.exe files stopped working


First off, I love your program. It's easy to use and works great. Keep up the good work.

Anyways, I'm having a major problem with my computer. I recently got a virus while searching for guitar parts. I noticed it right away, as your program told me immediately, and my computer slowed down quite a bit. It was a Trojan virus. As it was getting late, I figured I would shut down my computer for the night and work on removing the virus the next day, as Trojans take a bit of extra work to remove in my opinion. The next morning I log on, and almost nothing is working. Please understand that all programs, and I do mean ALL PROGRAMS with an .exe file, do not work. iTunes, Windows Movie Maker, and even Malwarebytes WILL NOT start up no matter what I do or try. Not even my screensaver. I noticed Malwarebytes was missing the .exe file altogether.

Here's where things start to get fun. I figured if maybe I un-installed Malwarebytes, re-installed it, and removed the virus, maybe things could go back to normal. But the problem is, the Add/Remove Programs Wizard is an application, and applications have an .exe file, which means it won't open. I have tried to System Restore my computer back a few days, but the System Restore program is also an application, so that won't work either.

My question is, what is my next step!?! I am completely stumped, and I have no idea where to go from here. I don't want to have to completely restore my computer, so any other possible option will be taken first.

Also, is it possible for a virus to corrupt and/or delete an .exe file?

Thanks for your time!!!!!

-peepster1005


Stay with this topic until I give you the final 'All clean' post.

Vista users:

1. These tools MUST be run from the executable. (.exe)

2. With Admin Rights (Right click, choose "Run as Administrator") every time you run them

1) exeHelper

Please download exeHelper to your desktop.

Double-click on exeHelper.com to run the fix.

A black window should pop up, press any key to close once the fix is completed.

Post the contents of log.txt (Will be created in the directory where you ran exeHelper.com)

Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).


That's better. This is what I got, but my programs still aren't opening. Do I need to restart?

exeHelper by Raktor

Build 20091021

Run at 16:56:14 on 11/01/09

Now searching...

Checking for numerical processes...

Checking for bad processes...

Checking for bad files...

Checking for bad registry entries...

Resetting filetype association for .exe

Resetting filetype association for .com

Resetting userinit and shell values...

Resetting policies...

--Finished--

exeHelper by Raktor

Build 20091021

Run at 16:57:14 on 11/01/09

Now searching...

Checking for numerical processes...

Checking for bad processes...

Checking for bad files...

Checking for bad registry entries...

Resetting filetype association for .exe

Resetting filetype association for .com

Resetting userinit and shell values...

Resetting policies...

--Finished--

Sorry, ran it twice because I accidentally closed the boxes.
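The exeHelper log above says it reset the .exe and .com file-type associations and the Winlogon userinit and shell values. The added example below (not exeHelper's code) checks those four values in a regedit REGEDIT4 export against the Windows XP defaults, on a constructed export where the .exe handler and Userinit have been altered; hijack.exe is a hypothetical name and the defaults assume an English XP install on C:\WINDOWS.

```python
import re

# Windows XP defaults for the values exeHelper's log says it resets (assumed:
# an English XP install on C:\WINDOWS).
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
EXPECTED = {
    (r"HKEY_CLASSES_ROOT\exefile\shell\open\command", "@"): '"%1" %*',
    (r"HKEY_CLASSES_ROOT\comfile\shell\open\command", "@"): '"%1" %*',
    (WINLOGON, "Userinit"): r"C:\WINDOWS\system32\userinit.exe,",
    (WINLOGON, "Shell"): "Explorer.exe",
}

# Constructed sample export (regedit's REGEDIT4 format): the .exe handler has
# been redirected through a hypothetical hijack.exe and Userinit has a second
# program appended; the .com handler and Shell are still the defaults.
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\hijack.exe\" \"%1\" %*"

[HKEY_CLASSES_ROOT\comfile\shell\open\command]
@="\"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\hijack.exe"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
# name is @ (the default value) or a quoted string; data is quoted or raw
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(?:"((?:[^"\\]|\\.)*)"|(.*))$')


def unescape(s):
    """Undo REGEDIT4 escaping: a backslash quotes the next character."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Map (key, value name) -> string data for every value in the export."""
    values, key = {}, None
    for line in text.splitlines():
        if m := KEY_RE.match(line):
            key = m.group(1)
        elif key and (m := VALUE_RE.match(line)):
            name = "@" if m.group(1) == "@" else unescape(m.group(1)[1:-1])
            data = unescape(m.group(2)) if m.group(2) is not None else m.group(3)
            values[(key, name)] = data
    return values


def check_defaults(text):
    """Return (key, name, found, expected) for every value that is missing or
    differs from the XP default; an empty list means nothing needs resetting."""
    found = parse_reg(text)
    return [(key, name, found.get((key, name)), want)
            for (key, name), want in EXPECTED.items()
            if found.get((key, name)) != want]
```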


I hope you're not infected with Virut.

Do this:

Download Combofix from any of the links below but rename it to ABCD.exe before saving it to your desktop.

* IMPORTANT !!! Save ABCD.exe to your Desktop

Link 1

Link 2

Double-click on ABCD.exe (the renamed ComboFix.exe) & follow the prompts.

  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt so we can continue cleaning the system.


Okay, I changed the name, ran the program, clicked agree a couple of times, and it opened a blue box. It said it was missing a program and could not continue without it, so I agreed to download, and now my programs are working. Is this a final fix? If I reboot, will this all start over again?

Oh, and the icon for it disappeared. Is that supposed to happen too?

NO. You're far from being fixed.

Will MBAM run? If so do a scan with MBAM and post the results.

Is Combofix running?


Yes, ComboFix is working. Or did work, I should say. I started it up, got the blue box again, and it started to scan (I think?). It said completed stage 1, 2, 3... and so on all the way to fifty. Then it restarted my computer and created a log of everything it has done.

Now here is my new problem. Most of my programs quit on me earlier today, but after I ran ComboFix, none of them work. Not even my Firefox is opening. I am writing this on my iPod touch. I will let you know ASAP when my Internet browser is working properly.

I could not scan my computer with Malwarebytes because even after I redownloaded it, it is still missing the .exe file to run it.

But on the bright side, my Sophos Anti-Virus is no longer telling me that I have a virus. (Yes, I have two antivirus programs. Can never be too safe, right?)

I'll check my computer in the morning to see if anything has changed. But for now, where do I go from here?


Never install more than one Antivirus and Firewall! Rather than giving you extra protection, it will decrease the reliability of it seriously!

The reason for this is that if both products have their automatic (Real-Time) protection switched on, your system may lock up due to both software products attempting to access the same file at the same time.

Also because more than one Antivirus and Firewall installed are not compatible with each other, it can cause system performance problems and a serious system slowdown.

Look for the file combofix.txt and post the text file.


Here you go. If you need anything else, let me know.

------------------------------------------------------------------

ComboFix 09-10-30.01 - Owner 11/01/2009 22:13.1.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.958.399 [GMT -6:00]

Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe

AV: Sophos Anti-Virus *On-access scanning disabled* (Updated) {3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD}

FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\docume~1\Owner\LOCALS~1\Temp\tmp1.tmp

c:\docume~1\Owner\LOCALS~1\Temp\tmp2.tmp

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

c:\recycler\S-1-5-21-2846970920-2938027396-4193320068-1003

c:\recycler\S-1-5-21-4254032958-3633240100-2296491676-1003

c:\windows\Downloaded Program Files\popcaploader.inf

c:\windows\jestertb.dll

c:\windows\system32\bahaboho.dll

c:\windows\system32\bolapuno.dll

c:\windows\system32\bsfusxsd.ini

c:\windows\system32\camhkfty.ini

c:\windows\system32\cyawxtjg.ini

c:\windows\system32\eKRXyccf.ini2

c:\windows\system32\fnvytlep.ini

c:\windows\system32\fozojati.dll

c:\windows\system32\fqtdhtrl.ini

c:\windows\system32\gejapifo.dll

c:\windows\system32\gmoersnh.ini

c:\windows\system32\gmseivjm.ini

c:\windows\system32\gujavujo.dll.tmp

c:\windows\system32\guyohimu.dll

c:\windows\system32\haporapu.dll

c:\windows\system32\hekomuno.dll

c:\windows\system32\heoltnjq.ini

c:\windows\system32\hiyuvubo.dll

c:\windows\system32\iumpygka.ini

c:\windows\system32\jadegada.dll

c:\windows\system32\jaxtaiys.ini

c:\windows\system32\jevaziji.dll

c:\windows\system32\jewipaje.dll

c:\windows\system32\jibepobo.dll

c:\windows\system32\jijuwajo.dll

c:\windows\system32\kveneorp.ini

c:\windows\system32\libopeke.dll

c:\windows\system32\lijujuto.dll

c:\windows\system32\lymgygng.ini

c:\windows\system32\mivusufu.dll

c:\windows\system32\muyonuvu.dll.tmp

c:\windows\system32\nnbsxtnj.ini

c:\windows\system32\nunuluna.dll.tmp

c:\windows\system32\pinigalo.dll

c:\windows\system32\puleluro.dll.tmp

c:\windows\system32\qkwtpqpw.ini

c:\windows\system32\qqicpqkd.ini

c:\windows\system32\rizilipi.dll

c:\windows\system32\rujisovo.dll

c:\windows\system32\sabadobe.dll

c:\windows\system32\sorofita.dll

c:\windows\system32\soyifafi.dll.tmp

c:\windows\system32\suroteto.dll

c:\windows\system32\tatetimo.dll

c:\windows\system32\tehenupo.dll

c:\windows\system32\tupkcrug.ini

c:\windows\system32\vemewofo.dll

c:\windows\system32\vlduhhqg.ini

c:\windows\system32\vnojeopw.ini

c:\windows\system32\voriduzi.dll

c:\windows\system32\vovamoba.dll.tmp

c:\windows\system32\wxIRtDMp.ini2

c:\windows\system32\xkqrkbof.ini

c:\windows\system32\yilinetu.dll

c:\windows\system32\yjpjajlv.ini

c:\windows\system32\yoyiriku.dll

c:\windows\system32\zabanalu.dll

c:\windows\system32\zofisuvu.dll

c:\windows\Tasks\omjyxrsp.job

c:\windows\Tasks\zzqppvco.job

D:\Autorun.inf

----- BITS: Possible infected sites -----

hxxp://childhe.com

.

((((((((((((((((((((((((( Files Created from 2009-10-02 to 2009-11-02 )))))))))))))))))))))))))))))))

.

2009-11-02 04:10 . 2009-09-10 20:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-11-02 04:10 . 2009-09-10 20:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-11-02 00:16 . 2009-11-02 00:17 -------- d-----w- c:\program files\iTunes

2009-11-02 00:16 . 2009-11-02 00:17 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}

2009-11-02 00:13 . 2009-11-02 00:13 -------- d-----w- c:\program files\QuickTime

2009-11-02 00:11 . 2009-11-02 00:17 -------- d-----w- c:\windows\LastGood.Tmp

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-11-02 04:10 . 2009-02-26 16:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-11-02 00:21 . 2006-12-25 14:52 -------- d-----w- c:\documents and settings\Owner\Application Data\Apple Computer

2009-11-02 00:16 . 2006-12-25 14:48 -------- d-----w- c:\program files\iPod

2009-11-02 00:16 . 2007-12-25 14:12 -------- d-----w- c:\program files\Common Files\Apple

2009-11-02 00:11 . 2007-12-25 14:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple

2009-10-27 22:17 . 2009-06-24 19:10 -------- d-----w- c:\documents and settings\Owner\Application Data\Cabos

2009-10-27 20:48 . 2009-10-27 20:48 73728 ---ha-w- c:\documents and settings\Owner\Application Data\RBRegEx550.dll

2009-10-27 20:48 . 2009-10-27 20:48 39936 ---ha-w- c:\documents and settings\Owner\Application Data\RBShell555.dll

2009-10-27 20:47 . 2006-09-13 23:08 93008 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-09-06 16:38 . 2006-09-13 23:08 13402 ----a-w- c:\documents and settings\Owner\Application Data\wklnhst.dat

2009-09-05 01:44 . 2009-09-05 01:44 -------- d-----w- c:\program files\Audacity

2009-08-29 01:42 . 2009-04-04 00:35 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll

2009-08-29 01:42 . 2007-12-25 14:13 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys

2009-07-30 20:45 . 2009-07-30 20:45 60928 --sha-w- c:\windows\system32\bikehizi.dll

2009-07-31 16:34 . 2009-07-31 16:34 89088 --sha-w- c:\windows\system32\fazotene.dll

2009-08-01 04:35 . 2009-08-01 04:35 89600 --sha-w- c:\windows\system32\hisakite.dll

2009-07-30 20:45 . 2009-07-30 20:45 89088 --sha-w- c:\windows\system32\tijayefe.dll

2009-08-01 16:35 . 2009-08-01 16:35 89088 --sha-w- c:\windows\system32\viwadefo.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Picasa Media Detector"="c:\documents and settings\Owner\My Documents\My Pictures\Picasa2\PicasaMediaDetector.exe" [2008-02-26 443968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY" [X]

"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]

"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-07-19 221184]

"gagehokah"="c:\windows\system32\tijayefe.dll" [2009-07-30 89088]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"Power2GoExpress"="NA" [X]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

AutoUpdate Monitor.lnk - c:\program files\Sophos\AutoUpdate\ALMon.exe [2009-6-11 245760]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]

"{e5dd95c5-ddb5-4bfb-af7c-62fced274337}"= "c:\windows\system32\tijayefe.dll" [2009-07-30 89088]

"{87b59fa5-8a82-4609-8042-56fd0fc50762}"= "c:\windows\system32\tijayefe.dll" [2009-07-30 89088]

"{413f0a90-469a-44e0-ac55-2534858a2282}"= "c:\windows\system32\tijayefe.dll" [2009-07-30 89088]

"{14fe8fbb-7a06-4215-8e00-9d7b38662bdc}"= "c:\windows\system32\tijayefe.dll" [2009-07-30 89088]

"{61238692-df6d-4d78-a15f-cd48f9991f60}"= "c:\windows\system32\tijayefe.dll" [2009-07-30 89088]

"{0c35cdec-f50f-4c9e-93a4-0ef26441ed77}"= "c:\windows\system32\viwadefo.dll" [2009-08-01 89088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

"nonomohev"= {e5dd95c5-ddb5-4bfb-af7c-62fced274337} - c:\windows\system32\tijayefe.dll [2009-07-30 89088]

"tavanasag"= {87b59fa5-8a82-4609-8042-56fd0fc50762} - c:\windows\system32\tijayefe.dll [2009-07-30 89088]

"kobuguhof"= {413f0a90-469a-44e0-ac55-2534858a2282} - c:\windows\system32\tijayefe.dll [2009-07-30 89088]

"dibofehen"= {14fe8fbb-7a06-4215-8e00-9d7b38662bdc} - c:\windows\system32\tijayefe.dll [2009-07-30 89088]

"soyerebog"= {61238692-df6d-4d78-a15f-cd48f9991f60} - c:\windows\system32\tijayefe.dll [2009-07-30 89088]

"rivuzizum"= {0c35cdec-f50f-4c9e-93a4-0ef26441ed77} - c:\windows\system32\viwadefo.dll [2009-08-01 89088]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService]

@="service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoUpdate Monitor.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AutoUpdate Monitor.lnk

backup=c:\windows\pss\AutoUpdate Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BigFix.lnk

backup=c:\windows\pss\BigFix.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 1000 series.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hp psc 1000 series.lnk

backup=c:\windows\pss\hp psc 1000 series.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk

backup=c:\windows\pss\hpoddt01.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk

backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\bin\\AppleMobileDeviceService.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\drivers\savonaccesscontrol.sys [9/6/2008 12:33 PM 110848]

R1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\drivers\savonaccessfilter.sys [9/6/2008 12:33 PM 38528]

R2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\Sophos\Sophos Anti-Virus\SAVAdminService.exe [10/5/2009 5:22 AM 80936]

R2 SAVService;Sophos Anti-Virus;c:\program files\Sophos\Sophos Anti-Virus\SavService.exe [8/21/2008 6:04 AM 98304]

R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [6/29/2006 12:19 PM 200576]

S3 DzlUsb;Dazzle DVC USB Device;c:\windows\system32\drivers\DzlUsb.sys [2/12/2009 10:07 PM 62800]

S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [9/30/2008 5:56 PM 14976]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - CLASSPNP_2

*NewlyCreated* - MBR

*Deregistered* - CLASSPNP_2

*Deregistered* - mbr

.

Contents of the 'Scheduled Tasks' folder

2009-10-27 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 18:34]

2008-08-06 c:\windows\Tasks\FRU Task 2003-04-06 08:52ewlett-Packard2003-04-06 08:52p psc 1200 series5E771253C1676EBED677BF361FDFC537825E15B8210036949.job

- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 05:52]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uDefault_Search_URL = hxxp://www.google.com/ie

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

DPF: {049A470D-F818-4E34-B14D-E4E237DADCF8} - hxxp://www.shockwave.com/content/fashiondash/sis/fashiondashweb.1.0.0.21.cab

FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\odolpp8q.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\odolpp8q.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

.

- - - - ORPHANS REMOVED - - - -

BHO-{571d9660-bab1-4729-aa62-1f17d27c60cc} - bahaboho.dll

BHO-{7FE54E07-2F72-42D8-96C9-E7128D6A07D0} - c:\windows\system32\fccyXRKe.dll

HKCU-Run-prunnet - c:\windows\system32\prunnet.exe

HKLM-Run-prunnet - c:\windows\system32\prunnet.exe

HKLM-Run-zipikobusi - jibepobo.dll

SharedTaskScheduler-{6676b59e-ea1a-436b-82d8-e8cfaa8b3072} - c:\windows\system32\gejapifo.dll

SSODL-fifidunod-{6676b59e-ea1a-436b-82d8-e8cfaa8b3072} - c:\windows\system32\gejapifo.dll

AddRemove-Picasa 3 - c:\documents and settings\Owner\My Documents\My Pictures\Google\Picasa3\Uninstall.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-11-01 22:35

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully

user: MBR read successfully

called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys spaa.sys >>UNKNOWN [0x86588938]<<

kernel: MBR read successfully

user & kernel MBR OK

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

atapi.sys @ 0x0 0x0 bytes

\Driver\atapi [ IRP_MJ_CREATE ] 0xA6F2 != 0xF73B4B40 atapi.sys

\Driver\atapi [ IRP_MJ_CLOSE ] 0xA6F2 != 0xF73B4B40 atapi.sys

\Driver\atapi [ IRP_MJ_DEVICE_CONTROL ] 0xA712 != 0xF73B4B40 atapi.sys

\Driver\atapi [ IRP_MJ_INTERNAL_DEVICE_CONTROL ] 0x6852 != 0xF73B4B40 atapi.sys

\Driver\atapi [ IRP_MJ_POWER ] 0xA73C != 0xF73B4B40 atapi.sys

\Driver\atapi [ IRP_MJ_SYSTEM_CONTROL ] 0x11336 != 0xF73B4B40 atapi.sys

\Driver\atapi IRP hooks detected !

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(648)

c:\windows\system32\BCMLogon.dll

c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2880)

c:\windows\system32\viwadefo.dll

c:\windows\system32\tijayefe.dll

c:\progra~1\WINDOW~2\wmpband.dll

c:\program files\Microsoft Office\OFFICE11\msohev.dll

c:\program files\Common Files\Microsoft Shared\OFFICE11\MSOXEV.DLL

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\Ati2evxx.exe

c:\windows\system32\Ati2evxx.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

c:\program files\Sophos\AutoUpdate\ALsvc.exe

c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

c:\windows\system32\wdfmgr.exe

c:\windows\system32\WLTRAY.exe

c:\windows\system32\wscntfy.exe

c:\program files\iPod\bin\iPodService.exe

.

**************************************************************************

.

Completion time: 2009-11-02 22:49 - machine was rebooted

ComboFix-quarantined-files.txt 2009-11-02 04:48

Pre-Run: 2,599,698,432 bytes free

Post-Run: 10,353,078,272 bytes free

- - End Of File - - 6DE53CB9F135A344F92F25F29F5CC28C


Copy/paste the text in the Codebox below into notepad:

Here's how to do that:

Click Start > Run type Notepad click OK.

This will open an empty notepad file:

Take your mouse, and place your cursor at the beginning of the text in the box below, then click and hold the left mouse button, while pulling your mouse over the text. This should highlight the text. Now release the left mouse button. Now, with the cursor over the highlighted text, right click the mouse for options, and select 'copy'. Now over the empty Notepad box, right click your mouse again, and select 'paste' and you will have copied and pasted the text.

File::
c:\windows\system32\bikehizi.dll
c:\windows\system32\fazotene.dll
c:\windows\system32\hisakite.dll
c:\windows\system32\tijayefe.dll
c:\windows\system32\viwadefo.dll

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"gagehokah"=-
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{e5dd95c5-ddb5-4bfb-af7c-62fced274337}"=-
"{87b59fa5-8a82-4609-8042-56fd0fc50762}"=-
"{413f0a90-469a-44e0-ac55-2534858a2282}"=-
"{14fe8fbb-7a06-4215-8e00-9d7b38662bdc}"=-
"{61238692-df6d-4d78-a15f-cd48f9991f60}"=-
"{0c35cdec-f50f-4c9e-93a4-0ef26441ed77}"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"nonomohev"=-
"tavanasag"=-
"kobuguhof"=-
"dibofehen"=-
"soyerebog"=-
"rivuzizum"=-

Save this file to your desktop; save it as "CFScript".

Here's how to do that:

1. Click File;

2. Click Save As... Change the directory to your desktop;

3. Change the Save as type to "All Files";

4. Type in the file name: CFScript

5. Click Save ...


Drag CFScript.txt into ComboFix.exe

Then post the results log and a new HijackThis log.

Also please describe how your computer behaves at the moment.
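The CFScript above was built by hand from the ComboFix log: the five system+hidden DLLs in the Find3M report, and every Reg Loading Points entry that points at them. The following added example (not ComboFix's or the helper's code) automates that triage on lines copied from the log, with the section headers shortened; the selection rule (a DLL under system32 with both the s and h attributes) is an assumption that matches this thread, not a general rule.

```python
import re

# Constructed sample: lines copied from the ComboFix log posted in this thread,
# with the ((((( ))))) section headers shortened.
SAMPLE_LOG = r"""((((( Find3M Report )))))
2009-08-29 01:42 . 2009-04-04 00:35 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-07-30 20:45 . 2009-07-30 20:45 60928 --sha-w- c:\windows\system32\bikehizi.dll
2009-07-31 16:34 . 2009-07-31 16:34 89088 --sha-w- c:\windows\system32\fazotene.dll
2009-08-01 04:35 . 2009-08-01 04:35 89600 --sha-w- c:\windows\system32\hisakite.dll
2009-07-30 20:45 . 2009-07-30 20:45 89088 --sha-w- c:\windows\system32\tijayefe.dll
2009-08-01 16:35 . 2009-08-01 16:35 89088 --sha-w- c:\windows\system32\viwadefo.dll
((((( Reg Loading Points )))))
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-07-19 221184]
"gagehokah"="c:\windows\system32\tijayefe.dll" [2009-07-30 89088]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{e5dd95c5-ddb5-4bfb-af7c-62fced274337}"= "c:\windows\system32\tijayefe.dll" [2009-07-30 89088]
"{87b59fa5-8a82-4609-8042-56fd0fc50762}"= "c:\windows\system32\tijayefe.dll" [2009-07-30 89088]
"{413f0a90-469a-44e0-ac55-2534858a2282}"= "c:\windows\system32\tijayefe.dll" [2009-07-30 89088]
"{14fe8fbb-7a06-4215-8e00-9d7b38662bdc}"= "c:\windows\system32\tijayefe.dll" [2009-07-30 89088]
"{61238692-df6d-4d78-a15f-cd48f9991f60}"= "c:\windows\system32\tijayefe.dll" [2009-07-30 89088]
"{0c35cdec-f50f-4c9e-93a4-0ef26441ed77}"= "c:\windows\system32\viwadefo.dll" [2009-08-01 89088]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"nonomohev"= {e5dd95c5-ddb5-4bfb-af7c-62fced274337} - c:\windows\system32\tijayefe.dll [2009-07-30 89088]
"tavanasag"= {87b59fa5-8a82-4609-8042-56fd0fc50762} - c:\windows\system32\tijayefe.dll [2009-07-30 89088]
"kobuguhof"= {413f0a90-469a-44e0-ac55-2534858a2282} - c:\windows\system32\tijayefe.dll [2009-07-30 89088]
"dibofehen"= {14fe8fbb-7a06-4215-8e00-9d7b38662bdc} - c:\windows\system32\tijayefe.dll [2009-07-30 89088]
"soyerebog"= {61238692-df6d-4d78-a15f-cd48f9991f60} - c:\windows\system32\tijayefe.dll [2009-07-30 89088]
"rivuzizum"= {0c35cdec-f50f-4c9e-93a4-0ef26441ed77} - c:\windows\system32\viwadefo.dll [2009-08-01 89088]
"""

SECTION_RE = re.compile(r"^\({5,}\s*(.*?)\s*\){5,}$")
FIND3M_RE = re.compile(r"^\S+ \S+ \. \S+ \S+ \S+ ([-a-z]{8}) (.+)$")
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=')
SYSTEM32 = "c:\\windows\\system32\\"

def walk(log):
    """Yield (section, key, line): section from the ((((( ))))) headers, cleared
    at ComboFix's dashed/starred sub-headers; key from the latest [registry key]."""
    section = key = None
    for line in log.splitlines():
        if m := SECTION_RE.match(line):
            section, key = m.group(1), None
        elif line.startswith(("---", "***")):
            section = key = None
        elif section == "Reg Loading Points" and (m := KEY_RE.match(line)):
            key = m.group(1)
        else:
            yield section, key, line

def suspicious_files(log):
    """DLLs under system32 carrying both the system (s) and hidden (h) attributes."""
    hits = []
    for section, _, line in walk(log):
        m = FIND3M_RE.match(line) if section == "Find3M Report" else None
        if not m:
            continue
        attrs, path = m.groups()
        if ({"s", "h"} <= set(attrs) and path.lower().startswith(SYSTEM32)
                and path.lower().endswith(".dll")):
            hits.append(path)
    return hits

def loading_points(log, paths):
    """(registry key, value name) pairs whose data mentions one of paths, in log order."""
    wanted = [p.lower() for p in paths]
    refs = []
    for section, key, line in walk(log):
        m = VALUE_RE.match(line) if section == "Reg Loading Points" and key else None
        if m and any(p in line.lower() for p in wanted):
            refs.append((key, m.group(1)))
    return refs

def build_cfscript(log):
    """File:: then Registry::, where "name"=- tells ComboFix to delete the value."""
    files = suspicious_files(log)
    out, current = ["File::", *files, "", "Registry::"], None
    for key, name in loading_points(log, files):
        if key != current:
            out.append(f"[{key}]")
            current = key
        out.append(f'"{name}"=-')
    return "\n".join(out) + "\n"
```

Running build_cfscript(SAMPLE_LOG) reproduces the CFScript posted above line for line.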


As of right now, before I do anything of what you just gave me, basically nothing is working on the computer. Only a select few programs will open (Paint, Windows Media Player, QuickTime), but that's about it. Anything besides that will not work, along with my Firefox (I'm currently on a different computer).

As soon as I get the CFScript done and run the program, I will post back if there are any major changes.


Yes, the computer is booting up just fine. Shutting down, restarting - everything is working. But now no programs will run except for a select few (Windows Media Player, QuickTime, Paint - all the basic programs, I would assume), but that is it. It basically doesn't do anything, but I can still look at my pictures just fine. It still gives me that little blue computer screen in the lower right-hand corner saying that the computer is connected to the internet, but I cannot get on the internet, as neither my Firefox nor my Windows Internet Explorer will open (I'm on a different computer). The USB drives are still working. I believe that's it.
