found mount point : C:\WINDOWS\$hf_mig$\KB904706\KB904706

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB912812\KB912812

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB912945\KB912945

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB916281\KB916281

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB931784\KB931784

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB937143\KB937143

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB939653\KB939653

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB941568\KB941568

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB942615\KB942615

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\addins\addins

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\aolshare\aolshare

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\GAC_32\System.EnterpriseServices\System.EnterpriseServices

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\GAC_MSIL\IEExecRemote\IEExecRemote

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1059.tmp\ZAP1059.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1083.tmp\ZAP1083.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP10E0.tmp\ZAP10E0.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP16C.tmp\ZAP16C.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPECA.tmp\ZAPECA.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPF79.tmp\ZAPF79.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\I386\SPR\SPR

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\chrome\chrome

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\defaults\preferences\preferences

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\batch\batch

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\System\News\News

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\System_OEM\System_OEM

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PIF\PIF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\AuthCabs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\10\policy\policy

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\51\msft\msft

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\51\policy\msft\msft

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\52\msft\msft

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\60\msft\msft

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\70\70

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\root\root

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1025\1025

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1028\1028

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1031\1031

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1037\1037

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1041\1041

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1042\1042

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1054\1054

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\2052\2052

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\3076\3076

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\appmgmt\MACHINE\MACHINE

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\appmgmt\S-1-5-21-3355230566-3326683260-3698635536-1006\S-1-5-21-3355230566-3326683260-3698635536-1006

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\CatRoot_bak\CatRoot_bak

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Identities\{635ADD3D-5CEF-4046-8DBD-8F7AA70C8272}\{635ADD3D-5CEF-4046-8DBD-8F7AA70C8272}

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Credentials\Credentials

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Media Player\Media Player

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\MMC\MMC

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Desktop\Desktop

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\CD Burning\CD Burning

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Credentials\Credentials

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\WINDOWS\system\system

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\dhcp\dhcp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\drivers\disdn\disdn

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\eventlog.dll

[1] 2008-04-13 20:11:53 56320 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\eventlog.dll (Microsoft Corporation)

bizz2

Reputation Points: 10

Solved Threads: 0

Newbie Poster

Offline

10 posts
since Sep 2009

Permalink

Sep 21st, 2009

Re: Computer infected; No spyware removal programs working

Click to Expand / Collapse Quote originally posted by bizz2 ...

This is what I got:
Running from: C:\Documents and Settings\Doug.BISIGNANO\My Documents\Downloads\Win32kDiag.exe

That log is incomplete - are you sure it ran until it said "finished?"
Look again and make sure you pasted the whole log.

Better yet, upload it as an attachment.

If what you posted is the entire log, I'll need you to run it again and make sure it says Finished before you post the log. There should be much more to it....

Also, you need to move Win32kDiag to the Desktop - makes it easier for me when we run it again....

Hang in there

PhilliePhan

Moderator

Reputation Points: 171

Solved Threads: 106

Central Scrutinizer

Offline

1,575 posts
since Dec 2006

Permalink

Sep 21st, 2009

Re: Computer infected; No spyware removal programs working

Yeah, I realized it was incomplete. I ran it again and for like five minutes now it is just staying on the last line of what I posted previously, "Cannot access: C:\WINDOWS\system32\eventlog.dll"

Still letting it sit there though, is that normal?

EDIT: Nevermind, has continued. Sorry, I'll post it once it is complete!

Last edited by bizz2; Sep 21st, 2009 at 3:51 am. Reason: more info

bizz2

Reputation Points: 10

Solved Threads: 0

Newbie Poster

Offline

10 posts
since Sep 2009

Page 1
2
3
Next

This thread is more than three months old

No one has posted to this discussion for at least three months. Please let old threads die and do not reply to them unless you feel you have something new and valuable to contribute that absolutely must be added to make the discussion complete. Otherwise, please start a new thread in this forum instead.

Previous Thread in Viruses, Spyware and other Nasties Forum Timeline: google and bing search links redirecting to unrelated sites

Next Thread in Viruses, Spyware and other Nasties Forum Timeline: Computer not doing so well :( (hijackthis included)

DaniWeb Message

Cancel Changes

User Name
Password