Desperately need help getting rid of Trojan

M

musicteacher

New member
I hope someone here can help me! I'm the first to admit that I don't know much about the inner workings of my computer and really need help!

I've had Spybot on my computer for years and have had great success with it. I also had Norton on and have been trying to get rid of it, but can't seem to. My renewal subscription was due in June and when I didn't renew, my computer started having problems.

I've done some kind of Windows restore that lost all my email but kept my hard drive files intact. My husband and I had different profiles when we would log into Windows and we got to where it would log in and immediately log off. That's why I did that.

Now it just shows up as Owner and we've been able to stay on for the last 2 weeks.

I haven't been as watchful about updating virus software and so forth lately, and Tuesday night I visited a website of a Christian Rock Band and my computer screen sort of flashed at me, then shut down, then restarted.

Since then, I have a red circle with a white X in it in my lower right corner. I also have a message that keeps coming up telling me that I'm infected, but the message has 2 words spelled wrong in it. I've researched a little bit and I know that this happened because I got infected with something.

I can't start Spybot. I've tried deleting it and downloading it again, but I can't get it to install. When I had the big meltdown in late June and did the Windows restore thing, I installed anti-virus stuff from Comodo. I thought I had it set to keep the bad stuff away.

I've read many messages here about what to do before I ask for help. I've heard of Hijack This, but have never done anything with it.

I just clicked on a link and downloaded it, but when I click on the icon to install it, nothing happens.

I read about a site that has software called HouseCall but I can't get that to work either.

I went to the Ewido site and scanned for Trojans there. Immediately it found something and asked me what to do and I clicked on whatever made sense. The red circle with the white X disappeared for awhile, but when the computer restarted, it came right back.

I know this makes me sound so illiterate. I'm actually think I'm an intelligent person. I'm a music teacher with a Master's Degree so I don't think I'm a dumb person but I'll freely admit that I have no idea what I'm doing here.

I DID manage to get the sound going on my computer all by myself. Since I did the Windows restore thing in late June, we haven't had any sound. Last night I stumbled upon Device Manager, and under Sound I found 3 yellow questions marks. I right-clicked and saw something about reinstalling drivers, so I did that and now I can play CDs in my drive again!

I hope someone here can have the patience to help me through this problem. I would love to get my computer healthy again.

Thanks,
musicteacher
 
Hello musicteacher

Welcome to Safer Networking.

Please read Before You Post
That said, All advice given by anyone volunteering here, is taken at own risk.
While best efforts are made to assist in removing infections safely, unexpected stuff can happen.




Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.<-- Don't forget this
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and Paste the entire report in your next reply along with a New Hijackthis log.






Delete Hijackthis you previously downloaded and try this one, install it this way.

Download Trendmicros Hijackthis to your desktop.
  • Double click it to install
  • Follow the prompts and by default it will install in C:\Program Files\Trendmicro\Hijackthis\Highjackthis.exe
  • Open HJT Scan and Save a Log File, it will open in Notepad
  • Go to Format and make sure Wordwrap is Unchecked
  • Go to Edit> Select All.....Edit > Copy and Paste the new log into this thread by using the Post Reply and not start a New Thread.
DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required.


Post the Malwarebytes log and a Hijackthis log please
 
Did It All

Thank you so much for your assistance. I hope I did everything correctly.



Malwarebytes' Anti-Malware 1.24
Database version: 1052
Windows 5.1.2600

12:06:38 PM 8/14/2008
mbam-log-8-14-2008 (12-06-38).txt

Scan type: Quick Scan
Objects scanned: 80812
Time elapsed: 58 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 14

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\buritos (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.FakeAlert) -> Data: c:\windows\system32\karina.dat -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\System32\drivers\mrxdavv.sys (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\karina.dat (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\karina.dat (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winivstr.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\k86.bin (Fake.Dropped.Malware) -> Delete on reboot.
C:\WINDOWS\system32\buritos.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\hosts (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\didduid.ini (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\delself.bat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\beep.sys (Fake.Beep.Sys) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dllcache\beep.sys (Fake.Beep.Sys) -> Quarantined and deleted successfully.
C:\WINDOWS\buritos.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\s32.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\ws386.ini (Malware.Trace) -> Quarantined and deleted successfully.







Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:52:11 PM, on 8/14/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\logonui.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Comodo\Comodo AntiVirus\CMain.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Comodo\common\CAVASpy\cavasm.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\Program Files\Comodo\Comodo AntiVirus\Cavaud.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Comodo\Comodo AntiVirus\cavemsrv.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us6.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us6.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us6.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F3 - REG:win.ini: load=
F3 - REG:win.ini: run=
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [cnfgCav] "C:\Program Files\Comodo\Comodo AntiVirus\CMain.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [braviax] C:\WINDOWS\System32\braviax.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [braviax] C:\WINDOWS\System32\braviax.exe (User 'Default user')
O4 - S-1-5-18 Startup: AutoPlay.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: AutoTBar.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: AutoPlay.exe (User 'Default user')
O4 - .DEFAULT Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: hp center.lnk = C:\RECYCLER\NPROTECT\31741158.EXE
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.34.14/ttinst.cab
O20 - AppInit_DLLs: C:\WINDOWS\System32\karina.dat
O23 - Service: Comodo Anti-Virus and Anti-Spyware Service - Comodo Inc. - C:\Program Files\Comodo\common\CAVASpy\cavasm.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

--
End of file - 5562 bytes
 
Hello,

Open HijackThis > Do a System Scan Only, close your browser and all open windows including this one, the only program or window you should have open is HijackThis, check the following entries and click on Fix Checked.

O4 - HKUS\S-1-5-18\..\Run: [braviax] C:\WINDOWS\System32\braviax.exe (User 'SYSTEM') G
O4 - HKUS\.DEFAULT\..\Run: [braviax] C:\WINDOWS\System32\braviax.exe (User 'Default user')
O4 - Global Startup: hp center.lnk = C:\RECYCLER\NPROTECT\31741158.EXE

O20 - AppInit_DLLs: C:\WINDOWS\System32\karina.dat


You have been infected with some nasty stuff, one of the reasons being is that your Operating System is very outdated and letting this garbage in. Before we proceed any further I need you to download and install Service Pack 1 (SP1)...DO NOT INSTALL SERVICE PACK 3 JUST YET

http://www.microsoft.com/downloads/...f8-1684-4202-b2d0-c6a43430f12a&displaylang=en



Install the service pack and post a new log please
 
Can't get SP to download

I did exactly what you told me to do with HJT.

Then I followed your link to Microsoft to get the SP, but I get this message:


Internet Explorer cannot download splaexpress_usa.exe from download.microsoft.com
Internet Explorer was not able to open this Internet site. The requested site is either unavailable or cannot be found. Please try again later.


I was getting this message a few days ago when I was trying to get spybot and others to download.


I did run HJT again and here is the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:30:32 PM, on 8/14/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Comodo\Comodo AntiVirus\CMain.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Comodo\common\CAVASpy\cavasm.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\Program Files\Comodo\Comodo AntiVirus\Cavaud.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us6.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us6.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us6.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F3 - REG:win.ini: load=
F3 - REG:win.ini: run=
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [cnfgCav] "C:\Program Files\Comodo\Comodo AntiVirus\CMain.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - S-1-5-18 Startup: AutoPlay.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: AutoTBar.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: AutoPlay.exe (User 'Default user')
O4 - .DEFAULT Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.34.14/ttinst.cab
O20 - AppInit_DLLs: C:\WINDOWS\System32\karina.dat
O23 - Service: Comodo Anti-Virus and Anti-Spyware Service - Comodo Inc. - C:\Program Files\Comodo\common\CAVASpy\cavasm.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

--
End of file - 5093 bytes
 
Can't find Validate Button

This isn't going well. I click on the link that you provided, and it takes me to a page at microsoft. I follow their directions, which include telling me to scroll down and click on a validate button, but the button isn't anywhere on the page:

http://www.microsoft.com/genuine/Pr...en&sGuid=7730cf00-f564-49ae-bc3f-451d1eeca9c1

I've done a google search, and I've been clicking all over the Microsoft site trying to find how to validate my copy of Windows XP. I bought this computer 5 years ago at Circuit City and Windows was right on it. I registered it like I should have, so I shouldn't have any problem validating, if I can find the button to click.
 
I'm validated

OK. I finally got it to validate at the Microsoft website. I got a message congratulating me on my ability to validate.

So I tried to download the SP 1a again and I keep getting the same message as before.

What's next??

Thanks for all your trouble!
musicteacher
 
Open up Internet Explorer and go to Tools> Windows Updates and let it check and install updates. Lets see if this will work, if it does do not install SP3 at this time. The reason for my concern is that not always, but most times when an Operating System is as badly outdated as yours is , the main reason being is that the copy of windows is illegal and an illegal copy of windows will not let you update.



Please download ATF Cleaner by Atribune to your desktop.
  • This program is for XP and Windows 2000 only
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
Your system may start up slower after running ATF Cleaner, this is expected but will be back to normal after the first or second boot up
Please note: If you use online banking or are registered online with any other organizations, ensure you have memorized password and other personal information as removing cookies will temporarily disable the auto-login facility.





