Computer Hope
Software => Computer viruses and spyware => Topic started by: msu715 on February 02, 2009, 03:31:21 PM
-
Does anyone have a good recommendation for a free registry cleaner that REPAIRS the files for free, not just scans them? I have a DLL error that prevents me from using the internet and freezes my computer. If anyone has a solution I'd gladly appreciate it.
-
First and most important to know is that any Registry cleaner DO NOT repair the registry. The descriptions are misleading and have caused even 'healthy' computers to not boot back to Windows. NEVER run a registry cleaner on a PC that is having performance issues. You might as well just reformat and reinstall as that's likely what will happen if you do.
What is the exact .dll error or errors?
-
Well when I log-in to Windows this pops up, "Unable to display C:\Windows\Uhitovo.dll" then the background turns blue and I can't access the internet...any idea what this could be?
-
That is a virus.
Can you go to C:\Windows\Uhitovo.dll and try to delete the Uhitovo.dll file?
Do you have a flash drive to transfer over some tools so we can clean the malware?
-
How would I go about getting to that file and delete it? Sorry I'm somewhat new at this whole virus thing.
-
And yes I do have a flash drive to transfer over software to clean the malware.
-
First, what OS are you using? XP or Vista.
-
Its Windows XP
-
Use these directions and transfer the file (SDFix) to the infected computer. It will create a log when complete and hopefully it will get your Internet connection back. Either way I need to see the log.
Download SDFix by AndyManchesta (http://download.bleepingcomputer.com/andymanchesta/SDFix.exe) and save it to your desktop.
When using this tool, you must use the Administrator's account or an account with Administrative rights
* Now, double-click on the SDFix icon that should now be residing on your desktop. If a Open File - Security Warning box opens, click on the Run button.
* A window will now open showing SDFix being extracted into the C:\SDFix folder.
* Once the installation program has finished extracting SDFix, it will open a Notepad with further instructions.
* DO NOT use it just yet.
Reboot your computer in Safe Mode (http://www.bleepingcomputer.com/tutorials/tutorial61.html) using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".
When your computer has started in safe mode, and you see the desktop, close all open Windows.
* Click on the Start button, click on the Run menu option, and type the following text from the Code Box into the Open: field then click the OK button.
C:\SDFix\RunThis.bat
* SDFix window will open containing some brief info and a disclaimer on the use of the tool.
* Type Y on your keyboard and then press Enter to begin the cleanup process.
* It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* When the PC restarts, the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
* Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
* Copy and paste the contents of the results file Report.txt in your next reply along with a new HijackThis log (from normal boot mode).
-
I'm using roomates computer and can't copy the report from my infected laptop to this computer since my Internet on the infected one isn't working. However, the scan finished up and found a few trojans. Any way I can copy it over?
-
Yes you can put the .txt file on the flash drive and transfer it like you did SDFix.
Also transfer this next tool over and run it now please. Don't worry, well get it back to normal. Hopefully after running this next scan.
I need the ComboFix log even more than I do the SDFix log. It will tell me exactly what needs to be done next.
Download ComboFix© by sUBs from one of the below links. Be sure top save it to the Desktop.
Link #1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link #2 (http://subs.geekstogo.com/ComboFix.exe)
**Note: It is important that it is saved directly to your Desktop
Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.
Temporarily disable your antivirus, and any antispyware real time protection before performing a scan. Click this link (http://www.bleepingcomputer.com/forums/topic114351.html) to see a list of security programs that should be disabled and how to disable them.
Double click combofix.exe & follow the prompts.
When finished ComboFix will produce a log for you.
Post the ComboFix log in your next reply.
Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.
Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.
-
When I try to run ComboFix, something pops up that says I don't have Windows Recovery Console and that I need to install it, but I need an internet connection, which I don't have. Do you think I should continue on without it or do I absolutely need it?
-
Yes please continue on. You can install it later but it won't be needed for what we are doing.
-
ComboFix 09-02-02.04 - Bob 2009-02-02 22:52:42.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.254 [GMT -5:00]
Running from: E:\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Bob\Application Data\NI.GSCNS
c:\documents and settings\Bob\Application Data\NI.GSCNS\dl.ini
c:\documents and settings\Bob\Application Data\NI.GSCNS\settings.ini
c:\windows\system32\cLkjQqru.ini
c:\windows\system32\drivers\seneka.sys
c:\windows\system32\drivers\senekaubqsxjol.sys
c:\windows\system32\PVGgQqss.ini
c:\windows\system32\PVGgQqss.ini2
c:\windows\system32\senekaaqpmepcf.dll
c:\windows\system32\senekalnkpaswu.dat
c:\windows\system32\test.ttt
c:\windows\system32\uniq.tll
c:\windows\system32\win32hlp.cnf
c:\windows\Tasks\sackzllj.job
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_SENEKA
((((((((((((((((((((((((( Files Created from 2009-01-03 to 2009-02-03 )))))))))))))))))))))))))))))))
.
2009-02-02 22:01 . 2009-02-02 22:01 578,560 --a--c--- c:\windows\system32\dllcache\user32.dll
2009-02-02 21:59 . 2009-02-02 22:00 <DIR> d-------- c:\windows\ERUNT
2009-02-02 21:53 . 2009-02-02 22:27 <DIR> d-------- C:\SDFix
2009-02-02 17:25 . 2009-02-02 17:25 <DIR> d-------- c:\program files\RegCure
2009-02-02 17:06 . 2009-02-02 17:06 <DIR> d-------- c:\program files\CCleaner
2009-02-02 16:58 . 2009-02-02 16:58 <DIR> d-------- c:\program files\RegSweep
2009-02-02 16:58 . 2009-02-02 16:58 <DIR> d-------- c:\documents and settings\Bob\Application Data\RegSweep
2009-02-01 23:53 . 2009-02-01 23:53 125,440 --a--c--- c:\windows\system32\dllcache\userinit.exe
2009-02-01 23:49 . 2009-02-01 23:50 135,168 --a------ c:\windows\ikoqurihikicil.dll
2009-01-27 00:53 . 2009-01-27 00:53 <DIR> d-------- c:\program files\NBA Jam Tournament Edition
2009-01-16 00:10 . 2009-01-16 00:10 <DIR> d-------- c:\documents and settings\Bob\Application Data\Viewpoint
2009-01-13 20:32 . 2009-01-13 20:32 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-01-13 20:32 . 2009-01-13 20:32 <DIR> d-------- c:\documents and settings\Bob\Application Data\SUPERAntiSpyware.com
2009-01-13 20:32 . 2009-01-13 20:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-01-13 20:18 . 2009-01-13 20:18 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-01-11 19:46 . 2009-01-11 19:46 655 --a------ c:\windows\wininit.ini
2009-01-11 18:22 . 2009-01-13 21:31 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-02 17:52 --------- d-----w c:\documents and settings\Bob\Application Data\MSN6
2009-02-02 07:30 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-02-01 18:57 325,128 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-02-01 18:57 107,272 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-01-06 23:14 --------- d-----w c:\program files\Google
2009-01-05 05:26 --------- d-----w c:\documents and settings\Bob\Application Data\AVGTOOLBAR
2009-01-02 09:17 --------- d-----w c:\program files\Soulseek
2008-12-12 08:10 --------- d-----w c:\documents and settings\Bob\Application Data\Twain
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-11 03:30 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-12-11 03:19 --------- d-----w c:\program files\Microsoft Works
2008-12-11 03:02 --------- d-----w c:\program files\Microsoft SQL Server
2008-12-11 03:02 --------- d-----w c:\documents and settings\Bob\Application Data\GetRightToGo
2008-11-16 01:05 65,848 ----a-w c:\documents and settings\Bob\Application Data\GDIPFONTCACHEV1.DAT
.
