Need help with Virus.

[MikeMW]

Hi - Yes, during the last round of cleaning. When Windows started up, I selected a profile (mine) and it told me that it could not load my personal settings that I had lost my "local profiles" and it opened with a standard profile asking for a tour of XP etc. etc.

Here is the requested file...

Code:

2004-04-22 11:16      54272    --a------    C:\Qoobox\Quarantine\D\Drive C\Program Files\Lycos\IEagent\CSBIINST.DLL.vir
2004-05-19 07:23      256    --a------    C:\Qoobox\Quarantine\D\Drive C\Program Files\Lycos\IEagent\csie_srchrule.dat.vir
2004-05-22 10:58      2544    --a------    C:\Qoobox\Quarantine\D\Drive C\Program Files\Lycos\IEagent\csie_edomains.dat.vir
2004-06-04 09:28      40960    --a------    C:\Qoobox\Quarantine\D\Drive C\Program Files\Common Files\midaddle\Uninstaller.exe.vir
2004-06-04 09:31      61440    --a------    C:\Qoobox\Quarantine\D\Drive C\Program Files\Common Files\midaddle\Updater.exe.vir
2004-06-08 16:47      14888    --a------    C:\Qoobox\Quarantine\D\Drive C\Program Files\Lycos\IEagent\csie_patterns.dat.vir
2004-06-08 16:47      304    --a------    C:\Qoobox\Quarantine\D\Drive C\Program Files\Lycos\IEagent\csie_rules.dat.vir
2004-06-30 07:53      0    --a------    C:\Qoobox\Quarantine\D\Drive C\Program Files\Lycos\IEagent\csie_idomainsd.dat.vir
2004-06-30 22:47      120    --a------    C:\Qoobox\Quarantine\D\Drive C\Program Files\Lycos\IEagent\control.dat.vir
2004-06-30 22:47      54272    --a------    C:\Qoobox\Quarantine\D\Drive C\Program Files\Lycos\IEagent\CSSOINST.DLL.vir
2004-06-30 22:47      54272    --a------    C:\Qoobox\Quarantine\D\Drive C\Program Files\Lycos\IEagent\CSTMINST.DLL.vir
2004-07-02 22:18      2560    --a------    C:\Qoobox\Quarantine\D\Drive C\Program Files\Lycos\IEagent\csie_ss_edomains.dat.vir
2004-08-01 08:31      95790    --a------    C:\Qoobox\Quarantine\D\Drive C\Program Files\Common Files\midaddle\uninst.exe.vir
2004-08-13 10:46      0    --a------    C:\Qoobox\Quarantine\D\Drive C\Program Files\Lycos\IEagent\csie_ss_idomainsd.dat.vir
2004-08-13 10:46      8    --a------    C:\Qoobox\Quarantine\D\Drive C\Program Files\Lycos\IEagent\csie_dictionary.dat.vir
2004-08-13 17:30      20    --a------    C:\Qoobox\Quarantine\D\Drive C\Program Files\Lycos\IEagent\csie_ron_sbday.dat.vir
2004-08-13 17:30      20    --a------    C:\Qoobox\Quarantine\D\Drive C\Program Files\Lycos\IEagent\csie_ron_sbhour.dat.vir
2004-08-13 17:32      118    --a------    C:\Qoobox\Quarantine\D\Drive C\Program Files\Lycos\IEagent\csie_usb_sbday.dat.vir
2004-08-13 17:32      118    --a------    C:\Qoobox\Quarantine\D\Drive C\Program Files\Lycos\IEagent\csie_usb_sbhour.dat.vir
2006-05-13 22:20      0    --a--c---    C:\Qoobox\Quarantine\C\WINDOWS\system32\winbl32.dll.vir
2007-09-16 19:22      49411    --a------    C:\Qoobox\Quarantine\C\prx.exe.vir
2007-09-19 21:36      4057    --a------    C:\Qoobox\Quarantine\C\WINDOWS\prx.exe.vir
2007-10-12 11:37      2636    --a------    C:\Qoobox\Quarantine\Registry_backups\services_ut6kum8u6u2rdh.reg.dat
2007-10-12 11:37      868    --a------    C:\Qoobox\Quarantine\Registry_backups\LEGACY_UT6KUM8U6U2RDH.reg.dat
2007-10-12 14:51      224655    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\hrr.exe.vir
2007-10-12 20:08      224655    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\zqnunj.exe.vir
2007-10-14 16:24      225509    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\hx.exe.vir
2007-10-14 16:31      225509    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\juunrlpiqtz.exe.vir
2007-10-14 16:33      225509    --a------    C:\Qoobox\Quarantine\C\WINDOWS\sptawl.exe.vir
2007-10-14 20:11      1144    --a------    C:\Qoobox\Quarantine\Registry_backups\LEGACY_OUHPYEUAOEWEUY9K.reg.dat
2007-10-14 20:11      2748    --a------    C:\Qoobox\Quarantine\Registry_backups\services_ouhpyeuaoeweuy9k.reg.dat


