Solved

Explorer.exe keeps on reloading around 32% my task bar & icons disappear and come back every 5 seconds & I can not use IE

Posted on 2008-10-23
13
1,576 Views
Last Modified: 2013-12-08
I have a computer running XP Pro sp 2 with IE7.  I can not log onto the internet but i do get an 192 ip address from my dhcp & i can ping the router but can not display the routers web page. system was running very slow and noticed Explorer.exe was running around 95% I end task and new task explorer to find the same. after some research I went into safe mode and ran Vundofix.exe and it found items that I used it to remove then the system would log into my account and after 5 seconds go blank and reload like a fresh log on every 5 seconds so I went back into safe mode and ran "CleanUp40.exe" "ATF Cleaner""Spybot 1.6"  "Malwarebytes.exe""ComboFix.exe" "Advanced windows Care.exe" "Ace Cleaner.exe" and HiJack This. I ran all and allowed them to clean anything they found in safe mode. now I can log in fine but no internet but I can ping the router but page can not be displayed & system is still running very slow but explorer.exe  runs around 11% attached is the Hijack this log after I ran everything listed above.

After a reboot I am having the same problem with the task bar and icons disappearing every 5 seconds Explorer.exe runs up to 49 or higher %
Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:04:03 PM, on 10/23/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16735)

Boot mode: Normal
 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe

C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\PROGRA~1\NORTON~1\NORTON~3\NPROTECT.EXE

C:\PROGRA~1\NORTON~1\NORTON~3\SPEEDD~1\NOPDB.EXE

C:\WINDOWS\system32\wdfmgr.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\ALCWZRD.EXE

C:\Program Files\Hewlett-Packard\hp LaserJet 1160_1320 series\ToolBoxFX\bin\HPTLBXFX.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Logitech\MouseWare\system\em_exec.exe

C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

c:\windows\microsoft.net\framework\v1.1.4322\csc.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe
 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.simpleperfection.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.simpleperfection.com/

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll

O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE

O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe

O4 - HKLM\..\Run: [ToolBoxFX] "C:\Program Files\Hewlett-Packard\hp LaserJet 1160_1320 series\ToolBoxFX\bin\HPTLBXFX.exe" /enum:on /alerts:on /notifications:on /systrayIcon:on /fl:on /fr:on /appData:on

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKUS\S-1-5-18\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz (User 'Default user')

O4 - Global Startup: Norton GoBack.lnk = C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe

O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe

O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk

O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://www.simpleperfection.com

O16 - DPF: {8AA1AE9E-9FB0-41B3-8911-89A1068A7FD1} (Installer Class) - https://www8.wirelesssync.vzw.com/en/SyncInstall.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = PillariandVellaLLP.local

O17 - HKLM\Software\..\Telephony: DomainName = PillariandVellaLLP.local

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = PillariandVellaLLP.local

O20 - AppInit_DLLs: C:\WINDOWS\System32\dskquoui32.dll,C:\WINDOWS\System32\dmdskres32.dll,C:\WINDOWS\System32\clbcatq32.dll,C:\WINDOWS\System32\dmime32.dll,C:\WINDOWS\System32\clusapi32.dll,C:\WINDOWS\System32\dmintf32.dll,C:\WINDOWS\System32\cmutil32.dll,C:\WINDOWS\System32\dmstyle32.dll,C:\WINDOWS\System32\cnetcfg32.dll,C:\WINDOWS\System32\dmsynth32.dll,C:\WINDOWS\System32\colbact32.dll,C:\WINDOWS\System32\dmusic32.dll

O20 - Winlogon Notify: d4fc2abd448 - C:\WINDOWS\System32\dmdskres32.dll

O20 - Winlogon Notify: d4fc2abd486 - C:\WINDOWS\System32\dskquoui32.dll

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~3\NPROTECT.EXE

O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~3\SPEEDD~1\NOPDB.EXE

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
 

--

End of file - 9077 bytes

Open in new window

0
Comment
Question by:RG119
  • 7
  • 6
13 Comments
 
LVL 22

Expert Comment

by:orangutang
ID: 22793601
Scan with Malwarebytes' Anti-Malware (http://www.malwarebytes.org/mbam.php)
0
 
