PC boots but nothing works

Unknown · August 2008

Ok I got a good one for the pros. I build computers for a living but recently I started to do virus removals, my friend asked me to fix his PC that I built him a year ago and he thinks it’s a virus, so let’s put our thinking cap on for this one.
Here’s what it does and don’t do. It will boot and post goes into windows about 2 minutes then just stops no icons and taskbar only his desktop picture shows, same thing in safe mode. If I let it sit for about 15 or 20 minutes a weird screen saver like picture poops up and says "your approved no credit check". If I hit Cont Alt & Delete a window comes up and says "this has been disabled by your administrator" So I did a windows repair with a HP/Compaq Home disk which is what he has. It completed without any problems but no fix, and I also did the first repair the (chkdsk /repair) command, that didn’t help either. So then I slaved his hard drive on my good pc I know dangerous but I was at the end of my ropes, the program Malwarebytes found 17 problems and Trend found about 7 or so fixed them but still nothing happens. So does anybody have a fix for this one? Once in a while I would like to figure these things out rather than just reloading. Any help would graciously be appreciated, Thanks

rian101 · August 2008

No one knows how to fix it then?

Katana · August 2008

Hi rian101,

Sorry for the delay, but malware seems to be on a high cycle at the moment.
It sounds like the registry is corrupted, have you tried booting to the "Last Known Good Configuration" ?

rian101 · August 2008

Katana wrote:

Hi rian101,

Sorry for the delay, but malware seems to be on a high cycle at the moment.
It sounds like the registry is corrupted, have you tried booting to the "Last Known Good Configuration" ?

Yes I tried that also no luck

Katana · August 2008

I take that you have tried restoring to a point before this trouble as well then ?

It sounds very much like that machine is beyond repair at this point, since you are able to slave it and retrieve any data I think the best option is a reinstall.
It will be far quicker and less effort than trying to revive that machine.

rian101 · August 2008

Katana wrote:

I take that you have tried restoring to a point before this trouble as well then ?

It sounds very much like that machine is beyond repair at this point, since you are able to slave it and retrieve any data I think the best option is a reinstall.
It will be far quicker and less effort than trying to revive that machine.

I cant even get into safe mode to do a restore. Man this guy is going to explode if I tell him it needs to reload, hes got a lot of programs that dont have the disc anymore.

Katana · August 2008

When the desktop picture is showing, what happens if you press the Windows key+E
do you get any access ?

rian101 · August 2008

ok I got it to do a restore some how, I instaled Malwerebytes updated it and it removed over 7,000 bugs I will run it again a few more times and post what it cant remove here later.

Katana · August 2008

Download and Run ComboFix (by sUBs)
Please visit this webpage for instructions for downloading and running ComboFix:

Bleeping Computer ComboFix Tutorial

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper

PS, I would really love to see that MBAM log !!!,

rian101 · August 2008

Ok heres what it does now with Malwerebytes it gets to almost 100% and comes up with an error measage Run-time error '6': Overflow. I click ok and the program stops. I'm going to try to deleate temp files and run it again

Katana · August 2008

Forget MBAM for the moment, and run ComboFix

rian101 · August 2008

I got the Hijack log the other one is still working hard. It stoped 1 time and said Cant read writedir.dat: no such file or directory. It said to do a restart and is now doing its thing.