Folder PATH listing
Volume serial number is A0B9-B802
C:\QOOBOX\QUARANTINE
+---C
|   |   prx.exe.vir
|   |   
|   \---WINDOWS
|       |   prx.exe.vir
|       |   sptawl.exe.vir
|       |   
|       \---system32
|               hrr.exe.vir
|               hx.exe.vir
|               juunrlpiqtz.exe.vir
|               winbl32.dll.vir
|               zqnunj.exe.vir
|               
+---D
|   \---Drive C
|       \---Program Files
|           +---Common Files
|           |   \---midaddle
|           |           uninst.exe.vir
|           |           Uninstaller.exe.vir
|           |           Updater.exe.vir
|           |           
|           \---Lycos
|               \---IEagent
|                       control.dat.vir
|                       CSBIINST.DLL.vir
|                       csie_dictionary.dat.vir
|                       csie_edomains.dat.vir
|                       csie_idomainsd.dat.vir
|                       csie_patterns.dat.vir
|                       csie_ron_sbday.dat.vir
|                       csie_ron_sbhour.dat.vir
|                       csie_rules.dat.vir
|                       csie_srchrule.dat.vir
|                       csie_ss_edomains.dat.vir
|                       csie_ss_idomainsd.dat.vir
|                       csie_usb_sbday.dat.vir
|                       csie_usb_sbhour.dat.vir
|                       CSSOINST.DLL.vir
|                       CSTMINST.DLL.vir
|                       
\---Registry_backups
        LEGACY_OUHPYEUAOEWEUY9K.reg.dat
        LEGACY_UT6KUM8U6U2RDH.reg.dat
        services_ouhpyeuaoeweuy9k.reg.dat
        services_ut6kum8u6u2rdh.reg.dat

[Ried]

I see nothing removed by ComboFix that would have caused that.

To summarize:

1. You ran dss.exe (the original scanning tool) from Mike's acct.

2. You had difficulty running ComboFix then said you finally got it to run. I see that ComboFix is being run from Lauren's acct--is that how you finally got it to run, by moving it to her account?

3. Is it the Mike account, or Lauren account that has now lost it's profile?

4. Where is dss.exe located now?

[MikeMW]

I ran DSS.exe from Mike's account. I guess that is where I installed it to begin with. I had originally installed ComboFix on Lauren's account and never moved it over to Mike's account. I did not think it would matter, but if it does, I will transfer them all to one account.

Both accounts lost their profiles and DSS.exe is still on Mike's account.

[Ried]

I'm not quite understanding--can you bring up Mike account and use dss.exe?

[MikeMW]

Yes, no problems running DSS.exe or ComboFix. They both are running the scans and providing the reports.

[Ried]

Ok, from Mike's account

Click Start>Select 'Run' - then copy/paste the following text into the run box & click OK

"%userprofile%\desktop\dss.exe" /config

In the dialog box that appears:

Under the Main Log heading--Uncheck everything
Under the Extra Log heading-- 'Check' DOS Environment and User Profiles
Click Scan!

The extra.txt will open up in Notepad. Copy/paste the contents of that report in your next reply.

[MikeMW]

I tried running the commanf line listed above and windows could not find "C:\documents and settings\ mike whitby\desktop\dss.exe"/config'.