LVL 22

Expert Comment

by:orangutang
ID: 22793618
Oops, SUPERAntiSpyware (http://www.superantispyware.com/downloadfile.html?productid=SUPERANTISPYWAREFREE) or maybe rpggamergirl or IndiGenus will recommend SDFix, ComboFix, VundoFix. These are suspicious to me:

O20 - AppInit_DLLs: C:\WINDOWS\System32\dskquoui32.dll,C:\WINDOWS\System32\dmdskres32.dll,C:\WINDOWS\System32\clbcatq32.dll,C:\WINDOWS\System32\dmime32.dll,C:\WINDOWS\System32\clusapi32.dll,C:\WINDOWS\System32\dmintf32.dll,C:\WINDOWS\System32\cmutil32.dll,C:\WINDOWS\System32\dmstyle32.dll,C:\WINDOWS\System32\cnetcfg32.dll,C:\WINDOWS\System32\dmsynth32.dll,C:\WINDOWS\System32\colbact32.dll,C:\WINDOWS\System32\dmusic32.dll
O20 - Winlogon Notify: d4fc2abd448 - C:\WINDOWS\System32\dmdskres32.dll
O20 - Winlogon Notify: d4fc2abd486 - C:\WINDOWS\System32\dskquoui32.dll
0
 

Author Comment

by:RG119
ID: 22798224
I did forget to mention that this computer normally connectes to a 2003 server but i did disconnect the cat5e and logged on as administrator on local computer. I am now using a cat5e directly to the router for internet bypassing the server for testing reasons & safety of the server files. I did already run & cleaned with ComboFix, VundoFix & Malwarebytes as mention in the 1st post.  

Now even in safe mode the Explorer.exe can go to 85% and then disappear along with all the icons and the taskbar and I get the begining warning message of you are in safe mode choose yes or no.

I was able to load the super AntiSpyware via the task manager "file" "new Task" even though explorer.exe is still disappearing every 5 seconds or so the program stays up & running, it evens states it connected and downloaded updates. (I needed to be in normal mode to load program it would not work in safe mode)
Superspyware found 1 Memory item & 1 file (Listed them as Trojan unkown orgin) then i rebooted in safe mode & ran Super Antispware again and I got this boot up warning before logging on
"Isass.exe - Bad Image" & "Services.exe - Bad Image"   the application or DLL c:\windows\system32\dmdskres32.dll is not a valid windows image. please check this against your installation diskette.
In Safe mode still have the same Explorer.exe problem and reran Super Antispyware via task manager and found 31 errors I let it fix them boot fine once then back to same problems.
Went back to safe mode and turned off system restore did a another run of all Malwarebytes & Spybot & vundofix attached is the newest hijack log.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:49:49 AM, on 10/24/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16735)

Boot mode: Safe mode
 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\taskmgr.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.simpleperfection.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.simpleperfection.com/

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll

O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE

O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe

O4 - HKLM\..\Run: [ToolBoxFX] "C:\Program Files\Hewlett-Packard\hp LaserJet 1160_1320 series\ToolBoxFX\bin\HPTLBXFX.exe" /enum:on /alerts:on /notifications:on /systrayIcon:on /fl:on /fr:on /appData:on

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - HKUS\S-1-5-18\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz (User 'Default user')

O4 - Global Startup: Norton GoBack.lnk = C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe

O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe

O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk

O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://www.simpleperfection.com

O16 - DPF: {8AA1AE9E-9FB0-41B3-8911-89A1068A7FD1} (Installer Class) - https://www8.wirelesssync.vzw.com/en/SyncInstall.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = PillariandVellaLLP.local

