i want my pc back! Winsys32 Nightmare!
Started by kcooker, Sep 10 2011 11:05 PM
#16
Posted 17 September 2011 - 04:58 AM

Could you run that please and let me know the result
#17
Posted 17 September 2011 - 02:52 PM

OK, I had to go out for a while. I'm going to call in the doctor. What kind of OTL scan do you want me to run after I'm done?
#18
Posted 17 September 2011 - 03:39 PM

Once Dr Web has run, then update ComboFix and run it. If you should get errors on rebooting from ComboFix, then just reboot the system again to clear them.
#19
Posted 17 September 2011 - 04:09 PM

So, you don't want me to run an OTL scan? I almost feel a little better doing that first and having you look at the log. Is it necessary? I noticed as the scan is going, ComboFix is infected. Another issue, which I hope you can help me put my computer back together, is that I'm logged on as my username admin and the PC admin. I know drivers need to . Need to be fixed and I want to set up security for the IPv6 and get a good virus and spyware. I know I'm getting ahead of myself. Do you want me to run any of the fi it or other things on Dr. Web?
#20
Posted 18 September 2011 - 03:09 AM

As Dr Web is reporting ComboFix as being infected, we may be looking at a file infector here. Does it give a name to the infection?
#21
Posted 18 September 2011 - 07:29 PM

The scan is still going; I had it scan everything. It has come up with a couple viruses, trojans and errors. The one assoc with the ComboFix says "prob infected with macro.script.irc.worm.virus". If you want to know any of the other stuff it says, let me know. Do I run any of the other tools of Dr Web's?
#22
Posted 19 September 2011 - 11:15 AM

Could you now restart the computer in normal mode please, download a fresh copy of ComboFix and run that, posting the resultant log.
#23
Posted 19 September 2011 - 07:08 PM

I'll redownload a copy. The thing is, the Dr Web was basically analyzing the files from my phone. My computer isn't my computer. It couldn't scan most of the files - locked, directory doesn't exist, etc. How do I get back to my PC? It is running from some weird root and whatever it is, it changed everything around on my PC.
#24
Posted 19 September 2011 - 07:36 PM

New log:
ComboFix 11-09-19.04 - main 09/19/2011 21:21:18.1.4 - x64
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.4030.3143 [GMT -4:00]
Running from: c:\users\main.ComputerPC\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\main\Desktop\Internet Explorer.lnk
c:\windows\system32\drivers\etc\lmhosts
.
---- Previous Run -------
.
c:\windows\system32\drivers\etc\lmhosts
.
.
((((((((((((((((((((((((( Files Created from 2011-08-20 to 2011-09-20 )))))))))))))))))))))))))))))))
.
.
2011-09-20 01:25 . 2011-09-20 01:25 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-09-15 07:53 . 2011-09-15 07:53 -------- d-----w- c:\windows\SysWow64\Macromed
2011-09-15 06:38 . 2011-09-06 20:45 254400 ----a-w- c:\windows\system32\aswBoot.exe
2011-09-15 05:44 . 2011-09-15 05:44 -------- d-----w- c:\program files\Common Files\Authentium
2011-09-15 05:44 . 2011-09-15 05:44 -------- d-----w- c:\program files (x86)\Common Files\Authentium
2011-09-15 02:14 . 2009-07-14 01:41 257024 ----a-w- c:\windows\system32\Spool\prtprocs\x64\hpzppw72.dll
2011-09-13 23:07 . 2011-09-13 23:07 -------- d-sh--w- c:\windows\SysWow64\AI_RecycleBin
2011-09-13 23:07 . 2011-09-13 23:07 -------- d-----w- c:\programdata\W3i
2011-09-13 23:07 . 2011-09-15 07:09 -------- d-sh--w- c:\windows\Installer
2011-09-13 04:19 . 2011-09-13 04:19 -------- d-----w- c:\programdata\HP
2011-09-12 11:40 . 2011-09-12 12:18 -------- d-----w- C:\## aswSnx private storage
2011-09-12 11:05 . 2011-09-12 11:05 -------- d-----w- c:\program files (x86)\Uniblue
2011-09-12 11:05 . 2011-09-12 11:05 -------- dc-h--w- c:\programdata\{3C0AACBF-B491-4BE5-BAF9-AA46E0629E42}
2011-09-11 06:36 . 2011-09-11 06:36 -------- d-----w- c:\programdata\Malwarebytes
2011-09-11 06:36 . 2011-09-11 16:19 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2011-09-10 10:57 . 2011-09-10 04:13 -------- d-----w- c:\windows\Panther
2011-09-10 10:44 . 2011-09-10 10:44 -------- d-----w- C:\Windows.old.003
2011-09-10 09:55 . 2011-09-13 23:12 -------- d-----w- c:\windows\system32\appmgmt
2011-09-10 09:32 . 2011-09-12 12:17 -------- d-----w- C:\hijackthis
2011-09-10 08:51 . 2011-09-10 09:55 -------- dc----w- c:\windows\system32\DRVSTORE
2011-09-10 08:51 . 2011-09-10 09:55 -------- d-----w- c:\programdata\Lavasoft
2011-09-10 04:35 . 2011-09-13 07:30 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2011-09-10 04:19 . 2011-09-15 07:08 -------- d-----w- c:\programdata\AVAST Software
2011-09-10 04:19 . 2011-09-10 04:19 -------- d-----w- c:\program files\AVAST Software
2011-09-10 04:14 . 2011-09-13 07:31 -------- d-----w- c:\users\main
2011-09-09 20:50 . 2011-09-09 20:50 -------- d-----w- C:\Philips
2011-09-09 20:49 . 2011-09-09 20:53 -------- d-----w- C:\temp
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-03 01:18 . 2011-07-21 12:03 12535496 ----a-w- C:\lpuninstall.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [x]
R3 netr7364;USB Wireless 802.11 b/g Adaptor Driver for Vista;c:\windows\system32\DRIVERS\netr7364.sys [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [x]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
.
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKCU-Run-InstallIQUpdater - c:\program files (x86)\W3i\InstallIQUpdater\InstallIQUpdater.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2011-09-19 21:29:52 - machine was rebooted
ComboFix-quarantined-files.txt 2011-09-20 01:29
.
Pre-Run: 246,936,317,952 bytes free
Post-Run: 246,813,659,136 bytes free
.
- - End Of File - - 637E9A0C5D7E7C1AA17C679853D164C3
The main stuff is locked, I see. What do I do now? I'm on a random desktop somewhere in my PC. How do I get my PC back - operating on its terms, not some random root?
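As an added example (not code from this thread or from ComboFix's authors), a small Python triage script over lines taken from the ComboFix log above: it parses the "Files Created" entries, decodes the attribute letters that appear in the log (the letter mapping and the reading of the trailing `[x]` as a missing driver file are assumptions), and flags hidden/system items and new binaries under the Windows directory for manual review.

```python
import re

# Sample input: lines copied from the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
2011-09-15 06:38 . 2011-09-06 20:45 254400 ----a-w- c:\windows\system32\aswBoot.exe
2011-09-13 23:07 . 2011-09-13 23:07 -------- d-sh--w- c:\windows\SysWow64\AI_RecycleBin
2011-09-13 23:07 . 2011-09-15 07:09 -------- d-sh--w- c:\windows\Installer
2011-09-12 11:05 . 2011-09-12 11:05 -------- dc-h--w- c:\programdata\{3C0AACBF-B491-4BE5-BAF9-AA46E0629E42}
2011-09-10 04:19 . 2011-09-10 04:19 -------- d-----w- c:\program files\AVAST Software
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
"""

# "Files Created" entry: <created> . <modified> <size or dashes> <attrs> <path>
FILE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d) \. (\d{4}-\d\d-\d\d \d\d:\d\d) (\S+) (\S{8}) (.+)$")
# Driver line: <start type> <name>;<description>;<path> [x]
# Assumption: the trailing [x] marks a driver whose file was not found on disk.
DRIVER_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.+?) \[x\]$")

def decode_attrs(attrs):
    """Attribute letters as they occur in the log (assumed mapping; the
    unused positions are not interpreted): d=directory, c=compressed,
    s=system, h=hidden, a=archive, w=writable."""
    return {"dir": attrs[0] == "d", "compressed": attrs[1] == "c",
            "system": attrs[2] == "s", "hidden": attrs[3] == "h",
            "archive": attrs[4] == "a", "writable": attrs[6] == "w"}

def triage(log_text):
    """Return (flagged file entries, drivers whose file is missing).
    Flags are prompts for review, not verdicts: c:\\windows\\Installer is
    hidden+system by default, while a hidden directory in a user-writable
    location deserves a closer look."""
    flagged, missing_drivers = [], []
    for line in log_text.splitlines():
        m = FILE_RE.match(line)
        if m:
            _created, _modified, _size, attrs, path = m.groups()
            a, reasons = decode_attrs(attrs), []
            if a["hidden"]:
                reasons.append("hidden")
            if a["system"]:
                reasons.append("system")
            low = path.lower()
            if (not a["dir"] and "\\windows\\" in low
                    and low.endswith((".exe", ".dll", ".sys"))):
                reasons.append("new binary under Windows directory")
            if reasons:
                flagged.append((path, reasons))
            continue
        m = DRIVER_RE.match(line)
        if m:  # groups: start type, name, description, path
            missing_drivers.append((m.group(2), m.group(4)))
    return flagged, missing_drivers
```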
#25
Posted 20 September 2011 - 11:04 AM

I must admit I cannot see what is causing the problem... My recommendation would be to totally wipe the drive and then reinstall Windows 7 fresh.
Wipe the drive with DBAN; this will clear the entire hard drive of everything.
Then when you reinstall Windows it will create all the partition data.
First though, remember to back up all your data.
#26
Posted 24 September 2011 - 06:14 AM

Due to lack of feedback, this topic has been closed.
If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
#27
Posted 06 November 2011 - 04:31 AM

Download OTL to your Desktop
- Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
- Select All Users
- Under the Custom Scan box paste this in:
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
C:\Windows\assembly\tmp\U\*.* /s
CREATERESTOREPOINT
- Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
- When the scan completes, it will open two Notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
- Post both logs
#28
Posted 09 November 2011 - 08:22 AM

Problems
Did update of HP stuff and a malicious whatever strapped on and changed all my legacy hardware and drivers and made these programs that auto convert (via recovery, Norton, etc) to these changes. I have ActiveX, the root problem - with all of these malicious net drivers, system "scripts/programs that show any yahoo how to delete and change, blah blah blah to my system and really circumvent any security. DNS (the active dnsch or whatever) with a hijack loopy thing. It changed my DVD writable drive into a CD-ROM drive. It also created a subsystem and my BIOS to hpqoem. It created (x86) system. Now I can't even get Windows to load. Now my [bleep] keyboard doesn't work, so I'll get a new one while you recover from my rant.
Things I did find
Lovely thing I found after copying all the root hw/driver crap -
CM_DEVCAP_SURPRISEREMOVALOK
VGA System?
VOLMGRX
A couple malicious programs installed with a program
Active x with a media suite avs - now default
acronis taken over
Lan and ras networks
NVIDIA gonna crazy -
Nvd3dumx.dll, nv3dum,nvwgf2umx.dll,nvwgf2um
WILDSVCM.EXE
CVHSVS.EXE
Wbem
The system32 and win64wow
Ok, I'll stop now. Even w drive wiping and new stuff the registry remains and I know I have a virus. In my mem.
Just frustrated and ranting.
You know I adore you...
KC
#29
Posted 09 November 2011 - 08:26 AM

Also
OS is NT
And I have a virus/Trojan MOZ_PLUGIN_PATH
#30
Posted 09 November 2011 - 12:45 PM

MOZ_PLUGIN_PATH: that is related to a programme where you can change the FF plugin directory.
CM_DEVCAP_SURPRISEREMOVALOK: this one allows you to remove USB drives safely.
Please be cautious when you check out file names on the net, as not everything written is truthful.