MS Antivirus 2009 infection

SBDad

New member
Hi all. Thanks in advance for any and all help. A couple of days ago the MS Antivirus 2009 popup occurred on my home computer. It is a Dimension 8200 @ 1.9 GHz with 256 MB of RDRAM running WinXP Home SP2. I made sure I didn't click the window and ended the program using task manager. I deleted all files/folders under C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd. and removed MS Antivirus 2009 with Add/Remove programs.

Many things have changed on the computer since that fateful popup. Among them are:
  • Can no longer run Spybot S&D
  • Folder Options is missing from the Tools menu item in Explorer
  • Cannot change most options for Windows
  • In Safe Mode, System Restore does list many Restore Points, but when I click on one (prior to the date of the popup) and then 'Next', nothing happens.

I will post a hjt log next. Thanks again!
 
Here is the hjt log from SafeMode:

Logfile of HijackThis v1.99.1
Scan saved at 04:54:34 PM, on 12/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HijackThis\Scan.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://smetsys.net/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: C:\WINDOWS\system32\tyshb36rfjdf.dll - {D5BF49A2-94F1-42BD-F434-3604812C807D} - C:\WINDOWS\system32\tyshb36rfjdf.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BOC-425] C:\PROGRA~1\Comodo\CBOClean\BOC425.exe
O4 - HKLM\..\Run: [zzzHPSETUP] F:\Setup.exe \RESET
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [DiscWizard for Windows] C:\Program Files\DiscWizard for Windows\dwwin.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk.disabled
O4 - Global Startup: AOL Companion.lnk.disabled
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/et1_x.cab
O16 - DPF: Yahoo! Go Fish - http://download.games.yahoo.com/games/clients/y/zt3_x.cab
O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/games/clients/y/grt5_x.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt1_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: Yahoo! Spelldown - http://download.games.yahoo.com/games/clients/y/sdt1_x.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1190949702406
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Thanks again for the help. Happy Holidays!
 
Sorry, I forgot to add that I have disconnected the infected computer from the internet to hopefully stop any further additions to the problem. Thanks again!
 
Hi


Please visit this webpage for download links and instructions for running the ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

  1. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    Remember to re-enable them afterwards.

  2. Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.


A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.
 
Hi Blade81. Thank you for the help. I have downloaded 'ComboFix' and the 'Windows XP Home Edition with Service Pack 2 Utility- Setup Disks for Floppy Boot Install' to install the Recovery Console. I will be transferring these over to the home computer with a flash drive and then installing them. Once I have the ComboFix log I will run hjt again and post both logs.

Thanks again for the help!

P.S. Just curious, what does sUBs stand for (it's been awhile since I kept up :) )?
 
Hi Blade81. I copied both files to the desktop on the home computer. I then dragged the file 'WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe' onto the top of the file 'ComboFix.exe' as instructed in the ComboFix guide, but nothing happens.
  • Should I turn off ZoneAlarm and SB TeaTimer first (even though that's the next step after the drag & drop)?
  • I am not in SafeMode either, should I be?

I also forgot to mention that since the MS AV2009 infection I can no longer run diags/commands from Run, like regedit, as I get an Error Window that states 'Registry editing has been disabled by your administrator.', even though my login is set up as an Administrator. Maybe this is why the above step didn't work.

Thanks again!
 
Hi

Please rename the ComboFix.exe file -> CombiFxx.exe before transferring it to the infected system. Then try to run it there.


sUBs is the author of ComboFix :)
 
Hi Blade81. Well, I had typed up a long response on what happened, but when I clicked Submit Reply I was redirected to login again, and of course everything I typed went by the wayside too. I will try and remember what I had typed up before.

Renaming the exe worked. A couple of problems came up though. Since I can't run SB, I didn't know how to shut down the TeaTimer, but something kind of weird happened. When I shut down ZoneAlarm, not only did the icon for ZA get removed from the System Tray, but the TeaTimer icon disappeared too. I went to the Task Manager to make sure the TeaTimer was not running, which it wasn't, and noticed that BOCore was running too (even though it has stopped working correctly), so I ended the task for it as well (as noted in the AV, FW, AMW disabling instructions).

ComboFix started to run as per the instructions, with a Dos Window and then prompts through popup windows. It made it to the Query Window "ComboFix has detected that this machine does not have the 'WINDOWS RECOVERY CONSOLE'. It would be in your BEST INTEREST to have it installed. Would you like to do so now? *Note* -This requires an active internet connection." Since the internet would be required, I plugged the network cable back in for the internet connection and then clicked Yes on the Query Window. Shortly after, an Error Window came up stating that the Recovery Console installation failed. While I was typing this up the Error Window disappeared along with the Taskbar, so I tried looking to see if it was under the Dos Window to make sure what the Error Window stated, to relay it in this note. I then realized that the scan was already running and on Stage_32. I then remembered that if the scan was running I was not supposed to click on the window, and that the desktop might disappear during the scan as part of the normal process, which might be why the Error Window disappeared as well. When I clicked on the Dos Window, the scan went from Stage_32 to Stage_32A.

Sorry, the memory is not as good as it once was. Hopefully this didn't mess up the scan. Let me know if you need me to restart the scan with ComboFix and also what I should do to fix the Recovery Console installation failure. Many, many thanks again for the help. Hope your weekend is going well.
 
Hi SBDad

It's possible that recovery console installation must be done later if malware is still blocking the connection. Let ComboFix finish and then post back its log & a fresh hjt log :)
 
Hi Blade81. Thanks :) . The forum logged me out again; is there a way to increase the timeout?

Here's what happened since the last post (I'm listing all of the steps so you know what I did and encountered, and to help with future assistance to anyone):
  • During the process, ComboFix rebooted the computer. I logged back in and ComboFix restarted, but since the computer rebooted, ZA and SD TeaTimer restarted as well (I cannot run SB so I can't shut down the TeaTimer). The Dos window came up with "Preparing Log Report. Do not run any programs until ComboFix has finished." and a Warning Window came up that stated "ComboFix has detected the following real time scanner(s) to be active: *ZoneAlarm Security Suite Antivirus. Antivirus and intrusion prevention programs are known to interfere with ComboFix's running. This may lead to unpredictable results or possible machine damage. Please disable these scanners before clicking 'OK'." Not to mention the numerous SB popups detecting registry changes.
  • I unplugged the network cable and shut down ZA. The SysTray icon did disappear, and this time the TeaTimer icon stayed. I was able to right click on the TeaTimer icon and uncheck the Resident, and then right click again and shut down the Resident.
  • I ran Task Manager to verify and found both TeaTimer.exe and BOCore.exe, so I ended both tasks.
  • I then clicked on the Warning Window's OK to finish ComboFix.
  • After a bit the following line came up in the Dos window: "Find3M= FINDSTR: Cannot open temp01"
  • Of course, I tried very carefully to be patient, and finally the log.txt window (in Notepad) appeared.

*****************************************************
Here's the ComboFix log:

ComboFix 08-12-26.03 - Brian 2008-12-28 14:19:45.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.255.97 [GMT -5:00]
Running from: c:\documents and settings\Brian\Desktop\CombiFxx.exe
Command switches used :: c:\documents and settings\Brian\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\program files\asembl~1
c:\program files\asembl~1\?vchost.exe
c:\program files\Common Files\{3C6A5~1
c:\program files\dobe~1
c:\program files\dobe~1\WNSXS~1\ctxad-530.0000
c:\program files\dobe~1\WNSXS~1\ctxad-530.0001
c:\program files\dobe~1\WNSXS~1\ctxad-530.0002
c:\program files\dobe~1\WNSXS~1\ctxad-530.0003
c:\program files\dobe~1\WNSXS~1\ctxad-530.0004
c:\program files\dobe~1\WNSXS~1\ctxad-530.0005
c:\program files\dobe~1\wuauclt.exe
c:\windows\IE4 Error Log.txt
c:\windows\msettings.ini
c:\windows\system32\bb1.dat
c:\windows\system32\cmds.txt
c:\windows\system32\cs.dat
c:\windows\system32\dl.txt
c:\windows\system32\drivers\TDSSpqxt.sys
c:\windows\system32\mdm.exe
c:\windows\system32\ps1.dat
c:\windows\system32\rc.dat
c:\windows\system32\tb.dr
c:\windows\system32\tyshb36rfjdf.dll
c:\windows\system32\unsvchosts.lzma
c:\windows\system32\vgf32.dll
c:\windows\system32\wapiit.exe

----- BITS: Possible infected sites -----

hxxp://auf-jeder.com
c:\windows\system32\userinit.exe . . . is infected!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CMDSERVICE
-------\Legacy_COM+_MESSAGES
-------\Legacy_CORE
-------\Legacy_NETWORK_MONITOR
-------\Legacy_TDSSSERV.SYS
-------\Legacy_TNIDRIVER
-------\Service_TnIDriver


((((((((((((((((((((((((( Files Created from 2008-11-28 to 2008-12-28 )))))))))))))))))))))))))))))))
.

2100-02-23 14:35 . 2001-02-22 09:54 768 --a------ c:\windows\x73_lut.dat
2100-02-08 15:53 . 2007-01-15 15:24 1,441 --a------ c:\windows\GtX73.ini
2008-12-19 00:06 . 2008-12-19 00:06 73,728 --a------ c:\windows\system32\TDSScfum.dll
2008-12-19 00:06 . 2008-12-19 00:06 31,232 --a------ c:\windows\system32\TDSSriqp.dll
2008-12-19 00:06 . 2008-12-19 00:06 29,696 --a------ c:\windows\system32\TDSSnrsr.dll
2008-12-19 00:06 . 2008-12-19 00:06 2,710 --a------ c:\windows\system32\TDSSlxwp.dll
2008-12-19 00:06 . 2008-12-19 00:06 441 --a------ c:\windows\system32\TDSSosvd.dat
2008-12-19 00:05 . 2008-12-19 00:06 35,840 --a------ c:\windows\system32\TDSSofxh.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-28 20:28 35,664,416 --sha-w c:\windows\system32\drivers\fidbox.dat
2008-12-28 20:09 2,004,768 --sha-w c:\windows\system32\drivers\fidbox2.dat
2008-12-28 19:31 479,576 --sha-w c:\windows\system32\drivers\fidbox.idx
2008-12-28 19:31 189,944 --sha-w c:\windows\system32\drivers\fidbox2.idx
2008-12-19 04:43 --------- d-----w c:\documents and settings\Brian\Application Data\MailFrontier
2008-11-23 04:57 --------- d-----w c:\program files\Spybot - Search & Destroy
2006-06-08 17:44 116,432 -c--a-w c:\documents and settings\Ashley\Application Data\GDIPFONTCACHEV1.DAT
2006-05-13 15:31 116,432 ----a-w c:\documents and settings\Samantha\Application Data\GDIPFONTCACHEV1.DAT
2003-03-13 18:12 69,344 ----a-w c:\documents and settings\Cheryl\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 70,816 2003-11-10 18:30:02 c:\program files\Common Files\Symantec Shared\bak\ccApp.exe

----a-w 218,240 2004-08-05 21:23:14 c:\program files\Common Files\Symantec Shared\Security Center\bak\UsrPrmpt.exe

----a-w 172,122 2001-08-30 09:00:00 c:\program files\Creative\SBLive\Creative Diagnostics 2.0\bak\DIAGENT.EXE

----a-w 102,400 2001-03-28 01:00:00 c:\program files\Creative\SBLive\Program\bak\AHQInit.exe

----a-w 49,152 2004-09-13 20:49:00 c:\program files\HP\HP Software Update\bak\HPWuSchd2.exe
----a-w 49,152 2004-09-13 19:49:00 c:\program files\HP\HP Software Update\hpwuSchd2.exe

----a-w 278,528 2005-10-06 23:03:14 c:\program files\iTunes\bak\iTunesHelper.exe

----a-w 53,248 2001-07-11 17:08:38 c:\program files\LexmarkX73\bak\AcBtnMgr_X73.exe

----a-w 53,248 2001-10-08 21:21:28 c:\program files\LexmarkX73\bak\ACMonitor_X73.exe

----a-w 204,800 2004-06-03 08:50:07 c:\program files\Microsoft IntelliPoint\bak\point32.exe

----a-w 155,648 2006-02-09 02:05:33 c:\program files\QuickTime\bak\qttask.exe

----a-w 1,415,824 2005-05-31 06:04:00 c:\program files\Spybot - Search & Destroy\bak\TeaTimer.exe
--sha-r 1,833,296 2008-09-16 16:16:08 c:\program files\Spybot - Search & Destroy\TeaTimer.exe

----a-w 163,840 2001-09-23 15:14:48 c:\windows\bak\DELLMMKB.EXE

----a-w 13,312 2002-08-29 10:41:22 c:\windows\system32\bak\ctfmon.exe
----a-w 15,360 2004-08-04 07:56:48 c:\windows\system32\ctfmon.exe

----a-w 36,864 2001-10-12 07:42:53 c:\windows\system32\spool\drivers\w32x86\3\bak\printray.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Lexmark X73 Button Monitor"="c:\progra~1\LEXMAR~1\ACMonitor_X73.exe" [N/A]
"Lexmark X73 Button Manager"="c:\progra~1\LEXMAR~1\AcBtnMgr_X73.exe" [N/A]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 919280]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-10-29 4620288]
"BOC-425"="c:\progra~1\Comodo\CBOClean\BOC425.exe" [2007-08-08 338432]
"zzzHPSETUP"="F:\Setup.exe" [N/A]
"nwiz"="nwiz.exe" [2004-10-29 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Photo TurboBackup"="c:\program files\FileStream\Photo TurboBackup\pbksche.exe" [2005-09-15 512000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
America Online 8.0 Tray Icon.lnk.disabled [2005-06-03 838]
AOL Companion.lnk.disabled [2005-12-28 1646]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 258048]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ctmp3"= c:\windows\System32\ctmp3.acm
"aux"= ctwdm32.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BlackICE PC Protection.lnk.disabled]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BlackICE PC Protection.lnk.disabled
backup=c:\windows\pss\BlackICE PC Protection.lnk.disabledCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Camio Viewer 2000.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Camio Viewer 2000.lnk
backup=c:\windows\pss\Camio Viewer 2000.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
backup=c:\windows\pss\Microsoft Works Calendar Reminders.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Portfolio]
--a------ 2000-08-08 15:00 311350 c:\program files\Microsoft Works\WksSb.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2004-10-29 16:50 4620288 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2004-10-29 16:50 86016 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-07-12 03:00 132496 c:\program files\Java\jre1.6.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"BlackICE"=2 (0x2)
"navapsvc"=2 (0x2)
"ccSetMgr"=2 (0x2)
"SymWSC"=2 (0x2)
"Symantec Core LC"=2 (0x2)
"SBService"=2 (0x2)
"SAVScan"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows\System32\ctfmon.exe
"MoneyStartUp"=c:\program files\Microsoft Money\System\Money Startup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"AdaptecDirectCD"="c:\program files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"SunJavaUpdateSched"=c:\program files\Java\j2re1.4.2_05\bin\jusched.exe
"UpdReg"=c:\windows\Updreg.exe
"WorksFUD"=c:\program files\Microsoft Works\wkfud.exe
"{3C6A5D37-0766-1033-0918-010516010001}"="c:\program files\Common Files\{3C6A5D37-0766-1033-0918-010516010001}\Update.exe" te-110-12-0000213
"AHQInit"=c:\program files\Creative\SBLive\Program\AHQInit.exe
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe"
"DellTouch"=c:\windows\DELLMMKB.EXE
"DIAGENT"=c:\program files\Creative\SBLive\Creative Diagnostics 2.0\DIAGENT.EXE startup
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R0 sonyhcb;Sony Digital Imaging Base;c:\windows\system32\DRIVERS\sonyhcb.sys [2003-07-13 6097]
R1 hll_evlula;hll_evlula;\??\c:\program files\Common Files\System\hll_evlula32.dll [2008-11-22 19456]
R3 Msikbd2k;DellTouch;c:\windows\system32\DRIVERS\msikbd2k.sys [2002-12-29 6942]
S3 F-Secure Standalone Minifilter;F-Secure Standalone Minifilter;\??\c:\docume~1\Brian\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fsgk.sys []
S3 RapDrv;RapDrv;\??\c:\windows\System32\drivers\RapDrv.sys [2003-08-11 104636]
S3 RapFile;RapFile;\??\c:\windows\System32\drivers\RapFile.sys [2003-01-27 36644]
S3 RapNet;RapNet;\??\c:\windows\System32\drivers\RapNet.sys [2003-01-27 24344]
S3 sonyhcs;Sony Digital Imaging Video;c:\windows\system32\DRIVERS\sonyhcs.sys [2003-07-13 299923]
.
Contents of the 'Scheduled Tasks' folder

2004-01-10 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2004-01-02 14:20]
.
- - - - ORPHANS REMOVED - - - -

BHO-{D5BF49A2-94F1-42BD-F434-3604812C807D} - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://antwrp.gsfc.nasa.gov/apod/
mSearch Bar =
uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/
IE: &Define - c:\program files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
IE: Look Up in &Encyclopedia - c:\program files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM

O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-28 15:28:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TDSSserv.sys]
"imagepath"="\systemroot\system32\drivers\TDSSpqxt.sys"
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\Nhksrv.exe
c:\windows\system32\PackethSvc.exe
c:\windows\system32\CTSVCCDA.EXE
c:\windows\system32\nvsvc32.exe
c:\windows\wanmpsvc.exe
c:\windows\system32\devldr32.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-12-28 15:36:43 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-28 20:36:36

Pre-Run: 41,481,265,152 bytes free
Post-Run: 41,315,061,760 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

235

*****************************************************
Here's a fresh hjt log:

Logfile of HijackThis v1.99.1
Scan saved at 03:46:55 PM, on 12/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HijackThis\Scan.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://antwrp.gsfc.nasa.gov/apod/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BOC-425] C:\PROGRA~1\Comodo\CBOClean\BOC425.exe
O4 - HKLM\..\Run: [zzzHPSETUP] F:\Setup.exe \RESET
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk.disabled
O4 - Global Startup: AOL Companion.lnk.disabled
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/et1_x.cab
O16 - DPF: Yahoo! Go Fish - http://download.games.yahoo.com/games/clients/y/zt3_x.cab
O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/games/clients/y/grt5_x.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt1_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: Yahoo! Spelldown - http://download.games.yahoo.com/games/clients/y/sdt1_x.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1190949702406
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

*****************************************************
Thanks again Blade81 for the help!
 
Hi


Disable Spybot's TeaTimer to make sure it won't interfere with fixes. You can re-enable it when you're clean again:
  • Run Spybot-S&D in Advanced Mode
  • If it is not already set to do this, go to the Mode menu and select Advanced Mode
  • On the left hand side, click on Tools
  • Then click on the Resident icon in the list
  • Uncheck Resident TeaTimer and OK any prompts.
  • Restart your computer

Download ResetTeaTimer.bat to the Desktop (right click the link and select save)
http://downloads.subratam.org/ResetTeaTimer.bat
Double click ResetTeaTimer.bat to remove all entries set by TeaTimer (and to prevent TeaTimer from restoring them upon reactivation).



Upload the following files to http://www.virustotal.com and post back the scanning results:
c:\windows\x73_lut.dat
c:\windows\GtX73.ini
c:\windows\system32\userinit.exe



Open notepad and copy/paste the text in the quotebox below into it:

Code:
Driver::
hll_evlula
TDSSserv.sys

File::
c:\windows\system32\TDSScfum.dll
c:\windows\system32\TDSSriqp.dll
c:\windows\system32\TDSSnrsr.dll
c:\windows\system32\TDSSlxwp.dll
c:\windows\system32\TDSSosvd.dat
c:\windows\system32\TDSSofxh.dll
c:\program files\Common Files\System\hll_evlula32.dll
c:\windows\system32\drivers\TDSSpqxt.sys


Save this as CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

[Image: CFScriptB-4.gif]


Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.


Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 11.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications."
  • Click the Download button to the right.
  • Select Windows in the platform combobox and check the box that says Accept License Agreement. Click Continue.
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u11-windows-i586-p.exe to install the newest version. Note: Uncheck the MSN toolbar option if you don't want to install it.


Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Please run an online scan with Kaspersky Online Scanner as instructed in the screenshot here.


Post back its report, a fresh hjt log and above mentioned ComboFix resultant log.
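Added example (mine, not from this thread, Blade81 or VirusTotal): a parser and triage pass for VirusTotal text reports in the layout that gets pasted back later in this thread, with my own verdict thresholds and a constructed sample input (engine list shortened, second file and its digest invented).

```python
import re
from dataclasses import dataclass, field

@dataclass
class VTReport:
    filename: str
    received: str
    detected: int = 0          # from the "Result: n/m" summary line
    total: int = 0
    engines: dict = field(default_factory=dict)   # engine -> result ('-' means no detection)
    hashes: dict = field(default_factory=dict)    # md5/sha1/sha256 -> hex digest

HEADER_RE = re.compile(r"^File (?P<name>\S+) received on (?P<when>.+)$")
RESULT_RE = re.compile(r"^Result: (?P<det>\d+)/(?P<tot>\d+)")
# "<engine> <version> <yyyy.mm.dd> <result>"; a detection name may contain spaces
ENGINE_RE = re.compile(r"^(?P<engine>\S+) (?P<version>\S+) (?P<updated>\d{4}\.\d{2}\.\d{2}) (?P<result>.+)$")
# SHA512 and ssdeep wrap over two lines in the pasted reports, so only single-line digests are taken
HASH_RE = re.compile(r"^(?P<alg>MD5|SHA1|SHA256)\.*:\s*(?P<hex>[0-9a-f]+)$")

def parse_reports(text: str) -> list:
    """Split a pasted dump into one VTReport per 'File ... received on ...' header."""
    reports, cur, in_table = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            cur = VTReport(m["name"], m["when"])
            reports.append(cur)
            in_table = False
            continue
        if cur is None:
            continue
        m = RESULT_RE.match(line)
        if m:
            cur.detected, cur.total = int(m["det"]), int(m["tot"])
            continue
        if line.startswith("Antivirus Version Last Update Result"):
            in_table = True
            continue
        if in_table:
            if not line:              # a blank line closes the engine table
                in_table = False
                continue
            m = ENGINE_RE.match(line)
            if m:
                cur.engines[m["engine"]] = m["result"].strip()
            continue
        m = HASH_RE.match(line)
        if m:
            cur.hashes[m["alg"].lower()] = m["hex"]
    return reports

def triage(report: VTReport, min_hits: int = 3) -> dict:
    """Heuristic verdict using my own thresholds (not VirusTotal's): count engines whose result
    is not '-', cross-check that count against the summary line, and flag thin coverage."""
    hits = {eng: res for eng, res in report.engines.items() if res != "-"}
    notes = []
    if len(hits) != report.detected:
        notes.append("engine table disagrees with summary line")
    if report.total < 20:
        notes.append("few engines scanned; treat result as low confidence")
    if not hits:
        verdict = "clean"
    elif len(hits) < min_hits:
        verdict = "suspicious"        # one or two hits are often heuristic/false positives
    else:
        verdict = "likely malicious"
    return {"file": report.filename, "verdict": verdict, "hits": hits, "notes": notes}

# Constructed sample: first block mirrors the clean GtX73.ini result from this thread (MD5 taken
# from the thread, engine list shortened); second block is an invented file with a placeholder digest.
SAMPLE = """\
File GtX73.ini received on 12.30.2008 04:33:18 (CET)
Result: 0/4 (0%)

Antivirus Version Last Update Result
a-squared 4.0.0.73 2008.12.30 -
Kaspersky 7.0.0.125 2008.12.30 -
McAfee 5478 2008.12.29 -
Symantec 10 2008.12.30 -

MD5...: 57cabaff52940fc6dfb15b1542987cd3
=========================================================
File sample.dll received on 12.30.2008 06:00:00 (CET)
Result: 3/4 (75%)

Antivirus Version Last Update Result
a-squared 4.0.0.73 2008.12.30 Trojan.Win32.Example!IK
Kaspersky 7.0.0.125 2008.12.30 Rootkit.Win32.Example.a
McAfee 5478 2008.12.29 -
Symantec 10 2008.12.30 Trojan Horse

MD5...: 00000000000000000000000000000000
"""

if __name__ == "__main__":
    for report in parse_reports(SAMPLE):
        print(triage(report))
```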
 
Hi Blade81. Thanks again.

I'll see if I can open Spybot now; after the MS AV2009 infection I could no longer open/run it, even though the TeaTimer would show up in the SysTray. I tried to run it from the desktop icon, the Start Menu icon, and the TeaTimer icon to no avail. Also the infection hid all the exe files and removed the folder options menu item under Tools in Explorer, so I could re-check the 'Show Hidden Files and Folders' box so I could see the exe to try and run Spybot from there. That's why I couldn't disable the TeaTimer other than stopping it after it started.

I'll download the items and report back on the Spybot issue. Thanks again!
 
Hi Blade81. Thanks again. I almost made it through all of the steps; the system BSoD'ed on the Kaspersky scanner, so I'll wait to hear back what the next step should be. Here's the latest update (sorry for the length):
  • I am now able to run Spybot, so I was able to disable the TeaTimer. Restarted computer.
  • I also thought to disable the firewall/virus protection (as per previous instructions) so I disabled ZoneAlarm as well, even though it is not listed. I did this by unchecking "Load ZoneAlarm Security Suite at startup" in Overview--Preferences tab-General section, then right-click on the SysTray icon and shutdown ZoneAlarm.
  • Ran the file ResetTeaTimer.bat.
  • Copied the requested files to a flash drive and uploaded from the flash drive to virustotal.com; see results below.
    • The file userinit.exe came up "File has already been analysed" so I have the last report if you need it, but I clicked "Reanalyse file now" and posted those results below.
    • I think the X73 files are for the Lexmark X73 printer, but better safe than sorry.
  • Created the textfile CFScript.txt, copied it to a flash drive and then onto the home computer's desktop, closed all windows, then dragged the file onto CombiFxx and let ComboFix run; see log below.
  • Sun Java
    • Downloaded latest JRE (the steps are a little different than you listed), copied to a flash drive, and copied to the home computer desktop.
    • Removed Java 2 Runtime Environment, SE v1.4.2_05, 137.00MB.
    • Removed Java(TM) 6 Update 2, 133.00MB.
    • Restarted the computer.
    • Ran the file jre-6u11-windows-i586-p.exe from the desktop but there was no option for the MSN toolbar. (I was going to update Java shortly before the infection, but alas it was not to be at the time :) .)
      • The installation requested an internet connection, so I plugged the network cable back in and verified the connection, but I never saw anything come of the request for internet.
  • Downloaded the Atribune Temp File Cleaner to a flash drive, copied it to the desktop, and performed the requested task.
    • Freed 6,736.000 KBs. I don't use Firefox or Opera (yet :) ).
    • As a side note, I think the Cache Cleaner in ZoneAlarm takes care of most of these and maybe a few more, but I'm not sure if it covers all of the listed items.
  • Kaspersky Online Scanner
    • The network cable was still plugged in with an active connection (from the Java update), so I was able to run this.
    • For some reason now all of the pictures in IE have an icon in place of them where you need to right-click and click show picture, but this doesn't work in the separate window that opens for the KOS v7.0.
    • I wasn't sure which scans you wanted me to run (i.e. Critical Areas, My Computer, Folder..., File...), so I ran the My Computer scan.
    • About 30 minutes into the scan a window came up stating that "ScanningProcess.exe has encountered a problem and needs to close....", so I clicked on 'Don't Send' and the scan then continued on.
    • Left the scan running overnight. The next morning found it was hung and not progressing anymore. Time was stuck at 02:42:39. Clicked on Stop Scan but it did not work.
    • Rebooted computer and opened IE, typed in the Kaspersky address.
    • During the Kaspersky webpage opening, the computer blue-screened with the following:
      • *** STOP: 0X00000024 (0X001902FE, 0XF5F184D8, 0XF5F181D4, 0XF98D383F)
      • *** Ntfs.sys - Address F98D383F base at F98AD000, DateStamp 45cc5656a7

P.S. I was wondering if I shouldn't go to Add/Remove programs and remove Comodo BOClean since at every boot up a window comes up stating that "Comodo BOClean has encountered a problem and needs to close....", not to mention I haven't been able to update it in a while. After each bootup during this process I have been going to TaskManager and end the BOCore task.

****************************************************************************************
Here's the results from virustotal (reformatted for readability):

=========================================================
File GtX73.ini received on 12.30.2008 04:33:18 (CET)
Current status: finished

Result: 0/39 (0%)


Additional information

File size: 1441 bytes

MD5...: 57cabaff52940fc6dfb15b1542987cd3

SHA1..: d82411d4954f66c067574d3700b6751b4be4b23b

SHA256: 92c42835d5f257493a3bf255446bf6394533e42b811555613556b91ff68b968f

SHA512: e11b23ec1b14034e168e95435ef46222b581784940478451772aa3c5b0c7053c
dcc11fcdb1ad60d8e49e1447f1e33b450affcfbb0acf8b9ecdb1bee9c3432453

ssdeep: 24:8h/Kv9I12il2BLs3sAsTIlH3jaKUhcXk0sOuuf5IErKMRMGUb/09nTHh23WL9
jug:8h/Kv9I12iiW7ScXVyWPnuA9tfh

PEiD..: -

TrID..: File type identification
Generic INI configuration (100.0%)

PEInfo: -

=========================================================
File userinit.exe received on 12.30.2008 05:11:18 (CET)
Current status: Loading ... finished

Result: 0/39 (0%)


Additional information

File size: 24576 bytes

MD5...: 39b1ffb03c2296323832acbae50d2aff

SHA1..: e5aedcbe25a97c89101f1f3860ff846e94d70445

SHA256: 5b5d71718108e132d10bafb0c217f469a1e3cc13f79ff8d9cbe3bf4918aff7b7

SHA512: ae81b19b8d778a368cf460016a9678676dfd7b8bfdeb236e8f87ef9a6c755323
227b340924d0713698350ce30bb0b3d09789c90897710cd48b3fe84ddca4a551

ssdeep: 384:DNkhB/JD1CzaxzOV6s9cKmdPGFQ273eLXVBYkkjuv1hkNLdbaLa4CwUJuUCS
F4WL:gJDUaxgu5YEVBxkjuv7wbaLa4PU4b7

PEiD..: -

TrID..: File type identification
Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)

PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x10050e5
timedatestamp.....: 0x41107b78 (Wed Aug 04 06:00:24 2004)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x4db8 0x4e00 6.01 16aee663ed180007a0bf5bf24b845096
.data 0x6000 0x14c 0x200 1.86 cbb599f9267bf53209039d14a3574eb1
.rsrc 0x7000 0xb60 0xc00 3.27 b388ab1541ccd9727979fb26a23f72e1

( 7 imports )
> USER32.dll: CreateWindowExW, DestroyWindow, RegisterClassExW, DefWindowProcW, LoadRemoteFonts, wsprintfW, GetSystemMetrics, GetKeyboardLayout, SystemParametersInfoW, GetDesktopWindow, LoadStringW, MessageBoxW, ExitWindowsEx, CharNextW
> ADVAPI32.dll: RegOpenKeyExA, ReportEventW, RegisterEventSourceW, DeregisterEventSource, OpenProcessToken, RegCreateKeyExW, RegSetValueExW, GetUserNameW, RegQueryValueExW, RegOpenKeyExW, RegQueryInfoKeyW, RegCloseKey, RegQueryValueExA
> CRYPT32.dll: CryptProtectData
> WINSPOOL.DRV: SpoolerInit
> ntdll.dll: RtlLengthSid, RtlCopySid, _itow, RtlFreeUnicodeString, DbgPrint, wcslen, wcscpy, wcscat, wcscmp, RtlInitUnicodeString, NtOpenKey, NtClose, _wcsicmp, memmove, NtQueryInformationToken, RtlConvertSidToUnicodeString
> msvcrt.dll: _controlfp, _except_handler3, __set_app_type, __p__fmode, __p__commode, __setusermatherr, __getmainargs, _acmdln, exit, _cexit, _XcptFilter, _exit, _c_exit, _initterm, _adjust_fdiv
> KERNEL32.dll: GetVersionExW, LocalFree, LocalAlloc, GetEnvironmentVariableW, SetEnvironmentVariableW, lstrlenW, lstrcpyW, FreeLibrary, GetProcAddress, LoadLibraryW, CompareFileTime, CloseHandle, lstrcatW, WaitForSingleObject, DelayLoadFailureHook, GetStartupInfoA, GetModuleHandleA, SetUnhandledExceptionFilter, UnhandledExceptionFilter, TerminateProcess, GetSystemTimeAsFileTime, GetCurrentThreadId, GetTickCount, QueryPerformanceCounter, LoadLibraryA, InterlockedCompareExchange, LocalReAlloc, GetSystemTime, lstrcmpW, GetCurrentThread, SetThreadPriority, CreateThread, GetFileAttributesExW, GetSystemDirectoryW, SetCurrentDirectoryW, FormatMessageW, lstrcmpiW, GetCurrentProcess, GetUserDefaultLangID, GetCurrentProcessId, ExpandEnvironmentStringsW, SetEvent, OpenEventW, Sleep, GetLastError, SearchPathW, CreateProcessW

( 0 exports )

=========================================================
File X73_DS.ini received on 12.30.2008 05:24:12 (CET)
Current status: Loading ... finished

Result: 0/39 (0%)


Additional information

File size: 288 bytes

MD5...: 949264f8c9a4fe5c8033a1bf0065385e

SHA1..: e722abadbfbd4e5ce25830b9644e3ef5fad77151

SHA256: c9594f6e0a634dc44c2c0e0fa1ad3bd38743a2f3353a838643d774c2195c4439

SHA512: 29abf8d2847a5f79060dfe824f68b650cc40d0db4e5a698f39ca6f013f20efa4
d543db8abfbebdee9700eb5c4c20fc5623bd32b312d260f123b2ed2c4d9c92ac

ssdeep: 6:l1m5U9GdIY3lIXoKLe+9U/dn6cp1yUfbYAGARZP/n:l1mJdIXYie+9Udn/1yUj
Y3ARZP/n

PEiD..: -

TrID..: File type identification
file seems to be plain text/ASCII (0.0%)

PEInfo: -

=========================================================
File x73_lut.dat received on 12.30.2008 05:34:21 (CET)
Current status: Loading ... finished

Result: 0/37 (0%)


Additional information
File size: 768 bytes

MD5...: 244a70f5e1b299bbec2167d83c6349f2

SHA1..: 2039d2d5e8752a598b5873d7333b6f41f2a598f3

SHA256: 14e8cb0e012de29c114113185b2ab34d720c693e8bdeb89e595f2002b41e49a9

SHA512: c3728e31a4610cf5d5308541f143c3e6996ede653cee37a87a1aaf512906501c
a84707c86df3e690b9765991513a6419cffa2c54ee0683bb40edf88794364e01

ssdeep: 12:EmYyCF10j5SfG9zmorO0+D3mBADAO2QQQkGTUCNDUD/ux7fsphm9G+56u08GO
5Du:/CMS+Tv+D3m20F15aUCQuVsPmbkgpJrk

PEiD..: -

TrID..: File type identification
Unknown!

PEInfo: -


****************************************************************************************
Here's the ComboFix log:

ComboFix 08-12-26.03 - Brian 2008-12-29 23:55:40.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.255.37 [GMT -5:00]
Running from: c:\documents and settings\Brian\Desktop\CombiFxx.exe
Command switches used :: c:\documents and settings\Brian\Desktop\CFScript.txt
AV: ZoneAlarm Security Suite Antivirus *On-access scanning disabled* (Outdated)
FW: ZoneAlarm Security Suite Firewall *disabled*
* Created a new restore point

FILE ::
c:\program files\Common Files\System\hll_evlula32.dll
c:\windows\system32\drivers\TDSSpqxt.sys
c:\windows\system32\TDSScfum.dll
c:\windows\system32\TDSSlxwp.dll
c:\windows\system32\TDSSnrsr.dll
c:\windows\system32\TDSSofxh.dll
c:\windows\system32\TDSSosvd.dat
c:\windows\system32\TDSSriqp.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Common Files\System\hll_evlula32.dll
c:\windows\system32\TDSScfum.dll
c:\windows\system32\TDSSlxwp.dll
c:\windows\system32\TDSSnrsr.dll
c:\windows\system32\TDSSofxh.dll
c:\windows\system32\TDSSosvd.dat
c:\windows\system32\TDSSriqp.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_HLL_EVLULA
-------\Service_hll_evlula
-------\Service_TDSSserv.sys


((((((((((((((((((((((((( Files Created from 2008-11-28 to 2008-12-30 )))))))))))))))))))))))))))))))
.

2100-02-23 14:35 . 2001-02-22 09:54 768 --a------ c:\windows\x73_lut.dat
2100-02-08 15:53 . 2007-01-15 15:24 1,441 --a------ c:\windows\GtX73.ini
2008-11-22 04:15 . 2004-08-04 02:56 24,576 --a------ c:\windows\system32\stu2.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-30 05:07 480,920 --sha-w c:\windows\system32\drivers\fidbox.idx
2008-12-30 05:07 35,750,432 --sha-w c:\windows\system32\drivers\fidbox.dat
2008-12-30 05:07 2,010,400 --sha-w c:\windows\system32\drivers\fidbox2.dat
2008-12-30 05:07 190,592 --sha-w c:\windows\system32\drivers\fidbox2.idx
2008-12-19 04:57 5,070,902 ----a-w c:\windows\Internet Logs\tvDebug.zip
2008-12-19 04:43 --------- d-----w c:\documents and settings\Brian\Application Data\MailFrontier
2008-11-23 04:57 --------- d-----w c:\program files\Spybot - Search & Destroy
2006-06-08 17:44 116,432 -c--a-w c:\documents and settings\Ashley\Application Data\GDIPFONTCACHEV1.DAT
2006-05-13 15:31 116,432 ----a-w c:\documents and settings\Samantha\Application Data\GDIPFONTCACHEV1.DAT
2003-03-13 18:12 69,344 ----a-w c:\documents and settings\Cheryl\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( snapshot@2008-12-28_15.32.22.40 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-12-28 20:08:30 52,764 ----a-w c:\windows\system32\perfc009.dat
+ 2008-12-30 02:38:17 52,764 ----a-w c:\windows\system32\perfc009.dat
- 2008-12-28 20:08:31 380,350 ----a-w c:\windows\system32\perfh009.dat
+ 2008-12-30 02:38:17 380,350 ----a-w c:\windows\system32\perfh009.dat
- 2008-12-28 20:20:12 729,048 ----a-w c:\windows\system32\ZoneLabs\avsys\bases\sfdb.dat
+ 2008-12-30 03:04:51 729,048 ----a-w c:\windows\system32\ZoneLabs\avsys\bases\sfdb.dat
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 70,816 2003-11-10 18:30:02 c:\program files\Common Files\Symantec Shared\bak\ccApp.exe

----a-w 218,240 2004-08-05 21:23:14 c:\program files\Common Files\Symantec Shared\Security Center\bak\UsrPrmpt.exe

----a-w 172,122 2001-08-30 09:00:00 c:\program files\Creative\SBLive\Creative Diagnostics 2.0\bak\DIAGENT.EXE

----a-w 102,400 2001-03-28 01:00:00 c:\program files\Creative\SBLive\Program\bak\AHQInit.exe

----a-w 49,152 2004-09-13 20:49:00 c:\program files\HP\HP Software Update\bak\HPWuSchd2.exe
----a-w 49,152 2004-09-13 19:49:00 c:\program files\HP\HP Software Update\hpwuSchd2.exe

----a-w 278,528 2005-10-06 23:03:14 c:\program files\iTunes\bak\iTunesHelper.exe

----a-w 53,248 2001-07-11 17:08:38 c:\program files\LexmarkX73\bak\AcBtnMgr_X73.exe

----a-w 53,248 2001-10-08 21:21:28 c:\program files\LexmarkX73\bak\ACMonitor_X73.exe

----a-w 204,800 2004-06-03 08:50:07 c:\program files\Microsoft IntelliPoint\bak\point32.exe

----a-w 155,648 2006-02-09 02:05:33 c:\program files\QuickTime\bak\qttask.exe

----a-w 1,415,824 2005-05-31 06:04:00 c:\program files\Spybot - Search & Destroy\bak\TeaTimer.exe
--sha-r 1,833,296 2008-09-16 16:16:08 c:\program files\Spybot - Search & Destroy\TeaTimer.exe

----a-w 163,840 2001-09-23 15:14:48 c:\windows\bak\DELLMMKB.EXE

----a-w 13,312 2002-08-29 10:41:22 c:\windows\system32\bak\ctfmon.exe
----a-w 15,360 2004-08-04 07:56:48 c:\windows\system32\ctfmon.exe

----a-w 36,864 2001-10-12 07:42:53 c:\windows\system32\spool\drivers\w32x86\3\bak\printray.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Lexmark X73 Button Monitor"="c:\progra~1\LEXMAR~1\ACMonitor_X73.exe" [N/A]
"Lexmark X73 Button Manager"="c:\progra~1\LEXMAR~1\AcBtnMgr_X73.exe" [N/A]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-10-29 4620288]
"BOC-425"="c:\progra~1\Comodo\CBOClean\BOC425.exe" [2007-08-08 338432]
"zzzHPSETUP"="F:\Setup.exe" [N/A]
"nwiz"="nwiz.exe" [2004-10-29 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Photo TurboBackup"="c:\program files\FileStream\Photo TurboBackup\pbksche.exe" [2005-09-15 512000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
America Online 8.0 Tray Icon.lnk.disabled [2005-06-03 838]
AOL Companion.lnk.disabled [2005-12-28 1646]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 258048]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ctmp3"= c:\windows\System32\ctmp3.acm
"aux"= ctwdm32.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BlackICE PC Protection.lnk.disabled]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BlackICE PC Protection.lnk.disabled
backup=c:\windows\pss\BlackICE PC Protection.lnk.disabledCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Camio Viewer 2000.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Camio Viewer 2000.lnk
backup=c:\windows\pss\Camio Viewer 2000.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
backup=c:\windows\pss\Microsoft Works Calendar Reminders.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Portfolio]
--a------ 2000-08-08 15:00 311350 c:\program files\Microsoft Works\WksSb.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2004-10-29 16:50 4620288 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2004-10-29 16:50 86016 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-07-12 03:00 132496 c:\program files\Java\jre1.6.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"BlackICE"=2 (0x2)
"navapsvc"=2 (0x2)
"ccSetMgr"=2 (0x2)
"SymWSC"=2 (0x2)
"Symantec Core LC"=2 (0x2)
"SBService"=2 (0x2)
"SAVScan"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows\System32\ctfmon.exe
"MoneyStartUp"=c:\program files\Microsoft Money\System\Money Startup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"AdaptecDirectCD"="c:\program files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"SunJavaUpdateSched"=c:\program files\Java\j2re1.4.2_05\bin\jusched.exe
"UpdReg"=c:\windows\Updreg.exe
"WorksFUD"=c:\program files\Microsoft Works\wkfud.exe
"{3C6A5D37-0766-1033-0918-010516010001}"="c:\program files\Common Files\{3C6A5D37-0766-1033-0918-010516010001}\Update.exe" te-110-12-0000213
"AHQInit"=c:\program files\Creative\SBLive\Program\AHQInit.exe
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe"
"DellTouch"=c:\windows\DELLMMKB.EXE
"DIAGENT"=c:\program files\Creative\SBLive\Creative Diagnostics 2.0\DIAGENT.EXE startup
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R0 sonyhcb;Sony Digital Imaging Base;c:\windows\system32\DRIVERS\sonyhcb.sys [2003-07-13 6097]
R2 BOCore;BOCore;c:\program files\Comodo\CBOClean\BOCORE.exe [2007-11-28 69632]
R2 Nhksrv;Netropa NHK Server;c:\windows\Nhksrv.exe [2002-12-29 28672]
R2 PackethSvc;Virtual NIC Service;c:\windows\System32\PackethSvc.exe [2002-12-29 64512]
R3 Msikbd2k;DellTouch;c:\windows\system32\DRIVERS\msikbd2k.sys [2002-12-29 6942]
S3 F-Secure Standalone Minifilter;F-Secure Standalone Minifilter;\??\c:\docume~1\Brian\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fsgk.sys []
S3 RapDrv;RapDrv;\??\c:\windows\System32\drivers\RapDrv.sys [2003-08-11 104636]
S3 RapFile;RapFile;\??\c:\windows\System32\drivers\RapFile.sys [2003-01-27 36644]
S3 RapNet;RapNet;\??\c:\windows\System32\drivers\RapNet.sys [2003-01-27 24344]
S3 sonyhcs;Sony Digital Imaging Video;c:\windows\system32\DRIVERS\sonyhcs.sys [2003-07-13 299923]
S4 BlackICE;BlackICE;"c:\program files\ISS\BlackICE\blackd.exe" [2003-08-11 1206665]
S4 F-Secure BlackLight Sensor;F-Secure BlackLight Sensor;c:\docume~1\Brian\LOCALS~1\Temp\F-Secure\Anti-Virus\fsblsrv.exe []
S4 PBKNTService;PBKNTService;c:\program files\FileStream\Photo TurboBackup\PBKNTService.exe [2006-01-05 57344]
.
Contents of the 'Scheduled Tasks' folder

2004-01-10 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2004-01-02 14:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://antwrp.gsfc.nasa.gov/apod/
mSearch Bar =
uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/
IE: &Define - c:\program files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
IE: Look Up in &Encyclopedia - c:\program files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM

O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-30 00:10:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\devldr32.exe
c:\windows\system32\CTSVCCDA.EXE
c:\windows\system32\nvsvc32.exe
c:\windows\wanmpsvc.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-12-30 0:19:30 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-30 05:19:24
ComboFix2.txt 2008-12-28 20:36:47

Pre-Run: 42,361,987,072 bytes free
Post-Run: 42,284,314,624 bytes free

215


****************************************************************************************
Here's the Kaspersky Online Scanner report:

** Blue screen - not available at this time.

****************************************************************************************
Here's a fresh hjt log:

** Blue screen - not available at this time.

****************************************************************************************

Thanks again, Blade81, for the help. I left the BSoD up waiting for what step you'd like next. Thanks again!
 
Hi

Better uninstall BoClean for now. You may reinstall it later if you want.

Have you defragged the hard drive lately? If not, I recommend doing so. Then please try the Kaspersky online scanner again, making sure your antivirus program is disabled during the scan.
 
Hi Blade81. Here's what I did:
  • Logged in as my normal user (which is an Administrator).
  • Used BOClean's Uninstall to remove the program and verified in Add/Remove Programs that it was gone.
  • Scheduled an Error Check for the C: drive, rebooted and let the disk check run on the C: drive.
  • Rebooted to SafeMode.
  • Defragmented the C: drive. It was around 8% fragmented, but ran it anyway.
  • Rebooted and logged in as my normal user.
  • Revisited the thought on if any virus scanner was running, then remembered that even though I had shut down ZoneAlarm's firewall and prevented it from loading at startup, ZA Security Suite does have built in Anti-Virus and Anti-Spyware, so I brought ZA back up and turned both the AV and AS off. Shut down ZA again.
  • Plugged in the network cable, rebooted, and logged in as my normal user.
  • Started IE. Directed to the Kaspersky web page and clicked on Start Scan.
    • All of the pictures in IE still have an icon in place of them where you need to right-click and click Show Picture, but this doesn't work in the separate window that opens for the KOS v7.0.
  • After KOS v7.0 window opened and finished the updates, clicked on Scan and selected My Computer.
The scanner is currently running. When finished (fingers crossed) I will post the report and a fresh hjt log as well.

Is there anything else you will need if the scan runs ok other than the fresh hjt log?

Thanks again!!
 
Hi Blade81. I just checked the home computer to see how the KOS scan was going. It hung again, this time at 00:13:06. It does show 1 Threat names and 2 Infected objects, but it is stuck. Does the graphics issue have anything to do with the issue, or something else? Anything else to try then?

Thanks again and have a Happy New Year!!
 
Hi

Graphics problem doesn't necessarily have anything to do with the problem. Anyway, since Kaspersky gets stuck let's try another scanner.


* Go here to run an online scanner from ESET.
  • Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is UNchecked and the option Scan unwanted applications is checkmarked.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic, along with a new HijackThis log & a description of any remaining problems
 
Hi Blade81, Happy New Year!

Thanks again for your help with this.

  • I clicked on Stop Scan in KOS, waited a while to make sure it had stopped (just in case it was still doing something?), then closed the separate window it was in.
  • I directed IE to the page in your link, clicked the Yes box, but there was no Start to click.
  • This is a result of the graphics issue, so I moved the mouse around until it changed, and hoping that this was the link (since I actually couldn't see it), and once the mouse changed I clicked the mouse.
  • It was the link, but of course the Windows pop-up blocker came up, so I clicked on it to download the ActiveX control. Maybe this is why the scanners are having issues, but I'm not sure how to turn it off or any of the other built-in Windows security s/w. One note is that the Windows Firewall is off as ZA is the firewall (ZA is off too), as I did make sure in the Windows Security Center that all items were off.
  • Once the ActiveX control loaded, I followed the rest of the steps you listed.
The scan is currently running. Hopefully it will finish. If you need me to stop it to correct any Windows s/w that should be turned off that I forgot, let me know. Thank you very much again for the help!
 