
Computer is jacked

I keep getting blue screens and internet search redirects.

Computer seems slow as well.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:25:51 PM, on 8/22/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Michael Lombardo\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://creed.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {33BF5F4E-5758-40D9-927F-9DD476CA9635} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {914420b2-7455-4722-b1e1-d206e32cb176} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Nero PhotoShow Media Manager] C:\PROGRA~1\Nero\PHOTOS~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - Startup: RollerCoaster Tycoon 3 Registration.lnk = C:\Documents and Settings\Michael Lombardo\Local Settings\Temp\{CF7D4B29-91D3-408E-91FB-5538CE643D1A}\{907B4640-266B-4A21-92FB-CD1A86CD0F63}\ATR1.exe
O4 - Startup: RollerCoaster Tycoon 3_ Wild Registration.lnk = C:\Documents and Settings\Michael Lombardo\Local Settings\Temp\{C0638AD1-493A-4A96-A3D7-A9922E5818F3}\{45653847-497F-47BB-A878-46FBDE34A3E0}\ATR1.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4AEF8AEE-3DE8-4B69-8B6E-6353B6C59B50} (RealPage Web Objects) - http://onesite.realpage.com/coreglobal/Rea...ab/Realpage.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1195967445578
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1195967416390
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} -
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: getPlus® Helper - Unknown owner - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe (file missing)
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NFAgent - Unknown owner - C:\Program Files\system\smss.exe (file missing)
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

--
End of file - 12332 bytes

Please help!!
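As an added example that is not part of the original thread, the Python script below parses HijackThis-style lines like those in the log above (a constructed subset of them is embedded) and attaches the review flags a log helper looks for first: entries that point at a file that no longer exists, services with no recorded publisher, a core Windows binary name such as smss.exe living outside system32, autoruns that use a bare filename, and a browser start or search page set to something other than the vendor default. The flags are prompts for a human reviewer, not verdicts; the entry names are the page's own, everything else is assumed.

```python
"""Triage helper for HijackThis-style log lines (added example, not from the thread)."""
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample: a subset of entries copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://creed.com/
O2 - BHO: (no name) - {33BF5F4E-5758-40D9-927F-9DD476CA9635} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O23 - Service: NFAgent - Unknown owner - C:\Program Files\system\smss.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Core Windows binaries whose names malware likes to borrow. The genuine copies
# live in %SystemRoot%\system32, so the same name anywhere else deserves a look.
CORE_SYSTEM_BINARIES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
    "lsass.exe", "svchost.exe", "explorer.exe",
}

# "O23 - Service: ..." / "R0 - HKCU\..." : section tag, " - ", then the body.
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.+)$")
# A drive-letter path ending in a binary extension; stops before a closing quote.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\n]*?\.(?:exe|dll|sys|ocx)\b', re.IGNORECASE)


@dataclass
class Entry:
    section: str
    body: str
    flags: List[str] = field(default_factory=list)


def parse_entries(text: str) -> List[Entry]:
    """Keep only lines that look like HijackThis R/F/O entries."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group("section"), m.group("body")))
    return entries


def triage(entry: Entry) -> Entry:
    """Attach review flags; these are prompts for a human, not verdicts."""
    body, low = entry.body, entry.body.lower()
    if "(no file)" in low or "(file missing)" in low:
        entry.flags.append("orphaned: registry points at a file that no longer exists")
    paths = PATH_RE.findall(body)
    for p in paths:
        name = p.rsplit("\\", 1)[-1].lower()
        if name in CORE_SYSTEM_BINARIES and "\\windows\\system32\\" not in p.lower():
            entry.flags.append(f"core system binary name outside system32: {p}")
    if entry.section == "O23" and "unknown owner" in low:
        entry.flags.append("service with no publisher recorded")
    if entry.section == "O4" and not paths:
        # No drive-letter path: the loader resolves the name via PATH at logon.
        target = body.split("]", 1)[-1].strip()
        entry.flags.append(f"autorun uses a bare filename resolved via PATH: {target}")
    if entry.section in ("R0", "R1"):
        m = re.search(r"=\s*(\S+)", body)
        if m and "microsoft.com" not in m.group(1).lower():
            entry.flags.append(f"browser start/search setting is non-default, confirm with user: {m.group(1)}")
    return entry


def triage_log(text: str) -> List[Entry]:
    return [triage(e) for e in parse_entries(text)]


def flagged(text: str) -> List[Entry]:
    """Entries with at least one review flag, in log order."""
    return [e for e in triage_log(text) if e.flags]


if __name__ == "__main__":
    for e in flagged(SAMPLE_LOG):
        print(f"{e.section}: {e.body}")
        for f in e.flags:
            print(f"    -> {f}")
```

On the sample, the NFAgent service collects three flags at once (missing file, no publisher, smss.exe outside system32), which is the combination a reviewer would want to see first.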

Hello bidi00, and welcome to BleepingComputer.com!

I will be handling your log to help you get cleaned up. We apologize for the delay in responding to your request for help.

Here at BleepingComputer.com we get overwhelmed at times, and we are trying our best to keep up.

Please note that your topic was not intentionally overlooked.

Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. If you have since resolved the original problem you were having, we would appreciate you letting us know.

If not, please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a description of your problem, along with any steps you may have performed so far. If you do not make a reply within the next 5 days, we will need to close your topic.

Please take note of some guidelines for this fix:

I will start working on your malware issues, this may or may not solve other issues you have with your machine.

The fixes are specific to your problem and should only be used for this issue on this machine.

Refrain from making any changes to your computer including installing/uninstalling programs, deleting files, modifying the registry, and running extra scanners or fix programs not requested by me: doing so could change the results in the reports I request.

The process is not instant: even if things appear to be better, it might not mean we are finished.

Please continue to follow my instructions and reply back until I tell you your machine is clean.

Just because a symptom disappears does not mean your system is clean.

We do not want to clean you part-way, only to have the system re-infect itself.

If you do not understand any step(s) provided, please stop and ask your question(s) before proceeding with the fixes.

I would much rather clarify instructions or explain them differently than have something important broken.

Please set aside enough time to complete all the steps in each post and follow the instructions in the order stated.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

If for any reason you cannot complete instructions within that time, that's fine, but please let me know: just post back here so that I know you are still here.

This is to ensure that your topic remains open and I don't close it to start a new post.

NOTE: In the upper right hand corner of the topic you will see a button called Options.

If you click on this button, a drop-down menu will expand.

By choosing Track this topic and then choosing Immediate Email Notification, followed by clicking Proceed, you will be advised when I respond to your topic.

This facilitates the cleaning procedure.

The topics you are tracking can be found here.

Please reply to this thread using the Add Reply button in the lower right hand corner of your screen.

Do not start a new topic.

The logs that you post should be pasted directly into the reply.

Reviewing your log(s) requires an amount of research, so please be patient.

However, if I have not posted back within 24 hours, feel free to send me a Personal Message (PM) with your topic link.

If you still require assistance, please post a new set of logs from DDS and a description of any remaining problems or symptoms you may still have. If for any reason you did not post a DDS log please refer to this page and in step #6 there are instructions on downloading and running DDS.

If you have any problems, just let me know in your next reply or simply post a HijackThis log.

Then, please check for rootkits with RootRepeal:

Download RootRepeal to your Desktop.

Direct Download (Recommended)
RootRepeal.exe - Primary Mirror
RootRepeal.exe - Secondary Mirror
RootRepeal.exe - Secondary Mirror
RootRepeal.exe - Secondary Mirror

Zip Mirrors (Recommended if you have a slower connection or if the Direct Download mirror is down)
RootRepeal.zip - Primary Mirror
RootRepeal.zip - Secondary Mirror
RootRepeal.zip - Secondary Mirror

Rar Mirrors (Only if you know what a RAR is and can extract it)
RootRepeal.rar - Primary Mirror
RootRepeal.rar - Secondary Mirror

Extract RootRepeal.exe from the archive (if you did not use the Direct Download mirror).

Physically disconnect your machine from the Internet as your system will be unprotected.

Close/Disable all applications, especially your security programs (antivirus, antimalware and firewall programs).

Refer to this link if you are unsure how.

Double-click RootRepeal's icon on your Desktop (RootRepeal.exe) to run RootRepeal.

Click the Report tab.

Click the Scan button.

Check all seven boxes:
Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services
Shadow SSDT

Click OK.

Check the box for your main system drive (usually C:), and press OK.

Allow RootRepeal to run a scan of your system.

NOTE: This may take some time.

Once the scan completes, click the Save Report button.

Save the log as RootRepeal.txt to the Desktop.

Reconnect to the Internet.

Post the log's entire contents in your next reply, please.

So for your next reply, I would like to see:
the DDS logs:
DDS.txt
Attach.txt (attached)
the RootRepeal report (RootRepeal.txt)
a description of any remaining problems

Thanks again and we apologize for the delay.

With kindest regards,
htv8

Thank you for taking the time to help me.

Here are the logs you requested.

DDS (Ver_09-07-30.01) - NTFSx86
Run by Michael Lombardo at 14:10:22.72 on Sun 09/06/2009
Internet Explorer: 6.0.2900.5512

Pseudo HJT Report

uStart Page = hxxp://creed.com/
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
BHO: {33BF5F4E-5758-40D9-927F-9DD476CA9635} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {914420b2-7455-4722-b1e1-d206e32cb176} - No File
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
TB: {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [LDM] c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Nero PhotoShow Media Manager] c:\progra~1\nero\photos~1\data\xtras\mssysmgr.exe
uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
mRun: [WorksFUD] c:\program files\microsoft works\wkfud.exe
mRun: [Microsoft Works Portfolio] c:\program files\microsoft works\WksSb.exe /AllUsers
mRun: [Microsoft Works Update Detection] c:\program files\microsoft works\WkDetect.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [NeroFilterCheck] c:\program files\common files\nero\lib\NeroCheck.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [nwiz] nwiz.exe /install
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
IE: &Define - c:\program files\common files\microsoft shared\reference 2001\a\ERS_DEF.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: Look Up in &Encyclopedia - c:\program files\common files\microsoft shared\reference 2001\a\ERS_ENC.HTM
IE: {2FDEF853-0759-11D4-A92E-006097DBED37} - c:\program files\common files\microsoft shared\reference 2001\a\ERS_ENC.HTM
IE: {5DA9DE80-097A-11D4-A92E-006097DBED37} - c:\program files\common files\microsoft shared\reference 2001\a\ERS_DEF.HTM
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: { 161-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/msaudio.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {4AEF8AEE-3DE8-4B69-8B6E-6353B6C59B50} - hxxp://onesite.realpage.com/coreglobal/RealpageCab/Realpage.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1195967445578
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1195967416390
DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} - hxxp://launch.gamespyarcade.com/software/launch/alaunch.cab
DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} - hxxp://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - hxxp://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38172.4487962963
DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - hxxp://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7}
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SERVICES / DRIVERS

Created Last 30

2009-08-22 20:40 55,656 a c:\windows\system32\drivers\avgntflt.sys
2009-08-22 20:16 <DIR> --d c:\program files\Avira
2009-08-22 20:16 <DIR> --d c:\docume~1\alluse~1\applic~1\Avira
2009-08-22 16:39 <DIR> --d c:\program files\Sophos
2009-08-16 20:55 <DIR> --d c:\docume~1\alluse~1\applic~1\SecTaskMan
2009-08-15 12:05 <DIR> --d C:\_OTM
2009-08-15 11:01 <DIR> A-d c:\windows\system32\images
2009-08-11 23:49 <DIR> --d c:\windows\pss
2009-08-11 20:12 45,344 a c:\windows\system32\drivers\mqf7b5e.sys
2009-08-11 18:24 128,512 -c c:\windows\system32\dllcache\dhtmled.ocx
2009-08-11 18:24 1,315,328 -c c:\windows\system32\dllcache\msoe.dll
2009-08-08 19:17 <DIR> --dsh--- c:\documents and settings\michael lombardo\IECompatCache
2009-08-08 18:57 70,380 a---h--- c:\windows\system32\mlfcache.dat
2009-08-08 18:52 <DIR> --dsh--- c:\documents and settings\michael lombardo\PrivacIE
2009-08-08 18:45 <DIR> --dsh--- c:\documents and settings\michael lombardo\IETldCache
2009-08-08 18:37 81,920 a c:\windows\system32\ieencode.dll
2009-08-08 18:37 81,920 a c:\windows\system32\dllcache\ieencode.dll
2009-08-08 18:34 594,432 -c c:\windows\system32\dllcache\msfeeds.dll
2009-08-08 18:34 55,296 -c c:\windows\system32\dllcache\msfeedsbs.dll
2009-08-08 18:34 246,272 -c c:\windows\system32\dllcache\ieproxy.dll
2009-08-08 18:34 12,800 -c c:\windows\system32\dllcache\xpshims.dll
2009-08-08 18:34 1,985,536 -c c:\windows\system32\dllcache\iertutil.dll
2009-08-08 18:33 101,376 -c c:\windows\system32\dllcache\iecompat.dll
2009-08-08 16:32 <DIR> --d c:\program files\iPod
2009-08-08 16:32 <DIR> --d c:\program files\iTunes

Find3M

2009-08-24 18:32 43,520 a c:\windows\system32\CmdLineExt03.dll
2009-08-05 02:01 204,800 a c:\windows\system32\mswebdvd.dll
2009-08-03 13:36 38,160 a c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 13:36 19,096 a c:\windows\system32\drivers\mbam.sys
2009-07-25 05:23 411,368 a c:\windows\system32\deploytk.dll
2009-07-17 12:01 58,880 a c:\windows\system32\atl.dll
2009-07-13 23:43 286,208 a c:\windows\system32\wmpdxm.dll
2009-07-10 18:52 138,952 a c:\windows\system32\drivers\PnkBstrK.sys
2009-07-10 18:51 202,512 a c:\windows\system32\PnkBstrB.exe
2009-07-06 12:02 98,304 a c:\windows\system32\CmdLineExt.dll
2009-06-26 09:50 666,624 a c:\windows\system32\wininet.dll
2009-06-25 01:25 730,112 a c:\windows\system32\lsasrv.dll
2009-06-25 01:25 301,568 a c:\windows\system32\kerberos.dll
2009-06-25 01:25 147,456 a c:\windows\system32\schannel.dll
2009-06-25 01:25 136,192 a c:\windows\system32\msv1_0.dll
2009-06-25 01:25 56,832 a c:\windows\system32\secur32.dll
2009-06-25 01:25 54,272 a c:\windows\system32\wdigest.dll
2009-06-16 07:36 119,808 a c:\windows\system32\t2embed.dll
2009-06-16 07:36 81,920 a c:\windows\system32\fontsub.dll
2009-06-12 05:31 76,288 a c:\windows\system32\telnet.exe
2009-06-10 23:04 345,630 a c:\windows\system32\kungsfphrsdoun.dat
2009-06-10 09:19 2,066,432 a c:\windows\system32\mstscax.dll
2009-06-10 07:13 84,992 a c:\windows\system32\avifil32.dll
2009-06-09 23:14 132,096 a c:\windows\system32\wkssvc.dll
2009-06-07 21:41 87,608 a c:\docume~1\michae~1\applic~1\inst.exe
2009-06-07 21:41 47,360 a c:\docume~1\michae~1\applic~1\pcouffin.sys
2008-11-05 21:45 61,224 a c:\documents and settings\michael lombardo\GoToAssistDownloadHelper.exe
2005-11-02 00:45 36 a c:\documents and settings\michael lombardo\klextlock.dat

FINISH: 14:27:41.64

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-07-30.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 7/3/2004 9:18:25 PM
System Uptime: 9/6/2009 2:00:33 PM (0 hours ago)

Motherboard: Dell Computer Corporation | | Dimension 4300

==== Installed Programs

µTorrent
ABBYY FineReader 5.0 Sprint Plus
Action Replay Code Manager
Ad-Aware
Adobe AIR
Adobe Atmosphere Player for Acrobat and Adobe Reader
Adobe Flash Player 10 ActiveX
Adobe Photoshop Album 2.0 Starter Edition
Adobe Reader 7.0.8
Adobe Shockwave Player 11
Age of Empires III
AgeOfCastles
Anewsoft MP3 Recorder 2.0
Apple Mobile Device Support
Apple Software Update
ArcSoft Software Suite
AutoUpdate
Avira AntiVir Personal - Free Antivirus
Backup Dell-Installed Programs
Battlefield 1942 Multiplayer Demo
Battlefield 1942 Singleplayer Demo
Battlefield 2: Deluxe Edition
Bonjour
Call of Duty Game of the Year Edition
Call of Duty® 2
CDDRV_Installer
Compatibility Pack for the 2007 Office system
Critical Update for Windows Media Player 11 (KB959772)
Dell ResourceCD
DellTouch
DivX
DivX Player
DOM
EA downloader
EA SPORTS online 2007
Empire Earth II
Empire Earth II: The Art of Supremacy
EPSON CardMonitor
EPSON Copy Utility
EPSON Photo Print
EPSON PhotoStarter3.2
EPSON Printer Software
EPSON Scan
EPSON Smart Panel
EPSON SPRX600 Reference Guide
FoneSync
GameSpy Arcade
GameSpy Software
Google Earth
Google Updater
Guild Wars
GuitarVision
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB970653-v3)
IrfanView (remove only)
iTunes
Java™ 6 Update 15
KhalInstallWrapper
LightScribe Diagnostic Utility
LightScribe System Software
Logitech Desktop Messenger
Logitech SetPoint
Macromedia Shockwave Player
Malwarebytes' Anti-Malware
Medal of Honor Allied Assault
Medal of Honor Allied Assault™ Breakthrough
Medal of Honor Allied Assault™ Breakthrough Patch v2.40
Medal of Honor Allied Assault™ Spearhead
Medal of Honor Allied Assault™ Spearhead Patch 2.15
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Age of Empires II
Microsoft Age of Empires II: The Conquerors Expansion
Microsoft Broadband Networking
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft Encarta Encyclopedia Standard 2001
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft Money 2001
Microsoft Office 2000 SR-1 Premium
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Outlook 2007
Microsoft Office Outlook 2007 Trial
Microsoft Office Outlook MUI (English) 2007
Microsoft Office Professional Edition 2003
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher 2003
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Picture It! Publishing 2001
Microsoft Software Update for Web Folders (English) 12
Microsoft Streets and Trips 2001
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Windows Media Video 9 VCM
Microsoft Works 2001 Setup Launcher
Microsoft Works 6.0
Microsoft Works Suite Add-in for Microsoft Word
MobileMe Control Panel
Morrowind
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
Nero 8 Essentials
neroxml
NVIDIA Display Driver
NVIDIA Drivers
PowerDVD
QuickTime
RCT3 Soaked
RealPlayer Basic
RollerCoaster Tycoon 2
RollerCoaster Tycoon 2: Time Twister
RollerCoaster Tycoon 2: Wacky Worlds
RollerCoaster Tycoon® 3
Safari
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for Microsoft Office Word 2007 (KB969604)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Spybot - Search & Destroy
TES Construction Set
The Sims™ Life Stories
Tiger Woods PGA TOUR 07
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft Office Outlook 2007 (KB969907)
Update for Outlook 2007 Junk Email Filter (kb972691)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839) Update for Windows XP (KB967715) Update for Windows XP (KB968389) Update for Windows XP (KB973815) VCRedistSetup WavePad Uninstall WebFldrs XP WinAce Archiver Windows Genuine Advantage Notifications (KB905474) Windows Genuine Advantage v1.3.0254.0 Windows Genuine Advantage Validation Tool (KB892130) Windows Live Messenger Windows Media Format 11 runtime Windows Media Player 11 Windows XP Service Pack 3 Works Suite OS Pack Works Synchronization Yu-Gi-Oh! Power of Chaos YUGI THE DESTINY Yugioh Virtual Dueling Zoo Tycoon: Complete Collection

==== End Of File

ROOTREPEAL © AD, 2007-2009
Scan Start Time: 2009/09/06 14:52
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3

Drivers
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF2B12000 Size: 98304 File Visible: No Signed: - Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF8C58000 Size: 8192 File Visible: No Signed: - Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB7FF0000 Size: 49152 File Visible: No Signed: - Status: -

Name: SKYNEToyxckbgo.sys
Image Path: C:\WINDOWS\system32\drivers\SKYNEToyxckbgo.sys
Address: 0xF2E28000 Size: 151552 File Visible: - Signed: - Status: Hidden from the Windows API!

Hidden/Locked Files
Path: C:\WINDOWS\system32\SKYNETadvjiyba.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\SKYNETdpkrarer.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\SKYNETedduwiaw.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\SKYNETftdoyrne.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\temp\SKYNETdwmabdrwpq.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Tyler Lombardo\Desktop\Yugioh Virtual Desktop 9.exe:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
Status: Visible to the Windows API, but not on disk.

Path: C:\WINDOWS\system32\drivers\mqf7b5e.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\drivers\SKYNEToyxckbgo.sys
Status: Invisible to the Windows API!

Path: c:\documents and settings\michael lombardo\local settings\temp\wera8ad.dir00\safari.exe.hdmp
Status: Allocation size mismatch (API: 89014272, Raw: 11862016)

Path: C:\Documents and Settings\Michael Lombardo\Local Settings\Temporary Internet Files\Content.IE5\CMU78NTI\skynet-virus-t248346[1].html
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Michael Lombardo\Local Settings\Temporary Internet Files\Content.IE5\S9R22TF7\skynet-virus-t248346[1].html
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Michael Lombardo\Local Settings\Temporary Internet Files\Content.IE5\U5R0QUQT\skynet-virus-t248346[1].html
Status: Invisible to the Windows API!

SSDT
#: 066 Function Name: NtDeviceIoControlFile
Status: Hooked by "<unknown>" at address 0x82f3f4a0

Stealth Objects
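The RootRepeal report above already contains the two tell-tale signs the helper explains later in the thread (a rootkit hooking kernel APIs to hide its files): a driver and a cluster of SKYNET-prefixed files whose status is "Hidden"/"Invisible to the Windows API!", plus an SSDT hook on NtDeviceIoControlFile. The script below is an added example, not part of the thread and not RootRepeal's own code: it parses a RootRepeal-style report into entries, buckets them by the verdict RootRepeal itself recorded, and computes the shared name prefix of the hidden objects, which is how an analyst groups the components of one rootkit family. The sample report is a constructed, trimmed copy of the one posted here with its line structure restored; the field names are the ones visible in the thread, and the assumption that a real report places "Key: value" pairs either one per line or several per line is handled by the parser either way.

```python
import os
import re

# Constructed sample: a trimmed copy of the RootRepeal report posted in this
# thread, with line structure restored (the real report's layout is assumed).
SAMPLE_LOG = r"""ROOTREPEAL (C) AD, 2007-2009
Scan Start Time: 2009/09/06 14:52

Drivers
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF2B12000 Size: 98304 File Visible: No Signed: - Status: -

Name: SKYNEToyxckbgo.sys
Image Path: C:\WINDOWS\system32\drivers\SKYNEToyxckbgo.sys
Address: 0xF2E28000 Size: 151552 File Visible: - Signed: - Status: Hidden from the Windows API!

Hidden/Locked Files
Path: C:\WINDOWS\system32\SKYNETadvjiyba.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\SKYNETedduwiaw.dll
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Michael Lombardo\Local Settings\Temporary Internet Files\Content.IE5\CMU78NTI\skynet-virus-t248346[1].html
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\mqf7b5e.sys
Status: Locked to the Windows API!

Path: c:\documents and settings\michael lombardo\local settings\temp\wera8ad.dir00\safari.exe.hdmp
Status: Allocation size mismatch (API: 89014272, Raw: 11862016)

SSDT
#: 066 Function Name: NtDeviceIoControlFile
Status: Hooked by "<unknown>" at address 0x82f3f4a0

Stealth Objects
"""

SECTIONS = ("Drivers", "Hidden/Locked Files", "SSDT", "Stealth Objects")
FIELD_KEYS = ("Name", "Image Path", "Address", "Size", "File Visible",
              "Signed", "Status", "Path", "#", "Function Name")
_KEYS = "|".join(re.escape(k) for k in FIELD_KEYS)
# A line may carry several "Key: value" pairs (the driver Address line does), so
# a value runs until the next *known* key. Splitting only on known keys keeps
# "C:\..." paths and "(API: ..., Raw: ...)" from being mistaken for new fields.
FIELD_RE = re.compile(rf"(?:^| )({_KEYS}): (.*?)(?= (?:{_KEYS}): |$)")


def parse_report(text):
    """Return a list of (section, fields) tuples, one per report entry."""
    entries, section, current = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"-"}:
            current = None            # blank line or rule ends the entry
            continue
        if line in SECTIONS:
            section, current = line, None
            continue
        if section is None:
            continue                  # report banner (version, scan time)
        if current is None:
            current = {}
            entries.append((section, current))
        for key, value in FIELD_RE.findall(line):
            current[key] = value.strip()
    return entries


def triage(text):
    """Bucket report entries by what RootRepeal itself concluded about them."""
    found = {"hidden_drivers": [], "hidden_files": [], "locked_files": [],
             "size_mismatch": [], "ssdt_hooks": []}
    for section, e in parse_report(text):
        status = e.get("Status", "")
        if section == "Drivers":
            # "File Visible: No" alone is not a finding: the dump_* copies of the
            # crash-dump stack load without a file of their own on clean machines.
            if status.startswith("Hidden"):
                found["hidden_drivers"].append(e["Image Path"])
        elif section == "Hidden/Locked Files":
            if status.startswith("Invisible"):
                found["hidden_files"].append(e["Path"])
            elif status.startswith("Locked"):
                found["locked_files"].append(e["Path"])
            elif status.startswith("Allocation size mismatch"):
                found["size_mismatch"].append(e["Path"])
        elif section == "SSDT" and status.startswith("Hooked"):
            found["ssdt_hooks"].append((int(e["#"]), e["Function Name"], status))
    return found


def hidden_name_prefix(found):
    """Case-insensitive common prefix of every hidden driver and file name.

    A rootkit that hides everything starting with its own marker leaves a long
    shared prefix across otherwise random names; here it also explains why the
    cached 'skynet-virus' web page vanished along with the malware files.
    """
    names = [os.path.basename(p.replace("\\", "/")).casefold()
             for p in found["hidden_drivers"] + found["hidden_files"]]
    return os.path.commonprefix(names) if names else ""


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for bucket, items in result.items():
        print(bucket, *items, sep="\n    ")
    print("shared hidden-name prefix:", hidden_name_prefix(result) or "(none)")
```

To run it over a saved report instead of the embedded sample, read the file's text and pass it to triage(). The buckets deliberately mirror RootRepeal's own wording rather than adding a verdict of their own: "Locked" and "Allocation size mismatch" entries are common on clean systems (in-use drivers, sparse or compressed files) and are listed only so the analyst can look at them, while the hidden-object buckets and the SSDT hook are what justify treating the machine as rootkit-compromised.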

Wow, now I am infected with Windows Police Pro.

Nothing wants to load, can't run malware programs.

This stinks. Now Windows Antivirus Pro as well.

Uuuugggg.

Hello again, bidi00. The TDSS Trojan Horse is a backdoor/rootkit trojan.

Such a piece of malware allows hackers to remotely control your computer, steal critical system information, and download and execute files. Rootkits and backdoor trojans are very dangerous because they compromise system integrity by making changes that allow it to be used by the attacker for malicious purposes.

Rootkits are used by Trojans to conceal their presence (hide from view) in order to prevent detection of an attacker's software and make removal more difficult.

Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install.

They can disable your antivirus and security tools to prevent detection and removal.

Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms.

This type of exploit allows them to steal sensitive information like passwords, personal and financial data, which is sent back to the hacker.

To learn more about these types of infections, you can refer to:
What danger is presented by rootkits?
Rootkits and how to combat them
r00tkit Analysis: What Is A Rootkit

I would counsel you to immediately disconnect this PC from the Internet and from your network if it is on a network.

Disconnect the infected computer until the computer can be cleaned.

Then, access this information from a non-compromised computer to follow the steps needed. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable.

Do NOT change passwords or do any transactions while using the infected computer because the attacker may get the new passwords and transaction information.

(If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again.) Banking and credit card institutions should be notified to apprise them of your situation (possible security breach).

To protect your information that may have been compromised, I recommend reading these references:
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
What Should I Do If I've Become A Victim Of Identity Theft?
Identity Theft Victims Guide - What to do

Though the backdoor has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted.

It is dangerous and incorrect to assume the computer is secure even if the malware appears to have been removed.

In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired so you can never be sure that you have completely removed a rootkit.

The malware may leave so many remnants behind that security tools cannot find them.

Tools that claim to be able to remove rootkits cannot guarantee that all traces of it will be removed.

Many experts in the security community believe that once infected with such a piece of malware, the best course of action would be a reformat and clean reinstall of the OS.

This is something I don't like to recommend normally, but in most cases it is the best solution for your safety.

Making this decision is based on what the computer is used for, and what information can be accessed from it.

For more information, please read these references very carefully:
When should I re-format? How should I reinstall?
Help: I Got Hacked. Now What Do I Do?
Help: I Got Hacked. Now What Do I Do? Part II
Where to draw the line? When to recommend a format and reinstall?

If you choose to format and reinstall, see these links for instructions: Reformatting Windows XP (by wng_z3ro), MIT IS&T - Windows XP: Clean Install.

However, if you do not have the resources to reinstall your computer and would like me to attempt to clean it, I will be happy to do so.

But please consider carefully before deciding against a reformat.

If you do make that decision, I will do my best to help you clean the computer of any infections, but you must understand that once a machine has been taken over by this type of malware, I cannot guarantee that it will be 100% secure even after disinfection or that the removal will be successful. Please let me know what you have decided to do in your next post.

Should you have any questions, please feel free to ask.

If you decide to go through with the cleanup, you can proceed with the steps below. Before we begin, you should save these instructions in Notepad to your Desktop, or print them, for easy reference and to make sure you don't get lost. Make sure to work through the fixes in the exact order in which they are mentioned below and do not miss any steps out.

If at any point you have questions, or are unsure of the instructions, do not hesitate to post here and ask for clarification before proceeding with the fixes.

Peer-to-peer (P2P) program WARNING

Your log shows that you are using a so-called peer-to-peer or file sharing program (in your case µTorrent).

Programs like this one allow users to share files between each other, as the name(s) suggest.

In today's world, cyber crime has come to an enormous dimension, and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files.

A popular means is the use of file sharing tools, as a tremendous amount of prospective victims can be reached through it.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and it is thus suggested that they be used with intense care.

Some further readings on this subject, along with the included links, are as follows: File Sharing, otherwise known as Peer To Peer (P2P) and Risks of File-Sharing Technology.

Avoid gaming sites, pirated software, cracking tools, keygens, and P2P file sharing programs: They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft.

Many malicious worms and trojans spread across P2P file sharing networks, gaming and underground sites.

Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious flash ads that install viruses, trojans and spyware.

Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.

The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.

It is pretty much certain that if you continue to use P2P programs, you will get infected again. Due to the reasons mentioned above, I would strongly recommend that you uninstall µTorrent.

The choice to remove it is entirely up to you, however, but I strongly recommend getting rid of it.

If you agree, go to Start -> Control Panel -> Add or Remove Programs and remove µTorrent.

If you do not agree, please at least refrain from using any peer-to-peer programs for the remainder of my fix. It is also important to note that sharing entertainment files and proprietary software infringes the copyright laws in many countries over the world and you are putting yourself at risk of being indicted through organizations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or the authors of the files themselves. Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as OpenOffice.

Uninstall a program using Add or Remove Programs: Click Start on the taskbar, then click on the Control Panel icon.

Double-click the Add or Remove Programs icon.

A list of programs installed will be "populated"; this may take a bit of time.

Uninstall the following program by clicking on its entry and selecting Remove (or Change/Remove): AutoUpdate

Download and run sUBs' ComboFix: Please download ComboFix from any of the links below.

* IMPORTANT! Choose to save ComboFix to your Desktop but rename it to bidi00.exe prior to doing so.

Download ComboFix (ComboFix.exe) - #1
Download ComboFix (ComboFix.exe) - #2

VERY IMPORTANT: Disable all running antivirus, antimalware and firewall programs as they may interfere with the proper running of ComboFix.

Click on this link to see a list of programs that should be disabled.

NOTE : This list is not all-inclusive.

If yours is not listed and you do not know how to disable it, please ask.

Double-click bidi00.exe and follow the prompts.

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.

With malware infections being as they are today, it is strongly recommended to have this pre-installed on your machine before doing any malware removal.

It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

Follow the prompts to allow ComboFix to download and install the Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console. NOTE: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once installed, you should see a screen prompt that says: "The Recovery Console was successfully installed." Click Yes to allow ComboFix to continue scanning for malware. NOTE: Do NOT mouseclick ComboFix's window whilst it's running.

That may cause your system to hang!

When finished, ComboFix shall produce a log for you (located at C:\ComboFix.txt).

Post the entire contents of that report in your next reply for further review, along with the Add-Remove Programs.txt log which can be found at C:\Qoobox.

Quote: GENERAL WARNING : Do NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.

It is a powerful tool intended by its creator to be used under the guidance and supervision of an expert, not for private use.

Using this tool incorrectly could lead to disastrous problems with your Operating System such as preventing it from ever starting again.

Also see ComboFix's disclaimer. So in your next post, please let me know what you have decided to do.

If you decided to go through with the cleanup, please post the entire contents of:
C:\ComboFix.txt (the ComboFix log)
C:\Qoobox\Add-Remove Programs.txt

Hey there, I was running ComboFix and before it was done the computer crashed.

Now I cannot open any .exe file.

No ComboFix, Malwarebytes, or anything.

Now what do I do?

You can't open any executable program?

Can't you open Notepad (Start -> All Programs -> Accessories -> Notepad)? Can't you open a program like Internet Explorer, Microsoft Word or your email application?

I cannot open any program.

I can however still open pictures.

I also managed to get into windows media player via the "what program would you like to use" box and played videos.

Not sure what to do at this point.

Should I back up my music, pictures, videos and docs?

Reformat hard drive?

Would reformatting get rid of all viruses?

Looks like the default association for executable (.exe) and/or shortcut (.lnk) files is corrupted... Restore the default association for .exe and .lnk (shortcut) files: Download these association fixes:
EXE File Association Fix (xp_exe_fix.zip)
LNK (Shortcut) File Association Fix (linkfile_fix.zip)
DIRECT download location for Windows XP File Association Fixes here.

IMPORTANT: Unzip both files (extract their content).

Double-click the extracted registry (.reg) files.

When a window pops up asking if the information should be merged/added to the registry, accept (say Yes).

NOTE: If you are not able to import the .reg files because of the corrupted .exe file association, do this: Press Ctrl + Alt + Delete to open up the Task Manager. Within Task Manager, click File, then hold down Ctrl and left-click New Task (Run...). A Command Prompt window will open. Enter REGEDIT.EXE and hit Enter; Registry Editor will be launched. In Registry Editor, click File -> Import... Navigate to the .reg fix file, highlight (select) it and click Open. It should be merged to the registry.

Repeat with the second .reg fix.

Any luck with these fixes?

Ok, so I already had the fixexe.reg file on my desktop.

I clicked it, let it do its thing and then said yes to add files.

Seems like I'm back up and running.

Do you want me to combo fix again or run you some sort of report?

Quote: [..] do you want me to combo fix again or run you some sort of report?

Yes, please perform the instructions of Post #5 .

I didn't have a chance to run the computer today.

I will try to do so Monday or Tuesday. Thank you.

OK, take the time you need.

Alrighty, here is the update.

I have tried to run combofix twice now (once Monday night and once Tuesday night) with no results.

The program runs for at least 30 to 45 minutes and just stalls.

Not sure what to do from here.

Hello again, and sorry for the little delay; been quite busy. Please try this... Before we begin, you should save these instructions in Notepad to your Desktop, or print them, for easy reference and to make sure you don't get lost. Make sure to work through the fixes in the exact order in which they are mentioned below and do not miss any steps out.

If at any point you have questions, or are unsure of the instructions, do not hesitate to post here and ask for clarification before proceeding with the fixes.

Download and run Win32kDiag: Download Win32kDiag from any of the following locations and save it to your Desktop.
Download Win32kDiag (Win32kDiag.exe) - #1
Download Win32kDiag (Win32kDiag.exe) - #2
Download Win32kDiag (Win32kDiag.exe) - #3

Double-click Win32kDiag.exe to run Win32kDiag and let it finish.

When it states "Finished! Press any key to exit...", press any key on your keyboard to close the program.

Double-click on the Win32kDiag.txt file that is located on your Desktop and post the entire contents of that log as a reply to this topic.

Download and run a batch file (peek.bat): Download peek.bat from the download link below and save it to your Desktop.
Download peek.bat

Double-click peek.bat to run it.

A black Command Prompt window will appear shortly: the program is running.

Once it is finished, copy and paste the entire contents of the Log.txt file it creates as a reply to this post.

So in your next reply, please post the entire contents of:
the Win32kDiag log
the peek.bat results
