Computer Hope
Software => Computer viruses and spyware => Topic started by: pineapplejeani on December 05, 2008, 06:06:38 PM
-
Hello.
I'm embarrassed to say that I'm back with another problem.
This time it's my mom's laptop. (She's in so much trouble--but I digress)
It's a Dell 1G w/ 256 RAM. Pentium III. Windows XP Pro w/sp3. She thought she was running all the right programs but she wasn't.
She was using Spyware Blaster, Ad-aware and SpyBot,
She tried to watch a video online, it asked something about running active x,
she says she clicked "no" but whatever it was installed anyway.
Step A -She had AVG 7.5 installed but I'm not sure if she used it or updated it. I tried to upgrade but 8.0 won't install in safe mode.
Step 1 -Nothing suspicious to remove
Step 2 -CCleaner removed 30Mb of crap
Step 3 -SuperAntispyware wouldn't install in safe mode
Step 4 -MBAM installed and ran fine -logs attached
Step 5 -Java is current
Step 6 -Hijack this installed and ran fine -logs attached
Thanks again, Jeani
[Saving space - attachment deleted by admin]
-
Disable Spybot's TeaTimer
While TeaTimer is an excellent tool for the prevention of spyware, it can also interfere with HijackThis fixes. Please disable TeaTimer for now until you are clean.
1. Right click Spybot in the System Tray (looks like a calendar with a padlock symbol). Choose Exit Spybot S&D Resident
2. Run Spybot S&D
3. Go to the Mode menu, and make sure Advanced Mode is selected.
4. On the left hand side, choose Tools > Resident
uncheck Resident TeaTimer and OK any prompt and Restart your computer.
Note: If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.
If TeaTimer will not turn off then uninstall Spybot until we are done cleaning.
----------
Before you begin the SDFix instructions you should copy these instructions in a Notepad file and save them to your desktop or print them for easy reference. Much of SDFix will be done in Safe mode and you will be unable to access this web page after booting into Safe mode.
Download SDFix by AndyManchesta (http://download.bleepingcomputer.com/andymanchesta/SDFix.exe) and save it to your desktop.
When using this tool, you must use the Administrator's account or an account with Administrative rights
- Double click SDFix.exe and it will extract the files to %systemdrive%
- (this is the drive that contains the Windows Directory, typically C:\SDFix).
- DO NOT use it just yet.
Reboot your computer in Safe Mode (http://www.bleepingcomputer.com/tutorials/tutorial61.html) using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".
Open the SDFix folder and double click RunThis.bat to start the script.
- Type Y to begin the cleanup process.
- It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
- Press any Key and it will restart the PC.
- When the PC restarts, the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
- Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
- Copy and paste the contents of the results file Report.txt in your next reply.
.
Can you get to Normal mode now?
-
It seems to get a little farther into loading but still doesn't work right in normal mode. If I click any icons, the hourglass just keeps going and the program doesn't open. CTRL ALT DEL doesn't work either. I'm back in safe mode. Here's the report:
SDFix: Version 1.240
Run by Administrator on Sat 12/06/2008 at 07:19 PM
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
Checking Services :
Restoring Default Security Values
Restoring Default Hosts File
Rebooting
Checking Files :
No Trojan Files Found
Removing Temp Files
ADS Check :
Final Check :
catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-06 19:26:34
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\69C26E207C187C00]
"Type"=dword:00000001
"Start"=dword:00000002
"ErrorControl"=dword:00000000
"ImagePath"=str(2):"\??\C:\Documents and Settings\Home\Desktop\69C26E207C187C00\69C26E207C187C00"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\69C26E207C187C00\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\69C26E207C187C00]
"Type"=dword:00000001
"Start"=dword:00000002
"ErrorControl"=dword:00000000
"ImagePath"=str(2):"\??\C:\Documents and Settings\Home\Desktop\69C26E207C187C00\69C26E207C187C00"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\69C26E207C187C00\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,..
scanning hidden registry entries ...