Logfile of HijackThis v1.99.1
Scan saved at 03:14:33 p.m., on 08/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\DOCUME~1\ALLUSE~1\APPLIC~1\PeoplePC\SECURI~1\ADSSER~1.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\DllHost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Compaq_Owner\Desktop\HijackThis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://home.peoplepc.com/search
F2 - REG:system.ini: Shell=Explorer.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O3 - Toolbar: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - C:\Program Files\PeoplePC\Toolbar\PPCToolbar.dll (file missing)
O4 - HKLM\..\Run: [startdrv] C:\WINDOWS\Temp\startdrv.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [d86f29fc] rundll32.exe "C:\WINDOWS\system32\cerkauyf.dll",b
O4 - HKLM\..\Run: [BMdb5c1a60] Rundll32.exe "C:\WINDOWS\system32\vbegnddd.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {07C9CFC7-DE33-4A0C-9FFB-CDFBA843B157} - http://akamai.downloadv3.com/binaries/EGDAccess/EGDACCESS_1063_XP.cab
O16 - DPF: {1604DF98-D1A5-44FE-844A-98D6FD0518D0} - http://akamai.downloadv3.com/binaries/EGDAccess/EGDACCESS_1060_XP.cab
O16 - DPF: {201B9B37-848F-40BD-90EA-7B8F0AA89D6A} - http://us2-scripts.dlv4.com/binaries/egaccess4/egaccess4_1071_em_XP.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {624321F1-0581-49D8-99BD-2E952C2DF31B} - http://akamai.downloadv3.com/binaries/EGDAccess/EGDACCESS_1063_ASPIV4_XP.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {AA59202C-5E41-48FC-AF7D-324F5FD6A9F1} - http://scripts.dlv4.com/binaries/egaccess4/egaccess4_1070_em_XP.cab
O16 - DPF: {EF4DCD99-D26B-44A4-BA77-CFDCC97E7291} - http://akamai.downloadv3.com/binaries/EGDAccess/EGDACCESS_1062_XP.cab
O16 - DPF: {FA605711-8E72-46B2-AE49-BED11B2E729D} - http://akamai.downloadv3.com/binaries/EGDAccess/EGDACCESS_1063_ASPIV4_XP.cab
O16 - DPF: {FA83E942-B796-46DE-9155-1632ECC5473B} - http://akamai.downloadv3.com/binaries/EGDAccess/EGDACCESS_1061_XP.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\sulimo.dat
O23 - Service: ADSService - Copyright© Aluria Software, LLC - C:\DOCUME~1\ALLUSE~1\APPLIC~1\PeoplePC\SECURI~1\ADSSER~1.EXE
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: EarthLink Firewall Process Path Service (ElnkFWPPService) - Aluria Software, LLC. - C:\DOCUME~1\ALLUSE~1\APPLIC~1\PeoplePC\SECURI~1\EFWPPS~1.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe

rian101 · August 2008

The list I got for combofix is too long how can I post it here?

Katana · August 2008

Let's see if we can get those logs.

Create a folder on the desktop called Files For Katana,
Now look for the following files

C:\ComboFix.txt
C:\qoobox\combofix2.txt
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

If you find any files with these names, then copy/drag them ALL into the new Files For Katana folder.

Right click the folder and select Send To >> Commpressed (Zip) Folder

Go to spykiller

Please start a new thread Titled Logs for Katana and give the following information

Name:-- rian101
E-mail:-- Your E-mail (this is confidential and will not be displayed)

In the main text window please put the following link

[B][URL]http://icrontic.com/forum/showthread.php?p=633969#post633969[/URL][/B]

you may also add any comments you wish
then press attach and upload the Files For Katana.zip that was created.

Files can be uploaded by anybody but not downloaded at all except for those users that have been given special permissions.
You DO NOT need to be a member to upload, anybody can upload the files

Katana · August 2008

Custom CFScript

Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

http://icrontic.com/forum/showthread.php?t=73043

Collect::[4]
C:\WINDOWS\system32\xcxtjnwg.exe
C:\Documents and Settings\Compaq_Owner\xl10172.exe
C:\Documents and Settings\Compaq_Owner\wn548.exe

DirLook::
C:\Program Files\yumracia

File::
C:\WINDOWS\wininit.ini
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ISP.$$$
C:\Documents and Settings\Compaq_Owner\Start Menu\Programs\Startup\infos.exe

Driver::
restore
Registry::
[-HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ISP.$$$]
[-HKLM\~\startupfolder\C:^Documents and Settings^Compaq_Owner^Start Menu^Programs^Startup^infos.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Otzonaof]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\i34yuc387]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

Save this as CFScript.txt and place it on your desktop.
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.
A window will open asking you to ensure you are connected to the internet, this is so a file can be submitted for analysis.
Click OK and follow the instructions to submit the file.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

Fix With HJT

Close all other windows and then start HiJack This
Click Do A System Scan Only
When it has finished scanning put a check next to the following lines IF still present

