Desperately need help getting rid of Trojan



musicteacher
2008-08-09, 23:45
I hope someone here can help me! I'm the first to admit that I don't know much about the inner workings of my computer and really need help!

I've had Spybot on my computer for years and have had great success with it. I also had Norton on and have been trying to get rid of it, but can't seem to. My renewal subscription was due in June and when I didn't renew, my computer started having problems.

I've done some kind of Windows restore that lost all my email but kept my hard drive files intact. My husband and I had different profiles when we would log into Windows and we got to where it would log in and immediately log off. That's why I did that.

Now it just shows up as Owner and we've been able to stay on for the last 2 weeks.

I haven't been as watchful about updating virus software and so forth lately, and Tuesday night I visited a website of a Christian Rock Band and my computer screen sort of flashed at me, then shut down, then restarted.

Since then, I have a red circle with a white X in it in my lower right corner. I also have a message that keeps coming up telling me that I'm infected, but the message has 2 words spelled wrong in it. I've researched a little bit and I know that this happened because I got infected with something.

I can't start Spybot. I've tried deleting it and downloading it again, but I can't get it to install. When I had the big meltdown in late June and did the Windows restore thing, I installed anti-virus stuff from Comodo. I thought I had it set to keep the bad stuff away.

I've read many messages here about what to do before I ask for help. I've heard of Hijack This, but have never done anything with it.

I just clicked on a link and downloaded it, but when I click on the icon to install it, nothing happens.

I read about a site that has software called HouseCall but I can't get that to work either.

I went to the Ewido site and scanned for Trojans there. Immediately it found something and asked me what to do and I clicked on whatever made sense. The red circle with the white X disappeared for awhile, but when the computer restarted, it came right back.

I know this makes me sound so illiterate. I actually think I'm an intelligent person. I'm a music teacher with a Master's Degree, so I don't think I'm a dumb person, but I'll freely admit that I have no idea what I'm doing here.

I DID manage to get the sound going on my computer all by myself. Since I did the Windows restore thing in late June, we haven't had any sound. Last night I stumbled upon Device Manager, and under Sound I found 3 yellow question marks. I right-clicked and saw something about reinstalling drivers, so I did that and now I can play CDs in my drive again!

I hope someone here can have the patience to help me through this problem. I would love to get my computer healthy again.

Thanks,
musicteacher

ken545
2008-08-14, 03:09
Hello musicteacher

Welcome to Safer Networking.

Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
That said, all advice given by anyone volunteering here is taken at your own risk.
While best efforts are made to assist in removing infections safely, unexpected stuff can happen.

Please download Malwarebytes' Anti-Malware from Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html) or Here (http://www.besttechie.net/tools/mbam-setup.exe)

Double Click mbam-setup.exe to install the application.

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected. <-- Don't forget this
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy and Paste the entire report in your next reply along with a New Hijackthis log.

Delete Hijackthis you previously downloaded and try this one, install it this way.

Download Trendmicros Hijackthis (http://www.trendsecure.com/portal/en-US/_download/HJTInstall.exe) to your desktop.

Double click it to install
Follow the prompts and by default it will install in C:\Program Files\Trendmicro\Hijackthis\Highjackthis.exe
Open HJT Scan and Save a Log File, it will open in Notepad
Go to Format and make sure Wordwrap is Unchecked
Go to Edit > Select All, then Edit > Copy, and paste the new log into this thread using Post Reply, not by starting a New Thread.

DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required.


Post the Malwarebytes log and a Hijackthis log please

musicteacher
2008-08-14, 20:21
Thank you so much for your assistance. I hope I did everything correctly.

Malwarebytes' Anti-Malware 1.24
Database version: 1052
Windows 5.1.2600

12:06:38 PM 8/14/2008
mbam-log-8-14-2008 (12-06-38).txt

Scan type: Quick Scan
Objects scanned: 80812
Time elapsed: 58 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 14

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\buritos (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.FakeAlert) -> Data: c:\windows\system32\karina.dat -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\System32\drivers\mrxdavv.sys (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\karina.dat (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\karina.dat (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winivstr.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\k86.bin (Fake.Dropped.Malware) -> Delete on reboot.
C:\WINDOWS\system32\buritos.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\hosts (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\didduid.ini (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\delself.bat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\beep.sys (Fake.Beep.Sys) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dllcache\beep.sys (Fake.Beep.Sys) -> Quarantined and deleted successfully.
C:\WINDOWS\buritos.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\s32.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\ws386.ini (Malware.Trace) -> Quarantined and deleted successfully.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:52:11 PM, on 8/14/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\logonui.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Comodo\Comodo AntiVirus\CMain.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Comodo\common\CAVASpy\cavasm.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\Program Files\Comodo\Comodo AntiVirus\Cavaud.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Comodo\Comodo AntiVirus\cavemsrv.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us6.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us6.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us6.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F3 - REG:win.ini: load=
F3 - REG:win.ini: run=
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [cnfgCav] "C:\Program Files\Comodo\Comodo AntiVirus\CMain.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [braviax] C:\WINDOWS\System32\braviax.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [braviax] C:\WINDOWS\System32\braviax.exe (User 'Default user')
O4 - S-1-5-18 Startup: AutoPlay.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: AutoTBar.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: AutoPlay.exe (User 'Default user')
O4 - .DEFAULT Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: hp center.lnk = C:\RECYCLER\NPROTECT\31741158.EXE
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.34.14/ttinst.cab
O20 - AppInit_DLLs: C:\WINDOWS\System32\karina.dat
O23 - Service: Comodo Anti-Virus and Anti-Spyware Service - Comodo Inc. - C:\Program Files\Comodo\common\CAVASpy\cavasm.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

--
End of file - 5562 bytes

ken545
2008-08-14, 20:53
Hello,

Open HijackThis > Do a System Scan Only. Close your browser and all open windows, including this one; the only program or window you should have open is HijackThis. Check the following entries and click on Fix Checked.

O4 - HKUS\S-1-5-18\..\Run: [braviax] C:\WINDOWS\System32\braviax.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [braviax] C:\WINDOWS\System32\braviax.exe (User 'Default user')
O4 - Global Startup: hp center.lnk = C:\RECYCLER\NPROTECT\31741158.EXE

O20 - AppInit_DLLs: C:\WINDOWS\System32\karina.dat


You have been infected with some nasty stuff, one of the reasons being that your Operating System is very outdated and letting this garbage in. Before we proceed any further I need you to download and install Service Pack 1 (SP1)...DO NOT INSTALL SERVICE PACK 3 JUST YET

http://www.microsoft.com/downloads/details.aspx?FamilyID=0136e5f8-1684-4202-b2d0-c6a43430f12a&displaylang=en

Install the service pack and post a new log please
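The four entries ken545 picks out above are three distinct persistence spots: Run values written to the SYSTEM (S-1-5-18) and Default User hives, a startup-folder shortcut whose target sits inside C:\RECYCLER, and an AppInit_DLLs value pointing at a file that is not even a .dll. As an added example (not part of this thread and not HijackThis's own code), the Python below applies those same triage rules to HijackThis-style log lines. The regexes are my own approximation of the log layout and the rules are assumptions; the sample lines are copied from the log posted earlier in the thread, with three benign entries from the same log kept in for contrast.

```python
import re
from typing import List, Tuple

# Sample input: lines copied from the HijackThis log posted earlier in this
# thread. Three benign entries from the same log are kept in for contrast.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKUS\S-1-5-18\..\Run: [braviax] C:\WINDOWS\System32\braviax.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [braviax] C:\WINDOWS\System32\braviax.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp center.lnk = C:\RECYCLER\NPROTECT\31741158.EXE
O20 - AppInit_DLLs: C:\WINDOWS\System32\karina.dat
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# The regexes below are my own approximation of the HijackThis line layout
# (assumption), covering only the O4 and O20 shapes used in this example.
# O4 Run value written to the SYSTEM (S-1-5-18) or Default User hive.
SYSTEM_HIVE_RUN = re.compile(
    r"^O4 - HKUS\\(?:S-1-5-18|\.DEFAULT)\\\.\.\\Run: \[(?P<name>[^\]]+)\] "
    r"(?P<target>.+?)(?: \(User '[^']*'\))?$"
)
# O4 startup-folder shortcut: "<name>.lnk = <target>".
STARTUP_LNK = re.compile(
    r"^O4 - (?:Global |\.DEFAULT |S-1-5-18 )?(?:User )?Startup: (?P<lnk>.+?) = (?P<target>.+)$"
)
# O20 AppInit_DLLs value.
APPINIT = re.compile(r"^O20 - AppInit_DLLs: (?P<target>.+)$")


def _file_stem(path: str) -> str:
    """Return the file name without directory or extension, lower-cased."""
    name = path.lower().rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[0]


def triage_hijackthis(log_text: str) -> List[Tuple[str, str]]:
    """Return (line, reason) pairs for entries that deserve a closer look.

    Flags the same patterns the helper singled out in the thread: autoruns in
    the SYSTEM/Default User hives, startup shortcuts whose target lives under
    the Recycle Bin folder (or has an all-digit file name), and any
    AppInit_DLLs value, with an extra note when the value is not a .dll.
    """
    findings: List[Tuple[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = SYSTEM_HIVE_RUN.match(line)
        if m:
            findings.append((line, f"autorun '{m.group('name')}' registered in the SYSTEM/Default User hive"))
            continue

        m = APPINIT.match(line)
        if m:
            target = m.group("target").strip()
            # AppInit_DLLs entries are loaded into every process that links user32.dll.
            reason = "AppInit_DLLs is set (loaded into every process that links user32.dll)"
            if not target.lower().endswith(".dll"):
                reason += "; value is not a .dll file"
            findings.append((line, reason))
            continue

        m = STARTUP_LNK.match(line)
        if m:
            target = m.group("target").strip()
            reasons = []
            if "\\recycler\\" in target.lower():
                reasons.append("startup shortcut targets the Recycle Bin folder")
            if _file_stem(target).isdigit():
                reasons.append("target file name is all digits")
            if reasons:
                findings.append((line, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for entry, why in triage_hijackthis(SAMPLE_LOG):
        print(f"{why}\n    {entry}")
```

Run as-is it reports the two braviax autoruns, the hp center.lnk shortcut into C:\RECYCLER and the karina.dat AppInit_DLLs value, and stays silent on the HP, Adobe and NVIDIA entries. The point of the hive and folder rules is that a legitimate installer writes its autorun under HKLM or the interactive user's HKCU and its shortcuts under Program Files, so an autorun registered for the SYSTEM account or a startup target inside the recycle bin is worth a look even before any file is examined.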

musicteacher
2008-08-15, 00:40
I did exactly what you told me to do with HJT.

Then I followed your link to Microsoft to get the SP, but I get this message:


Internet Explorer cannot download splaexpress_usa.exe from download.microsoft.com
Internet Explorer was not able to open this Internet site. The requested site is either unavailable or cannot be found. Please try again later.


I was getting this message a few days ago when I was trying to get spybot and others to download.


I did run HJT again and here is the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:30:32 PM, on 8/14/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Comodo\Comodo AntiVirus\CMain.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Comodo\common\CAVASpy\cavasm.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\Program Files\Comodo\Comodo AntiVirus\Cavaud.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us6.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us6.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us6.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F3 - REG:win.ini: load=
F3 - REG:win.ini: run=
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [cnfgCav] "C:\Program Files\Comodo\Comodo AntiVirus\CMain.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - S-1-5-18 Startup: AutoPlay.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: AutoTBar.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: AutoPlay.exe (User 'Default user')
O4 - .DEFAULT Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.34.14/ttinst.cab
O20 - AppInit_DLLs: C:\WINDOWS\System32\karina.dat
O23 - Service: Comodo Anti-Virus and Anti-Spyware Service - Comodo Inc. - C:\Program Files\Comodo\common\CAVASpy\cavasm.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

--
End of file - 5093 bytes

ken545
2008-08-15, 02:21
Go to this Microsoft site and follow the instructions to Validate windows and then try SP1 again.

http://www.microsoft.com/windowsxp/using/setup/winxp/validate.mspx

musicteacher
2008-08-15, 04:34
This isn't going well. I click on the link that you provided, and it takes me to a page at microsoft. I follow their directions, which include telling me to scroll down and click on a validate button, but the button isn't anywhere on the page:

http://www.microsoft.com/genuine/ProgramInfo.aspx?displaylang=en&sGuid=7730cf00-f564-49ae-bc3f-451d1eeca9c1

I've done a google search, and I've been clicking all over the Microsoft site trying to find how to validate my copy of Windows XP. I bought this computer 5 years ago at Circuit City and Windows was right on it. I registered it like I should have, so I shouldn't have any problem validating, if I can find the button to click.

musicteacher
2008-08-15, 04:37
OK. I finally got it to validate at the Microsoft website. I got a message congratulating me on my ability to validate.

So I tried to download the SP 1a again and I keep getting the same message as before.

What's next??

Thanks for all your trouble!
musicteacher

ken545
2008-08-15, 04:58
Open up Internet Explorer and go to Tools > Windows Updates and let it check and install updates. Let's see if this will work; if it does, do not install SP3 at this time. The reason for my concern is that not always, but most times when an Operating System is as badly outdated as yours is, the main reason is that the copy of Windows is illegal, and an illegal copy of Windows will not let you update.

Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.

This program is for XP and Windows 2000 only
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button. Your system may start up slower after running ATF Cleaner; this is expected but will be back to normal after the first or second boot up.
Please note: If you use online banking or are registered online with any other organizations, ensure you have memorized passwords and other personal information, as removing cookies will temporarily disable the auto-login facility.

Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) or Here (http://subs.geekstogo.com/ComboFix.exe) to your Desktop.

In the event you already have Combofix, this is a new version that I need you to download.
It must be saved directly to your desktop.


1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.


Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan.
Click on this link (http://www.bleepingcomputer.com/forums/topic114351.html) to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
Remember to re-enable the protection again afterwards before connecting to the net.



2. Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before running combofix.

IF you have not already done so Combofix will disconnect your machine from the Internet when it starts.
If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.


3. Now double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review

Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze.

ken545
2008-08-16, 01:31
musicteacher,

How are you coming along?? Do you need help??

musicteacher
2008-08-16, 02:40
I disabled the Comodo anti-virus program, got my computer offline, and finally was able to run the Combofix. While some things on the computer seem to be running better, and that big red circle with the white X in the bottom right corner is GONE, along with that pesty message that kept popping up, all last night and this morning, the computer kept restarting on its own. It took quite a few attempts to finally have Combofix run all the way through, but it finally did. I'll paste the log here:

ComboFix 08-08-14.02 - Owner 2008-08-15 8:22:11.2 - NTFSx86
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\dllcache\npptools.dll
C:\WINDOWS\system32\npptools.dll
.
---- Previous Run -------
.
C:\Documents and Settings\Betsy.YOUR-US67PI6LUV\Application Data\macromedia\Flash Player\#SharedObjects\DJZ22NXW\interclick.com
C:\Documents and Settings\Betsy.YOUR-US67PI6LUV\Application Data\macromedia\Flash Player\#SharedObjects\DJZ22NXW\interclick.com\ud.sol
C:\Documents and Settings\Betsy.YOUR-US67PI6LUV\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Betsy.YOUR-US67PI6LUV\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\WINDOWS\g32.txt
C:\WINDOWS\jestertb.dll
C:\WINDOWS\system32\dllcache\npptools.dll
C:\WINDOWS\system32\k86.bin
C:\WINDOWS\system32\karina.dat
C:\WINDOWS\system32\msssc.dll
C:\WINDOWS\system32\npptools.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ASPIMGR
-------\Legacy_ASPIMGR


((((((((((((((((((((((((( Files Created from 2008-07-15 to 2008-08-15 )))))))))))))))))))))))))))))))
.

2008-08-14 23:31 . 2008-08-14 23:31 50,688 --a------ C:\Program Files\ATF-Cleaner.exe
2008-08-14 12:49 . 2008-08-14 12:49 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-14 12:10 . 2001-08-18 08:00 4,224 --a------ C:\WINDOWS\system32\drivers\beep.sys
2008-08-14 12:10 . 2001-08-18 08:00 4,224 --a--c--- C:\WINDOWS\system32\dllcache\beep.sys
2008-08-14 09:09 . 2008-08-14 09:09 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-08-14 09:07 . 2008-08-14 09:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-14 09:07 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-14 09:07 . 2008-07-30 20:07 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-14 09:05 . 2008-08-14 09:07 <DIR> d-------- C:\Program Files\Malwarebytes
2008-08-08 22:41 . 2008-08-08 22:42 382,352 --a------ C:\Program Files\jre-6u7-windows-i586-p-iftw.exe
2008-08-08 07:23 . 2008-08-08 07:23 42,496 --a------ C:\Fixing computer instructions.doc
2008-08-08 07:12 . 2008-08-08 07:12 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Motive
2008-08-06 20:52 . 2008-08-06 20:52 15,083,520 --a------ C:\Program Files\spybotsd160.exe
2008-08-06 07:48 . 2008-08-14 21:37 7 --a------ C:\WINDOWS\system32\ngxt.bin
2008-08-05 22:10 . 2008-08-07 19:26 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Spyware Terminator
2008-08-05 20:30 . 2008-08-05 20:30 8,560 --a------ C:\WINDOWS\system32\core3.sys
2008-08-04 21:23 . 2008-08-04 21:23 <DIR> d-------- C:\Program Files\New Folder
2008-07-31 11:03 . 2008-07-31 11:03 <DIR> d-------- C:\Program Files\Disney
2008-07-29 23:01 . 2008-07-29 23:01 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Yahoo!
2008-07-27 17:36 . 2004-08-03 14:04 185,624 --a------ C:\WINDOWS\system32\iuengine.dll
2008-07-27 17:36 . 2004-08-03 14:04 185,624 --a--c--- C:\WINDOWS\system32\dllcache\iuengine.dll
2008-07-27 17:26 . 2008-07-27 17:26 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Microsoft Web Folders
2008-07-25 23:31 . 2008-07-25 23:31 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Aim
2008-07-25 21:56 . 2001-08-17 22:24 135,040 --a------ C:\WINDOWS\system32\drivers\portcls.sys
2008-07-25 21:56 . 2001-08-17 22:24 134,144 --a------ C:\WINDOWS\system32\drivers\ks.sys
2008-07-25 21:56 . 2001-08-17 22:37 117,248 --a------ C:\WINDOWS\system32\ksproxy.ax
2008-07-25 21:56 . 2001-08-17 14:01 57,344 --a------ C:\WINDOWS\system32\drivers\drmk.sys
2008-07-25 21:56 . 2001-08-17 14:01 42,752 --a------ C:\WINDOWS\system32\drivers\stream.sys
2008-07-25 21:56 . 2001-08-17 22:37 22,016 --a------ C:\WINDOWS\system32\wdmaud.drv
2008-07-25 21:56 . 2001-08-17 22:36 4,096 --a------ C:\WINDOWS\system32\ksuser.dll
2008-07-22 20:55 . 2008-07-22 20:55 <DIR> d-------- C:\Documents and Settings\Betsy.YOUR-US67PI6LUV.000\Application Data\FUJIFILM
2008-07-21 20:47 . 2008-07-21 20:47 <DIR> d-------- C:\Documents and Settings\Betsy.YOUR-US67PI6LUV.000\Application Data\ACD Systems
2008-07-21 08:27 . 2008-07-21 08:27 <DIR> d-------- C:\Documents and Settings\Betsy.YOUR-US67PI6LUV.000\Application Data\Microsoft Web Folders
2008-07-20 23:34 . 2008-07-21 16:40 <DIR> d-------- C:\Documents and Settings\Betsy.YOUR-US67PI6LUV.000\Application Data\Spyware Terminator
2008-07-20 23:33 . 2008-07-20 23:33 <DIR> d-------- C:\TBR5LanguageAct
2008-07-20 23:33 . 2008-07-20 23:33 <DIR> d-------- C:\Languages
2008-07-20 23:10 . 2002-07-27 00:24 <DIR> d-------- C:\Documents and Settings\Betsy.YOUR-US67PI6LUV.000\WINDOWS
2008-07-20 23:10 . 2008-07-21 21:15 <DIR> d-------- C:\Documents and Settings\Betsy.YOUR-US67PI6LUV.000\Application Data\VERITAS
2008-07-20 23:10 . 2002-07-27 00:23 <DIR> d-------- C:\Documents and Settings\Betsy.YOUR-US67PI6LUV.000\Application Data\Symantec
2008-07-20 23:10 . 2002-07-27 00:23 <DIR> d-------- C:\Documents and Settings\Betsy.YOUR-US67PI6LUV.000\Application Data\Share-to-Web Upload Folder
2008-07-20 23:10 . 2002-07-27 00:23 <DIR> d-------- C:\Documents and Settings\Betsy.YOUR-US67PI6LUV.000\Application Data\InterTrust
2008-07-20 23:10 . 2008-07-21 08:44 <DIR> d-------- C:\Documents and Settings\Betsy.YOUR-US67PI6LUV.000
2008-07-20 21:40 . 2004-07-15 15:44 18,939 --a------ C:\WINDOWS\hpbvspst.hi2
2008-07-20 21:40 . 2004-07-15 15:44 478 --a------ C:\WINDOWS\hpbvspst.bu2
2008-07-20 21:39 . 2001-07-21 14:40 3,144 --a--c--- C:\WINDOWS\system32\dllcache\srgb.icm
2008-07-19 21:36 . 2008-07-19 22:07 <DIR> d-------- C:\Program Files\Crawler
2008-07-19 17:49 . 2008-08-07 19:26 <DIR> d-------- C:\Program Files\Spyware Terminator
2008-07-19 17:49 . 2008-07-19 22:01 <DIR> d-------- C:\Documents and Settings\Betsy.YOUR-US67PI6LUV\Application Data\Spyware Terminator
2008-07-19 17:49 . 2008-08-07 19:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spyware Terminator
2008-07-19 17:49 . 2008-07-19 17:49 141,312 --a------ C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
2008-07-19 17:46 . 2008-07-19 17:46 8,160,016 --a------ C:\Program Files\SpywareTerminatorSetup.exe
2008-07-19 13:33 . 2008-07-19 13:34 <DIR> d--h-c--- C:\WINDOWS\$xpsp1hfm$
2008-07-17 23:34 . 2004-09-20 15:20 16,121,856 --------- C:\WINDOWS\system32\alsndmgr.cpl
2008-07-17 23:34 . 2004-09-21 11:13 9,196,032 --------- C:\WINDOWS\system32\RTLCPL.exe
2008-07-17 23:34 . 2004-10-01 10:24 2,279,424 --------- C:\WINDOWS\system32\drivers\alcxwdm.sys
2008-07-17 23:34 . 2004-09-10 10:12 208,896 --------- C:\WINDOWS\alcupd.exe
2008-07-17 23:34 . 2004-09-07 14:23 156,672 --------- C:\WINDOWS\system32\RtlCPAPI.dll
2008-07-17 23:34 . 2002-02-05 13:54 141,016 --------- C:\WINDOWS\system32\alsndmgr.wav
2008-07-17 23:34 . 2004-09-01 20:04 139,264 --------- C:\WINDOWS\alcrmv.exe
2008-07-17 23:34 . 2004-09-16 20:39 69,632 --------- C:\WINDOWS\soundman.exe
2008-07-17 23:34 . 2004-09-07 13:47 57,344 --------- C:\WINDOWS\Alcxmntr.exe
2008-07-17 23:34 . 2004-02-25 18:00 40,448 --------- C:\WINDOWS\system32\ChCfg.exe
2008-07-17 21:55 . 2008-07-17 21:55 2,369,474 --a------ C:\Project1.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-08 02:36 --------- d---a-w C:\Program Files\WildTangent
2008-08-06 21:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-06 00:29 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-08-05 02:03 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-04 21:40 --------- d-----w C:\Program Files\PicturesToExe
2008-07-31 13:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-07-29 23:51 --------- d-----w C:\Program Files\Common Files\ACD Systems
2008-07-29 23:48 --------- d-----w C:\Program Files\ACD Systems
2008-07-28 11:45 73,728 ----a-w C:\WINDOWS\system32\CavEmLSP.dll
2008-07-28 11:45 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2008-07-28 11:45 434,252 ----a-w C:\WINDOWS\system32\MSVCRTD.DLL
2008-07-28 11:45 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2008-07-28 11:45 216,576 ----a-w C:\WINDOWS\system32\monln.dll
2008-07-28 11:45 102,400 ----a-w C:\WINDOWS\system32\drivers\cavasm.sys
2008-07-28 11:45 1,060,864 ----a-w C:\WINDOWS\system32\MFC71.dll
2008-07-27 21:25 --------- d-----w C:\Program Files\microsoft frontpage
2008-07-23 00:55 --------- d-----w C:\Program Files\FinePixViewer
2008-07-21 12:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\BOC426
2008-07-21 03:38 --------- d-----w C:\Program Files\SymNetDrv
2008-07-19 22:34 --------- d-----w C:\Program Files\FileSubmit
2008-07-19 21:55 --------- d-----w C:\Program Files\Viewpoint
2008-07-19 21:55 --------- d-----w C:\Program Files\Lycos
2008-07-14 15:56 --------- d-----w C:\Program Files\WildGames
2008-07-12 20:38 --------- d-----w C:\Documents and Settings\Betsy.YOUR-US67PI6LUV\Application Data\Viewpoint
2008-07-11 01:25 --------- d-----w C:\Program Files\Coupons
2008-07-11 01:23 1,277,680 ----a-w C:\Program Files\CouponPrinter.exe
2008-07-10 01:57 --------- d-----w C:\Program Files\AIM6
2008-07-10 01:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-07-10 01:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-07-10 01:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-07-10 01:47 --------- d-----w C:\Documents and Settings\Betsy.YOUR-US67PI6LUV\Application Data\acccore
2008-07-08 11:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\NOS
2008-07-08 11:21 --------- d-----w C:\Program Files\Common Files\Adobe AIR
2008-07-08 11:13 --------- d-----w C:\Program Files\NOS
2008-07-06 21:06 --------- d-----w C:\Documents and Settings\Betsy.YOUR-US67PI6LUV\Application Data\Corel
2008-07-01 02:44 --------- d-----w C:\Documents and Settings\Owner\Application Data\ACD Systems
2008-07-01 02:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\ACD Systems
2008-06-30 14:05 --------- d-----w C:\Program Files\Comodo
2008-06-30 11:30 --------- d-----w C:\Documents and Settings\Betsy.YOUR-US67PI6LUV\Application Data\Snapfish
2008-06-30 01:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Comodo
2008-06-30 00:30 --------- d-----w C:\Documents and Settings\Betsy.YOUR-US67PI6LUV\Application Data\Microsoft Web Folders
2008-06-30 00:27 --------- d-----w C:\Program Files\OpenOffice
2008-06-30 00:16 --------- d-----w C:\Program Files\Comodo Free
2008-06-29 22:05 --------- d-----w C:\Documents and Settings\Betsy.YOUR-US67PI6LUV\Application Data\VERITAS
2008-06-29 03:33 --------- d-----w C:\Documents and Settings\Betsy.YOUR-US67PI6LUV\Application Data\MSN6
2008-06-28 12:41 --------- d-----w C:\Program Files\CCleaner
2008-06-28 11:14 --------- d-----w C:\Program Files\Java
2008-06-26 21:26 --------- d-----w C:\Documents and Settings\Craig\Application Data\WeatherBug
2008-06-26 03:05 --------- d-----w C:\Documents and Settings\Betsy\Application Data\WeatherBug
2008-06-15 10:55 --------- d-----w C:\Documents and Settings\Betsy\Application Data\Roxio
2008-06-15 01:19 --------- d-----w C:\Documents and Settings\Betsy\Application Data\Creative
2008-05-26 10:58 1,470,464 ----a-w C:\Program Files\clipart.exe
2008-04-26 11:06 2,751,368 ----a-w C:\Program Files\ccsetup206.exe
2008-01-21 23:55 119,992 ----a-w C:\Documents and Settings\Betsy\Application Data\GDIPFONTCACHEV1.DAT
2006-09-28 03:04 16,291,424 ----a-w C:\Program Files\Java.exe
2005-01-15 11:13 9,893,152 ----a-w C:\Program Files\PatternViewerInst.exe
2004-07-22 10:39 2,150,574 ----a-w C:\Program Files\Ad-aware.exe
2004-05-23 19:26 2,403,357 ----a-w C:\Program Files\Reg Mechanic Install.exe
2004-05-02 20:17 10,241,609 ----a-w C:\Program Files\Vendio-SMPro.exe
2003-08-13 10:30 1,291,040 ----a-w C:\Program Files\WindowsXP-KB823980-x86-ENU.exe
2003-07-28 11:16 36,864 ----a-w C:\WINDOWS\inf\i386\Vizmicro.dll
2003-07-28 11:16 172,032 ----a-w C:\WINDOWS\inf\i386\viceo.dll
2003-07-28 11:01 36,207 ----a-w C:\WINDOWS\inf\i386\9320FW.bin
2003-07-28 11:01 274,432 ----a-w C:\WINDOWS\inf\i386\9320LLD.dll
2003-07-28 11:01 155,648 ----a-w C:\WINDOWS\inf\i386\rtscan.dll
2003-05-07 01:53 0 ----a-w C:\Program Files\Gevalia.jsp
2003-02-09 22:36 78,516 ----a-w C:\Program Files\AuctionManagerPro.exe
2002-11-30 21:16 1,803,464 ----a-w C:\Program Files\winzip81.exe
2001-08-03 23:29 13,824 ----a-w C:\WINDOWS\inf\i386\Usbscan.sys
.

------- Sigcheck -------

2004-08-04 02:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\ServicePackFiles\i386\ip6fw.sys
2004-08-04 02:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\system32\drivers\ip6fw.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2001-08-02 17:14 1077277]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 19:04 52736]
"CamMonitor"="c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe" [2002-06-18 02:11 69632]
"KBD"="C:\HP\KBD\KBD.EXE" [2001-07-07 00:56 61440]
"StorageGuard"="C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" [2002-05-09 11:01 155648]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2002-07-16 11:03 106549]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2001-12-19 02:39 212992]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2002-05-15 06:29 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2002-05-15 06:20 114688]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2002-06-14 19:39 81920]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2003-06-25 11:24 49152]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-10-23 19:51 233472]
"HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-09-01 07:42 176128]
"DeviceDiscovery"="C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2003-05-21 18:37 229437]
"cnfgCav"="C:\Program Files\Comodo\Comodo AntiVirus\CMain.exe" [2008-07-28 07:45 110592]
"nwiz"="nwiz.exe" [2002-05-03 20:06 364544 C:\WINDOWS\system32\nwiz.exe]

C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\
AutoPlay.exe [2001-09-17 21:22:52 36864]
AutoTBar.exe [2002-05-30 05:58:02 40960]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
AutoPlay.exe [2001-09-17 21:22:52 36864]

C:\Documents and Settings\Administrator.YOUR-US67PI6LUV\Start Menu\Programs\Startup\
AutoPlay.exe [2001-09-17 21:22:52 36864]
AutoTBar.exe [2002-05-30 05:58:02 40960]

C:\Documents and Settings\Betsy\Start Menu\Programs\Startup\
Event Reminder.lnk - C:\Program Files\Mindscape\PrintMaster\PMREMIND.EXE [2007-06-04 21:33:41 325632]
PowerReg Scheduler V3.exe [2008-02-23 19:23:15 225280]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2002-11-29 22:45:23 113664]
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2002-11-29 22:45:23 113664]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]
America Online 7.0 Tray Icon.lnk - C:\Program Files\America Online 7.0\aoltray.exe [2002-11-29 17:24:20 32839]
Exif Launcher.lnk - C:\Program Files\FinePixViewer\QuickDCF.exe [2006-06-22 21:51:56 282624]
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2003-01-30 13:03:47 156160]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-03-22 04:00:00 65588]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2003-11-30 15:02:16 106560]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\monln]
2008-07-28 07:45 216576 C:\WINDOWS\system32\monln.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.ACDV"= ACDV.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\core3.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R1 core3;HTCore Controller;C:\WINDOWS\System32\core3.sys [2008-08-05 20:30]
S3 FileObjInfo;STFileDriver;C:\Documents and Settings\All Users\Application Data\Spyware Terminator\FileObjInfo.sys [2008-07-19 17:49]
.
Contents of the 'Scheduled Tasks' folder

2008-07-26 C:\WINDOWS\Tasks\easy Internet sign-up.job
- C:\Program Files\Hewlett-Packard\EZ Internet Signup\HPSdpApp.exe [2002-04-20 00:10]

2002-07-27 C:\WINDOWS\Tasks\Symantec NetDetect.job
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE []
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-BOC-426 - (no file)
Notify-xatcore - xatcore.dll


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.com/
R0 -: HKCU-Main,Default_Search_URL = hxxp://srch-us6.hpwis.com/
R0 -: HKLM-Main,Start Page = hxxp://www.google.com
R0 -: HKLM-Main,Search Bar = hxxp://srch-us6.hpwis.com/
R1 -: HKCU-Internet Settings,ProxyOverride = localhost

O16 -: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab
C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

O16 -: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://downloads.ewido.net/ewidoOnlineScan.cab
C:\WINDOWS\Downloaded Program Files\ewidoOnlineScan.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-15 08:29:50
Windows 5.1.2600 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\TEMP\cavbase99 118640 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Comodo\Common\CAVASpy\cavasm.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\Program Files\Comodo\Comodo AntiVirus\cavse.exe
C:\Program Files\Comodo\Comodo AntiVirus\cavse.exe
C:\Program Files\Comodo\Comodo AntiVirus\CavAUD.exe
.
**************************************************************************
.
Completion time: 2008-08-15 8:43:06 - machine was rebooted [Owner]
ComboFix-quarantined-files.txt 2008-08-15 12:42:55

Pre-Run: 38,384,062,464 bytes free
Post-Run: 38,321,852,416 bytes free

270

musicteacher
2008-08-16, 02:42
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:41:49 PM, on 8/15/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Comodo\Comodo AntiVirus\CMain.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Comodo\common\CAVASpy\cavasm.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\Program Files\Comodo\Comodo AntiVirus\Cavaud.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us6.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us6.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [cnfgCav] "C:\Program Files\Comodo\Comodo AntiVirus\CMain.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - S-1-5-18 Startup: AutoPlay.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: AutoTBar.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: AutoPlay.exe (User 'Default user')
O4 - .DEFAULT Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.34.14/ttinst.cab
O20 - Winlogon Notify: monln - C:\WINDOWS\SYSTEM32\monln.dll
O23 - Service: Comodo Anti-Virus and Anti-Spyware Service - Comodo Inc. - C:\Program Files\Comodo\common\CAVASpy\cavasm.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

--
End of file - 5424 bytes

musicteacher
2008-08-16, 02:46
I'm sorry to leave so many messages, but out of curiosity, I went back to this link that you gave me:

http://www.microsoft.com/downloads/d...displaylang=en

and I tried it again and this time the Service Pack downloaded!!! Yeah!!!

I have this message telling me that before I install it I should back up all programs. Not sure what to do about that, and I don't think my System Restore is working or turned on.

I'm not doing anything with Service Pack 1a until I have instructions from you.

ken545
2008-08-16, 02:55
Hello,

Your logs look fine :bigthumb: Please understand that if you can't update your Operating System you're just going to keep getting infected. How are things running now??

musicteacher
2008-08-16, 03:05
Everything seems to be running smoothly. What do I do about the system restore and the service packs?

ken545
2008-08-16, 03:55
Let's check a few things.


Depending on how your manufacturer set up your system, you may or may not need the Windows XP CD. If you have an I386 folder on your C:\ drive you may not need the disk.

Click Start>Run
Type in sfc /scannow, hit Enter.
Note: there is a space between sfc and /scannow
This should replace any corrupted/missing system files and will hopefully fix things.




Please run the MGA Diagnostic Tool and post back the report it creates:
Download MGADiag (http://go.microsoft.com/fwlink/?linkid=56062) to your desktop.
Double-click on MGADiag.exe to launch the program
Click "Continue"
Ensure that the "Windows" tab is selected (it should be by default).
Click the "Copy" button to copy the MGA Diagnostic Report to the Windows clipboard.
Paste the MGA Diagnostic Report back here in your next reply.

musicteacher
2008-08-16, 04:32
You are the best. I can't believe how the computer is running now. Hope it keeps up. When do we do all the updating?


Diagnostic Report (1.7.0095.0):
-----------------------------------------
WGA Data-->
Validation Status: Genuine
Validation Code: 0
Online Validation Code: N/A
Cached Validation Code: N/A
Windows Product Key: *****-*****-BRVBB-38MQ9-3PMFT
Windows Product Key Hash: 2V2VyxlfhiaCt/JkDzYQfiNOHMA=
Windows Product ID: 55277-OEM-2111907-00106
Windows Product ID Type: 2
Windows License Type: OEM SLP
Windows OS version: 5.1.2600.2.00010300.0.0.hom
CSVLK Server: N/A
CSVLK PID: N/A
ID: {196FDD5F-9A16-4BEE-BF82-88D84E2D38A5}(3)
Is Admin: Yes
TestCab: 0x0
WGA Version: Registered, 1.7.69.2
Signed By: Microsoft
Product Name: N/A
Architecture: N/A
Build lab: N/A
TTS Error: N/A
Validation Diagnostic: 025D1FF3-171-1
Resolution Status: N/A

WgaER Data-->
ThreatID(s): N/A
Version: N/A

WGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: Yes
Version: 1.7.18.5
WgaTray.exe Signed By: Microsoft
WgaLogon.dll Signed By: Microsoft

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
WGATray.exe Signed By: Microsoft
OGAAddin.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 109 N/A
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: 025D1FF3-171-1

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Default Browser: C:\Program Files\Internet Explorer\IEXPLORE.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{196FDD5F-9A16-4BEE-BF82-88D84E2D38A5}</UGUID><Version>1.7.0095.0</Version><OS>5.1.2600.2.00010300.0.0.hom</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-3PMFT</PKey><PID>55277-OEM-2111907-00106</PID><PIDType>2</PIDType><SID>S-1-5-21-4212676017-135449575-3207847200</SID><SYSTEM><Manufacturer>HP Pavilion 05</Manufacturer><Model>DA179A-ABA 743g</Model></SYSTEM><BIOS><Manufacturer>Phoenix Technologies LTD</Manufacturer><Version>6.00</Version><SMBIOSVersion major="2" minor="31"/><Date>20020925******.******+***</Date><SLPBIOS>HP PAVILION</SLPBIOS></BIOS><HWID>DCB23B4F01842052</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Eastern Standard Time(GMT-05:00)</TimeZone><iJoin>0</iJoin><SBID><stat>2</stat><msppid></msppid><name>Hewlett-Packard</name><model>Pavilion</model></SBID><OEM/><BRT/></MachineData> <Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults>

musicteacher
2008-08-16, 14:42
Good morning Ken. I decided to try and get Service Pack 1a installed, if I could.

I can get it from the Microsoft website, and it downloads. But when I try to install it, it gets to a point where I get an error message that says:

Service Pack 1 Setup Error

The file c:\windows\servicepackfiles\i386\svcsys
is open or in use by another application.
Close all other applications and then click retry.

And then there are 2 buttons: Retry and cancel

I DO have everything else closed, but when I hit retry, it just keeps beeping at me until I hit the cancel button.

I'm so close!!!!

My daughter keeps asking me if she can go play games on Club Penguin, but I won't let her go to any websites until I get the service packs done, because I don't want to get infected again. What's next?

ken545
2008-08-16, 15:58
Good Morning,

The tool I had you run shows that your copy of Windows is legal and validated, so there is some issue we can't see preventing the installation of SP1a. After that's installed we can proceed to SP3, but SP3 cannot be installed without SP1a.

Let's try booting your computer to Safemode with Network Support, then go to the Microsoft site again and give it another try.

To Enter Safemode

Go to Start> Shut off your Computer> Restart
As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly,
this will bring up a menu.
Use the Up and Down Arrow Keys to scroll up to Safemode with Network Support
Then press the Enter Key on your Keyboard

Tutorial if you need it: How to boot into Safemode (http://www.bleepingcomputer.com/tutorials/tutorial61.html)

musicteacher
2008-08-16, 16:21
I restarted and got into Safe Mode with Networking like you said.

I double-clicked on the SP 1a icon that I had installed on my desktop and tried to install again. The same message pops up.

Is something wrong with that one file?

ken545
2008-08-16, 16:25
Let's do one more thing to make sure there is no virus still hiding on your system. Your log looks fine and I see no indication of one, but let's make sure.

Please run this free online virus scanner from ESET (http://www.eset.eu/online-scanner)

Note: You will need to use Internet explorer for this scan
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the activex control to install
Click Start
Make sure that the option Remove found threats is ticked, and the option Scan unwanted applications is checked
Click Scan
Wait for the scan to finish
Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
Copy and paste that log as a reply to this topic

musicteacher
2008-08-16, 16:30
Should I still be in safe mode to do this?

ken545
2008-08-16, 17:12
NO, you can run it in Normal windows

musicteacher
2008-08-16, 18:05
I fired it up while in safe mode. It's been running 90 minutes and has found 13 threats but it isn't done yet. Hope it's OK to run it while the computer is in safe mode.

ken545
2008-08-16, 18:09
Well, you should have run it in normal Windows, but let's see what it finds; they could be just tracking cookies.

musicteacher
2008-08-16, 18:18
Here is what it says:

# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3360 (20080815)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=843deaf2484ee0478dce0cd09fbd2b16
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2008-08-16 03:14:35
# local_time=2008-08-16 11:14:35 (-0500, Eastern Standard Time)
# country="United States"
# osver=5.1.2600 NT
# scanned=536709
# found=16
# scan_time=6055
C:\Desktop pictures\justwanttobe.exe multiple infiltrations (deleted) 00000000000000000000000000000000
C:\Desktop pictures\justwanttobe.exe »WISE »NNWDAC638.EXE Win32/Adware.NdotNet application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Desktop pictures\justwanttobe.exe »WISE »rkinstaller.exe Win32/Adware.Relevant application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Desktop pictures\St Pat Day.exe multiple infiltrations (deleted) 00000000000000000000000000000000
C:\Desktop pictures\St Pat Day.exe »WISE »NNWDAC638.EXE Win32/Adware.NdotNet application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Desktop pictures\St Pat Day.exe »WISE »rkinstaller.exe Win32/Adware.Relevant application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\AutoPlay.exe Win32/Agent.NVP trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\Administrator.YOUR-US67PI6LUV\Start Menu\Programs\Startup\AutoPlay.exe Win32/Agent.NVP trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\Default User\Start Menu\Programs\Startup\AutoPlay.exe Win32/Agent.NVP trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\hp\bin\AUTOPLAY.EXE Win32/Agent.NVP trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\catchme2008-08-15_ 73219.62.zip a variant of Win32/Spy.Goldun.NCW trojan (deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\catchme2008-08-15_ 73219.62.zip »ZIP »xatcore.dll a variant of Win32/Spy.Goldun.NCW trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\karina.dat.vir Win32/TrojanDownloader.Agent.OBD trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\AutoPlay.exe Win32/Agent.NVP trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\Temp\__delete_on_reboot__~_7_4_7_4_6_1_._t_m_p_ Win32/Adware.Websearch application (unable to clean - deleted (after the next restart)) 00000000000000000000000000000000
C:\WINDOWS\Temp\__delete_on_reboot__~_8_2_0_5_7_4_._t_m_p_ Win32/Adware.Websearch application (unable to clean - deleted (after the next restart)) 00000000000000000000000000000000

ken545
2008-08-16, 18:37
Post a new HJT log from normal windows please

musicteacher
2008-08-16, 18:48
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:48:15 AM, on 8/16/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Comodo\Comodo AntiVirus\CMain.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Comodo\common\CAVASpy\cavasm.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\Program Files\Comodo\Comodo AntiVirus\Cavaud.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us6.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us6.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [cnfgCav] "C:\Program Files\Comodo\Comodo AntiVirus\CMain.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - S-1-5-18 Startup: AutoTBar.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/OnlineScanner.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.34.14/ttinst.cab
O20 - Winlogon Notify: monln - C:\WINDOWS\SYSTEM32\monln.dll
O23 - Service: Comodo Anti-Virus and Anti-Spyware Service - Comodo Inc. - C:\Program Files\Comodo\common\CAVASpy\cavasm.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

--
End of file - 5412 bytes
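
As an added example (not from this thread or from HijackThis itself), a small Python parser for the O4, O16, O20 and O23 line shapes in the log above: it strips command-line arguments so only the file each entry actually loads remains, and lists the entries a helper would still verify by hand. The sample lines are copied from the log; the regular expressions are written for the line shapes shown here, not for the full HijackThis output.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis log above.
SAMPLE_LOG = r"""O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Exif Launcher.lnk = ?
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O20 - Winlogon Notify: monln - C:\WINDOWS\SYSTEM32\monln.dll
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

@dataclass
class Entry:
    section: str          # O4, O16, O20 or O23
    name: str             # registry value name, .lnk name, control name or service name
    target: "str | None"  # file or URL loaded, arguments stripped; None if HJT printed "?"

# One pattern per line shape seen in the log; "cmd" holds the path plus any arguments.
PATTERNS = [
    ("O4", re.compile(r"^O4 - HK\w+\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")),
    ("O4", re.compile(r"^O4 - .+? Startup: (?P<name>.+?) = (?P<cmd>.+)$")),
    ("O16", re.compile(r"^O16 - DPF: \{[0-9A-Fa-f-]+\} \((?P<name>.+?)\) - (?P<cmd>\S+)$")),
    ("O20", re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<cmd>.+)$")),
    ("O23", re.compile(r"^O23 - Service: (?P<name>.+?) - .+? - (?P<cmd>.+)$")),
]

def image_path(cmd):
    cmd = cmd.strip()
    if cmd == "?":                 # HJT could not resolve the shortcut target
        return None
    if cmd.startswith('"'):        # quoted path; arguments follow the closing quote
        return cmd[1:cmd.index('"', 1)]
    m = re.match(r"^(.*?\.(?:exe|dll|cab))", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd

def parse_hjt(text):
    entries = []
    for line in text.splitlines():
        for section, pat in PATTERNS:
            m = pat.match(line)
            if m:
                entries.append(Entry(section, m["name"], image_path(m["cmd"])))
                break
    return entries

def review_items(entries):
    # Entries a helper checks by hand (hash, signer, vendor) before deciding anything:
    # unresolved shortcut targets, and DLLs winlogon loads at every logon.
    return [f"{e.section} {e.name}: shortcut target unresolved" for e in entries if e.target is None] + \
           [f"{e.section} {e.name}: loaded by winlogon at logon, verify {e.target}" for e in entries if e.section == "O20"]
```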

ken545
2008-08-16, 19:07
Hi,

NOD removed a few things, your HJT log is fine, so this may be a Windows issue. I am going to link you to a Windows support site that deals with these problems, as this forum is for malware removal only. Be sure to tell them you posted here and that we cleaned your system of some malware. You can link them to this site if you wish so they can see what has been removed.

http://forums.spybot.info/showthread.php?t=32303

Also tell them that we checked and your Operating System is legal and it's been validated. I would post at the first forum I listed first, as they are pretty in tune with issues like this. Like this forum it's free, but you will have to register. If you like, I will keep this thread open for you; post back and link me to the thread where you post so I can keep an eye on it and offer any help if it's needed.


Windows Tech Support Forums

Windows Helpnet (http://www.windowsbbs.com/) <-- Excellent XP Forum
PcPitStop (http://pcpitstop.com/) <-- You can take your system in for a checkup here.
Windows Support (http://forums.whatthetech.com/Microsoft_Windows_f119.html)

ATF Cleaner <-- Yours to keep, run it now and then to clean out the clutter.

Malwarebytes <-- Yours to keep also, check for updates and run a scan now and then.

Combofix is not a general cleaning tool; just run it with supervision, or you can bork your system.


Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.


http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png


When shown the disclaimer, Select "2"

The above procedure will:

Delete the following:
ComboFix and its associated files and folders.
VundoFix backups, if present
The C:\Deckard folder, if present
The C:\_OtMoveIt folder, if present
Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Reset System Restore.



How did I get infected in the first place? Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html)
TonyKlein CastleCops (http://www.castlecops.com/postlite7736-.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
GeeksTo Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)



Safe Surfn
Ken

musicteacher
2008-08-16, 19:22
Thanks for your help! I will be gone the rest of the day but will follow your instructions when I return later.

Yes, please keep my thread open and I'll let you know what's going on.

Thank you so much,

Betsy
musicteacher

tashi
2008-08-23, 19:07
This topic has been archived due to inactivity.

As it has been five days or more since your last post, this topic has been archived and will not be reopened. If you still require help, please start a new topic and include a fresh HijackThis log and a link to this thread.

Applies only to the original poster, anyone else with similar problems please start a new topic.