
laptop w/win xp only allows me to go to RUN/ Computer 2


21 replies to this topic

#1 thatguy418

thatguy418

  • Members
  • 17 posts
  • OFFLINE
  • Local time:02:20 PM

Posted 30 November 2008 - 11:02 AM

I have another post for my pc, but my laptop went on the fritz a few months back too. I put it in the closet until I had time to mess with it. It won't run or open any programs, not Office, Windows Explorer, My Computer, etc. I can only access Run and can browse once in there. I was able to load RSIT on it via thumb drive and run it in safe mode as it wouldn't pull up the regular way. I can't access the internet on it, or at least IE won't open up. Please see the RSIT file and advise; trying to avoid reinstalling the OS if possible.

Thanks,
Thatguy418


11-30-08 RSIT Log Logfile of random's system information tool 1.04 (written by random/random)
Run by Administrator at 2008-11-30 10:51:49
Microsoft Windows XP Professional Service Pack 2
System drive C: has 15 GB (77%) free of 19 GB
Total RAM: 254 MB (63% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:51:51 AM, on 11/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dwwin.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpCtr.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpCtr.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpCtr.exe
E:\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Administrator.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wral.com/
R3 - URLSearchHook: AOLSearchHook Class - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AOL Search\AOLSearch.dll
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: AOL Search Enhancement - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AOL Search\AOLSearch.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: crd - Unknown owner - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IXP001.TMP\poststp.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 5261 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-22 62080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\Program Files\Spybot\Spybot - Search & Destroy\SDHelper.dll [2008-09-15 1562960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22}]
AOLSearchHook Class - C:\Program Files\AOL Search\AOLSearch.dll [2007-12-18 111968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll [2008-02-22 509328]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7C554162-8CB7-45A4-B8F4-8EA1C75885F9}]
AOL Toolbar Launcher - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll [2007-10-10 1090912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{DE9C389F-3316-41A7-809B-AA305ED9D922} - AIM Toolbar - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll [2007-10-10 1090912]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"=C:\WINDOWS\system32\igfxtray.exe [2004-08-20 155648]
"HotKeysCmds"=C:\WINDOWS\system32\hkcmd.exe [2004-08-20 118784]
"AVG7_CC"=C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe [2008-11-01 590848]
"SunJavaUpdateSched"=C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe [2008-02-22 144784]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2007-10-10 39792]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"AIM"=C:\Program Files\AIM\aim.exe [2006-08-01 67112]
"SpybotSD TeaTimer"=C:\Program Files\Spybot\Spybot - Search & Destroy\TeaTimer.exe [2008-09-16 1833296]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Microsoft Find Fast.lnk - C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
Office Startup.lnk - C:\Program Files\Microsoft Office\Office\OSA.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxsrvc.dll [2004-08-20 344064]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2008-09-05 241704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"=C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll [2008-08-04 79408]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Guard]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\AVG Anti-Spyware Guard]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm.sys]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\Program Files\Grisoft\AVG Free\avginet.exe"="C:\Program Files\Grisoft\AVG Free\avginet.exe:*:Enabled:avginet.exe"
"C:\Program Files\Grisoft\AVG Free\avgamsvr.exe"="C:\Program Files\Grisoft\AVG Free\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\Program Files\Grisoft\AVG Free\avgcc.exe"="C:\Program Files\Grisoft\AVG Free\avgcc.exe:*:Enabled:avgcc.exe"
"C:\Program Files\Grisoft\AVG Free\avgemc.exe"="C:\Program Files\Grisoft\AVG Free\avgemc.exe:*:Enabled:avgemc.exe"
"C:\WINDOWS\system32\ftp.exe"="C:\WINDOWS\system32\ftp.exe:*:Enabled:File Transfer Program"
"C:\Program Files\Common Files\AOL\Loader\aolload.exe"="C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader"
"C:\Program Files\AIM6\aim6.exe"="C:\Program Files\AIM6\aim6.exe:*:Enabled:AIM"
"C:\Program Files\AIM\aim.exe"="C:\Program Files\AIM\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\WINDOWS\system32\sessmgr.exe"="C:\WINDOWS\system32\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

======List of files/folders created in the last 3 months======

2008-11-30 10:51:49 ----D---- C:\rsit
2008-11-30 10:12:32 ----D---- C:\Program Files\Trend Micro
2008-11-08 23:16:37 ----D---- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2008-11-08 23:14:20 ----A---- C:\WINDOWS\system32\MRT.exe
2008-11-07 20:01:55 ----D---- C:\Documents and Settings\All Users\Application Data\{51019853-129C-4EDE-9030-D5FD7BBD9AD0}
2008-11-04 09:32:13 ----HDC---- C:\WINDOWS\$NtUninstallKB951376-v2$
2008-11-04 09:32:03 ----HDC---- C:\WINDOWS\$NtUninstallKB952954$
2008-11-04 09:31:53 ----HDC---- C:\WINDOWS\$NtUninstallKB946648$
2008-11-04 09:31:43 ----HDC---- C:\WINDOWS\$NtUninstallKB956803$
2008-11-04 09:31:33 ----HDC---- C:\WINDOWS\$NtUninstallKB956391$
2008-11-04 09:31:24 ----HDC---- C:\WINDOWS\$NtUninstallKB957095$
2008-11-04 09:31:14 ----HDC---- C:\WINDOWS\$NtUninstallKB950974$
2008-11-04 09:31:02 ----HDC---- C:\WINDOWS\$NtUninstallKB951698$
2008-11-04 09:30:50 ----HDC---- C:\WINDOWS\$NtUninstallKB954211$
2008-11-04 09:30:21 ----HDC---- C:\WINDOWS\$NtUninstallKB956841$
2008-11-04 09:30:08 ----HDC---- C:\WINDOWS\$NtUninstallKB950762$
2008-11-04 09:29:56 ----HDC---- C:\WINDOWS\$NtUninstallKB951072-v2$
2008-11-04 09:29:44 ----HDC---- C:\WINDOWS\$NtUninstallKB952287$
2008-11-04 09:29:34 ----HDC---- C:\WINDOWS\$NtUninstallKB951066$
2008-11-04 09:29:11 ----HDC---- C:\WINDOWS\$NtUninstallKB938464$
2008-11-04 09:01:20 ----HDC---- C:\WINDOWS\$NtUninstallKB958644$
2008-11-04 08:59:06 ----HDC---- C:\WINDOWS\$NtUninstallKB956390$
2008-11-04 08:57:33 ----HDC---- C:\WINDOWS\$NtUninstallKB944338-v2$
2008-11-04 08:57:04 ----A---- C:\WINDOWS\_delis43.ini
2008-11-02 09:41:47 ----D---- C:\WINDOWS\system32\CatRoot_bak
2008-11-02 09:28:21 ----D---- C:\WINDOWS\system32\PreInstall
2008-11-02 09:28:14 ----N---- C:\WINDOWS\system32\spmsg.dll
2008-11-02 09:28:13 ----A---- C:\WINDOWS\system32\spupdsvc.exe
2008-11-02 09:28:09 ----HDC---- C:\WINDOWS\$NtUninstallKB898461$
2008-11-02 09:28:07 ----HD---- C:\WINDOWS\$hf_mig$
2008-11-01 20:07:52 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-01 20:01:39 ----D---- C:\Program Files\Spybot
2008-11-01 16:28:12 ----D---- C:\WINDOWS\system32\SoftwareDistribution
2008-11-01 16:21:34 ----SHD---- C:\Config.Msi
2008-11-01 16:16:28 ----D---- C:\WINDOWS\system32\appmgmt
2008-11-01 16:06:12 ----D---- C:\Documents and Settings\All Users\Application Data\WinZip
2008-11-01 16:05:59 ----D---- C:\Program Files\WinZip
2008-09-07 20:21:37 ----A---- C:\WINDOWS\ntbtlog.txt
2008-09-05 23:30:42 ----N---- C:\WINDOWS\system32\WgaLogon.dll
2008-09-05 23:30:06 ----N---- C:\WINDOWS\system32\LegitCheckControl.dll
2008-09-05 23:29:58 ----N---- C:\WINDOWS\system32\WgaTray.exe

======List of files/folders modified in the last 3 months======

2008-11-30 10:36:36 ----D---- C:\WINDOWS\system32\CatRoot2
2008-11-30 10:30:02 ----A---- C:\WINDOWS\SchedLgU.Txt
2008-11-30 10:12:32 ----RD---- C:\Program Files
2008-11-30 10:10:57 ----D---- C:\WINDOWS\Prefetch
2008-11-30 10:05:18 ----AH---- C:\WINDOWS\system32\FFASTLOG.TXT
2008-11-09 16:11:47 ----D---- C:\WINDOWS\system32
2008-11-09 12:34:35 ----D---- C:\WINDOWS\Temp
2008-11-09 12:19:37 ----D---- C:\WINDOWS\system32\CatRoot
2008-11-09 12:19:00 ----HD---- C:\WINDOWS\inf
2008-11-09 11:35:25 ----D---- C:\WINDOWS
2008-11-08 23:16:31 ----RSHDC---- C:\WINDOWS\system32\dllcache
2008-11-08 23:14:25 ----D---- C:\WINDOWS\Debug
2008-11-04 09:32:15 ----D---- C:\WINDOWS\system32\drivers
2008-11-04 09:32:08 ----A---- C:\WINDOWS\imsins.BAK
2008-11-04 09:31:55 ----D---- C:\Program Files\Messenger
2008-11-04 09:29:13 ----D---- C:\WINDOWS\WinSxS
2008-11-04 08:59:36 ----D---- C:\Program Files\Internet Explorer
2008-11-04 08:58:36 ----D---- C:\Scrabble
2008-11-02 09:23:55 ----D---- C:\Program Files\Google
2008-11-01 20:41:06 ----D---- C:\Documents and Settings\Administrator\Application Data\AVG7
2008-11-01 16:29:40 ----D---- C:\WINDOWS\SoftwareDistribution
2008-11-01 16:29:36 ----D---- C:\WINDOWS\Help
2008-11-01 16:24:58 ----SHD---- C:\WINDOWS\Installer
2008-11-01 16:24:25 ----D---- C:\Program Files\Common Files\Microsoft Shared
2008-11-01 16:24:22 ----D---- C:\WINDOWS\system32\mui
2008-11-01 16:23:24 ----RSD---- C:\WINDOWS\assembly
2008-11-01 16:17:20 ----SD---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-11-01 16:17:19 ----D---- C:\Program Files\Common Files
2008-11-01 16:16:55 ----D---- C:\Documents and Settings\All Users\Application Data\Google
2008-11-01 14:59:03 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2008-10-15 11:57:55 ----A---- C:\WINDOWS\system32\netapi32.dll

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AvgAsCln;AVG Anti-Spyware Clean Driver; C:\WINDOWS\System32\DRIVERS\AvgAsCln.sys [2006-09-05 3968]
R1 AvgClean;AVG7 Clean Driver; C:\WINDOWS\System32\Drivers\avgclean.sys [2007-12-23 10760]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-04 57600]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 26496]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2004-08-04 20480]
S1 AVG Anti-Spyware Driver;AVG Anti-Spyware Driver; \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys []
S1 Avg7Core;AVG7 Kernel; C:\WINDOWS\System32\Drivers\avg7core.sys [2007-11-20 821856]
S1 Avg7RsW;AVG7 Wrap Driver; C:\WINDOWS\System32\Drivers\avg7rsw.sys [2007-01-26 4224]
S1 Avg7RsXP;AVG7 Resident Driver XP; C:\WINDOWS\System32\Drivers\avg7rsxp.sys [2007-02-28 27776]
S1 P3;Intel PentiumIII Processor Driver; C:\WINDOWS\system32\DRIVERS\p3.sys [2004-08-04 42496]
S2 AvgTdi;AVG Network Redirector; C:\WINDOWS\System32\Drivers\avgtdi.sys [2007-01-26 4960]
S3 ac97intc;Intel(r) 82801 Audio Driver Install Service (WDM); C:\WINDOWS\system32\drivers\ac97intc.sys [2001-08-17 96256]
S3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\WINDOWS\system32\DRIVERS\CmBatt.sys [2004-08-03 14080]
S3 EL90XBC;3Com EtherLink XL 90XB/C Adapter Driver; C:\WINDOWS\system32\DRIVERS\el90xbc5.sys [2001-08-17 66591]
S3 FTDIBUS;USB Serial Converter Driver; C:\WINDOWS\system32\drivers\ftdibus.sys [2004-04-19 24209]
S3 FTSER2K;USB Serial Port Driver; C:\WINDOWS\system32\drivers\ftser2k.sys [2004-04-19 57404]
S3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2001-08-17 9600]
S3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\ialmnt5.sys [2004-08-20 737874]
S3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
S3 nm;Network Monitor Driver; C:\WINDOWS\system32\DRIVERS\NMnt.sys [2004-08-04 40320]
S3 NPF;NetGroup Packet Filter Driver; C:\WINDOWS\system32\drivers\npf.sys [2007-06-28 42512]
S3 ZD1211U(ZyDAS);ZyDAS ZD1211 IEEE 802.11b+g Wireless LAN Driver (USB)(ZyDAS); C:\WINDOWS\system32\DRIVERS\zd1211u.sys [2004-09-28 247296]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AVG Anti-Spyware Guard;AVG Anti-Spyware Guard; C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe [2008-08-04 312880]
S2 Avg7Alrt;AVG7 Alert Manager Server; C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe [2007-11-20 418816]
S2 Avg7UpdSvc;AVG7 Update Service; C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe [2007-01-26 49664]
S2 AVGEMS;AVG E-mail Scanner; C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe [2007-12-23 406528]
S2 crd;crd; C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IXP001.TMP\poststp.exe []
S2 Viewpoint Manager Service;Viewpoint Manager Service; C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe []
S3 rpcapd;Remote Packet Capture Protocol v.0 (experimental); C:\Program Files\WinPcap\rpcapd.exe [2007-06-28 92792]

-----------------EOF-----------------
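The RSIT/HijackThis entries above are normally read by eye. As an added example that is not part of this thread or of RSIT, HijackThis or DDS, the Python script below parses O4 (autorun) and O23 (service) lines and flags the properties a helper looks for first: a service whose registered binary is missing, an entry with no recorded owner, and a program launched from a temp or user-profile directory rather than from Program Files or the Windows directory. The sample lines are constructed from the log in this post; the flag wording, the path patterns and the function names are my own choices, and a flag is a prompt for a closer look, not a verdict.

```python
"""Triage helper for HijackThis-style O4 (autorun) and O23 (service) lines.

Added example, not part of the thread or of RSIT/HijackThis/DDS: it applies
the checks a helper makes by eye when reading these logs and flags entries
worth a closer look.  A flag is a prompt for review, not a verdict.
"""
import re

# Constructed sample, modelled on lines from the RSIT/HijackThis log above.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [IgfxTray] C:\\WINDOWS\\system32\\igfxtray.exe
O4 - HKLM\\..\\Run: [SunJavaUpdateSched] "C:\\Program Files\\Java\\jre1.6.0_05\\bin\\jusched.exe"
O4 - HKCU\\..\\Run: [AIM] C:\\Program Files\\AIM\\aim.exe -cnetwait.odl
O4 - Global Startup: Office Startup.lnk = C:\\Program Files\\Microsoft Office\\Office\\OSA.EXE
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\guard.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\\WINDOWS\\Microsoft.NET\\Framework\\v2.0.50727\\aspnet_state.exe (file missing)
O23 - Service: crd - Unknown owner - C:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\IXP001.TMP\\poststp.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\\Program Files\\WinPcap\\rpcapd.exe
"""

# O4 - <hive>\..\Run: [<value name>] <command line>
RUN_RE = re.compile(r"^O4 - (?P<hive>\S+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# O4 - Global Startup: <shortcut> = <target>
STARTUP_RE = re.compile(r"^O4 - Global Startup: (?P<name>.+?) = (?P<cmd>.+)$")
# O23 - Service: <display name> - <owner> - <path>[ (file missing)]
SERVICE_RE = re.compile(
    r"^O23 - Service: (?P<name>.+) - (?P<owner>[^-]+?) - "
    r"(?P<path>[A-Za-z]:\\.+?)(?P<missing> \(file missing\))?$"
)
# Split a command line into the executable (possibly quoted, may contain
# spaces) and its arguments.
EXE_RE = re.compile(
    r'^"?(?P<path>[^"]*?\.(?:exe|com|scr|pif|bat|cmd|dll|vbs|js))"?(?P<args>.*)$',
    re.IGNORECASE,
)
# Path patterns treated as unusual homes for an autostart or a service binary.
TEMP_RE = re.compile(r"\\temp\\|%temp%", re.IGNORECASE)
PROFILE_RE = re.compile(r"\\docume~1\\|\\documents and settings\\|\\users\\", re.IGNORECASE)


def parse_line(line):
    """Return a dict for an O4/O23 line, or None for any other line type."""
    m = RUN_RE.match(line) or STARTUP_RE.match(line)
    if m:
        exe = EXE_RE.match(m.group("cmd"))
        if not exe:
            return None
        return {"kind": "autorun", "name": m.group("name"),
                "path": exe.group("path"), "args": exe.group("args").strip(),
                "owner": None, "missing": False}
    m = SERVICE_RE.match(line)
    if m:
        return {"kind": "service", "name": m.group("name"),
                "path": m.group("path"), "args": "",
                "owner": m.group("owner"), "missing": m.group("missing") is not None}
    return None


def assess(entry):
    """List the reasons an entry deserves a closer look (empty if none)."""
    reasons = []
    if entry["missing"]:
        reasons.append("registered binary is missing from disk")
    if entry["owner"] is not None and entry["owner"].lower() == "unknown owner":
        reasons.append("no vendor/owner recorded")
    if TEMP_RE.search(entry["path"]):
        reasons.append("runs from a temp directory")
    elif PROFILE_RE.search(entry["path"]):
        reasons.append("runs from a user profile path")
    return reasons


def triage(log_text):
    """Parse every O4/O23 line and return the entries that raised a flag."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_line(line.strip())
        if entry is None:
            continue
        entry["reasons"] = assess(entry)
        if entry["reasons"]:
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"[{e['kind']}] {e['name']}: {e['path']}")
        for r in e["reasons"]:
            print(f"    - {r}")
```

Run against the sample, the script leaves the vendor-owned entries alone and reports two services: the ASP.NET state service (missing binary, no owner) and the `crd` service, which collects all three flags because it is registered from an IXP001.TMP folder under the user's Temp directory. The point of the script is to surface those two for a human to check against the machine, not to decide on its own what they are.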




#2 KoanYorel

KoanYorel

    Bleepin' Conundrum


  • Members
  • 19,461 posts
  • OFFLINE
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA
  • Local time:02:20 PM

Posted 14 December 2008 - 05:37 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

Upon completing the steps below a staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed; the scan is running.
  • Notepad will open with the results, click no to the Optional_Scan
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. Information on A/V control HERE

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#3 thatguy418

thatguy418
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:02:20 PM

Posted 19 December 2008 - 05:21 PM

My laptop is so messed up I can't even get AVG to respond when trying to disengage its protection. I had to run the DDS program with AVG turned on. Very few things on that computer will respond when clicked/double-clicked. Below is a pasted copy of my DDS.txt.

Thank you for any help you can give. The prior owner gave this laptop away because it kept "crashing" a little while after it would get "fixed". The IT guy couldn't figure out the problem. They told me if I don't put too many things on this it should run fine. Not sure what I put on it that messed it up, or if it is something lingering from the prior person, but if you can help that would be awesome.


DDS (Version 1.0.1) - NTFSx86
Run by Administrator at 16:31:16.59 on Fri 12/19/2008
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.5.0_12
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.254.67 [GMT -5:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\dwwin.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Spybot\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
E:\dds per bleeping computer for laptop.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.wral.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = iexplore
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - c:\program files\aol search\AOLSearch.dll
uURLSearchHooks: {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
mURLSearchHooks: {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
dURLSearchHooks: {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
BHO: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot\spybot - search & destroy\SDHelper.dll
BHO: {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - c:\program files\aol search\AOLSearch.dll
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
BHO: {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
TB: {DE9C389F-3316-41A7-809B-AA305ED9D922} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
TB: {DE9C389F-3316-41A7-809B-AA305ED9D922} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
uRun: [AIM] c:\program files\aim\aim.exe -cnetwait.odl
uRun: [SpybotSD TeaTimer] c:\program files\spybot\spybot - search & destroy\TeaTimer.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [AVG7_CC] c:\progra~1\grisoft\avgfre~1\avgcc.exe /STARTUP
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_05\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
dRun: [AVG7_Run] c:\progra~1\grisoft\avgfre~1\avgw.exe /RUNONCE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\FINDFAST.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\office~1.lnk - c:\program files\microsoft office\office\OSA.EXE
IE: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-us\local\search.html
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {3369AF0D-62E9-4bda-8103-B4C75499B578} - {DE9C389F-3316-41A7-809B-AA305ED9D922} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot\spybot - search & destroy\SDHelper.dll
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Notify: igfxcui - igfxsrvc.dll
SEH: {57B86673-276A-48B2-BAE7-C6DBB3020EB8} - c:\program files\grisoft\avg anti-spyware 7.5\shellexecutehook.dll

============= SERVICES / DRIVERS ===============

R1 AVG Anti-Spyware Driver;AVG Anti-Spyware Driver;\??\c:\program files\grisoft\avg anti-spyware 7.5\guard.sys [2006-9-28 11000]
R1 Avg7Core;AVG7 Kernel;c:\windows\system32\drivers\avg7core.sys [2007-1-26 821856]
R1 Avg7RsW;AVG7 Wrap Driver;c:\windows\system32\drivers\avg7rsw.sys [2007-1-26 4224]
R1 Avg7RsXP;AVG7 Resident Driver XP;c:\windows\system32\drivers\avg7rsxp.sys [2007-1-26 27776]
R1 AvgAsCln;AVG Anti-Spyware Clean Driver;c:\windows\system32\drivers\AvgAsCln.sys [2007-1-26 3968]
R1 AvgClean;AVG7 Clean Driver;c:\windows\system32\drivers\avgclean.sys [2007-1-26 10760]
R2 aawservice;Lavasoft Ad-Aware Service;"c:\program files\lavasoft\ad-aware\aawservice.exe" [2008-9-10 611664]
R2 AVG Anti-Spyware Guard;AVG Anti-Spyware Guard;c:\program files\grisoft\avg anti-spyware 7.5\guard.exe [2006-9-28 312880]
R2 Avg7Alrt;AVG7 Alert Manager Server;c:\progra~1\grisoft\avgfre~1\avgamsvr.exe [2007-1-26 418816]
R2 Avg7UpdSvc;AVG7 Update Service;c:\progra~1\grisoft\avgfre~1\avgupsvc.exe [2007-1-26 49664]
R2 AVGEMS;AVG E-mail Scanner;c:\progra~1\grisoft\avgfre~1\avgemc.exe [2007-1-26 406528]
R2 AvgTdi;AVG Network Redirector;c:\windows\system32\drivers\avgtdi.sys [2007-1-26 4960]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\viewpoint\common\ViewpointService.exe" [2007-12-27 24652]
S2 crd;crd;c:\docume~1\admini~1\locals~1\temp\ixp001.tmp\poststp.exe []
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-6-28 42512]

=============== Created Last 30 ================


==================== Find3M ====================

2007-11-20 11:24 0 a------- c:\documents and settings\administrator\ethereal-setup-0.99.0.exe

============= FINISH: 16:31:38.18 ===============




#4 Yourhighness

Yourhighness

    The BSG Malware Fighter


  • Malware Response Team
  • 7,943 posts
  • OFFLINE
  • Gender:Male
  • Location:Hamburg
  • Local time:07:20 PM

Posted 20 December 2008 - 02:23 AM

Hello thatguy418 and welcome to BleepingComputer!

Please note that comments are made in green, links are in red, important things are outlined by using the blue color and the numbered steps I would like you to follow are outlined with orange.

Please also take note of the following:
  • I will start working on your Malware issues, this may or may not, solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine
  • The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
Step #1

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 11...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u11-windows-i586-p.exe to install the newest version.
Step #2

Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This changed from what we knew in 2006; read this article: http://www.clickz.com/news/article.php/3561546

I suggest you remove the program now. Click on start > run > and then paste the following into the "open" field: appwiz.cpl and press OK. From within Add or Remove Programs uninstall the following if they exist: Viewpoint, Viewpoint Manager, Viewpoint Media Player.

Step #3

I see you got Malwarebytes Antimalware on your machine. Please start MBAM, then check for updates. Let updates install and run a scan. Please post back with that Log. Thanks!

"How did I get infected?" - "Safe-hex" - Member of UNITE -


#5 thatguy418 (Topic Starter)

Posted 20 December 2008 - 07:58 PM

Thank you for your response and direction. I removed all you told me to remove and followed all instructions except those that required internet access. My computer will not allow me to access the internet. So I could not install the new Java applet. I loaded it to a thumb drive and tried to install from it and copied it from the thumb drive to the desktop; neither would run. Also went into safe mode and tried. No luck. Couldn't update MBAM due to the internet issue either. I ran the MBAM scan again and the log is pasted below.

Malwarebytes' Anti-Malware 1.30
Database version: 1410
Windows 5.1.2600 Service Pack 2

12/20/2008 7:53:25 PM
mbam-log-2008-12-20 (19-53-25).txt

Scan type: Full Scan (C:\|)
Objects scanned: 57924
Time elapsed: 24 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#6 Yourhighness (Malware Response Team)

Posted 21 December 2008 - 01:06 PM

Hi thatguy418,

Let's try what's suggested here: http://www.bleepingcomputer.com/combofix/how-to-use-combofix#restore and get the Internet connection back. Then try this:

Please do a scan with Kaspersky Online Scanner (you need to use Internet Explorer or enable IEView in Firefox)
Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Thanks!

"How did I get infected?" - "Safe-hex" - Member of UNITE -


#7 thatguy418 (Topic Starter)

Posted 21 December 2008 - 06:06 PM

I posted that I couldn't access the internet and therefore couldn't get Windows Restore (don't have the XP Pro disc either). I deleted that message by means of edit to post this. Then I clicked to open a file from my thumb drive on the laptop and all of a sudden the laptop was responding faster. Still can't access IE by the icon, but if I open a program that can check for updates, it gets out to the net. I dragged the Windows Boot icon on top of the ComboFix icon and the program went like a charm. However, not sure how I can access Kaspersky since I can't seem to get an IE window. I'll keep trying though. For now here is the ComboFix log.

By the way, I did load Firefox to a thumb drive and install it on the laptop. All processed fine, except a browser still won't open.

Thank you for all help given thus far and that yet to come.


Thatguy418

ComboFix 08-12-20.05 - Administrator 2008-12-21 18:14:04.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.254.109 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-11-21 to 2008-12-21 )))))))))))))))))))))))))))))))
.

2008-12-21 18:12 . 2008-12-21 18:12 388,608 --a------ c:\windows\system32\CF31506.exe
2008-12-21 15:58 . 2008-12-21 15:58 <DIR> d-------- c:\windows\LastGood
2008-11-30 17:05 . 2008-11-30 17:05 <DIR> d-------- c:\program files\Lavasoft
2008-11-30 17:05 . 2008-11-30 17:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-11-30 16:47 . 2008-11-30 16:47 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-11-30 15:42 . 2008-11-30 15:42 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-30 15:42 . 2008-11-30 15:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-30 15:42 . 2008-11-30 15:42 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2008-11-30 15:42 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-30 15:42 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-30 15:07 . 2008-11-30 15:09 <DIR> d-------- c:\program files\RegistryFix7
2008-11-30 14:54 . 2008-11-30 14:54 <DIR> d-------- c:\program files\IObit
2008-11-30 14:54 . 2008-11-30 14:54 <DIR> d-------- c:\documents and settings\Administrator\Application Data\IObit
2008-11-30 10:51 . 2008-11-30 10:51 <DIR> d-------- C:\rsit
2008-11-30 10:12 . 2008-11-30 10:12 <DIR> d-------- c:\program files\Trend Micro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-20 21:41 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2008-11-08 01:01 --------- d-----w c:\documents and settings\All Users\Application Data\{51019853-129C-4EDE-9030-D5FD7BBD9AD0}
2008-11-02 14:25 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-02 14:23 --------- d-----w c:\program files\Google
2008-11-02 01:41 --------- d-----w c:\documents and settings\Administrator\Application Data\AVG7
2008-11-02 01:07 --------- d-----w c:\program files\Spybot
2008-11-01 21:09 --------- d-----w c:\documents and settings\All Users\Application Data\WinZip
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2007-11-20 16:24 0 ----a-w c:\documents and settings\Administrator\ethereal-setup-0.99.0.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-08-20 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-08-20 118784]
"AVG7_CC"="c:\progra~1\Grisoft\AVGFRE~1\avgcc.exe" [2008-11-01 590848]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 39792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="c:\progra~1\Grisoft\AVGFRE~1\avgw.exe" [2007-11-20 219136]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Find Fast.lnk - c:\program files\Microsoft Office\Office\FINDFAST.EXE [1997-07-11 122880]
Office Startup.lnk - c:\program files\Microsoft Office\Office\OSA.EXE [1997-07-11 61440]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"=
"c:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"=
"c:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe"=
"c:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"43594:TCP"= 43594:TCP:kingstest.no-ip.biz

S2 crd;crd;c:\docume~1\ADMINI~1\LOCALS~1\Temp\IXP001.TMP\poststp.exe []
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-06-28 42512]

*Newly Created Service* - PROCEXP90
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.wral.com/
uInternet Connection Wizard,ShellNext = iexplore
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-21 18:16:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-12-21 18:17:47
ComboFix-quarantined-files.txt 2008-12-21 23:17:20

Pre-Run: 15,309,332,480 bytes free
Post-Run: 15,316,021,248 bytes free

95 --- E O F --- 2008-11-09 17:23:05

Edited by thatguy418, 21 December 2008 - 06:47 PM.
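As an added example (not code from anyone in this thread), here is the kind of first-pass review a helper does on the "Reg Loading Points" section of a ComboFix log like the one above. The script parses the Run keys, the firewall AuthorizedApplications and GloballyOpenPorts lists, and the S2/S3 service lines, then applies a few review heuristics: a service whose binary runs from a Temp directory, a service for which ComboFix printed no date/size, a firewall exception for a Windows system utility, and an open-port rule named like a hostname. Its sample input is an excerpt of the log posted above; the heuristics, the regexes and the function names are this example's own assumptions, and a finding is something to check, not a verdict of infection.

```python
"""Triage helper for the "Reg Loading Points" section of a ComboFix log.

Added example (not a ComboFix feature): parses Run keys, firewall
exceptions, globally open ports and service (S2/S3) lines and flags the
entries a helper would look at first. Heuristics are illustrative only.
"""
import re
from dataclasses import dataclass

# Sample input: lines taken from the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-08-20 155648]
"AVG7_CC"="c:\progra~1\Grisoft\AVGFRE~1\avgcc.exe" [2008-11-01 590848]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"43594:TCP"= 43594:TCP:kingstest.no-ip.biz

S2 crd;crd;c:\docume~1\ADMINI~1\LOCALS~1\Temp\IXP001.TMP\poststp.exe []
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-06-28 42512]
"""

# "S2 name;display name;path [date size]": start type, name, display, path, metadata
SERVICE_RE = re.compile(r"^([SR][0-4])\s+([^;]+);([^;]*);(.*?)\s*\[([^\]]*)\]\s*$")
RUN_RE = re.compile(r'^"([^"]+)"="([^"]+)"\s*\[([^\]]*)\]\s*$')
FW_APP_RE = re.compile(r'^"([^"]+)"=\s*$')
FW_PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"=\s*\d+:(?:TCP|UDP):(.*)$')
HOST_RE = re.compile(r"[a-z0-9-]+(\.[a-z0-9-]+)+")  # looks like a DNS name


@dataclass
class Finding:
    kind: str    # "service", "firewall-app" or "firewall-port"
    item: str    # the entry the finding is about
    reason: str  # why a helper would look at it


def parse_log(text):
    """Return run entries, firewall exceptions, open ports and services found in the log."""
    section = ""
    parsed = {"run_entries": [], "fw_apps": [], "fw_ports": [], "services": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line.lower()  # registry key the following lines belong to
            continue
        m = SERVICE_RE.match(line)
        if m:
            parsed["services"].append({"start": m.group(1), "name": m.group(2),
                                       "display": m.group(3), "path": m.group(4),
                                       "meta": m.group(5).strip()})
            continue
        if section.endswith("\\run]") and (m := RUN_RE.match(line)):
            parsed["run_entries"].append((m.group(1), m.group(2), m.group(3)))
        elif "authorizedapplications" in section and (m := FW_APP_RE.match(line)):
            # ComboFix prints these paths with doubled backslashes; normalise them
            parsed["fw_apps"].append(m.group(1).replace("\\\\", "\\"))
        elif "globallyopenports" in section and (m := FW_PORT_RE.match(line)):
            parsed["fw_ports"].append((m.group(1), m.group(2), m.group(3).strip()))
    return parsed


def triage(parsed):
    """Apply simple review heuristics; each Finding is something to check, not a verdict."""
    findings = []
    for svc in parsed["services"]:
        low = svc["path"].lower()
        if "\\temp\\" in low or "\\tmp\\" in low:
            findings.append(Finding("service", svc["name"],
                                    "service binary runs from a temporary directory: " + svc["path"]))
        if not svc["meta"]:
            findings.append(Finding("service", svc["name"],
                                    "ComboFix recorded no date/size for the binary"))
    for app in parsed["fw_apps"]:
        if "\\system32\\" in app.lower():
            findings.append(Finding("firewall-app", app,
                                    "inbound exception for a Windows system utility; confirm who added it"))
    for port, proto, name in parsed["fw_ports"]:
        if HOST_RE.fullmatch(name.lower()):
            findings.append(Finding("firewall-port", f"{port}/{proto}",
                                    f"globally open port whose rule is named like a host ({name}); "
                                    "find the program that opened it"))
    return findings


def report(text):
    """Human-readable summary, one line per finding, for pasting into a reply."""
    parsed = parse_log(text)
    lines = [f"run entries: {len(parsed['run_entries'])}, "
             f"firewall exceptions: {len(parsed['fw_apps'])}, "
             f"open ports: {len(parsed['fw_ports'])}, services: {len(parsed['services'])}"]
    for f in triage(parsed):
        lines.append(f"[{f.kind}] {f.item}: {f.reason}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Run it as-is and it summarises the excerpt and lists four items to check; to use it on a full log, pass the file's text to report() instead of SAMPLE_LOG. The service heuristics are the ones that pick out the crd entry, which is the service the helper removes in the next reply.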


#8 Yourhighness (Malware Response Team)

Posted 23 December 2008 - 07:24 AM

Hi thatguy418,

Step #1

Please copy and paste the following text into Notepad:

rem stop the "crd" service, then remove its registration
sc stop crd
sc delete crd
rem remove this batch file itself once it has run
del services.bat

Save this as "services.bat" (choose "All Files" as the file type) and place it on your Desktop.
Double-click services.bat. Soon it should disappear from your Desktop; this is fine.

Step #2

* Clean your Cache and Cookies in Internet Explorer:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Click the "Delete Cookies" button
  • Next to it, Click the "Delete Files" button
  • When prompted, place a check in: "Delete all offline content", click OK
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu on the left side of the Options window.
  • Click the Clear button located to the right of each option (History, Cookies, Cache).
  • Click OK to close the Options window
    Alternatively, you can clear all information stored while browsing by clicking Clear All.
    A confirmation dialog box will be shown before clearing the information.
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
I'll double check regarding your above described behaviour and will revert with more stuff as soon as possible. Thanks!

"How did I get infected?" - "Safe-hex" - Member of UNITE -


#9 thatguy418 (Topic Starter)

Posted 27 December 2008 - 10:38 AM

I ran the services.bat file as instructed. It seemed to work as the icon disappeared as you said it would.

Since I can not pull up an IE window nor Control Panel, I opened IE Properties via control inetcpl.cpl in RUN. I have to use RUN to get anywhere practically on the pc (so when directing me, if you know the command for RUN to get to what you ask, please include it in the instructions; otherwise I can always search for the prompt online on another computer). In the IE properties, every time I clicked delete cookies or temporary files, the properties went to Not Responding. After multiple attempts (and reboots) I moved to the next step and typed cleanmgr in my RUN box. Nothing happened.

If you have more ideas or suggestions, please let me know. I am happy to keep trying. My fear is if I reinstall Windows, the computer will continue to freak out periodically since that is the history. Apparently a reinstall doesn't necessarily clean the computer???

Thank you for all the time and suggestions offered thus far.

Thatguy418

#10 Yourhighness (Malware Response Team)

Posted 27 December 2008 - 04:39 PM

Hi Thatguy418,

Just reinstalling Windows is not enough. That's correct. You will always need to format the drives to be sure all infections have disappeared.
Could you please try the following to see if you can then perform an Onlinescan as suggested above:

Please follow this guide on Dial-A-Fix and let me know if your problem still persists.

If that won't work, could you also run this please:

Download AVG Anti-Rootkit and save to your desktop
  • Double click avgarkt-setup-1.1.0.42.exe to begin installation.
  • Click Next to select the Normal interface.
  • Accept the license and follow the prompts to install. (By default it will install to C:\Program Files\GRISOFT\AVG Anti-Rootkit)
  • You will be asked to reboot to finish the installation so click "Finish".
  • After rebooting, double-click the icon for AVG Anti-Rootkit on your desktop.
  • You will see a window with three buttons at the bottom.
  • Click "Search For Rootkits" and the scan will begin.
  • You will see the progress bar moving from left to right. The scan will take some time, so be patient and let it finish.
  • When the scan has finished, if anything was found, click "Remove selected items"
  • If nothing is found, a message will appear "Congratulations! There were no installed rootkits found on your computer."
  • Click close, then select "Perform in-depth Search".
  • When the scan has finished, if anything is found, click "Remove selected items"
  • Again, if nothing was found, you will see the message "Congratulations! There were no installed rootkits found on your computer."
  • Exit AVG ARK.
Note: Close all open windows, programs, and DO NOT USE the computer while scanning. If the scan is performed while the computer is in use, false positives may appear in the scan results. This is caused by files or registry entries being deleted automatically.

Thanks!

"How did I get infected?" - "Safe-hex" - Member of UNITE -


#11 thatguy418 (Topic Starter)

Posted 28 December 2008 - 04:10 PM

I ran the Dial a Fix (a couple of times as it quit responding). All items ran fine except the Object Linking Libraries. I tried three or four times and it gets to Registering msdaer.dll and stops responding.

I went on and ran the AVG Anti-Rootkit as directed and both scans came back as no installed rootkits found.

I await your next suggestion when possible.

Thank you,

Thatguy418

#12 Yourhighness (Malware Response Team)

Posted 29 December 2008 - 05:04 PM

Hi Thatguy418,

Strange problem. Let me check on that before we continue. How is the pc running in general?

Thanks.

"How did I get infected?" - "Safe-hex" - Member of UNITE -


#13 thatguy418 (Topic Starter)

Posted 30 December 2008 - 11:48 PM

Strange (and frustrating) indeed.

The laptop doesn't run well at all. I can play Spider Solitaire, go to Run and access many things from there, but can hardly access any programs via their link on the desktop or in the Start panel. Can't access internet windows at all, but my antivirus was able to update, so somehow internet access can be obtained, just not visibly.

Task Manager showed CPU usage at 100%, so I researched a fix for that as I had no programs visibly running and didn't know what was making it run so high. Saw a thread where users deleted an AVI file from Registry Editor. I did it and it seems to be helping the CPU usage. However, when I tried to run the Dial a Fix, it shot up to 100% again until I ended the program.

I can't function much better, if at all, in safe mode either.

Feel free to ask more if it helps isolate issues. Any program that you suggest that can be put on a thumb drive from one computer and saved to the laptop, I am happy to try.

Thank you for your time and input.

#14 Yourhighness (Malware Response Team)

Posted 31 December 2008 - 02:45 AM

Hi thatguy418,

One reason for your high memory usage is that you only have 256 MB of RAM altogether. Windows XP itself would need 128 MB to run without any problems (that's half your capacity), but a 512 MB minimum has been referred to as the optimum minimum memory. As for the other stuff, let's try one thing: please follow this guide to run sfc /scannow.

Whilst you are doing this, I am having at least one more pair of eyes look at your descriptions, as I am more knowledgeable about malware than about hardware/software stuff like this. Should we not get this done here, I suggest you look at our software and hardware sub-forums. We have great helpers there too :).

Thanks.

"How did I get infected?" - "Safe-hex" - Member of UNITE -


#15 Farbar (Security Developer)

Posted 31 December 2008 - 08:22 AM

Edited: Posted to the wrong topic.

Edited by farbar, 31 December 2008 - 09:07 AM.




