Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Trojan Downloader- Zlob- Won't Go Away.


  • This topic is locked This topic is locked
48 replies to this topic

#1 ComputersHateMe11

ComputersHateMe11

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Ohio
  • Local time:02:17 PM

Posted 31 March 2008 - 10:06 AM

This is a long drawn out problem, that just keeps getting worse.

Here's the skinny:

We were without internet since May '07, and now have our internet through Altell, since the end of Feb '08.

It starts with finding out that our AV software is pirated. Had it fixed at a 'reputable' computer repair shop, (who is now out of business) we had multiple trojans and misc other crap infesting our computer (last MARCH). . . only to find out a year later, that they had stolen the AV software that we were using. We found this out when we were in need of some technical assistance with the software. Anyway, we had to get rid of that software, per CA. We did- and dl'd Kaspersky's free thirty day trial to see how we liked it, since people all over were saying that it is the best. This is when the problems started. Kaspersky's installation instructions said we had to uninstall ALL AV and AntiMalware software on our system. I uninstalled CA, spybot, and adaware. The only firewall we had at the time was the one that comes with our Windows XP (We have SP2 and all the appropriate updates- I went to the MS update site, and it said we are up to date as of yesterday)

About a week ago, trying to view a video, (I know- bad, bad, bad!) the computer started doing all sorts of crazy things and we had desktop icons that mimicked the Windows Defender icons, not to mention some kind little BHO's. I was able to get rid of the desktop icons and bho's by deleting the MYWAYMYWEBSEARCH folder in C:\ program files. My sister, who thinks she is of a technical mind, dl'd SDFix and ran it. It said it removed the crap. BUT No, it didn't! The problems were back at the next start up. I uninstalled it. So, I began surfing the TechSupport sites, this one and SpyBot, to find clues, as I was feeling pretty froggy, and not wanting to wait for help. (AGAIN, bad, I know.) We are also getting a blue stop error screen at random intervals. It doesn't matter what you are doing, but it does seem to happen more frequently when on the internet. This is the only computer that we have, so I have to use it to find out what to do, there is no other way for me to access the internet.

This is what I have done so far:
*SDFix-see above
*A friend told me to dl and run CCleaner, I did this. It said it found, removed and repaired. I don't think it worked. I have since uninstalled this program.
*Downloaded and installed (AND updated) Spybot and Adaware- they both found stuff. Adaware got rid of it, Spybot said it did the same, but there are files in the backup
*Downloaded and installed AVG 7.5 Free and COMODO free firewall. These were both reccommended to me, hope that they are sufficient, and SAFE. In the AVG Virus Vault there are eight files. I can give you the names if you want, but they are all trojan downloaders and are all unfixable backups. They are all in C:\systeminformation\_restore. I have not done anything with them as I am afraid of unleashing them again.
*I have been to many free online scans. . .so very many, and these are the only ones that I remember. Some I don't have the results for, as they did not give me the option of saving a log. The scans that I used were only the ones that I found reccommended in either this forum, or in the SpyBot forums.
Kaspersky 2x, different results each time 2 viruses, 4 infected objects the first time, 1 virus, 3 infected objects the second time.
Panda 2x- don't remember those results
Eset 1x- said we had 3 viruses and 8 infected objects
LiveOneCare said we had nothing
Symantec said we had nothing
McCafee Stinger said we had nothing


I am now at my wits end and praying that someone here will have mercy and lend me a hand. I have followed the Before You Post instructions to the letter EXCEPT: step 4-unchecking the negligible objects in Adaware- couldn't find that option -- step 7- I have already dl'd a firewall. Thank you in advance for any and all help or advice.

Here is the HiJackThis Log and the blue screen error- VERBATIM! ( I included the technical information from the last two reported 'incidents' from the blue screen errors). I am also including my latest Kaspersky report. . . maybe it can help.


HIJACKTHIS


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:31:34 PM, on 3/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell AIO Printer A940\dlbabmon.exe
c:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WordPerfect Office 12\Programs\CorUpd.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Alltel\QuickLink Mobile\QuickLink Mobile.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DwlClient] c:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [c:_program files_wordperfe3a] C:\Program Files\WordPerfect Office 12\Programs\CorUpd.exe /Watch /r="SOFTWARE\Corel\WordPerfect Suite\12"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} -
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...wlscbase370.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1172782167830
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1204234900640
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1A1D9852-141F-40EE-A89C-5A834A395ACA}: NameServer = 166.102.165.11 166.102.165.13
O17 - HKLM\System\CS1\Services\Tcpip\..\{1A1D9852-141F-40EE-A89C-5A834A395ACA}: NameServer = 166.102.165.11 166.102.165.13
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 9052 bytes

BLUE SCREEN STOP ERROR


This message pops up on a blue background at random times. The only similiarity in the instances (about 15 or 20 times that it has happened), is that it usually happens when we are connected to the internet. When it pops up, the computer shuts down, and the message stays on the monitor until you manually shut off the computer:

A problem has been detected and windows has been shut down to prevent any damage to your computer.

If this is the first time you've seen this stop error screen, restart your computer. If this screen appears again, follow these steps:

Check to make sure any new hardware or software is properly installed. If this is a new installation, ask your hardware or software manufacturer for any windows updates that you might need.

If the problems continue, disable or remove any newly installed hardware or software. Disable BIOS memory options such as caching or shadowing. IF you need to use safe mode to remove or disable components, restart your computer, pres F8 to select advanced start up options and select safe mode.

Technical Information:
***STOP: 0x0000010D (0x00000002, 0x820D7054, 0x00000000, 0x82B69D00)

Beginning dump of physical memory.
Physical memory dump complete.
Contact your system administrator or tech support group for further assistance.

Error report to Microsoft following this BLUE SCREEN ERROR MESSAGE!!


