
DDS and attach.zip OK help me now pleeeaze


Can we catch these hackers? Am I crazy? Any chance of repair?

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702

Run by Administrator at 17:13:07 on 2012-01-17

AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}

FW: AVG Firewall *Disabled*

.

============== Running Processes ===============

.

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.dell.com

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7227.1100\swg.dll

BHO: ChromeFrame BHO: {ecb3c477-1a0a-44bd-bb57-78f9efe34fa7} - c:\program files\google\chrome frame\application\16.0.912.75\npchrome_frame.dll

TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup

mRun: [intelWireless] "c:\program files\common files\intel\wirelesscommon\iFrmewrk.exe" /tf Intel Wireless Tray

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey

mRun: [spybotSnD] "c:\program files\spybot - search & destroy\SpybotSD.exe" /autocheck /autofix /autoclose

dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\privoxy.lnk - c:\program files\privoxy\privoxy.exe

mPolicies-explorer: NoWelcomeScreen = 1 (0x1)

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partygaming\partypoker\RunApp.exe

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\npjpi150_06.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL

LSP: c:\windows\system32\biolsp.dll

DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://www.pcpitstop.com/betapit/PCPitStop.CAB

DPF: {3D3B42C2-11BF-4732-A304-A01384B70D68} - hxxp://picasaweb.google.com/s/v/56.08/uploader2.cab

DPF: {474F00F5-3853-492C-AC3A-476512BBC336} - hxxp://picasaweb.google.com/s/v/55.16/uploader2.cab

DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} - hxxp://aaserver/ConnectComputer/nshelp.dll

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1219157540244

DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} - hxxp://aaserver/tsweb/msrdp.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab

DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

DPF: {E6BB2089-163F-466B-812A-748096614DFD} - hxxp://cainternetsecurity.net/scanner/cascanner.cab

Handler: gcf - {9875BFAF-B04D-445E-8A69-BE36838CDE3E} - c:\program files\google\chrome frame\application\16.0.912.75\npchrome_frame.dll

Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - c:\program files\intuit\quickbooks 2010\HelpAsyncPluggableProtocol.dll

Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} -

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

LSA: Authentication Packages = msv1_0 wvauth

.

============= SERVICES / DRIVERS ===============

.

.

=============== Created Last 30 ================

.

2012-01-17 18:57:29 56200 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{eab44dbb-68a8-4746-bc08-3e95153efbfb}\offreg.dll

2012-01-17 18:57:23 6823496 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{eab44dbb-68a8-4746-bc08-3e95153efbfb}\mpengine.dll

2012-01-17 18:36:33 -------- d-sha-r- C:\cmdcons

2012-01-17 18:34:14 98816 ----a-w- c:\windows\sed.exe

2012-01-17 18:34:14 518144 ----a-w- c:\windows\SWREG.exe

2012-01-17 18:34:14 256000 ----a-w- c:\windows\PEV.exe

2012-01-17 18:34:14 208896 ----a-w- c:\windows\MBR.exe

2012-01-17 09:10:20 -------- d-----w- C:\bd_logs

2012-01-17 02:07:41 98224 ----a-w- c:\windows\system32\drivers\05562270.sys

2012-01-16 23:13:38 18432 ----a-w- c:\windows\system32\drivers\TClass2k.sys

2012-01-16 23:13:37 14848 ----a-w- c:\windows\system32\drivers\UCTblHid.sys

2012-01-16 05:06:07 -------- d-----w- c:\documents and settings\administrator\SecurityScans

2012-01-16 04:26:58 -------- d--h--w- c:\windows\$hf_mig$

2012-01-16 02:15:34 -------- d-sh--w- c:\documents and settings\administrator\PrivacIE

2012-01-16 02:08:25 98224 ----a-w- c:\windows\system32\drivers\46067842.sys

2012-01-15 10:36:31 98224 ----a-w- c:\windows\system32\drivers\41550288.sys

2012-01-15 10:27:06 -------- d-----w- C:\TDSSKiller_Quarantine

2012-01-15 10:09:34 54016 ----a-w- c:\windows\system32\drivers\uwco.sys

2012-01-15 09:24:33 98224 ----a-w- c:\windows\system32\drivers\44765034.sys

2012-01-15 09:18:33 2864 ----a-w- c:\windows\ctrl2cap.nt4.sys

2012-01-15 09:18:33 2832 ----a-w- c:\windows\ctrl2cap.nt5.sys

2012-01-15 09:18:33 10104 ----a-w- c:\windows\ctrl2cap.amd.sys

2012-01-15 09:18:26 6098944 ----a-w- c:\windows\dd-wrt.v24_mega_atheros_generic.bin