Download ComboFix from Here or Here to your Desktop.

In the event you already have Combofix, this is a new version that I need you to download.
It must be saved directly to your desktop.


1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan.
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  • Remember to re enable the protection again afterwards before connecting to the net


2. Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before running combofix.
  • IF you have not already done so Combofix will disconnect your machine from the Internet when it starts.
  • If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

3. Now double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review

Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze.
 
Getting there

I disabled the Comodo anti-virus program, got my computer offline, and finally was able to run the Combofix. While some things on the computer seem to be running better, and that big red circle with the white X in the bottom right corner is GONE, along with that pesty message that kept popping up, all last night and this morning, the computer kept restarting on its own. It took quite a few attempts to finally have Combofix run all the way through, but it finally did. I'll paste the log here:




ComboFix 08-08-14.02 - Owner 2008-08-15 8:22:11.2 - NTFSx86
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\dllcache\npptools.dll
C:\WINDOWS\system32\npptools.dll
.
---- Previous Run -------
.
C:\Documents and Settings\Betsy.YOUR-US67PI6LUV\Application Data\macromedia\Flash Player\#SharedObjects\DJZ22NXW\interclick.com
C:\Documents and Settings\Betsy.YOUR-US67PI6LUV\Application Data\macromedia\Flash Player\#SharedObjects\DJZ22NXW\interclick.com\ud.sol
C:\Documents and Settings\Betsy.YOUR-US67PI6LUV\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Betsy.YOUR-US67PI6LUV\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\WINDOWS\g32.txt
C:\WINDOWS\jestertb.dll
C:\WINDOWS\system32\dllcache\npptools.dll
C:\WINDOWS\system32\k86.bin
C:\WINDOWS\system32\karina.dat
C:\WINDOWS\system32\msssc.dll
C:\WINDOWS\system32\npptools.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ASPIMGR
-------\Legacy_ASPIMGR


((((((((((((((((((((((((( Files Created from 2008-07-15 to 2008-08-15 )))))))))))))))))))))))))))))))
.

