Computer Support - FreePCHelp.co.uk




07-03-2008, 02:12 PM   #21
Wolfeymole (Administrator)

If you run mIRC on a continual basis then do not allow people to send you files via CCP.

Configure it to: Only accept on request.

If you are unsure of how to set it let me know.

07-03-2008, 02:49 PM   #22
Dee_Collins (Free PC Help Member)

What is mIRC and what is CCP? If you don't mind me asking, I don't really know too much about PCs.

07-03-2008, 03:02 PM   #23
Wolfeymole (Administrator)

You have an entry in your previous post listing this:

A0148424.exe program.mIRC.616

mIRC is an acronym for Internet Relay Chat, and part of that software allows CCP (Client to Client Protocol), file sharing in other words.

You must have installed mIRC software at some period, Dee.

07-03-2008, 05:12 PM   #24
Dee_Collins (Free PC Help Member)

So what do I need to do now and how do I do it?

07-03-2008, 05:37 PM   #25
Wolfeymole (Administrator)

Can I just hark back and ask why all system files etc. are on D: rather than C:?

What happened to make you change the drive letter?

07-03-2008, 09:48 PM   #26
AdvancedSetup (Free PC Help Long Term Member)

Okay Dee, the computer should be running good enough now to do the full scan, cleanup routine.

Please follow these instructions in the exact order. You can ignore the Tea Timer as I don't think you have it running.


Your computer could be infected with Malware.
  • Malware is software designed to infiltrate or damage a computer system without the owner's informed consent.
    It is a combination of the words malicious and software.
    The expression is a general term used by computer professionals to mean a variety of forms of hostile, intrusive, or annoying software or program code.
  • Required Cleanup Steps
    1. Disable the Spybot Search & Destroy TEA TIMER if you use it and if it is enabled
    2. Run a Temporary file and cache cleaner (ATF)
    3. Run 2 Anti-Malware scanners (Listed Below)
    4. Run an Online Anti-Virus / Anti-Malware Scanner (Listed Below)
    5. Clear out old System Restore points
    6. If continued Malware type activity is present you may be asked to post a TrendMicro™ HijackThis™ Log file, do not do so unless requested.
The reason to run multiple scanners is to ensure that no single scanner is missing something.
The time it takes will vary depending on your system and your internet connection speed.
Typically the SUPERAntiSpyware and Malwarebytes scanners will take between 10 and 90 minutes.
The ESET online scan should take between 1 and 3 hours.
In most cases, these scans will suffice to clean and disinfect your computer.
Heavily infected systems or slower PCs can take much longer to scan and clean.

For best results print the following instructions and bookmark this Web page
To keep this guide printer-friendly, use your cursor to highlight the contents below.
From your browser select File - Print and in the printer dialog box under "Print range"
click the Selection choice to print out these instructions for removal of malware.
__________________________________________________

STEP 1
  • Disable Spybot Search & Destroy's TEA TIMER: (if installed)
    1. Run Spybot-S&D in Advanced Mode.
    2. If it is not already set to do this, go to the Mode menu and select "Advanced Mode"
    3. On the left hand side, Click on Tools
    4. Then click on the Resident Icon in the List
    5. Uncheck "Resident TeaTimer" and OK any prompts.
    6. Restart your computer.
__________________________________________________

STEP 2
  • Follow these instructions carefully.
  • Download ATF-Cleaner from Snapfiles.com to remove un-needed temporary files from your computer that may contain malware.
  • You can also download it from Majorgeeks.com
  • When you run ATF-Cleaner, check the items as shown below for Main.
  • For FireFox, be sure to click on the FireFox tab on top and check the items as shown below for FireFox
  • NOTE: If you don't have FireFox or Opera installed then they will be grayed out and can be ignored
  • Then click on "Empty Selected".
__________________________________________________

STEP 3
  • Install and run the free version (not the Professional version) of SUPERAntiSpyware from SUPERAntiSpyware.com
    • Accept any prompts to allow SUPERAntiSpyware to install the latest rules and infection definition files.
    • You do not have to send them your e-mail address, just click next.
    • You can leave the automated check for updates on.
    • You can uncheck "Send a diagnostic report to research center" if you don't want to send the information.
    • DO NOT allow SUPERAntiSpyware to protect your Home Page settings.
    • On the Top Left select the Scan your computer button.
    • Make sure there is a CHECK MARK on all Fixed Drives.
    • Click "Perform a Complete Scan". Click "Next" to Repair issues found and reboot the computer when prompted to do so.
__________________________________________________

STEP 4
  • Install and run Malwarebytes' Anti-Malware from Malwarebytes - (direct download)
    • Accept all defaults for the installer
    • Allow the program to update the definitions
    • Click on the Quick Scan and click Next.
    • If any items are found allow it to clean them and then Reboot your computer.
__________________________________________________

STEP 5
  • Run an online scan with ESET from Free Virus Scan: Use ESET's Online Antivirus Scanner
    • You must use Internet Explorer for this online scan. FireFox, Opera, etc will not work for this scan.
    • If your computer is running Windows Vista, then you must first start Internet Explorer as an Administrator. To do so, right-click on the Internet Explorer icon in the Start Menu and select "Run as administrator" from the popup context menu.
    • Accept the terms and click "Start".
    • Once the scanner is ready, check "Remove found threats" AND "Scan unwanted applications".
    • Click "Start" to begin the scan.
    • When completed, restart your computer.
__________________________________________________

Make sure your internet firewall security is enabled, and then please return to Free PC Help and tell us how the computer seems to be operating.


07-04-2008, 08:28 AM   #27
Dee_Collins (Free PC Help Member)

Quote:
Originally Posted by Wolfeymole
Can I just hark back and ask why all system files etc are on D: rather than C:

What happened to make you change the drive letter?

Basically a few years ago we had Kazaa on the PC, and it really screwed things up and we had to send it to someone to be fixed and they changed everything over to D Drive for some reason (to be honest we don't really know why).

07-04-2008, 11:11 AM   #28
Dee_Collins (Free PC Help Member)

Well Avast is now pulling something up constantly whether it's spyware or a Trojan or Virus, I feel like getting a hammer out to the PC lol.........

What now? I did all that was suggested and I'm still getting pop ups, they keep freezing my PC up.

OK my PC seems to be worse now, Avast was pulling something up saying the location was SuperAntiSpyware
It also keeps pulling up the following malware:

Win32:VunDrop [Drp]

D:\Documents and Settings\IAN\Local Settings\Temporary Internet Files\Content.IE5\VMHJAESJ\kb111653[1]


07-04-2008, 11:21 AM   #29
Goku (Super Moderator)

Please bear with us till our Malware experts get online, Dee. They will advise you appropriately as soon as possible. Thanks for your patience and co-operation.

-- Goku

07-04-2008, 11:47 AM   #30
maynardvdm (Free PC Help Distinguished Member)

Hi

Can you please post the Malwarebytes log. You can find it here:

C:\Documents and Settings\<your username>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Thank you!

07-04-2008, 01:24 PM   #31
Dee_Collins (Free PC Help Member)

Malwarebytes' Anti-Malware 1.19
Database version: 901
Windows 5.1.2600 Service Pack 2
14:18:29 04/07/2008
mbam-log-7-4-2008 (14-18-29).txt
Scan type: Quick Scan
Objects scanned: 43251
Time elapsed: 7 minute(s), 42 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 7
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 8
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
D:\WINDOWS\system32\kedjkgwq.dll (Trojan.Vundo) -> Unloaded module successfully.
D:\WINDOWS\system32\wvUoLdcA.dll (Trojan.Vundo) -> Unloaded module successfully.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{41873d7c-f89a-4392-b637-78f0fe72fb40} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{41873d7c-f89a-4392-b637-78f0fe72fb40} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0873b249 (Trojan.Vundo) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
D:\WINDOWS\system32\wvUoLdcA.dll (Trojan.Vundo) -> Delete on reboot.
D:\WINDOWS\system32\AcdLoUvw.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\AcdLoUvw.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\kedjkgwq.dll (Trojan.Vundo) -> Delete on reboot.
D:\WINDOWS\system32\qwgkjdek.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\qodwkedk.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\kdekwdoq.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.
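
Added example, not part of the thread and not any poster's code: a short Python triage of the Malwarebytes log posted above. It lists the items still marked "Delete on reboot" (removal is not finished until the machine restarts) and pairs each flagged DLL with the .ini/.ini2 files whose names are the DLL name reversed, a pattern visible in this log. The function names are assumptions of the example; the embedded log lines are an excerpt copied from the post.

```python
import ntpath
import re
from collections import namedtuple

# Excerpt copied from the Malwarebytes log in post #31 (the forum's stray space
# inside "CurrentVersion" removed). Embedded so the example runs offline.
SAMPLE_LOG = r"""Memory Modules Infected:
D:\WINDOWS\system32\kedjkgwq.dll (Trojan.Vundo) -> Unloaded module successfully.
D:\WINDOWS\system32\wvUoLdcA.dll (Trojan.Vundo) -> Unloaded module successfully.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{41873d7c-f89a-4392-b637-78f0fe72fb40} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{41873d7c-f89a-4392-b637-78f0fe72fb40} (Trojan.Vundo) -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
D:\WINDOWS\system32\wvUoLdcA.dll (Trojan.Vundo) -> Delete on reboot.
D:\WINDOWS\system32\AcdLoUvw.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\AcdLoUvw.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\kedjkgwq.dll (Trojan.Vundo) -> Delete on reboot.
D:\WINDOWS\system32\qwgkjdek.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\qodwkedk.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\kdekwdoq.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.
"""

Item = namedtuple("Item", "section target detection action")

# "Files Infected:" opens a section; "Files Infected: 8" (summary) does not match.
SECTION_RE = re.compile(r"^(?P<section>.+) Infected:$")
# "<path or key> (<detection name>) -> <action>."
ITEM_RE = re.compile(
    r"^(?P<target>.+) \((?P<detection>[^()]+)\) -> (?P<action>.+?)\.?$"
)


def parse_mbam_log(text):
    """Return one Item per detection line, tagged with its log section."""
    items, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            section = header.group("section")
            continue
        entry = ITEM_RE.match(line)
        if entry and section:
            items.append(Item(section, entry.group("target"),
                              entry.group("detection"), entry.group("action")))
    return items


def pending_reboot(items):
    """Targets whose removal only completes after a restart, in log order."""
    targets = []
    for it in items:
        if it.action.lower().startswith("delete on reboot"):
            if it.target not in targets:
                targets.append(it.target)
    return targets


def reversed_name_pairs(items):
    """Pair each flagged DLL with flagged files named as the DLL name reversed."""
    files = [ntpath.basename(it.target) for it in items if it.section == "Files"]
    dlls = {ntpath.splitext(f)[0].lower(): f
            for f in files if f.lower().endswith(".dll")}
    pairs = []
    for f in files:
        stem, ext = ntpath.splitext(f)
        mirrored = stem.lower()[::-1]
        if ext.lower() != ".dll" and mirrored in dlls:
            pairs.append((dlls[mirrored], f))
    return sorted(pairs)


if __name__ == "__main__":
    parsed = parse_mbam_log(SAMPLE_LOG)
    print("Still pending a restart:")
    for target in pending_reboot(parsed):
        print("  ", target)
    print("DLL / companion file pairs:")
    for dll, companion in reversed_name_pairs(parsed):
        print("  ", dll, "<->", companion)
```

Any target still listed as pending after a normal restart and a fresh scan is worth reporting back alongside the new log.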

07-04-2008, 01:31 PM   #32
Seth (Free PC Help Long Term Member)

Hi Dee.

If you haven't already, run the scans again with SuperAntiSpyware, MalwareBytes, and Eset. Do so from Safe Mode With Networking and make sure that you run "complete or full" scans on the "C" and "D" drive.

Restart the computer after each scan, then please post a new HijackThis log.

07-04-2008, 01:35 PM   #33
Dee_Collins (Free PC Help Member)

OK Seth will do now

07-05-2008, 09:43 AM   #34
Dee_Collins (Free PC Help Member)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:41:53, on 05/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Safe mode with network support
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
D:\WINDOWS\system32\WgaTray.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Yahoo! UK & Ireland
O3 - Toolbar: SYSTRAN Web Translator 5.0 - {A5899B52-3AF9-4F56-85FE-AD7B3BE8490F} - D:\Program Files\SYSTRAN\5.0\Personal\IEPlugIn.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [AAWTray] D:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware Reboot] "D:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] D:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [SetDefaultMidi] MIDIDEF.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] D:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [SetDefaultMidi] MIDIDEF.EXE (User 'Default user')
O8 - Extra context menu item: &AOL Toolbar search - res://D:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &ieSpell Options - res://D:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: &Windows Live Search - res://D:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: &Yahoo! Search - file:///D:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - Add to Windows Live Favorites
O8 - Extra context menu item: Check &Spelling - res://D:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://D:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://D:\Program Files\ieSpell\wikipedia.HTM
O8 - Extra context menu item: Open in new background tab - res://D:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/229?96385411e23941a59bda1d2f2bc5bbc
O8 - Extra context menu item: Open in new foreground tab - res://D:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/230?96385411e23941a59bda1d2f2bc5bbc
O8 - Extra context menu item: Yahoo! &Dictionary - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - D:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - D:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - D:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - D:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0527.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0527.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/...oUploader5.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2357B3CF-7F8D-4451-8D81-FD6097610AEE} (CamfrogWEB Advanced Unicode Control) - http://activex.camfrogweb.com/advanc...instmodule.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - D:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD42/JS...ws-i586-jc.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - D:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - D:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Pml Driver HPZ12 - HP - D:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - D:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
--
End of file - 7725 bytes

07-05-2008, 09:43 AM   #35
Dee_Collins (Free PC Help Member)

Even in safe mode now I keep getting pop ups saying my PC is infected so download this program etc.

07-05-2008, 10:49 AM   #36
RandyL (Administrator)

Dee, if you're getting these popup messages in safe mode you probably have a serious infection issue. Please wait for the techs to advise you further.

In my humble opinion I would back up everything at this point just to be safe. A reinstall may be in order.

Wait for the techs to get back to you first please.

07-05-2008, 02:10 PM   #37
Seth (Free PC Help Long Term Member)

Your HijackThis log doesn't show any sign of infection. However, the HT and MB logs that you posted only show the "D" drive. The default hard drive should be "C". Where is your C drive and what's installed on it?

07-06-2008, 06:29 AM   #38
AdvancedSetup (Free PC Help Long Term Member)

Hi Dee,

Let me review this but you need to post back the LOGS as requested each time, otherwise I don't know for sure what's going on. I'm not there at your desk seeing what you see, so I rely on these logs to let me know what's going on. THANKS.

I'll be back in a little bit with some other routines to run. If you have a printer you may want to print out the instructions that I'll provide when I get back, while you do the work.


07-06-2008, 07:03 AM   #39
AdvancedSetup (Free PC Help Long Term Member)

Please post the SUPERAntispyware log and where is the ESET/NOD32 online scanner log?

Okay.... post those logs when you can please. Then follow these instructions exactly as shown and in the order shown. Remember when done I need to see the logs.

This file should not be here if you successfully ran the CCLEANER program:
D:\Documents and Settings\IAN\Local Settings\Temporary Internet Files\Content.IE5\VMHJAESJ\kb111653[1]
as this removes all the temporary cache files, of which this is one.

Please run the following below as shown.

Download and Run ComboFix from your DESKTOP (it must be saved or copied and run from the Desktop)
If you already have Combofix, please delete this copy and download it again as it's being updated regularly.
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

Please have patience as this can be a long and tedious process at times to remove Malware.

07-07-2008, 07:44 AM   #40
Dee_Collins (Free PC Help Member)

Sorry for the delay but I don't work weekends and this is a work PC that is playing up. Sorry, it wasn't 100% clear to me that logs needed to be posted after each scan, as I said I don't really know that much about PCs. In terms of the C Drive, as I explained before in this thread, we had to take the PC to be fixed to someone before and they said there was a problem with the C Drive and transferred everything over to the D Drive, something to do with Kazaa, but that was a good couple of years ago now.

So should I re-do all those scans in safe mode again and then post a log after each scan in safe mode? And is the log I need to post the Hijack this log?