------- Sigcheck -------
2002-08-29 05:41 22016 e931e0a2b8bf0019db902e98d03662cb c:\windows\$NtServicePackUninstall$\userinit.exe
2008-04-14 04:42 26112 a93aee1928a9d7ce3e16d24ec7380f89 c:\windows\ServicePackFiles\i386\userinit.exe
2009-02-01 23:53 125440 b6fe9dcc2857c2d8e472d260b5735ecf c:\windows\system32\userinit.exe
2009-02-01 23:53 125440 b6fe9dcc2857c2d8e472d260b5735ecf c:\windows\system32\dllcache\userinit.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{EA756889-2338-43DB-8F07-D1CA6FB9C90D}"= "c:\program files\AOL\AIM Toolbar 5.0\aoltb.dll" [2008-03-07 1090912]
[HKEY_CLASSES_ROOT\clsid\{ea756889-2338-43db-8f07-d1ca6fb9c90d}]
[HKEY_CLASSES_ROOT\AOLTB.AOLTBSearch.1]
[HKEY_CLASSES_ROOT\TypeLib\{371A6A18-2D6A-4DF8-A4AA-61CA349B3C70}]
[HKEY_CLASSES_ROOT\AOLTB.AOLTBSearch]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-08-06 50472]
"Weather"="c:\program files\AWS\WeatherBug\Weather.exe" [2007-08-29 1347584]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-09-13 68856]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-12-22 1830128]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-16 1392640]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-02-01 1601304]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-08 289576]
"RegSweep"="c:\program files\RegSweep\RegSweep.exe" [2008-12-16 6751480]
"Vwagux"="c:\windows\ikoqurihikicil.dll" [2009-02-01 135168]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-09-01 45056]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-02-01 13:57 10520 c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0
[HKLM\~\startupfolder\C:^Documents and Settings^Bob^Start Menu^Programs^Startup^Adobe Media Player.lnk]
path=c:\documents and settings\Bob\Start Menu\Programs\Startup\Adobe Media Player.lnk
backup=c:\windows\pss\Adobe Media Player.lnkStartup
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Soulseek\\slsk.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-09-01 325128]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-09-01 107272]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2008-12-22 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-12-22 55024]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-09-01 903960]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-09-01 298264]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-09-01 24652]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-12-22 7408]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2008-09-04 33752]
.
Contents of the 'Scheduled Tasks' folder
2009-01-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
2009-02-03 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2008-12-29 12:58]
2009-02-02 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2008-12-29 12:58]
2009-02-03 c:\windows\Tasks\RegSweep Scheduled Scan.job
- c:\program files\RegSweep\RegSweep.exe [2008-12-16 17:01]
2009-02-03 c:\windows\Tasks\RegSweep Scheduled Scan.job
- c:\program files\RegSweep [2009-02-02 16:58]
.
- - - - ORPHANS REMOVED - - - -
BHO-{3332E765-3AFF-4823-BBF5-E09CBC32FCE4} - (no file)
BHO-{46487b65-3a2b-5f8c-4cbf-d0078049467c} - (no file)
BHO-{E075AEFB-325C-402A-82C3-59AC363FF35B} - (no file)
Notify-iifeeFYP - iifeeFYP.dll
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.com/?src=aim
IE: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-02 22:55:55
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(792)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\AIM6\aolsoftware.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\system32\wbem\wmiadap.exe
.
**************************************************************************
.
Completion time: 2009-02-02 23:00:20 - machine was rebooted [Bob]
ComboFix-quarantined-files.txt 2009-02-03 04:00:16
Pre-Run: 128,087,625,728 bytes free
Post-Run: 127,998,791,680 bytes free
194 --- E O F --- 2009-01-15 08:02:01
-
OK I see what the problem is now. This is a very nasty rootkit you have picked up.
Are you able to connect to the internet with the infected computer now? We can fix it but it will be easier with a net connection.
-
Yes I have internet access now, what is the next step....
-
Good!
Give me a second to finish up with the fix.
In the mean time I need you to take the combofix.exe from E:\ComboFix.exe and move it directly to the desktop. It needs to be there for the next set of instructions.
BRB
-
OK here we go. I will need this next log as well to be sure it got everything.
RegSweep and RegCure are rouge security programs and we will get them with this fix.
Delete these files/folders, as follows:
1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C
KillAll::
FCopy::
c:\windows\ServicePackFiles\i386\userinit.exe | c:\windows\SYSTEM32\userinit.exe
c:\windows\ServicePackFiles\i386\userinit.exe | c:\windows\SYSTEM32\DLLCACHE\userinit.exe
Folder::
c:\program files\RegSweep
c:\documents and settings\Bob\Application Data\RegSweep
c:\program files\RegCure
File::
c:\windows\ikoqurihikicil.dll
c:\windows\Tasks\RegCure Program Check.job
c:\program files\RegCure\RegCure.exe
c:\windows\Tasks\RegCure.job
c:\windows\Tasks\RegSweep Scheduled Scan.job
c:\program files\RegSweep\RegSweep.exe
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RegSweep"=-
"Vwagux"=-
3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!
(http://i154.photobucket.com/albums/s258/evilfantasy69/CFScript-1.gif)
ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.
Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze
-
I have big problems for some reason now...after I did the last step, it rebooted Windows and a blue screen popped up saying STOP: c0000135 (Unable to locate component) This applicatio nhas failed to start because USER32.dll was not found. Re-installling the application may fix the problem. I'm not sure what this is about.
-
I was afraid of that.
Does it go to the login screen?
-
No after the Windows XP thing shows up loading it goes to the blue screen. Please please tell me this is fixable...
-
When restarting the computer tap the F8 key and see if it will boot into safe mode.
Do you have an XP CD or can you borrow one?
-
It won't let me boot into safe mode and unfortunately I don't have an XP CD with me but I can get one soon. What exactly does this user32.dll mean?
-
I actually do have an XP CD i just found it.
-
What is the User32.dll file? http://support.microsoft.com/kb/142676
Once you have the CD you will need to do a repair install. How to Perform a Windows XP Repair Install http://www.michaelstevenstech.com/XPrepairinstall.htm#RI
-
I put in the CD but that blue screen still pops up, how do I boot it by using the CD, it says something about the BIOS but I don't know how to get to that.
-
Are you restarting the computer with the disk in?
-
I'll be away from the computer for a few minutes.
If needed see this link also. FREE F-Secure Rescue CD 3.00 to Clean Virus from Unbootable Windows http://www.raymond.cc/blog/archives/2008/07/26/free-f-secure-rescue-cd-300-to-clean-virus-from-unbootable-windows/
-
Yes but it still goes to that blue screen....is this error caused by the rookit or virus?
-
Caused by the rootkit. Try the rescue CD. It should work.
-
Can I download this to a USB drive or does it have to be a CD?
-
It's an ISO so you need a CD I'm pretty sure. http://www.f-secure.com/linux-weblog/2008/06/19/f-secure-rescue-cd-300-released/
-
After I burn it onto the CD do I just boot it with the CD in?
-
You’ll need to burn the ISO to a CD. Boot up the computer with the CD.
There is a quick guide here. http://www.raymond.cc/blog/archives/2008/07/26/free-f-secure-rescue-cd-300-to-clean-virus-from-unbootable-windows/
I'll be away from the computer for a few minutes now...
-
Still not working.....just goes to that blue screen automatically
-
You need to change your boot order in BIOS.
When your computer is first turned on, before windows starts, you should see a message that says to press a certain key to enter setup. It is usually an Fkey or esc or del. Pay attention, as the message may flash very quickly.
Once you get into setup, you want to look for BOOT ORDER or BOOT SEQUENCE or maybe even just BOOT. Set you CD drive as the first boot device and then place the CD in the master CD drive.
Now exit setup and SAVE changes.