2008-08-14 23:31 . 2008-08-14 23:31 50,688 --a------ C:\Program Files\ATF-Cleaner.exe
2008-08-14 12:49 . 2008-08-14 12:49 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-14 12:10 . 2001-08-18 08:00 4,224 --a------ C:\WINDOWS\system32\drivers\beep.sys
2008-08-14 12:10 . 2001-08-18 08:00 4,224 --a--c--- C:\WINDOWS\system32\dllcache\beep.sys
2008-08-14 09:09 . 2008-08-14 09:09 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-08-14 09:07 . 2008-08-14 09:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-14 09:07 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-14 09:07 . 2008-07-30 20:07 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-14 09:05 . 2008-08-14 09:07 <DIR> d-------- C:\Program Files\Malwarebytes
2008-08-08 22:41 . 2008-08-08 22:42 382,352 --a------ C:\Program Files\jre-6u7-windows-i586-p-iftw.exe
2008-08-08 07:23 . 2008-08-08 07:23 42,496 --a------ C:\Fixing computer instructions.doc
2008-08-08 07:12 . 2008-08-08 07:12 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Motive
2008-08-06 20:52 . 2008-08-06 20:52 15,083,520 --a------ C:\Program Files\spybotsd160.exe
2008-08-06 07:48 . 2008-08-14 21:37 7 --a------ C:\WINDOWS\system32\ngxt.bin
2008-08-05 22:10 . 2008-08-07 19:26 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Spyware Terminator
2008-08-05 20:30 . 2008-08-05 20:30 8,560 --a------ C:\WINDOWS\system32\core3.sys
2008-08-04 21:23 . 2008-08-04 21:23 <DIR> d-------- C:\Program Files\New Folder
2008-07-31 11:03 . 2008-07-31 11:03 <DIR> d-------- C:\Program Files\Disney
2008-07-29 23:01 . 2008-07-29 23:01 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Yahoo!
2008-07-27 17:36 . 2004-08-03 14:04 185,624 --a------ C:\WINDOWS\system32\iuengine.dll
2008-07-27 17:36 . 2004-08-03 14:04 185,624 --a--c--- C:\WINDOWS\system32\dllcache\iuengine.dll
2008-07-27 17:26 . 2008-07-27 17:26 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Microsoft Web Folders
2008-07-25 23:31 . 2008-07-25 23:31 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Aim
2008-07-25 21:56 . 2001-08-17 22:24 135,040 --a------ C:\WINDOWS\system32\drivers\portcls.sys
2008-07-25 21:56 . 2001-08-17 22:24 134,144 --a------ C:\WINDOWS\system32\drivers\ks.sys
2008-07-25 21:56 . 2001-08-17 22:37 117,248 --a------ C:\WINDOWS\system32\ksproxy.ax
2008-07-25 21:56 . 2001-08-17 14:01 57,344 --a------ C:\WINDOWS\system32\drivers\drmk.sys
2008-07-25 21:56 . 2001-08-17 14:01 42,752 --a------ C:\WINDOWS\system32\drivers\stream.sys
2008-07-25 21:56 . 2001-08-17 22:37 22,016 --a------ C:\WINDOWS\system32\wdmaud.drv
2008-07-25 21:56 . 2001-08-17 22:36 4,096 --a------ C:\WINDOWS\system32\ksuser.dll
2008-07-22 20:55 . 2008-07-22 20:55 <DIR> d-------- C:\Documents and Settings\Betsy.YOUR-US67PI6LUV.000\Application Data\FUJIFILM
2008-07-21 20:47 . 2008-07-21 20:47 <DIR> d-------- C:\Documents and Settings\Betsy.YOUR-US67PI6LUV.000\Application Data\ACD Systems
2008-07-21 08:27 . 2008-07-21 08:27 <DIR> d-------- C:\Documents and Settings\Betsy.YOUR-US67PI6LUV.000\Application Data\Microsoft Web Folders
2008-07-20 23:34 . 2008-07-21 16:40 <DIR> d-------- C:\Documents and Settings\Betsy.YOUR-US67PI6LUV.000\Application Data\Spyware Terminator
2008-07-20 23:33 . 2008-07-20 23:33 <DIR> d-------- C:\TBR5LanguageAct
2008-07-20 23:33 . 2008-07-20 23:33 <DIR> d-------- C:\Languages
2008-07-20 23:10 . 2002-07-27 00:24 <DIR> d-------- C:\Documents and Settings\Betsy.YOUR-US67PI6LUV.000\WINDOWS
2008-07-20 23:10 . 2008-07-21 21:15 <DIR> d-------- C:\Documents and Settings\Betsy.YOUR-US67PI6LUV.000\Application Data\VERITAS
2008-07-20 23:10 . 2002-07-27 00:23 <DIR> d-------- C:\Documents and Settings\Betsy.YOUR-US67PI6LUV.000\Application Data\Symantec
2008-07-20 23:10 . 2002-07-27 00:23 <DIR> d-------- C:\Documents and Settings\Betsy.YOUR-US67PI6LUV.000\Application Data\Share-to-Web Upload Folder
2008-07-20 23:10 . 2002-07-27 00:23 <DIR> d-------- C:\Documents and Settings\Betsy.YOUR-US67PI6LUV.000\Application Data\InterTrust
2008-07-20 23:10 . 2008-07-21 08:44 <DIR> d-------- C:\Documents and Settings\Betsy.YOUR-US67PI6LUV.000
2008-07-20 21:40 . 2004-07-15 15:44 18,939 --a------ C:\WINDOWS\hpbvspst.hi2
2008-07-20 21:40 . 2004-07-15 15:44 478 --a------ C:\WINDOWS\hpbvspst.bu2
2008-07-20 21:39 . 2001-07-21 14:40 3,144 --a--c--- C:\WINDOWS\system32\dllcache\srgb.icm
2008-07-19 21:36 . 2008-07-19 22:07 <DIR> d-------- C:\Program Files\Crawler
2008-07-19 17:49 . 2008-08-07 19:26 <DIR> d-------- C:\Program Files\Spyware Terminator
2008-07-19 17:49 . 2008-07-19 22:01 <DIR> d-------- C:\Documents and Settings\Betsy.YOUR-US67PI6LUV\Application Data\Spyware Terminator
2008-07-19 17:49 . 2008-08-07 19:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spyware Terminator
2008-07-19 17:49 . 2008-07-19 17:49 141,312 --a------ C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
2008-07-19 17:46 . 2008-07-19 17:46 8,160,016 --a------ C:\Program Files\SpywareTerminatorSetup.exe
2008-07-19 13:33 . 2008-07-19 13:34 <DIR> d--h-c--- C:\WINDOWS\$xpsp1hfm$
2008-07-17 23:34 . 2004-09-20 15:20 16,121,856 --------- C:\WINDOWS\system32\alsndmgr.cpl
2008-07-17 23:34 . 2004-09-21 11:13 9,196,032 --------- C:\WINDOWS\system32\RTLCPL.exe
2008-07-17 23:34 . 2004-10-01 10:24 2,279,424 --------- C:\WINDOWS\system32\drivers\alcxwdm.sys
2008-07-17 23:34 . 2004-09-10 10:12 208,896 --------- C:\WINDOWS\alcupd.exe
2008-07-17 23:34 . 2004-09-07 14:23 156,672 --------- C:\WINDOWS\system32\RtlCPAPI.dll
2008-07-17 23:34 . 2002-02-05 13:54 141,016 --------- C:\WINDOWS\system32\alsndmgr.wav