O17 - HKLM\Software\..\Telephony: DomainName = PillariandVellaLLP.local

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = PillariandVellaLLP.local

O20 - AppInit_DLLs: C:\WINDOWS\System32\dskquoui32.dll,C:\WINDOWS\System32\dmdskres32.dll,C:\WINDOWS\System32\clbcatq32.dll,C:\WINDOWS\System32\dmime32.dll,C:\WINDOWS\System32\clusapi32.dll,C:\WINDOWS\System32\dmintf32.dll,C:\WINDOWS\System32\cmutil32.dll,C:\WINDOWS\System32\dmstyle32.dll,C:\WINDOWS\System32\cnetcfg32.dll,C:\WINDOWS\System32\dmsynth32.dll,C:\WINDOWS\System32\colbact32.dll,C:\WINDOWS\System32\dmusic32.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O20 - Winlogon Notify: d4fc2abd486 - C:\WINDOWS\System32\dskquoui32.dll

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~3\NPROTECT.EXE

O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~3\SPEEDD~1\NOPDB.EXE

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
 

--

End of file - 7781 bytes

Open in new window

0
 
LVL 22

Expert Comment

by:orangutang
ID: 22798916
See if you can upload any of these files at http://virusscan.jotti.org/:
C:\WINDOWS\System32\dskquoui32.dll
C:\WINDOWS\System32\dmdskres32.dll
C:\WINDOWS\System32\clbcatq32.dll
C:\WINDOWS\System32\dmime32.dll
C:\WINDOWS\System32\clusapi32.dll
C:\WINDOWS\System32\dmintf32.dll
C:\WINDOWS\System32\cmutil32.dll
C:\WINDOWS\System32\dmstyle32.dll
C:\WINDOWS\System32\cnetcfg32.dll
C:\WINDOWS\System32\dmsynth32.dll
C:\WINDOWS\System32\colbact32.dll
C:\WINDOWS\System32\dmusic32.dll
C:\WINDOWS\System32\dskquoui32.dll




 Also, try these modified instructions from rpggamergirl:

Please download The Avenger by Swandog46 to your Desktop.
http://swandog46.geekstogo.com/avenger.zip

   *Click on Avenger.zip to open the file
   *Extract avenger.exe to your desktop

Start up Avenger.
Check the 'Input script manually' option.
Click the Magnifying Glass icon.
In the box that opens, copy,then paste the following text(all text inside the lines below):

-----------------------------------------------------------------------------------------------------------
Files to delete:
C:\WINDOWS\System32\dskquoui32.dll
C:\WINDOWS\System32\dmdskres32.dll
C:\WINDOWS\System32\clbcatq32.dll
C:\WINDOWS\System32\dmime32.dll
C:\WINDOWS\System32\clusapi32.dll
C:\WINDOWS\System32\dmintf32.dll
C:\WINDOWS\System32\cmutil32.dll
C:\WINDOWS\System32\dmstyle32.dll
C:\WINDOWS\System32\cnetcfg32.dll
C:\WINDOWS\System32\dmsynth32.dll
C:\WINDOWS\System32\colbact32.dll
C:\WINDOWS\System32\dmusic32.dll
C:\WINDOWS\System32\dskquoui32.dll

Registry keys to delete:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\d4fc2abd486

Registry values to replace with dummy:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs
------------------------------------------------------------------------------------------------------------

Then click on 'Done'.
Click the Traffic Light icon to start the program.
Then press OK at the prompts to reboot your PC.

Post the Avenger output.txt, which you can find at C:\Avenger\.txt when you've done.