When it starts back up, you may see a message that says: Press any key to boot to CD. Just keep tapping the space bar as the computer starts up.
-
Thanks JJ 3000 :)
-
Ok I got into the Windows Setup Mode...I'm not sure where to go from here it's telling me I can reinstall all of XP or repair it, what's the next step if you know by chance?
-
Did you boot to the XP CD or did you access the recovery partition on your hard drive?
Do you have any data on your computer that you want to keep?
If you reinstall XP you will lose all of your data.
If you choose to repair, your data should remain intact. However, if it's a virus that's causing you the blue screen, then the repair might not get rid of it.
So what do you want to do?
The XP CD has to be the same version as the OS you have installed on your computer. EG.. Professional, Home Edition, Media Center etc.
If your computer has Home Edition an XP Pro CD wont work. Get it?
Furthermore, if you choose to do the clean install, you will need your product key.
There should be a sticker on the side of your computer with the key. Do you have that?
-
I booted up using the reinstallation CD. Well I don't know if you read this whole thread, but the stuff evilfantasy had me doing worked very well, everything was running perfectly fine until the last reboot then the user32.dll error appeared. I'm assuming the virus caused this but I'm not sure. It is the same XP CD as when first installed so that's not an issue. I have the product key too. If I were to repair it, there's no guarantee it will work correct? I have some stuff on the computer that would be nice to keep, but isn't necessary to keep. I'd just like to know if the repair will definitely correct this user32 error
-
Well let's try the repair and see what happens.
http://www.michaelstevenstech.com/XPrepairinstall.htm
-
Ok I went through the setup steps, and it's now installing windows but this came up: "The file usbehci.sys could not be found" It lets me browse but I have no clue where to find it.
-
Fixed that problem, but it finished installing and now it goes back to setup, is this normal?
-
Take the CD out of the drive.
-
Gotcha
-
Are you able to log in now?
If so please see if the last ComboFix log was created and post it. It can be found in C:\combofix.txt
-
I am able to log in now finally. However, I tried to open internet explorer and it said "The procedure entry point SHRegGetValueW could not be located in the dynamic link library SHLWAPI.dll" What does this mean? Also, it won't let me find the last combo fix log.
-
OK part of the repair didn't work.
Put the XP CD in the drive and follow the instructions below:- Click on Start > Run and type sfc /scannow then press Enter (note the space between scf and /scannow)
- Let this run undisturbed until the window with the blue progress bar goes away
SFC - Which stands for System File Checker, retrieves the correct version of the file from %Systemroot%\System32\Dllcache or the Windows installation source files, and then replaces the incorrect file
-
I ran the scan, nothing popped up but the Internet still doesn't work...
-
Let me correct myself, my AOL Instant Messenger works fine, but Internet Explorer is unable to open, not sure if you knew that already.
-
Lets start here.
Try Dial-a-fix.
Download Dial-a-Fix (http://wiki.djlizard.net/Dial-a-fix#Mirrors.2Fdownload_locations.2C_and_articles) by djlizard, save it to the desktop then extract it to it's own folder.
- Open the folder and run Dial-a-fix.exe
- 2 windows will open. Close the one in the background labeled Restrictive Policies
- Check the box in section 1, Empty temp folders.
- Check the box in section 2, Fix Windows Installer.
- Check the box in section 3, Fix Windows Update.
- Check the box in section 4, labeled SSL/HTTPS/Cryptography. The 4 boxes under it should be pre-checked
- Check all boxes in section 5, labeled Registration Center.
- Click Go
- OK any error messages if received, but write them down and post them here.
- Restart the computer when done.
.
Is the problem fixed? If not...
Open Dial-a-fix and click the hammer icon.
Locate, Repair/reinstall IE and click Go
If at any time you are prompted for the XP CD, insert it
Make note of any error messages and post them here
Reboot when complete and let me know if there's any change.
----------
If that didn't work try this.
1. Download IEFix.zip (http://windowsxp.mvps.org/utils/IEFix.zip) and run it.
2. Click the Apply button.
3. You'll be prompted for the Operating System CD or the Service Pack Files location.
4. Once finished Restart Windows.
-
Error: while trying to locate the unregistration entry point for C:\WINDOWS\system32\qmgr.dll. File version:6.0.2600.0
Error 0 was encountered while calling LoadLibrary(C:\WINDOWS\system32\inetcomm.dll)
Just restarted the computer
-
Ok after doing the 2nd step of reinstalling IE, I can reopen Internet Explorer and it seems to be working fine, there's just no address bar.
-
You should be able to right-click in an empty space up there and select address bar. If that doesn't work it may be the malware interfering.
Download random's system information tool (RSIT) (http://images.malwareremoval.com/random/RSIT.exe) by random/random from and save it to your Desktop.
- Double click on RSIT.exe to run.
- Click Continue at the disclaimer screen.
- Once it has finished, two logs will open.
- log.txt <will be maximized and info.txt <will be minimized
- Please post the contents of both logs in the next reply.
-
Actually, as I go from page to page, IE encounters a problem and shuts down the little box shows up, but I'll download this thing and send you the logs
-
info.txt logfile of random's system information tool 1.05 2009-02-03 21:52:05
======Uninstall list======
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Acrobat.com-->C:\Program Files\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe -uninstall com.adobe.mauby 4875E02D9FB21EE389F73B8D1702B320485DF8C E.1
Acrobat.com-->MsiExec.exe /I{77DCDCE3-2DED-62F3-8154-05E745472D07}
Adobe AIR-->C:\Program Files\Common Files\Adobe AIR\Versions\1.0\Resources\Adobe AIR Updater.exe -arp:uninstall
Adobe AIR-->MsiExec.exe /I{197A3012-8C85-4FD3-AB66-9EC7E13DB92E}
Adobe Flash Player ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Media Player-->msiexec /qb /x {5C74694C-A687-E3EB-FF18-B018D4A76ECD}
Adobe Media Player-->MsiExec.exe /I{5C74694C-A687-E3EB-FF18-B018D4A76ECD}
Adobe Reader 9-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A90000000001}
AIM 6-->C:\Program Files\AIM6\uninst.exe
AIM Toolbar 5.0-->"C:\Program Files\AOL\AIM Toolbar 5.0\uninstall.exe"
Apple Mobile Device Support-->MsiExec.exe /I{C7C895CA-331B-4D7D-A0FB-D3BC637949F9}
Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
AVG Free 8.0-->C:\Program Files\AVG\AVG8\setup.exe /UNINSTALL