After restarting the computer, you have the option of sending an error report to Microsoft. Here is the contents of the error report and the technical information option that it gives you:

Error Report Contents:

Error signature:
BCCode: 10d BCP1: 00000002 BCP2: 820D7054 BCP3:00000000
BCP4: 82B69D00 OSVer: 5_1_2600 SP: 2_0 Product: 768_1

Technical information option:

The following files will be included in this error report:
C:\DOCUME~1\owner\LOCALS~1\Temp\WER4378.dir00\Mini033008-01.dmp
C:\DOCUME~1\owner\LOCALS~1\Temp\WER4378.dir00\sysdata.xml

Now we are getting a different error- the same blue screen, <a stop error don't know if that means anything or not, but here are the changes> just different technical information:

Error Report Contents:

Error signature:
BCCode: 10d BCP1: 00000002 BCP2: FE717054 BCP3: 00000000
BCP4: 82BEAC70 OSVer: 5_1_2600 SP: 2_0 Product: 768_1


Technical information option:

C:\DOCUME~1\owner\LOCALS~1\Temp\WER27d9.dir00\Mini033108-01.dmp
C:\DOCUME~1\owner\LOCALS~1\Temp\WER27d9.dir00\sysdata.xml

KASPERSKY ONLINE SCAN- MOST RECENT


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, March 30, 2008 2:28:42 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 30/03/2008
Kaspersky Anti-Virus database records: 672899
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 93902
Number of viruses found: 1
Number of infected objects: 3
Number of suspicious objects: 0
Duration of the scan process: 01:55:16

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\comodo\Firewall Pro\cfplogdb.sdb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-03022007-141425.log Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\ApplicationHistory\NotifyAlert.exe.83a8f8c0.ini.inuse Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\CardSpace\CardSpace.db Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\CardSpace\CardSpace.db.shadow Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{AC4F1A9E-9FB4-4787-BD5F-6A70CCD26C5B} Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\PCHealth\ErrorRep\QSignoff\125EF60.cab/a0113547.dll.xor Infected: Trojan-Downloader.Win32.Zlob.kfu skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\PCHealth\ErrorRep\QSignoff\125EF60.cab/a0113533.dll.xor Infected: Trojan-Downloader.Win32.Zlob.kfu skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\PCHealth\ErrorRep\QSignoff\125EF60.cab CAB: infected - 2 skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\MSHist012008033020080331\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\Perflib_Perfdata_19c.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~DF36C6.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~DF36E4.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP422\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\ModemLog_Motorola USB Modem.txt Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{8ACDF6AE-0C26-4633-9A69-61AE9FFFEC2A}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\Internet.evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped
C:\WINDOWS\SYSTEM32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_544.dat Object is locked skipped
C:\WINDOWS\WIADEBUG.LOG Object is locked skipped
C:\WINDOWS\WIASERVC.LOG Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
~*~Vicki~*~

BC AdBot (Login to Remove)

 


#2 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:02:17 PM

Posted 31 March 2008 - 10:42 PM

Hello ComputersHateMe11,

Welcome to Bleeping Computer :)

First of all, it really sounds like you've been through it. You have every right to be frustrated out of your mind. :thumbsup: You did a splendiferously good thing by getting AVG for your AntiVirus and Comodo Firewall! :wacko: Those are exactly what I have on my system. I see Spybot on board, with Tea Timer.....good! Everything you see in C:\systeminformation\_restore is benign, and we'll take care of it in a little bit. Now let's fix you up.......

I notice that you have Spybot's TeaTimer running. While this is normally a wonderful tool to protect against hijackers, it can also interfere with the fixes. So please disable TeaTimer by doing the following:
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts

You can reenable TeaTimer once your system is clean.

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall. I know you're frustrated here, so the best thing for you to do after you get this going is to simply walk away from the computer for a few minutes and let it do its thing. :blink:

Thanks,
tea

Edited by teacup61, 31 March 2008 - 10:43 PM.

Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#3 ComputersHateMe11

ComputersHateMe11
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Ohio
  • Local time:02:17 PM

Posted 01 April 2008 - 08:59 AM

Tea,

Thank you so very much for your assistance. :wacko: I am just hoping that I am able to follow your instructions correctly, I really don't want to mess this up. :blink:

I disabled Tea Timer
I dl'd Combo Fix
Ran Combo Fix
Ran HiJackThis
Now I am back here. . .


Drumroll. . .

. . . the results, and a little bit of extra information that I thought you might need to see. If not, I apologize for adding it, but I figure that in this predicament, one can not be too careful. :thumbsup:


While running ComboFix- COMODO kept popping up, asking if the program was allowed to make changes. Should I have shut that off too? If I need to rerun the ComboFix with COMODO in a different mode, or off, please just let me know. ComboFix did not take all that long to run, just a matter of minutes, and despite my desperate urge to walk away from this confounded machine, COMODO would not allow it. Kept having to OK every move that ComboFix tried to make. Also, during the running of ComboFix, there were five errors that popped up. I had the options to close and exit the program, or ignore. Due to the warning of 1/100 computers not surviving the 'fix' process, (how thoughtful of the ComboFix creator/s to scare the pants off of me!! =) I chose 'close', however, the program did not stop running. I am hoping that it is all well and good, but here are the errors.

My log of error messages while running ComboFix:



First error:

Before ComboFix did anything but start up the MSDOS screen:

AutoScan
The NTVDM CPU has encountered an illegal instruction.

CS: 05f4 IP:0103 OP: 63 20 68 69 64

Choose close to terminate the application or ignore to keep running. (this was exactly the same on all errors)

Second error:

Just as ComboFix completed stage four:

AutoScan
The NTVDM CPU has encountered an illegal instruction.

CS: 108c IP:0103 OP: 63 20 68 69 64

Third Error:

When ComboFix said that it was preparing the log report:

Find 3M
The NTVDM CPU has encountered an illegal instruction.

CS: 108c IP:0103 OP: 63 20 68 69 64

Fourth Error:

As soon as the log report was on the screen:

c:\combofix\nircmd.exe

The NTVDM CPU has encountered an illegal instruction.