source file error: C:\Documents and Settings\Home\ntuser.dat
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
Remaining Services :
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\IncrediMail\\bin\\ImApp.exe"="C:\\Program Files\\IncrediMail\\bin\\ImApp.exe:*:Enabled:IncrediMail"
"C:\\Program Files\\IncrediMail\\bin\\IncMail.exe"="C:\\Program Files\\IncrediMail\\bin\\IncMail.exe:*:Enabled:IncrediMail"
"C:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"="C:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe:*:Enabled:IncrediMail"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
Remaining Files :
Files with Hidden Attributes :
Fri 19 Sep 2008 2,174,976 ...H. --- "C:\Program Files\Amazing Adventures - Around the World\AmazingAdventures2.exe"
Wed 2 Jul 2008 1,746,248 ...H. --- "C:\Program Files\The Secret of Margrave Manor\Margrave Manor.exe"
Sun 10 Feb 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Finished!
-
Download Dial-a-Fix (http://wiki.djlizard.net/Dial-a-fix#Mirrors.2Fdownload_locations.2C_and_articles) by djlizard, save it to the desktop then extract it to it's own folder.
- Open the folder and run Dial-a-fix.exe
- 2 windows will open. Close the one in the background labeled Restrictive Policies
- Check the box in section 1, Empty temp folders.
- Check the box in section 2, Fix Windows Installer.
- Check the box in section 4, labeled SSL/HTTPS/Cryptography. The 4 boxes under it should be pre-checked
- Check all boxes in Section 5, labeled Registration Center.
- Click Go
- OK any error messages if received, but write them down and post them here.
- Restart the computer when done.
How is everything now?
-
I was not able to check the box in section 2, but I ran sdfix with everything else you told me. I didn't get any error messages, and normal mode isn't any different.
-
Download ComboFix© by sUBs from one of the below links. Be sure top save it to the Desktop.
Link #1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link #2 (http://subs.geekstogo.com/ComboFix.exe)
**Note: It is important that it is saved directly to your Desktop
Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.
Temporarily disable your antivirus, and any antispyware real time protection before performing a scan. Click this link (http://www.bleepingcomputer.com/forums/topic114351.html) to see a list of security programs that should be disabled and how to disable them.
Double click combofix.exe & follow the prompts.
For Windows XP Systems install the Recovery Console:
- If you are using Windows XP and do not already have the Recovery Console installed, please ensure your Internet connection is active (if possible) and click Yes.
- If for some reason your Internet is not working click No.
- If you are not using Windows XP, you will not be prompted.
- When prompted to accept the EULA click OK.
- Accept Microsoft's EULA (Click Yes).
- When you are told that the RC is installed correctly click YES to continue scanning for malware.
When finished ComboFix will produce a log for you.
Post the ComboFix log in your next reply.
Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.
Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.
-
I ran the combo fix. I kept checking on the laptop as it was running. The program automatically restarted. It got as far as a blue screen that said something like "this window will close in a minutes. Combo fix is producing a log. It will be saved in C:\Combofix" I waited a full ten minutes and nothing happened beyond that. I restarted in safe mode again but I can't find the log it was referring to. There are 3 *.txt documents in the folder: CF-RC, ComboFix, OsId, and pend.
-
Go to Start > Run and type c:\combofix.txt and then click OK. It should pop up for you.
-
I got an error message that windows cannot find 'c:\combofix.txt'. Make sure you typed the name correctly...
-
Run ComboFix again please.
-
I'm back in safe mode. Here's the log:
ComboFix 08-12-06.04 - Administrator 2008-12-06 22:28:10.2 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.134 [GMT -5:00]
Running from: c:\documents and settings\Administrator.HOME-VH06P3NS16.000\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\windows\system32\AutoRun.inf
.
((((((((((((((((((((((((( Files Created from 2008-11-07 to 2008-12-07 )))))))))))))))))))))))))))))))
.
