Virus Infect with Reboot
Hi
It has been some time since my last post. Sorry, I've had a crash with my PC. I had to reinstall the OS with the application/support disc: Windows XP SP1 Home Edition. I had to uninstall Norton 2006 because it crashed so much. I now have CA Antivirus 2007 installed.
Logfile of HijackThis v1.99.1
Scan saved at 10:10:27 PM, on k.4.2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\System32\services.exe
C:\WINDOWS\System32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\WgaTray.exe
C:\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.medion.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.medion.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\PowerCinema\PCMService.exe"
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Wireless keyboard control panel.lnk = C:\WINDOWS\CNYHKey.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O14 - IERESET.INF: START_PAGE_URL=http://www.aldi.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
Hello Shela :)
It looks like the HijackThis log was taken in safe mode.
Please post a fresh HijackThis log but create it in normal mode :bigthumb:
Logfile of HijackThis v1.99.1
Scan saved at 11:13:24 PM, on 5/17/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ups.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\System32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\RunDll32.exe
C:\WINDOWS\Dit.exe
C:\Program Files\PowerCinema\PCMService.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\WINDOWS\DitExp.exe
C:\WINDOWS\CNYHKey.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://netservices.verizon.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.medion.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://security.kolla.de/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://security.kolla.de/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://security.kolla.de/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\PowerCinema\PCMService.exe"
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: wkcalrem.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
O4 - Global Startup: Wireless keyboard control panel.lnk = C:\WINDOWS\CNYHKey.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.aldi.com
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1179350540468
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
;)
Hello Shela and sorry for the huge delay :oops:
I don't know how I missed this...
Please post a fresh HijackThis log and we'll continue :bigthumb:
Hi Mr_JAK3
Just to let you know, I still have the same problem. I am waiting to clean up the PC before adding the WinXP SP2 CD from Microsoft. Every time I try to install it, it crashes suddenly, and I end up with the same problems. Microsoft customer support said to try and get it all removed, or else consider a new OS and wipe the hard drive clean to install a new OS. I will appreciate your help to clean up my PC. Thanks,
Logfile of HijackThis v1.99.1
Scan saved at 12:59:11 PM, on 5/25/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ups.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\System32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\RunDll32.exe
C:\WINDOWS\Dit.exe
C:\Program Files\PowerCinema\PCMService.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\CNYHKey.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
C:\WINDOWS\DitExp.exe
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://netservices.verizon.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.medion.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://security.kolla.de/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://security.kolla.de/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://security.kolla.de/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\PowerCinema\PCMService.exe"
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: wkcalrem.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
O4 - Global Startup: Wireless keyboard control panel.lnk = C:\WINDOWS\CNYHKey.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.aldi.com
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1179350540468
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
here's the hj log
Hi again, we'll continue :)
Don't install SP2 yet as we need to get you cleaned first.
You should print these instructions or save these to a text file. Follow these instructions carefully.
Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
Install AVG Anti-Spyware by double clicking the installer.
Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
On the main screen under Your Computer's security.
Click on Change state next to Resident shield. It should now change to inactive.
Click on Change state next to Automatic updates. It should now change to inactive.
Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
Wait until you see the Update successful message.
Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates (http://www.ewido.net/en/download/updates/).
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.
Download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.
Do NOT run yet.
Make your hidden files visible:
Go to My Computer
Select the Tools menu and click Folder Options
Click the View tab.
Check "Display the contents of system folders"
Under the Hidden files and folders select "Show hidden files and folders"
Uncheck "Hide protected operating system files"
Click Apply and then the OK and close My Computer.
==================
Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list. Fix the O6 lines too if you haven't locked Internet Explorer settings on purpose.
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
If your computer does not restart automatically, please restart it manually.
Restart your computer to the safe mode:
Restart your computer
Start tapping the F8 key when the computer restarts.
When the start menu opens, choose Safe mode
Press Enter. The computer then begins to start in Safe mode.
Run ATF Cleaner. Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
Click on Scanner on the toolbar.
Click on the Settings tab.
Under How to act?
Click on Recommended Action and choose Quarantine from the popup menu.
Under How to scan?
All checkboxes should be ticked.
Under Possibly unwanted software:
All checkboxes should be ticked.
Under Reports:
Select Automatically generate report after every scan and uncheck Only if threats were found.
Under What to scan?
Select Scan every file.
Click on the Scan tab.
Click on Complete System Scan to start the scan process.
Let the program scan the machine.
When the scan has finished, follow the instructions below.
IMPORTANT: Don't click on the "Save Scan Report" button before you have clicked the "Apply all Actions" button.
Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
At the bottom of the window click on the Apply all Actions button. (3)
http://img509.imageshack.us/img509/4851/scanavgjk2.jpg
When done, click the Save Scan Report button. (4)
Click the Save Report as button.
Save the report to your Desktop.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode.
================
When you're ready, please post the following logs to here:
- AVG's report
- a fresh HijackThis log
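The fix list above is a manual triage of the log. The script below is an added example, not part of HijackThis or of this thread; it automates the same checks over constructed sample lines in the HijackThis 1.99 format: O2/O3/O9 entries whose CLSID points at "(no file)" (orphaned registrations, which is what the helper asked to have fixed), any O6 policy restriction, and O4 autorun values whose target is not an absolute path (such as the [Dit] Dit.exe line, which Windows resolves through the search path, so the file that actually runs deserves a look). Function names and the sample input are the example's own.

```python
"""Triage helper for HijackThis 1.99-style logs (added example, not a HijackThis feature)."""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample input: a header, one process line and a few entry lines in
# the format seen in this thread. The "(no file)" O2/O9 lines and the O6 line are
# the ones the helper asked to fix; the rest is ordinary OEM / antivirus software.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.medion.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.medion.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
"""

# Every HijackThis entry starts with a section code (R0, R1, O2 ... O23), then " - ".
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d{1,2}) - (?P<body>.*)$")
ABS_PATH_RE = re.compile(r"^[A-Za-z]:\\")


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def parse_entries(log_text):
    """Yield (section, body, raw_line) for each entry line; header and process list are skipped."""
    for raw in log_text.splitlines():
        raw = raw.strip()
        m = ENTRY_RE.match(raw)
        if m:
            yield m.group("section"), m.group("body"), raw


def autorun_target(body):
    """Extract the command from an O4 body such as 'HKLM\\..\\Run: [Name] "C:\\x.exe"'."""
    target = body.split("] ", 1)[1] if "] " in body else body
    return target.strip().strip('"')


def triage(log_text):
    """Return the entries a reviewer would want to look at, in log order."""
    findings = []
    for section, body, raw in parse_entries(log_text):
        if section in ("O2", "O3", "O9") and body.endswith("(no file)"):
            findings.append(Finding(section, "registry points at a missing file (orphaned CLSID, safe to fix)", raw))
        elif section == "O6":
            findings.append(Finding(section, "IE policy restriction present (fix unless set on purpose)", raw))
        elif section == "O4" and not ABS_PATH_RE.match(autorun_target(body)):
            findings.append(Finding(section, "autorun target is not an absolute path; verify which file runs", raw))
    return findings


def start_page_hosts(log_text):
    """Collect the hostnames behind R0/R1 start and default page entries for a quick sanity check."""
    hosts = set()
    for section, body, _ in parse_entries(log_text):
        if section in ("R0", "R1") and " = " in body:
            host = urlparse(body.split(" = ", 1)[1].strip()).hostname
            if host:
                hosts.add(host)
    return hosts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.line}")
    print("start/default page hosts:", sorted(start_page_hosts(SAMPLE_LOG)))
```

Running the block against the sample flags five entries (two O2 and one O9 orphan, the O6 restriction and the bare Dit.exe autorun) and reports www.medion.com as the only start-page host; the same functions can be pointed at a saved log file by reading it into a string.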
Ok, I got through the downloads and began HJThis. Found some of the ones listed and fixed them. Ran the ATF Cleaner. Got stuck trying to update AVG Anti-Spyware. Found nothing. I still have the same problems in the registry reloading the same thing. I have to manually remove it from Lexmark. It keeps generating itself. Also the HKLM and HKU keep changing to something else. I'm guessing, but if I remember, this stuff got fixed when I was running the older versions of S&D. Now I can't get this stuff off, or so it seems. Thank you for helping me. And I'm still considered with this. Will appreciate any more help. Here are the logs:
Logfile of HijackThis v1.99.1
Scan saved at 2:16:30 PM, on 5/28/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.medion.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.medion.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://security.kolla.de/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://security.kolla.de/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://security.kolla.de/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://www.verisign.com/repository/CPS
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\PowerCinema\PCMService.exe"
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Wireless keyboard control panel.lnk = C:\WINDOWS\CNYHKey.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.aldi.com
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1179350540468
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 2:52:44 PM 5/28/2007
+ Scan result:
Nothing found.
::Report end
:rolleyes: Also I forgot to add that I am losing my colors on the desktop. I do not know where to look for it. As of now I don't have the colors red, brown, orange, green. Only blue, yellow, gray and white. It keeps happening over again too. Please help.
Shela
Ok looking better now.
The desktop color issues might be hardware-related too...
Let's deal with the infections first.
Please do an online scan with Kaspersky WebScanner (http://www.kaspersky.com/virusscanner)
Click on Kaspersky Online Scanner
You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make sure that the following are selected:
Scan using the following Anti-Virus database:
Extended (if available otherwise Standard)
Scan Options:
Scan Archives
Scan Mail Bases
Click OK
Now under select a target to scan: Select My Computer
The program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post.
Thanks Mr_JAK3
I still have no idea
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, May 29, 2007 10:49:07 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 30/05/2007
Kaspersky Anti-Virus database records: 333906
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
Scan Statistics:
Total number of scanned objects: 36131
Number of viruses found: 0
Number of infected objects: 0 / 0
Number of suspicious objects: 0
Duration of the scan process: 00:27:05
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Sheila Wilson\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Sheila Wilson\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Sheila Wilson\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Sheila Wilson\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Sheila Wilson\Local Settings\Temp\~DF2223.tmp Object is locked skipped
C:\Documents and Settings\Sheila Wilson\Local Settings\Temp\~DF302E.tmp Object is locked skipped
C:\Documents and Settings\Sheila Wilson\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Sheila Wilson\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Sheila Wilson\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\_restore{3B223519-4D9E-4C77-86E2-EA6855E15FE6}\RP2\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\pfirewall.log Object is locked skipped
C:\WINDOWS\Prefetch\layout.ini Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.
What's going on with my PC? It has the same problems. Looking for your reply, Shela
Hello :)
Ok, when did this color issue begin?
Hi there. I did some researching on all of the programs you had me do. And believe me, I didn't think I skipped anything. Well, I did. I went back to Safe Mode and showed all hidden and system files. And there it was again. The same virus that keeps showing up in the Lexmark files for printing, as you may guess. Also looked into the Windows files and there are a lot infected there. I did change some of them, but having the inf and i386 to go through, I stopped to write and let you know. Must say I am sorry for not checking first. So, if you may give me a couple of days to clean it all out, I would like to get back to you. Will try to go through all the steps you wrote, as I printed them all out. I must say, my PC is starting to run smoother without error messages and crashing on its own. At least I'm able to access the internet with all original files. I will hold off installing the SP2 CD from Microsoft. It is still my belief that having Norton pre-installed on my PC was not protecting everything. This stuff has been constantly coming up until I deleted the program and bought something else. Also I really liked all the older S&D versions that cleaned a lot off for me. That is why I am recognizing what is in those files. I just can't get to them with any program yet. Getting back to the color, it has been going on for three months. Twice I got into some files in the system and found it, and the colors came back. I have maybe four other third-party programs I will re-install when everything goes well. They were not causing me any problems but have a large quantity of files. So Mr_JAK3, I will say everything has been going well with your help. And I'm glad to find where a lot of it has been. I would like to keep going with this as soon as I get my files taken care of in a few days. Thanks again, Shela
Ok don't worry :)
Post the fresh logs when you're ready...
:bigthumb:
How is it going Shela. :)
I have just made some logs to send. I've been working all weekend long on the infected files. So you can't imagine how I feel as the same things keep popping up in the Lexmark files in the Registry. It is this, Account Unknown (S-1-5-32-547). I don't know where it's coming from. Also my colors are all back to normal on the desktop this morning. Also I found two files in C:\Documents and Settings\All Users\Documents\Shared Music\Thumbs. The Thumbs says it's a database file dated Sept. 18, 03. The next one is a Thumbs database file from Sheila Wilson's Pictures\sample pictures. Also a Thumbs database file from the Owner's Videos. I didn't delete them but deleted this, S-1-5-21-3150081293-1317959777-2995841162-1003, from most all of the files infected. This is the one that keeps coming back also on reboot. And I don't know if it's still there or not. Will wait to hear from you and thanks again. Shela
Sorry, Logfile of HijackThis v1.99.1
Scan saved at 1:36:19 PM, on 6/10/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.medion.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.medion.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://security.kolla.de/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://security.kolla.de/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://security.kolla.de/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://www.verisign.com/repository/CPS
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\PowerCinema\PCMService.exe"
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Wireless keyboard control panel.lnk = C:\WINDOWS\CNYHKey.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.aldi.com
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone (HKLM)
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab1179350540468
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 12:55:54 PM 6/11/2007
+ Scan result:
Nothing found.
::Report end
Tashi or Mr_JAK3
Today I ran the S&D V1.4 and it said no problems found there. So I don't know where to go from here. Please Help if you will. Thanks,Shela
Hello :)
Your HijackThis log was taken from safe mode.
1. Download this file - combofix.exe (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply along with a fresh HijackThis log taken in normal mode.
Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
:rolleyes: Hi Mr_JAK3, ready to go with the ComboFix log and HJ log. All done in normal mode.
ComboFix 07-06-13 - C:\Documents and Settings\Sheila Wilson\Desktop\ComboFix.exe
"Sheila Wilson" - 2007-06-12 13:26:10 - Service Pack 1 NTFS
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\WINDOWS\system32\command.pif
((((((((((((((((((((((((( Files Created from 2007-05-12 to 2007-06-12 )))))))))))))))))))))))))))))))
2007-06-12 13:24 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-05-30 12:41 100 --a------ C:\DOCUME~1\ADMINI~1\APPLIC~1\wklnhst.dat
2007-05-29 22:05 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-05-27 00:07 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-05-26 23:37 32,256 --a------ C:\WINDOWS\system32\msgsvc.dll
2007-05-26 23:36 831,519 --a------ C:\WINDOWS\system32\mswdat10.dll
2007-05-26 23:36 614,431 --a------ C:\WINDOWS\system32\mswstr10.dll
2007-05-26 23:36 552,989 --a------ C:\WINDOWS\system32\msrepl40.dll
2007-05-26 23:36 53,279 --a------ C:\WINDOWS\system32\msjter40.dll
2007-05-26 23:36 512,029 --a------ C:\WINDOWS\system32\msexch40.dll
2007-05-26 23:36 421,919 --a------ C:\WINDOWS\system32\msrd2x40.dll
2007-05-26 23:36 380,957 --a------ C:\WINDOWS\system32\expsrv.dll
2007-05-26 23:36 358,976 --a------ C:\WINDOWS\system32\msjetoledb40.dll
2007-05-26 23:36 348,189 --a------ C:\WINDOWS\system32\msxbde40.dll
2007-05-26 23:36 348,189 --a------ C:\WINDOWS\system32\mspbde40.dll
2007-05-26 23:36 319,517 --a------ C:\WINDOWS\system32\msexcl40.dll
2007-05-26 23:36 315,423 --a------ C:\WINDOWS\system32\msrd3x40.dll
2007-05-26 23:36 30,749 --a------ C:\WINDOWS\system32\vbajet32.dll
2007-05-26 23:36 258,077 --a------ C:\WINDOWS\system32\mstext40.dll
2007-05-26 23:36 241,693 --a------ C:\WINDOWS\system32\msjtes40.dll
2007-05-26 23:36 213,023 --a------ C:\WINDOWS\system32\msltus40.dll
2007-05-26 23:36 151,583 --a------ C:\WINDOWS\system32\msjint40.dll
2007-05-26 23:36 1,507,356 --a------ C:\WINDOWS\system32\msjet40.dll
2007-05-26 23:30 260,096 --a------ C:\WINDOWS\system32\mstask.dll
2007-05-26 23:30 172,544 --a------ C:\WINDOWS\system32\schedsvc.dll
2007-05-26 23:30 10,752 --a------ C:\WINDOWS\system32\mstinit.exe
2007-05-19 08:45 <DIR> d-------- C:\DOCUME~1\SHEILA~1\APPLIC~1\Help
2007-05-19 07:39 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-05-17 19:48 <DIR> d-------- C:\DOCUME~1\SHEILA~1\APPLIC~1\Leadertech
2007-05-17 19:45 <DIR> d-------- C:\Program Files\Atari
2007-05-17 15:03 <DIR> d-------- C:\WINDOWS\CAVTemp
2007-05-17 15:02 <DIR> d-------- C:\DOCUME~1\SHEILA~1\APPLIC~1\OfficeUpdate12
2007-05-17 14:53 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Office Genuine Advantage
2007-05-16 14:43 <DIR> d-------- C:\DOCUME~1\SHEILA~1\APPLIC~1\AdobeUM
2007-05-16 14:37 173,792 --a------ C:\wks7dll.exe
2007-05-16 14:06 0 --a------ C:\DOCUME~1\SHEILA~1\APPLIC~1\wklnhst.dat
2007-05-16 01:31 593,408 --a------ C:\WINDOWS\system32\h323msp.dll
2007-05-16 01:31 548,352 --a------ C:\WINDOWS\system32\rtcdll.dll
2007-05-16 01:31 439,808 --a------ C:\WINDOWS\system32\ipnathlp.dll
2007-05-16 01:14 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
2007-05-16 00:20 991,232 --a------ C:\WINDOWS\system32\esent.dll
2007-05-15 23:39 <DIR> d-------- C:\WINDOWS\system32\bits
2007-05-15 23:38 7,680 --a------ C:\WINDOWS\system32\bitsprx2.dll
2007-05-15 23:38 7,168 --a------ C:\WINDOWS\system32\bitsprx3.dll
2007-05-15 23:38 331,776 --a------ C:\WINDOWS\system32\winhttp.dll
2007-05-15 23:38 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-05-15 23:38 17,408 --a------ C:\WINDOWS\system32\qmgrprxy.dll
2007-05-15 23:38 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-05-15 23:38 <DIR> d-------- C:\WINDOWS\system32\PreInstall
2007-05-15 23:32 <DIR> d-------- C:\WINDOWS\system32\SoftwareDistribution
2007-05-15 23:30 549,720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-05-15 23:30 33,624 --a------ C:\WINDOWS\system32\wups.dll
2007-05-15 23:30 325,976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-05-15 23:30 203,096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-05-15 23:30 194,328 --a------ C:\WINDOWS\system32\wuaueng1.dll
2007-05-15 23:30 172,312 --a------ C:\WINDOWS\system32\wuauclt1.exe
2007-05-15 23:30 <DIR> d-------- C:\WINDOWS\SoftwareDistribution
2007-05-15 22:58 99,904 --a------ C:\WINDOWS\system32\isafeif.dll
2007-05-15 22:58 79,424 --a------ C:\WINDOWS\system32\vetredir.dll
2007-05-15 22:58 75,280 --a------ C:\WINDOWS\system32\isafprod.dll
2007-05-15 22:58 32,528 --a------ C:\WINDOWS\system32\drivers\vetmonnt.sys
2007-05-15 22:58 26,640 --a------ C:\WINDOWS\system32\drivers\vet-filt.sys
2007-05-15 22:58 21,648 --a------ C:\WINDOWS\system32\drivers\vetfddnt.sys
2007-05-15 22:58 21,392 --a------ C:\WINDOWS\system32\drivers\vet-rec.sys
2007-05-15 22:50 630,464 --a------ C:\WINDOWS\system32\drivers\vetefile.sys
2007-05-15 22:50 108,656 --a------ C:\WINDOWS\system32\drivers\veteboot.sys
2007-05-15 22:45 <DIR> d-------- C:\Program Files\CA
2007-05-15 22:45 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\CA
2007-05-15 22:01 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-05-15 16:57 2,855 --a------ C:\WINDOWS\system32\mem.PIF
2007-05-15 15:12 2,855 --a------ C:\WINDOWS\system32\edit.PIF
2007-05-14 19:00 87,040 --a------ C:\WINDOWS\system32\wiafbdrv.dll
2007-05-14 19:00 14,208 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2007-05-14 19:00 <DIR> d-------- C:\Program Files\Lexmark X1100 Series
2007-05-14 18:59 299,520 --a------ C:\WINDOWS\uninst.exe
2007-05-14 18:59 <DIR> d-------- C:\DOCUME~1\ADMINI~1\WINDOWS
2007-05-14 18:58 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\AdobeUM
2007-05-13 22:24 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2007-05-13 22:19 <DIR> d--h----- C:\WINDOWS\PIF
2007-05-13 18:32 2,359,296 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-05-13 18:32 <DIR> d---s---- C:\DOCUME~1\ADMINI~1\UserData
2007-05-13 18:32 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Symantec
2007-05-13 18:32 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\CyberLink
2007-05-13 18:32 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Ahead
2007-05-13 18:25 3,670,016 --ah----- C:\DOCUME~1\SHEILA~1\NTUSER.DAT
2007-05-13 18:25 262,144 --a------ C:\DOCUME~1\ALLUSE~1\NTUSER.DAT
2007-05-13 18:25 <DIR> d---s---- C:\DOCUME~1\SHEILA~1\UserData
2007-05-13 18:25 <DIR> d-------- C:\DOCUME~1\SHEILA~1\APPLIC~1\Symantec
2007-05-13 18:25 <DIR> d-------- C:\DOCUME~1\SHEILA~1\APPLIC~1\CyberLink
2007-05-13 18:25 <DIR> d-------- C:\DOCUME~1\SHEILA~1\APPLIC~1\Ahead
2007-05-13 18:24 <DIR> d---s---- C:\DOCUME~1\DEFAUL~1\UserData
2007-05-13 18:24 <DIR> d-------- C:\DOCUME~1\DEFAUL~1\APPLIC~1\Symantec
2007-05-13 18:24 <DIR> d-------- C:\DOCUME~1\DEFAUL~1\APPLIC~1\CyberLink
2007-05-13 18:24 <DIR> d-------- C:\DOCUME~1\DEFAUL~1\APPLIC~1\Ahead
2007-05-13 18:13 6,400 --a------ C:\WINDOWS\system32\drivers\enum1394.sys
2007-05-13 18:13 55,680 --a------ C:\WINDOWS\system32\drivers\ohci1394.sys
2007-05-13 18:13 50,560 --a------ C:\WINDOWS\system32\drivers\1394bus.sys
2007-05-13 18:13 24,960 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-06-01 08:04:33 388,608 ----a-w C:\WINDOWS\system32\mstsc.exe
2007-05-30 19:43:03 -------- d-----w C:\Program Files\MSN Messenger
2007-05-18 02:46:00 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-18 02:45:44 -------- d-----w C:\Program Files\Common Files\InstallShield
2007-05-16 08:01:24 -------- d-----w C:\Program Files\Messenger
2007-05-16 06:30:33 -------- d--h--w C:\Program Files\WindowsUpdate
2007-04-17 05:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 05:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 05:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 05:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-17 05:44:18 208,248 ----a-w C:\WINDOWS\system32\muweb.dll
2007-04-11 18:04:16 524,288 ----a-w C:\WINDOWS\opuc.dll
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [2003-05-14 21:47]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [2003-03-11 16:24]
"Dit"="Dit.exe" [2002-08-28 13:43 C:\WINDOWS\Dit.exe]
"PCMService"="C:\Program Files\PowerCinema\PCMService.exe" [2003-06-24 12:23]
"Lexmark X1100 Series"="C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-08-19 03:43]
"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [2007-05-15 22:58]
"CAVRID"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2007-05-15 22:58]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-06-07 03:32]
"Cmaudio"="cmicnfg.cpl" [2003-09-12 20:07 C:\WINDOWS\CMICNFG.CPL]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-29 05:00]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2006-09-28 07:13]
**************************************************************************
catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-12 13:26:59
Windows 5.1.2600 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-06-12 13:27:21
C:\ComboFix-quarantined-files.txt ... 2007-06-12 13:27
--- E O F ---
Logfile of HijackThis v1.99.1
Scan saved at 1:40:57 PM, on 6/12/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ups.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\Dit.exe
C:\WINDOWS\DitExp.exe
C:\Program Files\PowerCinema\PCMService.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\WINDOWS\CNYHKey.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://netservices.verizon.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.medion.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://security.kolla.de/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\PowerCinema\PCMService.exe"
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: wkcalrem.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
O4 - Global Startup: Wireless keyboard control panel.lnk = C:\WINDOWS\CNYHKey.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.aldi.com
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone (HKLM)
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab1179350540468
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
Hi there Mr_JAK, would like to add that since running the programs yesterday and posting the log everything has returned. And the only thing I remember is the Microsoft Updates came up on the desktop wanting to install the June Malicious File Removal and I did install that. Also I had one problem with Windows Media Player 9: while reading email with an audio, the video stopped part way through to say it crashed, files may be corrupted, and it was unable to continue, with no error number. As I thought all error messages had a number to refer to. Also once again I have lost my colors on the desktop. Would like to hear from you. Shela
Hi :)
Ok, what video card do you have? We could try updating its drivers.
Hi, am back again with the same problems. I have almost crashed three times today. My control panel in the Folder Options keeps changing by itself. As does the Reg on reboot, with the same virus in the Lexmark printing files. Also looking in the Registry files I saw under HKLM\SYSTEM\CCSet\Services\USB a string with USBBIOSHACKS. Is this part of the virus? I still have no colors on the desktop, and to let you know, I did call the mfg. of the LCD monitor I use and they had me run some tests. All colors showed on the monitor from the test and they said that it has to be a virus on my computer. Also I forgot to mention I did have Reg Repair installed before beginning this thread. It got lost when I crashed and I didn't bother putting it back on. Just want to get this thing cleaned up first before the SP2 is put on. Will send a HJ log. Thanks Shela
Ok please post a fresh HijackThis log.
Do your colors work in safe mode?
Hi there
I'm back again. Yes it was a big crash again. PC didn't like the bleepingcomputers or whatever. I almost asked about the last program before running it. I must say that when I reinstall from my application support disc it dumps crap all through my files. So I went into safe mode to see them and tried to pull most of them off. I know there must be a better way to install, or so it seems. Also all of the colors have come back so right now I am not worrying. The LCD monitor settings say that all colors are showing. The computer has a virus at times that blocks a lot of them?? The Customer Service for the monitor said this also. Also the pc has an Intel(R) 82865G Graphics Controller. It may need updating the drivers? Also I have not installed that dreaded Lexmark printer I have waiting for me. Any suggestions before I do this? Please continue with your help as I need it badly. I am updating everything, so will look for your help when online today. Thank you and appreciate keeping up with me still. Shela
Hello :)
I think that the issue is hardware related; I don't think that it is malware related, as your computer looks clean.
You could install this driver and see how it works -> Link (read the instructions) (http://downloadcenter.intel.com/Detail_Desc.aspx?agr=N&ProductID=1044&DwnldID=9498&strOSs=45&OSFullName=Windows*%20XP%20Home%20Edition&lang=eng)
Let me know if it helps :bigthumb:
:alien:
Hi there, sorry for taking so long. Thanks Mr_JAk3 for your patience. Caught something to crash it again, so I have it about ready to run everything again. I need to install HJ and Spybot again. To let you know, I have cleaned up my files so well since working with you. I still can't get the boot straightened out. But will work on that also. Thank you for the Intel drivers. I forgot to check them out of late. It makes a difference. I will be sending my logs next. Will check back later to see where to begin.
Shela
Hi There to SpyBot Team
Letting you know I'm still not doing well. I'm sad to say it's my fault this time. If I didn't make mistakes this pc would work better. Presently I'm running on the desktop with the Default User. I can't even log in with my own name. I get the message "No Profile to Log On by Windows" and "Can't Log On User Profile" "Logged on with the Default".
I can't find some of my programs I installed and can't figure out what went wrong. If you have any suggestions I'll appreciate it much. So will wander off to the Microsoft Help And Support site as this has occurred in the past.
Will let you know when I find the problems and would like to have Spybot help with the virus stuff. Thanks for any help. Shela
Hello :)
Sounds like something in the system is corrupted. Have you tried creating a new user account?
Also you might want to consider a total reformat and re-install as an option. Something seems to be messed up.
:bigthumb:
Hi to Spybot Staff again,
I am thinking also this is what's wrong. And am thinking to just re-install everything from a fresh start. Since writing I've checked the files out and it doesn't look good. A lot of the files are messing up and I have to keep fixing them. Also this year at some time I did receive an error message "system registry files corrupted". Can't remember exactly, but did access the Microsoft website and called the virus help support site. I did get some help and it's like this is almost the same exact thing that was wrong. They gave me a Co-Create Fix of some sort and it did help for a while. And the User Accounts with two different users to log on were all of a sudden gone and the Default User message came on with a blue screen. This was the time I was using Norton Antivirus 2006 and was crashing with the SP2 because there was still a virus there as there is now. That is why I don't want to put it on until it is all gone. Just to add, I have considered putting the Norton Antivirus back on to be able to access their web site for help in pulling this off. Back then I got nowhere with it. I was told that I didn't install Norton Antv. 2005 and was missing files that were needed to run. Which I didn't know at the time. Now I see they are offering more support. I did like the Norton Antivirus; it was the viruses, worms, trojans that were bogging down my pc so bad it shut down. It's a miracle I think that I've gotten this far and would like to keep my pc running so. My OS at present is Windows XP Home Ed SP1 with CA Antivirus 2007. Am going to look at a few more options on the web and Microsoft and then re-install everything. But would like to ask, is there a better way to re-install? I would like to know how to reformat and reinstall leaving out the viruses. Also including to say that I tried to uncheck the System Restore in the Control Panel while in safe mode, to unload the viruses. And it acted weird and said 'not able to check system restore mode, try again after rebooting to desktop'.
Which I did, and it put me in this mess of Default User. Hope that explains some help as to what I did. Thanks, will keep in touch, Shela
Hello :)
The formatting will wipe everything from your hard drive -> fresh start.
Then you'll re-install Windows and other programs.
Here is something about formatting; you'll need to know how to perform the operation before beginning:
Reformatting Windows XP by wng_z3r0 (http://spyware-free.us/tutorials/reformat/)
When should I re-format? How should I reinstall? (http://www.dslreports.com/faq/10063)
Windows XP Clean install (http://windowsxp.mvps.org/XPClean.htm)
Then there are a couple of things you should do immediately after installing Windows and before surfing the net... Install an antivirus and firewall (you should download and have those on a CD or USB drive, all ready to be installed).
These are good (free) firewalls:
- Kerio (http://www.sunbelt-software.com/Kerio.cfm)
- Sygate (http://www.majorgeeks.com/download.php?det=3356)
- Outpost (http://www.majorgeeks.com/download.php?det=1056)
These are good (free) antiviruses:
- Antivir (http://www.free-av.com)
- Avast (http://www.avast.com)
- AVG (http://free.grisoft.com)
Get all Windows updates installed!
Please ask me if you have any questions :)
Then here are a few things that you can do in order to make your fresh computer more secure:
Use ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1)
Download and install ATF Cleaner. Clean your temporary files & folders with it regularly.
Use Ad-Aware (http://www.bleepingcomputer.com/forums/?showtutorial=48)
Download and install Ad-Aware. Update it and scan your computer regularly with it.
Use Ewido (http://www.ewido.net/en/)
Update it and scan your computer regularly with it.
Use Spybot S&D (http://www.bleepingcomputer.com/forums/?showtutorial=43)
Download and install Spybot S&D. Update it and scan your computer regularly with it.
Install SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html)
SpywareBlaster will prevent spyware from being installed.
Install MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm)
This prevents your computer from connecting to harmful sites.
Use Firefox browser (http://www.mozilla.org)
Firefox is faster, safer and better browser than Internet Explorer.
Keep your system up-to-date (http://windowsupdate.microsoft.com)
Visit Windows Update regularly.
Keep your antivirus and firewall up-to-date
Scan your computer regularly with your antivirus.
Read this article by TonyKlein (http://castlecops.com/postlite7736-.html)
So how did I get infected in the first place?
Hi again
Thanks Mr-JAk3. First I took your advice and made a new account and think that it may do the job. Because I was on the Microsoft Help and Support yesterday, there it was, 'Lost Local Profile' 7/15. http://support.microsoft.com/kb/318011/en-us (copy data from a corrupted user profile to a new profile) This seems to be working so will start from there and check to see if the other applications are running as well. I made a few mistakes at first but am running ok for now. I want to admit that I tried to clean my files and didn't ask, sorry. I like how my files are performing since beginning with this forum. So much has been done to help my computer run better. I'd never think to get this far. Just thanks for bringing me to it. I have printed the instructions just in case. After all the clean-up I plan to install the SP2 CD as soon as I get the go sign. Just to let you know, I looked in the hidden files and found more infected files to delete in the Application Data files again. Will let you know how it goes. Thanks again for your help and support.
Hello :)
How can you tell that the files are infected?
Also have you tried "System File Checker (http://dwightblackburn.com/winxp/)" utility?
I think it could help if you have some files missing there...
Hi Mr_JAk3
Yes I do use the "System File Checker".
As to How Can I Tell if Files Are Infected, they usually start with the Control Panel buttons changing from what I set. Also when I look in the Registry and when in Safe Mode it will show up in RED. Where the account is placed the icon is in red. This is usually from the internet s uch as when I download drivers I needed. For example: C:Windows\Intel; Installtion Files\Sunbelt CounterSpy.msi;Windows\Debug\mrteng.log and \mt.log. All had the same virus after being on the internet. Why, I don't know.
Before posting on this forum my files were not clean at all. I did not know how to. And since Jan 2007 I was running WinXP-SP2 with Norton AntiVirus 2006. I crashed repeatedly, then sought Customer Service help from Norton and Microsoft. Norton said that because I didn't install Norton SystemWorks 2005 I was missing some important files I needed. I never had it to install, and called them later and was told to install the Norton 2006 CD, that it would work. I found that Norton 2006 AntiVirus only worked with SP2 on my PC, which had so many infected files to begin with that it was crashing constantly after being on the internet. Also I went to Microsoft's Online Support Service. I had the same problem with user accounts being deleted and viruses. After much debate, as they are thorough too, I was told the virus was infected in the PC and that third parties do cause some of the problems. And that said, my best bet would be to buy a new OS and do a clean install of the HD, or take it to a computer shop, whatever I chose to. I opted to clean it myself, as when I bought it new I knew what was running and what not. Viruses do not come from anywhere but the internet and need to be cleaned from the machine. Also, I've since replaced one part in the PC and added more memory, and it is running more smoothly. Just to add that when I bought my PC new in 2004 I ran Norton AntiVirus two years with no problems at all. So I know how well I do like the software. I also liked Norton 2006, which is much more advanced. It was too difficult to run on an infected PC. Enough said.
I am posting a new HJ log.
Hi :)
As to How Can I Tell if Files Are Infected, they usually start with the Control Panel buttons changing from what I set. Also when I look in the Registry and when in Safe Mode it will show up in RED. Where the account is placed the icon is in red. This is usually from the internet, such as when I download drivers I needed. For example: C:\Windows\Intel; Installation Files\Sunbelt CounterSpy.msi; Windows\Debug\mrteng.log and \mt.log. All had the same virus after being on the internet. Why, I don't know.
OK, that sounds strange. To what do the Control Panel buttons change? What will show up in RED? How can you know that C:\Windows\Intel; Installation Files\Sunbelt CounterSpy.msi; Windows\Debug\mrteng.log and \mt.log are infected?
Hi, I'm finally back from crashing again. Mostly due to the user account disappearing and having to make a new one. Anyway, it crashed right after I had been online and did my updates with Microsoft. My #1 online crasher. I usually check my files after being online and always find their garbage dumped in there. And as to the buttons going aloof, they become unchecked, or a box that I don't select in Internet Explorer gets checked without my doing so. This happens often. For the red items, it is a red question mark on the acct. icon and I take it off, because using Spybot to clean with in the earlier versions pointed these out as spyware or whatever, so I know they need to come off, OK? I am going to get back with you. I have everything going okay for now and am about ready to put on the SP2 CD. Thanks for helping me. Shela;)
Ok nice to hear that things are working.
All that crashing doesn't sound normal. If it re-appears I would recommend doing a complete reformat...
:bigthumb:
Hi again
I am agreeing totally. I think the same thing as to what's happening. I am presently at the point that the update from Microsoft wants SP2 installed and I haven't finished my clean-up or reformatted yet. From what I can see everything looks OK and not causing any problems. The only third party I had to install was CA AntiVirus. I will proceed as far as I can if not detained by any other obstacles. I hope I'm on the right track and no boulders come flying from the internet to throw me off. I will slow down this time and check everything before take-off. And hopefully I can get done with all the clean-up work. Check back later. Thanks much for the help. Shela
Hi, I am sending an HJ log. Cleaned up files from the update web site and will try again for SP2. Thanks, I think it's looking better? Shela
Logfile of HijackThis v1.99.1
Scan saved at 11:57:34 PM, on 7/31/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ups.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\RunDll32.exe
C:\WINDOWS\Dit.exe
C:\Program Files\PowerCinema\PCMService.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\WINDOWS\DitExp.exe
C:\WINDOWS\CNYHKey.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://netservices.verizon.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.medion.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.lexmark.com/MD/?func=newreg&lang=0&prtr=4476001&ctry=00000409&os=5&src=1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\PowerCinema\PCMService.exe"
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Wireless keyboard control panel.lnk = C:\WINDOWS\CNYHKey.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.aldi.com
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
You can fix these leftovers with HijackThis:
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
Otherwise looking good. :bigthumb:
Mr_JAk3
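The entries the helper picks out above share one trait: the registry key still exists but its target is "(no file)", so they are dead pointers rather than live code. The following is an added example, not part of the thread and not HijackThis's own code, that triages log lines of this format the same way a reviewer does by hand: it flags "(no file)" orphans, O4 autoruns whose command is not an absolute path (those resolve through the search path, so the file actually run should be located and checked), and O20 Winlogon Notify DLLs, which load into winlogon.exe and deserve a look whatever they point at. The sample lines are constructed here, modelled on the log format above, and the tag names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in HijackThis v1.99 log format (not the poster's full log).
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
"""


@dataclass
class Entry:
    section: str            # HJT section code, e.g. "O2", "O4", "O23"
    raw: str                # the full log line
    target: Optional[str]   # file the entry points at, None if the line was not understood


SECTION_RE = re.compile(r"^(R\d|F\d|O\d+)\s*-\s*(.*)$")
O4_BRACKET_RE = re.compile(r"\[[^\]]*\]\s*(.*)$")      # O4 - HKLM\..\Run: [Name] command
ABS_PATH_RE = re.compile(r'^"?[A-Za-z]:\\')             # C:\... or "C:\..."


def parse_line(line: str) -> Optional[Entry]:
    """Split one log line into its section and the file it references."""
    m = SECTION_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group(1), m.group(2)
    if section == "O4":
        m4 = O4_BRACKET_RE.search(body)
        if m4:
            target = m4.group(1).strip()
        elif " = " in body:                              # O4 - Global Startup: x.lnk = C:\...
            target = body.split(" = ", 1)[1].strip()
        else:
            target = None
    elif " - " in body:
        # O2/O3/O9/O20/O23: the file is the last " - " separated field
        target = body.rsplit(" - ", 1)[-1].strip()
    else:
        target = None
    return Entry(section, line.strip(), target)


def classify(e: Entry) -> str:
    """Assign a triage tag (tag names are this example's own, not HJT's)."""
    if e.target is None:
        return "unparsed"
    if e.target == "(no file)":
        return "orphan"              # dead registry pointer; safe to let HJT remove
    if e.section == "O20":
        return "winlogon_notify"     # DLL loaded by winlogon.exe; always verify
    if not ABS_PATH_RE.match(e.target):
        return "relative_path"       # resolved via search path; locate the real file
    return "ok"


def triage(log_text: str) -> Dict[str, List[str]]:
    """Group every recognised log line under its triage tag."""
    groups: Dict[str, List[str]] = {}
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is not None:
            groups.setdefault(classify(e), []).append(e.raw)
    return groups


if __name__ == "__main__":
    for tag, lines in triage(SAMPLE_LOG).items():
        print(f"[{tag}]")
        for raw in lines:
            print("   ", raw)
```

Run against the constructed sample this reports two orphans, two relative-path autoruns (Dit.exe and the bare RunDll32 call) and one Winlogon Notify entry. An "ok" tag only means the entry points at an absolute path that exists in the log; it says nothing about whether that file is legitimate, which is the part that still needs a human or a scanner.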
Hi, I would like to start with the formatting you suggested. A couple of days ago I installed AVG Virus Cleaner by Grisoft. It ran and found 9 entries, which were entries from cookies; will post that here. And since then, guess? My colors are once again missing. I may not have gotten the correct drivers since crashing last time. So will do that. Also I've looked up all of the sites you listed before reformatting and found I can't, as my computer only has an 'Application&Support Disc' to re-install when it crashes or to repair, and runs as the NTFS file system. Also to mention that every time I use that disk every infected file that I previously deleted is put back on, causing everything to be re-infected as before. It is the problem and I can't remember how to copy that drive as it was posted on the Microsoft Discuss Support Group. By copying it would eliminate the virus out. Just can't remember how to. Also, in Windows XP why doesn't turning off 'System Restore' and then rebooting, then turning it back on, erase all bad files? I have tried this and it doesn't seem to get anywhere, or I'm not doing the right procedure. Considering, I would like to clean up the files on this system without having to buy a new OS, as seen on the internet. Help is greatly appreciated, and willingness to try something. Thanks, Shela
Hi :)
So you don't have a Windows installation disk? Does the Application&Support Disc allow you to re-install everything? You could ask support about this.
Also the System Restore won't get you cleaned. It only restores the pc back to some earlier state.
Hi, and I want to say thanks for everything, Mr_JAk3. I've appreciated all the help and will resolve the leftovers I have created. Your wisdom is my gain in solving these problems with my PC. I realize it's either get a new Operating System or clean up the mess. Bye, and thanks for all the reception I received with this.
Hi :)
I wish I were able to help more, but this is life...
If you need it re-opened please send a private message (pm) to a forum staff member and provide a link to the thread; this applies only to the original topic starter.
Glad we could help :2thumb: