No desktop control buttons.

My computer was recently attacked by adware or spyware, which made my computer almost useless. I had ZoneAlarm, but not the Virus Suite, before the attack. So I bought the Suite and scanned the computer, and it found over 200 spyware items, etc., but could not get rid of two. I kept trying, and then the computer went down. Safe Mode would not work and all my restore points were gone. I kept working on it, and finally a strange thing happened: I got the desktop up (the desktop picture), but all the buttons and controls were gone. The only thing I could do was get the Task Manager up. By going to File > Run I was able to get my Win Word Shortcut Bar up. I had a lot of the programs I use on that bar, so I could work from there. The computer is working great (as far as it can go); there are only 17 items on the Task Manager working at boot up, which works out well. But of course I lack most of my controls. If I could get the Desktop, Start menu, Task Bar and the File Explorer to work that would be great. I have a button for Explorer on my Win Word Shortcut Bar but it will not open. Thanks, Phil
xdr56tfc asked:
xdr56tfc (Author) commented:
Title:
lNo desktop control buttons. is wrong
 
The Title is:
No desktop control buttons.

Sorry, xdr56tfc
 
0
IndiGenus commented:
Hi,
Sounds like quite a bit of OS damage may have been done. If possible, it would be great if we could get a HijackThis log to review.

http://www.trendsecure.com/portal/en-US/threat_analytics/hijackthis.php

Click on "Do a system scan and save a log file" button. Post the text from the log file. Do not have HJT fix anything at this point.

Please do not post the log into the comment window. Use "Attach File" under the comment window to post the log.
0
Peter Hart commented:
TRY A FIX FROM THIS PLACE:

http://www.kellys-korner-xp.com/xp_tweaks.htm
in particular lines 20 and 72
0

johnb6767 commented:
From the Run command in the task manager...

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

What are the values for the following?

Shell
should read
explorer.exe

Userinit
should read...
C:\WINDOWS\system32\userinit.exe,

And to emphasize the suggestion previous, the Hijack This logfile would be great....
0
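The check johnb6767 describes (Winlogon's Shell and Userinit values decide whether explorer.exe, and with it the desktop, taskbar and Start menu, is launched at logon) as an added example; this is not code from the original thread. It compares the two values against the defaults quoted in the post, substituting the system root because the machine in this thread has Windows on D:, and only attempts the registry read itself on Windows.

```python
"""Compare the Winlogon Shell and Userinit values with the defaults quoted in
the thread.  Added example, not code from the original post; the registry read
runs only on Windows, elsewhere pass the values in by hand (e.g. as read off
regedit started from Task Manager > File > Run)."""
import sys
from typing import Dict, List, Optional

WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Defaults as stated in the thread.  %SystemRoot% is substituted at check time
# because the machine in this thread has Windows installed on D:, not C:.
EXPECTED_SHELL = "explorer.exe"
EXPECTED_USERINIT = r"%SystemRoot%\system32\userinit.exe,"


def check_winlogon(values: Dict[str, Optional[str]],
                   system_root: str = r"C:\WINDOWS") -> List[str]:
    """Return human-readable findings; an empty list means both values are as expected.

    A missing or altered Shell value is exactly the failure mode in this thread:
    winlogon never launches explorer.exe, so there is no desktop, taskbar or
    Start menu even though the rest of the system is up."""
    findings: List[str] = []

    shell = values.get("Shell")
    if not shell:
        findings.append("Shell is missing or empty: explorer.exe is never started at logon")
    elif shell.strip().lower() != EXPECTED_SHELL:
        # Anything listed after explorer.exe is launched alongside it at every logon.
        findings.append(f"Shell is {shell!r}; expected {EXPECTED_SHELL!r}")

    userinit = values.get("Userinit")
    want = EXPECTED_USERINIT.replace("%SystemRoot%", system_root)
    if not userinit:
        findings.append("Userinit is missing or empty: userinit.exe, which starts the shell, never runs")
    elif userinit.strip().lower() != want.lower():
        # Extra comma-separated entries here run before the shell as the logging-on user.
        findings.append(f"Userinit is {userinit!r}; expected {want!r}")
    return findings


def read_winlogon_values() -> Dict[str, Optional[str]]:
    """Read the two values from HKLM (Windows only)."""
    import winreg  # only available on Windows
    out: Dict[str, Optional[str]] = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        for name in ("Shell", "Userinit"):
            try:
                out[name] = winreg.QueryValueEx(key, name)[0]
            except FileNotFoundError:
                out[name] = None
    return out


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("registry read needs Windows; call check_winlogon() with values instead")
    import os
    found = read_winlogon_values()
    problems = check_winlogon(found, os.environ.get("SystemRoot", r"C:\WINDOWS"))
    print("\n".join(problems) if problems else "Shell and Userinit are at their defaults")
```

The comparison is case-insensitive because the registry stores whatever case the installer wrote; what matters is that nothing has been appended to either value, since each extra entry is a program started at every logon.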
xdr56tfc (Author) commented:

I thought I still had HijackThis but I could not find it, so I downloaded it again to my In Process file, but I could not install it from there, so I downloaded it as Open, and it installed.
I am sending the log as an attachment. I'm sorry it is taking so long to respond, but I have been busy, and my computer is not working right, so it takes a lot longer to do things, but I will respond to your suggestions as soon as possible. Thanks, I hope the log helps. Xdr56tfc

PS. I hope the file attached; I cannot see it.
0
IndiGenus commented:
No, file did not attach. If that's a problem try it in a Code Snippet window. Check the box and paste the text in there...
0
xdr56tfc (Author) commented:

It looks like that worked.  Thanks,  xdr56tfc


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:34:01 PM, on 2/10/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
 
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\csrss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\System32\inetsrv\inetinfo.exe
D:\WINDOWS\System32\snmp.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\wdfmgr.exe
D:\WINDOWS\System32\taskmgr.exe
D:\Documents and Settings\Phil Wirth\Desktop\MSOFFICE.EXE
D:\Documents and Settings\Phil Wirth\Desktop\Filemon\Filemon.exe
D:\WINDOWS\System32\ctfmon.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe
D:\WINDOWS\System32\wbem\wmiprvse.exe
 
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - D:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - D:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar2.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - D:\WINDOWS\System32\pfimsfnm.dll
O4 - HKLM\..\Run: [012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MSConfig] D:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [runner1] D:\WINDOWS\mrofinu1239.exe 61A847B5BBF72813309831466188719AB689201522886B092CBD44BD8689220221DD3257
O4 - HKLM\..\RunServices: [Topic lnternat] lnternat.exe
O4 - HKLM\..\RunOnce: [*Restore] D:\WINDOWS\system32\restore\rstrui.exe -c
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [WinAble] D:\Program Files\WinAble\winable.exe
O4 - HKCU\..\Run: [swg] D:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [Spyware Doctor]  (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Windows update loader] C:\Windows\xpupdate.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [SpyMarshal] C:\Program Files\SpyMarshal\SpyMarshal.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Rmns] "D:\WINDOWS\WNSXS~1\nslookup.exe" -vt yazb (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Spyware Doctor]  (User 'Default user')
O4 - Startup: AutorunsDisabled
O8 - Extra context menu item: Download All Links with IDM - D:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - D:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://D:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://D:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://D:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://D:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - D:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1129663471703
O17 - HKLM\System\CCS\Services\Tcpip\..\{5B26C87F-59B7-4A37-BC34-18541039DCD6}: NameServer = 85.255.113.138,85.255.112.203
O17 - HKLM\System\CCS\Services\Tcpip\..\{63E9F614-CDC7-413F-B010-05F431CB3051}: NameServer = 85.255.113.138,85.255.112.203
O17 - HKLM\System\CCS\Services\Tcpip\..\{F6189C5B-10E4-47B8-864B-F3E27C884D16}: NameServer = 85.255.113.138,85.255.112.203
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.138 85.255.112.203
O20 - AppInit_DLLs: svchost.dll  
O21 - SSODL: msindeo.dll - {7ACB5731-5839-13AB-EABC-124791194525} - D:\WINDOWS\System32\msindeo.dll
O23 - Service: DomainService - Unknown owner - D:\WINDOWS\System32\pluthctb.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: License Management Service ESD - element5 - D:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - D:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZoneLabs\vsmon.exe
O24 - Desktop Component 0: (no name) - (no file)
O24 - Desktop Component 1: www.BUSTY.pl - Slim & Big Busted - http://www.busty.pl/
O24 - Desktop Component 2: Sandee Westgate official website!! Welcome to the Ultimate site of Playboy model gone bad, Sandee Westgate! Lesbian Pornstar featured in CLUB, Hustler, CHERI, Playboy and more!!! See sandee with hotties like, Crissy Moran, Lanni Barbie, Mercedez, Tera Pat - http://www.sandeewestgate.com/
O24 - Desktop Component 3: bOObs.pl - 100% Exclusive boobs from Poland - http://www.big.boobs.pl/tour01.htm
O24 - Desktop Component 4: bluestripephoto.com - http://www.bluestripephoto.com/catalog/advanced_search_result.php?osCsid=63f5f5de83a85a571d74cc274bc702c6&keywords=Canon+EX+580+Flash&osCsid=63f5f5de83a85a571d74cc274bc702c6&x=14&y=10
O24 - Desktop Component 5: (no name) - http://store.directauto.com/jegrch196pif.html
 
--
End of file - 7281 bytes


0
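A first-pass triage of a HijackThis log of the kind IndiGenus reads below, as an added example; this is not code from the thread and not part of HijackThis. It pulls out the entry types the experts single out (Run entries in the SYSTEM/Default profile, static NameServer overrides, AppInit_DLLs, SSODL entries, missing files, bare filenames resolved via the search path, oversized entry names) and applies a crude name-shape heuristic of this example's own to flag eight-letter, nearly vowel-free file names. The SAMPLE_LOG is a subset of the log posted above; the heuristics only point at lines worth a closer look, nothing here decides what is malicious.

```python
"""Triage a HijackThis log for the entry types discussed in this thread.
Added example, not part of the original thread or of HijackThis; heuristics
are this example's own.  SAMPLE_LOG is a subset of the log posted above."""
import re
from collections import Counter
from typing import Dict, List, Tuple

SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar2.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - D:\WINDOWS\System32\pfimsfnm.dll
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunServices: [Topic lnternat] lnternat.exe
O4 - HKUS\S-1-5-18\..\Run: [Windows update loader] C:\Windows\xpupdate.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Rmns] "D:\WINDOWS\WNSXS~1\nslookup.exe" -vt yazb (User 'SYSTEM')
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.138 85.255.112.203
O20 - AppInit_DLLs: svchost.dll
O21 - SSODL: msindeo.dll - {7ACB5731-5839-13AB-EABC-124791194525} - D:\WINDOWS\System32\msindeo.dll
O23 - Service: DomainService - Unknown owner - D:\WINDOWS\System32\pluthctb.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZoneLabs\vsmon.exe
O24 - Desktop Component 5: (no name) - http://store.directauto.com/jegrch196pif.html
""".strip().splitlines()

# Windows paths ending in an executable/DLL; spaces allowed, quotes end a path.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]+?\.(?:dll|exe|ocx)\b', re.I)
# O4 lines: hive, [entry name], target, optional trailing (User '...') tag.
O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>.*?)\] ?(?P<target>.*?)"
                   r"(?: \(User '(?P<user>[^']*)'\))?$")
VOWELS = set("aeiou")

Finding = Tuple[str, str, str]  # (reason, HJT section code, log line)


def looks_random(path: str) -> bool:
    """Crude generated-name check: stem of exactly 8 lowercase letters, at most one vowel."""
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    return (len(stem) == 8 and stem.isalpha() and stem.islower()
            and sum(c in VOWELS for c in stem) <= 1)


def triage(lines: List[str]) -> List[Finding]:
    """Return one finding per heuristic hit; a line can produce several."""
    findings: List[Finding] = []
    for raw in lines:
        line = raw.strip()
        m = re.match(r"^([RFNO]\d+) - ", line)
        if not m:
            continue
        code = m.group(1)
        if "(file missing)" in line:
            findings.append(("registered file is missing", code, line))
        if code == "O4":
            o4 = O4_RE.match(line)
            if o4:
                target = o4.group("target").strip()
                if o4.group("user") in ("SYSTEM", "Default user"):
                    findings.append(("Run entry in SYSTEM/Default profile", code, line))
                if len(o4.group("name")) > 60:
                    findings.append(("oversized entry name", code, line))
                if target and not target.startswith('"') and not re.match(r"^[A-Za-z]:\\", target):
                    findings.append(("bare filename, resolved via search path", code, line))
        elif code == "O17":
            ips = re.findall(r"\d+\.\d+\.\d+\.\d+", line)
            findings.append(("DNS servers set statically: " + " ".join(ips), code, line))
        elif code == "O20" and "AppInit_DLLs:" in line and line.split("AppInit_DLLs:", 1)[1].strip():
            findings.append(("AppInit_DLLs loads into every process that uses user32", code, line))
        elif code == "O21":
            findings.append(("ShellServiceObjectDelayLoad entry", code, line))
        elif code == "O24" and "http" in line:
            findings.append(("active desktop component pulls web content", code, line))
        for path in PATH_RE.findall(line):
            if looks_random(path):
                findings.append(("pseudo-random file name: " + path, code, line))
    return findings


def summary(findings: List[Finding]) -> Dict[str, int]:
    """Number of findings per HJT section code."""
    return dict(Counter(code for _, code, _ in findings))


if __name__ == "__main__":
    for reason, code, line in triage(SAMPLE_LOG):
        print(f"[{code}] {reason}\n    {line}")
```

Run against the sample, the static NameServer line, the AppInit_DLLs value, the SSODL entry, the SYSTEM-profile Run entries, the bare "lnternat.exe" and the three eight-letter names (pfimsfnm, pluthctb, plus the missing service binary) all surface, while the Google toolbar, QuickTime and ZoneAlarm lines pass through. The name heuristic is deliberately narrow (exactly eight letters) so that common system binaries such as userinit, winlogon and ctfmon are not flagged.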
IndiGenus commented:
Oh boy, you are still VERY heavily infected. I see backdoor trojans and bots, Vundo/Conhook, Wareout, Purity Scan, and who knows what else is here (I can also see you have some stuff disabled with msconfig; don't enable it, by the way, we can get it with a CFScript).

This is going to be a fun one. Here is what I suggest you start with...

Download SDFix (by Andy Manchesta) and save it to your Desktop.
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Double click on SDFix.exe. It should automatically extract a folder called SDFix to your system drive (usually C:\). Please reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

Open the SDFix folder and double click on RunThis.bat to start the script.
Type Y and press Enter to begin the script.
It will start cleaning your PC and then prompt you to press any key to Reboot.
Press any key to restart the PC.
Your system will take longer than normal to restart as the fixtool will be removing files.
When the desktop loads the Fixtool will complete the removal and display Finished.
Press any key to end the script and to load your desktop icons.

A text file should automatically open.
Please do not post the log into the comment window. Use "Attach File" under the comment window to post the log.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Download and Run ComboFix (by sUBs) You must run it directly from your Desktop.

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Disable your Anti-virus and any real-time Anti-spyware monitors that are running.
Then double click Combofix.exe & follow the prompts.
When finished, it will produce a log for you. Upload that log in your next reply with a new HijackThis log.  

Please do not post the log into the comment window. Use "Attach File" under the comment window to post the log.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall.
Note 2: Remember to re-enable your Anti-virus and Anti-spyware.

NOTE: If you have issues connecting to your network or internet after running ComboFix you can either simply reboot, or do the following:
* Go to Control Panel > Network Connections.
* Right-click on the Network icon & select "Repair"
or
Alternatively, if the Network icon appears in the notification area in the lower right corner of the Desktop, right-click it, and then click Repair from the shortcut menu.

PLEASE ALSO NOTE: Combofix will typically fix most and sometimes all Malware entries but many times a script is also needed to finish cleaning up. So please keep CF until advised whether you need the script or not.
0
xdr56tfc (Author) commented:

Just quickly, don't forget that I cannot see anything on or in my desktop. I can't bring up the Desktop menu or Properties or anything. If it were not for the Task Manager and my Win Word Shortcut Bar I would be dead in the water. Thanks, Xdr56tfc

0
xdr56tfc (Author) commented:


I should add the File Manager; I can also open Restore now, so I set a Restore Point every two days.   Thanks,  xdr56tfc  
0
IndiGenus commented:
My hope is SDFix will bring some (or even most/all) of it back. No guarantees but that's why it's first here...

I am not surprised how damaged this machine is. You may even want to consider a format and re-install of the OS. Many experts would agree with this in this case. I usually don't recommend going that way unless the machine is seriously compromised, but this one is! I'll do my best to help though...
0
IndiGenus commented:
Also, if you can get through SDFix and get to combofix you may want to run CF with the killall switch here.

Making sure you have placed ComboFix.exe on your desktop, go to Start -> Run..., and copy/paste the following. Then click OK or hit your enter key.

"%userprofile%\desktop\ComboFix.exe" /KillAll

This will start ComboFix, stopping almost all processes.
0
xdr56tfc (Author) commented:

Response #4

Pardon me, I mean the File Monitor; I wish I could open the File Manager. I use it a lot, but I didn't realize how lost I would be without it. By the way, do you know of a program that works as well? I downloaded Explorer XP and it's nearly worthless. xdr56tfc

0
xdr56tfc (Author) commented:

Response #5

I agree, I do not want to reformat unless it is absolutely necessary. I could have done that a long time ago. Luckily I have all of my created and downloaded material on an external drive. I will start working on your suggestions as soon as possible; that sure is a mouthful. Another thing, this is how I learn. Xdr56tfc
0
xdr56tfc (Author) commented:

Response #6

OK here they come. SDFix did not create a log, but ComboFix did. The attachment of that file looks like it did not load so I will send it as a Snippet. It is a huge file, I hope it is complete. I will send the new HijackThis log in a new comment. I have a lot of porn pop-ups coming up; I hope this stops it. The Desktop is working again, but not 100% yet; Explorer is working!! Here I am working on my computer at 2:00 in the morning! When things are starting to happen I can't stop. Thanks, it looks like we're getting there. xdr56tfc

ComboFix 08-02-11.2 - Phil Wirth 2008-02-11  1:46:30.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.1.1252.1.1033.18.1676 [GMT -8:00]
Running from: D:\Documents and Settings\Phil Wirth\Desktop\ComboFix.exe
 * Created a new restore point
 
[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
.
 
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
 
D:\WINDOWS\system32\awvtq.dll
D:\WINDOWS\system32\fccdeee.dll
D:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
D:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
D:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
D:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
D:\Documents and Settings\Phil Wirth\Start Menu\Programs\ChristmasPorn
D:\Documents and Settings\Phil Wirth\Start Menu\Programs\ChristmasPorn\Uninstall.lnk
D:\Documents and Settings\Phil Wirth\Start Menu\Programs\Internet Speed Monitor
D:\Documents and Settings\Phil Wirth\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk
D:\Documents and Settings\Phil Wirth\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk
D:\Program Files\ChristmasPorn
D:\Program Files\ChristmasPorn\Uninstall.exe
D:\Program Files\folder.js
D:\Program Files\ISM
D:\Program Files\ISM\BndDrive.dll
D:\Program Files\ISM\BndDrive2.dll
D:\Program Files\ISM\BndDrive3.dll
D:\Program Files\ISM\BndDrive7.dll
D:\Program Files\ISM\bndloader.exe
D:\Program Files\ISM\dictionary.gz
D:\Program Files\ISM\ism.exe
D:\Program Files\ISM\kazooupd.exe
D:\Program Files\ISM\syncupd.exe
D:\Program Files\ISM\targets.gz
D:\Program Files\ISM\Uninstall.exe
D:\Program Files\Microsoft Security Adviser
D:\Program Files\QdrModule
D:\Program Files\QdrPack
D:\Program Files\Temporary
D:\Program Files\video activex access
D:\Program Files\WinAble
D:\Program Files\WinBudget
D:\WINDOWS\cookies.ini
D:\WINDOWS\system32\abdiuitn.ini
D:\WINDOWS\system32\awtqgazp.dllbox
D:\WINDOWS\System32\awvtq.dll
D:\WINDOWS\system32\bylslnkf.dll
D:\WINDOWS\system32\Cache
D:\WINDOWS\system32\config\system~1\applic~1\install.dat
D:\WINDOWS\system32\faewqsoi.ini
D:\WINDOWS\system32\fccdeee.dll
D:\WINDOWS\system32\fhuusxwu.dll
D:\WINDOWS\system32\gmrhspob.exe
D:\WINDOWS\system32\gtplwcow.ini
D:\WINDOWS\system32\iwctsmcp.exe
D:\WINDOWS\system32\kfqceyvq.exe
D:\WINDOWS\system32\mcrh.tmp
D:\WINDOWS\system32\nqwrugod.dllbox
D:\WINDOWS\system32\nrvspuck.exe
D:\WINDOWS\system32\pfimsfnm.dllbox
D:\WINDOWS\system32\qdshrvax.dll
D:\WINDOWS\system32\qtvwa.ini
D:\WINDOWS\system32\qtvwa.ini2
D:\WINDOWS\system32\reflbynu.exe
D:\WINDOWS\system32\srlbbadg.exe
D:\WINDOWS\system32\twfdqofv.dllbox
D:\WINDOWS\system32\ubxasvvl.dll
D:\WINDOWS\wnsxs~1
D:\WINDOWS\wnsxs~1\W?nSxS\
 
----- BITS: Possible infected sites -----
 
hxxp://80.93.48.74
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
 
.
-------\LEGACY_DOMAINSERVICE
-------\DomainService
 
 
(((((((((((((((((((((((((   Files Created from 2008-01-11 to 2008-02-11  )))))))))))))))))))))))))))))))
.
 
2008-02-11 01:31 . 2001-08-23 04:00	375,808	--a------	D:\kmd.exe
2008-02-11 00:52 . 2008-02-11 00:52	<DIR>	d--------	D:\WINDOWS\system32\bits
2008-02-11 00:52 . 2008-02-11 00:52	<DIR>	d--h-----	D:\WINDOWS\$hf_mig$
2008-02-11 00:52 . 2005-02-24 19:35	22,752	--a------	D:\WINDOWS\system32\spupdsvc.exe
2008-02-11 00:10 . 2008-02-11 00:10	<DIR>	d--------	D:\WINDOWS\ERUNT
2008-02-10 23:30 . 2008-02-11 00:15	<DIR>	d--------	D:\SDFix
2008-02-10 15:33 . 2008-02-10 15:33	<DIR>	d--------	D:\Program Files\Trend Micro
2008-02-10 05:32 . 2008-02-10 12:03	54,156	--ah-----	D:\WINDOWS\QTFont.qfn
2008-02-10 05:32 . 2008-02-10 05:32	1,409	--a------	D:\WINDOWS\QTFont.for
 
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-11 09:30	---------	d-----w	D:\Program Files\Thumbs6
2008-01-15 18:58	---------	d-----w	D:\Program Files\ExplorerXP
2008-01-15 18:52	---------	d-----w	D:\Documents and Settings\Phil Wirth\Application Data\ThumbsPlus
2008-01-15 18:13	---------	d-----w	D:\Program Files\File-Saver
2008-01-06 11:17	---------	d-----w	D:\Documents and Settings\Phil Wirth\Application Data\Canon
2008-01-03 03:52	---------	d-----w	D:\Documents and Settings\Phil Wirth\Application Data\MailFrontier
2007-12-22 00:27	70,600	----a-w	D:\Documents and Settings\Phil Wirth\Application Data\GDIPFONTCACHEV1.DAT
2007-12-18 08:51	9,778,976	--sha-w	D:\WINDOWS\system32\drivers\fidbox.dat
2007-12-18 08:37	2,182,306	----a-w	D:\WINDOWS\Internet Logs\tvDebug.zip
2007-12-18 08:37	19,232	--sha-w	D:\WINDOWS\system32\drivers\fidbox2.dat
2007-12-17 21:24	---------	d-----w	D:\Program Files\PC Tools AntiVirus
2007-12-17 10:33	5,888	--sha-w	D:\WINDOWS\system32\drivers\fidbox.idx
2007-12-17 10:33	2,816	--sha-w	D:\WINDOWS\system32\drivers\fidbox2.idx
2007-12-17 06:03	3,138,048	----a-w	D:\WINDOWS\Internet Logs\xDB1.tmp
2007-12-17 06:03	1,967,104	----a-w	D:\WINDOWS\Internet Logs\xDB2.tmp
2007-12-17 04:04	---------	d-----w	D:\Documents and Settings\All Users\Application Data\MailFrontier
2007-11-23 11:07	9,665	----a-w	D:\Documents and Settings\Phil Wirth\xrt_log.dat
2007-11-15 00:05	75,248	----a-w	D:\WINDOWS\zllsputility.exe
2007-10-29 22:47	6,987	----a-w	D:\Documents and Settings\Phil Wirth\xrt_collect.zip
2005-05-14 00:12	217,073	--sha-r	D:\WINDOWS\meta4.exe
2005-10-24 18:13	66,560	--sha-r	D:\WINDOWS\MOTA113.exe
2005-10-14 04:27	422,400	--sha-r	D:\WINDOWS\x2.64.exe
2005-10-08 02:14	308,224	--sha-r	D:\WINDOWS\system32\avisynth.dll
2005-07-14 19:31	27,648	--sha-r	D:\WINDOWS\system32\AVSredirect.dll
2005-06-26 22:32	616,448	--sha-r	D:\WINDOWS\system32\cygwin1.dll
2005-06-22 05:37	45,568	--sha-r	D:\WINDOWS\system32\cygz.dll
2004-01-25 07:00	70,656	--sha-r	D:\WINDOWS\system32\i420vfw.dll
2006-04-27 17:24	2,945,024	--sha-r	D:\WINDOWS\system32\Smab.dll
2005-02-28 20:16	240,128	--sha-r	D:\WINDOWS\system32\x.264.exe
2005-10-13 22:39	341,953	--sha-w	D:\WINDOWS\system32\xycdd.bak1
2006-02-28 21:30	447,758	--sha-w	D:\WINDOWS\system32\xycdd.bak2
2004-01-25 07:00	70,656	--sha-r	D:\WINDOWS\system32\yv12vfw.dll
.
 
(((((((((((((((((((((((((((((((((((((((((((((   AWF   ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
 
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4e82b124-bb1b-4e4a-8173-ab75e3972144}]
			D:\WINDOWS\System32\rqjxarkd.dll
 
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7ACB5731-5839-13AB-EABC-124791194525}]
2008-02-10 15:28	12800	--a------	D:\WINDOWS\System32\msindeo.dll
 
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2007-12-02 02:11	145984	--a------	D:\WINDOWS\system32\pfimsfnm.dll
 
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="D:\WINDOWS\System32\ctfmon.exe" [2002-08-28 15:41 13312]
"swg"="D:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-01-27 14:36 171448]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"x"="" []
"QuickTime Task"="D:\Program Files\QuickTime\qttask.exe" [2006-09-01 15:57 282624]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Topic lnternat"="lnternat.exe" []
 
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Spyware Doctor"="" []
"SpyMarshal"="C:\Program Files\SpyMarshal\SpyMarshal.exe" [2006-12-27 12:31 431616]
"Rmns"="D:\WINDOWS\WNSXS~1\nslookup.exe" [ ]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"msindeo.dll"= {7ACB5731-5839-13AB-EABC-124791194525} - D:\WINDOWS\System32\msindeo.dll [2008-02-10 15:28 12800]
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pfimsfnm]
pfimsfnm.dll 2007-12-02 02:11 145984 D:\WINDOWS\system32\pfimsfnm.dll
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}]
D:\WINDOWS\System32\RECOVER32.DLL
 
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders	msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, ntoskrnl.dll
 
[HKLM\~\startupfolder\D:^Documents and Settings^Phil Wirth^Start Menu^Programs^Startup^Epson printer Registration.lnk]
path=D:\Documents and Settings\Phil Wirth\Start Menu\Programs\Startup\Epson printer Registration.lnk
backup=D:\WINDOWS\pss\Epson printer Registration.lnkStartup
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\[u]0[/u]4804b20]
D:\WINDOWS\System32\ntiuidba.dll
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2002-08-28 15:41 13312 D:\WINDOWS\System32\ctfmon.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dmmnl.exe]
D:\WINDOWS\System32\dmmnl.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus C88 Series]
D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Launch Ai Booster]
D:\Program Files\ASUS\Ai Booster\OverClk.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCTAVApp]
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunServer]
--a------ 2007-12-17 22:44 290816 D:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2006-11-08 19:23 185896 D:\Program Files\Common Files\Real\Update_OB\realsched.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Topic lnternat]
 
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2006-11-30 21:49 4662776 D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WZCSVC"=2 (0x2)
"SDhelper"=2 (0x2)
 
R2 SMTPSVC;Simple Mail Transfer Protocol (SMTP);D:\WINDOWS\System32\inetsrv\inetinfo.exe [2001-08-23 04:00]
 
 
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{52562D43-4f4d-5055-5445-5252562D434f}]
D:\WINDOWS\System32\ahuy.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-01-08 03:30:00 D:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- D:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-10 08:00:00 D:\WINDOWS\Tasks\At1.job"
- D:\WINDOWS\System32\2QxDlnoD.exe
"2008-01-24 17:00:00 D:\WINDOWS\Tasks\At10.job"
- D:\WINDOWS\System32\2QxDlnoD.exe
"2008-01-24 18:00:00 D:\WINDOWS\Tasks\At11.job"
- D:\WINDOWS\System32\2QxDlnoD.exe
"2008-02-07 19:00:00 D:\WINDOWS\Tasks\At12.job"
- D:\WINDOWS\System32\2QxDlnoD.exe
"2008-02-10 20:00:00 D:\WINDOWS\Tasks\At13.job"
- D:\WINDOWS\System32\2QxDlnoD.exe
"2008-02-10 21:00:00 D:\WINDOWS\Tasks\At14.job"
- D:\WINDOWS\System32\2QxDlnoD.exe
"2008-02-10 22:00:00 D:\WINDOWS\Tasks\At15.job"
- D:\WINDOWS\System32\2QxDlnoD.exe
"2008-02-10 23:00:00 D:\WINDOWS\Tasks\At16.job"
- D:\WINDOWS\System32\2QxDlnoD.exe
"2008-02-11 00:00:00 D:\WINDOWS\Tasks\At17.job"
- D:\WINDOWS\System32\2QxDlnoD.exe
"2008-02-11 01:00:00 D:\WINDOWS\Tasks\At18.job"
- D:\WINDOWS\System32\2QxDlnoD.exe
"2008-02-11 02:00:00 D:\WINDOWS\Tasks\At19.job"
- D:\WINDOWS\System32\2QxDlnoD.exe
"2008-02-11 09:00:29 D:\WINDOWS\Tasks\At2.job"
- D:\WINDOWS\System32\2QxDlnoD.exe
"2008-02-11 03:00:00 D:\WINDOWS\Tasks\At20.job"
- D:\WINDOWS\System32\2QxDlnoD.exe
"2008-02-11 04:00:00 D:\WINDOWS\Tasks\At21.job"
- D:\WINDOWS\System32\2QxDlnoD.exe
"2008-02-11 05:00:00 D:\WINDOWS\Tasks\At22.job"
- D:\WINDOWS\System32\2QxDlnoD.exe
"2008-02-11 06:00:00 D:\WINDOWS\Tasks\At23.job"
- D:\WINDOWS\System32\2QxDlnoD.exe
"2008-02-11 07:00:00 D:\WINDOWS\Tasks\At24.job"
- D:\WINDOWS\System32\2QxDlnoD.exe
"2008-02-10 10:00:00 D:\WINDOWS\Tasks\At3.job"
- D:\WINDOWS\System32\2QxDlnoD.exe
"2008-02-10 11:00:00 D:\WINDOWS\Tasks\At4.job"
- D:\WINDOWS\System32\2QxDlnoD.exe
"2008-02-10 12:00:00 D:\WINDOWS\Tasks\At5.job"
- D:\WINDOWS\System32\2QxDlnoD.exe
"2008-02-10 13:00:00 D:\WINDOWS\Tasks\At6.job"
- D:\WINDOWS\System32\2QxDlnoD.exe
"2008-02-08 14:00:00 D:\WINDOWS\Tasks\At7.job"
- D:\WINDOWS\System32\2QxDlnoD.exe
"2008-01-24 15:00:00 D:\WINDOWS\Tasks\At8.job"
- D:\WINDOWS\System32\2QxDlnoD.exe
"2008-01-24 16:00:00 D:\WINDOWS\Tasks\At9.job"
- D:\WINDOWS\System32\2QxDlnoD.exe
.
**************************************************************************
 
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-11 01:51:37
Windows 5.1.2600 Service Pack 1 NTFS
 
scanning hidden processes ... 
 
scanning hidden autostart entries ...
 
scanning hidden files ... 
 
scan completed successfully 
hidden files: 0 
 
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
 
PROCESS: D:\WINDOWS\system32\winlogon.exe
-> D:\WINDOWS\system32\pfimsfnm.dll
 
PROCESS: D:\WINDOWS\explorer.exe [6.00.2800.1106]
-> D:\WINDOWS\system32\pfimsfnm.dll
.
------------------------ Other Running Processes ------------------------
.
D:\WINDOWS\System32\snmp.exe
D:\WINDOWS\System32\wdfmgr.exe
.
**************************************************************************
.
Completion time: 2008-02-11  1:53:27 - machine was rebooted [Phil Wirth]
ComboFix-quarantined-files.txt  2008-02-11 09:53:23
.
2008-02-11 08:53:01	--- E O F ---  


0
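The "Scheduled Tasks" section of the ComboFix log above lists twenty-four At*.job entries, one per hour, all running the same binary under System32. The following added example (not code from the thread and not part of ComboFix) parses that section, groups jobs by the program they run and reports any program scheduled by several jobs, noting when every one of them is an At*.job, the name the at.exe scheduler assigns rather than a name a user or installer chose. SAMPLE_TASKS is a subset of the section posted above.

```python
"""Group the 'Scheduled Tasks' section of a ComboFix log by the program each
job runs.  Added example, not part of the original thread or of ComboFix;
SAMPLE_TASKS is a subset of the section posted above."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

SAMPLE_TASKS = r"""
Contents of the 'Scheduled Tasks' folder
"2008-01-08 03:30:00 D:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- D:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-10 08:00:00 D:\WINDOWS\Tasks\At1.job"
- D:\WINDOWS\System32\2QxDlnoD.exe
"2008-02-10 10:00:00 D:\WINDOWS\Tasks\At3.job"
- D:\WINDOWS\System32\2QxDlnoD.exe
"2008-02-10 11:00:00 D:\WINDOWS\Tasks\At4.job"
- D:\WINDOWS\System32\2QxDlnoD.exe
"2008-02-10 12:00:00 D:\WINDOWS\Tasks\At5.job"
- D:\WINDOWS\System32\2QxDlnoD.exe
"2008-02-10 13:00:00 D:\WINDOWS\Tasks\At6.job"
- D:\WINDOWS\System32\2QxDlnoD.exe
.
""".strip().splitlines()

# A job line: "<timestamp> <path to .job>" in double quotes; the next line,
# starting with "- ", names the program the job runs.
JOB_RE = re.compile(r'^"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (.+?\.job)"$')

Job = Tuple[str, str, str]  # (job file, timestamp as printed, target program)


def parse_tasks(lines: List[str]) -> List[Job]:
    """Pair each quoted job line with the '- target' line that follows it."""
    jobs: List[Job] = []
    pending = None
    for raw in lines:
        line = raw.strip()
        m = JOB_RE.match(line)
        if m:
            pending = (m.group(2), m.group(1))
            continue
        if pending and line.startswith("- "):
            jobs.append((pending[0], pending[1], line[2:].strip()))
            pending = None
    return jobs


def group_by_target(jobs: List[Job]) -> Dict[str, List[str]]:
    """Map each target program (lower-cased path) to the job files that run it."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for job, _, target in jobs:
        groups[target.lower()].append(job)
    return dict(groups)


def suspicious_targets(jobs: List[Job], min_jobs: int = 3) -> List[Tuple[str, int, bool]]:
    """Targets run by at least min_jobs jobs: (target, job count, all jobs are At<n>.job)."""
    out = []
    for target, names in group_by_target(jobs).items():
        if len(names) < min_jobs:
            continue
        at_jobs = sum(1 for n in names if re.search(r"\\At\d+\.job$", n, re.I))
        out.append((target, len(names), at_jobs == len(names)))
    return out


if __name__ == "__main__":
    parsed = parse_tasks(SAMPLE_TASKS)
    for target, count, all_at in suspicious_targets(parsed):
        tag = " (all At*.job entries)" if all_at else ""
        print(f"{count} jobs run {target}{tag}")
```

The threshold of three jobs is arbitrary; a single update job per product, such as the Apple one here, is normal, whereas one binary behind a full day's worth of hourly At jobs is the pattern a reviewer wants to see at a glance.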
xdr56tfc (Author) commented:

Response #7

Here is the Hijack This file.  This file is much bigger than the last Hijack This file.    xdr56tfc



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:22:14 AM, on 2/11/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
 
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\csrss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\System32\alg.exe
D:\WINDOWS\System32\inetsrv\inetinfo.exe
D:\WINDOWS\System32\snmp.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\wdfmgr.exe
D:\WINDOWS\System32\ctfmon.exe
D:\WINDOWS\explorer.exe
D:\WINDOWS\System32\wuauclt.exe
D:\WINDOWS\system32\notepad.exe
D:\Documents and Settings\Phil Wirth\Desktop\MSOFFICE.EXE
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\Microsoft Office\Office10\WINWORD.EXE
D:\WINDOWS\msagent\AgentSvr.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe
D:\WINDOWS\System32\wbem\wmiprvse.exe
 
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - D:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - D:\PROGRA~1\FRESHD~1\FRESHD~1\fdcatch.dll
O2 - BHO: {4412793e-57ba-3718-a4e4-b1bb421b28e4} - {4e82b124-bb1b-4e4a-8173-ab75e3972144} - D:\WINDOWS\System32\rqjxarkd.dll (file missing)
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - D:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: (no name) - {7ACB5731-5839-13AB-EABC-124791194525} - D:\WINDOWS\System32\msindeo.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - D:\WINDOWS\system32\pfimsfnm.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar2.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - D:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - D:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - D:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - D:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar2.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - D:\WINDOWS\system32\pfimsfnm.dll
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunServices: [Topic lnternat] lnternat.exe
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [swg] D:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [Spyware Doctor]  (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [SpyMarshal] C:\Program Files\SpyMarshal\SpyMarshal.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Rmns] "D:\WINDOWS\WNSXS~1\nslookup.exe" -vt yazb (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Spyware Doctor]  (User 'Default user')
O4 - Startup: AutorunsDisabled
O8 - Extra context menu item: Download All Links with IDM - D:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - D:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://D:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://D:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://D:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://D:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - D:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1129663471703
O17 - HKLM\System\CCS\Services\Tcpip\..\{5B26C87F-59B7-4A37-BC34-18541039DCD6}: NameServer = 85.255.113.138,85.255.112.203
O17 - HKLM\System\CCS\Services\Tcpip\..\{63E9F614-CDC7-413F-B010-05F431CB3051}: NameServer = 85.255.113.138,85.255.112.203
O17 - HKLM\System\CCS\Services\Tcpip\..\{F6189C5B-10E4-47B8-864B-F3E27C884D16}: NameServer = 85.255.113.138,85.255.112.203
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.138 85.255.112.203
O20 - Winlogon Notify: pfimsfnm - D:\WINDOWS\SYSTEM32\pfimsfnm.dll
O20 - Winlogon Notify: {BC84DF00-BC38-9902-8082-6FCBF2D87A0B} - D:\WINDOWS\System32\RECOVER32.DLL (file missing)
O21 - SSODL: msindeo.dll - {7ACB5731-5839-13AB-EABC-124791194525} - D:\WINDOWS\System32\msindeo.dll
O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: License Management Service ESD - element5 - D:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - D:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZoneLabs\vsmon.exe
O24 - Desktop Component 0: (no name) - (no file)
O24 - Desktop Component 1: www.BUSTY.pl - Slim & Big Busted - http://www.busty.pl/
O24 - Desktop Component 2: Sandee Westgate official website!! Welcome to the Ultimate site of Playboy model gone bad, Sandee Westgate! Lesbian Pornstar featured in CLUB, Hustler, CHERI, Playboy and more!!! See sandee with hotties like, Crissy Moran, Lanni Barbie, Mercedez, Tera Pat - http://www.sandeewestgate.com/
O24 - Desktop Component 3: bOObs.pl - 100% Exclusive boobs from Poland - http://www.big.boobs.pl/tour01.htm
O24 - Desktop Component 4: bluestripephoto.com - http://www.bluestripephoto.com/catalog/advanced_search_result.php?osCsid=63f5f5de83a85a571d74cc274bc702c6&keywords=Canon+EX+580+Flash&osCsid=63f5f5de83a85a571d74cc274bc702c6&x=14&y=10
O24 - Desktop Component 5: (no name) - http://store.directauto.com/jegrch196pif.html
 
--
End of file - 7159 bytes


0
xdr56tfcAuthor Commented:

Response #8

I have a big porn page on my Desktop that almost fills the screen, and I cannot get rid of it.   It's called Polish Big Boobs; I like Boobs, but I like to be able to control them.   I also have a tool bar that keeps coming up on Internet Explorer called "Security Toolbar 7.1"; I can close it, but every time I open a new page on IE it's back again.   Maybe you can find them on these logs that I'm sending.   Now it's 3:00, and that's it.   xdr56tfc
0
IndiGenusCommented:
I know you are trying to help by giving me detailed descriptions of what you are seeing, but it's not needed. I can tell simply by your logs that you are infected and will be getting all kinds of nasty stuff until we can clean this up.

1. Open Notepad.

2. Now copy/paste the text between the lines below into the Notepad window:

---------------------------------------------------------------------------------------------------------------

File::
D:\WINDOWS\System32\rqjxarkd.dll
D:\WINDOWS\System32\msindeo.dll
D:\WINDOWS\system32\pfimsfnm.dll
D:\WINDOWS\System32\RECOVER32.DLL
C:\WINDOWS\SYSTEM32\ntoskrnl.dll
D:\WINDOWS\System32\ntiuidba.dll
D:\WINDOWS\System32\dmmnl.exe      

Folder::
C:\Program Files\SpyMarshal
D:\WINDOWS\WNSXS~1

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4e82b124-bb1b-4e4a-8173-ab75e3972144}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7ACB5731-5839-13AB-EABC-124791194525}]      
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"x"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Topic lnternat"=-
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"SpyMarshal"=-
"Rmns"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"msindeo.dll"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pfimsfnm]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\04804b20]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dmmnl.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Topic lnternat]

---------------------------------------------------------------------------------------------------------------

3. Save the above as CFScript.txt on your desktop.

4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.

5. After reboot, (in case it asks to reboot), please upload the following reports/logs.

-Combofix.txt
-A new HijackThis log
0
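The fix list above maps each removal back to a class of HijackThis entry: a BHO whose DLL is missing, unnamed BHOs in System32, the O17 NameServer overrides, the O20/O21 load points, and autoruns living in the SYSTEM profile or the obsolete RunServices key. The script below is an added example and is not code from this thread, from HijackThis or from ComboFix; it applies those same triage rules to constructed log lines that copy the shape of the logs posted here, and the "expected resolver" address is a constructed assumption.

```python
"""Triage a HijackThis-style log for the indicator classes seen in this thread.

Added example; not code from the thread, HijackThis or ComboFix. The lines in
SAMPLE_LOG are constructed for the example and only copy the shape of the
thread's logs.
"""
import re

# Resolvers this machine is supposed to use. Constructed assumption for the
# example; on a real box take the values from the router/ISP configuration.
EXPECTED_NAMESERVERS = {"192.168.1.1"}

IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
SECTION_RE = re.compile(r"^([ROF]\d+) - ")

# Constructed sample log (same entry shapes as the thread's HijackThis output).
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: {4412793e-57ba-3718-a4e4-b1bb421b28e4} - {4e82b124-bb1b-4e4a-8173-ab75e3972144} - D:\WINDOWS\System32\rqjxarkd.dll (file missing)
O2 - BHO: (no name) - {7ACB5731-5839-13AB-EABC-124791194525} - D:\WINDOWS\System32\msindeo.dll
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunServices: [Topic lnternat] lnternat.exe
O4 - HKUS\S-1-5-18\..\Run: [Rmns] "D:\WINDOWS\WNSXS~1\nslookup.exe" -vt yazb (User 'SYSTEM')
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.138 85.255.112.203
O20 - Winlogon Notify: pfimsfnm - D:\WINDOWS\SYSTEM32\pfimsfnm.dll
O21 - SSODL: msindeo.dll - {7ACB5731-5839-13AB-EABC-124791194525} - D:\WINDOWS\System32\msindeo.dll
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZoneLabs\vsmon.exe
O24 - Desktop Component 1: constructed example - http://example.invalid/
"""


def triage(log_text, expected_ns=EXPECTED_NAMESERVERS):
    """Return [(section, line, [reason, ...]), ...] for entries worth review.

    Every rule here is a "look at this" heuristic, not proof of infection;
    the analyst still decides what goes into the fix script.
    """
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if not m:
            continue  # header, process list or blank line
        section = m.group(1)
        reasons = []

        # Any entry still registered for a file that is gone is a leftover
        # of something that was removed (or hides from the file system).
        if "(file missing)" in line:
            reasons.append("registered file no longer exists")

        # Unnamed BHOs are rare for legitimate software.
        if section == "O2" and "(no name)" in line:
            reasons.append("unnamed browser helper object")

        # O17: DNS resolvers the machine will trust for every lookup.
        if section == "O17":
            rogue = [ip for ip in IPV4_RE.findall(line) if ip not in expected_ns]
            if rogue:
                reasons.append("DNS resolver not in expected set: " + ", ".join(rogue))

        # O20 (Winlogon Notify) and O21 (ShellServiceObjectDelayLoad) load a
        # DLL into winlogon/explorer very early; legitimate users are few.
        if section in ("O20", "O21"):
            reasons.append(f"{section} is a rarely used load point; verify the DLL")

        # O4 autoruns: RunServices is a Win9x-era key, and entries under the
        # SYSTEM profile (S-1-5-18) are not something users install themselves.
        if section == "O4":
            if "RunServices" in line:
                reasons.append("RunServices key is obsolete on NT-based Windows")
            if "(User 'SYSTEM')" in line:
                reasons.append("autorun in the SYSTEM profile")

        # O24: Active Desktop components that fetch a web page onto the desktop.
        if section == "O24" and "http" in line.lower():
            reasons.append("Active Desktop component loads a web page")

        if reasons:
            findings.append((section, line, reasons))
    return findings


if __name__ == "__main__":
    for section, line, reasons in triage(SAMPLE_LOG):
        print(f"[{section}] {line}")
        for r in reasons:
            print(f"      -> {r}")
```

Run against the constructed sample, the script flags eight of the eleven entries and leaves the Adobe BHO, the QuickTime autorun and the ZoneAlarm service alone; the O17 finding lists both resolver addresses because neither is in the expected set.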
xdr56tfcAuthor Commented:

# 11

When I sent the ComboFix txt my computer came up to the Can Not Open Page; I doubt that you got it, so I'm sending it again.     Every time I run ComboFix a Dialog Box comes up that says "There is no disk in Device\harddisk/dr7".   I have a hard time closing this box, and I do not have a Disk/dr7.   If I keep hitting Close, X or Cancel it goes away.   This has happened before.    HijackThis will follow.   My computer is running about 95% better.  Thanks,   Xdr56tfc


ComboFix 08-02-11.2 - Phil Wirth 2008-02-11 16:17:40.4 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.1.1252.1.1033.18.1615 [GMT -8:00]
Running from: D:\Documents and Settings\Phil Wirth\Desktop\ComboFix.exe
 
[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
.
 
(((((((((((((((((((((((((   Files Created from 2008-01-12 to 2008-02-12  )))))))))))))))))))))))))))))))
.
 
2008-02-11 01:31 . 2001-08-23 04:00	375,808	--a------	D:\kmd.exe
2008-02-11 00:52 . 2008-02-11 00:52	<DIR>	d--------	D:\WINDOWS\system32\bits
2008-02-11 00:52 . 2008-02-11 00:52	<DIR>	d--h-----	D:\WINDOWS\$hf_mig$
2008-02-11 00:52 . 2005-02-24 19:35	22,752	--a------	D:\WINDOWS\system32\spupdsvc.exe
2008-02-11 00:10 . 2008-02-11 00:10	<DIR>	d--------	D:\WINDOWS\ERUNT
2008-02-10 23:30 . 2008-02-11 00:15	<DIR>	d--------	D:\SDFix
2008-02-10 15:33 . 2008-02-10 15:33	<DIR>	d--------	D:\Program Files\Trend Micro
2008-02-10 05:32 . 2008-02-10 12:03	54,156	--ah-----	D:\WINDOWS\QTFont.qfn
2008-02-10 05:32 . 2008-02-10 05:32	1,409	--a------	D:\WINDOWS\QTFont.for
 
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-11 09:30	---------	d-----w	D:\Program Files\Thumbs6
2008-01-15 18:58	---------	d-----w	D:\Program Files\ExplorerXP
2008-01-15 18:52	---------	d-----w	D:\Documents and Settings\Phil Wirth\Application Data\ThumbsPlus
2008-01-15 18:13	---------	d-----w	D:\Program Files\File-Saver
2008-01-06 11:17	---------	d-----w	D:\Documents and Settings\Phil Wirth\Application Data\Canon
2008-01-03 03:52	---------	d-----w	D:\Documents and Settings\Phil Wirth\Application Data\MailFrontier
2007-12-22 00:27	70,600	----a-w	D:\Documents and Settings\Phil Wirth\Application Data\GDIPFONTCACHEV1.DAT
2007-12-18 08:51	9,778,976	--sha-w	D:\WINDOWS\system32\drivers\fidbox.dat
2007-12-18 08:37	2,182,306	----a-w	D:\WINDOWS\Internet Logs\tvDebug.zip
2007-12-18 08:37	19,232	--sha-w	D:\WINDOWS\system32\drivers\fidbox2.dat
2007-12-17 21:24	---------	d-----w	D:\Program Files\PC Tools AntiVirus
2007-12-17 10:33	5,888	--sha-w	D:\WINDOWS\system32\drivers\fidbox.idx
2007-12-17 10:33	2,816	--sha-w	D:\WINDOWS\system32\drivers\fidbox2.idx
2007-12-17 06:03	3,138,048	----a-w	D:\WINDOWS\Internet Logs\xDB1.tmp
2007-12-17 06:03	1,967,104	----a-w	D:\WINDOWS\Internet Logs\xDB2.tmp
2007-12-17 04:04	---------	d-----w	D:\Documents and Settings\All Users\Application Data\MailFrontier
2007-11-23 11:07	9,665	----a-w	D:\Documents and Settings\Phil Wirth\xrt_log.dat
2007-11-15 00:05	75,248	----a-w	D:\WINDOWS\zllsputility.exe
2007-11-15 00:05	1,086,952	----a-w	D:\WINDOWS\system32\zpeng24.dll
2007-10-29 22:47	6,987	----a-w	D:\Documents and Settings\Phil Wirth\xrt_collect.zip
2005-05-14 00:12	217,073	--sha-r	D:\WINDOWS\meta4.exe
2005-10-24 18:13	66,560	--sha-r	D:\WINDOWS\MOTA113.exe
2005-10-14 04:27	422,400	--sha-r	D:\WINDOWS\x2.64.exe
2005-10-08 02:14	308,224	--sha-r	D:\WINDOWS\system32\avisynth.dll
2005-07-14 19:31	27,648	--sha-r	D:\WINDOWS\system32\AVSredirect.dll
2005-06-26 22:32	616,448	--sha-r	D:\WINDOWS\system32\cygwin1.dll
2005-06-22 05:37	45,568	--sha-r	D:\WINDOWS\system32\cygz.dll
2004-01-25 07:00	70,656	--sha-r	D:\WINDOWS\system32\i420vfw.dll
2006-04-27 17:24	2,945,024	--sha-r	D:\WINDOWS\system32\Smab.dll
2005-02-28 20:16	240,128	--sha-r	D:\WINDOWS\system32\x.264.exe
2005-10-13 22:39	341,953	--sha-w	D:\WINDOWS\system32\xycdd.bak1
2006-02-28 21:30	447,758	--sha-w	D:\WINDOWS\system32\xycdd.bak2
2004-01-25 07:00	70,656	--sha-r	D:\WINDOWS\system32\yv12vfw.dll
.
 
(((((((((((((((((((((((((((((((((((((((((((((   AWF   ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w         3,504,640 2005-03-31 21:16:16  D:\Program Files\ASUS\Ai Booster\bak\OverClk.exe
 
----a-w           180,269 2006-06-21 05:52:50  D:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe
----a-w           185,896 2006-11-09 03:23:09  D:\Program Files\Common Files\Real\Update_OB\realsched.exe
 
----a-w           278,528 2006-06-14 23:24:14  D:\Program Files\iTunes\bak\iTunesHelper.exe
 
----a-w           282,624 2006-06-03 19:25:06  D:\Program Files\QuickTime\bak\qttask.exe
----a-w           282,624 2006-09-01 23:57:48  D:\Program Files\QuickTime\qttask.exe
 
----a-w            13,312 2002-08-28 23:41:22  D:\WINDOWS\system32\bak\ctfmon.exe
----a-w            13,312 2002-08-28 23:41:22  D:\WINDOWS\system32\ctfmon.exe
 
----a-w            98,304 2005-01-27 12:00:00  D:\WINDOWS\system32\spool\drivers\w32x86\3\bak\E_FATIABA.EXE
 
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
 
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="D:\WINDOWS\System32\ctfmon.exe" [2002-08-28 15:41 13312]
"swg"="D:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-01-27 14:36 171448]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"x"="" []
"QuickTime Task"="D:\Program Files\QuickTime\qttask.exe" [2006-09-01 15:57 282624]
 
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Spyware Doctor"="" []
 
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders	msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, ntoskrnl.dll
 
[HKLM\~\startupfolder\D:^Documents and Settings^Phil Wirth^Start Menu^Programs^Startup^Epson printer Registration.lnk]
path=D:\Documents and Settings\Phil Wirth\Start Menu\Programs\Startup\Epson printer Registration.lnk
backup=D:\WINDOWS\pss\Epson printer Registration.lnkStartup
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2002-08-28 15:41 13312 D:\WINDOWS\System32\ctfmon.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus C88 Series]
D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Launch Ai Booster]
D:\Program Files\ASUS\Ai Booster\OverClk.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCTAVApp]
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunServer]
--a------ 2007-12-17 22:44 290816 D:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2006-11-08 19:23 185896 D:\Program Files\Common Files\Real\Update_OB\realsched.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2006-11-30 21:49 4662776 D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WZCSVC"=2 (0x2)
"SDhelper"=2 (0x2)
 
R2 SMTPSVC;Simple Mail Transfer Protocol (SMTP);D:\WINDOWS\System32\inetsrv\inetinfo.exe [2001-08-23 04:00]
 
 
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{52562D43-4f4d-5055-5445-5252562D434f}]
D:\WINDOWS\System32\ahuy.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-01-08 03:30:00 D:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- D:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-10 08:00:00 D:\WINDOWS\Tasks\At1.job"
- D:\WINDOWS\System32\2QxDlnoD.exe
"2008-01-24 17:00:00 D:\WINDOWS\Tasks\At10.job"
- D:\WINDOWS\System32\2QxDlnoD.exe
"2008-01-24 18:00:00 D:\WINDOWS\Tasks\At11.job"
- D:\WINDOWS\System32\2QxDlnoD.exe
"2008-02-07 19:00:00 D:\WINDOWS\Tasks\At12.job"
- D:\WINDOWS\System32\2QxDlnoD.exe
"2008-02-10 20:00:00 D:\WINDOWS\Tasks\At13.job"
- D:\WINDOWS\System32\2QxDlnoD.exe
"2008-02-10 21:00:00 D:\WINDOWS\Tasks\At14.job"
- D:\WINDOWS\System32\2QxDlnoD.exe
"2008-02-10 22:00:00 D:\WINDOWS\Tasks\At15.job"
- D:\WINDOWS\System32\2QxDlnoD.exe
"2008-02-11 23:00:00 D:\WINDOWS\Tasks\At16.job"
- D:\WINDOWS\System32\2QxDlnoD.exe
"2008-02-12 00:00:00 D:\WINDOWS\Tasks\At17.job"
- D:\WINDOWS\System32\2QxDlnoD.exe
"2008-02-11 01:00:00 D:\WINDOWS\Tasks\At18.job"
- D:\WINDOWS\System32\2QxDlnoD.exe
"2008-02-11 02:00:00 D:\WINDOWS\Tasks\At19.job"
- D:\WINDOWS\System32\2QxDlnoD.exe
"2008-02-11 09:00:29 D:\WINDOWS\Tasks\At2.job"
- D:\WINDOWS\System32\2QxDlnoD.exe
"2008-02-11 03:00:00 D:\WINDOWS\Tasks\At20.job"
- D:\WINDOWS\System32\2QxDlnoD.exe
"2008-02-11 04:00:00 D:\WINDOWS\Tasks\At21.job"
- D:\WINDOWS\System32\2QxDlnoD.exe
"2008-02-11 05:00:00 D:\WINDOWS\Tasks\At22.job"
- D:\WINDOWS\System32\2QxDlnoD.exe
"2008-02-11 06:00:00 D:\WINDOWS\Tasks\At23.job"
- D:\WINDOWS\System32\2QxDlnoD.exe
"2008-02-11 07:00:00 D:\WINDOWS\Tasks\At24.job"
- D:\WINDOWS\System32\2QxDlnoD.exe
"2008-02-11 10:00:00 D:\WINDOWS\Tasks\At3.job"
- D:\WINDOWS\System32\2QxDlnoD.exe
"2008-02-11 11:00:00 D:\WINDOWS\Tasks\At4.job"
- D:\WINDOWS\System32\2QxDlnoD.exe
"2008-02-10 12:00:00 D:\WINDOWS\Tasks\At5.job"
- D:\WINDOWS\System32\2QxDlnoD.exe
"2008-02-10 13:00:00 D:\WINDOWS\Tasks\At6.job"
- D:\WINDOWS\System32\2QxDlnoD.exe
"2008-02-08 14:00:00 D:\WINDOWS\Tasks\At7.job"
- D:\WINDOWS\System32\2QxDlnoD.exe
"2008-01-24 15:00:00 D:\WINDOWS\Tasks\At8.job"
- D:\WINDOWS\System32\2QxDlnoD.exe
"2008-01-24 16:00:00 D:\WINDOWS\Tasks\At9.job"
- D:\WINDOWS\System32\2QxDlnoD.exe
.
**************************************************************************
 
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-11 16:18:07
Windows 5.1.2600 Service Pack 1 NTFS
 
scanning hidden processes ... 
 
scanning hidden autostart entries ...
 
scanning hidden files ... 
 
scan completed successfully 
hidden files: 0 
 
**************************************************************************
.
Completion time: 2008-02-11 16:18:38
ComboFix-quarantined-files.txt  2008-02-12 00:18:37
ComboFix2.txt  2008-02-11 23:39:14
ComboFix3.txt  2008-02-11 23:28:44
ComboFix4.txt  2008-02-11 09:53:27
.
2008-02-11 08:53:01	--- E O F ---  


0
IndiGenusCommented:
The script was not run on the last log you gave me. When you started CF, did you drag the script file you created onto CF to start it? And now I see an AWF infection too...
0
xdr56tfcAuthor Commented:
Here is the latest HijackThis log.    When that Dialog Box popped up it was right in the middle of the CF scan; in fact it stopped it when I was getting rid of the Dialog Box.   So I scanned it again, and CF finished after I got rid of the DB.    I sent that log; I think.    I saved it, so I will send it again.   The computer is getting a lot better.  When this is through I need to get a good Anti-Virus etc.   Thanks,  xdr56tfc
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:44:23 AM, on 2/12/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
 
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\csrss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\System32\alg.exe
D:\WINDOWS\System32\inetsrv\inetinfo.exe
D:\WINDOWS\System32\snmp.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\wdfmgr.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\QuickTime\qttask.exe
D:\WINDOWS\System32\ctfmon.exe
D:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
D:\WINDOWS\System32\wuauclt.exe
D:\Documents and Settings\Phil Wirth\Desktop\MSOFFICE.EXE
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe
D:\WINDOWS\System32\wbem\wmiprvse.exe
 
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - D:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - D:\PROGRA~1\FRESHD~1\FRESHD~1\fdcatch.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - D:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar2.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - D:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - D:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - D:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - D:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [swg] D:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [Spyware Doctor]  (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Spyware Doctor]  (User 'Default user')
O4 - Startup: AutorunsDisabled
O8 - Extra context menu item: Download All Links with IDM - D:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - D:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://D:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://D:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://D:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://D:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - D:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1129663471703
O17 - HKLM\System\CCS\Services\Tcpip\..\{5B26C87F-59B7-4A37-BC34-18541039DCD6}: NameServer = 85.255.113.138,85.255.112.203
O17 - HKLM\System\CCS\Services\Tcpip\..\{63E9F614-CDC7-413F-B010-05F431CB3051}: NameServer = 85.255.113.138,85.255.112.203
O17 - HKLM\System\CCS\Services\Tcpip\..\{F6189C5B-10E4-47B8-864B-F3E27C884D16}: NameServer = 85.255.113.138,85.255.112.203
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.138 85.255.112.203
O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: License Management Service ESD - element5 - D:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - D:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZoneLabs\vsmon.exe
O24 - Desktop Component 0: (no name) - (no file)
O24 - Desktop Component 1: www.BUSTY.pl - Slim & Big Busted - http://www.busty.pl/
O24 - Desktop Component 2: Sandee Westgate official website!! Welcome to the Ultimate site of Playboy model gone bad, Sandee Westgate! Lesbian Pornstar featured in CLUB, Hustler, CHERI, Playboy and more!!! See sandee with hotties like, Crissy Moran, Lanni Barbie, Mercedez, Tera Pat - http://www.sandeewestgate.com/
O24 - Desktop Component 3: bOObs.pl - 100% Exclusive boobs from Poland - http://www.big.boobs.pl/tour01.htm
O24 - Desktop Component 4: bluestripephoto.com - http://www.bluestripephoto.com/catalog/advanced_search_result.php?osCsid=63f5f5de83a85a571d74cc274bc702c6&keywords=Canon+EX+580+Flash&osCsid=63f5f5de83a85a571d74cc274bc702c6&x=14&y=10
O24 - Desktop Component 5: (no name) - http://store.directauto.com/jegrch196pif.html
 
--
End of file - 6188 bytes


0
xdr56tfcAuthor Commented:
Here is the latest CF log. I hope it is correct.  xdr56tfc
ComboFix 08-02-11.2 - Phil Wirth 2008-02-11 16:17:40.4 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.1.1252.1.1033.18.1615 [GMT -8:00]
Running from: D:\Documents and Settings\Phil Wirth\Desktop\ComboFix.exe
 
[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
.
 
(((((((((((((((((((((((((   Files Created from 2008-01-12 to 2008-02-12  )))))))))))))))))))))))))))))))
.
 
2008-02-11 01:31 . 2001-08-23 04:00	375,808	--a------	D:\kmd.exe
2008-02-11 00:52 . 2008-02-11 00:52	<DIR>	d--------	D:\WINDOWS\system32\bits
2008-02-11 00:52 . 2008-02-11 00:52	<DIR>	d--h-----	D:\WINDOWS\$hf_mig$
2008-02-11 00:52 . 2005-02-24 19:35	22,752	--a------	D:\WINDOWS\system32\spupdsvc.exe
2008-02-11 00:10 . 2008-02-11 00:10	<DIR>	d--------	D:\WINDOWS\ERUNT
2008-02-10 23:30 . 2008-02-11 00:15	<DIR>	d--------	D:\SDFix
2008-02-10 15:33 . 2008-02-10 15:33	<DIR>	d--------	D:\Program Files\Trend Micro
2008-02-10 05:32 . 2008-02-10 12:03	54,156	--ah-----	D:\WINDOWS\QTFont.qfn
2008-02-10 05:32 . 2008-02-10 05:32	1,409	--a------	D:\WINDOWS\QTFont.for
 
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-11 09:30	---------	d-----w	D:\Program Files\Thumbs6
2008-01-15 18:58	---------	d-----w	D:\Program Files\ExplorerXP
2008-01-15 18:52	---------	d-----w	D:\Documents and Settings\Phil Wirth\Application Data\ThumbsPlus
2008-01-15 18:13	---------	d-----w	D:\Program Files\File-Saver
2008-01-06 11:17	---------	d-----w	D:\Documents and Settings\Phil Wirth\Application Data\Canon
2008-01-03 03:52	---------	d-----w	D:\Documents and Settings\Phil Wirth\Application Data\MailFrontier
2007-12-22 00:27	70,600	----a-w	D:\Documents and Settings\Phil Wirth\Application Data\GDIPFONTCACHEV1.DAT
2007-12-18 08:51	9,778,976	--sha-w	D:\WINDOWS\system32\drivers\fidbox.dat
2007-12-18 08:37	2,182,306	----a-w	D:\WINDOWS\Internet Logs\tvDebug.zip
2007-12-18 08:37	19,232	--sha-w	D:\WINDOWS\system32\drivers\fidbox2.dat
2007-12-17 21:24	---------	d-----w	D:\Program Files\PC Tools AntiVirus
2007-12-17 10:33	5,888	--sha-w	D:\WINDOWS\system32\drivers\fidbox.idx
2007-12-17 10:33	2,816	--sha-w	D:\WINDOWS\system32\drivers\fidbox2.idx
2007-12-17 06:03	3,138,048	----a-w	D:\WINDOWS\Internet Logs\xDB1.tmp
2007-12-17 06:03	1,967,104	----a-w	D:\WINDOWS\Internet Logs\xDB2.tmp
2007-12-17 04:04	---------	d-----w	D:\Documents and Settings\All Users\Application Data\MailFrontier
2007-11-23 11:07	9,665	----a-w	D:\Documents and Settings\Phil Wirth\xrt_log.dat
2007-11-15 00:05	75,248	----a-w	D:\WINDOWS\zllsputility.exe
2007-11-15 00:05	1,086,952	----a-w	D:\WINDOWS\system32\zpeng24.dll
2007-10-29 22:47	6,987	----a-w	D:\Documents and Settings\Phil Wirth\xrt_collect.zip
2005-05-14 00:12	217,073	--sha-r	D:\WINDOWS\meta4.exe
2005-10-24 18:13	66,560	--sha-r	D:\WINDOWS\MOTA113.exe
2005-10-14 04:27	422,400	--sha-r	D:\WINDOWS\x2.64.exe
2005-10-08 02:14	308,224	--sha-r	D:\WINDOWS\system32\avisynth.dll
2005-07-14 19:31	27,648	--sha-r	D:\WINDOWS\system32\AVSredirect.dll
2005-06-26 22:32	616,448	--sha-r	D:\WINDOWS\system32\cygwin1.dll
2005-06-22 05:37	45,568	--sha-r	D:\WINDOWS\system32\cygz.dll
2004-01-25 07:00	70,656	--sha-r	D:\WINDOWS\system32\i420vfw.dll
2006-04-27 17:24	2,945,024	--sha-r	D:\WINDOWS\system32\Smab.dll
2005-02-28 20:16	240,128	--sha-r	D:\WINDOWS\system32\x.264.exe
2005-10-13 22:39	341,953	--sha-w	D:\WINDOWS\system32\xycdd.bak1
2006-02-28 21:30	447,758	--sha-w	D:\WINDOWS\system32\xycdd.bak2
2004-01-25 07:00	70,656	--sha-r	D:\WINDOWS\system32\yv12vfw.dll
.
 
(((((((((((((((((((((((((((((((((((((((((((((   AWF   ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w         3,504,640 2005-03-31 21:16:16  D:\Program Files\ASUS\Ai Booster\bak\OverClk.exe
 
----a-w           180,269 2006-06-21 05:52:50  D:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe
----a-w           185,896 2006-11-09 03:23:09  D:\Program Files\Common Files\Real\Update_OB\realsched.exe
 
----a-w           278,528 2006-06-14 23:24:14  D:\Program Files\iTunes\bak\iTunesHelper.exe
 
----a-w           282,624 2006-06-03 19:25:06  D:\Program Files\QuickTime\bak\qttask.exe
----a-w           282,624 2006-09-01 23:57:48  D:\Program Files\QuickTime\qttask.exe
 
----a-w            13,312 2002-08-28 23:41:22  D:\WINDOWS\system32\bak\ctfmon.exe
----a-w            13,312 2002-08-28 23:41:22  D:\WINDOWS\system32\ctfmon.exe
 
----a-w            98,304 2005-01-27 12:00:00  D:\WINDOWS\system32\spool\drivers\w32x86\3\bak\E_FATIABA.EXE
 
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
 
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="D:\WINDOWS\System32\ctfmon.exe" [2002-08-28 15:41 13312]
"swg"="D:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-01-27 14:36 171448]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"x"="" []
"QuickTime Task"="D:\Program Files\QuickTime\qttask.exe" [2006-09-01 15:57 282624]
 
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Spyware Doctor"="" []
 
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders	msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, ntoskrnl.dll
 
[HKLM\~\startupfolder\D:^Documents and Settings^Phil Wirth^Start Menu^Programs^Startup^Epson printer Registration.lnk]
path=D:\Documents and Settings\Phil Wirth\Start Menu\Programs\Startup\Epson printer Registration.lnk
backup=D:\WINDOWS\pss\Epson printer Registration.lnkStartup
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2002-08-28 15:41 13312 D:\WINDOWS\System32\ctfmon.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus C88 Series]
D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Launch Ai Booster]
D:\Program Files\ASUS\Ai Booster\OverClk.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCTAVApp]
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunServer]
--a------ 2007-12-17 22:44 290816 D:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2006-11-08 19:23 185896 D:\Program Files\Common Files\Real\Update_OB\realsched.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2006-11-30 21:49 4662776 D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WZCSVC"=2 (0x2)
"SDhelper"=2 (0x2)
 
R2 SMTPSVC;Simple Mail Transfer Protocol (SMTP);D:\WINDOWS\System32\inetsrv\inetinfo.exe [2001-08-23 04:00]
 
 
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{52562D43-4f4d-5055-5445-5252562D434f}]
D:\WINDOWS\System32\ahuy.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-01-08 03:30:00 D:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- D:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-10 08:00:00 D:\WINDOWS\Tasks\At1.job"
- D:\WINDOWS\System32\2QxDlnoD.exe
"2008-01-24 17:00:00 D:\WINDOWS\Tasks\At10.job"
- D:\WINDOWS\System32\2QxDlnoD.exe
"2008-01-24 18:00:00 D:\WINDOWS\Tasks\At11.job"
- D:\WINDOWS\System32\2QxDlnoD.exe
"2008-02-07 19:00:00 D:\WINDOWS\Tasks\At12.job"
- D:\WINDOWS\System32\2QxDlnoD.exe
"2008-02-10 20:00:00 D:\WINDOWS\Tasks\At13.job"
- D:\WINDOWS\System32\2QxDlnoD.exe
"2008-02-10 21:00:00 D:\WINDOWS\Tasks\At14.job"
- D:\WINDOWS\System32\2QxDlnoD.exe
"2008-02-10 22:00:00 D:\WINDOWS\Tasks\At15.job"
- D:\WINDOWS\System32\2QxDlnoD.exe
"2008-02-11 23:00:00 D:\WINDOWS\Tasks\At16.job"
- D:\WINDOWS\System32\2QxDlnoD.exe
"2008-02-12 00:00:00 D:\WINDOWS\Tasks\At17.job"
- D:\WINDOWS\System32\2QxDlnoD.exe
"2008-02-11 01:00:00 D:\WINDOWS\Tasks\At18.job"
- D:\WINDOWS\System32\2QxDlnoD.exe
"2008-02-11 02:00:00 D:\WINDOWS\Tasks\At19.job"
- D:\WINDOWS\System32\2QxDlnoD.exe
"2008-02-11 09:00:29 D:\WINDOWS\Tasks\At2.job"
- D:\WINDOWS\System32\2QxDlnoD.exe
"2008-02-11 03:00:00 D:\WINDOWS\Tasks\At20.job"
- D:\WINDOWS\System32\2QxDlnoD.exe
"2008-02-11 04:00:00 D:\WINDOWS\Tasks\At21.job"
- D:\WINDOWS\System32\2QxDlnoD.exe
"2008-02-11 05:00:00 D:\WINDOWS\Tasks\At22.job"
- D:\WINDOWS\System32\2QxDlnoD.exe
"2008-02-11 06:00:00 D:\WINDOWS\Tasks\At23.job"
- D:\WINDOWS\System32\2QxDlnoD.exe
"2008-02-11 07:00:00 D:\WINDOWS\Tasks\At24.job"
- D:\WINDOWS\System32\2QxDlnoD.exe
"2008-02-11 10:00:00 D:\WINDOWS\Tasks\At3.job"
- D:\WINDOWS\System32\2QxDlnoD.exe
"2008-02-11 11:00:00 D:\WINDOWS\Tasks\At4.job"
- D:\WINDOWS\System32\2QxDlnoD.exe
"2008-02-10 12:00:00 D:\WINDOWS\Tasks\At5.job"
- D:\WINDOWS\System32\2QxDlnoD.exe
"2008-02-10 13:00:00 D:\WINDOWS\Tasks\At6.job"
- D:\WINDOWS\System32\2QxDlnoD.exe
"2008-02-08 14:00:00 D:\WINDOWS\Tasks\At7.job"
- D:\WINDOWS\System32\2QxDlnoD.exe
"2008-01-24 15:00:00 D:\WINDOWS\Tasks\At8.job"
- D:\WINDOWS\System32\2QxDlnoD.exe
"2008-01-24 16:00:00 D:\WINDOWS\Tasks\At9.job"
- D:\WINDOWS\System32\2QxDlnoD.exe
.
**************************************************************************
 
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-11 16:18:07
Windows 5.1.2600 Service Pack 1 NTFS
 
scanning hidden processes ... 
 
scanning hidden autostart entries ...
 
scanning hidden files ... 
 
scan completed successfully 
hidden files: 0 
 
**************************************************************************
.
Completion time: 2008-02-11 16:18:38
ComboFix-quarantined-files.txt  2008-02-12 00:18:37
ComboFix2.txt  2008-02-11 23:39:14
ComboFix3.txt  2008-02-11 23:28:44
ComboFix4.txt  2008-02-11 09:53:27
.
2008-02-11 08:53:01	--- E O F ---  


0
IndiGenusCommented:
Yes I am glad to hear it's running better and HJT looks better. But that is not the most recent cf log, and it's not the one run with the script. I can tell by the dates and the file path. Can you try finding that log please if you were able to run it?

Also, looks like Wareout infection may still be present. Here is what I suggest next...

Run HijackThis. Hit None of the above, Click Do a System Scan Only. Put a Check in the box on the left side on these:

---------------------------------

O17 - HKLM\System\CCS\Services\Tcpip\..\{5B26C87F-59B7-4A37-BC34-18541039DCD6}: NameServer = 85.255.113.138,85.255.112.203
O17 - HKLM\System\CCS\Services\Tcpip\..\{63E9F614-CDC7-413F-B010-05F431CB3051}: NameServer = 85.255.113.138,85.255.112.203
O17 - HKLM\System\CCS\Services\Tcpip\..\{F6189C5B-10E4-47B8-864B-F3E27C884D16}: NameServer = 85.255.113.138,85.255.112.203
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.138 85.255.112.203
O24 - Desktop Component 0: (no name) - (no file)
O24 - Desktop Component 1: www.BUSTY.pl - Slim & Big Busted - http://www.busty.pl/
O24 - Desktop Component 2: Sandee Westgate official website!! Welcome to the Ultimate site of Playboy model gone bad, Sandee Westgate! Lesbian Pornstar featured in CLUB, Hustler, CHERI, Playboy and more!!! See sandee with hotties like, Crissy Moran, Lanni Barbie, Mercedez, Tera Pat - http://www.sandeewestgate.com/
O24 - Desktop Component 3: bOObs.pl - 100% Exclusive boobs from Poland - http://www.big.boobs.pl/tour01.htm
O24 - Desktop Component 4: bluestripephoto.com - http://www.bluestripephoto.com/catalog/advanced_search_result.php?osCsid=63f5f5de83a85a571d74cc274bc702c6&keywords=Canon+EX+580+Flash&osCsid=63f5f5de83a85a571d74cc274bc702c6&x=14&y=10
O24 - Desktop Component 5: (no name) - http://store.directauto.com/jegrch196pif.html
 
---------------------------------

Then close all windows except this one and press Fix checked.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

Once the desktop loads please post the text that will open (report.txt) and a new HijackThis log.
0
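The O17 and O24 lines the expert asks to have fixed are the two HijackThis sections worth checking mechanically: O17 shows the DNS resolvers the TCP/IP stack has been pointed at, and O24 shows Active Desktop components, which can render a remote web page on the desktop. Below is an added example, not part of the thread and not HijackThis code, that parses lines in the same format and flags resolvers outside an allowlist plus any desktop component whose target is a URL. The sample log text is constructed to mirror the thread's entries (the 85.255.x.x resolvers are the ones quoted above; the GUID and the popup URL are placeholders), and the allowlist of expected resolver networks is a hypothetical value a machine's owner would set to their LAN gateway and ISP.

```python
"""Flag suspicious O17 (NameServer) and O24 (Active Desktop) lines in a HijackThis log.

Added example, not HijackThis code. Sample lines are constructed in the same format
as the ones quoted in the thread; EXPECTED_RESOLVERS is a hypothetical allowlist.
"""
import ipaddress
import re

# Constructed sample log: one benign O4 line, three O17 lines, two O24 lines.
SAMPLE_HJT_LOG = """\
O4 - HKLM\\..\\Run: [QuickTime Task] "D:\\Program Files\\QuickTime\\qttask.exe" -atboottime
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{5B26C87F-59B7-4A37-BC34-18541039DCD6}: NameServer = 85.255.113.138,85.255.112.203
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\Parameters: NameServer = 85.255.113.138 85.255.112.203
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{CONSTRUCTED-GUID}: NameServer = 192.168.1.1
O24 - Desktop Component 0: (no name) - (no file)
O24 - Desktop Component 1: example.invalid - Constructed sample - http://example.invalid/popup.html
"""

# Hypothetical allowlist: networks the owner's legitimate resolvers live in
# (LAN gateway, RFC 1918 ranges). Anything else is reported for review.
EXPECTED_RESOLVERS = {
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("10.0.0.0/8"),
}

# O17: registry key (no spaces) followed by a comma- or space-separated server list.
O17_RE = re.compile(r"^O17 - (?P<key>\S+): NameServer = (?P<servers>.+)$")
# O24: component number, free-text name, then the target after the last " - ".
O24_RE = re.compile(r"^O24 - Desktop Component (?P<n>\d+): (?P<name>.*) - (?P<target>\S+|\(no file\))$")


def parse_o17(log_text):
    """Return [(registry_key, [server, ...]), ...] for every O17 line."""
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue
        servers = [s for s in re.split(r"[,\s]+", m.group("servers")) if s]
        entries.append((m.group("key"), servers))
    return entries


def unexpected_resolvers(log_text, allowed=EXPECTED_RESOLVERS):
    """Sorted list of resolver addresses that fall outside every allowed network.

    Values that are not valid IP addresses are reported too, since a NameServer
    entry should never contain anything else.
    """
    flagged = set()
    for _key, servers in parse_o17(log_text):
        for s in servers:
            try:
                ip = ipaddress.ip_address(s)
            except ValueError:
                flagged.add(s)
                continue
            if not any(ip in net for net in allowed):
                flagged.add(s)
    return sorted(flagged)


def parse_o24(log_text):
    """Return [(component_number, name, target), ...] for every O24 line."""
    entries = []
    for line in log_text.splitlines():
        m = O24_RE.match(line.strip())
        if m:
            entries.append((int(m.group("n")), m.group("name"), m.group("target")))
    return entries


def web_desktop_components(log_text):
    """Targets of Active Desktop components that point at a remote URL."""
    return [t for _n, _name, t in parse_o24(log_text)
            if t.lower().startswith(("http://", "https://"))]


if __name__ == "__main__":
    print("Resolvers outside allowlist:", unexpected_resolvers(SAMPLE_HJT_LOG))
    print("Desktop components loading URLs:", web_desktop_components(SAMPLE_HJT_LOG))
```

Every per-interface key in the constructed sample gets the same pair of non-local resolvers, which is the pattern the expert is reacting to: a machine whose DNS has been redirected will show the same unfamiliar servers under the Parameters key and under each adapter GUID, not just under one. The allowlist belongs to the person reviewing the log; swap in the resolvers the ISP actually issues before trusting the empty-result case.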
xdr56tfcAuthor Commented:
 #14

You lost me back there, you said: "The script was not run on the last log you gave me. When you started CF did you drag the script file you created on to CF to start it? And now I see an AWF infection too..."   Do you mean the log file when you say the script file?  I did not save the log file to the desktop, so I could not drag it to CF; that's probably all wrong.  All I did to start CF was to open it; then it did its thing, and it creates the log file and I copied that and sent it to you. On the last CK I sent, I just opened it from the file that I saved them to and pasted that log into my Comments to you.  It sounds like that is not the way to create that log.   Let me know.  I'll see if I can send Hijack the way you say.     Xdr56tfc

0
xdr56tfcAuthor Commented:

#15

"Run HijackThis. Hit None of the above, Click Do a System Scan Only. Put a Check in the box on the left side on these:"

Do you want me to put a check in all the boxes on the left side of each line?   Then what do you want me to do with it?   xdr56tfc


0
IndiGenusCommented:
xdr56tfc>""Do you want me to put a check in all the boxes on the left side of each line?   Then what do you want me to do with it?""<  

ME>"""Then close all windows except for HijackThis and press Fix checked.""<

OK on combofix...I'll try to explain a bit differently.

1. You copy and paste the text between the lines I gave you back in post ID: 20867833 into a blank Notepad window.
2. Save the file as CFScript.txt and save the file ON YOUR DESKTOP.
3. Drag the CFScript.txt file with your mouse right on to the combofix.exe icon on your desktop. That should automatically start cf. Then post the log that is produced.

0
xdr56tfcAuthor Commented:
You>"""Then close all windows except for HijackThis and press Fix checked.""<

#16

I did this one among many D/Boxes of pending doom, but it worked out fine.  It's getting better all the time.   One of our processes wiped out all my Restore points; now I'm setting a new one at every step.

Xdr56tfc

0
xdr56tfcAuthor Commented:
#17

Here is the CFScript log file.  The log should be right this time.   The same D/Box popped up.   It said something like this:  No disk in drive.  Please put a disk in \device\harddisk\dr7.  I don't think that it is hurting anything, but it might be.  Sometimes this D/Box pops up every time I boot.   I need to hit continue about 6 times to get rid of it.   Xdr56tfc

ComboFix 08-02-11.2 - Phil Wirth 2008-02-12 20:03:20.5 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.1.1252.1.1033.18.1647 [GMT -8:00]
Running from: D:\Documents and Settings\Phil Wirth\Desktop\ComboFix.exe
Command switches used :: D:\Documents and Settings\Phil Wirth\Desktop\CFScript 4.txt
 * Created a new restore point
 
[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
 
FILE
C:\WINDOWS\SYSTEM32\ntoskrnl.dll
D:\WINDOWS\System32\dmmnl.exe
D:\WINDOWS\System32\msindeo.dll
D:\WINDOWS\System32\ntiuidba.dll
D:\WINDOWS\system32\pfimsfnm.dll
D:\WINDOWS\System32\RECOVER32.DLL
D:\WINDOWS\System32\rqjxarkd.dll
.
 
(((((((((((((((((((((((((   Files Created from 2008-01-13 to 2008-02-13  )))))))))))))))))))))))))))))))
.
 
2008-02-11 01:31 . 2001-08-23 04:00	375,808	--a------	D:\kmd.exe
2008-02-11 00:52 . 2008-02-11 00:52	<DIR>	d--------	D:\WINDOWS\system32\bits
2008-02-11 00:52 . 2008-02-11 00:52	<DIR>	d--h-----	D:\WINDOWS\$hf_mig$
2008-02-11 00:52 . 2005-02-24 19:35	22,752	--a------	D:\WINDOWS\system32\spupdsvc.exe
2008-02-11 00:10 . 2008-02-11 00:10	<DIR>	d--------	D:\WINDOWS\ERUNT
2008-02-10 23:30 . 2008-02-11 00:15	<DIR>	d--------	D:\SDFix
2008-02-10 15:33 . 2008-02-10 15:33	<DIR>	d--------	D:\Program Files\Trend Micro
2008-02-10 05:32 . 2008-02-10 12:03	54,156	--ah-----	D:\WINDOWS\QTFont.qfn
2008-02-10 05:32 . 2008-02-10 05:32	1,409	--a------	D:\WINDOWS\QTFont.for
 
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-11 09:30	---------	d-----w	D:\Program Files\Thumbs6
2008-01-15 18:58	---------	d-----w	D:\Program Files\ExplorerXP
2008-01-15 18:52	---------	d-----w	D:\Documents and Settings\Phil Wirth\Application Data\ThumbsPlus
2008-01-15 18:13	---------	d-----w	D:\Program Files\File-Saver
2008-01-06 11:17	---------	d-----w	D:\Documents and Settings\Phil Wirth\Application Data\Canon
2008-01-03 03:52	---------	d-----w	D:\Documents and Settings\Phil Wirth\Application Data\MailFrontier
2007-12-22 00:27	70,600	----a-w	D:\Documents and Settings\Phil Wirth\Application Data\GDIPFONTCACHEV1.DAT
2007-12-18 08:51	9,778,976	--sha-w	D:\WINDOWS\system32\drivers\fidbox.dat
2007-12-18 08:37	2,182,306	----a-w	D:\WINDOWS\Internet Logs\tvDebug.zip
2007-12-18 08:37	19,232	--sha-w	D:\WINDOWS\system32\drivers\fidbox2.dat
2007-12-17 21:24	---------	d-----w	D:\Program Files\PC Tools AntiVirus
2007-12-17 10:33	5,888	--sha-w	D:\WINDOWS\system32\drivers\fidbox.idx
2007-12-17 10:33	2,816	--sha-w	D:\WINDOWS\system32\drivers\fidbox2.idx
2007-12-17 06:03	3,138,048	----a-w	D:\WINDOWS\Internet Logs\xDB1.tmp
2007-12-17 06:03	1,967,104	----a-w	D:\WINDOWS\Internet Logs\xDB2.tmp
2007-12-17 04:04	---------	d-----w	D:\Documents and Settings\All Users\Application Data\MailFrontier
2007-11-23 11:07	9,665	----a-w	D:\Documents and Settings\Phil Wirth\xrt_log.dat
2007-11-15 00:05	75,248	----a-w	D:\WINDOWS\zllsputility.exe
2007-11-15 00:05	1,086,952	----a-w	D:\WINDOWS\system32\zpeng24.dll
2007-10-29 22:47	6,987	----a-w	D:\Documents and Settings\Phil Wirth\xrt_collect.zip
2005-05-14 00:12	217,073	--sha-r	D:\WINDOWS\meta4.exe
2005-10-24 18:13	66,560	--sha-r	D:\WINDOWS\MOTA113.exe
2005-10-14 04:27	422,400	--sha-r	D:\WINDOWS\x2.64.exe
2005-10-08 02:14	308,224	--sha-r	D:\WINDOWS\system32\avisynth.dll
2005-07-14 19:31	27,648	--sha-r	D:\WINDOWS\system32\AVSredirect.dll
2005-06-26 22:32	616,448	--sha-r	D:\WINDOWS\system32\cygwin1.dll
2005-06-22 05:37	45,568	--sha-r	D:\WINDOWS\system32\cygz.dll
2004-01-25 07:00	70,656	--sha-r	D:\WINDOWS\system32\i420vfw.dll
2006-04-27 17:24	2,945,024	--sha-r	D:\WINDOWS\system32\Smab.dll
2005-02-28 20:16	240,128	--sha-r	D:\WINDOWS\system32\x.264.exe
2005-10-13 22:39	341,953	--sha-w	D:\WINDOWS\system32\xycdd.bak1
2006-02-28 21:30	447,758	--sha-w	D:\WINDOWS\system32\xycdd.bak2
2004-01-25 07:00	70,656	--sha-r	D:\WINDOWS\system32\yv12vfw.dll
.
 
(((((((((((((((((((((((((((((((((((((((((((((   AWF   ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w         3,504,640 2005-03-31 21:16:16  D:\Program Files\ASUS\Ai Booster\bak\OverClk.exe
 
----a-w           180,269 2006-06-21 05:52:50  D:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe
----a-w           185,896 2006-11-09 03:23:09  D:\Program Files\Common Files\Real\Update_OB\realsched.exe
 
----a-w           278,528 2006-06-14 23:24:14  D:\Program Files\iTunes\bak\iTunesHelper.exe
 
----a-w           282,624 2006-06-03 19:25:06  D:\Program Files\QuickTime\bak\qttask.exe
----a-w           282,624 2006-09-01 23:57:48  D:\Program Files\QuickTime\qttask.exe
 
----a-w            13,312 2002-08-28 23:41:22  D:\WINDOWS\system32\bak\ctfmon.exe
----a-w            13,312 2002-08-28 23:41:22  D:\WINDOWS\system32\ctfmon.exe
 
----a-w            98,304 2005-01-27 12:00:00  D:\WINDOWS\system32\spool\drivers\w32x86\3\bak\E_FATIABA.EXE
 
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
 
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="D:\WINDOWS\System32\ctfmon.exe" [2002-08-28 15:41 13312]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"x"="" []
 
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders	msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, ntoskrnl.dll
 
[HKLM\~\startupfolder\D:^Documents and Settings^Phil Wirth^Start Menu^Programs^Startup^Epson printer Registration.lnk]
path=D:\Documents and Settings\Phil Wirth\Start Menu\Programs\Startup\Epson printer Registration.lnk
backup=D:\WINDOWS\pss\Epson printer Registration.lnkStartup
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2002-08-28 15:41 13312 D:\WINDOWS\System32\ctfmon.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus C88 Series]
D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Launch Ai Booster]
D:\Program Files\ASUS\Ai Booster\OverClk.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCTAVApp]
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunServer]
--a------ 2007-12-17 22:44 290816 D:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2006-11-08 19:23 185896 D:\Program Files\Common Files\Real\Update_OB\realsched.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2006-11-30 21:49 4662776 D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WZCSVC"=2 (0x2)
"SDhelper"=2 (0x2)
 
R2 SMTPSVC;Simple Mail Transfer Protocol (SMTP);D:\WINDOWS\System32\inetsrv\inetinfo.exe [2001-08-23 04:00]
 
 
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{52562D43-4f4d-5055-5445-5252562D434f}]
D:\WINDOWS\System32\ahuy.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-01-08 03:30:00 D:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- D:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-10 08:00:00 D:\WINDOWS\Tasks\At1.job"
- D:\WINDOWS\System32\2QxDlnoD.exe
"2008-01-24 17:00:00 D:\WINDOWS\Tasks\At10.job"
- D:\WINDOWS\System32\2QxDlnoD.exe
"2008-01-24 18:00:00 D:\WINDOWS\Tasks\At11.job"
- D:\WINDOWS\System32\2QxDlnoD.exe
"2008-02-07 19:00:00 D:\WINDOWS\Tasks\At12.job"
- D:\WINDOWS\System32\2QxDlnoD.exe
"2008-02-10 20:00:00 D:\WINDOWS\Tasks\At13.job"
- D:\WINDOWS\System32\2QxDlnoD.exe
"2008-02-10 21:00:00 D:\WINDOWS\Tasks\At14.job"
- D:\WINDOWS\System32\2QxDlnoD.exe
"2008-02-10 22:00:00 D:\WINDOWS\Tasks\At15.job"
- D:\WINDOWS\System32\2QxDlnoD.exe
"2008-02-12 23:00:00 D:\WINDOWS\Tasks\At16.job"
- D:\WINDOWS\System32\2QxDlnoD.exe
"2008-02-13 00:00:00 D:\WINDOWS\Tasks\At17.job"
- D:\WINDOWS\System32\2QxDlnoD.exe
"2008-02-13 01:00:00 D:\WINDOWS\Tasks\At18.job"
- D:\WINDOWS\System32\2QxDlnoD.exe
"2008-02-13 02:00:00 D:\WINDOWS\Tasks\At19.job"
- D:\WINDOWS\System32\2QxDlnoD.exe
"2008-02-12 09:00:00 D:\WINDOWS\Tasks\At2.job"
- D:\WINDOWS\System32\2QxDlnoD.exe
"2008-02-13 03:00:00 D:\WINDOWS\Tasks\At20.job"
- D:\WINDOWS\System32\2QxDlnoD.exe
"2008-02-13 04:00:00 D:\WINDOWS\Tasks\At21.job"
- D:\WINDOWS\System32\2QxDlnoD.exe
"2008-02-11 05:00:00 D:\WINDOWS\Tasks\At22.job"
- D:\WINDOWS\System32\2QxDlnoD.exe
"2008-02-11 06:00:00 D:\WINDOWS\Tasks\At23.job"
- D:\WINDOWS\System32\2QxDlnoD.exe
"2008-02-11 07:00:00 D:\WINDOWS\Tasks\At24.job"
- D:\WINDOWS\System32\2QxDlnoD.exe
"2008-02-11 10:00:00 D:\WINDOWS\Tasks\At3.job"
- D:\WINDOWS\System32\2QxDlnoD.exe
"2008-02-11 11:00:00 D:\WINDOWS\Tasks\At4.job"
- D:\WINDOWS\System32\2QxDlnoD.exe
"2008-02-10 12:00:00 D:\WINDOWS\Tasks\At5.job"
- D:\WINDOWS\System32\2QxDlnoD.exe
"2008-02-10 13:00:00 D:\WINDOWS\Tasks\At6.job"
- D:\WINDOWS\System32\2QxDlnoD.exe
"2008-02-08 14:00:00 D:\WINDOWS\Tasks\At7.job"
- D:\WINDOWS\System32\2QxDlnoD.exe
"2008-01-24 15:00:00 D:\WINDOWS\Tasks\At8.job"
- D:\WINDOWS\System32\2QxDlnoD.exe
"2008-01-24 16:00:00 D:\WINDOWS\Tasks\At9.job"
- D:\WINDOWS\System32\2QxDlnoD.exe
.
**************************************************************************
 
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-12 20:05:02
Windows 5.1.2600 Service Pack 1 NTFS
 
scanning hidden processes ... 
 
scanning hidden autostart entries ...
 
scanning hidden files ... 
 
scan completed successfully 
hidden files: 0 
 
**************************************************************************
.
Completion time: 2008-02-12 20:09:59
ComboFix-quarantined-files.txt  2008-02-13 04:09:57
ComboFix2.txt  2008-02-12 00:18:39
ComboFix3.txt  2008-02-11 23:39:14
ComboFix4.txt  2008-02-11 23:28:44
ComboFix5.txt  2008-02-11 09:53:27
.
2008-02-11 08:53:01	--- E O F ---  


0
IndiGenusCommented:
Xdr56tfc>""One of our processes wiped out all my Restore points; now I'm setting a new one at every step.""<
combofix>"" * Created a new restore point""

That's Normal. I would not really worry about setting new restore points until we are done. And, restore points many times are infected too so if you use them then....   I recommend resetting at the end. There is a routine that I will have you run with CF at the end that will clean up everything nicely.

You got the Script right this time, nice. There is still much more work to do here, and part of that may be causing those errors you're getting. Before we do anything else I need you to check something.

Please go to http://virusscan.jotti.org, click on Browse, and upload the following file for analysis:

D:\WINDOWS\System32\2QxDlnoD.exe

Then click Submit. Allow the file to be scanned, and then please copy and paste the results here for me to see.

If Jotti is too busy you can try these.

http://www.kaspersky.com/scanforvirus.html
http://www.virustotal.com/en/indexf.html


0
xdr56tfcAuthor Commented:
#18

I do not have D:\WINDOWS\System32\2QxDlnoD.exe in my computer. I looked and I searched Windows and Drive D.   xdr56tfc

0
IndiGenusCommented:
Forgot to mention. Did you enable hidden files and folders?

Windows XP

    * Click Start.
    * Open My Computer.
    * Select the Tools menu and click Folder Options.
    * Select the View Tab.
    * Under the Hidden files and folders heading select Show hidden files and folders.
    * Uncheck the Hide protected operating system files (recommended) option.
    * Click Yes to confirm.
    * Click OK.
0
xdr56tfcAuthor Commented:
#19  

That's done, but that's the way I keep it.   Xdr56tfc
0
IndiGenusCommented:
OK good enough. Time for another script here...

1. Open Notepad.

2. Now copy/paste the text between the lines below into the Notepad window:

---------------------------------------------------------------------------------------------------------------

File::
D:\WINDOWS\Tasks\At1.job
D:\WINDOWS\Tasks\At10.job
D:\WINDOWS\Tasks\At11.job
D:\WINDOWS\Tasks\At12.job
D:\WINDOWS\Tasks\At13.job
D:\WINDOWS\Tasks\At14.job
D:\WINDOWS\Tasks\At15.job
D:\WINDOWS\Tasks\At16.job
D:\WINDOWS\Tasks\At17.job
D:\WINDOWS\Tasks\At18.job
D:\WINDOWS\Tasks\At19.job
D:\WINDOWS\Tasks\At2.job
D:\WINDOWS\Tasks\At20.job
D:\WINDOWS\Tasks\At21.job
D:\WINDOWS\Tasks\At22.job
D:\WINDOWS\Tasks\At23.job
D:\WINDOWS\Tasks\At24.job
D:\WINDOWS\Tasks\At3.job
D:\WINDOWS\Tasks\At4.job
D:\WINDOWS\Tasks\At5.job
D:\WINDOWS\Tasks\At6.job
D:\WINDOWS\Tasks\At7.job
D:\WINDOWS\Tasks\At8.job
D:\WINDOWS\System32\2QxDlnoD.exe
D:\WINDOWS\Tasks\At9.job
D:\WINDOWS\System32\ahuy.exe
D:\WINDOWS\system32\xycdd.bak1
D:\WINDOWS\system32\xycdd.bak2

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{52562D43-4f4d-5055-5445-5252562D434f}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"x"=-
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

---------------------------------------------------------------------------------------------------------------

3. Save the above as CFScript.txt on your desktop.

4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.

5. After reboot, (in case it asks to reboot), please upload the following reports/logs.

-Combofix.txt
-A new HijackThis log
0
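The two findings this CFScript targets can be read straight off the ComboFix log: the 'Scheduled Tasks' section shows two dozen At*.job entries all launching the same randomly named executable in System32 (one per hour, the signature of jobs created with at.exe), and the SecurityProviders value under currentcontrolset\control\securityproviders carries ntoskrnl.dll, which does not belong in that list. The following is an added example, not ComboFix code and not the expert's script, that parses a log in the same layout, reports both conditions, and emits File:: and Registry:: stanzas in the syntax shown above. The log excerpt is constructed to mirror the thread's format with a shortened task list; the stock provider list it restores is the one the expert's Registry:: stanza writes back.

```python
"""Triage a ComboFix log for at.exe job clusters and SecurityProviders tampering,
then emit CFScript stanzas in the File:: / Registry:: form used in this thread.

Added example, not ComboFix code. SAMPLE_COMBOFIX_LOG is a constructed excerpt
in the log's layout (three At jobs instead of twenty-four).
"""
import re
from collections import defaultdict

SAMPLE_COMBOFIX_LOG = """\
[HKEY_LOCAL_MACHINE\\system\\currentcontrolset\\control\\securityproviders]
SecurityProviders\tmsapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, ntoskrnl.dll

.
Contents of the 'Scheduled Tasks' folder
"2008-01-08 03:30:00 D:\\WINDOWS\\Tasks\\AppleSoftwareUpdate.job"
- D:\\Program Files\\Apple Software Update\\SoftwareUpdate.exe
"2008-02-10 08:00:00 D:\\WINDOWS\\Tasks\\At1.job"
- D:\\WINDOWS\\System32\\2QxDlnoD.exe
"2008-02-11 09:00:00 D:\\WINDOWS\\Tasks\\At2.job"
- D:\\WINDOWS\\System32\\2QxDlnoD.exe
"2008-02-11 10:00:00 D:\\WINDOWS\\Tasks\\At3.job"
- D:\\WINDOWS\\System32\\2QxDlnoD.exe
.
"""

# The XP default list, i.e. what the thread's Registry:: stanza writes back.
STOCK_SECURITY_PROVIDERS = ["msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll"]

# A task line: quoted "<date> <time> <path to .job>"; the next line "- <target>" names the binary.
JOB_RE = re.compile(r'^"\S+ \S+ (?P<job>.+\.job)"$')
AT_JOB_RE = re.compile(r"\\At\d+\.job$")


def parse_scheduled_tasks(log_text):
    """Map each target executable to the .job files that launch it."""
    targets = defaultdict(list)
    pending_job = None
    for line in log_text.splitlines():
        m = JOB_RE.match(line)
        if m:
            pending_job = m.group("job")
        elif line.startswith("- ") and pending_job:
            targets[line[2:].strip()].append(pending_job)
            pending_job = None
    return dict(targets)


def suspicious_task_clusters(log_text, min_jobs=3):
    """Targets launched by at least min_jobs distinct At*.job tasks.

    A legitimate program rarely registers itself through at.exe many times over;
    a single binary behind a run of At1..AtN jobs is worth quarantining for review.
    """
    clusters = {}
    for target, jobs in parse_scheduled_tasks(log_text).items():
        at_jobs = [j for j in jobs if AT_JOB_RE.search(j)]
        if len(at_jobs) >= min_jobs:
            clusters[target] = sorted(at_jobs)
    return clusters


def extra_security_providers(log_text):
    """DLLs listed in SecurityProviders that are not in the stock XP list."""
    m = re.search(r"^SecurityProviders\s+(?P<v>.+)$", log_text, re.M)
    if not m:
        return []
    listed = [p.strip() for p in m.group("v").split(",")]
    return [p for p in listed if p.lower() not in STOCK_SECURITY_PROVIDERS]


def build_cfscript(log_text):
    """Render the findings as CFScript text: File:: entries, then a Registry:: fix."""
    lines = ["File::"]
    for target, jobs in sorted(suspicious_task_clusters(log_text).items()):
        lines.extend(jobs)
        lines.append(target)
    if extra_security_providers(log_text):
        lines += [
            "",
            "Registry::",
            "[HKEY_LOCAL_MACHINE\\system\\currentcontrolset\\control\\securityproviders]",
            '"SecurityProviders"="' + ", ".join(STOCK_SECURITY_PROVIDERS) + '"',
        ]
    return "\n".join(lines)


if __name__ == "__main__":
    print("Extra providers:", extra_security_providers(SAMPLE_COMBOFIX_LOG))
    print(build_cfscript(SAMPLE_COMBOFIX_LOG))
```

The generated text is a starting point for a reviewer, not something to feed to ComboFix unread: the thread's own script also removes an Active Setup installed-components key and the "x" Run value, which this parser does not look for, and anything quarantined this way should be submitted to a multi-engine scanner first, as the expert asks for 2QxDlnoD.exe a few posts later.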
xdr56tfcAuthor Commented:
#20

OK here comes CFScript 6 scan results log.  I should add here that when I tried to send this log to you the first time I got the cannot open page ....  And I could not get online until I reset the computer.   CF did not ask to be reset.    Xdr56tfc


ComboFix 08-02-11.2 - Phil Wirth 2008-02-13 14:13:07.6 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.1.1252.1.1033.18.1613 [GMT -8:00]
Running from: D:\Documents and Settings\Phil Wirth\Desktop\ComboFix.exe
Command switches used :: D:\Documents and Settings\Phil Wirth\Desktop\CFScript 6.txt
 * Created a new restore point
 
[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
 
FILE
D:\WINDOWS\System32\2QxDlnoD.exe
D:\WINDOWS\System32\ahuy.exe
D:\WINDOWS\system32\xycdd.bak1
D:\WINDOWS\system32\xycdd.bak2
D:\WINDOWS\Tasks\At1.job
D:\WINDOWS\Tasks\At10.job
D:\WINDOWS\Tasks\At11.job
D:\WINDOWS\Tasks\At12.job
D:\WINDOWS\Tasks\At13.job
D:\WINDOWS\Tasks\At14.job
D:\WINDOWS\Tasks\At15.job
D:\WINDOWS\Tasks\At16.job
D:\WINDOWS\Tasks\At17.job
D:\WINDOWS\Tasks\At18.job
D:\WINDOWS\Tasks\At19.job
D:\WINDOWS\Tasks\At2.job
D:\WINDOWS\Tasks\At20.job
D:\WINDOWS\Tasks\At21.job
D:\WINDOWS\Tasks\At22.job
D:\WINDOWS\Tasks\At23.job
D:\WINDOWS\Tasks\At24.job
D:\WINDOWS\Tasks\At3.job
D:\WINDOWS\Tasks\At4.job
D:\WINDOWS\Tasks\At5.job
D:\WINDOWS\Tasks\At6.job
D:\WINDOWS\Tasks\At7.job
D:\WINDOWS\Tasks\At8.job
D:\WINDOWS\Tasks\At9.job
.
 
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
 
D:\WINDOWS\system32\xycdd.bak1
D:\WINDOWS\system32\xycdd.bak2
D:\WINDOWS\Tasks\At1.job
D:\WINDOWS\Tasks\At10.job
D:\WINDOWS\Tasks\At11.job
D:\WINDOWS\Tasks\At12.job
D:\WINDOWS\Tasks\At13.job
D:\WINDOWS\Tasks\At14.job
D:\WINDOWS\Tasks\At15.job
D:\WINDOWS\Tasks\At16.job
D:\WINDOWS\Tasks\At17.job
D:\WINDOWS\Tasks\At18.job
D:\WINDOWS\Tasks\At19.job
D:\WINDOWS\Tasks\At2.job
D:\WINDOWS\Tasks\At20.job
D:\WINDOWS\Tasks\At21.job
D:\WINDOWS\Tasks\At22.job
D:\WINDOWS\Tasks\At23.job
D:\WINDOWS\Tasks\At24.job
D:\WINDOWS\Tasks\At3.job
D:\WINDOWS\Tasks\At4.job
D:\WINDOWS\Tasks\At5.job
D:\WINDOWS\Tasks\At6.job
D:\WINDOWS\Tasks\At7.job
D:\WINDOWS\Tasks\At8.job
D:\WINDOWS\Tasks\At9.job
 
.
(((((((((((((((((((((((((   Files Created from 2008-01-13 to 2008-02-13  )))))))))))))))))))))))))))))))
.
 
2008-02-12 22:26 . 2007-07-30 19:19	203,096	--a------	D:\WINDOWS\system32\wuweb.dll
2008-02-11 01:31 . 2001-08-23 04:00	375,808	--a------	D:\kmd.exe
2008-02-11 00:52 . 2008-02-11 00:52	<DIR>	d--------	D:\WINDOWS\system32\bits
2008-02-11 00:52 . 2008-02-11 00:52	<DIR>	d--h-----	D:\WINDOWS\$hf_mig$
2008-02-11 00:52 . 2005-02-24 19:35	22,752	--a------	D:\WINDOWS\system32\spupdsvc.exe
2008-02-11 00:10 . 2008-02-11 00:10	<DIR>	d--------	D:\WINDOWS\ERUNT
2008-02-10 23:30 . 2008-02-11 00:15	<DIR>	d--------	D:\SDFix
2008-02-10 15:33 . 2008-02-10 15:33	<DIR>	d--------	D:\Program Files\Trend Micro
2008-02-10 05:32 . 2008-02-12 22:44	54,156	--ah-----	D:\WINDOWS\QTFont.qfn
2008-02-10 05:32 . 2008-02-10 05:32	1,409	--a------	D:\WINDOWS\QTFont.for
 
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-11 09:30	---------	d-----w	D:\Program Files\Thumbs6
2008-01-15 18:58	---------	d-----w	D:\Program Files\ExplorerXP
2008-01-15 18:52	---------	d-----w	D:\Documents and Settings\Phil Wirth\Application Data\ThumbsPlus
2008-01-15 18:13	---------	d-----w	D:\Program Files\File-Saver
2008-01-06 11:17	---------	d-----w	D:\Documents and Settings\Phil Wirth\Application Data\Canon
2008-01-03 03:52	---------	d-----w	D:\Documents and Settings\Phil Wirth\Application Data\MailFrontier
2007-12-22 00:27	70,600	----a-w	D:\Documents and Settings\Phil Wirth\Application Data\GDIPFONTCACHEV1.DAT
2007-12-18 08:51	9,778,976	--sha-w	D:\WINDOWS\system32\drivers\fidbox.dat
2007-12-18 08:37	2,182,306	----a-w	D:\WINDOWS\Internet Logs\tvDebug.zip
2007-12-18 08:37	19,232	--sha-w	D:\WINDOWS\system32\drivers\fidbox2.dat
2007-12-17 21:24	---------	d-----w	D:\Program Files\PC Tools AntiVirus
2007-12-17 10:33	5,888	--sha-w	D:\WINDOWS\system32\drivers\fidbox.idx
2007-12-17 10:33	2,816	--sha-w	D:\WINDOWS\system32\drivers\fidbox2.idx
2007-12-17 06:03	3,138,048	----a-w	D:\WINDOWS\Internet Logs\xDB1.tmp
2007-12-17 06:03	1,967,104	----a-w	D:\WINDOWS\Internet Logs\xDB2.tmp
2007-12-17 04:04	---------	d-----w	D:\Documents and Settings\All Users\Application Data\MailFrontier
2007-11-23 11:07	9,665	----a-w	D:\Documents and Settings\Phil Wirth\xrt_log.dat
2007-11-15 00:05	75,248	----a-w	D:\WINDOWS\zllsputility.exe
2007-11-15 00:05	1,086,952	----a-w	D:\WINDOWS\system32\zpeng24.dll
2007-10-29 22:47	6,987	----a-w	D:\Documents and Settings\Phil Wirth\xrt_collect.zip
2005-05-14 00:12	217,073	--sha-r	D:\WINDOWS\meta4.exe
2005-10-24 18:13	66,560	--sha-r	D:\WINDOWS\MOTA113.exe
2005-10-14 04:27	422,400	--sha-r	D:\WINDOWS\x2.64.exe
2005-10-08 02:14	308,224	--sha-r	D:\WINDOWS\system32\avisynth.dll
2005-07-14 19:31	27,648	--sha-r	D:\WINDOWS\system32\AVSredirect.dll
2005-06-26 22:32	616,448	--sha-r	D:\WINDOWS\system32\cygwin1.dll
2005-06-22 05:37	45,568	--sha-r	D:\WINDOWS\system32\cygz.dll
2004-01-25 07:00	70,656	--sha-r	D:\WINDOWS\system32\i420vfw.dll
2006-04-27 17:24	2,945,024	--sha-r	D:\WINDOWS\system32\Smab.dll
2005-02-28 20:16	240,128	--sha-r	D:\WINDOWS\system32\x.264.exe
2004-01-25 07:00	70,656	--sha-r	D:\WINDOWS\system32\yv12vfw.dll
.
 
(((((((((((((((((((((((((((((((((((((((((((((   AWF   ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w         3,504,640 2005-03-31 21:16:16  D:\Program Files\ASUS\Ai Booster\bak\OverClk.exe
 
----a-w           180,269 2006-06-21 05:52:50  D:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe
----a-w           185,896 2006-11-09 03:23:09  D:\Program Files\Common Files\Real\Update_OB\realsched.exe
 
----a-w           278,528 2006-06-14 23:24:14  D:\Program Files\iTunes\bak\iTunesHelper.exe
 
----a-w           282,624 2006-06-03 19:25:06  D:\Program Files\QuickTime\bak\qttask.exe
----a-w           282,624 2006-09-01 23:57:48  D:\Program Files\QuickTime\qttask.exe
 
----a-w            13,312 2002-08-28 23:41:22  D:\WINDOWS\system32\bak\ctfmon.exe
----a-w            13,312 2002-08-28 23:41:22  D:\WINDOWS\system32\ctfmon.exe
 
----a-w            98,304 2005-01-27 12:00:00  D:\WINDOWS\system32\spool\drivers\w32x86\3\bak\E_FATIABA.EXE
 
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
 
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="D:\WINDOWS\System32\ctfmon.exe" [2002-08-28 15:41 13312]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"x"="" []
"QuickTime Task"="D:\Program Files\QuickTime\qttask.exe" [2006-09-01 15:57 282624]
 
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders	msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, ntoskrnl.dll
 
[HKLM\~\startupfolder\D:^Documents and Settings^Phil Wirth^Start Menu^Programs^Startup^Epson printer Registration.lnk]
path=D:\Documents and Settings\Phil Wirth\Start Menu\Programs\Startup\Epson printer Registration.lnk
backup=D:\WINDOWS\pss\Epson printer Registration.lnkStartup
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2002-08-28 15:41 13312 D:\WINDOWS\System32\ctfmon.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus C88 Series]
D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Launch Ai Booster]
D:\Program Files\ASUS\Ai Booster\OverClk.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCTAVApp]
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunServer]
--a------ 2007-12-17 22:44 290816 D:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2006-11-08 19:23 185896 D:\Program Files\Common Files\Real\Update_OB\realsched.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2006-11-30 21:49 4662776 D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WZCSVC"=2 (0x2)
"SDhelper"=2 (0x2)
 
R2 SMTPSVC;Simple Mail Transfer Protocol (SMTP);D:\WINDOWS\System32\inetsrv\inetinfo.exe [2001-08-23 04:00]
 
.
Contents of the 'Scheduled Tasks' folder
"2008-01-08 03:30:00 D:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- D:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************
 
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-13 14:13:54
Windows 5.1.2600 Service Pack 1 NTFS
 
scanning hidden processes ... 
 
scanning hidden autostart entries ...
 
scanning hidden files ... 
 
scan completed successfully 
hidden files: 0 
 
**************************************************************************
.
Completion time: 2008-02-13 14:19:06
ComboFix-quarantined-files.txt  2008-02-13 22:19:05
ComboFix2.txt  2008-02-13 04:09:59
ComboFix3.txt  2008-02-12 00:18:39
ComboFix4.txt  2008-02-11 23:39:14
ComboFix5.txt  2008-02-11 23:28:44
.
2008-02-11 08:53:01	--- E O F ---  


0
xdr56tfcAuthor Commented:
#21

Here comes HiJack 6.

 
ComboFix 08-02-11.2 - Phil Wirth 2008-02-13 14:13:07.6 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.1.1252.1.1033.18.1613 [GMT -8:00]
Running from: D:\Documents and Settings\Phil Wirth\Desktop\ComboFix.exe
Command switches used :: D:\Documents and Settings\Phil Wirth\Desktop\CFScript 6.txt
 * Created a new restore point
 
[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
 
FILE
D:\WINDOWS\System32\2QxDlnoD.exe
D:\WINDOWS\System32\ahuy.exe
D:\WINDOWS\system32\xycdd.bak1
D:\WINDOWS\system32\xycdd.bak2
D:\WINDOWS\Tasks\At1.job
D:\WINDOWS\Tasks\At10.job
D:\WINDOWS\Tasks\At11.job
D:\WINDOWS\Tasks\At12.job
D:\WINDOWS\Tasks\At13.job
D:\WINDOWS\Tasks\At14.job
D:\WINDOWS\Tasks\At15.job
D:\WINDOWS\Tasks\At16.job
D:\WINDOWS\Tasks\At17.job
D:\WINDOWS\Tasks\At18.job
D:\WINDOWS\Tasks\At19.job
D:\WINDOWS\Tasks\At2.job
D:\WINDOWS\Tasks\At20.job
D:\WINDOWS\Tasks\At21.job
D:\WINDOWS\Tasks\At22.job
D:\WINDOWS\Tasks\At23.job
D:\WINDOWS\Tasks\At24.job
D:\WINDOWS\Tasks\At3.job
D:\WINDOWS\Tasks\At4.job
D:\WINDOWS\Tasks\At5.job
D:\WINDOWS\Tasks\At6.job
D:\WINDOWS\Tasks\At7.job
D:\WINDOWS\Tasks\At8.job
D:\WINDOWS\Tasks\At9.job
.
 
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
 
D:\WINDOWS\system32\xycdd.bak1
D:\WINDOWS\system32\xycdd.bak2
D:\WINDOWS\Tasks\At1.job
D:\WINDOWS\Tasks\At10.job
D:\WINDOWS\Tasks\At11.job
D:\WINDOWS\Tasks\At12.job
D:\WINDOWS\Tasks\At13.job
D:\WINDOWS\Tasks\At14.job
D:\WINDOWS\Tasks\At15.job
D:\WINDOWS\Tasks\At16.job
D:\WINDOWS\Tasks\At17.job
D:\WINDOWS\Tasks\At18.job
D:\WINDOWS\Tasks\At19.job
D:\WINDOWS\Tasks\At2.job
D:\WINDOWS\Tasks\At20.job
D:\WINDOWS\Tasks\At21.job
D:\WINDOWS\Tasks\At22.job
D:\WINDOWS\Tasks\At23.job
D:\WINDOWS\Tasks\At24.job
D:\WINDOWS\Tasks\At3.job
D:\WINDOWS\Tasks\At4.job
D:\WINDOWS\Tasks\At5.job
D:\WINDOWS\Tasks\At6.job
D:\WINDOWS\Tasks\At7.job
D:\WINDOWS\Tasks\At8.job
D:\WINDOWS\Tasks\At9.job
 
.
(((((((((((((((((((((((((   Files Created from 2008-01-13 to 2008-02-13  )))))))))))))))))))))))))))))))
.
 
2008-02-12 22:26 . 2007-07-30 19:19	203,096	--a------	D:\WINDOWS\system32\wuweb.dll
2008-02-11 01:31 . 2001-08-23 04:00	375,808	--a------	D:\kmd.exe
2008-02-11 00:52 . 2008-02-11 00:52	<DIR>	d--------	D:\WINDOWS\system32\bits
2008-02-11 00:52 . 2008-02-11 00:52	<DIR>	d--h-----	D:\WINDOWS\$hf_mig$
2008-02-11 00:52 . 2005-02-24 19:35	22,752	--a------	D:\WINDOWS\system32\spupdsvc.exe
2008-02-11 00:10 . 2008-02-11 00:10	<DIR>	d--------	D:\WINDOWS\ERUNT
2008-02-10 23:30 . 2008-02-11 00:15	<DIR>	d--------	D:\SDFix
2008-02-10 15:33 . 2008-02-10 15:33	<DIR>	d--------	D:\Program Files\Trend Micro
2008-02-10 05:32 . 2008-02-12 22:44	54,156	--ah-----	D:\WINDOWS\QTFont.qfn
2008-02-10 05:32 . 2008-02-10 05:32	1,409	--a------	D:\WINDOWS\QTFont.for
 
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-11 09:30	---------	d-----w	D:\Program Files\Thumbs6
2008-01-15 18:58	---------	d-----w	D:\Program Files\ExplorerXP
2008-01-15 18:52	---------	d-----w	D:\Documents and Settings\Phil Wirth\Application Data\ThumbsPlus
2008-01-15 18:13	---------	d-----w	D:\Program Files\File-Saver
2008-01-06 11:17	---------	d-----w	D:\Documents and Settings\Phil Wirth\Application Data\Canon
2008-01-03 03:52	---------	d-----w	D:\Documents and Settings\Phil Wirth\Application Data\MailFrontier
2007-12-22 00:27	70,600	----a-w	D:\Documents and Settings\Phil Wirth\Application Data\GDIPFONTCACHEV1.DAT
2007-12-18 08:51	9,778,976	--sha-w	D:\WINDOWS\system32\drivers\fidbox.dat
2007-12-18 08:37	2,182,306	----a-w	D:\WINDOWS\Internet Logs\tvDebug.zip
2007-12-18 08:37	19,232	--sha-w	D:\WINDOWS\system32\drivers\fidbox2.dat
2007-12-17 21:24	---------	d-----w	D:\Program Files\PC Tools AntiVirus
2007-12-17 10:33	5,888	--sha-w	D:\WINDOWS\system32\drivers\fidbox.idx
2007-12-17 10:33	2,816	--sha-w	D:\WINDOWS\system32\drivers\fidbox2.idx
2007-12-17 06:03	3,138,048	----a-w	D:\WINDOWS\Internet Logs\xDB1.tmp
2007-12-17 06:03	1,967,104	----a-w	D:\WINDOWS\Internet Logs\xDB2.tmp
2007-12-17 04:04	---------	d-----w	D:\Documents and Settings\All Users\Application Data\MailFrontier
2007-11-23 11:07	9,665	----a-w	D:\Documents and Settings\Phil Wirth\xrt_log.dat
2007-11-15 00:05	75,248	----a-w	D:\WINDOWS\zllsputility.exe
2007-11-15 00:05	1,086,952	----a-w	D:\WINDOWS\system32\zpeng24.dll
2007-10-29 22:47	6,987	----a-w	D:\Documents and Settings\Phil Wirth\xrt_collect.zip
2005-05-14 00:12	217,073	--sha-r	D:\WINDOWS\meta4.exe
2005-10-24 18:13	66,560	--sha-r	D:\WINDOWS\MOTA113.exe
2005-10-14 04:27	422,400	--sha-r	D:\WINDOWS\x2.64.exe
2005-10-08 02:14	308,224	--sha-r	D:\WINDOWS\system32\avisynth.dll
2005-07-14 19:31	27,648	--sha-r	D:\WINDOWS\system32\AVSredirect.dll
2005-06-26 22:32	616,448	--sha-r	D:\WINDOWS\system32\cygwin1.dll
2005-06-22 05:37	45,568	--sha-r	D:\WINDOWS\system32\cygz.dll
2004-01-25 07:00	70,656	--sha-r	D:\WINDOWS\system32\i420vfw.dll
2006-04-27 17:24	2,945,024	--sha-r	D:\WINDOWS\system32\Smab.dll
2005-02-28 20:16	240,128	--sha-r	D:\WINDOWS\system32\x.264.exe
2004-01-25 07:00	70,656	--sha-r	D:\WINDOWS\system32\yv12vfw.dll
.
 
(((((((((((((((((((((((((((((((((((((((((((((   AWF   ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w         3,504,640 2005-03-31 21:16:16  D:\Program Files\ASUS\Ai Booster\bak\OverClk.exe
 
----a-w           180,269 2006-06-21 05:52:50  D:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe
----a-w           185,896 2006-11-09 03:23:09  D:\Program Files\Common Files\Real\Update_OB\realsched.exe
 
----a-w           278,528 2006-06-14 23:24:14  D:\Program Files\iTunes\bak\iTunesHelper.exe
 
----a-w           282,624 2006-06-03 19:25:06  D:\Program Files\QuickTime\bak\qttask.exe
----a-w           282,624 2006-09-01 23:57:48  D:\Program Files\QuickTime\qttask.exe
 
----a-w            13,312 2002-08-28 23:41:22  D:\WINDOWS\system32\bak\ctfmon.exe
----a-w            13,312 2002-08-28 23:41:22  D:\WINDOWS\system32\ctfmon.exe
 
----a-w            98,304 2005-01-27 12:00:00  D:\WINDOWS\system32\spool\drivers\w32x86\3\bak\E_FATIABA.EXE
 
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
 
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="D:\WINDOWS\System32\ctfmon.exe" [2002-08-28 15:41 13312]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"x"="" []
"QuickTime Task"="D:\Program Files\QuickTime\qttask.exe" [2006-09-01 15:57 282624]
 
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders	msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, ntoskrnl.dll
 
[HKLM\~\startupfolder\D:^Documents and Settings^Phil Wirth^Start Menu^Programs^Startup^Epson printer Registration.lnk]
path=D:\Documents and Settings\Phil Wirth\Start Menu\Programs\Startup\Epson printer Registration.lnk
backup=D:\WINDOWS\pss\Epson printer Registration.lnkStartup
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2002-08-28 15:41 13312 D:\WINDOWS\System32\ctfmon.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus C88 Series]
D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Launch Ai Booster]
D:\Program Files\ASUS\Ai Booster\OverClk.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCTAVApp]
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunServer]
--a------ 2007-12-17 22:44 290816 D:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2006-11-08 19:23 185896 D:\Program Files\Common Files\Real\Update_OB\realsched.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2006-11-30 21:49 4662776 D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WZCSVC"=2 (0x2)
"SDhelper"=2 (0x2)
 
R2 SMTPSVC;Simple Mail Transfer Protocol (SMTP);D:\WINDOWS\System32\inetsrv\inetinfo.exe [2001-08-23 04:00]
 
.
Contents of the 'Scheduled Tasks' folder
"2008-01-08 03:30:00 D:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- D:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************
 
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-13 14:13:54
Windows 5.1.2600 Service Pack 1 NTFS
 
scanning hidden processes ... 
 
scanning hidden autostart entries ...
 
scanning hidden files ... 
 
scan completed successfully 
hidden files: 0 
 
**************************************************************************
.
Completion time: 2008-02-13 14:19:06
ComboFix-quarantined-files.txt  2008-02-13 22:19:05
ComboFix2.txt  2008-02-13 04:09:59
ComboFix3.txt  2008-02-12 00:18:39
ComboFix4.txt  2008-02-11 23:39:14
ComboFix5.txt  2008-02-11 23:28:44
.
2008-02-11 08:53:01	--- E O F ---  


0
xdr56tfcAuthor Commented:

#22

I have another Trend Micro Hijack This Box with about 9 squares to check.   Should I do anything?  xdr56tfc

0
IndiGenusCommented:
The second log you sent was combofix again. Can you please send a HijackThis log.

Also,
Download FindAWF
http://noahdfear.net/downloads/FindAWF.exe

Save the file to the Desktop
Double-click the FindAWF icon.

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 1 then Enter to scan for bak folders
The scan may take a while, please be patient.

When done, a text file, Find AWF report, is produced that we need to look at.
Please upload it in your reply.
0
IndiGenusCommented:
Just post the HJT log. Also, I had asked you to run Fixwareout earlier. Did you run it? If so please post that log too. If not please run.
0
xdr56tfcAuthor Commented:
#23

This should be it.    xdr56tfc

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:16:04 PM, on 2/13/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
 
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\System32\inetsrv\inetinfo.exe
D:\WINDOWS\System32\snmp.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\System32\ctfmon.exe
D:\Program Files\QuickTime\qttask.exe
D:\WINDOWS\System32\wuauclt.exe
D:\Documents and Settings\Phil Wirth\Desktop\MSOFFICE.EXE
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\WINDOWS\System32\wuauclt.exe
D:\Program Files\Microsoft Office\Office10\WINWORD.EXE
D:\WINDOWS\msagent\AgentSvr.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe
 
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\System32\ctfmon.exe
O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - D:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZoneLabs\vsmon.exe
O24 - Desktop Component 0: (no name) - (no file)
O24 - Desktop Component 1: www.BUSTY.pl - Slim & Big Busted - http://www.busty.pl/
O24 - Desktop Component 2: bOObs.pl - 100% Exclusive boobs from Poland - http://www.big.boobs.pl/tour01.htm
 
--
End of file - 1918 bytes


0
IndiGenusCommented:
I think you still want to fix these with HJT:

O24 - Desktop Component 0: (no name) - (no file)
O24 - Desktop Component 1: www.BUSTY.pl - Slim & Big Busted - http://www.busty.pl/
O24 - Desktop Component 2: bOObs.pl - 100% Exclusive boobs from Poland - http://www.big.boobs.pl/tour01.htm

You need to get an Antivirus installed, updated, and a full system scan run ASAP too. Some free for home use ones are available....
AVG and Avast are both good. Google them for download.
0
xdr56tfcAuthor Commented:
#23

Here is the FixWareOut log, fresh off the press.   I do not know what this means: "I think you still want to fix these with HJT:"  I have downloaded Avast; is it OK?  The other one is about $12 a year for three years.   That's OK if it's worth it.      xdr56tfc

Username "Phil Wirth" - 02/13/2008 15:46:44 [Fixwareout edited 9/01/2007]
 
~~~~~ Prerun check
 
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{45CEA7A3-171A-489F-ADAA-08B5E6A47FD2}
"DhcpNameServer"="85.255.113.138,85.255.112.203" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{5B26C87F-59B7-4A37-BC34-18541039DCD6}
"DhcpNameServer"="85.255.113.138,85.255.112.203" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{63E9F614-CDC7-413F-B010-05F431CB3051}
"DhcpNameServer"="85.255.113.138,85.255.112.203" <Value cleared.
 
Successfully flushed the DNS Resolver Cache.
 
 
System was rebooted successfully. 
 
~~~~~ Postrun check 
HKLM\SOFTWARE\~\Winlogon\ "System"="" 
....
HKCR\CLSID\{296D3C04-2481-4250-8BE2-88D2EFEF03EB}\_h\4 Deleted.
....
~~~~~ Misc files. 
....
~~~~~ Checking for older varients.
....
 
~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"x"=hex(0):
"QuickTime Task"="\"D:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AutorunsDisabled]
"iTunesHelper"="\"D:\\Program Files\\iTunes\\iTunesHelper.exe\""
"MCAgentExe"="d:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
"MCUpdateExe"="D:\\PROGRA~1\\mcafee.com\\agent\\McUpdate.exe"
"Motive SmartBridge"="D:\\PROGRA~1\\VERIZO~1\\HELPSU~1\\SMARTB~1\\MotiveSB.exe"
"MSKDetectorExe"="D:\\Program Files\\McAfee\\SpamKiller\\MSKDetct.exe /uninstall"
"PRONoMgrWired"="D:\\Program Files\\Intel\\PROSetWired\\NCS\\PROSet\\PRONoMgr.exe"
"SIE2004"="\"D:\\Program Files\\Winferno\\Secure IE\\SIEPulse.exe\""
"SoundMan"="SOUNDMAN.EXE"
"TkBellExe"="\"D:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\"  -osboot"
"VerizonServicepoint.exe"="D:\\Program Files\\Verizon\\Servicepoint\\VerizonServicepoint.exe"
"QuickTime Task"="\"D:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"dla"="D:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"ATIPTA"="D:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"A Verizon App"="D:\\PROGRA~1\\VERIZO~1\\HELPSU~1\\VERIZO~1.EXE"
"StorageGuard"="\"D:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
 
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="D:\\WINDOWS\\System32\\ctfmon.exe"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AutorunsDisabled]
"MSKAGENTEXE"="D:\\PROGRA~1\\McAfee\\SPAMKI~1\\MSKAgent.exe"
"ctfmon.exe"="D:\\WINDOWS\\System32\\ctfmon.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~


0
IndiGenusCommented:
Avast is good yes. Good choice.

OK Fixwareout log looks good. On to post ID: 2088940 to try and deal with AWF infection.
0
xdr56tfcAuthor Commented:

I do not know what this means?  "On to post ID: 2088940 to try and deal with AWF infection"

xdr56tfc
0
IndiGenusCommented:
Sorry, each post has an ID number in the top right hand corner. This post said this....

IndiGenus:
The second log you sent was combofix again. Can you please send a HijackThis log.

Also,
Download FindAWF
http://noahdfear.net/downloads/FindAWF.exe

Save the file to the Desktop
Double-click the FindAWF icon.

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 1 then Enter to scan for bak folders
The scan may take a while, please be patient.

When done, a text file, Find AWF report, is produced that we need to look at.
Please upload it in your reply.
0
xdr56tfcAuthor Commented:

Here is the report.   What are AWF files? xdr56tfc



  Find AWF report by noahdfear ©2006
               Version 1.40
 
The current date is: Thu 02/14/2008 
The current time is:  5:34:37.35
 
 
  bak folders found
  ~~~~~~~~~~~
 
 
 Directory of D:\PROGRA~1\ITUNES\BAK
 
06/14/2006  03:24 PM           278,528 iTunesHelper.exe
               1 File(s)        278,528 bytes
 
 Directory of D:\PROGRA~1\QUICKT~2\BAK
 
06/03/2006  11:25 AM           282,624 qttask.exe
               1 File(s)        282,624 bytes
 
 Directory of D:\PROGRA~1\STARDO~1\BAK
 
               0 File(s)              0 bytes
 
 Directory of D:\WINDOWS\SYSTEM32\BAK
 
08/28/2002  03:41 PM            13,312 ctfmon.exe
               1 File(s)         13,312 bytes
 
 Directory of D:\PROGRA~1\ASUS\AIBOOS~1\BAK
 
03/31/2005  01:16 PM         3,504,640 OverClk.exe
               1 File(s)      3,504,640 bytes
 
 Directory of D:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK
 
06/20/2006  09:52 PM           180,269 realsched.exe
               1 File(s)        180,269 bytes
 
 Directory of D:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\BAK
 
01/27/2005  04:00 AM            98,304 E_FATIABA.EXE
               1 File(s)         98,304 bytes
 
 
  Duplicate files of bak directory contents
  ~~~~~~~~~~~~~~~~~~~~~~~
 
  37518744 Jul 23 2006 "C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\BV1IBUFC\iTunesSetup[1].exe"
    278528 Jun 14 2006 "D:\Program Files\iTunes\bak\iTunesHelper.exe"
    282624 Sep  1 2006 "D:\Program Files\QuickTime\qttask.exe"
    282624 Jun  3 2006 "D:\Program Files\QuickTime\bak\qttask.exe"
     20992 Mar 25 2005 "C:\WINDOWS\system32\ctfmon.exe"
     15360 Mar 25 2005 "C:\WINDOWS\SysWOW64\ctfmon.exe"
     13312 Aug 28 2002 "D:\WINDOWS\system32\ctfmon.exe"
     13312 Aug 28 2002 "D:\WINDOWS\system32\bak\ctfmon.exe"
   3504640 Mar 31 2005 "D:\Program Files\ASUS\Ai Booster\bak\OverClk.exe"
    185896 Nov  8 2006 "D:\Program Files\Common Files\Real\Update_OB\realsched.exe"
    180269 Jun 20 2006 "D:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
     98304 Jan 27 2005 "D:\WINDOWS\system32\spool\drivers\w32x86\epsonstylus_c885e4d\E_FATIABA.EXE"
     98304 Jan 27 2005 "D:\WINDOWS\system32\spool\drivers\w32x86\3\bak\E_FATIABA.EXE"
 
 
  end of report


0
IndiGenusCommented:
An AWF infection basically replaces legitimate .exe files with infected ones and places the legitimate ones in a bak folder. This tool identifies those, and using the tool we can remove the bad ones and put the good ones back where they belong.

Please double-click the FindAWF icon once again.

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 2 then Enter to restore files from bak folders.

A text file opens called: files.txt
Copy and paste the following list of files from between the lines to be restored:

---------------------------------------------------

"D:\Program Files\iTunes\bak\iTunesHelper.exe"
"D:\Program Files\QuickTime\bak\qttask.exe"
"D:\WINDOWS\system32\bak\ctfmon.exe"
"D:\Program Files\ASUS\Ai Booster\bak\OverClk.exe"
"D:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
"D:\WINDOWS\system32\spool\drivers\w32x86\3\bak\E_FATIABA.EXE"

---------------------------------------------------

Next, close and click Yes to save the changes.

Once files.txt is saved, FindAWF does the following:
-It attempts to terminate the process represented by each filename on the list, if running
-Deletes the rogue file from the parent folder, if present
-Copies the original file to the parent folder

When done with the above, it automatically runs a new scan and opens a new log.
Upload that new log.
0
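The replace-and-stash pattern described above, and the three steps FindAWF takes once files.txt is saved, can both be checked from the report itself. This added example (not FindAWF's or the thread's own code) parses the "Duplicate files of bak directory contents" section and reports, for each stashed original, whether the parent folder still holds a file that differs from it; the two report excerpts are constructed from the logs in this thread.

```python
import re

# One entry of the "Duplicate files of bak directory contents" section:
#   <size> <Mon> <day> <year> "<path>"
ENTRY_RE = re.compile(
    r'^\s*(\d+)\s+([A-Z][a-z]{2})\s+(\d{1,2})\s+(\d{4})\s+"(.+)"\s*$')


def parse_duplicates(report):
    """Return {lower-cased path: (size, 'Mon d yyyy')} for every entry in
    the duplicate-files section of a FindAWF report."""
    entries = {}
    in_section = False
    for line in report.splitlines():
        if "Duplicate files of bak directory contents" in line:
            in_section = True
            continue
        if not in_section:
            continue
        if line.strip() == "end of report":
            break
        m = ENTRY_RE.match(line)
        if m:
            size, mon, day, year, path = m.groups()
            entries[path.lower()] = (int(size), f"{mon} {int(day)} {year}")
    return entries


def bak_status(report):
    """For each file stashed under a 'bak' folder, classify the copy that
    sits in the parent folder (Windows paths, so matching is case-blind):
      'replaced' - parent copy differs in size or date from the stashed
                   original, i.e. the AWF swap is still in place
      'restored' - parent copy has the same size and date as the original
      'missing'  - the report lists no parent-folder copy at all"""
    entries = parse_duplicates(report)
    status = {}
    for path, stamp in entries.items():
        parts = path.split("\\")
        if len(parts) < 3 or parts[-2] != "bak":
            continue
        parent = "\\".join(parts[:-2] + parts[-1:])
        if parent not in entries:
            status[parent] = "missing"
        elif entries[parent] == stamp:
            status[parent] = "restored"
        else:
            status[parent] = "replaced"
    return status


# Constructed excerpts based on the two FindAWF reports in this thread
# (before option 2 was run, and after). Sizes and dates are as posted.
BEFORE_RESTORE = r"""
  Duplicate files of bak directory contents
  ~~~~~~~~~~~~~~~~~~~~~~~

    282624 Sep  1 2006 "D:\Program Files\QuickTime\qttask.exe"
    282624 Jun  3 2006 "D:\Program Files\QuickTime\bak\qttask.exe"
     20992 Mar 25 2005 "C:\WINDOWS\system32\ctfmon.exe"
     13312 Aug 28 2002 "D:\WINDOWS\system32\ctfmon.exe"
     13312 Aug 28 2002 "D:\WINDOWS\system32\bak\ctfmon.exe"
   3504640 Mar 31 2005 "D:\Program Files\ASUS\Ai Booster\bak\OverClk.exe"
    185896 Nov  8 2006 "D:\Program Files\Common Files\Real\Update_OB\realsched.exe"
    180269 Jun 20 2006 "D:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"

  end of report
"""

AFTER_RESTORE = r"""
  Duplicate files of bak directory contents
  ~~~~~~~~~~~~~~~~~~~~~~~

    282624 Jun  3 2006 "D:\Program Files\QuickTime\qttask.exe"
    282624 Jun  3 2006 "D:\Program Files\QuickTime\bak\qttask.exe"
     13312 Aug 28 2002 "D:\WINDOWS\system32\ctfmon.exe"
     13312 Aug 28 2002 "D:\WINDOWS\system32\bak\ctfmon.exe"
   3504640 Mar 31 2005 "D:\Program Files\ASUS\Ai Booster\OverClk.exe"
   3504640 Mar 31 2005 "D:\Program Files\ASUS\Ai Booster\bak\OverClk.exe"
     98304 Jan 27 2005 "D:\WINDOWS\system32\spool\drivers\w32x86\3\E_FATIABA.EXE"
     98304 Jan 27 2005 "D:\WINDOWS\system32\spool\drivers\w32x86\epsonstylus_c885e4d\E_FATIABA.EXE"
     98304 Jan 27 2005 "D:\WINDOWS\system32\spool\drivers\w32x86\3\bak\E_FATIABA.EXE"

  end of report
"""

if __name__ == "__main__":
    for label, report in (("before", BEFORE_RESTORE), ("after", AFTER_RESTORE)):
        print(f"--- {label} option 2 ---")
        for parent, state in sorted(bak_status(report).items()):
            print(f"{state:9} {parent}")
```

The unrelated C:\ copy of ctfmon.exe is listed only because it shares a file name; matching on the full parent path keeps it from being mistaken for the restored D:\ copy.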
xdr56tfcAuthor Commented:
I hope this is it, this is the only log I could find after FindAWF finished.

  Find AWF report by noahdfear ©2006
               Version 1.40
Option 2 run successfully
 
The current date is: Thu 02/14/2008 
The current time is: 11:19:07.95
 
 
  bak folders found
  ~~~~~~~~~~~
 
 
 Directory of D:\PROGRA~1\ITUNES\BAK
 
06/14/2006  03:24 PM           278,528 iTunesHelper.exe
               1 File(s)        278,528 bytes
 
 Directory of D:\PROGRA~1\QUICKT~2\BAK
 
06/03/2006  11:25 AM           282,624 qttask.exe
               1 File(s)        282,624 bytes
 
 Directory of D:\PROGRA~1\STARDO~1\BAK
 
               0 File(s)              0 bytes
 
 Directory of D:\WINDOWS\SYSTEM32\BAK
 
08/28/2002  03:41 PM            13,312 ctfmon.exe
               1 File(s)         13,312 bytes
 
 Directory of D:\PROGRA~1\ASUS\AIBOOS~1\BAK
 
03/31/2005  01:16 PM         3,504,640 OverClk.exe
               1 File(s)      3,504,640 bytes
 
 Directory of D:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK
 
06/20/2006  09:52 PM           180,269 realsched.exe
               1 File(s)        180,269 bytes
 
 Directory of D:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\BAK
 
01/27/2005  04:00 AM            98,304 E_FATIABA.EXE
               1 File(s)         98,304 bytes
 
 
  Duplicate files of bak directory contents
  ~~~~~~~~~~~~~~~~~~~~~~~
 
  37518744 Jul 23 2006 "C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\BV1IBUFC\iTunesSetup[1].exe"
    278528 Jun 14 2006 "D:\Program Files\iTunes\iTunesHelper.exe"
    278528 Jun 14 2006 "D:\Program Files\iTunes\bak\iTunesHelper.exe"
    282624 Jun  3 2006 "D:\Program Files\QuickTime\qttask.exe"
    282624 Jun  3 2006 "D:\Program Files\QuickTime\bak\qttask.exe"
     20992 Mar 25 2005 "C:\WINDOWS\system32\ctfmon.exe"
     15360 Mar 25 2005 "C:\WINDOWS\SysWOW64\ctfmon.exe"
     13312 Aug 28 2002 "D:\WINDOWS\system32\ctfmon.exe"
     13312 Aug 28 2002 "D:\WINDOWS\system32\bak\ctfmon.exe"
   3504640 Mar 31 2005 "D:\Program Files\ASUS\Ai Booster\OverClk.exe"
   3504640 Mar 31 2005 "D:\Program Files\ASUS\Ai Booster\bak\OverClk.exe"
    180269 Jun 20 2006 "D:\Program Files\Common Files\Real\Update_OB\realsched.exe"
    180269 Jun 20 2006 "D:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
     98304 Jan 27 2005 "D:\WINDOWS\system32\spool\drivers\w32x86\3\E_FATIABA.EXE"
     98304 Jan 27 2005 "D:\WINDOWS\system32\spool\drivers\w32x86\epsonstylus_c885e4d\E_FATIABA.EXE"
     98304 Jan 27 2005 "D:\WINDOWS\system32\spool\drivers\w32x86\3\bak\E_FATIABA.EXE"
 
 
  end of report


0
xdr56tfcAuthor Commented:
#24

I just scanned my computer with Avast, and it found 100s of files that it says have infections, but I can't do anything with them. By the way, it took all night.   It gives the options to: Delete, Repair, Move, Chest or Scan, but they are all grayed out so I cannot do anything with them.   Do you know what the deal is?   I imagine that Chest means quarantine.  Xdr56tfc
0
IndiGenusCommented:
That is the correct report from AWF. On to step 3 next. As far as what Avast found, that is no surprise. Much of it may be in restore points so a clear out at the end will help that, but I have to stress to you again how infected this PC was. I have worked on hundreds of Malware infected PCs and this was one of the worst I've ever seen, period. A format and re-install honestly probably would have been the best way to go here. I'm not sure if you'll ever get rid of EVERYTHING here. Most hopefully, yes... let's continue.

Double-click the FindAWF icon once again.
This time we are going to remove the bak folders.

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 3 then Enter to remove bak folders

A text file opens called: folders.txt
Click below the line and paste the following list of folders between the lines to be removed:

------------------------------------------------

D:\Program Files\iTunes\bak
D:\Program Files\QuickTime\bak
D:\WINDOWS\system32\bak
D:\Program Files\Common Files\Real\Update_OB\bak
D:\WINDOWS\system32\spool\drivers\w32x86\3\bak

------------------------------------------------

Next, close and click Yes to save the changes.

When done with the above, FindAWF automatically runs a new scan and opens a new log that you need to post.
Upload that please.
0
xdr56tfcAuthor Commented:
#25

I get about a dozen spams a day in my e-mail.    It seems that what the spammers are doing is misspelling all the words in the message, but misspelling them so the words can be understood; like loove or kisss or viiagraa.   This makes it almost impossible to screen out the spammers.  And it seems that there are thousands of spammers, because I block all the spammers that I receive, and they still keep coming, and mostly in the same format.  Do you have any ideas??   You are spending a lot of skill and time on this; is there some way that I can pay you?    Xdr56tfc

0
xdr56tfcAuthor Commented:
#26

Here is the file.   My motherboard Asus overclocking program stopped working a long time ago.   I never used it much anyway.   Some of these files that were found by Avast were on drive C, which I have been trying to reformat for a long time; in fact I just tried it again yesterday.   It seems that I can't reformat it because I have a Windows XP 64 on it that I did not like, because some of my programs would not work on it.   Do you know how I can reformat a drive that has an OS on it?   And when I boot up it keeps giving me the option to boot to it.   You're talking about how hard it's been straightening up my computer; well, you've got it about a hundred times better than it was.    Xdr56tfc


  Find AWF report by noahdfear ©2006
               Version 1.40
Option 3 run successfully
 
The current date is: Fri 02/15/2008 
The current time is: 19:01:00.00
 
 
  bak folders found
  ~~~~~~~~~~~
 
 
 Directory of D:\PROGRA~1\STARDO~1\BAK
 
               0 File(s)              0 bytes
 
 Directory of D:\PROGRA~1\ASUS\AIBOOS~1\BAK
 
03/31/2005  01:16 PM         3,504,640 OverClk.exe
               1 File(s)      3,504,640 bytes
 
 
  Duplicate files of bak directory contents
  ~~~~~~~~~~~~~~~~~~~~~~~
 
   3504640 Mar 31 2005 "D:\Program Files\ASUS\Ai Booster\OverClk.exe"
   3504640 Mar 31 2005 "D:\Program Files\ASUS\Ai Booster\bak\OverClk.exe"
 
 
  end of report


0
IndiGenusCommented:
OK to finish off with the AWF infection.

To finish, run Option 4.

Double-click the FindAWF icon once again.
Use the following option: Press 4 then Enter to reset domain zones.

When the program returns to the main menu, use the following option:
Press E then Enter to EXIT

~~~~~~~~~~~~~~~~~~~~~~

To clean up from Combofix and set a fresh restore point...

Click START then Run...
Now type Combofix /u in the runbox  and click OK.  Note the space between the X and the U, it needs to be there.

The above procedure will:

Delete the following:
ComboFix and its associated files and folders.
VundoFix backups, if present
The C:\Deckard folder, if present
The C:_OtMoveIt folder, if present

Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Reset System Restore.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

It sounds like you have a dual boot situation here right? I believe you can clean that partition off but that question would probably be better suited to another area in here. You should first make sure that the D drive is at least clean first though and it sounds like we're close. Post a fresh HJT log and let me know how it's running. I would suggest another virus scan, but just scan the D drive, letting it fix or quarantine (virus chest) anything it finds.
0
xdr56tfcAuthor Commented:
#27

Hello,   I'm back.  I did the clean up with Combofix, and I did a HJT or Hijack This and have put it in the Snippet box.   I hope it's right; I hadn't done a HJT in a while so I had to go back and see how to do it.   I even had to figure out what HJT meant.   That's what happens when you get old; I'm 76; feel like 40 though.     Xdr56tfc

.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:40:32 PM, on 2/16/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
 
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
D:\Program Files\Alwil Software\Avast4\ashServ.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\System32\inetsrv\inetinfo.exe
D:\WINDOWS\System32\snmp.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
D:\WINDOWS\System32\ctfmon.exe
D:\Program Files\QuickTime\qttask.exe
D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
D:\Documents and Settings\Phil Wirth\Desktop\MSOFFICE.EXE
D:\WINDOWS\System32\wuauclt.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe
 
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\System32\ctfmon.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - D:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZoneLabs\vsmon.exe
O24 - Desktop Component 0: (no name) - (no file)
O24 - Desktop Component 1: www.BUSTY.pl - Slim & Big Busted - http://www.busty.pl/
O24 - Desktop Component 2: bOObs.pl - 100% Exclusive boobs from Poland - http://www.big.boobs.pl/tour01.htm
 
--
End of file - 2559 bytes


0
xdr56tfcAuthor Commented:

#28

I ran an Avast scan and all I got was a lot of "Unable to scan: Archive is password protected". I don't have any password protected files that I know of.  Avast did not find any viruses.  Yes, I do have a dual boot, but I'd rather not.  It seems that we are coming along real good.   Xdr56tfc



0
IndiGenusCommented:
Hi,

Have you tried fixing these with HijackThis? They still need to go...

O24 - Desktop Component 0: (no name) - (no file)
O24 - Desktop Component 1: www.BUSTY.pl - Slim & Big Busted - http://www.busty.pl/
O24 - Desktop Component 2: bOObs.pl - 100% Exclusive boobs from Poland - http://www.big.boobs.pl/tour01.htm

Run HijackThis. Hit None of the above, Click Do a System Scan Only. Put a Check in the box on the left side on those entries.

Then close all windows except HijackThis and press Fix checked.

Reboot and post a new HijackThis log.
0
xdr56tfcAuthor Commented:
#29

Good Morning,

I ran HJT and fixed them, but when I ran HJT again they were still there. Maybe they're fixed. Anyway, I'm sending the log. xdr56tfc

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:44:26 AM, on 2/17/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
 
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
D:\Program Files\Alwil Software\Avast4\ashServ.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\System32\inetsrv\inetinfo.exe
D:\WINDOWS\System32\snmp.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
D:\WINDOWS\System32\ctfmon.exe
D:\Program Files\QuickTime\qttask.exe
D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
D:\Documents and Settings\Phil Wirth\Desktop\MSOFFICE.EXE
D:\WINDOWS\System32\wuauclt.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe
 
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\System32\ctfmon.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - D:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZoneLabs\vsmon.exe
O24 - Desktop Component 0: (no name) - (no file)
O24 - Desktop Component 1: www.BUSTY.pl - Slim & Big Busted - http://www.busty.pl/
O24 - Desktop Component 2: bOObs.pl - 100% Exclusive boobs from Poland - http://www.big.boobs.pl/tour01.htm
 
--
End of file - 2559 bytes


0
IndiGenusCommented:
Well I'm not sure if those Active Desktop Components are "malicious" or not. I assume that is someplace that you "visit" online. ;) I guess we don't really need to worry a whole lot if they are not causing issues here...

You really need to update to service pack 2, it includes many security updates that Windows has implemented over the past several years. This will increase your overall security greatly.

Link to Windows Update: http://v5.windowsupdate.microsoft.com

Let me know how you make out. If SP2 has problems installing you may still be infected. Also, you may want to find out if you need to re-install your OS if you are removing the dual boot. That would definitely make sure you're clean, as I don't know with all the infections you had that we could ever assure you're clean without a reformat.

Good luck,
Dave
0
xdr56tfcAuthor Commented:
When I use your link it takes me to a page that says what I'm putting in the snippet, and all that page does is talk about automatic updates; the page does not look very Windowish! When I go through Windows support and hit their link to SP 2 it goes to the same page. That page does not link to any other page; it is just instructions on how to set up automatic updates. I have Windows XP Professional Version 2002 with Service Pack 1; that may be the problem. I could reformat drives C:\ and D:\ but there is some software that I don't have, which I could get. I would need to know how to get my mail box, and addresses, and network setup etc. I reinstalled Windows like they said, and I just took all my problems with me. Let me know what you think.
Thank you for your interest in obtaining updates from our site. 
 
To use this site, you must be running Microsoft Internet Explorer 5 or later. 
 
To upgrade to the latest version of the browser, go to the Internet Explorer Downloads website. 
 
If you prefer to use a different web browser, you can obtain updates from the Microsoft Download Center or you can stay up to date with the latest critical and security updates by using Automatic Updates. To turn on Automatic Updates:
 
 
Click Start, and then click Control Panel. 
Depending on which Control Panel view you use, Classic or Category, do one of the following: 
Click System, and then click the Automatic Updates tab. 
Click Performance and Maintenance, click System, and then click the Automatic Updates tab.
Click the option that you want. Make sure Automatic Updates is not turned off. 


0
IndiGenusCommented:
What browser did you use to go to the Windows Update page? You need to make sure you are using IE. Firefox or others will not work. I believe that is the message that you get in that case.
0
xdr56tfcAuthor Commented:
Hello,

I have Microsoft Internet Explorer Version 6.0.2800.1106; it is the only thing I use. Do I need something better? I did another scan; it just found 2 bugs, and they were not in the root directory, they were in drive L, that's an external drive where I keep everything that I create and download.

xdrtfc
0
IndiGenusCommented:
OK try this. Click Start->Help and Support
Then under Tasks click on the update windows link
0
xdr56tfcAuthor Commented:

#35

Hello IndiGenus.

This last comments box has not been here, so I could not reply to you. I think it is because solving this problem has taken so much space. I think we have created over 60 comment boxes, and some very long snippets. I also had a very hard time bringing up the text in your last comments. Anyway, I did what you said and it went right to the same dialog box. Then it seemed like when dealing with Windows Help and Support that it was not recognizing my IE as IE 6, so I tried to download IE 7 and it would go round and round between trying to download IE 7, and updating to SP 2 and that dialog box, and it always came to a dead end. On my Windows XP Pro installation disc it says it has SP 2, but it does not. I was attacked again by two spywares, and they kept popping up from the quick launch bar, and tried to sell me some software to stop what they were doing; popping up every minute; so I restored back a day and it went away. I must need a better firewall, which I think SP 2 has, but I may need a third party program. What do you think?

The important thing is to get you your points, which I will not be able to do if what happened before happens again. I think there is a way to split a problem; would that help? If I said the problem was solved you would get your points, but the string on this problem would end; is that correct? If I did that and I wrote another problem on getting SP 2 and a better firewall, would you be able to pick it up? I would like you to finish these problems with me, because you know my computer, and you have done a great job, and have been very patient. Let me know what to do. Xdr56tfc

0
IndiGenusCommented:
Hi,
Don't worry about the points, that's not why I'm here. I'm here to help and to learn myself.

I don't know how much better the firewall in SP2 is...but the main thing is it's turned on by default, which it's not in SP1. So yours may not even be on unless you turned it on. I would recommend installing a third party firewall though, and there are many to choose from, with a couple even being free for home use. I would wait on that until you are clear here. Just make sure to turn on yours if you haven't.

On the problems with the update to SP2, that could be related to still present malware, or it could be a separate issue. Have you tried installing SP2 in Safe Mode? I have had a couple of cases recently where this worked. Just another thing to try.

Also, I'm not having any problems with the amount or size of posts or posts getting cut off...so not sure what's going on your end...
Dave
0
IndiGenusCommented:
Also, post a new updated Hijackthis log. It's been several days since the last one I saw.
0
xdr56tfcAuthor Commented:
#36


Hi, good to hear that you could still make contact. On this last comment that you sent, there was no text in the box, but I could bring it up by putting my cursor in the text box and dragging it across the box. The one before this came out fine. Is there another way I can reach you if this string fails? I have attached another HijackThis. I have no need for those last two lines; they can go if they may be causing trouble. I will try to download SP 2 in safe mode and see what happens. Xdr56tfc Phil


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:51:11 PM, on 2/22/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
 
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
D:\Program Files\Alwil Software\Avast4\ashServ.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\System32\inetsrv\inetinfo.exe
D:\WINDOWS\System32\snmp.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\System32\ctfmon.exe
D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
D:\Program Files\QuickTime\qttask.exe
D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
D:\Documents and Settings\Phil Wirth\Desktop\MSOFFICE.EXE
D:\WINDOWS\System32\wuauclt.exe
D:\WINDOWS\System32\wuauclt.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe
 
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\System32\ctfmon.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - D:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZoneLabs\vsmon.exe
O24 - Desktop Component 0: (no name) - (no file)
O24 - Desktop Component 1: www.BUSTY.pl - Slim & Big Busted - http://www.busty.pl/
O24 - Desktop Component 2: bOObs.pl - 100% Exclusive boobs from Poland - http://www.big.boobs.pl/tour01.htm
 
--
End of file - 2592 bytes


0
IndiGenusCommented:
So you've tried fixing these with HijackThis? If so and that did not work then try running HJT in Safe Mode and fixing those 3 lines. Post a new log after.

O24 - Desktop Component 0: (no name) - (no file)
O24 - Desktop Component 1: www.BUSTY.pl - Slim & Big Busted - http://www.busty.pl/
O24 - Desktop Component 2: bOObs.pl - 100% Exclusive boobs from Poland - http://www.big.boobs.pl/tour01.htm
 
 
0
IndiGenusCommented:
Thanks for the input on that b0lsc0tt. I have seen and worked some pretty long ones too. Sounds like a problem on xdr56tfc's end, as I'm fine.

Dave
0
xdr56tfcAuthor Commented:

#37

Hello,

I finally have downloaded SP2; it put 57 updates in Windows. That also led me to upgrading Microsoft Office to SP3. The whole thing took me about 3 hours plus. It sounds like it is going to add a lot of security to my computer. That also allowed me to download IE7, but I did not like it at all. Luckily there was a restore point created just before I downloaded IE 7, so I was able to remove it with no problems. Have you heard of Comodo's Firewall? It's a free program that they say is good. Xdr56tfc

0
IndiGenusCommented:
Hi,
Questions....what finally made it work? What was the problem with IE7?

Yes, Comodo  is pretty good.

Post a new HijackThis log to make sure we're all clean.
0
xdr56tfcAuthor Commented:

#38

Hi, it was a crazy process; I'll explain it later. My daughters are celebrating my birthday today, so I do not have any time. I don't see why or how anyone would like IE7 better than IE6; I'll explain later. I need something to stop spam if it's possible. The problem probably was at my end; it still does crazy things now and then. When I started working on this box, the text in the box that you just sent disappears. Xdr56tfc Phil

0
xdr56tfcAuthor Commented:

#39

OK, here is how I got SP 2 for Windows XP Pro; it may be different for others. Go to Start > Help and Support > Internet Explorer Downloads > Internet download center > scroll down to Windows XP Service Pack 2 for IT Professionals and Developers > Download > in the popup dialog box hit Save or Run. That was it for me, but it took a long time for me to find it. The file is very big for an update; it's 266 Meg. The process put 57 update files in Windows, and it updates every day in the background. The process also updated Microsoft Office to SP 2. I did not like the interface in IE 7. For me the menus lacked a lot of the things that I had in IE 6. In IE 6 in the customize menu box I had a stop button, and a folder button etc. I never did find out how to save a file, but I didn't try very hard, because I knew that I did not like it. Xdr56tfc

0
IndiGenusCommented:
Hi,
Glad you got it sorted. Yes, SP2 is very big. And yes, you will need many updates on top of SP2 once it's on, that's normal, but it's worth it. A lot of people don't like IE7, although it does offer many benefits to IE6. Personally I like Firefox any way.

Good luck,
Dave
0
xdr56tfcAuthor Commented:

#40

Hi. I have just one more issue and then I think I will close this string. After I got rid of IE7 I was left with a pop-up by Microsoft! It's hard to believe that Microsoft is using pop-ups. Every time I boot it comes up on the right side of the task bar, and then it comes up on the desktop. It says "You may be a victim of a software counterfeiter". The only way I can close it is to hit the "do later" button. Then both dialog boxes go away, but then they come back when I boot up. Do you think you can do anything about this? xdr56tfc

0
IndiGenusCommented:
If that message is from MS then it is reporting that your copy of Windows is not legit. That doesn't really make any sense because you were able to do the updates. Were you getting this message before? Do you have your product key, etc.?

Let's run a diagnostic and go from there.
Download and Run a Diagnostic Tool (MGADiag.exe) from the link and save it to your desktop.
http://go.microsoft.com/fwlink/?linkid=56062
    * Double-click on MGADiag.exe
    * When the program has finished, click on the Validation tab and then click on Copy to Clipboard.
    * Copy the results in your next reply.
0
xdr56tfcAuthor Commented:

#41

Hi, no, I didn't have the message before, and I have the product key somewhere; I will just have to find it. Is running a diagnostic one of the things we did before? Xdr56tfc


0
IndiGenusCommented:
---------------------------------------------------------------------------
>""Is running a diagnostic; one of the things we did before?""<
---------------------------------------------------------------------------

Nope
0
xdr56tfcAuthor Commented:

# 42

IndiGenus: Nope

xdr56tfc: What do I do, or can I do it? Do I need the product key? I really need to find it anyway. I have just moved, so I still have things in boxes. Do I need to do another HijackThis? How long will I be able to get back to this string, or can I save it to my computer; there is a lot of good stuff here. xdr56tfc Phil

0
IndiGenusCommented:
Hi Phil,
Run the diagnostic from this post I made,  ID: 21009226, then post the results.

As you appear to be a premium service member you should be able to add this thread to your knowledge base.

Regards,
Dave
0
xdr56tfcAuthor Commented:

Hello, here it is. As I recall I bought my Windows XP Pro from eBay; it cost me about $125.00. They said it was a valid Windows XP with a product key, which it had. Xdr56tfc

Diagnostic Report (1.7.0069.0):
-----------------------------------------
WGA Data-->
Validation Status: Invalid Product Key
Validation Code: 8
Online Validation Code: N/A
Cached Validation Code: N/A
Windows Product Key: *****-*****-6MWFX-W2Y7V-C7M9D
Windows Product Key Hash: iRjqAcE2WhKCxcn35V2xMB1iOrw=
Windows Product ID: 55274-640-9771731-23218
Windows Product ID Type: 1
Windows License Type: Volume
Windows OS version: 5.1.2600.2.00010100.2.0.pro
CSVLK Server: N/A
CSVLK PID: N/A
ID: {02AF0391-E6AE-4A2C-B25C-84F6EBDEB3FB}(1)
Is Admin: Yes
TestCab: 0x0
WGA Version: Registered, 1.7.18.7
Signed By: Microsoft
Product Name: N/A
Architecture: N/A
Build lab: N/A
TTS Error: N/A
Validation Diagnostic: 025D1FF3-171-1
Resolution Status: N/A

WgaER Data-->
ThreatID(s): N/A
Version: N/A

Notifications Data-->
Cached Result: 8
File Exists: Yes
Version: 1.7.18.7
WgaTray.exe Signed By: Microsoft
WgaLogon.dll Signed By: Microsoft

OGA Data-->
Office Status: 114 Blocked VLK 2
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: FCEE394C-2920-80070002_025D1FF3-171-1

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Default Browser: D:\Program Files\Internet Explorer\IEXPLORE.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{02AF0391-E6AE-4A2C-B25C-84F6EBDEB3FB}</UGUID><Version>1.7.0069.0</Version><OS>5.1.2600.2.00010100.2.0.pro</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-C7M9D</PKey><PID>55274-640-9771731-23218</PID><PIDType>1</PIDType><SID>S-1-5-21-1220945662-2139871995-725345543</SID><SYSTEM><Manufacturer>System manufacturer</Manufacturer><Model>System Product Name</Model></SYSTEM><BIOS><Manufacturer>Phoenix Technologies, LTD</Manufacturer><Version>ASUS P5ND2-SLI ACPI BIOS Revision 0605</Version><SMBIOSVersion major="2" minor="3"/><Date>20050506000000.000000+000</Date></BIOS><HWID>DD3534870184207C</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Pacific Standard Time(GMT-08:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><BRT/></MachineData>        <Software><Office><Result>114</Result><Products><Product GUID="{90280409-6000-11D3-8CFE-0050048383C9}"><LegitResult>114</LegitResult><Name>Microsoft Office XP Professional with FrontPage</Name><Ver>10</Ver><Val>39476F84C4B4004</Val><Hash>4iCnywwNW1w4s9ukTIwGMGxyGic=</Hash><Pid>54185-640-0000025-17153</Pid><PidType>14</PidType></Product></Products></Office></Software></GenuineResults>  



0
IndiGenusCommented:
Well unfortunately it is not a valid license. Here is a link with a description of the issue. Not much else I can help you with on this here. You will need to either buy a new license or contact MS, but I don't believe you'll have much luck with them.

http://forums.microsoft.com/Genuine/ShowPost.aspx?PostID=2606685&SiteID=25

I wish you luck my friend. Take care and good luck,
Dave

0
xdr56tfcAuthor Commented:

#44

It looks like I may be stuck with that Microsoft pop-up. Did we ever figure out how to reformat my drive C with Windows 64 on it? I wonder if I can do it in Safe Mode? If I bought Vista would I have the same problem with the Windows XP that I am using now? Do you advise getting Vista? Do most programs that work with XP work with Vista? That's why I gave up on 64; too many of my programs would not work with it. Are these quad CPUs any good? That's a lot of questions. Xdr56tfc


0
IndiGenusCommented:
""Did we ever figure out how to reformat my drive C with Windows 64 on it?  
I wonder if I can do it in Safe Mode?""

Question for another thread.  

""If I bought Vista would I have the same problem with the Windows XP that I am using now? ""

No, that would solve all your problems. Just wipe out both OS's and start over...

""Do you advise getting Vista?   Do most programs that work with XP work with Vista?  Thats why I gave up on 64; too many of my programs would not work with it. ""

I like it, but many do not. You have to look into your hardware, drivers, software, etc., and make sure all is compatible.

""Are these Quad CPUs any good?""

Yes, if you have the money for it.
0
xdr56tfcAuthor Commented:

Hi.

I can get an Intel Core 2 Quad-Core Processor Q6600 and an XFX nForce 630/7150 motherboard for $339, with an NVIDIA nForce 630/7150 chipset. I have an Intel D 3.2 MH processor and board now, so I think the rest of my stuff should work with the new processor and board. Do you think this would make a good system? I can also get Windows Vista Home Premium Full Version for $107.77 all new in the box from Fry's Electronics. Do you recall what the people that did not like Vista were unhappy with? I just need to make sure that it has Recall. I would like to get my system set up so I can easily reformat my root directory, and reinstall my software and settings. I think that is the only way to deal with these hackers. Like you say, if I install Vista from scratch, all my problems would be gone!! Over the last year or so, little things have gone wrong with my computer, and I just live with it, because it is such a hassle to reformat my root directory. For example, my Sleep and Hibernate have not worked for a long time, and I would like to have them working, but I just live with it. I keep all my work on external drives anyway.

If I close this string out, can I make something like this a new question and get back to you? Mostly because you know my computer and problems so well, and because you are a good man.
Xdr56tfc, Phil

0
IndiGenusCommented:
That sounds like a good system to me. Like I said, I'm happy with Vista for the most part. There are many out there who are not, particularly gamers. Vista uses a lot of resources all by itself, especially RAM. I recommend 2 Gb of RAM.

>""I just need to make sure that it has Recall. ""<
Not quite sure what you mean by that, you mean system restore?

>""I would like to get my system set-up so I can easily reformat my Root Directory, and reinstall my software and settings.""<
Best way to do that is go with a 3rd party program and make a full backup of your system. A program like acronis is pretty good for this.
http://www.acronis.com/

Good luck with the new PC.
Dave
0
xdr56tfcAuthor Commented:

Hi Dave,

Well I have had that same problem with the EE site that I had before: the text in your last comment box will not stay visible, and I have not had a comment reply box until today. My computer is working pretty good, but not as it should. What I think I will do is close out this question string so you will get your well deserved credit, and start with a new question. It will be: what I need to know is, what information do I need to have to reinstall Windows XP from scratch; like being able to reset my internet and e-mail connections; my address book; my mail boxes, In Box, Sent boxes etc.; my Favorites, and whatever else I need to do to get Windows working properly without taking all my old problems with me, which will happen if I reinstall Windows in the normal way. I will reinstall my programs from scratch along with all my docs and images; I have them all on external drives. If I have this information handy I can reformat my root Windows drive whenever I am attacked. I will install my programs on my root drive also, because I will need to reinstall them anyway. I also have a dual OS situation with another Windows on another drive, and my system will not let me reformat the drive that it's on; I want to get rid of it.

Dave, I have also installed Comodo's firewall, and I think it's helping. I also need to know which Vista has System Restore; with XP it only came on XP Pro. I am also getting spam galore. I try to pick words out of them and put them in Outlook's blocker file, which helps, but it takes time, because a few of my good e-mails go to the spam folder also. From what I have read in PC Mag. reviews that happens to the best of the spam blockers anyway; maybe I'll need to stay the way I am. I think I will wait for your next comment before I close this string; hopefully I can get back to you again.

Much progress has definitely been made.

Phil   xdr56tfc


0
IndiGenusCommented:
Hi Phil,

Regarding the re-install of Windows, here is a great tutorial on doing that.

http://spyware-free.us/tutorials/reformat/

On the second paragraph...
>""I also need to know which Vista has System Restore; with XP it only came on XP Pro.""<
All versions of Vista have System Restore. And it is also included on both XP HOME and PRO.

>""I am also getting Spam galore.""<
If you are already on the spammers lists then even if you re-install Windows you will still get spam. You may want to consider changing email addresses if possible. Sometimes that's the best way to deal with it other than using filters, but I can understand sometimes it's not possible.

Good luck,
Dave
0
xdr56tfcAuthor Commented:

Hi Dave,

Two days ago my computer would not boot. A hacker got into my computer and changed the configuration settings so nothing would work. When I tried to do a Windows repair or reinstall with my Windows disk it would go so far and then quit. I finally installed Windows on another drive, and that is working fine, but I have lost everything that was on the boot drive. I can't even get into the boot drive D, but I can reformat it. It's a good thing that I had all of my created files on another drive, but I lost everything in Express and Explorer, which is bad. This is exactly what I wanted to prepare for, but I was not ready for it. However, it is forcing me to do it now. I already have some problems; if I can't fix them I'll get back to you.

xdr56tfc     Phil



0
IndiGenusCommented:
Hi Phil,

>""A hacker got into my computer and changed the configuration settings so nothing would work.""<

What makes you believe this? Sometimes Windows simply becomes corrupted. In your case here you were also VERY infected, and Malware can do serious system damage that requires a complete re-install. There is also the possibility that you were "hacked", but I am just curious to know how you know that.

Regards,
Dave
0
IndiGenusCommented:
Hi again Phil,

I think at this point if you have any questions on the new installation you will need to start a new question thread and finish this one off. That way you will be able to get experts help with specific experience in that area, as my area of expertise in malware removal and prevention will not apply.

Good luck,
Dave
0
xdr56tfcAuthor Commented:

Hi Dave,

I agree, it's a real mess, but I'm gaining on it. I want to thank you for all your help. One more thing: is there a way that I can save this string?

Thanks again, Phil

0

IndiGenusCommented:
To save this for reference click on the "Add to Knowledgebase" button and then you can go back to your profile and review it from there. You could also copy and paste it all into Notepad or something, but since you are a member here the Add way is probably the best.
0
xdr56tfcAuthor Commented:

Dave, your comment worked, and b0lsc0tt, yours worked also. If you can believe it I have pop-ups in my new Windows installation already, but I don't care because I can just reinstall Windows, now that I have everything I need to set up Windows again. I will be accepting your answer soon. I figured out what was causing the problem I was having; it was caused by me getting into my string without signing in. When I signed in all the problems went away. Today I got in without signing in again, but everything worked OK; crazy!! xdr56tfc, Phil
0