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://home.peoplepc.com/search
F2 - REG:system.ini: Shell=Explorer.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O3 - Toolbar: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - C:\Program Files\PeoplePC\Toolbar\PPCToolbar.dll (file missing)
O4 - HKLM\..\Run: [startdrv] C:\WINDOWS\Temp\startdrv.exe
O4 - HKLM\..\Run: [d86f29fc] rundll32.exe "C:\WINDOWS\system32\cerkauyf.dll",b
O4 - HKLM\..\Run: [BMdb5c1a60] Rundll32.exe "C:\WINDOWS\system32\vbegnddd.dll",s
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O16 - DPF: {07C9CFC7-DE33-4A0C-9FFB-CDFBA843B157} - http://akamai.downloadv3.com/binaries/EGDAccess/EGDACCESS_1063_XP.cab
O16 - DPF: {1604DF98-D1A5-44FE-844A-98D6FD0518D0} - http://akamai.downloadv3.com/binaries/EGDAccess/EGDACCESS_1060_XP.cab
O16 - DPF: {201B9B37-848F-40BD-90EA-7B8F0AA89D6A} - http://us2-scripts.dlv4.com/binaries/egaccess4/egaccess4_1071_em_XP.cab
O16 - DPF: {624321F1-0581-49D8-99BD-2E952C2DF31B} - http://akamai.downloadv3.com/binaries/EGDAccess/EGDACCESS_1063_ASPIV4_XP.cab
O16 - DPF: {AA59202C-5E41-48FC-AF7D-324F5FD6A9F1} - http://scripts.dlv4.com/binaries/egaccess4/egaccess4_1070_em_XP.cab
O16 - DPF: {EF4DCD99-D26B-44A4-BA77-CFDCC97E7291} - http://akamai.downloadv3.com/binaries/EGDAccess/EGDACCESS_1062_XP.cab
O16 - DPF: {FA605711-8E72-46B2-AE49-BED11B2E729D} - http://akamai.downloadv3.com/binaries/EGDAccess/EGDACCESS_1063_ASPIV4_XP.cab
O16 - DPF: {FA83E942-B796-46DE-9155-1632ECC5473B} - http://akamai.downloadv3.com/binaries/EGDAccess/EGDACCESS_1061_XP.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\sulimo.dat
O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe

- Close ALL open windows (especially Internet Explorer!)-
Now click Fix checked
Click yes to any prompts
Close HijackThis

How are things running now ?

rian101 · August 2008

Katana wrote:
Custom CFScript
Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
http://icrontic.com/forum/showthread.php?t=73043
 
Collect::[4]
C:\WINDOWS\system32\xcxtjnwg.exe
C:\Documents and Settings\Compaq_Owner\xl10172.exe
C:\Documents and Settings\Compaq_Owner\wn548.exe
 
DirLook::
C:\Program Files\yumracia
 
File::
C:\WINDOWS\wininit.ini
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ISP.$$$
C:\Documents and Settings\Compaq_Owner\Start Menu\Programs\Startup\infos.exe
 
Driver::
restore
Registry::
[-HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ISP.$$$]
[-HKLM\~\startupfolder\C:^Documents and Settings^Compaq_Owner^Start Menu^Programs^Startup^infos.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Otzonaof]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\i34yuc387]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
 
Save this as CFScript.txt and place it on your desktop.

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.

ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.

When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.

A window will open asking you to ensure you are connected to the internet, this is so a file can be submitted for analysis.

Click OK and follow the instructions to submit the file.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

Fix With HJT

Close all other windows and then start HiJack This
Click Do A System Scan Only
When it has finished scanning put a check next to the following lines IF still present

- Close ALL open windows (especially Internet Explorer!)-
Now click Fix checked
Click yes to any prompts
Close HijackThis

How are things running now ?

rian101 · August 2008

ComboFix 08-08-08.05 - Compaq_Owner 2008-08-11 14:20:53.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.164 [GMT -7:00]
Running from: C:\Documents and Settings\Compaq_Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Compaq_Owner\Desktop\CFScript.txt
* Created a new restore point
FILE ::
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ISP.$$$
C:\Documents and Settings\Compaq_Owner\Start Menu\Programs\Startup\infos.exe
C:\WINDOWS\wininit.ini
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\wininit.ini
I:\AUTORUN.INF
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

\Service_restore

((((((((((((((((((((((((( Files Created from 2008-07-11 to 2008-08-11 )))))))))))))))))))))))))))))))
.
2008-08-11 13:31 . 2008-08-11 13:46 <DIR> d

C:\Program Files\Spyware Doctor
2008-08-11 13:31 . 2008-08-11 13:31 <DIR> d

C:\Documents and Settings\Compaq_Owner\Application Data\PC Tools
2008-08-11 13:31 . 2007-12-10 14:53 81,288 --a