CS: 108c IP:0103 OP: 63 20 68 69 64

Fifth Error:

As soon as the last error closed, this one popped up:

Find 3M
The NTVDM CPU has encountered an illegal instruction.

CS: 108c IP:0103 OP: 63 20 68 69 64


ComboFix Log


ComboFix 08-03-30.5 - Owner 2008-04-01 9:05:57.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.201 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
ADS - svchost.exe: deleted 88 bytes in 2 streams.

((((((((((((((((((((((((( Files Created from 2008-03-01 to 2008-04-01 )))))))))))))))))))))))))))))))
.

2008-03-30 21:28 . 2008-03-30 21:28 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-30 21:19 . 2008-03-30 21:19 <DIR> d--h----- C:\WINDOWS\PIF
2008-03-28 22:13 . 2008-03-30 15:34 30,590 --a------ C:\WINDOWS\SYSTEM32\pavas.ico
2008-03-28 22:13 . 2008-03-30 15:34 2,550 --a------ C:\WINDOWS\SYSTEM32\Uninstall.ico
2008-03-28 22:13 . 2008-03-30 15:34 1,406 --a------ C:\WINDOWS\SYSTEM32\Help.ico
2008-03-28 22:12 . 2008-03-30 16:28 <DIR> d-------- C:\WINDOWS\SYSTEM32\ActiveScan
2008-03-28 03:23 . 2008-03-28 03:23 <DIR> d-------- C:\Program Files\COMODO
2008-03-28 03:23 . 2008-03-28 03:23 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Comodo
2008-03-28 03:23 . 2008-03-28 10:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\comodo
2008-03-28 03:23 . 2008-03-28 03:23 139,008 --a------ C:\WINDOWS\SYSTEM32\guard32.dll
2008-03-28 03:23 . 2008-03-28 03:23 85,752 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\cmdguard.sys
2008-03-28 03:23 . 2008-03-28 03:23 23,800 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\cmdhlp.sys
2008-03-28 02:53 . 2008-03-30 21:21 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\AVG7
2008-03-28 02:52 . 2008-03-28 02:52 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-03-28 02:51 . 2008-03-28 02:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-28 02:51 . 2008-04-01 03:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-03-27 22:43 . 2008-03-28 01:35 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-03-27 17:41 . 2004-07-19 19:15 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-03-27 17:41 . 2004-07-19 19:12 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sonic
2008-03-27 17:41 . 2004-07-19 19:14 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Jasc Software Inc
2008-03-26 22:17 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll
2008-03-26 22:17 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll.mui
2008-03-26 15:50 . 2008-03-26 15:50 552 --a------ C:\WINDOWS\SYSTEM32\d3d8caps.dat
2008-03-26 15:40 . 2008-03-26 15:40 <DIR> d-------- C:\WINDOWS\ERUNT
2008-03-26 12:42 . 2008-03-26 12:42 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-26 12:27 . 2008-03-27 20:12 <DIR> d-------- C:\WINDOWS\SYSTEM32\375013
2008-03-17 17:51 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2008-03-12 01:48 . 2008-03-12 01:48 7,680 --ahs---- C:\WINDOWS\Thumbs.db
2008-03-03 23:11 . 2008-03-27 22:07 848 --ahs---- C:\WINDOWS\SYSTEM32\KGyGaAvL.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-30 21:16 --------- d-----w C:\Program Files\Windows Defender
2008-03-30 21:16 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-30 21:00 --------- d-----w C:\Program Files\Digital Line Detect
2008-03-30 21:00 --------- d-----w C:\Program Files\Dell AIO Printer A940
2008-03-30 20:58 --------- d-----w C:\Program Files\Bonjour
2008-03-29 05:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-26 17:43 --------- d-----w C:\Program Files\Lavasoft
2008-03-17 22:50 --------- d-----w C:\Program Files\Java
2008-03-12 06:49 --------- d-----w C:\Program Files\PictureToTV
2008-03-12 06:49 --------- d-----w C:\Program Files\NetWaiting
2008-03-12 06:48 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-03-12 06:48 --------- d-----w C:\Program Files\Modem Helper
2008-03-12 06:48 --------- d-----w C:\Program Files\America Online 9.0
2008-02-27 04:42 --------- d-----w C:\Program Files\Common Files\AOL
2008-02-26 14:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-26 14:26 --------- d-----w C:\Documents and Settings\Owner\Application Data\Lavasoft
2008-02-26 13:43 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-25 03:11 --------- d-----w C:\Documents and Settings\Owner\Application Data\acccore
2008-02-25 03:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-02-25 03:10 --------- d-----w C:\Program Files\Viewpoint
2008-02-25 03:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-02-25 03:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-02-24 08:04 --------- d-----w C:\Program Files\MSXML 6.0
2008-02-23 19:33 --------- d-----w C:\Program Files\Alltel
2008-02-23 19:33 --------- d-----w C:\Documents and Settings\Owner\Application Data\Smith Micro
2008-02-23 19:23 --------- d-----w C:\Program Files\Motorola USB Drivers
2008-02-23 18:44 0 ---ha-w C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-02-23 18:44 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
2008-02-23 18:39 --------- d-----w C:\Program Files\Common Files\Motorola Shared
2008-02-19 15:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Trymedia
2008-02-16 22:49 --------- d-----w C:\Program Files\Microsoft Encarta
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{549B5CA7-4A86-11D7-A4DF-000874180BB3}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"c:_program files_wordperfe3a"="C:\Program Files\WordPerfect Office 12\Programs\CorUpd.exe" [2004-01-07 11:14 139264]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-11-03 13:46 4800512]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00 90112]
"DwlClient"="c:\Program Files\Common Files\Dell\EUSW\Support.exe" [2004-05-27 20:05 323584]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20 866584]
"Dell AIO Printer A940"="C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe" [2003-02-17 17:00 86102]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-03-15 01:04 122933]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-03-28 03:04 579072]
"COMODO Firewall Pro"="C:\Program Files\COMODO\Firewall\cfp.exe" [2008-03-28 03:23 1503488]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 15:38 39264]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-03-28 02:52 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2004-07-19 19:06:49 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= C:\WINDOWS\system32\guard32.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\WINDOWS\\SYSTEM32\\fxsclnt.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=