2008-12-06 20:25 . 2008-12-06 20:26 <DIR> d-------- c:\windows\system32\CatRoot2
2008-12-06 19:55 . 2008-12-06 19:55 <DIR> d-------- c:\documents and settings\Home\Application Data\Malwarebytes
2008-12-06 19:18 . 2008-12-06 19:18 578,560 --a--c--- c:\windows\system32\dllcache\user32.dll
2008-12-06 19:17 . 2008-12-06 19:17 <DIR> d-------- c:\windows\ERUNT
2008-12-06 19:14 . 2008-12-06 19:29 <DIR> d-------- C:\SDFix
2008-12-04 22:28 . 2008-12-04 22:28 <DIR> d-------- c:\program files\Trend Micro
2008-12-04 22:04 . 2008-12-04 22:04 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-04 22:04 . 2008-12-04 22:04 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-04 22:04 . 2008-12-04 22:04 <DIR> d-------- c:\documents and settings\Administrator.HOME-VH06P3NS16.000\Application Data\Malwarebytes
2008-12-04 22:04 . 2008-12-03 19:53 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-04 22:04 . 2008-12-03 19:53 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-04 21:53 . 2008-12-04 21:53 <DIR> d-------- c:\program files\CCleaner
2008-12-04 20:12 . 2008-12-04 21:39 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-04 20:12 . 2008-12-04 21:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-04 20:03 . 2008-12-04 21:59 <DIR> d-------- c:\documents and settings\Administrator.HOME-VH06P3NS16.000
2008-12-04 13:15 . 2008-12-04 13:15 <DIR> d-------- c:\documents and settings\Administrator.HOME-VH06P3NS16
2008-12-04 12:49 . 2008-12-04 12:49 <DIR> d-------- c:\documents and settings\Administrator
2008-12-02 18:42 . 2008-12-02 18:42 <DIR> dr-h----- C:\$VAULT$.AVG
2008-11-28 15:45 . 2008-11-28 15:45 <DIR> d-------- c:\documents and settings\Home\Application Data\Artogon
2008-11-12 06:27 . 2008-09-04 12:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-12 06:27 . 2008-10-24 06:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-11 07:09 . 2008-11-11 07:09 <DIR> d-------- c:\windows\Sun
2008-11-09 13:33 . 2008-11-09 13:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\ERS G-Studio
2008-11-09 12:21 . 2008-11-09 14:41 <DIR> d-------- c:\program files\Hidden Mysteries - Buckingham Palace
2008-11-08 19:02 . 2008-11-08 19:02 <DIR> d-------- c:\documents and settings\Home\Saved Games
2008-11-08 19:02 . 2008-11-08 19:02 <DIR> d-------- c:\documents and settings\Home\Application Data\Flood Light Games
2008-11-08 19:02 . 2008-11-08 19:02 <DIR> d-------- c:\documents and settings\All Users\Application Data\Flood Light Games
2008-11-08 10:33 . 2008-11-08 10:33 <DIR> d-------- c:\program files\IObit
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-05 03:05 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-05 02:55 --------- d-----w c:\documents and settings\LocalService\Application Data\AVG7
2008-12-05 02:55 --------- d-----w c:\documents and settings\Home\Application Data\AVG7
2008-12-05 02:55 --------- d-----w c:\documents and settings\All Users\Application Data\avg7
2008-11-28 22:45 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-11-28 21:55 --------- d-----w c:\documents and settings\All Users\Application Data\BigFishGamesCache
2008-11-25 17:54 --------- d-----w c:\documents and settings\Home\Application Data\HPAppData
2008-11-09 15:39 --------- d-----w c:\program files\bfgclient
2008-11-08 14:41 --------- d-----w c:\program files\SpywareBlaster
2008-11-04 18:27 --------- d-----w c:\program files\HP
2008-11-04 18:27 --------- d-----w c:\documents and settings\All Users\Application Data\HPSSUPPLY
2008-11-04 18:24 --------- d-----w c:\documents and settings\All Users\Application Data\HP Product Assistant
2008-11-04 18:24 --------- d-----w c:\documents and settings\All Users\Application Data\HP
2008-11-04 18:23 --------- d-----w c:\program files\Hewlett-Packard
2008-10-26 17:13 --------- d-----w c:\documents and settings\All Users\Application Data\Slapdash Games
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-20 00:29 --------- d-----w c:\documents and settings\Home\Application Data\OpenOffice.org
2008-10-20 00:15 --------- d-----w c:\program files\OpenOffice.org 3
2008-10-20 00:15 --------- d-----w c:\program files\JRE
2008-10-20 00:14 --------- d-----w c:\program files\Java
2008-10-20 00:13 --------- d-----w c:\program files\Common Files\Java
2008-10-19 23:23 --------- d-----w c:\program files\Microsoft ActiveSync
2008-10-19 16:52 --------- d-----w c:\documents and settings\All Users\Application Data\iWin Games
2008-10-19 16:45 --------- d-----w c:\documents and settings\Home\Application Data\Mushroom Age
2008-10-19 16:11 --------- d-----w c:\program files\iWin.com
2008-10-19 15:39 --------- d-----w c:\documents and settings\Home\Application Data\Restorer
2008-09-30 21:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-10 01:14 1,307,648 ------w c:\windows\system32\msxml6.dll
.
