06-18-2008, 02:30 PM   #41
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
Join Date: Jun 2006
Location: USA
Posts: 7,307
OS: XP SP3


Re: 2nd thread, malware: blue screen, bugs & more

Hi,

Well done.
  • Open notepad (Start>All programs>accessories>notepad )
  • Copy the entire contents of the Quote Box below to Notepad.
  • Name the file as CFScript.txt
  • Change the Save as Type to All Files
  • and Save it on the desktop
(It must be notepad, not wordpad, or it won't work):

Code:
KILLALL::

File::
c:\docume~1\genevi~1\locals~1\temp\cportclm.sys

Driver::
cportclm
SymEvent
ccEvtMgr
ccPwdSvc
ccSetMgr


Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dl"=-
"ccApp"=-
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{682b5742-8eb9-11dc-b027-001422ef8271}]
"C:\\Program Files\\BitLord\\BitLord.exe"=-
Save this as CFScript.txt



Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.


===========================

Please perform an online scan with Internet Explorer at Kaspersky Online Scanner

http://i275.photobucket.com/albums/j...g/KAS/KAS9.gif


Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs.
  • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.
====================
Post a fresh HijackThis log along with the Combofix.txt and the Kaspersky report please.
__________________
My services are free. However, you can donate to TSF to help keep it running.




Member of ASAP since 2005
Member of UNITE since 2006
06-19-2008, 05:38 AM   #42
Registered User
Join Date: May 2005
Posts: 35
OS: XP


Re: 2nd thread, malware: blue screen, bugs & more

Hi,

Okay... I hope I did this right. When I dropped the CFScript onto ComboFix, I received a pop-up that said only "Installation Failed!". I clicked OK and then it went on with its normal operation...

Here are the logs:

ComboFix 08-06-16.5 - Genevieve 2008-06-18 19:31:46.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.603 [GMT -4:00]
Running from: C:\Documents and Settings\Genevieve\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Genevieve\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\docume~1\genevi~1\locals~1\temp\cportclm.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CCEVTMGR
-------\Legacy_CCSETMGR
-------\Legacy_CPORTCLM
-------\Legacy_SYMEVENT
-------\Service_ccEvtMgr
-------\Service_ccPwdSvc
-------\Service_ccSetMgr
-------\Service_cportclm
-------\Service_SymEvent


((((((((((((((((((((((((( Files Created from 2008-05-18 to 2008-06-18 )))))))))))))))))))))))))))))))
.

2008-06-17 15:40 . 2008-06-17 15:40 <DIR> d-------- C:\Deckard
2008-06-11 17:06 . 2008-04-14 07:01 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 17:06 . 2008-04-14 07:01 272,128 --------- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-09 11:41 . 2008-06-09 11:41 <DIR> d-------- C:\Program Files\Attractel
2008-06-05 22:25 . 2008-06-05 22:25 <DIR> d-------- C:\Program Files\MSBuild
2008-06-05 22:23 . 2008-06-05 22:23 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2008-06-05 22:21 . 2008-06-05 22:21 <DIR> d-------- C:\Program Files\Reference Assemblies
2008-06-05 22:20 . 2008-06-05 22:20 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-06-05 22:20 . 2008-06-05 22:20 <DIR> d-------- C:\b7d1273ec74308c1bcfdcfe654dc5bde
2008-06-05 22:20 . 2006-06-29 13:07 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2008-06-05 22:12 . 2006-11-13 02:02 288,768 --------- C:\WINDOWS\system32\rhttpaa.dll
2008-06-05 22:12 . 2006-11-13 02:02 116,736 --------- C:\WINDOWS\system32\aaclient.dll
2008-06-05 22:12 . 2006-11-13 02:02 36,352 --------- C:\WINDOWS\system32\tsgqec.dll
2008-06-05 21:55 . 2008-04-23 00:16 6,066,176 --------- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-06-05 21:55 . 2007-04-17 05:32 2,455,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-06-05 21:55 . 2007-03-08 01:10 991,232 --------- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-06-05 21:55 . 2008-04-23 00:16 459,264 --------- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-06-05 21:55 . 2008-04-23 00:16 383,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-06-05 21:55 . 2008-04-23 00:16 267,776 --------- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-06-05 21:55 . 2008-04-23 00:16 63,488 --------- C:\WINDOWS\system32\dllcache\icardie.dll
2008-06-05 21:55 . 2008-04-23 00:16 52,224 --------- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-06-05 21:55 . 2008-04-22 03:39 13,824 --------- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-06-05 21:40 . 2008-06-14 21:47 1,374 --a------ C:\WINDOWS\imsins.BAK
2008-06-05 21:39 . 2007-07-09 09:09 584,192 --------- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-06-05 21:26 . 2005-01-13 22:41 11,254 --a------ C:\WINDOWS\system32\locate.com
2008-06-05 21:25 . 2008-06-06 00:11 48,271 --a------ C:\MGlogs.zip
2008-06-05 18:21 . 2008-06-05 18:21 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-05 17:27 . 2008-06-05 17:27 1,240,104 --a------ C:\MGtools.exe
2008-06-05 17:10 . 2008-06-05 17:10 <DIR> d-------- C:\Documents and Settings\Lauryn\Application Data\ESET
2008-06-05 17:08 . 2008-06-05 17:08 <DIR> d-------- C:\Documents and Settings\Christopher\Application Data\ESET
2008-06-05 17:05 . 2008-06-05 17:05 <DIR> d-------- C:\Documents and Settings\Brittney\Application Data\ESET
2008-06-05 16:57 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-06-05 16:55 . 2008-06-05 16:55 <DIR> d-------- C:\Program Files\Common Files\Java
2008-06-04 17:23 . 2008-06-04 17:23 <DIR> d-------- C:\Documents and Settings\Genevieve\Application Data\ESET
2008-06-04 17:22 . 2008-06-04 17:22 <DIR> d-------- C:\Program Files\ESET
2008-06-04 17:22 . 2008-06-04 17:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-06-04 12:19 . 2008-06-04 12:19 <DIR> d-------- C:\ie-spyad_zo
2008-06-04 12:18 . 2008-06-17 16:25 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-06-03 09:31 . 2008-06-03 09:31 <DIR> d-------- C:\Program Files\Panda Security
2008-05-31 21:44 . 2008-06-05 20:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-18 23:30 --------- d-----w C:\Documents and Settings\Genevieve\Application Data\.purple
2008-06-17 20:25 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-17 15:58 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-06-17 15:49 --------- d-----w C:\Documents and Settings\Genevieve\Application Data\Lavasoft
2008-06-17 15:36 --------- d-----w C:\Program Files\PhotoRescue Pro
2008-06-16 23:38 --------- d-----w C:\Documents and Settings\Brittney\Application Data\.purple
2008-06-16 02:11 --------- d-----w C:\Program Files\Java
2008-06-16 02:10 --------- d-----w C:\Program Files\Common Files\Knowledge Adventure
2008-06-12 11:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\1Click DVD Copy Pro
2008-06-10 16:26 --------- d-----w C:\Documents and Settings\Genevieve\Application Data\OpenOffice.org2
2008-06-06 02:19 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-06-04 11:40 --------- d-----w C:\Program Files\CleanUp!
2008-05-26 02:16 --------- d-----w C:\Documents and Settings\Genevieve\Application Data\gtk-2.0
2008-05-11 05:00 --------- d-----w C:\Program Files\Common Files\Real
2008-05-11 04:53 --------- d-----w C:\Program Files\1st Page 2000
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-04-25 16:18 --------- d-----w C:\Program Files\Apple Software Update
2008-04-25 16:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-04-20 01:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\vsosdk
2008-03-05 18:41 69,992 ----a-w C:\Documents and Settings\Genevieve\Application Data\GDIPFONTCACHEV1.DAT
2007-12-23 00:09 47,360 ----a-w C:\Documents and Settings\Genevieve\Application Data\pcouffin.sys
2007-12-22 22:02 87,608 ----a-w C:\Documents and Settings\Genevieve\Application Data\ezpinst.exe
2007-11-05 01:32 69,976 ----a-w C:\Documents and Settings\Brittney\Application Data\GDIPFONTCACHEV1.DAT
2006-06-25 23:38 152 --sh--r C:\WINDOWS\system32\10C1754A1D.sys
2006-06-25 23:38 7,518 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot@2008-06-18_13.49.35.82 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-03-13 15:57:10 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
+ 2005-10-21 00:02:28 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
+ 2008-06-18 23:35:22 16,384 ----atw C:\WINDOWS\temp\Perflib_Perfdata_6ec.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 07:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-11-19 05:41 98304]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-11-19 05:38 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-11-19 05:42 118784]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 13:48 761947]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2005-11-12 04:41 1347584]
"SigmatelSysTrayApp"="stsystra.exe" [2005-11-16 23:35 397312 C:\WINDOWS\stsystra.exe]
"NWEReboot"="" []
"egui"="C:\Program Files\ESET\ESET Smart Security\egui.exe" [2007-12-21 08:21 1443072]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
"Zone Labs Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 10:54 282624]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-06-15 19:15 366400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.divxa32"= msaud32_divx.acm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPod Service"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Pidgin\\pidgin.exe"=
"C:\\Program Files\\CounterPath\\X-Lite\\x-lite.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R2 dlcq_device;dlcq_device;C:\WINDOWS\system32\dlcqcoms.exe [2006-12-12 04:22]
R2 RMSvc;Media Center Extender Resource Monitor;C:\WINDOWS\ehome\RMSvc.exe [2005-10-20 19:55]
R2 zumbus;Zune Bus Enumerator Driver;C:\WINDOWS\system32\DRIVERS\zumbus.sys [2008-01-11 17:39]
S2 FILESpy;FILESpy;C:\Program Files\Softwin\BitDefender9\filespy.sys []
S3 QWAVE;QWAVE service;C:\WINDOWS\system32\svchost.exe [2004-08-10 07:00]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
QWAVE REG_MULTI_SZ QWAVE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{682b5742-8eb9-11dc-b027-001422ef8271}]
\Shell\AutoRun\command - E:\wd_windows_tools\setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-06-14 01:34:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-18 19:45:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Dell\NicConfigSvc\NicConfigSvc.exe
C:\WINDOWS\ehome\McrdSvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\ehome\RMSysTry.exe
C:\WINDOWS\system32\verclsid.exe
.
**************************************************************************
.
Completion time: 2008-06-18 19:50:39 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-18 23:50:36
ComboFix2.txt 2008-06-18 19:43:42
ComboFix3.txt 2008-06-18 17:49:49
ComboFix4.txt 2008-06-06 01:08:38
ComboFix5.txt 2007-12-26 20:51:58

Pre-Run: 18,337,771,520 bytes free
Post-Run: 18,347,884,544 bytes free

183 --- E O F --- 2008-06-17 11:53:05
&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Thursday, June 19, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, June 18, 2008 15:36:21
Records in database: 878919
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 95952
Threat name: 1
Infected objects: 1
Suspicious objects: 0
Duration of the scan: 02:53:50


File name / Threat name / Threats count
C:\WINDOWS\system32\drivers\setup\downloader\files\pwtemp2.exe Infected: not-a-virus:PSWTool.Win32.NetPass.e 1

The selected area was scanned.
&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:22, on 2008-06-19
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\dlcqcoms.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\ehome\RMSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\ehome\RMSysTry.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.philly.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Extender Resource Monitor.lnk = C:\WINDOWS\ehome\RMSysTry.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/downlo...BundleId=21871
O23 - Service: dlcq_device - - C:\WINDOWS\system32\dlcqcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: GoogleDesktopManager - Unknown owner - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe

--
End of file - 5320 bytes
__________________
Life can't be all bad when for ten dollars you can buy all the Beethoven sonatas and listen to them for ten years.
William F. Buckley, Jr.
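An added example, not part of the thread: a small Python triage script that applies the same checks the analyst is making by eye to the ComboFix "Reg Loading Points" and HijackThis O4/O23 lines in the logs above. It flags Run values whose file ComboFix could not find (the `[ ]` after "Zone Labs Client"), services and drivers with no binary on disk (`S2 FILESpy ... []`, "(file missing)" in an O23 line), anything loading from a temp or per-user profile directory (the location of the cportclm.sys driver removed by the first CFScript), and AutoRun handlers under mountpoints2. The sample lines are copied from the logs in this post except the `cportclm` driver line, which is constructed; the regexes and the list of suspicious directories are the editor's assumptions about the two log formats, not anything shipped with ComboFix or HijackThis.

```python
import re
from dataclasses import dataclass

# Directories a legitimate autostart binary should almost never load from.
# Lower-case substrings matched against the path; the 8.3 short form is included
# because ComboFix prints paths like c:\docume~1\...\locals~1\temp.
SUSPICIOUS_DIRS = ("\\temp\\", "\\locals~1\\", "\\local settings\\", "\\application data\\")

# ComboFix "Reg Loading Points": "name"="command" [date time size], or [ ] when the file is gone
CF_RUN = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)"\s*\[(?P<meta>[^\]]*)\]')
# ComboFix services/drivers: R2 name;display name;path [date time]
CF_SVC = re.compile(r'^[RS]\d\s+(?P<name>[^;]+);[^;]*;(?P<path>.+?)\s*\[(?P<meta>[^\]]*)\]$')
# AutoRun handler printed under a mountpoints2 key
CF_AUTORUN = re.compile(r'^\\Shell\\AutoRun\\command\s+-\s+(?P<cmd>.+)$')
# HijackThis O4 Run entries and O23 services (owner may be empty: "name - - path")
HJT_O4 = re.compile(r'^O4 - HK\w+\\\.\.\\Run: \[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$')
HJT_O23 = re.compile(r'^O23 - Service: (?P<name>.+?) -(?P<owner>.*?)- (?P<path>.+)$')
MISSING = "(file missing)"


@dataclass
class Finding:
    source: str   # "combofix" or "hjt"
    name: str
    path: str
    reason: str


def extract_path(cmd):
    """Executable path from a Run command: the quoted part, or the first token if unquoted."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ")[0]


def in_suspicious_dir(path):
    low = path.lower()
    return any(d in low for d in SUSPICIOUS_DIRS)


def triage(lines):
    """Return the autostart entries worth a second look, in log order."""
    findings = []
    for raw in lines:
        line = raw.rstrip()
        if m := CF_RUN.match(line):
            path, meta = extract_path(m["cmd"]), m["meta"].strip()
            if not path:
                findings.append(Finding("combofix", m["name"], path, "empty Run value"))
            elif not meta:
                findings.append(Finding("combofix", m["name"], path,
                                        "Run entry points at a file ComboFix could not find (orphaned autostart)"))
            elif in_suspicious_dir(path):
                findings.append(Finding("combofix", m["name"], path, "autostart loads from a temp or profile directory"))
        elif m := CF_SVC.match(line):
            path, meta = m["path"].strip(), m["meta"].strip()
            if not meta:
                findings.append(Finding("combofix", m["name"], path, "service/driver binary not found on disk"))
            elif in_suspicious_dir(path):
                findings.append(Finding("combofix", m["name"], path, "service/driver loads from a temp or profile directory"))
        elif m := CF_AUTORUN.match(line):
            findings.append(Finding("combofix", "mountpoints2", m["cmd"].strip(), "AutoRun handler for a removable volume"))
        elif m := HJT_O4.match(line):
            path = extract_path(m["cmd"])
            if in_suspicious_dir(path):
                findings.append(Finding("hjt", m["name"], path, "autostart loads from a temp or profile directory"))
        elif m := HJT_O23.match(line):
            path = m["path"].strip()
            if path.endswith(MISSING):
                findings.append(Finding("hjt", m["name"], path[:-len(MISSING)].strip(),
                                        "service registered but its binary is missing"))
            elif in_suspicious_dir(path):
                findings.append(Finding("hjt", m["name"], path, "service loads from a temp or profile directory"))
    return findings


def report(findings):
    return "\n".join(f"[{f.source}] {f.name}: {f.path or '<empty>'}  <- {f.reason}" for f in findings)


# Constructed sample: lines copied from the ComboFix and HijackThis logs posted above,
# plus one made-up driver line (cportclm) mirroring the file the first CFScript removed.
SAMPLE_LOG = [
    r'[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]',
    r'"egui"="C:\Program Files\ESET\ESET Smart Security\egui.exe" [2007-12-21 08:21 1443072]',
    r'"NWEReboot"="" []',
    r'"Zone Labs Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [ ]',
    r'R2 dlcq_device;dlcq_device;C:\WINDOWS\system32\dlcqcoms.exe [2006-12-12 04:22]',
    r'S2 FILESpy;FILESpy;C:\Program Files\Softwin\BitDefender9\filespy.sys []',
    r'R1 cportclm;cportclm;c:\docume~1\genevi~1\locals~1\temp\cportclm.sys [2008-06-17 15:40]',
    r'\Shell\AutoRun\command - E:\setup.exe',
    r'O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime',
    r'O23 - Service: dlcq_device - - C:\WINDOWS\system32\dlcqcoms.exe',
    r'O23 - Service: GoogleDesktopManager - Unknown owner - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe (file missing)',
]

if __name__ == "__main__":
    print(report(triage(SAMPLE_LOG)))
```

Run it over a saved ComboFix.txt or hijackthis.log with `triage(open(path, encoding="latin-1").read().splitlines())`. A hit is a lead to verify, not a verdict: some legitimate software installs under Application Data, and an orphaned Run value is very often just an uninstaller leftover, which is what the analyst concludes about the Zone Labs and BitDefender entries later in this thread.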
06-19-2008, 07:25 AM   #43
Moderator, Analyst, Security Team; Rangemaster, TSF Academy


Re: 2nd thread, malware: blue screen, bugs & more

Hi,

It looks good. Just one item flagged by Kaspersky.

Open NOTEPAD.exe and copy/paste the text in the quotebox below into it:

Code:
@echo off
rem Start from a clean log; any path that survives deletion is written here
if exist "%temp%\log.txt" del "%temp%\log.txt"

rem One quoted path per line inside the parentheses
for %%g in (
"C:\WINDOWS\system32\drivers\setup\downloader\files\pwtemp2.exe"
) do (
rem /a includes hidden and system files, /f forces read-only files, /q skips the prompt
del /a/f/q %%g >nul 2>&1
rem if the file is still there, log its path without the quotes
if exist %%g echo.%%~g>>"%temp%\log.txt"
)
rem Show the survivors in Notepad, or report success
if exist "%temp%\log.txt" ( start notepad "%temp%\log.txt"
) else echo.Deleted Successfully !!

pause
rem The batch file deletes itself when done
del %0
Save this as fix.bat. Choose "All files" for the "Save as type".
It should look like this:

Double click on fix.bat & allow it to run. It should tell you that the file is deleted successfully.

How is the computer running now?
06-19-2008, 07:42 AM   #44
Registered User


Re: 2nd thread, malware: blue screen, bugs & more

Hi,

Thanks, it's running much better now! No problems that I have seen looking around each account. Is everything about done on your end? Thank you for spending as much time assisting me as you have, it is very much appreciated, ... can I earmark the snail mail donations for you? haha

Now I will set this computer up with what I have on the other as far as security!

Final question as far as the logs I've been running for you... how do I remove entries for old program remnants & other things I am not sure about? ex: zone alarm, bit defender, themes: royale, etc... is that through HijackThis? I thought I had tried that before earlier this month when I was trying the self-help steps & didn't realize I had the keylogger you told me about on this computer.

Thank you again!
06-19-2008, 01:43 PM   #45
Moderator, Analyst, Security Team; Rangemaster, TSF Academy


Re: 2nd thread, malware: blue screen, bugs & more

Hi,

Quote:
Thanks, it's running much better now! No problems that I have seen looking around each account.
That's very good.
Quote:
Is everything about done on your end? Thank you for spending as much time assisting me as you have, it is very much appreciated, ... can I earmark the snail mail donations for you? haha
Just about. You're welcome. Thank you for your intention to donate. I donate my time, and my service is free, but I'm sure your donation to TSF will be appreciated and will help keep this site running. The link to the donation page is in my signature.

Quote:
Final question as far as the logs I've been running for you... how do I remove entries for old program remnants & other things I am not sure about? ex: zone alarm, bit defender, themes: royale, etc... is that through HijackThis?
As I couldn't see these programs in your Programs folder, you must have removed them via Add or Remove Programs in Control Panel. Only some leftovers remain in the registry.
  • Open notepad (Start>All programs>accessories>notepad )
  • Copy the entire contents of the Quote Box below to Notepad.
  • Name the file as CFScript.txt
  • Change the Save as Type to All Files
  • and Save it on the desktop
(It must be notepad, not wordpad, or it won't work):

Code:
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Zone Labs Client"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=-
"InstallTheme"=-

Driver::
FILESpy

Folder::
C:\Program Files\Softwin\BitDefender9
Save this as CFScript.txt



Referring to the picture above, drag CFScript.txt into ComboFix.exe

Note:
Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.


====================

Please delete the backup folder of HijackThis

C:\PROGRAM FILES\TRENDMICRO\HIJACKTHIS\backups

====================

Quote:
Now I will set this computer up with what I have on the other as far as security!
The logs are clean. The same 'all clean' routine for this one too:
  • Click Start then Run
  • Now type Combofix /u in the runbox and click OK. Notice the space between the Combofix and the /



    This will uninstall ComboFix. It will also implement some cleanup procedures and reset System Restore to prevent reinfection from old restore points.

Here are some steps to make your surfing more secure in future:

Make your Internet Explorer more secure - This can be done by following these simple instructions:

From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialise and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.

Avoid illegal sites, because that's where most malware is present.

* Don't click on links inside popups.
* Don't click on links in spam messages claiming to offer anti-spyware software, because most of these so-called removers ARE spyware.
* Download free software only from sites you know and trust, because a lot of free software bundles other software, including spyware.

Keep your antivirus-program up-to-date and do regular scans with it. Please make sure that you have only one active antivirus program on your system.

IMPORTANT: You need to update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the Windows Update site http://windowsupdate.microsoft.com/ to get the critical updates.

If you are running Microsoft Office, or any portion thereof, go to Microsoft's Office Update site http://office.microsoft.com/officeup....aspx?lc=en-us and make sure you have at least all the critical updates installed (free): Microsoft Office Update.

The following free real-time pest scanners prevent a number of malware variants from entering your computer in the first place:

SpywareBlaster A tutorial on installing & using this product can be found here: http://www.bleepingcomputer.com/forums/tutorial49.html
SpywareGuard here

If you haven't got one, already, install a firewall and keep it up-to-date. Please make sure that you have only one active firewall on your system.

A firewall will prevent unauthorized contact between your computer and the internet. A tutorial on firewalls and a listing of some available ones can be found here:
http://forum.malwareremoval.com/viewtopic.php?p=56#56
http://www.bleepingcomputer.com/forums/tutorial60.html

Test your firewall here to make sure that it's working properly

ATF Cleaner by Atribune is a useful utility to clean the temporary files and cookies on a regular basis.

But above all, keep all your software UP-TO-DATE at all times!

A colleague of ours has excellent information and tips on the prevention of malware here

Please respond to this thread one more time so we can mark this thread as resolved.

Happy Surfing!
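An added example, not part of the thread: the Internet Explorer zone settings listed in the post above are stored as numeric "action" values under the per-user Internet Settings\Zones\3 key (3 is the Internet zone), so they can be audited from a registry export instead of clicked through one by one. The script parses a REGEDIT4 export, reports every action that is weaker than the post recommends, and builds a .reg file that raises only those. The action IDs (1001, 1004, 1201, 1800, 1804, 1607) and the level codes 0 = Enable, 1 = Prompt, 3 = Disable are assumptions taken from Microsoft's documentation of the Zones keys, and the sample export is constructed for the example; verify both against regedit on the machine you are fixing before importing anything.

```python
import re

# Internet zone (3) under the per-user Internet Settings key.
ZONE_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"

# Assumption: the numeric action IDs and the 0/1/3 level codes follow Microsoft's
# published description of the Zones registry values. Check them against an export
# from your own machine before importing anything generated here.
ENABLE, PROMPT, DISABLE = 0, 1, 3
LEVEL_NAME = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}
RECOMMENDED = {
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", DISABLE),
    "1201": ("Initialise and script ActiveX controls not marked as safe", DISABLE),
    "1800": ("Installation of desktop items", PROMPT),
    "1804": ("Launching programs and files in an IFRAME", PROMPT),
    "1607": ("Navigate sub-frames across different domains", PROMPT),
}

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{8})$')


def parse_reg_export(text):
    """{key path: {value name: int}} for the dword values in a REGEDIT4 / Version 5.00 export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := KEY_RE.match(line):
            current = m["key"]
            keys.setdefault(current, {})
        elif (m := DWORD_RE.match(line)) and current is not None:
            keys[current][m["name"]] = int(m["hex"], 16)
    return keys


def audit_internet_zone(export_text):
    """(action, label, current, recommended) for each action weaker than recommended.

    Levels order as Enable (0) < Prompt (1) < Disable (3), so "weaker" is simply a
    smaller number. A value missing from the export is reported with current=None:
    IE then uses the zone template's default, which the manual steps above override.
    """
    zone = parse_reg_export(export_text).get(ZONE_KEY, {})
    return [(action, label, zone.get(action), want)
            for action, (label, want) in RECOMMENDED.items()
            if zone.get(action) is None or zone[action] < want]


def hardening_reg(weak):
    """REGEDIT4 text that raises each weak action to the recommended level."""
    lines = ["REGEDIT4", "", f"[{ZONE_KEY}]"]
    for action, label, _current, want in weak:
        lines.append(f"; {label} -> {LEVEL_NAME[want]}")   # ';' starts a comment in .reg files
        lines.append(f'"{action}"=dword:{want:08x}')
    return "\n".join(lines) + "\n"


# Constructed sample export of a weakened Internet zone (not taken from the thread):
# signed ActiveX downloads enabled, unsigned ones on prompt, IFRAME launches enabled,
# and no explicit cross-domain sub-frame setting at all.
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"1001"=dword:00000000
"1004"=dword:00000001
"1201"=dword:00000003
"1800"=dword:00000001
"1804"=dword:00000000
"""

if __name__ == "__main__":
    weak = audit_internet_zone(SAMPLE_EXPORT)
    for action, label, current, want in weak:
        now = "unset" if current is None else LEVEL_NAME.get(current, current)
        print(f"{action} {label}: {now} -> {LEVEL_NAME[want]}")
    print(hardening_reg(weak))
```

To get a real export, use regedit's File > Export on the Zones\3 key; the Win9x/NT4 format gives plain-text REGEDIT4, while the default "Version 5.00" format is UTF-16 and must be opened with `encoding="utf-16"` before being passed to `audit_internet_zone`. Importing the generated .reg changes only the actions that were weaker than recommended, so anything the user has already set stricter is left alone.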
06-23-2008, 06:00 PM   #46
Registered User


Re: 2nd thread, malware: blue screen, bugs & more

Thank you, thank you so much for all your help cleaning both the computers up. Sorry for the delayed response. Both computers are running well, with one minor problem I've been unable to correct: unable to print anything, from anywhere.

Can you direct me to the proper forum? Windows or other?

A final question... the malware/viruses, whichever that were on the main computer (the original one), first stopped printing (it was directly connected to the printer) but the laptop could still print over the network.

Since everything is cleaned now, printing has ceased to function completely. I removed the printer from the computer, reinstalled it, and even installed another new one.

Browser or program, doesn't seem to matter, nothing will print. I've tried updating the drivers direct from HP, reinstalling again, etc.

Can you point me in the right direction?

Thanks again!! I recommend this forum to anyone when they have problems; you are all the best.

Genevieve
__________________
Life can't be all bad when for ten dollars you can buy all the Beethoven sonatas and listen to them for ten years.
William F. Buckley, Jr.
Old 06-23-2008, 06:34 PM   #47 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
Join Date: Jun 2006
Location: USA
Posts: 7,307
OS: XP SP3


Re: 2nd thread, malware: blue screen, bugs & more

Hi,

Before I point you in the right direction, a couple of questions:

Quote:
I removed the printer from the computer, reinstalled it, and even installed another new one.
So, you bought a new printer? Your old one was a Dell printer I assume, because I've seen some related services. Is the new printer an HP?
Old 06-23-2008, 06:49 PM   #48 (permalink)
Registered User
 
Join Date: May 2005
Posts: 35
OS: XP


Re: 2nd thread, malware: blue screen, bugs & more

Hi,

Wow, you're fast! Actually, I have an HP Laserjet, one of the great big toner beasts on the desktop/main computer. And the Dell printer is 'connected' to the laptop. We could always print on the HP laserjet from both computers, but not the dell, that wireless connection never worked out for some bizarre reason. We have ever only been able to print on that one directly over USB or using the memory card. Some things I just gave up on, because they became an endless hassle I could never quite figure out. :(

The 'new' HP printer I installed on the desktop was a Deskjet that we'd been using for my youngest's school computer (not on the network), that I moved over to our main computer just so we could print.

So I had uninstalled the HP Laserjet and reinstalled it. Then I installed the other HP, the Deskjet, thinking I just needed to try a new printer to get it all working.

I did find a note on Mozilla's forums about refreshing the printer options in the browser settings when you can't print, but it isn't just the browser, it's all programs, so I was thinking I might need to fix some windows settings that may have been changed in some way.

Sorry if I rambled, trying to be as clear as possible, so you know where to send me ;).

Thanks!
Old 06-23-2008, 07:18 PM   #49 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
Join Date: Jun 2006
Location: USA
Posts: 7,307
OS: XP SP3


Re: 2nd thread, malware: blue screen, bugs & more

Hi,

I am sure our Printer Support will be happy to help you figure out the printer issue.

I also found this link on how to Use Windows XP to Share a Printer with Others on Your Network, and thought it might be useful info for future.

http://technet.microsoft.com/en-us/l...chNet.10).aspx

Old 06-24-2008, 05:37 AM   #50 (permalink)
Registered User
 
Join Date: May 2005
Posts: 35
OS: XP


Re: 2nd thread, malware: blue screen, bugs & more

Hi,

Thank you again, for your extensive & valuable help & patience!!! I appreciate the guidance; I didn't want to hit the wrong forum and waste anyone's time.

I'll head over there now.
Old 06-24-2008, 05:41 AM   #51 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
Join Date: Jun 2006
Location: USA
Posts: 7,307
OS: XP SP3


Re: [SOLVED] 2nd thread, malware: blue screen, bugs & more

You're welcome. I'm sure it will be resolved soon. Good luck!
Old 06-25-2008, 03:53 PM   #52 (permalink)
Registered User
 
Join Date: May 2005
Posts: 35
OS: XP


Re: 2nd thread, malware: blue screen, bugs & more

Hi again... sorry to bother you again, but it appears I missed something somewhere on the main computer. On my teen's XP account, Brittney, where the virus seems to have originated, her Task Manager is missing all the tabs up top, so when you open it there is only the box itself with the list of processes. Also, when anyone types, including on this account (mine, Gen), the cursor flashes and delays badly.

Is this just a matter of dropping another fix on combofix or did I mess something up somewhere when following your instructions?

Thank you,
Old 06-25-2008, 05:47 PM   #53 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
Join Date: Jun 2006
Location: USA
Posts: 7,307
OS: XP SP3


Re: 2nd thread, malware: blue screen, bugs & more

Hello,

No bother at all.

Quote:
Is this just a matter of dropping another fix on combofix or did I mess something up somewhere?
Neither.

To change to the default view and get the menu options back, double-click the border of the Task Manager, and see if that fixes the issue with the Task Manager.
http://www.winxptutor.com/taskmgr.htm

The cursor issue is related to the mouse. Check your mouse settings: Start>Control Panel>Mouse.
 


Copyright 2001 - 2009, Tech Support Forum