And a hijackthis log please.
0
 

Author Comment

by:RG119
ID: 22799041
Well I did all the scans again first in Safe mode then in normal mode I can log on and get the internet but still some problems. I tried loading AVG antivirus and recieved the following error report:

//==<AVG-7.5>===================================================
Exception code: 80000003 BREAKPOINT
Fault address:  004DDFD9 01:000DCFD9 C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7zS9.tmp\avgsetup.exe
Module Date:    08/05/2008 12:00:54
File Version of C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7zS9.tmp\avgsetup.exe: 8.0.0.159
Exception Date: 10/24/2008 13:34:55

MiniDump Information Saved to C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\avg8inst.dmp

//==<AVG-7.5>===================================================
Exception code: 80000003 BREAKPOINT
Fault address:  004DDFD9 01:000DCFD9 C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7zSA.tmp\avgsetup.exe
Module Date:    08/05/2008 12:00:54
File Version of C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7zSA.tmp\avgsetup.exe: 8.0.0.159
Exception Date: 10/24/2008 13:36:22

MiniDump Information Saved to C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\avg8inst.dmp

So I ran HiJack this again after all other scans and cleaners were ran and System restore is still turned off:


Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 1:39:01 PM, on 10/24/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16735)

Boot mode: Normal
 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe

C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\PROGRA~1\NORTON~1\NORTON~3\NPROTECT.EXE

C:\PROGRA~1\NORTON~1\NORTON~3\SPEEDD~1\NOPDB.EXE

C:\WINDOWS\system32\wdfmgr.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\ALCWZRD.EXE

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Logitech\MouseWare\system\em_exec.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe
 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.simpleperfection.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.simpleperfection.com/

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll

O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE

O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe

O4 - HKLM\..\Run: [ToolBoxFX] "C:\Program Files\Hewlett-Packard\hp LaserJet 1160_1320 series\ToolBoxFX\bin\HPTLBXFX.exe" /enum:on /alerts:on /notifications:on /systrayIcon:on /fl:on /fr:on /appData:on

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - HKUS\S-1-5-21-2605154349-4145060850-2006879218-1112\..\Run: [TSTimer] "C:\Program Files\Timeslips\TSTimer.exe" (User '?')

O4 - HKUS\S-1-5-21-2605154349-4145060850-2006879218-1112\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe" (User '?')

O4 - HKUS\S-1-5-21-2605154349-4145060850-2006879218-1112\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')

O4 - HKUS\S-1-5-21-2605154349-4145060850-2006879218-1112\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe (User '?')

O4 - HKUS\S-1-5-21-2605154349-4145060850-2006879218-500\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe (User '?')

O4 - HKUS\S-1-5-21-3517727018-3224627433-2229183760-1004\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (User 'Robert')

O4 - HKUS\S-1-5-18\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz (User 'Default user')

O4 - Global Startup: Norton GoBack.lnk = C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe

O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe

O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk

O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://www.simpleperfection.com

O16 - DPF: {8AA1AE9E-9FB0-41B3-8911-89A1068A7FD1} (Installer Class) - https://www8.wirelesssync.vzw.com/en/SyncInstall.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = PillariandVellaLLP.local

O17 - HKLM\Software\..\Telephony: DomainName = PillariandVellaLLP.local

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = PillariandVellaLLP.local

O20 - AppInit_DLLs: C:\WINDOWS\System32\dskquoui32.dll,C:\WINDOWS\System32\dmdskres32.dll,C:\WINDOWS\System32\clbcatq32.dll,C:\WINDOWS\System32\dmime32.dll,C:\WINDOWS\System32\clusapi32.dll,C:\WINDOWS\System32\dmintf32.dll,C:\WINDOWS\System32\cmutil32.dll,C:\WINDOWS\System32\dmstyle32.dll,C:\WINDOWS\System32\cnetcfg32.dll,C:\WINDOWS\System32\dmsynth32.dll,C:\WINDOWS\System32\colbact32.dll,C:\WINDOWS\System32\dmusic32.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O20 - Winlogon Notify: d4fc2abd486 - C:\WINDOWS\System32\dskquoui32.dll

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~3\NPROTECT.EXE

O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~3\SPEEDD~1\NOPDB.EXE

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
 

--

End of file - 9835 bytes

Open in new window

0
 
LVL 22

Expert Comment

by:orangutang
ID: 22799114
Did you try uploading those files to http://virusscan.jotti.org/ ? Also, make sure to send your logs by using the "Attach File" option at the bottom of the comment box.
0
Top 6 Sources for Identifying Threat Actor TTPs

Understanding your enemy is essential. These six sources will help you identify the most popular threat actor tactics, techniques, and procedures (TTPs).

