Here is the log from ComboFix. Say, what do you think about replacing/repairing some XP files? I guess sfc /scannow does something like that, but I read it might not work in safe mode because of something about the RPC service, etc. Just a thought. -max
"Administrator" - 07-01-12 17:10:23 Service Pack 2
ComboFix 07-01-12 - Running from: "C:\Documents and Settings\Administrator\Desktop"
((((((((((((((((((((((((((((((( Files Created from 2006-12-12 to 2007-01-12 ))))))))))))))))))))))))))))))))))
2007-01-12 13:25 <DIR> d C:\SDFix
2007-01-11 22:12 3,968 --a C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-01-11 22:12 <DIR> d C:\Program Files\Grisoft
2007-01-11 12:37 <DIR> d C:\DOCUME~1\ADMINI~1\Application Data\Bitdefender
2007-01-11 12:33 <DIR> d C:\DOCUME~1\ALLUSE~1\Application Data\BitDefender
2007-01-09 20:43 96 --a C:\avexport.bat
2007-01-09 20:43 60,416 --a C:\WINDOWS\system32\drivers\qxallmjt.sys
2007-01-09 20:43 336 --a C:\reboot.bat
2007-01-09 20:43 19,814 --a C:\reboot.exe
2007-01-09 20:43 126,976 --a C:\zip.exe
2007-01-09 20:43 1,080 --a C:\tjtuaxbf.bat
2007-01-09 20:31 9,728 --a C:\WINDOWS\system32\drivers\pxscinst.dll
2007-01-09 20:31 7,680 --a C:\WINDOWS\system32\drivers\pxinst.dll
2007-01-09 20:31 7,552 --a C:\WINDOWS\system32\drivers\pxcom.sys
2007-01-09 20:31 274,688 --a C:\WINDOWS\system32\drivers\pxfsf.sys
2007-01-09 20:31 18,560 --a C:\WINDOWS\system32\drivers\pxtdi.sys
2007-01-09 20:31 13,952 --a C:\WINDOWS\system32\drivers\pxrd.sys
2007-01-09 20:31 11,648 --a C:\WINDOWS\system32\drivers\pxscrmbl.sys
2007-01-09 20:31 100,864 --a C:\WINDOWS\system32\drivers\PxEmu.sys
2007-01-09 20:31 <DIR> d C:\DOCUME~1\ADMINI~1\Application Data\Prevx
2007-01-09 20:30 <DIR> d C:\Program Files\Prevx1
2007-01-09 20:30 <DIR> d C:\DOCUME~1\ALLUSE~1\Application Data\Prevx
2007-01-09 20:16 <DIR> d C:\Malware Tools
2007-01-09 18:00 11,254 --a C:\WINDOWS\system32\locate.com
2007-01-09 15:36 <DIR> d C:\WINDOWS\system32\ActiveScan
2007-01-09 11:46 <DIR> d C:\WINDOWS\BDOSCAN8
2007-01-08 19:34 <DIR> d C:\Program Files\Sunbelt Software
2007-01-08 18:29 <DIR> d C:\Program Files\HJT
2007-01-08 18:10 <DIR> d C:\DOCUME~1\ALLUSE~1\Application Data\Spybot - Search & Destroy
2007-01-08 17:47 <DIR> d C:\Program Files\CCleaner
2007-01-08 09:35 <DIR> d C:\WINDOWS\pss
2007-01-08 00:29 94,480 --a C:\WINDOWS\system32\drivers\tmcomm.sys
2007-01-07 21:51 <DIR> d C:\quarantine
2007-01-07 19:31 <DIR> d C:\DOCUME~1\ADMINI~1\.housecall6.6
2007-01-07 15:00 <DIR> d C:\Program Files\HDInfo
2007-01-06 22:08 <DIR> d C:\Program Files\Western Digital
2007-01-06 19:32 205,312 -ra C:\WINDOWS\patchw32.dll
2007-01-06 19:31 205,312 -ra C:\WINDOWS\pw32a.dll
2007-01-06 19:15 <DIR> d C:\DOCUME~1\ADMINI~1\Application Data\WholeSecurity
2007-01-05 19:33 <DIR> d C:\Program Files\Windows Live Safety Center
2007-01-05 10:55 5,632 --a C:\WINDOWS\system32\ptpusb.dll
2007-01-05 10:55 159,232 --a C:\WINDOWS\system32\ptpusd.dll
2007-01-02 21:15 <DIR> d C:\Program Files\DC++
2006-12-27 13:28 28,672 --a C:\WINDOWS\system32\drivers\CO_Mon.sys
2006-12-26 21:26 <DIR> d--h C:\WINDOWS\system32\GroupPolicy
2006-12-22 12:17 <DIR> d C:\Program Files\Common Files\xing shared
2006-12-22 12:16 <DIR> d C:\Program Files\Real
2006-12-22 12:16 <DIR> d C:\Program Files\Common Files\Real
2006-12-20 21:00 <DIR> d C:\Program Files\OverDrive Media Console
2006-12-20 21:00 <DIR> d C:\DOCUME~1\ADMINI~1\Application Data\OverDrive
2006-12-18 10:46 <DIR> d C:\WINDOWS\system32\NtmsData
2006-12-17 22:38 <DIR> d C:\DOCUME~1\ADMINI~1\Application Data\McAfee
2006-12-17 22:06 43,136 --a C:\WINDOWS\system32\drivers\sbp2port.sys
2006-12-17 22:04 61,056 --a C:\WINDOWS\system32\drivers\ohci1394.sys
2006-12-17 22:04 6,400 --a C:\WINDOWS\system32\drivers\enum1394.sys
2006-12-17 22:04 53,248 --a C:\WINDOWS\system32\drivers\1394bus.sys
2006-12-17 20:54 0 --a C:\naswnlg.exe
2006-12-17 18:33 <DIR> d C:\DOCUME~1\ADMINI~1\Application Data\Symantec
2006-12-17 18:32 <DIR> d C:\Program Files\Common Files\Symantec Shared
2006-12-17 18:31 4,588,454 --a C:\Program Files\setup.exe
2006-12-17 18:31 <DIR> d C:\Program Files\Support
2006-12-17 18:31 <DIR> d C:\Program Files\Driver Validation
2006-12-17 17:09 <DIR> d C:\Program Files\DiscWizard for Windows
2006-12-17 17:05 <DIR> d C:\Program Files\Seagate
2006-12-17 10:26 <DIR> d C:\Program Files\DIY DataRecovery iRecover 2.1
2006-12-16 14:52 <DIR> d C:\DOCUME~1\ADMINI~1\Application Data\IsolatedStorage
2006-12-16 14:49 <DIR> dr--s---- C:\WINDOWS\assembly
2006-12-16 14:49 <DIR> d C:\WINDOWS\system32\URTTemp
2006-12-16 14:49 <DIR> d C:\WINDOWS\Microsoft.NET
2006-12-16 14:40 <DIR> d C:\DOCUME~1\ALLUSE~1\Application Data\Symantec
2006-12-16 14:36 <DIR> d C:\Program Files\Symantec
2006-12-15 15:10 <DIR> d C:\Program Files\Western Digital Technologies
2006-12-14 19:17 <DIR> d C:\Program Files\ACW
2006-12-12 18:16 60,416 C:\WINDOWS\system32\tzchange.exe
Hi Max! It's almost 1:30am here and I can't think straight - need to rest.
From a quick glance at the ComboFix log, there are some files I need to look into but not right now.
I'm not a Windows expert, like I said. You could try posting in the Windows Forum and I'm sure you'll get some advice there. If you have a Windows CD, that would be convenient.
I understand! :-) I was wondering what time it was there - UK right? Well then, get some sleep and give me a jingle when you're back online and we can try some of the things you had in mind. In the meantime, where is the Windows forum you speak of? Perhaps I should post there and see if any ideas come up? Is there someone you know of that I could post to? If not, I will hunt around and see what I can find. But I appreciate your help and look forward to finishing up your thoughts/ideas. Thanks! -max
OOPS - sorry about the wrong forum posting. Dang it!
HJT log attached. Main problems are:
1) verifying Bit Defender was completely installed. There are still some lines in the MSCONFIG tool that reference BitDefender. ???
2) The LSA Shell error has gone away - not sure why. Posts indicate it might have been the Sasser worm - I used WMRT and FxSasser to check and they came back neg. Anything else I should look for?
3) trying to remove CounterSpy, but keep getting Internal Error 2738. Laptop has the latest jscript.dll file from MS installed, so ruled out that cause.
-max
Logfile of HijackThis v1.99.1
Scan saved at 6:03:36 PM, on 1/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Ok - this spyware is a strange world. I uninstalled that Prevx program, and then rebooted. I then sent you the HJT log. Then I went back and just tried to uninstall the CounterSpy, on the chance there was a conflict between it and Prevx. Sure enough, once Prevx was out of the way, then CounterSpy completed its uninstall. So the remaining issue is making sure these tools are COMPLETELY removed from everywhere, the HD, the registry, the MSCONFIG tool, the Services tool, etc. This is where I need help. I don't really understand the registry and what can and cannot be done there. BTW - I have turned System Restore back on, so my anxiety has dropped accordingly (unless you tell me SR is not what it's cracked up to be). -max
Thanks for posting here. We will make sure those tools are completely removed, but let's make sure your computer is clean.
System Restore should ALWAYS be on, no matter what. It's very important!
Anyway, there are some files that I would like you to get scanned for analysis
Pretty cool tool - checks a file against all the virus engines?
Here are the results of the first two files. If all the others come back negative, would you prefer just a short reply to that effect?
==========================
Complete scanning result of "tjtuaxbf.bat", received in VirusTotal at 01.14.2007, 03:21:15 (CET).
Antivirus Version Update Result
AntiVir 7.3.0.21 01.09.2007 no virus found
Authentium 4.93.8 01.12.2007 no virus found
Avast 4.7.936.0 01.13.2007 no virus found
AVG 386 01.13.2007 no virus found
BitDefender 7.2 01.14.2007 no virus found
CAT-QuickHeal 9.00 01.12.2007 no virus found
ClamAV devel-20060426 01.13.2007 no virus found
DrWeb 4.33 01.13.2007 no virus found
eSafe 7.0.14.0 01.10.2007 no virus found
eTrust-InoculateIT 23.73.113 01.13.2007 no virus found
eTrust-Vet 30.3.3324 01.12.2007 no virus found
Ewido 4.0 01.13.2007 no virus found
Fortinet 2.82.0.0 01.13.2007 no virus found
F-Prot 3.16f 01.12.2007 no virus found
F-Prot4 4.2.1.29 01.12.2007 no virus found
Ikarus T3.1.0.27 01.09.2007 no virus found
Kaspersky 4.0.2.24 01.14.2007 no virus found
McAfee 4938 01.12.2007 no virus found
Microsoft 1.1904 01.13.2007 no virus found
NOD32v2 1977 01.13.2007 no virus found
Norman 5.80.02 01.12.2007 no virus found
Panda 9.0.0.4 01.13.2007 no virus found
Prevx1 V2 01.14.2007 no virus found
Sophos 4.13.0 01.13.2007 no virus found
Sunbelt 2.2.907.0 01.12.2007 no virus found
TheHacker 6.0.3.147 01.11.2007 no virus found
UNA 1.83 01.12.2007 no virus found
VBA32 3.11.2 01.12.2007 no virus found
VirusBuster 4.3.19:9 01.13.2007 no virus found
Aditional Information
File size: 0 bytes
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
==============================
Complete scanning result of "locate.com", received in VirusTotal at 01.14.2007, 03:25:25 (CET).
Antivirus Version Update Result
AntiVir 7.3.0.21 01.09.2007 no virus found
Authentium 4.93.8 01.12.2007 no virus found
Avast 4.7.936.0 01.13.2007 no virus found
AVG 386 01.13.2007 no virus found
BitDefender 7.2 01.14.2007 no virus found
CAT-QuickHeal 9.00 01.12.2007 no virus found
ClamAV devel-20060426 01.13.2007 no virus found
DrWeb 4.33 01.13.2007 no virus found
eSafe 7.0.14.0 01.10.2007 no virus found
eTrust-InoculateIT 23.73.113 01.13.2007 no virus found
eTrust-Vet 30.3.3324 01.12.2007 no virus found
Ewido 4.0 01.13.2007 no virus found
Fortinet 2.82.0.0 01.13.2007 no virus found
F-Prot 3.16f 01.12.2007 no virus found
F-Prot4 4.2.1.29 01.12.2007 no virus found
Ikarus T3.1.0.27 01.09.2007 no virus found
Kaspersky 4.0.2.24 01.14.2007 no virus found
McAfee 4938 01.12.2007 no virus found
Microsoft 1.1904 01.13.2007 no virus found
NOD32v2 1977 01.13.2007 no virus found
Norman 5.80.02 01.12.2007 no virus found
Panda 9.0.0.4 01.13.2007 no virus found
Prevx1 V2 01.14.2007 no virus found
Sophos 4.13.0 01.13.2007 no virus found
Sunbelt 2.2.907.0 01.12.2007 no virus found
TheHacker 6.0.3.147 01.11.2007 no virus found
UNA 1.83 01.12.2007 no virus found
VBA32 3.11.2 01.12.2007 no virus found
VirusBuster 4.3.19:9 01.13.2007 no virus found
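One check worth making before trusting these results: ComboFix listed tjtuaxbf.bat at 1,080 bytes, yet the report above says 0 bytes and carries the MD5 and SHA1 of empty input, so the engines scanned an empty upload rather than the file on disk. The following Python is an added example, not part of the thread or of VirusTotal's own tooling: it parses the report's hash block and only accepts a verdict whose size and hashes match the local bytes (the 1,080-byte local content is a constructed stand-in).

```python
"""Check that a VirusTotal verdict describes the file you actually hold (added example)."""
import hashlib
import re

# Digests of zero bytes of input. A report carrying these hashes scanned an
# empty upload, whatever file name it was given.
EMPTY_MD5 = "d41d8cd98f00b204e9800998ecf8427e"
EMPTY_SHA1 = "da39a3ee5e6b4b0d3255bfef95601890afd80709"

# Constructed excerpt in the layout of the 2007-era VirusTotal text report
# quoted in the thread (per-engine rows omitted; the heading's spelling is
# VirusTotal's own).
REPORT = """\
Complete scanning result of "tjtuaxbf.bat", received in VirusTotal at 01.14.2007, 03:21:15 (CET).
Aditional Information
File size: 0 bytes
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
"""

# Constructed stand-in for the 1,080-byte file ComboFix listed on disk;
# the real contents are not on the page.
LOCAL_BAT = b"@echo off\r\nrem constructed placeholder\r\n".ljust(1080, b" ")


def file_hashes(data):
    """MD5 and SHA1 hex digests of raw bytes (read files in binary mode)."""
    return hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest()


def parse_report(text):
    """Extract size, MD5 and SHA1 from the report's 'Aditional Information' block."""
    size = re.search(r"File size:\s*([\d,]+)\s*bytes", text)
    md5 = re.search(r"MD5:\s*([0-9a-fA-F]{32})\b", text)
    sha1 = re.search(r"SHA1:\s*([0-9a-fA-F]{40})\b", text)
    if not (size and md5 and sha1):
        raise ValueError("report has no size/MD5/SHA1 block")
    return {"size": int(size.group(1).replace(",", "")),
            "md5": md5.group(1).lower(),
            "sha1": sha1.group(1).lower()}


def scanned_empty_file(report):
    """True when the engines were handed zero bytes: every 'no virus found' row is then vacuous."""
    return report["size"] == 0 or (report["md5"], report["sha1"]) == (EMPTY_MD5, EMPTY_SHA1)


def verdict_applies(report, data):
    """True only if the report's size and both hashes match the bytes we hold."""
    md5, sha1 = file_hashes(data)
    return report["size"] == len(data) and report["md5"] == md5 and report["sha1"] == sha1


if __name__ == "__main__":
    rep = parse_report(REPORT)
    print("empty upload:", scanned_empty_file(rep))
    print("verdict covers local file:", verdict_applies(rep, LOCAL_BAT))
```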
Locate these files, one by one. Right-click and select Properties. Go to the Version tab (if present) and tell me what info is present, especially the Company.
here is the info:
C:\WINDOWS\system32\locate.com =
No Version tab. Looks like some sort of batch file. Same props box as a .bat file. I scanned it with Network Associates virus - none found.
C:\WINDOWS\pw32a.dll =
version: 8.0.0.0
description: RTPatch Executable
Co: Pocket Soft, Inc., 2003. ??? Doesn't ring a bell.
C:\naswnlg.exe = could not find this file by browsing. but searched C:\ and it was located at C:\SDFix\backups\backups.zip. Since it is in a compressed folder, it does not have a regular properties box. ?????
C:\Program Files\setup.exe =
version 9.0.333.0
InstallShield Software Corp
I think this belongs to one of the spyware tools I want to uninstall.
C:\WINDOWS\system32\tzchange.exe =
version 5.1.2600.3037
Microsoft Timezone change tool (was in a very recent MS Windows Update)
- Once you are on the Panda site, click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
2. Run another scan with ComboFix please so it can create a new log.
Post the contents of the Panda scan report, along with a new HijackThis Log and the ComboFix log.
OK Trogan - will do. It will take some time for the Panda scan to complete - so perhaps we can pick up the ball on this tomorrow. Thanks for all your help!! -max
Here are the log reports. No action was taken on the items listed in the Panda ActiveScan report. -max
Active Scan log:
Incident Status Location
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7570flkp.default\cookies.txt[.overture.com/]
Spyware:Cookie/AdDynamix Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7570flkp.default\cookies.txt[.ads.addynamix.com/]
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7570flkp.default\cookies.txt[.go.com/]
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@statse.webtrendslive[1].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\7570flkp.default\Cache\DD0DBD66d01[C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\7570flkp.default\Cache\DD0DBD6
Potentially unwanted tool:Application/Processor Not disinfected C:\SDFix\apps\Process.exe
===============
COMBO FIX LOG
"Administrator" - 07-01-13 23:42:05 Service Pack 2
ComboFix 07-01-12 - Running from: "C:\Documents and Settings\Administrator\Desktop"
((((((((((((((((((((((((((((((( Files Created from 2006-12-13 to 2007-01-13 ))))))))))))))))))))))))))))))))))
2007-01-13 19:52 <DIR> d C:\WINDOWS\system32\ActiveScan
2007-01-13 19:52 <DIR> d C:\WINDOWS\LastGood
2007-01-13 19:16 <DIR> d--h C:\WINDOWS\PIF
2007-01-12 13:25 <DIR> d C:\SDFix
2007-01-11 22:12 3,968 --a C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-01-11 22:12 <DIR> d C:\Program Files\Grisoft
2007-01-09 20:43 96 --a C:\avexport.bat
2007-01-09 20:43 60,416 --a C:\WINDOWS\system32\drivers\qxallmjt.sys
2007-01-09 20:43 336 --a C:\reboot.bat
2007-01-09 20:43 19,814 --a C:\reboot.exe
2007-01-09 20:43 126,976 --a C:\zip.exe
2007-01-09 20:43 1,080 --a C:\tjtuaxbf.bat
2007-01-09 20:31 11,648 --a C:\WINDOWS\system32\drivers\pxscrmbl.sys
2007-01-09 20:16 <DIR> d C:\Malware Tools
2007-01-09 18:00 11,254 --a C:\WINDOWS\system32\locate.com
2007-01-09 11:46 <DIR> d C:\WINDOWS\BDOSCAN8
2007-01-08 19:34 <DIR> d C:\Program Files\Sunbelt Software
2007-01-08 18:29 <DIR> d C:\Program Files\HJT
2007-01-08 18:10 <DIR> d C:\DOCUME~1\ALLUSE~1\Application Data\Spybot - Search & Destroy
2007-01-08 17:47 <DIR> d C:\Program Files\CCleaner
2007-01-08 09:35 <DIR> d C:\WINDOWS\pss
2007-01-08 00:29 76,560 --a C:\WINDOWS\system32\drivers\tmcomm.sys
2007-01-07 21:51 <DIR> d C:\quarantine
2007-01-07 19:31 <DIR> d C:\DOCUME~1\ADMINI~1\.housecall6.6
2007-01-07 15:00 <DIR> d C:\Program Files\HDInfo
2007-01-06 22:08 <DIR> d C:\Program Files\Western Digital
2007-01-06 19:32 205,312 -ra C:\WINDOWS\patchw32.dll
2007-01-06 19:31 205,312 -ra C:\WINDOWS\pw32a.dll
2007-01-06 19:15 <DIR> d C:\DOCUME~1\ADMINI~1\Application Data\WholeSecurity
2007-01-05 19:33 <DIR> d C:\Program Files\Windows Live Safety Center
2007-01-05 10:55 5,632 --a C:\WINDOWS\system32\ptpusb.dll
2007-01-05 10:55 159,232 --a C:\WINDOWS\system32\ptpusd.dll
2007-01-02 21:15 <DIR> d C:\Program Files\DC++
2006-12-27 13:28 28,672 --a C:\WINDOWS\system32\drivers\CO_Mon.sys
2006-12-26 21:26 <DIR> d--h C:\WINDOWS\system32\GroupPolicy
2006-12-22 12:17 <DIR> d C:\Program Files\Common Files\xing shared
2006-12-22 12:16 <DIR> d C:\Program Files\Real
2006-12-22 12:16 <DIR> d C:\Program Files\Common Files\Real
2006-12-20 21:00 <DIR> d C:\Program Files\OverDrive Media Console
2006-12-20 21:00 <DIR> d C:\DOCUME~1\ADMINI~1\Application Data\OverDrive
2006-12-18 10:46 <DIR> d C:\WINDOWS\system32\NtmsData
2006-12-17 22:38 <DIR> d C:\DOCUME~1\ADMINI~1\Application Data\McAfee
2006-12-17 22:06 43,136 --a C:\WINDOWS\system32\drivers\sbp2port.sys
2006-12-17 22:04 61,056 --a C:\WINDOWS\system32\drivers\ohci1394.sys
2006-12-17 22:04 6,400 --a C:\WINDOWS\system32\drivers\enum1394.sys
2006-12-17 22:04 53,248 --a C:\WINDOWS\system32\drivers\1394bus.sys
2006-12-17 18:33 <DIR> d C:\DOCUME~1\ADMINI~1\Application Data\Symantec
2006-12-17 18:32 <DIR> d C:\Program Files\Common Files\Symantec Shared
2006-12-17 18:31 <DIR> d C:\Program Files\Support
2006-12-17 18:31 <DIR> d C:\Program Files\Driver Validation
2006-12-17 17:09 <DIR> d C:\Program Files\DiscWizard for Windows
2006-12-17 17:05 <DIR> d C:\Program Files\Seagate
2006-12-17 10:26 <DIR> d C:\Program Files\DIY DataRecovery iRecover 2.1
2006-12-16 14:52 <DIR> d C:\DOCUME~1\ADMINI~1\Application Data\IsolatedStorage
2006-12-16 14:49 <DIR> dr--s---- C:\WINDOWS\assembly
2006-12-16 14:49 <DIR> d C:\WINDOWS\system32\URTTemp
2006-12-16 14:49 <DIR> d C:\WINDOWS\Microsoft.NET
2006-12-16 14:40 <DIR> d C:\DOCUME~1\ALLUSE~1\Application Data\Symantec
2006-12-16 14:36 <DIR> d C:\Program Files\Symantec
2006-12-15 15:10 <DIR> d C:\Program Files\Western Digital Technologies
2006-12-14 19:17 <DIR> d C:\Program Files\ACW
===================
HIJACKTHIS LOG
Logfile of HijackThis v1.99.1
Scan saved at 11:52:21 PM, on 1/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Hi Trogan - OK registry and file steps completed. The HJT log is attached.
1) I will be deleting a couple of those strange files we spoke of earlier.
2) Curious - the PandaScan said it found 4 spyware and 2 potentially unwanted tools. Nothing to do about them?
3) Seeing what we have seen, do you think this laptop was compromised in a meaningful way?
4) Do you recommend the Remote Registry service remain disabled as a preventative measure against unwanted intrusions?
5) Under MSCONFIG, there are still two lines that are referring to BitDefender??? They are:
bdagent "C:\program files\softwin\Bitdefender10\bdagent.exe"
bdmcom "C:\program files\softwin\Bitdefender10\bdmcom.exe" /reg
But neither of those two files exist, in fact the "softwin" folder doesn't appear within program files. ??? The only thing that comes up in a search for "bdagent" anywhere on C:\ is:
BDAGENT.EXE-12F3E49A.pf which is located in C:\WINDOWS\prefetch
Can this be cleaned up? Regedit shows under HKCU\SOFTWARE there still is an entry for SOFTWIN with several things inside it. Why do programs leave this crap behind? I found a tool by BitDefender called BDUninstallTool - give that a go?
6) Are there registry cleanup tools that you think are good? What about NTREGOPT?
7) Do you think the Windows built in firewall is sufficient, or do you strongly recommend something like Zone Alarm?
I think I figured out how some malware got in. Within Network Associates VirusScan tool is an "on access scanner" function which provides realtime protection. Somehow, it was disabled for about a week. I think it was my mistake. Prior to that point, this laptop had nearly never had a virus or serious malware, other than advertising tracking stuff (this stuff seems relatively harmless, no?). But coinciding with this function being disabled it seems the problems began, peaking with the failed installs of BD and the windows update. So now, I have only NA VirusScan and AVG installed, and only NA VirusScan running real time. Does this sound sufficient to you? I am amazed at how many MW and AV tools are out there, and it seems (as shown by VirusTotal) that none of them catch all the viruses. So which couple do you like the best and why?
-max
Logfile of HijackThis v1.99.1
Scan saved at 1:18:32 PM, on 1/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
1) I will be deleting a couple of those strange files we spoke of earlier.
OK! Just read my last post about each one.
2) Curious - the PandaScan said it found 4 spyware and 2 potentially unwanted tools. Nothing to do about them?
Nothing harmful there. Just cookies and SDFix being flagged. No real cause for concern.
3) Seeing what we have seen, do you think this laptop was compromised in a meaningful way?
No!
4) Do you recommend the Remote Registry service remain disabled as a preventative measure against unwanted intrusions?
Leave things as they are.
5) Under MSCONFIG, there are still two lines that are referring to BitDefender??? They are:
bdagent "C:\program files\softwin\Bitdefender10\bdagent.exe"
bdmcom "C:\program files\softwin\Bitdefender10\bdmcom.exe" /reg
But neither of those two files exist, in fact the "softwin" folder doesn't appear within program files. ??? The only thing that comes up in a search for "bdagent" anywhere on C:\ is:
BDAGENT.EXE-12F3E49A.pf which is located in C:\WINDOWS\prefetch
Can this be cleaned up? Regedit shows under HKCU\SOFTWARE there still is an entry for SOFTWIN with several things inside it. Why do programs leave this crap behind? I found a tool by BitDefender called BDUninstallTool - give that a go?
First, you can delete BDAGENT.EXE-12F3E49A.pf in C:\WINDOWS\prefetch.
Secondly, this reg fix will remove BitDefender from MSCONFIG:
Open Notepad!
Copy and Paste everything from the Quote box into Notepad:
Go to File > Save As
Save File name as Fix.reg
Change Save as Type to All Files and save the file to your desktop.
Close Notepad, and double-click Fix.reg on your Desktop. When it asks if you want to merge the info to the registry, hit YES/OK. Reboot the computer and check they have been removed from MSCONFIG.
6) Are there registry cleanup tools that you think are good? What about NTREGOPT?
I don't use Registry cleanup tools and have not used one in years, so I'd be hesitant to recommend one.
7) Do you think the Windows built in firewall is sufficient, or do you strongly recommend something like Zone Alarm?
Zone Alarm would be better as Windows Firewall only monitors incoming Traffic.
I think I figured out how some malware got in. Within Network Associates VirusScan tool is an "on access scanner" function which provides realtime protection. Somehow, it was disabled for about a week. I think it was my mistake. Prior to that point, this laptop had nearly never had a virus or serious malware, other than advertising tracking stuff (this stuff seems relatively harmless, no?). But coinciding with this function being disabled it seems the problems began, peaking with the failed installs of BD and the windows update. So now, I have only NA VirusScan and AVG installed, and only NA VirusScan running real time. Does this sound sufficient to you? I am amazed at how many MW and AV tools are out there, and it seems (as shown by VirusTotal) that none of them catch all the viruses. So which couple do you like the best and why?
It just goes to show that without real-time protection enabled, anything can slip into the computer. It's good that you have AVG anti-virus (with real-time disabled) as backup. I would advise against installing any more AVs even for backup...it may not be a wise idea.
Your log is clean now. Do you have any further questions or problems?
...Are there registry cleanup tools that you think are good? What about NTREGOPT?...
I'm not familiar with that one, but I've had great success with RegCleaner (free). It is handy for removing the leftover remnants of uninstalled programs, and their Tools>>Registry Cleanup>>Do Them All has done a good job for general cleanup.
Cool! Looks like this turned out to be a nice success story - thanks to your help and profdlp. Thanks!
I did have a couple questions about some mysterious files located in C:\
They have the same recent date/time stamp which makes me think they are related, but I don't remember them being there before all this started. And I just want to clean things up, if possible. They are...
tjtuaxbf.bat
reboot.bat
reboot.exe
There isn't anything meaningful in the properties box, so I don't have much to go on, except a hunch they might be from some malware tool we used. ???
Also in C:\ is a file named "-453555759" that has no extension and is 0 bytes. It is dated a few days before I think my laptop actually might have become infected.
And the final question is...!!! what is Avenger.exe? It seems to come with Rustbfix but I'm not sure. Can I delete it?
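The same-timestamp hunch above is exactly what a responder checks first in a ComboFix "Files Created" listing. This Python script is an added example, not from the thread or from ComboFix: it parses entries in that layout (constructed sample lines modelled on the log, with the attribute flags already stripped as they appear on the page), groups files created in the same minute, and flags executables sitting in the drive root and zero-byte executables such as naswnlg.exe.

```python
"""Triage a ComboFix "Files Created" listing (added example, not from the thread)."""
import ntpath
import re
from collections import defaultdict

# One ComboFix entry: "<date> <time> <size or <DIR>> <attribute flags> <path>".
# The flags are optional here because extraction often strips or drops them
# ("--a------" comes through as "--a", and one entry on the page has none).
ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size><DIR>|[\d,]+)\s+"
    r"(?:(?P<attrs>[-a-z]+)\s+)?"
    r"(?P<path>[A-Za-z]:\\.*?)\s*$"
)

# File types Windows runs directly; a new one sitting in the drive root is
# worth a look, whether it came from a dropper or from a cleanup tool.
EXEC_EXT = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".dll", ".sys"}

# Constructed sample in ComboFix's layout, modelled on the thread's log.
SAMPLE_LOG = r"""
2007-01-12 13:25 <DIR> d C:\SDFix
2007-01-09 20:43 96 --a C:\avexport.bat
2007-01-09 20:43 336 --a C:\reboot.bat
2007-01-09 20:43 19,814 --a C:\reboot.exe
2007-01-09 20:43 126,976 --a C:\zip.exe
2007-01-09 20:43 1,080 --a C:\tjtuaxbf.bat
2007-01-09 20:31 7,552 --a C:\WINDOWS\system32\drivers\pxcom.sys
2007-01-09 20:31 18,560 --a C:\WINDOWS\system32\drivers\pxtdi.sys
2007-01-09 20:31 13,952 --a C:\WINDOWS\system32\drivers\pxrd.sys
2006-12-17 20:54 0 --a C:\naswnlg.exe
2006-12-17 18:31 4,588,454 --a C:\Program Files\setup.exe
2006-12-12 18:16 60,416 C:\WINDOWS\system32\tzchange.exe
"""


def parse_files_created(text):
    """Return one dict per entry; lines that are not entries are ignored."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        size = None if m["size"] == "<DIR>" else int(m["size"].replace(",", ""))
        entries.append({"created": m["created"], "size": size,
                        "attrs": m["attrs"] or "", "path": m["path"]})
    return entries


def in_drive_root(path):
    """True for files directly under a drive root such as C:\\ (ntpath handles Windows paths anywhere)."""
    return re.fullmatch(r"[A-Za-z]:\\?", ntpath.dirname(path)) is not None


def triage(entries, cluster_min=3):
    """Collect the findings a responder checks first."""
    root_exec, zero_byte = [], []
    by_minute = defaultdict(list)
    for e in entries:
        if e["size"] is None:          # directories: no payload of their own
            continue
        ext = ntpath.splitext(e["path"])[1].lower()
        if ext in EXEC_EXT and in_drive_root(e["path"]):
            root_exec.append(e["path"])
        if e["size"] == 0 and ext in EXEC_EXT:
            zero_byte.append(e["path"])
        by_minute[e["created"]].append(e["path"])
    # Files created within the same minute usually share one origin (one
    # installer, one dropper, one cleanup tool) and should be judged together.
    clusters = {k: v for k, v in by_minute.items() if len(v) >= cluster_min}
    return {"root_executables": root_exec, "zero_byte": zero_byte,
            "same_minute_clusters": clusters}


if __name__ == "__main__":
    for key, value in triage(parse_files_created(SAMPLE_LOG)).items():
        print(key, value)
```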
Trogan - the laptop is running well, thanks to your help. Made the final little cleanups and have realtime virus protection on. BTW - how do you feel about McAfee virusscan? Does it protect against Malware and trojans and rootkits too, or just viruses?
PS - I have a desktop PC with a windows XP boot up problem (something about system registry files missing or corrupt). I was thinking about trying to tackle that one as well - do you suggest posting that on the Windows forum? -max
Trogan - the laptop is running well, thanks to your help. Made the final little cleanups and have realtime virus protection on. BTW - how do you feel about McAfee virusscan? Does it protect against Malware and trojans and rootkits too, or just viruses?
I don't think it will protect against Rootkits. It will protect against malware. However, I would not use McAfee. If you're thinking about paying for another product, get Kaspersky.
PS - I have a desktop PC with a windows XP boot up problem (something about system registry files missing or corrupt). I was thinking about trying to tackle that one as well - do you suggest posting that on the Windows forum?
Let me know what the error says. You might want to post a HijackThis log from that computer.
Trogan - I have begun to look into my desktop PC with Win XP boot problems. It is giving an error STOP: 0x0000007B which the MS KB says is likely a boot sector virus.
Can you suggest a good boot sector virus tool that can boot from a floppy or CD?
Do you know if it can facilitate loading a 3rd party controller driver so my drive can be seen?
PC is not able to boot into safe mode either. It gets to the Windows XP screen and then blue screens with an error talking about a missing or corrupt registry file.
Comments
"Administrator" - 07-01-12 17:10:23 Service Pack 2
ComboFix 07-01-12 - Running from: "C:\Documents and Settings\Administrator\Desktop"
((((((((((((((((((((((((((((((( Files Created from 2006-12-12 to 2007-01-12 ))))))))))))))))))))))))))))))))))
2007-01-12 13:25 <DIR> d
C:\SDFix
2007-01-11 22:12 3,968 --a
C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-01-11 22:12 <DIR> d
C:\Program Files\Grisoft
2007-01-11 12:37 <DIR> d
C:\DOCUME~1\ADMINI~1\Application Data\Bitdefender
2007-01-11 12:33 <DIR> d
C:\DOCUME~1\ALLUSE~1\Application Data\BitDefender
2007-01-09 20:43 96 --a
C:\avexport.bat
2007-01-09 20:43 60,416 --a
C:\WINDOWS\system32\drivers\qxallmjt.sys
2007-01-09 20:43 336 --a
C:\reboot.bat
2007-01-09 20:43 19,814 --a
C:\reboot.exe
2007-01-09 20:43 126,976 --a
C:\zip.exe
2007-01-09 20:43 1,080 --a
C:\tjtuaxbf.bat
2007-01-09 20:31 9,728 --a
C:\WINDOWS\system32\drivers\pxscinst.dll
2007-01-09 20:31 7,680 --a
C:\WINDOWS\system32\drivers\pxinst.dll
2007-01-09 20:31 7,552 --a
C:\WINDOWS\system32\drivers\pxcom.sys
2007-01-09 20:31 274,688 --a
C:\WINDOWS\system32\drivers\pxfsf.sys
2007-01-09 20:31 18,560 --a
C:\WINDOWS\system32\drivers\pxtdi.sys
2007-01-09 20:31 13,952 --a
C:\WINDOWS\system32\drivers\pxrd.sys
2007-01-09 20:31 11,648 --a
C:\WINDOWS\system32\drivers\pxscrmbl.sys
2007-01-09 20:31 100,864 --a
C:\WINDOWS\system32\drivers\PxEmu.sys
2007-01-09 20:31 <DIR> d
C:\DOCUME~1\ADMINI~1\Application Data\Prevx
2007-01-09 20:30 <DIR> d
C:\Program Files\Prevx1
2007-01-09 20:30 <DIR> d
C:\DOCUME~1\ALLUSE~1\Application Data\Prevx
2007-01-09 20:16 <DIR> d
C:\Malware Tools
2007-01-09 18:00 11,254 --a
C:\WINDOWS\system32\locate.com
2007-01-09 15:36 <DIR> d
C:\WINDOWS\system32\ActiveScan
2007-01-09 11:46 <DIR> d
C:\WINDOWS\BDOSCAN8
2007-01-08 19:34 <DIR> d
C:\Program Files\Sunbelt Software
2007-01-08 18:29 <DIR> d
C:\Program Files\HJT
2007-01-08 18:10 <DIR> d
C:\DOCUME~1\ALLUSE~1\Application Data\Spybot - Search & Destroy
2007-01-08 17:47 <DIR> d
C:\Program Files\CCleaner
2007-01-08 09:35 <DIR> d
C:\WINDOWS\pss
2007-01-08 00:29 94,480 --a
C:\WINDOWS\system32\drivers\tmcomm.sys
2007-01-07 21:51 <DIR> d
C:\quarantine
2007-01-07 19:31 <DIR> d
C:\DOCUME~1\ADMINI~1\.housecall6.6
2007-01-07 15:00 <DIR> d
C:\Program Files\HDInfo
2007-01-06 22:08 <DIR> d
C:\Program Files\Western Digital
2007-01-06 19:32 205,312 -ra
C:\WINDOWS\patchw32.dll
2007-01-06 19:31 205,312 -ra
C:\WINDOWS\pw32a.dll
2007-01-06 19:15 <DIR> d
C:\DOCUME~1\ADMINI~1\Application Data\WholeSecurity
2007-01-05 19:33 <DIR> d
C:\Program Files\Windows Live Safety Center
2007-01-05 10:55 5,632 --a
C:\WINDOWS\system32\ptpusb.dll
2007-01-05 10:55 159,232 --a
C:\WINDOWS\system32\ptpusd.dll
2007-01-02 21:15 <DIR> d
C:\Program Files\DC++
2006-12-27 13:28 28,672 --a
C:\WINDOWS\system32\drivers\CO_Mon.sys
2006-12-26 21:26 <DIR> d--h
C:\WINDOWS\system32\GroupPolicy
2006-12-22 12:17 <DIR> d
C:\Program Files\Common Files\xing shared
2006-12-22 12:16 <DIR> d
C:\Program Files\Real
2006-12-22 12:16 <DIR> d
C:\Program Files\Common Files\Real
2006-12-20 21:00 <DIR> d
C:\Program Files\OverDrive Media Console
2006-12-20 21:00 <DIR> d
C:\DOCUME~1\ADMINI~1\Application Data\OverDrive
2006-12-18 10:46 <DIR> d
C:\WINDOWS\system32\NtmsData
2006-12-17 22:38 <DIR> d
C:\DOCUME~1\ADMINI~1\Application Data\McAfee
2006-12-17 22:06 43,136 --a
C:\WINDOWS\system32\drivers\sbp2port.sys
2006-12-17 22:04 61,056 --a
C:\WINDOWS\system32\drivers\ohci1394.sys
2006-12-17 22:04 6,400 --a
C:\WINDOWS\system32\drivers\enum1394.sys
2006-12-17 22:04 53,248 --a
C:\WINDOWS\system32\drivers\1394bus.sys
2006-12-17 20:54 0 --a
C:\naswnlg.exe
2006-12-17 18:33 <DIR> d
C:\DOCUME~1\ADMINI~1\Application Data\Symantec
2006-12-17 18:32 <DIR> d
C:\Program Files\Common Files\Symantec Shared
2006-12-17 18:31 4,588,454 --a
C:\Program Files\setup.exe
2006-12-17 18:31 <DIR> d
C:\Program Files\Support
2006-12-17 18:31 <DIR> d
C:\Program Files\Driver Validation
2006-12-17 17:09 <DIR> d
C:\Program Files\DiscWizard for Windows
2006-12-17 17:05 <DIR> d
C:\Program Files\Seagate
2006-12-17 10:26 <DIR> d
C:\Program Files\DIY DataRecovery iRecover 2.1
2006-12-16 14:52 <DIR> d
C:\DOCUME~1\ADMINI~1\Application Data\IsolatedStorage
2006-12-16 14:49 <DIR> dr--s---- C:\WINDOWS\assembly
2006-12-16 14:49 <DIR> d
C:\WINDOWS\system32\URTTemp
2006-12-16 14:49 <DIR> d
C:\WINDOWS\Microsoft.NET
2006-12-16 14:40 <DIR> d
C:\DOCUME~1\ALLUSE~1\Application Data\Symantec
2006-12-16 14:36 <DIR> d
C:\Program Files\Symantec
2006-12-15 15:10 <DIR> d
C:\Program Files\Western Digital Technologies
2006-12-14 19:17 <DIR> d
C:\Program Files\ACW
2006-12-12 18:16 60,416
C:\WINDOWS\system32\tzchange.exe
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-01-12 17:07 d
C:\Program Files\mozilla firefox
2007-01-11 12:50 d
C:\DOCUME~1\ADMINI~1\Application Data\skype
2007-01-11 12:00 d
C:\DOCUME~1\ADMINI~1\Application Data\adobeum
2007-01-09 11:24 d
C:\Program Files\java
2007-01-06 22:08 d--h
C:\Program Files\installshield installation information
2007-01-03 08:54 d
C:\DOCUME~1\ADMINI~1\Application Data\roxio
2006-12-22 12:54 d
C:\DOCUME~1\ADMINI~1\Application Data\real
2006-12-18 13:28 d
C:\Program Files\msn messenger
2006-12-16 14:57 d---s----
C:\DOCUME~1\ADMINI~1\Application Data\microsoft
2006-12-12 18:25 d
C:\Program Files\Common Files\adobe
2006-12-11 23:56 d
C:\Program Files\synaptics
2006-12-10 21:18 d
C:\Program Files\diy datarecovery diskpatch 3.0
2006-12-06 19:02 d
C:\Program Files\photo story 3 for windows
2006-12-06 14:42 d
C:\Program Files\windows media connect 2
2006-11-30 22:24 d
C:\Program Files\google
2006-11-21 19:41 d
C:\DOCUME~1\ADMINI~1\Application Data\apple computer
2006-11-17 22:29 d
C:\DOCUME~1\ADMINI~1\Application Data\hewlett-packard
2006-11-16 16:15 d
C:\Program Files\Common Files\hewlett-packard
2006-11-16 16:14 d
C:\Program Files\hewlett-packard
2006-11-07 21:06 679424 --a
C:\WINDOWS\system32\inetcomm.dll
2006-11-04 14:14 1245696
C:\WINDOWS\system32\msxml4.dll
2006-10-19 05:56 713216 --a
C:\WINDOWS\system32\sxs.dll
2006-10-18 21:58 8704
C:\WINDOWS\system32\wdfmgr.exe
2006-10-18 21:58 8704
C:\WINDOWS\system32\uwdf.exe
2006-10-18 21:47 99840 --a
C:\WINDOWS\system32\wmpshell.dll
2006-10-18 21:47 991744 --a
C:\WINDOWS\system32\drmv2clt.dll
2006-10-18 21:47 937984 --a
C:\WINDOWS\system32\wmnetmgr.dll
2006-10-18 21:47 8231936 --a
C:\WINDOWS\system32\wmploc.dll
2006-10-18 21:47 767488
C:\WINDOWS\system32\wmvsencd.dll
2006-10-18 21:47 757248 --a
C:\WINDOWS\system32\wmadmod.dll
2006-10-18 21:47 7168 --a
C:\WINDOWS\system32\asferror.dll
2006-10-18 21:47 656896
C:\WINDOWS\system32\wmvxencd.dll
2006-10-18 21:47 63488
C:\WINDOWS\system32\wpdmtpus.dll
2006-10-18 21:47 629760
C:\WINDOWS\system32\wpd_ci.dll
2006-10-18 21:47 613376
C:\WINDOWS\system32\wmpmde.dll
2006-10-18 21:47 603648 --a
C:\WINDOWS\system32\wmspdmod.dll
2006-10-18 21:47 542720 --a
C:\WINDOWS\system32\blackbox.dll
2006-10-18 21:47 535040
C:\WINDOWS\system32\wmdrmsdk.dll
2006-10-18 21:47 429056
C:\WINDOWS\system32\wmdrmdev.dll
2006-10-18 21:47 414208 --a
C:\WINDOWS\system32\msscp.dll
2006-10-18 21:47 4096 --a
C:\WINDOWS\system32\wmvdmoe2.dll
2006-10-18 21:47 4096 --a
C:\WINDOWS\system32\wmvdmod.dll
2006-10-18 21:47 4096 --a
C:\WINDOWS\system32\wmsdmoe2.dll
2006-10-18 21:47 4096 --a
C:\WINDOWS\system32\wmsdmod.dll
2006-10-18 21:47 4096 --a
C:\WINDOWS\system32\mpg4dmod.dll
2006-10-18 21:47 4096 --a
C:\WINDOWS\system32\mp4sdmod.dll
2006-10-18 21:47 4096 --a
C:\WINDOWS\system32\mp43dmod.dll
2006-10-18 21:47 4096
C:\WINDOWS\system32\wmvadve.dll
2006-10-18 21:47 4096
C:\WINDOWS\system32\wmvadvd.dll
2006-10-18 21:47 4096
C:\WINDOWS\system32\wdfapi.dll
2006-10-18 21:47 38400
C:\WINDOWS\system32\wpdshextres.dll
2006-10-18 21:47 37376 --a
C:\WINDOWS\system32\wmdmps.dll
2006-10-18 21:47 35840
C:\WINDOWS\system32\wpdconns.dll
2006-10-18 21:47 356352
C:\WINDOWS\system32\wpdsp.dll
2006-10-18 21:47 348672
C:\WINDOWS\system32\wmdrmnet.dll
2006-10-18 21:47 33792 --a
C:\WINDOWS\system32\wmdmlog.dll
2006-10-18 21:47 321536 --a
C:\WINDOWS\system32\mswmdm.dll
2006-10-18 21:47 317440
C:\WINDOWS\system32\mp4sdecd.dll
2006-10-18 21:47 314880 --a
C:\WINDOWS\system32\wmpdxm.dll
2006-10-18 21:47 295936
C:\WINDOWS\system32\wmpeffects.dll
2006-10-18 21:47 284160
C:\WINDOWS\system32\portabledeviceapi.dll
2006-10-18 21:47 276992
C:\WINDOWS\system32\audiodev.dll
2006-10-18 21:47 27136 --a
C:\WINDOWS\system32\mspmsnsv.dll
2006-10-18 21:47 2603008
C:\WINDOWS\system32\wpdshext.dll
2006-10-18 21:47 259072
C:\WINDOWS\system32\mpg4decd.dll
2006-10-18 21:47 259072
C:\WINDOWS\system32\mp43decd.dll
2006-10-18 21:47 2450944 --a
C:\WINDOWS\system32\wmvcore.dll
2006-10-18 21:47 242688 --a
C:\WINDOWS\system32\wmpasf.dll
2006-10-18 21:47 229376 --a
C:\WINDOWS\system32\cewmdm.dll
2006-10-18 21:47 227328 --a
C:\WINDOWS\system32\wmerror.dll
2006-10-18 21:47 222208 --a
C:\WINDOWS\system32\wmasf.dll
2006-10-18 21:47 212992
C:\WINDOWS\system32\mfplat.dll
2006-10-18 21:47 211456 --a
C:\WINDOWS\system32\qasf.dll
2006-10-18 21:47 204288
C:\WINDOWS\system32\wmpsrcwp.dll
2006-10-18 21:47 199168
C:\WINDOWS\system32\portabledevicewmdrm.dll
2006-10-18 21:47 179712 --a
C:\WINDOWS\system32\msnetobj.dll
2006-10-18 21:47 175616 --a
C:\WINDOWS\system32\mspmsp.dll
2006-10-18 21:47 166912
C:\WINDOWS\system32\portabledevicetypes.dll
2006-10-18 21:47 1661440
C:\WINDOWS\system32\wmpencen.dll
2006-10-18 21:47 1574912
C:\WINDOWS\system32\wmvencod.dll
2006-10-18 21:47 157184 --a
C:\WINDOWS\system32\wmidx.dll
2006-10-18 21:47 154624
C:\WINDOWS\system32\wpdmtp.dll
2006-10-18 21:47 1543680
C:\WINDOWS\system32\wmvdecod.dll
2006-10-18 21:47 1382912
C:\WINDOWS\system32\wmvsdecd.dll
2006-10-18 21:47 133632
C:\WINDOWS\system32\wpdshserviceobj.dll
2006-10-18 21:47 1329152 --a
C:\WINDOWS\system32\wmspdmoe.dll
2006-10-18 21:47 132096
C:\WINDOWS\system32\portabledevicewiacompat.dll
2006-10-18 21:47 130048
C:\WINDOWS\system32\wmpps.dll
2006-10-18 21:47 11264 --a
C:\WINDOWS\system32\laprxy.dll
2006-10-18 21:47 1117696 --a
C:\WINDOWS\system32\wmadmoe.dll
2006-10-18 21:47 101888
C:\WINDOWS\system32\portabledeviceclassextension.dll
2006-10-18 20:03 100864 --a
C:\WINDOWS\system32\logagent.exe
2006-10-18 20:00 249856
C:\WINDOWS\system32\drmupgds.exe
2006-10-18 20:00 17408
C:\WINDOWS\system32\wpdshextautoplay.exe
2006-10-13 04:35 65536 --a
C:\WINDOWS\system32\nwwks.dll
2006-10-13 04:35 64000 --a
C:\WINDOWS\system32\nwapi32.dll
2006-10-13 04:35 142336 --a
C:\WINDOWS\system32\nwprovau.dll
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ATIModeChange"="Ati2mdxx.exe"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"PCTVOICE"="pctspk.exe"
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00
"UserFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,\
6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,75,00
"SDFix"="C:\\SDFix\\RunThis.bat /second"
"PrevxOne"="\"C:\\Program Files\\Prevx1\\PXConsole.exe\""
"MSConfig"="C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\MSConfig.exe /auto"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Desktop Manager.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Desktop Manager.lnk"
"backup"="C:\\WINDOWS\\pss\\Desktop Manager.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\RESEAR~1\\BLACKB~1\\DESKTO~1.EXE "
"item"="Desktop Manager"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="avgas"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BDAgent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="bdagent"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Softwin\\BitDefender10\\bdagent.exe\""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BDMCon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="bdmcon"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Softwin\\BitDefender10\\bdmcon.exe\" /reg"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DVDLauncher"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\CyberLink\\PowerDVD\\DVDLauncher.exe\""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McAfeeUpdaterUI]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="UpdaterUI"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Network Associates\\Common Framework\\UpdaterUI.exe\" /StartedFromRunKey"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MsnMsgr"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Network Associates Error Reporting Service]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TBMon"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Network Associates\\TalkBack\\TBMon.exe\""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DrgToDsc"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Roxio\\Easy CD Creator 6\\DragToDisc\\DrgToDsc.exe\""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioEngineUtility]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="EngUtil"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Roxio Shared\\System\\EngUtil.exe\""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ShStatEXE]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SHSTAT"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Network Associates\\VirusScan\\SHSTAT.EXE\" /STANDALONE"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Skype"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Java\\jre1.6.0\\bin\\jusched.exe\""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunServer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="sunserver"
"hkey"="HKLM"
"command"="C:\\Program Files\\Sunbelt Software\\CounterSpy\\Consumer\\sunserver.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SynTPEnh"
"hkey"="HKLM"
"command"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SynTPLpr"
"hkey"="HKLM"
"command"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Toggler]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="toggler"
"hkey"="HKCU"
"command"="C:\\Program Files\\Toggler\\toggler.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AdobeUpdateManager"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe\" AcRdB7_0_8"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dumprep 0 -u"
"hkey"="HKLM"
"command"="%systemroot%\\system32\\dumprep 0 -u"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="WMPNSCFG"
"hkey"="HKCU"
"command"="C:\\Program Files\\Windows Media Player\\WMPNSCFG.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsMenu"=hex:01,00,00,00
"NoRecentDocsHistory"=hex:01,00,00,00
"NoSMMyDocs"=hex:01,00,00,00
"NoSMMyPictures"=hex:01,00,00,00
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0
Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\FRU Task #Hewlett-Packard#hp psc 2200 series#1163831275.job
Completion time: 07-01-12 17:12:05
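The "Reg Loading Points" section prints the two FaultCheck values as hex(2) byte lists, and two of the HKLM Run values (ATIModeChange, PCTVOICE) are bare file names with no directory. The decoder below is an added example for reading that section, not code from the thread or from ComboFix: its input is constructed from lines copied out of the log, and the %systemroot% mapping used by expand() is an assumption so it runs offline.

```python
"""Decode the "Reg Loading Points" values that ComboFix prints as hex(2).

hex(2) is the .reg-file encoding of a REG_EXPAND_SZ value: a comma-separated
byte list, continued across lines with a trailing backslash and ended by a
NUL. The sample below is constructed from lines copied out of the log above.
"""
import re

# Constructed sample: six values copied from the HKLM Run key in the log.
SAMPLE_REG = r'''
"ATIModeChange"="Ati2mdxx.exe"
"PCTVOICE"="pctspk.exe"
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00
"UserFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,\
6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,75,00
"SDFix"="C:\\SDFix\\RunThis.bat /second"
"PrevxOne"="\"C:\\Program Files\\Prevx1\\PXConsole.exe\""
'''


def join_continuations(text):
    """Join the trailing-backslash line continuations so each value sits on one line."""
    return re.sub(r',\\\r?\n\s*', ',', text)


def decode_hex2(byte_list):
    """Turn "25,73,..." into text. Regedit 5 exports REG_EXPAND_SZ as
    UTF-16LE; this log shows single-byte text, so both are handled."""
    raw = bytes(int(b, 16) for b in byte_list.split(',') if b)
    if len(raw) % 2 == 0 and not any(raw[1::2]):
        text = raw.decode('utf-16-le')
    else:
        text = raw.decode('latin-1')
    return text.rstrip('\x00')


def parse_run_values(text):
    """Return {value name: command} for a .reg-style dump of a Run key."""
    entries = {}
    for line in join_continuations(text).splitlines():
        m = re.match(r'"([^"]+)"=(.*)$', line.strip())
        if not m:
            continue
        name, value = m.groups()
        if value.startswith('hex(2):'):
            entries[name] = decode_hex2(value[len('hex(2):'):])
        elif value.startswith('"') and value.endswith('"'):
            # .reg escaping: \\ -> \ and \" -> "
            entries[name] = value[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    return entries


def expand(cmd, env=None):
    """Expand %VAR% the way Windows does for REG_EXPAND_SZ. The default
    mapping is an assumption for running this offline (the log's paths show
    the system root is C:\\WINDOWS)."""
    env = env or {'systemroot': r'C:\WINDOWS'}
    return re.sub(r'%([^%]+)%',
                  lambda m: env.get(m.group(1).lower(), m.group(0)), cmd)


def unqualified(entries):
    """Values that name a bare executable with no directory. Windows resolves
    these through the search path at logon, so the copy that actually runs
    has to be confirmed on disk rather than assumed."""
    return [name for name, cmd in entries.items()
            if '\\' not in cmd.split(' ', 1)[0]]


if __name__ == '__main__':
    decoded = parse_run_values(SAMPLE_REG)
    for name, cmd in decoded.items():
        print(f'{name:18} {expand(cmd)}')
    print('bare names:', unqualified(decoded))
```

Running it prints the two FaultCheck values as `C:\WINDOWS\system32\dumprep 0 -k` and `... -u` (the XP crash-dump reporter) and lists ATIModeChange and PCTVOICE as the entries whose executable still has to be located on disk.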
From a quick glance at the ComboFix log, there are some files I need to look into but not right now.
I'm not a Windows expert, like I said
I'll check this thread in a couple of hours.
http://short-media.com/forum/forumdisplay.php?f=32
See you soon!
Also, what are the main problems?
HJT log attached. Main problems are:
1) verifying Bit Defender was completely installed. There are still some lines in the MSCONFIG tool that reference BitDefender. ???
2) The LSA Shell error has gone away - not sure why. Posts indicate it might have been the Sasser worm - I used WMRT and FxSasser to check and they came back negative. Anything else I should look for?
3) trying to remove CounterSpy, but keep getting Internal Error 2738. Laptop has the latest jscript.dll file from MS installed, so ruled out that cause.
-max
Logfile of HijackThis v1.99.1
Scan saved at 6:03:36 PM, on 1/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HJT\Analyse.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/reso...scbase8460.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1156438812346
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAV...oadManager.ocx
O16 - DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} (Seagate SeaTools English Online) - http://www.seagate.com/support/disc/...npseatools.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30155.www3.hp.com/ediags/hpf...qdiagh.cab?326
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Machine Debug Manager (MDM) - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
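A HijackThis log of this size is easier to review once the entries that deserve a second look are pulled out: anything marked "(file missing)", O23 services with "Unknown owner", O16 ActiveX downloads with their URLs, the O20 Winlogon notify DLL, and O4 Run entries whose executable is not in the running-process list. The script below is an added example, not HijackThis code, and its rules for what counts as worth a look are its own; the sample lines are constructed from the log above.

```python
"""Pull the entries a reviewer checks first out of a HijackThis 1.99.1 log.

The sample is constructed from lines copied out of the log above. The
classification rules (what counts as worth a second look) are this
example's own, not HijackThis's.
"""
import re

SAMPLE_HJT = r'''
Running processes:
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\WINDOWS\system32\Ati2evxx.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Machine Debug Manager (MDM) - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE (file missing)
'''

ENTRY = re.compile(r'^([ORFN]\d+) - (.*)$')


def parse_hjt(text):
    """Split a log into the running-process list and the lettered entries."""
    processes, entries, in_procs = [], [], False
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line == 'Running processes:':
            in_procs = True
            continue
        m = ENTRY.match(line)
        if m:
            in_procs = False
            entries.append({'section': m.group(1), 'body': m.group(2)})
        elif in_procs:
            processes.append(line)
    return processes, entries


def find_issues(entries):
    """Entries worth a second look: (section, reason, detail) tuples."""
    issues = []
    for e in entries:
        sec, body = e['section'], e['body']
        if '(file missing)' in body:
            issues.append((sec, 'file missing', body))
        if sec == 'O23' and 'Unknown owner' in body:
            issues.append((sec, 'unknown owner', body))
        if sec == 'O16':                      # ActiveX control fetched from a URL
            issues.append((sec, 'ActiveX download', body.rsplit(' - ', 1)[-1]))
        if sec == 'O20':                      # DLL loaded by winlogon at logon
            issues.append((sec, 'Winlogon notify DLL', body.split(' - ', 1)[-1]))
    return issues


def run_target(body):
    """Executable basename named by an O4 entry: '[Name] "C:\\dir\\x.exe" /a' -> 'x.exe'."""
    cmd = body.split('] ', 1)[1]
    exe = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(' ', 1)[0]
    return exe.rsplit('\\', 1)[-1].lower()


def run_entries_not_running(entries, processes):
    """O4 Run entries whose executable is absent from the process list.
    A Run entry that should be resident but is not, or one that is resident
    under a different path, is the kind of mismatch to chase."""
    running = {p.rsplit('\\', 1)[-1].lower() for p in processes}
    return [e['body'].split('[', 1)[1].split(']', 1)[0]
            for e in entries
            if e['section'] == 'O4' and run_target(e['body']) not in running]


if __name__ == '__main__':
    procs, ents = parse_hjt(SAMPLE_HJT)
    for sec, reason, detail in find_issues(ents):
        print(f'{sec:4} {reason:20} {detail}')
    print('Run entries not resident:', run_entries_not_running(ents, procs))
```

On the sample, dumprep shows up as a Run entry with no matching process, which is expected for a tool that exits after it runs; the point of the check is to make the reviewer confirm that rather than assume it.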
System Restore should ALWAYS be on, no matter what. It's very important!
Anyway, there are some files that I would like you to get scanned for analysis
- Go to VirusTotal
- Copy and paste the following file path into the Search Box at the top of the page:
- C:\tjtuaxbf.bat
- Click on the Send button
- Save a copy of the results and post them in your next reply.
Do the same for the following...
C:\WINDOWS\system32\locate.com
C:\WINDOWS\pw32a.dll
C:\naswnlg.exe
C:\Program Files\setup.exe
C:\WINDOWS\system32\tzchange.exe
Here are the results of the first two files. If all the others come back negative, would you prefer just a short reply to that effect?
==========================
Complete scanning result of "tjtuaxbf.bat", received in VirusTotal at 01.14.2007, 03:21:15 (CET).
Antivirus Version Update Result
AntiVir 7.3.0.21 01.09.2007 no virus found
Authentium 4.93.8 01.12.2007 no virus found
Avast 4.7.936.0 01.13.2007 no virus found
AVG 386 01.13.2007 no virus found
BitDefender 7.2 01.14.2007 no virus found
CAT-QuickHeal 9.00 01.12.2007 no virus found
ClamAV devel-20060426 01.13.2007 no virus found
DrWeb 4.33 01.13.2007 no virus found
eSafe 7.0.14.0 01.10.2007 no virus found
eTrust-InoculateIT 23.73.113 01.13.2007 no virus found
eTrust-Vet 30.3.3324 01.12.2007 no virus found
Ewido 4.0 01.13.2007 no virus found
Fortinet 2.82.0.0 01.13.2007 no virus found
F-Prot 3.16f 01.12.2007 no virus found
F-Prot4 4.2.1.29 01.12.2007 no virus found
Ikarus T3.1.0.27 01.09.2007 no virus found
Kaspersky 4.0.2.24 01.14.2007 no virus found
McAfee 4938 01.12.2007 no virus found
Microsoft 1.1904 01.13.2007 no virus found
NOD32v2 1977 01.13.2007 no virus found
Norman 5.80.02 01.12.2007 no virus found
Panda 9.0.0.4 01.13.2007 no virus found
Prevx1 V2 01.14.2007 no virus found
Sophos 4.13.0 01.13.2007 no virus found
Sunbelt 2.2.907.0 01.12.2007 no virus found
TheHacker 6.0.3.147 01.11.2007 no virus found
UNA 1.83 01.12.2007 no virus found
VBA32 3.11.2 01.12.2007 no virus found
VirusBuster 4.3.19:9 01.13.2007 no virus found
Additional Information
File size: 0 bytes
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
==============================
Complete scanning result of "locate.com", received in VirusTotal at 01.14.2007, 03:25:25 (CET).
Antivirus Version Update Result
AntiVir 7.3.0.21 01.09.2007 no virus found
Authentium 4.93.8 01.12.2007 no virus found
Avast 4.7.936.0 01.13.2007 no virus found
AVG 386 01.13.2007 no virus found
BitDefender 7.2 01.14.2007 no virus found
CAT-QuickHeal 9.00 01.12.2007 no virus found
ClamAV devel-20060426 01.13.2007 no virus found
DrWeb 4.33 01.13.2007 no virus found
eSafe 7.0.14.0 01.10.2007 no virus found
eTrust-InoculateIT 23.73.113 01.13.2007 no virus found
eTrust-Vet 30.3.3324 01.12.2007 no virus found
Ewido 4.0 01.13.2007 no virus found
Fortinet 2.82.0.0 01.13.2007 no virus found
F-Prot 3.16f 01.12.2007 no virus found
F-Prot4 4.2.1.29 01.12.2007 no virus found
Ikarus T3.1.0.27 01.09.2007 no virus found
Kaspersky 4.0.2.24 01.14.2007 no virus found
McAfee 4938 01.12.2007 no virus found
Microsoft 1.1904 01.13.2007 no virus found
NOD32v2 1977 01.13.2007 no virus found
Norman 5.80.02 01.12.2007 no virus found
Panda 9.0.0.4 01.13.2007 no virus found
Prevx1 V2 01.14.2007 no virus found
Sophos 4.13.0 01.13.2007 no virus found
Sunbelt 2.2.907.0 01.12.2007 no virus found
TheHacker 6.0.3.147 01.11.2007 no virus found
UNA 1.83 01.12.2007 no virus found
VBA32 3.11.2 01.12.2007 no virus found
VirusBuster 4.3.19:9 01.13.2007 no virus found
Additional Information
File size: 11254 bytes
MD5: 321e0b208545a9c4610a2146417e7e2c
SHA1: 73e0208c4b2f9bd4d0015fe78c631e24c8792024
packers: UPX
===========================
How did you select those files in particular?
What do you want to do as the next cleanup steps?
-max
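Before those verdicts are trusted, compare what VirusTotal actually hashed with what is on disk. The first report says 0 bytes, and its MD5 (d41d8cd98f00b204e9800998ecf8427e) and SHA1 (da39a3ee5e6b4b0d3255bfef95601890afd80709) are the digests of zero bytes, while ComboFix lists C:\tjtuaxbf.bat at 1,080 bytes: the engines scanned an empty upload, so "no virus found" says nothing about the file. The script below is an added example, not part of the thread; its report text is constructed from lines of the first result above, and LOCAL_BAT is a constructed stand-in for the file, whose real contents are not on the page.

```python
"""Check a VirusTotal result against the file it is supposed to describe.

A clean verdict only means something if the bytes VirusTotal hashed are the
bytes on disk. VT_REPORT is a constructed sample built from lines of the
first report in the thread; LOCAL_BAT is a 1,080-byte stand-in (the size
ComboFix listed) since the real file contents are not on the page.
"""
import hashlib
import re

EMPTY_MD5 = 'd41d8cd98f00b204e9800998ecf8427e'            # MD5 of zero bytes
EMPTY_SHA1 = 'da39a3ee5e6b4b0d3255bfef95601890afd80709'    # SHA1 of zero bytes

VT_REPORT = """\
Complete scanning result of "tjtuaxbf.bat", received in VirusTotal at 01.14.2007, 03:21:15 (CET).
Antivirus Version Update Result
AntiVir 7.3.0.21 01.09.2007 no virus found
Kaspersky 4.0.2.24 01.14.2007 no virus found
McAfee 4938 01.12.2007 no virus found
Prevx1 V2 01.14.2007 no virus found
Additional Information
File size: 0 bytes
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
"""

# Constructed stand-in content, padded to the size ComboFix listed (1,080 bytes).
LOCAL_BAT = (b'@echo off\r\nrem placeholder\r\n' * 50)[:1080]

ENGINE_LINE = re.compile(r'^\S+ \S+ \d\d\.\d\d\.\d{4} (.+)$')


def parse_vt_report(text):
    """Extract size, digests, packer note and per-engine verdict counts."""
    info = {'engines': 0, 'detections': 0}
    for line in text.splitlines():
        if m := re.match(r'File size:\s*(\d+)', line):
            info['size'] = int(m.group(1))
        elif m := re.match(r'MD5:\s*([0-9a-fA-F]{32})', line):
            info['md5'] = m.group(1).lower()
        elif m := re.match(r'SHA1:\s*([0-9a-fA-F]{40})', line):
            info['sha1'] = m.group(1).lower()
        elif m := re.match(r'packers:\s*(.+)', line):
            info['packers'] = m.group(1).strip()
        elif m := ENGINE_LINE.match(line):
            info['engines'] += 1
            if m.group(1).strip() != 'no virus found':
                info['detections'] += 1
    return info


def local_digests(data):
    """What a report for these exact bytes should say."""
    return {'size': len(data),
            'md5': hashlib.md5(data).hexdigest(),
            'sha1': hashlib.sha1(data).hexdigest()}


def check_submission(local_bytes, report, listed_size=None):
    """Reasons not to trust a clean verdict; an empty list means consistent."""
    problems = []
    if report.get('md5') == EMPTY_MD5 or report.get('sha1') == EMPTY_SHA1:
        problems.append('report digests are those of an empty file: nothing was scanned')
    if report.get('size') != len(local_bytes):
        problems.append(f"report size {report.get('size')} != local size {len(local_bytes)}")
    if report.get('md5') and hashlib.md5(local_bytes).hexdigest() != report['md5']:
        problems.append('local MD5 differs from the report')
    if listed_size is not None and listed_size != len(local_bytes):
        problems.append(f'local size {len(local_bytes)} != size in the ComboFix listing ({listed_size})')
    return problems


if __name__ == '__main__':
    report = parse_vt_report(VT_REPORT)
    print(f"{report['engines']} engines, {report['detections']} detections")
    for p in check_submission(LOCAL_BAT, report, listed_size=1080):
        print('PROBLEM:', p)
```

The same parser picks up the "packers: UPX" line from the locate.com result; a UPX-packed 11 KB .com file in system32 is not a verdict either way, but it is the kind of detail to carry into the next step rather than drop.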
C:\WINDOWS\system32\locate.com
C:\WINDOWS\pw32a.dll
C:\naswnlg.exe
C:\Program Files\setup.exe
C:\WINDOWS\system32\tzchange.exe
C:\WINDOWS\system32\locate.com =
No Version tab. Looks like some sort of batch file. Same props box as a .bat file. I scanned it with Network Associates virus - none found.
C:\WINDOWS\pw32a.dll =
version: 8.0.0.0
description: RTPatch Executable
Co: Pocket Soft, Inc., 2003. ??? Doesn't ring a bell.
C:\naswnlg.exe = could not find this file by browsing, but searched C:\ and it was located at C:\SDFix\backups\backups.zip. Since it is in a compressed folder, it does not have a regular properties box. ?????
C:\Program Files\setup.exe =
version 9.0.333.0
InstallShield Software Corp
I think this belongs to one of the spyware tools I want to uninstall.
C:\WINDOWS\system32\tzchange.exe =
version 5.1.2600.3037
Microsoft Timezone change tool (was in a very recent MS Windows Update)
-max
C:\WINDOWS\system32\locate.com
Leave this for now.
C:\WINDOWS\pw32a.dll
Doesn't ring a bell either. I would delete it and see if you have any problems.
C:\naswnlg.exe
You can delete the whole SDFix folder, if you want. SDFix has done its job.
C:\Program Files\setup.exe
Delete if you want. It's not needed.
C:\WINDOWS\system32\tzchange.exe
Legit
Now to run another scan...
1. Please do an online scan with Panda ActiveScan
- Once you are on the Panda site, click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component, allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
2. Run another scan with ComboFix please so it can create a new log.
Post the contents of the Panda scan report, along with a new HijackThis Log and the ComboFix log.
Active Scan log:
Incident Status Location
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7570flkp.default\cookies.txt[.overture.com/]
Spyware:Cookie/AdDynamix Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7570flkp.default\cookies.txt[.ads.addynamix.com/]
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7570flkp.default\cookies.txt[.go.com/]
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@statse.webtrendslive[1].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\7570flkp.default\Cache\DD0DBD66d01[C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\7570flkp.default\Cache\DD0DBD6
Potentially unwanted tool:Application/Processor Not disinfected C:\SDFix\apps\Process.exe
===============
COMBO FIX LOG
"Administrator" - 07-01-13 23:42:05 Service Pack 2
ComboFix 07-01-12 - Running from: "C:\Documents and Settings\Administrator\Desktop"
((((((((((((((((((((((((((((((( Files Created from 2006-12-13 to 2007-01-13 ))))))))))))))))))))))))))))))))))
2007-01-13 19:52 <DIR> d
C:\WINDOWS\system32\ActiveScan
2007-01-13 19:52 <DIR> d
C:\WINDOWS\LastGood
2007-01-13 19:16 <DIR> d--h
C:\WINDOWS\PIF
2007-01-12 13:25 <DIR> d
C:\SDFix
2007-01-11 22:12 3,968 --a
C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-01-11 22:12 <DIR> d
C:\Program Files\Grisoft
2007-01-09 20:43 96 --a
C:\avexport.bat
2007-01-09 20:43 60,416 --a
C:\WINDOWS\system32\drivers\qxallmjt.sys
2007-01-09 20:43 336 --a
C:\reboot.bat
2007-01-09 20:43 19,814 --a
C:\reboot.exe
2007-01-09 20:43 126,976 --a
C:\zip.exe
2007-01-09 20:43 1,080 --a
C:\tjtuaxbf.bat
2007-01-09 20:31 11,648 --a
C:\WINDOWS\system32\drivers\pxscrmbl.sys
2007-01-09 20:16 <DIR> d
C:\Malware Tools
2007-01-09 18:00 11,254 --a
C:\WINDOWS\system32\locate.com
2007-01-09 11:46 <DIR> d
C:\WINDOWS\BDOSCAN8
2007-01-08 19:34 <DIR> d
C:\Program Files\Sunbelt Software
2007-01-08 18:29 <DIR> d
C:\Program Files\HJT
2007-01-08 18:10 <DIR> d
C:\DOCUME~1\ALLUSE~1\Application Data\Spybot - Search & Destroy
2007-01-08 17:47 <DIR> d
C:\Program Files\CCleaner
2007-01-08 09:35 <DIR> d
C:\WINDOWS\pss
2007-01-08 00:29 76,560 --a
C:\WINDOWS\system32\drivers\tmcomm.sys
2007-01-07 21:51 <DIR> d
C:\quarantine
2007-01-07 19:31 <DIR> d
C:\DOCUME~1\ADMINI~1\.housecall6.6
2007-01-07 15:00 <DIR> d
C:\Program Files\HDInfo
2007-01-06 22:08 <DIR> d
C:\Program Files\Western Digital
2007-01-06 19:32 205,312 -ra
C:\WINDOWS\patchw32.dll
2007-01-06 19:31 205,312 -ra
C:\WINDOWS\pw32a.dll
2007-01-06 19:15 <DIR> d
C:\DOCUME~1\ADMINI~1\Application Data\WholeSecurity
2007-01-05 19:33 <DIR> d
C:\Program Files\Windows Live Safety Center
2007-01-05 10:55 5,632 --a
C:\WINDOWS\system32\ptpusb.dll
2007-01-05 10:55 159,232 --a
C:\WINDOWS\system32\ptpusd.dll
2007-01-02 21:15 <DIR> d
C:\Program Files\DC++
2006-12-27 13:28 28,672 --a
C:\WINDOWS\system32\drivers\CO_Mon.sys
2006-12-26 21:26 <DIR> d--h
C:\WINDOWS\system32\GroupPolicy
2006-12-22 12:17 <DIR> d
C:\Program Files\Common Files\xing shared
2006-12-22 12:16 <DIR> d
C:\Program Files\Real
2006-12-22 12:16 <DIR> d
C:\Program Files\Common Files\Real
2006-12-20 21:00 <DIR> d
C:\Program Files\OverDrive Media Console
2006-12-20 21:00 <DIR> d
C:\DOCUME~1\ADMINI~1\Application Data\OverDrive
2006-12-18 10:46 <DIR> d
C:\WINDOWS\system32\NtmsData
2006-12-17 22:38 <DIR> d
C:\DOCUME~1\ADMINI~1\Application Data\McAfee
2006-12-17 22:06 43,136 --a
C:\WINDOWS\system32\drivers\sbp2port.sys
2006-12-17 22:04 61,056 --a
C:\WINDOWS\system32\drivers\ohci1394.sys
2006-12-17 22:04 6,400 --a
C:\WINDOWS\system32\drivers\enum1394.sys
2006-12-17 22:04 53,248 --a
C:\WINDOWS\system32\drivers\1394bus.sys
2006-12-17 18:33 <DIR> d
C:\DOCUME~1\ADMINI~1\Application Data\Symantec
2006-12-17 18:32 <DIR> d
C:\Program Files\Common Files\Symantec Shared
2006-12-17 18:31 <DIR> d
C:\Program Files\Support
2006-12-17 18:31 <DIR> d
C:\Program Files\Driver Validation
2006-12-17 17:09 <DIR> d
C:\Program Files\DiscWizard for Windows
2006-12-17 17:05 <DIR> d
C:\Program Files\Seagate
2006-12-17 10:26 <DIR> d
C:\Program Files\DIY DataRecovery iRecover 2.1
2006-12-16 14:52 <DIR> d
C:\DOCUME~1\ADMINI~1\Application Data\IsolatedStorage
2006-12-16 14:49 <DIR> dr--s---- C:\WINDOWS\assembly
2006-12-16 14:49 <DIR> d
C:\WINDOWS\system32\URTTemp
2006-12-16 14:49 <DIR> d
C:\WINDOWS\Microsoft.NET
2006-12-16 14:40 <DIR> d
C:\DOCUME~1\ALLUSE~1\Application Data\Symantec
2006-12-16 14:36 <DIR> d
C:\Program Files\Symantec
2006-12-15 15:10 <DIR> d
C:\Program Files\Western Digital Technologies
2006-12-14 19:17 <DIR> d
C:\Program Files\ACW
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-01-13 20:48 d
C:\Program Files\mozilla firefox
2007-01-11 12:50 d
C:\DOCUME~1\ADMINI~1\Application Data\skype
2007-01-11 12:00 d
C:\DOCUME~1\ADMINI~1\Application Data\adobeum
2007-01-09 11:24 d
C:\Program Files\java
2007-01-06 22:08 d--h
C:\Program Files\installshield installation information
2007-01-03 08:54 d
C:\DOCUME~1\ADMINI~1\Application Data\roxio
2006-12-22 12:54 d
C:\DOCUME~1\ADMINI~1\Application Data\real
2006-12-18 13:28 d
C:\Program Files\msn messenger
2006-12-16 14:57 d---s----
C:\DOCUME~1\ADMINI~1\Application Data\microsoft
2006-12-12 18:25 d
C:\Program Files\Common Files\adobe
2006-12-11 23:56 d
C:\Program Files\synaptics
2006-12-10 21:18 d
C:\Program Files\diy datarecovery diskpatch 3.0
2006-12-06 19:02 d
C:\Program Files\photo story 3 for windows
2006-12-06 14:42 d
C:\Program Files\windows media connect 2
2006-11-30 22:24 d
C:\Program Files\google
2006-11-21 19:41 d
C:\DOCUME~1\ADMINI~1\Application Data\apple computer
2006-11-18 03:44 60416
C:\WINDOWS\system32\tzchange.exe
2006-11-17 22:29 d
C:\DOCUME~1\ADMINI~1\Application Data\hewlett-packard
2006-11-16 16:15 d
C:\Program Files\Common Files\hewlett-packard
2006-11-16 16:14 d
C:\Program Files\hewlett-packard
2006-11-07 21:06 679424 --a
C:\WINDOWS\system32\inetcomm.dll
2006-11-04 14:14 1245696
C:\WINDOWS\system32\msxml4.dll
2006-10-19 05:56 713216 --a
C:\WINDOWS\system32\sxs.dll
2006-10-18 21:58 8704
C:\WINDOWS\system32\wdfmgr.exe
2006-10-18 21:58 8704
C:\WINDOWS\system32\uwdf.exe
2006-10-18 21:47 99840 --a
C:\WINDOWS\system32\wmpshell.dll
2006-10-18 21:47 991744 --a
C:\WINDOWS\system32\drmv2clt.dll
2006-10-18 21:47 937984 --a
C:\WINDOWS\system32\wmnetmgr.dll
2006-10-18 21:47 8231936 --a
C:\WINDOWS\system32\wmploc.dll
2006-10-18 21:47 767488
C:\WINDOWS\system32\wmvsencd.dll
2006-10-18 21:47 757248 --a
C:\WINDOWS\system32\wmadmod.dll
2006-10-18 21:47 7168 --a
C:\WINDOWS\system32\asferror.dll
2006-10-18 21:47 656896
C:\WINDOWS\system32\wmvxencd.dll
2006-10-18 21:47 63488
C:\WINDOWS\system32\wpdmtpus.dll
2006-10-18 21:47 629760
C:\WINDOWS\system32\wpd_ci.dll
2006-10-18 21:47 613376
C:\WINDOWS\system32\wmpmde.dll
2006-10-18 21:47 603648 --a
C:\WINDOWS\system32\wmspdmod.dll
2006-10-18 21:47 542720 --a
C:\WINDOWS\system32\blackbox.dll
2006-10-18 21:47 535040
C:\WINDOWS\system32\wmdrmsdk.dll
2006-10-18 21:47 429056
C:\WINDOWS\system32\wmdrmdev.dll
2006-10-18 21:47 414208 --a
C:\WINDOWS\system32\msscp.dll
2006-10-18 21:47 4096 --a
C:\WINDOWS\system32\wmvdmoe2.dll
2006-10-18 21:47 4096 --a
C:\WINDOWS\system32\wmvdmod.dll
2006-10-18 21:47 4096 --a
C:\WINDOWS\system32\wmsdmoe2.dll
2006-10-18 21:47 4096 --a
C:\WINDOWS\system32\wmsdmod.dll
2006-10-18 21:47 4096 --a
C:\WINDOWS\system32\mpg4dmod.dll
2006-10-18 21:47 4096 --a
C:\WINDOWS\system32\mp4sdmod.dll
2006-10-18 21:47 4096 --a
C:\WINDOWS\system32\mp43dmod.dll
2006-10-18 21:47 4096
C:\WINDOWS\system32\wmvadve.dll
2006-10-18 21:47 4096
C:\WINDOWS\system32\wmvadvd.dll
2006-10-18 21:47 4096
C:\WINDOWS\system32\wdfapi.dll
2006-10-18 21:47 38400
C:\WINDOWS\system32\wpdshextres.dll
2006-10-18 21:47 37376 --a
C:\WINDOWS\system32\wmdmps.dll
2006-10-18 21:47 35840
C:\WINDOWS\system32\wpdconns.dll
2006-10-18 21:47 356352
C:\WINDOWS\system32\wpdsp.dll
2006-10-18 21:47 348672
C:\WINDOWS\system32\wmdrmnet.dll
2006-10-18 21:47 33792 --a
C:\WINDOWS\system32\wmdmlog.dll
2006-10-18 21:47 321536 --a
C:\WINDOWS\system32\mswmdm.dll
2006-10-18 21:47 317440
C:\WINDOWS\system32\mp4sdecd.dll
2006-10-18 21:47 314880 --a
C:\WINDOWS\system32\wmpdxm.dll
2006-10-18 21:47 295936
C:\WINDOWS\system32\wmpeffects.dll
2006-10-18 21:47 284160
C:\WINDOWS\system32\portabledeviceapi.dll
2006-10-18 21:47 276992
C:\WINDOWS\system32\audiodev.dll
2006-10-18 21:47 27136 --a
C:\WINDOWS\system32\mspmsnsv.dll
2006-10-18 21:47 2603008
C:\WINDOWS\system32\wpdshext.dll
2006-10-18 21:47 259072
C:\WINDOWS\system32\mpg4decd.dll
2006-10-18 21:47 259072
C:\WINDOWS\system32\mp43decd.dll
2006-10-18 21:47 2450944 --a
C:\WINDOWS\system32\wmvcore.dll
2006-10-18 21:47 242688 --a
C:\WINDOWS\system32\wmpasf.dll
2006-10-18 21:47 229376 --a
C:\WINDOWS\system32\cewmdm.dll
2006-10-18 21:47 227328 --a
C:\WINDOWS\system32\wmerror.dll
2006-10-18 21:47 222208 --a
C:\WINDOWS\system32\wmasf.dll
2006-10-18 21:47 212992
C:\WINDOWS\system32\mfplat.dll
2006-10-18 21:47 211456 --a
C:\WINDOWS\system32\qasf.dll
2006-10-18 21:47 204288
C:\WINDOWS\system32\wmpsrcwp.dll
2006-10-18 21:47 199168
C:\WINDOWS\system32\portabledevicewmdrm.dll
2006-10-18 21:47 179712 --a
C:\WINDOWS\system32\msnetobj.dll
2006-10-18 21:47 175616 --a
C:\WINDOWS\system32\mspmsp.dll
2006-10-18 21:47 166912
C:\WINDOWS\system32\portabledevicetypes.dll
2006-10-18 21:47 1661440
C:\WINDOWS\system32\wmpencen.dll
2006-10-18 21:47 1574912
C:\WINDOWS\system32\wmvencod.dll
2006-10-18 21:47 157184 --a
C:\WINDOWS\system32\wmidx.dll
2006-10-18 21:47 154624
C:\WINDOWS\system32\wpdmtp.dll
2006-10-18 21:47 1543680
C:\WINDOWS\system32\wmvdecod.dll
2006-10-18 21:47 1382912
C:\WINDOWS\system32\wmvsdecd.dll
2006-10-18 21:47 133632
C:\WINDOWS\system32\wpdshserviceobj.dll
2006-10-18 21:47 1329152 --a
C:\WINDOWS\system32\wmspdmoe.dll
2006-10-18 21:47 132096
C:\WINDOWS\system32\portabledevicewiacompat.dll
2006-10-18 21:47 130048
C:\WINDOWS\system32\wmpps.dll
2006-10-18 21:47 11264 --a
C:\WINDOWS\system32\laprxy.dll
2006-10-18 21:47 1117696 --a
C:\WINDOWS\system32\wmadmoe.dll
2006-10-18 21:47 101888
C:\WINDOWS\system32\portabledeviceclassextension.dll
2006-10-18 20:03 100864 --a
C:\WINDOWS\system32\logagent.exe
2006-10-18 20:00 249856
C:\WINDOWS\system32\drmupgds.exe
2006-10-18 20:00 17408
C:\WINDOWS\system32\wpdshextautoplay.exe
2006-10-13 04:35 65536 --a
C:\WINDOWS\system32\nwwks.dll
2006-10-13 04:35 64000 --a
C:\WINDOWS\system32\nwapi32.dll
2006-10-13 04:35 142336 --a
C:\WINDOWS\system32\nwprovau.dll
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ATIModeChange"="Ati2mdxx.exe"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"PCTVOICE"="pctspk.exe"
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"ShStatEXE"="\"C:\\Program Files\\Network Associates\\VirusScan\\SHSTAT.EXE\" /STANDALONE"
"Network Associates Error Reporting Service"="\"C:\\Program Files\\Common Files\\Network Associates\\TalkBack\\TBMon.exe\""
"McAfeeUpdaterUI"="\"C:\\Program Files\\Network Associates\\Common Framework\\UpdaterUI.exe\" /StartedFromRunKey"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Desktop Manager.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Desktop Manager.lnk"
"backup"="C:\\WINDOWS\\pss\\Desktop Manager.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\RESEAR~1\\BLACKB~1\\DESKTO~1.EXE "
"item"="Desktop Manager"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="avgas"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BDAgent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="bdagent"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Softwin\\BitDefender10\\bdagent.exe\""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BDMCon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="bdmcon"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Softwin\\BitDefender10\\bdmcon.exe\" /reg"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DVDLauncher"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\CyberLink\\PowerDVD\\DVDLauncher.exe\""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MsnMsgr"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrevxOne]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PXConsole"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Prevx1\\PXConsole.exe\""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DrgToDsc"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Roxio\\Easy CD Creator 6\\DragToDisc\\DrgToDsc.exe\""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioEngineUtility]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="EngUtil"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Roxio Shared\\System\\EngUtil.exe\""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Skype"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Java\\jre1.6.0\\bin\\jusched.exe\""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunServer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="sunserver"
"hkey"="HKLM"
"command"="C:\\Program Files\\Sunbelt Software\\CounterSpy\\Consumer\\sunserver.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Toggler]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="toggler"
"hkey"="HKCU"
"command"="C:\\Program Files\\Toggler\\toggler.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AdobeUpdateManager"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe\" AcRdB7_0_8"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dumprep 0 -u"
"hkey"="HKLM"
"command"="%systemroot%\\system32\\dumprep 0 -u"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="WMPNSCFG"
"hkey"="HKCU"
"command"="C:\\Program Files\\Windows Media Player\\WMPNSCFG.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsMenu"=hex:01,00,00,00
"NoRecentDocsHistory"=hex:01,00,00,00
"NoSMMyDocs"=hex:01,00,00,00
"NoSMMyPictures"=hex:01,00,00,00
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0
*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_ENTDRV51
Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\FRU Task #Hewlett-Packard#hp psc 2200 series#1163831275.job
Completion time: 07-01-13 23:44:45
C:\ComboFix2.txt ... 07-01-12 17:12
===================
HIJACKTHIS LOG
Logfile of HijackThis v1.99.1
Scan saved at 11:52:21 PM, on 1/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HJT\Analyse.exe
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resource/download/scanner/wlscbase8460.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1156438812346
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} (Seagate SeaTools English Online) - http://www.seagate.com/support/disc/asp/tools/en/bin/npseatools.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30155.www3.hp.com/ediags/hpfix/aio/en/check/qdiagh.cab?326
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Machine Debug Manager (MDM) - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
We're going to remove leftovers of Prevx1 and Counterspy from the Registry.
1. Backup Your Registry with ERUNT
http://aumha.org/freeware/freeware.php
Use the setup program to install ERUNT on your computer
Unzip all the files into a folder of your choice.
Click Erunt.exe to backup your registry to the folder of your choice.
Note: to restore your registry, go to the folder and start ERDNT.exe
2. Open Notepad!
Copy and Paste everything from the Quote box into Notepad:
Go to File > Save As
Save File name as Fix.reg
Change Save as Type to All Files and save the file to your desktop.
Close Notepad, and double-click Fix.reg on your Desktop. When it asks if you want to merge the info to the registry, hit YES/OK
Next, find and delete the following Folders in RED
C:\Program Files\Sunbelt Software
C:\Program Files\Prevx1
Reboot the computer and post a new HijackThis log.
Have you removed BitDefender? There are some leftovers in the Registry which we may need to remove.
1) I will be deleting a couple of those strange files we spoke of earlier.
2) Curious - the PandaScan said it found 4 spyware and 2 potentially unwanted tools. Nothing to do about them?
3) Seeing what we have seen, do you think this laptop was compromised in a meaningful way?
4) Do you recommend the Remote Registry service remain disabled as a preventative measure against unwanted intrusions?
5) Under MSCONFIG, there are still two lines that are referring to BitDefender??? They are:
bdagent "C:\program files\softwin\Bitdefender10\bdagent.exe"
bdmcom "C:\program files\softwin\Bitdefender10\bdmcom.exe" /reg
But neither of those two files exists; in fact the "softwin" folder doesn't appear within program files. ??? The only thing that comes up in a search for "bdagent" anywhere on C:\ is:
BDAGENT.EXE-12F3E49A.pf which is located in C:\WINDOWS\prefetch
Can this be cleaned up? Regedit shows under HKCU\SOFTWARE there still is an entry for SOFTWIN with several things inside it. Why do programs leave this crap behind? I found a tool by BitDefender called BDUninstallTool - give that a go?
6) Are there registry cleanup tools that you think are good? What about NTREGOPT?
7) Do you think the Windows built in firewall is sufficient, or do you strongly recommend something like Zone Alarm?
I think I figured out how some malware got in. Within the Network Associates VirusScan tool is an "on access scanner" function which provides realtime protection. Somehow, it was disabled for about a week. I think it was my mistake. Prior to that point, this laptop had nearly never had a virus or serious malware, other than advertising tracking stuff (this stuff seems relatively harmless, no?). But coinciding with this function being disabled it seems the problems began, peaking with the failed installs of BD and the windows update. So now, I have only NA VirusScan and AVG installed, and only NA VirusScan running real time. Does this sound sufficient to you? I am amazed at how many MW and AV tools are out there, and it seems (as shown by VirusTotal) that none of them catch all the viruses. So which couple do you like the best and why?
-max
Logfile of HijackThis v1.99.1
Scan saved at 1:18:32 PM, on 1/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HJT\Analyse.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resource/download/scanner/wlscbase8460.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1156438812346
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} (Seagate SeaTools English Online) - http://www.seagate.com/support/disc/asp/tools/en/bin/npseatools.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30155.www3.hp.com/ediags/hpfix/aio/en/check/qdiagh.cab?326
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Machine Debug Manager (MDM) - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
OK! Just read my last post about each one.
Nothing harmful there. Just cookies and SDFix being flagged. No real cause for concern.
No!
Leave things as they are.
First, you can delete BDAGENT.EXE-12F3E49A.pf in C:\WINDOWS\prefetch.
Secondly, this reg fix will remove BitDefender from MSCONFIG:
Open Notepad!
Copy and Paste everything from the Quote box into Notepad:
Go to File > Save As
Save File name as Fix.reg
Change Save as Type to All Files and save the file to your desktop.
Close Notepad, and double-click Fix.reg on your Desktop. When it asks if you want to merge the info to the registry, hit YES/OK. Reboot the computer and check they have been removed from MSCONFIG.
I don't use Registry cleanup tools and have not used one in years, so I'd be hesitant to recommend one.
Zone Alarm would be better as Windows Firewall only monitors incoming Traffic.
It just goes to show that without real-time protection enabled, anything can slip into the computer. It's good that you have AVG anti-virus (with real-time disabled) as backup. I would advise against installing any more AV's even for backup...it may not be a wise idea.
Your log is clean now. Do you have any further questions or problems?
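For the two MSCONFIG clean-ups in this thread (the Prevx1/CounterSpy leftovers earlier and the stale bdagent/bdmcon lines above), here is an added read-only PowerShell check, not something the helper posted: it walks the `HKLM\...\MSConfig\startupreg` keys that ComboFix listed and flags every entry whose "command" points at a file that no longer exists. It assumes PowerShell is available on the machine being cleaned and that the key layout is the one shown in the ComboFix log (`command`, `item`, `hkey` values under each subkey); run it after the ERUNT backup and before merging any Fix.reg.

```powershell
# Added example, not from the thread: list MSCONFIG "startupreg" entries
# whose target executable is missing (e.g. the leftover bdagent/bdmcon
# lines). Nothing is modified; review the output before removing anything.
$base = 'HKLM:\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg'

function Test-TargetExists {
    # Some entries (dumprep) omit ".exe", so accept either spelling.
    param([string]$Path)
    if ([string]::IsNullOrWhiteSpace($Path)) { return $false }
    if (Test-Path -LiteralPath $Path -PathType Leaf) { return $true }
    return [bool](Test-Path -LiteralPath "$Path.exe" -PathType Leaf)
}

function Get-CommandTarget {
    # Extract the executable path from a "command" value such as
    #   "C:\Program Files\Softwin\BitDefender10\bdmcon.exe" /reg
    #   %systemroot%\system32\dumprep 0 -u
    param([string]$Command)
    if ([string]::IsNullOrWhiteSpace($Command)) { return $null }
    $cmd = [Environment]::ExpandEnvironmentVariables($Command).Trim()
    if ($cmd.StartsWith('"')) {
        # Quoted path: everything up to the closing quote.
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
        return $cmd.Trim('"')
    }
    # Unquoted command: the path may contain spaces, so try the longest
    # prefix first and fall back to the whole string if nothing matches.
    $parts = $cmd -split ' '
    for ($i = $parts.Length; $i -ge 1; $i--) {
        $candidate = $parts[0..($i - 1)] -join ' '
        if (Test-TargetExists $candidate) { return $candidate }
    }
    return $cmd
}

Get-ChildItem -Path $base -ErrorAction Stop | ForEach-Object {
    $props  = Get-ItemProperty -Path $_.PSPath
    $target = Get-CommandTarget $props.command
    [PSCustomObject]@{
        Entry   = $_.PSChildName           # e.g. BDAgent, BDMCon, PrevxOne
        Hive    = $props.hkey              # HKLM or HKCU
        Item    = $props.item
        Target  = $target
        Missing = -not (Test-TargetExists $target)
    }
} | Sort-Object -Property Missing -Descending | Format-Table -AutoSize
```

Entries reported as Missing are the candidates for the Fix.reg described above; an entry whose target still exists (SynTP, iTunesHelper and the like) is a disabled startup item, not a leftover, and should be left alone.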
I did have a couple questions about some mysterious files located in C:\
They have the same recent date/time stamp which makes me think they are related, but I don't remember them being there before all this started. And I just want to clean things up, if possible. They are...
tjtuaxbf.bat
reboot.bat
reboot.exe
There isn't anything meaningful in the properties box, so I don't have much to go on, except a hunch they might be from some malware tool we used. ???
Also in C:\ is a file named "-453555759" that has no extension and is 0 bytes. It is dated a few days before I think my laptop actually might have become infected.
And the final question is...!!! what is Avenger.exe? It seems to come with Rustbfix but I'm not sure. Can I delete it?
-max
tjtuaxbf.bat
reboot.bat
reboot.exe
-453555759 <-- not sure what this is, but looks to be unneeded.
Avenger is a very powerful tool. You can safely delete it.
How is the computer?
PS - I have a desktop PC with a windows XP boot up problem (something about system registry files missing or corrupt). I was thinking about trying to tackle that one as well - do you suggest posting that on the Windows forum? -max
Let me know what the error says. You might want to post a HijackThis log from that computer.
Can you suggest a good boot sector virus tool that can boot from a floppy or CD?
Do you know if it can facilitate loading a 3rd party Controller driver so my drive can be seen?
-max
I believe you found this Microsoft Article: Here
According to the article, a boot-sector virus is one of four possibilities for the error.
We can run some tools, but we won't need any floppies or CDs. Can you post a HijackThis log from this computer?
I don't think so. You may not even have a boot-sector virus.
Not sure how to do the HJT log since it won't boot into windows. Is there a way to run HJT from a DOS boot?