2008-07-17 23:34 . 2004-09-01 20:04 139,264 --------- C:\WINDOWS\alcrmv.exe
2008-07-17 23:34 . 2004-09-16 20:39 69,632 --------- C:\WINDOWS\soundman.exe
2008-07-17 23:34 . 2004-09-07 13:47 57,344 --------- C:\WINDOWS\Alcxmntr.exe
2008-07-17 23:34 . 2004-02-25 18:00 40,448 --------- C:\WINDOWS\system32\ChCfg.exe
2008-07-17 21:55 . 2008-07-17 21:55 2,369,474 --a------ C:\Project1.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-08 02:36 --------- d---a-w C:\Program Files\WildTangent
2008-08-06 21:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-06 00:29 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-08-05 02:03 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-04 21:40 --------- d-----w C:\Program Files\PicturesToExe
2008-07-31 13:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-07-29 23:51 --------- d-----w C:\Program Files\Common Files\ACD Systems
2008-07-29 23:48 --------- d-----w C:\Program Files\ACD Systems
2008-07-28 11:45 73,728 ----a-w C:\WINDOWS\system32\CavEmLSP.dll
2008-07-28 11:45 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2008-07-28 11:45 434,252 ----a-w C:\WINDOWS\system32\MSVCRTD.DLL
2008-07-28 11:45 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2008-07-28 11:45 216,576 ----a-w C:\WINDOWS\system32\monln.dll
2008-07-28 11:45 102,400 ----a-w C:\WINDOWS\system32\drivers\cavasm.sys
2008-07-28 11:45 1,060,864 ----a-w C:\WINDOWS\system32\MFC71.dll
2008-07-27 21:25 --------- d-----w C:\Program Files\microsoft frontpage
2008-07-23 00:55 --------- d-----w C:\Program Files\FinePixViewer
2008-07-21 12:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\BOC426
2008-07-21 03:38 --------- d-----w C:\Program Files\SymNetDrv
2008-07-19 22:34 --------- d-----w C:\Program Files\FileSubmit
2008-07-19 21:55 --------- d-----w C:\Program Files\Viewpoint
2008-07-19 21:55 --------- d-----w C:\Program Files\Lycos
2008-07-14 15:56 --------- d-----w C:\Program Files\WildGames
2008-07-12 20:38 --------- d-----w C:\Documents and Settings\Betsy.YOUR-US67PI6LUV\Application Data\Viewpoint
2008-07-11 01:25 --------- d-----w C:\Program Files\Coupons
2008-07-11 01:23 1,277,680 ----a-w C:\Program Files\CouponPrinter.exe
2008-07-10 01:57 --------- d-----w C:\Program Files\AIM6
2008-07-10 01:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-07-10 01:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-07-10 01:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-07-10 01:47 --------- d-----w C:\Documents and Settings\Betsy.YOUR-US67PI6LUV\Application Data\acccore
2008-07-08 11:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\NOS
2008-07-08 11:21 --------- d-----w C:\Program Files\Common Files\Adobe AIR
2008-07-08 11:13 --------- d-----w C:\Program Files\NOS
2008-07-06 21:06 --------- d-----w C:\Documents and Settings\Betsy.YOUR-US67PI6LUV\Application Data\Corel
2008-07-01 02:44 --------- d-----w C:\Documents and Settings\Owner\Application Data\ACD Systems
2008-07-01 02:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\ACD Systems
2008-06-30 14:05 --------- d-----w C:\Program Files\Comodo
2008-06-30 11:30 --------- d-----w C:\Documents and Settings\Betsy.YOUR-US67PI6LUV\Application Data\Snapfish
2008-06-30 01:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Comodo
2008-06-30 00:30 --------- d-----w C:\Documents and Settings\Betsy.YOUR-US67PI6LUV\Application Data\Microsoft Web Folders
2008-06-30 00:27 --------- d-----w C:\Program Files\OpenOffice
2008-06-30 00:16 --------- d-----w C:\Program Files\Comodo Free
2008-06-29 22:05 --------- d-----w C:\Documents and Settings\Betsy.YOUR-US67PI6LUV\Application Data\VERITAS
2008-06-29 03:33 --------- d-----w C:\Documents and Settings\Betsy.YOUR-US67PI6LUV\Application Data\MSN6
2008-06-28 12:41 --------- d-----w C:\Program Files\CCleaner
2008-06-28 11:14 --------- d-----w C:\Program Files\Java
2008-06-26 21:26 --------- d-----w C:\Documents and Settings\Craig\Application Data\WeatherBug
2008-06-26 03:05 --------- d-----w C:\Documents and Settings\Betsy\Application Data\WeatherBug
2008-06-15 10:55 --------- d-----w C:\Documents and Settings\Betsy\Application Data\Roxio
2008-06-15 01:19 --------- d-----w C:\Documents and Settings\Betsy\Application Data\Creative
2008-05-26 10:58 1,470,464 ----a-w C:\Program Files\clipart.exe
2008-04-26 11:06 2,751,368 ----a-w C:\Program Files\ccsetup206.exe
2008-01-21 23:55 119,992 ----a-w C:\Documents and Settings\Betsy\Application Data\GDIPFONTCACHEV1.DAT
2006-09-28 03:04 16,291,424 ----a-w C:\Program Files\Java.exe
2005-01-15 11:13 9,893,152 ----a-w C:\Program Files\PatternViewerInst.exe
2004-07-22 10:39 2,150,574 ----a-w C:\Program Files\Ad-aware.exe
2004-05-23 19:26 2,403,357 ----a-w C:\Program Files\Reg Mechanic Install.exe
2004-05-02 20:17 10,241,609 ----a-w C:\Program Files\Vendio-SMPro.exe
2003-08-13 10:30 1,291,040 ----a-w C:\Program Files\WindowsXP-KB823980-x86-ENU.exe
2003-07-28 11:16 36,864 ----a-w C:\WINDOWS\inf\i386\Vizmicro.dll
2003-07-28 11:16 172,032 ----a-w C:\WINDOWS\inf\i386\viceo.dll
2003-07-28 11:01 36,207 ----a-w C:\WINDOWS\inf\i386\9320FW.bin
2003-07-28 11:01 274,432 ----a-w C:\WINDOWS\inf\i386\9320LLD.dll
2003-07-28 11:01 155,648 ----a-w C:\WINDOWS\inf\i386\rtscan.dll
2003-05-07 01:53 0 ----a-w C:\Program Files\Gevalia.jsp
2003-02-09 22:36 78,516 ----a-w C:\Program Files\AuctionManagerPro.exe
2002-11-30 21:16 1,803,464 ----a-w C:\Program Files\winzip81.exe
2001-08-03 23:29 13,824 ----a-w C:\WINDOWS\inf\i386\Usbscan.sys
.