R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;C:\WINDOWS\system32\DRIVERS\cmdguard.sys [2008-03-28 03:23]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;C:\WINDOWS\system32\DRIVERS\cmdhlp.sys [2008-03-28 03:23]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38]

.
Contents of the 'Scheduled Tasks' folder
"2008-04-01 08:00:00 C:\WINDOWS\Tasks\Ad-Aware SE Personal.job"
- C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
"2008-03-30 09:00:00 C:\WINDOWS\Tasks\Disk Cleanup.job"
- C:\WINDOWS\SYSTEM32\cleanmgr.exe
"2008-04-01 12:14:00 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-01 09:13:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DwlClient = c:\Program Files\Common Files\Dell\EUSW\Support.exe?l?e?s?\?D?e?l?l?\?E?U?S?W?\?S?u?p?p?o?r?t?.?e?x?e???x???x???????????????????x???????????x???x???????????x???????????x???x????????????????????????????????????????D?w????????????7??w????x???x??????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\guard32.dll

PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\WINDOWS\system32\guard32.dll
.
Completion time: 2008-04-01 9:15:46
ComboFix-quarantined-files.txt 2008-04-01 14:15:42
Pre-Run: 46,248,394,752 bytes free
Post-Run: 46,237,409,280 bytes free
.
2008-03-28 00:42:34 --- E O F ---

HiJackThis Log


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:21:43 AM, on 4/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
c:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Dell AIO Printer A940\dlbabmon.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WordPerfect Office 12\Programs\CorUpd.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Alltel\QuickLink Mobile\QuickLink Mobile.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DwlClient] c:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [c:_program files_wordperfe3a] C:\Program Files\WordPerfect Office 12\Programs\CorUpd.exe /Watch /r="SOFTWARE\Corel\WordPerfect Suite\12"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} -
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...wlscbase370.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1172782167830
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1204234900640
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1A1D9852-141F-40EE-A89C-5A834A395ACA}: NameServer = 166.102.165.11 166.102.165.13
O17 - HKLM\System\CS1\Services\Tcpip\..\{1A1D9852-141F-40EE-A89C-5A834A395ACA}: NameServer = 166.102.165.11 166.102.165.13
O17 - HKLM\System\CS2\Services\Tcpip\..\{1A1D9852-141F-40EE-A89C-5A834A395ACA}: NameServer = 166.102.165.11 166.102.165.13
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 8895 bytes


Again, thank you so very much Tea! I have been going out of my mind (and I am sure that you know the feeling) with the waiting to see if this thing can be saved or not. Anything you tell me to do, I will do without question. You can also rest assured that I fully understand that I am following any and all instructions as well as using any and all software at my own risk. I know how things can go, and if something goes wrong, I can't really be any worse off than I already am.

~*~Vicki~*~
(my real name. . .LOL. . .although, it does seem that computers REALLY do hate me!)
~*~Vicki~*~

#4 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:02:17 PM

Posted 01 April 2008 - 03:13 PM

Hi Vicki,

You did everything just fine. :blink: Thing is, it didn't do what I expected it to do. :thumbsup: Let's do this :

Go totally offline, then disable all your protection programs, including Comodo, and run it again. Re enable everything before you come back on and post the report.

You're doing fine! :wacko:

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#5 ComputersHateMe11

ComputersHateMe11
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Ohio
  • Local time:02:17 PM

Posted 01 April 2008 - 04:34 PM

Tea,

Thank you for your patience and your very prompt reply! I do so appreciate it. I followed your instructions, and here is the new ComboFix Report Log. There were NO ERRORS this time!! :wacko: Oh, I ran another HiJackThis, just in case. Don't think I needed to, but I did.

And just so you know, you are working with a person whose luck is as follows: 'If it can go wrong, it will!' :thumbsup:

~*~Vicki~*~



:) The New and Improved (trying to keep a sense of humor!)ComboFix Log :)


ComboFix 08-03-30.5 - Owner 2008-04-01 17:05:34.2 - NTFSx86
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-03-01 to 2008-04-01 )))))))))))))))))))))))))))))))
.