 

Author Comment

by:RG119
ID: 22799168
I ran Avenger as you instructored and here is the log:
Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform:  Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\WINDOWS\System32\dskquoui32.dll" deleted successfully.

Error:  file "C:\WINDOWS\System32\dmdskres32.dll" not found!
Deletion of file "C:\WINDOWS\System32\dmdskres32.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  file "C:\WINDOWS\System32\clbcatq32.dll" not found!
Deletion of file "C:\WINDOWS\System32\clbcatq32.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  file "C:\WINDOWS\System32\dmime32.dll" not found!
Deletion of file "C:\WINDOWS\System32\dmime32.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  file "C:\WINDOWS\System32\clusapi32.dll" not found!
Deletion of file "C:\WINDOWS\System32\clusapi32.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  file "C:\WINDOWS\System32\dmintf32.dll" not found!
Deletion of file "C:\WINDOWS\System32\dmintf32.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  file "C:\WINDOWS\System32\cmutil32.dll" not found!
Deletion of file "C:\WINDOWS\System32\cmutil32.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  file "C:\WINDOWS\System32\dmstyle32.dll" not found!
Deletion of file "C:\WINDOWS\System32\dmstyle32.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  file "C:\WINDOWS\System32\cnetcfg32.dll" not found!
Deletion of file "C:\WINDOWS\System32\cnetcfg32.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  file "C:\WINDOWS\System32\dmsynth32.dll" not found!
Deletion of file "C:\WINDOWS\System32\dmsynth32.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  file "C:\WINDOWS\System32\colbact32.dll" not found!
Deletion of file "C:\WINDOWS\System32\colbact32.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  file "C:\WINDOWS\System32\dmusic32.dll" not found!
Deletion of file "C:\WINDOWS\System32\dmusic32.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  file "C:\WINDOWS\System32\dskquoui32.dll" not found!
Deletion of file "C:\WINDOWS\System32\dskquoui32.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist

Registry key "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\d4fc2abd486" deleted successfully.
Registry value "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLs" replaced with dummy successfully.

Completed script processing.

*******************

Finished!  Terminate.
0
 
LVL 22

Expert Comment

by:orangutang
ID: 22799244
You should've double-checked to see if those were actually viruses first at http://virusscan.jotti.org/ just in case. Send one more HijackThis log. Use the "Attach File" option.
0
 

Author Comment

by:RG119
ID: 22799299
I attached the Hijack this log
hijackthis4.txt
0
 
LVL 22

Accepted Solution

by:
orangutang earned 500 total points
ID: 22800237
Your log seems clean now. Do you still have the problem?
0
 

Author Comment

by:RG119
ID: 22800289
not really just ran Trend Micro house calls and it found Cryp_bits and adware-memwatcher. trying some simple task now to determine if it is clean do you think it would be safe to add service pack 3 now?
0
 

Author Closing Comment

by:RG119
ID: 31509530
Thank you for your help.
0
 
LVL 22

Expert Comment

by:orangutang
ID: 22801097
It should be at least after scanning with so many virus scanners, you should be clean and it should be safe.
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

#Citrix #Internet Explorer #Enterprise Mode #IE 11 #IE 8
SSL stands for “Secure Sockets Layer” and an SSL certificate is a critical component to keeping your website safe, secured, and compliant. Any ecommerce website must have an SSL certificate to ensure the safe handling of sensitive information like…
Shows how to create a shortcut to site-search Experts Exchange using Google in the Chrome browser. This eliminates the need to type out site:experts-exchange.com whenever you want to search the site. Launch the Search Engine Menu: In chrome, via you…
How to create a custom search shortcut to site-search Experts Exchange using Google in the Firefox browser. This eliminates the need to type out site:experts-exchange.com whenever you want to search the site. Launch your Bookmark Menu: Press 'Ctrl +…

707 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now