------- Sigcheck -------

2004-08-04 02:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\ServicePackFiles\i386\ip6fw.sys
2004-08-04 02:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\system32\drivers\ip6fw.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2001-08-02 17:14 1077277]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 19:04 52736]
"CamMonitor"="c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe" [2002-06-18 02:11 69632]
"KBD"="C:\HP\KBD\KBD.EXE" [2001-07-07 00:56 61440]
"StorageGuard"="C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" [2002-05-09 11:01 155648]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2002-07-16 11:03 106549]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2001-12-19 02:39 212992]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2002-05-15 06:29 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2002-05-15 06:20 114688]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2002-06-14 19:39 81920]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2003-06-25 11:24 49152]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-10-23 19:51 233472]
"HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-09-01 07:42 176128]
"DeviceDiscovery"="C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2003-05-21 18:37 229437]
"cnfgCav"="C:\Program Files\Comodo\Comodo AntiVirus\CMain.exe" [2008-07-28 07:45 110592]
"nwiz"="nwiz.exe" [2002-05-03 20:06 364544 C:\WINDOWS\system32\nwiz.exe]

C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\
AutoPlay.exe [2001-09-17 21:22:52 36864]
AutoTBar.exe [2002-05-30 05:58:02 40960]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
AutoPlay.exe [2001-09-17 21:22:52 36864]

C:\Documents and Settings\Administrator.YOUR-US67PI6LUV\Start Menu\Programs\Startup\
AutoPlay.exe [2001-09-17 21:22:52 36864]
AutoTBar.exe [2002-05-30 05:58:02 40960]