((((((((((((((((((((((((((((( snapshot@2008-12-06_21.11.33.01 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-12-07 01:47:37 42,930 ----a-w c:\windows\system32\perfc009.dat
+ 2008-12-07 02:34:03 44,082 ----a-w c:\windows\system32\perfc009.dat
- 2008-12-07 01:47:37 316,908 ----a-w c:\windows\system32\perfh009.dat
+ 2008-12-07 02:34:03 318,968 ----a-w c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 49152]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-03-11 210520]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
S2 69C26E207C187C00;69C26E207C187C00;\??\c:\documents and settings\Home\Desktop\69C26E207C187C00\69C26E207C187C00 []
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
.
------- Supplementary Scan -------
.
c:\windows\Downloaded Program Files\stg_drm.ocx - c:\windows\Downloaded Program Files\CONFLICT.1\stg_drm.ocx
c:\windows\Downloaded Program Files\CONFLICT.2\stg_drm.ocx
c:\windows\Downloaded Program Files\CONFLICT.3\stg_drm.ocx
c:\windows\Downloaded Program Files\CONFLICT.4\stg_drm.ocx
c:\windows\Downloaded Program Files\CONFLICT.5\stg_drm.ocx
c:\windows\Downloaded Program Files\CONFLICT.6\stg_drm.ocx
c:\windows\Downloaded Program Files\CONFLICT.7\stg_drm.ocx
O16 -: {149E45D8-163E-4189-86FC-45022AB2B6C9}
file:///C:/Program%20Files/Dr.%20Lynch%20-%20Grave%20Secrets/Images/stg_drm.ocx
c:\windows\Downloaded Program Files\armhelper.ocx - O16 -: {CC450D71-CC90-424C-8638-1F2DBAC87A54}
file:///C:/Program%20Files/Wizard's%20Pen/Images/armhelper.ocx
FireFox -: Profile - c:\documents and settings\Administrator.HOME-VH06P3NS16.000\Application Data\Mozilla\Firefox\Profiles\34imw5cl.default\
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-06 22:30:28
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\69C26E207C187C00]
"ImagePath"="\??\c:\documents and settings\Home\Desktop\69C26E207C187C00\69C26E207C187C00"
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\69C26E207C187C00]
"ImagePath"="\??\c:\documents and settings\Home\Desktop\69C26E207C187C00\69C26E207C187C00"
.
Completion time: 2008-12-06 22:31:37
ComboFix-quarantined-files.txt 2008-12-07 03:31:19
Pre-Run: 12,369,674,240 bytes free
Post-Run: 12,358,193,152 bytes free
138 --- E O F --- 2008-11-13 15:57:55
-
I'm really not seeing anything.
Please download from DDS by sUBs (http://www.techsupportforum.com/sectools/sUBs/dds/) and save it to your Desktop.
Vista users. Right click on dds and select Run as administrator (you will receive a UAC prompt, please allow it)
- Double click on dds to run it.
- When done, DDS.txt will open.