CCleaner (remove only)-->"C:\Program Files\CCleaner\uninst.exe"
C-Major Audio-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}\setup.exe" -l0x9 -remove -removeonly
Compatibility Pack for the 2007 Office system-->MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
Conexant D110 MDC V.92 Modem-->C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_8086&DEV_24x6&SUBSYS_542214F1\HXFSETUP.EXE -U -Idel5422k.inf
Contextual Tool Adsoftinc-->C:\WINDOWS\system32\cont_adsoftinc-remove.exe
Dell Photo Printer 720-->C:\WINDOWS\system32\spool\drivers\w32x86\3\DLBCUN5C.EXE -dDell Photo Printer 720
Dell ResourceCD-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D78653C3-A8FF-415F-92E6-D774E634FF2D}\setup.exe"
Dell Wireless WLAN Card-->"C:\Program Files\Dell\Dell Wireless WLAN Card\bcmwlu00.exe" verbose /rootkey="Software\Broadcom\802.11\UninstallInfo" /rootdir="C:\Program Files\Dell\Dell Wireless WLAN Card"
Digital Line Detect-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E646DCF0-5A68-11D5-B229-002078017FBF}\Setup.exe" -l0x9 ControlPanelAnyText
getPlus(R) for Adobe-->"C:\Program Files\NOS\bin\getPlus_HelperSvc.exe" /UninstallGet1
Google Toolbar for Internet Explorer-->"C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarManager_0531C63A913CC9D1.exe" /uninstall
HijackThis 2.0.2-->"C:\Program Files\trend micro\HijackThis.exe" /uninstall
Intel(R) Graphics Media Accelerator Driver for Mobile-->RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx2ID PCI\VEN_8086&DEV_2792 PCI\VEN_8086&DEV_2592
Intel(R) PRO Network Adapters and Drivers-->Prounstl.exe
iTunes-->MsiExec.exe /I{EA418519-2160-43A0-AABD-6608DDD8D87F}
Microsoft .NET Framework 2.0-->C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.exe
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Office Access MUI (English) 2007-->MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE}
Microsoft Office Access Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0117-0409-0000-0000000FF1CE}
Microsoft Office Excel MUI (English) 2007-->MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Outlook MUI (English) 2007-->MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007-->MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Professional 2007-->"C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall PROR /dll OSETUP.DLL
Microsoft Office Professional 2007-->MsiExec.exe /X{91120000-0014-0000-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007-->MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007-->MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007-->MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007-->MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Publisher MUI (English) 2007-->MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007-->MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007-->MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft Office XP Media Content-->MsiExec.exe /I{90300409-6000-11D3-8CFE-0050048383C9}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
PartyPoker-->"C:\Program Files\PartyGaming\PartyPoker\Uninstall.exe" "C:\Program Files\PartyGaming\PartyPoker\install.log"
QuickTime-->MsiExec.exe /I{8DC42D05-680B-41B0-8878-6C14D24602DB}
RegCure 1.5.2.7-->C:\Program Files\RegCure\uninst.exe
RegSweep-->MsiExec.exe /X{F33C7AAA-717E-4C6D-A7A7-18D36AE37F54}
SoulSeek Client 156c-->"C:\Program Files\Soulseek\uninstall.exe"
SUPERAntiSpyware Free Edition-->MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
Synaptics Pointing Device Driver-->rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
Viewpoint Media Player-->C:\Program Files\Viewpoint\Viewpoint Media Player\mtsAxInstaller.exe /u
WeatherBug-->MsiExec.exe /X{70DECFBF-9119-4434-B2D3-A3C283D15E45}
Windows Internet Explorer 7-->"C:\WINDOWS\ie7\spuninst\spuninst.exe"
System event log
Computer Name: HOME-22NHO73DT0
Event Code: 7036
Message: The IMAPI CD-Burning COM Service service entered the running state.
Record Number: 6776
Source Name: Service Control Manager
Time Written: 20090112003347.000000-300
Event Type: information
User:
Computer Name: HOME-22NHO73DT0
Event Code: 7035
Message: The IMAPI CD-Burning COM Service service was successfully sent a start control.
Record Number: 6775
Source Name: Service Control Manager
Time Written: 20090112003347.000000-300
Event Type: information
User: NT AUTHORITY\SYSTEM
Computer Name: HOME-22NHO73DT0
Event Code: 7036
Message: The IMAPI CD-Burning COM Service service entered the stopped state.
Record Number: 6774
Source Name: Service Control Manager
Time Written: 20090112003338.000000-300
Event Type: information
User:
Computer Name: HOME-22NHO73DT0
Event Code: 7036
Message: The IMAPI CD-Burning COM Service service entered the running state.
Record Number: 6773
Source Name: Service Control Manager
Time Written: 20090112003331.000000-300
Event Type: information
User:
Computer Name: HOME-22NHO73DT0
Event Code: 7035
Message: The IMAPI CD-Burning COM Service service was successfully sent a start control.
Record Number: 6772
Source Name: Service Control Manager
Time Written: 20090112003331.000000-300
Event Type: information
User: NT AUTHORITY\SYSTEM
Application event log
Computer Name: HOME-22NHO73DT0
Event Code: 1800
Message: The Windows Security Center Service has started.
Record Number: 747
Source Name: SecurityCenter
Time Written: 20081024030718.000000-240
Event Type: information
User:
Computer Name: HOME-22NHO73DT0
Event Code: 0
Message:
Record Number: 746
Source Name: Viewpoint Manager Service
Time Written: 20081024030718.000000-240
Event Type: information
User:
Computer Name: HOME-22NHO73DT0
Event Code: 1
Message:
Record Number: 745
Source Name: Bonjour Service
Time Written: 20081024030718.000000-240
Event Type: information
User:
Computer Name: HOME-22NHO73DT0
Event Code: 1517
Message: Windows saved user HOME-22NHO73DT0\Bob registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.
This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.
Record Number: 744
Source Name: Userenv
Time Written: 20081024030630.000000-240
Event Type: warning
User: NT AUTHORITY\SYSTEM
Computer Name: HOME-22NHO73DT0
Event Code: 7
Message: Successful auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
Record Number: 743
Source Name: crypt32
Time Written: 20081021212136.000000-240
Event Type: information
User:
======Environment variables======
"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\system32\WBEM
"windir"=%SystemRoot%
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 13 Stepping 6, GenuineIntel
"PROCESSOR_REVISION"=0d06
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"FP_NO_HOST_CHECK"=NO
"CLASSPATH"=.;C:\Program Files\QuickTime\QTSystem\QTJava.zip
"QTJAVA"=C:\Program Files\QuickTime\QTSystem\QTJava.zip
-----------------EOF-----------------
-
Logfile of random's system information tool 1.05 (written by random/random)
Run by Bob at 2009-02-03 21:51:47
Microsoft Windows XP Home Edition
System drive C: has 123 GB (94%) free of 131 GB
Total RAM: 503 MB (39% free)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:52, on 2009-02-03
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WLTRAY.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\program files\aol\aim toolbar 5.0\AolTbServer.exe
C:\PROGRA~1\AVG\AVG8\aAvgApi.exe
E:\RSIT.exe
C:\Program Files\trend micro\Bob.exe
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [combofix] C:\WINDOWS\system32\CF4083.exe /c C:\ComboFix\Combobatch.bat
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
--End of file - 7575 bytes
======Scheduled tasks folder======
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
======Registry dump======
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2008-06-11 75128]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
AVG Safe Search - C:\Program Files\AVG\AVG8\avgssie.dll [2009-02-01 1078552]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7C554162-8CB7-45A4-B8F4-8EA1C75885F9}]
AOL Toolbar Launcher - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll [2008-03-07 1090912]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]
AVG Security Toolbar - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [2009-02-01 1968920]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
Google Toolbar Helper - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll [2009-01-06 251504]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll [2009-01-06 657904]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C84D72FE-E17D-4195-BB24-76C02E2E7C4E}]
Google Dictionary Compression sdch - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll [2009-01-06 522224]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{A057A204-BACC-4D26-9990-79A187E2698E} - AVG Security Toolbar - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [2009-02-01 1968920]
{DE9C389F-3316-41A7-809B-AA305ED9D922} - AIM Toolbar - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll [2008-03-07 1090912]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - &Google Toolbar - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll [2009-01-06 251504]
{8E718888-423F-11D2-876E-00A0C9082467} - &Radio - C:\WINDOWS\system32\msdxm.ocx [2002-06-25 843804]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"=C:\WINDOWS\system32\WLTRAY.exe [2007-03-16 1392640]
"AVG8_TRAY"=C:\PROGRA~1\AVG\AVG8\avgtray.exe [2009-02-01 1601304]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2008-06-12 34672]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2008-09-06 413696]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2008-09-08 289576]
"combofix"=C:\WINDOWS\system32\CF4083.exe [2009-02-02 389120]
"SynTPEnh"=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2005-11-29 761947]
"igfxtray"=C:\WINDOWS\system32\igfxtray.exe [2006-06-06 94208]
"igfxhkcmd"=C:\WINDOWS\system32\hkcmd.exe [2006-06-06 77824]
"igfxpers"=C:\WINDOWS\system32\igfxpers.exe [2006-06-06 118784]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\System32\ctfmon.exe [2002-06-25 13312]
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2008-04-14 1695232]
"Aim6"=C:\Program Files\AIM6\aim6.exe [2008-08-06 50472]
"Weather"=C:\Program Files\AWS\WeatherBug\Weather.exe [2007-08-29 1347584]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2008-09-13 68856]
"SUPERAntiSpyware"=C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [2008-12-22 1830128]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Bob^Start Menu^Programs^Startup^Adobe Media Player.lnk]
C:\PROGRA~1\ADOBEM~1\ADOBEM~1.EXE [2008-08-30 260096]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [2008-12-22 356352]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avgrsstarter]
C:\WINDOWS\system32\avgrsstx.dll [2009-02-01 10520]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxdev.dll [2006-06-06 139264]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"notification packages"=
scecli
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSEXESVC]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\PSEXESVC]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\AVG\AVG8\avgemc.exe"="C:\Program Files\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe"
"C:\Program Files\AVG\AVG8\avgupd.exe"="C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe"
"C:\Program Files\Common Files\AOL\Loader\aolload.exe"="C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader"
"C:\Program Files\AIM6\aim6.exe"="C:\Program Files\AIM6\aim6.exe:*:Enabled:AIM"
"C:\Program Files\Soulseek\slsk.exe"="C:\Program Files\Soulseek\slsk.exe:*:Enabled:SoulSeek"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"="C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
-
======List of files/folders created in the last 1 months======
2009-02-03 21:51:49 ----D---- C:\Program Files\trend micro
2009-02-03 21:51:47 ----D---- C:\rsit
2009-02-03 21:31:46 ----D---- C:\WINDOWS\System32\CatRoot2
2009-02-03 21:29:46 ----D---- C:\WINDOWS\temp
2009-02-03 20:21:29 ----A---- C:\WINDOWS\System32\igfxres.dll
2009-02-03 20:17:25 ----D---- C:\WINDOWS\Prefetch
2009-02-03 20:09:30 ----D---- C:\WINDOWS\LastGood
2009-02-03 20:06:18 ----RAH---- C:\WINDOWS\System32\logonui.exe.manifest
2009-02-03 20:01:07 ----A---- C:\WINDOWS\pnplog.txt
2009-02-03 19:47:24 ----A---- C:\WINDOWS\System32\spxcoins.dll
2009-02-03 19:47:24 ----A---- C:\WINDOWS\System32\irclass.dll
2009-02-03 19:47:19 ----RA---- C:\WINDOWS\SET7F.tmp
2009-02-03 19:47:15 ----RA---- C:\WINDOWS\SET6F.tmp
2009-02-03 19:47:14 ----RA---- C:\WINDOWS\SET5D.tmp
2009-02-03 19:47:12 ----RA---- C:\WINDOWS\SET51.tmp
2009-02-03 19:17:23 ----A---- C:\WINDOWS\OEWABLog.txt
2009-02-03 19:15:25 ----A---- C:\WINDOWS\System32\qmgrprxy.dll
2009-02-03 19:15:25 ----A---- C:\WINDOWS\System32\qmgr.dll
2009-02-03 19:15:19 ----A---- C:\WINDOWS\System32\safrslv.dll
2009-02-03 19:15:19 ----A---- C:\WINDOWS\System32\safrdm.dll
2009-02-03 19:15:19 ----A---- C:\WINDOWS\System32\safrcdlg.dll
2009-02-03 19:15:19 ----A---- C:\WINDOWS\System32\racpldlg.dll
2009-02-03 19:15:16 ----A---- C:\WINDOWS\System32\srsvc.dll
2009-02-03 19:15:16 ----A---- C:\WINDOWS\System32\srrstr.dll
2009-02-03 19:15:16 ----A---- C:\WINDOWS\System32\srclient.dll
2009-02-03 19:15:15 ----A---- C:\WINDOWS\System32\nmmkcert.dll
2009-02-03 19:15:15 ----A---- C:\WINDOWS\System32\msconf.dll
2009-02-03 19:15:15 ----A---- C:\WINDOWS\System32\mnmsrvc.exe
2009-02-03 19:15:15 ----A---- C:\WINDOWS\System32\mnmdd.dll
2009-02-03 19:15:15 ----A---- C:\WINDOWS\System32\isrdbg32.dll
2009-02-03 19:15:15 ----A---- C:\WINDOWS\System32\ils.dll
2009-02-03 19:15:11 ----A---- C:\WINDOWS\System32\msoert2.dll