I opened lauren's profile again and it appears to be correct now but it still does not list a doc. & settings folder for either name under eaitehr profile.

[Ried]

Try running dss.exe by double clicking the icon, then please post the main.txt it produces

[MikeMW]

Here is the main.txt file.

Deckard's System Scanner v20070905.67
Run by Mike Whitby on 2007-10-15 12:52:17
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Mike Whitby.exe) -----------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:52:28 PM, on 10/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0BIC1.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\qttask.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\twc\medicsp2\bin\sprtcmd.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-5.1.18.0\QOELoader.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\twc\medicsp2\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\CAPPActiveProtection.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\PPCtlPriv.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\System32\msiexec.exe
C:\Documents and Settings\Mike Whitby\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\MIKEWH~1.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O4 - HKLM\..\Run: [EPSON Stylus C62 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0BIC1.EXE /P23 "EPSON Stylus C62 Series" /O6 "USB001" /M "Stylus C62"
O4 - HKLM\..\Run: [RCScheduleCheck] C:\Program Files\VCOM\Recovery Commander\RCSCHED.EXE -CHECK
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX4800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE /P26 "EPSON Stylus CX4800 Series" /O6 "USB002" /M "Stylus CX4800"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [medicsp2] C:\Program Files\twc\medicsp2\bin\sprtcmd.exe /P medicsp2
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [cafwc] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe -cl
O4 - HKLM\..\Run: [capfasem] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
O4 - HKLM\..\Run: [capfupgrade] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-5.1.18.0\QOELoader.exe"
O4 - HKLM\..\Run: [CaPPcl] C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\CAAntiSpyware.exe /scan /startup
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-2000478354-562591055-839522115-1004\..\Run: [] (User 'Lauren Whitby')
O4 - HKUS\S-1-5-21-2000478354-562591055-839522115-1004\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Lauren Whitby')
O4 - HKUS\S-1-5-21-2000478354-562591055-839522115-1004\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'Lauren Whitby')
O4 - HKUS\S-1-5-21-2000478354-562591055-839522115-1004\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Lauren Whitby')
O4 - HKUS\S-1-5-21-2000478354-562591055-839522115-1004\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1 (User 'Lauren Whitby')
O4 - HKUS\S-1-5-21-2000478354-562591055-839522115-1004\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe (User 'Lauren Whitby')
O4 - HKUS\S-1-5-21-2000478354-562591055-839522115-1004\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp (User 'Lauren Whitby')
O4 - HKUS\S-1-5-21-2000478354-562591055-839522115-1004\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Lauren Whitby')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {F7A05BAC-9778-410A-9CDE-BFBD4D5D2B7F} (iPIX Media Send Class) - http://216.249.24.62/code/iPIX-ImageWell-ipix.cab
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: McAfee Network Agent (McNASvc) - Unknown owner - c:\program files\common files\mcafee\mna\mcnasvc.exe (file missing)
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\PPCtlPriv.exe
O23 - Service: SupportSoft Sprocket Service (medicsp2) (sprtsvc_medicsp2) - SupportSoft, Inc. - C:\Program Files\twc\medicsp2\bin\sprtsvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 10820 bytes

-- Files created between 2007-09-15 and 2007-10-15 -----------------------------

2007-10-14 16:35:49 0 d-------- C:\WINDOWS\ERUNT
2007-10-12 15:01:09 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-10-12 15:01:08 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-10-12 14:58:18 0 d---s---- C:\Documents and Settings\Mike Whitby\UserData
2007-10-10 12:01:56 0 d-------- C:\Program Files\SpywareBlaster
2007-10-10 12:01:03 0 d-------- C:\Documents and Settings\Mike Whitby\Application Data\Adobe
2007-10-09 16:56:24 0 d-------- C:\Program Files\Trend Micro
2007-10-09 14:26:19 0 --a------ C:\Documents and Settings\Mike Whitby\core
2007-10-09 14:26:18 0 --a------ C:\Documents and Settings\Lauren Whitby\core
2007-10-09 10:43:01 0 d-------- C:\WINDOWS\ShellNew
2007-10-09 10:42:52 0 d-------- C:\Program Files\Common Files\L&H
2007-10-09 10:42:51 0 d-------- C:\Program Files\Microsoft ActiveSync
2007-10-04 12:23:35 0 d--h----- C:\Documents and Settings\Administrator\Templates
2007-10-04 12:23:35 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2007-10-04 12:23:35 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2007-10-04 12:23:35 0 d--h----- C:\Documents and Settings\Administrator\Recent
2007-10-04 12:23:35 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2007-10-04 12:23:35 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2007-10-04 12:23:35 0 d-------- C:\Documents and Settings\Administrator\My Documents
2007-10-04 12:23:35 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2007-10-04 12:23:35 0 d-------- C:\Documents and Settings\Administrator\Favorites
2007-10-04 12:23:35 0 d-------- C:\Documents and Settings\Administrator\Desktop
2007-10-04 12:23:35 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2007-10-04 12:23:35 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2007-10-04 12:23:35 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2007-10-04 12:23:34 786432 --ah----- C:\Documents and Settings\Administrator\ntuser.dat