C:\WINDOWS\system32\drivers\iksyssec.sys
2008-08-11 13:31 . 2007-12-10 14:53 66,952 --a

C:\WINDOWS\system32\drivers\iksysflt.sys
2008-08-11 13:31 . 2008-08-11 13:33 42,376 --a

C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-08-11 13:31 . 2007-12-10 14:53 29,576 --a

C:\WINDOWS\system32\drivers\kcom.sys
2008-08-11 12:49 . 2008-08-11 12:49 <DIR> d

C:\Program Files\SUPERAntiSpyware
2008-08-11 12:49 . 2008-08-11 12:49 <DIR> d

C:\Documents and Settings\Compaq_Owner\Application Data\SUPERAntiSpyware.com
2008-08-11 12:49 . 2008-08-11 12:49 <DIR> d

C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-08-11 11:37 . 2008-08-11 11:44 <DIR> d

C:\WINDOWS\system32\drivers\Avg
2008-08-11 11:37 . 2008-08-11 11:37 <DIR> d

C:\Program Files\AVG
2008-08-11 11:37 . 2008-08-11 11:37 <DIR> d

C:\Documents and Settings\All Users\Application Data\avg8
2008-08-11 11:37 . 2008-08-11 11:37 96,520 --a

C:\WINDOWS\system32\drivers\avgldx86.sys
2008-08-11 11:37 . 2008-08-11 11:37 76,040 --a

C:\WINDOWS\system32\drivers\avgtdix.sys
2008-08-11 11:37 . 2008-08-11 11:37 10,520 --a

C:\WINDOWS\system32\avgrsstx.dll
2008-08-11 10:40 . 2008-08-11 10:40 <DIR> d

C:\Documents and Settings\Compaq_Owner\Application Data\URSoft
2008-08-11 09:53 . 2001-08-17 13:48 12,160 --a

C:\WINDOWS\system32\drivers\mouhid.sys
2008-08-11 09:53 . 2001-08-17 13:48 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2008-08-11 09:53 . 2001-08-17 14:02 9,600 --a

C:\WINDOWS\system32\drivers\hidusb.sys
2008-08-11 09:53 . 2001-08-17 14:02 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys
2008-08-08 13:37 . 2008-06-13 06:10 272,128

C:\WINDOWS\system32\drivers\bthport.sys
2008-08-08 13:37 . 2008-06-13 06:10 272,128

c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-08-08 13:35 . 2008-08-08 13:35 <DIR> d

C:\Documents and Settings\Compaq_Owner\Application Data\Malwarebytes
2008-08-08 13:34 . 2008-08-08 13:39 <DIR> d

C:\Program Files\Malwarebytes' Anti-Malware
2008-08-08 13:34 . 2008-08-08 13:34 <DIR> d

C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-08 13:34 . 2008-07-30 20:07 38,472 --a

C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-08 13:34 . 2008-07-30 20:07 17,144 --a

C:\WINDOWS\system32\drivers\mbam.sys
2008-07-16 17:16 . 2008-08-08 13:40 <DIR> d

C:\Program Files\Spybot - Search & Destroy
2008-07-16 17:16 . 2008-07-16 17:18 <DIR> d

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-16 17:08 . 2008-07-16 17:08 <DIR> d

C:\WINDOWS\system32\LogFiles
2008-07-16 16:00 . 2008-08-11 13:14 <DIR> d--h

C:\$AVG8.VAULT$
2008-07-16 15:28 . 2008-08-11 10:40 <DIR> d

C:\Program Files\Your Uninstaller 2008
2008-07-16 15:28 . 2008-08-11 14:13 <DIR> d-a

C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-16 15:28 . 2008-07-16 15:28 <DIR> d

C:\Documents and Settings\Administrator\Application Data\URSoft
2008-07-16 15:26 . 2008-07-16 15:26 <DIR> d

C:\Program Files\Common Files\Wise Installation Wizard
2008-07-16 15:24 . 2004-08-09 01:55 <DIR> d

C:\Documents and Settings\Administrator\WINDOWS
2008-07-16 15:24 . 2004-08-10 16:45 <DIR> d

C:\Documents and Settings\Administrator\Application Data\Symantec
2008-07-16 15:24 . 2004-08-09 01:57 <DIR> d

C:\Documents and Settings\Administrator\Application Data\SampleView
2008-07-16 15:24 . 2008-08-11 11:38 <DIR> d