- You will receive another prompt after a while. Click Yes at the prompt. It will take another few minutes to scan.
- When done, Attach.txt will open.
- Please copy and paste the contents of DDS.txt and Attach.txt in your next reply.
-
DDS:
DDS (Version 1.0) - NTFSx86 NETWORK
Run by Administrator at 22:53:42.91 on Sat 12/06/2008
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.255.93 [GMT -5:00]
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator.HOME-VH06P3NS16.000\Desktop\dds.com
============== Pseudo HJT Report ===============
BHO: {0347C33E-8762-4905-BF09-768834316C61} - c:\program files\hp\smart web printing\hpswp_printenhancer.dll
BHO: {053F9267-DC04-4294-A72C-58F732D338C0} - c:\program files\hp\smart web printing\hpswp_framework.dll
BHO: {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot - search & destroy\SDHelper.dll
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\npjpi160_07.dll
IE: {58ECB495-38F0-49cb-A538-10282ABF65E7} - {E763472E-A716-4CD9-89BD-DBDA6122F741} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {700259D7-1666-479a-93B1-3250410481E8} - {A93C41D8-01F8-4F8B-B14C-DE20B117E636} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot - search & destroy\SDHelper.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
============= SERVICES / DRIVERS ===============
R2 aawservice;Lavasoft Ad-Aware Service;"c:\program files\lavasoft\ad-aware\aawservice.exe" [2008-5-12 611664]
S2 69C26E207C187C00;69C26E207C187C00;\??\c:\documents and settings\home\desktop\69c26e207c187c00\69C26E207C187C00 []
=============== Created Last 30 ================
2008-12-06 21:03 <DIR> a-dshr-- C:\cmdcons
2008-12-06 21:00 161,792 a------- c:\windows\SWREG.exe
2008-12-06 21:00 98,816 a------- c:\windows\sed.exe
2008-12-06 20:25 <DIR> --d----- c:\windows\system32\CatRoot2
2008-12-06 19:18 578,560 ac------ c:\windows\system32\dllcache\user32.dll
2008-12-06 19:17 <DIR> --d----- c:\windows\ERUNT
2008-12-06 19:14 <DIR> --d----- C:\SDFix
2008-12-04 22:28 <DIR> --d----- c:\program files\Trend Micro
2008-12-04 22:04 <DIR> --d----- c:\docume~1\administrator.home-vh06p3ns16.000\application data\Malwarebytes
2008-12-04 22:04 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-12-04 22:04 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-04 22:04 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2008-12-04 22:04 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2008-12-04 21:53 <DIR> --d----- c:\program files\CCleaner
2008-12-04 20:12 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2008-12-04 20:12 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2008-12-04 20:03 <DIR> --d----- c:\documents and settings\Administrator.HOME-VH06P3NS16.000
2008-12-02 18:42 <DIR> --d-hr-- C:\$VAULT$.AVG
2008-11-12 06:27 455,296 -c------ c:\windows\system32\dllcache\mrxsmb.sys
2008-11-12 06:27 1,106,944 -c------ c:\windows\system32\dllcache\msxml3.dll
2008-11-09 13:33 <DIR> --d----- c:\docume~1\alluse~1\applic~1\ERS G-Studio
2008-11-09 12:21 <DIR> --d----- c:\program files\Hidden Mysteries - Buckingham Palace
2008-11-08 19:02 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Flood Light Games
2008-11-08 10:33 <DIR> --d----- c:\program files\IObit
==================== Find3M ====================
2008-11-18 13:01 139,775 a------- c:\windows\hpoins15.dat
2008-10-24 06:21 455,296 a------- c:\windows\system32\drivers\mrxsmb.sys
2008-10-19 08:20 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-09-30 16:43 1,286,152 a------- c:\windows\system32\msxml4.dll
2008-09-15 07:12 1,846,400 a------- c:\windows\system32\win32k.sys
2008-09-09 20:14 1,307,648 -------- c:\windows\system32\msxml6.dll
============= FINISH: 22:54:10.55 ===============
Attach:
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
DDS (Version 1.0)
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 2/9/2008 6:29:14 PM
System Uptime: 12/6/2008 10:41:39 PM (0 hours ago)
Motherboard: Dell Computer Corporation | | Latitude C610
Processor: Intel(R) Pentium(R) III Mobile CPU 1000MHz | Microprocessor | 996/133mhz
==== Disk Partitions =========================
C: is FIXED (NTFS) - 19 GiB total, 11.645 GiB free.
