Incredibly vexing problem! Help, pppppplease?

Llarion, St. Petersburg FL
edited February 2007 in Spyware & Virus Removal
Good evening!

I've been beating on this problem since 11AM, and I must finally admit to vexation...

Here's the deal...

PROBLEM: Wife's computer stopped connecting to the internet. This happened after she downloaded an embroidery pattern and tried to look at it.

<Back story, her PC is running Windows Firewall, and we're behind a SonicWALL TZ-150, with its McAfee-driven gateway level and client level antivirus, antiSpam, intrusion prevention, etc.>

When I looked at her system, something had not only disabled McAfee, but had shut down Windows Firewall. The firewall service restarted with no problem, but McAfee was DOA, the applet would not load to try to restart, and the services claimed to be running in MMC.

Here's what I've tried to date:
- Ran CCleaner to flush all the tempfiles, cookies, and ActiveX weirdness, this is done daily anyway.

- Ran HJT, nothing unusual present. Took no action.

- Ran AdAware with newest datafiles; found nothing exciting (tracking cookies), cleaned successfully

- Ran Spybot 1.4 with latest datafiles, found 3 or 4 things, nothing exciting, cleaned successfully.

- Uninstalled McAfee, installed AVG Free and newest datafile. It found nothing.

- Uninstalled AVG, installed Kaspersky trial and newest datafile. It found one minor thing in an email archive, an old worm, nothing serious, and it was just in an archived email attachment, it was not active.

- Uninstalled Kaspersky, installed BitDefender10 trial and newest datafile. It found 5 things, all attributable to an old install of Morpheus, but it successfully quarantined the files, and my research indicated they were actually Morpheus search engine stuff that BD flags as virus-like activity.

- Tried to reboot in Safe Mode, system hung for a second on mup.sys, bluescreened for a very fast second, and auto-rebooted.

- Rebooted normally, system came up. Still no connection.

HARDWARE TROUBLESHOOTING:
- NIC will not pull DHCP from router. If I force an IP address that is in the router's range, it takes it, but will still not connect to anything. Will not ping the gateway, any LAN or WAN addresses. Tried R&R of driver, tried R&R of TCP/IP, tried command line flush/reset of TCP stack and Winsock. No good.
- Installed other NIC to eliminate onboard NIC as problem, same result, no DHCP, takes static IP but ignores the network.

- Found this forum, read up and stuff, and went into msconfig for the easier Safe Mode flag than hitting F8, but then system went into loop reboot/hang on mup.sys/bluescreen/reboot.

- Cursed Symantec's website for that idea.

- Did non-destructive reload of OS from HP system partition

- System still will not see the network.

- Currently running a rootkit revealer, no hits so far, but I wouldn't know what to do with one if I found it.

- Ran HJT again off the fresh factory load, here is the dump: (Note that the Symantec references are the 60-day timebomb of Norton Internet Security that comes with the machine, it's not yet activated, and had been uninstalled on the previous load.)

Logfile of HijackThis v1.99.1
Scan saved at 6:22:33 PM, on 2/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\eHome\ehmsas.exe
c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\dllhost.exe
c:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
c:\windows\system\hpsysdrv.exe
C:\Program Files\DISC\DISCover.exe
C:\Program Files\DISC\DiscUpdMgr.exe
C:\Program Files\DISC\DiscStreamHub.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Data\rootkit\RootkitRevealer.exe
C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\NSNRJST.exe
C:\WINDOWS\hh.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Data\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: hpWebHelper Class - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DMAScheduler] "c:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IS CfgWiz] c:\Program Files\Norton Internet Security\cfgwiz.exe /GUID {F073BDC9-0D67-4ff0-879E-27241C843828} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [SSC_UserPrompt] "c:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.trymedia.com (HKLM)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NSNRJST - Sysinternals - www.sysinternals.com - C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\NSNRJST.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


While I was typing this, the rootkit revealer finished. Here is its dump:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesProcessed 2/10/2007 5:54 PM 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesSuccessful 2/10/2007 5:54 PM 4 bytes Data mismatch between Windows API and raw hive data.
C:\Documents and Settings\HP_Administrator\Application Data\Lavasoft 2/10/2007 6:16 PM 0 bytes Hidden from Windows API.
C:\Documents and Settings\HP_Administrator\Application Data\Lavasoft\Ad-Aware 2/10/2007 6:16 PM 0 bytes Hidden from Windows API.
C:\Documents and Settings\HP_Administrator\Application Data\Lavasoft\Ad-Aware\description.ini 2/10/2007 6:16 PM 131.27 KB Hidden from Windows API.
C:\Documents and Settings\HP_Administrator\Application Data\Lavasoft\Ad-Aware\Logs 2/10/2007 6:22 PM 0 bytes Hidden from Windows API.
C:\Documents and Settings\HP_Administrator\Application Data\Lavasoft\Ad-Aware\Logs\Ad-Aware log2007-02-10 18-22-45.txt 2/10/2007 6:22 PM 29.36 KB Hidden from Windows API.
C:\Documents and Settings\HP_Administrator\Application Data\Lavasoft\Ad-Aware\settings.awc 2/10/2007 6:16 PM 1009 bytes Hidden from Windows API.
C:\Documents and Settings\HP_Administrator\Application Data\Microsoft\HTML Help 2/10/2007 5:56 PM 0 bytes Hidden from Windows API.
C:\Documents and Settings\HP_Administrator\Application Data\Microsoft\HTML Help\hh.dat 2/10/2007 5:56 PM 8.39 KB Hidden from Windows API.
C:\Documents and Settings\HP_Administrator\Local Settings\Temp\AAWTMP 2/10/2007 6:22 PM 0 bytes Hidden from Windows API.
C:\Documents and Settings\HP_Administrator\Local Settings\Temp\GLC1.tmp 2/10/2007 5:54 PM 161.00 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\HP_Administrator\Local Settings\Temp\GLF16.tmp 5/12/2005 4:23 PM 6.12 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\HP_Administrator\Local Settings\Temp\GLF5.tmp 9/28/2001 4:00 PM 10.50 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\HP_Administrator\Local Settings\Temp\GLG4.tmp 2/10/2007 5:54 PM 124 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\HP_Administrator\Local Settings\Temp\GLK2.tmp 2/10/2007 5:54 PM 33.50 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\HP_Administrator\Local Settings\Temp\Temporary Directory 1 for AdAware020807defs.zip 2/10/2007 6:16 PM 0 bytes Hidden from Windows API.
C:\Documents and Settings\HP_Administrator\Local Settings\Temp\Temporary Directory 1 for AdAware020807defs.zip\defs.ref 2/10/2007 6:16 PM 968.22 KB Hidden from Windows API.
C:\Documents and Settings\HP_Administrator\Local Settings\Temp\Temporary Directory 1 for RootkitRevealer.zip 2/10/2007 5:54 PM 0 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\HP_Administrator\Local Settings\Temp\Temporary Directory 1 for RootkitRevealer.zip\README.TXT 2/22/2005 3:15 PM 825 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\HP_Administrator\Local Settings\Temp\Temporary Directory 2 for RootkitRevealer.zip 2/10/2007 5:54 PM 0 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\HP_Administrator\Local Settings\Temp\~DF6D77.tmp 2/10/2007 5:56 PM 16.00 KB Hidden from Windows API.
C:\Documents and Settings\HP_Administrator\Local Settings\Temp\~DF6D84.tmp 2/10/2007 5:56 PM 512 bytes Hidden from Windows API.
C:\Documents and Settings\HP_Administrator\Local Settings\Temp\~DFA075.tmp 2/10/2007 6:22 PM 16.00 KB Hidden from Windows API.
C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\OJYH0X8D 2/10/2007 5:56 PM 0 bytes Hidden from Windows API.
C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\OJYH0X8D\CAW96BMZ.HTM 2/10/2007 5:56 PM 1.12 KB Hidden from Windows API.
C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\OJYH0X8D\desktop.ini 2/10/2007 5:56 PM 67 bytes Hidden from Windows API.
C:\Documents and Settings\HP_Administrator\Recent\RootkitRevealer.chm.lnk 2/10/2007 5:56 PM 636 bytes Hidden from Windows API.
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20060425.007\vscanmsx.dat 2/10/2007 6:24 PM 2.02 KB Hidden from Windows API.
C:\Program Files\Lavasoft\Ad-Aware SE Personal\~GLH0004.TMP 5/27/2005 1:22 PM 805.50 KB Visible in Windows API, but not in MFT or directory index.
C:\Program Files\Norton Internet Security\Norton AntiVirus\Savrt\0468NAV~.TMP 2/10/2007 6:14 PM 0 bytes Hidden from Windows API.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP0\A0001331.ini 2/10/2007 7:31 PM 2.67 KB Hidden from Windows API.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP0\A0001332.INI 2/10/2007 7:31 PM 431.28 KB Hidden from Windows API.
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb 2/10/2007 5:54 PM 64.00 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\system32\wbem\Performance\WmiApRpl_new.ini 2/10/2007 5:57 PM 924 bytes Visible in Windows API, but not in MFT or directory index.
D: 0 bytes Error mounting volume


I'm hoping someone will have more wisdom than I on this, my next step is DVD backup and a hard repartition/reformat, which I'd really like to avoid if at all possible. I don't even know if that would work, since the non-destructive one didn't.

Thanks very much in advance!

Cheers,
Phil
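As an added example (not code from the thread, from Phil, or from Sysinternals), here is a small triage script for RootkitRevealer reports like the one posted above. It parses each discrepancy line, classifies it by the description RootkitRevealer prints, and sets aside entries under locations the scanners and the OS were writing to while the run was in progress, so that what is left is the short list worth a manual look. The marker list and the priority order are assumptions for illustration, not a RootkitRevealer feature; the sample is a constructed excerpt in the shape of the report above.

```python
"""Triage a Sysinternals RootkitRevealer text report (added example)."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Normal report line: <path> <m/d/yyyy> <h:mm AM|PM> <size> <description>
# Paths contain spaces, so the date field is what anchors the match.
ENTRY_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<date>\d{1,2}/\d{1,2}/\d{4})\s+(?P<time>\d{1,2}:\d{2} [AP]M)"
    r"\s+(?P<size>[\d.,]+ (?:bytes|KB|MB|GB))\s+(?P<desc>.+?)\.?$"
)
# Volume-level line with no timestamp, e.g. "D: 0 bytes Error mounting volume"
VOLUME_RE = re.compile(r"^(?P<path>[A-Za-z]:)\s+(?P<size>\d+ bytes)\s+(?P<desc>.+?)\.?$")

# Description prefix -> category. "Hidden from Windows API" on a path that no
# running tool accounts for is the classic rootkit signature; "not in MFT" is
# usually a file created or deleted between the API pass and the raw pass.
CATEGORIES = (
    ("Hidden from Windows API", "HIDDEN_FROM_API"),
    ("Visible in Windows API, but not in MFT", "NOT_IN_MFT"),
    ("Data mismatch between Windows API and raw hive data", "REG_MISMATCH"),
    ("Error mounting volume", "VOLUME_ERROR"),
)

# Assumed benign-noise locations (illustrative): scanner working directories
# that were live during the run, plus OS areas that change between passes.
TRANSIENT_MARKERS = (
    "\\local settings\\temp\\", "\\temporary internet files\\", "\\lavasoft\\",
    "\\symantec shared\\virusdefs\\", "\\norton antivirus\\savrt\\",
    "\\system volume information\\", "\\softwaredistribution\\",
    "\\wbem\\performance\\", "\\prefetcher\\", "\\html help\\", "\\recent\\",
)

# Review order: hidden objects first, MFT timing races last.
PRIORITY = {"HIDDEN_FROM_API": 0, "REG_MISMATCH": 1, "UNKNOWN": 2, "VOLUME_ERROR": 3, "NOT_IN_MFT": 4}


@dataclass
class Finding:
    path: str
    timestamp: str      # empty for volume-level lines
    size: str
    description: str
    category: str
    transient: bool     # True when the path sits under an assumed-noise location


def classify(description: str) -> str:
    for prefix, category in CATEGORIES:
        if description.startswith(prefix):
            return category
    return "UNKNOWN"


def is_transient(path: str) -> bool:
    probe = path.lower().rstrip("\\") + "\\"   # so directories match too
    return any(marker in probe for marker in TRANSIENT_MARKERS)


def parse_line(line: str) -> Optional[Finding]:
    line = line.strip()
    m = ENTRY_RE.match(line)
    timestamp = f"{m['date']} {m['time']}" if m else ""
    if m is None:
        m = VOLUME_RE.match(line)
        if m is None:
            return None
    path, desc = m["path"], m["desc"]
    return Finding(path, timestamp, m["size"], desc, classify(desc), is_transient(path))


def triage(report: str) -> dict:
    findings = [f for f in map(parse_line, report.splitlines()) if f is not None]
    review = sorted((f for f in findings if not f.transient),
                    key=lambda f: PRIORITY.get(f.category, 9))
    return {"findings": findings,
            "counts": dict(Counter(f.category for f in findings)),
            "review": review}


# Constructed sample: a few lines in the shape of the thread's report.
SAMPLE_REPORT = r"""
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesProcessed 2/10/2007 5:54 PM 4 bytes Data mismatch between Windows API and raw hive data.
C:\Documents and Settings\HP_Administrator\Application Data\Lavasoft\Ad-Aware\description.ini 2/10/2007 6:16 PM 131.27 KB Hidden from Windows API.
C:\Documents and Settings\HP_Administrator\Local Settings\Temp\GLC1.tmp 2/10/2007 5:54 PM 161.00 KB Visible in Windows API, but not in MFT or directory index.
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20060425.007\vscanmsx.dat 2/10/2007 6:24 PM 2.02 KB Hidden from Windows API.
C:\WINDOWS\system32\wbem\Performance\WmiApRpl_new.ini 2/10/2007 5:57 PM 924 bytes Visible in Windows API, but not in MFT or directory index.
D: 0 bytes Error mounting volume
"""

if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    print("counts:", result["counts"])
    for f in result["review"]:
        print(f"REVIEW [{f.category}] {f.path} ({f.size}) {f.description}")
    for f in result["findings"]:
        if f.transient:
            print(f"noise  [{f.category}] {f.path}")
```

Run against the sample, the only entry left for review is the volume-level `D:` error, which is the kind of line that needs a human to check what drive D: actually is; an "Error mounting volume" by itself says nothing about hiding. Anything reported as hidden from the Windows API under a path no tool on the box explains would sort to the top of the review list.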

Comments

  • Trogan, London, UK
    edited February 2007
    Hi Phil

    The RootkitRevealer log looks fine to me. I'm not sure how much of a malware issue this is since you've done a lot of good work yourself in trying to eliminate the problem. However, let's run a scan or two to see what they reveal.

    Please do the following...

    1. You may wish to Print or Save the following instructions, as the internet will not be available once in Safe Mode!

    Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
    http://www.ewido.net/en/download/
    • Install AVG Anti-Spyware by double clicking the installer.
    • Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
    • On the main screen under Your Computer's security.
      • Click on Change state next to Resident shield. It should now change to inactive.
      • Click on Change state next to Automatic updates. It should now change to inactive.
      • Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
      • Wait until you see the Update successful message.
    • Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
    • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
    If you are having problems with the updater, you can use this link to manually update ewido.
    AVG Anti-Spyware manual updates.
    Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.

    Reboot your computer in Safe Mode. (if you can boot in Safe Mode, please do. Otherwise, if you still have the looping problem then run the scan in Normal Mode)
    • If the computer is running, shut down Windows, and then turn off the power.
    • Wait 30 seconds, and then turn the computer on.
    • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
    • Ensure that the Safe Mode option is selected.
    • Press Enter. The computer then begins to start in Safe mode.
    • Login on your usual account.
    Once in Safe Mode:

    Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
    • Click on Scanner on the toolbar.
    • Click on the Settings tab.
      • Under How to act?
        • Click on Recommended Action and choose Quarantine from the popup menu.
      • Under How to scan?
        • All checkboxes should be ticked.
      • Under Possibly unwanted software:
        • All checkboxes should be ticked.
      • Under Reports:
        • Select Automatically generate report after every scan and uncheck Only if threats were found.
      • Under What to scan?
        • Select Scan every file.
    • Click on the Scan tab.
    • Click on Complete System Scan to start the scan process.
    • Let the program scan the machine.
    • When the scan has finished, follow the instructions below.
      IMPORTANT : Don't click on the "Save Scan Report" button before you have hit the "Apply all Actions" button.
      • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
      • At the bottom of the window click on the Apply all Actions button. (3)
    • When done, click the Save Scan Report button. (4)
      • Click the Save Report as button.
      • Save the report to your Desktop.
    • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
    • Reboot back into Normal Mode.

    2. Download this file to your Desktop - combofix.exe
    Double click combofix.exe & follow the prompts.
    When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall

    3. Please post the AVG anti-spyware log, along with the ComboFix log.
  • Llarion, St. Petersburg FL
    edited February 2007
    I just got the ewido; but the combofix link bombs; got a mirror? Also, since the machine would not boot into Safe Mode before; I'm dubious that it will now; are you certain I can run these on a normal boot?
  • Trogan, London, UK
    edited February 2007
    Llarion wrote:
    I just got the ewido; but the combofix link bombs; got a mirror? Also, since the machine would not boot into Safe Mode before; I'm dubious that it will now; are you certain I can run these on a normal boot?
    Just for clarification, ewido is now known as AVG anti-spyware. Ewido was the former name, but the link is still Ewido for some reason.

    What do you mean by "but the combofix link bombs"? The link works for me fine.

    Yes, the scans can be run from Normal Mode.
  • Llarion, St. Petersburg FL
    edited February 2007
    When I hit that link to download the file, it throws a 404 error...

    AVG is running now, I've been looking about to find another place that is hosting that file, to no avail. If it's small, can you email it to me?
  • Trogan, London, UK
    edited February 2007
    I've emailed ComboFix. It's attached as a .ZIP file.

    It's almost 3am and I need to get to bed. I'll check this thread soon.
  • Llarion, St. Petersburg FL
    edited February 2007
    Thanks, I'll be watching for it. Sleep well!!
  • Llarion, St. Petersburg FL
    edited February 2007
    Well, I figured out why I couldn't hit that file; my gateway AV was blocking it and not telling me, I had to disable the AV to let it through. It's running now, I'll post it when it's done. Email never got here; probably for the same reason... It was clamping what it called a "UPX Packed Executable"...
  • Llarion, St. Petersburg FL
    edited February 2007
    OK, here is the AVG report:
    AVG Anti-Spyware - Scan Report

    + Created at: 11:20:51 PM 2/10/2007

    + Scan result:



    C:\WINDOWS\Downloaded Program Files\popcaploader.dll -> Not-A-Virus.Downloader.Win32.PopCap.b : Ignored.


    ::Report end


    ============

    And the Combofix report:

    "HP_Administrator" - 07-02-10 23:27:19 Service Pack 2
    ComboFix 07-02-11 - Running from: "C:\Documents and Settings\HP_Administrator\Desktop"

    ((((((((((((((((((((((((((((((( Files Created from 2007-01-10 to 2007-02-10 ))))))))))))))))))))))))))))))))))


    2007-02-10 21:29 3,968 --a C:\WINDOWS\system32\drivers\AvgAsCln.sys
    2007-02-10 19:38 <DIR> d C:\DOCUME~1\HP_ADM~1\Application Data\Ahead
    2007-02-10 19:33 786,432 --ah C:\DOCUME~1\BONNIE~1.A16\NTUSER.DAT
    2007-02-10 19:33 <DIR> d C:\WINDOWS\LastGood.Tmp
    2007-02-10 19:33 <DIR> d C:\DOCUME~1\BONNIE~1.A16\WINDOWS
    2007-02-10 19:33 <DIR> d C:\DOCUME~1\BONNIE~1.A16\Application Data\Symantec
    2007-02-10 19:33 <DIR> d C:\DOCUME~1\BONNIE~1.A16\Application Data\Real
    2007-02-10 19:33 <DIR> d C:\DOCUME~1\BONNIE~1.A16\Application Data\Intuit
    2007-02-10 19:30 <DIR> dr-hs---- C:\cmdcons
    2007-02-10 19:26 1,310,720 --ah C:\DOCUME~1\HP_ADM~1\NTUSER.DAT
    2007-02-10 19:26 <DIR> d C:\DOCUME~1\HP_ADM~1\WINDOWS
    2007-02-10 19:26 <DIR> d C:\DOCUME~1\HP_ADM~1\Application Data\Symantec
    2007-02-10 19:26 <DIR> d C:\DOCUME~1\HP_ADM~1\Application Data\Real
    2007-02-10 19:26 <DIR> d C:\DOCUME~1\HP_ADM~1\Application Data\Intuit
    2007-02-10 19:23 <DIR> d C:\DOCUME~1\DEFAUL~1\Application Data\Symantec
    2007-02-10 19:14 9,600 --a C:\WINDOWS\system32\drivers\hidusb.sys
    2007-02-10 19:14 53,760 --a C:\WINDOWS\system32\vfwwdm32.dll
    2007-02-10 19:14 48,000 --a C:\WINDOWS\system32\drivers\OVCam2.sys
    2007-02-10 19:14 44,544 --a C:\WINDOWS\system32\OVUI2.dll
    2007-02-10 19:14 41,984 --a C:\WINDOWS\system32\OVUI2RC.dll
    2007-02-10 19:14 39,424 --a C:\WINDOWS\system32\OVComS.exe
    2007-02-10 19:14 351,616 --a C:\WINDOWS\system32\drivers\OVCodek2.sys
    2007-02-10 19:14 31,872 --a C:\WINDOWS\system32\drivers\OVCE.sys
    2007-02-10 19:14 31,616 --a C:\WINDOWS\system32\drivers\usbccgp.sys
    2007-02-10 19:14 25,216 --a C:\WINDOWS\system32\drivers\OVSound2.sys
    2007-02-10 19:14 21,504 --a C:\WINDOWS\system32\hidserv.dll
    2007-02-10 19:14 20,480 --a C:\WINDOWS\system32\OVComC.dll
    2007-02-10 19:14 14,848 --a C:\WINDOWS\system32\drivers\kbdhid.sys
    2007-02-10 19:14 12,160 --a C:\WINDOWS\system32\drivers\mouhid.sys
    2007-02-10 19:14 116,736 --a C:\WINDOWS\system32\OVCodec2.dll
    2007-02-10 19:13 128,000 --a C:\WINDOWS\system32\drivers\n100325.sys
    2007-02-10 18:39 <DIR> dr-hs---- C:\WINDOWS\system32\dllcache
    2007-02-10 18:16 <DIR> d C:\DOCUME~1\HP_ADM~1\Application Data\Lavasoft
    2007-02-10 15:49 <DIR> d C:\CPQSYSTEM
    2007-02-10 14:55 <DIR> d C:\DOCUME~1\Bonnie\Application Data\Bitdefender
    2007-02-10 14:54 <DIR> d C:\DOCUME~1\ALLUSE~1\Application Data\BitDefender
    2007-02-10 14:01 <DIR> d C:\Program Files\Grisoft
    2007-02-10 13:36 <DIR> d C:\WINDOWS\pss
    2007-02-10 11:48 <DIR> d C:\DOCUME~1\ALLUSE~1\Application Data\Spybot - Search & Destroy
    2007-02-10 11:41 <DIR> d C:\DOCUME~1\Bonnie\Application Data\Lavasoft
    2007-02-10 11:40 <DIR> d C:\Program Files\Lavasoft
    2007-02-10 11:23 <DIR> d C:\Program Files\Kaspersky Lab
    2007-02-10 11:23 <DIR> d C:\kav
    2007-02-09 20:13 186 --a C:\WINDOWS\myClean.bat
    2007-02-09 11:25 <DIR> d C:\WINDOWS\BDOSCAN8
    2007-02-08 22:40 <DIR> d C:\Program Files\Embreoidery_Effect
    2007-02-08 22:39 <DIR> d C:\Program Files\DRAWings(R) Embroidery Effect Setup Files
    2007-02-08 21:13 <DIR> d C:\DOCUME~1\ALLUSE~1\Application Data\QuickTime
    2007-02-08 21:03 <DIR> d C:\DOCUME~1\Bonnie\Application Data\Ahead
    2007-02-08 21:01 <DIR> d C:\Program Files\Nero
    2007-02-08 21:01 <DIR> d C:\Program Files\Common Files\Ahead
    2007-02-08 20:38 <DIR> d C:\DOCUME~1\Bonnie\Application Data\Corel
    2007-02-08 20:25 <DIR> d C:\Program Files\DRAWings
    2007-02-08 20:14 <DIR> d C:\Program Files\Corel
    2007-02-08 20:14 <DIR> d C:\Program Files\Common Files\Corel
    2007-02-07 23:41 <DIR> d--h C:\DOCUME~1\Bonnie\Application Data\hidires
    2007-02-07 23:40 <DIR> d C:\WINDOWS\exefld
    2007-02-07 23:10 <DIR> d C:\Program Files\eDonkey
    2007-02-07 23:05 <DIR> d C:\Program Files\Morpheus Software
    2007-02-05 18:44 <DIR> d C:\DOCUME~1\Bonnie\workspace
    2007-01-13 14:43 <DIR> d C:\Program Files\Google
    2007-01-13 14:38 <DIR> d C:\Program Files\Windows Media Connect 2
    2007-01-12 22:34 <DIR> d C:\Program Files\GalleryPlayer
    2007-01-12 22:33 <DIR> d C:\WINDOWS\Downloaded Installations
    2007-01-10 23:15 <DIR> d C:\Program Files\PopCap Games


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2007-02-10 19:33 d C:\Program Files\pc-doctor 5 for windows
    2007-02-10 19:25 d---s---- C:\DOCUME~1\HP_ADM~1\Application Data\microsoft
    2007-02-10 18:52 d C:\Program Files\Common Files\symantec shared
    2007-02-08 20:22 d C:\Program Files\mozilla firefox
    2007-02-04 12:16 30 --a C:\WINDOWS\popcinfo.dat
    2007-01-13 14:43 d C:\Program Files\picasa2
    2006-11-03 16:15 774144 --a C:\Program Files\rnginterstitial.dll


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries & legit default entries are not shown

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="\"C:\\Program Files\\Common Files\\Ahead\\Lib\\NMBgMonitor.exe\""

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "ehTray"="C:\\WINDOWS\\ehome\\ehtray.exe"
    "ftutil2"="rundll32.exe ftutil2.dll,SetWriteCacheMode"
    "RTHDCPL"="RTHDCPL.EXE"
    "AlwaysReady Power Message APP"="ARPWRMSG.EXE"
    "NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
    "nwiz"="nwiz.exe /install"
    "DMAScheduler"="\"c:\\Program Files\\HP DigitalMedia Archive\\DMAScheduler.exe\""
    "Recguard"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE"
    @=""
    "PCDrProfiler"=""
    "ccApp"="\"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
    "IS CfgWiz"="c:\\Program Files\\Norton Internet Security\\cfgwiz.exe /GUID {F073BDC9-0D67-4ff0-879E-27241C843828} /MODE CfgWiz /CMDLINE \"REBOOT\""
    "SSC_UserPrompt"="\"c:\\Program Files\\Common Files\\Symantec Shared\\Security Center\\UsrPrmpt.exe\""
    "HPBootOp"="\"C:\\Program Files\\Hewlett-Packard\\HP Boot Optimizer\\HPBootOp.exe\" /run"
    "Reminder"="\"C:\\Windows\\Creator\\Remind_XP.exe\""
    "HP Software Update"=hex(2):43,3a,5c,50,72,6f,67,72,61,6d,20,46,69,6c,65,73,5c,\
    48,50,5c,48,50,20,53,6f,66,74,77,61,72,65,20,55,70,64,61,74,65,5c,48,50,77,\
    75,53,63,68,64,32,2e,65,78,65,00
    "NeroFilterCheck"="C:\\Program Files\\Common Files\\Ahead\\Lib\\NeroCheck.exe"
    "!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"


    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "InstallVisualStyle"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,\
    63,65,73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,5c,52,6f,79,61,6c,65,2e,\
    6d,73,73,74,79,6c,65,73,00
    "InstallTheme"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,63,65,\
    73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,2e,74,68,65,6d,65,00

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
    HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
    LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
    NetworkService REG_MULTI_SZ DnsCache\0\0
    DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
    rpcss REG_MULTI_SZ RpcSs\0\0
    imgsvc REG_MULTI_SZ StiSvc\0\0
    termsvcs REG_MULTI_SZ TermService\0\0


    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D]
    Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480
    *newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_AVGASCLN
    *newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_COMHOST
    *newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_MDMXSDK
    *newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_NBF



    ~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

    backup-20070210-120858-999
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    backup-20070210-120757-592
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
    backup-20070210-120757-464
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
    backup-20070210-120757-828
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
    backup-20070210-120757-930
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
    backup-20070210-120757-598
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
    backup-20070210-120757-731
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
    backup-20070210-120757-951
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
    backup-20070210-114649-552
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    backup-20070210-114649-772
    O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
    backup-20070210-114610-211
    O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe

    Contents of the 'Scheduled Tasks' folder
    C:\WINDOWS\tasks\Easy Internet Sign-up.job
    C:\WINDOWS\tasks\Symantec NetDetect.job
    C:\WINDOWS\tasks\Warranty Reminder 11 month.job


    ********************************************************************

    catchme 0.1 W2K/XP - userland rootkit detector by Gmer, 17 October 2006
    http://www.gmer.net

    scanning hidden processes ...

    scanning hidden services ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden processes: 0
    hidden services: 0
    hidden files: 0

    ********************************************************************

    Completion time: 07-02-10 23:30:37

    =================

    Nothing obvious is jumping out at me; but then I'm not the expert; you are... So there ye be... :) Any thoughts?


    I have backed up all the critical data on the machine, so if a full splat is warranted, please let me know as soon as you can so I can get underway...

    Thanks!!!
  • TroganTrogan London, UK
    edited February 2007
    Hi Phil

    Yes, you're right. There's nothing obvious showing in either log. You could post in the Networking and Security forum and link back to this thread, since this issue seems to be unrelated to malware.

    Maybe one of the Networking gurus can get your wife's computer back on the internet.

    Good luck! :)
  • LlarionLlarion St. Petersburg FL
    edited February 2007
    I have done so, and thank you very much for the kind assistance! Hope you got a good night's sleep!

    Cheers,
    Phil
  • TroganTrogan London, UK
    edited February 2007
    Yep, I did! :D
  • LlarionLlarion St. Petersburg FL
    edited February 2007
    See the networking thread; it's back up and running... :)
  • TroganTrogan London, UK
    edited February 2007
    Awesome! I hope you will stick around the forum. :)
  • LlarionLlarion St. Petersburg FL
    edited February 2007
    I will; judging from the shenanigans in the pub, it seems like a fun bunch. Where does one go to donate? I really appreciate the assistance and the sense of community!
  • TroganTrogan London, UK
    edited February 2007
    As a community, we don't accept donations. Instead, we'd rather have you folding. ;)

    Yep, there is a good, fun bunch of people here. A good community, that's for sure. :)
  • TroganTrogan London, UK
    edited February 2007
    Thread closed!