C:\Documents and Settings\Betsy\Start Menu\Programs\Startup\
Event Reminder.lnk - C:\Program Files\Mindscape\PrintMaster\PMREMIND.EXE [2007-06-04 21:33:41 325632]
PowerReg Scheduler V3.exe [2008-02-23 19:23:15 225280]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2002-11-29 22:45:23 113664]
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2002-11-29 22:45:23 113664]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]
America Online 7.0 Tray Icon.lnk - C:\Program Files\America Online 7.0\aoltray.exe [2002-11-29 17:24:20 32839]
Exif Launcher.lnk - C:\Program Files\FinePixViewer\QuickDCF.exe [2006-06-22 21:51:56 282624]
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2003-01-30 13:03:47 156160]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-03-22 04:00:00 65588]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2003-11-30 15:02:16 106560]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\monln]
2008-07-28 07:45 216576 C:\WINDOWS\system32\monln.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.ACDV"= ACDV.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\core3.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R1 core3;HTCore Controller;C:\WINDOWS\System32\core3.sys [2008-08-05 20:30]
S3 FileObjInfo;STFileDriver;C:\Documents and Settings\All Users\Application Data\Spyware Terminator\FileObjInfo.sys [2008-07-19 17:49]
.
Contents of the 'Scheduled Tasks' folder

2008-07-26 C:\WINDOWS\Tasks\easy Internet sign-up.job
- C:\Program Files\Hewlett-Packard\EZ Internet Signup\HPSdpApp.exe [2002-04-20 00:10]

2002-07-27 C:\WINDOWS\Tasks\Symantec NetDetect.job
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE []
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-BOC-426 - (no file)
Notify-xatcore - xatcore.dll


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.com/
R0 -: HKCU-Main,Default_Search_URL = hxxp://srch-us6.hpwis.com/
R0 -: HKLM-Main,Start Page = hxxp://www.google.com
R0 -: HKLM-Main,Search Bar = hxxp://srch-us6.hpwis.com/
R1 -: HKCU-Internet Settings,ProxyOverride = localhost

O16 -: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab
C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

O16 -: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://downloads.ewido.net/ewidoOnlineScan.cab
C:\WINDOWS\Downloaded Program Files\ewidoOnlineScan.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-15 08:29:50
Windows 5.1.2600 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\TEMP\cavbase99 118640 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Comodo\Common\CAVASpy\cavasm.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\Program Files\Comodo\Comodo AntiVirus\cavse.exe
C:\Program Files\Comodo\Comodo AntiVirus\cavse.exe
C:\Program Files\Comodo\Comodo AntiVirus\CavAUD.exe
.
**************************************************************************
.
Completion time: 2008-08-15 8:43:06 - machine was rebooted [Owner]
ComboFix-quarantined-files.txt 2008-08-15 12:42:55

Pre-Run: 38,384,062,464 bytes free
Post-Run: 38,321,852,416 bytes free

270
 
Latest HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:41:49 PM, on 8/15/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Comodo\Comodo AntiVirus\CMain.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Comodo\common\CAVASpy\cavasm.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\Program Files\Comodo\Comodo AntiVirus\Cavaud.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us6.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us6.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [cnfgCav] "C:\Program Files\Comodo\Comodo AntiVirus\CMain.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - S-1-5-18 Startup: AutoPlay.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: AutoTBar.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: AutoPlay.exe (User 'Default user')
O4 - .DEFAULT Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.34.14/ttinst.cab
O20 - Winlogon Notify: monln - C:\WINDOWS\SYSTEM32\monln.dll
O23 - Service: Comodo Anti-Virus and Anti-Spyware Service - Comodo Inc. - C:\Program Files\Comodo\common\CAVASpy\cavasm.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

--
End of file - 5424 bytes
 
I Can Download SP 1a!!!

I'm sorry to leave so many messages, but out of curiosity, I went back this link that you gave me:

http://www.microsoft.com/downloads/d...displaylang=en

and I tried it again and this time the Service Pack downloaded!!! Yeah!!!

I have this message telling me that before I install it I should back up all programs. Not sure what to do about that, and I don't think my System Restore is working or turned on.

I'm not doing anything with Service Pack 1a until I have instructions from you.
 
Hello,

Your logs look fine :bigthumb: Please understand that if you can't update your Operating System your just going to keep getting infected. How are things running now??
 
Lets check a few things.


Depending on how your manufacturer set up your system, you may or may not need the Windows XP CD. If you have a I386 folder on your C:\ drive you may not need the disk.
  • Click Start>Run
  • Type in sfc /scannow, hit Enter.
  • Note: there is a space between sfc and /scannow
  • This should replace any corrupted/missing system files and will hopefully fix things.