C:\Documents and Settings\Administrator
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-11 17:51

d

w C:\Program Files\Broderbund
2008-08-11 17:49

d

w C:\Program Files\MySpace
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of C:\Program Files\yumracia ----
C:\Program Files\yumracia\

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 12:00 15360]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03 1481968]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-08-11 11:37 1232152]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 12:00 53760 C:\WINDOWS\system32\narrator.exe]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 12:55 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=avgrsstx.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^autorun.exe]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe
backup=C:\WINDOWS\pss\autorun.exeCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^autos.exe]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autos.exe
backup=C:\WINDOWS\pss\autos.exeCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Compaq Connections.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Compaq Connections.lnk
backup=C:\WINDOWS\pss\Compaq Connections.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Internet Answering Machine.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Internet Answering Machine.lnk
backup=C:\WINDOWS\pss\Internet Answering Machine.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Compaq_Owner^Start Menu^Programs^Startup^findfast.exe]
path=C:\Documents and Settings\Compaq_Owner\Start Menu\Programs\Startup\findfast.exe
backup=C:\WINDOWS\pss\findfast.exeStartup
[HKLM\~\startupfolder\C:^Documents and Settings^Compaq_Owner^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=C:\Documents and Settings\Compaq_Owner\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=C:\WINDOWS\pss\HotSync Manager.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a

2004-08-04 12:00 15360 C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
--a

1998-05-07 16:04 52736 c:\WINDOWS\system\hpsysdrv.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a--c--- 2004-04-21 18:28 286720 C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
--a--c--- 2003-02-11 20:02 61440 C:\hp\KBD\kbd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

2004-10-13 09:24 1694208 C:\Program Files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a

2007-11-14 23:43 286720 C:\Program Files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a--c--- 2005-03-06 01:39 26112 C:\Program Files\Real\RealPlayer\realplay.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
--a--c--- 2004-04-14 20:43 233472 C:\WINDOWS\SMINST\Recguard.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
--a--c--- 2005-03-04 12:01 88209 C:\WINDOWS\AGRSMMSG.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
--a--c--- 2004-09-07 13:47 57344 C:\WINDOWS\ALCXMNTR.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
--a

2004-10-22 11:53 53248 C:\WINDOWS\system32\VTTimer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Compaq Connections\\6750491\\Program\\Compaq Connections.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-08-11 11:37]
R2 avg8emc;AVG Free8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-08-11 11:37]
R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-11 11:37]
R2 AvgTdiX;AVG Free8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-08-11 11:37]
S3 ADSFilter;ADSFilter - (Aluria Filter Driver);C:\WINDOWS\system32\DRIVERS\ADSFilter.sys []
S3 MBAMSwissArmy;MBAMSwissArmy;C:\WINDOWS\system32\drivers\mbamswissarmy.sys [2008-07-30 20:07]
S3 SQTECH913D;913D Camera;C:\WINDOWS\system32\Drivers\Capt913D.sys [2006-12-21 10:52]
S3 VisorUsb;Handspring USB;C:\WINDOWS\system32\DRIVERS\VisorUsb.sys [2000-03-17 14:11]
.
Contents of the 'Scheduled Tasks' folder
2007-12-04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]
.
- - - - ORPHANS REMOVED - - - -
MSConfigStartUp-Bart Station - C:\Program Files\PeoplePC\ISP6300\BIN\PPCOLink.exe
MSConfigStartUp-MySpaceIM - C:\Program Files\MySpace\IM\MySpaceIM.exe
MSConfigStartUp-PeoplePC Internet Security Pack - C:\Documents and Settings\All Users\Application Data\PeoplePC\SecurityPack\ppc_isp.exe
MSConfigStartUp-Registry Cleaner - C:\Program Files\Registry Cleaner Trial\Regclean.exe

**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-11 14:25:01
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

**************************************************************************
.

Other Running Processes

.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
.
**************************************************************************
.
Completion time: 2008-08-11 14:33:46 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-11 21:32:36
ComboFix2.txt 2008-08-08 22:52:54
Pre-Run: 111,035,379,712 bytes free
Post-Run: 111,008,497,664 bytes free
181 --- E O F --- 2008-08-11 16:55:22

rian101 · August 2008

Wow all the stuff u told me to delete in HJT was not there and its alot cleaner now. it runs alot faster now, I will do windows update now and see how it goes, but I think its going to be ok ill keep you updated. Thanks

Katana · August 2008

Let's make sure nothing is left

Kaspersky Online Scanner .
Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal
NOTE:- This scan is best done from IE (Internet Explorer)
NOTE:- Vista users should start IE by Start(Vista Orb) >> Internet Explorer >> Right-Click Run As Admin
Go Here http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html

Read the Requirements and limitations before you click Accept.
Once the database has downloaded, click My Computer in the left pane
Now go and put the kettle on !
When the scan has completed, click Save Report As...
Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.