2008-03-30 21:28 . 2008-03-30 21:28 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-30 21:19 . 2008-03-30 21:19 <DIR> d--h----- C:\WINDOWS\PIF
2008-03-28 22:13 . 2008-03-30 15:34 30,590 --a------ C:\WINDOWS\SYSTEM32\pavas.ico
2008-03-28 22:13 . 2008-03-30 15:34 2,550 --a------ C:\WINDOWS\SYSTEM32\Uninstall.ico
2008-03-28 22:13 . 2008-03-30 15:34 1,406 --a------ C:\WINDOWS\SYSTEM32\Help.ico
2008-03-28 22:12 . 2008-03-30 16:28 <DIR> d-------- C:\WINDOWS\SYSTEM32\ActiveScan
2008-03-28 03:23 . 2008-03-28 03:23 <DIR> d-------- C:\Program Files\COMODO
2008-03-28 03:23 . 2008-03-28 03:23 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Comodo
2008-03-28 03:23 . 2008-03-28 10:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\comodo
2008-03-28 03:23 . 2008-03-28 03:23 139,008 --a------ C:\WINDOWS\SYSTEM32\guard32.dll
2008-03-28 03:23 . 2008-03-28 03:23 85,752 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\cmdguard.sys
2008-03-28 03:23 . 2008-03-28 03:23 23,800 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\cmdhlp.sys
2008-03-28 02:53 . 2008-03-30 21:21 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\AVG7
2008-03-28 02:52 . 2008-03-28 02:52 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-03-28 02:51 . 2008-03-28 02:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-28 02:51 . 2008-04-01 03:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-03-27 22:43 . 2008-03-28 01:35 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-03-27 17:41 . 2004-07-19 19:15 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-03-27 17:41 . 2004-07-19 19:12 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sonic
2008-03-27 17:41 . 2004-07-19 19:14 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Jasc Software Inc
2008-03-26 22:17 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll
2008-03-26 22:17 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll.mui
2008-03-26 15:50 . 2008-03-26 15:50 552 --a------ C:\WINDOWS\SYSTEM32\d3d8caps.dat
2008-03-26 15:40 . 2008-03-26 15:40 <DIR> d-------- C:\WINDOWS\ERUNT
2008-03-26 12:42 . 2008-03-26 12:42 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-26 12:27 . 2008-03-27 20:12 <DIR> d-------- C:\WINDOWS\SYSTEM32\375013
2008-03-17 17:51 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2008-03-12 01:48 . 2008-03-12 01:48 7,680 --ahs---- C:\WINDOWS\Thumbs.db
2008-03-03 23:11 . 2008-03-27 22:07 848 --ahs---- C:\WINDOWS\SYSTEM32\KGyGaAvL.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-30 21:16 --------- d-----w C:\Program Files\Windows Defender
2008-03-30 21:16 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-30 21:00 --------- d-----w C:\Program Files\Digital Line Detect
2008-03-30 21:00 --------- d-----w C:\Program Files\Dell AIO Printer A940
2008-03-30 20:58 --------- d-----w C:\Program Files\Bonjour
2008-03-29 05:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-28 21:12 14,336 ----a-w C:\WINDOWS\SYSTEM32\svchost.exe
2008-03-28 21:12 14,336 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\svchost.exe
2008-03-26 17:43 --------- d-----w C:\Program Files\Lavasoft
2008-03-17 22:50 --------- d-----w C:\Program Files\Java
2008-03-12 06:49 --------- d-----w C:\Program Files\PictureToTV
2008-03-12 06:49 --------- d-----w C:\Program Files\NetWaiting
2008-03-12 06:48 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-03-12 06:48 --------- d-----w C:\Program Files\Modem Helper
2008-03-12 06:48 --------- d-----w C:\Program Files\America Online 9.0
2008-02-27 04:42 --------- d-----w C:\Program Files\Common Files\AOL
2008-02-26 14:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-26 14:26 --------- d-----w C:\Documents and Settings\Owner\Application Data\Lavasoft
2008-02-26 13:43 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-25 03:11 --------- d-----w C:\Documents and Settings\Owner\Application Data\acccore
2008-02-25 03:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-02-25 03:10 --------- d-----w C:\Program Files\Viewpoint
2008-02-25 03:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-02-25 03:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-02-24 08:04 --------- d-----w C:\Program Files\MSXML 6.0
2008-02-23 19:33 --------- d-----w C:\Program Files\Alltel
2008-02-23 19:33 --------- d-----w C:\Documents and Settings\Owner\Application Data\Smith Micro
2008-02-23 19:23 --------- d-----w C:\Program Files\Motorola USB Drivers
2008-02-23 18:44 0 ---ha-w C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-02-23 18:44 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
2008-02-23 18:39 --------- d-----w C:\Program Files\Common Files\Motorola Shared
2008-02-19 15:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Trymedia
2008-02-16 22:49 --------- d-----w C:\Program Files\Microsoft Encarta
2008-02-01 08:21 245,408 ----a-w C:\WINDOWS\SYSTEM32\unicows.dll
2008-01-11 05:53 44,544 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\pngfilt.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{549B5CA7-4A86-11D7-A4DF-000874180BB3}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"c:_program files_wordperfe3a"="C:\Program Files\WordPerfect Office 12\Programs\CorUpd.exe" [2004-01-07 11:14 139264]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-11-03 13:46 4800512]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00 90112]
"DwlClient"="c:\Program Files\Common Files\Dell\EUSW\Support.exe" [2004-05-27 20:05 323584]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20 866584]
"Dell AIO Printer A940"="C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe" [2003-02-17 17:00 86102]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-03-15 01:04 122933]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-03-28 03:04 579072]
"COMODO Firewall Pro"="C:\Program Files\COMODO\Firewall\cfp.exe" [2008-03-28 03:23 1503488]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 15:38 39264]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-03-28 02:52 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2004-07-19 19:06:49 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= C:\WINDOWS\system32\guard32.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\WINDOWS\\SYSTEM32\\fxsclnt.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=

R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;C:\WINDOWS\system32\DRIVERS\cmdguard.sys [2008-03-28 03:23]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;C:\WINDOWS\system32\DRIVERS\cmdhlp.sys [2008-03-28 03:23]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38]

.
Contents of the 'Scheduled Tasks' folder
"2008-04-01 08:00:00 C:\WINDOWS\Tasks\Ad-Aware SE Personal.job"
- C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
"2008-03-30 09:00:00 C:\WINDOWS\Tasks\Disk Cleanup.job"
- C:\WINDOWS\SYSTEM32\cleanmgr.exe
"2008-04-01 12:14:00 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-01 17:08:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DwlClient = c:\Program Files\Common Files\Dell\EUSW\Support.exe?l?e?s?\?D?e?l?l?\?E?U?S?W?\?S?u?p?p?o?r?t?.?e?x?e???x???x???????????????????x???????????x???x???????????x???????????x???x????????????????????????????????????????D?w????????????7??w????x???x??????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\guard32.dll

PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\WINDOWS\system32\guard32.dll
.
Completion time: 2008-04-01 17:09:24
ComboFix-quarantined-files.txt 2008-04-01 22:09:07
ComboFix2.txt 2008-04-01 14:15:47
Pre-Run: 46,312,833,024 bytes free
Post-Run: 46,298,955,776 bytes free
.
2008-03-28 00:42:34 --- E O F ---

:) The New Hijack This Log. . .Just in case. . . :blink:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:11:37 PM, on 4/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
C:\Program Files\Dell AIO Printer A940\dlbabmon.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WordPerfect Office 12\Programs\CorUpd.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Alltel\QuickLink Mobile\QuickLink Mobile.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DwlClient] c:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [c:_program files_wordperfe3a] C:\Program Files\WordPerfect Office 12\Programs\CorUpd.exe /Watch /r="SOFTWARE\Corel\WordPerfect Suite\12"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} -
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...wlscbase370.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1172782167830
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1204234900640
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CS2\Services\Tcpip\..\{1A1D9852-141F-40EE-A89C-5A834A395ACA}: NameServer = 166.102.165.11 166.102.165.13
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 8417 bytes

:) Hopefully we can get to the bottom of this.
And I sure do hope you love a challenge! :)

Edited by ComputersHateMe11, 01 April 2008 - 04:36 PM.

