I Have Also Been Hit With The Nt_kernel Error 1256
From the sounds of the many posts on this board, I will have to stand in line to obtain some help on this issue. So I will be patient, and wait my turn.......
I am not at all proficient in the how to's, so any help will have to be specific and almost keystroke by keystroke.
From the information obtained in this forum, I did run the Vundofix V6.7.7 and managed to remove all but one file. The Windows Update and Help and Support Icons are still on my desktop. Managed to remove (?) all of those pesky .tmp files. It's been cleaned up enough to make this post without the computer grinding itself to a halt.
Here is my log from the HijackThis program
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:59:44 PM, on 07/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe
C:\Program Files\TELUS\eProtect Advisor\TEPA.exe
C:\Program Files\TELUS\TELUS Security service\Freedom.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\TELUS eCare\bin\mpbtn.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.ca/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/dellsidebar.jsp?p=DC
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.ca/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [intelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [intelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [TEPA.exe] "C:\Program Files\TELUS\eProtect Advisor\TEPA.exe" /AUTORUN
O4 - HKLM\..\Run: [TELUS Security service] "C:\Program Files\TELUS\TELUS Security service\Freedom.exe"
O4 - HKLM\..\Run: [salestart] "C:\Program Files\Common Files\StorageProtector\strpmon.exe" dm=http://storageprotector.com ad=http://storageprotector.com sd=http://inspaid.storageprotector.com
O4 - HKLM\..\Run: [984e9103] rundll32.exe "C:\WINDOWS\system32\mmodmydr.dll",b
O4 - HKLM\..\RunOnce: [indexCleaner] "C:\Program Files\TELUS\TELUS Security service\IndexCleanerR.exe"
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: TELUS eCare.lnk = C:\Program Files\TELUS eCare\bin\matcli.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
--
End of file - 9183 bytes
Thanks in advance to the people who are much smarter than me in these issues.
Comments
Hi,
I suggest that, while waiting for somebody to help you, you prepare your computer and equip it with what is missing:
1- An antivirus: BitDefender has a free version: http://www.bitdefender.com/PRODUCT-14-en--...ee-Edition.html
2- A firewall: Sygate Personal Firewall or ZoneLabs ZoneAlarm have good free versions.
3- Anti-adware and spyware:
Farbar:
Thank-you for sending me this information. I will give it a try.
I have been reading a lot about this subject over the past few days, and will disable the existing security software on this computer before I enable the recommended ones.
Presently, the security software that is loaded on the computer is from my ISP. It has an antivirus, firewall, and spyware in the package. It has caught some viruses, and cleans out a good number of spyware cookies and the like. The firewall blocks a lot of packets (?) on a daily basis.
Further to my last posting, my son thought he would help (?) me by trying to get rid of the file that VundoFix could not eliminate. He changed the .dll to a .****** and attempted to delete it. It still would not get rid of the offending file. So he changed it back to the .dll. After that, we started to get the pop-ups reappearing. I re-ran the VundoFix program, and found new files. Most of them were eliminated but the first offending file is still there, along with a new one, that seems to change name every time you re-run VundoFix.
The offending file has a pathway of C:\WINDOWS\System32\hggffee.dll
I have asked my son to leave well enough alone, and let the experts handle this one. In my line of work we have a simple rule when we are trying to repair something. Rule #1 = When attempting to fix something, DON'T make it worse.
Thanks again for all the expert advice.
S@S
I don't press for the first two points as I didn't recognize your AV and firewall, but I still insist on the third one.
To give you some clue as to what you are dealing with, go to C:\Program Files\Trend Micro\HijackThis\HijackThis.exe, change the name of hijackthis.exe to something else like stare.exe, then double-click stare.exe to make a new HijackThis log; you will see the dll you could not remove, and maybe more, start appearing in the HJT log.
I understand your son's attempt to improvise but agree with you and the rule you are applying in your work.
In any case I suggest the following:
Step 1.
Download ComboFix.exe to your desktop using this link:
Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. After Combofix is finished turn on/enable your anti virus again.
Double click on combofix.exe to run the programme & then follow the prompts.
When finished, it will produce a report for you. Please post the content of this log ("C:\ComboFix.txt") into your next post.
ComboFix may need to reboot to finish its work. Let it.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
Step 2. Go to your firewall Internet traffic and check, note, report and remove all suspicious allowed applications.
Step 3.
Please download ATF Cleaner by Atribune.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button
Step 4. Reboot and post a new HijackThis log.
Please give me feedback about the problems you face in doing the steps or any changes you notice.
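A small triage helper for the HijackThis log format posted in this thread, added here as an example; it is not part of the original posts and not HijackThis's own code. It flags the entry patterns Farbar is pointing the poster at: registered BHOs and search hooks whose file is gone, unnamed components loading from system32, and Run values that start a DLL through rundll32 or carry a random hex name. The sample lines are copied from the logs in this thread; the flagging rules are my own assumptions, not a definitive verdict on any entry.

```python
"""Triage helper for HijackThis v2 log lines (added example, not HijackThis code).

Parses the R3/O2/O3 ("name - {CLSID} - path") and O4 ("[value] command")
entry formats seen in this thread and returns the entries a helper would
look at first. Rules are heuristics chosen for this thread's logs.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Every HJT entry starts with a section code, e.g. "O2 - BHO: ..."
_LINE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
# O2/O3/R3 body: "<kind>: <name> - {CLSID} - <path>"
_CLSID_ENTRY = re.compile(
    r"^(?P<kind>[^:]+): (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.+)$"
)
# O4 registry body: "HKLM\..\Run: [<value name>] <command line>"
_RUN_ENTRY = re.compile(
    r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<value>[^\]]*)\] (?P<cmd>.+)$"
)


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for a line worth a closer look, or None for anything else."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")

    if section in ("O2", "O3", "R3"):
        e = _CLSID_ENTRY.match(body)
        if not e:
            return None
        path = e.group("path")
        # HJT appends "(file missing)" when the registered DLL is no longer on disk:
        # the CLSID registration outlived the file (typical after a partial cleanup).
        if path.endswith("(file missing)"):
            return Finding(section, "registered component whose file is gone", line)
        # Legitimate BHOs normally carry a name; an unnamed one from system32 is unusual.
        if e.group("name") == "(no name)" and "\\system32\\" in path.lower():
            return Finding(section, "unnamed component loading from system32", line)
        return None

    if section == "O4":
        e = _RUN_ENTRY.match(body)
        if not e:  # "Global Startup" entries and others are left alone here
            return None
        cmd = e.group("cmd")
        if re.match(r"^rundll32(\.exe)?\s", cmd, re.I) and ".dll" in cmd.lower():
            return Finding(section, "Run value launching a DLL through rundll32", line)
        if re.fullmatch(r"[0-9a-f]{8}", e.group("value")):
            return Finding(section, "Run value with a random-looking hex name", line)
    return None


def triage_log(text: str) -> List[Finding]:
    """Run triage_line over a whole log and keep only the flagged entries."""
    findings = []
    for raw in text.splitlines():
        f = triage_line(raw)
        if f is not None:
            findings.append(f)
    return findings


# Constructed sample: a handful of lines copied from the logs posted in this thread.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5187800A-5B6D-4996-BAC7-850294D477C3} - C:\WINDOWS\system32\mljgd.dll (file missing)
O2 - BHO: (no name) - {61ADDA09-8B2B-4C80-A9A3-44F40A213035} - C:\WINDOWS\system32\jkkjg.dll (file missing)
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [984e9103] rundll32.exe "C:\WINDOWS\system32\mmodmydr.dll",b
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
"""

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.line}")
```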
Farbar:
After I read your post I jumped right into step #1. I did not change the hijackthis.exe to stare.exe and run a log. If you still require this, I will repost the results. Sorry about that.
Completed the four steps as you had requested. You were specific enough that I (and my son) could follow. Here is the information that you had requested:
Step 1:
Ran ComboFix and the log is attached. When the computer automatically rebooted, my installed security service automatically rebooted also, even though I had shut it down to run ComboFix. Hope it didn't mess something up. I have also replaced the name listed in the computer with ***s.
ComboFix 08-02.05.3 - **** ****** 2008-02-09 21:51:13.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.528 [GMT -7:00]
Running from: C:\Documents and Settings\**** ******\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\ssqrq.dll
C:\Documents and Settings\All Users\Application Data\storageprotector
C:\Documents and Settings\All Users\Application Data\storageprotector\Data\ac
C:\Documents and Settings\All Users\Application Data\storageprotector\Data\em
C:\Documents and Settings\All Users\Application Data\storageprotector\Data\oid
C:\Documents and Settings\All Users\Application Data\storageprotector\Data\user
C:\Documents and Settings\**** ******\Application Data\storageprotector
C:\Documents and Settings\**** ******\Application Data\storageprotector\Logs\update.log
C:\Program Files\Common Files\StorageProtector
C:\Program Files\Common Files\StorageProtector\goaway.exe
C:\Program Files\Common Files\Yazzle1281OinAdmin.exe
C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\arqbcpor.ini
C:\WINDOWS\system32\AutoRun.inf
C:\WINDOWS\system32\hbubvrni.dll
C:\WINDOWS\system32\hggffee.dll
C:\WINDOWS\system32\ighxqcvw.ini
C:\WINDOWS\system32\jldvhrhr.dll
C:\WINDOWS\system32\jouuqflu.dll
C:\WINDOWS\system32\kxksteww.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\qrqss.ini
C:\WINDOWS\system32\qrqss.ini2
C:\WINDOWS\system32\rdymdomm.ini
C:\WINDOWS\system32\rhrhvdlj.ini
C:\WINDOWS\system32\ropcbqra.dll
C:\WINDOWS\system32\ssqrq.dll
C:\WINDOWS\system32\vmcsvgfw.ini
C:\WINDOWS\system32\votcybww.ini
C:\WINDOWS\system32\windows
.
((((((((((((((((((((((((( Files Created from 2008-01-10 to 2008-02-10 )))))))))))))))))))))))))))))))
.
2008-02-08 20:30 . 2008-02-08 20:30 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2008-02-07 20:58 . 2008-02-07 20:58 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-06 21:10 . 2008-02-08 20:10 <DIR> d-------- C:\VundoFix Backups
2008-02-05 21:04 . 2008-02-05 21:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
2008-02-05 21:03 . 2007-03-28 14:01 117,760 --a------ C:\WINDOWS\system32\hpzll5ha.dll
2008-02-05 21:01 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-02-05 21:01 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\dllcache\usbscan.sys
2008-02-05 20:54 . 2008-02-05 20:54 <DIR> d-------- C:\Program Files\Hewlett-Packard
2008-02-05 20:46 . 2008-02-05 20:46 <DIR> d-------- C:\Program Files\Common Files\Hewlett-Packard
2008-02-05 20:43 . 2007-03-08 12:20 21,568 --a------ C:\WINDOWS\system32\drivers\HPZius12.sys
2008-02-05 20:43 . 2007-03-08 12:20 16,496 --a------ C:\WINDOWS\system32\drivers\HPZipr12.sys
2008-02-05 20:42 . 2008-02-05 20:43 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-02-05 20:42 . 2007-03-17 23:11 675,840 --a------ C:\WINDOWS\system32\hpowiax3.dll
2008-02-05 20:42 . 2007-03-17 23:11 569,344 --a------ C:\WINDOWS\system32\hpotscl3.dll
2008-02-05 20:42 . 2007-03-08 12:20 364,544 --a------ C:\WINDOWS\system32\hppldcoi.dll
2008-02-05 20:42 . 2007-03-08 12:20 309,760 --a------ C:\WINDOWS\system32\difxapi.dll
2008-02-05 20:42 . 2007-03-17 23:11 303,104 --a------ C:\WINDOWS\system32\hpovst10.dll
2008-02-05 20:42 . 2007-03-30 22:07 267,864 --a------ C:\WINDOWS\system32\hpzids01.dll
2008-02-05 20:42 . 2007-03-08 12:20 49,920 --a------ C:\WINDOWS\system32\drivers\HPZid412.sys
2008-02-05 20:41 . 2008-02-05 20:41 <DIR> d-------- C:\Program Files\HP
2008-02-05 20:40 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-02-05 20:40 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\dllcache\usbprint.sys
2008-02-05 20:39 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-02-05 20:39 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\dllcache\usbccgp.sys
2008-02-05 20:22 . 2008-02-05 21:07 122,771 --a------ C:\WINDOWS\hpoins14.dat
2008-02-05 20:22 . 2007-09-21 04:55 1,996 --------- C:\WINDOWS\hpomdl14.dat
2008-02-05 20:15 . 2008-02-05 20:15 90,688 --a------ C:\WINDOWS\system32\wvcqxhgi.dll
2008-02-03 21:43 . 2007-10-10 16:55 6,065,664 --------- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-02-03 21:43 . 2007-06-30 20:31 2,455,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-02-03 21:43 . 2007-06-30 20:36 991,232 --------- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-02-03 21:43 . 2007-10-10 16:55 459,264 --------- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-02-03 21:43 . 2007-10-10 16:55 383,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-02-03 21:43 . 2007-10-10 16:55 267,776 --------- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-02-03 21:43 . 2007-10-10 16:55 63,488 --------- C:\WINDOWS\system32\dllcache\icardie.dll
2008-02-03 21:43 . 2007-10-10 16:55 52,224 --------- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-02-03 21:43 . 2007-10-10 03:59 13,824 --------- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-02-03 20:23 . 2008-02-03 20:23 <DIR> dr------- C:\Documents and Settings\All Users\Application Data\SalesMon
2008-02-03 20:21 . 2004-10-07 13:39 89,088 --a------ C:\WINDOWS\system32\atl71.dll
2008-02-01 22:03 . 2008-02-01 22:03 <DIR> d-------- C:\WINDOWS\system32\nGpxx01
2008-02-01 22:03 . 2008-02-03 17:53 <DIR> d-------- C:\Temp
2008-01-14 19:44 . 2008-01-14 19:44 1,158 --a------ C:\WINDOWS\mozver.dat
2008-01-12 00:56 . 2008-01-12 00:56 <DIR> d--h----- C:\WINDOWS\PIF
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-09 04:08 8,496 ----a-w C:\Documents and Settings\**** ******\Application Data\wklnhst.dat
2008-02-09 03:48 --------- d-----w C:\Program Files\Yahoo!
2008-02-09 02:05 --------- d-----w C:\Program Files\Common Files\PestPatrol
2008-02-08 22:23 --------- d-----w C:\Program Files\Common Files\Command Software
2008-02-04 00:43 --------- d-----w C:\Documents and Settings\**** ******\Application Data\uTorrent
2007-12-23 07:58 --------- d-----w C:\Documents and Settings\**** ******\Application Data\Yahoo!
2007-03-01 16:18 63,624 ----a-w C:\Documents and Settings\**** ******\Application Data\GDIPFONTCACHEV1.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5187800A-5B6D-4996-BAC7-850294D477C3}]
C:\WINDOWS\system32\mljgd.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{61ADDA09-8B2B-4C80-A9A3-44F40A213035}]
C:\WINDOWS\system32\jkkjg.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{879957D5-612A-4898-820E-63AE053ADE2A}]
C:\WINDOWS\system32\vturp.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{960E4924-EDF9-4616-BD5E-DE763AA89A10}]
C:\WINDOWS\system32\vtstr.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="C:\Program Files\NetWaiting\netWaiting.exe" [2003-09-10 00:24 20480]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 17:23 102400]
"CTSyncU.exe"="C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-06-12 13:32 700416]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 10:09 460784]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:00 15360]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"IndexCleaner"="C:\Program Files\TELUS\TELUS Security service\IndexCleanerR.exe" [2005-05-19 14:50 53248]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 15:48 32881]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 09:55 667718]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 09:56 602182]
"SigmatelSysTrayApp"="stsystra.exe" [2005-11-16 12:35 397312 C:\WINDOWS\stsystra.exe]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-29 09:56 761947]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 12:43 45056]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2004-04-11 18:15 290816]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 18:29 49152]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2006-06-14 18:53 26112]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-06-14 18:54 98304]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-05 23:05 127035]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 14:50 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 14:50 81920]
"PrinTray"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe" [2000-09-14 16:03 36864]
"Motive SmartBridge"="C:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe" [2007-03-11 17:32 393216]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 15:16 1121792]
"TEPA.exe"="C:\Program Files\TELUS\eProtect Advisor\TEPA.exe" [2007-03-20 16:48 2061816]
"TELUS Security service"="C:\Program Files\TELUS\TELUS Security service\Freedom.exe" [2005-05-19 14:56 180278]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"IndexCleaner"="C:\Program Files\TELUS\TELUS Security service\IndexCleanerR.exe" [2005-05-19 14:50 53248]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-06-14 18:52:32 24576]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-12 23:01:04 83360]
TELUS eCare.lnk - C:\Program Files\TELUS eCare\bin\matcli.exe [2007-01-24 21:01:59 217088]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-09 21:57:49
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\TELUS eCare\bin\mpbtn.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-02-09 21:59:51 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-10 04:59:47
.
2008-02-05 05:07:25 --- E O F ---
Step 2:
Removed these suspicious files from the firewall that were allowed access:
Application Layer Gateway Service that was receiving from program in C:\Windows\System32\alg.exe
Utorrent
ffinstaller
downldr
Veoh Client
Updater Sys Rep
CLI Application
Au_
Run a DLL As An App
Step 3:
Downloaded and ran ATF cleaner.
At the end of the cleaning it stated that it freed 4,696,000 KB.
Step 4:
Rebooted and ran a new Hijackthis Scan
This is the log that followed.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:19:35 PM, on 09/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe
C:\Program Files\TELUS\eProtect Advisor\TEPA.exe
C:\Program Files\TELUS\TELUS Security service\Freedom.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\TELUS eCare\bin\mpbtn.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.ca/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\TELUS\TELUS Security service\pkR.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O2 - BHO: (no name) - {5187800A-5B6D-4996-BAC7-850294D477C3} - C:\WINDOWS\system32\mljgd.dll (file missing)
O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\TELUS\TELUS Security service\FreeBHOR.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {61ADDA09-8B2B-4C80-A9A3-44F40A213035} - C:\WINDOWS\system32\jkkjg.dll (file missing)
O2 - BHO: (no name) - {879957D5-612A-4898-820E-63AE053ADE2A} - C:\WINDOWS\system32\vturp.dll (file missing)
O2 - BHO: (no name) - {960E4924-EDF9-4616-BD5E-DE763AA89A10} - C:\WINDOWS\system32\vtstr.dll (file missing)
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [intelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [intelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [TEPA.exe] "C:\Program Files\TELUS\eProtect Advisor\TEPA.exe" /AUTORUN
O4 - HKLM\..\Run: [TELUS Security service] "C:\Program Files\TELUS\TELUS Security service\Freedom.exe"
O4 - HKLM\..\RunOnce: [indexCleaner] "C:\Program Files\TELUS\TELUS Security service\IndexCleanerR.exe"
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [indexCleaner] "C:\Program Files\TELUS\TELUS Security service\IndexCleanerR.exe"
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: TELUS eCare.lnk = C:\Program Files\TELUS eCare\bin\matcli.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
--
End of file - 9249 bytes
After all of the above, the first thing that I noticed is that the popups have stopped. After I post, I will exit out of the "my computer" area, to see if the screen goes blank like it did in the past. Will let you know how it goes.
The Windows Update and Help and Support Center Icons still remain on the Desktop, however, the computer is quite a bit more responsive.
As always, thanks for all your help in this matter.
S@S
Good work.
1. Please go to add/remove programs. Uninstall anything with myway in it.
2. Uninstall uTorrent and any other P2P program. You may install them after my last post. Remove its folders from Program Files and keep the files you want to keep.
3. Remove vundofix and its folder C:\VundoFix Backups.
4. Remove old Java versions due to a serious security vulnerability (especially for Vundo family malware): Download the latest version of JRE (Java Runtime Environment (JRE) 6 Update 4) from here: http://java.sun.com/javase/downloads/index.jsp
But don't install it yet.
Go to Control Panel - Add/Remove Programs - uninstall/remove all the old versions of Java, or any item with Java (JRE or J2SE) in the name, and remove the folders from Program Files.
Reboot once all Java components are removed.
Apply ATF Cleaner then install the new Java version.
5. Go to Start - Search - click "All files and folders" - click "More advanced options" and check: Search system folders, Search hidden files and folders and Search subfolders. Type P*.tmp in the upper box and click on Search. If you find any of those files remove them manually. To do that highlight them all (select the first .tmp file, hold down Shift and scroll down to the last .tmp and highlight/select the last .tmp) and delete them using Shift+Del to bypass the Recycle Bin.
6. Go to Start - Control Panel - Folder Options - click the View tab: uncheck "Hide extensions for known file types". Click Apply then OK.
Then go to the search box again and type downldr and report back the finding. Do the same for Au_
To be specific: I need in both cases the full path and file name.
Farbar:
Here are the outcomes from your instructions:
1) Removed "Myway Search Assistant" in the Add/Remove program section. There was no size of file indicated.
2) Removed the UTorrent program. It was not listed in the Add/Remove program section, but found it using the search function. Found it in C:\Program Files and C:\Program Files\utorrent. All removed, and then re-searched for it and it did not find it. Removed the icon on the desktop manually. Also removed a program called DivX as it is listed as a partial P2P program. Removed DivX programs using the Add/Remove program section.
3) Deleted VundoFix from the Desktop, and the file C:\Vundofix Backups.
4) Removed Java 2 Runtime Environment SE V1.4.2_03 in the Add/Remove program section. Closed out all windows and rebooted computer. Ran the ATF cleaner, and it stated that it freed 2,612.0 KB. Downloaded (JRE) 6 Update 4 in which there were 3 files. Wasn't sure where or what folder they should be placed in, so I loaded them to the Desktop. Is that OK, or should I move them into a different folder, i.e. remove them from the desktop, and reload them into a different section?
5) Searched for P*.tmp per your instructions and no files were found
6) Changed the folder option per your request, and searched for the two files you asked about
a) downldr - No files found
Au_ - 2 files found
au_plcy.htm in folder C:\i386
au_plcy.htm in folder C:\WINDOWS\system32\oobe\setup
In my last reply, I had stated that when I closed the "my computer" section when I was having all of the problems, the screen would go blank, and it would take about a minute to reload the desktop. After I had made the previous changes, the blank screen issue had been resolved, and the desktop comes up immediately, and the icons reload.
Again, I thank you for your patience and your time. I feel like we are gaining control of this computer slow but sure.
Regards
S@S
To install Java you have to run the Java installer for Windows (Jre-6u4-windows-i586-.exe) by double-clicking it. Then remove everything you have downloaded.
Step1
Go to Internet Options (Internet Explorer, under Tools) and set the privacy setting to default. It is lowered by the Vundo malware and you can reset it now since the Vundo is removed.
Step 2
Open notepad and copy/paste the text in the code box below into it:
Folder::
C:\Program Files\MyWaySA
C:\WINDOWS\system32\nGpxx01
C:\Documents and Settings\All Users\Application Data\SalesMon
C:\Temp
File::
C:\WINDOWS\system32\VundoFixSVC.exe
C:\WINDOWS\system32\wvcqxhgi.dll
C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5187800A-5B6D-4996-BAC7-850294D477C3}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{61ADDA09-8B2B-4C80-A9A3-44F40A213035}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{879957D5-612A-4898-820E-63AE053ADE2A}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4D25F921-B9FE-4682-BF72-8AB8210D6D75}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{960E4924-EDF9-4616-BD5E-DE763AA89A10}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RealTray"=-
"QuickTime Task"=-
Save this as CFScript.txt
Drag CFScript.txt into ComboFix.exe. You can see the image showing this here: http://www.fromsej.saknet.dk/billeder/cfscript.gif.
ComboFix will now run a scan on your system.
It may reboot your system when it finishes. This is normal.
Step3
Reboot and run ATF Cleaner. Check if the system is running fine. Then empty your restore volume to get rid of recreation of the infection by Windows recovery. To do that: go to Start - Control Panel - System - System Restore - check "Turn off System Restore on all drives". Click Apply. By doing this you lose all your (often infected) restore points. Reboot and uncheck "Turn off System Restore on all drives" to create a clean restore point.
See if you encounter any problem. Post the ComboFix log and a fresh HijackThis log to make sure nothing is left behind.
Farbar:
I learned a valuable lesson tonight. Type the reply to this board in a word file first, and then save it to the computer first, before you reboot the computer. Else, it is gone if you type it directly in this reply section. I had to retype the reply all over again which I am sure is a rookie mistake!!
I must be a bit thick on the uptake with reloading of Java. I revisited the downloading site, and the three files that can be downloaded for JRE 6 Update 4 are
jre-6u4-windows-x64.exe
jre-6u4-windows-i586-p.exe
jre-6u4-windows-i586-p.iftw.exe
You had asked me to load:
jre-6u4-windows-i586.exe ?
Am I in the wrong area for this Java download?
For the sake of expediency, I loaded jre-6u4-windows-i586-p.exe, and deleted the other two files. The Java program (JRE 6 Update 4) now appears in the Add/Remove program Area
Onto the rest of the reply
Step #1
The security setting in Internet Explorer is now reset to default, which is Medium-High
Step #2
Added the CFScript.txt file to ComboFix and ran ComboFix. Saved the log file, which is attached to the end of this post. The computer did not automatically reboot.
Step #3
Manually rebooted the computer (and lost my first reply) and ran ATF Cleaner. At the end it stated that ATF Cleaner has freed 3768.0 KB's. The system appears to be working much better than a week ago. Went into the System Restore, and check marked the "Turn off System Restore". As soon as I hit Apply, a pop up showed up stating
End Program - rundll32.exe
This program is not responding.
I hit "end now" and immediately my antivirus program briefly flashed, and warned me that it disinfected a virus.
Rebooted the computer, and as it was starting back up, I initially thought I had the blue screen of death come up. After about 3 - 5 seconds, the windows XP symbol showed up in the upper right hand corner, and the following statement came on the screen.
Checking file system on C:
The type of the file system is NTFS.
The volume is dirty
CHKDSK is verifying files.
---Then there was a blur of activity on the screen, and then Windows started up normally. Whew!---
System "appears" to be running normally. The two icons <Windows Update> and <Help and Support Center> are still on my desktop.
I did do a search for the offending file that VundoFix did not take care of. The search feature did find it, but there was an additional extension on it.
hggffee.dll.vir located in folder C:\QooBox\Quarantine\C\WINDOWS\system32
Re ran Hijackthis, and the log file is attached.
Again, thanks for all your help, and being patient with me.
Regards
S@S
ComboFix 08-02.05.3 - Jeff Hatton 2008-02-11 20:54:26.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.572 [GMT -7:00]
Running from: C:\Documents and Settings\**** ******\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\**** ******\Desktop\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE
C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
C:\WINDOWS\system32\VundoFixSVC.exe
C:\WINDOWS\system32\wvcqxhgi.dll
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Application Data\SalesMon
C:\Temp
C:\WINDOWS\system32\nGpxx01
C:\WINDOWS\system32\nGpxx01\nGpxx011065.exe
C:\WINDOWS\system32\VundoFixSVC.exe
C:\WINDOWS\system32\wvcqxhgi.dll
.
((((((((((((((((((((((((( Files Created from 2008-01-12 to 2008-02-12 )))))))))))))))))))))))))))))))
.
2008-02-11 20:30 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-02-11 20:29 . 2008-02-11 20:30 <DIR> d-------- C:\Program Files\Java
2008-02-11 20:29 . 2008-02-11 20:29 <DIR> d-------- C:\Program Files\Common Files\Java
2008-02-09 21:48 . 2004-08-04 03:00 388,608 --a------ C:\kmd.exe
2008-02-07 20:58 . 2008-02-07 20:58 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-05 21:04 . 2008-02-05 21:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
2008-02-05 21:03 . 2007-03-28 14:01 117,760 --a------ C:\WINDOWS\system32\hpzll5ha.dll
2008-02-05 21:01 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-02-05 21:01 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\dllcache\usbscan.sys
2008-02-05 20:54 . 2008-02-05 20:54 <DIR> d-------- C:\Program Files\Hewlett-Packard
2008-02-05 20:46 . 2008-02-05 20:46 <DIR> d-------- C:\Program Files\Common Files\Hewlett-Packard
2008-02-05 20:43 . 2007-03-08 12:20 21,568 --a------ C:\WINDOWS\system32\drivers\HPZius12.sys
2008-02-05 20:43 . 2007-03-08 12:20 16,496 --a------ C:\WINDOWS\system32\drivers\HPZipr12.sys
2008-02-05 20:42 . 2008-02-05 20:43 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-02-05 20:42 . 2007-03-17 23:11 675,840 --a------ C:\WINDOWS\system32\hpowiax3.dll
2008-02-05 20:42 . 2007-03-17 23:11 569,344 --a------ C:\WINDOWS\system32\hpotscl3.dll
2008-02-05 20:42 . 2007-03-08 12:20 364,544 --a------ C:\WINDOWS\system32\hppldcoi.dll
2008-02-05 20:42 . 2007-03-08 12:20 309,760 --a------ C:\WINDOWS\system32\difxapi.dll
2008-02-05 20:42 . 2007-03-17 23:11 303,104 --a------ C:\WINDOWS\system32\hpovst10.dll
2008-02-05 20:42 . 2007-03-30 22:07 267,864 --a------ C:\WINDOWS\system32\hpzids01.dll
2008-02-05 20:42 . 2007-03-08 12:20 49,920 --a------ C:\WINDOWS\system32\drivers\HPZid412.sys
2008-02-05 20:41 . 2008-02-05 20:41 <DIR> d-------- C:\Program Files\HP
2008-02-05 20:40 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-02-05 20:40 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\dllcache\usbprint.sys
2008-02-05 20:39 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-02-05 20:39 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\dllcache\usbccgp.sys
2008-02-05 20:22 . 2008-02-05 21:07 122,771 --a------ C:\WINDOWS\hpoins14.dat
2008-02-05 20:22 . 2007-09-21 04:55 1,996 --------- C:\WINDOWS\hpomdl14.dat
2008-02-03 21:43 . 2007-10-10 16:55 6,065,664 --------- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-02-03 21:43 . 2007-06-30 20:31 2,455,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-02-03 21:43 . 2007-06-30 20:36 991,232 --------- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-02-03 21:43 . 2007-10-10 16:55 459,264 --------- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-02-03 21:43 . 2007-10-10 16:55 383,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-02-03 21:43 . 2007-10-10 16:55 267,776 --------- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-02-03 21:43 . 2007-10-10 16:55 63,488 --------- C:\WINDOWS\system32\dllcache\icardie.dll
2008-02-03 21:43 . 2007-10-10 16:55 52,224 --------- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-02-03 21:43 . 2007-10-10 03:59 13,824 --------- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-02-03 20:21 . 2004-10-07 13:39 89,088 --a------ C:\WINDOWS\system32\atl71.dll
2008-01-14 19:44 . 2008-01-14 19:44 1,158 --a------ C:\WINDOWS\mozver.dat
2008-01-12 00:56 . 2008-01-12 00:56 <DIR> d--h----- C:\WINDOWS\PIF
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-12 03:53 8,638 ----a-w C:\Documents and Settings\**** ******\Application Data\wklnhst.dat
2008-02-12 02:51 --------- d-----w C:\Program Files\Common Files\Command Software
2008-02-11 02:51 --------- d-----w C:\Program Files\DivX
2008-02-09 03:48 --------- d-----w C:\Program Files\Yahoo!
2008-02-09 02:05 --------- d-----w C:\Program Files\Common Files\PestPatrol
2008-02-04 00:43 --------- d-----w C:\Documents and Settings\**** ******\Application Data\uTorrent
2007-12-23 07:58 --------- d-----w C:\Documents and Settings\**** ******\Application Data\Yahoo!
2007-03-01 16:18 63,624 ----a-w C:\Documents and Settings\**** ******\Application Data\GDIPFONTCACHEV1.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="C:\Program Files\NetWaiting\netWaiting.exe" [2003-09-10 00:24 20480]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 17:23 102400]
"CTSyncU.exe"="C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-06-12 13:32 700416]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 10:09 460784]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:00 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 09:55 667718]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 09:56 602182]
"SigmatelSysTrayApp"="stsystra.exe" [2005-11-16 12:35 397312 C:\WINDOWS\stsystra.exe]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-29 09:56 761947]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 12:43 45056]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2004-04-11 18:15 290816]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 18:29 49152]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2006-06-14 18:53 26112]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-06-14 18:54 98304]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-05 23:05 127035]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 14:50 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 14:50 81920]
"PrinTray"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe" [2000-09-14 16:03 36864]
"Motive SmartBridge"="C:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe" [2007-03-11 17:32 393216]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 15:16 1121792]
"TEPA.exe"="C:\Program Files\TELUS\eProtect Advisor\TEPA.exe" [2007-03-20 16:48 2061816]
"TELUS Security service"="C:\Program Files\TELUS\TELUS Security service\Freedom.exe" [2005-05-19 14:56 180278]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"IndexCleaner"="C:\Program Files\TELUS\TELUS Security service\IndexCleanerR.exe" [2005-05-19 14:50 53248]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-06-14 18:52:32 24576]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-12 23:01:04 83360]
TELUS eCare.lnk - C:\Program Files\TELUS eCare\bin\matcli.exe [2007-01-24 21:01:59 217088]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-11 20:56:18
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-02-11 20:56:52
ComboFix-quarantined-files.txt 2008-02-12 03:56:36
ComboFix2.txt 2008-02-10 04:59:51
.
2008-02-05 05:07:25 --- E O F ---
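A way to read the "Files Created" section of a ComboFix log like the one above, as an added example that is not ComboFix's own code and not part of the original thread: it parses each line, groups entries into installer clusters by creation time, and flags executables that arrived with no visible installer around them. The sample lines are copied from the log above; the 30-minute cluster gap, the list of executable extensions, the dllcache exemption and the rule that a real installer leaves a directory under Program Files are this example's assumptions. A flagged path is something to look at, not a verdict: on these lines the drive-root C:\kmd.exe and the lone atl71.dll surface for review, while the HP, Java and IE update clusters do not.

```python
"""Group the 'Files Created' section of a ComboFix log into install clusters
and flag executables that arrived without a visible installer.

Added example; not ComboFix's own code. Sample lines are copied from the
log in this thread. Cluster gap, extension list and the 'installer leaves a
Program Files directory' rule are assumptions of this example.
"""
import re
from datetime import datetime, timedelta

# Format: <created> . <original stamp> <size|<DIR>> <attrs> <path>
# e.g.  2008-02-09 21:48 . 2004-08-04 03:00 388,608 --a------ C:\kmd.exe
LINE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d) \. (\d{4}-\d\d-\d\d \d\d:\d\d)\s+"
    r"(<DIR>|[\d,]+)\s+(\S+)\s+(.+)$")
EXEC_EXT = (".exe", ".dll", ".sys", ".cpl", ".scr", ".ocx")   # assumption
CLUSTER_GAP = timedelta(minutes=30)                            # assumption


def parse_created(section):
    """Parse a 'Files Created' block into dicts sorted by creation time."""
    rows = []
    for line in section.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        created, original, size, attrs, path = m.groups()
        rows.append({
            "created": datetime.strptime(created, "%Y-%m-%d %H:%M"),
            "original": datetime.strptime(original, "%Y-%m-%d %H:%M"),
            "is_dir": size == "<DIR>",
            "size": None if size == "<DIR>" else int(size.replace(",", "")),
            "attrs": attrs,
            "path": path,
        })
    return sorted(rows, key=lambda r: r["created"])


def is_executable(row):
    return not row["is_dir"] and row["path"].lower().endswith(EXEC_EXT)


def in_drive_root(path):
    # "C:\kmd.exe": a drive letter, one backslash, then a bare file name
    return re.fullmatch(r"[A-Za-z]:\\[^\\]+", path) is not None


def clusters(rows):
    """Group rows whose creation times lie within CLUSTER_GAP of each other.
    An installer writes many files within minutes; a dropper writes one."""
    groups = []
    for row in rows:
        if groups and row["created"] - groups[-1][-1]["created"] <= CLUSTER_GAP:
            groups[-1].append(row)
        else:
            groups.append([row])
    return groups


def flag(rows):
    """Return [(reason, path)] for executables that deserve a manual look."""
    findings = []
    for group in clusters(rows):
        has_pf_dir = any(r["is_dir"] and r["path"].lower().startswith("c:\\program files")
                         for r in group)
        for r in group:
            if not is_executable(r):
                continue
            if "\\dllcache\\" in r["path"].lower():
                continue  # Windows File Protection cache, refreshed by updates
            if in_drive_root(r["path"]):
                findings.append(("executable in drive root", r["path"]))
            elif not has_pf_dir:
                findings.append(("no installer directory in same cluster", r["path"]))
    return findings


# Excerpt copied from the ComboFix log above (constructed subset, same text)
SAMPLE = r"""
2008-02-11 20:30 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-02-11 20:29 . 2008-02-11 20:30 <DIR> d-------- C:\Program Files\Java
2008-02-11 20:29 . 2008-02-11 20:29 <DIR> d-------- C:\Program Files\Common Files\Java
2008-02-09 21:48 . 2004-08-04 03:00 388,608 --a------ C:\kmd.exe
2008-02-07 20:58 . 2008-02-07 20:58 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-05 21:03 . 2007-03-28 14:01 117,760 --a------ C:\WINDOWS\system32\hpzll5ha.dll
2008-02-05 20:42 . 2007-03-08 12:20 49,920 --a------ C:\WINDOWS\system32\drivers\HPZid412.sys
2008-02-05 20:41 . 2008-02-05 20:41 <DIR> d-------- C:\Program Files\HP
2008-02-03 21:43 . 2007-10-10 16:55 6,065,664 --------- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-02-03 21:43 . 2007-10-10 03:59 13,824 --------- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-02-03 20:21 . 2004-10-07 13:39 89,088 --a------ C:\WINDOWS\system32\atl71.dll
2008-01-14 19:44 . 2008-01-14 19:44 1,158 --a------ C:\WINDOWS\mozver.dat
2008-01-12 00:56 . 2008-01-12 00:56 <DIR> d--h----- C:\WINDOWS\PIF
"""

if __name__ == "__main__":
    rows = parse_created(SAMPLE)
    for group in clusters(rows):
        span = "%s .. %s" % (group[0]["created"], group[-1]["created"])
        print(span, "|", len(group), "entries")
    for reason, path in flag(rows):
        print("REVIEW:", path, "(%s)" % reason)
```

The cluster view is the useful part when a log runs to hundreds of lines: an HP printer install or an IE update shows up as one dense block with its Program Files directory, and the odd executable that appears on its own, at its own time, stands out without any signature.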
Farbar
Hit the Send button too early:
Here is the Hijackthis log.
Sorry about that.
S@S
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:31:09 PM, on 11/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe
C:\Program Files\TELUS\eProtect Advisor\TEPA.exe
C:\Program Files\TELUS\TELUS Security service\Freedom.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\TELUS eCare\bin\mpbtn.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.ca/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\TELUS\TELUS Security service\pkR.dll
O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\TELUS\TELUS Security service\FreeBHOR.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O4 - HKLM\..\Run: [intelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [intelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [TEPA.exe] "C:\Program Files\TELUS\eProtect Advisor\TEPA.exe" /AUTORUN
O4 - HKLM\..\Run: [TELUS Security service] "C:\Program Files\TELUS\TELUS Security service\Freedom.exe"
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [indexCleaner] "C:\Program Files\TELUS\TELUS Security service\IndexCleanerR.exe"
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [indexCleaner] "C:\Program Files\TELUS\TELUS Security service\IndexCleanerR.exe"
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: TELUS eCare.lnk = C:\Program Files\TELUS eCare\bin\matcli.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
--
End of file - 8678 bytes
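The two HijackThis logs in this thread, and the CFScript Farbar built from the first one, lend themselves to a small script. As an added example (not HijackThis, ComboFix or forum code), the Python below parses HJT entries, lists everything still registered whose target is "(file missing)", writes the Registry:: block of a CFScript for the orphaned O2 BHOs in the same form as the script posted earlier, and diffs the before and after logs to confirm what actually changed. The sample lines are excerpts copied from the two logs above; treating "~" as ComboFix's shorthand for the Explorer key is taken from that posted script and is an assumption here.

```python
r"""Triage a HijackThis 2.0 log: list entries whose target file is gone,
emit the CFScript lines that unregister orphaned BHOs, and diff two logs
of the same machine to verify what a cleanup round actually changed.

Added example; not HijackThis, ComboFix or forum code. Sample lines are
copied from the two logs in this thread. The CFScript layout copies the
script posted earlier in the thread, where "~" stands for
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer (assumed from that
post, not from ComboFix documentation).
"""
import re

ENTRY_RE = re.compile(r"^([ORFN]\d+) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def parse_hjt(log):
    """One dict per O/R/F/N line: section, text, CLSID (if any) and whether
    HijackThis could not find the target on disk."""
    entries = []
    for raw in log.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        section, text = m.groups()
        clsid = CLSID_RE.search(text)
        entries.append({
            "section": section,
            "text": text,
            "clsid": clsid.group(0).upper() if clsid else None,
            "missing": text.endswith("(file missing)"),
        })
    return entries


def orphaned(entries):
    """Entries still registered although their file is gone. After the Vundo
    DLLs are deleted the CLSIDs stay under Browser Helper Objects and IE keeps
    trying to load them on every start."""
    return [e for e in entries if e["missing"]]


def cfscript_registry(entries):
    """CFScript 'Registry::' block removing every orphaned O2 BHO key.
    O9 buttons live under a different key, so they are reported by
    orphaned() but not turned into a BHO deletion here."""
    lines = ["Registry::"]
    for e in orphaned(entries):
        if e["section"] == "O2" and e["clsid"]:
            lines.append(r"[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\%s]" % e["clsid"])
    return lines


def diff_logs(before, after):
    """(removed, added): entry texts that disappeared / appeared between runs."""
    b = {e["text"] for e in parse_hjt(before)}
    a = {e["text"] for e in parse_hjt(after)}
    return b - a, a - b


# Excerpt of the first log in this thread (before the ComboFix script ran)
BEFORE = r"""
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {61ADDA09-8B2B-4C80-A9A3-44F40A213035} - C:\WINDOWS\system32\jkkjg.dll (file missing)
O2 - BHO: (no name) - {879957D5-612A-4898-820E-63AE053ADE2A} - C:\WINDOWS\system32\vturp.dll (file missing)
O2 - BHO: (no name) - {960E4924-EDF9-4616-BD5E-DE763AA89A10} - C:\WINDOWS\system32\vtstr.dll (file missing)
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
"""

# Excerpt of the second log (after ComboFix and the Java upgrade)
AFTER = r"""
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
"""

if __name__ == "__main__":
    print("\n".join(cfscript_registry(parse_hjt(BEFORE))))
    removed, added = diff_logs(BEFORE, AFTER)
    print("removed:", *sorted(removed), sep="\n  ")
    print("added:", *sorted(added), sep="\n  ")
    for e in orphaned(parse_hjt(AFTER)):
        print("still orphaned:", e["section"], e["text"])
```

On these excerpts the three Vundo CLSIDs produce deletion lines, the orphaned MUSICMATCH O9 button is reported but not turned into a BHO deletion (it is not a BHO, and Farbar removes it with HijackThis in the next post), and the diff shows the old J2SE 1.4.2 run entry gone and the JRE 6 ssv.dll helper added, which is the kind of before/after check worth doing before declaring a machine clean.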
stare@screen,
Everything looks clean. You have worked hard. About losing what you have typed when you send it: it has happened to me also, so I also make a file before posting.
I checked and you have installed the right Java.
If you want, please do these last steps to make sure there are no leftovers and damaged files on your system:
Step1
Go to Internet Options (Internet Explorer, under Tools) and set the privacy setting to default (you have not mentioned it; maybe you reset the security but not the privacy). It is lowered by the Vundo malware and you can reset it now since the Vundo is removed.
Step 2.
Uninstall ComboFix. To do that go to: Start >> Run... Type: Combofix /u (there is a space before /) and click OK.
If you face any problem with uninstalling, manually remove ComboFix and C:\Qoobox.
This removes all the files removed by ComboFix. The dll you named was also removed and placed in quarantine by ComboFix. That is why you found it there.
Step 3.
You have many unnecessary applications running at startup. These applications could be run on demand and need not be running all the time. They make the boot-up time longer and use memory and CPU without doing anything most of the time.
To fix that, run HijackThis, click "Do a system scan only", check the following items, close all windows including this one and click on "Fix checked". They are placed in the backup and you can undo them anytime.
O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
MotiveSB.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
Step 4.
Run ATF cleaner.
Please download and run Bit Defender 8 online scanner
Install the program and then follow the prompts to download all available updates.
Select Antivirus and then click the Settings button. Click Default. Click Ok.
Select Local Drives and click Scan. Let it disinfect or move the infected files.
When the scan is complete save the log and post it back here in your next reply if you wanted.
You can later on uninstall it from add/remove programs or keep it for on demand scan.
Step 5.
Download AVG Anti Spyware
Use the link under "AVG Anti-Spyware Free Edition"
Install AVG Anti Spyware
Double-click the icon on Desktop to launch AVG
On the top of the main screen click Shield
Click the word active to change it to inactive
On the top of the main screen click Update.
Then click on Start Update. The update will start and a progress bar will show the updates being installed.
Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
Under "Reports"- Select "Automatically generate report after every scan"
- Un-Select "Only if threats were found"
Under scanner: Select Complete system Scan and let the scan run. Then let it remove the infected files.
Post the content of the scan log into your reply if you wanted.
Step 6.
Go to the Run box on the Start Menu and type in: sfc /scannow
Note that there is a space before /
It checks the integrity of Windows system files and if needed replaces them from the Windows backup. If the backups are corrupted too, it asks for your Windows installation CD.
Step 7.
Remove the icons on the desktop using "desktop cleanup wizard". To do that, right click on your desktop with all the windows closed, select "Arrange Icons By" - Run Desktop Cleanup Wizard - Next - what you want to clean should be checked - Finish.
Could you finally manage to make a new restore point?
If you did the steps and needed me to look at the scans post both of them (BD and AVG scan logs). The HJT log is not needed.
How is your computer running?
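As an added example (not from this thread or any of its tools), a PowerShell snippet that lists the same HKLM/HKCU Run-key autostart entries HijackThis reports as "O4" lines and flags entries whose executable cannot be found, the way HJT marks "(file missing)". Get-ExePath is a helper name chosen here; it is not a Windows or HJT command.

```powershell
# Added example: audit Run-key autostart entries in HijackThis "O4" form.
# Assumes a Windows host with PowerShell; run in a console, read-only.
$runKeys = @{
    'HKLM' = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    'HKCU' = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
}

# Pull the executable out of a Run value such as
#   "C:\Program Files\QuickTime\qttask.exe" -atboottime   or   stsystra.exe
function Get-ExePath([string]$cmd) {
    $cmd = $cmd.Trim()
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
        return $cmd.Trim('"')
    }
    # Unquoted value: the path runs up to the first space before an argument
    $idx = $cmd.IndexOf(' ')
    if ($idx -gt 0) { return $cmd.Substring(0, $idx) }
    return $cmd
}

foreach ($hive in $runKeys.Keys) {
    $keyPath = $runKeys[$hive]
    if (-not (Test-Path $keyPath)) { continue }
    $values = Get-ItemProperty -Path $keyPath
    foreach ($prop in $values.PSObject.Properties) {
        # PS* members are registry-provider metadata, not Run values
        if ($prop.Name -like 'PS*') { continue }
        $exe = Get-ExePath ([string]$prop.Value)
        # A bare name like stsystra.exe is found via the PATH, so resolve it
        if ($exe -match '[\\/]') {
            $resolved = $exe
        } else {
            $cmdInfo = Get-Command $exe -ErrorAction SilentlyContinue
            $resolved = if ($cmdInfo) { $cmdInfo.Path } else { $null }
        }
        $status = if ($resolved -and (Test-Path $resolved)) { '' } else { ' (file missing)' }
        "O4 - $hive\..\Run: [$($prop.Name)] $($prop.Value)$status"
    }
}
```

Entries marked "(file missing)" point at a binary that no longer exists, which is the usual leftover after a removal tool has deleted the payload but not the Run value.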
Farbar:
Now that was a long evening. Here are the outcomes of your recommended steps
Step 1:
Under internet options in Windows Explorer, the privacy setting has been reset to default, which is Medium.
Step 2:
Uninstalled Combofix per your instructions. All went smoothly and it was uninstalled without a hitch. The Combofix icon has been removed from the desktop.
Step 3:
Ran Hijackthis, and check marked the files indicated. Closed all windows and clicked on fix checked. The Hijackthis screen went blank, and was ready for another scan. Ran the scan only, and it looks like the files check marked are gone.
Step 4:
Ran ATF cleaner, and it freed 3,384.0 KB’s
BitDefender wouldn’t let me download because of an ActiveX Controller issue (?) So I used the online scanner. The first scan yielded the following report.
BitDefender Online Scanner - Real Time Virus Report
Generated at: Tue, Feb 12, 2008 - 20:20:02
Scan Info
Scanned Files 180348
Infected Files 2
Virus Detected
Trojan.Downloader.Agent.YYA 2
This summary of the scan process will be used by the BitDefender Antivirus Lab to create agregate statistics about virus activity around the world.
Re scanned to ensure all infected files were removed, and the log was:
BitDefender Online Scanner - Real Time Virus Report
Generated at: Tue, Feb 12, 2008 - 21:04:05
Scan Info
Scanned Files 188502
Infected Files 0
Virus Detected
No virus found.
When I scanned with my ISP Antivirus, it found an additional virus which was “W32/Backdoor-based” located in \System Volume Information\Restore(-----). It said it could not remove it. I will look after that one later.
Step 5:
Downloaded the AVG Anti – Spyware free edition V7.5.1 to the Desktop. Everything scanned A-OK No spyware was found. When I went to copy the log and put it to this reply, the computer automatically rebooted itself, and I am not quite sure what happened. Everything came back, and seems to be functioning properly. Weird!
Step 6:
Ran the sfc /scannow.
It did come up with a warning about half way through the scan that stated:
‘Files that are required for Windows to run properly must be copied to the DLL cache’ Insert the Windows CD-ROM now.
Couldn’t put my hands on the Dell disk with the operating system on it, so it will be a project for this weekend. I know that we have it, it’s just a matter of locating it in the CD box we have.
Let the program run through to the end and closed by itself with no further issues.
Step 7:
Used the desktop cleanup wizard and eliminated the two offending files on the desktop. The Help and Support Center, and Windows Update folders on the desktop are gone!!
Again, thanks for all your help on this issue. I will get back to you about the reloading of the Windows file once I locate the CD-ROM that was supplied to me from DELL.
Regards
S@S
S@S,
It has been indeed a long night.
About the Trojan discovered by your AV: it resides in the system volume where the restore points are saved. You don't get access to that folder to remove anything, but when you make a new restore point the Trojan would be cleaned automatically.
The spontaneous reboot may mean one of the windows files is corrupted or there is something else going on. You have from now until weekend time to monitor how your computer is behaving.
Keep an eye on your firewall. Run updated AV and AVG regularly.
If you have other login accounts than administrator and your own login, you may remove them. A guest account without a password is not a good idea.
Farbar:
Back home from being away at a remote worksite.
First of all I want to thank-you for all of your help and guidance that you have given me over the past week. Without your help and expertise, there would not have been any hope in repairing our computer of this malware. I could not have repaired this on my own. My family is impressed that the computer is working again. I was quick to point out, I didn’t fix it, I just followed your expert instructions.
The computer is now functioning properly and at what I would consider normal speed. My son did locate the CD-ROM with the Windows operating system as supplied by DELL, and I re-ran the sfc /scannow. It reloaded the corrupted files.
The only minor irritation is that my ISP antivirus is still telling me from time to time that I have a virus in the / drive. From your previous post, you had mentioned to me that it is in my restore (?) area. I once again followed your instructions about clearing the restore memory, and we will see if this time it is finally cleared out. If it continues, I will post a new item on this forum to clear up this small issue.
Again, thank-you for all of your help.
Regards
Stare@Screen
I am glad everything is fine and you are most welcome. You were fantastic in carrying out the steps and reporting back, and it was inspiring for me. It is a good practice to keep an eye on your firewall from time to time.
For your information, the system volume folder where the restore points are made becomes clean once you remove the old restore points and make a new restore point according to the procedure I have explained. The infection on the D drive, however, may have other sources, for example if you have downloaded an infected file and saved it on the D drive. So let your whole system be scanned by your AV and AVG.
If you find anything unusual and need guidance don't hesitate to come back. If you wanted to reopen this thread or post a new thread you may let me know with a PM.
Take care,
farbar