MS Antivirus 2009 infection
Hi all. Thanks in advance for any and all help. A couple of days ago the MS Antivirus 2009 popup occurred on my home computer. It is a Dimension 8200 @ 1.9 GHz with 256 MB of RDRAM running WinXP Home SP2. I made sure I didn't click the window and ended the program using task manager. I deleted all files/folders under C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd. and removed MS Antivirus 2009 with Add/Remove programs.
Many things have changed on the computer since that fateful popup. Among them are:
Can no longer run Spybot S&D
Folder Options is missing from the Tools menu item in Explorer
Cannot change most options for Windows
In Safe Mode, System Restore does list many Restore Points, but when I click on one (prior to the date of the popup) and then 'Next', nothing happens.
I will post a hjt log next. Thanks again!
Here is the hjt log from SafeMode:
Logfile of HijackThis v1.99.1
Scan saved at 04:54:34 PM, on 12/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HijackThis\Scan.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://smetsys.net/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: C:\WINDOWS\system32\tyshb36rfjdf.dll - {D5BF49A2-94F1-42BD-F434-3604812C807D} - C:\WINDOWS\system32\tyshb36rfjdf.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BOC-425] C:\PROGRA~1\Comodo\CBOClean\BOC425.exe
O4 - HKLM\..\Run: [zzzHPSETUP] F:\Setup.exe \RESET
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [DiscWizard for Windows] C:\Program Files\DiscWizard for Windows\dwwin.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk.disabled
O4 - Global Startup: AOL Companion.lnk.disabled
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/et1_x.cab
O16 - DPF: Yahoo! Go Fish - http://download.games.yahoo.com/games/clients/y/zt3_x.cab
O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/games/clients/y/grt5_x.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt1_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: Yahoo! Spelldown - http://download.games.yahoo.com/games/clients/y/sdt1_x.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1190949702406
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
Thanks again for the help. Happy Holidays!
Sorry, I forgot to add that I have disconnected the infected computer from the internet to hopefully stop any further additions to the problem. Thanks again!
Hi
Please visit this webpage for download links, and instructions for running ComboFix tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Please ensure you read this guide carefully and install the Recovery Console first.
The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
Once installed, you should see a blue screen prompt that says:
The Recovery Console was successfully installed.
Please continue as follows:
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link (http://www.bleepingcomputer.com/forums/topic114351.html)
Remember to re-enable them afterwards.
Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.
Please include the following reports for further review, and so we may continue cleansing the system:
C:\ComboFix.txt
New HijackThis log.
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.
Hi Blade81. Thank you for the help. I have downloaded 'ComboFix' and the 'Windows XP Home Edition with Service Pack 2 Utility - Setup Disks for Floppy Boot Install' to install the Recovery Console. I will be transferring these over to the home computer with a flash drive and then installing them. Once I have the ComboFix log I will run hjt again and post both logs.
Thanks again for the help!
P.S. Just curious, what does sUBs stand for (it's been awhile since I kept up :) )?
Hi Blade81. I copied both files to the desktop on the home computer. I then dragged the file 'WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe' onto the top of the file 'ComboFix.exe' as instructed to in the ComboFix guide, but nothing happens.
Should I turn off ZoneAlarm and SB TeaTimer first (even though that's the next step after the drag & drop)?
I am not in SafeMode either, should I be?
I also forgot to mention that after the MS AV2009 infection I can no longer run diags/commands from Run, like regedit, as I will get an Error Window that states 'Registry editing has been disabled by your administrator.', even though my login is set up as an Administrator. Maybe this is why the above step didn't work.
Thanks again!
Hi
Please rename ComboFix.exe file -> CombiFxx.exe before transferring it to the infected system. Then try to run it there.
sUBs is the author of ComboFix :)
Hi Blade81. Well, I had typed up a long response on what happened, but when I clicked Submit Reply I was redirected to login again, and of course everything I typed went by the wayside too. I will try and remember what I had typed up before.
Renaming the exe worked. A couple of problems came up though. Since I can't run SB, I didn't know how to shut down the TeaTimer, but something kind of weird happened. When I shut down ZoneAlarm, not only did the icon for ZA get removed from the System Tray, but the TeaTimer icon disappeared too. I went to the Task Manager to make sure the TeaTimer was not running, which it wasn't, and noticed that BOCore was running too (even though it has stopped working correctly), so I ended the task for it as well (as noted in the AV, FW, AMW disabling instructions).
ComboFix started to run as per the instructions, with a Dos Window and then prompts through popup windows. It made it to the Query Window "ComboFix has detected that this machine does not have the 'WINDOWS RECOVERY CONSOLE'. It would be in your BEST INTEREST to have it installed. Would you like to do so now? *Note* -This requires an active internet connection." Since the internet would be required, I plugged the network cable back in for the internet connection and then clicked Yes on the Query Window. Shortly after, an Error Window came up stating that the Recovery Console installation failed. While I was typing this up the Error Window disappeared along with the Taskbar, so I tried looking to see if it was under the Dos Window to make sure what the Error Window stated to relay it in this note. I then realized that the scan was already running and on Stage_32. I then remembered that if the scan was running I was not supposed to click on the window, and that the desktop might disappear during the scan as part of the normal process, which might be why the Error Window disappeared as well. When I clicked on the Dos Window, the scan went from Stage_32 to Stage_32A.
Sorry, the memory is not as good as it once was. Hopefully this didn't mess up the scan. Let me know if you need me to restart the scan with ComboFix and also what I should do to fix the Recovery Console installation failure. Many, many thanks again for the help. Hope your weekend is going well.
Hi SBDad
It's possible that recovery console installation must be done later if malware is still blocking the connection. Let ComboFix finish and then post back its log & a fresh hjt log :)
Hi Blade81. Thanks :) . The forum logged me out again; is there a way to increase the timeout?
Here's what happened since the last post (I'm listing all of the steps so you know what I did and encountered, and to help with future assistance to anyone):
During the process, ComboFix rebooted the computer. I logged back in and ComboFix restarted, but since the computer rebooted ZA and SD TeaTimer restarted as well (I cannot run SB so I can't shut down the TeaTimer). The Dos window came up with "Preparing Log Report. Do not run any programs until ComboFix has finished." and a Warning Window came up that stated "ComboFix has detected the following real time scanner(s) to be active: *ZoneAlarm Security Suite Antivirus. Antivirus and intrusion prevention programs are known to interfere with ComboFix's running. This may lead to unpredictable results or possible machine damage. Please disable these scanners before clicking 'OK'." Not to mention the numerous SB popups detecting registry changes.
I unplugged the network cable and shut down ZA and the SysTray icon did disappear, and this time the TeaTimer icon stayed. I was able to right click on the TeaTimer icon and uncheck the Resident, and then right click again and shut down the Resident.
I ran Task Manager to verify and found both TeaTimer.exe and BOCore.exe, so I ended both tasks.
I then clicked on the Warning Window's OK to finish ComboFix.
After a bit, the following line came up in the Dos window: Find3M= FINDSTR: Cannot open temp01
Of course I tried very carefully to be patient, and finally the log.txt window (in Notepad) appeared.
*****************************************************
Here's the ComboFix log:
ComboFix 08-12-26.03 - Brian 2008-12-28 14:19:45.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.255.97 [GMT -5:00]
Running from: c:\documents and settings\Brian\Desktop\CombiFxx.exe
Command switches used :: c:\documents and settings\Brian\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\program files\asembl~1
c:\program files\asembl~1\?vchost.exe
c:\program files\Common Files\{3C6A5~1
c:\program files\dobe~1
c:\program files\dobe~1\WNSXS~1\ctxad-530.0000
c:\program files\dobe~1\WNSXS~1\ctxad-530.0001
c:\program files\dobe~1\WNSXS~1\ctxad-530.0002
c:\program files\dobe~1\WNSXS~1\ctxad-530.0003
c:\program files\dobe~1\WNSXS~1\ctxad-530.0004
c:\program files\dobe~1\WNSXS~1\ctxad-530.0005
c:\program files\dobe~1\wuauclt.exe
c:\windows\IE4 Error Log.txt
c:\windows\msettings.ini
c:\windows\system32\bb1.dat
c:\windows\system32\cmds.txt
c:\windows\system32\cs.dat
c:\windows\system32\dl.txt
c:\windows\system32\drivers\TDSSpqxt.sys
c:\windows\system32\mdm.exe
c:\windows\system32\ps1.dat
c:\windows\system32\rc.dat
c:\windows\system32\tb.dr
c:\windows\system32\tyshb36rfjdf.dll
c:\windows\system32\unsvchosts.lzma
c:\windows\system32\vgf32.dll
c:\windows\system32\wapiit.exe
----- BITS: Possible infected sites -----
hxxp://auf-jeder.com
c:\windows\system32\userinit.exe . . . is infected!!
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_CMDSERVICE
-------\Legacy_COM+_MESSAGES
-------\Legacy_CORE
-------\Legacy_NETWORK_MONITOR
-------\Legacy_TDSSSERV.SYS
-------\Legacy_TNIDRIVER
-------\Service_TnIDriver
((((((((((((((((((((((((( Files Created from 2008-11-28 to 2008-12-28 )))))))))))))))))))))))))))))))
.
2100-02-23 14:35 . 2001-02-22 09:54 768 --a------ c:\windows\x73_lut.dat
2100-02-08 15:53 . 2007-01-15 15:24 1,441 --a------ c:\windows\GtX73.ini
2008-12-19 00:06 . 2008-12-19 00:06 73,728 --a------ c:\windows\system32\TDSScfum.dll
2008-12-19 00:06 . 2008-12-19 00:06 31,232 --a------ c:\windows\system32\TDSSriqp.dll
2008-12-19 00:06 . 2008-12-19 00:06 29,696 --a------ c:\windows\system32\TDSSnrsr.dll
2008-12-19 00:06 . 2008-12-19 00:06 2,710 --a------ c:\windows\system32\TDSSlxwp.dll
2008-12-19 00:06 . 2008-12-19 00:06 441 --a------ c:\windows\system32\TDSSosvd.dat
2008-12-19 00:05 . 2008-12-19 00:06 35,840 --a------ c:\windows\system32\TDSSofxh.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-28 20:28 35,664,416 --sha-w c:\windows\system32\drivers\fidbox.dat
2008-12-28 20:09 2,004,768 --sha-w c:\windows\system32\drivers\fidbox2.dat
2008-12-28 19:31 479,576 --sha-w c:\windows\system32\drivers\fidbox.idx
2008-12-28 19:31 189,944 --sha-w c:\windows\system32\drivers\fidbox2.idx
2008-12-19 04:43 --------- d-----w c:\documents and settings\Brian\Application Data\MailFrontier
2008-11-23 04:57 --------- d-----w c:\program files\Spybot - Search & Destroy
2006-06-08 17:44 116,432 -c--a-w c:\documents and settings\Ashley\Application Data\GDIPFONTCACHEV1.DAT
2006-05-13 15:31 116,432 ----a-w c:\documents and settings\Samantha\Application Data\GDIPFONTCACHEV1.DAT
2003-03-13 18:12 69,344 ----a-w c:\documents and settings\Cheryl\Application Data\GDIPFONTCACHEV1.DAT
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 70,816 2003-11-10 18:30:02 c:\program files\Common Files\Symantec Shared\bak\ccApp.exe
----a-w 218,240 2004-08-05 21:23:14 c:\program files\Common Files\Symantec Shared\Security Center\bak\UsrPrmpt.exe
----a-w 172,122 2001-08-30 09:00:00 c:\program files\Creative\SBLive\Creative Diagnostics 2.0\bak\DIAGENT.EXE
----a-w 102,400 2001-03-28 01:00:00 c:\program files\Creative\SBLive\Program\bak\AHQInit.exe
----a-w 49,152 2004-09-13 20:49:00 c:\program files\HP\HP Software Update\bak\HPWuSchd2.exe
----a-w 49,152 2004-09-13 19:49:00 c:\program files\HP\HP Software Update\hpwuSchd2.exe
----a-w 278,528 2005-10-06 23:03:14 c:\program files\iTunes\bak\iTunesHelper.exe
----a-w 53,248 2001-07-11 17:08:38 c:\program files\LexmarkX73\bak\AcBtnMgr_X73.exe
----a-w 53,248 2001-10-08 21:21:28 c:\program files\LexmarkX73\bak\ACMonitor_X73.exe
----a-w 204,800 2004-06-03 08:50:07 c:\program files\Microsoft IntelliPoint\bak\point32.exe
----a-w 155,648 2006-02-09 02:05:33 c:\program files\QuickTime\bak\qttask.exe
----a-w 1,415,824 2005-05-31 06:04:00 c:\program files\Spybot - Search & Destroy\bak\TeaTimer.exe
--sha-r 1,833,296 2008-09-16 16:16:08 c:\program files\Spybot - Search & Destroy\TeaTimer.exe
----a-w 163,840 2001-09-23 15:14:48 c:\windows\bak\DELLMMKB.EXE
----a-w 13,312 2002-08-29 10:41:22 c:\windows\system32\bak\ctfmon.exe
----a-w 15,360 2004-08-04 07:56:48 c:\windows\system32\ctfmon.exe
----a-w 36,864 2001-10-12 07:42:53 c:\windows\system32\spool\drivers\w32x86\3\bak\printray.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Lexmark X73 Button Monitor"="c:\progra~1\LEXMAR~1\ACMonitor_X73.exe" [N/A]
"Lexmark X73 Button Manager"="c:\progra~1\LEXMAR~1\AcBtnMgr_X73.exe" [N/A]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 919280]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-10-29 4620288]
"BOC-425"="c:\progra~1\Comodo\CBOClean\BOC425.exe" [2007-08-08 338432]
"zzzHPSETUP"="F:\Setup.exe" [N/A]
"nwiz"="nwiz.exe" [2004-10-29 c:\windows\system32\nwiz.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Photo TurboBackup"="c:\program files\FileStream\Photo TurboBackup\pbksche.exe" [2005-09-15 512000]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
America Online 8.0 Tray Icon.lnk.disabled [2005-06-03 838]
AOL Companion.lnk.disabled [2005-12-28 1646]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 258048]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ctmp3"= c:\windows\System32\ctmp3.acm
"aux"= ctwdm32.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BlackICE PC Protection.lnk.disabled]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BlackICE PC Protection.lnk.disabled
backup=c:\windows\pss\BlackICE PC Protection.lnk.disabledCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Camio Viewer 2000.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Camio Viewer 2000.lnk
backup=c:\windows\pss\Camio Viewer 2000.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
backup=c:\windows\pss\Microsoft Works Calendar Reminders.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Portfolio]
--a------ 2000-08-08 15:00 311350 c:\program files\Microsoft Works\WksSb.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2004-10-29 16:50 4620288 c:\windows\system32\nvcpl.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2004-10-29 16:50 86016 c:\windows\system32\nvmctray.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-07-12 03:00 132496 c:\program files\Java\jre1.6.0_02\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"BlackICE"=2 (0x2)
"navapsvc"=2 (0x2)
"ccSetMgr"=2 (0x2)
"SymWSC"=2 (0x2)
"Symantec Core LC"=2 (0x2)
"SBService"=2 (0x2)
"SAVScan"=2 (0x2)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows\System32\ctfmon.exe
"MoneyStartUp"=c:\program files\Microsoft Money\System\Money Startup.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"AdaptecDirectCD"="c:\program files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"SunJavaUpdateSched"=c:\program files\Java\j2re1.4.2_05\bin\jusched.exe
"UpdReg"=c:\windows\Updreg.exe
"WorksFUD"=c:\program files\Microsoft Works\wkfud.exe
"{3C6A5D37-0766-1033-0918-010516010001}"="c:\program files\Common Files\{3C6A5D37-0766-1033-0918-010516010001}\Update.exe" te-110-12-0000213
"AHQInit"=c:\program files\Creative\SBLive\Program\AHQInit.exe
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe"
"DellTouch"=c:\windows\DELLMMKB.EXE
"DIAGENT"=c:\program files\Creative\SBLive\Creative Diagnostics 2.0\DIAGENT.EXE startup
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
R0 sonyhcb;Sony Digital Imaging Base;c:\windows\system32\DRIVERS\sonyhcb.sys [2003-07-13 6097]
R1 hll_evlula;hll_evlula;\??\c:\program files\Common Files\System\hll_evlula32.dll [2008-11-22 19456]
R3 Msikbd2k;DellTouch;c:\windows\system32\DRIVERS\msikbd2k.sys [2002-12-29 6942]
S3 F-Secure Standalone Minifilter;F-Secure Standalone Minifilter;\??\c:\docume~1\Brian\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fsgk.sys []
S3 RapDrv;RapDrv;\??\c:\windows\System32\drivers\RapDrv.sys [2003-08-11 104636]
S3 RapFile;RapFile;\??\c:\windows\System32\drivers\RapFile.sys [2003-01-27 36644]
S3 RapNet;RapNet;\??\c:\windows\System32\drivers\RapNet.sys [2003-01-27 24344]
S3 sonyhcs;Sony Digital Imaging Video;c:\windows\system32\DRIVERS\sonyhcs.sys [2003-07-13 299923]
.
Contents of the 'Scheduled Tasks' folder
2004-01-10 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2004-01-02 14:20]
.
- - - - ORPHANS REMOVED - - - -
BHO-{D5BF49A2-94F1-42BD-F434-3604812C807D} - (no file)
.
------- Supplementary Scan -------
.
uStart Page = hxxp://antwrp.gsfc.nasa.gov/apod/
mSearch Bar =
uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/
IE: &Define - c:\program files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
IE: Look Up in &Encyclopedia - c:\program files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-28 15:28:05
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TDSSserv.sys]
"imagepath"="\systemroot\system32\drivers\TDSSpqxt.sys"
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\Nhksrv.exe
c:\windows\system32\PackethSvc.exe
c:\windows\system32\CTSVCCDA.EXE
c:\windows\system32\nvsvc32.exe
c:\windows\wanmpsvc.exe
c:\windows\system32\devldr32.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-12-28 15:36:43 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-28 20:36:36
Pre-Run: 41,481,265,152 bytes free
Post-Run: 41,315,061,760 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
235
*****************************************************
Here's a fresh hjt log:
Logfile of HijackThis v1.99.1
Scan saved at 03:46:55 PM, on 12/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HijackThis\Scan.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://antwrp.gsfc.nasa.gov/apod/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BOC-425] C:\PROGRA~1\Comodo\CBOClean\BOC425.exe
O4 - HKLM\..\Run: [zzzHPSETUP] F:\Setup.exe \RESET
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk.disabled
O4 - Global Startup: AOL Companion.lnk.disabled
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/et1_x.cab
O16 - DPF: Yahoo! Go Fish - http://download.games.yahoo.com/games/clients/y/zt3_x.cab
O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/games/clients/y/grt5_x.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt1_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: Yahoo! Spelldown - http://download.games.yahoo.com/games/clients/y/sdt1_x.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1190949702406
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
*****************************************************
Thanks again Blade81 for the help!
Hi
Disable Spybot's TeaTimer to make sure it won't interfere with fixes. You can re-enable it when you're clean again:
Run Spybot-S&D in Advanced Mode. If it is not already set to do this, go to the Mode menu and select Advanced Mode.
On the left hand side, click on Tools, then click on the Resident icon in the list.
Uncheck Resident TeaTimer and OK any prompts.
Restart your computer
Download ResetTeaTimer.bat to the Desktop (right click the link and select save)
http://downloads.subratam.org/ResetTeaTimer.bat
Double click ResetTeaTimer.bat to remove all entries set by TeaTimer (and prevent TeaTimer from restoring them upon reactivation).
Upload the following files to http://www.virustotal.com and post back the scanning results:
c:\windows\x73_lut.dat
c:\windows\GtX73.ini
c:\windows\system32\userinit.exe
Open notepad and copy/paste the text in the quotebox below into it:
Driver::
hll_evlula
TDSSserv.sys
File::
c:\windows\system32\TDSScfum.dll
c:\windows\system32\TDSSriqp.dll
c:\windows\system32\TDSSnrsr.dll
c:\windows\system32\TDSSlxwp.dll
c:\windows\system32\TDSSosvd.dat
c:\windows\system32\TDSSofxh.dll
c:\program files\Common Files\System\hll_evlula32.dll
c:\windows\system32\drivers\TDSSpqxt.sys
Save this as CFScript
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.
Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...
Updating Java:
Download the latest version of Java Runtime Environment (JRE) 6 Update 11 (http://java.sun.com/javase/downloads/index.jsp).
Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications."
Click the Download button to the right.
Select Windows on platform combobox and check the box that says:
Accept License Agreement. Click continue.
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u11-windows-i586-p.exe to install the newest version. Note: Uncheck MSN toolbar option if you don't want to install it.
Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.
Double-click ATF Cleaner.exe to open it
Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.
If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
Click Exit on the Main menu to close the program.
Please run an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/virusscanner) as instructed in the screenshot here (http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif).
Post back its report, a fresh hjt log and above mentioned ComboFix resultant log.
Hi Blade81. Thanks again.
I'll see if I can open Spybot now; after the MS AV2009 infection I could no longer open/run it, even though the TeaTimer would show up in the SysTray. I tried to run it from the desktop icon, the Start Menu icon, and the TeaTimer icon to no avail. Also the infection hid all the exe files and removed the Folder Options menu item under Tools in Explorer, so I couldn't re-check the 'Show Hidden Files and Folders' box to see the exe and try to run Spybot from there. That's why I couldn't disable the TeaTimer other than stopping it after it started.
I'll download the items and report back on the Spybot issue. Thanks again!
Ok. Shall wait for your input :)
Hi Blade81. Thanks again. I almost made it through all of the steps; the system BSoD'ed on the Kaspersky scanner, so I'll wait to hear back what the next step should be. Here's the latest update (sorry for the length):
I am now able to run Spybot, so I was able to disable the TeaTimer. Restarted computer.
I also thought to disable the firewall/virus protection (as per previous instructions) so I disabled ZoneAlarm as well, even though it is not listed. I did this by unchecking "Load ZoneAlarm Security Suite at startup" in Overview--Preferences tab-General section, then right-click on the SysTray icon and shutdown ZoneAlarm.
Ran the file ResetTeaTimer.bat.
Copied the requested files to a flash drive and uploaded from the flash drive to virustotal.com; see results below.
The file userinit.exe came up "File has already been analysed" so I have the last report if you need it, but I clicked "Reanalyse file now" and posted those results below.
I think the X73 files are for the Lexmark X73 printer, but better safe than sorry.
Created the text file CFScript.txt, copied it to a flash drive and then onto the home computer's desktop, closed all windows, then dragged the file onto CombiFxx and let ComboFix run; see log below.
Sun Java
Downloaded latest JRE (the steps are a little different than you listed), copied to a flash drive, and copied to the home computer desktop.
Removed Java 2 Runtime Environment, SE v1.4.2_05, 137.00MB.
Removed Java(TM) 6 Update 2, 133.00MB.
Restarted the computer.
Ran the file jre-6u11-windows-i586-p.exe from the desktop, but there was no option for the MSN toolbar. (I was going to update Java shortly before the infection, but alas it was not to be at the time :) .)
The installation requested an internet connection, so I plugged the network cable back in and verified the connection, but I never saw anything come of the request for internet.
Downloaded the Atribune Temp File Cleaner to a flash drive, copied it to the desktop, and performed the requested task.
Freed 6,736.000 KBs. I don't use Firefox or Opera (yet :) ).
As a side note, I think the Cache Cleaner in ZoneAlarm takes care of most of these and maybe a few more, but I'm not sure if it covers all of the listed items.
Kaspersky Online Scanner
The network cable was still plugged in with an active connection (from the Java update), so I was able to run this.
For some reason now all of the pictures in IE have an icon in place of them where you need to right-click and click Show Picture, but this doesn't work in the separate window that opens for the KOS v7.0.
I wasn't sure which scans you wanted me to run (i.e. Critical Areas, My Computer, Folder..., File...), so I ran the My Computer scan.
About 30 minutes into the scan a window came up stating that "ScanningProcess.exe has encountered a problem and needs to close....", so I clicked on 'Don't Send' and the scan then continued on.
Left the scan running overnight. The next morning found it was hung and not progressing anymore. Time was stuck at 02:42:39. Clicked on Stop Scan but it did not work.
Rebooted the computer, opened IE and typed in the Kaspersky address.
During the kaspersky webpage opening, the computer blue-screened with the following:
*** STOP: 0X00000024 (0X001902FE, 0XF5F184D8, 0XF5F181D4, 0XF98D383F)
*** Ntfs.sys - Address F98D383F base at F98AD000, DateStamp 45cc5656a7
P.S. I was wondering if I shouldn't go to Add/Remove programs and remove Comodo BOClean since at every boot up a window comes up stating that "Comodo BOClean has encountered a problem and needs to close....", not to mention I haven't been able to update it in a while. After each bootup during this process I have been going to TaskManager and end the BOCore task.
****************************************************************************************
Here are the results from VirusTotal (reformatted for readability):
=========================================================
File GtX73.ini received on 12.30.2008 04:33:18 (CET)
Current status: finished
Result: 0/39 (0%)
Antivirus Version Last Update Result
a-squared 4.0.0.73 2008.12.30 -
AhnLab-V3 2008.12.25.0 2008.12.30 -
AntiVir 7.9.0.45 2008.12.29 -
Authentium 5.1.0.4 2008.12.29 -
Avast 4.8.1281.0 2008.12.29 -
AVG 8.0.0.199 2008.12.29 -
BitDefender 7.2 2008.12.30 -
CAT-QuickHeal 10.00 2008.12.30 -
ClamAV 0.94.1 2008.12.30 -
Comodo 837 2008.12.29 -
DrWeb 4.44.0.09170 2008.12.30 -
eSafe 7.0.17.0 2008.12.28 -
eTrust-Vet 31.6.6281 2008.12.29 -
Ewido 4.0 2008.12.29 -
F-Prot 4.4.4.56 2008.12.29 -
F-Secure 8.0.14470.0 2008.12.30 -
Fortinet 3.117.0.0 2008.12.30 -
GData 19 2008.12.30 -
Ikarus T3.1.1.45.0 2008.12.30 -
K7AntiVirus 7.10.569 2008.12.29 -
Kaspersky 7.0.0.125 2008.12.30 -
McAfee 5478 2008.12.29 -
McAfee+Artemis 5478 2008.12.29 -
Microsoft 1.4205 2008.12.29 -
NOD32 3722 2008.12.29 -
Norman 5.80.02 2008.12.29 -
Panda 9.0.0.4 2008.12.29 -
PCTools 4.4.2.0 2008.12.29 -
Prevx1 V2 2008.12.30 -
Rising 21.10.02.00 2008.12.29 -
SecureWeb-Gateway 6.7.6 2008.12.29 -
Sophos 4.37.0 2008.12.30 -
Sunbelt 3.2.1809.2 2008.12.22 -
Symantec 10 2008.12.30 -
TheHacker 6.3.1.4.201 2008.12.28 -
TrendMicro 8.700.0.1004 2008.12.29 -
VBA32 3.12.8.10 2008.12.28 -
ViRobot 2008.12.30.1539 2008.12.30 -
VirusBuster 4.5.11.0 2008.12.29 -
Additional information
File size: 1441 bytes
MD5...: 57cabaff52940fc6dfb15b1542987cd3
SHA1..: d82411d4954f66c067574d3700b6751b4be4b23b
SHA256: 92c42835d5f257493a3bf255446bf6394533e42b811555613556b91ff68b968f
SHA512: e11b23ec1b14034e168e95435ef46222b581784940478451772aa3c5b0c7053c
dcc11fcdb1ad60d8e49e1447f1e33b450affcfbb0acf8b9ecdb1bee9c3432453
ssdeep: 24:8h/Kv9I12il2BLs3sAsTIlH3jaKUhcXk0sOuuf5IErKMRMGUb/09nTHh23WL9
jug:8h/Kv9I12iiW7ScXVyWPnuA9tfh
PEiD..: -
TrID..: File type identification
Generic INI configuration (100.0%)
PEInfo: -
=========================================================
File userinit.exe received on 12.30.2008 05:11:18 (CET)
Current status: Loading ... finished
Result: 0/39 (0%)
Antivirus Version Last Update Result
a-squared 4.0.0.73 2008.12.30 -
AhnLab-V3 2008.12.25.0 2008.12.30 -
AntiVir 7.9.0.45 2008.12.29 -
Authentium 5.1.0.4 2008.12.29 -
Avast 4.8.1281.0 2008.12.29 -
AVG 8.0.0.199 2008.12.29 -
BitDefender 7.2 2008.12.30 -
CAT-QuickHeal 10.00 2008.12.30 -
ClamAV 0.94.1 2008.12.30 -
Comodo 837 2008.12.29 -
DrWeb 4.44.0.09170 2008.12.30 -
eSafe 7.0.17.0 2008.12.28 -
eTrust-Vet 31.6.6281 2008.12.29 -
Ewido 4.0 2008.12.29 -
F-Prot 4.4.4.56 2008.12.29 -
F-Secure 8.0.14470.0 2008.12.30 -
Fortinet 3.117.0.0 2008.12.30 -
GData 19 2008.12.30 -
Ikarus T3.1.1.45.0 2008.12.30 -
K7AntiVirus 7.10.569 2008.12.29 -
Kaspersky 7.0.0.125 2008.12.30 -
McAfee 5478 2008.12.29 -
McAfee+Artemis 5478 2008.12.29 -
Microsoft 1.4205 2008.12.29 -
NOD32 3722 2008.12.29 -
Norman 5.80.02 2008.12.29 -
Panda 9.0.0.4 2008.12.29 -
PCTools 4.4.2.0 2008.12.29 -
Prevx1 V2 2008.12.30 -
Rising 21.10.02.00 2008.12.29 -
SecureWeb-Gateway 6.7.6 2008.12.29 -
Sophos 4.37.0 2008.12.30 -
Sunbelt 3.2.1809.2 2008.12.22 -
Symantec 10 2008.12.30 -
TheHacker 6.3.1.4.201 2008.12.28 -
TrendMicro 8.700.0.1004 2008.12.30 -
VBA32 3.12.8.10 2008.12.28 -
ViRobot 2008.12.30.1539 2008.12.30 -
VirusBuster 4.5.11.0 2008.12.29 -
Additional information
File size: 24576 bytes
MD5...: 39b1ffb03c2296323832acbae50d2aff
SHA1..: e5aedcbe25a97c89101f1f3860ff846e94d70445
SHA256: 5b5d71718108e132d10bafb0c217f469a1e3cc13f79ff8d9cbe3bf4918aff7b7
SHA512: ae81b19b8d778a368cf460016a9678676dfd7b8bfdeb236e8f87ef9a6c755323
227b340924d0713698350ce30bb0b3d09789c90897710cd48b3fe84ddca4a551
ssdeep: 384:DNkhB/JD1CzaxzOV6s9cKmdPGFQ273eLXVBYkkjuv1hkNLdbaLa4CwUJuUCS
F4WL:gJDUaxgu5YEVBxkjuv7wbaLa4PU4b7
PEiD..: -
TrID..: File type identification
Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x10050e5
timedatestamp.....: 0x41107b78 (Wed Aug 04 06:00:24 2004)
machinetype.......: 0x14c (I386)
( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x4db8 0x4e00 6.01 16aee663ed180007a0bf5bf24b845096
.data 0x6000 0x14c 0x200 1.86 cbb599f9267bf53209039d14a3574eb1
.rsrc 0x7000 0xb60 0xc00 3.27 b388ab1541ccd9727979fb26a23f72e1
( 7 imports )
> USER32.dll: CreateWindowExW, DestroyWindow, RegisterClassExW, DefWindowProcW, LoadRemoteFonts, wsprintfW, GetSystemMetrics, GetKeyboardLayout, SystemParametersInfoW, GetDesktopWindow, LoadStringW, MessageBoxW, ExitWindowsEx, CharNextW
> ADVAPI32.dll: RegOpenKeyExA, ReportEventW, RegisterEventSourceW, DeregisterEventSource, OpenProcessToken, RegCreateKeyExW, RegSetValueExW, GetUserNameW, RegQueryValueExW, RegOpenKeyExW, RegQueryInfoKeyW, RegCloseKey, RegQueryValueExA
> CRYPT32.dll: CryptProtectData
> WINSPOOL.DRV: SpoolerInit
> ntdll.dll: RtlLengthSid, RtlCopySid, _itow, RtlFreeUnicodeString, DbgPrint, wcslen, wcscpy, wcscat, wcscmp, RtlInitUnicodeString, NtOpenKey, NtClose, _wcsicmp, memmove, NtQueryInformationToken, RtlConvertSidToUnicodeString
> msvcrt.dll: _controlfp, _except_handler3, __set_app_type, __p__fmode, __p__commode, __setusermatherr, __getmainargs, _acmdln, exit, _cexit, _XcptFilter, _exit, _c_exit, _initterm, _adjust_fdiv
> KERNEL32.dll: GetVersionExW, LocalFree, LocalAlloc, GetEnvironmentVariableW, SetEnvironmentVariableW, lstrlenW, lstrcpyW, FreeLibrary, GetProcAddress, LoadLibraryW, CompareFileTime, CloseHandle, lstrcatW, WaitForSingleObject, DelayLoadFailureHook, GetStartupInfoA, GetModuleHandleA, SetUnhandledExceptionFilter, UnhandledExceptionFilter, TerminateProcess, GetSystemTimeAsFileTime, GetCurrentThreadId, GetTickCount, QueryPerformanceCounter, LoadLibraryA, InterlockedCompareExchange, LocalReAlloc, GetSystemTime, lstrcmpW, GetCurrentThread, SetThreadPriority, CreateThread, GetFileAttributesExW, GetSystemDirectoryW, SetCurrentDirectoryW, FormatMessageW, lstrcmpiW, GetCurrentProcess, GetUserDefaultLangID, GetCurrentProcessId, ExpandEnvironmentStringsW, SetEvent, OpenEventW, Sleep, GetLastError, SearchPathW, CreateProcessW
( 0 exports )
=========================================================
File X73_DS.ini received on 12.30.2008 05:24:12 (CET)
Current status: Loading ... finished
Result: 0/39 (0%)
Antivirus Version Last Update Result
a-squared 4.0.0.73 2008.12.30 -
AhnLab-V3 2008.12.25.0 2008.12.30 -
AntiVir 7.9.0.45 2008.12.29 -
Authentium 5.1.0.4 2008.12.29 -
Avast 4.8.1281.0 2008.12.29 -
AVG 8.0.0.199 2008.12.29 -
BitDefender 7.2 2008.12.30 -
CAT-QuickHeal 10.00 2008.12.30 -
ClamAV 0.94.1 2008.12.30 -
Comodo 837 2008.12.29 -
DrWeb 4.44.0.09170 2008.12.30 -
eSafe 7.0.17.0 2008.12.28 -
eTrust-Vet 31.6.6281 2008.12.29 -
Ewido 4.0 2008.12.29 -
F-Prot 4.4.4.56 2008.12.29 -
F-Secure 8.0.14470.0 2008.12.30 -
Fortinet 3.117.0.0 2008.12.30 -
GData 19 2008.12.30 -
Ikarus T3.1.1.45.0 2008.12.30 -
K7AntiVirus 7.10.569 2008.12.29 -
Kaspersky 7.0.0.125 2008.12.30 -
McAfee 5478 2008.12.29 -
McAfee+Artemis 5478 2008.12.29 -
Microsoft 1.4205 2008.12.29 -
NOD32 3722 2008.12.29 -
Norman 5.80.02 2008.12.29 -
Panda 9.0.0.4 2008.12.29 -
PCTools 4.4.2.0 2008.12.29 -
Prevx1 V2 2008.12.30 -
Rising 21.10.02.00 2008.12.29 -
SecureWeb-Gateway 6.7.6 2008.12.29 -
Sophos 4.37.0 2008.12.30 -
Sunbelt 3.2.1809.2 2008.12.22 -
Symantec 10 2008.12.30 -
TheHacker 6.3.1.4.201 2008.12.28 -
TrendMicro 8.700.0.1004 2008.12.30 -
VBA32 3.12.8.10 2008.12.30 -
ViRobot 2008.12.30.1539 2008.12.30 -
VirusBuster 4.5.11.0 2008.12.29 -
Additional information
File size: 288 bytes
MD5...: 949264f8c9a4fe5c8033a1bf0065385e
SHA1..: e722abadbfbd4e5ce25830b9644e3ef5fad77151
SHA256: c9594f6e0a634dc44c2c0e0fa1ad3bd38743a2f3353a838643d774c2195c4439
SHA512: 29abf8d2847a5f79060dfe824f68b650cc40d0db4e5a698f39ca6f013f20efa4
d543db8abfbebdee9700eb5c4c20fc5623bd32b312d260f123b2ed2c4d9c92ac
ssdeep: 6:l1m5U9GdIY3lIXoKLe+9U/dn6cp1yUfbYAGARZP/n:l1mJdIXYie+9Udn/1yUj
Y3ARZP/n
PEiD..: -
TrID..: File type identification
file seems to be plain text/ASCII (0.0%)
PEInfo: -
=========================================================
File x73_lut.dat received on 12.30.2008 05:34:21 (CET)
Current status: Loading ... finished
Result: 0/37 (0%)
Antivirus Version Last Update Result
a-squared 4.0.0.73 2008.12.30 -
AhnLab-V3 2008.12.25.0 2008.12.30 -
AntiVir 7.9.0.45 2008.12.29 -
Authentium 5.1.0.4 2008.12.29 -
Avast 4.8.1281.0 2008.12.29 -
AVG 8.0.0.199 2008.12.29 -
BitDefender 7.2 2008.12.30 -
CAT-QuickHeal 10.00 2008.12.30 -
ClamAV 0.94.1 2008.12.30 -
Comodo 837 2008.12.29 -
DrWeb 4.44.0.09170 2008.12.30 -
eSafe 7.0.17.0 2008.12.28 -
eTrust-Vet 31.6.6281 2008.12.29 -
Ewido 4.0 2008.12.29 -
F-Prot 4.4.4.56 2008.12.29 -
Fortinet 3.117.0.0 2008.12.30 -
GData 19 2008.12.30 -
Ikarus T3.1.1.45.0 2008.12.30 -
K7AntiVirus 7.10.569 2008.12.29 -
Kaspersky 7.0.0.125 2008.12.30 -
McAfee 5478 2008.12.29 -
McAfee+Artemis 5478 2008.12.29 -
Microsoft 1.4205 2008.12.29 -
NOD32 3722 2008.12.29 -
Norman 5.80.02 2008.12.29 -
Panda 9.0.0.4 2008.12.29 -
PCTools 4.4.2.0 2008.12.29 -
Rising 21.10.02.00 2008.12.29 -
SecureWeb-Gateway 6.7.6 2008.12.29 -
Sophos 4.37.0 2008.12.30 -
Sunbelt 3.2.1809.2 2008.12.22 -
Symantec 10 2008.12.30 -
TheHacker 6.3.1.4.201 2008.12.28 -
TrendMicro 8.700.0.1004 2008.12.30 -
VBA32 3.12.8.10 2008.12.30 -
ViRobot 2008.12.30.1539 2008.12.30 -
VirusBuster 4.5.11.0 2008.12.29 -
Additional information
File size: 768 bytes
MD5...: 244a70f5e1b299bbec2167d83c6349f2
SHA1..: 2039d2d5e8752a598b5873d7333b6f41f2a598f3
SHA256: 14e8cb0e012de29c114113185b2ab34d720c693e8bdeb89e595f2002b41e49a9
SHA512: c3728e31a4610cf5d5308541f143c3e6996ede653cee37a87a1aaf512906501c
a84707c86df3e690b9765991513a6419cffa2c54ee0683bb40edf88794364e01
ssdeep: 12:EmYyCF10j5SfG9zmorO0+D3mBADAO2QQQkGTUCNDUD/ux7fsphm9G+56u08GO
5Du:/CMS+Tv+D3m20F15aUCQuVsPmbkgpJrk
PEiD..: -
TrID..: File type identification
Unknown!
PEInfo: -
****************************************************************************************
Here's the ComboFix log:
ComboFix 08-12-26.03 - Brian 2008-12-29 23:55:40.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.255.37 [GMT -5:00]
Running from: c:\documents and settings\Brian\Desktop\CombiFxx.exe
Command switches used :: c:\documents and settings\Brian\Desktop\CFScript.txt
AV: ZoneAlarm Security Suite Antivirus *On-access scanning disabled* (Outdated)
FW: ZoneAlarm Security Suite Firewall *disabled*
* Created a new restore point
FILE ::
c:\program files\Common Files\System\hll_evlula32.dll
c:\windows\system32\drivers\TDSSpqxt.sys
c:\windows\system32\TDSScfum.dll
c:\windows\system32\TDSSlxwp.dll
c:\windows\system32\TDSSnrsr.dll
c:\windows\system32\TDSSofxh.dll
c:\windows\system32\TDSSosvd.dat
c:\windows\system32\TDSSriqp.dll
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\Common Files\System\hll_evlula32.dll
c:\windows\system32\TDSScfum.dll
c:\windows\system32\TDSSlxwp.dll
c:\windows\system32\TDSSnrsr.dll
c:\windows\system32\TDSSofxh.dll
c:\windows\system32\TDSSosvd.dat
c:\windows\system32\TDSSriqp.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_HLL_EVLULA
-------\Service_hll_evlula
-------\Service_TDSSserv.sys
((((((((((((((((((((((((( Files Created from 2008-11-28 to 2008-12-30 )))))))))))))))))))))))))))))))
.
2100-02-23 14:35 . 2001-02-22 09:54 768 --a------ c:\windows\x73_lut.dat
2100-02-08 15:53 . 2007-01-15 15:24 1,441 --a------ c:\windows\GtX73.ini
2008-11-22 04:15 . 2004-08-04 02:56 24,576 --a------ c:\windows\system32\stu2.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-30 05:07 480,920 --sha-w c:\windows\system32\drivers\fidbox.idx
2008-12-30 05:07 35,750,432 --sha-w c:\windows\system32\drivers\fidbox.dat
2008-12-30 05:07 2,010,400 --sha-w c:\windows\system32\drivers\fidbox2.dat
2008-12-30 05:07 190,592 --sha-w c:\windows\system32\drivers\fidbox2.idx
2008-12-19 04:57 5,070,902 ----a-w c:\windows\Internet Logs\tvDebug.zip
2008-12-19 04:43 --------- d-----w c:\documents and settings\Brian\Application Data\MailFrontier
2008-11-23 04:57 --------- d-----w c:\program files\Spybot - Search & Destroy
2006-06-08 17:44 116,432 -c--a-w c:\documents and settings\Ashley\Application Data\GDIPFONTCACHEV1.DAT
2006-05-13 15:31 116,432 ----a-w c:\documents and settings\Samantha\Application Data\GDIPFONTCACHEV1.DAT
2003-03-13 18:12 69,344 ----a-w c:\documents and settings\Cheryl\Application Data\GDIPFONTCACHEV1.DAT
.
((((((((((((((((((((((((((((( snapshot@2008-12-28_15.32.22.40 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-12-28 20:08:30 52,764 ----a-w c:\windows\system32\perfc009.dat
+ 2008-12-30 02:38:17 52,764 ----a-w c:\windows\system32\perfc009.dat
- 2008-12-28 20:08:31 380,350 ----a-w c:\windows\system32\perfh009.dat
+ 2008-12-30 02:38:17 380,350 ----a-w c:\windows\system32\perfh009.dat
- 2008-12-28 20:20:12 729,048 ----a-w c:\windows\system32\ZoneLabs\avsys\bases\sfdb.dat
+ 2008-12-30 03:04:51 729,048 ----a-w c:\windows\system32\ZoneLabs\avsys\bases\sfdb.dat
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 70,816 2003-11-10 18:30:02 c:\program files\Common Files\Symantec Shared\bak\ccApp.exe
----a-w 218,240 2004-08-05 21:23:14 c:\program files\Common Files\Symantec Shared\Security Center\bak\UsrPrmpt.exe
----a-w 172,122 2001-08-30 09:00:00 c:\program files\Creative\SBLive\Creative Diagnostics 2.0\bak\DIAGENT.EXE
----a-w 102,400 2001-03-28 01:00:00 c:\program files\Creative\SBLive\Program\bak\AHQInit.exe
----a-w 49,152 2004-09-13 20:49:00 c:\program files\HP\HP Software Update\bak\HPWuSchd2.exe
----a-w 49,152 2004-09-13 19:49:00 c:\program files\HP\HP Software Update\hpwuSchd2.exe
----a-w 278,528 2005-10-06 23:03:14 c:\program files\iTunes\bak\iTunesHelper.exe
----a-w 53,248 2001-07-11 17:08:38 c:\program files\LexmarkX73\bak\AcBtnMgr_X73.exe
----a-w 53,248 2001-10-08 21:21:28 c:\program files\LexmarkX73\bak\ACMonitor_X73.exe
----a-w 204,800 2004-06-03 08:50:07 c:\program files\Microsoft IntelliPoint\bak\point32.exe
----a-w 155,648 2006-02-09 02:05:33 c:\program files\QuickTime\bak\qttask.exe
----a-w 1,415,824 2005-05-31 06:04:00 c:\program files\Spybot - Search & Destroy\bak\TeaTimer.exe
--sha-r 1,833,296 2008-09-16 16:16:08 c:\program files\Spybot - Search & Destroy\TeaTimer.exe
----a-w 163,840 2001-09-23 15:14:48 c:\windows\bak\DELLMMKB.EXE
----a-w 13,312 2002-08-29 10:41:22 c:\windows\system32\bak\ctfmon.exe
----a-w 15,360 2004-08-04 07:56:48 c:\windows\system32\ctfmon.exe
----a-w 36,864 2001-10-12 07:42:53 c:\windows\system32\spool\drivers\w32x86\3\bak\printray.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Lexmark X73 Button Monitor"="c:\progra~1\LEXMAR~1\ACMonitor_X73.exe" [N/A]
"Lexmark X73 Button Manager"="c:\progra~1\LEXMAR~1\AcBtnMgr_X73.exe" [N/A]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-10-29 4620288]
"BOC-425"="c:\progra~1\Comodo\CBOClean\BOC425.exe" [2007-08-08 338432]
"zzzHPSETUP"="F:\Setup.exe" [N/A]
"nwiz"="nwiz.exe" [2004-10-29 c:\windows\system32\nwiz.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Photo TurboBackup"="c:\program files\FileStream\Photo TurboBackup\pbksche.exe" [2005-09-15 512000]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
America Online 8.0 Tray Icon.lnk.disabled [2005-06-03 838]
AOL Companion.lnk.disabled [2005-12-28 1646]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 258048]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ctmp3"= c:\windows\System32\ctmp3.acm
"aux"= ctwdm32.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BlackICE PC Protection.lnk.disabled]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BlackICE PC Protection.lnk.disabled
backup=c:\windows\pss\BlackICE PC Protection.lnk.disabledCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Camio Viewer 2000.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Camio Viewer 2000.lnk
backup=c:\windows\pss\Camio Viewer 2000.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
backup=c:\windows\pss\Microsoft Works Calendar Reminders.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Portfolio]
--a------ 2000-08-08 15:00 311350 c:\program files\Microsoft Works\WksSb.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2004-10-29 16:50 4620288 c:\windows\system32\nvcpl.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2004-10-29 16:50 86016 c:\windows\system32\nvmctray.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-07-12 03:00 132496 c:\program files\Java\jre1.6.0_02\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"BlackICE"=2 (0x2)
"navapsvc"=2 (0x2)
"ccSetMgr"=2 (0x2)
"SymWSC"=2 (0x2)
"Symantec Core LC"=2 (0x2)
"SBService"=2 (0x2)
"SAVScan"=2 (0x2)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows\System32\ctfmon.exe
"MoneyStartUp"=c:\program files\Microsoft Money\System\Money Startup.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"AdaptecDirectCD"="c:\program files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"SunJavaUpdateSched"=c:\program files\Java\j2re1.4.2_05\bin\jusched.exe
"UpdReg"=c:\windows\Updreg.exe
"WorksFUD"=c:\program files\Microsoft Works\wkfud.exe
"{3C6A5D37-0766-1033-0918-010516010001}"="c:\program files\Common Files\{3C6A5D37-0766-1033-0918-010516010001}\Update.exe" te-110-12-0000213
"AHQInit"=c:\program files\Creative\SBLive\Program\AHQInit.exe
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe"
"DellTouch"=c:\windows\DELLMMKB.EXE
"DIAGENT"=c:\program files\Creative\SBLive\Creative Diagnostics 2.0\DIAGENT.EXE startup
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
R0 sonyhcb;Sony Digital Imaging Base;c:\windows\system32\DRIVERS\sonyhcb.sys [2003-07-13 6097]
R2 BOCore;BOCore;c:\program files\Comodo\CBOClean\BOCORE.exe [2007-11-28 69632]
R2 Nhksrv;Netropa NHK Server;c:\windows\Nhksrv.exe [2002-12-29 28672]
R2 PackethSvc;Virtual NIC Service;c:\windows\System32\PackethSvc.exe [2002-12-29 64512]
R3 Msikbd2k;DellTouch;c:\windows\system32\DRIVERS\msikbd2k.sys [2002-12-29 6942]
S3 F-Secure Standalone Minifilter;F-Secure Standalone Minifilter;\??\c:\docume~1\Brian\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fsgk.sys []
S3 RapDrv;RapDrv;\??\c:\windows\System32\drivers\RapDrv.sys [2003-08-11 104636]
S3 RapFile;RapFile;\??\c:\windows\System32\drivers\RapFile.sys [2003-01-27 36644]
S3 RapNet;RapNet;\??\c:\windows\System32\drivers\RapNet.sys [2003-01-27 24344]
S3 sonyhcs;Sony Digital Imaging Video;c:\windows\system32\DRIVERS\sonyhcs.sys [2003-07-13 299923]
S4 BlackICE;BlackICE;"c:\program files\ISS\BlackICE\blackd.exe" [2003-08-11 1206665]
S4 F-Secure BlackLight Sensor;F-Secure BlackLight Sensor;c:\docume~1\Brian\LOCALS~1\Temp\F-Secure\Anti-Virus\fsblsrv.exe []
S4 PBKNTService;PBKNTService;c:\program files\FileStream\Photo TurboBackup\PBKNTService.exe [2006-01-05 57344]
.
Contents of the 'Scheduled Tasks' folder
2004-01-10 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2004-01-02 14:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://antwrp.gsfc.nasa.gov/apod/
mSearch Bar =
uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/
IE: &Define - c:\program files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
IE: Look Up in &Encyclopedia - c:\program files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-30 00:10:10
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\devldr32.exe
c:\windows\system32\CTSVCCDA.EXE
c:\windows\system32\nvsvc32.exe
c:\windows\wanmpsvc.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-12-30 0:19:30 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-30 05:19:24
ComboFix2.txt 2008-12-28 20:36:47
Pre-Run: 42,361,987,072 bytes free
Post-Run: 42,284,314,624 bytes free
215
****************************************************************************************
Here's the Kaspersky Online Scanner report:
** Blue screen - not available at this time.
****************************************************************************************
Here's a fresh hjt log:
** Blue screen - not available at this time.
****************************************************************************************
Thanks again Blade81 for the help. I left the BSoD up waiting for what step you'd like next. Thanks again!
Hi
Better uninstall BOClean for now. You may reinstall it later if you want.
Have you defragged the hard drive lately? If not, I recommend doing so. Then please try the Kaspersky online scanner again, making sure the antivirus program is disabled during the scan.
Hi Blade81. Here's what I did:
Logged in as my normal user (which is an Administrator).
Used BOClean's Uninstall to remove the program and verified in Add/Remove Programs that it was gone.
Scheduled an Error Check for the C: drive, rebooted, and let the disk check run on the C: drive.
Rebooted to SafeMode.
Defragmented the C: drive. It was around 8% fragmented, but I ran it anyway.
Rebooted and logged in as my normal user.
Revisited the thought on if any virus scanner was running, then remembered that even though I had shut down ZoneAlarm's firewall and prevented it from loading at startup, ZA Security Suite does have built in Anti-Virus and Anti-Spyware, so I brought ZA back up and turned both the AV and AS off. Shut down ZA again.
Plugged in the network cable, rebooted, and logged in as my normal user.
Started IE. Directed to the Kaspersky web page and clicked on Start Scan.
All of the pictures in IE still have an icon in place of them where you need to right-click and click Show Picture, but this doesn't work in the separate window that opens for KOS v7.0.
After KOS v7.0 window opened and finished the updates, clicked on Scan and selected My Computer.
The scanner is currently running. When finished (fingers crossed) I will post the report and a fresh hjt log as well.
Is there anything else you will need if the scan runs ok other than the fresh hjt log?
Thanks again!!
Hi Blade81. I just checked the home computer to see how the KOS scan was going. It hung again, this time at 00:13:06. It does show 1 Threat names and 2 Infected objects, but it is stuck. Does the graphics issue have anything to do with the issue, or something else? Anything else to try then?
Thanks again and Have a Happy New Year!! :present: :band:
Hi
The graphics problem doesn't necessarily have anything to do with the problem. Anyway, since Kaspersky gets stuck, let's try another scanner.
* Go here (http://www.eset.eu/online-scanner) to run an online scanner from ESET.
Note: You will need to use Internet Explorer for this scan
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the activex control to install
Click Start
Make sure that the option Remove found threats is UNchecked and the option Scan unwanted applications is checkmarked.
Click Scan
Wait for the scan to finish
Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
Copy and paste that log as a reply to this topic, along with a new HijackThis log & a description of any remaining problems
Hi Blade81, Happy New Year!
Thanks again for your help with this.
I clicked on Stop Scan in KOS, waited a while to make sure it had stopped (just in case it was still doing something?), then closed the separate window it was in.
I directed IE to the page in your link, clicked the Yes box, but there was no Start to click.
This is a result of the graphics issue, so I moved the mouse around until it changed, and hoping that this was the link (since I actually couldn't see it), and once the mouse changed I clicked the mouse.
It was the link, but of course the Windows pop-up blocker came up, so I clicked on it to download the ActiveX control. Maybe this is why the scanners are having issues, but I'm not sure how to turn it off or any of the other built-in Windows security s/w. One note is that the Windows Firewall is off as ZA is the firewall (ZA is off too), as I did make sure in the Windows Security Center that all items were off.
Once the ActiveX control loaded, I followed the rest of the steps you listed.
The scan is currently running. Hopefully it will finish. If you need me to stop it to correct any Windows s/w that should be turned off that I forgot, let me know. Thank you very much again for the help!
Shall wait for your input regarding the results :)
Hi Blade81. Here's the logs for ESET and hjt:
****************************************************************************************
Here's the ESET log:
# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3729 (20090101)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=43e242f5135f1c429c58e38cda805831
# end=finished
# remove_checked=false
# unwanted_checked=true
# utc_time=2009-01-01 07:19:55
# local_time=2009-01-01 02:19:55 (-0500, Eastern Standard Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 2
# scanned=1342761
# found=10
# scan_time=12189
C:\Qoobox\Quarantine\C\Program Files\ASEMBL~1\?vchost.exe.vir a variant of Win32/Adware.PurityScan application 9B7EB623628F7811C12BDA9A3E41B22E
C:\Qoobox\Quarantine\C\Program Files\DOBE~1\wuauclt.exe.vir a variant of Win32/TrojanDownloader.PurityScan trojan 674451427EEBC5C595F81AA4BDA8DBB1
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSScfum.dll.vir Win32/Agent.ODG trojan 697DE522509C28C9998D9933E3FA6FB7
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSnrsr.dll.vir Win32/Agent.OIK trojan 0EAF34F90B433A3C5642ECEA7FD70D1F
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSofxh.dll.vir Win32/Agent.ODG trojan 3F28E5E6A394E7F668D701B1F7125B64
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSriqp.dll.vir Win32/Agent.OIK trojan 151FF4CDF759481534A1535F0F03160D
C:\Qoobox\Quarantine\C\WINDOWS\system32\tyshb36rfjdf.dll.vir Win32/TrojanDownloader.Small.NTQ trojan 273CEA4DD4B9F72EF935585266BD59DE
C:\Qoobox\Quarantine\C\WINDOWS\system32\userinit.exe.vir Win32/TrojanDownloader.FakeAlert.TG trojan E854F146BA1C18BB11F8925FA6E5EF2E
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\__.zip Win32/Agent.ODG trojan EA21523530E157FA0AC2ECBCF1DC75E5
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\__.zip »ZIP »TDSSpqxt.sys Win32/Agent.ODG trojan 00000000000000000000000000000000
****************************************************************************************
Here's a fresh hjt log:
Logfile of HijackThis v1.99.1
Scan saved at 05:34:32 PM, on 01/01/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\HijackThis\Scan.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://antwrp.gsfc.nasa.gov/apod/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [zzzHPSETUP] F:\Setup.exe \RESET
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk.disabled
O4 - Global Startup: AOL Companion.lnk.disabled
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/et1_x.cab
O16 - DPF: Yahoo! Go Fish - http://download.games.yahoo.com/games/clients/y/zt3_x.cab
O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/games/clients/y/grt5_x.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt1_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: Yahoo! Spelldown - http://download.games.yahoo.com/games/clients/y/sdt1_x.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/OnlineScanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1190949702406
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
****************************************************************************************
Thanks again Blade81 for the help!
Hi
All ESET findings are in quarantine folder which we'll get rid of a bit later.
Start hjt and fix O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k entry.
Reboot and post a fresh hjt log. How's the system running?
Hi Blade81. I fixed the requested entry in hjt, rebooted, and re-ran hjt. A new log is posted below.
I'm not sure how it's running as I haven't tried to use it yet, other than the requested work on it. It seems to be running better, but there is still the picture issue in IE. Of course, the FW, AV, AMW, and anything else we bring back up for security will slow it down, as it only has 256K memory (RDRAM, so it's still pretty expensive to put more in and getting harder to find; @#@?# Dell for using this memory :sad: :hair: :mad:).
I have a new version of ZoneAlarm Security Suite to load, but was going to ask you if I should use a different AV solution (like AVG-Free), and what I should use for an Anti-Malware, as well as any other suggestions, but this can wait until we're done cleaning it up.
****************************************************************************************
Here's the new hjt log:
Logfile of HijackThis v1.99.1
Scan saved at 07:25:02 PM, on 01/01/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HijackThis\Scan.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://antwrp.gsfc.nasa.gov/apod/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [zzzHPSETUP] F:\Setup.exe \RESET
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk.disabled
O4 - Global Startup: AOL Companion.lnk.disabled
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/et1_x.cab
O16 - DPF: Yahoo! Go Fish - http://download.games.yahoo.com/games/clients/y/zt3_x.cab
O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/games/clients/y/grt5_x.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt1_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: Yahoo! Spelldown - http://download.games.yahoo.com/games/clients/y/sdt1_x.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/OnlineScanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1190949702406
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
****************************************************************************************
Thanks again Blade81!!
Hi
Your system looks ok now from a malware fighter's point of view. Please see if this (http://support.microsoft.com/kb/283807) Microsoft article helps with the IE picture issue.
I have a new version of ZoneAlarm Security Suite to load, but was going to ask you if I should use a different AV solution (like AVG-Free), and what I should use for an Anti-Malware, as well as any other suggestions, but this can wait until we're done cleaning it up.
Good free antivirus programs are:
Antivir (http://free-av.com/en/download/1/download_avira_antivir_personal__free_antivirus.html)
Avast! (http://www.avast.com/eng/download-avast-home.html)
But if you have already paid for ZoneAlarm then it may be better to use it.
For a firewall I recommend either Online Armor Free (http://www.tallemu.com/free-firewall-protection-software.html) or Comodo Firewall Pro (http://www.personalfirewall.comodo.com/download_firewall.html#fw3.0) (If you choose Comodo: during installation uncheck "Install Comodo SafeSurf..", "Make Comodo my default search provider" and "Make Comodo Search my homepage", and install the firewall ONLY!).
For an antispyware program, Spybot and maybe Malwarebytes' Anti-Malware (http://www.malwarebytes.org/mbam.php).
Hi Blade81. Hope all is well. Thank you very much again for all of the help. Sorry, I've been away a couple of days. The link to MS about the graphics issue helped fix the problem; the Show Pictures option in Tools-Internet Options was un-checked. The infection must have changed it, as it was checked prior to MSAV2009. Thanks again. I have some questions on the different s/w you suggested and an 'oops' to discuss.
I'll start with the s/w. ZA Security Suite includes a Firewall, Anti-Virus, and Anti-Spyware. For a firewall, do you suggest
ZoneAlarm (http://www.zonealarm.com),
Online Armor Free (http://www.tallemu.com/free-firewall-protection-software.html), or
Comodo Firewall Pro (http://www.personalfirewall.comodo.com/download_firewall.html#fw3.0) (minus the listed items)?
For an Anti-Virus, do you suggest
ZoneAlarm,
Avira Antivir (http://free-av.com/en/download/1/download_avira_antivir_personal__free_antivirus.html), or
Avast! (http://www.avast.com/eng/download-avast-home.html)?
I know that you should only use one Anti-Virus s/w so if the other two are better, then I will turn off ZA's AV if I load it for the firewall (I think it does uncheck the AV section automatically if it sees a different AV program) and load one of the other ones. I noticed you did not suggest AVG-Free like some others, is this not as good as the other two?
As for Anti-Malware/Anti-Spyware (are these one and the same?), I already have Spybot and ZA has an Anti-Spyware section. I think that you can use multiple s/w programs for this. I used to use Ad-aware along with Spybot, but stopped when they changed from the SE Personal version as the new version was slowing down the system too much. Should I use Malwarebytes' Anti-Malware (http://www.malwarebytes.org/mbam.php) in conjunction with Spybot? Also, I did have Comodo's BOClean as well as SpywareBlaster up until they stopped updating and eventually stopped working; should I still try and reload these as well (of course the newer versions)?
Thanks again for all of your help and suggestions on the above items.
Now for the oops. While I was away, my daughter thought she would help (long story), but she had missed some of the steps we had already covered, and she tried to run the online Kaspersky scanner again. This time it made it to about 02:53:10 before it hung up, and it shows 15 Threat names and 16 Infected objects. I know we still have to remove the items in the quarantine folder from the ESET scan, but there were only 10 there if I remember correctly. So is it possible that there are still more items that need to be removed?
Once again thank you very much for all of your help!!
I noticed you did not suggest AVG-Free like some others, is this not as good as the other two?
Hi
It gives quite a lot of false alarms. Basically it's not a bad AV either, but if I can choose Antivir or Avast then I would take one of those :)
Should I use Malwarebytes' Anti-Malware in conjunction with Spybot? Also, I did have Comodo's BOClean as well as SpywareBlaster up until they stopped updating and eventually stopped working; should I still try and reload these as well (of course the newer versions)?
MBAM is a capable program and using it together with Spybot is recommended. You may also think about reloading the other two you mentioned. I usually leave the choosing to the user :)
So is it possible that there are still more items that need to be removed?
It's possible that Kaspersky detects more of those items in quarantines than ESET did. Without knowing which objects were flagged as bad, it's difficult to say if there are items in places other than System Restore or the quarantine folder that need to be removed. I would just do the System Restore reset and ComboFix uninstallation and see if there's any item flagged after that.
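The point above is that an ESET finding only needs follow-up if it sits outside the quarantine and System Restore folders. As an added example (not from the thread, and not ESET's own tooling), here is a Python triage script that parses an ESET Online Scanner log of the shape posted earlier and sorts each finding by location; the sample log is built from the thread's own lines plus two labelled constructed entries, and the folder rules are my assumptions.

```python
"""Triage an ESET Online Scanner log: which findings are already contained?

Added example for the thread above; it is not part of the thread and not
ESET's code. It parses the '# key=value' header and the per-object lines
and classifies each finding as ComboFix quarantine, System Restore snapshot,
or a live location that still needs action. The folder rules are assumptions.
"""
from __future__ import annotations
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# One finding per line: <path> <detection name> <md5>. Detection names carry a
# forward slash (Win32/Agent.ODG), which never occurs in a Windows path, so the
# non-greedy path group stops correctly even with spaces or "»" nesting markers.
FINDING_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<detection>(?:(?:probably )?a variant of |probably unknown )?"
    r"[A-Za-z0-9]+/\S+ [a-z ]+?)\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})$"
)

# Assumed container locations (case-insensitive): Qoobox is ComboFix's
# quarantine (the '.vir' files in the thread); _restore is a System Restore RP.
QUARANTINE_PREFIXES = (r"c:\qoobox\quarantine",)
RESTORE_MARKER = r"system volume information\_restore"


@dataclass
class Finding:
    path: str
    detection: str
    md5: Optional[str]  # None when ESET logged all zeros (member of an archive)
    location: str       # "quarantine", "system_restore" or "live"


def classify(path: str) -> str:
    low = path.lower()
    if low.startswith(QUARANTINE_PREFIXES):
        return "quarantine"
    if RESTORE_MARKER in low:
        return "system_restore"
    return "live"


def parse_eset_log(text: str) -> Tuple[Dict[str, str], List[Finding]]:
    header: Dict[str, str] = {}
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line[1:].strip().partition("=")
            header[key.strip()] = value.strip()
            continue
        m = FINDING_RE.match(line)
        if m is None:
            continue  # unexpected line shape: skip rather than guess
        md5 = m["md5"].upper()
        findings.append(Finding(
            path=m["path"],
            detection=m["detection"],
            md5=None if set(md5) == {"0"} else md5,
            location=classify(m["path"]),
        ))
    return header, findings


def triage(text: str) -> dict:
    """Summarise a log: counts per location and the findings needing action."""
    header, findings = parse_eset_log(text)
    counts = {"quarantine": 0, "system_restore": 0, "live": 0}
    for f in findings:
        counts[f.location] += 1
    declared = int(header.get("found", "0"))
    return {
        "declared_found": declared,
        "parsed": len(findings),
        "complete": declared == len(findings),  # header count vs. lines parsed
        "counts": counts,
        "live": [f for f in findings if f.location == "live"],
        "families": sorted({f.detection for f in findings}),
    }


# Constructed sample: five lines taken from the thread's ESET log, plus one
# System Restore entry and one live entry invented for illustration.
SAMPLE_LOG = r"""
# version=4
# end=finished
# remove_checked=false
# unwanted_checked=true
# scanned=1342761
# found=7
C:\Qoobox\Quarantine\C\Program Files\ASEMBL~1\?vchost.exe.vir a variant of Win32/Adware.PurityScan application 9B7EB623628F7811C12BDA9A3E41B22E
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSScfum.dll.vir Win32/Agent.ODG trojan 697DE522509C28C9998D9933E3FA6FB7
C:\Qoobox\Quarantine\C\WINDOWS\system32\userinit.exe.vir Win32/TrojanDownloader.FakeAlert.TG trojan E854F146BA1C18BB11F8925FA6E5EF2E
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\__.zip Win32/Agent.ODG trojan EA21523530E157FA0AC2ECBCF1DC75E5
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\__.zip »ZIP »TDSSpqxt.sys Win32/Agent.ODG trojan 00000000000000000000000000000000
C:\System Volume Information\_restore{PLACEHOLDER-GUID}\RP1\A0000001.dll Win32/Agent.ODG trojan 0123456789ABCDEF0123456789ABCDEF
C:\WINDOWS\system32\constructed_live_sample.dll Win32/TrojanDownloader.Small.NTQ trojan FEDCBA9876543210FEDCBA9876543210
"""

if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    print(summary["counts"], "complete header count:", summary["complete"])
    for f in summary["live"]:
        print("needs action:", f.path, "->", f.detection)
```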
Thanks Blade81 for your suggestions. So, what should I do next?
Hi
Let's clean System Restore and uninstall ComboFix now. Then you may try whether the Kaspersky scanner works, to see if it still finds something.
Let's reset System Restore
Reset and re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: you will lose all previous restore points, which are likely to be infected. Please note you need Administrator access to clean the restore points.
1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
2. Reboot.
3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
NOTE: only do this ONCE, NOT on a regular basis
Now let's uninstall ComboFix:
Click START then RUN
Now type "c:\documents and settings\Brian\Desktop\CombiFxx.exe" /u in the runbox and click OK
Hi Blade81. Thanks again. I performed the following tasks:
1. Turned off System Restore.
2. Rebooted computer.
3. Turned on System Restore.
4. Uninstalled ComboFix.
What's next?
Thanks again!!!
Then you may try whether the Kaspersky scanner works, to see if it still finds something.
Hi Blade81. Thanks. You did say to try Kaspersky when done; guess I should read more carefully :) .
Hopefully this is ok, so just to see if it would make it, I tried the "Folder..." option instead of the "My Computer" option for the scan, and set it to scan just the C: drive and its sub-folders. I left out the D: drive this time as that's where KOS usually hangs. It's currently scanning. I'll let you know later this evening how it did.
On a side note, for security s/w, I was going to duplicate your suggestions on my home computer for my daughter's laptop she takes to school. It's a Vista system that will run on a University network, hardwired in the dorm and wireless around campus. Would the same suggestions for the WinXP home computer apply for the Vista laptop, or because of Vista would there be some different s/w to load/run for a FW, Anti-Virus, Anti-Spyware, and Anti-Malware? If you want me to start a different thread for this, I understand.
Once again, Thank You very much for all of the help and responses to my questions. I'll get back with you tonight after the KOS scan of the C: drive is completed (hopefully). Take care...
Hi
Basically the same programs would fit Vista. A firewall is not an absolute must since Vista has a better firewall by default than XP had :)
Hi Blade81. Well, it didn't make it through the Kaspersky scan. It hung at 01:32:17, but states 93% completion. It shows 5 threat names and 6 Infected objects. It's been stuck at the same state since late last night. Next steps? Thanks again!
Hi
Nothing much I can think of if the system hangs during the scan. You could try scanning critical areas only.
Hi Blade81. I tried the Kaspersky scan with the "Critical Areas" scan option. This time it made it to 83% before it hung at 01:22:47, and it shows no Threat names or Infected objects. Thanks again for the help. What would you like me to do next? Have a great day!
Hi
Looks like we can't use Kaspersky since it hangs all the time. That could be a hardware issue or something else. Hard to say. Anyway, if you want, you may try whether Malwarebytes' Anti-Malware works without hanging.
Please download Malwarebytes' Anti-Malware (http://www.besttechie.net/tools/mbam-setup.exe) to your desktop.
Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform full scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Please post contents of that file in your next reply.
Hi Blade81. I downloaded Malwarebytes' Anti-Malware and installed it on the home computer, following the steps you outlined. Here are the contents of the log:
Malwarebytes' Anti-Malware 1.32
Database version: 1628
Windows 5.1.2600 Service Pack 2
01/07/2009 05:49:35 PM
mbam-log-2009-01-07 (17-49-35).txt
Scan type: Full Scan (C:\|D:\|)
Objects scanned: 309828
Time elapsed: 1 hour(s), 6 minute(s), 19 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\TDSStkdv.log (Trojan.TDSS) -> Quarantined and deleted successfully.
Once again thank you for the help.
Hi
Please post a fresh hjt log and let me know how's the system running :) We have to skip Kaspersky scan since you couldn't finish it successfully.
Hi Blade81. Here's a fresh hjt log:
Logfile of HijackThis v1.99.1
Scan saved at 12:21:30 PM, on 01/08/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HijackThis\Scan.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://antwrp.gsfc.nasa.gov/apod/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [zzzHPSETUP] F:\Setup.exe \RESET
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk.disabled
O4 - Global Startup: AOL Companion.lnk.disabled
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/et1_x.cab
O16 - DPF: Yahoo! Go Fish - http://download.games.yahoo.com/games/clients/y/zt3_x.cab
O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/games/clients/y/grt5_x.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt1_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: Yahoo! Spelldown - http://download.games.yahoo.com/games/clients/y/sdt1_x.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/OnlineScanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1190949702406
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
Thanks again for all of the help!
Well congrats, it appears your system is all clean. Are you still noticing any problems? If not, it's time to secure your system to prevent against further intrusions.
THESE STEPS ARE VERY IMPORTANT
Let's reset system restore
Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: You will lose all previous restore points, which are likely to be infected. Please note you need Administrator Access to clean the restore points.
1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
2. Reboot.
3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
NOTE: only do this ONCE, NOT on a regular basis
UPDATING WINDOWS AND INTERNET EXPLORER
IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the Windows Update site (http://windowsupdate.microsoft.com/) to get the critical updates.
If you are running Microsoft Office, or any portion thereof, go to Microsoft's Office Update site and make sure you have at least all the critical updates installed (Free): Microsoft Office Update.
Make your Internet Explorer more secure
This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.
The following are recommended third party programs that are designed to keep your computer clean. A link as well as a brief description is included with each item.
hosts file:
Every version of Windows has a hosts file. In a very basic sense, it is used to locate webpages. We can customize a hosts file so that it blocks certain webpages. However, it can slow down certain computers. This is why using a hosts file is optional!!
Download it here (http://www.mvps.org/winhelp2002/hosts.htm). Make sure you read the instructions on how to install the hosts file. There is a good tutorial here (http://www.bleepingcomputer.com/forums/tutorial51.html)
If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
Click the start button (at the lower left hand corner of your screen).
Click Run.
In the dialog box, type services.msc and hit Enter.
Locate DNS Client, highlight it, then double-click it.
On the dropdown box, change the setting from Automatic to Manual.
Click OK.
Just a final reminder for you. I am trying to stress these two points.
UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
Make sure all of your security programs are up to date.
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
Once again, please post and tell me how things are going with your system... problems etc.
Have a great day,
Blade :cool:
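The Internet Explorer zone hardening and the DNS Client change from the post above, checked from a PowerShell prompt. This is an added example, not part of the thread or of any tool mentioned in it; the numeric zone action IDs and their value meanings are assumed from Microsoft's documentation of the Internet Settings zones, and the -Fix switch is this script's own name.

```powershell
# Added example (not from the thread): audit the six Internet-zone settings
# recommended above plus the DNS Client startup type, and optionally set them.
# Zone 3 is the "Internet" zone. The numeric action IDs and the value meanings
# (0 = Enable, 1 = Prompt, 3 = Disable) are assumed from Microsoft's documentation.
$ZonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

$Recommended = [ordered]@{
    '1001' = @{ Name = 'Download signed ActiveX controls';                       Want = 1 }
    '1004' = @{ Name = 'Download unsigned ActiveX controls';                     Want = 3 }
    '1201' = @{ Name = 'Initialize and script ActiveX controls not marked safe'; Want = 3 }
    '1800' = @{ Name = 'Installation of desktop items';                          Want = 1 }
    '1804' = @{ Name = 'Launching programs and files in an IFRAME';              Want = 1 }
    '1607' = @{ Name = 'Navigate sub-frames across different domains';           Want = 1 }
}
$Label = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-InternetZoneReport {
    param([switch]$Fix)   # -Fix writes the recommended value where it differs
    $props = Get-ItemProperty -Path $ZonePath
    foreach ($id in $Recommended.Keys) {
        $want = $Recommended[$id].Want
        $have = $props.$id    # $null when the value is absent (zone default applies)
        $status = if ($have -eq $want) { 'OK' } else { 'DIFFERS' }
        if ($Fix -and $status -ne 'OK') {
            Set-ItemProperty -Path $ZonePath -Name $id -Value $want -Type DWord
            $status = 'FIXED'
        }
        $current = if ($null -eq $have) { 'not set' }
                   elseif ($Label.ContainsKey([int]$have)) { $Label[[int]$have] }
                   else { "$have" }
        [pscustomobject]@{
            Setting = $Recommended[$id].Name
            Current = $current
            Wanted  = $Label[$want]
            Status  = $status
        }
    }
}

function Get-DnsClientStartMode {
    param([switch]$Fix)   # the hosts-file slowdown workaround above: Automatic -> Manual
    $svc = Get-CimInstance Win32_Service -Filter "Name='Dnscache'"
    if ($Fix -and $svc.StartMode -ne 'Manual') {
        Set-Service -Name Dnscache -StartupType Manual   # needs an elevated shell
        $svc = Get-CimInstance Win32_Service -Filter "Name='Dnscache'"
    }
    [pscustomobject]@{ Service = $svc.DisplayName; StartMode = $svc.StartMode; State = $svc.State }
}

# Report only; add -Fix to both calls to apply the changes.
Get-InternetZoneReport | Format-Table -AutoSize
Get-DnsClientStartMode
```

A DIFFERS row shows which of the six settings still needs the change; leave the DNS Client at Automatic if you decided not to install the hosts file.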
Hi Blade81. Thanks again. The system seems fine, I guess I'll find out more as I start to use it again. It looks like it will take a while to follow the steps you outlined, I will post back once I'm done. I would assume once those steps are completed, we will remove the quarantined items and turn the FW and AV back on, and also probably load new AMW as well.
I hope there aren't any issues with the new updates from MS. I spent quite some time installing XP SP2 last time on the home computer, especially researching the fixes on the internet. I just updated my daughter's Vista laptop to Vista SP1 and ran into that "Stage 3 of 3" boot error which took a while to fix. Checking on the web I found that this has been an issue for about a year and thousands of users have the problem, but no response from MS yet. I found the fix on some web sites; made sure that multiple sites had the same so as not to break it further. But sorry, I'm going off on a tangent about MS and their failure to fix issues with SPs.
Once again, thank you very much Blade81 for your help with this. I'll post back when I'm done completing the tasks you listed. Talk to you soon!
Hi Blade81. I installed the XP SP3 update, but then the computer would not boot. I searched the web and found that this is still a common occurrence (for quite some time) and the only fix I could find for now was to revert back to SP2. I'll let you know how it goes. Thanks again for the help!
Ok. If you have troubles reverting back to SP2 you may ask for guidance at http://forums.pcpitstop.com or http://forums.techguy.org for example :)
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help. :)
Note: If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.
If it has been less than four days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.