I Have Also Been Hit With The Nt_kernel Error 1256

From the sounds of the many posts on this board, I will have to stand in line to obtain some help on this issue. So I will be patient, and wait my turn.......


I am not at all proficient in the how-tos, so any help will have to be specific and almost keystroke by keystroke.


From the information obtained in this forum, I did run the Vundofix V6.7.7 and managed to remove all but one file. The Windows Update and Help and Support Icons are still on my desktop. Managed to remove (?) all of those pesky .tmp files. It's been cleaned up enough to make this post without the computer grinding itself to a halt.


Here is my log from the HijackThis program


Logfile of Trend Micro HijackThis v2.0.2


Scan saved at 8:59:44 PM, on 07/02/2008


Platform: Windows XP SP2 (WinNT 5.01.2600)


MSIE: Internet Explorer v7.00 (7.00.6000.16574)


Boot mode: Normal


Running processes:


C:\WINDOWS\System32\smss.exe


C:\WINDOWS\system32\winlogon.exe


C:\WINDOWS\system32\services.exe


C:\WINDOWS\system32\lsass.exe


C:\WINDOWS\system32\Ati2evxx.exe


C:\WINDOWS\system32\svchost.exe


C:\WINDOWS\System32\svchost.exe


C:\WINDOWS\system32\svchost.exe


C:\Program Files\Intel\Wireless\Bin\EvtEng.exe


C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe


C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe


C:\WINDOWS\system32\Ati2evxx.exe


C:\WINDOWS\system32\LEXBCES.EXE


C:\WINDOWS\system32\spoolsv.exe


C:\WINDOWS\system32\LEXPPS.EXE


C:\WINDOWS\system32\CTsvcCDA.exe


C:\Program Files\Common Files\Command Software\dvpapi.exe


C:\WINDOWS\System32\svchost.exe


C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe


C:\WINDOWS\System32\svchost.exe


C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe


C:\WINDOWS\system32\svchost.exe


C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe


C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe


C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe


C:\WINDOWS\stsystra.exe


C:\Program Files\Synaptics\SynTP\SynTPEnh.exe


C:\Program Files\ATI Technologies\ATI.ACE\cli.exe


C:\Program Files\Dell\Media Experience\PCMService.exe


C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe


C:\Program Files\Real\RealPlayer\RealPlay.exe


C:\WINDOWS\system32\dla\tfswctrl.exe


C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe


C:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe


C:\Program Files\TELUS\eProtect Advisor\TEPA.exe


C:\Program Files\TELUS\TELUS Security service\Freedom.exe


C:\Program Files\NetWaiting\netWaiting.exe


C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe


C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe


C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe


C:\Program Files\DellSupport\DSAgnt.exe


C:\Program Files\Messenger\msmsgs.exe


C:\Program Files\Veoh Networks\Veoh\VeohClient.exe


C:\WINDOWS\system32\ctfmon.exe


C:\Program Files\Digital Line Detect\DLG.exe


C:\Program Files\TELUS eCare\bin\mpbtn.exe


C:\Program Files\ATI Technologies\ATI.ACE\cli.exe


C:\WINDOWS\explorer.exe


C:\Program Files\Internet Explorer\iexplore.exe


C:\WINDOWS\system32\taskmgr.exe


C:\Program Files\Internet Explorer\iexplore.exe


C:\Program Files\Trend Micro\HijackThis\HijackThis.exe


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.ca/myway


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/dellsidebar.jsp?p=DC


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.ca/


R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157


R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896


R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896


R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157


R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.ca/myway


R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1


R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll


R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll


O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll


O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll


O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe


O4 - HKLM\..\Run: [intelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"


O4 - HKLM\..\Run: [intelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless


O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe


O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe


O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay


O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"


O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"


O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER


O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime


O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe


O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup


O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start


O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe


O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe


O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall


O4 - HKLM\..\Run: [TEPA.exe] "C:\Program Files\TELUS\eProtect Advisor\TEPA.exe" /AUTORUN


O4 - HKLM\..\Run: [TELUS Security service] "C:\Program Files\TELUS\TELUS Security service\Freedom.exe"


O4 - HKLM\..\Run: [salestart] "C:\Program Files\Common Files\StorageProtector\strpmon.exe" dm=http://storageprotector.com ad=http://storageprotector.com sd=http://inspaid.storageprotector.com


O4 - HKLM\..\Run: [984e9103] rundll32.exe "C:\WINDOWS\system32\mmodmydr.dll",b


O4 - HKLM\..\RunOnce: [indexCleaner] "C:\Program Files\TELUS\TELUS Security service\IndexCleanerR.exe"


O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe


O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R


O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"


O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup


O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background


O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide


O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe


O4 - Global Startup: Digital Line Detect.lnk = ?


O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE


O4 - Global Startup: TELUS eCare.lnk = C:\Program Files\TELUS eCare\bin\matcli.exe


O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll


O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll


O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL


O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll


O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)


O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe


O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe


O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe


O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe


O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab


O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe


O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe


O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe


O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe


O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe


O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE


O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe


O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe


O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe


O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe


--


End of file - 9183 bytes


Thanks in advance to the people who are much smarter than me in these issues.
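As an added example (not part of this thread, and not HijackThis's own logic), the script below reads HijackThis-style lines and flags the entries a helper would look at first: autorun values with random hex names or rundll32 loading a DLL straight out of system32, autorun commands that carry URLs, unnamed BHOs/search hooks, short lowercase DLL names in system32 (the naming pattern of the files in this log), and "(file missing)" leftovers. The sample input is six lines copied from the logs in this thread; the rules are heuristics I wrote for illustration, and a hit means "look closer", not "malware".

```python
"""Heuristic triage of a HijackThis (HJT) log.

Added example for this thread. The rules are the author's own heuristics,
not HijackThis's logic; a hit is a prompt for review, not a verdict.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: six lines copied from the HJT logs in this thread,
# so the script runs offline without a real log file.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [salestart] "C:\Program Files\Common Files\StorageProtector\strpmon.exe" dm=http://storageprotector.com ad=http://storageprotector.com sd=http://inspaid.storageprotector.com
O4 - HKLM\..\Run: [984e9103] rundll32.exe "C:\WINDOWS\system32\mmodmydr.dll",b
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5187800A-5B6D-4996-BAC7-850294D477C3} - C:\WINDOWS\system32\mljgd.dll (file missing)
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
"""

# "O4 - <body>", "R3 - <body>", ...
ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
# O4 body: "HKLM\..\Run: [value name] command line"
RUNKEY_RE = re.compile(r"^(?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O2/O3/R3 body: "BHO: name - {CLSID} - path [ (file missing)]"
COMOBJ_RE = re.compile(r"^(?P<type>[^:]+): (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
HEXNAME_RE = re.compile(r"^[0-9a-f]{8}$", re.I)          # e.g. 984e9103
SHORT_DLL_RE = re.compile(r"^[a-z]{5,8}\.dll$")         # e.g. mljgd.dll
DLL_IN_CMD_RE = re.compile(r'([A-Za-z]:\\[^",]+\.dll)', re.I)


@dataclass
class Finding:
    line: str
    reasons: List[str]


def _random_system32_dll(path: str) -> bool:
    """Short, all-lowercase, letters-only DLL name sitting in system32.
    Legitimate DLLs can match too, so this is one signal among several."""
    if "\\system32\\" not in path.lower():
        return False
    base = path.replace("/", "\\").rsplit("\\", 1)[-1].split(" ")[0]
    return SHORT_DLL_RE.match(base) is not None


def check_run_entry(name: str, cmd: str) -> List[str]:
    """Heuristics for an O4 (Run key) entry."""
    reasons: List[str] = []
    low = cmd.lower()
    if low.startswith("rundll32") and "\\system32\\" in low:
        reasons.append("rundll32 loads a DLL straight from system32")
    if HEXNAME_RE.match(name):
        reasons.append("autorun value name is a random-looking hex string")
    if "http://" in low or "https://" in low:
        reasons.append("autorun command carries URLs as arguments")
    m = DLL_IN_CMD_RE.search(cmd)
    if m and _random_system32_dll(m.group(1)):
        reasons.append("short lowercase DLL name in system32")
    return reasons


def check_com_entry(name: str, path: str) -> List[str]:
    """Heuristics for an O2 (BHO), O3 (toolbar) or R3 (URLSearchHook) entry."""
    reasons: List[str] = []
    if name.strip() == "(no name)":
        reasons.append("browser hook registered without a name")
    if _random_system32_dll(path):
        reasons.append("short lowercase DLL name in system32")
    if "(file missing)" in path:
        reasons.append("dangling registration: file gone, registry entry remains")
    return reasons


def triage(log_text: str) -> List[Finding]:
    """Return one Finding per line that trips at least one heuristic."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        reasons: List[str] = []
        if kind == "O4":
            rk = RUNKEY_RE.match(body)
            if rk:
                reasons = check_run_entry(rk.group("name"), rk.group("cmd"))
        elif kind in ("O2", "O3", "R3"):
            co = COMOBJ_RE.match(body)
            if co:
                reasons = check_com_entry(co.group("name"), co.group("path"))
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("   ->", r)
```

On the sample, the Synaptics and Acrobat lines pass clean, the `[984e9103]` rundll32 line and the `mljgd.dll` BHO each trip three rules, and the StorageProtector and MyWaySA lines trip one each. To run it on a saved log, pass `open("hijackthis.log").read()` to `triage()` instead of `SAMPLE_LOG`.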

Comments

  • farbar
    farbar
    edited February 2008

    Hi,


    I suggest while waiting for somebody to help you, you can prepare your computer and equip it with what is missing on your computer:


    1- An anti virus: BitDefender has a free version: http://www.bitdefender.com/PRODUCT-14-en--...ee-Edition.html


    2- A firewall: Sygate Personal Firewall or ZoneLabs Zone Alarm have good free versions.


    3- Anti-adware and spyware:


    Download Ad-Aware 2007 Free


    Download Spybot - Search and Destroy

  • Farbar:


    Thank-you for sending me this information. I will give it a try.


    I have been reading a lot about this subject over the past few days, and will disable the existing security software on this computer before I enable the recommended.


    Presently, the security software that is loaded on the computer is from my ISP. It has an antivirus, firewall, and spyware in the package. It has caught some viruses, and cleans out a good number of spyware cookies and the like. The firewall blocks a lot of packets (?) on a daily basis.


    Further to my last posting, my son thought he would help (?) me by trying to get rid of the file that VundoFix could not eliminate. He changed the .dll to a .****** and attempted to delete it. It still would not get rid of the offending file. So he changed it back to the .dll. After that, we started to get the pop-ups reappearing. I re-ran the VundoFix program, and found new files. Most of them were eliminated but the first offending file is still there, along with a new one, that seems to change name every time you re-run VundoFix.


    The offending file has a pathway of C:\WINDOWS\System32\hggffee.dll


    I have asked my son to leave well enough alone, and let the experts handle this one. In my line of work we have a simple rule when we are trying to repair something. Rule #1 = When attempting to fix something, DON'T make it worse.


    Thanks again for all the expert advice.


    S@S

  • farbar
    farbar
    edited February 2008

    I don't press for the first two points as I didn't recognize your AV and firewall. But I still insist on the third one.


    To give you some clue as to what you are dealing with, go to C:\Program Files\Trend Micro\HijackThis\HijackThis.exe, change the name of hijackthis.exe to something else like stare.exe, then double click stare.exe to make a new HijackThis log, and you will see the dll you could not remove and maybe more start appearing on the HJT log.


    I understand your son's attempt to improvise but agree with you and the rule you are applying in your work.


    In any case I suggest the following:


    Step 1.


    Download ComboFix.exe to your desktop using this link:


    bleepingcomputer


    Close any open browsers.


    Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. After Combofix is finished turn on/enable your anti virus again.


    Double click on combofix.exe to run the programme & then follow the prompts.


    When finished, it will produce a report for you. Please post the content of this log ("C:\ComboFix.txt") into your next post.


    ComboFix may need to reboot to finish its work. Let it.


    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


    Step 2. Go to your firewall Internet traffic and check, note, report and remove all suspicious allowed applications.


    Step 3.


    Please download ATF Cleaner by Atribune.


    Double-click ATF-Cleaner.exe to run the program.


    Under Main choose: Select All


    Click the Empty Selected button



    Step 4. Reboot and post a new HijackThis log.


    Please give me feedback about the problems you face in doing the steps or any changes you notice.

  • Farbar:


    After I read your post I jumped right into step #1. I did not change the hijackthis.exe to stare.exe and run a log. If you still require this, I will repost the results. Sorry about that.


    Completed the four steps as you had requested. You were specific enough that I (and my son) could follow. Here is the information that you had requested.


    Step 1:


    Ran ComboFix and the log is attached. When the computer automatically rebooted, my installed security service automatically rebooted also, even though I had shut it down to run ComboFix. Hope it didn't mess something up. I have also removed the name listed on the computer, replacing it with ***s.


    ComboFix 08-02.05.3 - **** ****** 2008-02-09 21:51:13.1 - NTFSx86


    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.528 [GMT -7:00]


    Running from: C:\Documents and Settings\**** ******\Desktop\ComboFix.exe


    * Created a new restore point


    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!


    .


    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    .


    C:\WINDOWS\system32\ssqrq.dll


    C:\Documents and Settings\All Users\Application Data\storageprotector


    C:\Documents and Settings\All Users\Application Data\storageprotector\Data\ac


    C:\Documents and Settings\All Users\Application Data\storageprotector\Data\em


    C:\Documents and Settings\All Users\Application Data\storageprotector\Data\oid


    C:\Documents and Settings\All Users\Application Data\storageprotector\Data\user


    C:\Documents and Settings\**** ******\Application Data\storageprotector


    C:\Documents and Settings\**** ******\Application Data\storageprotector\Logs\update.log


    C:\Program Files\Common Files\StorageProtector


    C:\Program Files\Common Files\StorageProtector\goaway.exe


    C:\Program Files\Common Files\Yazzle1281OinAdmin.exe


    C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe


    C:\WINDOWS\cookies.ini


    C:\WINDOWS\system32\arqbcpor.ini


    C:\WINDOWS\system32\AutoRun.inf


    C:\WINDOWS\system32\hbubvrni.dll


    C:\WINDOWS\system32\hggffee.dll


    C:\WINDOWS\system32\ighxqcvw.ini


    C:\WINDOWS\system32\jldvhrhr.dll


    C:\WINDOWS\system32\jouuqflu.dll


    C:\WINDOWS\system32\kxksteww.ini


    C:\WINDOWS\system32\mcrh.tmp


    C:\WINDOWS\system32\pac.txt


    C:\WINDOWS\system32\qrqss.ini


    C:\WINDOWS\system32\qrqss.ini2


    C:\WINDOWS\system32\rdymdomm.ini


    C:\WINDOWS\system32\rhrhvdlj.ini


    C:\WINDOWS\system32\ropcbqra.dll


    C:\WINDOWS\system32\ssqrq.dll


    C:\WINDOWS\system32\vmcsvgfw.ini


    C:\WINDOWS\system32\votcybww.ini


    C:\WINDOWS\system32\windows


    .


    ((((((((((((((((((((((((( Files Created from 2008-01-10 to 2008-02-10 )))))))))))))))))))))))))))))))


    .


    2008-02-08 20:30 . 2008-02-08 20:30 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe


    2008-02-07 20:58 . 2008-02-07 20:58 <DIR> d-------- C:\Program Files\Trend Micro


    2008-02-06 21:10 . 2008-02-08 20:10 <DIR> d-------- C:\VundoFix Backups


    2008-02-05 21:04 . 2008-02-05 21:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Hewlett-Packard


    2008-02-05 21:03 . 2007-03-28 14:01 117,760 --a------ C:\WINDOWS\system32\hpzll5ha.dll


    2008-02-05 21:01 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys


    2008-02-05 21:01 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\dllcache\usbscan.sys


    2008-02-05 20:54 . 2008-02-05 20:54 <DIR> d-------- C:\Program Files\Hewlett-Packard


    2008-02-05 20:46 . 2008-02-05 20:46 <DIR> d-------- C:\Program Files\Common Files\Hewlett-Packard


    2008-02-05 20:43 . 2007-03-08 12:20 21,568 --a------ C:\WINDOWS\system32\drivers\HPZius12.sys


    2008-02-05 20:43 . 2007-03-08 12:20 16,496 --a------ C:\WINDOWS\system32\drivers\HPZipr12.sys


    2008-02-05 20:42 . 2008-02-05 20:43 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE


    2008-02-05 20:42 . 2007-03-17 23:11 675,840 --a------ C:\WINDOWS\system32\hpowiax3.dll


    2008-02-05 20:42 . 2007-03-17 23:11 569,344 --a------ C:\WINDOWS\system32\hpotscl3.dll


    2008-02-05 20:42 . 2007-03-08 12:20 364,544 --a------ C:\WINDOWS\system32\hppldcoi.dll


    2008-02-05 20:42 . 2007-03-08 12:20 309,760 --a------ C:\WINDOWS\system32\difxapi.dll


    2008-02-05 20:42 . 2007-03-17 23:11 303,104 --a------ C:\WINDOWS\system32\hpovst10.dll


    2008-02-05 20:42 . 2007-03-30 22:07 267,864 --a------ C:\WINDOWS\system32\hpzids01.dll


    2008-02-05 20:42 . 2007-03-08 12:20 49,920 --a------ C:\WINDOWS\system32\drivers\HPZid412.sys


    2008-02-05 20:41 . 2008-02-05 20:41 <DIR> d-------- C:\Program Files\HP


    2008-02-05 20:40 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys


    2008-02-05 20:40 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\dllcache\usbprint.sys


    2008-02-05 20:39 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys


    2008-02-05 20:39 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\dllcache\usbccgp.sys


    2008-02-05 20:22 . 2008-02-05 21:07 122,771 --a------ C:\WINDOWS\hpoins14.dat


    2008-02-05 20:22 . 2007-09-21 04:55 1,996 --------- C:\WINDOWS\hpomdl14.dat


    2008-02-05 20:15 . 2008-02-05 20:15 90,688 --a------ C:\WINDOWS\system32\wvcqxhgi.dll


    2008-02-03 21:43 . 2007-10-10 16:55 6,065,664 --------- C:\WINDOWS\system32\dllcache\ieframe.dll


    2008-02-03 21:43 . 2007-06-30 20:31 2,455,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dat


    2008-02-03 21:43 . 2007-06-30 20:36 991,232 --------- C:\WINDOWS\system32\dllcache\ieframe.dll.mui


    2008-02-03 21:43 . 2007-10-10 16:55 459,264 --------- C:\WINDOWS\system32\dllcache\msfeeds.dll


    2008-02-03 21:43 . 2007-10-10 16:55 383,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dll


    2008-02-03 21:43 . 2007-10-10 16:55 267,776 --------- C:\WINDOWS\system32\dllcache\iertutil.dll


    2008-02-03 21:43 . 2007-10-10 16:55 63,488 --------- C:\WINDOWS\system32\dllcache\icardie.dll


    2008-02-03 21:43 . 2007-10-10 16:55 52,224 --------- C:\WINDOWS\system32\dllcache\msfeedsbs.dll


    2008-02-03 21:43 . 2007-10-10 03:59 13,824 --------- C:\WINDOWS\system32\dllcache\ieudinit.exe


    2008-02-03 20:23 . 2008-02-03 20:23 <DIR> dr------- C:\Documents and Settings\All Users\Application Data\SalesMon


    2008-02-03 20:21 . 2004-10-07 13:39 89,088 --a------ C:\WINDOWS\system32\atl71.dll


    2008-02-01 22:03 . 2008-02-01 22:03 <DIR> d-------- C:\WINDOWS\system32\nGpxx01


    2008-02-01 22:03 . 2008-02-03 17:53 <DIR> d-------- C:\Temp


    2008-01-14 19:44 . 2008-01-14 19:44 1,158 --a------ C:\WINDOWS\mozver.dat


    2008-01-12 00:56 . 2008-01-12 00:56 <DIR> d--h----- C:\WINDOWS\PIF


    .


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))


    .


    2008-02-09 04:08 8,496 ----a-w C:\Documents and Settings\**** ******\Application Data\wklnhst.dat


    2008-02-09 03:48 --------- d-----w C:\Program Files\Yahoo!


    2008-02-09 02:05 --------- d-----w C:\Program Files\Common Files\PestPatrol


    2008-02-08 22:23 --------- d-----w C:\Program Files\Common Files\Command Software


    2008-02-04 00:43 --------- d-----w C:\Documents and Settings\**** ******\Application Data\uTorrent


    2007-12-23 07:58 --------- d-----w C:\Documents and Settings\**** ******\Application Data\Yahoo!


    2007-03-01 16:18 63,624 ----a-w C:\Documents and Settings\**** ******\Application Data\GDIPFONTCACHEV1.DAT


    .


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    .


    .


    *Note* empty entries & legit default entries are not shown


    REGEDIT4


    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5187800A-5B6D-4996-BAC7-850294D477C3}]


    C:\WINDOWS\system32\mljgd.dll


    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{61ADDA09-8B2B-4C80-A9A3-44F40A213035}]


    C:\WINDOWS\system32\jkkjg.dll


    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{879957D5-612A-4898-820E-63AE053ADE2A}]


    C:\WINDOWS\system32\vturp.dll


    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{960E4924-EDF9-4616-BD5E-DE763AA89A10}]


    C:\WINDOWS\system32\vtstr.dll


    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]


    "ModemOnHold"="C:\Program Files\NetWaiting\netWaiting.exe" [2003-09-10 00:24 20480]


    "Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 17:23 102400]


    "CTSyncU.exe"="C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-06-12 13:32 700416]


    "DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 10:09 460784]


    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24 1694208]


    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:00 15360]


    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]


    "IndexCleaner"="C:\Program Files\TELUS\TELUS Security service\IndexCleanerR.exe" [2005-05-19 14:50 53248]


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]


    "SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 15:48 32881]


    "IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 09:55 667718]


    "IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 09:56 602182]


    "SigmatelSysTrayApp"="stsystra.exe" [2005-11-16 12:35 397312 C:\WINDOWS\stsystra.exe]


    "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-29 09:56 761947]


    "ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 12:43 45056]


    "PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2004-04-11 18:15 290816]


    "DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 18:29 49152]


    "RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2006-06-14 18:53 26112]


    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-06-14 18:54 98304]


    "dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-05 23:05 127035]


    "ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 14:50 221184]


    "ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 14:50 81920]


    "PrinTray"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe" [2000-09-14 16:03 36864]


    "Motive SmartBridge"="C:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe" [2007-03-11 17:32 393216]


    "MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 15:16 1121792]


    "TEPA.exe"="C:\Program Files\TELUS\eProtect Advisor\TEPA.exe" [2007-03-20 16:48 2061816]


    "TELUS Security service"="C:\Program Files\TELUS\TELUS Security service\Freedom.exe" [2005-05-19 14:56 180278]


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]


    "IndexCleaner"="C:\Program Files\TELUS\TELUS Security service\IndexCleanerR.exe" [2005-05-19 14:50 53248]


    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\


    Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-06-14 18:52:32 24576]


    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-12 23:01:04 83360]


    TELUS eCare.lnk - C:\Program Files\TELUS eCare\bin\matcli.exe [2007-01-24 21:01:59 217088]


    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]


    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12


    hpdevmgmt REG_MULTI_SZ hpqcxs08


    .


    **************************************************************************


    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net


    Rootkit scan 2008-02-09 21:57:49


    Windows 5.1.2600 Service Pack 2 NTFS


    scanning hidden processes ...


    scanning hidden autostart entries ...


    scanning hidden files ...


    scan completed successfully


    hidden files: 0


    **************************************************************************


    .


    ------------------------ Other Running Processes ------------------------


    .


    C:\WINDOWS\system32\Ati2evxx.exe


    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe


    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe


    C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe


    C:\WINDOWS\system32\LEXBCES.EXE


    C:\WINDOWS\system32\Ati2evxx.exe


    C:\WINDOWS\system32\LEXPPS.EXE


    C:\WINDOWS\system32\CTsvcCDA.exe


    C:\Program Files\Common Files\Command Software\dvpapi.exe


    C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe


    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe


    C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe


    C:\Program Files\TELUS eCare\bin\mpbtn.exe


    C:\WINDOWS\system32\wbem\wmiapsrv.exe


    C:\WINDOWS\system32\wscntfy.exe


    .


    **************************************************************************


    .


    Completion time: 2008-02-09 21:59:51 - machine was rebooted


    ComboFix-quarantined-files.txt 2008-02-10 04:59:47


    .


    2008-02-05 05:07:25 --- E O F ---


    Step 2:


    Removed these suspicious files from the firewall that were allowed access:


    Application Layer Gateway Service that was receiving from program in C:\Windows\System32\alg.exe


    Utorrent


    ffinstaller


    downldr


    Veoh Client


    Updater Sys Rep


    CLI Application


    Au_


    Run a DLL As An App


    Step 3:


    Downloaded and ran ATF cleaner.


    At the end of the cleaning it stated that it freed 4,696,000 KB.


    Step 4:


    Rebooted and ran a new Hijackthis Scan


    This is the log that followed.


    Logfile of Trend Micro HijackThis v2.0.2


    Scan saved at 10:19:35 PM, on 09/02/2008


    Platform: Windows XP SP2 (WinNT 5.01.2600)


    MSIE: Internet Explorer v7.00 (7.00.6000.16574)


    Boot mode: Normal


    Running processes:


    C:\WINDOWS\System32\smss.exe


    C:\WINDOWS\system32\winlogon.exe


    C:\WINDOWS\system32\services.exe


    C:\WINDOWS\system32\lsass.exe


    C:\WINDOWS\system32\Ati2evxx.exe


    C:\WINDOWS\system32\svchost.exe


    C:\WINDOWS\System32\svchost.exe


    C:\WINDOWS\system32\svchost.exe


    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe


    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe


    C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe


    C:\WINDOWS\system32\Ati2evxx.exe


    C:\WINDOWS\Explorer.EXE


    C:\WINDOWS\system32\LEXBCES.EXE


    C:\WINDOWS\system32\LEXPPS.EXE


    C:\WINDOWS\system32\spoolsv.exe


    C:\WINDOWS\system32\CTsvcCDA.exe


    C:\Program Files\Common Files\Command Software\dvpapi.exe


    C:\WINDOWS\System32\svchost.exe


    C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe


    C:\WINDOWS\System32\svchost.exe


    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe


    C:\WINDOWS\system32\svchost.exe


    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe


    C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe


    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe


    C:\WINDOWS\stsystra.exe


    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe


    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe


    C:\Program Files\Dell\Media Experience\PCMService.exe


    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe


    C:\Program Files\Real\RealPlayer\RealPlay.exe


    C:\WINDOWS\system32\dla\tfswctrl.exe


    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe


    C:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe


    C:\Program Files\TELUS\eProtect Advisor\TEPA.exe


    C:\Program Files\TELUS\TELUS Security service\Freedom.exe


    C:\Program Files\NetWaiting\netWaiting.exe


    C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe


    C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe


    C:\Program Files\DellSupport\DSAgnt.exe


    C:\Program Files\Messenger\msmsgs.exe


    C:\WINDOWS\system32\ctfmon.exe


    C:\Program Files\Digital Line Detect\DLG.exe


    C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe


    C:\WINDOWS\system32\wuauclt.exe


    C:\Program Files\TELUS eCare\bin\mpbtn.exe


    C:\WINDOWS\system32\wbem\wmiapsrv.exe


    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe


    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe


    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.ca/


    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157


    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896


    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896


    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157


    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.ca/myway


    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1


    R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll


    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll


    O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\TELUS\TELUS Security service\pkR.dll


    O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll


    O2 - BHO: (no name) - {5187800A-5B6D-4996-BAC7-850294D477C3} - C:\WINDOWS\system32\mljgd.dll (file missing)


    O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\TELUS\TELUS Security service\FreeBHOR.dll


    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll


    O2 - BHO: (no name) - {61ADDA09-8B2B-4C80-A9A3-44F40A213035} - C:\WINDOWS\system32\jkkjg.dll (file missing)


    O2 - BHO: (no name) - {879957D5-612A-4898-820E-63AE053ADE2A} - C:\WINDOWS\system32\vturp.dll (file missing)


    O2 - BHO: (no name) - {960E4924-EDF9-4616-BD5E-DE763AA89A10} - C:\WINDOWS\system32\vtstr.dll (file missing)


    O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe


    O4 - HKLM\..\Run: [intelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"


    O4 - HKLM\..\Run: [intelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless


    O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe


    O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe


    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay


    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"


    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"


    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER


    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime


    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe


    O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup


    O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start


    O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe


    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe


    O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall


    O4 - HKLM\..\Run: [TEPA.exe] "C:\Program Files\TELUS\eProtect Advisor\TEPA.exe" /AUTORUN


    O4 - HKLM\..\Run: [TELUS Security service] "C:\Program Files\TELUS\TELUS Security service\Freedom.exe"


    O4 - HKLM\..\RunOnce: [indexCleaner] "C:\Program Files\TELUS\TELUS Security service\IndexCleanerR.exe"


    O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe


    O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R


    O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"


    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup


    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background


    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe


    O4 - HKCU\..\RunOnce: [indexCleaner] "C:\Program Files\TELUS\TELUS Security service\IndexCleanerR.exe"


    O4 - Global Startup: Digital Line Detect.lnk = ?


    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE


    O4 - Global Startup: TELUS eCare.lnk = C:\Program Files\TELUS eCare\bin\matcli.exe


    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll


    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll


    O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL


    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll


    O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)


    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe


    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe


    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe


    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe


    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab


    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe


    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe


    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe


    O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe


    O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe


    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE


    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe


    O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe


    O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe


    O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe


    --


    End of file - 9249 bytes


    After all of the above, the first thing that I noticed is that the popups have stopped. After I post, I will exit out of the "my computer" area, to see if the screen goes blank like it did in the past. Will let you know how it goes.


    The Windows Update and Help and Support Center Icons still remain on the Desktop, however, the computer is quite a bit more responsive.


    As always, thanks for all your help in this matter.


    S@S

  • Good work.


    1. Please go to add/remove programs. Uninstall anything with myway in it.


    2. Uninstall utorrent and any other p2p program. You may install them after my last post. Remove its folders from program files and keep the files you want to keep.


    3. Remove vundofix and its folder C:\VundoFix Backups.


    4. Remove old Java versions due to serious security vulnerability (especially for Vundo family malware): Download the latest version of JRE (Java Runtime Environment (JRE) 6 Update 4) from here: http://java.sun.com/javase/downloads/index.jsp


    But don't install it yet.


    Go to control panel - add/remove programs - uninstall/remove all the old versions of Java, or any item with Java (JRE or J2SE) in the name, and remove the folders from program files.


    Reboot once all Java components are removed.


    Apply ATF cleaner, then install the new Java version.


    5. Go to start - search - click all files and folders - click more advanced options and check: search system folders, search hidden files and folders and search subfolders - type P*.tmp in the upper box and click on search. If you find any of those files, remove them manually. To do that, highlight them all (select the first .tmp file, hold down Shift and scroll down to the last .tmp and highlight/select the last .tmp) and delete them using Shift+Del to bypass the Recycle bin.


    6. Go to start - control panel - folder options - click view tab: uncheck hide extensions for known file types. Click apply then OK.


    Then go to the search box again and type downldr and report back the finding. Do the same for Au_

  • farbar
    edited February 2008

    6. Go to start - control panel - folder options - click view tab: uncheck hide extensions for known file types. Click apply then OK.


    Then go to the search box again and type downldr and report back the finding. Do the same for Au_


    To be specific: I need in both cases the full path and file name.

  • Farbar:


    Here are the outcomes from your instructions:


    1) Removed "Myway Search Assistant" in the Add/Remove program section. There was no size of file indicated.


    2) Removed the UTorrent program. It was not listed in the Add/Remove program section, but found it using the search function. Found it in C:\Program Files and C:\Program Files\utorrent. All removed, and then re-searched for it and it did not find it. Removed the icon on the desktop manually. Also removed a program called DivX as it is listed as a partial P2P program. Removed DivX programs using the Add/Remove program section.


    3) Deleted VundoFix from the Desktop, and the file C:\Vundofix Backups.


    4) Removed Java 2 Runtime Environment SE V1.4.2_03 in the Add/Remove program section. Closed out all windows and rebooted the computer. Ran the ATF cleaner, and it stated that it freed 2,612.0 KB. Downloaded (JRE) 6 Update 4, in which there were 3 files. Wasn't sure where or what folder they should be placed in, so I loaded them to the Desktop. Is that OK, or should I move them into a different folder, i.e. remove them from the desktop, and reload them into a different section?


    5) Searched for P*.tmp per your instructions and no files were found


    6) Changed the folder option per your request, and searched for the two files you asked about


    a) downldr - No files found


    b) Au_ - 2 files found


    au_plcy.htm in folder C:\i386


    au_plcy.htm in folder C:\WINDOWS\system32\oobe\setup


    In my last reply, I had stated that when I closed the "my computer" section when I was having all of the problems, the screen would go blank, and it would take about a minute to reload the desktop. After I had made the previous changes, the blank screen issue had been resolved, and the desktop comes up immediately, and the icons reload.


    Again, I thank you for your patience and your time. I feel like we are gaining control of this computer slow but sure.


    Regards


    S@S

  • farbar
    edited February 2008

    To install java you have to run the java installer for windows (Jre-6u4-windows-i586-.exe) by double clicking it. Then remove everything you have downloaded.


    Step1


    Go to Internet Options (Internet Explorer, under Tools) and set the privacy setting to default. It is lowered by the Vundo malware and you can reset it now since the Vundo is removed.


    Step 2


    Open notepad and copy/paste the text in the code box below into it:


    Folder::
    C:\Program Files\MyWaySA
    C:\WINDOWS\system32\nGpxx01
    C:\Documents and Settings\All Users\Application Data\SalesMon
    C:\Temp


    File::
    C:\WINDOWS\system32\VundoFixSVC.exe
    C:\WINDOWS\system32\wvcqxhgi.dll
    C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll


    Registry::

    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5187800A-5B6D-4996-BAC7-850294D477C3}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{61ADDA09-8B2B-4C80-A9A3-44F40A213035}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{879957D5-612A-4898-820E-63AE053ADE2A}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4D25F921-B9FE-4682-BF72-8AB8210D6D75}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{960E4924-EDF9-4616-BD5E-DE763AA89A10}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RealTray"=-
    "QuickTime Task"=-


    Save this as CFScript.txt


    Drag CFScript.txt into ComboFix.exe. You can see the image showing this here: http://www.fromsej.saknet.dk/billeder/cfscript.gif.


    ComboFix will now run a scan on your system.


    It may reboot your system when it finishes. This is normal.


    Step3


    Reboot and run ATF cleaner. Check if the system is running fine. Then empty your restore volume to get rid of recreation of infection by windows recovery. To do that: go to start - control panel - system - system restore - check "turn off system restore on all drives". Click apply. By doing this you lose all your (often infected) restore points. Reboot and uncheck "turn off system restore on all drives" to create a clean restore point.


    See if you encounter any problem. Post the ComboFix log and a fresh HijackThis log to make sure nothing is left behind.
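    The script in Step 2 is built from the HijackThis log: the five `[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{...}]` lines are exactly the "(no name)" O2 entries whose DLL is missing, plus the MyWay one. The following is an added example (not farbar's or ComboFix's own code) that parses O2 lines from constructed sample input taken from this thread, flags them with that heuristic, and emits the Folder::/File::/Registry:: stanzas in the same layout; the flagging rule and the `~` shorthand for the BHO key are assumptions carried over from the script above, not documented ComboFix rules.

```python
"""Triage HijackThis O2 (BHO) lines into a ComboFix-style CFScript.

Added example, not code from the thread, farbar or ComboFix. The sample log
lines are constructed from entries quoted in this thread; the flagging
heuristic is an assumption about how such entries were chosen.
"""
import re
from dataclasses import dataclass
from typing import Iterable

# "O2 - BHO: <name> - {GUID} - <dll path>[ (file missing)]"
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<guid>[0-9A-Fa-f-]{36})\} - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$"
)

# '~' is the shorthand used in the thread's script for the IE BHO key (assumption)
BHO_KEY = r"HKEY_LOCAL_MACHINE\~\Browser Helper Objects"
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample: O2/O4 lines copied from the HijackThis log in this thread
SAMPLE_HJT = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O2 - BHO: (no name) - {5187800A-5B6D-4996-BAC7-850294D477C3} - C:\WINDOWS\system32\mljgd.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {61ADDA09-8B2B-4C80-A9A3-44F40A213035} - C:\WINDOWS\system32\jkkjg.dll (file missing)
O2 - BHO: (no name) - {879957D5-612A-4898-820E-63AE053ADE2A} - C:\WINDOWS\system32\vturp.dll (file missing)
O2 - BHO: (no name) - {960E4924-EDF9-4616-BD5E-DE763AA89A10} - C:\WINDOWS\system32\vtstr.dll (file missing)
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
""".strip().splitlines()


@dataclass(frozen=True)
class Bho:
    name: str
    guid: str
    path: str
    missing: bool


def parse_o2(lines: Iterable[str]) -> list[Bho]:
    """Pick the O2 (Browser Helper Object) entries out of a HijackThis log."""
    found = []
    for line in lines:
        m = O2_RE.match(line.strip())
        if m:
            found.append(Bho(m["name"], m["guid"].upper(), m["path"], m["missing"] is not None))
    return found


def suspicious(bhos: Iterable[Bho], unwanted_folders: Iterable[str]) -> list[Bho]:
    """Heuristic (assumption): a BHO with no name whose DLL is already gone
    (the orphaned Vundo entries in this log), or whose DLL lives in a folder
    that is already slated for removal, is a candidate for the Registry:: stanza."""
    prefixes = tuple(f.lower().rstrip("\\") + "\\" for f in unwanted_folders)
    flagged = []
    for b in bhos:
        orphaned = b.name == "(no name)" and b.missing
        in_unwanted = b.path.lower().startswith(prefixes)
        if orphaned or in_unwanted:
            flagged.append(b)
    return flagged


def build_cfscript(folders, files, bhos, run_values) -> str:
    """Assemble Folder::, File:: and Registry:: stanzas in the layout of the
    thread's script. '[-key]' deletes a key; '"value"=-' deletes a Run value."""
    lines = ["Folder::", *folders, "", "File::", *files, "", "Registry::"]
    lines += [f"[-{BHO_KEY}\\{{{b.guid}}}]" for b in bhos]
    lines += ["", f"[{RUN_KEY}]"]
    lines += [f'"{v}"=-' for v in run_values]
    return "\n".join(lines) + "\n"


def triage(lines=SAMPLE_HJT) -> str:
    """End-to-end run on the sample: folders/files mirror the thread's script."""
    folders = [r"C:\Program Files\MyWaySA"]
    files = [r"C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll"]
    bad = suspicious(parse_o2(lines), folders)
    return build_cfscript(folders, files, bad, ["RealTray", "QuickTime Task"])


if __name__ == "__main__":
    print(triage())
```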

  • Farbar:


    I learned a valuable lesson tonight. Type the reply to this board in a word file first, and then save it to the computer first, before you reboot the computer. Else, it is gone if you type it directly in this reply section. I had to retype the reply all over again which I am sure is a rookie mistake!!


    I must be a bit thick on the uptake with reloading of Java. I revisited the downloading site, and the three files that can be downloaded for JRE 6 Update 4 are


    jre-6u4-windows-x64.exe


    jre-6u4-windows-i586-p.exe


    jre-6u4-windows-i586-p.iftw.exe


    You had asked me to load:


    jre-6u4-windows-i586.exe ?


    Am I in the wrong area for this Java download?


    For the sake of expediency, I loaded jre-6u4-windows-i586-p.exe, and deleted the other two files. The Java program (JRE 6 Update 4) now appears in the Add/Remove program area.


    Onto the rest of the reply


    Step #1


    The security setting in Internet Explorer is now reset to default, which is Medium-High


    Step #2


    Added the CFScript.txt file to ComboFix and ran ComboFix. Saved the log file, which is attached to the end of this post. The computer did not automatically reboot.


    Step #3


    Manually rebooted the computer (and lost my first reply) and ran ATF Cleaner. At the end it stated that ATF Cleaner has freed 3768.0 KB. The system appears to be working much better than a week ago. Went into the System Restore, and check marked the "Turn off System Restore". As soon as I hit Apply, a pop up showed up stating


    End Program - rundll.32.exe


    This program is not responding.


    I hit "end now" and immediately my antivirus program briefly flashed, and warned me that it disinfected a virus.


    Rebooted the computer, and as it was starting back up, I initially thought I had the blue screen of death come up. After about 3 - 5 seconds, the windows XP symbol showed up in the upper right hand corner, and the following statement came on the screen.


    Checking file system on C:


    The type of the file system is NTFS


    The volume is dirty


    CHKDSK is verifying files.


    ---Then there was a blur of activity on the screen, and then Windows started up normally. Whew!---


    System "appears" to be running normally. The two icons <Windows Update> and <Help and Support Center> are still on my desktop.


    I did do a search for the offending file that Vundofix did not take care of. The search feature did find it, but there was an additional extension on it.


    hggffee.dll.vir located in folder C:\QooBox\Quarantine\C\WINDOWS\system32


    Re ran Hijackthis, and the log file is attached.


    Again, thanks for all your help, and being patient with me.


    Regards


    S@S


    ComboFix 08-02.05.3 - Jeff Hatton 2008-02-11 20:54:26.2 - NTFSx86


    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.572 [GMT -7:00]


    Running from: C:\Documents and Settings\**** ******\Desktop\ComboFix.exe


    Command switches used :: C:\Documents and Settings\**** ******\Desktop\CFScript.txt


    * Created a new restore point


    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!


    FILE


    C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll


    C:\WINDOWS\system32\VundoFixSVC.exe


    C:\WINDOWS\system32\wvcqxhgi.dll


    .


    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    .


    C:\Documents and Settings\All Users\Application Data\SalesMon


    C:\Temp


    C:\WINDOWS\system32\nGpxx01


    C:\WINDOWS\system32\nGpxx01\nGpxx011065.exe


    C:\WINDOWS\system32\VundoFixSVC.exe


    C:\WINDOWS\system32\wvcqxhgi.dll


    .


    ((((((((((((((((((((((((( Files Created from 2008-01-12 to 2008-02-12 )))))))))))))))))))))))))))))))


    .


    2008-02-11 20:30 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl


    2008-02-11 20:29 . 2008-02-11 20:30 <DIR> d-------- C:\Program Files\Java


    2008-02-11 20:29 . 2008-02-11 20:29 <DIR> d-------- C:\Program Files\Common Files\Java


    2008-02-09 21:48 . 2004-08-04 03:00 388,608 --a------ C:\kmd.exe


    2008-02-07 20:58 . 2008-02-07 20:58 <DIR> d-------- C:\Program Files\Trend Micro


    2008-02-05 21:04 . 2008-02-05 21:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Hewlett-Packard


    2008-02-05 21:03 . 2007-03-28 14:01 117,760 --a------ C:\WINDOWS\system32\hpzll5ha.dll


    2008-02-05 21:01 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys


    2008-02-05 21:01 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\dllcache\usbscan.sys


    2008-02-05 20:54 . 2008-02-05 20:54 <DIR> d-------- C:\Program Files\Hewlett-Packard


    2008-02-05 20:46 . 2008-02-05 20:46 <DIR> d-------- C:\Program Files\Common Files\Hewlett-Packard


    2008-02-05 20:43 . 2007-03-08 12:20 21,568 --a------ C:\WINDOWS\system32\drivers\HPZius12.sys


    2008-02-05 20:43 . 2007-03-08 12:20 16,496 --a------ C:\WINDOWS\system32\drivers\HPZipr12.sys


    2008-02-05 20:42 . 2008-02-05 20:43 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE


    2008-02-05 20:42 . 2007-03-17 23:11 675,840 --a------ C:\WINDOWS\system32\hpowiax3.dll


    2008-02-05 20:42 . 2007-03-17 23:11 569,344 --a------ C:\WINDOWS\system32\hpotscl3.dll


    2008-02-05 20:42 . 2007-03-08 12:20 364,544 --a------ C:\WINDOWS\system32\hppldcoi.dll


    2008-02-05 20:42 . 2007-03-08 12:20 309,760 --a------ C:\WINDOWS\system32\difxapi.dll


    2008-02-05 20:42 . 2007-03-17 23:11 303,104 --a------ C:\WINDOWS\system32\hpovst10.dll


    2008-02-05 20:42 . 2007-03-30 22:07 267,864 --a------ C:\WINDOWS\system32\hpzids01.dll


    2008-02-05 20:42 . 2007-03-08 12:20 49,920 --a------ C:\WINDOWS\system32\drivers\HPZid412.sys


    2008-02-05 20:41 . 2008-02-05 20:41 <DIR> d-------- C:\Program Files\HP


    2008-02-05 20:40 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys


    2008-02-05 20:40 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\dllcache\usbprint.sys


    2008-02-05 20:39 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys


    2008-02-05 20:39 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\dllcache\usbccgp.sys


    2008-02-05 20:22 . 2008-02-05 21:07 122,771 --a------ C:\WINDOWS\hpoins14.dat


    2008-02-05 20:22 . 2007-09-21 04:55 1,996 --------- C:\WINDOWS\hpomdl14.dat


    2008-02-03 21:43 . 2007-10-10 16:55 6,065,664 --------- C:\WINDOWS\system32\dllcache\ieframe.dll


    2008-02-03 21:43 . 2007-06-30 20:31 2,455,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dat


    2008-02-03 21:43 . 2007-06-30 20:36 991,232 --------- C:\WINDOWS\system32\dllcache\ieframe.dll.mui


    2008-02-03 21:43 . 2007-10-10 16:55 459,264 --------- C:\WINDOWS\system32\dllcache\msfeeds.dll


    2008-02-03 21:43 . 2007-10-10 16:55 383,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dll


    2008-02-03 21:43 . 2007-10-10 16:55 267,776 --------- C:\WINDOWS\system32\dllcache\iertutil.dll


    2008-02-03 21:43 . 2007-10-10 16:55 63,488 --------- C:\WINDOWS\system32\dllcache\icardie.dll


    2008-02-03 21:43 . 2007-10-10 16:55 52,224 --------- C:\WINDOWS\system32\dllcache\msfeedsbs.dll


    2008-02-03 21:43 . 2007-10-10 03:59 13,824 --------- C:\WINDOWS\system32\dllcache\ieudinit.exe


    2008-02-03 20:21 . 2004-10-07 13:39 89,088 --a------ C:\WINDOWS\system32\atl71.dll


    2008-01-14 19:44 . 2008-01-14 19:44 1,158 --a------ C:\WINDOWS\mozver.dat


    2008-01-12 00:56 . 2008-01-12 00:56 <DIR> d--h----- C:\WINDOWS\PIF


    .


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))


    .


    2008-02-12 03:53 8,638 ----a-w C:\Documents and Settings\**** ******\Application Data\wklnhst.dat


    2008-02-12 02:51 --------- d-----w C:\Program Files\Common Files\Command Software


    2008-02-11 02:51 --------- d-----w C:\Program Files\DivX


    2008-02-09 03:48 --------- d-----w C:\Program Files\Yahoo!


    2008-02-09 02:05 --------- d-----w C:\Program Files\Common Files\PestPatrol


    2008-02-04 00:43 --------- d-----w C:\Documents and Settings\**** ******\Application Data\uTorrent


    2007-12-23 07:58 --------- d-----w C:\Documents and Settings\**** ******\Application Data\Yahoo!


    2007-03-01 16:18 63,624 ----a-w C:\Documents and Settings\**** ******\Application Data\GDIPFONTCACHEV1.DAT


    .


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    .


    .


    *Note* empty entries & legit default entries are not shown


    REGEDIT4


    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]


    "ModemOnHold"="C:\Program Files\NetWaiting\netWaiting.exe" [2003-09-10 00:24 20480]


    "Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 17:23 102400]


    "CTSyncU.exe"="C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-06-12 13:32 700416]


    "DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 10:09 460784]


    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24 1694208]


    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:00 15360]


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]


    "IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 09:55 667718]


    "IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 09:56 602182]


    "SigmatelSysTrayApp"="stsystra.exe" [2005-11-16 12:35 397312 C:\WINDOWS\stsystra.exe]


    "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-29 09:56 761947]


    "ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 12:43 45056]


    "PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2004-04-11 18:15 290816]


    "DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 18:29 49152]


    "RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2006-06-14 18:53 26112]


    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-06-14 18:54 98304]


    "dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-05 23:05 127035]


    "ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 14:50 221184]


    "ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 14:50 81920]


    "PrinTray"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe" [2000-09-14 16:03 36864]


    "Motive SmartBridge"="C:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe" [2007-03-11 17:32 393216]


    "MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 15:16 1121792]


    "TEPA.exe"="C:\Program Files\TELUS\eProtect Advisor\TEPA.exe" [2007-03-20 16:48 2061816]


    "TELUS Security service"="C:\Program Files\TELUS\TELUS Security service\Freedom.exe" [2005-05-19 14:56 180278]


    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784]


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]


    "IndexCleaner"="C:\Program Files\TELUS\TELUS Security service\IndexCleanerR.exe" [2005-05-19 14:50 53248]


    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\


    Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-06-14 18:52:32 24576]


    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-12 23:01:04 83360]


    TELUS eCare.lnk - C:\Program Files\TELUS eCare\bin\matcli.exe [2007-01-24 21:01:59 217088]


    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]


    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12


    hpdevmgmt REG_MULTI_SZ hpqcxs08


    .


    **************************************************************************


    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net


    Rootkit scan 2008-02-11 20:56:18


    Windows 5.1.2600 Service Pack 2 NTFS


    scanning hidden processes ...


    scanning hidden autostart entries ...


    scanning hidden files ...


    scan completed successfully


    hidden files: 0


    **************************************************************************


    .


    Completion time: 2008-02-11 20:56:52


    ComboFix-quarantined-files.txt 2008-02-12 03:56:36


    ComboFix2.txt 2008-02-10 04:59:51


    .


    2008-02-05 05:07:25 --- E O F ---

  • Farbar


    Hit the Send button too early:


    Here is the Hijackthis log.


    Sorry about that.


    S@S


    Logfile of Trend Micro HijackThis v2.0.2


    Scan saved at 9:31:09 PM, on 11/02/2008


    Platform: Windows XP SP2 (WinNT 5.01.2600)


    MSIE: Internet Explorer v7.00 (7.00.6000.16574)


    Boot mode: Normal


    Running processes:


    C:\WINDOWS\System32\smss.exe


    C:\WINDOWS\system32\winlogon.exe


    C:\WINDOWS\system32\services.exe


    C:\WINDOWS\system32\lsass.exe


    C:\WINDOWS\system32\Ati2evxx.exe


    C:\WINDOWS\system32\svchost.exe


    C:\WINDOWS\System32\svchost.exe


    C:\WINDOWS\system32\svchost.exe


    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe


    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe


    C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe


    C:\WINDOWS\system32\Ati2evxx.exe


    C:\WINDOWS\Explorer.EXE


    C:\WINDOWS\system32\LEXBCES.EXE


    C:\WINDOWS\system32\LEXPPS.EXE


    C:\WINDOWS\system32\spoolsv.exe


    C:\WINDOWS\system32\CTsvcCDA.exe


    C:\Program Files\Common Files\Command Software\dvpapi.exe


    C:\WINDOWS\System32\svchost.exe


    C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe


    C:\WINDOWS\System32\svchost.exe


    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe


    C:\WINDOWS\system32\svchost.exe


    C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe


    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe


    C:\WINDOWS\stsystra.exe


    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe


    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe


    C:\Program Files\Dell\Media Experience\PCMService.exe


    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe


    C:\Program Files\Real\RealPlayer\RealPlay.exe


    C:\WINDOWS\system32\dla\tfswctrl.exe


    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe


    C:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe


    C:\Program Files\TELUS\eProtect Advisor\TEPA.exe


    C:\Program Files\TELUS\TELUS Security service\Freedom.exe


    C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe


    C:\Program Files\NetWaiting\netWaiting.exe


    C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe


    C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe


    C:\Program Files\DellSupport\DSAgnt.exe


    C:\Program Files\Messenger\msmsgs.exe


    C:\WINDOWS\system32\ctfmon.exe


    C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe


    C:\Program Files\Digital Line Detect\DLG.exe


    C:\Program Files\TELUS eCare\bin\mpbtn.exe


    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe


    C:\Program Files\internet explorer\iexplore.exe


    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe


    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.ca/


    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157


    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896


    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896


    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157


    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.ca/myway


    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1


    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll


    O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\TELUS\TELUS Security service\pkR.dll


    O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\TELUS\TELUS Security service\FreeBHOR.dll


    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll


    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll


    O4 - HKLM\..\Run: [intelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"


    O4 - HKLM\..\Run: [intelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless


    O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe


    O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe


    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay


    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"


    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"


    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER


    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime


    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe


    O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup


    O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start


    O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe


    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe


    O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall


    O4 - HKLM\..\Run: [TEPA.exe] "C:\Program Files\TELUS\eProtect Advisor\TEPA.exe" /AUTORUN


    O4 - HKLM\..\Run: [TELUS Security service] "C:\Program Files\TELUS\TELUS Security service\Freedom.exe"


    O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"


    O4 - HKLM\..\RunOnce: [indexCleaner] "C:\Program Files\TELUS\TELUS Security service\IndexCleanerR.exe"


    O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe


    O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R


    O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"


    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup


    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background


    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe


    O4 - HKCU\..\RunOnce: [indexCleaner] "C:\Program Files\TELUS\TELUS Security service\IndexCleanerR.exe"


    O4 - Global Startup: Digital Line Detect.lnk = ?


    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE


    O4 - Global Startup: TELUS eCare.lnk = C:\Program Files\TELUS eCare\bin\matcli.exe


    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll


    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll


    O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL


    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll


    O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)


    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe


    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe


    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe


    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe


    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/plugin/DivXBrowserPlugin.cab


    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe


    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe


    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe


    O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe


    O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe


    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE


    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe


    O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe


    O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe


    O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe


    --


    End of file - 8678 bytes

  • farbar (edited February 2008)

    stare@screen,



    Everything looks clean. You have worked hard. About losing what you have typed when you send it: it has happened to me also; I also save a file before posting.


    I checked and you have installed the right Java.


    If you want, please do these last steps to make sure there are no leftovers or damaged files on your system:


    Step 1.


    Go to Internet Options (Internet Explorer, under Tools) and set the privacy setting to default (you have not mentioned it; maybe you reset the security level but not the privacy level). It is lowered by the Vundo malware and you can reset it now since the Vundo is removed.


    Step 2.


    Uninstall ComboFix. To do that go to: Start >> Run... Type: Combofix /u (there is a space before /) and click OK.


    If you face any problem with uninstalling, manually remove ComboFix and C:\Qoobox.


    This removes all the files removed by ComboFix. The dll you named was also removed and placed in quarantine by ComboFix. That is why you found it there.


    Step 3.


    You have many unnecessary applications running at startup. These applications could be run on demand and need not be running all the time. They make the boot-up time longer and use memory and CPU without doing anything most of the time.


    To fix that, run HijackThis, click "Do a system scan only", check the following items, close all windows including this one and click "Fix checked". They are placed in the backup and you can undo them anytime.


    O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe


    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay


    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"


    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"


    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER


    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime


    O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup


    O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start


    O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe


    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe


    O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"


    O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R


    O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"


    O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)


    Step 4.


    Run ATF cleaner.


    Please download and run Bit Defender 8 online scanner


    Install the program and then follow the prompts to download all available updates.


    Select Antivirus and then click the Settings button. Click Default. Click Ok.


    Select Local Drives and click Scan. Let it disinfect or move the infected files.


    When the scan is complete, save the log and post it back here in your next reply if you want.


    You can later on uninstall it from Add/Remove Programs or keep it for on-demand scans.


    Step 5.


    Download AVG Anti Spyware


    Use the link under "AVG Anti-Spyware Free Edition"


    Install AVG Anti Spyware


    Double-click the icon on Desktop to launch AVG


    On the top of the main screen click Shield


    Click the word active to change it to inactive


    On the top of the main screen click Update.


    Then click on Start Update. The update will start and a progress bar will show the updates being installed.


    Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.


    Once in the Settings screen click on "Recommended actions" and then select "Quarantine".


    Under "Reports"

    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"


      Under Scanner: select Complete System Scan and let the scan run. Then let it remove the infected files.


      Post the content of the scan log into your reply if you want.

    Step 6.


    Go to the Run box on the Start Menu and type in: sfc /scannow


    Note that there is a space before /


    It checks the integrity of Windows system files and, if needed, replaces them from the Windows backup. If the backups are corrupted too, it asks for your Windows installation CD.


    Step 7.


    Remove the icons on the desktop using the "Desktop Cleanup Wizard". To do that, right-click on your desktop with all the windows closed, select "Arrange Icons By" > "Run Desktop Cleanup Wizard" > Next; what you want to clean should be checked; then Finish.


    Did you finally manage to make a new restore point?


    If you did the steps and need me to look at the scans, post both of them (BD and AVG scan logs). The HJT log is not needed.


    How is your computer running?
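
    The log posted earlier and the Step 3 list above are both in HijackThis's "O-line" format. The following Python script is an added example for this thread (my own code, not part of HijackThis and not from any of the posts): it parses O4, O9 and O23 lines and flags what a reviewer would otherwise check by hand: a bare image name with no directory (which Windows locates through the PATH search order, so a same-named file earlier in the path wins), an unquoted path containing spaces, a startup shortcut whose target could not be resolved, a "(file missing)" orphan, and a service whose binary has no publisher. The sample lines are copied from the log posted in this thread; the check names and the set of checks are my choice.

```python
"""Parse HijackThis O4 / O9 / O23 lines and flag entries a reviewer checks.

Added example for this thread; not part of HijackThis or the original posts.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Lines taken from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"""

# O4 registry autostart:      "O4 - HKLM\..\Run: [name] command"
O4_REG = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O4 startup-folder shortcut: "O4 - Global Startup: name.lnk = target"
O4_LNK = re.compile(r"^O4 - (?P<folder>Global Startup|Startup): (?P<name>.+?) = (?P<target>.*)$")
# O23 service:                "O23 - Service: display - publisher - image path"
O23_SVC = re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# Shortest leading token that ends in an executable extension, then arguments.
EXE_RE = re.compile(r"^(?P<exe>.*?\.(?:exe|com|scr|bat|cmd|pif))(?:\s+(?P<args>.*))?$", re.I)


@dataclass(frozen=True)
class Finding:
    kind: str    # short tag such as "bare-name"
    line: str    # the log line that triggered it
    detail: str  # what to check


def split_command(cmd: str) -> tuple[str, str, bool]:
    r"""Return (executable, arguments, was_quoted) for a Run-key command.

    A quoted path is taken verbatim.  For an unquoted path with spaces the
    executable is the first token ending in an executable extension; the
    point of flagging it is that the loader tries each shorter prefix
    (C:\Program.exe, C:\Program Files\Real.exe, ...) before reaching it.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end != -1:
            return cmd[1:end], cmd[end + 1:].strip(), True
    m = EXE_RE.match(cmd)
    if m:
        return m.group("exe"), m.group("args") or "", False
    head, _, tail = cmd.partition(" ")  # no known extension: first token
    return head, tail, False


def analyze(text: str) -> list[Finding]:
    """Run the checks over a HijackThis log and return the findings."""
    findings: list[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if "(file missing)" in line:
            findings.append(Finding("file-missing", line,
                                    "target no longer exists; orphaned entry"))
        m = O4_REG.match(line)
        if m:
            exe, _args, quoted = split_command(m.group("cmd"))
            if "\\" not in exe and "/" not in exe:
                findings.append(Finding("bare-name", line,
                                        f"{exe!r} has no directory; it is found via the PATH search order"))
            elif not quoted and " " in exe:
                findings.append(Finding("unquoted-path", line,
                                        f"{exe!r} is unquoted; a file at a shorter prefix would run instead"))
            continue
        m = O4_LNK.match(line)
        if m and m.group("target") == "?":
            findings.append(Finding("unresolved-lnk", line,
                                    "shortcut target not resolved; open the .lnk and check it by hand"))
            continue
        m = O23_SVC.match(line)
        if m and m.group("owner") == "Unknown owner":
            # HijackThis prints service paths without their quotes, so quoting
            # cannot be judged from the log; only the missing publisher is reported.
            findings.append(Finding("unknown-owner", line,
                                    f"no publisher for {m.group('path')!r}; verify signature and hash"))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f.kind}] {f.line}\n    {f.detail}")
```

    On the sample, the script reports five entries: the bare stsystra.exe, the unquoted RealPlay.exe path, the unresolved Digital Line Detect.lnk, the missing MUSICMATCH button target, and the DSBrokerService binary with no publisher. A flag is a prompt to look, not a verdict: every one of those five belongs to legitimate Dell, Creative, Real or SigmaTel software on this machine, which is why the thread treats them as clutter to trim rather than malware.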

  • Farbar:


    Now that was a long evening. Here are the outcomes of your recommended steps


    Step 1:


    Under internet options in Windows Explorer, the privacy setting has been reset to default, which is Medium.


    Step 2:


    Uninstalled Combofix per your instructions. All went smoothly and it was uninstalled without a hitch. The Combofix icon has been removed from the desktop.


    Step 3:


    Ran Hijackthis, and check marked the files indicated. Closed all windows and clicked on fix checked. The Hijackthis screen went blank, and was ready for another scan. Ran the scan only, and it looks like the files check marked are gone.


    Step 4:


    Ran ATF Cleaner, and it freed 3,384.0 KB.


    BitDefender wouldn’t let me download because of an ActiveX Controller issue (?) So I used the online scanner. The first scan yielded the following report.


    BitDefender Online Scanner - Real Time Virus Report


    Generated at: Tue, Feb 12, 2008 - 20:20:02


    Scan Info


    Scanned Files 180348


    Infected Files 2


    Virus Detected


    Trojan.Downloader.Agent.YYA 2


    This summary of the scan process will be used by the BitDefender Antivirus Lab to create aggregate statistics about virus activity around the world.


    Re scanned to ensure all infected files were removed, and the log was:


    BitDefender Online Scanner - Real Time Virus Report


    Generated at: Tue, Feb 12, 2008 - 21:04:05


    Scan Info


    Scanned Files 188502


    Infected Files 0


    Virus Detected


    No virus found.


    When I scanned with my ISP antivirus, it found an additional virus which was “W32/Backdoor-based” located in D:\System Volume Information\Restore(-----). It said it could not remove it. I will look after that one later.


    Step 5:


    Downloaded the AVG Anti-Spyware free edition V7.5.1 to the Desktop. Everything scanned A-OK. No spyware was found. When I went to copy the log and put it in this reply, the computer automatically rebooted itself, and I am not quite sure what happened. Everything came back, and seems to be functioning properly. Weird!


    Step 6:


    Ran the sfc /scannow.


    It did come up with a warning about half way through the scan that stated:


    ‘Files that are required for Windows to run properly must be copied to the DLL cache’ Insert the Windows CD-ROM now.


    Couldn’t put my hands on the Dell disk with the operating system on it, so it will be a project for this weekend. I know that we have it, it’s just a matter of locating it in the CD box we have.


    Let the program run through to the end and closed by itself with no further issues.


    Step 7:


    Used the desktop cleanup wizard and eliminated the two offending files on the desktop. The Help and Support Center, and Windows Update folders on the desktop are gone!!


    Again, thanks for all your help on this issue. I will get back to you about the reloading of the Windows file once I locate the CD-ROM that was supplied to me from DELL.


    Regards


    S@S

  • farbar (edited February 2008)

    S@S,


    It has been indeed a long night.


    About the Trojan discovered by your AV: it resides in the system volume where the restore points are saved. You don't get access to that folder to remove anything, but when you make a new restore point the Trojan will be cleaned automatically.


    The spontaneous reboot may mean one of the Windows files is corrupted or there is something else going on. You have from now until the weekend to monitor how your computer is behaving.


    Keep an eye on your firewall. Run updated AV and AVG regularly.


    If you have login accounts other than Administrator and your own, you may remove them. A guest account without a password is not a good idea.

  • Farbar:


    Back home from being away at a remote worksite.


    First of all I want to thank-you for all of your help and guidance that you have given me over the past week. Without your help and expertise, there would not have been any hope in repairing our computer of this malware. I could not have repaired this on my own. My family is impressed that the computer is working again. I was quick to point out, I didn’t fix it, I just followed your expert instructions.


    The computer is now functioning properly and at what I would consider normal speed. My son did locate the CD-ROM with the Windows operating system as supplied by DELL, and I re-ran the sfc /scannow. It reloaded the corrupted files.


    The only minor irritation is that my ISP antivirus is still telling me from time to time that I have a virus in the D:/ drive. From your previous post, you had mentioned to me that it is in my restore (?) area. I once again followed your instructions about clearing the restore memory, and we will see if this time it is finally cleared out. If it continues, I will post a new item on this forum to clear up this small issue.


    Again, thank-you for all of your help.


    Regards


    Stare@Screen

  • I am glad everything is fine and you are most welcome. You were fantastic in carrying out the steps and reporting back, and it was inspiring for me. It is good practice to keep an eye on your firewall from time to time.


    For your information, the system volume folder where the restore points are made becomes clean once you remove the old restore points and make a new restore point according to the procedure I have explained. The infection on the D drive, however, may have other sources, for instance if you have downloaded an infected file and saved it on the D drive. So let your whole system be scanned by your AV and AVG.


    If you find anything unusual and need guidance, don't hesitate to come back. If you want to reopen this thread or post a new thread, you may let me know with a PM.


    Take care,


    farbar