D: is CDROM ()
==== Disabled Device Manager Items =============
Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: PCI Modem
Device ID: PCI\VEN_8086&DEV_2486&SUBSYS_4C21134D&REV_01\3&61AAA01&0&FE
Manufacturer:
Name: PCI Modem
PNP Device ID: PCI\VEN_8086&DEV_2486&SUBSYS_4C21134D&REV_01\3&61AAA01&0&FE
Service:
==== System Restore Points ===================
RP49: 10/26/2008 3:21:49 AM - System Checkpoint
RP50: 10/28/2008 11:23:02 AM - System Checkpoint
RP51: 10/29/2008 7:09:21 PM - System Checkpoint
RP52: 10/30/2008 7:20:20 PM - System Checkpoint
RP53: 11/1/2008 2:59:49 AM - System Checkpoint
RP54: 11/2/2008 3:51:08 AM - System Checkpoint
RP55: 11/3/2008 11:22:02 AM - System Checkpoint
RP56: 11/4/2008 10:54:10 AM - Removed HP Smart Web Printing
RP57: 11/4/2008 10:54:49 AM - Removed HPSU306Stub
RP58: 11/4/2008 10:54:59 AM - Removed HP Update
RP59: 11/4/2008 10:55:26 AM - Removed HPSSupply
RP60: 11/4/2008 1:27:56 PM - Installed HPSU306Stub
RP61: 11/6/2008 11:22:29 AM - System Checkpoint
RP62: 11/8/2008 10:35:11 AM - Advanced WindowsCare RestorePoint
RP63: 11/9/2008 5:42:51 PM - System Checkpoint
RP64: 11/10/2008 6:45:54 PM - System Checkpoint
RP65: 11/11/2008 7:15:08 PM - System Checkpoint
RP66: 11/13/2008 10:42:28 AM - Software Distribution Service 3.0
RP67: 11/14/2008 2:05:50 PM - System Checkpoint
RP68: 11/15/2008 6:16:34 PM - System Checkpoint
RP69: 11/16/2008 7:24:43 PM - System Checkpoint
RP70: 11/17/2008 8:59:50 PM - System Checkpoint
RP71: 11/18/2008 10:22:56 PM - System Checkpoint
RP72: 11/20/2008 1:20:05 PM - System Checkpoint
RP73: 11/21/2008 7:02:51 PM - System Checkpoint
RP74: 11/22/2008 8:48:51 PM - System Checkpoint
RP75: 11/23/2008 9:58:44 PM - System Checkpoint
RP76: 11/24/2008 10:22:41 PM - System Checkpoint
RP77: 11/26/2008 7:03:30 AM - System Checkpoint
RP78: 11/27/2008 7:49:47 AM - Removed Adobe Media Player
RP79: 11/28/2008 6:01:33 PM - System Checkpoint
RP80: 11/29/2008 7:28:49 PM - System Checkpoint
RP81: 11/30/2008 9:14:43 PM - System Checkpoint
RP82: 12/1/2008 11:05:28 PM - System Checkpoint
RP83: 12/3/2008 6:52:42 AM - System Checkpoint
==== Installed Programs ======================
32 Bit HP CIO Components Installer
Ad-Aware
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Advanced WindowsCare Personal
AIO_Scan
Amazing Adventures: Around the World
ArcSoft PhotoImpression
Big Fish Games Client
Broadcom 802.11 Wireless LAN Adapter
BufferChm
C4200
C4200_doccd
c4200_Help
CCleaner (remove only)
Copy
CustomerResearchQFolder
Destination Component
DeviceDiscovery
DeviceManagementQFolder
DocProc
DocProcQFolder
eSupportQFolder
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
HP Customer Participation Program 9.0
HP Imaging Device Functions 9.0
HP OCR Software 9.0
HP Photosmart All-In-One Software 9.0
HP Photosmart Essential 2.01
HP Photosmart Essential2.01
HP Smart Web Printing
HP Solution Center 9.0
HP Update
HPProductAssistant
HPSSupply
Java(TM) 6 Update 7
Malwarebytes' Anti-Malware
MarketResearch
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Professional with FrontPage
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Mozilla Firefox (3.0.4)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
OpenOffice.org 3.0
PS_AIO_ProductContext
PS_AIO_Software
PS_AIO_Software_min
PSSWCORE
Scan
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
SolutionCenter
Spybot - Search & Destroy
SpywareBlaster 4.1
Status
The Secret of Margrave Manor
Toolbox
TrayApp
UnloadSupport
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
VideoToolkit01
WebFldrs XP
WebReg
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows XP Service Pack 3
==== Event Viewer Messages ===================
12/4/2008 12:51:21 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Avg7Core Avg7RsW Avg7RsXP Fips P3
12/4/2008 12:50:22 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
12/3/2008 7:13:52 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the Spooler service.