-- Find3M Report ---------------------------------------------------------------

2007-10-15 12:30:46 0 d-------- C:\Program Files\Microsoft AntiSpyware
2007-10-09 10:42:52 0 d-------- C:\Program Files\Common Files
2007-10-06 14:08:48 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-10-06 14:07:56 0 d-------- C:\Program Files\Sony
2007-10-05 17:42:50 0 d-------- C:\Program Files\pspvideo9
2007-10-05 17:41:48 0 d--h----- C:\Program Files\Zero G Registry
2007-08-20 15:37:53 0 d-------- C:\Program Files\AIM Toolbar
2007-08-18 21:55:17 0 d-------- C:\Program Files\Java


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus C62 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0BIC1.exe" [04/10/2002 03:00 AM]
"RCScheduleCheck"="C:\Program Files\VCOM\Recovery Commander\RCSCHED.exe" [10/21/2003 12:20 PM]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [10/29/2004 05:50 PM]
"nwiz"="nwiz.exe" [10/29/2004 05:50 PM C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [10/29/2004 05:50 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [07/12/2007 04:00 AM]
"ezShieldProtector for Px"="C:\WINDOWS\System32\ezSP_Px.exe" [08/20/2002 11:29 AM]
"gcasServ"="C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" [07/12/2005 03:35 PM]
"EPSON Stylus CX4800 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.exe" [02/01/2005 10:00 PM]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [06/07/2005 12:46 AM]
"QuickTime Task"="C:\qttask.exe" [12/23/2006 06:41 PM]
"CAVRID"="C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe" [06/12/2007 12:32 PM]
"medicsp2"="C:\Program Files\twc\medicsp2\bin\sprtcmd.exe" [03/07/2007 11:53 AM]
"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [09/18/2007 05:25 PM]
"cafwc"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe" [09/18/2007 05:25 PM]
"capfasem"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe" [09/18/2007 05:25 PM]
"capfupgrade"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe" [09/18/2007 05:25 PM]
"QOELOADER"="C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-5.1.18.0\QOELoader.exe" [09/18/2007 05:25 PM]
"CaPPcl"="C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\CAAntiSpyware.exe" [09/18/2007 05:25 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [07/16/2007 08:28 AM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 02:56 AM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{a5780613-492e-4a2a-a7fd-549610edf6cc}"= C:\Program Files\VCOM\Recovery Commander\RCHOOK.DLL [07/08/2003 09:53 AM 102400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
UmxWnp.Dll 05/18/2007 02:30 PM 79368 C:\WINDOWS\system32\UmxWNP.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"




-- End of Deckard's System Scanner: finished at 2007-10-15 12:57:38 ------------

[Ried]

dss.exe is showing as running from C:\Documents and Settings\Mike Whitby\Desktop\dss.exe

I'd really like to see User Profiles report from dss.exe. Try once again to use this command. Copy/paste it--spacing is important.

"%userprofile%\desktop\dss.exe" /config

In the dialog box that appears:

Under the Main Log heading--Uncheck everything
Under the Extra Log heading-- 'Check' DOS Environment and User Profiles
Click Scan!

The extra.txt will open up in Notepad. Copy/paste the contents of that report in your next reply.