2009-02-03 19:15:11 ----A---- C:\WINDOWS\System32\msoeacct.dll
2009-02-03 19:15:10 ----A---- C:\WINDOWS\System32\inetres.dll
2009-02-03 19:15:08 ----A---- C:\WINDOWS\System32\schedsvc.dll
2009-02-03 19:15:08 ----A---- C:\WINDOWS\System32\mstinit.exe
2009-02-03 19:15:08 ----A---- C:\WINDOWS\System32\mstask.dll
2009-02-03 19:15:07 ----A---- C:\WINDOWS\System32\isign32.dll
2009-02-03 19:15:07 ----A---- C:\WINDOWS\System32\inetcfg.dll
2009-02-03 19:15:07 ----A---- C:\WINDOWS\System32\icwphbk.dll
2009-02-03 19:15:07 ----A---- C:\WINDOWS\System32\icwdial.dll
2009-02-03 19:13:57 ----A---- C:\WINDOWS\System32\sndrec32.exe
2009-02-03 19:13:57 ----A---- C:\WINDOWS\System32\mplay32.exe
2009-02-03 19:13:57 ----A---- C:\WINDOWS\System32\accwiz.exe
2009-02-03 19:13:56 ----A---- C:\WINDOWS\System32\mspaint.exe
2009-02-03 19:13:56 ----A---- C:\WINDOWS\System32\hypertrm.dll
2009-02-03 19:13:56 ----A---- C:\WINDOWS\System32\clipbrd.exe
2009-02-03 19:13:55 ----A---- C:\WINDOWS\System32\wuauserv.dll
2009-02-03 19:13:55 ----A---- C:\WINDOWS\System32\wuaueng.dll
2009-02-03 19:13:55 ----A---- C:\WINDOWS\System32\wuauclt.exe
2009-02-03 19:13:55 ----A---- C:\WINDOWS\System32\spider.exe
2009-02-03 19:13:54 ----A---- C:\WINDOWS\System32\tscfgwmi.dll
2009-02-03 19:13:54 ----A---- C:\WINDOWS\System32\mstscax.dll
2009-02-03 19:13:53 ----RA---- C:\WINDOWS\System32\termsrv.dll
2009-02-03 19:13:53 ----A---- C:\WINDOWS\System32\tscupgrd.exe
2009-02-03 19:13:53 ----A---- C:\WINDOWS\System32\sessmgr.exe
2009-02-03 19:13:53 ----A---- C:\WINDOWS\System32\remotepg.dll
2009-02-03 19:13:53 ----A---- C:\WINDOWS\System32\rdshost.exe
2009-02-03 19:13:53 ----A---- C:\WINDOWS\System32\rdsaddin.exe
2009-02-03 19:13:53 ----A---- C:\WINDOWS\System32\rdchost.dll
2009-02-03 19:13:53 ----A---- C:\WINDOWS\System32\mstsc.exe
2009-02-03 19:13:52 ----A---- C:\WINDOWS\System32\rdpwsx.dll
2009-02-03 19:13:52 ----A---- C:\WINDOWS\System32\rdpsnd.dll
2009-02-03 19:13:52 ----A---- C:\WINDOWS\System32\rdpclip.exe
2009-02-03 19:13:52 ----A---- C:\WINDOWS\System32\qprocess.exe
2009-02-03 19:13:52 ----A---- C:\WINDOWS\System32\mtxoci.dll
2009-02-03 19:13:52 ----A---- C:\WINDOWS\System32\msdtcuiu.dll
2009-02-03 19:13:52 ----A---- C:\WINDOWS\System32\icaapi.dll
2009-02-03 19:13:52 ----A---- C:\WINDOWS\System32\cfgbkend.dll
2009-02-03 19:13:51 ----A---- C:\WINDOWS\System32\xolehlp.dll
2009-02-03 19:13:51 ----A---- C:\WINDOWS\System32\msdtctm.dll
2009-02-03 19:13:51 ----A---- C:\WINDOWS\System32\msdtcprx.dll
2009-02-03 19:13:51 ----A---- C:\WINDOWS\System32\msdtclog.dll
2009-02-03 19:13:51 ----A---- C:\WINDOWS\System32\msdtc.exe
2009-02-03 19:13:50 ----A---- C:\WINDOWS\System32\mtxlegih.dll
2009-02-03 19:13:50 ----A---- C:\WINDOWS\System32\mtxex.dll
2009-02-03 19:13:50 ----A---- C:\WINDOWS\System32\mtxdm.dll
2009-02-03 19:13:50 ----A---- C:\WINDOWS\System32\dcomcnfg.exe
2009-02-03 19:13:49 ----A---- C:\WINDOWS\System32\stclient.dll
2009-02-03 19:13:49 ----A---- C:\WINDOWS\System32\comrepl.dll
2009-02-03 19:13:49 ----A---- C:\WINDOWS\System32\comaddin.dll
2009-02-03 19:13:49 ----A---- C:\WINDOWS\System32\colbact.dll
2009-02-03 19:13:49 ----A---- C:\WINDOWS\System32\clbcatex.dll
2009-02-03 19:13:49 ----A---- C:\WINDOWS\System32\catsrvps.dll
2009-02-03 19:13:48 ----A---- C:\WINDOWS\System32\comuid.dll
2009-02-03 19:13:48 ----A---- C:\WINDOWS\System32\comsvcs.dll
2009-02-03 19:13:48 ----A---- C:\WINDOWS\System32\catsrvut.dll
2009-02-03 19:13:48 ----A---- C:\WINDOWS\System32\catsrv.dll
2009-02-03 19:13:47 ----A---- C:\WINDOWS\System32\comsnap.dll
2009-02-03 19:13:47 ----A---- C:\WINDOWS\System32\clbcatq.dll
2009-02-03 19:13:41 ----A---- C:\WINDOWS\System32\servdeps.dll
2009-02-03 19:13:41 ----A---- C:\WINDOWS\System32\mmfutil.dll
2009-02-03 19:13:41 ----A---- C:\WINDOWS\System32\licwmi.dll
2009-02-03 19:13:40 ----A---- C:\WINDOWS\System32\cmprops.dll
2009-02-03 19:09:33 ----A---- C:\WINDOWS\System32\ksuser.dll
2009-02-03 18:55:04 ----A---- C:\WINDOWS\imsins.BAK
2009-02-03 18:54:56 ----D---- C:\WINDOWS\LastGood.Tmp
2009-02-03 18:54:47 ----A---- C:\WINDOWS\System32\storprop.dll
2009-02-03 18:54:35 ----RA---- C:\WINDOWS\SET80.tmp
2009-02-03 18:54:33 ----RA---- C:\WINDOWS\SET70.tmp
2009-02-03 18:54:32 ----RA---- C:\WINDOWS\SET5E.tmp
2009-02-03 18:54:30 ----RA---- C:\WINDOWS\SET52.tmp
2009-02-03 18:52:34 ----A---- C:\WINDOWS\setuplog.txt
2009-02-02 23:35:46 ----A---- C:\WINDOWS\PSEXESVC.EXE
2009-02-02 23:33:37 ----SHD---- C:\RECYCLER
2009-02-02 23:33:08 ----D---- C:\ComboFix
2009-02-02 23:33:07 ----A---- C:\WINDOWS\System32\CF4083.exe
2009-02-02 22:40:37 ----A---- C:\WINDOWS\zip.exe
2009-02-02 22:40:37 ----A---- C:\WINDOWS\VFIND.exe
2009-02-02 22:40:37 ----A---- C:\WINDOWS\SWXCACLS.exe
2009-02-02 22:40:37 ----A---- C:\WINDOWS\SWSC.exe
2009-02-02 22:40:37 ----A---- C:\WINDOWS\SWREG.exe
2009-02-02 22:40:37 ----A---- C:\WINDOWS\sed.exe
2009-02-02 22:40:37 ----A---- C:\WINDOWS\NIRCMD.exe
2009-02-02 22:40:37 ----A---- C:\WINDOWS\grep.exe
2009-02-02 22:40:37 ----A---- C:\WINDOWS\fdsv.exe
2009-02-02 22:38:04 ----D---- C:\WINDOWS\ERDNT
2009-02-02 22:38:04 ----D---- C:\Qoobox
2009-02-02 21:59:40 ----D---- C:\WINDOWS\ERUNT
2009-02-02 21:55:51 ----A---- C:\WINDOWS\ntbtlog.txt
2009-02-02 21:53:49 ----D---- C:\SDFix
2009-02-02 17:06:48 ----D---- C:\Program Files\CCleaner
2009-01-27 00:53:08 ----D---- C:\Program Files\NBA Jam Tournament Edition
2009-01-16 00:10:20 ----D---- C:\Documents and Settings\Bob\Application Data\Viewpoint
2009-01-13 20:32:36 ----D---- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2009-01-13 20:32:24 ----D---- C:\Program Files\SUPERAntiSpyware
2009-01-13 20:32:24 ----D---- C:\Documents and Settings\Bob\Application Data\SUPERAntiSpyware.com
2009-01-13 20:18:51 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2009-01-11 19:46:42 ----A---- C:\WINDOWS\wininit.ini
2009-01-11 18:22:02 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-04 02:25:23 ----D---- C:\WINDOWS\Minidump
======List of files/folders modified in the last 1 months======
2009-02-03 21:51:49 ----RD---- C:\Program Files
2009-02-03 21:40:13 ----D---- C:\WINDOWS
2009-02-03 21:39:54 ----RSHDC---- C:\WINDOWS\System32\dllcache
2009-02-03 21:39:46 ----D---- C:\WINDOWS\security
2009-02-03 21:39:46 ----D---- C:\Program Files\Internet Explorer
2009-02-03 21:36:25 ----D---- C:\WINDOWS\Debug
2009-02-03 21:33:47 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-02-03 21:33:14 ----RD---- C:\WINDOWS\Web
2009-02-03 21:33:10 ----SHD---- C:\WINDOWS\Installer
2009-02-03 21:32:10 ----D---- C:\WINDOWS\system32
2009-02-03 21:32:01 ----D---- C:\WINDOWS\System32\CatRoot
2009-02-03 21:31:23 ----HD---- C:\Program Files\WindowsUpdate
2009-02-03 21:00:34 ----D---- C:\WINDOWS\Registration
2009-02-03 20:22:03 ----A---- C:\WINDOWS\System32\PerfStringBackup.INI