12/3/2008 6:32:43 AM, error: Service Control Manager [7000] - The Application Layer Gateway Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
12/3/2008 6:32:43 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Application Layer Gateway Service service to connect.
12/3/2008 6:31:57 AM, error: Service Control Manager [7022] - The Protected Storage service hung on starting.
12/3/2008 6:31:55 AM, error: Service Control Manager [7022] - The IPSEC Services service hung on starting.
12/3/2008 6:30:37 AM, error: Service Control Manager [7000] - The Ati HotKey Poller service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
12/3/2008 6:30:37 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Ati HotKey Poller service to connect.
12/1/2008 3:42:26 AM, error: Service Control Manager [7034] - The AVG E-mail Scanner service terminated unexpectedly. It has done this 1 time(s).
11/29/2008 8:07:22 PM, error: HPZipr12 [43] -
12/4/2008 1:02:05 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
12/4/2008 1:02:54 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
12/4/2008 1:17:13 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service Avg7Alrt with arguments "" in order to run the server: {3486DF65-1D90-406A-A072-30629910F113}
12/4/2008 1:22:26 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service Avg7UpdSvc with arguments "" in order to run the server: {F82EDB94-BE85-42BE-9B70-EA5005AB5BAA}
12/4/2008 9:24:37 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
12/4/2008 9:25:35 PM, error: SideBySide [32] - Dependent Assembly Microsoft.VC80.CRT could not be found and Last Error was The referenced assembly is not installed on your system.
12/4/2008 9:25:35 PM, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.VC80.CRT. Reference error message: The referenced assembly is not installed on your system. .
12/4/2008 9:25:35 PM, error: SideBySide [59] - Generate Activation Context failed for C:\Program Files\AVG\AVG8\avgssie.dll. Reference error message: The operation completed successfully. .
12/4/2008 9:25:35 PM, error: SideBySide [59] - Generate Activation Context failed for C:\Program Files\AVG\AVG8\avgpp.dll. Reference error message: The operation completed successfully. .
12/4/2008 10:43:49 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips P3
==== End Of File ===========================
-
I'm stumped.
You might try a System Restore and see if it gets it back to normal mode.
Do you have an XP CD?
-
I don't have one here, but I can get one tomorrow.
-
Place it in your CD ROM drive and follow the instructions below:- Click on Start > Run and type sfc /scannow then press Enter (note the space between scf and /scannow)
- Let this run undisturbed until the window with the blue progress bar goes away
SFC - Which stands for System File Checker, retrieves the correct version of the file from %Systemroot%\System32\Dllcache or the Windows installation source files, and then replaces the incorrect file.
-
OK. Thanks for all your help tonight. I'll get the cd and run that procedure tomorrow. I'll let you know how it works out.
-
No problem...
-
<Removed>
http://www.computerhope.com/forum/index.php/topic,57605.0.html