2012-01-15 09:18:26 3760160 ----a-w- c:\windows\dd-wrt.v24_std_wrt600n.bin

2012-01-15 09:18:26 3760128 ----a-w- c:\windows\dd-wrt.v24_std_generic.bin

2012-01-15 09:18:26 3698688 ----a-w- c:\windows\dd-wrt.v24_vpn_generic.bin

2012-01-15 09:18:25 3477562 ----a-w- c:\windows\f5d8231-4 v2000 ww v2.01.27.bin

2012-01-15 09:14:26 118132 ----a-w- c:\windows\580009.kmz

2012-01-15 09:14:06 3739423 ----a-w- c:\windows\f5d8232-4 ww v1.00.15.bin

2012-01-15 09:14:06 2675587 ----a-w- c:\windows\f5d8232-4 ww v2.00.04.bin

2012-01-15 09:12:20 2133 ----a-w- c:\windows\WatsonAlertHelp.htm

2012-01-15 09:12:01 5078 ----a-w- c:\windows\imagedata_rotate.pmp

2012-01-15 09:07:05 24 ----a-w- c:\windows\JobRecs.bin

2012-01-15 09:07:05 1848 ----a-w- c:\windows\FaxRecs.bin

2012-01-15 09:06:27 67584 ----a-w- c:\windows\swadcmpr.x32

2012-01-15 09:06:27 40960 ----a-w- c:\windows\Sound Control.x32

2012-01-15 09:05:14 58700 ----a-w- c:\windows\UserCache.bin

2012-01-15 09:00:48 -------- d-----w- c:\documents and settings\administrator\application data\Malwarebytes

2012-01-15 09:00:30 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes

2012-01-15 09:00:29 20464 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-01-15 09:00:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2012-01-15 08:47:02 -------- d-----w- c:\documents and settings\administrator\local settings\application data\PCHealth

2012-01-15 08:20:32 8192 ----a-w- c:\windows\system32\wshirda.dll

2012-01-15 08:20:32 8192 ----a-w- c:\windows\system32\dllcache\wshirda.dll

2012-01-15 08:20:32 28160 ----a-w- c:\windows\system32\irmon.dll

2012-01-15 08:20:32 28160 ----a-w- c:\windows\system32\dllcache\irmon.dll

2012-01-15 08:20:31 151552 ----a-w- c:\windows\system32\irftp.exe

2012-01-15 08:20:31 151552 ----a-w- c:\windows\system32\dllcache\irftp.exe

2012-01-15 05:34:33 49265 ----a-w- c:\windows\system32\jpicpl32.cpl

2012-01-12 22:19:46 13114 ----a-w- c:\windows\khTemp_45.kmz

2012-01-07 05:24:44 -------- d-----w- c:\windows\system32\wbem\repository\FS

2012-01-07 05:24:44 -------- d-----w- c:\windows\system32\wbem\Repository

2012-01-04 14:34:02 5 ----a-w- c:\windows\system32\lMMLDeleteUserData42107612FX.tmp

2011-12-23 01:39:38 -------- d-----w- c:\program files\Microsoft Baseline Security Analyzer 2

.

==================== Find3M ====================

.

2011-11-25 21:57:19 293376 ----a-w- c:\windows\system32\winsrv.dll

2011-11-23 13:25:32 1859584 ----a-w- c:\windows\system32\win32k.sys

2011-11-18 12:35:08 60416 ----a-w- c:\windows\system32\packager.exe

2011-11-04 19:20:51 916992 ----a-w- c:\windows\system32\wininet.dll

2011-11-04 19:20:51 43520 ------w- c:\windows\system32\licmgr10.dll

2011-11-04 19:20:51 1469440 ------w- c:\windows\system32\inetcpl.cpl

2011-11-04 11:23:59 385024 ------w- c:\windows\system32\html.iec

2011-11-03 15:28:36 386048 ----a-w- c:\windows\system32\qdvd.dll

2011-11-03 15:28:36 1292288 ----a-w- c:\windows\system32\quartz.dll

2011-11-01 16:07:10 1288704 ----a-w- c:\windows\system32\ole32.dll

2011-10-28 05:31:48 33280 ----a-w- c:\windows\system32\csrsrv.dll

2011-10-25 13:37:08 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe

2011-10-25 12:52:02 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe

.