**Note**

To optimize scanning time and produce a more sensible report for review:

Close any open programs.
Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

rian101 · August 2008

Here is what kaspersky found, I did the critical area scan. Can I delete thoes files?\

KASPERSKY ONLINE SCANNER 7 REPORT
Tuesday, August 12, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Tuesday, August 12, 2008 17:10:29
Records in database: 1086451

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes
Scan area - Critical Areas:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
C:\Documents and Settings\Compaq_Owner\Start Menu\Programs\Startup
C:\Program Files
C:\WINDOWS
Scan statistics:
Files scanned: 32839
Threat name: 1
Infected objects: 2
Suspicious objects: 0
Duration of the scan: 00:50:50

File name / Threat name / Threats count
C:\WINDOWS\xlracrx.exe Infected: Trojan-Dropper.Win32.Agent.cpt 1
C:\WINDOWS\xlravcrx.exe Infected: Trojan-Dropper.Win32.Agent.cpt 1
The selected area was scanned.

Katana · August 2008

OTMoveIt
Please download OTMoveIt2 by OldTimer and save it to your desktop

Double-click OTMoveIt2.exe to run it.
Copy the lines in the codebox below.

C:\WINDOWS\xlracrx.exe
C:\WINDOWS\xlravcrx.exe

Return to OTMoveIt2, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.

Click the red Moveit! button.
Copy everything in the Results window (under the green bar), and paste it in your next reply.
Close OTMoveIt2

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Active Scan
Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal
NOTE:- Vista users should start IE by Start(Vista Orb) >> Internet Explorer >> Right-Click Run As Admin
Please go to this site Link >> ActiveScan << LINK

Click the Scan Now button
Follow the prompts to install the Active X if necessary
Go and make a cup of tea/coffee/beverage of your choice and watch some TV
When the scan is finished, a report will be generated
Next to Scan Details click the small Save button and save the report to your desktop.
Please post the report in your reply.

rian101 · August 2008

Here is the result it gave me.

C:\WINDOWS\xlracrx.exe moved successfully.
C:\WINDOWS\xlravcrx.exe moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 08122008_160304

Katana · August 2008

OTMoveIt

Double-click OTMoveIt2.exe to run it.
Copy the lines in the codebox below.

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\*.*
C:\WINDOWS\ddubbv.exe
C:\WINDOWS\system32\levro.exe
c:\windows\system32\unppc.exe

Return to OTMoveIt2, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.

Click the red Moveit! button.
Copy everything in the Results window (under the green bar), and paste it in your next reply.
Close OTMoveIt2

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

That's looking good now, any problems left ?

rian101 · August 2008

Wow this PC runs 100% better big thanks Katana you know your bug stuff. I may have other problems like this from time to time, so ill keep coming back here.

Katana · August 2008

Congratulations your logs look clean

Let's see if I can help you keep it that way

First lets tidy up

This will clear your System Volume Information restore points and remove all the infected files that were quarantined
Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the X and the /U, it needs to be there.

You can also delete any logs we have produced, and empty your Recycle bin.

Open OTMoveIt Click Cleanup,
it will now connect to the internet and get a list of files to delete.
When a box pops up click YES.

The following is some info to help you stay safe and clean.
( Vista users must ensure that any programs are Vista compatible BEFORE installing )

You may already have some of the following programs, but I include the full list for the benefit of all the other people who will be reading this thread in the future.

