Many pop-ups and now freezing

Main.txt

Program did not produce extra.txt this time, only main.txt.



Deckard's System Scanner v20071014.68
Run by Mis on 2007-10-30 11:44:40
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 504 MiB (512 MiB recommended).


-- HijackThis (run as Mis.exe) -------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:44:43 AM, on 10/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Gaim\gaim.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Mis\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Mis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~4\Office12\GRA8E1~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\BAE\BAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Enterprise
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1144210292859
O16 - DPF: {CE8267C2-D41A-4A50-A69D-F32B5C289F14} (FileOpenInstaller) - http://www.cramster.com/DRM/Client/FileOpen.CAB
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/chuzzle/popcaploader_v6.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 9814 bytes

-- Files created between 2007-09-30 and 2007-10-30 -----------------------------

2007-10-29 13:17:24 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2007-10-25 16:49:51 0 d-------- C:\Program Files\Trend Micro
2007-10-25 13:55:12 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-10-25 13:54:19 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-10-23 14:51:49 0 d-------- C:\VundoFix Backups
2007-10-22 12:53:00 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-22 12:20:33 0 d-------- C:\Documents and Settings\LocalService\Application Data\Google
2007-10-22 12:20:28 0 dr------- C:\Documents and Settings\LocalService\Favorites
2007-10-22 12:12:17 0 --a------ C:\WINDOWS\system32\SBRC.dat
2007-10-22 12:12:17 0 --a------ C:\WINDOWS\system32\SBFC.dat
2007-10-21 21:45:13 0 d-------- C:\Documents and Settings\Mis\Application Data\Sunbelt Software
2007-10-19 16:36:30 0 d-------- C:\WINDOWS\system32\drivers\UMDF
2007-10-12 19:23:45 0 d-------- C:\Program Files\iPod
2007-10-12 19:23:25 0 d-------- C:\Program Files\iTunes
2007-10-11 17:59:01 0 d-------- C:\Program Files\EZFace
2007-10-11 17:58:33 0 d-------- C:\temp
2007-09-30 17:20:57 0 d-------- C:\Program Files\Microsoft Works
2007-09-30 17:18:42 0 d-------- C:\Program Files\Microsoft.NET
2007-09-30 16:41:21 0 d-------- C:\Program Files\Symantec AntiVirus
2007-09-30 12:34:17 0 d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-09-30 12:25:48 0 dr-h----- C:\MSOCache


-- Find3M Report ---------------------------------------------------------------

2007-10-30 11:39:16 0 d-------- C:\Documents and Settings\Mis\Application Data\.gaim
2007-10-29 13:15:00 0 d-------- C:\Documents and Settings\Mis\Application Data\AdobeUM
2007-10-21 11:28:37 36891 --a------ C:\WINDOWS\SharedDLLs.REG
2007-10-19 16:39:03 0 d-------- C:\Program Files\Windows Media Connect 2
2007-09-30 17:20:06 0 d-------- C:\Program Files\Common Files
2007-09-30 16:43:08 0 d-------- C:\Program Files\Common Files\Symantec Shared
2007-09-30 16:42:22 0 d-------- C:\Program Files\Symantec
2007-09-27 16:18:55 0 d-------- C:\Program Files\Apple Software Update


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [10/14/2005 10:49 PM]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [10/14/2005 10:46 PM]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [10/14/2005 10:50 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [11/19/2003 07:48 PM]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [11/29/2005 06:56 AM]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [11/01/2006 03:48 PM]
"SigmatelSysTrayApp"="stsystra.exe" [09/10/2005 01:19 AM C:\WINDOWS\stsystra.exe]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [02/23/2005 06:19 PM]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [03/28/2006 11:55 AM]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [12/06/2004 03:05 AM]
"ISUSPM Startup"="c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [06/10/2005 12:44 PM]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [06/10/2005 12:44 PM]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [07/12/2005 09:05 PM]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [02/19/2006 05:41 AM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [06/29/2007 06:24 AM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [07/19/2006 07:26 PM]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [09/27/2006 08:33 PM]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" []
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [10/27/2006 12:47 AM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [09/26/2007 02:42 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 12:24 PM]
"Aim6"="" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 07:00 AM]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [03/15/2007 02:09 PM]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [10/18/2006 08:05 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [9/23/2005 10:05:26 PM]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [3/28/2006 11:51:21 AM]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2/19/2006 7:21:22 AM]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\awtqp.dll


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2b2b426c-6945-11dc-b173-00142298d775}]
AutoRun\command- D:\LinksysConnectPC.exe




-- End of Deckard's System Scanner: finished at 2007-10-30 11:45:04 ------------
 
Hello


1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\awtqp.dll

Registry::
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=-

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,00,\
00

Save this as CFScript.txt, in the same location as ComboFix.exe


[image: CFScript.gif]


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
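The CFScript above is worth understanding rather than just running. The DSS log showed `awtqp.dll` appended to the LSA "Authentication Packages" value next to `msv1_0`; anything listed there is loaded into lsass.exe as SYSTEM at boot, so deleting the file alone would leave a broken load entry and reinfection hooks behind. The script therefore deletes the value (`=-`) and rewrites it as a REG_MULTI_SZ: the `hex(7):` bytes are simply UTF-16LE `msv1_0`, NUL-terminated, with a second NUL closing the list. The following Python is an added example, not part of ComboFix, DSS or the original posts: it decodes and re-encodes that `hex(7)` form, parses the log rendering, and flags any package not on an allow-list. The allow-list containing only `msv1_0` is an assumption that holds for a stock Windows XP install; an enterprise box may legitimately carry other packages.

```python
"""Decode, re-encode and audit the LSA "Authentication Packages" value.

Added example for this thread; it is not part of ComboFix, DSS or the
original posts. Everything LSASS loads from this REG_MULTI_SZ runs inside
lsass.exe as SYSTEM at boot, which is why the CFScript rewrites the value
instead of only deleting the DLL.
"""
import re

# A stock Windows XP machine lists only msv1_0 here. Assumption: no
# legitimate third-party authentication package is installed on this box.
DEFAULT_AUTH_PACKAGES = {"msv1_0"}

# Values taken from the thread: the line DSS dumped before the fix, the
# hex(7) value the CFScript writes back, and ComboFix's rendering afterwards.
DSS_LINE = '"Authentication Packages"= msv1_0 C:\\WINDOWS\\system32\\awtqp.dll'
CFSCRIPT_VALUE = (
    "hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,00,\\\n"
    "00"
)
POST_FIX_LINE = '"Authentication Packages"= m s v 1 _ 0'


def decode_hex7(value: str) -> list[str]:
    """Parse a .reg 'hex(7):..' REG_MULTI_SZ (with '\\' line continuations)."""
    body = value.split(":", 1)[1]
    hexdigits = re.sub(r"[\\\s,]", "", body)   # strip continuations, whitespace, commas
    text = bytes.fromhex(hexdigits).decode("utf-16-le")
    # Each string is NUL-terminated and the list ends with an extra NUL.
    return [s for s in text.split("\0") if s]


def encode_hex7(strings: list[str]) -> str:
    """Inverse of decode_hex7: produce the value for a .reg or CFScript file."""
    raw = ("\0".join(strings) + "\0\0").encode("utf-16-le")
    return "hex(7):" + ",".join(f"{b:02x}" for b in raw)


def parse_log_value(line: str) -> list[str]:
    """Split a DSS/ComboFix '"Authentication Packages"= ...' line into entries."""
    rhs = line.partition("=")[2]
    tokens = rhs.split()
    # ComboFix prints a freshly written multi-string one character per token
    # ("m s v 1 _ 0"); fold that back into a single entry.
    if tokens and all(len(t) == 1 for t in tokens):
        return ["".join(tokens)]
    return tokens


def audit_packages(packages: list[str], allowed=DEFAULT_AUTH_PACKAGES) -> list[str]:
    """Return entries not on the allow-list; a full DLL path is always suspicious."""
    return [p for p in packages if p.lower() not in allowed]


def main() -> None:
    before = parse_log_value(DSS_LINE)
    print("before fix:", before, "-> suspicious:", audit_packages(before))
    print("CFScript restores:", decode_hex7(CFSCRIPT_VALUE))
    print("after fix:", audit_packages(parse_log_value(POST_FIX_LINE)) or "clean")
    # Round trip: the script's hex(7) line is exactly what encode_hex7 produces.
    assert decode_hex7(encode_hex7(["msv1_0"])) == ["msv1_0"]


if __name__ == "__main__":
    main()
```

Run against the DSS line the checker reports `C:\WINDOWS\system32\awtqp.dll` as the foreign entry, and against the post-fix ComboFix line it reports nothing. The same decode/encode pair applies to the sibling `Notification Packages` and `Security Packages` values under the same LSA key, which are also REG_MULTI_SZ and are abused the same way.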
 
Combofix.txt

ComboFix 07-10-30.5 - Mis 2007-10-30 18:36:03.2 - NTFSx86
Running from: C:\Documents and Settings\Mis\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Mis\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\WINDOWS\system32\awtqp.dll
.

((((((((((((((((((((((((( Files Created from 2007-09-28 to 2007-10-30 )))))))))))))))))))))))))))))))
.

2007-10-28 17:50 <DIR> d-------- C:\Deckard
2007-10-25 18:54 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-25 16:49 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-25 13:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-10-25 13:54 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-10-23 14:51 <DIR> d-------- C:\VundoFix Backups
2007-10-22 12:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-22 12:12 0 --a------ C:\WINDOWS\system32\SBRC.dat
2007-10-22 12:12 0 --a------ C:\WINDOWS\system32\SBFC.dat
2007-10-21 21:45 <DIR> d-------- C:\Documents and Settings\Mis\Application Data\Sunbelt Software
2007-10-19 16:36 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-10-12 19:23 <DIR> d-------- C:\Program Files\iTunes
2007-10-12 19:23 <DIR> d-------- C:\Program Files\iPod
2007-10-11 17:59 <DIR> d-------- C:\Program Files\EZFace
2007-10-11 17:58 <DIR> d-------- C:\temp
2007-10-11 17:58 117,993 --a------ C:\temp\EZfaceOCXWindless.exe
2007-10-10 15:09 582,656 --------- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-09-30 17:24 32,592 --a------ C:\WINDOWS\system32\msonpmon.dll
2007-09-30 17:20 <DIR> d-------- C:\Program Files\Microsoft Works
2007-09-30 17:18 <DIR> d-------- C:\Program Files\Microsoft.NET
2007-09-30 16:42 109,744 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-09-30 16:42 48,816 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2007-09-30 16:41 <DIR> d-------- C:\Program Files\Symantec AntiVirus
2007-09-30 12:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-09-30 12:25 <DIR> dr-h----- C:\MSOCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-30 22:29 --------- d-----w C:\Documents and Settings\Mis\Application Data\.gaim
2007-10-29 17:15 --------- d-----w C:\Documents and Settings\Mis\Application Data\AdobeUM
2007-10-21 15:28 36,891 ----a-w C:\WINDOWS\SharedDLLs.REG
2007-10-19 20:39 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-09-30 20:43 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-09-30 20:42 --------- d-----w C:\Program Files\Symantec
2007-09-30 20:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-09-27 20:18 --------- d-----w C:\Program Files\Apple Software Update
2007-08-28 01:09 --------- d-----w C:\Program Files\QuickTime
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-21 06:15 683,520 ------w C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-08-20 10:04 824,832 ----a-w C:\WINDOWS\system32\dllcache\wininet.dll
2007-08-20 10:04 671,232 ----a-w C:\WINDOWS\system32\dllcache\mstime.dll
2007-08-20 10:04 63,488 ------w C:\WINDOWS\system32\dllcache\icardie.dll
2007-08-20 10:04 6,058,496 ------w C:\WINDOWS\system32\dllcache\ieframe.dll
2007-08-20 10:04 52,224 ------w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-08-20 10:04 477,696 ----a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-08-20 10:04 459,264 ------w C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-08-20 10:04 44,544 ------w C:\WINDOWS\system32\dllcache\iernonce.dll
2007-08-20 10:04 384,512 ------w C:\WINDOWS\system32\dllcache\iedkcs32.dll
2007-08-20 10:04 383,488 ------w C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-08-20 10:04 3,584,512 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-08-20 10:04 27,648 ----a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-08-20 10:04 267,776 ------w C:\WINDOWS\system32\dllcache\iertutil.dll
2007-08-20 10:04 232,960 ------w C:\WINDOWS\system32\dllcache\webcheck.dll
2007-08-20 10:04 230,400 ------w C:\WINDOWS\system32\dllcache\ieaksie.dll
2007-08-20 10:04 214,528 ----a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-08-20 10:04 193,024 ----a-w C:\WINDOWS\system32\dllcache\msrating.dll
2007-08-20 10:04 153,088 ------w C:\WINDOWS\system32\dllcache\ieakeng.dll
2007-08-20 10:04 132,608 ----a-w C:\WINDOWS\system32\dllcache\extmgr.dll
2007-08-20 10:04 124,928 ------w C:\WINDOWS\system32\dllcache\advpack.dll
2007-08-20 10:04 105,984 ------w C:\WINDOWS\system32\dllcache\url.dll
2007-08-20 10:04 102,400 ------w C:\WINDOWS\system32\dllcache\occache.dll
2007-08-20 10:04 1,152,000 ----a-w C:\WINDOWS\system32\dllcache\urlmon.dll
2007-08-17 10:21 625,152 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2007-08-17 10:20 63,488 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-08-17 10:20 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-08-17 07:34 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2007-07-30 23:19 92,504 ----a-w C:\WINDOWS\system32\dllcache\cdm.dll
2007-07-30 23:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-30 23:19 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-07-30 23:19 549,720 ----a-w C:\WINDOWS\system32\dllcache\wuapi.dll
2007-07-30 23:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-30 23:19 53,080 ----a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
2007-07-30 23:19 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-07-30 23:19 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-07-30 23:19 325,976 ----a-w C:\WINDOWS\system32\dllcache\wucltui.dll
2007-07-30 23:19 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll
2007-07-30 23:19 207,736 ----a-w C:\WINDOWS\system32\muweb.dll
2007-07-30 23:19 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-07-30 23:19 203,096 ----a-w C:\WINDOWS\system32\dllcache\wuweb.dll
2007-07-30 23:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-30 23:19 1,712,984 ----a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
2007-07-30 23:18 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-07-30 23:18 33,624 ----a-w C:\WINDOWS\system32\dllcache\wups.dll
2007-07-12 23:31 765,952 ----a-w C:\WINDOWS\system32\dllcache\vgx.dll
2007-07-09 13:16 582,656 ----a-w C:\WINDOWS\system32\rpcrt4.dll
2007-02-06 22:44 16,760 ----a-w C:\Documents and Settings\Mis\Application Data\GDIPFONTCACHEV1.DAT
2006-04-05 03:08 2,855,080 ----a-w C:\Program Files\aawsepersonal.exe
2006-04-05 02:46 7,169,024 ----a-w C:\Program Files\Epson.exe
2006-08-12 23:44:40 104 --sh--r C:\WINDOWS\system32\8F71422C90.sys
2006-08-12 23:44:44 6,580 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot@2007-10-26_19.23.07.48 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-10-20 10:03:30 136,192 ----a-w C:\WINDOWS\catchme.exe
+ 2007-10-29 22:56:19 136,192 ----a-w C:\WINDOWS\catchme.exe
+ 2007-10-29 17:18:01 25,214 ----a-r C:\WINDOWS\Installer\{AC76BA86-7AD7-1033-7B44-A70900000002}\SC_Reader.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-14 22:49]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-14 22:46]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-10-14 22:50]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 19:48]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-29 06:56]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2006-11-01 15:48]
"SigmatelSysTrayApp"="stsystra.exe" [2005-09-10 01:19 C:\WINDOWS\stsystra.exe]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 18:19]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2006-03-28 11:55]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 03:05]
"ISUSPM Startup"="c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 12:44]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 12:44]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2005-07-12 21:05]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 05:41]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 19:26]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-09-27 20:33]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" []
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 14:42]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]
"Aim6"="" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 14:09]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-03-28 11:51:21]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 07:21:22]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= m s v 1 _ 0


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2b2b426c-6945-11dc-b173-00142298d775}]
AutoRun\command - D:\LinksysConnectPC.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-10-26 23:16:06 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-30 18:38:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-30 18:39:17
C:\ComboFix2.txt ... 2007-10-26 19:24
.
--- E O F ---
 
How is your PC running now? Any problems at all?

I just want to check a file.


Jotti File Submission:
  • Please go to Jotti's malware scan
  • Copy and paste the following file path into the "File to upload & scan" box at the top of the page:
    • C:\temp\EZfaceOCXWindless.exe
  • Click on the submit button
  • Please post the results in your next reply.
 
My computer is running much better now. I don't have any pop-ups and it stopped freezing. It is still running a little slow when I start it up and when I initially open a browser window. Thank you for all your help.



File: EZfaceOCXWindless.exe_
Status: OK
MD5: ada8a9bbba2c1c839c1deef4c64ed906
Packers detected: PE_PATCH
Bit9 reports: File not found



Scan taken on 31 Oct 2007 00:30:13 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing
 
Looking good

* Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Doubleclick the drweb-cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, in the menu, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer, because files in use may be moved/deleted during the reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.



Also please post a new HijackThis log.
 
Major Problem

So I ran the Dr.Web CureIt and it found about 10 things, so I said cure all, and now I can't get Windows to boot normally. I cured all the things it said it found and then I rebooted, and when it tried to start Windows again it asked me for the user password, but I don't have one set. I tried everything I could think of and nothing worked. I tried to boot in Safe Mode and it gives me the option of logging on as an administrator or user, and I can't get either of those to work. Eventually I got it to log on as a guest in normal mode, but when I do that there isn't anything there. It does not recognize its internal wireless card, my modem, my printer, etc. So as of right now my computer is useless as it cannot do anything. Any ideas what happened or what I can do to fix it? Thanks
 
Hello SupermanMD

This is a bizarre error; I have never heard of Dr.Web CureIt doing this before.

So i ran the Dr.web cure it and it found about 10 things
Any idea what it found? Can you post the report by logging into the guest account and getting it?

any ideas what happened or what I can to do fix?
I think a good idea would be to try a System Restore at the moment while I see about another fix.
 
I can't get the report. I saved it to the desktop, and when I am logged on as a guest the desktop doesn't have any of my files or programs. When I am logged on as the guest it doesn't even have the Dr.Web CureIt program. There is also nothing in "My Documents". I can't do a System Restore because the guest account doesn't have administrator privileges. When I am logged in as a guest I cannot do anything to the computer; for instance, I couldn't even get the "search" function for Windows to work. Sorry I can't be more helpful, but right now my computer is just a big paperweight :)
 
Do you remember any of the names Dr. Web Cureit found?

I have no idea why this happened, it is so strange...I am currently asking a Tech friend since he knows a lot more about this sort of thing. Hold tight for me please.
 
Try this

Have you tried just leaving the password entry window empty and pressing Enter? Tell me how that goes.


If that doesn't work, then reboot into Safe Mode, leave the password entry window empty and press Enter. If that works, then go to Control Panel - User Accounts to change the login password for your username account to anything you want.
 
I have tried leaving the password blank and that's how I can log on as a guest, but that does not work in regular mode or in Safe Mode for my user or the administrator. I have also tried using "admin", "user", "setup", "password", plus any of my passwords I could think of, to log on in both regular and Safe Modes. I also went to the boot menu (I pushed F12 on startup to get to another menu) and in there it had a menu for administrator password and setup password, and both of those were set to "none". Also, on the menu where you select to start in Safe Mode I tried selecting "Last known good configuration" to see if that would be any better, but nothing changed; I still couldn't log on.
I don't remember any of the specific names of the things that Dr.Web CureIt found, but the description of them all said something like "possible backdoor trojan".
 
Hey SupermanMD

It seems like Dr.Web CureIt is responsible. I am going to try to ask somebody who is involved with the tool. I am also asking a Tech friend for more ideas.

Sit tight for a little longer.
 
I have been asking around and so far no one has ever heard of a problem like mine. At this point I am ready just to reinstall windows because I need to get back onto my computer. Do you think this is the best solution at this point?
 
Let's not reinstall Windows yet. This solution will hopefully work.

Log into your guest account and go to this file

C:\WINDOWS\ERDNT\subs\erdnt.exe


Double click on the file erdnt.exe, follow any prompts, and reboot your PC after you have done all that. Let me know how that goes. Also make sure to let me know if you have any trouble
 
When I get into the folder, C:\WINDOWS\ERDNT\subs\, there is only a folder labeled "F3M" (no program named "erdnt.exe"). The only thing in F3M is a file called "system."

Additionally, when I tried clicking on iTunes, I get the error message: "The Windows Installer Service cannot be accessed. This can occur if you are running Windows in Safe Mode or if the Windows Installer is not correctly installed." And this is when I am logged in as Guest (not in Safe Mode).

Just trying to give you as much info as I can.
 
Look in this folder for erdnt.exe

C:\Qoobox

It might be in a sub-folder in Qoobox

Let me know how that goes.
 
I was able to find the program in a subfolder called "hiv-backup."

I ran the program, but it told me "Unable to create backup of current registry file C:\Windows\System32\config\security." So I clicked "OK," and I got an error stating, "Error restoring C:\Qoobox\hiv-backup\security to C:\Windows\System32\config\security."

It asks me if I want to continue to the next file. I said, "Yes." But then I got new identical errors for "...\software," "...\system," and "...\sam."

It finished, and I rebooted, but nothing happened.
 
Can you try it one more time please.

Can you also go to

C:\Documents and Settings\Your user name here\Dr Web\Quarantine

and take a screenshot of the files in there, and list them out if possible.

System Restore still won't work? How about booting into your main account in normal or safe mode?
 
I tried it three times. All I get are the error messages. I cannot get into the user folder from the guest account; it says "access restricted". System Restore still does not work. I still cannot log on as my user in either normal or Safe Mode. I am just going to reinstall Windows.
 