Hjt Log


This topic is locked
10 replies to this topic

#1 Judi_e


Posted 14 August 2007 - 08:38 AM

As I posted last week my husband's computer is acting up again.

He has a Microsoft keyboard that has programmable buttons, and the buttons aren't working right. Within the Microsoft setup program everything is still set up right, but the buttons don't function as they are programmed to. As an example, last night, while I was running all the preliminary tests before running HJT, I pressed the calculator key, which is supposed to open up the Windows calculator, and instead it closed the Panda scan window. He's even had times when non-programmable keys do the wrong thing, like the Caps Lock key closing Firefox. I have the same keyboard at work and it hasn't given me one problem.

Lately he's been having trouble with programs trying to dial the modem, which isn't hooked up to anything. He's been having all kinds of connection and networking issues, only on his computer; everything is working fine on mine, so I assume there's nothing wrong with our router. When I go to My Network Places on my computer I can see his computer, but I can't access it. However, I was able to map a network drive to the shared folder on his computer. He can access the shared folders on my computer from his. He had trouble last night with Winamp not connecting to the internet, and when it couldn't get a connection it tried dialing the modem. We have a cable modem run through the router, and I'm not having any trouble with it from my computer. Our TiVo isn't having any trouble with it either.

There are two Windows updates that won't run, Security Update for Microsoft .NET Framework, Version 2.0 (KB928365) and Version 1.1 Service Pack 1 (KB928366). Last night when I ran Housecall it noticed he was missing a couple of updates (I haven't been keeping track, not sure if it's the same ones) and there was a link to Microsoft's website, where I was supposed to download and install like 3 different files. None of them would install; they all basically said that they were updates to a program I didn't have, so they couldn't install.

He's also still having trouble with the screen blinking every once in a while, and that's obviously a problem with the graphics hardware. It's the same blink you would get when you hit apply after changing screen settings. It does it a lot less when he's not running a video game. He used to play Bejeweled a lot, the version that runs on the computer not online, and it happened a lot more when he was playing, so he stopped. But the problem hasn't gone away completely.

Help!!! Here's the HJT log that he got this morning:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:06:08 AM, on 8/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Norton CleanSweep\QDCSFS.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Wallpaper Master\Wallpaper.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe
C:\Program Files\TiVo\Desktop\TiVoNotify.exe
C:\Program Files\TiVo\Desktop\TiVoServer.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Citrix\ICA Client\Wfcrun32.exe
C:\PROGRA~1\Citrix\ICACLI~1\WFICA32.EXE
C:\Program Files\Trillian\trillian.exe
C:\WINDOWS\system32\notepad.exe
C:\PROGRA~1\Citrix\ICACLI~1\WFICA32.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://us.f556.mail.yahoo.com/dc/launch?ac...mp;YY=587475367
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = What are you looking at?
O1 - Hosts: 203.121.71.128www.celebutopia.net
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {BD1B1D80-D55A-483B-B54F-4F6EF9524E4C} - C:\WINDOWS\system32\wmvemoe2.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [QD FastAndSafe] C:\Program Files\Norton CleanSweep\QDCSFS.exe /startup /scheduler
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\qttask.exe" -atboottime
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WallpaperChanger] C:\Program Files\Wallpaper Master\Wallpaper.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [TivoTransfer] "C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe" /service /registry /auto:TivoTransfer
O4 - HKCU\..\Run: [TivoNotify] "C:\Program Files\TiVo\Desktop\TiVoNotify.exe" /service /registry /auto:TivoNotify
O4 - HKCU\..\Run: [TivoServer] "C:\Program Files\TiVo\Desktop\TiVoServer.exe" /service /registry /auto:TivoServer
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: AutorunsDisabled
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Mitch\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O15 - Trusted Zone: *.west.com
O15 - Trusted Zone: *.workathomeagent.com
O15 - Trusted Zone: *.workathomeagent.net
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1149444922706
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1149447987062
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D8EE8DC0-F193-11D0-B1E5-08005A885319} (MicroX Persistent Mainframe Display Control) - http://www.workathomeagent.net/walldata/cu...hostexpress.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - http://livenj02.custhelp.com/7530-b327h/rnl/java/RntX.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: TiVo Beacon (TivoBeacon2) - TiVo Inc. - C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe

--
End of file - 8704 bytes



#2 DaveM59


Posted 21 August 2007 - 08:24 PM

Hi Judi e,

Sorry for the delay, this forum is very busy right now.

First thing you need to do is go over to Tom Coyote Forums, log in, and then PM an admin or moderator asking them to close your topic over there.

Just FYI, double posting is considered bad form, as it potentially wastes a very scarce resource, namely the time of volunteer helpers on the forums. Since I have now answered your topic here, you need to get that duplicate topic closed as soon as you can.

Now, about the symptoms:

The keyboard problems may be related to malware, but probably not. Try uninstalling the keyboard and any related software. Then reboot the machine. Reinstall the keyboard driver and software. If the problem persists, uninstall his keyboard, shut down the machine and swap in a standard non-programmable keyboard. If that one also misbehaves, then you know there's something the matter with his machine, either Windows (possibly caused by malware) or his hardware. The usual test to rule out hardware is to install a keyboard of a different type -- e.g. a USB keyboard if the problematic one is a PS/2 (round plug) type.

The .NET framework updates problem -- common as dirt, not related to malware. I suggest you disable Windows Automatic Updates until we are finished with the other troubleshooting here. Then I can give you some links to websites with some steps for remedying this problem.

Screen flashes -- first thing I would suggest is checking for driver updates for the graphics card. Sometimes that will help. But if not, this is almost certainly a hardware problem and after we are finished here, you can post a question in the Hardware Forum about it.

Network issues -- HijackThis says you have a service related to your Smartlink modem running (SLService). This probably explains why programs are trying to use your modem. To disable this service, click Start, Run and in the text box type or paste

sc stop SLService

Then click OK. Then repeat with this command:

sc config SLService start= disabled

That should put an end to the modem activity. For the remainder of the network problems, they sound like a network setup issue. I would put them aside while we delve into the malware question.

I see one sign of malware in the log. I also see signs of a computer crash, or maybe more than one. I need more information to try to determine what the infection was and what caused the crash(es). I assume your online scans and your regular installed antivirus have not identified anything? If they have, please tell me about it. There may be a log that can help identify your malware, maybe even a quarantined file we can analyze. Please look in your AVG virus vault to see if there is a file named wmvemoe2.dll in there. If so, please tell me. If not, please do a Regsearch as follows:

Please download Regsearch by Bobbi Flekman and save it to your desktop. This is a zip file. Right click the file icon, a menu will open, select Extract all. The Extraction Wizard will open, click Next, Next, then Finish. You should see the contents of the Regsearch folder on your desktop. Double click the Regsearch.exe icon to run the program.

The top section of the program window contains a text box with four lines. It is labeled "Enter search strings (case independent) and click OK..."

In the first line of that text box, type or paste wmvemoe2.dll.

In the second line of that text box, type or paste {BD1B1D80-D55A-483B-B54F-4F6EF9524E4C}. Be sure to include the brackets.

Leave the bottom section, with the text box marked "Enter string to exclude from results (optional)" empty. Leave the Search boxes alone -- all should be checked. Click OK.

Regsearch will run. After a few minutes it will open a log file, Regsearch.txt on your desktop.

Copy and paste the contents of that file, to a reply here.

Regardless of whether you turn up a quarantined copy of that .dll file, I need you to run Combofix:

Please download Combofix to your desktop.
Double-click combo.exe to launch the application.
Follow the prompts that will be displayed on the screen.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt.
Post this log in your next reply together with a new HijackThis log.

Post all the logs to your next reply. If they won't all fit in one post, split them into two.

Good luck,

Dave
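As an added illustration of the log reading in the reply above (this is not code from the thread or from HijackThis itself), the following Python script parses the O1/O2/O4/O15 line formats that HJT emits and flags the same kinds of entries a helper looks at first: a hosts-file mapping that points a site at a non-loopback address, a BHO whose DLL is missing, dumprep crash-report Run entries, and sites added to the IE Trusted Zone. The sample log is constructed from lines quoted in the first post; the regexes, the `Finding` type and the `triage` function are the example's own.

```python
"""Triage a HijackThis v2 log for the indicator types discussed in this thread.

Added example (not the thread's or HijackThis's own code). It parses the
O1/O2/O4/O15 line formats that HJT emits and flags entries a reviewer would
look at first; the sample log below is constructed from lines quoted above.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: a subset of the thread's log lines, in HJT's own format.
SAMPLE_LOG = r"""
O1 - Hosts: 203.121.71.128www.celebutopia.net
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {BD1B1D80-D55A-483B-B54F-4F6EF9524E4C} - C:\WINDOWS\system32\wmvemoe2.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O15 - Trusted Zone: *.workathomeagent.net
"""

# One regex per HJT section of interest: section code, dash, section-specific body.
HOSTS_RE = re.compile(r"^O1 - Hosts: (?P<entry>.+)$")
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.+)$")
RUN_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
TRUSTED_RE = re.compile(r"^O15 - Trusted Zone: (?P<zone>.+)$")
# The hosts-file IP and hostname may appear with no separating space, as in the
# first post's log; \s* tolerates both forms.
HOSTS_ENTRY_RE = re.compile(r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s*(?P<host>\S+)$")
# Mappings to these addresses are the usual ad-blocking pattern, not a redirect.
LOOPBACK = {"127.0.0.1", "0.0.0.0"}


@dataclass(frozen=True)
class Finding:
    section: str  # HJT section code, e.g. "O2"
    reason: str   # why a reviewer should look at it
    detail: str   # the entry (or CLSID) the finding is about


def triage(log_text: str) -> list[Finding]:
    """Walk an HJT log and return the entries worth a reviewer's attention."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := HOSTS_RE.match(line):
            # A hosts mapping pointing a real site at a non-loopback address
            # silently redirects every program that resolves that name.
            e = HOSTS_ENTRY_RE.match(m["entry"])
            if e and e["ip"] not in LOOPBACK:
                findings.append(Finding("O1", f"hosts file redirects {e['host']} to {e['ip']}", m["entry"]))
        elif m := BHO_RE.match(line):
            # The registry still tells IE to load a DLL that is no longer on disk:
            # typically the file was quarantined by an AV product or deleted.
            if m["path"].endswith("(file missing)"):
                findings.append(Finding("O2", "BHO registered but its DLL is missing", m["clsid"]))
        elif m := RUN_RE.match(line):
            # Windows queues dumprep in Run after a crash (-k kernel, -u user mode),
            # so these entries record that the machine crashed, not malware.
            if "dumprep" in m["cmd"].lower():
                findings.append(Finding("O4", f"crash-report entry {m['name']}", m["cmd"]))
        elif m := TRUSTED_RE.match(line):
            # Trusted Zone sites get IE's relaxed security settings; each one
            # should be recognised by the machine's owner.
            findings.append(Finding("O15", "site in IE Trusted Zone", m["zone"]))
    return findings


def count_by_section(findings: list[Finding]) -> dict[str, int]:
    """Number of findings per HJT section, for a one-line summary."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.section] = counts.get(f.section, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.section}] {f.reason}: {f.detail}")
    print("summary:", count_by_section(results))
```

Run against the sample it reports the celebutopia hosts redirect, the orphaned wmvemoe2.dll BHO, both dumprep entries and the Trusted Zone site, and leaves the AVG, Adobe and Spybot entries alone.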

#3 Judi_e


Posted 22 August 2007 - 09:45 AM

Dave,

I apologize. I didn't realize it was inappropriate to try to get help from more than one source.

Thank you for your help. I'll give all of this a try after I get home tonight.

#4 DaveM59


Posted 22 August 2007 - 10:05 AM

Hi Judi e,

Apology accepted. Looking forward to seeing those logs and the results of your keyboard experiments.

A tip about getting your topic closed: if there are no mods or admins online, get the list and just pick one out who is online frequently at this time of day and send him or her a PM.

One thing I might add for clarification -- if that .dll file is in the AVG quarantine there should be an identification of it -- AVG's name for this virus or trojan. Please include that information in the reply, if you find it.

Dave

#5 Judi_e


Posted 22 August 2007 - 04:30 PM

Dave,

OK, I'm going to leave the keyboard until we get some of this other stuff done. My husband has updated the drivers for the graphics card and that didn't help, so I'll be asking in the hardware forum about it when we finish here.

I disabled automatic updates. I tried to run sc stop SLService, but there seems to be a problem with that function on this computer. I go to Start, Run and then enter sc stop SLService and click OK and see the DOS window open for just a split second and then it's gone. Apparently this is a problem my husband was aware of because he told me it wouldn't work when I got to the program Run box. Is there another way to do that?

As for the scans, there were some spyware things it found, but nothing too serious. Recently AVG has found a couple of things and cleaned them, Obfustat.FDT on the 11th and again on the 12th in the system backup. It appears to be cleaned up just fine. I don't recall what else was found by the online scanners. Are there log files I should look for?

The virus vault does have wmvemoe2.dll from back in February.

Here is the combofix log:

ComboFix 07-08-17.2 - "Mitch" 2007-08-22 17:17:52.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.441 [GMT -4:00]
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\internet explorer\msimg32.dll


((((((((((((((((((((((((( Files Created from 2007-07-22 to 2007-08-22 )))))))))))))))))))))))))))))))


2007-08-22 17:17 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-14 09:00 <DIR> d-------- C:\Program Files\Trend Micro
2007-08-14 05:52 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-08-13 20:37 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-08-13 18:57 <DIR> d-------- C:\DOCUME~1\Mitch\.housecall6.6
2007-08-09 19:05 <DIR> d-------- C:\Program Files\TiVo
2007-08-09 19:05 <DIR> d-------- C:\Program Files\Common Files\TiVo Shared
2007-08-09 19:05 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\TiVo
2007-08-09 18:44 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-06 15:11 7,680 --a------ C:\WINDOWS\system32\drivers\motccgpfl.sys
2007-08-06 15:11 6,400 --a------ C:\WINDOWS\system32\drivers\motswch.sys
2007-08-06 15:11 21,504 --a------ C:\WINDOWS\system32\drivers\motport.sys
2007-08-06 15:11 21,504 --a------ C:\WINDOWS\system32\drivers\motmodem.sys
2007-08-06 15:11 17,792 --a------ C:\WINDOWS\system32\drivers\motccgp.sys
2007-08-06 15:11 1,419,232 --a------ C:\WINDOWS\system32\wdfcoinstaller01005.dll
2007-08-06 15:10 92,064 --a------ C:\DOCUME~1\Mitch\mqdmmdm.sys
2007-08-06 15:10 9,232 --a------ C:\DOCUME~1\Mitch\mqdmmdfl.sys
2007-08-06 15:10 79,328 --a------ C:\DOCUME~1\Mitch\mqdmserd.sys
2007-08-06 15:10 66,656 --a------ C:\DOCUME~1\Mitch\mqdmbus.sys
2007-08-06 15:10 6,208 --a------ C:\DOCUME~1\Mitch\mqdmcmnt.sys
2007-08-06 15:10 5,936 --a------ C:\DOCUME~1\Mitch\mqdmwhnt.sys
2007-08-06 15:10 4,048 --a------ C:\DOCUME~1\Mitch\mqdmcr.sys
2007-08-06 15:10 <DIR> d-------- C:\Program Files\Common Files\Motorola Shared
2007-08-06 15:07 <DIR> d-------- C:\DOCUME~1\Mitch\APPLIC~1\InstallShield
2007-08-06 13:32 <DIR> d-------- C:\Program Files\Avanquest update
2007-08-06 13:31 25,600 --a------ C:\WINDOWS\system32\drivers\usbser.sys
2007-08-06 13:31 <DIR> d-------- C:\Program Files\Motorola Phone Tools
2007-08-06 13:31 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\BVRP Software
2007-08-06 13:30 25,600 --a------ C:\DOCUME~1\Mitch\usbsermptxp.sys
2007-08-06 13:30 22,768 --a------ C:\DOCUME~1\Mitch\usbsermpt.sys
2007-07-27 14:12 <DIR> d-------- C:\Program Files\Microsoft IntelliType Pro


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-22 16:55 --------- d-------- C:\DOCUME~1\Mitch\APPLIC~1\OpenOffice.org2
2007-08-22 16:40 --------- d-------- C:\Program Files\Trillian
2007-08-19 09:41 --------- d-------- C:\Program Files\Ricochet Lost Worlds Recharged
2007-08-19 09:26 --------- d-------- C:\Program Files\SpywareBlaster
2007-08-13 23:11 --------- d-------- C:\Program Files\Wallpaper Master
2007-08-13 23:00 --------- d-------- C:\Program Files\Norton CleanSweep
2007-08-13 22:58 --------- d-------- C:\Program Files\Kontiki
2007-08-12 09:02 --------- d-------- C:\Program Files\DivX
2007-08-10 08:24 --------- d-------- C:\Program Files\Picasa2
2007-08-06 15:13 0 --ah----- C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2007-08-06 15:13 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_motport_01005.Wdf
2007-08-06 15:13 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
2007-08-06 15:13 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_motccgpfl_01005.Wdf
2007-08-06 15:13 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_motccgp_01005.Wdf
2007-08-06 13:32 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-04 09:15 --------- d-------- C:\DOCUME~1\Mitch\APPLIC~1\DVD Profiler
2007-08-04 09:04 --------- d-------- C:\Program Files\DVD Profiler3.0
2007-07-28 17:50 --------- d-------- C:\Program Files\DVD Profiler
2007-07-21 07:07 --------- d-------- C:\Program Files\Microsoft Works
2007-07-20 09:23 --------- d-------- C:\Program Files\Winamp
2007-07-19 09:21 --------- d-------- C:\DOCUME~1\Mitch\APPLIC~1\dvdcss
2007-07-18 09:53 --------- d-------- C:\DOCUME~1\Mitch\APPLIC~1\IMVU
2007-07-04 14:49 --------- d-------- C:\DOCUME~1\Mitch\APPLIC~1\vlc
2007-07-04 14:46 --------- d-------- C:\Program Files\Citrix
2007-06-26 02:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-25 16:07 --------- d-------- C:\Program Files\VideoLAN
2007-06-19 09:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-13 06:23 1033216 --a------ C:\WINDOWS\explorer.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BD1B1D80-D55A-483B-B54F-4F6EF9524E4C}]
C:\WINDOWS\system32\wmvemoe2.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-08-16 09:16]
"SoundMan"="SOUNDMAN.EXE" [2006-03-01 16:22 C:\WINDOWS\soundman.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"BootSkin Startup Jobs"="C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" [2004-04-26 16:21]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" []
"QD FastAndSafe"="C:\Program Files\Norton CleanSweep\QDCSFS.exe" [1999-04-15 05:00]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 17:41]
"QuickTime Task"="C:\Program Files\QuickTime Alternative\qttask.exe" [2007-04-27 09:41]
"itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [2006-11-21 17:08]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-06-15 19:15]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]
"WallpaperChanger"="C:\Program Files\Wallpaper Master\Wallpaper.exe" [2005-11-08 13:13]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05]
"TivoTransfer"="C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe" [2007-08-06 11:12]
"TivoNotify"="C:\Program Files\TiVo\Desktop\TiVoNotify.exe" [2007-08-06 11:13]
"TivoServer"="C:\Program Files\TiVo\Desktop\TiVoServer.exe" [2007-08-06 11:14]

R2 TivoBeacon2;TiVo Beacon;"C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe" /service
S3 motccgp;Motorola USB Composite Device Driver;C:\WINDOWS\system32\DRIVERS\motccgp.sys
S3 motccgpfl;MotCcgpFlService;C:\WINDOWS\system32\DRIVERS\motccgpfl.sys
S3 motmodem;Motorola USB CDC ACM Driver;C:\WINDOWS\system32\DRIVERS\motmodem.sys
S3 motport;Motorola USB Diagnostic Port;C:\WINDOWS\system32\DRIVERS\motport.sys


Contents of the 'Scheduled Tasks' folder
2007-07-29 06:51:34 C:\WINDOWS\Tasks\Microsoft_Hardware_Launch_IType_exe.job - C:\Program Files\Microsoft IntelliType Pro\itype.exe
2007-08-19 18:14:00 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job
2007-05-15 12:09:09 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job - C:\Program Files\Uniblue\SpeedUpMyPC\SpeedUpMyPC.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-22 17:22:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-22 17:23:51 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-22 17:23

--- E O F ---

And here is the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:28:14 PM, on 8/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Norton CleanSweep\QDCSFS.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Wallpaper Master\Wallpaper.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe
C:\Program Files\TiVo\Desktop\TiVoNotify.exe
C:\Program Files\TiVo\Desktop\TiVoServer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://us.f556.mail.yahoo.com/dc/launch?ac...mp;YY=587475367
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {BD1B1D80-D55A-483B-B54F-4F6EF9524E4C} - C:\WINDOWS\system32\wmvemoe2.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [QD FastAndSafe] C:\Program Files\Norton CleanSweep\QDCSFS.exe /startup /scheduler
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\qttask.exe" -atboottime
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WallpaperChanger] C:\Program Files\Wallpaper Master\Wallpaper.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [TivoTransfer] "C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe" /service /registry /auto:TivoTransfer
O4 - HKCU\..\Run: [TivoNotify] "C:\Program Files\TiVo\Desktop\TiVoNotify.exe" /service /registry /auto:TivoNotify
O4 - HKCU\..\Run: [TivoServer] "C:\Program Files\TiVo\Desktop\TiVoServer.exe" /service /registry /auto:TivoServer
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: AutorunsDisabled
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Mitch\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O15 - Trusted Zone: *.west.com
O15 - Trusted Zone: *.workathomeagent.com
O15 - Trusted Zone: *.workathomeagent.net
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1149444922706
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1149447987062
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D8EE8DC0-F193-11D0-B1E5-08005A885319} (MicroX Persistent Mainframe Display Control) - http://www.workathomeagent.net/walldata/cu...hostexpress.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - http://livenj02.custhelp.com/7530-b327h/rnl/java/RntX.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: TiVo Beacon (TivoBeacon2) - TiVo Inc. - C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe

--
End of file - 7942 bytes

#6 DaveM59

Posted 23 August 2007 - 09:10 PM

Hi again Judi e,

Sorry for the late reply, I had to work late last night and was unable to give much time to your logs.

I don't see much in your Combofix log. The only deletion is a legitimate file (probably); however, it was in the wrong place. Just to be sure, I would like you to submit the file for analysis. It will be found here:

C:\Qoobox\Quarantine\C\Program Files\internet explorer\msimg32.dll

To submit, go to this webpage:

Virustotal

Near the top of the webpage there is a white text box with a Browse button, just click it and navigate to the file, select it, click Open, then back on the web page, click Send.

Virustotal puts the file in a queue and will estimate how long it should take before your file is analyzed. During the analysis you will see the report grow as the file is scanned by each of the programs.

To save the report, highlight the relevant block of text on the web page, then press <Ctrl> - C. Open Notepad and press <Ctrl> - V. Give the file a catchy name like Virustotal.txt and save it to your desktop. I need to see it.

Regarding that wmvemoe2.dll file, if the quarantine dates from February that pretty well rules it out as a source of your current problems. Unless they have been going on for that long, which does not seem likely.

The most interesting items in the Combofix log were all the Motorola cell phone program entries. Could you please explain these to me? It seems like they are recent additions, I wonder if they coincide with the onset of some of your symptoms.

Actually, the right way to fix your modem problem is to uninstall the modem completely. However, before we get into that let's first try to disable the modem service once more and see if that stops it dialing.

Click start, run and type in cmd. Click OK. A command line window will open.

Type in the following line. Be careful to put in the spaces where they belong.

sc stop SLService

Then press <Enter>. You should get several lines of feedback including one saying either "stopped" or "stop pending." If not write down the error message.

If the service stops, then type in the following. Note that there is no space between the t and the equals sign in "start="

sc config SLService start= disabled

Press <Enter>. This time you should get a one line message "ChangeServiceConfig SUCCESS". If you get any other message write that down.

Let me know how this goes, and if either command produces an error message please include it in your reply.

Also tell me whether the modem has stopped dialing, and answer my other questions.

Dave
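The two sc commands above, as an added PowerShell example that is not part of Dave's reply: it stops the service, sets it to Disabled, and returns the resulting state plus the binary path so the result can be checked against the O23 line in the HijackThis log. The service name is a parameter; SLService is the one from the log, and the function name is my own.

```powershell
# Added example (not from the thread): stop and disable a Windows service by
# name, the PowerShell equivalent of "sc stop" and "sc config start= disabled",
# with the checks Dave asks the poster to read off the screen by hand.
function Disable-SuspectService {
    param([Parameter(Mandatory)][string]$Name)

    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if (-not $svc) {
        # sc would print "The specified service does not exist"
        return [pscustomobject]@{ Name = $Name; Found = $false; Status = $null; StartType = $null; Path = $null }
    }

    # Record where the binary lives before touching anything; this is the path
    # the O23 line reports (C:\WINDOWS\SYSTEM32\slserv.exe for SLService).
    $wmi  = Get-CimInstance Win32_Service -Filter "Name='$Name'"
    $path = $wmi.PathName

    if ($svc.Status -ne 'Stopped') {
        # Equivalent of "sc stop": feedback would say STOPPED or STOP_PENDING.
        Stop-Service -Name $Name -Force -ErrorAction Stop
        $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(30))
    }

    # Equivalent of "sc config <name> start= disabled" (ChangeServiceConfig SUCCESS).
    Set-Service -Name $Name -StartupType Disabled

    $svc.Refresh()
    $wmi = Get-CimInstance Win32_Service -Filter "Name='$Name'"
    [pscustomobject]@{
        Name      = $Name
        Found     = $true
        Status    = $svc.Status       # expect Stopped
        StartType = $wmi.StartMode    # expect Disabled
        Path      = $path
    }
}

# Run from an elevated prompt; prints the final state of the modem service.
Disable-SuspectService -Name 'SLService'
```

Disabling the service does not remove the driver; as the reply notes, the modem also needs to be disabled or removed in Device Manager.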

#7 Judi_e (Topic Starter)
Posted 24 August 2007 - 06:27 AM

Dave,

I was only able to do a little of this this morning. The command prompt worked, so I disabled the modem service just fine. My husband then informed me that he had already disabled the modem in the control panel. I don't know if he uninstalled it completely or what he did. Anyway, instead of the computer trying to dial the modem, now it's giving an error because it can't find the modem. He is able to go to one particular myspace page to always try to access the modem, apparently because of some of the embedded videos on the page. Anyway, here's the error he gets:

Error Connecting to Internet connection

Opening port...

Error 797: A connection to the remote computer could not be established because the modem was not found or was busy. For further assistance, click More Info or search Help and Support Center for this error number.


When you click More Info here is what it says:

797: This connection requires a modem. Try the following:

Close all other programs and try again to establish the connection. Another program may be using the modem or the communication port to which the modem is attached.

Make sure that a modem has been installed on your computer. For more information see To Install a Modem.

Make sure that the modem is functioning correctly. For more information see Troubleshooting Modems.


Also of interest....even though I haven't done anything specifically about his keyboard yet, it was working fine this morning.

And yes the Motorola Phone Tools is a recent thing. We got new Razr's on the 4th of this month, and installed that software some time after that. Now that you mention it I think it does coincide with most of these problems. I'll be honest and tell you that it was a pirated copy of the software. Do you think it could be the program itself, or maybe something malicious that was riding along with it?

Hmmmm....the Phone Tools program can be used to connect the computer to the cell phone in order to use the phone as a modem....do you think that could be the issue?

Edited to add: My husband says the keyboard was a problem before Phone Tools was installed. He's uninstalling Phone Tools to see if that fixes the problem with the computer trying to access the modem.

Edited again to add: Uninstalling the phone tools seems to have fixed the issue of the computer trying to access the modem. The one Myspace page that always caused it to try for the modem loaded up just fine with no errors. Hopefully that will be the end of that problem. I'll submit the msimg32.dll file for analysis when I get home.

Thanks so much Dave!!! I wouldn't have even thought about the Phone Tools being the problem!

Edited by Judi_e, 24 August 2007 - 06:46 AM.


#8 Judi_e (Topic Starter)
Posted 24 August 2007 - 04:42 PM

Dave,

OK, I ran the msimg32.dll.vir file through Virustotal. Here is the log file it generated:

Antivirus Version Last Update Result
AhnLab-V3 2007.8.25.0 2007.08.24 -
AntiVir 7.4.1.63 2007.08.24 -
Authentium 4.93.8 2007.08.24 -
Avast 4.7.1029.0 2007.08.24 -
AVG 7.5.0.484 2007.08.24 -
BitDefender 7.2 2007.08.24 -
CAT-QuickHeal 9.00 2007.08.23 -
ClamAV 0.91 2007.08.24 -
DrWeb 4.33 2007.08.24 -
eSafe 7.0.15.0 2007.08.23 -
eTrust-Vet 31.1.5085 2007.08.24 -
Ewido 4.0 2007.08.24 -
FileAdvisor 1 2007.08.24 -
Fortinet 2.91.0.0 2007.08.24 -
F-Prot 4.3.2.48 2007.08.24 -
F-Secure 6.70.13030.0 2007.08.24 -
Ikarus T3.1.1.12 2007.08.24 -
Kaspersky 4.0.2.24 2007.08.24 -
McAfee 5105 2007.08.24 -
Microsoft 1.2803 2007.08.24 -
NOD32v2 2483 2007.08.24 -
Norman 5.80.02 2007.08.24 -
Panda 9.0.0.4 2007.08.24 -
Prevx1 V2 2007.08.24 -
Rising 19.37.42.00 2007.08.24 -
Sophos 4.21.0 2007.08.24 -
Sunbelt 2.2.907.0 2007.08.24 -
Symantec 10 2007.08.24 -
TheHacker 6.1.8.172 2007.08.24 -
VBA32 3.12.2.3 2007.08.24 -
VirusBuster 4.3.26:9 2007.08.24 -
Webwasher-Gateway 6.0.1 2007.08.24 -
Additional information
File size: 53248 bytes
MD5: 028957c2b7205b2b4e1923febd34fd40
SHA1: 83c0b32923d223ffd77c05d53aaf7fe7b0c4dd44

Let me know if there is anything else we need to do here.

Thanks again for all of your help!

#9 DaveM59
Posted 24 August 2007 - 07:28 PM

Hi again,

Hmmmm....the Phone Tools program can be used to connect the computer to the cell phone in order to use the phone as a modem....do you think that could be the issue?


Yes I do, especially after looking at the error description on this webpage.

I think v.Richard (owner of Modemsite and modem guru extraordinaire) pretty much described your situation.

Frankly, if your husband's computer is a desktop, I can't imagine why he would need to have that part of the software installed. I can understand wanting to be able to update and backup your contacts list, maybe install new ringtones or other goodies, but the modem functionality of a cell phone is pretty dismal (read SLOW) from what I have heard.

BTW I'm glad your husband disabled your Smartlink modem in Device Manager. I forgot to mention that when I advised you to disable the service. Sorry for the oversight -- it's been a while since I was on dialup.

I still think a complete removal of the Smartlink software, drivers, and hardware, is the best thing to do if you have no intention of ever using the modem in this computer, but what you have done should guarantee that it can't cause any trouble.

I'll be honest and tell you that it was a pirated copy of the software.


I was thinking that if your scan came up clean on that file, that we could be pretty sure the computer was clean, but piracy and malware go together like a horse and carriage -- or love and marriage, or peas and carrots, if you're too young to know the old song. So, I think we have to put you through a couple more scans just to be sure there's nothing that sneaked onto this machine with that pirated software.

First an online scan. You must use Internet Explorer for this.

First go to the Kaspersky online scanner. Accept the terms, let it install an ActiveX program (since you have XP SP2 this is blocked by default, you must allow it), then accept the terms again, let it download the files (about 8 MB total). Click Next, and select "My Computer" as the scan area. Kaspersky takes a long time but it is very thorough. When it is finished, save the report as a text file (easier to work with than an HTML file) to your desktop.

Then a rootkit scan.

Download gmer.zip and save to your desktop.
alternate download site 1
alternate download site 2
  • Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.)
  • When you have done this, disconnect from the Internet and close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Click on "Settings", then check the first five settings:
    *System Protection and Tracing
    *Processes
    *Save created processes to the log
    *Drivers
    *Save loaded drivers to the log
  • You will be prompted to restart your computer. Please do so.
  • Run Gmer again and click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".
  • Click on the "Scan" and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information in your next reply.
  • Note: If you have any problems, try running GMER in SAFE MODE.
Important! Please do not select the "Show all" checkbox during the scan.

I need to see the Gmer and Kaspersky logs in your next reply. Also please run a fresh HJT scan and include that log as well.

If everything is clean then I can point you to some help for your .NET framework update problem and we can also discuss some other issues, including upgrading your security.

Please be aware, I will be out of town on business until Sunday afternoon, so I will not be able to answer your next post until Sunday evening.

Dave

#10 Judi_e (Topic Starter)
Posted 28 August 2007 - 01:29 PM

Dave,

Sorry, I meant to reply to you over the weekend. I'm actually done working on his computer. He says it's working fine now and he doesn't want me fiddling with it anymore because he thinks something I did messed with some settings in IE. So, fine, it's his computer, he can fix it next time it breaks.

I want to thank everyone here. You have saved my husband's computer more times than I care to count. I'm just done doing it for him, next time he can come ask for help himself.

Thanks again,
Judi

#11 DaveM59
Posted 28 August 2007 - 02:44 PM

Hi again Judi E,

No problem, I know what you mean.

In our family the "computer situation" was a source of sporadic conflict and misunderstanding. It finally got resolved when our kids got my wife a Mac Mini for Christmas a couple of years ago. By mutual agreement, the machines are not networked. If she needs files off the PC I burn a CD. So far she has had no problems, and I can play with the PC to my heart's content.

Be sure and keep your own computer updated and make sure you have a two-way firewall installed -- especially since it is networked to his machine. Here are a couple of links with information on firewalls and other aspects of internet safety:

http://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/

There are more tips found here:

http://users.telenet.be/bluepatchy/miekiem...prevention.html

Good luck and safe computing --

Dave

Since this topic appears to be resolved, it is now closed. If you want it re-opened, please PM me and put the url in your request.

This applies to the original poster only. Everyone else please start a new topic.



