cpu usage goes 100%

sandman

C:\Documents and Settings folder <-- this is where i found them.
as far as i can remember i didn't do anything in my registry
what's wierd is that it really does look like i'm not using an admin account because when i go to C: it says that the files are hidden and that it's hidden to protect my pc or something.
i checked the profiles and the only one that seems different is a 'guest' account. i don't recall it being there before. it says that it's for people who use the pc without an account.

bakuryu

do you see any files in this location :
c:\documents and settings\rebecca rosario\Desktop
or
c:\documents and settings\rebecca rosario\My Documents

Also is your account password protected ? I guess your previous username was "rebecca rosario" from combofix log file.

Start -> run type lusrmgr.msc, expand 'Users' and check your username and see the group assigned to it and whether or not the account is disabled or enabled. If you are using a limited account you won't be able to access it.

__________________
Please don't click here

sandman

yes i see files in both location.
no it's not password protected because we all use that account. (that's my mom's name actually )
i went to lusrmgr.msc and i saw that the account is not disabled

MihaiS

Double-click on your user-name then go to the Member of tab and see the group assigned to it.

That's what Bakuryu also asked for, so I thought I should tell you to speed things up.

sandman

ok i did that and it says that it's under administration

bakuryu

All your previous desktop files should be under : c:\documents and settings\rebecca rosario\Desktop folder

Run combofix and post a log file.

sandman

before i run it should these be included?
File::
c:\windows\system32\lkupbh.dll

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\{2b7962b0-641d-11dd-8765-0008a1ba4631}]
[-HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\{440767cb-3c21-11dd-8625-0008a1ba4631}]
[-HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\{55861e9a-38d1-11dd-85f0-e86e6e02f575}]
[-HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\{58bfcc3e-7ee2-11dd-8829-0008a1ba4631}]
[-HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\{5d7d410a-11df-11de-8c26-0008a1ba4631}]
[-HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\{6025168a-3827-11dd-85e6-c37eda4963ee}]
[-HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\{7f633f8a-12a2-11de-8c32-0008a1ba4631}]
[-HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\{ae77cd70-6a39-11dd-87a0-0008a1ba4631}]
[-HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\{c4f42d94-52b7-11dd-86f0-0008a1ba4631}]
[-HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\{d63d6cb2-b5a6-11dd-897e-0008a1ba4631}]
[-HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\{e4122eef-6ce7-11dd-87b4-0008a1ba4631}]
[-HKEY_LOCAL_MACHINE\System\ControlSet002\Services\I raccess]

bakuryu

yes drag and drop that file on Combofix.exe and then post the new log file that it generates.

sandman

update :
i get an error everytime i try to run combofix. what happens is everytime i drag the cfscript into combofix a window pops saying that i can't rename it. i tried downloading combofix from the links in the other thread (the one about not being able to access AV sites) but my computer wont allow it, i can still access AV sites btw

Hatrix

Recuva - Undelete, Unerase, File Recovery - Home
to recover lost files, but if the sectors has already been rewriten, forget it!!

try to make a new user and log from it, it should make new registry for u, after then install and run malwarebytes.
it's all caused by a malware!

__________________
Mawarebytes
Ccleaner
KillBox