winzlo

combo fix/internet speed monitor huge problem


I used ComboFix as described. When my computer rebooted it said "select from list or use web service to open this" blah blah... I tried to use the web service; it wouldn't work. Now half of my programs, including Ad-Aware, are not working! Neither is System Restore (not that it was before :/ ). The kinda good news is that instead of Internet Speed Monitor problems, now I just get "windows cannot find file:///c:windows/system32/driver/detect.com make sure the path/address is correct" argh!! That's not even when I prompt to open anything!

 

Please tell me what to do :D I know I'm retarded for not asking before doing; it's just that I'm so computer illiterate I don't even know what a log is..... and if you get it with Ad-Aware, well, umm... that's not working.... neither is ComboFix.

 

Also, I apologize for posting in this forum, but this is where I found out about ComboFix.... which caused a big old problem... :)


Hello winzlo & Welcome

 

Hmm, would this OS happen to be, say, XP? If so, did you try using System Restore? If not, try going back to before you ran ComboFix. See if this is any help; if so, then make sure not to fix a thing. Come back here with a HijackThis logfile; do it like so.

 

=======================

 

Before you run HijackThis, make sure to update Ad-Aware and run a full system scan. See what, if anything, is found. This link here will help you if you're not sure how to go about this.

 

http://www.bleepingcomputer.com/tutorials/tutorial48.html

 

=======================

 

Download HJTInstall.exe to your Desktop.

 

Double-click HJTInstall.exe to install it.

By default it will install to C:\Program Files\Trend Micro\HijackThis .

Click on Install.

It will create a HijackThis icon on the desktop.

Once installed, it will launch HijackThis.

Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.

Save the log to a convenient location as you'll need to post it soon.

Don't use the Analyse This button, its findings are dangerous if misinterpreted.

Don't have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

 

 

Again don't fix a thing till someone here has a look for you.

 

 

Gogo :D


Thank you very, very, VERY much for being willing to help me.... so frustrated.... I paid for Pro because of the support for processes; I've been battling a few for a while. I bought Pro yesterday (barely able to afford it, just got my first check from my 2nd job) because of the support. I'm assuming the support is this 24/7 forum? I was under the impression I would have been able to call somebody.... Yesterday I sent a message in to support and never got a reply in my emails.

 

OK, before I ran ComboFix, System Restore wouldn't work; it's been like that since I got the Internet Speed Monitor malware months back. Right now, after the ComboFix thing, none of my shortcuts work, including Explorer or Netscape. I think I can only get Explorer up because of the fact it's in the top left when you go to the Start menu.

 

I CANNOT GET AD-AWARE TO OPEN, nor can I with many programs. Luckily all my music files and Musicmatch Jukebox are still working, so are my video files, along with IE and the net.

 

Since I can't get a log (something you get with Ad-Aware, which I can't run, I'm guessing?)

 

This may help:

 

My desktop background automatically changed yesterday to:

 

"WARNING! SPYWARE THREAT HAS BEEN DETECTED ON YOUR PC.

YOUR COMPUTER HAS SEVERAL FATAL ERRORS DUE TO SPYWARE ACTIVITY. YOUT IP ADRESS IS got error 127 from storage engine1 AND VIA THIS ADDRESS AN AcCESS WAS GAINED BY ANOTHER COMPUTER. IT IS STRONGLY RECOMMENDED TO INSTALL AN ANTISPYWARE SOFTWARE TO CLOSE ALL SECURITY VULNERABLILITIES"

 

(Should I change passwords on this computer immediately, or should I wait until tomorrow night when I can get to another computer to access PayPal etc. to change the passwords?)

 

Then the Internet Speed Monitor thing changed, and my own pages, such as the one I'm typing on, would even change to try to sell me "ANTISPY STORM". Thankfully I'm not that much of a computer idiot.

 

When I purchased and used Ad-Aware Pro I quarantined some more stuff, deleted more, many different malware and spyware; I've been fighting processes. YESTERDAY WHEN THAT DESKTOP BACKGROUND CHANGED I ALSO LOST the ability to Ctrl/Alt/Delete; it STILL tells me Task Manager has been disabled by the administrator :D

 

I used to be able to Ctrl/Alt/Del and stop the process JAVAW.EXE, which seemed to stop some of the Internet Speed Monitor constant popups. WHEN USING AD-WATCH (which was blocking about 200, yes around 200, things an hour), in one of the bottom tabs that shows a few processes, where you could right-click on it for "details", JAVAW.EXE was there; however it was there as J?VAW.EXE and I couldn't figure out how to get rid of it. An Ad-Aware full scan wouldn't :/

 

Please tell me what to do.... Also, is this really the only support that's available? No phone lines or anything like that? Earlier today I put in a dispute with PayPal because I'm very, very close to uninstalling and reinstalling Windows, and I bought Pro under the impression of 24/7 customer support..... Even I know that forums are open 24/7, but if you guys are the customer support and do help me, then I guess I'll take it as a loss (the Pro thing; I definitely need to keep at least Plus on my computer) and send in a message to PayPal that the issue is resolved (my dispute was about the lack of immediate help I was expecting). Right now I'm extremely concerned about identity theft.

 

Thanks again, God bless you for your concern and for taking the time to read all of this.


Hey winzlo

 

Sorry to hear you're having all these problems. I should have had a better look at this before posting to you. I am going to have someone look at this for us; let's see what, if anything, they may be able to help us with. Would you happen to have your Windows CD at hand? It may be needed at this point. But as I said, let me see what I can do for you.

 

Gogo :D


Hi winzlo

 

Well, I put the word out for you. Now let's sit back and see what, if anything, they can help us with. If you don't hear from me, send me a PM in case I forget. But for now I ask that you do not try fixing anything on your own, please.

 

Gogo :D


ComboFix is not intended for general use - it is a special tool used by some of the malware removal experts, but really needs to be monitored by someone who knows what they are doing. Exactly what "instruction" did you follow?

 

Let's start with this basic tool called HijackThis, please - it's free and will give me a snapshot of what is running right now on your system. It's a start, and the first step users are asked to follow when dealing with a difficult-to-remove infection for analysis (not ComboFix):

Follow the instructions here to make a HijackThis log and post it in THIS topic (you don't need to start a new topic - we'll just use this one).

http://www.lavasoftsupport.com/index.php?showtopic=13639

 

I need a HijackThis log (do NOT try to "fix" anything - that's another tool that should only be used under supervision and direction).

 

And if you ran ComboFix, I really need to see the log it made as well. It will be stored on your hard drive (usually C:) and is named:

C:\ComboFix.txt


Thanks a lot guys, it's very appreciated. OK, the directions I followed in my desperate stupidity were:

 

--------------------------------------------------------------------------------------------------------------------------------------

 

Download ComboFix from here.

**Save it to your desktop**

 

In case you have used ComboFix before, please delete the version you have and redownload it again, because ComboFix is being updated every day.

 

In case your antivirus or any other realtime scanner is displaying an alert after you downloaded ComboFix or while you use ComboFix, please disable your scanner and redownload ComboFix again, because some scanners may see some ComboFix-related components as suspicious and block or delete them while there's nothing wrong with them.

 

* Double-click combofix.exe

Follow the prompts.

Don't click on the window while the fix is running, because that will cause your system to hang.

In case you see a sed.cfexe error with the option to send a report or not, choose "don't send".

 

When finished and after reboot (in case it rebooted), combofix will open again to gather the necessary information for the log. This may take a bit. When done, Combofix will close and a log should open, combofix.txt.

--------------------------------------------------------------------------------------------------------------------------------------

 

 

OK, now I checked; I didn't see combofix.txt in my C: folder or in the ComboFix folder (a lot of stuff in that), and it DIDN'T open. When my comp restarted, something tried to open and asked what program to open it with. I tried selecting ComboFix, nothing; then I tried using a web service to open it, and my internet connection wasn't working, so it never worked and never did what it was trying to do (ComboFix).

 

I've been trying to search my computer for it (in case it was ever made), even though I can get the search thing to open, unlike most programs (I wasn't even able to install the ESET NOD32 free trial version; it told me something that I understood as a missing component or driver or something that ComboFix temporarily did something to before it failed to complete its job?). I'm extremely hungry; I'm gonna go cook lunch, then I'll come back and try HijackThis and cross my fingers....

 

Thanks again


OK, I tried to download HijackThis. After selecting a new folder in the C drive, it says "Windows cannot open this file; to open this file Windows needs to know what program created it". I then selected "use web service to find program to open it", since I wouldn't know what to select from that list, and I got this:

 

File Type: Unknown

 

Description: Windows does not recognize this file type.

 

And yes, I do still have my Windows discs... however this would be the 2nd time uninstalling and reinstalling it... is that bad? I hope I don't have to do that; this time I won't have someone right here helping me/doing it for me, and it took hours, and I lose everything of course :) Please tell me I don't have to resort to that :-/

 

Thanks again for the help guys (or guy and girl, to be politically correct), God bless. Guess I'll just check back; if you guys get me through this (even if you can't) I'll tell the company when I undo my dispute (see a post above) what great help I got and from whom. Thanks again. Oh yeah, back to my question: are you guys the support team? Thanks again


Hi

 

Sounds like a file association is broken.

 

If you are running Windows XP then follow the instructions below. If you are not running XP do not follow these instructions but post back with the version of Windows you have.

 

For Windows XP first download the appropriate registry file fixes from Doug Knox's web site at

 

http://www.dougknox.com/xp/file_assoc.htm

 

Download these and unzip them into a folder.

 

COM File Association Fix (Restore the default associations for COM files)

EXE File Association Fix (Restore default association for EXE files)

 

The hardest part is to restore the exe association. Follow the instructions at the top of Doug Knox's web site on how to start Regedit from within Task Manager. Follow these instructions exactly and Regedit should start.

 

NOTE: If your EXE file associations are corrupted, it can be difficult to open REGEDIT, or to even import REG files. To work around this, press CTRL-ALT-DEL and open Task Manager. Once there, click File, then hold down the CTRL key and click New Task (Run). This will open a Command Prompt window. Enter REGEDIT.EXE and press Enter.

 

Now import the two reg files you downloaded above in turn. In Regedit select File, then select Import, and browse to each reg file in turn. If prompted to confirm the merge, select Yes to accept. If you are using Ad-Watch, then ensure you allow Ad-Watch to accept these changes.

 

Now try to run HijackThis and if it works post a log.

 

Many thanks


Agree with Ad-Astra's observation - follow his instructions to get that fixed.

 

And no, we're not the support team - The Support Center is here:

http://www.lavasoft.com/support/supportcenter/

They do tech support for Ad-Aware (not malware removal).

 

But, since that machine is infected (and, apparently, file associations are not working), we need to get that squared away first, and then, if Ad-Aware still doesn't work, we will send you to the Support Center for assistance to get it going.

 

Many of today's infections will hamper and interfere with Ad-Aware on a fresh install. Best to get rid of the malware first, once we find out what it is.


OK, tried the exe fix first, followed the directions at the top, extracted it to my C drive, then double-clicked it, added the info to my registry, then opened it with Notepad and got this; have no clue what to do :)

 

Windows Registry Editor Version 5.00

 

[HKEY_CLASSES_ROOT\.exe]

@="exefile"

"Content Type"="application/x-msdownload"

 

[HKEY_CLASSES_ROOT\.exe\PersistentHandler]

@="{098f2470-bae0-11cd-b579-08002b30bfeb}"

 

[HKEY_CLASSES_ROOT\exefile]

@="Application"

"EditFlags"=hex:38,07,00,00

"TileInfo"="prop:FileDescription;Company;FileVersion"

"InfoTip"="prop:FileDescription;Company;FileVersion;Create;Size"

 

[HKEY_CLASSES_ROOT\exefile\DefaultIcon]

@="%1"

 

[HKEY_CLASSES_ROOT\exefile\shell]

 

[HKEY_CLASSES_ROOT\exefile\shell\open]

"EditFlags"=hex:00,00,00,00

 

[HKEY_CLASSES_ROOT\exefile\shell\open\command]

@="\"%1\" %*"

 

[HKEY_CLASSES_ROOT\exefile\shell\runas]

 

[HKEY_CLASSES_ROOT\exefile\shell\runas\command]

@="\"%1\" %*"

 

[HKEY_CLASSES_ROOT\exefile\shellex]

 

[HKEY_CLASSES_ROOT\exefile\shellex\DropHandler]

@="{86C86720-42A0-1069-A2E8-08002B30309D}"

 

[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers]

 

[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\PEAnalyser]

@="{09A63660-16F9-11d0-B1DF-004F56001CA7}"

 

[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\PifProps]

@="{86F19A00-42A0-1069-A2E9-08002B30309D}"

 

[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\ShimLayer Property Page]

@="{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"

 

 

 

AND YES, a lot of things aren't working; when the malware tries to open, it can't because the driver isn't there... Is there a way I can undo COMBOFIX? Hopefully I can get this exe fix thing to work :/ Thanks again everyone

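Added example, not from the thread or from Doug Knox's fix files: a Python checker that parses a .reg export like the EXE fix posted above and verifies what the .exe association resolves to, so a reviewer can confirm a fix before merging it or spot an association that still points at something other than the stock "%1" %* command. The good sample is an excerpt of the posted file; the tampered sample and the C:\EXAMPLE\loader.exe path in it are constructed placeholders.

```python
"""Parse a Windows .reg export and check the .exe file association.

Defender-side check: a stock XP association is
    HKCR\\.exe  (Default) = exefile
    HKCR\\exefile\\shell\\open\\command  (Default) = "%1" %*
Anything else in the open command means every double-clicked EXE is
routed through another program first, which is the symptom the
thread is chasing.
"""
import re

SECTION = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE = re.compile(r'^(?P<name>@|"(?:[^"\\]|\\.)*")=(?P<data>.*)$')
DEFAULT_OPEN = '"%1" %*'

# Excerpt of the EXE File Association Fix posted in this thread.
GOOD_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"

[HKEY_CLASSES_ROOT\exefile]
@="Application"
"EditFlags"=hex:38,07,00,00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
"""

# Constructed sample (hypothetical loader path) showing an open command
# that no longer runs the clicked file directly.
TAMPERED_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="exefile"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\EXAMPLE\\loader.exe\" \"%1\" %*"
"""


def _unescape(s):
    """Undo .reg string escaping: \\" -> " and \\\\ -> \\."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_reg(text):
    """Return {lower-cased key path: {value name: value}}; '@' is the default value.
    String data is unescaped; hex:/dword: data is kept as the raw text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = SECTION.match(line)
        if m:
            current = m.group("key").lower()
            keys.setdefault(current, {})
            continue
        m = VALUE.match(line)
        if m and current is not None:
            raw_name = m.group("name")
            name = "@" if raw_name == "@" else _unescape(raw_name[1:-1])
            data = m.group("data")
            if data.startswith('"') and data.endswith('"'):
                keys[current][name] = _unescape(data[1:-1])
            else:
                keys[current][name] = data
    return keys


def check_exe_association(keys):
    """Follow .exe -> ProgID -> shell\\open\\command and report deviations."""
    problems = []
    progid = keys.get("hkey_classes_root\\.exe", {}).get("@")
    if progid != "exefile":
        problems.append(f".exe maps to {progid!r}, expected 'exefile'")
    cmd_key = "hkey_classes_root\\" + (progid or "exefile").lower() + "\\shell\\open\\command"
    cmd = keys.get(cmd_key, {}).get("@")
    if cmd != DEFAULT_OPEN:
        problems.append(f"open command is {cmd!r}, expected {DEFAULT_OPEN!r}")
    return problems


if __name__ == "__main__":
    for label, text in (("posted fix", GOOD_REG), ("tampered sample", TAMPERED_REG)):
        print(label, "->", check_exe_association(parse_reg(text)) or "OK")
```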

Task Manager wasn't working even before I ran ComboFix... I tried the exe first; I already posted on how far I got till I was clueless about what to do, and I did read the directions at the top of that page. Thanks again

 

And nope, I'm definitely not getting that thing running. I'll try the other one now, and if I get any farther I'll reply shortly. I've upped my security settings but my computer's still under attack big time... put it like this: 3 times I tried to run Search, and all 3 times I had to hit the button on my computer to turn it off after it wouldn't allow me to do anything.

 

Please tell me what I do now? Thanks again everyone


You didn't need to open the registry fix in Notepad. But if you ran the registry fix file as instructed and you got the prompt to merge to the registry (and then answered yes), you should now be able to run HijackThis to produce a log. Would you do that now please? Run HijackThis and post a log from it here.


IT WORKED! Yes! You guys are awesome! I didn't even know that exe thing did anything! Thanks so much! I'll try the other one and see if I can regain access to Task Manager, if that's what that one's for?

 

Here's the log, thanks again Jane and everyone else!!!

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 21:29, on 2007-11-12

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\WINDOWS\system32\vvgeowbv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\Program Files\WinRAR\WinRAR.exe

C:\Program Files\WinRAR\WinRAR.exe

C:\Program Files\Musicmatch\Musicmatch Jukebox\MMJB.EXE

C:\Program Files\Musicmatch\Musicmatch Jukebox\MMDiag.exe

C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe

C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_director.exe

C:\PROGRA~1\MUSICM~1\MUSICM~1\MM_TDM~1.EXE

C:\Program Files\Musicmatch\Musicmatch Jukebox\mmjbburn.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\hijackthis\HiJackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://myspace.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R3 - URLSearchHook: (no name) - - (no file)

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\vvgeowbv.exe,C:\WINDOWS\system32\userinit.exe

O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)

O2 - BHO: (no name) - {00000012-890e-4aac-afd9-eff6954a34dd} - (no file)

O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {06dfedaa-6196-11d5-bfc8-00508b4a487d} - (no file)

O2 - BHO: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)

O2 - BHO: (no name) - {1adbcce8-cf84-441e-9b38-afc7a19c06a4} - (no file)

O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)

O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL

O2 - BHO: (no name) - {51641ef3-8a7a-4d84-8659-b0911e947cc8} - (no file)

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - (no file)

O2 - BHO: (no name) - {54645654-2225-4455-44A1-9F4543D34546} - (no file)

O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)

O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O2 - BHO: (no name) - {944864a5-3916-46e2-96a9-a2e84f3f1208} - (no file)

O2 - BHO: (no name) - {9ADEF81F-61F1-300D-DA5C-3BE679A25F92} - C:\WINDOWS\system32\bzu.dll (file missing)

O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)

O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)

O2 - BHO: (no name) - {bb936323-19fa-4521-ba29-eca6a121bc78} - (no file)

O2 - BHO: aivskurq.msdn_hlp - {BF442538-BE32-4055-A549-2F3B699F55EB} - C:\WINDOWS\system32\aivskurq.dll

O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)

O2 - BHO: (no name) - {C4B1AF23-6398-6438-BF2F-3C7611180095} - C:\WINDOWS\system32\mqdg.dll (file missing)

O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)

O2 - BHO: (no name) - {c5af2622-8c75-4dfb-9693-23ab7686a456} - (no file)

O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)

O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)

O2 - BHO: (no name) - {e9147a0a-a866-4214-b47c-da821891240f} - (no file)

O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)

O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll

O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL

O4 - HKLM\..\Run: [combofix] "C:\WINDOWS\system32\cmd.exe" /c "cd /d C:\ComboFix\ & Combobatch.bat"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe

O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html

O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html

O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html

O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html

O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm

O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{2159AC53-6EBF-40B8-AE36-CE84ECAE6D8A}: NameServer = 208.67.220.220,208.67.222.222

O17 - HKLM\System\CCS\Services\Tcpip\..\{5A17690B-9F65-4F58-80C3-B36E93AB2BCF}: NameServer = 208.67.220.220,208.67.222.222

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222

O17 - HKLM\System\CS1\Services\Tcpip\..\{2159AC53-6EBF-40B8-AE36-CE84ECAE6D8A}: NameServer = 208.67.220.220,208.67.222.222

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: Application Layer Gateway Service (ALG) - Unknown owner - cmd.exe (file missing)

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

 

--

End of file - 9060 bytes

 

 

OK, I just did the COM fix... what was that for? If it was for Task Manager, it's still disabled ;)


Thanks for the HijackThis log - it is showing a Vundo infection, and that is likely what is blocking Ad-Aware and also causing all the problems. It's not a really easy one to remove.

 

Download this free tool (SREng), which we'll use to fix all file associations; then we need to move on to getting rid of the infection causing the problems, and that's going to take some diagnostics and multiple steps to fix.

 

First, make a new folder on your desktop called SReng to put the file into.

 

Then please download SREng

http://www.kztechs.com/eng/download.html

 

1. Extract it to the folder you made on the Desktop & double-click SREng.exe to run it

 

2. Select 'Smart Scan' & tick "Verify Digital Signatures"

 

3. Click on the [scan] button

 

4. When finished, click on the [Save Reports] button & save the log to the Desktop

 

5. Post the contents of the log in your next reply.

................................................

Could you next please run this free tool to make a log:

 

Download Combofix and save it to your desktop.

 

**Note: It is important that it is saved directly to your desktop**

 

--------------------------------------------------------------------

 

1. Close any open browsers.

 

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

 

--------------------------------------------------------------------

 

Double-click on combofix.exe & follow the prompts.

  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

Note:

Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

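Added example, not from the thread or from HijackThis itself: a small Python triage script that applies, over the log format above, the structural checks a log reviewer makes by hand (extra UserInit loaders in the F2 line, BHO and service entries whose binary is missing, startup entries that spawn cmd.exe, browser helpers loaded straight from system32). The sample lines are copied from the log posted above; the ComboFix Run entry comes out as "review" only because it spawns cmd.exe, which on this machine is expected.

```python
"""Triage a HijackThis log with rule-based checks.

The rules encode what a reviewer looks at first: the F2 UserInit line
(which should name only userinit.exe), O2/O3 browser add-ons, O4
startup entries and O23 services. They are heuristics for review,
not a signature database.
"""
import re

# Lines copied from the HijackThis log posted earlier in this thread,
# plus the benign ctfmon/aawservice lines from the same log as controls.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\vvgeowbv.exe,C:\WINDOWS\system32\userinit.exe
O2 - BHO: (no name) - {9ADEF81F-61F1-300D-DA5C-3BE679A25F92} - C:\WINDOWS\system32\bzu.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: aivskurq.msdn_hlp - {BF442538-BE32-4055-A549-2F3B699F55EB} - C:\WINDOWS\system32\aivskurq.dll
O4 - HKLM\..\Run: [combofix] "C:\WINDOWS\system32\cmd.exe" /c "cd /d C:\ComboFix\ & Combobatch.bat"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Application Layer Gateway Service (ALG) - Unknown owner - cmd.exe (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
"""

HJT_LINE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
USERINIT = "\\system32\\userinit.exe"


def parse_hjt(text):
    """Yield (section, body, raw_line) for every 'Xn - ...' entry."""
    entries = []
    for raw in text.splitlines():
        raw = raw.strip()
        m = HJT_LINE.match(raw)
        if m:
            entries.append((m.group("section"), m.group("body"), raw))
    return entries


def check_userinit(body):
    """Return every UserInit loader that is not the stock userinit.exe."""
    _, _, value = body.partition("UserInit=")
    loaders = [p.strip() for p in value.split(",") if p.strip()]
    return [p for p in loaders if not p.lower().endswith(USERINIT)]


def triage(text):
    """Return (severity, section, reason, raw_line) findings in log order."""
    findings = []
    for section, body, raw in parse_hjt(text):
        low = body.lower()
        if section == "F2" and "UserInit=" in body:
            for extra in check_userinit(body):
                findings.append(("high", section, f"extra UserInit loader: {extra}", raw))
        elif section in ("O2", "O3"):
            if body.endswith("(file missing)"):
                findings.append(("medium", section, "registered DLL is missing on disk", raw))
            elif "\\system32\\" in low and low.endswith(".dll"):
                findings.append(("review", section, "browser helper loaded from system32", raw))
        elif section == "O4" and "cmd.exe" in low:
            findings.append(("review", section, "startup entry spawns cmd.exe", raw))
        elif section == "O23" and ("(file missing)" in body or "Unknown owner" in body):
            findings.append(("high", section, "service binary missing or owner unknown", raw))
    return findings


def summarize(findings):
    """Count findings per severity."""
    counts = {}
    for severity, *_ in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for severity, section, reason, raw in results:
        print(f"[{severity:6}] {section}: {reason}\n         {raw}")
    print(summarize(results))
```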

CHECK IT OUT! Thanks to the help from you guys, after doing the exe and com fixes I tried System Restore for like a month ago; didn't work, so I tried the restore point from before ComboFix did what it did, I guess? Pretty much everything seems to be working, Ad-Aware... Oh, by the way, Spybot Search & Destroy, which is working again, finds something with the words "task manager" in it; when I fix that, Task Manager works, but then the darn thing comes back. I just updated Spybot and immunized 56 new things... I'm hoping it was one of them.

 

Now the thing is, Internet Speed Monitor still can't bring up its popups because of whatever ComboFix previously did (however other malware occasionally gets past Ad-Watch, which is blocking like 200 things a minute or something). When I run a smart scan on Ad-Aware it finds like 14 entries with high TAC levels like 5's, 7's, 8's and 9's.

 

ComboFix is on my desktop right now; is it supposed to look like a red circle with a black X in the center?

 

Now that I gave you my update, what should I do now? Do EVERYTHING listed above? Give you a new HijackThis log first? Let me know, just give me the go-ahead, and hopefully I'll have enough time to get it all done before work tomorrow night. It's 4:15 am, I just got home, and I'll be sleeping in pretty late; I need my sleep.... I feel like this is all-out war with this darn malware and I need a break tonight :/

 

Thanks again, you guys are freaking awesome

 

P.S. When System Restore did its thing and went back to the restore point ComboFix put in, that thing from the ComboFix program tried to open; Windows needed to know what program created it, etc. THIS TIME I wrote it down; think this is it? rstrui.exe, pretty sure; I've written a lot down... Anyway, I tried to open it through combofix.exe in my ComboFix folder in the C drive; I don't think it did anything though.


If you could just follow my directions above (last posted) instead of trying other things to "fix", we could make a lot more progress. The symptoms you describe are consistent with needing to fix the file associations and then run ComboFix, which produces a log for me to review, and I can direct you from there. Please don't take any other actions for now, because this infection can "reinvent" itself when you are not successful in removing it entirely. That is why I need you to do those steps I asked.

 

And yes, the ComboFix icon is a red circle with a white x in it. So if you already have it, please run it now and post the log it makes, then also run HijackThis and post a new log from it right after running ComboFix so we can advise next steps. Don't mess with System Restore any further. ComboFix makes a fresh restore point, but you do not need to do anything with that right now - just run ComboFix and post the log please.

 

Did you also download SREng? That is important for any broken file associations that still need to be fixed.

im too fed up with all this i dont like what happened the last time i did it but lol im willing to try combofix again ill post tonight, and i dont feel the need to do the SRE thing im 100 percent sure all my file association stuff is back to normal after system restore was done, thanks again ill post after im done with this movie


heres my combo fix log ;)

 

shoulda done it awhile ago im sorry i was really worried it would happen again without system restore and u guys know what happened a long time ago

 

ComboFix 07-12-02.7 - Owner 2007-12-04 0:05:03.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.72 [GMT -5:00]

Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe

* Created a new restore point

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin.zip

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin1.zip

C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\#SharedObjects\R9M9UTAA\www.broadcaster.com

C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com

C:\Documents and Settings\Owner\Application Data\YMBOLS~1

C:\Program Files\akl

C:\Program Files\akl\akl.dll

C:\Program Files\akl\akl.exe

C:\Program Files\akl\curlog.htm

C:\Program Files\akl\keylog.txt

C:\Program Files\akl\readme.txt

C:\Program Files\akl\uninstall.exe

C:\Program Files\akl\unsetup.dat

C:\Program Files\akl\unsetup.exe

C:\Program Files\amsys

C:\Program Files\amsys\awmsg.dat

C:\Program Files\amsys\mfc42.dll

C:\Program Files\amsys\msvcrt.dll

C:\Program Files\amsys\unins000.dat

C:\Program Files\amsys\unis000.exe

C:\Program Files\amsys\winam.dat

C:\Program Files\Common Files\smante~1

C:\Program Files\crosof~1

C:\Program Files\crosof~1\j?vaw.exe

C:\Program Files\e-zshopper

C:\Program Files\e-zshopper\BarLcher.dll

C:\Program Files\ISM2

C:\Program Files\ISM2\ISMPack5.exe

C:\Program Files\p2pnetworks

C:\Program Files\p2pnetworks\amp2pl.exe

C:\Program Files\QdrModule

C:\Program Files\QdrModule\dic.gz

C:\Program Files\QdrModule\kwd.gz

C:\Program Files\QdrModule\QdrModule9.exe

C:\Program Files\sstem3~1

C:\WINDOWS\aconti.exe

C:\WINDOWS\adbar.dll

C:\WINDOWS\cbinst$.exe

C:\WINDOWS\daxtime.dll

C:\WINDOWS\dp0.dll

C:\WINDOWS\ecurit~1

C:\WINDOWS\eventlowg.dll

C:\WINDOWS\fhfmm-Uninstaller.exe

C:\WINDOWS\fhfmm.exe

C:\WINDOWS\flt.dll

C:\WINDOWS\hotporn.exe

C:\WINDOWS\ie_32.exe

C:\WINDOWS\jd2002.dll

C:\WINDOWS\kkcomp$.exe

C:\WINDOWS\kkcomp.dll

C:\WINDOWS\kkcomp.exe

C:\WINDOWS\liqad$.exe

C:\WINDOWS\liqad.dll

C:\WINDOWS\liqad.exe

C:\WINDOWS\liqui-Uninstaller.exe

C:\WINDOWS\liqui.dll

C:\WINDOWS\liqui.exe

C:\WINDOWS\mcroso~1.net

C:\WINDOWS\ngd.dll

C:\WINDOWS\pbar.dll

C:\WINDOWS\racle~1

C:\WINDOWS\racle~1\?racle\

C:\WINDOWS\spredirect.dll

C:\WINDOWS\system32\dpqaqlqx.bin

C:\WINDOWS\system32\ESHOPEE.exe

C:\WINDOWS\system32\kddkq.exe

C:\WINDOWS\system32\msole32.exe

C:\WINDOWS\system32\nusrmgr.exe

C:\WINDOWS\system32\sznf.ascii

C:\WINDOWS\system32\wcpisvtr.exe

C:\WINDOWS\vxddsk.exe

C:\WINDOWS\wml.exe

C:\WINDOWS\xadbrk.dll

C:\WINDOWS\xadbrk.exe

C:\WINDOWS\xadbrk_.exe

C:\WINDOWS\xxxvideo.exe

 

.

((((((((((((((((((((((((( Files Created from 2007-11-04 to 2007-12-04 )))))))))))))))))))))))))))))))

.

 

2007-11-13 01:28 . 2002-02-27 14:12 2,600 --a------ C:\xp_exe_fix.reg

2007-11-13 01:25 . 2002-02-27 14:12 2,034 --a------ C:\xp_com_fix.reg

2007-11-13 00:56 . 2007-11-13 00:56 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard

2007-11-12 16:22 . 2007-11-15 14:04 <DIR> d-------- C:\hijackthis

2007-11-11 06:53 . 2007-11-13 01:12 <DIR> d-------- C:\Program Files\amsys(2)

2007-11-11 06:53 . 2007-11-13 01:12 <DIR> d-------- C:\Program Files\akl(2)

2007-11-11 05:54 . 2007-07-09 08:16 582,656 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2007-11-23 02:25 --------- d-----w C:\Program Files\DivX

2007-11-15 20:01 --------- d-----w C:\Documents and Settings\Owner\Application Data\MegauploadToolbar

2007-11-14 04:31 18,432 ----a-w C:\WINDOWS\fkwggshm.exe

2007-11-13 05:56 --------- d-----w C:\Program Files\Lavasoft

2007-11-13 05:56 --------- d-----w C:\Program Files\AntispyStorm

2007-11-13 05:56 --------- d-----w C:\Documents and Settings\Owner\Application Data\Lavasoft

2007-11-11 10:19 --------- d-----w C:\Program Files\Plaxo

2007-10-20 00:56 43,528 ------w C:\WINDOWS\system32\drivers\pxhelp20.sys

2006-04-22 05:15 17,765,056 ----a-w C:\Program Files\DivXBundle.exe

2006-04-22 05:06 558,749 ----a-w C:\Program Files\uTorrent-1.5-install.exe

2006-03-06 03:54 5,846,632 ----a-w C:\Program Files\winzip100.exe

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{029e02f0-a0e5-4b19-b958-7bf2db29fb13}]

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71}]

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{51641ef3-8a7a-4d84-8659-b0911e947cc8}]

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54645654-2225-4455-44A1-9F4543D34546}]

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6abc861a-31e7-4d91-b43b-d3c98f22a5c0}]

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a4a435cf-3583-11d4-91bd-0048546a1450}]

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BF442538-BE32-4055-A549-2F3B699F55EB}]

2006-11-10 23:04 21504 --a------ C:\WINDOWS\system32\aivskurq.dll

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c2680e10-1655-4a0e-87f8-4259325a84b7}]

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c4ca6559-2cf1-48b6-96b2-8340a06fd129}]

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d8efadf1-9009-11d6-8c73-608c5dc19089}]

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9147a0a-a866-4214-b47c-da821891240f}]

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9306072-417e-43e3-81d5-369490beef7c}]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]

 

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26]

ymetray.lnk - C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe [2007-10-03 12:56:10]

 

R3 AIRPLUS;D-Link AirPlus Wireless Adapter;C:\WINDOWS\system32\DRIVERS\AIRPLUS.sys

 

*Newly Created Service* - HTTPFILTER

.

Contents of the 'Scheduled Tasks' folder

"2007-12-04 05:00:00 C:\WINDOWS\Tasks\A49B1E2293088F3E.job"

- c:\docume~1\owner\applic~1\axiswa~1\Exitsecondfilm.exe

"2007-12-03 08:00:02 C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job"

- C:\Program Files\AdwareAlert\AdwareAlert.ex

- C:\Program Files\AdwareAlert

.

**************************************************************************

 

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2007-12-04 00:14:21

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

Completion time: 2007-12-04 0:15:53 - machine was rebooted

.

--- E O F ---

 

 

 

so what do i do now? im ready no more delaying(i was worried lol) thanks again so much, strangers willing to help n get nothing out of it makes me realize that maybe theres less completely selfish scumbags in the world and more self-less people.... out here where i live its disgusting :/

 

thanks again jane and everyone else!!!!!


Open notepad and copy/paste the text you see in the whitespace of the quotebox below into it (but not the word: quote)

 

File::

C:\WINDOWS\fkwggshm.exe

C:\WINDOWS\system32\vvgeowbv.exe

c:\docume~1\owner\applic~1\axiswa~1\Exitsecondfilm.exe

C:\WINDOWS\Tasks\A49B1E2293088F3E.job

 

Folder::

C:\Program Files\AntispyStorm

 

Save this as CFScript.txt, in the same location as ComboFix.exe

 

 

[Image: CFScript.gif]

 

Referring to the picture above, drag CFScript into ComboFix.exe

 

When finished, it shall produce a log for you at "C:\ComboFix.txt"

 

 

 

Note:

Do not mouseclick combofix's window whilst it's running. That may cause it to stall

..............

Please next scan with Hijackthis to make a fresh log and post that along with the new ComboFix log from the above

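As an added illustration of how a CFScript like the one above is put together from the ComboFix log posted earlier (example code written for this thread, not part of ComboFix and not the helper's own tooling): the Python below parses the "Contents of the 'Scheduled Tasks' folder" section of a constructed log excerpt modelled on that post, flags jobs with the traits an analyst would weigh (a job named with a bare hex string, an executable launched from a user's Application Data folder, paths written with 8.3 short names), and renders the `File::` / `Folder::` layout the helper describes so a human can review it. The heuristics, function names and the `SAMPLE_LOG` text are this example's own assumptions; the paths inside it are the ones that appear in the thread.

```python
"""Draft a CFScript from the Scheduled Tasks section of a ComboFix-style log.

Added example for this thread; not part of ComboFix. The heuristics below are
illustrative analyst triage rules, not anything ComboFix itself applies.
"""
import re
from dataclasses import dataclass, field

# Constructed sample, modelled on the 'Scheduled Tasks' section of the log
# posted in the thread (paths taken from that post).
SAMPLE_LOG = (
    "Contents of the 'Scheduled Tasks' folder\n"
    '"2007-12-04 05:00:00 C:\\WINDOWS\\Tasks\\A49B1E2293088F3E.job"\n'
    "- c:\\docume~1\\owner\\applic~1\\axiswa~1\\Exitsecondfilm.exe\n"
    '"2007-12-03 08:00:02 C:\\WINDOWS\\Tasks\\AdwareAlert Scheduled Scan.job"\n'
    "- C:\\Program Files\\AdwareAlert\\AdwareAlert.ex\n"
    "- C:\\Program Files\\AdwareAlert\n"
    ".\n"
)

JOB_LINE = re.compile(r'^"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (.+\.job)"$')
TARGET_LINE = re.compile(r"^- (.+)$")
HEX_STEM = re.compile(r"^[0-9A-Fa-f]{12,}$")   # e.g. A49B1E2293088F3E
SHORT_NAME = re.compile(r"~\d+(?:\\|$)")      # 8.3 names such as applic~1


@dataclass
class Task:
    last_run: str
    job_path: str
    targets: list = field(default_factory=list)


def parse_scheduled_tasks(log_text):
    """Return the .job entries and the target lines ('- path') listed under each."""
    tasks, in_section = [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("Contents of the 'Scheduled Tasks' folder"):
            in_section = True
            continue
        if not in_section:
            continue
        m = JOB_LINE.match(line)
        if m:
            tasks.append(Task(m.group(1), m.group(2)))
            continue
        m = TARGET_LINE.match(line)
        if m and tasks:
            tasks[-1].targets.append(m.group(1))
            continue
        if line == "." and tasks:      # ComboFix closes each section with a lone dot
            break
    return tasks


def suspicious_reasons(task):
    """Analyst triage heuristics (assumed for this example); empty list = no flags."""
    reasons = []
    stem = task.job_path.rsplit("\\", 1)[-1][:-len(".job")]
    if HEX_STEM.match(stem):
        reasons.append("job named with a bare hex string instead of a descriptive name")
    for t in task.targets:
        low = t.lower()
        in_profile = "\\docume~1\\" in low or "\\documents and settings\\" in low
        in_appdata = "\\applic~1\\" in low or "\\application data\\" in low
        if in_profile and in_appdata:
            reasons.append(f"target launched from a user's Application Data: {t}")
        if SHORT_NAME.search(t):
            reasons.append(f"target path written with 8.3 short names: {t}")
    return reasons


def draft_cfscript(files, folders):
    """Render the layout the helper describes: 'File::' then one path per line,
    'Folder::' likewise, each block followed by a blank line."""
    lines = []
    if files:
        lines += ["File::", *files, ""]
    if folders:
        lines += ["Folder::", *folders, ""]
    return "\n".join(lines)


def draft_from_log(log_text, extra_files=(), folders=()):
    """Collect flagged tasks (target plus the .job itself), merge analyst-supplied
    extras, de-duplicate preserving order, and return the CFScript text."""
    files = []
    for task in parse_scheduled_tasks(log_text):
        if suspicious_reasons(task):
            files.extend(task.targets)
            files.append(task.job_path)
    files.extend(extra_files)
    seen = set()
    ordered = [f for f in files if not (f in seen or seen.add(f))]
    return draft_cfscript(ordered, list(folders))


if __name__ == "__main__":
    for task in parse_scheduled_tasks(SAMPLE_LOG):
        print(task.job_path, "->", suspicious_reasons(task) or ["no flags"])
    # Extra file and folder are the other entries the helper listed in the thread.
    print(draft_from_log(SAMPLE_LOG,
                         extra_files=["C:\\WINDOWS\\fkwggshm.exe"],
                         folders=["C:\\Program Files\\AntispyStorm"]))
```

On the sample, only the hex-named job and its Application Data target are pulled into the `File::` block; the AdwareAlert task trips none of the heuristics and is left out, which is the point of keeping a reviewer in the loop rather than dropping a generated script onto ComboFix unread.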

sorry jane, i was working up to 13 hour days after accepting a promotion long story short now im out of a job because the owner has no clue what he's doing n doesnt listen meanwhile asking me to help fix what he let get run to the ground...

 

so im back 100 percent... now i get error 5001 trying to use the adaware scanner

 

i had to download a new version of combofix again, now when i try to run it, after saving to desktop i get the windows message desktop/combofix.exe is not a win32 application

 

thank you so much for sticking through my first mistake then foolish apprehension then accepting an offer for a promotion which i shouldnt have :-/ im back and ready... dont know what to do... see if system restore will work to the last time u needed me to get that combofix report?

 

IM BACK 20 minutes later... used sys restore to go 3 days back, same problem with combofix.... not a win32 application ;)

Edited by winzlo


now it wont let me connect to the internet :) im on another computer... should i use any of the programs u guys have had me download? except for combofix being that my computer says its not a win32 application ill be so grateful please help


Hi winzlo.

 

I wasn't getting my email notices of reply so I missed seeing your response here previously - my apologies.

 

Ok, running System Restore, I hope you didn't inadvertently add back in some of the malware we removed by changing your settings to a previous time.

 

ComboFix is an old version by now. Let's delete that one and get the latest version and see what is going on now. In fact, the version of ComboFix you have is expired and should have uninstalled itself when you tried to run it. These newer versions of ComboFix automatically will uninstall after 10 days if you run it after that expiration, FYI

 

Delete ComboFix icon or exe for it if you still have it and let's start with the current version in a new download from here:

 

Download ComboFix and save it to your desktop.

 

**Note: It is important that it is saved directly to your desktop**

 

1. Close any open browsers.

 

2. Double click on combofix.exe & follow the prompts.

  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

Note:

Do not mouseclick combofix's window while it's running. That may cause it to stall


hi jane, i actually drove all the way out to FAU to use the libraries computers being that it will not detect the internet connection routed from my stepfathers computer.... when i turn the computer on it asks for a disc for PCI simple communications..... i dont think its supposed to be doing that? also system restore, i tried over 10 times, will not work, AT ALL.

 

hopefully tonight i can use my stepfathers comp. to check back with you, also combofix that i have downloaded wants to run something called spystorm or some crap... fortunately im not that stupid... now all i need to do is get the net back up so i can re download combofix... any suggestions?

 

when i googled PCI i found a page with a bunch of people saying the same thing about the same problem as mine or similar... the closest thing i found to a solution is someone saying they uninstalled it and now their computer is detecting their modem.... im not even sure what a modem is :wub: geeze i shoulda taken a computer course... dont worry i will as soon as i have the money to take more classes! wish me luck with the economy the way it is :wub:

 

thanks again jane


WHY are you trying to use System Restore? That is not in any of the steps I have given you. Using System restore to a prior (infected) point may have just brought back all the problems we have already fixed. If anything, once we get this computer clean we will clear out all prior restore points and set a fresh new one. So please don't go trying to use System restore at this point, ok?

 

*sigh*

 

A modem is what connects your computer to the internet. PCI is not malware so I don't know what you have done to your connection but it probably isn't the malware problem.