~*~Vicki~*~

#6 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:02:17 PM

Posted 01 April 2008 - 04:49 PM

Hi Vicki,

You're most welcome, and I do know the feeling. Murphy's Law has a way of finding me when it gets bored I guess. :thumbsup: Did mention my middle name is Challenge? :blink:

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quote box below into notepad:

File::
C:\WINDOWS\SYSTEM32\pavas.ico
C:\WINDOWS\SYSTEM32\Uninstall.ico
C:\WINDOWS\SYSTEM32\Help.ico


Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again.

After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

How is it running now please?

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#7 ComputersHateMe11

ComputersHateMe11
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Ohio
  • Local time:02:17 PM

Posted 01 April 2008 - 06:39 PM

:thumbsup: Hey there Tea,
(seeing as you are from Texas, I thought the Cowgirl smilie might be cute, but you have probably gotten that one a hundred or so times. . .)

I did as instructed, and here are the logs for ComboFix and HiJackThis.

Hope they are as they should be . . .

ComboFix Log


ComboFix 08-03-30.5 - Owner 2008-04-01 19:04:49.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.171 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\SYSTEM32\Help.ico
C:\WINDOWS\SYSTEM32\pavas.ico
C:\WINDOWS\SYSTEM32\Uninstall.ico
.
TimedOut: progfile.dat

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\SYSTEM32\Help.ico
C:\WINDOWS\SYSTEM32\pavas.ico
C:\WINDOWS\SYSTEM32\Uninstall.ico

.
((((((((((((((((((((((((( Files Created from 2008-03-02 to 2008-04-02 )))))))))))))))))))))))))))))))
.

2008-03-30 21:28 . 2008-03-30 21:28 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-30 21:19 . 2008-03-30 21:19 <DIR> d--h----- C:\WINDOWS\PIF
2008-03-28 22:12 . 2008-03-30 16:28 <DIR> d-------- C:\WINDOWS\SYSTEM32\ActiveScan
2008-03-28 03:23 . 2008-03-28 03:23 <DIR> d-------- C:\Program Files\COMODO
2008-03-28 03:23 . 2008-03-28 03:23 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Comodo
2008-03-28 03:23 . 2008-03-28 10:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\comodo
2008-03-28 03:23 . 2008-03-28 03:23 139,008 --a------ C:\WINDOWS\SYSTEM32\guard32.dll
2008-03-28 03:23 . 2008-03-28 03:23 85,752 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\cmdguard.sys
2008-03-28 03:23 . 2008-03-28 03:23 23,800 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\cmdhlp.sys
2008-03-28 02:53 . 2008-03-30 21:21 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\AVG7
2008-03-28 02:52 . 2008-03-28 02:52 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-03-28 02:51 . 2008-03-28 02:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-28 02:51 . 2008-04-01 03:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-03-27 22:43 . 2008-03-28 01:35 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-03-27 17:41 . 2004-07-19 19:15 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-03-27 17:41 . 2004-07-19 19:12 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sonic
2008-03-27 17:41 . 2004-07-19 19:14 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Jasc Software Inc
2008-03-26 22:17 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll
2008-03-26 22:17 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll.mui
2008-03-26 15:50 . 2008-03-26 15:50 552 --a------ C:\WINDOWS\SYSTEM32\d3d8caps.dat
2008-03-26 15:40 . 2008-03-26 15:40 <DIR> d-------- C:\WINDOWS\ERUNT
2008-03-26 12:42 . 2008-03-26 12:42 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-26 12:27 . 2008-03-27 20:12 <DIR> d-------- C:\WINDOWS\SYSTEM32\375013
2008-03-17 17:51 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2008-03-12 01:48 . 2008-03-12 01:48 7,680 --ahs---- C:\WINDOWS\Thumbs.db
2008-03-03 23:11 . 2008-03-27 22:07 848 --ahs---- C:\WINDOWS\SYSTEM32\KGyGaAvL.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-30 21:16 --------- d-----w C:\Program Files\Windows Defender
2008-03-30 21:16 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-30 21:00 --------- d-----w C:\Program Files\Digital Line Detect
2008-03-30 21:00 --------- d-----w C:\Program Files\Dell AIO Printer A940
2008-03-30 20:58 --------- d-----w C:\Program Files\Bonjour
2008-03-29 05:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-28 21:12 14,336 ----a-w C:\WINDOWS\SYSTEM32\svchost.exe
2008-03-28 21:12 14,336 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\svchost.exe
2008-03-26 17:43 --------- d-----w C:\Program Files\Lavasoft
2008-03-17 22:50 --------- d-----w C:\Program Files\Java
2008-03-12 06:49 --------- d-----w C:\Program Files\PictureToTV
2008-03-12 06:49 --------- d-----w C:\Program Files\NetWaiting
2008-03-12 06:48 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-03-12 06:48 --------- d-----w C:\Program Files\Modem Helper
2008-03-12 06:48 --------- d-----w C:\Program Files\America Online 9.0
2008-02-27 04:42 --------- d-----w C:\Program Files\Common Files\AOL
2008-02-26 14:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-26 14:26 --------- d-----w C:\Documents and Settings\Owner\Application Data\Lavasoft
2008-02-26 13:43 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-25 03:11 --------- d-----w C:\Documents and Settings\Owner\Application Data\acccore
2008-02-25 03:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-02-25 03:10 --------- d-----w C:\Program Files\Viewpoint
2008-02-25 03:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-02-25 03:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-02-24 08:04 --------- d-----w C:\Program Files\MSXML 6.0
2008-02-23 19:33 --------- d-----w C:\Program Files\Alltel
2008-02-23 19:33 --------- d-----w C:\Documents and Settings\Owner\Application Data\Smith Micro
2008-02-23 19:23 --------- d-----w C:\Program Files\Motorola USB Drivers
2008-02-23 18:44 0 ---ha-w C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-02-23 18:44 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
2008-02-23 18:39 --------- d-----w C:\Program Files\Common Files\Motorola Shared
2008-02-19 15:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Trymedia
2008-02-16 22:49 --------- d-----w C:\Program Files\Microsoft Encarta
2008-02-01 08:21 245,408 ----a-w C:\WINDOWS\SYSTEM32\unicows.dll
2008-01-11 05:53 44,544 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\pngfilt.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{549B5CA7-4A86-11D7-A4DF-000874180BB3}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"c:_program files_wordperfe3a"="C:\Program Files\WordPerfect Office 12\Programs\CorUpd.exe" [2004-01-07 11:14 139264]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-11-03 13:46 4800512]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00 90112]
"DwlClient"="c:\Program Files\Common Files\Dell\EUSW\Support.exe" [2004-05-27 20:05 323584]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20 866584]
"Dell AIO Printer A940"="C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe" [2003-02-17 17:00 86102]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-03-15 01:04 122933]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-03-28 03:04 579072]
"COMODO Firewall Pro"="C:\Program Files\COMODO\Firewall\cfp.exe" [2008-03-28 03:23 1503488]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 15:38 39264]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-03-28 02:52 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2004-07-19 19:06:49 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= C:\WINDOWS\system32\guard32.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\WINDOWS\\SYSTEM32\\fxsclnt.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=