2009-02-03 20:21:41 ----HD---- C:\WINDOWS\inf
2009-02-03 20:18:02 ----SHD---- C:\System Volume Information
2009-02-03 20:18:02 ----D---- C:\WINDOWS\System32\Restore
2009-02-03 20:15:22 ----D---- C:\WINDOWS\System32\config
2009-02-03 20:10:18 ----D---- C:\Temp
2009-02-03 20:09:48 ----D---- C:\WINDOWS\AppPatch
2009-02-03 20:09:42 ----D---- C:\WINDOWS\System32\drivers
2009-02-03 20:09:23 ----D---- C:\Program Files\Windows Media Player
2009-02-03 20:07:32 ----A---- C:\WINDOWS\ODBCINST.INI
2009-02-03 20:06:12 ----RAH---- C:\WINDOWS\System32\cdplayer.exe.manifest
2009-02-03 20:06:03 ----A---- C:\WINDOWS\win.ini
2009-02-03 20:05:55 ----D---- C:\WINDOWS\System32\oobe
2009-02-03 20:05:37 ----D---- C:\WINDOWS\System32\Com
2009-02-03 20:05:01 ----D---- C:\Program Files\MSN
2009-02-03 20:04:45 ----SH---- C:\boot.ini
2009-02-03 19:47:30 ----A---- C:\WINDOWS\system.ini
2009-02-03 19:47:20 ----ASH---- C:\Documents and Settings\All Users\Application Data\desktop.ini
2009-02-03 19:15:31 ----D---- C:\WINDOWS\srchasst
2009-02-03 19:15:24 ----D---- C:\Program Files\Movie Maker
2009-02-03 19:15:15 ----D---- C:\Program Files\NetMeeting
2009-02-03 19:15:11 ----D---- C:\Program Files\Outlook Express
2009-02-03 19:15:11 ----D---- C:\Program Files\Common Files\System
2009-02-03 19:13:56 ----D---- C:\Program Files\Windows NT
2009-02-03 14:43:30 ----D---- C:\WINDOWS\System32\Setup
2009-02-03 14:43:30 ----D---- C:\WINDOWS\system
2009-02-03 14:43:24 ----D---- C:\WINDOWS\System32\usmt
2009-02-03 14:43:24 ----D---- C:\WINDOWS\Help
2009-02-03 14:43:01 ----RSD---- C:\WINDOWS\Fonts
2009-02-03 14:42:58 ----D---- C:\WINDOWS\ime
2009-02-03 14:42:56 ----D---- C:\WINDOWS\Media
2009-02-03 14:42:48 ----D---- C:\WINDOWS\twain_32
2009-02-03 14:42:47 ----D---- C:\WINDOWS\System32\wbem
2009-02-03 14:42:22 ----D---- C:\WINDOWS\System32\icsxml
2009-02-03 14:42:06 ----D---- C:\WINDOWS\System32\npp
2009-02-03 14:41:57 ----D---- C:\WINDOWS\msagent
2009-02-03 14:41:33 ----D---- C:\WINDOWS\System32\ias
2009-02-03 14:41:23 ----D---- C:\WINDOWS\System32\1033
2009-02-03 14:38:51 ----D---- C:\WINDOWS\WinSxS
2009-02-03 14:38:51 ----D---- C:\WINDOWS\Driver Cache
2009-02-02 23:35:17 ----D---- C:\Program Files\Common Files
2009-02-02 23:34:41 ----SD---- C:\WINDOWS\Tasks
2009-02-02 12:52:05 ----D---- C:\Documents and Settings\Bob\Application Data\MSN6
2009-02-02 02:30:01 ----D---- C:\Documents and Settings\All Users\Application Data\avg8
2009-02-02 02:25:51 ----HD---- C:\$AVG8.VAULT$
2009-02-01 13:57:18 ----A---- C:\WINDOWS\System32\avgrsstx.dll
2009-01-15 03:01:53 ----HD---- C:\WINDOWS\$hf_mig$
2009-01-12 22:03:41 ----A---- C:\WINDOWS\System32\9bbc377b-.txt
2009-01-11 15:41:22 ----SD---- C:\WINDOWS\Downloaded Program Files
2009-01-09 20:35:28 ----A---- C:\WINDOWS\System32\MRT.exe
2009-01-06 18:14:24 ----D---- C:\Program Files\Google
2009-01-06 17:29:49 ----D---- C:\Documents and Settings\All Users\Application Data\Google
2009-01-05 00:26:47 ----D---- C:\Documents and Settings\Bob\Application Data\AVGTOOLBAR
======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R1 AvgLdx86;AVG Free AVI Loader Driver x86; C:\WINDOWS\System32\Drivers\avgldx86.sys [2009-02-01 325128]
R1 AvgTdiX;AVG Free8 Network Redirector; C:\WINDOWS\System32\Drivers\avgtdix.sys [2009-02-01 107272]
R1 OMCI;OMCI; C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS [2001-08-22 13632]
R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS []
R1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys []
R1 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2002-06-25 12032]
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2004-03-17 13059]
R3 BCM43XX;Dell Wireless WLAN Card Driver; C:\WINDOWS\system32\DRIVERS\bcmwl5.sys [2007-03-16 604928]
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\WINDOWS\System32\DRIVERS\CmBatt.sys [2002-06-25 13056]
R3 E100B;Intel(R) PRO Adapter Driver; C:\WINDOWS\System32\DRIVERS\e100b325.sys [2004-02-10 154112]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys [2008-04-17 15464]
R3 HSF_DPV;HSF_DPV; C:\WINDOWS\system32\DRIVERS\HSF_DPV.SYS [2005-05-03 1033728]
R3 HSFHWICH;HSFHWICH; C:\WINDOWS\system32\DRIVERS\HSFHWICH.sys [2005-05-03 208384]
R3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\ialmnt5.sys [2006-06-06 1168860]
R3 SASENUM;SASENUM; \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS []
R3 STAC97;SigmaTel C-Major Audio; C:\WINDOWS\system32\drivers\STAC97.sys [2005-03-10 273168]
R3 SynTP;Synaptics TouchPad Driver; C:\WINDOWS\system32\DRIVERS\SynTP.sys [2005-11-29 191936]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2002-06-25 50688]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2002-06-25 21760]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2002-06-25 18944]
R3 winachsf;winachsf; C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys [2005-05-03 705408]
S1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86; C:\WINDOWS\System32\Drivers\avgmfx86.sys [2009-02-01 27656]
S1 intelppm;Intel Processor Driver; C:\WINDOWS\System32\DRIVERS\intelppm.sys [2008-04-13 36352]
S3 UIUSys;Conexant Setup API; C:\WINDOWS\System32\drivers\UIUSys.sys []
S3 USBAAPL;Apple Mobile USB Driver; C:\WINDOWS\System32\Drivers\usbaapl.sys [2008-09-05 36864]
S3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2001-08-17 24832]
S4 IntelIde;IntelIde; C:\WINDOWS\System32\drivers\IntelIde.sys []
======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-09-05 116040]
R2 avg8emc;AVG Free8 E-mail Scanner; C:\PROGRA~1\AVG\AVG8\avgemc.exe [2009-02-01 903960]
R2 avg8wd;AVG Free8 WatchDog; C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2009-02-01 298264]
R2 LexBceS;LexBce Server; C:\WINDOWS\system32\LEXBCES.EXE [2004-03-04 311296]
R2 Viewpoint Manager Service;Viewpoint Manager Service; C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
R2 wltrysvc;Dell Wireless WLAN Tray Service; C:\WINDOWS\System32\WLTRYSVC.EXE [2007-03-16 20480]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2008-09-08 536872]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2005-09-23 29896]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2005-09-23 66240]
S3 getPlus(R) Helper;getPlus(R) Helper; C:\Program Files\NOS\bin\getPlus_HelperSvc.exe [2008-08-29 33752]
S3 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-01-06 137200]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2006-10-26 441136]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
-----------------EOF-----------------
-
Sorry, it wouldn't let me fit it all in one post so I broke it up.
-
Try running the first set of Dial-a-fix instructions again, or can you install another browser like Firefox until we are done so this will be easier for you?
Go to Add/Remove Programs and uninstall:
- RegCure
- RegSweep
- Viewpoint Media Player
.