--------------------------------------------

If you still get an error message, then navigate to C:\Deckard and delete that folder. Run dss.exe again by double clicking on it and it will produce the main.txt and an extra.txt. I only want to see the extra.txt

[MikeMW]

Well...It ran that time - Must be a Monday :)

Deckard's System Scanner v20070905.67
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Mike Whitby\Application Data
CLASSPATH=C:\Program Files\Java\jre1.5.0_06\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=THE-WHITBYS
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Mike Whitby
LOGONSERVER=\\THE-WHITBYS
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\Common Files\Teleca Shared;C:\QTSystem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 7, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0207
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.5.0_06\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\MIKEWH~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\MIKEWH~1\LOCALS~1\Temp
USERDOMAIN=THE-WHITBYS
USERNAME=Mike Whitby
USERPROFILE=C:\Documents and Settings\Mike Whitby
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Mike Whitby (admin)
Lauren Whitby (admin)
Dixie Whitby (admin)
Administrator (admin)


-- End of Deckard's System Scanner: finished at 2007-10-15 13:45:20 ------------

[Ried]

The logs are coming up clean. Kaspersky for the most part reported items already in quarantine, in backups from tools we've used, or in your System Restore which we will be clearing in a little while.

We only have this issue of user profiles left, correct?

Can you access these folders by navigating to them via My Computer?

C:\Documents and Settings\Mike Whitby
C:\Documents and Settings\Lauren Whitby

[Ried]

Additional instruction, Mike.

Once you've navigated to those folders, check if this file exists in each profile - ntuser.dat

If it exists, reboot your system and logon as one user ONLY

Open Notepad and copy/paste the contents in the quote box below, into Notepad.

Quote:

@echo off
swreg query HKU >log.txt
start notepad log.txt

Save this as query.bat Choose to "Save type as - All Files"
It should look like this:
Double click on query.bat & allow it to run.

Please post the log and await further instructions.

**Note--do not do any further fixing, nor run any onboard tools until we've sorted this out.

[MikeMW]

I could not find them through My Computer. I did a file search and they are showing in the DSS.exe files.

I only have one other issue that I might have caused in the beginning. I deleted some old programs and I am noe getting a Windows installer screen when I launch Exployer or other programs. They work but the installer screen comes up first and it takes a few seconds then the programs begin.

Thanks.

[MikeMW]

Disregard last post. I was able to find them and I am running the query.bat now. Will update in a few minutes.
Thanks.

[sUBs]

Please run query.bat as Ried instructed

[MikeMW]

Here is the copy of the report.

Thanks.


SteelWerX Registry Console Tool 2.0
Written by Bobbi Flekman 2006 (C)

HKEY_USERS

HKEY_USERS\.DEFAULT

HKEY_USERS\S-1-5-19

HKEY_USERS\S-1-5-19_Classes

HKEY_USERS\S-1-5-20

HKEY_USERS\S-1-5-20_Classes

HKEY_USERS\S-1-5-21-2000478354-562591055-839522115-1003

HKEY_USERS\S-1-5-21-2000478354-562591055-839522115-1003_Classes

HKEY_USERS\S-1-5-18

[sUBs]

How many times have you rebooted the machine since the last combofix run?

[MikeMW]

Maybe twice. I have been shutting down the computer just in case it was not clean and would send out more e-mails. Road Runner told me one more time and they would require a receipt to show that I had it cleaned and a complete system restore was done to get rid of the virus.

[sUBs]

Quote:

they would require a receipt to show that I had it cleaned and a complete system restore was done to get rid of the virus.

The correct term should be "complete system restore using the manufacturer's recovery disks". Windows System Restore is a bit different. That's what we would be relying on to fix this

Your user profiles are corrupt. That's why Windows won't load them. I need to search & find if there's any backups made.

Open notepad & copy these into it

Code:

@echo off
swxcacls "%systemdrive%\System Volume Information" /e /ge:f /q
vfind -ltf "%systemdrive%\System Volume Information\*" | findstr /i "_registry_" > Log.txt
swxcacls "%systemdrive%\system volume information" /p /gs:f /i remove /q
if exist log.txt start notepad log.txt

Save it as find.bat. Click on it to produce a log