R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;C:\WINDOWS\system32\DRIVERS\cmdguard.sys [2008-03-28 03:23]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;C:\WINDOWS\system32\DRIVERS\cmdhlp.sys [2008-03-28 03:23]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38]

.
Contents of the 'Scheduled Tasks' folder
"2008-04-01 08:00:00 C:\WINDOWS\Tasks\Ad-Aware SE Personal.job"
- C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
"2008-03-30 09:00:00 C:\WINDOWS\Tasks\Disk Cleanup.job"
- C:\WINDOWS\SYSTEM32\cleanmgr.exe
"2008-04-01 12:14:00 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-01 19:07:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DwlClient = c:\Program Files\Common Files\Dell\EUSW\Support.exe?l?e?s?\?D?e?l?l?\?E?U?S?W?\?S?u?p?p?o?r?t?.?e?x?e???x???x???????????????????x???????????x???x???????????x???????????x???x????????????????????????????????????????D?w????????????7??w????x???x??????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\guard32.dll

PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\WINDOWS\system32\guard32.dll
.
Completion time: 2008-04-01 19:08:35
ComboFix-quarantined-files.txt 2008-04-02 00:08:19
ComboFix2.txt 2008-04-01 22:09:25
ComboFix3.txt 2008-04-01 14:15:47
Pre-Run: 46,283,382,784 bytes free
Post-Run: 46,269,726,720 bytes free
.
2008-03-28 00:42:34 --- E O F ---

HiJackThis Log


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:10:36 PM, on 4/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
C:\Program Files\Dell AIO Printer A940\dlbabmon.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WordPerfect Office 12\Programs\CorUpd.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Alltel\QuickLink Mobile\QuickLink Mobile.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DwlClient] c:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [c:_program files_wordperfe3a] C:\Program Files\WordPerfect Office 12\Programs\CorUpd.exe /Watch /r="SOFTWARE\Corel\WordPerfect Suite\12"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} -
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...wlscbase370.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1172782167830
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1204234900640
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CS2\Services\Tcpip\..\{1A1D9852-141F-40EE-A89C-5A834A395ACA}: NameServer = 166.102.165.11 166.102.165.13
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 8417 bytes

As for how the computer is running. . . Sometimes it is really slow to open and load webpages, so slow that at times we have to actually close Internet Explorer completely, then dump the temporary files, and then restart the internet connection. It doesn't seem like there is alot in the temporary files, but it does help when we do that. We have only received the blue error screen once today, and it had a different error code than the last two times I recorded them. Opening and running certain programs is still slow at times as well. We can deal with the slow running and all that. What scares us is the fact that some of the virus scans come up with a positive, and some don't. We just want to try to get rid of the pesky little :censored:'s and keep them away. My worry with that is that as I understand it, if you have a virus on your system when you install an AV software, then your system will most likely recognize it as part of your OS. Is that correct? If that is the case, then that has happened here. And the files in the AVG Virus Vault, should I delete them? What is the best setting for the fire wall and the COMODO defense? I have the firewall set to "Train with safe" mode and the defense is set to the same. I have the 'stealth ports wizard' set to block all, but it keeps resetting itself (immediately) to 'define a new trusted network' without me doing a thing. Is that normal? Now that I have badgered you with questions. . . Thanks again.
~*~Vicki~*~

~*~Vicki~*~

#8 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:02:17 PM

Posted 01 April 2008 - 08:09 PM

Hi Vicki,

No, I don't get that as much as you might think. :thumbsup: What I get more often is mistaken for a guy. I have no idea why, but it's true. :wacko:

My worry with that is that as I understand it, if you have a virus on your system when you install an AV software, then your system will most likely recognize it as part of your OS. Is that correct?

No, not at all correct. If malware gets past an Anti Virus program it's simply because no one program can detect everything, and some are better than others.

Yes, you can delete AVG's vault if you like. :blink:

Please delete ComboFix and its accompanying folder C:\Qoobox. Empty your Recycle bin and reboot your computer.