Online Scanners
I would recommend a scan at one or more of the following sites at least once a month.

http://www.pandasecurity.com/activescan
http://www.kaspersky.com/kos/eng/partner/71706/kavwebscan.html

!!! Make sure that all your programs are updated !!!
Secunia Software Inspector does all the work for you, .... see HERE for details

AntiSpyware

AntiSpyware is not the same thing as Antivirus.
Different AntiSpyware programs detect different things, so in this case it is recommended that you have more than one.
You should only have one running all the time, the other/s should be used "on demand" on a regular basis.
Most of the programs in this list have a free (for Home Users ) and paid versions,
it is worth paying for one and having "realtime" protection, unless you intend to do a manual scan often.
Spybot - Search & Destroy <<< A must have program
- It includes host protection and registry protection
- A hosts file is a bit like a phone book, it points to the actual numeric address (i.e. the IP address) from the human friendly name of a website. This feature can be used to block malicious websites
MalwareBytes Anti-malware <<< A New and effective program
a-squared Free <<< A good "realtime" or "on demand" scanner
superantispyware <<< A good "realtime" or "on demand" scanner

Prevention

These programs don't detect malware, they help stop it getting on your machine in the first place.
Each does a different job, so you can have more than one
Winpatrol
- An excellent startup manager and then some !!
- Notifies you if programs are added to startup
- Allows delayed startup
- A must have addition
SpywareBlaster 4.0
- SpywareBlaster sets killbits in the registry to prevent known malicious activex controls from installing themselves on your computer.
SpywareGuard 2.2
- SpywareGuard provides real-time protection against spyware.
- Not required if you have other "realtime" antispyware or Winpatrol
ZonedOut
- Formerly known as IE-SPYAD, adds a long list of sites and domains associated with known advertisers and marketers to the Restricted sites zone of Internet Explorer.
MVPS HOSTS
- This little program packs a powerful punch as it blocks ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers.
- For information on how to download and install, please read this tutorial by WinHelp2002.
- Not required if you are using other host file protections

Internet Browsers

Microsoft has worked hard to make IE.7 a more secure browser, unfortunately whilst it is still the leading browser of choice it will always be under attack from the bad guys.
Using a different web browser can help stop malware getting on your machine.
- Make your Internet Explorer more secure - This can be done by following these simple instructions:
  1. From within Internet Explorer click on the Tools menu and then click on Options.
  2. Click once on the Security tab
  3. Click once on the Internet icon so it becomes highlighted.
  4. Click once on the Custom Level button.
    - Change the Download signed ActiveX controls to Prompt
    - Change the Download unsigned ActiveX controls to Disable
    - Change the Initialise and script ActiveX controls not marked as safe to Disable
    - Change the Installation of desktop items to Prompt
    - Change the Launching programs and files in an IFRAME to Prompt
    - Change the Navigate sub-frames across different domains to Prompt
    - When all these settings have been made, click on the OK button.
    - If it prompts you as to whether or not you want to save the settings, press the Yes button.
  5. Next press the Apply button and then the OK to exit the Internet Properties page.
If you are still using IE6 then either update, or get one of the following.
- FireFox
  - With many addons available that make customization easy this is a very popular choice
  - NoScript and AdBlockPlus addons are essential
- Opera
  - Another popular alternative
- Netscape
  - Another popular alternative
  - Also has Addons available

Cleaning Temporary Internet Files and Tracking Cookies

Temporary Internet Files are mainly the files that are downloaded when you open a web page.
Unfortunately, if the site you visit is of a dubious nature or has been hacked, they can also be an entry point for malware.
It is a good idea to empty the Temporary Internet Files folder on a regular basis.

Tracking Cookies are files that websites use to monitor which sites you visit and how often.
A lot of Antispyware scanners pick up these tracking cookies and flag them as unwanted.
CAUTION :- If you delete all your cookies you will lose any autologin information for sites that you visit, and will need your passwords

Both of these can be cleaned manually, but a quicker option is to use a program
ATF Cleaner
- Free and very simple to use
CCleaner
- Free and very flexible, you can chose which cookies to keep

Also PLEASE read this article.....So How Did I Get Infected In The First Place

The last and most important thing I can tell you is UPDATE.
If you don't update your security programs (Antivirus, Antispyware even Windows) then you are at risk.
Malware changes on a day to day basis. You should update every week at the very least.

If you follow this advice then (with a bit of luck) you will never have to hear from me again

If you could post back one more time to let me know everything is OK, then I can have this thread archived.

Happy surfing K'

rian101 · August 2008

Yes It cleaned it all out, Thanks pal. Pc is running at 100% now even SP3 wnt in with no problems.

Katana · August 2008

Glad we could be of assistance! This topic is now closed.

If you wish to reopen your topic, please send a Private Message (PM) to Trogan with a link to your thread.

If you are not the user who started this thread, you must start your own Thread instead

PC boots but nothing works

Comments