----------
Open HijackThis and select Do a system scan only.
Place a check mark next to the following entries: (if there)
- O4 - HKLM\..\Run: [combofix] C:\WINDOWS\system32\CF4083.exe /c C:\ComboFix\Combobatch.bat
Important: Close all open windows except for HijackThis and then click Fix checked.
Once completed, exit HijackThis.
----------
Go to Start > Run and type notepad.exe then click OK
Copy and paste the below into Notepad and save as fixme.reg to Your Desktop
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"combofix"=-
Locate fixme.reg on your Desktop and double-click it. Answer Yes when prompted to merge with the Registry.
Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it did not work.
Delete the fixme.reg from the Desktop.
----------
Now download The Avenger (http://swandog46.geekstogo.com/avenger.zip) by Swandog46 and save it to your Desktop.
- Extract avenger.exe from the Zip file and save it to your Desktop
- Run avenger.exe by double-clicking on it.
- Do not change any check box options!!
- Copy everything in the Code box below, and paste it into the Input script here window:
Comment:
Files to delete:
C:\WINDOWS\SET7F.tmp
C:\WINDOWS\SET6F.tmp
C:\WINDOWS\SET5D.tmp
C:\WINDOWS\SET51.tmp
C:\WINDOWS\SET80.tmp
C:\WINDOWS\SET70.tmp
C:\WINDOWS\SET5E.tmp
C:\WINDOWS\SET52.tmp
C:\WINDOWS\System32\CF4083.exe
C:\WINDOWS\zip.exe
C:\WINDOWS\VFIND.exe
C:\WINDOWS\SWXCACLS.exe
C:\WINDOWS\SWSC.exe
C:\WINDOWS\SWREG.exe
C:\WINDOWS\sed.exe
C:\WINDOWS\NIRCMD.exe
C:\WINDOWS\grep.exe
C:\WINDOWS\fdsv.exe
Folders to delete:
C:\ComboFix
- Now click the Execute button.
- Click Yes to the prompt to confirm you want to execute.
- Click Yes to the "Reboot now?" question that will appear when Avenger finishes running.
- Your PC should reboot, if not, reboot it yourself.
- A log file from Avenger will be produced at C:\avenger.txt and it will pop-up for you to view when you login after reboot.
.
- Add the Avenger log in your next post.
----------
Download Malwarebytes' Anti-Malware (MBAM) (http://www.besttechie.net/tools/mbam-setup.exe)
- Double-click mbam-setup.exe and follow the prompts to install the program.
- At the end, be sure a checkmark is placed next to the following:
- Update Malwarebytes' Anti-Malware
- Launch Malwarebytes' Anti-Malware
- Then click Finish.
- If an update is found, it will download and install the latest version.
- Once the program has loaded, select Perform quick scan, then click Scan.
- When the scan is complete, click OK, then Show Results to view the results.
- Be sure that everything is checked, and click Remove Selected.
- When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
- The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
- Copy and Paste the entire report in your next reply.
Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.
-
Where do I download HijackThis?
-
Go to C:\Program Files\trend micro
There should be a file there named Hijackthis.exe or maybe Bob.exe. That is HijackThis.
If not then download it here http://www.trendsecure.com/portal/en-US/_download/HJTInstall.exe
-
Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com
Platform: Windows XP
*******************
Script file opened successfully.
Script file read successfully.
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
Rootkit scan active.
No rootkits found!
File "C:\WINDOWS\SET7F.tmp" deleted successfully.
File "C:\WINDOWS\SET6F.tmp" deleted successfully.
File "C:\WINDOWS\SET5D.tmp" deleted successfully.
File "C:\WINDOWS\SET51.tmp" deleted successfully.
File "C:\WINDOWS\SET80.tmp" deleted successfully.
File "C:\WINDOWS\SET70.tmp" deleted successfully.
File "C:\WINDOWS\SET5E.tmp" deleted successfully.
File "C:\WINDOWS\SET52.tmp" deleted successfully.
File "C:\WINDOWS\System32\CF4083.exe" deleted successfully.
File "C:\WINDOWS\zip.exe" deleted successfully.
File "C:\WINDOWS\VFIND.exe" deleted successfully.
File "C:\WINDOWS\SWXCACLS.exe" deleted successfully.
File "C:\WINDOWS\SWSC.exe" deleted successfully.
File "C:\WINDOWS\SWREG.exe" deleted successfully.
File "C:\WINDOWS\sed.exe" deleted successfully.
File "C:\WINDOWS\NIRCMD.exe" deleted successfully.
File "C:\WINDOWS\grep.exe" deleted successfully.
File "C:\WINDOWS\fdsv.exe" deleted successfully.
Folder "C:\ComboFix" deleted successfully.
Completed script processing.
*******************
Finished! Terminate.
-
Did you get MalwareBytes to run?
-
I installed it and ran it and it found 2 errors which were then cleaned up.
-
Can you post the log please so I know what we are dealing with.
It can be found under the logs tab in MalwareBytes.
-
Malwarebytes' Anti-Malware 1.33
Database version: 1725
Windows 5.1.2600
2009-02-03 13:42:31
mbam-log-2009-02-03 (13-42-31).txt
Scan type: Quick Scan
Objects scanned: 53024
Time elapsed: 4 minute(s), 58 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\RegSweep (Rogue.RegSweep) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\Explorer1.exe (Trojan.Agent) -> Quarantined and deleted successfully.
-
Download DrWeb CureIt (http://www.freedrweb.com/) & save it to your desktop.
Scan with DrWeb-CureIt as follows:
- Double-click on drweb-cureit.exe and then click Start.
- An Express Scan of your PC notice will appear.
- Under Start the Express Scan Now Click OK to start.
- This is a short scan that will scan the files currently running in memory.
- If or when something is found, click the Yes button when it asks you if you want to cure it.
- Once the short scan has finished, Click Options > Change settings
- Choose the Scan tab and UNcheck Heuristic analysis and click OK
- Back at the main window, select the Complete scan button.
- Then click the Green Arrow (http://i154.photobucket.com/albums/s258/evilfantasy69/drweb.jpg) Start Scanning button on the right and the scan will start.
- Click Yes to all if it asks if you want to cure/move any file(s).
- When the scan is done.
- In the Dr.Web CureIt menu on top left, click File and choose Save report list.
- Save the DrWeb.csv report to your Desktop.
- Exit Dr.Web Cureit.
- Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
[/COLOR]- After reboot, Right-click the Dr.Web log on the desktop and choose Open With > Notepad
- Copy and paste that log in the next reply
-
Sorry aobut the delay, here's the log:
data002\32788R22FWJFW\psexec.cfexe;C:\System Volume Information\_restore{887FE045-9D63-4968-936F-793AB5517D1C}\RP4\A0002379.exe\data002;Program.PsExec.171;;
data002;C:\System Volume Information\_restore{887FE045-9D63-4968-936F-793AB5517D1C}\RP4\A0002379.exe;Archive contains infected objects;;
A0002379.exe;C:\System Volume Information\_restore{887FE045-9D63-4968-936F-793AB5517D1C}\RP4;Archive contains infected objects;Moved.;
A0002381.exe;C:\System Volume Information\_restore{887FE045-9D63-4968-936F-793AB5517D1C}\RP4;Tool.Prockill;Incurable.Deleted.;
-
Nothing new was found. How is the computer running now?
-
Pretty good, the only problem is IE shuts down every once in a while, I tried to install the newest version and also Firefox, but it says my service pack doesn't support the installation or something. Other than that the computer is running fine.
-
Go to Microsoft Windows Update (http://windowsupdate.microsoft.com/) and get all critical updates.
How is it now?
-
When I try to update, it says I don't have all the files needed or something...my IE has been getting worse too and I have no clue why.