Please download ATF Cleaner by Atribune.Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Please run HijackThis! and click "Scan." Place checks next to the following entries, if present:

O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DwlClient] c:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [c:_program files_wordperfe3a] C:\Program Files\WordPerfect Office 12\Programs\CorUpd.exe /Watch /r="SOFTWARE\Corel\WordPerfect Suite\12"
O4 - Global Startup: Digital Line Detect.lnk = ?
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab


Close all browsers and other windows except for HijackThis!, and click "Fix checked".

Reboot your computer.

Let me know how it's running now. :)

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#9 ComputersHateMe11

ComputersHateMe11
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Ohio
  • Local time:02:17 PM

Posted 01 April 2008 - 11:12 PM

Tea-
I don't understand why anyone would mistake you for a man. :wacko: <----I know.... but I saw your picture on here, and I just don't see how that is even remotely possible. Some people though . . . yikes. :)

Back to the matter at hand:

Per your instructions:

I first downloaded ATF Cleaner [I had to rush, so that had to come first, the cell phone (how we connect to the internet) battery was dying, and I had to disconnect from the internet to charge it.]
I then deleted ComboFix and the associated file.
Restarted the computer
Ran ATF Cleaner
Then ran HJT and 'fixed' the appropriate entries.

When I rebooted the PC after 'fixing' with HJT, it acted as if it didn't want to start windows. Took a while. Almost a minute longer than normal, I would say. Is that normal after running an HJT fix?

I know you didn't ask for one, but here is the HJT log (after the longer than normal reboot)


HiJackThis Log


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:44:33 PM, on 4/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} -
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...wlscbase370.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1172782167830
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1204234900640
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 7058 bytes

Still haven't had any more blue screen stop errors, :) since this morning anyway. The computer is still lagging though. Especially when I run AdAware or SpyBot S&D. I am hoping that you don't see anything else that looks bad. :thumbsup: Internet Explorer is still giving us a fit here and there, but I suppose that can be expected. An internet explorer shortcut keeps showing up on the desktop, no matter how many times I delete it. . . just comes back. :) So, I guess other than the lags, we are good here now, unless you see something else that needs a tweak. :blink: Thank you again for all of your help and for your promptness. :) <-----For you!
Have you any suggestions on how to get this old beast running better/faster? Also, I have a few questions regarding COMODO firewall, AVG and other misc "anti-crap on my computer" software, if you don't mind. Of course they can wait till we have all the other stuff done that you want to do, and I can post my questions in another forum if necessary.

~*~Vicki~*~

#10 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:02:17 PM

Posted 03 April 2008 - 09:29 AM

Hi Vicki,

Please delete ComboFix and its accompanying folder C:\Qoobox. Empty your Recycle bin and reboot your computer.

How is it running after a couple of days? Still all right (no bsod)?

tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#11 ComputersHateMe11

ComputersHateMe11
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Ohio
  • Local time:02:17 PM

Posted 03 April 2008 - 08:59 PM

Hello Tea!

I already deleted the ComboFix and the corresponding file as per your instructions on 4-1. As of right now, yes, we are still getting the BSOD's, not as frequently, but still getting them. Funny, we had one yesterday, and then one again today, right before we read your reply! Each time the error codes seem to be different.

PC is still REALLY slow to open files and run things. . . get the little searching flashlight EVERY time we open the Control Panel. When you open the task manager after startup it says there are 41 processes running. Could this be the problem? Just tapping out the resources? It says that CPU usage is on average 2% though. That's good, right? I checked the system information and it says that we are 58% free on our memory. I would think there would be more than that available. . . have intentionally avoided installing unnecessary applications for just that reason. AdAware, SpyBot S&D, AVG and COMODO searches all come up clean. Going to try running Kaspersky Online one more time, tomorrow morning, and see what happens there. If it comes up with anything, I will post the log.

Thanks again. . .

Vicki

Edited by ComputersHateMe11, 03 April 2008 - 09:01 PM.

~*~Vicki~*~

#12 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:02:17 PM

Posted 04 April 2008 - 11:03 AM

Hi Vicki,

Did you get the Kaspersky log yet? I know it's still morning, but I wanted you to know I got your last message and am here. :thumbsup:

tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#13 ComputersHateMe11

ComputersHateMe11
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Ohio
  • Local time:02:17 PM

Posted 04 April 2008 - 09:01 PM

:wacko: Tea-

Didn't want you to think I went MIA- so here is what is going on currently:

Trying to run Kaspersky (on the fourth try now) :) and keep getting BSOD's when we are about 90% (or so) complete. Can't get a log. During the scan though it is saying that we have :blink: 2 viruses and 4 infected files. (SpyBotS&d, AdAware, COMODO and AVG all say we are clean!) I am going to try running Kaspersky one more time. If I am unable to get it to work, I am going to just dump everything :thumbsup: and re-install windows. I will wait for you to reply to this before I do that, to see if you have an idea that will keep me from having to dump the system. Thanks for your help!

Sorry that it took so long to get back to you. . .long day. :)
~*~Vicki~*~

#14 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:02:17 PM

Posted 04 April 2008 - 09:20 PM

wwww....Vicki....let's not give up quite yet. Forget Kaspersky for the moment and try BitDefender online scan, Kaspersky will just scan anyway. BD will remove as well.

Please download and run Bit Defender 8 online scanner
  • Install the program and then follow the prompts to download all available updates.
  • Select Antivirus and then click the Settings button. Click Default. Click Ok.
  • Select Local Drives and click Scan.
  • When the scan is complete save the log and post it back here in your next reply.
No need to be sorry about anything. Real life happens! :thumbsup:

tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#15 ComputersHateMe11

ComputersHateMe11
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Ohio
  • Local time:02:17 PM

Posted 04 April 2008 - 09:37 PM

Tea,

Gonna go do that right now, or attempt to at the very least. Will post as soon as I get it done, or if it doesn't work by the second go round, will post then.

Vicki
~*~Vicki~*~




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users