Please run the MGA Diagnostic Tool and post back the report it creates:
  • Download MGADiag to your desktop.
  • Double-click on MGADiag.exe to launch the program
  • Click "Continue"
  • Ensure that the "Windows" tab is selected (it should be by default).
  • Click the "Copy" button to copy the MGA Diagnostic Report to the Windows clipboard.
  • Paste the MGA Diagnostic Report back here in your next reply.
 
Did everything

You are the best. I can't believe how the computer is running now. Hope it keeps up. When do we do all the updating?


Diagnostic Report (1.7.0095.0):
-----------------------------------------
WGA Data-->
Validation Status: Genuine
Validation Code: 0
Online Validation Code: N/A
Cached Validation Code: N/A
Windows Product Key: *****-*****-BRVBB-38MQ9-3PMFT
Windows Product Key Hash: 2V2VyxlfhiaCt/JkDzYQfiNOHMA=
Windows Product ID: 55277-OEM-2111907-00106
Windows Product ID Type: 2
Windows License Type: OEM SLP
Windows OS version: 5.1.2600.2.00010300.0.0.hom
CSVLK Server: N/A
CSVLK PID: N/A
ID: {196FDD5F-9A16-4BEE-BF82-88D84E2D38A5}(3)
Is Admin: Yes
TestCab: 0x0
WGA Version: Registered, 1.7.69.2
Signed By: Microsoft
Product Name: N/A
Architecture: N/A
Build lab: N/A
TTS Error: N/A
Validation Diagnostic: 025D1FF3-171-1
Resolution Status: N/A

WgaER Data-->
ThreatID(s): N/A
Version: N/A

WGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: Yes
Version: 1.7.18.5
WgaTray.exe Signed By: Microsoft
WgaLogon.dll Signed By: Microsoft

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
WGATray.exe Signed By: Microsoft
OGAAddin.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 109 N/A
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: 025D1FF3-171-1

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Default Browser: C:\Program Files\Internet Explorer\IEXPLORE.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{196FDD5F-9A16-4BEE-BF82-88D84E2D38A5}</UGUID><Version>1.7.0095.0</Version><OS>5.1.2600.2.00010300.0.0.hom</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-3PMFT</PKey><PID>55277-OEM-2111907-00106</PID><PIDType>2</PIDType><SID>S-1-5-21-4212676017-135449575-3207847200</SID><SYSTEM><Manufacturer>HP Pavilion 05</Manufacturer><Model>DA179A-ABA 743g</Model></SYSTEM><BIOS><Manufacturer>Phoenix Technologies LTD</Manufacturer><Version>6.00</Version><SMBIOSVersion major="2" minor="31"/><Date>20020925******.******+***</Date><SLPBIOS>HP PAVILION</SLPBIOS></BIOS><HWID>DCB23B4F01842052</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Eastern Standard Time(GMT-05:00)</TimeZone><iJoin>0</iJoin><SBID><stat>2</stat><msppid></msppid><name>Hewlett-Packard</name><model>Pavilion</model></SBID><OEM/><BRT/></MachineData> <Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults>
 
SP error message

Good morning Ken. I decided to try and get Service Pack 1a installed, if I could.

I can get it from the Microsoft website, and it downloads. But when I try to install it, it get to a point where I get an error message that says:

Service Pack 1 Setup Error

The file c:\windows\servicepackfiles\i386\svcsys
is open or in use by another application.
Close all other applications and then click retry.

And then there are 2 buttons: Retry and cancel

I DO have everything else closed, but when I hit retry, it just keeps beeping at me until I hit the cancel button.

I'm so close!!!!

My daughter keeps asking me if she can go play games on Club Penguin, but I won't let her go to any websites until I get the service packs done, because I don't want to get infected again. What's next?
 
Good Morning,

The tool I had you run shows that your copy of Windows is legal and validated so there are some issue we cant see preventing the installation of SP1a. After thats installed then we can proceed to SP3 but SP3 cannot be installed without SP1a.

Lets try booting your computer to Safemode with Network Support, then go to the Microsoft site again and give it another try.

To Enter Safemode
  • Go to Start> Shut off your Computer> Restart
  • As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly,
    this will bring up a menu.
  • Use the Up and Down Arrow Keys to scroll up to Safemode with Network Support
  • Then press the Enter Key on your Keyboard
Tutorial if you need it How to boot into Safemode
 
Safe mode

I restarted and got into Safe Mode with Networking like you said.

I double-clicked on the SP 1a icon that I had installed on my desktop and tried to install again. The same message pops up.

Is something wrong with that one file?
 
You must log in or register to reply here.
Back
Top