============= FINISH: 17:13:40.54 ===============

attach.zip


Logs will be closed if you haven't replied within 3 days

Please don't attach the scans / logs for these tools, use "copy/paste".

DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.

Doing so could make your PC inoperable and could require a full reinstall of your OS, losing all your programs and data.

Please run a new MBAM scan being sure to update before scanning.

Post the scan results

Also please describe how your computer behaves at the moment.

Please don't attach the scans / logs, use "copy/paste".


Mr. LDTate,

Thank you for your help. I cannot load the update. It says outdated 7 days. Says report issue to support team ~ include message...codes in your submission.

PROGRAM_ERROR_UPDATING (11004,0, No address found)

The requested name is valid and was found in the database, but it does not have the correct associated data being resolved for.

I am currently in safe mode with networking, but I cannot bring up "network connections" from control panel, just an empty folder. NIC unplugged, planning on connecting with wifi to download update. Task manager processes show System Idle Process CPU 99 Mem Usage 16k, CPU 00 on all other Image Names listed. On the bottom bar: Processes 16, CPU Usage 0%, Commit Charge 234M / 5983M

I have restarted 5 times up to this point trying different methods to get the update. The last time I was on the computer before today was 1/17/12 when I downloaded the DDS and attach file to a usb drive and transferred to chromebook to post...then shut the computer down normally.

posting from chromebook now... I want to beat this

OH THANKA


Please do the following to see if it resolves the issue: Post back and let us know please

  • Download and run mbam-clean.exe from here
  • It will ask to restart your computer, please allow it to do so very important
  • After the computer restarts, temporarily disable your Anti-Virus and install the latest version of Malwarebytes' Anti-Malware from here
    • Note: You will need to reactivate the program using the license you were sent via email if using the Pro version
    • Launch the program and set the Protection and Registration. Then go to the UPDATE tab if not done during installation and check for updates.
      Restart the computer again and verify that MBAM is in the task tray if using the Pro version. Now setup any file exclusions as may be required in your Anti-Virus/Internet-Security/Firewall applications and restart your Anti-Virus/Internet-Security applications. You may use the guides posted in the FAQ's here or ask and we'll explain how to do it.


Mr. LDTate,

None found, not able to post log

Problem is the computer is frozen, takes about 20 minutes for the computer to decide if it wants to respond or just freeze. Task manager will respond quickly but about the 3rd click, the computer resorts to this new decision process. I have used task manager to reboot 3 times (takes about 30 minutes). I have withheld myself from jacking with the computer to (attempt) fix and limited myself to Task Manager. To recap, the computer ran the DDS fine and I was able to easily transfer the file to usb and upload to start this post. Before I ran DDS, I put about 20 hrs into messing around to fix before enlisting a paid professional, who also attempted to fix. Some malware has been found, but advised the "Queen" malware can't be removed. I see 3 possible answers: 1. Queen does not exist, Threadgill broke it, blow the ship (my bet, suspect of the professional advice received) 2. Queen exists, blow the ship. 3. Queen exists...Mr. LDTate gets us home.

I await the next step.

Respectfully,

Threadgill


Mr. LDTate,

Yes, repair install got the computer going.

During repair install it finished and shut down the computer. There were no prompts at the end mentioned by the instructions, including that I was not asked to input the product key. When I turned on the computer the "please wait" screen was frozen with an hourglass for 2+ hours. I held down the power button until shut down. I then powered up the computer again with the following:

BEHAVIOR:

1. Cannot turn "on" Microsoft Security Essentials. Click the red "turn on" button, an hourglass pops up for 3 minutes, then stops. Red "turn on" button remains....still reflects MSE is off. Alerts to turn on still pop up in the bottom left corner.

2. Right-clicked on START, clicked Explore to look at files and an installer starts installing Adobe Acrobat...Explorer freezes. Ctrl-Alt-Delete, Task Manager, close File Explorer & end install. Repeated 3 times.

3. Firewall is on, I have not connected to the internetz.

4. My desktop interface has been retained.

Threadgill
