regcmdcons


  • This topic is locked
30 replies to this topic

#1 Barbaraeh

  • Members
  • 15 posts

Posted 26 September 2012 - 05:34 PM

In going through my PC's Startup and doing a search on each entry to see if it truly needs to be in Startup, I got disturbing results for "regcmdcons". It seems to indicate that my PC may have some malware or virus. I got through step 6 of your prep guide and just wanted some confirmation that this does mean that there is some malware on my PC and that I should continue through the remainder of the steps.

I just had to do a full system recovery last week and am in the process of re-installing programs prior to restoring files from Carbonite. The full system recovery seemed to be the result of installing a new all-in-one Epson printer last Thursday. Got it set up and installed, it printed a couple of files just fine and I shut the PC down for the night. It wouldn't boot up the next morning -- it just kept cycling back to the beginning of the bootup process. Spent about 1 1/2 hours on the phone with HP/Compaq and ended up doing the full recovery. Don't know if this is related to the regcmdcons issue or not.

Thank you.

#2 jntkwx

  • Malware Response Team
  • 4,339 posts

Posted 30 September 2012 - 02:22 PM

Hi Barbaraeh,

:welcome: to Bleeping Computer.

My name is Jason and I'll be helping you with your computer problems. You can call me by my screen name jntkwx, or Jason is fine.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put logs in code or quote boxes (unless explicitly asked to)
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can also help.
  • Do not run anything while running a fix.
  • If you don't understand a step, please ask for clarification before continuing with any future steps.

Click on the Watch Topic button, select Immediate Notification and click Proceed; this will help you get notified faster when I have replied and make the cleaning process faster.

Note to others: The instructions here are intended for the person who began this topic. If you need help, please create your own topic in the appropriate forum.

 


Without looking at any log files, it is difficult to say whether regcmdcons is legitimate or indicating a virus. This is because without the logs, there's no way to tell what regcmdcons is referring to. Please go ahead and continue following the remainder of the steps, and I'd be happy to help you remove any viruses.
Regards,
Jason

 

Simple and easy ways to keep your computer safe and secure on the Internet

If I am helping you and have not returned in 48 hours, please feel free to send me a PM with a link to the topic.
My help is free... however, if you wish to show appreciation and support me personally fighting against malware, please consider a donation.


#3 Barbaraeh

  • Topic Starter
  • Members
  • 15 posts

Posted 01 October 2012 - 05:34 PM

Jason,

Thank you for your response -- I'll get back to you as soon as I can get to the next steps.

#4 jntkwx

  • Malware Response Team
  • 4,339 posts

Posted 02 October 2012 - 12:11 PM

Sounds good. Reply when you can. :thumbup2:
Regards,
Jason

 



#5 Barbaraeh

  • Topic Starter
  • Members
  • 15 posts

Posted 03 October 2012 - 04:43 PM

Jason,

The DDS file I created appears below but I don't see how to attach the Attach.zip file...

Other issues with my pc (beyond the installation of the new printer described in my initial message which appeared to have started this whole string of stuff):

1. Had to do a 2nd system restore last week and have just gotten through reinstalling programs, etc. Once again, I went to the Startup Manager in Norton 360 and checked all the files listed by searching on the web. Found the following (that weren't there after the 1st system restore(??)) and that appear to indicate malware of some sort: TkBellEXE, lgfxTray, FUFAXRCN, DPLTarget\P0000000000000000.

2. Each time I boot up the pc now (since the 2nd system restore), I get an error message: "Error occurred copying ntdetect.com to C:/ntdetect.com. Access denied." It provides options to retry, exit setup and a 3rd option for advanced users -- I've been choosing "exit setup" and the pc seems to work fine. I do not have a Windows XP cd as it came installed on the pc. I did run SFC /scannow and got no indication of any problems with the Windows files.

3. I have always worked on this PC as user "Compaq Owner" which is an administrator. I've been told that I shouldn't be doing that (I've now added a password to it). I did set up another user but I can't get many of my programs to open when in that user. However, my Corel PhotoPaint will open under the 2nd user but not under "Compaq Owner". Obviously, I don't quite understand the different users and the need to have them.

If you can give me some idea of how to send you the Attach.zip file, I will do so.

Thank you.
*****************************************************************************************************************

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Compaq_Owner at 17:11:30 on 2012-10-03
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1023.229 [GMT -4:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe
C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
C:\Program Files\EPSON\EpsonCustomerParticipation\EPCP.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton 360\Norton 360\Engine\3.8.3.6\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\hp\bin\cloaker.exe
C:\Program Files\Epson Software\Event Manager\EEventManager.exe
c:\hp\bin\cloaker.exe
c:\windows\i386\winnt32.exe
C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_TATIH3A.EXE
C:\Documents and Settings\All Users\Application Data\Norton\NUA.exe
C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Norton 360\Norton 360\Engine\3.8.3.6\ccSvcHst.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.att.net/
uSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=presario&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop
uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\norton 360\engine\3.8.3.6\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360\norton 360\engine\3.8.3.6\IPSBHO.DLL
BHO: CNisExtBho Class: {9ecb9560-04f9-4bbc-943d-298ddf1699e1} - c:\program files\common files\symantec shared\adblocking\NISShExt.dll
BHO: CNavExtBho Class: {bdf3e430-b101-42ad-a544-fadc6b084872} - c:\program files\norton antivirus\NavShExt.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\norton 360\engine\3.8.3.6\coIEPlg.dll
TB: Norton AntiVirus: {42cdd1bf-3ffb-4238-8ad1-7859df00b1d6} - c:\program files\norton antivirus\NavShExt.dll
uRun: [EPLTarget\P0000000000000000] c:\windows\system32\spool\drivers\w32x86\3\e_tatih3a.exe /ept "epltarget\P0000000000000000" /M "WP-4530 Series"
uRun: [NortonUpdateAgent] c:\documents and settings\all users\application data\norton\NUA.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [VTTimer] VTTimer.exe
mRun: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [PS2] c:\windows\system32\ps2.exe
mRun: [AlcxMonitor] ALCXMNTR.EXE
mRun: [regcmdcons] c:\hp\bin\cloaker.exe c:\hp\bin\cmdcons.cmd
mRun: [EEventManager] "c:\program files\epson software\event manager\EEventManager.exe"
mRun: [Carbonite Backup] c:\program files\carbonite\carbonite backup\CarboniteUI.exe
StartupFolder: c:\docume~1\compaq~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\FINDFAST.EXE
StartupFolder: c:\docume~1\compaq~1\startm~1\programs\startup\office~1.lnk - c:\program files\microsoft office\office\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\compaq~1.lnk - c:\program files\compaq connections\6750491\program\Compaq Connections.exe
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{FE35135E-6A14-4668-BA45-6F2B1D3A9148} : DhcpNameServer = 192.168.0.1
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton 360\norton 360\engine\3.8.3.6\CoIEPlg.dll
Notify: igfxcui - igfxsrvc.dll
.
============= SERVICES / DRIVERS ===============
.
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0308030.006\SymEFA.sys [2012-10-2 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\n360\0308030.006\BHDrvx86.sys [2012-10-2 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0308030.006\cchpx86.sys [2012-10-2 467592]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20121002.001\IDSXpx86.sys [2012-10-3 373728]
R2 ABBYY.Licensing.FineReader.Sprint.9.0;ABBYY FineReader 9.0 Sprint Licensing Service;c:\program files\common files\abbyy\finereadersprint\9.00\licensing\NetworkLicenseServer.exe [2009-5-14 759048]
R2 EpsonCustomerParticipation;EpsonCustomerParticipation;c:\program files\epson\epsoncustomerparticipation\EPCP.exe [2011-6-9 521600]
R2 N360;Norton 360;c:\program files\norton 360\norton 360\engine\3.8.3.6\ccSvcHst.exe [2012-10-2 117648]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2012-10-2 106656]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20121003.002\naveng.sys [2012-10-3 92704]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20121003.002\navex15.sys [2012-10-3 1601184]
.
=============== Created Last 30 ================
.
2012-10-03 21:11:00 -------- d-----w- c:\program files\DDS for malware removal
2012-10-03 21:05:02 -------- d-----w- c:\program files\Defogger
2012-10-03 17:00:18 116224 -c--a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2012-10-03 17:00:14 23040 -c--a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2012-10-03 17:00:10 17408 -c--a-w- c:\windows\system32\dllcache\xrxscnui.dll
2012-10-03 17:00:06 27648 -c--a-w- c:\windows\system32\dllcache\xrxftplt.exe
2012-10-03 17:00:02 4608 -c--a-w- c:\windows\system32\dllcache\xrxflnch.exe
2012-10-03 16:59:50 99865 -c--a-w- c:\windows\system32\dllcache\xlog.exe
2012-10-03 16:59:45 16970 -c--a-w- c:\windows\system32\dllcache\xem336n5.sys
2012-10-03 16:59:43 19455 -c--a-w- c:\windows\system32\dllcache\wvchntxx.sys
2012-10-03 16:59:37 19328 -c--a-w- c:\windows\system32\dllcache\wstcodec.sys
2012-10-03 16:59:35 12063 -c--a-w- c:\windows\system32\dllcache\wsiintxx.sys
2012-10-03 16:59:33 8192 -c--a-w- c:\windows\system32\dllcache\wshirda.dll
2012-10-03 16:57:59 11935 -c--a-w- c:\windows\system32\dllcache\wadv11nt.sys
2012-10-03 16:56:57 113762 -c--a-w- c:\windows\system32\dllcache\usrpda.sys
2012-10-03 16:55:57 50176 -c--a-w- c:\windows\system32\dllcache\umaxp60.dll
2012-10-03 16:54:56 31744 -c--a-w- c:\windows\system32\dllcache\tp4.dll
2012-10-03 16:53:57 172768 -c--a-w- c:\windows\system32\dllcache\t2r4disp.dll
2012-10-03 16:52:59 16896 -c--a-w- c:\windows\system32\dllcache\stcusb.sys
2012-10-03 16:51:52 58368 -c--a-w- c:\windows\system32\dllcache\smiminib.sys
2012-10-03 16:50:59 94698 -c--a-w- c:\windows\system32\dllcache\sk98xwin.sys
2012-10-03 16:49:57 6912 -c--a-w- c:\windows\system32\dllcache\seaddsmc.sys
2012-10-03 16:48:57 41216 -c--a-w- c:\windows\system32\dllcache\s3mt3d.sys
2012-10-03 16:47:57 13776 -c--a-w- c:\windows\system32\dllcache\recagent.sys
2012-10-03 16:46:58 128286 -c--a-w- c:\windows\system32\dllcache\ptserli.sys
2012-10-03 16:45:59 5504 -c--a-w- c:\windows\system32\dllcache\perc2hib.sys
2012-10-03 16:44:58 25088 -c--a-w- c:\windows\system32\dllcache\ovca.sys
2012-10-03 16:43:57 32840 -c--a-w- c:\windows\system32\dllcache\ngrpci.sys
2012-10-03 16:42:58 19968 -c--a-w- c:\windows\system32\dllcache\mxicfg.dll
2012-10-03 16:41:59 6016 -c--a-w- c:\windows\system32\dllcache\msfsio.sys
2012-10-03 16:41:58 51328 -c--a-w- c:\windows\system32\dllcache\msdv.sys
2012-10-03 16:41:47 17280 -c--a-w- c:\windows\system32\dllcache\mraid35x.sys
2012-10-03 16:41:44 15360 -c--a-w- c:\windows\system32\dllcache\mpe.sys
2012-10-03 16:41:36 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys
2012-10-03 16:41:32 16128 -c--a-w- c:\windows\system32\dllcache\modemcsa.sys
2012-10-03 16:41:23 6528 -c--a-w- c:\windows\system32\dllcache\miniqic.sys
2012-10-03 16:41:16 320384 -c--a-w- c:\windows\system32\dllcache\mgaum.sys
2012-10-03 16:41:13 235648 -c--a-w- c:\windows\system32\dllcache\mgaud.dll
2012-10-03 16:41:12 26112 -c--a-w- c:\windows\system32\dllcache\memstpci.sys
2012-10-03 16:41:09 47616 -c--a-w- c:\windows\system32\dllcache\memgrp.dll
2012-10-03 16:41:06 8320 -c--a-w- c:\windows\system32\dllcache\memcard.sys
2012-10-03 16:41:02 164586 -c--a-w- c:\windows\system32\dllcache\mdgndis5.sys
2012-10-03 16:39:56 37376 -c--a-w- c:\windows\system32\dllcache\kousd.dll
2012-10-03 16:39:55 70656 -c--a-w- c:\windows\system32\dllcache\korwbrkr.dll
2012-10-03 16:39:51 242176 -c--a-w- c:\windows\system32\dllcache\kdsusd.dll
2012-10-03 16:39:48 45568 -c--a-w- c:\windows\system32\dllcache\kdsui.dll
2012-10-03 16:39:33 8192 -c--a-w- c:\windows\system32\dllcache\kbdkor.dll
2012-10-03 16:39:30 8704 -c--a-w- c:\windows\system32\dllcache\kbdjpn.dll
2012-10-03 16:39:25 14848 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2012-10-03 16:39:13 6144 -c--a-w- c:\windows\system32\dllcache\kbd106.dll
2012-10-03 16:39:10 5632 -c--a-w- c:\windows\system32\dllcache\kbd103.dll
2012-10-03 16:39:07 6144 -c--a-w- c:\windows\system32\dllcache\kbd101c.dll
2012-10-03 16:39:05 6144 -c--a-w- c:\windows\system32\dllcache\kbd101b.dll
2012-10-03 16:37:57 154496 -c--a-w- c:\windows\system32\dllcache\icam4usb.sys
2012-10-03 16:36:58 391199 -c--a-w- c:\windows\system32\dllcache\hsf_k56k.sys
2012-10-03 16:35:58 2688 -c--a-w- c:\windows\system32\dllcache\hidswvd.sys
2012-10-03 16:34:59 441728 -c--a-w- c:\windows\system32\dllcache\fpcmbase.sys
2012-10-03 16:33:58 37120 -c--a-w- c:\windows\system32\dllcache\es1370mp.sys
2012-10-03 16:32:56 20192 -c--a-w- c:\windows\system32\dllcache\dpti2o.sys
2012-10-03 16:31:59 256512 -c--a-w- c:\windows\system32\dllcache\devcon32.dll
2012-10-03 16:30:59 44032 -c--a-w- c:\windows\system32\dllcache\cnusd.dll
2012-10-03 16:29:45 18944 -c--a-w- c:\windows\system32\dllcache\bthusb.sys
2012-10-03 16:28:59 9472 -c--a-w- c:\windows\system32\dllcache\ativmdcd.sys
2012-10-03 16:27:59 747392 -c--a-w- c:\windows\system32\dllcache\adm8830.sys
2012-10-02 16:49:47 89976 ----a-w- c:\windows\system32\drivers\n360\0308030.006\symfw.sys
2012-10-02 16:49:47 48760 ----a-w- c:\windows\system32\drivers\n360\0308030.006\symndisv.sys
2012-10-02 16:49:47 43696 ----a-w- c:\windows\system32\drivers\n360\0308030.006\srtspx.sys
2012-10-02 16:49:47 36472 ----a-w- c:\windows\system32\drivers\n360\0308030.006\symndis.sys
2012-10-02 16:49:47 33144 ----a-w- c:\windows\system32\drivers\n360\0308030.006\symids.sys
2012-10-02 16:49:47 310320 ----a-w- c:\windows\system32\drivers\n360\0308030.006\SymEFA.sys
2012-10-02 16:49:47 308272 ----a-w- c:\windows\system32\drivers\n360\0308030.006\srtsp.sys
2012-10-02 16:49:47 217464 ----a-w- c:\windows\system32\drivers\n360\0308030.006\symtdi.sys
2012-10-02 16:49:46 467592 ----a-w- c:\windows\system32\drivers\n360\0308030.006\cchpx86.sys
2012-10-02 16:49:46 259632 ----a-w- c:\windows\system32\drivers\n360\0308030.006\BHDrvx86.sys
2012-10-02 16:49:17 -------- d-----w- c:\windows\system32\drivers\n360\0308030.006
2012-10-01 16:41:55 -------- d-----w- c:\program files\Carbonite
2012-10-01 16:41:55 -------- d-----w- c:\documents and settings\all users\application data\Carbonite
2012-09-28 20:52:13 36400 ----a-r- c:\windows\system32\drivers\SymIM.sys
2012-09-28 20:52:10 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2012-09-28 20:52:10 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2012-09-28 20:51:11 -------- d-----w- c:\windows\system32\drivers\N360
2012-09-28 20:39:36 -------- d-----w- c:\program files\Norton Removal Tool
2012-09-27 21:44:02 -------- d-----w- c:\windows\SendTo
2012-09-27 21:02:01 -------- d-----w- c:\documents and settings\compaq_owner\local settings\application data\ABBYY
2012-09-27 20:57:58 -------- d-----w- c:\program files\common files\ABBYY
2012-09-27 20:57:58 -------- d-----w- c:\program files\ABBYY FineReader 9.0 Sprint
2012-09-27 20:57:58 -------- d-----w- c:\documents and settings\all users\application data\ABBYY
2012-09-27 20:46:21 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2012-09-27 20:46:21 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2012-09-27 20:43:27 93696 ----a-w- c:\windows\system32\E_TLBH3A.DLL
2012-09-27 20:43:27 81408 ----a-w- c:\windows\system32\E_TD4BH3A.DLL
2012-09-27 20:42:31 342016 ----a-w- c:\windows\system32\eswiaud.dll
2012-09-27 20:42:31 132560 ----a-w- c:\windows\system32\esdevapp.exe
2012-09-27 20:42:31 12800 ----a-w- c:\windows\system32\escdev.dll
2012-09-27 15:48:50 26144 ----a-w- c:\windows\system32\spupdsvc.exe
2012-09-27 05:30:52 -------- dcsh--r- c:\windows\system32\dllcache
2012-09-27 03:32:24 -------- d-----w- C:\Corel PHOTO-PAINT9
2012-09-27 02:57:17 10368 ------w- c:\windows\system32\drivers\pfc.sys
2012-09-27 02:57:15 21060 ------w- c:\windows\system32\drivers\iviaspi.sys
2012-09-24 22:22:12 -------- d-----w- C:\CorelDRAW9
2012-09-24 14:17:23 16883056 ----a-w- c:\program files\internet explorer\ie8\IE8-WindowsXP-x86-ENU.exe
2012-09-24 14:13:07 -------- d-----w- c:\program files\New Folder
2012-09-21 00:50:45 -------- d-----w- c:\program files\common files\EPSON
2012-09-21 00:37:25 -------- d-----w- c:\program files\Epson America Inc
2012-09-21 00:33:08 -------- d-----w- c:\program files\Epson Software
2012-09-21 00:25:10 -------- d-----w- c:\documents and settings\all users\application data\EPSON
2012-09-21 00:23:15 -------- d-----w- c:\program files\epson
2012-09-13 21:24:59 -------- d-----w- c:\windows\Setup
2012-09-13 21:23:05 -------- d-----w- c:\program files\Corel
2012-09-13 15:21:08 -------- d-----w- c:\program files\HP2
2012-09-13 01:14:01 -------- d-----w- c:\program files\Microsoft
2012-09-13 01:13:51 -------- d-----w- c:\program files\MSN Toolbar
2012-09-13 01:11:51 -------- d-----w- c:\program files\Bing Bar Installer
.
==================== Find3M ====================
.
2012-09-28 23:43:30 26600 ----a-r- c:\windows\system32\drivers\GEARAspiWDM.sys
2012-09-28 23:43:29 107368 ----a-r- c:\windows\system32\GEARAspi.dll
2012-09-27 03:03:22 3649 ----a-w- c:\windows\viassary-hp.reg
.
============= FINISH: 17:13:26.79 ===============

#6 jntkwx

  • Malware Response Team
  • 4,339 posts

Posted 04 October 2012 - 12:06 PM

1. Had to do a 2nd system restore last week and have just gotten through reinstalling programs, etc. Once again, I went to the Startup Manager in Norton 360 and checked all the files listed by searching on the web. Found the following (that weren't there after the 1st system restore(??)) and that appear to indicate malware of some sort: TkBellEXE, lgfxTray, FUFAXRCN, DPLTarget\P0000000000000000.


After doing some research, none of these appear to be malware.

  • TkBell.exe - the Application Scheduler installed along with RealOne Player.
  • IgfxTray - Part of Intel's Common User Interface for chipsets with integrated graphics controllers - which allows user to change different driver properties through icon located near the clock.
  • FUFAXRCN - part of Epson PC-Fax Software
  • DPLTarget - the DDS log you posted shows this is associated with a printer driver, located at c:\windows\system32\spool\drivers\w32x86\3\e_tatih3a.exe

Also, in answer to your first question about regcmdcons, DDS shows this:
mRun: [regcmdcons] c:\hp\bin\cloaker.exe c:\hp\bin\cmdcons.cmd
Which means that these files will run when you log onto the computer. They are not malware but are associated with HP. The cloaker.exe file is used by HP and Compaq computers to hide the windows of programs passed as arguments to it (in this case, it's used to hide the window of cmdcons.cmd when it runs).

2. Each time I bootup the pc now (since the 2nd system restore), I get an error message: "Error occurred copying ntdetect.com to C:/ntdetect.com. Access denied." It provides options to retry, exit setup and a 3rd option for advanced users -- I've been choosing "exit setup" and the pc seems to work fine. I do not have a Windows XP cd as it came installed on the pc. I did run SFC /scannow and got no indication of any problems with the Windows files.

This error has been known to occur when a memory stick is in a card reader and the computer is attempting to boot from it. If you have any card reader or flash reader make sure that no memory stick is inside the computer. Additionally, disconnect all USB drives, cameras, iPods, iPhones, etc. from the computer when it is booting up. There are other possible explanations for this error, which we'll try to diagnose with aswMBR.

3. I have always worked on this PC as user "Compaq Owner" which is an administrator. I've been told that I shouldn't be doing that (I've now added a password to it). I did setup another user but I can't get many of my programs to open when in that user. However, my Corel PhotoPaint will open under the 2nd user but not under "Compaq Owner". Obviously, I don't quite understand the different users and the need to have them.


It's recommended to not always run as the administrator user. Non-administrator accounts are allowed to use the computer's existing software, but they don't have unlimited power over the computer like an Administrator does. A non-administrator account's inherent lack of power makes it MUCH more secure against viruses and spyware than using an administrator account. The key idea is to only use your Administrator account when you actually need Administrator-level powers, such as when adding new hardware & software. For instant messaging, email, Web browsing and other daily computer use, use your non-Administrator account.

However, as you've found out, when creating a new user, you don't always have access to some programs. This is because when the programs were first installed, the other user account that you recently added didn't exist, and so some install settings were setup only for the Compaq Owner account. Now that there's a new account, these settings haven't been changed. The fastest way to fix this is to reinstall the programs that currently don't open. When the install process for each of these programs asks which account you'd like them to access, you should be able to select an "all account" option (or something similar to that). You can also try the steps located here. The other option is to not use the other account you added.

If you can give me some idea of how to send you the Attach.zip file, I will do so.


Below where you type in your reply to this post, you should see a dark blue box with text that says Click To Attach Files. Go ahead and click on this button, and you'll be prompted to select a file. Browse for where the Attach.zip file is. Once you do that, you'll see the file show up as an attachment. Once you've typed your message, you can then click on the Add Reply button to post your reply, and it will include the attached file with your post.

 

aswMBR
Please download aswMBR to your desktop.
  • Double click the aswMBR.exe icon to run it
  • When prompted to update, click Yes.
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

Edited by jntkwx, 04 October 2012 - 12:08 PM.

Regards,
Jason

 

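The reading Jason gives of the regcmdcons line above (a launcher image first, the script it hides as the argument, and a machine-wide Run key because the prefix is "m") is the split one wants for every uRun/mRun line in a DDS report. The following is an added example, not part of this thread and not code from the DDS tool, in Python: it parses those lines into hive, value name, image path and arguments, and flags three patterns worth a second look: an image given without a path (resolved through the search path at logon), an image that merely launches whatever its arguments name (rundll32.exe, cloaker.exe and similar), and an image that lives in a directory a non-admin user can write to. The uRun/mRun mapping to HKCU and HKLM is DDS's own shorthand; the launcher list and the writable-directory heuristic are my choices, and the sample input is constructed from lines in the log posted above. Flags are prompts to look closer, not verdicts: NUA.exe is flagged only because of where it runs from.

```python
"""Triage the uRun/mRun lines of a DDS 'Pseudo HJT Report': split each entry into
hive, value name, image path and arguments, and flag patterns worth a second look."""
import re

# DDS prefixes: u = the current user's Run key, m = the machine-wide Run key.
HIVES = {
    "u": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    "m": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
}
RUN_LINE = re.compile(r"^([um])Run: \[(.+?)\] (.*)$")
EXE_EXT = (".exe", ".com", ".cmd", ".bat", ".scr", ".pif", ".dll")

# Images that execute whatever their arguments name; the payload is the argument,
# not the image. cloaker.exe is here because this thread shows it launching
# cmdcons.cmd. (Assumption: this list is my own choice, not a DDS convention.)
LAUNCHERS = {"rundll32.exe", "cloaker.exe", "cmd.exe", "wscript.exe", "cscript.exe",
             "regsvr32.exe", "mshta.exe", "explorer.exe"}
# Directories a non-admin user can write to on XP; an autostart living here is
# worth checking (heuristic, not a verdict).
USER_WRITABLE = ("\\documents and settings\\", "\\application data\\", "\\temp\\", "\\recycler\\")


def split_command(cmd):
    """Return (image, args). A quoted image is unambiguous. For an unquoted one,
    take the shortest whitespace-delimited prefix that ends in an executable
    extension, which mirrors how CreateProcess probes an unquoted path with spaces."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    tokens = cmd.split()
    for i in range(1, len(tokens) + 1):
        candidate = " ".join(tokens[:i])
        if candidate.lower().endswith(EXE_EXT):
            return candidate, " ".join(tokens[i:])
    return tokens[0], " ".join(tokens[1:])


def triage_run_entries(text):
    """Parse every uRun/mRun line in a DDS report into a dict with triage flags."""
    records = []
    for line in text.splitlines():
        m = RUN_LINE.match(line.strip())
        if not m:
            continue                      # StartupFolder, BHO, TB etc. are not handled here
        scope, name, cmd = m.groups()
        image, args = split_command(cmd)
        low = image.lower()
        basename = low.rsplit("\\", 1)[-1]
        flags = []
        if "\\" not in image:
            flags.append("no_path")       # bare name: found via the search path at logon
        if basename in LAUNCHERS:
            flags.append("launcher")      # look at the arguments, not the image
        if any(d in low for d in USER_WRITABLE):
            flags.append("user_writable_dir")
        records.append({"hive": HIVES[scope], "name": name, "image": image,
                        "args": args, "flags": flags})
    return records


# Constructed sample: lines copied from the DDS log posted earlier in this thread.
SAMPLE_DDS = r"""
uRun: [EPLTarget\P0000000000000000] c:\windows\system32\spool\drivers\w32x86\3\e_tatih3a.exe /ept "epltarget\P0000000000000000" /M "WP-4530 Series"
uRun: [NortonUpdateAgent] c:\documents and settings\all users\application data\norton\NUA.exe
mRun: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
mRun: [regcmdcons] c:\hp\bin\cloaker.exe c:\hp\bin\cmdcons.cmd
mRun: [EEventManager] "c:\program files\epson software\event manager\EEventManager.exe"
"""

if __name__ == "__main__":
    for r in triage_run_entries(SAMPLE_DDS):
        print("%-30s %s" % (r["name"], r["hive"]))
        print("    image: %s" % r["image"])
        if r["args"]:
            print("    args:  %s" % r["args"])
        if r["flags"]:
            print("    flags: %s" % ", ".join(r["flags"]))
```

Feed it the whole DDS.txt instead of the sample and work down the flagged entries first: for a "launcher" entry the file to verify is the one in the arguments (here c:\hp\bin\cmdcons.cmd), and for a "no_path" entry the question is which directory on the search path actually supplies that name.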


#7 Barbaraeh

  • Topic Starter
  • Members
  • 15 posts

Posted 04 October 2012 - 04:22 PM

Jason,

I'm so relieved that those files aren't malware...although I did get search results that stated they were "undesirable" and associated with known worms...I've attached the Attach.zip log (attached file: attach.zip, 2.04KB). I see now why I couldn't attach it before, I used the "fast reply" and you need to click on "add reply" to get the attach option.

Regarding the issue with the ntdetect.com file -- there are no memory sticks/cards, USB flash drives, cameras, phones, etc. attached to the computer upon bootup. The new printer is attached using a USB cable however...is that an issue? I can't imagine having to unplug the printer every time I turn on the PC. I'll run the aswMBR and send the log.

I'll also try the options for getting my various programs to run before I try reinstalling them again. They were actually reinstalled following the 2nd system restore and after the limited user account was created. I don't recall seeing any option to select "all accounts" or anything similar...of course, these programs are rather old (i.e, MS Office 97, for example) so that may not be a part of the install process.

#8 Barbaraeh

  • Topic Starter
  • Members
  • 15 posts

Posted 04 October 2012 - 04:26 PM

Jason,

Here's the log from running aswMBR.

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-10-04 16:37:15
-----------------------------
16:37:15.593 OS Version: Windows 5.1.2600 Service Pack 2
16:37:15.593 Number of processors: 1 586 0xA00
16:37:15.593 ComputerName: YOUR-1A4D29F243 UserName: Compaq_Owner
16:37:19.828 Initialize success
17:03:04.421 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-1b
17:03:04.453 Disk 0 Vendor: ST3200822A 3.02 Size: 190782MB BusType: 3
17:03:04.484 Disk 0 MBR read successfully
17:03:04.500 Disk 0 MBR scan
17:03:04.515 Disk 0 unknown MBR code
17:03:04.531 Disk 0 Partition 1 00 0B FAT32 RECOVERY 5396 MB offset 63
17:03:04.546 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 185382 MB offset 11052720
17:03:04.562 Disk 0 scanning sectors +390715920
17:03:04.640 Disk 0 scanning C:\WINDOWS\system32\drivers
17:03:19.828 Service scanning
17:03:32.562 Modules scanning
17:04:02.265 Disk 0 trace - called modules:
17:04:02.296 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys viaide.sys PCIIDEX.SYS
17:04:02.359 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86745ab8]
17:04:02.359 3 CLASSPNP.SYS[f787005b] -> nt!IofCallDriver -> \Device\0000006a[0x867879e8]
17:04:02.390 5 ACPI.sys[f77e6620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-1b[0x86752940]
17:04:02.390 Scan finished successfully
17:05:28.953 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Compaq_Owner\Desktop\MBR.dat"
17:05:28.968 The log file has been saved successfully to "C:\Documents and Settings\Compaq_Owner\Desktop\aswMBR.txt"


Thank you.

#9 jntkwx

  • Malware Response Team
  • 4,339 posts

Posted 04 October 2012 - 07:01 PM

Barbaraeh,

Regarding the issue with the ntdetect.com file -- there are no memory sticks/cards, USB flash drives, cameras, phones, etc. attached the computer upon bootup. The new printer is attached using a USB cable however...is that an issue? I can't imagine having to unplug the printer everytime I turn on the PC. I'll run the aswMBR and send the log.


No, you shouldn't have to unplug the USB cable for every restart. aswMBR showed what I think may be the reason you're getting that ntdetect error:
17:03:04.515 Disk 0 unknown MBR code

Please right click on the MBR.dat file on your desktop, and select Send To > Compressed (Zipped) Folder. Then, attach the MBR.zip file to your next reply (just like you did with Attach.zip).

These programs are rather old (i.e., MS Office 97, for example) so that may not be a part of the install process.


After doing some more research on this, it appears that may be true for Office 97, and likely true for any programs designed for Windows 2000 or older (the way user accounts work for programs changed with Windows XP). The simple solution to this is to reinstall Office to the same program folder while logged on under each user account. This may work for your other programs as well.

Edited by jntkwx, 04 October 2012 - 07:03 PM.

Regards,
Jason

 

Simple and easy ways to keep your computer safe and secure on the Internet

If I am helping you and have not returned in 48 hours, please feel free to send me a PM with a link to the topic.
My help is free... however, if you wish to show appreciation and support me personally fighting against malware, please consider a donation: btn_donate_SM.gif
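An added example (not from this thread and not part of aswMBR) of what a responder can do with the MBR.dat that aswMBR saves: parse the 512-byte sector, hash the 446 bytes of boot code so they can be compared against a copy known to be clean, and check the partition table for consistency with the disk size shown in the log. The sample MBR is constructed to match the two partition lines in the log above; its boot code bytes are a placeholder, not real loader code.

```python
import hashlib
import struct

SECTOR = 512
PART_TYPES = {0x00: "empty", 0x07: "HPFS/NTFS", 0x0B: "FAT32"}

def parse_mbr(mbr: bytes) -> dict:
    """Split a 512-byte MBR image into boot code hash, partition table and signature."""
    if len(mbr) != SECTOR:
        raise ValueError("an MBR image must be exactly 512 bytes")
    parts = []
    for i in range(4):
        # entry: status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sectors(4), little-endian
        flag, ptype, lba, nsect = struct.unpack("<B3xB3xII", mbr[446 + 16 * i:462 + 16 * i])
        if ptype == 0x00 and nsect == 0:
            continue  # unused slot
        parts.append({"index": i + 1, "bootable": flag == 0x80, "type": ptype,
                      "name": PART_TYPES.get(ptype, "unknown"), "offset": lba,
                      "sectors": nsect, "size_mb": nsect * SECTOR // (1024 * 1024)})
    return {"boot_code_sha256": hashlib.sha256(mbr[:446]).hexdigest(),
            "signature_ok": mbr[510:512] == b"\x55\xAA", "partitions": parts}

def check_layout(info: dict, disk_sectors: int) -> list:
    """Consistency checks to run on a dumped MBR before trusting its partition table."""
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if sum(p["bootable"] for p in info["partitions"]) != 1:
        findings.append("expected exactly one active (0x80) partition")
    prev_end = 0
    for p in sorted(info["partitions"], key=lambda p: p["offset"]):
        if p["offset"] < prev_end:
            findings.append(f"partition {p['index']} overlaps its predecessor")
        if p["offset"] + p["sectors"] > disk_sectors:
            findings.append(f"partition {p['index']} runs past the end of the disk")
        prev_end = p["offset"] + p["sectors"]
    return findings

def build_sample_mbr() -> bytes:
    """Constructed sample matching the two partition lines in the aswMBR log above."""
    boot_code = b"\x33\xC0\x8E\xD0" + b"\x90" * 442  # placeholder bytes, not real boot code
    table = struct.pack("<B3xB3xII", 0x00, 0x0B, 63, 5396 * 2048)            # FAT32, 5396 MB
    table += struct.pack("<B3xB3xII", 0x80, 0x07, 11052720, 185382 * 2048)  # active NTFS
    return boot_code + table + b"\x00" * 32 + b"\x55\xAA"                   # 2 empty slots + sig

if __name__ == "__main__":
    info = parse_mbr(build_sample_mbr())
    for p in info["partitions"]:
        print(f"Partition {p['index']} {p['type']:02X} {p['name']} {p['size_mb']} MB offset {p['offset']}")
    print("boot code sha256:", info["boot_code_sha256"], "findings:", check_layout(info, 390715920))
```

The disk size passed to check_layout (390715920 sectors) is the value from the "scanning sectors" line of the log; a non-standard boot code hash alone is not proof of infection, since OEM recovery tools also replace it.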


#10 jntkwx

jntkwx

  • Malware Response Team
  • 4,339 posts
  • OFFLINE
  • Gender:Male
  • Location:New England, U.S.A.
  • Local time:07:56 PM

Posted 08 October 2012 - 12:08 PM

Barbaraeh,

It has been four days since my last post. Do you still need help?

If you do, please follow my previous instructions for Zipping and attaching the MBR.zip file to your next reply.
Regards,
Jason

 



#11 Barbaraeh

Barbaraeh
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:07:56 PM

Posted 09 October 2012 - 11:30 AM

Jason,

Sorry for the delay in responding -- had to go out of town.

I'm attaching the two files you requested.

Thank you.




#12 jntkwx

jntkwx

  • Malware Response Team
  • 4,339 posts
  • OFFLINE
  • Gender:Male
  • Location:New England, U.S.A.
  • Local time:07:56 PM

Posted 09 October 2012 - 07:52 PM

Barbaraeh,

No problem. :)

That's the aswMBR log; there should also be an MBR.dat file on your desktop. Please right click on the MBR.dat file, and select Send To > Compressed (Zipped) Folder. Then, attach the MBR.zip file to your next reply.
Regards,
Jason

 



#13 Barbaraeh

Barbaraeh
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:07:56 PM

Posted 10 October 2012 - 10:54 AM

Jason,

Sorry...I think I've got it right this time.

Attached Files

  • Attached File: MBR.zip (546 bytes, 1 download)


#14 jntkwx

jntkwx

  • Malware Response Team
  • 4,339 posts
  • OFFLINE
  • Gender:Male
  • Location:New England, U.S.A.
  • Local time:07:56 PM

Posted 11 October 2012 - 01:41 PM

Yes, that's what I'm looking for. :thumbup2:

Please download the latest version of TDSSKiller from here and save it to your Desktop.
  • Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.
  • Put a checkmark beside loaded modules.
  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes then click OK.
  • Click the Start Scan button.
  • The scan should take no longer than 2 minutes.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
  • A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Regards,
Jason

 



#15 Barbaraeh

Barbaraeh
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:07:56 PM

Posted 12 October 2012 - 09:59 PM

Jason,

So you do think that I may have some malware? I will try to do this operation over the weekend.

Thank you.



