Can't Get Rid Of Xxwtq.dll Vundo Virus File


  • This topic is locked
18 replies to this topic

#1 gwj5035

Posted 27 March 2008 - 09:25 PM

I can't remove xxwtq.dll -- qtwxx.ini -- fcbyyw.dll ( Vundo files) from C:\Winnt\system32. I had other vundo files that were addressed in this posting http://www.bleepingcomputer.com/forums/t/133723/unwanted-pop-ups-adware-ie-freeze-ups/ I did as the "Preparation Guide For Use Before Posting A Hijackthis Log" instructed me. SuperAntiSpyware and BitDefender are the only two Scans that locate the files and neither will delete them. The other two files show up on the Regcure scan, and showed up on the SuperAntiSpyware scan. I thought that SuperAntiSpyware had removed them, but it is still showing on the Regcure scan (I have included snips from the latest scan below).

Two symptoms that I can describe as questionable are: 1) my desktop keeps getting reset (it almost seems like Windows is restarting). Sometimes when this happens the desktop icons don't reappear and the bottom tray is frozen. The only thing I can do is to use Task Manager to reboot, and explorer.exe is always not responding on exit. 2) the recycle bins of both my C: and I: hard drives have hidden folders "C:\RECYCLER\S-1-5-21-4159782051-2014835873-2795487254-1005" (they are hidden files and appear faint on the screen) when you use Windows Explorer to list them. When you click on the Recycle Bin icon and the bin is empty, there is nothing listed. When the properties are listed they both show two files as being in the folder, and I can't access either file to try and delete it.

Besides the Hijackthis log I have also included the last log from the BitDefender scan. It took me about 8 BitDefender scans to finally remove (all that I could) the defective files that were present on my hard drive. Here are the logs:

Regcure Snips

title="Could not resolve title for classID ClassID {FC9F68DA-8485-41AA-9EA3-FA7C639DC486}, error querying default value" resolved-symbol="C:\WINNT\System32\fccbyyw.dll">
value="C:\WINNT\System32\fccbyyw.dll" valuename="" type="File Path" checkedforcleaning="yes" cleaned="yes"/>

******************************************************************
BitDefender Online Scanner
Scan report generated at: Wed, Mar 26, 2008 - 16:40:16

Scan path: C:\Documents and Settings\George\My Documents;C:\Documents and Settings\All Users\Documents;A:\;C:\;D:\;E:\;H:\;J:\;

Statistics
Time 01:15:42
Files 341814
Folders 7691
Boot Sectors 4
Archives 8326
Packed Files 15822
Results
Identified Viruses 2
Infected Files 3
Suspect Files 0
Warnings 0
Disinfected 0
Deleted Files 2
Engines Info
Virus Definitions 1023686
Engine build AVCORE v1.0 (build 2422) (i386) (Sep 25 2007 08:26:36)
Scan plugins 16
Archive plugins 41
Unpack plugins 7
E-mail plugins 6
System plugins 5
Scan Settings
First Action Delete
Second Action None
Heuristics Yes
Enable Warnings Yes
Scanned Extensions *;
Exclude Extensions
Scan Emails Yes
Scan Archives Yes
Scan Packed Yes
Scan Files Yes
Scan Boot Yes
Scanned File Status
C:\WINNT\system32\qtwxx.ini Infected with: Trojan.Vundo.DVS
C:\WINNT\system32\qtwxx.ini Deleted
C:\WINNT\system32\qtwxx.ini2 Infected with: Trojan.Vundo.DVS
C:\WINNT\system32\qtwxx.ini2 Deleted
C:\WINNT\system32\xxwtq.dll Infected with: Trojan.Vundo.ECG
C:\WINNT\system32\xxwtq.dll Delete failed
******************************************************************

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:54:12 PM, on 3/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINNT\system32\devldr32.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\SK9910DM.EXE
C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
C:\WINNT\System32\cisvc.exe
C:\WINNT\System32\CTsvcCDA.exe
C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINNT\system32\wscntfy.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\cidaemon.exe
C:\WINNT\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\George\Desktop\Anti Spyware__AdAware\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/home.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://my.netscape.com/index2.psp"); (C:\Documents and Settings\GEORGE\Application Data\Mozilla\Profiles\default\csx0c7g6.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_02.src"); (C:\Documents and Settings\GEORGE\Application Data\Mozilla\Profiles\default\csx0c7g6.slt\prefs.js)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [EEventManager] C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [MbarInstall] C:\DOCUME~1\George\LOCALS~1\Temp\mrmoney.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKUS\S-1-5-21-4159782051-2014835873-2795487254-1003\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINNT\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINNT\bdoscandel.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll
O16 - DPF: symsupportutil - https://www-secure.symantec.com/techsupp/ac...supportutil.CAB
O16 - DPF: {01CA75F1-054B-4A63-9221-C6926369EC52} (HS_live Control) - http://install.homestead.com/~site/Install...ive/HS_live.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {2357B3CF-7F8D-4451-8D81-FD6097610AEE} (CamfrogWEB Advanced Unicode Control) - http://activex.camfrogweb.com/advanced/2.0..._instmodule.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {38F5F92F-BD40-40DF-A569-6C1FCB638190} (InSPECS3_0 Control) - http://www.powerleap.com/cab_files/InSPECS3_0.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://lms2.clarkson.edu/iNotes6W.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetupml.cab
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs5b.instantservice.com/jars/customerxsigned33.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/partner...nce/install.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.communities.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
O16 - DPF: {CAFEEFAC-0014-0000-0003-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_03) -
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30155.www3.hp.com/ediags/hpfix/sj/.../qdiagh.cab?326
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.exe
O23 - Service: MaxBackServiceInt - Unknown owner - C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
O23 - Service: MaxSyncService (NTService1) - - C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: PictureTaker - LANovation - c:\fixit\pt\PCTKRNT.SYS
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
O24 - Desktop Component 0: (no name) - (no file)

--
End of file - 11316 bytes

Edited by gwj5035, 27 March 2008 - 09:37 PM.


#2 SifuMike

    malware expert

Posted 29 March 2008 - 07:14 PM

Hello gwj5035,

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.
  • Please post the contents of C:\vundofix.txt

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 gwj5035

Posted 30 March 2008 - 09:34 AM

VundoFix found no infections. Log follows:

VundoFix V6.7.10

Checking Java version...

Scan started at 9:34:51 AM 3/30/2008

Listing files found while scanning....

No infected files were found.


Beginning removal...

#4 SifuMike

    malware expert

Posted 30 March 2008 - 12:54 PM

Hi gwj5035,

Download VirtumundoBegone and save it to your desktop.

VirtumundoBegone

Reboot your computer into Safe Mode

Then double click VirtumundoBeGone.exe you just downloaded and follow the instructions.

Exit when it has finished.
Post the log that is created on your desktop called VBG.TXT in your next reply.
Do not worry if you see a BLUE SCREEN "Fatal Error" Message, it is normal and expected.

Edited by SifuMike, 30 March 2008 - 12:55 PM.


#5 gwj5035

Posted 30 March 2008 - 04:15 PM

Ran VundoFix and it found no problems. Log follows:

[03/30/2008, 17:02:43] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\George\Desktop\Anti Spyware__AdAware\VirtumundoBeGone.exe" )
[03/30/2008, 17:02:51] - Detected System Information:
[03/30/2008, 17:02:51] - Windows Version: 5.1.2600, Service Pack 2
[03/30/2008, 17:02:52] - Current Username: George (Admin)
[03/30/2008, 17:02:52] - Windows is in NORMAL mode.
[03/30/2008, 17:02:52] - Searching for Browser Helper Objects:
[03/30/2008, 17:02:52] - BHO 1: AutorunsDisabled ()
[03/30/2008, 17:02:52] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/30/2008, 17:02:52] - No filename found. Continuing.
[03/30/2008, 17:02:52] - BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[03/30/2008, 17:02:52] - BHO 3: {22BF413B-C6D2-4d91-82A9-A0F997BA588C} (Skype add-on (mastermind))
[03/30/2008, 17:02:52] - BHO 4: {53707962-6F74-2D53-2644-206D7942484F} ()
[03/30/2008, 17:02:52] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/30/2008, 17:02:52] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[03/30/2008, 17:02:52] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[03/30/2008, 17:02:52] - BHO 5: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[03/30/2008, 17:02:52] - BHO 6: {AC9DA97D-75BA-4D47-9A36-101104C7DE03} ()
[03/30/2008, 17:02:52] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/30/2008, 17:02:52] - Checking for HKLM\...\Winlogon\Notify\xxwtq
[03/30/2008, 17:02:52] - Key not found: HKLM\...\Winlogon\Notify\xxwtq, continuing.
[03/30/2008, 17:02:52] - BHO 7: {FC9F68DA-8485-41AA-9EA3-FA7C639DC486} ()
[03/30/2008, 17:02:52] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/30/2008, 17:02:52] - No filename found. Continuing.
[03/30/2008, 17:02:52] - Finished Searching Browser Helper Objects
[03/30/2008, 17:02:52] - Finishing up...
[03/30/2008, 17:02:52] - Nothing found! Exiting...
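The VBG.TXT log above walks the registered Browser Helper Objects by CLSID, looks up each one's default name and, for the unnamed ones, checks for a Winlogon\Notify key with the same base name. The script below is an added example (not part of the thread, and not code from VundoFix or VirtumundoBeGone) that performs the same walk in PowerShell and adds the check the log does not show: whether each BHO's DLL is currently loaded in a running process, which is the usual reason an on-demand scanner reports "Delete failed" for a DLL sitting in System32. The two registry paths are the standard IE BHO and Winlogon\Notify locations; the output column names are mine.

```powershell
# Added example; not code from the thread, VundoFix or VirtumundoBeGone.
# Walks the Browser Helper Objects registered for Internet Explorer the way the
# VBG.TXT log does (CLSID -> default name -> Winlogon\Notify check) and also
# reports whether each BHO's DLL is currently loaded in a running process.
# Read-only: it deletes nothing. Run from an elevated PowerShell prompt so the
# module lists of system processes (winlogon.exe, explorer.exe) are readable.

$BhoRoot    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
$NotifyRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'

function Get-LoadedModuleMap {
    # Lower-cased module path -> list of "process:pid" that have it mapped.
    # Processes that refuse access are skipped, so a miss means "not seen",
    # not proof that the DLL is unloaded.
    $map = @{}
    foreach ($proc in Get-Process -ErrorAction SilentlyContinue) {
        try {
            foreach ($module in $proc.Modules) {
                if (-not $module.FileName) { continue }
                $path = $module.FileName.ToLowerInvariant()
                if (-not $map.ContainsKey($path)) { $map[$path] = @() }
                $map[$path] += ('{0}:{1}' -f $proc.ProcessName, $proc.Id)
            }
        } catch { }
    }
    return $map
}

function Get-BhoReport {
    if (-not (Test-Path $BhoRoot)) { return }
    $loaded = Get-LoadedModuleMap

    foreach ($bho in Get-ChildItem -Path $BhoRoot) {
        $clsid = $bho.PSChildName
        # HKCR merges HKLM\Software\Classes with HKCU\Software\Classes, so a
        # per-user COM registration is resolved as well.
        $clsidKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
        $name = (Get-ItemProperty -Path $clsidKey -ErrorAction SilentlyContinue).'(default)'
        $dll  = (Get-ItemProperty -Path "$clsidKey\InprocServer32" -ErrorAction SilentlyContinue).'(default)'

        $fileExists = $false
        $notifyHit  = $false
        $loadedIn   = ''
        if ($dll) {
            $fileExists = Test-Path -LiteralPath $dll
            # Same check VirtumundoBeGone logs: a Winlogon\Notify key named after
            # the DLL means winlogon.exe loads it at boot, before any scanner runs.
            $baseName  = [IO.Path]::GetFileNameWithoutExtension($dll)
            $notifyHit = Test-Path (Join-Path $NotifyRoot $baseName)
            $lower = $dll.ToLowerInvariant()
            if ($loaded.ContainsKey($lower)) { $loadedIn = $loaded[$lower] -join ', ' }
        }
        if (-not $name) { $name = '(no default name)' }

        New-Object PSObject -Property @{
            Name           = $name
            CLSID          = $clsid
            Dll            = $dll
            FileExists     = $fileExists
            WinlogonNotify = $notifyHit
            LoadedIn       = $loadedIn
        }
    }
}

Get-BhoReport |
    Select-Object Name, CLSID, Dll, FileExists, WinlogonNotify, LoadedIn |
    Format-Table -AutoSize -Wrap
```

A BHO with no default name, a Winlogon\Notify key matching its base name, or a DLL reported as loaded in winlogon.exe or explorer.exe is a line worth a close look, but none of those alone is proof of infection: the log above itself lists a legitimate unnamed BHO (the SDHelper entry). A DLL that shows up in LoadedIn cannot be deleted from a normal session, which is why the removal tools in this thread reboot or run from Safe Mode before touching files.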

#6 SifuMike

    malware expert

Posted 30 March 2008 - 04:46 PM

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Sun Java Runtime Environment 6 Update 5.
  • Scroll down to where it says "Sun Java Runtime Environment 6 Update 5".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation, Multi-language jre-6u5-windows-i586.exe and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
    Examples of older versions in Add or Remove Programs:
    Java 2 Runtime Environment, SE v1.4.2
    J2SE Runtime Environment 5.0
    J2SE Runtime Environment 5.0 Update 6
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u5-windows-i586-p.exe to install the newest version.

Reboot your computer, post a fresh Hijackthis log and tell me how your computer is running.
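The clean-up steps above rely on Add/Remove Programs to show every old Java runtime. The script below is an added example (not from the thread) with two read-only checks in PowerShell: it lists every uninstall entry whose display name contains "Java" or "J2SE", and it decodes the per-version Java Plug-in ActiveX registrations, whose class ID {CAFEEFAC-00xx-00yy-00zz-ABCDEFFEDCBA} encodes JRE version 1.xx.yy_zz (the three O16 lines for JRE 1.4.x in the first HijackThis log are registrations of this kind with no file behind them). It assumes 32-bit Windows as in the thread; the Wow6432Node path is an addition that only matters on 64-bit hosts.

```powershell
# Added example; not code from the thread. Read-only: it uninstalls nothing.
# 1) Every Add/Remove Programs entry whose name contains "Java" or "J2SE".
# 2) Every per-version Java Plug-in CLSID {CAFEEFAC-00xx-00yy-00zz-ABCDEFFEDCBA},
#    decoded to JRE version 1.xx.yy_zz, with the DLL it points to and whether
#    that file still exists. Assumes 32-bit Windows as in the thread; the
#    Wow6432Node path only matters on 64-bit hosts.

$UninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

function Get-InstalledJava {
    foreach ($root in $UninstallRoots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($key in Get-ChildItem -Path $root) {
            $p = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
            if (-not $p.DisplayName) { continue }
            if ($p.DisplayName -notmatch 'Java|J2SE') { continue }
            New-Object PSObject -Property @{
                DisplayName     = $p.DisplayName
                DisplayVersion  = $p.DisplayVersion
                UninstallString = $p.UninstallString
            }
        }
    }
}

function Get-JavaPluginClsids {
    # The static Java Plug-in class IDs embed the version as three decimal fields.
    $pattern = '^\{CAFEEFAC-00(\d\d)-00(\d\d)-00(\d\d)-ABCDEFFEDCBA\}$'
    foreach ($key in Get-ChildItem -Path 'Registry::HKEY_CLASSES_ROOT\CLSID') {
        if ($key.PSChildName -match $pattern) {
            $version = '1.{0}.{1}_{2}' -f [int]$Matches[1], [int]$Matches[2], $Matches[3]
            $dll = (Get-ItemProperty -Path (Join-Path $key.PSPath 'InprocServer32') -ErrorAction SilentlyContinue).'(default)'
            $exists = $false
            if ($dll) { $exists = Test-Path -LiteralPath $dll }
            New-Object PSObject -Property @{
                Version    = $version
                CLSID      = $key.PSChildName
                Dll        = $dll
                FileExists = $exists
            }
        }
    }
}

'== Java entries in Add/Remove Programs =='
Get-InstalledJava | Select-Object DisplayName, DisplayVersion, UninstallString | Format-Table -AutoSize -Wrap

'== Java Plug-in CLSIDs (FileExists False = registration left behind) =='
Get-JavaPluginClsids | Sort-Object Version | Select-Object Version, CLSID, Dll, FileExists | Format-Table -AutoSize -Wrap
```

Every runtime in the first table other than the one just installed is a removal candidate, exactly as the steps above say. Plug-in CLSIDs whose FileExists column is False are leftovers of versions already uninstalled; they are harmless on their own but tell an attacker's page which JRE versions the browser used to have, and they are the same entries HijackThis lists as O16 lines with no path.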

#7 gwj5035

Posted 31 March 2008 - 12:05 AM

I got rid of the expired version of Java and installed the latest version. I then generated the Hijackthis log and am including it.

There still seems to be a problem with the vundo file xxwtq.dll. The only program that seems to find this file is SuperAntiSpyware. After the scan is complete and the program restarts the computer, Windows starts up to a point. Right after the Windows screen (the one with the blue squares running across the screen) is finished, the screen goes black for an instant and then the entire screen becomes blue with some text on it. The blue screen with the text doesn't appear long enough to read anything, and then the screen goes black again. It almost seems as though the blue screen with the text has an error message with a code. The next thing that happens is the safe mode screen appears without me pressing the F8 key. The only way to get the computer to boot is to choose "Last Known Good Configuration" for start up, and the computer boots up into Windows. I have included the SuperAntiSpyware log along with the Hijack log.

The other thing that didn't seem normal was after installing Java. The computer rebooted and then opened MSIE to a registration screen. At this point there must have been 5 to 6 pop-up screens (the kind that just loop when you try to get rid of them) appear, and I had to use the task manager to shut them off. It seems that MSIE is causing most of my problems. For years I have been using Netscape as my browser and never had problems. When Netscape notified me of not supporting security after March 1st, I started using MSIE and have had nothing but trouble ever since. As soon as we get this computer back to normal I am going to install Firefox. OK, rant is over. Here are the logs:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/30/2008 at 10:00 PM

Application Version : 4.0.1154

Core Rules Database Version : 3427
Trace Rules Database Version: 1419

Scan type : Complete Scan
Total Scan Time : 00:11:36

Memory items scanned : 188
Memory threats detected : 1
Registry items scanned : 6616
Registry threats detected : 0
File items scanned : 4799
File threats detected : 32

Adware.Vundo Variant/Resident
C:\WINNT\SYSTEM32\XXWTQ.DLL
C:\WINNT\SYSTEM32\XXWTQ.DLL

Adware.Tracking Cookie
C:\Documents and Settings\George\Cookies\george@html[1].txt
C:\Documents and Settings\George\Cookies\george@advancedcleaner[1].txt
C:\Documents and Settings\George\Cookies\george@statse.webtrendslive[1].txt
C:\Documents and Settings\George\Cookies\george@systemerrorfixer[1].txt
C:\Documents and Settings\George\Cookies\george@hitbox[2].txt
C:\Documents and Settings\George\Cookies\george@e-2dj6wjkyahczolp.stats.esomniture[2].txt
C:\Documents and Settings\George\Cookies\george@atwola[2].txt
C:\Documents and Settings\George\Cookies\george@ad.yieldmanager[1].txt
C:\Documents and Settings\George\Cookies\george@ads.pointroll[1].txt
C:\Documents and Settings\George\Cookies\george@adopt.euroclick[1].txt
C:\Documents and Settings\George\Cookies\george@ads.addynamix[1].txt
C:\Documents and Settings\George\Cookies\george@adrevolver[2].txt
C:\Documents and Settings\George\Cookies\george@counter.marketplaceadvisor.channeladvisor[1].txt
C:\Documents and Settings\George\Cookies\george@secure.systemerrorfixer[1].txt
C:\Documents and Settings\George\Cookies\george@specificclick[1].txt
C:\Documents and Settings\George\Cookies\george@ads.sun[1].txt
C:\Documents and Settings\George\Cookies\george@mediaplex[2].txt
C:\Documents and Settings\George\Cookies\george@bp.specificclick[1].txt
C:\Documents and Settings\George\Cookies\george@ehg-dig.hitbox[2].txt
C:\Documents and Settings\George\Cookies\george@apmebf[1].txt
C:\Documents and Settings\George\Cookies\george@revsci[1].txt
C:\Documents and Settings\George\Cookies\george@2o7[1].txt
C:\Documents and Settings\George\Cookies\george@advertising[3].txt
C:\Documents and Settings\George\Cookies\george@e-2dj6wfkiehajmlp.stats.esomniture[2].txt
C:\Documents and Settings\George\Cookies\george@questionmarket[1].txt
C:\Documents and Settings\George\Cookies\george@msnportal.112.2o7[1].txt
C:\Documents and Settings\George\Cookies\george@media.adrevolver[1].txt
C:\Documents and Settings\George\Cookies\george@adrevolver[1].txt
C:\Documents and Settings\George\Cookies\george@adnetserver[1].txt
C:\Documents and Settings\George\Cookies\george@atdmt[2].txt
C:\Documents and Settings\George\Cookies\george@tacoda[1].txt

******************************************************

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:12:45 PM, on 3/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINNT\system32\devldr32.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\SK9910DM.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINNT\System32\cisvc.exe
C:\WINNT\System32\CTsvcCDA.exe
C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINNT\system32\wscntfy.exe
C:\WINNT\system32\taskmgr.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\System32\svchost.exe
C:\Documents and Settings\George\Desktop\Anti Spyware__AdAware\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/home.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
N3 - Netscape 7: # Mozilla User Preferences

/* Do not edit this file.
*
* If you make changes to this file while the browser is running,
* the changes will be overwritten when the browser exits.
*
* To make a manual change to preferences, you can visit the URL about:config
* For more information, see http://www.mozilla.org/unix/customizing.html#prefs
*/

user_pref("38737567.aim.session.autologin", false);
user_pref("38737567.aim.session.connectionname", "ICQ");
user_pref("38737567.aim.session.firstsignon", false);
user_pref("38737567.aim.session.password", "0");
user_pref("38737567.aim.session.storepassword", false);
user_pref("KickMeK8.aim.session.autologin", false);
user_pref("KickMeK8.aim.session.connectionname", "AIM");
user_pref("KickMeK8.aim.session.firstsignon", false);
user_pref("KickMeK8.aim.session.password", "0");
user_pref("KickMeK8.aim.session.storepassword", false);
user_pref("Megami01Ai.aim.session.autologin", false);
user_pref("Megami01Ai.aim.session.connectionname", "AIM");
user_pref(
N3 - Netscape 7: # Mozilla User Preferences

/* Do not edit this file.
*
* If you make changes to this file while the browser is running,
* the changes will be overwritten when the browser exits.
*
* To make a manual change to preferences, you can visit the URL about:config
* For more information, see http://www.mozilla.org/unix/customizing.html#prefs
*/

user_pref("38737567.aim.session.autologin", false);
user_pref("38737567.aim.session.connectionname", "ICQ");
user_pref("38737567.aim.session.firstsignon", false);
user_pref("38737567.aim.session.password", "0");
user_pref("38737567.aim.session.storepassword", false);
user_pref("KickMeK8.aim.session.autologin", false);
user_pref("KickMeK8.aim.session.connectionname", "AIM");
user_pref("KickMeK8.aim.session.firstsignon", false);
user_pref("KickMeK8.aim.session.password", "0");
user_pref("KickMeK8.aim.session.storepassword", false);
user_pref("Megami01Ai.aim.session.autologin", false);
user_pref("Megami01Ai.aim.session.connectionname", "AIM");
user_pref(
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINNT\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINNT\bdoscandel.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll
O16 - DPF: symsupportutil - https://www-secure.symantec.com/techsupp/ac...supportutil.CAB
O16 - DPF: {01CA75F1-054B-4A63-9221-C6926369EC52} (HS_live Control) - http://install.homestead.com/~site/Install...ive/HS_live.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {2357B3CF-7F8D-4451-8D81-FD6097610AEE} (CamfrogWEB Advanced Unicode Control) - http://activex.camfrogweb.com/advanced/2.0..._instmodule.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {38F5F92F-BD40-40DF-A569-6C1FCB638190} (InSPECS3_0 Control) - http://www.powerleap.com/cab_files/InSPECS3_0.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://lms2.clarkson.edu/iNotes6W.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetupml.cab
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs5b.instantservice.com/jars/customerxsigned33.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/partner...nce/install.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.communities.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
O16 - DPF: {CAFEEFAC-0014-0000-0003-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_03) -
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30155.www3.hp.com/ediags/hpfix/sj/.../qdiagh.cab?326
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.exe
O23 - Service: MaxBackServiceInt - Unknown owner - C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
O23 - Service: MaxSyncService (NTService1) - - C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: PictureTaker - LANovation - c:\fixit\pt\PCTKRNT.SYS
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
O24 - Desktop Component 0: (no name) - (no file)

--
End of file - 12178 bytes

#8 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:08:22 AM

Posted 31 March 2008 - 12:15 AM

We will run ComboFix.

You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of an expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.


You need to disable your AVAST Antivirus before running ComboFix, as it will prevent it from running.


To disable avast antivirus:
Right click on the avast! icon in the system tray and choose (Stop On-Access Protection)




Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

To work properly, you must install ComboFix on the Desktop. <== IMPORTANT

Install the Windows XP Recovery Console if you have not installed it yet. <== IMPORTANT

You DO NOT need to have the Windows CD to install Recovery Console!

When Recovery Console installs correctly, ComboFix will give you a log like this:

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons




We need Recovery Console because malware damages a lot and causes an unstable system - and because of that, it may happen that your computer won't be able to boot anymore. With the Recovery Console installed, there are extra options present to repair whatever malware damaged.
Also, even though you're not infected, the presence of the Recovery Console is a useful feature in case a computer won't boot anymore because of several other reasons. Read here what you can do with the Recovery Console.

Extra note: After you have installed the Recovery Console - if you reboot your computer, right after reboot, you'll see the option for the Recovery Console now as well.
Don't select to run the Recovery Console as we don't need it.
By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows.


Post the ComboFix log.

Edited by SifuMike, 31 March 2008 - 12:20 AM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
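The boot.ini ComboFix echoes once the Recovery Console is installed (quoted above) can be checked mechanically. This added example is not from the thread or from ComboFix: it parses that boot.ini text, reports the menu timeout and default OS the post describes, and says whether a /cmdcons entry is present. The function names and the second, console-less sample are my own constructions.

```python
"""Parse a Windows XP boot.ini and confirm the Recovery Console entry.

Added example, not code from the original thread or from ComboFix: it reads
the boot.ini text that ComboFix echoes once the Recovery Console is installed
(as quoted in the post above) and reports the menu timeout, the default OS
and whether a /cmdcons entry is present. Pure Python, no Windows APIs.
"""
import re

# Constructed sample: the boot.ini shown in the post, with Recovery Console installed.
BOOT_INI_WITH_CMDCONS = r"""[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
"""

# Constructed sample: the same machine before the Recovery Console was installed.
BOOT_INI_WITHOUT_CMDCONS = r"""[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
"""

# One [operating systems] line: <ARC path or file>="<menu name>" <switches...>
_ENTRY_RE = re.compile(r'^(?P<path>[^=]+)="(?P<name>[^"]*)"(?P<switches>.*)$')


def parse_boot_ini(text):
    """Return timeout, default ARC path and the list of boot entries."""
    info = {"timeout": None, "default": None, "entries": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()  # [boot loader] / [operating systems]
            continue
        if section == "boot loader":
            key, _, value = line.partition("=")
            key, value = key.strip().lower(), value.strip()
            if key == "timeout":
                info["timeout"] = int(value)
            elif key == "default":
                info["default"] = value
        elif section == "operating systems":
            m = _ENTRY_RE.match(line)
            if m:
                info["entries"].append({
                    "path": m.group("path").strip(),
                    "name": m.group("name"),
                    "switches": m.group("switches").split(),
                })
    return info


def recovery_console_entry(info):
    """Return the Recovery Console entry (the /cmdcons line) or None."""
    for entry in info["entries"]:
        if "/cmdcons" in entry["switches"]:
            return entry
    return None


def boot_menu_summary(text):
    """Summarise what the boot menu will do, as the post describes it."""
    info = parse_boot_ini(text)
    default = next((e for e in info["entries"] if e["path"] == info["default"]), None)
    console = recovery_console_entry(info)
    return {
        "timeout_seconds": info["timeout"],
        "default_name": default["name"] if default else None,
        "recovery_console": console is not None,
        "recovery_console_file": console["path"] if console else None,
    }


if __name__ == "__main__":
    for label, ini in (("with", BOOT_INI_WITH_CMDCONS), ("without", BOOT_INI_WITHOUT_CMDCONS)):
        print(label, boot_menu_summary(ini))
```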

#9 gwj5035 (Topic Starter)

Posted 31 March 2008 - 10:02 AM

Everything went fine except I could not get the Recovery Console installed. Every time I tried to drag the Windows icon over the ComboFix icon the ComboFix program would launch and then the ComboFix icon would disappear. I would then have to download the ComboFix program back to the desktop. It did not matter which mouse switch I tried, I just couldn't make it happen. I gave up knowing that if I looked hard enough I would find the original Windows XP CD.

I don't know that much about Windows XP but this is what I would like to be able to do until I get FireFox installed. Disable IE6 with the ability to enable it if I need to. With IE6 disabled I would like to be able to run MSN Explorer and Netscape. I am pretty sure that Netscape will run with IE6 disabled.

My other question is in reference to installing Windows XP updates. I have SP2 installed and there are about 60 some update files waiting to be downloaded/installed. They might already be downloaded but not installed. I read that if you are having the problems like I have, no Update Files should be installed until Virus/Malware problems are fixed. The word that they are fixed is to come from an expert like you. By the way, thanks for all of the help so far and especially the speed at which this help is coming down to me.

*****************************************
ComboFix 08-03-30.3 - George 2008-03-31 10:12:47.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.659 [GMT -5:00]
Running from: C:\Documents and Settings\George\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\WINNT\BM23c2eaa7.xml
C:\WINNT\cookies.ini
C:\WINNT\pskt.ini
C:\WINNT\system32\aofygofs.ini
C:\WINNT\system32\ceekahke.ini
C:\WINNT\system32\fnuubljs.ini
C:\WINNT\system32\jlkmp.ini
C:\WINNT\system32\jlkmp.ini2
C:\WINNT\system32\jrpgcmou.ini
C:\WINNT\system32\ltnxpnmr.ini
C:\WINNT\system32\ndurevxe.ini
C:\WINNT\system32\qtwxx.ini
C:\WINNT\system32\qtwxx.ini2
C:\WINNT\system32\rcrypwbg.ini
C:\WINNT\system32\xxwtq.dll

----- BITS: Possible infected sites -----

hxxp://80.93.48.74
.
((((((((((((((((((((((((( Files Created from 2008-02-28 to 2008-03-31 )))))))))))))))))))))))))))))))
.

2008-03-30 21:31 . 2008-03-30 21:31 <DIR> d-------- C:\Program Files\Sun
2008-03-30 21:31 . 2008-02-22 02:33 69,632 --a------ C:\WINNT\system32\javacpl.cpl
2008-03-30 21:27 . 2008-03-30 21:30 <DIR> d-------- C:\Program Files\Java
2008-03-30 03:41 . 2008-03-30 03:42 1,583,637 ---hs---- C:\WINNT\system32\jscflceg.ini
2008-03-25 12:33 . 2008-03-29 10:21 <DIR> d-------- C:\WINNT\BDOSCAN8
2008-03-25 12:21 . 2008-03-25 12:23 <DIR> d-------- C:\WINNT\system32\ActiveScan
2008-03-25 12:21 . 2008-03-25 12:22 30,590 --a------ C:\WINNT\system32\pavas.ico
2008-03-25 12:21 . 2008-03-25 12:22 2,550 --a------ C:\WINNT\system32\Uninstall.ico
2008-03-25 12:21 . 2008-03-25 12:22 1,406 --a------ C:\WINNT\system32\Help.ico
2008-03-25 12:12 . 2008-03-25 12:12 <DIR> d-------- C:\Documents and Settings\George\.housecall6.6
2008-03-23 15:00 . 2005-03-02 13:09 577,024 --a------ C:\WINNT\system32\dllcache\user32.dll
2008-03-15 16:50 . 2008-03-15 16:50 <DIR> d-------- C:\WINNT\system32\LogFiles
2008-03-14 13:03 . 2008-03-14 13:03 <DIR> d-------- C:\WINNT\peernet
2008-03-14 12:42 . 2008-03-14 12:42 1,840 --a------ C:\WINNT\system32\PerfStringBackup.TMP
2008-03-14 09:55 . 2007-06-30 22:31 2,455,488 --------- C:\WINNT\system32\dllcache\ieapfltr.dat
2008-03-14 09:55 . 2007-06-30 22:36 991,232 --------- C:\WINNT\system32\dllcache\ieframe.dll.mui
2008-03-11 13:30 . 2008-03-11 13:30 0 --a----t- C:\WINNT\003672_.tmp
2008-03-11 12:23 . 2006-07-13 08:33 8,453,632 --------- C:\WINNT\system32\dllcache\shell32.dll
2008-03-11 12:21 . 2006-03-17 00:04 8,351,232 --a------ C:\WINNT\system32\shell32(2)(2).dll
2008-03-11 12:15 . 2004-08-04 02:56 526,848 --------- C:\WINNT\system32\p2psvc.dll
2008-03-11 12:14 . 2004-08-04 00:41 404,990 --------- C:\WINNT\system32\drivers\slntamr.sys
2008-03-11 12:13 . 2004-08-04 02:56 1,888,992 --------- C:\WINNT\system32\ati3duag.dll
2008-03-11 12:03 . 2005-06-28 10:21 22,752 --a------ C:\WINNT\system32\spupdsvc.exe
2008-03-08 15:12 . 2007-06-28 23:43 123,602 --a------ C:\WINNT\system32\nvapps.nvb
2008-03-03 18:01 . 2008-03-03 18:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-03-03 18:01 . 2007-11-14 16:05 1,086,952 --a------ C:\WINNT\system32\zpeng24.dll
2008-03-03 18:01 . 2007-11-14 16:05 75,248 --a------ C:\WINNT\zllsputility.exe
2008-03-03 18:01 . 2004-04-27 04:40 11,264 --a------ C:\WINNT\system32\SpOrder.dll
2008-03-02 02:28 . 2008-03-02 02:28 <DIR> d-------- C:\WINNT\ERUNT
2008-03-02 02:11 . 2008-03-02 02:11 <DIR> d-------- C:\SDFix
2008-03-01 14:22 . 2008-03-27 09:25 <DIR> d-------- C:\VundoFix Backups
2008-02-29 12:54 . 2008-03-23 11:12 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-02-29 12:54 . 2008-02-29 12:54 <DIR> d-------- C:\Documents and Settings\George\Application Data\SUPERAntiSpyware.com
2008-02-29 12:54 . 2008-02-29 12:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-29 00:18 . 2008-02-29 00:18 <DIR> d-------- C:\Program Files\Lavasoft
2008-02-29 00:18 . 2008-02-29 00:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-28 20:25 . 2008-02-28 20:25 406 --a------ C:\WINNT\system32\ioloBootDefrag.cfg
2008-02-28 20:14 . 2008-02-28 20:14 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\iolo
2008-02-28 20:12 . 2008-02-28 20:12 74,703 --a------ C:\WINNT\system32\mfc45.dll
2008-02-27 18:23 . 2008-02-27 18:23 <DIR> d-------- C:\WINNT\provisioning
2008-02-27 15:45 . 2006-08-16 07:14 83,456 --a------ C:\WINNT\system32\iphlpapi(4).dll
2008-02-27 15:45 . 2006-08-16 07:14 83,456 --a------ C:\WINNT\system32\iphlpapi(3).dll
2008-02-27 15:45 . 2006-08-16 07:14 70,656 --a------ C:\WINNT\system32\ws2_32(3).dll
2008-02-27 12:51 . 2006-06-22 00:19 1,350,144 --a------ C:\WINNT\system32\query(3).dll
2008-02-27 12:51 . 2006-06-22 00:19 1,350,144 --a------ C:\WINNT\system32\query(2).dll
2008-02-27 12:47 . 2006-07-13 08:46 8,353,280 --a------ C:\WINNT\system32\shell32(6).dll
2008-02-27 12:47 . 2006-07-13 08:46 8,353,280 --a------ C:\WINNT\system32\shell32(5).dll
2008-02-27 12:47 . 2006-07-13 08:46 8,353,280 --a------ C:\WINNT\system32\shell32(4).dll
2008-02-27 12:47 . 2006-07-13 08:46 8,353,280 --a------ C:\WINNT\system32\shell32(3).dll
2008-02-27 12:47 . 2005-08-22 13:36 154,624 --a------ C:\WINNT\system32\netman(4).dll
2008-02-27 12:47 . 2005-08-22 13:36 154,624 --a------ C:\WINNT\system32\netman(3).dll
2008-02-27 12:44 . 2005-10-20 17:33 991,232 --a------ C:\WINNT\system32\esent(4).dll
2008-02-27 12:44 . 2005-10-20 17:33 991,232 --a------ C:\WINNT\system32\esent(3).dll
2008-02-27 12:42 . 2006-07-14 10:53 307,200 --a------ C:\WINNT\system32\netapi32(4).dll
2008-02-27 12:42 . 2006-07-14 10:53 307,200 --a------ C:\WINNT\system32\netapi32(3).dll
2008-02-27 10:14 . 2008-02-28 20:25 <DIR> d-------- C:\Documents and Settings\George\Application Data\iolo
2008-02-27 10:14 . 2008-02-28 20:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\iolo
2008-02-26 11:37 . 2008-02-28 12:36 <DIR> d-------- C:\Program Files\CCleaner
2008-02-07 07:07 . 2008-02-07 07:58 <DIR> d-------- C:\Program Files\RegCure
2008-02-05 14:06 . 2008-02-05 14:06 97,216 --a------ C:\WINNT\system32\drivers\AnyDVD.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-31 14:28 119,168 ----a-w C:\Documents and Settings\George\Application Data\GDIPFONTCACHEV1.DAT
2008-03-31 02:08 --------- d-----w C:\Program Files\Java Web Start
2008-03-21 03:17 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-21 03:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-16 14:36 --------- d-----w C:\Program Files\Qimage
2008-03-15 18:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-03-02 19:25 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-29 17:53 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-02-29 07:17 --------- d-----w C:\Program Files\RegistryFix
2008-02-27 16:18 --------- d-----w C:\Program Files\THE Rename
2008-02-27 16:18 --------- d-----w C:\Program Files\Security Task Manager
2008-02-27 16:18 --------- d-----w C:\Program Files\PC-Doctor for Windows
2008-02-27 16:18 --------- d-----w C:\Program Files\Microsoft Works
2008-02-27 16:18 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-27 16:18 --------- d-----w C:\Program Files\Avery Wizard
2008-02-23 14:44 --------- d-----w C:\Program Files\Raw Therapee
2008-01-29 14:46 --------- d-----w C:\Documents and Settings\George\Application Data\MSN6
2008-01-28 13:22 --------- d-----w C:\Documents and Settings\George\Application Data\Viewpoint
2008-01-28 13:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-01-09 20:01 53,248 ----a-w C:\WINNT\bdoscandel.exe
2006-12-26 16:01 1,151 ---ha-w C:\Documents and Settings\George\hpothb07.dat
2006-01-13 01:10 30 ----a-w C:\Program Files\Exiferupdate.ini
.

------- Sigcheck -------

2001-08-18 13:00 12800 0f7d9c87b0ce1fa520473119752c6f79 C:\WINNT\$NtServicePackUninstall$\svchost.exe
2004-08-04 02:56 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINNT\ServicePackFiles\i386\svchost.exe
2004-08-04 02:56 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINNT\SoftwareDistribution\Download\9ded4ee34a35fced0033d3e152a36e0e\svchost.exe
2004-08-04 02:56 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINNT\system32\svchost.exe

2006-08-16 07:14 70656 7b6a08441a4f11320421599d7ecf8d41 C:\WINNT\$NtServicePackUninstall$\ws2_32.dll
2001-08-18 13:00 75264 8529c295df59b564d37a73b5629162b1 C:\WINNT\$NtUninstallKB914388_0$\ws2_32.dll
2006-05-19 07:15 70656 3748e0fc8c1b6ada49f98c8e69a4228c C:\WINNT\$NtUninstallKB922819_0$\ws2_32.dll
2004-08-04 02:56 82944 2ed0b7f12a60f90092081c50fa0ec2b2 C:\WINNT\ServicePackFiles\i386\ws2_32.dll
2004-08-04 02:56 82944 2ed0b7f12a60f90092081c50fa0ec2b2 C:\WINNT\SoftwareDistribution\Download\9ded4ee34a35fced0033d3e152a36e0e\ws2_32.dll
2004-08-04 02:56 82944 2ed0b7f12a60f90092081c50fa0ec2b2 C:\WINNT\system32\ws2_32.dll

2006-06-23 11:33 575488 7e7760c7f263ec7a740ee265b263f770 C:\WINNT\$NtServicePackUninstall$\wininet.dll
2004-02-06 17:05 588288 4f64d1df989e3aa2fad91a2f1167b9c7 C:\WINNT\$NtUninstallKB889293-IE6SP1-20041111.235619$\wininet.dll
2004-08-23 19:32 589312 01893ed35886aff539b58a025736f7ed C:\WINNT\$NtUninstallKB918899-IE6SP1-20060725.123917$\wininet.dll
2004-08-04 02:56 656384 c0823fc5469663ba63e7db88f9919d70 C:\WINNT\ServicePackFiles\i386\wininet.dll
2004-08-04 02:56 656384 c0823fc5469663ba63e7db88f9919d70 C:\WINNT\SoftwareDistribution\Download\9ded4ee34a35fced0033d3e152a36e0e\wininet.dll
2007-10-10 18:56 824832 30c1e0f34ad2972c72a01db5c74ab065 C:\WINNT\SoftwareDistribution\Download\e3709fbfd9557a7d083f543d51d38612\SP2GDR\wininet.dll
2007-10-10 18:47 825344 0e5d918f87efa7d2424d66b499c7eb04 C:\WINNT\SoftwareDistribution\Download\e3709fbfd9557a7d083f543d51d38612\SP2QFE\wininet.dll
2007-12-06 21:21 824832 806d274c9a6c3aaea5eae8e4af841e04 C:\WINNT\SoftwareDistribution\Download\e5a204b08ee9dd0f7a20547e61486b27\SP2GDR\wininet.dll
2007-12-06 21:01 825344 b5b411bb229ae6ead7652a32ed47bfb9 C:\WINNT\SoftwareDistribution\Download\e5a204b08ee9dd0f7a20547e61486b27\SP2QFE\wininet.dll
2004-08-04 02:56 656384 c0823fc5469663ba63e7db88f9919d70 C:\WINNT\system32\wininet.dll

2004-05-26 20:38 483328 e7f9d2e4e4a94a6f58014e5ffa16a65e C:\WINNT\$NtServicePackUninstall$\winlogon.exe
2002-08-29 05:41 516608 2246d8d8f4714a2cedb21ab9b1849abb C:\WINNT\$NtUninstallKB841533$\winlogon.exe
2004-08-04 02:56 502272 01c3346c241652f43aed8e2149881bfe C:\WINNT\ServicePackFiles\i386\winlogon.exe
2004-08-04 02:56 502272 01c3346c241652f43aed8e2149881bfe C:\WINNT\SoftwareDistribution\Download\9ded4ee34a35fced0033d3e152a36e0e\winlogon.exe
2004-08-04 02:56 502272 01c3346c241652f43aed8e2149881bfe C:\WINNT\system32\winlogon.exe

2003-10-04 02:54 168192 d999ce17681d7d074d534fc5bc662e0a C:\WINNT\$NtServicePackUninstall$\ndis.sys
2002-08-29 04:09 167552 3b350e5a2a5e951453f3993275a4523a C:\WINNT\$NtUninstallKB826942$\ndis.sys
2004-08-04 01:14 182912 558635d3af1c7546d26067d5d9b6959e C:\WINNT\ServicePackFiles\i386\ndis.sys
2004-08-04 01:14 182912 558635d3af1c7546d26067d5d9b6959e C:\WINNT\SoftwareDistribution\Download\9ded4ee34a35fced0033d3e152a36e0e\ndis.sys
2004-08-04 01:14 182912 558635d3af1c7546d26067d5d9b6959e C:\WINNT\system32\drivers\ndis.sys

2004-08-04 01:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINNT\ServicePackFiles\i386\ip6fw.sys
2004-08-04 01:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINNT\SoftwareDistribution\Download\9ded4ee34a35fced0033d3e152a36e0e\ip6fw.sys
2004-08-04 01:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINNT\system32\drivers\ip6fw.sys

2004-08-04 02:56 1032192 a0732187050030ae399b241436565e64 C:\WINNT\explorer.exe
2003-05-11 20:12 996352 a73bc66a95cf4f7b597fc8975778a889 C:\WINNT\$NtServicePackUninstall$\explorer.exe
2002-08-29 05:41 1004032 a82b28bfc2e4455fe43022a498c0ef0a C:\WINNT\$NtUninstallKB820291$\explorer.exe
2004-08-04 02:56 1032192 a0732187050030ae399b241436565e64 C:\WINNT\ServicePackFiles\i386\explorer.exe
2004-08-04 02:56 1032192 a0732187050030ae399b241436565e64 C:\WINNT\SoftwareDistribution\Download\9ded4ee34a35fced0033d3e152a36e0e\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AnyDVD"="C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe" [2008-02-06 05:06 1682368]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Hot Key Kbd 9910 Daemon"="SK9910DM.EXE" [2001-01-03 15:50 66048 C:\WINNT\system32\SK9910DM.EXE]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 08:00 79224]
"NvCplDaemon"="C:\WINNT\System32\NvCpl.dll" [2007-06-28 23:43 8466432]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05 919016]
"nwiz"="nwiz.exe" [2007-06-28 23:43 1626112 C:\WINNT\system32\nwiz.exe]
"NvMediaCenter"="C:\WINNT\System32\NvMcTray.dll" [2007-06-28 23:43 81920]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AutorunsDisabled]
winjcr32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EEventManager]
--------- 2005-04-08 14:09 102400 C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
--a------ 2002-07-16 15:21 28672 C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
--------- 2005-05-19 18:38 1957888 C:\Program Files\Ahead\Nero BackItUp\NBJ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 C:\WINNT\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-09-01 15:57 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\DiskTrix\\UltimateDefrag\\UDefrag.exe"=

R3 lne100tx;Linksys LNE100TX Fast Ethernet PCI Adapter;C:\WINNT\system32\DRIVERS\lne100tx.sys [2001-08-17 13:12]
S2 nvTUNEP;nVidia WDM TVTuner;C:\WINNT\system32\DRIVERS\nvtunep.sys [2003-09-16 12:16]
S2 nvtvSND;nVidia WDM TVAudio Crossbar;C:\WINNT\system32\DRIVERS\nvtvsnd.sys [2003-09-16 12:16]
S3 ati2mpaa;ati2mpaa;C:\WINNT\system32\DRIVERS\ati2mpaa.sys [2001-08-17 13:48]
S3 ati2mtaa;ati2mtaa;C:\WINNT\system32\DRIVERS\ati2mtaa.sys [2004-08-04 00:29]
S3 PhilCam8116;Logitech QuickCam Pro 3000(PID_08B0);C:\WINNT\system32\DRIVERS\CamDrL21.sys [2002-12-10 17:53]

.
Contents of the 'Scheduled Tasks' folder
"2008-03-24 23:06:04 C:\WINNT\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-03-02 04:59:00 C:\WINNT\Tasks\Defrag Job #00.job"
- C:\Program Files\DiskTrix\UltimateDefrag\UDefrag.exe
"2008-03-02 04:59:00 C:\WINNT\Tasks\Defrag Job #01.job"
- C:\Program Files\DiskTrix\UltimateDefrag\UDefrag.exe
"2008-03-31 15:20:05 C:\WINNT\Tasks\RegCure Program Check.job"
- C:\Program Files\RegCure\RegCure.exe
"2008-03-27 08:15:05 C:\WINNT\Tasks\RegCure.job"
- C:\Program Files\RegCure\RegCure.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-31 10:18:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\system32\devldr32.exe
C:\WINNT\System32\CTsvcCDA.exe
C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\wdfmgr.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINNT\system32\wscntfy.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINNT\System32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-03-31 10:22:17 - machine was rebooted [George]
ComboFix-quarantined-files.txt 2008-03-31 15:22:12
Pre-Run: 52,633,591,808 bytes free
Post-Run: 52,902,326,272 bytes free
.
2008-03-11 23:49:44 --- E O F ---

#10 SifuMike

Posted 31 March 2008 - 03:03 PM

Hi gwj5035


I don't know that much about Windows XP but this is what I would like to be able to do until I get FireFox installed. Disable IE6 with the ability to enable it if I need to. With IE6 disabled I would like to be able to run MSN Explorer and Netscape. I am pretty sure that Netscape will run with IE6 disabled.


You do not want to disable IE6 as that is the only way to get the Windows Updates. You can use the latest version of FireFox or Netscape for normal browsing, and then use IE7 only for windows updates.

BTW, you should upgrade to IE7 as that has many of the bugs fixed.

I have SP2 installed and there are about 60 some update files waiting to be downloaded/installed. They might already be downloaded but not installed. I read that if you are having the problems like I have, no Update Files should be installed until Virus/Malware problems are fixed. The word that they are fixed is to come from an expert like you.


You should update IE after we have your computer clean.
The updates are very important as they fix the holes in IE that allow malware to attack your computer.


I see RegCure and RegistryFix installed on this computer.

Have you run these programs trying to "fix" the registry yourself? I hope NOT. If you used them then you may have shot yourself in the foot.

I DO NOT recommend "Registry Cleaners" because they may damage rather than cleaning/fixing your registry. A damaged registry is a damaged Windows.

You should only use them if you have a basic knowledge about the registry and know if a certain key/value is safe to be removed or not.

Cleaning the registry won't really improve system performance, even though there are a lot of orphaned keys.
IMHO, if registry cleaning was required, then Microsoft would have added this option.
So you use registry cleaners at your own risk.

Please tell me if you ran System Restore on these dates
2008-03-11
2008-02-27

Edited by SifuMike, 31 March 2008 - 03:06 PM.


#11 gwj5035 (Topic Starter)

Posted 31 March 2008 - 06:14 PM

Mike:

I guess I have shot myself in the foot. I did run RegCure more than once but not sure of the exact number. It is now gone. I don't remember running RegFix. As far as the two dates: Feb 27 I would say yes because it is the day before I first posted to Bleeping Computer. Mar 3 was the date that I upgraded to Windows SP2. I didn't create the restore point but I'll bet that the upgrade install did. I just checked the restore calendar and noticed that I can't go back any farther than 3/11.

#12 SifuMike

Posted 31 March 2008 - 06:39 PM

Hi gwj5035,


Before we start, I have to let you know that without Recovery Console installed, there is a small possibility you may have to do a reformat and reinstall if things go drastically wrong. Recovery Console is like a safety net.


Click Start, then Run and type Notepad and click OK.
Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

File:: 
C:\WINNT\system32\jscflceg.ini
C:\WINNT\003672_.tmp

Folder:: 
C:\VundoFix Backups

Registry:: 
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AutorunsDisabled]


Name the Notepad file CFScript.txt and Save it to your desktop.

IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.



[Screenshot: CFScript.txt being dragged onto ComboFix.exe]

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Edited by SifuMike, 31 March 2008 - 06:40 PM.


#13 gwj5035 (Topic Starter; Members; 19 posts; Location: Southern Delaware)

Posted 01 April 2008 - 12:46 PM

I guess I was lucky one more time. ComboFix ran with no hitches. I spent at least 20 hrs trying to get the Recovery Console to install. I keep getting messages or installations quitting with everything pointing to a mismatch of Windows XP. I hope I get this fixed after all of the updates get installed. I tried to create the 6 disk Setup boot disk set using the Microsoft instructions. I tried to start Windows with the 6 disks. When it got to disk 6 I got an error message, "STOP: c0000221 Unknown Hard Error \SystemRoot\system32\ntdll.dll". I tried quite a few instructions to create a boot CD, no luck either. If something goes drastically wrong to cause a boot from other than the hard disk I'm SOL.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:09:03 PM, on 4/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\system32\devldr32.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\SK9910DM.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
C:\WINNT\System32\CTsvcCDA.exe
C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\wscntfy.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\notepad.exe
C:\WINNT\explorer.exe
C:\Program Files\Netscape\Netscape Browser\netscape.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Documents and Settings\George\Desktop\Anti Spyware__AdAware\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/home.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
N3 - Netscape 7: # Mozilla User Preferences

/* Do not edit this file.
*
* If you make changes to this file while the browser is running,
* the changes will be overwritten when the browser exits.
*
* To make a manual change to preferences, you can visit the URL about:config
* For more information, see http://www.mozilla.org/unix/customizing.html#prefs
*/

user_pref("38737567.aim.session.autologin", false);
user_pref("38737567.aim.session.connectionname", "ICQ");
user_pref("38737567.aim.session.firstsignon", false);
user_pref("38737567.aim.session.password", "0");
user_pref("38737567.aim.session.storepassword", false);
user_pref("KickMeK8.aim.session.autologin", false);
user_pref("KickMeK8.aim.session.connectionname", "AIM");
user_pref("KickMeK8.aim.session.firstsignon", false);
user_pref("KickMeK8.aim.session.password", "0");
user_pref("KickMeK8.aim.session.storepassword", false);
user_pref("Megami01Ai.aim.session.autologin", false);
user_pref("Megami01Ai.aim.session.connectionname", "AIM");
user_pref(
N3 - Netscape 7: # Mozilla User Preferences

/* Do not edit this file.
*
* If you make changes to this file while the browser is running,
* the changes will be overwritten when the browser exits.
*
* To make a manual change to preferences, you can visit the URL about:config
* For more information, see http://www.mozilla.org/unix/customizing.html#prefs
*/

user_pref("38737567.aim.session.autologin", false);
user_pref("38737567.aim.session.connectionname", "ICQ");
user_pref("38737567.aim.session.firstsignon", false);
user_pref("38737567.aim.session.password", "0");
user_pref("38737567.aim.session.storepassword", false);
user_pref("KickMeK8.aim.session.autologin", false);
user_pref("KickMeK8.aim.session.connectionname", "AIM");
user_pref("KickMeK8.aim.session.firstsignon", false);
user_pref("KickMeK8.aim.session.password", "0");
user_pref("KickMeK8.aim.session.storepassword", false);
user_pref("Megami01Ai.aim.session.autologin", false);
user_pref("Megami01Ai.aim.session.connectionname", "AIM");
user_pref(
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINNT\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINNT\bdoscandel.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll
O16 - DPF: symsupportutil - https://www-secure.symantec.com/techsupp/ac...supportutil.CAB
O16 - DPF: {01CA75F1-054B-4A63-9221-C6926369EC52} (HS_live Control) - http://install.homestead.com/~site/Install...ive/HS_live.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {2357B3CF-7F8D-4451-8D81-FD6097610AEE} (CamfrogWEB Advanced Unicode Control) - http://activex.camfrogweb.com/advanced/2.0..._instmodule.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {38F5F92F-BD40-40DF-A569-6C1FCB638190} (InSPECS3_0 Control) - http://www.powerleap.com/cab_files/InSPECS3_0.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://lms2.clarkson.edu/iNotes6W.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetupml.cab
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs5b.instantservice.com/jars/customerxsigned33.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/partner...nce/install.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.communities.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
O16 - DPF: {CAFEEFAC-0014-0000-0003-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_03) -
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30155.www3.hp.com/ediags/hpfix/sj/.../qdiagh.cab?326
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.exe
O23 - Service: MaxBackServiceInt - Unknown owner - C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
O23 - Service: MaxSyncService (NTService1) - - C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: PictureTaker - LANovation - c:\fixit\pt\PCTKRNT.SYS
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
O24 - Desktop Component 0: (no name) - (no file)

--
End of file - 12877 bytes




ComboFix 08-03-30.5 - George 2008-04-01 12:57:06.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.616 [GMT -5:00]
Running from: C:\Documents and Settings\George\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\George\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINNT\003672_.tmp
C:\WINNT\system32\jscflceg.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\George\Favorites\.url
C:\VundoFix Backups
C:\WINNT\003672_.tmp
C:\WINNT\system32\jscflceg.ini
C:\WINNT\system32\swsc.exe

.
((((((((((((((((((((((((( Files Created from 2008-03-01 to 2008-04-01 )))))))))))))))))))))))))))))))
.

2008-03-30 21:31 . 2008-03-30 21:31 <DIR> d-------- C:\Program Files\Sun
2008-03-30 21:31 . 2008-02-22 02:33 69,632 --a------ C:\WINNT\system32\javacpl.cpl
2008-03-30 21:27 . 2008-03-30 21:30 <DIR> d-------- C:\Program Files\Java
2008-03-25 12:33 . 2008-03-29 10:21 <DIR> d-------- C:\WINNT\BDOSCAN8
2008-03-25 12:21 . 2008-03-25 12:23 <DIR> d-------- C:\WINNT\system32\ActiveScan
2008-03-25 12:21 . 2008-03-25 12:22 30,590 --a------ C:\WINNT\system32\pavas.ico
2008-03-25 12:21 . 2008-03-25 12:22 2,550 --a------ C:\WINNT\system32\Uninstall.ico
2008-03-25 12:21 . 2008-03-25 12:22 1,406 --a------ C:\WINNT\system32\Help.ico
2008-03-25 12:12 . 2008-03-25 12:12 <DIR> d-------- C:\Documents and Settings\George\.housecall6.6
2008-03-23 15:00 . 2005-03-02 13:09 577,024 --a------ C:\WINNT\system32\dllcache\user32.dll
2008-03-15 16:50 . 2008-03-15 16:50 <DIR> d-------- C:\WINNT\system32\LogFiles
2008-03-14 13:03 . 2008-03-14 13:03 <DIR> d-------- C:\WINNT\peernet
2008-03-14 12:42 . 2008-03-14 12:42 1,840 --a------ C:\WINNT\system32\PerfStringBackup.TMP
2008-03-14 09:55 . 2007-06-30 22:31 2,455,488 --------- C:\WINNT\system32\dllcache\ieapfltr.dat
2008-03-14 09:55 . 2007-06-30 22:36 991,232 --------- C:\WINNT\system32\dllcache\ieframe.dll.mui
2008-03-11 12:23 . 2006-07-13 08:33 8,453,632 --------- C:\WINNT\system32\dllcache\shell32.dll
2008-03-11 12:21 . 2006-03-17 00:04 8,351,232 --a------ C:\WINNT\system32\shell32(2)(2).dll
2008-03-11 12:15 . 2004-08-04 02:56 526,848 --------- C:\WINNT\system32\p2psvc.dll
2008-03-11 12:14 . 2004-08-04 00:41 404,990 --------- C:\WINNT\system32\drivers\slntamr.sys
2008-03-11 12:13 . 2004-08-04 02:56 1,888,992 --------- C:\WINNT\system32\ati3duag.dll
2008-03-11 12:03 . 2005-06-28 10:21 22,752 --a------ C:\WINNT\system32\spupdsvc.exe
2008-03-08 15:12 . 2007-06-28 23:43 123,602 --a------ C:\WINNT\system32\nvapps.nvb
2008-03-03 18:01 . 2008-03-03 18:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-03-03 18:01 . 2007-11-14 16:05 1,086,952 --a------ C:\WINNT\system32\zpeng24.dll
2008-03-03 18:01 . 2007-11-14 16:05 75,248 --a------ C:\WINNT\zllsputility.exe
2008-03-03 18:01 . 2004-04-27 04:40 11,264 --a------ C:\WINNT\system32\SpOrder.dll
2008-03-02 02:28 . 2008-03-02 02:28 <DIR> d-------- C:\WINNT\ERUNT
2008-03-02 02:11 . 2008-03-02 02:11 <DIR> d-------- C:\SDFix

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-31 14:28 119,168 ----a-w C:\Documents and Settings\George\Application Data\GDIPFONTCACHEV1.DAT
2008-03-31 02:08 --------- d-----w C:\Program Files\Java Web Start
2008-03-23 16:12 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-03-21 03:17 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-21 03:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-16 14:36 --------- d-----w C:\Program Files\Qimage
2008-03-15 18:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-03-08 20:13 616,960 ----a-w C:\WINNT\Internet Logs\xDB1.tmp
2008-03-02 19:25 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-29 17:54 --------- d-----w C:\Documents and Settings\George\Application Data\SUPERAntiSpyware.com
2008-02-29 17:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-29 17:53 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-02-29 05:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-29 05:18 --------- d-----w C:\Program Files\Lavasoft
2008-02-29 01:58 29,992,417 ----a-w C:\WINNT\Internet Logs\tvDebug.zip
2008-02-29 01:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\iolo
2008-02-29 01:25 --------- d-----w C:\Documents and Settings\George\Application Data\iolo
2008-02-29 01:14 --------- d-----w C:\Documents and Settings\LocalService\Application Data\iolo
2008-02-29 01:12 74,703 ----a-w C:\WINNT\system32\mfc45.dll
2008-02-28 17:36 --------- d-----w C:\Program Files\CCleaner
2008-02-27 16:18 --------- d-----w C:\Program Files\THE Rename
2008-02-27 16:18 --------- d-----w C:\Program Files\Security Task Manager
2008-02-27 16:18 --------- d-----w C:\Program Files\PC-Doctor for Windows
2008-02-27 16:18 --------- d-----w C:\Program Files\Microsoft Works
2008-02-27 16:18 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-27 16:18 --------- d-----w C:\Program Files\Avery Wizard
2008-02-23 14:44 --------- d-----w C:\Program Files\Raw Therapee
2008-02-05 19:06 97,216 ----a-w C:\WINNT\system32\drivers\AnyDVD.sys
2008-01-18 18:22 51,716 ----a-w C:\WINNT\system32\pdf995mon.dll
2008-01-18 18:22 249,856 ----a-w C:\WINNT\system32\pdfmona.dll
2008-01-09 20:01 53,248 ----a-w C:\WINNT\bdoscandel.exe
2008-01-08 01:12 17,890,012 ----a-w C:\WINNT\Internet Logs\vsmon_on_demand_2008_01_07_20_11_05_full.dmp.zip
2007-12-16 14:24 17,863,577 ----a-w C:\WINNT\Internet Logs\vsmon_on_demand_2007_12_16_09_21_56_full.dmp.zip
2007-02-06 12:39 17,712,287 ----a-w C:\WINNT\Internet Logs\vsmon_on_demand_2007_02_06_07_29_46_full.dmp.zip
2007-02-06 12:39 17,648,698 ----a-w C:\WINNT\Internet Logs\vsmon_on_demand_2007_02_06_07_37_38_full.dmp.zip
2007-01-27 20:52 17,639,143 ----a-w C:\WINNT\Internet Logs\vsmon_on_demand_2007_01_27_15_49_33_full.dmp.zip
2006-12-26 16:01 1,151 ---ha-w C:\Documents and Settings\George\hpothb07.dat
2006-12-14 15:29 17,562,799 ----a-w C:\WINNT\Internet Logs\vsmon_on_demand_2006_12_14_08_55_19_full.dmp.zip
2006-09-08 04:22 17,359,490 ----a-w C:\WINNT\Internet Logs\vsmon_on_demand_2006_09_08_00_21_14_full.dmp.zip
2006-01-13 01:10 30 ----a-w C:\Program Files\Exiferupdate.ini
.

------- Sigcheck -------

2001-08-18 13:00 12800 0f7d9c87b0ce1fa520473119752c6f79 C:\WINNT\$NtServicePackUninstall$\svchost.exe
2004-08-04 02:56 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINNT\ServicePackFiles\i386\svchost.exe
2004-08-04 02:56 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINNT\SoftwareDistribution\Download\9ded4ee34a35fced0033d3e152a36e0e\svchost.exe
2004-08-04 02:56 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINNT\system32\svchost.exe

2006-08-16 07:14 70656 7b6a08441a4f11320421599d7ecf8d41 C:\WINNT\$NtServicePackUninstall$\ws2_32.dll
2001-08-18 13:00 75264 8529c295df59b564d37a73b5629162b1 C:\WINNT\$NtUninstallKB914388_0$\ws2_32.dll
2006-05-19 07:15 70656 3748e0fc8c1b6ada49f98c8e69a4228c C:\WINNT\$NtUninstallKB922819_0$\ws2_32.dll
2004-08-04 02:56 82944 2ed0b7f12a60f90092081c50fa0ec2b2 C:\WINNT\ServicePackFiles\i386\ws2_32.dll
2004-08-04 02:56 82944 2ed0b7f12a60f90092081c50fa0ec2b2 C:\WINNT\SoftwareDistribution\Download\9ded4ee34a35fced0033d3e152a36e0e\ws2_32.dll
2004-08-04 02:56 82944 2ed0b7f12a60f90092081c50fa0ec2b2 C:\WINNT\system32\ws2_32.dll

2006-06-23 11:33 575488 7e7760c7f263ec7a740ee265b263f770 C:\WINNT\$NtServicePackUninstall$\wininet.dll
2004-02-06 17:05 588288 4f64d1df989e3aa2fad91a2f1167b9c7 C:\WINNT\$NtUninstallKB889293-IE6SP1-20041111.235619$\wininet.dll
2004-08-23 19:32 589312 01893ed35886aff539b58a025736f7ed C:\WINNT\$NtUninstallKB918899-IE6SP1-20060725.123917$\wininet.dll
2004-08-04 02:56 656384 c0823fc5469663ba63e7db88f9919d70 C:\WINNT\ServicePackFiles\i386\wininet.dll
2004-08-04 02:56 656384 c0823fc5469663ba63e7db88f9919d70 C:\WINNT\SoftwareDistribution\Download\9ded4ee34a35fced0033d3e152a36e0e\wininet.dll
2007-10-10 18:56 824832 30c1e0f34ad2972c72a01db5c74ab065 C:\WINNT\SoftwareDistribution\Download\e3709fbfd9557a7d083f543d51d38612\SP2GDR\wininet.dll
2007-10-10 18:47 825344 0e5d918f87efa7d2424d66b499c7eb04 C:\WINNT\SoftwareDistribution\Download\e3709fbfd9557a7d083f543d51d38612\SP2QFE\wininet.dll
2007-12-06 21:21 824832 806d274c9a6c3aaea5eae8e4af841e04 C:\WINNT\SoftwareDistribution\Download\e5a204b08ee9dd0f7a20547e61486b27\SP2GDR\wininet.dll
2007-12-06 21:01 825344 b5b411bb229ae6ead7652a32ed47bfb9 C:\WINNT\SoftwareDistribution\Download\e5a204b08ee9dd0f7a20547e61486b27\SP2QFE\wininet.dll
2004-08-04 02:56 656384 c0823fc5469663ba63e7db88f9919d70 C:\WINNT\system32\wininet.dll

2004-05-26 20:38 483328 e7f9d2e4e4a94a6f58014e5ffa16a65e C:\WINNT\$NtServicePackUninstall$\winlogon.exe
2002-08-29 05:41 516608 2246d8d8f4714a2cedb21ab9b1849abb C:\WINNT\$NtUninstallKB841533$\winlogon.exe
2004-08-04 02:56 502272 01c3346c241652f43aed8e2149881bfe C:\WINNT\ServicePackFiles\i386\winlogon.exe
2004-08-04 02:56 502272 01c3346c241652f43aed8e2149881bfe C:\WINNT\SoftwareDistribution\Download\9ded4ee34a35fced0033d3e152a36e0e\winlogon.exe
2004-08-04 02:56 502272 01c3346c241652f43aed8e2149881bfe C:\WINNT\system32\winlogon.exe

2003-10-04 02:54 168192 d999ce17681d7d074d534fc5bc662e0a C:\WINNT\$NtServicePackUninstall$\ndis.sys
2002-08-29 04:09 167552 3b350e5a2a5e951453f3993275a4523a C:\WINNT\$NtUninstallKB826942$\ndis.sys
2004-08-04 01:14 182912 558635d3af1c7546d26067d5d9b6959e C:\WINNT\ServicePackFiles\i386\ndis.sys
2004-08-04 01:14 182912 558635d3af1c7546d26067d5d9b6959e C:\WINNT\SoftwareDistribution\Download\9ded4ee34a35fced0033d3e152a36e0e\ndis.sys
2004-08-04 01:14 182912 558635d3af1c7546d26067d5d9b6959e C:\WINNT\system32\drivers\ndis.sys

2004-08-04 01:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINNT\ServicePackFiles\i386\ip6fw.sys
2004-08-04 01:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINNT\SoftwareDistribution\Download\9ded4ee34a35fced0033d3e152a36e0e\ip6fw.sys
2004-08-04 01:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINNT\system32\drivers\ip6fw.sys

2004-08-04 02:56 1032192 a0732187050030ae399b241436565e64 C:\WINNT\explorer.exe
2003-05-11 20:12 996352 a73bc66a95cf4f7b597fc8975778a889 C:\WINNT\$NtServicePackUninstall$\explorer.exe
2002-08-29 05:41 1004032 a82b28bfc2e4455fe43022a498c0ef0a C:\WINNT\$NtUninstallKB820291$\explorer.exe
2004-08-04 02:56 1032192 a0732187050030ae399b241436565e64 C:\WINNT\ServicePackFiles\i386\explorer.exe
2004-08-04 02:56 1032192 a0732187050030ae399b241436565e64 C:\WINNT\SoftwareDistribution\Download\9ded4ee34a35fced0033d3e152a36e0e\explorer.exe
.
((((((((((((((((((((((((((((( snapshot@2008-03-31_10.21.45.92 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-04-01 16:31:32 16,384 ----atw C:\WINNT\Temp\Perflib_Perfdata_5c8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AnyDVD"="C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe" [2008-02-06 05:06 1682368]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]
"Microsoft Works Update Detection"="C:\Program Files\Microsoft Works\WkDetect.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Hot Key Kbd 9910 Daemon"="SK9910DM.EXE" [2001-01-03 15:50 66048 C:\WINNT\system32\SK9910DM.EXE]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 08:00 79224]
"NvCplDaemon"="C:\WINNT\System32\NvCpl.dll" [2007-06-28 23:43 8466432]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05 919016]
"nwiz"="nwiz.exe" [2007-06-28 23:43 1626112 C:\WINNT\system32\nwiz.exe]
"NvMediaCenter"="C:\WINNT\System32\NvMcTray.dll" [2007-06-28 23:43 81920]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EEventManager]
--------- 2005-04-08 14:09 102400 C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
--a------ 2002-07-16 15:21 28672 C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
--------- 2005-05-19 18:38 1957888 C:\Program Files\Ahead\Nero BackItUp\NBJ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 C:\WINNT\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-09-01 15:57 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\DiskTrix\\UltimateDefrag\\UDefrag.exe"=

R3 lne100tx;Linksys LNE100TX Fast Ethernet PCI Adapter;C:\WINNT\system32\DRIVERS\lne100tx.sys [2001-08-17 13:12]
S2 nvTUNEP;nVidia WDM TVTuner;C:\WINNT\system32\DRIVERS\nvtunep.sys [2003-09-16 12:16]
S2 nvtvSND;nVidia WDM TVAudio Crossbar;C:\WINNT\system32\DRIVERS\nvtvsnd.sys [2003-09-16 12:16]
S3 ati2mpaa;ati2mpaa;C:\WINNT\system32\DRIVERS\ati2mpaa.sys [2001-08-17 13:48]
S3 ati2mtaa;ati2mtaa;C:\WINNT\system32\DRIVERS\ati2mtaa.sys [2004-08-04 00:29]
S3 PhilCam8116;Logitech QuickCam Pro 3000(PID_08B0);C:\WINNT\system32\DRIVERS\CamDrL21.sys [2002-12-10 17:53]

.
Contents of the 'Scheduled Tasks' folder
"2008-03-24 23:06:04 C:\WINNT\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-03-02 04:59:00 C:\WINNT\Tasks\Defrag Job #00.job"
- C:\Program Files\DiskTrix\UltimateDefrag\UDefrag.exe
"2008-03-02 04:59:00 C:\WINNT\Tasks\Defrag Job #01.job"
- C:\Program Files\DiskTrix\UltimateDefrag\UDefrag.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-01 12:59:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-01 13:01:04
ComboFix-quarantined-files.txt 2008-04-01 18:00:43
ComboFix2.txt 2008-03-31 15:22:18
Pre-Run: 52,703,961,088 bytes free
Post-Run: 52,678,225,920 bytes free
.
2008-03-11 23:49:44 --- E O F ---
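The Sigcheck section of the ComboFix log above lists the MD5 of each core binary (svchost.exe, ws2_32.dll, winlogon.exe, explorer.exe, ...) from the live copy in system32 next to the repair copies Windows keeps in ServicePackFiles\i386 and dllcache; identical hashes mean the live file is still the one the service pack shipped, and a live copy that matches none of them has been replaced. The script below is an added example, not ComboFix's own code and not part of any post in this thread, that performs that comparison. Because it has to run anywhere, `build_fixture()` constructs a throw-away %windir% tree with made-up file contents in which winlogon.exe has been altered; the directory names and the `CORE_BINARIES` list are taken from the log, everything else is assumed.

```python
"""Baseline hash check in the spirit of ComboFix's "Sigcheck" section.

Added example for this thread, not ComboFix code. A live core binary under
system32 should hash identically to the repair copies in
ServicePackFiles\\i386 and system32\\dllcache. build_fixture() creates a
constructed tree (contents are made up) so the check can run offline.
"""
import hashlib
import os
import tempfile

CORE_BINARIES = ("svchost.exe", "winlogon.exe", "ws2_32.dll", "explorer.exe")
BASELINE_DIRS = (os.path.join("ServicePackFiles", "i386"),
                 os.path.join("system32", "dllcache"))


def md5_of(path: str) -> str:
    """MD5 of a file, read in chunks (the log's 32-hex-digit values are MD5)."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def sigcheck(windir: str) -> dict:
    """Map each core binary to 'ok', 'MISMATCH', 'no baseline' or 'missing'."""
    verdicts = {}
    for name in CORE_BINARIES:
        live = os.path.join(windir, "system32", name)
        if not os.path.exists(live):
            live = os.path.join(windir, name)  # explorer.exe lives in %windir%
        if not os.path.exists(live):
            verdicts[name] = "missing"
            continue
        live_hash = md5_of(live)
        baselines = set()
        for sub in BASELINE_DIRS:
            candidate = os.path.join(windir, sub, name)
            if os.path.exists(candidate):
                baselines.add(md5_of(candidate))
        if not baselines:
            verdicts[name] = "no baseline"
        elif live_hash in baselines:
            verdicts[name] = "ok"
        else:
            verdicts[name] = "MISMATCH"  # live copy matches no repair copy
    return verdicts


def build_fixture() -> str:
    """Constructed %windir% tree; only system32\\winlogon.exe is tampered."""
    root = tempfile.mkdtemp(prefix="winnt_")

    def put(rel, data):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)

    for name in ("svchost.exe", "winlogon.exe", "ws2_32.dll"):
        good = b"GOOD:" + name.encode()
        put(os.path.join("system32", name), good)
        put(os.path.join("ServicePackFiles", "i386", name), good)
        put(os.path.join("system32", "dllcache", name), good)
    put(os.path.join("system32", "winlogon.exe"), b"PATCHED:winlogon.exe")
    put("explorer.exe", b"GOOD:explorer.exe")  # no repair copy on purpose
    return root


def fixture_verdicts() -> dict:
    """Run the check against the constructed tree."""
    return sigcheck(build_fixture())


if __name__ == "__main__":
    for binary, verdict in fixture_verdicts().items():
        print(f"{binary:14} {verdict}")
```

On a real XP box you would call `sigcheck(r"C:\WINNT")` instead of the fixture; a "no baseline" result is not evidence of tampering, only that there is nothing local to compare against, and a "MISMATCH" needs the file's version resources and a vendor signature check before anything is deleted.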

#14 SifuMike (malware expert; Members; 15,385 posts; Gender: Male; Location: Vancouver (not BC) WA (Not DC) USA)

Posted 01 April 2008 - 02:43 PM

Hi gwj5035,

When you are trying to install Recovery Console are you following this link http://www.bleepingcomputer.com/combofix/how-to-use-combofix ?
Are you using IE to do the download?

At that page, scroll down and click on the appropriate download for your version of Windows XP (Home or Professional) and the service pack level that you have installed. When you click on the link to download the file, make sure you save it directly to your desktop.


Did you download to the desktop?


We just have some clean up to do. :thumbsup:

Download CCleaner and install it. (default location is best). Do not run it yet!

Beginner's Guide to CCleaner

*******************************************

Select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "fix checked"

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
O16 - DPF: {CAFEEFAC-0014-0000-0003-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_03) -
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -


These are optional fixes. The following are not necessarily spyware/malware, but I suggest you place a check mark next to the following entries, as these programs may be taking up system resources.

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit
(Description: Nvidia system tray applet. Not necessary. Removing this entry will free up a small amount of system resources.)

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
(Description: Sun Java update scheduler. Checks for updates. Not necessary. Removing this entry will free up a small amount of system resources.)

O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
(Description: Checks for updates to MS Works. Unnecessary. Removing this entry will free up some system resources. )


*******************************************

*NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders and does not make backups.

Let's empty the temp files:

Run CCleaner.

CAUTION: Please do NOT use the Issues or Registry button. This is a built-in registry cleaner. If you don't know how to use it, you may cause irreparable damage to your system.

1. Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation.
IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbar-free Basic version instead of the Standard Build.


2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

3. Then select the items you wish to clean up.

In the Windows Tab:
Clean all entries in the "Internet Explorer" section except Autocomplete Forum History.
Clean all the entries in the "Windows Explorer" section.
Clean all entries in the "System" section except for Start Menu Shortcuts and Desktop Shortcuts.
Clean any others that you choose.

In the Applications Tab:
Clean all including cookies in the Firefox/Mozilla section if you use it.
Clean all in the Opera section if you use it.
Clean Sun Java in the Internet Section.
Clean any others that you choose.

4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.

If it asks you to reboot at the end, click NO.

CCleaner should be run with the above settings for each User Account!

*******************************************

Reboot your computer, post a new Hijackthis log, and tell me how your computer is running.

Edited by SifuMike, 01 April 2008 - 02:51 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#15 gwj5035

gwj5035
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Location:Southern Delaware
  • Local time:10:22 AM

Posted 01 April 2008 - 06:19 PM

Mike:

I am not sure when it happened but I now have the Recovery Console as a menu choice with an F8 boot. Everything else seems to be working fine. Removed the items you listed with HijackThis. I hope that I can now finish with the installation of SP2. Let me know if it is OK to do this. The HijackThis log follows:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:31:41 PM, on 4/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\system32\devldr32.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\SK9910DM.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINNT\System32\CTsvcCDA.exe
C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINNT\system32\taskmgr.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\wuauclt.exe
C:\Documents and Settings\George\Desktop\Anti Spyware__AdAware\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/home.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
N3 - Netscape 7: # Mozilla User Preferences

/* Do not edit this file.
*
* If you make changes to this file while the browser is running,
* the changes will be overwritten when the browser exits.
*
* To make a manual change to preferences, you can visit the URL about:config
* For more information, see http://www.mozilla.org/unix/customizing.html#prefs
*/

user_pref("38737567.aim.session.autologin", false);
user_pref("38737567.aim.session.connectionname", "ICQ");
user_pref("38737567.aim.session.firstsignon", false);
user_pref("38737567.aim.session.password", "0");
user_pref("38737567.aim.session.storepassword", false);
user_pref("KickMeK8.aim.session.autologin", false);
user_pref("KickMeK8.aim.session.connectionname", "AIM");
user_pref("KickMeK8.aim.session.firstsignon", false);
user_pref("KickMeK8.aim.session.password", "0");
user_pref("KickMeK8.aim.session.storepassword", false);
user_pref("Megami01Ai.aim.session.autologin", false);
user_pref("Megami01Ai.aim.session.connectionname", "AIM");
user_pref(
N3 - Netscape 7: # Mozilla User Preferences

/* Do not edit this file.
*
* If you make changes to this file while the browser is running,
* the changes will be overwritten when the browser exits.
*
* To make a manual change to preferences, you can visit the URL about:config
* For more information, see http://www.mozilla.org/unix/customizing.html#prefs
*/

user_pref("38737567.aim.session.autologin", false);
user_pref("38737567.aim.session.connectionname", "ICQ");
user_pref("38737567.aim.session.firstsignon", false);
user_pref("38737567.aim.session.password", "0");
user_pref("38737567.aim.session.storepassword", false);
user_pref("KickMeK8.aim.session.autologin", false);
user_pref("KickMeK8.aim.session.connectionname", "AIM");
user_pref("KickMeK8.aim.session.firstsignon", false);
user_pref("KickMeK8.aim.session.password", "0");
user_pref("KickMeK8.aim.session.storepassword", false);
user_pref("Megami01Ai.aim.session.autologin", false);
user_pref("Megami01Ai.aim.session.connectionname", "AIM");
user_pref(
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll (file missing)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll (file missing)
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINNT\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINNT\bdoscandel.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll
O16 - DPF: symsupportutil - https://www-secure.symantec.com/techsupp/ac...supportutil.CAB
O16 - DPF: {01CA75F1-054B-4A63-9221-C6926369EC52} (HS_live Control) - http://install.homestead.com/~site/Install...ive/HS_live.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {2357B3CF-7F8D-4451-8D81-FD6097610AEE} (CamfrogWEB Advanced Unicode Control) - http://activex.camfrogweb.com/advanced/2.0..._instmodule.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {38F5F92F-BD40-40DF-A569-6C1FCB638190} (InSPECS3_0 Control) - http://www.powerleap.com/cab_files/InSPECS3_0.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://lms2.clarkson.edu/iNotes6W.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetupml.cab
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs5b.instantservice.com/jars/customerxsigned33.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/partner...nce/install.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.communities.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30155.www3.hp.com/ediags/hpfix/sj/.../qdiagh.cab?326
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.exe
O23 - Service: MaxBackServiceInt - Unknown owner - C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
O23 - Service: MaxSyncService (NTService1) - - C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: PictureTaker - LANovation - c:\fixit\pt\PCTKRNT.SYS
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
O24 - Desktop Component 0: (no name) - (no file)

--
End of file - 12206 bytes
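As an added example (not code from either poster or from HijackThis itself): a small Python parser for HijackThis entry lines that flags the orphaned items a helper typically asks to "fix checked", namely entries ending in "(no file)" or "(file missing)" and O16 DPF entries with no download target. The sample lines are constructed, modelled on the logs above.

```python
import re

# Constructed sample lines, modelled on the HijackThis log posted in this thread.
SAMPLE_LOG = """\
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\\Program Files\\Java\\jre1.6.0_05\\bin\\ssv.dll (file missing)
O4 - HKLM\\..\\Run: [avast!] C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe
O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\\Program Files\\Common Files\\Symantec Shared\\SNDSrvc.exe (file missing)
"""

# Every HijackThis entry starts with a section code such as R1, O2, O16 or O23.
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")

def parse_entries(text):
    """Return (section, body) pairs for entry lines; header and process lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries

def orphan_reason(section, body):
    """Why an entry points at nothing, or None when it resolves to a real target.
    Covers the shapes seen in this thread: '(no file)', '(file missing)', and an
    O16 DPF entry whose download target after the final ' - ' is empty."""
    if body.endswith("(no file)"):
        return "no file"
    if body.endswith("(file missing)"):
        return "file missing"
    if section == "O16":
        _head, sep, target = body.rpartition(" - ")
        # Without a ' - ' separator the stripped line ends in a bare '-': empty target.
        if (sep and not target.strip()) or (not sep and body.endswith("-")):
            return "empty DPF target"
    return None

def orphan_entries(text):
    """List (section, body, reason) for every orphan entry in a log."""
    found = []
    for section, body in parse_entries(text):
        reason = orphan_reason(section, body)
        if reason:
            found.append((section, body, reason))
    return found

if __name__ == "__main__":
    for section, body, reason in orphan_entries(SAMPLE_LOG):
        print(f"[{reason}] {section} - {body}")
```

Entries with a live target (the avast! O4 and the BitDefender O16 lines) are left alone; only the dangling ones are reported, which is the same triage the helper applied by hand.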
