I downloaded something the other day (even checked it with malware & avira before downloading; it was clean). After I opened said download my pc went berserk. Search engines were sending me to different pages, etc. and malwarebytes, hijack this, and unhack me will not work. They run for a few seconds then shut down and say something about not being able to access the path or file and not having permissions to access the item. I got my search engine status back to normal with spywareblaster but still cannot run malwarebytes, etc. Also ran superspyware & avira & they showed a few malicious items but apparently not the ones that matter lol. Anyways here is a copy of win32kdiag
Log file is located at: C:\Documents and Settings\Owner\Desktop\Win32kDiag.txt
WARNING: Could not get backup privileges!
Searching 'C:\WINDOWS'...
Found mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB933566\KB933566
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB933729\KB933729
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB937143\KB937143
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB938127\KB938127
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\8HPW4CJRY6ELT18G\8HPW4CJRY6ELT18G
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\A3W_DATA\A3W_DATA
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\addins\addins
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\GAC_32\System.EnterpriseServices\System.EnterpriseServices
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\GAC_MSIL\IEExecRemote\IEExecRemote
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP127.tmp\ZAP127.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1C.tmp\ZAP1C.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1E4.tmp\ZAP1E4.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1F.tmp\ZAP1F.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2C4.tmp\ZAP2C4.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2EA.tmp\ZAP2EA.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP392.tmp\ZAP392.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP415.tmp\ZAP415.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP4E.tmp\ZAP4E.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP54.tmp\ZAP54.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP661.tmp\ZAP661.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\tmp\tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CAVTemp\CAVTemp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Config\Config
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Debug\Setup\Backup\Backup
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Debug\UserMode\UserMode
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Fonts\data\data
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ftpcache\ftpcache
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\chsime\applets\applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imejp\applets\applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imejp98\imejp98
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\shared\res\res
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\62287FAB00234BD4EB33D429A2978904\3.0.6920\3.0.6920
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\java\classes\classes
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\java\trustlib\trustlib
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\neodesk\73b2c607\cd103b1d\assembly\tmp\tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\neodesk\9c6bd4b6\c7eed5e3\assembly\tmp\tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\neoedge.services.agent.webservices\0578d1b0\355e5723\assembly\tmp\tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\neoedge.services.agent.webservices\1a4f6693\5c87f49d\assembly\tmp\tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Minidump\Minidump
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\msapps\msinfo\msinfo
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\msdownld.tmp\msdownld.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\mui\mui
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\ERRORREP\UserDumps\UserDumps
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\System\News\News
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\System_OEM\System_OEM
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\security\logs\logs
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\00f4dcdbcc87699e75212b885cb6bebf\backup\backup
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\555558d2c7916b118ad5baef62b18136\backup\backup
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\solcache\solcache
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\1025\1025
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\1028\1028
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\1031\1031
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\1037\1037
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\1041\1041
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\1042\1042
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\1054\1054
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\2052\2052
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\3076\3076
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\Adobe\update\update
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\ap\ap
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\Original\Original
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Google\Google
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Media Player\Media Player
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Desktop\Desktop
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Favorites\Favorites
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Google\Custom Buttons\Enterprise\Enterprise
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Google\FastSearch\exceptions\exceptions
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\Temp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\My Documents\My Documents
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Recent\Recent
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\dhcp\dhcp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\drivers\disdn\disdn
Mount point destination : \Device\__max++>\^
Cannot access: C:\WINDOWS\system32\eventlog.dll
#1
Posted 30 August 2009 - 09:49 PM
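A defender's triage check over the Win32kDiag report above, added here as an example and not part of the thread or of the Win32kDiag tool: it parses the tool's "Found mount point", "Mount point destination" and "Cannot access" lines, flags directory mount points that resolve to anything other than a normal volume path (the one non-volume destination every mount point in the posted log shares), and lists the files the tool could not open. The sample log is a constructed, shortened copy of the posted one, and the pattern used to recognise a "normal" destination is an assumption.

```python
"""Triage a Win32kDiag report for mount-point and file-access anomalies.

Added example, not code from the forum thread or from the Win32kDiag tool.
It reads the tool's three line types ("Found mount point", "Mount point
destination", "Cannot access"), flags mount points whose destination is not
a normal volume path, and lists system files the tool could not open.
"""
import re
from collections import Counter

# Constructed sample in Win32kDiag's output format: a shortened copy of the
# posted log, plus one ordinary-looking junction (last pair) for contrast.
SAMPLE_LOG = r"""
Log file is located at: C:\Documents and Settings\Owner\Desktop\Win32kDiag.txt
WARNING: Could not get backup privileges!
Searching 'C:\WINDOWS'...
Found mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\addins\addins
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Desktop\Desktop
Mount point destination : \Device\__max++>\^
Found mount point : C:\Documents and Settings\All Users\Documents\Documents
Mount point destination : \??\C:\Documents and Settings\All Users\Documents
Cannot access: C:\WINDOWS\system32\eventlog.dll
"""

MOUNT_RE = re.compile(r"^Found mount point : (.+)$")
DEST_RE = re.compile(r"^Mount point destination : (.+)$")
DENIED_RE = re.compile(r"^Cannot access: (.+)$")

# Assumption: a legitimate directory junction resolves either to a Win32 path
# (\??\C:\...) or to a real volume device (\Device\HarddiskVolumeN\...).
# Any other destination is not somewhere a directory can legitimately point.
NORMAL_DEST_RE = re.compile(r"^(\\\?\?\\[A-Za-z]:\\|\\Device\\HarddiskVolume\d+\\)")


def parse_win32kdiag(text):
    """Return (mounts, denied): mounts is a list of (directory, destination)
    pairs, denied the list of files the tool reported it could not access."""
    mounts, denied = [], []
    pending = None  # directory waiting for its destination line
    for raw in text.splitlines():
        line = raw.strip()
        m = MOUNT_RE.match(line)
        if m:
            pending = m.group(1)
            continue
        m = DEST_RE.match(line)
        if m and pending is not None:
            mounts.append((pending, m.group(1)))
            pending = None
            continue
        m = DENIED_RE.match(line)
        if m:
            denied.append(m.group(1))
    return mounts, denied


def triage(text):
    """Summarise the report: suspicious mount points grouped by destination,
    inaccessible files, and a one-line verdict."""
    mounts, denied = parse_win32kdiag(text)
    suspicious = [(d, dest) for d, dest in mounts if not NORMAL_DEST_RE.match(dest)]
    by_dest = Counter(dest for _, dest in suspicious)
    findings = [
        f"{n} directory mount point(s) resolve to non-volume device path {dest}"
        for dest, n in by_dest.most_common()
    ]
    findings += [f"system file not readable: {path}" for path in denied]
    # Many directories all redirected to one bogus device object, plus a
    # system DLL the tool cannot even open, is the pattern of something
    # hiding its components from on-box scanners, not of ordinary junctions.
    if len(by_dest) == 1 and len(suspicious) > 1 and denied:
        verdict = "consistent with a rootkit redirecting directories; do not trust on-box scanner results"
    elif suspicious or denied:
        verdict = "anomalies present: review manually"
    else:
        verdict = "no mount point or access anomalies"
    return {
        "mount_points": len(mounts),
        "suspicious": suspicious,
        "denied": denied,
        "findings": findings,
        "verdict": verdict,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for f in result["findings"]:
        print("-", f)
    print("Verdict:", result["verdict"])
```

Point it at a saved Win32kDiag.txt instead of SAMPLE_LOG to triage a real report; the grouping by destination is what makes a hundred identical lines readable at a glance.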
#2
Posted 30 August 2009 - 09:59 PM
Hello ghettogirl,
I will be assisting you in searching for malware. For the duration, follow my guidance.
Advise me of your Windows version/edition, as well as the antivirus program installed on this system.
If you must, use another system to download the tools, and then transfer them to the Desktop of the problem pc.
You will want to print out or copy these instructions to Notepad for Safe Mode/offline reference!

If you are a casual viewer, do NOT try this on your system!
If you are not ghettogirl and have a similar problem, do NOT post here; start your own topic
Do not run or start any other programs while these utilities and tools are in use!
Do NOT run any other tools on your own or do any fixes other than what is listed here.
If you have questions, please ask before you do something on your own.
But it is important that you get going on these following steps.
=
Close any of your open programs while you run these tools.
Go >> here <<
and download RootRepeal and SAVE to your Desktop.
Doubleclick RootRepeal.exe icon on your Desktop.
Click on the Report tab at bottom of window and then click on Scan button.
A window will open asking what to include in the scan. Check all of the below and then click Ok.
Drivers
Files
Processes
SSDT
Hidden Services
Stealth Objects
You will then be asked which drive to scan.
Check C: (or the drive your operating system is installed on if not C) and click Ok again.
The scan will start.
It will take a little while so please be patient. When the scan has finished, click on Save Report.
Name the log RootRepeal.txt and save it to your Documents folder (it should default there).
When you have done this, please copy and paste it in this thread.
=
Download DDS and save it to your desktop from http://www.techsuppo...ctools/sUBs/dds here or http://download.blee...om/sUBs/dds.scr or
http://www.forospyware.com/sUBs/dds
Disable any script blocker if your antivirus/antimalware has it.
Then double click dds.scr to run the tool.
When done, DDS.txt will open.
Click Yes at the next prompt for Optional Scan.
- When done, DDS will open two (2) logs:
- DDS.txt
- Attach.txt
- Save both reports to your desktop.
RootRepeal.txt
DDS.txt
Attach.txt
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)
#3
Posted 30 August 2009 - 10:34 PM
Oh sorry I am running windows xp and I use Avira antivirus. I downloaded both items and did exactly as u said. RootRepeal is doing the exact same thing as my malwarebytes and unhack me. It runs for a few then closes and says the same thing as the others. I disabled all of the script blocking that I know of and DDS will still not give me a log file for some reason.
<NOTE>
Kindly only use the ADDReply button
when starting your reply. Otherwise, a quoted reply makes for very long scroll & read.
~ Maurice
#4
Posted 30 August 2009 - 10:53 PM
Oh sorry I am running windows xp and I use Avira antivirus. I downloaded both items and did exactly as u said. RootRepeal is doing the exact same thing as my malwarebytes and unhack me. It runs for a few then closes and says the same thing as the others. I disabled all of the script blocking that I know of and DDS will still not give me a log file for some reason.
Sorry about the double post lol
#5
Posted 30 August 2009 - 10:58 PM
do this:
1. Go >> Here << and download ERUNT
(ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)
2. Install ERUNT by following the prompts
(use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)
3. Start ERUNT
(either by double clicking on the desktop icon or choosing to start the program at the end of the setup)
4. Choose a location for the backup
(the default location is C:\WINDOWS\ERDNT which is acceptable).
5. Make sure that at least the first two check boxes are ticked
6. Press OK
7. Press YES to create the folder.
=
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
If you have a prior copy of Combofix, delete it now !
Download Combofix from any of the links below. You must rename it before saving it. Save it to your Desktop.
Link 1
Link 2
Link 3


* IMPORTANT !!! SAVE AS Combo-Fix.exe to your Desktop
If your I.E. browser shows a warning message at the top, do a Right-Click on the bar and select Download, saving it to the Desktop.
- Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
- Now, disconnect this pc from internet by unplugging the connection to the modem.
- Double click on Combo-Fix.exe & follow the prompts.
- As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
- Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.
Please watch Combofix as it runs, as you may see messages which require your response, or the pressing of OK button.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
-------------------------------------------------------
A caution - Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.
The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled.
If this occurs, please reboot to restore the desktop.
Even when ComboFix appears to be doing nothing, look at your Drive light.
If it is flashing, Combofix is still at work.
=
RE-Enable your AntiVirus and AntiSpyware applications.
Reconnect the connection to the modem.
Reply with copy of C:\Combofix.txt
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)
#6
Posted 31 August 2009 - 02:01 AM
Again I did exactly as u said with both programs. Combofix ran perfectly until my pc rebooted then nothing. No drive light no log file no nothing. And I disabled Avira before I ran it. Grrrr
#7
Posted 31 August 2009 - 08:57 AM
Restart the system one more time. Then,
Go to Start > RUN and copy and paste the following command in the field:
"%userprofile%\desktop\win32kdiag.exe" -f -r
Look for C:\Combofix.txt
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)
#8
Posted 31 August 2009 - 04:40 PM
It's telling me windows cannot find C:\Documents and Settings\Owner\desktop\win32kdiag.exe. Make sure u typed the name correctly and try again.
#9
Posted 01 September 2009 - 04:15 PM
I'm thinking maybe I need to buy a new pc.....this one is nothing but problems. Anyways, I thought I fixed the problem with Spywareblaster, but apparently not. I still cannot run any of my cleaning programs. And I had my search engine problem fixed for a day, but now it's back to the same thing. Pages are being redirected again.
#10
Posted 03 September 2009 - 03:55 AM
Please be specific about whether you used Internet Explorer or maybe if you are using Firefox or another browser!
Also, cease if you will, doing web searches. Only go to this forum or the websites I guide you to.
Let's have a try at the following:
Download to your Desktop FixPolicies.exe, by Bill Castner, MS-MVP, a self-extracting ZIP archive from
>>> here <<<
- Double-click FixPolicies.exe.
- Click the "Install" button on the bottom toolbar of the box that will open.
- The program will create a new Folder called FixPolicies.
- Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd.
- A black box will briefly appear and then close.
- This fix may prove temporary. Active malware may revert these changes at your next startup. You can safely run the utility again.
Then, next, get and run FixIEDef:
Use this URL to Download the latest version, and SAVE it to your Desktop !
http://downloads.mal...om/FixIEDef.exe
Double click FixIEdef.exe on your Desktop to start it.
Click OK when you get the 1st FixIEDef window.
Next, at 2nd message-window, press SCAN button.
Click OK when you see a FixIEDef alert window.
Let it scan the file system and the registry. Do not touch keyboard or mouse while utility is running.
Click Exit once FixIEDef displays the !!! All Finished message !!! window.
WARNING: FixIEDef will kill all copies of Internet Explorer and Explorer that are running, during removal of malicious files. The icons and Start Menu on your Desktop will not be visible while FixIEDef is removing malicious files. This is necessary to remove parts of the infection that would otherwise not be removed.
Click Exit once FixIEDef displays the All Finished message.
Post the FixIEDef log file, located on the Desktop.
=
Please download and run the Trend Micro Sysclean Package on your computer.
NOTE! This scan will probably take a long time to run on your computer so be patient and don't use it while it's scanning.
- Trend Micro Damage Cleanup Engine
- Make sure you read this document to understand how to use the program.
Trend Micro Sysclean Package README 1st - Basically there are 3 parts that need to be downloaded and SAVED from these links:
- Sysclean Package
- Virus Pattern Files that will be a LPTxxx.ZIP file
- Spyware Pattern Files this is a SSAPIPTNxxx.ZIP
It is the 4th listed file, under title "Detection and Cleanup (Trend Micro Anti-Spyware) Ssapiptn.Da5"
- Sysclean Package
- Create a brand new folder to copy these files to.
- As an example: C:\DCE
- Then open each of the zipped archive files and copy their contents to C:\DCE
- Copy the file sysclean.com to the new folder C:\DCE as well.
- Double-click on the file sysclean.com that is in the C:\DCE folder and follow the on-screen instructions.
After doing all of this, please post back your results, including the log file sysclean.log that will be left behind by sysclean.
Compress and uncompress files (zip files) in Vista
Reply with a copy of Sysclean.log
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)
#11
Posted 04 September 2009 - 05:53 AM
Ok, I was finally able to get a log file from something lol (by the way, I normally use Mozilla Firefox as opposed to IE)...here is the requested log file
*******************************************************************************
* *
* FixIEDef Log *
* Version 1.7.22.7514 *
* *
********************************************************************************
Created at 01:47:27 on Friday, September 04, 2009
Time Zone : (GMT-05:00) Eastern Time (US & Canada)
Logged On User : Owner
Operating System : Microsoft Windows XP Home Edition Service Pack 3
OS Architecture : X86
System Langauge : English (United States)
Keyboard Layout : English (United States)
Processor : X86 Intel® Pentium® 4 CPU 1400MHz
System Drive : C:\
Windows Directory : C:\WINDOWS
System Directory : C:\WINDOWS\system32
System Drive Type : Fixed
System Drive Status : READY
System Drive Label :
System Drive Size : 76.31 GB
System Drive Free : 19.72 GB
Total Physical Memory: 511 MB
Free Physical Memory : 270 MB
Total Page File : 511 MB
Free Page File : 1054 MB
Total Virtual Memory : 2048 MB
Free Virtual Memory : 1961 MB
Boot State : Normal boot
--------------------------------------------------------------------------------
!!! userinit.exe is Clean !!!
--------------------------------------------------------------------------------
!!! Files that have been deleted !!!
C:\WINDOWS\system32\tmp.reg
C:\WINDOWS\system32\tmp.txt
--------------------------------------------------------------------------------
!!! Directories that have been removed !!!
No malicious directories to be removed
--------------------------------------------------------------------------------
!!! Registry entries that have been removed !!!
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "KernelFaultCheck"
================================================================================
All Done
ShadowPuterDude
Safe Surfing!!!
#12
Posted 04 September 2009 - 02:28 PM
Please do the SYSCLEAN procedure as I outlined in my earlier reply, and when done, copy and paste the Sysclean.log here.
If you continue to have issues with Firefox, use Internet Explorer for purposes of downloading tools.
Please do not do any websurfing. Only go to websites I guide you to and this forum.
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)
#13
Posted 04 September 2009 - 02:34 PM
OK, all done scanning with the above-specified program. Here are the log file results:
/--------------------------------------------------------------\
| Trend Micro System Cleaner |
| Copyright 2009-2010, Trend Micro, Inc. |
| http://www.trendmicro.com |
\--------------------------------------------------------------/
2009-09-04, 02:26:54, Auto-clean mode specified.
2009-09-04, 02:26:55, Initialized Rootkit Driver version 2.2.0.1004.
2009-09-04, 02:26:55, Running scanner "C:\DCE\TSC.BIN"...
2009-09-04, 02:27:07, Scanner "C:\DCE\TSC.BIN" has finished running.
2009-09-04, 02:27:07, TSC Log:
Damage Cleanup Engine (DCE) 6.1 (Build 1027) (RCM:2.2.0-1004)
Windows XP (Build 2600: Service Pack 3)
Start time: Fri Sep 04 2009 02:26:56
Load Damage Cleanup Template (DCT) "C:\DCE\TMRDCT.ptn" (version ) [fail]
Load Damage Cleanup Template (DCT) "C:\DCE\tsc.ptn" (version 1058) [success]
Complete time: Fri Sep 04 2009 02:27:07
Execute pattern count (3060), Virus found count (0), Virus clean count (0), Clean failed count (0)
2009-09-04, 02:27:07, Running scanner "C:\DCE\VSCANTM.BIN"...
2009-09-04, 02:27:39, Scanner "C:\DCE\VSCANTM.BIN" has finished running.
2009-09-04, 02:27:39, VSCANTM Log:
2009-09-04, 02:27:39, Files Detected:
Copyright © 1990 - 2006 Trend Micro Inc.
Report Date : 9/4/2009 02:27:08
VSAPI Engine Version : 8.950-1092
VSCANTM Version : 3.00-1018 (Official Build)
VSGetVirusPatternInformation is invoked
Virus Pattern Version : 417 (466056/466056 Patterns) (2009/09/03) (641700)
Command Line: C:\DCE\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /HIDEDCECONSOLE /C /ACTIVEACTION=5 /VSBKENC+ /BK /LR C:\*.* /P=C:\DCE\lpt$vpn.417
2009-09-04, 02:27:39, Files Clean:
Copyright © 1990 - 2006 Trend Micro Inc.
Report Date : 9/4/2009 02:27:08
VSAPI Engine Version : 8.950-1092
VSCANTM Version : 3.00-1018 (Official Build)
VSGetVirusPatternInformation is invoked
Virus Pattern Version : 417 (466056/466056 Patterns) (2009/09/03) (641700)
Command Line: C:\DCE\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /HIDEDCECONSOLE /C /ACTIVEACTION=5 /VSBKENC+ /BK /LR C:\*.* /P=C:\DCE\lpt$vpn.417
2009-09-04, 02:27:39, Clean Fail:
Copyright © 1990 - 2006 Trend Micro Inc.
Report Date : 9/4/2009 02:27:08
VSAPI Engine Version : 8.950-1092
VSCANTM Version : 3.00-1018 (Official Build)
VSGetVirusPatternInformation is invoked
Virus Pattern Version : 417 (466056/466056 Patterns) (2009/09/03) (641700)
Command Line: C:\DCE\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /HIDEDCECONSOLE /C /ACTIVEACTION=5 /VSBKENC+ /BK /LR C:\*.* /P=C:\DCE\lpt$vpn.417
2009-09-04, 02:27:39, Running SSAPI scanner ""...
2009-09-04, 02:27:42, SSAPI Log:
/--------------------------------------------------------------\
| Trend Micro System Cleaner |
| Copyright 2009-2010, Trend Micro, Inc. |
| http://www.trendmicro.com |
\--------------------------------------------------------------/
2009-09-04, 02:29:31, Auto-clean mode specified.
2009-09-04, 02:29:31, Initialized Rootkit Driver version 2.2.0.1004.
2009-09-04, 02:29:31, Running scanner "C:\DCE\TSC.BIN"...
2009-09-04, 02:29:40, Scanner "C:\DCE\TSC.BIN" has finished running.
2009-09-04, 02:29:40, TSC Log:
Damage Cleanup Engine (DCE) 6.1 (Build 1027) (RCM:2.2.0-1004)
Windows XP (Build 2600: Service Pack 3)
Start time: Fri Sep 04 2009 02:29:32
Load Damage Cleanup Template (DCT) "C:\DCE\TMRDCT.ptn" (version ) [fail]
Load Damage Cleanup Template (DCT) "C:\DCE\tsc.ptn" (version 1058) [success]
Complete time: Fri Sep 04 2009 02:29:40
Execute pattern count (3060), Virus found count (0), Virus clean count (0), Clean failed count (0)
2009-09-04, 02:29:40, Running scanner "C:\DCE\VSCANTM.BIN"...
2009-09-04, 04:23:13, Scanner "C:\DCE\VSCANTM.BIN" has finished running.
2009-09-04, 04:23:14, VSCANTM Log:
2009-09-04, 04:23:14, Files Detected:
Copyright © 1990 - 2006 Trend Micro Inc.
Report Date : 9/4/2009 02:29:40
VSAPI Engine Version : 8.950-1092
VSCANTM Version : 3.00-1018 (Official Build)
VSGetVirusPatternInformation is invoked
Virus Pattern Version : 417 (466056/466056 Patterns) (2009/09/03) (641700)
Command Line: C:\DCE\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /HIDEDCECONSOLE /C /ACTIVEACTION=5 /VSBKENC+ /BK /LR C:\*.* /P=C:\DCE\lpt$vpn.417
C:\WINDOWS\system32\aluzimaf.ini [TROJ_VUNDOINI.A]
C:\WINDOWS\system32\esavikay.ini [TROJ_VUNDOINI.A]
C:\WINDOWS\system32\esiniwil.ini [TROJ_VUNDOINI.A]
C:\WINDOWS\system32\opitafah.ini [TROJ_VUNDOINI.A]
C:\WINDOWS\system32\ukajebor.ini [TROJ_VUNDOINI.A]
113978 files have been read.
113978 files have been checked.
113931 files have been scanned.
283609 files have been scanned. (including files in archived)
5 files containing viruses.
Found 5 viruses totally.
Maybe 0 viruses totally.
Stop At: 9/4/2009 04:23:13 1 hour 53 minutes 31 seconds (6811.35 seconds) has elapsed.(59.760 msec/file)
---------*---------*---------*---------*---------*---------*---------*---------*
2009-09-04, 04:23:14, Files Clean:
Copyright © 1990 - 2006 Trend Micro Inc.
Report Date : 9/4/2009 02:29:40
VSAPI Engine Version : 8.950-1092
VSCANTM Version : 3.00-1018 (Official Build)
VSGetVirusPatternInformation is invoked
Virus Pattern Version : 417 (466056/466056 Patterns) (2009/09/03) (641700)
Command Line: C:\DCE\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /HIDEDCECONSOLE /C /ACTIVEACTION=5 /VSBKENC+ /BK /LR C:\*.* /P=C:\DCE\lpt$vpn.417
113978 files have been read.
113978 files have been checked.
113931 files have been scanned.
283609 files have been scanned. (including files in archived)
5 files containing viruses.
Found 5 viruses totally.
Maybe 0 viruses totally.
Stop At: 9/4/2009 04:23:13 1 hour 53 minutes 31 seconds (6811.35 seconds) has elapsed.(59.760 msec/file)
---------*---------*---------*---------*---------*---------*---------*---------*
2009-09-04, 04:23:14, Clean Fail:
Copyright © 1990 - 2006 Trend Micro Inc.
Report Date : 9/4/2009 02:29:40
VSAPI Engine Version : 8.950-1092
VSCANTM Version : 3.00-1018 (Official Build)
VSGetVirusPatternInformation is invoked
Virus Pattern Version : 417 (466056/466056 Patterns) (2009/09/03) (641700)
Command Line: C:\DCE\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /HIDEDCECONSOLE /C /ACTIVEACTION=5 /VSBKENC+ /BK /LR C:\*.* /P=C:\DCE\lpt$vpn.417
113978 files have been read.
113978 files have been checked.
113931 files have been scanned.
283609 files have been scanned. (including files in archived)
5 files containing viruses.
Found 5 viruses totally.
Maybe 0 viruses totally.
Stop At: 9/4/2009 04:23:13 1 hour 53 minutes 31 seconds (6811.35 seconds) has elapsed.(59.760 msec/file)
---------*---------*---------*---------*---------*---------*---------*---------*
2009-09-04, 04:23:15, Running SSAPI scanner "C:\DCE\"...
2009-09-04, 04:56:26, SSAPI Log:
SSAPI Scanner Version: 1.0.1003
SSAPI Engine Version: 5.2.1032
SSAPI Pattern Version: 8.19
SSAPI Anti-Rootkit Version: 2.2.0.1004
Spyware Scan Started: 09/04/2009 04:23:20
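Two things worth checking in a Sysclean log like the one in the post above, shown as an added example written for this page (it is not Trend Micro's code, and the log layout it relies on is taken only from the log as pasted): first, the TSC (Damage Cleanup Engine) section is written as UTF-16LE with a byte-order mark inside an otherwise 8-bit file, which is why a pasted copy typically shows two stray characters followed by "D a m a g e" with a space between every letter; second, the five .ini files appear under "Files Detected" but under neither "Files Clean" nor "Clean Fail", so the log does not actually confirm that they were removed. The code decodes the mixed-encoding file correctly and reconciles the three sections. SAMPLE_LOG is a constructed stand-in for the real file, the regular expressions are assumptions about the line formats visible in the thread, and the decoding heuristic assumes the UTF-16 section contains only ASCII characters.

```python
import re

# Sysclean's wrapper lines and the VSCANTM report are 8-bit text, but the Damage
# Cleanup Engine (TSC) report is embedded as UTF-16LE with a byte-order mark.
# Shown through a single-byte codepage, the BOM becomes two stray letters and the
# NUL high bytes become the spaces between every TSC character.

BOM_LE = b"\xff\xfe"


def _is_utf16le_ascii_unit(data: bytes, i: int) -> bool:
    """True if data[i:i+2] is a UTF-16LE code unit for printable ASCII, tab, CR or LF."""
    if i + 1 >= len(data) or data[i + 1] != 0:
        return False
    return 0x20 <= data[i] < 0x7F or data[i] in (0x09, 0x0A, 0x0D)


def decode_mixed_log(data: bytes) -> str:
    """Decode a log whose 8-bit sections contain BOM-prefixed UTF-16LE sections.

    Bytes outside a UTF-16 section decode as latin-1 (lossless); after each BOM the
    UTF-16 section is consumed while its code units still look like UTF-16LE ASCII,
    then 8-bit decoding resumes at the first byte pair that does not.
    """
    parts, pos = [], 0
    while True:
        bom = data.find(BOM_LE, pos)
        if bom == -1:
            parts.append(data[pos:].decode("latin-1"))
            return "".join(parts)
        parts.append(data[pos:bom].decode("latin-1"))
        end = bom + 2
        while _is_utf16le_ascii_unit(data, end):
            end += 2
        parts.append(data[bom + 2:end].decode("utf-16-le"))
        pos = end


# Assumed line formats, taken from the log as pasted in the thread.
SECTION_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2}, \d{2}:\d{2}:\d{2}, (Files Detected|Files Clean|Clean Fail):\s*$")
FILE_RE = re.compile(r"^([A-Za-z]:\\\S.*?)\s+\[([^\]]+)\]\s*$")
TSC_RE = re.compile(
    r"Virus found count \((\d+)\), Virus clean count \((\d+)\), Clean failed count \((\d+)\)")


def parse_sysclean(data: bytes) -> dict:
    """Pull the TSC counters and the per-section VSCANTM file lists out of a
    Sysclean log, then list detections the log never confirms as handled: paths
    under 'Files Detected' that appear under neither 'Files Clean' nor 'Clean Fail'.
    """
    text = decode_mixed_log(data)
    sections = {"Files Detected": [], "Files Clean": [], "Clean Fail": []}
    current = None
    for line in text.splitlines():
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            continue
        hit = FILE_RE.match(line)
        if hit and current:
            sections[current].append((hit.group(1), hit.group(2)))
    counts = TSC_RE.search(text)
    tsc = dict(zip(("found", "cleaned", "clean_failed"), map(int, counts.groups()))) if counts else None
    handled = {p for p, _ in sections["Files Clean"]} | {p for p, _ in sections["Clean Fail"]}
    unresolved = [(p, n) for p, n in sections["Files Detected"] if p not in handled]
    return {"tsc": tsc, "sections": sections, "unresolved": unresolved}


# Constructed sample modelled on the log in the thread; it is not the real file.
_TSC = ("Damage Cleanup Engine (DCE) 6.1 (Build 1027) (RCM:2.2.0-1004)\r\n"
        "Windows XP (Build 2600: Service Pack 3)\r\n"
        "Execute pattern count (3060), Virus found count (0), Virus clean count (0), "
        "Clean failed count (0)\r\n")
_VSCAN_HEADER = ("Copyright (c) 1990 - 2006 Trend Micro Inc.\r\n"
                 "Virus Pattern Version : 417 (466056/466056 Patterns) (2009/09/03) (641700)\r\n")
_DETECTED = "".join(f"C:\\WINDOWS\\system32\\{n}.ini [TROJ_VUNDOINI.A]\r\n"
                    for n in ("aluzimaf", "esavikay", "esiniwil", "opitafah", "ukajebor"))
SAMPLE_LOG = (
    b"2009-09-04, 02:29:40, TSC Log:\r\n" + BOM_LE + _TSC.encode("utf-16-le")
    + b"2009-09-04, 04:23:14, VSCANTM Log:\r\n"
    + b"2009-09-04, 04:23:14, Files Detected:\r\n" + _VSCAN_HEADER.encode("ascii")
    + _DETECTED.encode("ascii") + b"5 files containing viruses.\r\n"
    + b"2009-09-04, 04:23:14, Files Clean:\r\n" + _VSCAN_HEADER.encode("ascii")
    + b"2009-09-04, 04:23:14, Clean Fail:\r\n" + _VSCAN_HEADER.encode("ascii")
)

if __name__ == "__main__":
    report = parse_sysclean(SAMPLE_LOG)
    print("TSC counters:", report["tsc"])
    for path, name in report["unresolved"]:
        print("detected, not confirmed cleaned:", path, name)
```

Reading the file as bytes and splitting on the BOM is the key step: opening it with a single text encoding either garbles the TSC section or, if you pick UTF-16, garbles everything else. The "unresolved" list is the part to act on; in the thread it is exactly the five files the helper then removes explicitly with an OTL script.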
#14
Posted 04 September 2009 - 03:04 PM
You will want to print out or copy these instructions to Notepad for Safe Mode/offline reference!

If you are a casual viewer, do NOT try this on your system!
If you are not ghettogirll and have a similar problem, do NOT post here; start your own topic
Do not run or start any other programs while these utilities and tools are in use!
Do NOT run any other tools on your own or do any fixes other than what is listed here.
If you have questions, please ask before you do something on your own.
But it is important that you get going on these following steps.
=
If you have any open documents, save and close them.
Close any of your open programs while you run these tools.
These next procedures will reboot/restart your system. So do not be surprised.
Keep going and do as much as possible.
I'm going to have you run a couple of tools. But first, turn off your antivirus program's "real time" monitors.
Use this as a guide if needed, but do NOT turn off the firewall.
How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs
=
- Download OTL by OldTimer to your desktop: http://oldtimer.geekstogo.com/OTL.exe
- Please double-click OTL.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator.)
- Copy all the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
:files
C:\WINDOWS\system32\aluzimaf.ini
C:\WINDOWS\system32\esavikay.ini
C:\WINDOWS\system32\esiniwil.ini
C:\WINDOWS\system32\opitafah.ini
C:\WINDOWS\system32\ukajebor.ini
C:\recycler
D:\recycler
e:\recycler
f:\recycler
g:\recycler
h:\recycler
:Commands
[purity]
[emptytemp]
[reboot]
- Return to OTL. Right click in the "Custom Scans/Fixes" window (under the aqua-blue bar) and choose Paste.
- Close any browser(s) windows that may be open.
- Using your mouse, click on the red-lettered button Run Fix.
- Once you see a message box "Fix complete! Click OK to open the fix log."
Click the OK button - The log will open in Notepad (your default text editor).
- Save the log. Post a copy of that log in your next reply.
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
=
Next, disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
If you have a prior copy of Combofix, delete it now !
Download Combofix from any of the links below. You must rename it before saving it. Save it to your Desktop.
Link 1
Link 2
Link 3


* IMPORTANT !!! SAVE AS Combo-Fix.exe to your Desktop
If your I.E. browser shows a warning message at the top, do a Right-Click on the bar and select Download, saving it to the Desktop.
Please have infinite patience while Combofix runs (see below). It has many phases!
It will prompt you with a message window when it is done.
- Double click on Combo-Fix.exe & follow the prompts.
- As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
- Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.
Please watch Combofix as it runs, as you may see messages which require your response, or the pressing of OK button.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
-------------------------------------------------------
A caution - Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.
The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled.
If this occurs, please reboot to restore the desktop.
Even when ComboFix appears to be doing nothing, it is working
You will have a message prompt, when it finishes.
=
RE-Enable your AntiVirus and AntiSpyware applications.
Reply with copy of the OTL MovedFiles log
and the C:\Combofix.txt
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)
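To make clear what the `:files` / `:Commands` script in the post above actually asks the tool to do, here is an added example written for this page (it is not OTL's own code, and its log format and quarantine layout are this example's assumptions, not OTL's): it parses a script of that shape, then moves each listed path into a quarantine folder that mirrors the original location rather than deleting it, so a false positive can be put back, and reports paths that were missing or could not be moved. The thread says OTL moves files to C:\_OTL\MovedFiles and finishes a blocked move at the next reboot; this example only reports such a failure. `THREAD_SCRIPT` is the script as posted; `run_demo` builds a throwaway sandbox with a constructed target file so the code runs on any machine.

```python
import shutil
import tempfile
from pathlib import Path

# The fix script as posted in the thread, one entry per line.
THREAD_SCRIPT = """\
:files
C:\\WINDOWS\\system32\\aluzimaf.ini
C:\\WINDOWS\\system32\\esavikay.ini
C:\\WINDOWS\\system32\\esiniwil.ini
C:\\WINDOWS\\system32\\opitafah.ini
C:\\WINDOWS\\system32\\ukajebor.ini
C:\\recycler
D:\\recycler
e:\\recycler
f:\\recycler
g:\\recycler
h:\\recycler
:Commands
[purity]
[emptytemp]
[reboot]
"""


def parse_otl_script(script: str) -> dict:
    """Split an OTL-style fix script into sections keyed by lowercase section name.

    A line starting with ':' (':files', ':Commands') opens a section; every
    non-blank line until the next header is an entry of that section.
    """
    sections, current = {}, None
    for raw in script.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(":"):
            current = line[1:].lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def quarantine_files(entries, quarantine_root) -> dict:
    """Move each listed file or directory under quarantine_root, mirroring its
    original path, instead of deleting it.

    Returns {'moved': [(src, dst)], 'missing': [src], 'failed': [(src, reason)]}.
    A 'failed' entry is what a locked or protected file produces.
    """
    root = Path(quarantine_root)
    result = {"moved": [], "missing": [], "failed": []}
    for entry in entries:
        src = Path(entry)
        if not src.exists():
            result["missing"].append(str(src))
            continue
        # Drop the drive letter / root anchor so C:\WINDOWS\x lands at <root>\WINDOWS\x.
        rel = Path(*src.parts[1:]) if src.is_absolute() else src
        dst = root / rel
        try:
            dst.parent.mkdir(parents=True, exist_ok=True)
            shutil.move(str(src), str(dst))
            result["moved"].append((str(src), str(dst)))
        except OSError as err:
            result["failed"].append((str(src), str(err)))
    return result


def write_moved_log(result: dict, log_path) -> list:
    """Write a MovedFiles-style log (this example's own format) and return its lines."""
    lines = [f"{src} moved successfully to {dst}" for src, dst in result["moved"]]
    lines += [f"{src} not found" for src in result["missing"]]
    lines += [f"{src} could not be moved: {why}" for src, why in result["failed"]]
    log_path = Path(log_path)
    log_path.parent.mkdir(parents=True, exist_ok=True)
    log_path.write_text("\n".join(lines) + "\n")
    return lines


def run_demo() -> dict:
    """Run a script against a sandbox holding one constructed target file and one
    missing path; return the quarantine result, the commands and the log lines."""
    box = Path(tempfile.mkdtemp(prefix="otl_demo_"))
    present = box / "WINDOWS" / "system32" / "aluzimaf.ini"
    present.parent.mkdir(parents=True)
    present.write_text("[constructed sample standing in for the detected .ini]\n")
    absent = box / "WINDOWS" / "system32" / "nothere.ini"
    script = f":files\n{present}\n{absent}\n:Commands\n[emptytemp]\n[reboot]\n"
    sections = parse_otl_script(script)
    result = quarantine_files(sections["files"], box / "_OTL" / "MovedFiles")
    result["log"] = write_moved_log(result, box / "_OTL" / "MovedFiles" / "fix.log")
    result["commands"] = sections["commands"]
    result["target_still_present"] = present.exists()
    return result


if __name__ == "__main__":
    for line in run_demo()["log"]:
        print(line)
```

The move-instead-of-delete design is the point: the five .ini names in the script are random-looking and were identified only by a scanner signature, so keeping a restorable copy costs nothing and protects against a misfire. A "failed" result on a live machine is the case the post's note covers, where the move has to be completed at reboot.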
#15
Posted 04 September 2009 - 04:17 PM
OK, OTL is doing the same thing as Malwarebytes. It started running, then shut down, and now I cannot open it. It says "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item."
#16
Posted 04 September 2009 - 04:45 PM
Skip the steps for OTL (for now). Continue with prior note to get and run Combofix.
#17
Posted 05 September 2009 - 05:23 AM
Tried to run Combofix again, but it started and then shut down like last time. I tried to run it again and it said "some files could not be created. Please close all applications, reboot Windows and restart your system". So, I restarted and tried to run it again, but it still says the same thing. Grrrr! You are trying soooo hard to help me and I really appreciate it.
#18
Posted 06 September 2009 - 02:40 AM
Do check closely where you saved win32kdiag.exe. We need to find it, and I need you to tell me exactly where: in a folder? If so, which?
Or is it on the Desktop? And did you log in with the same account as when you downloaded it?
You may try the following: disconnect the internet connection to the modem.
Then restart/reboot the system into Safe Mode. Then run Combofix this one time. If it works, I'll need a copy of C:\Combofix.txt.
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)
#19
Posted 07 September 2009 - 07:00 PM
Win32kdiag.exe is located in a folder named 'cleaning programs' on my desktop. And yes, I logged in under the same account that I downloaded it under.
#20
Posted 07 September 2009 - 07:13 PM
I am unable to run Combofix in Safe Mode. I went to the location and tried to run it, but it just kept taking me back to the drive location folder for some reason.