08-19-2008, 04:59 AM   #21
Registered User
 
Join Date: Jan 2008
Posts: 51
OS: Windows XP sp3


Re: heur trojan mess - Cannot Update OS - SP3 cannot find CLBCATQ dll's

I'm getting there.....

will do
Roc 65

08-19-2008, 05:19 AM   #22
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
Join Date: Jun 2006
Location: USA
Posts: 7,405
OS: XP SP3


Re: heur trojan mess - Cannot Update OS - SP3 cannot find CLBCATQ dll's

OK.. good.
__________________
My services are free. However, you can donate to TSF to help keep it running.
Member of ASAP since 2005
Member of UNITE since 2006
amateur
08-19-2008, 07:03 PM   #23
Registered User
 
Join Date: Jan 2008
Posts: 51
OS: Windows XP sp3


Re: heur trojan mess - Cannot Update OS - SP3 cannot find CLBCATQ dll's

I noticed at the bottom of the directions for Panda ActiveScan that antivirus programs should be disabled. I have completed the scan with AVG on, so I am going to re-run the scan tonight with AVG disabled. Next I will do the Kaspersky scan.

Also, I noticed that during cfscript/combofix there was a warning - WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED. I recall you instructed me to install the console but, when I dragged and dropped the Microsoft Recovery Console download onto ComboFix, an error - c\windows\system32 attrib.exe is not a valid Win32 application - was reported. Just a reminder, so in my next post when you see the cfscript.txt/combofix report, you will see the warning above.
Roc 65
08-20-2008, 06:04 AM   #24
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
Join Date: Jun 2006
Location: USA
Posts: 7,405
OS: XP SP3


Re: heur trojan mess - Cannot Update OS - SP3 cannot find CLBCATQ dll's

Hi,

Quote:
Also, I noticed that during cfscript/combofix there was a warning - WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED. I recall you instructed me to install the console but, when I dragged and dropped the Microsoft Recovery Console download onto ComboFix, an error - c\windows\system32 attrib.exe is not a valid Win32 application - was reported. Just a reminder, so in my next post when you see the cfscript.txt/combofix report, you will see the warning above.
Attrib.exe was present in your system. I'm not sure what's causing that error and I am trying to find out.

Quote:
I searched for the file above (searched C: drive for attrib) and found the following instances:

c:\327882R2FWJFW - Attribcf.exe
c:\combofix - Attribcf.exe
c:\windows\I386 - attrib.ex_
c:\windows\system32 - attrib.exe
c:\windows\system32\dllcache - attrib.exe
If you haven't run ComboFix yet, make sure that your TeaTimer and AVG are still disabled when you're running ComboFix. Please try placing ComboFix.exe, the Microsoft Recovery Console package, and the CFScript.txt at the root of the drive (C:\) and do the drag and drop there. Install the Recovery Console package first. When you receive the "The Recovery Console was successfully installed" message, please continue as follows:

Click No to exit. Go to the root of the drive (C:\) again and drag CFScript.txt onto ComboFix.exe. Follow the prompts and post the log please.
__________________
My services are free. However, you can donate to TSF to help keep it running.
Member of ASAP since 2005
Member of UNITE since 2006
amateur
08-20-2008, 06:07 AM   #25
Registered User
 
Join Date: Jan 2008
Posts: 51
OS: Windows XP sp3


Re: heur trojan mess - Cannot Update OS - SP3 cannot find CLBCATQ dll's

Panda worked, Kaspersky would not - something about Java 1.5 or higher. I verified Java and it's up to date?

1. CMD PATH results:
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Owner>path
PATH=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;c:\Python22;C:\Prog
ram Files\ATI Technologies\ATI Control Panel;C:\Program Files\Common Files\Adobe
\AGL;C:\Program Files\QuickTime\QTSystem;C:\Program Files\Pinnacle\Shared Files;
C:\Program Files\Pinnacle\Shared Files\Filter

C:\Documents and Settings\Owner>
_________________________________________________________

2. ComboFix / CFScript results below. Errors occurred - <.....attrib.exe not a valid Win32 application....>, then <...cannot find attrib.cfexe...>:

ComboFix 08-08-15.04 - Owner 2008-08-19 21:46:37.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1652 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\Combo-Fix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-07-20 to 2008-08-20 )))))))))))))))))))))))))))))))
.

2008-08-19 21:44 . 2008-08-19 21:45 <DIR> d-------- C:\327882R2FWJFW
2008-08-15 19:05 . 2008-08-15 19:10 1,374 --a------ C:\WINDOWS\imsins.BAK
2008-08-15 17:57 . 2008-05-01 10:30 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-03 12:09 . 2008-08-03 12:09 <DIR> d-------- C:\Program Files\Western Digital
2008-08-03 03:09 . 2008-04-14 05:42 2,843,136 --a------ C:\WINDOWS\system32\SET326.tmp
2008-08-03 03:08 . 2008-04-14 05:42 713,216 --a------ C:\WINDOWS\system32\SET196.tmp
2008-08-03 03:03 . 2004-08-04 03:56 4,256,768 --a------ C:\WINDOWS\system32\dllcache\wmm2res.dll
2008-08-03 03:02 . 2007-10-25 23:34 8,460,288 --a------ C:\WINDOWS\system32\dllcache\shell32.dll
2008-08-02 20:24 . 2008-08-02 20:24 <DIR> d-------- C:\Program Files\Panda Security
2008-08-02 20:24 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\system32\drivers\pavboot.sys
2008-08-02 18:52 . 2008-08-02 18:52 <DIR> d-------- C:\WINDOWS\system32\dll
2008-08-02 17:59 . 2008-04-14 05:41 1,082,368 --a------ C:\WINDOWS\system32\SET38F.tmp
2008-08-02 17:58 . 2008-04-14 05:42 2,843,136 --a------ C:\WINDOWS\system32\SET2E5.tmp
2008-08-02 17:57 . 2008-04-14 05:42 713,216 --a------ C:\WINDOWS\system32\SET1D5.tmp
2008-08-02 17:51 . 2004-08-04 02:00 71,040 --------- C:\WINDOWS\system32\drivers\_003977_.tmp.dll
2008-08-02 16:22 . 2008-08-03 03:46 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-08-02 14:34 . 2008-08-02 15:21 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Uniblue
2008-08-02 14:05 . 2008-08-02 14:05 <DIR> d-------- C:\Program Files\Common Files\AnswerWorks 4.0
2008-07-27 19:37 . 2008-07-27 19:37 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-07-27 19:37 . 2008-08-03 19:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-27 12:25 . 2008-08-16 08:15 <DIR> d--h----- C:\$AVG8.VAULT$
2008-07-27 12:22 . 2008-08-15 17:02 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-07-27 12:22 . 2008-07-27 12:22 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-07-27 12:22 . 2008-07-27 12:22 76,040 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-07-27 12:22 . 2008-07-27 12:22 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-07-27 12:21 . 2008-07-27 12:21 <DIR> d-------- C:\Program Files\AVG
2008-07-27 12:21 . 2008-07-27 12:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-07-24 23:04 . 2008-07-24 23:04 <DIR> d-------- C:\Deckard
2008-07-24 22:14 . 2004-02-12 20:59 4,224 --a------ C:\WINDOWS\system32\beep.sys
2008-07-24 20:22 . 2008-07-24 20:23 <DIR> d-------- C:\Webstar Cable Modem Drivers
2008-07-23 23:38 . 2008-07-23 23:38 <DIR> d-------- C:\Program Files\PerformanceTest
2008-07-23 22:31 . 2008-07-23 22:31 <DIR> d-------- C:\Program Files\WinImage
2008-07-21 23:06 . 2008-07-22 00:54 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-07-20 21:39 . 2008-07-20 21:39 0 --a------ C:\WINDOWS\ativpsrm.bin
2008-07-20 21:08 . 2008-07-20 21:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Drivers HeadQuarters
2008-07-20 21:05 . 2008-05-30 14:11 3,850,760 --a------ C:\WINDOWS\system32\D3DX9_38.dll
2008-07-20 21:05 . 2008-05-30 14:11 1,491,992 --a------ C:\WINDOWS\system32\D3DCompiler_38.dll
2008-07-20 21:05 . 2008-05-30 14:19 507,400 --a------ C:\WINDOWS\system32\XAudio2_1.dll
2008-07-20 21:05 . 2008-05-30 14:11 467,984 --a------ C:\WINDOWS\system32\d3dx10_38.dll
2008-07-20 21:05 . 2008-05-30 14:18 238,088 --a------ C:\WINDOWS\system32\xactengine3_1.dll
2008-07-20 21:05 . 2008-05-30 14:17 65,032 --a------ C:\WINDOWS\system32\XAPOFX1_0.dll
2008-07-20 21:05 . 2008-05-30 14:17 25,608 --a------ C:\WINDOWS\system32\X3DAudio1_4.dll
2008-07-20 20:58 . 2008-07-20 20:58 <DIR> d-------- C:\WINDOWS\Logs
2008-07-20 17:31 . 2008-07-20 17:31 331 --a------ C:\WINDOWS\doom3.ini
2008-07-20 14:04 . 2008-07-20 14:04 114,048 --a------ C:\WINDOWS\system32\drivers\snapman.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-20 00:47 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-08-05 02:31 --------- d-----w C:\Documents and Settings\Owner\Application Data\Apple Computer
2008-08-03 17:19 --------- d-----w C:\Program Files\Java
2008-08-03 17:15 --------- d-----w C:\Program Files\iConcepts Photo Frame
2008-08-03 16:23 --------- d-----w C:\Program Files\Canon Creative
2008-08-03 16:10 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-03 05:43 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-03 05:38 --------- d-----w C:\Program Files\SpywareBlaster
2008-08-03 00:16 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-08-03 00:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-08-03 00:02 --------- d-----w C:\Program Files\CopyToDVD
2008-08-02 23:52 --------- d-----w C:\Documents and Settings\Owner\Application Data\Corel
2008-08-02 23:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Corel
2008-08-02 23:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Borland
2008-08-02 23:42 --------- d-----w C:\Program Files\ItsDeductibleEX
2008-08-02 18:19 --------- d-----w C:\Program Files\MSN Encarta Plus
2008-08-02 18:15 --------- d-----w C:\Program Files\Downloads
2008-08-02 17:32 --------- d-----w C:\Program Files\Bonjour
2008-07-20 21:30 --------- d-----w C:\Program Files\Doom 3
2008-07-15 23:42 --------- d-----w C:\Program Files\HP
2008-07-14 16:32 --------- d-----w C:\Program Files\Quick Screen Capture
2008-07-12 22:01 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-07-12 21:54 --------- d-----w C:\Program Files\Windows Messaging
2008-07-12 21:54 --------- d-----w C:\Program Files\Microsoft.NET
2008-07-12 16:41 --------- d-----w C:\Program Files\iTunes
2008-07-12 16:41 --------- d-----w C:\Program Files\iPod
2008-07-12 16:38 --------- d-----w C:\Program Files\QuickTime
2008-07-01 17:47 --------- d-----w C:\Documents and Settings\Owner\Application Data\CopyToDvd
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-05-28 19:51 88 --sh--r C:\Documents and Settings\All Users\Application Data\A814ACFD49.sys
2008-05-28 19:51 2,516 --sha-w C:\Documents and Settings\All Users\Application Data\KGyGaAvL.sys
2008-04-23 19:08 353,840 ----a-w C:\Program Files\RealPlayer11GOLD.exe
2007-01-14 23:36 105,143,305 -c--a-w C:\Program Files\SonicDVDitProv6_SST.exe
2007-01-14 23:29 721,507 ----a-w C:\Program Files\RNPatch72.exe
2006-09-03 22:38 345,068,035 ----a-w C:\Program Files\Photoshop_CS2.exe
2005-03-18 13:47 3,409 -c--a-w C:\Program Files\scan.dat
2005-03-17 22:34 512 ----a-w C:\Program Files\data2.cab
2005-03-17 22:34 29,760 -c--a-w C:\Program Files\layout.bin
2005-03-17 22:34 236,953 -c--a-w C:\Program Files\data1.hdr
2005-03-17 22:33 397 -c--a-w C:\Program Files\setup.ini
2005-03-17 22:33 342,212 ----a-w C:\Program Files\setup.boot
2005-03-17 22:33 299,375 -c--a-w C:\Program Files\setup.inx
2005-03-17 22:33 2,349,117 -c--a-w C:\Program Files\data1.cab
2005-03-17 17:33 46,648 -c--a-w C:\Program Files\fditxf.1ph
2005-03-17 17:33 34,585 -c--a-w C:\Program Files\comfed.1ph
2005-03-17 17:33 27,320 -c--a-w C:\Program Files\fdiimb.1ph
2005-03-17 17:33 12,538 -c--a-w C:\Program Files\fdiofx.1ph
2005-02-21 20:15 28,672 ----a-w C:\Documents and Settings\Owner\atwbxdet.dll
2004-10-25 15:11 80,161 -c--a-w C:\Program Files\bustax.thp
2004-10-25 15:06 60,591 -c--a-w C:\Program Files\bustax.scd
2004-10-25 13:55 54,232 -c--a-w C:\Program Files\tax.thp
2004-10-25 13:55 13,248 -c--a-w C:\Program Files\tax.scd
2004-10-07 13:58 49,142 ----a-w C:\Program Files\license.txt
2004-09-17 19:59 114,688 ----a-w C:\Program Files\autorun.exe
2004-09-17 18:04 7,406 -c--a-w C:\Program Files\ttax.ico
2004-09-17 18:03 142 -c--a-w C:\Program Files\autorun.ini
2004-07-17 13:57 63,499 ----a-w C:\Documents and Settings\Owner\setup.exe
2004-01-30 14:32 20,480 -c--a-w C:\Program Files\cdrun.exe
2003-02-27 21:16 420,432 -c--a-w C:\Program Files\engine32.cab
2002-12-02 20:33 107,512 -c--a-w C:\Program Files\Setup.exe
2002-05-01 21:01 695 -c--a-w C:\Program Files\os.dat
2004-12-30 15:51 0 -csha-w C:\WINDOWS\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((( snapshot_2008-08-17_16.04.35.29 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-08-20 00:47:18 1,502 ----a-w C:\WINDOWS\SoftwareDistribution\EventCache\{2E82A502-7BDC-41FF-966F-167CA6353DF2}.bin
- 2008-08-15 00:43:35 65,044 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-08-17 22:52:55 65,044 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-08-15 00:43:36 410,574 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-08-17 22:52:55 410,574 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2003-09-12 23:13 98304]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-07-25 10:14 188416]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 09:47 116040]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-07-27 12:21 1232152]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 12:01 88209 C:\WINDOWS\AGRSMMSG.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli scecli

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Wireless Configuration Utility HW.14.lnk]
backup=C:\WINDOWS\pss\Wireless Configuration Utility HW.14.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyLinkAdvisor]
--a------ 2006-04-02 21:07 389120 C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
--a------ 1998-05-07 20:04 52736 c:\WINDOWS\system\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-07-10 10:51 289064 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 10:50 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-04-23 15:11 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster 2]
--a------ 2007-10-22 09:58 1885464 C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2006-08-03 06:12 577536 C:\WINDOWS\soundman.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\system32\\sessmgr.exe"=

R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 17:24]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-07-27 12:22]
R2 AvgTdiX;AVG Free8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-07-27 12:22]
R2 PD91Agent;PD91Agent;C:\Program Files\PerfectDisk2008\PD91Agent.exe [2008-04-16 13:00]
R3 FET5X86V;VIA Rhine-Family Fast-Ethernet Adapter Driver Service;C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys [2008-01-02 03:12]
S2 portD;ABS PortIO Service;C:\WINDOWS\system32\DRIVERS\portd2k.sys [2003-03-19 10:28]
S3 PD91Engine;PD91Engine;C:\Program Files\PerfectDisk2008\PD91Engine.exe [2008-04-16 13:00]
S3 PD91VMDefrag;PD91VMDefrag;C:\Program Files\PerfectDisk2008\PD91VMDefrag.exe [2008-02-29 10:44]
S3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;C:\WINDOWS\system32\DRIVERS\RTL8187B.sys [2007-12-11 07:18]
S3 SjyPkt;SjyPkt;C:\WINDOWS\System32\Drivers\SjyPkt.sys [2002-10-02 10:57]
S4 avg8emc;AVG Free8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-07-27 12:21]
S4 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-07-27 12:21]
.
Contents of the 'Scheduled Tasks' folder

2008-08-15 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]

2008-08-16 C:\WINDOWS\Tasks\Uniblue SpyEraser Nag.job
- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe [2007-12-03 10:55]
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-20 00:15:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
.
**************************************************************************
.
Completion time: 2008-08-20 0:21:21 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-20 04:21:15
ComboFix2.txt 2008-08-17 20:05:20
ComboFix3.txt 2008-08-15 00:47:13
ComboFix4.txt 2008-02-17 15:03:51

Pre-Run: 65,480,863,744 bytes free
Post-Run: 65,472,417,792 bytes free

224 --- E O F --- 2008-08-20 00:47:08

______________________________________________________________
3. two logs attached for Panda, one with AVG active and one with it disabled.
_____________________________________________________________
4. Kaspersky did not run - Java version error?
____________________________________________________________
5. PEEK log:

----a-w 10,752 2004-02-12 04:05:00 C:\WINDOWS\system32\clb.dll
-c--a-w 10,752 2004-02-12 04:05:00 C:\WINDOWS\system32\dllcache\clb.dll

Entries: 2 (2)
Directories: 0 Files: 2
Bytes: 21,504 Blocks: 42

-c--a-w 110,080 2005-07-26 04:20:23 C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\clbcatex.dll
-c----w 110,080 2004-03-06 02:16:10 C:\WINDOWS\$NtServicePackUninstall$\clbcatex.dll
-c----w 100,864 2004-02-12 04:05:00 C:\WINDOWS\$NtUninstallKB828741$\clbcatex.dll
-c----w 110,080 2004-08-04 07:56:41 C:\WINDOWS\$NtUninstallKB902400$\clbcatex.dll
-c----w 110,080 2004-08-04 07:56:41 C:\WINDOWS\ServicePackFiles\i386\clbcatex.dll
----a-w 110,592 2008-04-14 00:11:50 C:\WINDOWS\SoftwareDistribution\Download\fd0264849c01086f3c6b505dc02dbd44\clbcatex.dll
----a-w 110,080 2005-07-26 04:39:43 C:\WINDOWS\system32\clbcatex.dll

Entries: 7 (7)
Directories: 0 Files: 7
Bytes: 761,856 Blocks: 1,488

-c--a-w 498,688 2005-07-26 04:20:24 C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\clbcatq.dll
-c----w 499,712 2004-03-06 02:16:11 C:\WINDOWS\$NtServicePackUninstall$\clbcatq.dll
-c----w 468,480 2004-02-12 04:05:00 C:\WINDOWS\$NtUninstallKB828741$\clbcatq.dll
-c----w 501,248 2004-08-04 07:56:41 C:\WINDOWS\$NtUninstallKB902400$\clbcatq.dll
-c----w 501,248 2004-08-04 07:56:41 C:\WINDOWS\ServicePackFiles\i386\clbcatq.dll
----a-w 498,688 2008-04-14 00:11:50 C:\WINDOWS\SoftwareDistribution\Download\fd0264849c01086f3c6b505dc02dbd44\clbcatq.dll
----a-w 498,688 2005-07-26 04:39:43 C:\WINDOWS\system32\clbcatq.dll

Entries: 7 (7)
Directories: 0 Files: 7
Bytes: 3,466,752 Blocks: 6,771

Total Entries: 16 (16)
Total Directories: 0 Files: 16
Total Bytes: 4,250,112 Blocks: 8,301

________________________________________________________________

6. Fresh Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:58:02 AM, on 8/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\PerfectDisk2008\PD91Agent.exe
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O8 - Extra context menu item: Open with WordPerfect - c:\Program Files\Corel\WordPerfect Office X4\Programs\WPLauncher.hta
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} - http://support2.charter.com/sdccommo...ad/tgctlcm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.com/nos_dl_manager...EGetPlugin.ocx
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqna/downloads/sysinfo.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1093930840796
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn...tDetection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1124160269328
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PD91Agent - Raxco Software, Inc. - C:\Program Files\PerfectDisk2008\PD91Agent.exe
O23 - Service: PD91Engine - Raxco Software, Inc. - C:\Program Files\PerfectDisk2008\PD91Engine.exe
O23 - Service: PD91VMDefrag - Raxco Software, Inc. - C:\Program Files\PerfectDisk2008\PD91VMDefrag.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 5519 bytes


_____________________________________________________________
COMPLETE
Attached Files
File Type: txt PandaActiveScan wAVG active.txt (41.3 KB, 2 views)
File Type: txt PandaActiveScan w_AVG disabled.txt (41.5 KB, 4 views)
Roc 65
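Two things in this thread point at the same check a responder would want to automate: the "attrib.exe is not a valid Win32 application" error that amateur could not explain even though the file was present, and the PEEK listing above, which shows the same DLL (clbcatq.dll, clbcatex.dll) sitting in system32, dllcache, ServicePackFiles\i386 and the uninstall folders with differing sizes. The script below is an added example for this editorial pass; it is not code from the thread, from ComboFix, or from HijackThis. It does the two pieces of triage a helper does by hand: it checks whether a file still has the DOS/PE headers the Windows loader needs (the headers being absent or truncated is exactly what produces "not a valid Win32 application"), and it hashes every copy and flags the ones that are corrupt or differ from a copy chosen as the reference. The paths, the byte images and the choice of the ServicePackFiles copy as the reference are all constructed assumptions for the demo; on a real machine you would feed it the on-disk files with `load_copies`, and a copy that differs but is still valid (like the newer SoftwareDistribution\Download copy in the PEEK log) is only "different", not proven bad, until you compare it against the update it came from.

```python
import hashlib
import struct

IMAGE_DOS_SIGNATURE = b"MZ"
IMAGE_NT_SIGNATURE = b"PE\0\0"
MACHINE_NAMES = {0x14C: "i386", 0x8664: "x64"}
OPTIONAL_MAGIC = {0x10B: "PE32", 0x20B: "PE32+"}


def check_pe(data):
    """Return (ok, detail) for a file image.

    The checks mirror what the loader needs before it will even try to map an
    image: an 'MZ' DOS stub, an e_lfanew that points inside the file, a 'PE\\0\\0'
    signature there, and an optional header with a known magic. Any failure is
    the kind of damage behind 'is not a valid Win32 application'.
    """
    if len(data) < 0x40 or data[:2] != IMAGE_DOS_SIGNATURE:
        return False, "missing MZ header"
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data):
        return False, "e_lfanew points past end of file"
    if data[e_lfanew:e_lfanew + 4] != IMAGE_NT_SIGNATURE:
        return False, "missing PE signature"
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    if opt_size < 2 or e_lfanew + 26 > len(data):
        return False, "optional header truncated"
    magic = struct.unpack_from("<H", data, e_lfanew + 24)[0]
    if magic not in OPTIONAL_MAGIC:
        return False, "unknown optional header magic 0x%x" % magic
    return True, "%s %s, %d sections" % (
        OPTIONAL_MAGIC[magic], MACHINE_NAMES.get(machine, hex(machine)), nsections)


def audit_copies(copies, reference):
    """copies: {path: bytes}. Hash every copy, validate its headers and say
    whether it is byte-identical to the copy at `reference`."""
    ref_hash = hashlib.sha256(copies[reference]).hexdigest()
    report = {}
    for path, data in copies.items():
        ok, detail = check_pe(data)
        digest = hashlib.sha256(data).hexdigest()
        report[path] = {
            "size": len(data),
            "sha256": digest,
            "valid_pe": ok,
            "detail": detail,
            "matches_reference": digest == ref_hash,
        }
    return report


def suspicious_paths(report):
    """Copies that are either not loadable or not identical to the reference."""
    return sorted(p for p, r in report.items()
                  if not r["valid_pe"] or not r["matches_reference"])


def load_copies(paths):
    """Read real files from disk (not used by the offline demo below)."""
    out = {}
    for p in paths:
        with open(p, "rb") as fh:
            out[p] = fh.read()
    return out


def build_fake_pe(machine=0x14C, magic=0x10B, payload=b"\x00" * 64):
    """Constructed, headers-only PE-shaped image for the demo; not runnable code."""
    e_lfanew = 0x40
    dos = bytearray(IMAGE_DOS_SIGNATURE + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 2 + len(payload), 0x0102)
    return bytes(dos) + IMAGE_NT_SIGNATURE + coff + struct.pack("<H", magic) + payload


# Constructed sample: the same tool copied to the locations seen in the PEEK log.
GOOD = build_fake_pe()
CORRUPT = b"\x00" * 16 + GOOD[16:]           # DOS stub zeroed: loader rejects it
NEWER = build_fake_pe(payload=b"\x01" * 64)  # valid, but a different build
REF = r"C:\WINDOWS\ServicePackFiles\i386\attrib.exe"          # assumed reference
DLLCACHE = r"C:\WINDOWS\system32\dllcache\attrib.exe"
SYS32 = r"C:\WINDOWS\system32\attrib.exe"
DOWNLOAD = r"C:\WINDOWS\SoftwareDistribution\Download\UPDATE_DIR_PLACEHOLDER\attrib.exe"
SAMPLE = {REF: GOOD, DLLCACHE: GOOD, SYS32: CORRUPT, DOWNLOAD: NEWER}

if __name__ == "__main__":
    rep = audit_copies(SAMPLE, REF)
    for path, r in rep.items():
        flag = "OK " if r["valid_pe"] and r["matches_reference"] else "!! "
        print(flag, r["size"], r["sha256"][:12], r["detail"], path)
    print("needs attention:", suspicious_paths(rep))
```

Read the result the way the thread does: a system32 copy that fails `check_pe` while the dllcache and ServicePackFiles copies pass and match each other is the one to restore from the cache; a copy that passes but differs is simply a different build and needs its origin checked, not an automatic replacement.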
08-20-2008, 11:39 AM   #26
Registered User
 
Join Date: Jan 2008
Posts: 51
OS: Windows XP sp3


Re: heur trojan mess - Cannot Update OS - SP3 cannot find CLBCATQ dll's

Moved files to the c: root

1. Recovery Console installation log below. The same two errors occurred:
attrib.exe is not a valid Win32 file and,
Cannot open Attrib.cfexe - several times

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=3
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn


2. CFScript drag and drop on ComboFix log:

ComboFix 08-08-19.02 - Owner 2008-08-21 13:12:25.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1605 [GMT -4:00]
Running from: C:\Combo-Fix.exe
Command switches used :: C:\cfscript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-07-21 to 2008-08-21 )))))))))))))))))))))))))))))))
.

2008-08-21 13:03 . 2008-08-21 13:03 2,719,778 --a------ C:\Combo-Fix.exe
2008-08-21 13:01 . 2008-08-21 13:01 4,614,888 --a------ C:\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
2008-08-15 19:05 . 2008-08-15 19:10 1,374 --a------ C:\WINDOWS\imsins.BAK
2008-08-15 17:57 . 2008-05-01 10:30 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-03 12:09 . 2008-08-03 12:09 <DIR> d-------- C:\Program Files\Western Digital
2008-08-03 03:09 . 2008-04-14 05:42 2,843,136 --a------ C:\WINDOWS\system32\SET326.tmp
2008-08-03 03:08 . 2008-04-14 05:42 713,216 --a------ C:\WINDOWS\system32\SET196.tmp
2008-08-03 03:03 . 2004-08-04 03:56 4,256,768 --a------ C:\WINDOWS\system32\dllcache\wmm2res.dll
2008-08-03 03:02 . 2007-10-25 23:34 8,460,288 --a------ C:\WINDOWS\system32\dllcache\shell32.dll
2008-08-02 20:24 . 2008-08-02 20:24 <DIR> d-------- C:\Program Files\Panda Security
2008-08-02 20:24 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\system32\drivers\pavboot.sys
2008-08-02 18:52 . 2008-08-02 18:52 <DIR> d-------- C:\WINDOWS\system32\dll
2008-08-02 17:59 . 2008-04-14 05:41 1,082,368 --a------ C:\WINDOWS\system32\SET38F.tmp
2008-08-02 17:58 . 2008-04-14 05:42 2,843,136 --a------ C:\WINDOWS\system32\SET2E5.tmp
2008-08-02 17:57 . 2008-04-14 05:42 713,216 --a------ C:\WINDOWS\system32\SET1D5.tmp
2008-08-02 17:51 . 2004-08-04 02:00 71,040 --------- C:\WINDOWS\system32\drivers\_003977_.tmp.dll
2008-08-02 16:22 . 2008-08-03 03:46 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-08-02 14:34 . 2008-08-02 15:21 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Uniblue
2008-08-02 14:05 . 2008-08-02 14:05 <DIR> d-------- C:\Program Files\Common Files\AnswerWorks 4.0
2008-07-27 19:37 . 2008-07-27 19:37 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-07-27 19:37 . 2008-08-03 19:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-27 12:25 . 2008-08-16 08:15 <DIR> d--h----- C:\$AVG8.VAULT$
2008-07-27 12:22 . 2008-08-20 17:24 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-07-27 12:22 . 2008-07-27 12:22 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-07-27 12:22 . 2008-07-27 12:22 76,040 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-07-27 12:22 . 2008-07-27 12:22 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-07-27 12:21 . 2008-07-27 12:21 <DIR> d-------- C:\Program Files\AVG
2008-07-27 12:21 . 2008-07-27 12:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-07-24 23:04 . 2008-07-24 23:04 <DIR> d-------- C:\Deckard
2008-07-24 22:14 . 2004-02-12 20:59 4,224 --a------ C:\WINDOWS\system32\beep.sys
2008-07-24 20:22 . 2008-07-24 20:23 <DIR> d-------- C:\Webstar Cable Modem Drivers
2008-07-23 23:38 . 2008-07-23 23:38 <DIR> d-------- C:\Program Files\PerformanceTest
2008-07-23 22:31 . 2008-07-23 22:31 <DIR> d-------- C:\Program Files\WinImage
2008-07-21 23:06 . 2008-07-22 00:54 <DIR> d-------- C:\WINDOWS\system32\NtmsData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-20 00:47 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-08-05 02:31 --------- d-----w C:\Documents and Settings\Owner\Application Data\Apple Computer
2008-08-03 17:19 --------- d-----w C:\Program Files\Java
2008-08-03 17:15 --------- d-----w C:\Program Files\iConcepts Photo Frame
2008-08-03 16:23 --------- d-----w C:\Program Files\Canon Creative
2008-08-03 16:10 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-03 05:43 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-03 05:38 --------- d-----w C:\Program Files\SpywareBlaster
2008-08-03 00:16 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-08-03 00:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-08-03 00:02 --------- d-----w C:\Program Files\CopyToDVD
2008-08-02 23:52 --------- d-----w C:\Documents and Settings\Owner\Application Data\Corel
2008-08-02 23:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Corel
2008-08-02 23:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Borland
2008-08-02 23:42 --------- d-----w C:\Program Files\ItsDeductibleEX
2008-08-02 18:19 --------- d-----w C:\Program Files\MSN Encarta Plus
2008-08-02 18:15 --------- d-----w C:\Program Files\Downloads
2008-08-02 17:32 --------- d-----w C:\Program Files\Bonjour
2008-07-21 01:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\PC Drivers HeadQuarters
2008-07-20 21:30 --------- d-----w C:\Program Files\Doom 3
2008-07-20 18:04 114,048 ----a-w C:\WINDOWS\system32\drivers\snapman.sys
2008-07-15 23:42 --------- d-----w C:\Program Files\HP
2008-07-14 16:32 --------- d-----w C:\Program Files\Quick Screen Capture
2008-07-12 22:01 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-07-12 21:54 --------- d-----w C:\Program Files\Windows Messaging
2008-07-12 21:54 --------- d-----w C:\Program Files\Microsoft.NET
2008-07-12 16:41 --------- d-----w C:\Program Files\iTunes
2008-07-12 16:41 --------- d-----w C:\Program Files\iPod
2008-07-12 16:38 --------- d-----w C:\Program Files\QuickTime
2008-07-01 17:47 --------- d-----w C:\Documents and Settings\Owner\Application Data\CopyToDvd
2008-05-28 19:51 88 --sh--r C:\Documents and Settings\All Users\Application Data\A814ACFD49.sys
2008-05-28 19:51 2,516 --sha-w C:\Documents and Settings\All Users\Application Data\KGyGaAvL.sys
2008-04-23 19:08 353,840 ----a-w C:\Program Files\RealPlayer11GOLD.exe
2007-01-14 23:36 105,143,305 -c--a-w C:\Program Files\SonicDVDitProv6_SST.exe
2007-01-14 23:29 721,507 ----a-w C:\Program Files\RNPatch72.exe
2006-09-03 22:38 345,068,035 ----a-w C:\Program Files\Photoshop_CS2.exe
2005-03-18 13:47 3,409 -c--a-w C:\Program Files\scan.dat
2005-03-17 22:34 512 ----a-w C:\Program Files\data2.cab
2005-03-17 22:34 29,760 -c--a-w C:\Program Files\layout.bin
2005-03-17 22:34 236,953 -c--a-w C:\Program Files\data1.hdr
2005-03-17 22:33 397 -c--a-w C:\Program Files\setup.ini
2005-03-17 22:33 342,212 ----a-w C:\Program Files\setup.boot
2005-03-17 22:33 299,375 -c--a-w C:\Program Files\setup.inx
2005-03-17 22:33 2,349,117 -c--a-w C:\Program Files\data1.cab
2005-03-17 17:33 46,648 -c--a-w C:\Program Files\fditxf.1ph
2005-03-17 17:33 34,585 -c--a-w C:\Program Files\comfed.1ph
2005-03-17 17:33 27,320 -c--a-w C:\Program Files\fdiimb.1ph
2005-03-17 17:33 12,538 -c--a-w C:\Program Files\fdiofx.1ph
2005-02-21 20:15 28,672 ----a-w C:\Documents and Settings\Owner\atwbxdet.dll
2004-10-25 15:11 80,161 -c--a-w C:\Program Files\bustax.thp
2004-10-25 15:06 60,591 -c--a-w C:\Program Files\bustax.scd
2004-10-25 13:55 54,232 -c--a-w C:\Program Files\tax.thp
2004-10-25 13:55 13,248 -c--a-w C:\Program Files\tax.scd
2004-10-07 13:58 49,142 ----a-w C:\Program Files\license.txt
2004-09-17 19:59 114,688 ----a-w C:\Program Files\autorun.exe
2004-09-17 18:04 7,406 -c--a-w C:\Program Files\ttax.ico
2004-09-17 18:03 142 -c--a-w C:\Program Files\autorun.ini
2004-07-17 13:57 63,499 ----a-w C:\Documents and Settings\Owner\setup.exe
2004-01-30 14:32 20,480 -c--a-w C:\Program Files\cdrun.exe
2003-02-27 21:16 420,432 -c--a-w C:\Program Files\engine32.cab
2002-12-02 20:33 107,512 -c--a-w C:\Program Files\Setup.exe
2002-05-01 21:01 695 -c--a-w C:\Program Files\os.dat
2004-12-30 15:51 0 -csha-w C:\WINDOWS\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((( snapshot_2008-08-17_16.04.35.29 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-08-15 00:43:35 65,044 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-08-17 22:52:55 65,044 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-08-15 00:43:36 410,574 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-08-17 22:52:55 410,574 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2003-09-12 23:13 98304]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-07-25 10:14 188416]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 09:47 116040]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-07-27 12:21 1232152]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 12:01 88209 C:\WINDOWS\AGRSMMSG.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli scecli

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Wireless Configuration Utility HW.14.lnk]
backup=C:\WINDOWS\pss\Wireless Configuration Utility HW.14.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyLinkAdvisor]
--a------ 2006-04-02 21:07 389120 C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
--a------ 1998-05-07 20:04 52736 c:\WINDOWS\system\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-07-10 10:51 289064 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 10:50 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-04-23 15:11 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster 2]
--a------ 2007-10-22 09:58 1885464 C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2006-08-03 06:12 577536 C:\WINDOWS\soundman.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\system32\\sessmgr.exe"=

R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 17:24]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-07-27 12:22]
R2 AvgTdiX;AVG Free8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-07-27 12:22]
R2 PD91Agent;PD91Agent;C:\Program Files\PerfectDisk2008\PD91Agent.exe [2008-04-16 13:00]
R3 FET5X86V;VIA Rhine-Family Fast-Ethernet Adapter Driver Service;C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys [2008-01-02 03:12]
S2 portD;ABS PortIO Service;C:\WINDOWS\system32\DRIVERS\portd2k.sys [2003-03-19 10:28]
S3 PD91Engine;PD91Engine;C:\Program Files\PerfectDisk2008\PD91Engine.exe [2008-04-16 13:00]
S3 PD91VMDefrag;PD91VMDefrag;C:\Program Files\PerfectDisk2008\PD91VMDefrag.exe [2008-02-29 10:44]
S3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;C:\WINDOWS\system32\DRIVERS\RTL8187B.sys [2007-12-11 07:18]
S3 SjyPkt;SjyPkt;C:\WINDOWS\System32\Drivers\SjyPkt.sys [2002-10-02 10:57]
S4 avg8emc;AVG Free8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-07-27 12:21]
S4 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-07-27 12:21]
.
Contents of the 'Scheduled Tasks' folder

2008-08-15 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]

2008-08-16 C:\WINDOWS\Tasks\Uniblue SpyEraser Nag.job
- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe [2007-12-03 10:55]
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-21 13:17:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
.
**************************************************************************
.
Completion time: 2008-08-21 13:25:13 - machine was rebooted [Owner]
ComboFix-quarantined-files.txt 2008-08-21 17:25:07
ComboFix2.txt 2008-08-20 04:21:22
ComboFix3.txt 2008-08-17 20:05:20
ComboFix4.txt 2008-08-15 00:47:13
ComboFix5.txt 2008-08-21 17:03:43

Pre-Run: 64,944,291,840 bytes free
Post-Run: 65,026,748,416 bytes free

214 --- E O F --- 2008-08-20 00:47:08



Still no console???????
Roc 65 is offline  
Old 08-20-2008, 01:11 PM   #27 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
Join Date: Jun 2006
Location: USA
Posts: 7,405
OS: XP SP3


Re: heur trojan mess - Cannot Update OS - SP3 cannot find CLBCATQ dll's

Hi,

A stubborn machine refusing to install the recovery console.

Do you know what this setupxv.exe file on your desktop is for? Panda reports it as infected. Please delete it.
Empty the quarantine folder of SpyEraser.

===========================

Please go to Start - Run - type in eventvwr.msc and click OK to open the event viewer. Look under both "application" and "system" for any errors indicated in red that occurred in the last 24-48 hours and do this for each one:

Double click the error to open it up and then click on the icon that looks like two pieces of paper which will copy it. Open up Notepad and paste the error there.

Once you have all the errors pasted in your document, copy and paste them here please.

================================================

Run HJT and click on Open the Misc Tools section.
In the next window, click on Open Uninstall Manager…
In the final window, click on Save list... and save it to your Desktop.
Copy and paste this file: uninstall_list.txt into your next reply.

================================================

Quote:
Panda worked, kaspersky would not - something about Java 1.5 or higher. I verified Java and it's up to date?
I have just tried the link myself and am not experiencing any problems. Please try it again, but first go to Start>Control Panel>Add/Remove Programs and remove Kaspersky online scanner if present.

================================================

Please post back the event errors list, uninstall list and the Kaspersky report.
__________________
My services are free. However, you can donate to TSF to help keep it running.




Member of ASAP since 2005
Member of UNITE since 2006
amateur is offline  
Old 08-20-2008, 10:14 PM   #28 (permalink)
Registered User
 
Join Date: Jan 2008
Posts: 51
OS: Windows XP sp3


Re: heur trojan mess - Cannot Update OS - SP3 cannot find CLBCATQ dll's

I deleted setupxv - both c and g drives.

I could not find Kaspersky in the uninstall programs list

1. Unfortunately, KASPERSKY WOULD NOT RUN..............
"You need to install Java version 1.5 or later to run Kaspersky Online Scanner ". It shows a link to get Java. I went there and.......

"Verified Java Version
Congratulations!
You have the recommended Java installed (Version 6 Update 7)."

=======================================
2. EVENT VIEWER ERRORS:

No red warnings under 'Application'
JUST THIS Yellow WARNING REPEATED.....

Event Type: Warning
Event Source: Userenv
Event Category: None
Event ID: 1517
Date: 8/16/2008
Time: 7:54:26 PM
User: NT AUTHORITY\SYSTEM
Computer: YOUR-C8BH3JAGLT
Description:
Windows saved user YOUR-C8BH3JAGLT\Owner registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.

This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


RED WARNINGS UNDER 'System':

ALL WARNINGS REPEATED.....
---------------------------------------
Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7001
Date: 8/21/2008
Time: 10:45:20 PM
User: N/A
Computer: YOUR-C8BH3JAGLT
Description:
The Windows Media Player Network Sharing Service service depends on the Universal Plug and Play Device Host service which failed to start because of the following error:
The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

--------------------------
Event Type: Error
Event Source: ati2mtag
Event Category: CRT
Event ID: 45062
Date: 8/21/2008
Time: 10:43:36 PM
User: N/A
Computer: YOUR-C8BH3JAGLT
Description:
CRT invalid display type
Data:
0000: 00 00 00 00 01 00 5a 00 ......Z.
0008: 2c 00 00 00 06 b0 00 c0 ,....°.À
0010: 00 00 00 00 00 00 00 00 ........
0018: 00 00 00 00 00 00 00 00 ........
0020: 00 00 00 00 00 00 00 00 ........

---------------------------------------------
Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7000
Date: 8/21/2008
Time: 10:44:08 PM
User: N/A
Computer: YOUR-C8BH3JAGLT
Description:
The Upload Manager service failed to start due to the following error:
The account specified for this service is different from the account specified for other services running in the same process.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

---------------------------------------------------
Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7000
Date: 8/21/2008
Time: 10:44:08 PM
User: N/A
Computer: YOUR-C8BH3JAGLT
Description:
The ABS PortIO Service service failed to start due to the following error:
The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

-------------------------------------------------------
Event Type: Error
Event Source: Disk
Event Category: None
Event ID: 7
Date: 8/21/2008
Time: 1:02:44 AM
User: N/A
Computer: YOUR-C8BH3JAGLT
Description:
The device, \Device\Harddisk0\D, has a bad block.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:

======================================================
THIS ERROR REPEATS MANY (100+) TIMES - I SUSPECTED MY HARDDRIVE WAS GOING BAD AND I HAVE INSTALLED ANOTHER, JUST NOT "GHOSTED" IT OVER YET
========================================================


3. UNINSTALL LIST -

Adobe Acrobat 5.0
Adobe Atmosphere Player for Acrobat and Adobe Reader
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Flash Player ActiveX
Adobe Help Center 1.0
Adobe Photoshop Album 2.0 Starter Edition
Adobe Photoshop CS2
Adobe Reader 7.1.0
Adobe Shockwave Player 11
Adobe Stock Photos 1.0
Advanced WMA Workshop version 2.09b
Agere Systems PCI Soft Modem
Apple Mobile Device Support
Apple Software Update
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
AVG Free 8.0
Bonjour
CCleaner (remove only)
Charter Solution Controls Installation
ColorDesk Photo
Data Lifeguard Tools
Doom 3
Flickr Uploadr 2.5.0.15
Google Earth
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB896344)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB952287)
HP Product Detection
InterVideo WinDVD Creator 2
InterVideo WinDVD Player
iPod for Windows 2005-10-12
iPod for Windows 2006-01-10
iTunes
Java(TM) 6 Update 7
Linksys EasyLink Advisor 1.5 (1010)
Master Poker Demo
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
Panda ActiveScan 2.0
PerfectDisk 2008 Professional
PerformanceTest v6.1
Photo Viewer
Photosmart 140,240,7200,7600,7700,7900 Series
PS2
PurePlay Poker
Quick Screen Capture 3.0
QuickTime
RealPlayer
Realtek AC'97 Audio
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Spybot - Search & Destroy
SpywareBlaster 4.1
TRENDnet TEW-424UB
TurboTax Deluxe 2004
TurboTax Deluxe 2005
TurboTax Deluxe Deduction Maximizer 2006
TurboTax ItsDeductible 2005
TurboTax ItsDeductible 2006
Uniblue RegistryBooster 2
Uniblue SpyEraser
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB900930)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920342)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB933360)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB953356)
VIA Rhine-Family Fast-Ethernet Adapter
Virtual Earth 3D (Beta)
WexTech AnswerWorks
Windows Driver Package - (mr7910) Image 08/08/2006 1.4.0.0
Windows Genuine Advantage v1.3.0254.0
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB887797
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
You Don't Know Jack - XL 1.0


=========================================================
4. I know this is a repeat, but ...........When I boot my pc I get this error message - Windows cannot find 'c:\combo-fix\combofix.bat'. Make sure you typed it correctly and try again. To search for the file click start then click search.

I press OK and it continues and boots up.


=========================

I appreciate you sticking with me on this one.

By the way, since I disabled AVG (start/run/services.msc), I noticed that my IE home page was set to htp:/// (blank)?

Similar activity to the time when the original virus surfaced....

I will restore AVG until the next scan. Hope we can kick this thing.

Thanks.
Roc 65 is offline  
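The event-triage procedure asked for in post #27 (pull the recent Error entries from the Application and System logs and paste each one) and the entries pasted in post #28 produce many repeats, such as the Disk event ID 7 that recurs 100+ times. As an added example, not code from this thread or from any tool named in it, the Python script below parses records in the exact text layout Event Viewer copies to the clipboard, keeps the requested event types inside a time window, and counts repeats per source and event ID; the sample entries, the computer name EXAMPLE-PC and the reference time are constructed.

```python
"""Triage Windows XP Event Viewer entries pasted as text (added example).

Parses records in the layout Event Viewer copies to the clipboard (Event Type /
Event Source / ... / Description / optional Data hex dump) and groups repeats
per (source, event ID) so a flood of identical errors shows up once with a count.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample in the same layout as a real paste (shortened descriptions).
SAMPLE = r"""Event Type: Warning
Event Source: Userenv
Event Category: None
Event ID: 1517
Date: 8/16/2008
Time: 7:54:26 PM
User: NT AUTHORITY\SYSTEM
Computer: EXAMPLE-PC
Description:
Windows saved user EXAMPLE-PC\Owner registry while an application or service was still using the registry during log off.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

---------------------------------------
Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7000
Date: 8/21/2008
Time: 10:44:08 PM
User: N/A
Computer: EXAMPLE-PC
Description:
The Upload Manager service failed to start due to the following error:
The account specified for this service is different from the account specified for other services running in the same process.

-------------------------------------------------------
Event Type: Error
Event Source: Disk
Event Category: None
Event ID: 7
Date: 8/21/2008
Time: 1:02:44 AM
User: N/A
Computer: EXAMPLE-PC
Description:
The device, \Device\Harddisk0\D, has a bad block.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 03 00 68 00 01 00 b6 00 ........
0008: 00 00 00 00 07 00 04 c0 ........
0010: 00 01 00 00 9c 00 00 c0 ........

-------------------------------------------------------
Event Type: Error
Event Source: Disk
Event Category: None
Event ID: 7
Date: 8/20/2008
Time: 1:02:51 AM
User: N/A
Computer: EXAMPLE-PC
Description:
The device, \Device\Harddisk0\D, has a bad block.
"""

FIELD_RE = re.compile(r"^(Event Type|Event Source|Event Category|Event ID|Date|Time|User|Computer):\s*(.*)$")
HEX_RE = re.compile(r"^[0-9A-Fa-f]{4}:")       # one row of the optional Data dump
SEPARATOR_RE = re.compile(r"^[-=]{3,}$")       # divider the user typed between records


def parse_events(text):
    """Return one dict per record: header fields, joined Description, Data rows, timestamp."""
    events, current, section = [], None, None
    for line in text.splitlines():
        line = line.rstrip()
        if SEPARATOR_RE.match(line):
            section = None
            continue
        m = FIELD_RE.match(line)
        if m:
            key, value = m.group(1), m.group(2).strip()
            if key == "Event Type":             # first header line opens a new record
                current = {"Description": [], "Data": []}
                events.append(current)
                section = None
            if current is not None:
                current[key] = value
            continue
        if current is None:
            continue
        if line == "Description:":
            section = "Description"
        elif line == "Data:":
            section = "Data"
        elif section == "Description" and line and not line.startswith("For more information"):
            current["Description"].append(line)  # drop the boilerplate help-link line
        elif section == "Data" and HEX_RE.match(line):
            current["Data"].append(line)
    for ev in events:
        ev["Description"] = " ".join(ev["Description"])
        ev["timestamp"] = datetime.strptime(ev["Date"] + " " + ev["Time"], "%m/%d/%Y %I:%M:%S %p")
    return events


def triage(events, now, window_hours=48, types=("Error",)):
    """Keep events of the given types newer than now minus the window; count repeats per (source, ID)."""
    cutoff = now - timedelta(hours=window_hours)
    kept = [e for e in events if e["Event Type"] in types and e["timestamp"] >= cutoff]
    counts = Counter((e["Event Source"], e["Event ID"]) for e in kept)
    return kept, counts


if __name__ == "__main__":
    evs = parse_events(SAMPLE)
    # Fixed reference time so the run is reproducible; use datetime.now() on a live paste.
    kept, counts = triage(evs, datetime(2008, 8, 21, 23, 0, 0))
    for (source, eid), n in counts.most_common():
        first = next(e for e in kept if (e["Event Source"], e["Event ID"]) == (source, eid))
        print(f"{n:>4}x  {source} / ID {eid}: {first['Description'][:70]}")
```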
Old 08-21-2008, 03:11 AM   #29 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
Join Date: Jun 2006
Location: USA
Posts: 7,405
OS: XP SP3


Re: heur trojan mess - Cannot Update OS - SP3 cannot find CLBCATQ dll's

Hi,

Quote:
I deleted setupxv - both c and g drives.
That's good.

Quote:
Unfortunately, KASPERSKY WOULD NOT RUN..............
"You need to install Java version 1.5 or later to run Kaspersky Online Scanner ". It shows a link to get Java. I went there and.......

"Verified Java Version
Congratulations!
You have the recommended Java installed (Version 6 Update 7)."
Yes, I see that you have the correct version. Which browser are you using, IE? Try using Firefox.

There appears to be something wrong with the system, not necessarily malware, but I cannot put my finger on it. I noticed that you are using Uniblue RegistryBooster 2. Please read this about the registry tools: http://miekiemoes.blogspot.com/2008/...eaking_13.html
The system may have been tweaked to the point that it's causing problems. Do you have your XP installation disk by any chance? A re-installation of the OS may help, but I would recommend that you post these error reports at the Windows XP forum, where you'd be better served with the non-malware issues. As far as the logs are concerned, the system appears to be clean. How is the computer running otherwise? Are you able to update to SP3 now?

===========================================

Quote:
I will restore AVG until the next scan.
Yes, please do. Never be online without antivirus protection.

============================================

It's not related to the problems you were having, but you have some old TurboTax files scattered around in the Programs folder, instead of being in their own folder. They are cluttering the folder. Please remove these via Add or Remove Programs in the Control Panel, if present:

TurboTax Deluxe 2004
TurboTax Deluxe 2005
TurboTax Deluxe Deduction Maximizer 2006
TurboTax ItsDeductible 2005
TurboTax ItsDeductible 2006


Did you install this yourself? If not, please remove it also:

PurePlay Poker
__________________
My services are free. However, you can donate to TSF to help keep it running.




Member of ASAP since 2005
Member of UNITE since 2006

Last edited by amateur; 08-21-2008 at 02:04 PM.
amateur is offline  
Old 08-22-2008, 07:57 PM   #30 (permalink)
Registered User
 
Join Date: Jan 2008
Posts: 51
OS: Windows XP sp3


Re: heur trojan mess - Cannot Update OS - SP3 cannot find CLBCATQ dll's

Good news, SP3 installed without errors!

Quote:
Which browser are you using, IE? Try using Firefox.
I use IE and never used anything else. I guess I can try Firefox; I am just so used to IE.

Quote:
I noticed that you are using Uniblue RegistryBooster 2. Please read this about the registry tools
I will no longer use Registry Booster, should I uninstall it?

Quote:
Do you have your XP installation disk by any chance? A re-installation of the OS may help, but I would recommend that you post these error reports at the Windows XP forum
I only have original recovery disks. I may be worried about nothing here, but the recovery disks are from 2004 and I feel I will lose a lot if I start at that point.

I will post the error reports (event viewer) to winxp forum.

Quote:
How is the computer running otherwise?
1. I still get the comboFix related error on bootup: "Windows cannot find 'c:\combo-fix\combofix.bat'. Make sure you typed it correctly and try again. To search for the file click start then click search."

Would you help me get rid of this error?

2. Kaspersky still will not run?

3. I guess Recovery Console is important. Do I still need to fix that issue?


General comments/questions:

Is it OK to run AVG and Spybot on startup? I heard they may fight each other.

In an effort to "clean up" from all the downloads, software and files you directed me to use, do I need to uninstall or delete anything? Should I keep anything?


I certainly appreciate all your help thus far. In general my machine seems to be fine; I am just worried about non-malware issues and my hard disk that's about to die at this point, and I will work with the correct forums.





I uninstalled the programs you recommended. I installed pureplay myself, so I think it's OK to leave installed.
08-23-2008, 04:23 AM   #31
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
 
Join Date: Jun 2006
Location: USA
Posts: 7,405
OS: XP SP3


Re: heur trojan mess - Cannot Update OS - SP3 cannot find CLBCATQ dll's

Hi,

Quote:
Good news, SP3 installed without errors!
That's great!

Quote:
I will no longer use Registry Booster, should I uninstall it?
Yes, please uninstall/remove it via Add Remove Programs in Control Panel.

Quote:
I only have original recovery disks. I may be worried about nothing here, but the recovery disks are from 2004 and I feel I will lose a lot if I start at that point.

I will post the error reports (event viewer) to winxp forum.
You're right about the recovery disks. That's why I asked if you had an XP installation disk. Let's see what the XP forum will say about the errors. Maybe they can resolve it without the installation disk.

===============================================

We need more information on some files.

Please go to: VirusTotal
  • On the page you'll find a "Browse" button.
  • Next to the browse button you'll see a box to enter text.
  • Please copy/paste the following in BOLD:

    C:\WINDOWS\system32\drivers\_003977_.tmp.dll

  • Then click the "Send File " button just below.
  • This will scan the file. Please be patient.
  • Once scanned, copy and paste the results in your next reply.
  • Please repeat it for the following files, one at a time:

    • C:\WINDOWS\system32\SET326.tmp
    • C:\WINDOWS\system32\SET196.tmp
    • C:\WINDOWS\system32\SET38F.tmp
    • C:\WINDOWS\system32\SET2E5.tmp
    • C:\WINDOWS\system32\SET1D5.tmp
==============================================

Quote:
2. Kaspersky still will not run?
Not with Firefox either?

Using the Internet Explorer browser only, go to the ESET Online Scanner website:
  • Accept the Terms of Use and press Start button;
  • Approve the install of the required ActiveX Control, then follow on-screen instructions;
  • Enable (check) the Remove found threats option, and run the scan.
  • After the scan completes, the Details tab in the Results window will display what was found and removed. At this time, the scanner does not produce a detailed report. That is a planned, future feature. If needed, you should be able to find a file named log.txt in your folder C:\Program Files\EsetOnlineScanner
    Copy the contents of this file using Notepad or Wordpad and post it here.
After running the scan, you may uninstall ESET Online Scanner via Add/Remove Programs, if desired.

The Frequently Asked Questions for ESET Online Scanner can be viewed here
http://www.eset.com/onlinescan/cac4.php?page=faq

===============================================

Quote:
3. I guess Recovery Console is important. Do I still need to fix that issue?
While it may not be needed at this time, current infections tend to patch a lot of critical system files now. These often result in multiple problems, and sometimes they can cause unbootable machines. Having the Windows Recovery Console installed on your machine will help you and us in case something goes wrong while we are in the process of cleaning your machine. It would be useful to have it installed, if not for now, for any future eventuality.

===============================================

Quote:
Is it OK to run AVG and Spybot on startup? I heard they may fight each other.
Your resident antivirus AVG8 should run at startup. However, Spybot doesn't need to. I would recommend that Spybot be used as an on-demand scanner. AVG8 has a built-in antispyware component which may possibly cause problems with Spybot Search and Destroy.

===============================================

Quote:
In an effort to "clean up" from all the downloads, software and files you directed me to use, do I need to uninstall or delete anything? Should I keep anything?
When we are done and as sure as possible that the system is free of malware, we'll uninstall the tools we used.

===============================================

Quote:
1. I still get the comboFix related error on bootup: "Windows cannot find 'c:\combo-fix\combofix.bat'. Make sure you typed it correctly and try again. To search for the file click start then click search."

Would you help me get rid of this error?
I don't know why you're getting that error on bootup. Do you have any older versions of Combofix installed anywhere?

====================================

Please post a fresh HijackThis log taken after a restart, along with the VirusTotal results and the Eset online scan report.
08-26-2008, 06:39 PM   #32
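A VirusTotal result only tells you something if the file VirusTotal scanned is the file you meant to check. The report's "Additional information" block carries MD5, SHA1 and SHA256 values, and the "File ... received on" line carries the name of what was uploaded, so both can be compared against the file on disk and the name that was requested (the first report posted below in reply to this request came back for _004808_.tmp.dll although _003977_.tmp.dll was asked for). The following Python script is an added example for that check; it is not part of this thread and not a VirusTotal tool. The report text and the file bytes it verifies are constructed for the example, and the function names are mine.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Lines of the classic VirusTotal text report, in the form pasted in threads like
# this one: "File X received on ...", "Result: N/M (P%)", then under
# "Additional information" the lines "File size:", "MD5...:", "SHA1..:", "SHA256:".
_FILE_LINE = re.compile(r"^File\s+(\S+)\s+received on\s+(.+)$", re.MULTILINE)
_RESULT_LINE = re.compile(r"^Result:\s*(\d+/\d+)", re.MULTILINE)
_SIZE_LINE = re.compile(r"^File size:\s*(\d+)\s*bytes", re.MULTILINE)
_HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256)\.*:\s*([0-9a-fA-F]+)\s*$", re.MULTILINE)

ALGORITHMS = ("md5", "sha1", "sha256")


def parse_vt_report(text):
    """Extract file name, detection ratio, size and hashes from a pasted report."""
    file_match = _FILE_LINE.search(text)
    result_match = _RESULT_LINE.search(text)
    size_match = _SIZE_LINE.search(text)
    return {
        "file": file_match.group(1) if file_match else None,
        "result": result_match.group(1) if result_match else None,
        "size": int(size_match.group(1)) if size_match else None,
        "hashes": {name.lower(): value.lower() for name, value in _HASH_LINE.findall(text)},
    }


def hash_bytes(data):
    """MD5 / SHA-1 / SHA-256 of an in-memory buffer, as lowercase hex."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ALGORITHMS}


def hash_file(path, chunk_size=1 << 20):
    """Same as hash_bytes but streamed, so a multi-megabyte file need not be read at once."""
    hashers = {alg: hashlib.new(alg) for alg in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {alg: h.hexdigest() for alg, h in hashers.items()}


def verify_report(report_text, local_hashes, expected_name=None):
    """One True/False per hash the report carries; plus "name" if a file name is expected."""
    parsed = parse_vt_report(report_text)
    checks = {alg: parsed["hashes"].get(alg) == local_hashes[alg]
              for alg in ALGORITHMS if alg in parsed["hashes"]}
    if expected_name is not None:
        checks["name"] = parsed["file"] == expected_name
    return checks


def verify_report_against_bytes(report_text, data, expected_name=None):
    return verify_report(report_text, hash_bytes(data), expected_name)


def verify_report_against_file(report_text, path):
    # The report's file name should be the basename of the file that was uploaded.
    return verify_report(report_text, hash_file(path), Path(path).name)


# Constructed sample: a three-byte file and a report whose hashes are those of b"abc".
SAMPLE_BYTES = b"abc"
SAMPLE_REPORT = """\
File sample.tmp received on 08.23.2008 15:26:19 (CET)

Result: 0/36 (0.00%)

Antivirus Version Last Update Result
AntiVir 7.8.1.23 2008.08.23 -
Kaspersky 7.0.0.125 2008.08.23 -
Additional information
File size: 3 bytes
MD5...: 900150983cd24fb0d6963f7d28e17f72
SHA1..: a9993e364706816aba3e25717850c26c9cd0d89d
SHA256: ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
"""

if __name__ == "__main__":
    # Write the sample bytes to a temp file named as the report expects and verify it.
    with tempfile.TemporaryDirectory() as tmp:
        sample_path = Path(tmp) / "sample.tmp"
        sample_path.write_bytes(SAMPLE_BYTES)
        print("report vs file:", verify_report_against_file(SAMPLE_REPORT, sample_path))
    # A different file with the same name fails every hash check.
    print("report vs other bytes:", verify_report_against_bytes(SAMPLE_REPORT, b"abd", "sample.tmp"))
```

Run it against a report pasted from the forum and the path of the file the submitter was asked to upload; any False in the hash checks means the verdict belongs to some other file, and a False "name" means the wrong file was selected in the browse dialog.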
Registered User
 
Join Date: Jan 2008
Posts: 51
OS: Windows XP sp3


Re: heur trojan mess - Cannot Update OS - SP3 cannot find CLBCATQ dll's

More good news. Kaspersky ran. I uninstalled and re-installed Java. You will notice instances duplicated on two hard drives within the Kaspersky results. That is because I backed up my C drive to G since C is about to die.

Also, I ran ESET and nothing was found, so there is no result file posted.

I still get the combo-fix error on start-up. I have a bitmap file of instances of anything "combo*.*" on the C drive. Let me know if you would like me to attach it to my next post. I did not see combofix installed anywhere else.

Here is an outline of my post:
1. kaspersky
2. hijackthis
3. VirusTotal

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Tuesday, August 26, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Tuesday, August 26, 2008 06:36:48
Records in database: 1147335
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
K:\

Scan statistics:
Files scanned: 195277
Threat name: 2
Infected objects: 7
Suspicious objects: 8
Duration of the scan: 08:31:50


File name / Threat name / Threats count
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{6BE14ADF-BF41-4394-B992-563A028010C1}\Microsoft\Outlook Express\Inbox.dbx Infected: Trojan-Spy.HTML.Paylap.du 1
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{6BE14ADF-BF41-4394-B992-563A028010C1}\Microsoft\Outlook Express\Inbox.dbx Suspicious: Trojan-Spy.HTML.Fraud.gen 2
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Outlook\Creazzo.pst Infected: Trojan-Spy.HTML.Paylap.du 2
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Outlook\Creazzo.pst Suspicious: Trojan-Spy.HTML.Fraud.gen 2
G:\Outlook PST Files\Creazzo.pst Infected: Trojan-Spy.HTML.Paylap.du 2
G:\Outlook PST Files\Creazzo.pst Suspicious: Trojan-Spy.HTML.Fraud.gen 2
H:\Outlook PST Files\Creazzo.pst Infected: Trojan-Spy.HTML.Paylap.du 2
H:\Outlook PST Files\Creazzo.pst Suspicious: Trojan-Spy.HTML.Fraud.gen 2

The selected area was scanned.


++++++++++++++++++++++++++++++++++++++++++++++

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:30:24 PM, on 8/26/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\PerfectDisk2008\PD91Agent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O8 - Extra context menu item: Open with WordPerfect - c:\Program Files\Corel\WordPerfect Office X4\Programs\WPLauncher.hta
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} - http://support2.charter.com/sdccommo...ad/tgctlcm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.com/nos_dl_manager...EGetPlugin.ocx
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqna/downloads/sysinfo.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1093930840796
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn...tDetection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1124160269328
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD44/JSCDL/...ws-i586-jc.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PD91Agent - Raxco Software, Inc. - C:\Program Files\PerfectDisk2008\PD91Agent.exe
O23 - Service: PD91Engine - Raxco Software, Inc. - C:\Program Files\PerfectDisk2008\PD91Engine.exe
O23 - Service: PD91VMDefrag - Raxco Software, Inc. - C:\Program Files\PerfectDisk2008\PD91VMDefrag.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 6292 bytes


+++++++++++++++++++++++++++++++++++++++++++++++++

VirusTotal


1. C:\WINDOWS\system32\drivers\_003977_.tmp.dll

File _004808_.tmp.dll received on 07.29.2008 16:13:39 (CET)

Result: 0/35 (0.00%)

Antivirus Version Last Update Result
AhnLab-V3 2008.7.29.1 2008.07.29 -
AntiVir 7.8.1.12 2008.07.29 -
Authentium 5.1.0.4 2008.07.29 -
Avast 4.8.1195.0 2008.07.29 -
AVG 8.0.0.130 2008.07.29 -
BitDefender 7.2 2008.07.29 -
CAT-QuickHeal 9.50 2008.07.29 -
ClamAV 0.93.1 2008.07.29 -
DrWeb 4.44.0.09170 2008.07.29 -
eSafe 7.0.17.0 2008.07.28 -
eTrust-Vet 31.6.5992 2008.07.29 -
Ewido 4.0 2008.07.29 -
F-Prot 4.4.4.56 2008.07.28 -
F-Secure 7.60.13501.0 2008.07.29 -
Fortinet 3.14.0.0 2008.07.29 -
GData 2.0.7306.1023 2008.07.29 -
Ikarus T3.1.1.34.0 2008.07.29 -
Kaspersky 7.0.0.125 2008.07.29 -
McAfee 5348 2008.07.28 -
Microsoft 1.3704 2008.07.28 -
NOD32v2 3306 2008.07.29 -
Norman 5.80.02 2008.07.28 -
Panda 9.0.0.4 2008.07.28 -
PCTools 4.4.2.0 2008.07.29 -
Prevx1 V2 2008.07.29 -
Rising 20.55.12.00 2008.07.29 -
Sophos 4.31.0 2008.07.29 -
Sunbelt 3.1.1537.1 2008.07.29 -
Symantec 10 2008.07.29 -
TheHacker 6.2.96.389 2008.07.25 -
TrendMicro 8.700.0.1004 2008.07.29 -
VBA32 3.12.8.1 2008.07.29 -
ViRobot 2008.7.29.1315 2008.07.29 -
VirusBuster 4.5.11.0 2008.07.29 -
Webwasher-Gateway 6.6.2 2008.07.29 -
Additional information
File size: 71040 bytes
MD5...: d3dac8432110aad0b02a58b4459ab835
SHA1..: 21cc55d1e2bae42c9e00c3bc84bba6beea25718b
SHA256: ca44b2a02554e76ccbe95623ad129edab3aadfa5e675cb528e62f6440dfc295d
SHA512: 192286eb83b9fccfd44a12010e80de170b1434efb29d6b21f02180c7f7f07182
513ea0d723a3507f5b63805021374ce26f1cf60923c8b64e2845be2909f79339
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x20090
timedatestamp.....: 0x41107b93 (Wed Aug 04 06:00:51 2004)
machinetype.......: 0x14c (I386)

( 7 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x300 0xef28 0xef80 6.37 07b5a596bf3d0e7820a896448bfd6cf2
.rdata 0xf280 0x954 0x980 4.92 58fcb9d4ff80ffd63d648140cccd3e6a
.data 0xfc00 0x33c 0x380 3.61 1a18c46bcfcdc96d7c55b0db623b4548
.edata 0xff80 0x86 0x100 2.66 6640a77659270eadb2754610fe439ca1
INIT 0x10080 0x6e6 0x700 5.47 bbc4b9a222c335a5398140f1bec406c2
.rsrc 0x10780 0x3e8 0x400 3.39 28adec91bd9872862b7641331ffc6df0
.reloc 0x10b80 0x9ac 0xa00 6.23 a1340f262da2fb7d0bc906b9b06fa18a

( 2 imports )
> ntoskrnl.exe: KeDetachProcess, KeAttachProcess, PsGetCurrentProcess, ExRaiseDatatypeMisalignment, IofCallDriver, IoBuildSynchronousFsdRequest, KeInitializeEvent, ExFreePoolWithTag, ExAllocatePoolWithTag, ZwOpenProcess, PsGetThreadProcessId, KeResetEvent, KeWaitForSingleObject, KeSetEvent, _allmul, MmUnlockPages, ObfDereferenceObject, ZwCreateEvent, MmMapLockedPagesSpecifyCache, IoFreeMdl, MmProbeAndLockPages, IoAllocateMdl, KeInitializeSpinLock, KeInitializeDpc, MmResetDriverPaging, MmUserProbeAddress, KeTickCount, KeBugCheckEx, ZwQuerySystemInformation, RtlInitUnicodeString, ZwOpenKey, ZwQueryValueKey, ZwClose, PsGetCurrentThread, PsGetCurrentProcessId, memmove, MmMapUserAddressesToPage, ZwAllocateVirtualMemory, ZwFreeVirtualMemory, ExRaiseAccessViolation, MmSecureVirtualMemory, MmUnsecureVirtualMemory, _except_handler3, ProbeForWrite, KeRestoreFloatingPointState, ObReferenceObjectByHandle, KeSaveFloatingPointState
> dxgthk.sys: EngUnloadImage, EngCopyBits, EngLockSurface, EngCreatePalette, EngDeleteSurface, EngCreateBitmap, EngDeletePalette, EngUnlockSurface, EngAllocUserMem, EngFreeUserMem, EngReleaseSemaphore, EngAcquireSemaphore, EngSetLastError, EngCreateSemaphore, EngDeleteSemaphore, EngAllocMem, EngFreeMem, EngFindImageProcAddress

( 3 exports )
DriverEntry, DxDdCleanupDxGraphics, DxDdStartupDxGraphics

---------------------------------------------------

2. C:\WINDOWS\system32\SET326.tmp

File SET326.tmp received on 08.23.2008 15:26:19 (CET)

Result: 0/36 (0.00%)

Antivirus Version Last Update Result
AhnLab-V3 2008.8.21.0 2008.08.22 -
AntiVir 7.8.1.23 2008.08.23 -
Authentium 5.1.0.4 2008.08.23 -
Avast 4.8.1195.0 2008.08.22 -
AVG 8.0.0.161 2008.08.22 -
BitDefender 7.2 2008.08.23 -
CAT-QuickHeal 9.50 2008.08.22 -
ClamAV 0.93.1 2008.08.23 -
DrWeb 4.44.0.09170 2008.08.23 -
eSafe 7.0.17.0 2008.08.21 -
eTrust-Vet 31.6.6040 2008.08.22 -
Ewido 4.0 2008.08.23 -
F-Prot 4.4.4.56 2008.08.23 -
F-Secure 7.60.13501.0 2008.08.23 -
Fortinet 3.14.0.0 2008.08.23 -
GData 2.0.7306.1023 2008.08.20 -
Ikarus T3.1.1.34.0 2008.08.23 -
K7AntiVirus 7.10.425 2008.08.22 -
Kaspersky 7.0.0.125 2008.08.23 -
McAfee 5368 2008.08.22 -
Microsoft 1.3807 2008.08.23 -
NOD32v2 3381 2008.08.22 -
Norman 5.80.02 2008.08.22 -
Panda 9.0.0.4 2008.08.23 -
PCTools 4.4.2.0 2008.08.23 -
Prevx1 V2 2008.08.23 -
Rising 20.58.52.00 2008.08.23 -
Sophos 4.32.0 2008.08.23 -
Sunbelt 3.1.1571.1 2008.08.23 -
Symantec 10 2008.08.23 -
TheHacker 6.3.0.6.060 2008.08.23 -
TrendMicro 8.700.0.1004 2008.08.23 -
VBA32 3.12.8.4 2008.08.22 -
ViRobot 2008.8.22.1346 2008.08.22 -
VirusBuster 4.5.11.0 2008.08.23 -
Webwasher-Gateway 6.6.2 2008.08.23 -
Additional information
File size: 2843136 bytes
MD5...: d3f72d50de53f9f1f55240115af4d42e
SHA1..: 27591ee4bc2970090d421423e771ec51e46b6a41
SHA256: f8831b6b33ee2ee49615ae45a81c8434e154331beb1e64c491e64c1348314f3c
SHA512: f7c21142aff7d2ea27e35c84834c9527f47f0cecae386105b7088b156af34b53
dc280e41626af5f470ad1913fa1e4043aa2a36df9a1259b453978d050ee17134
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x7d1ee769
timedatestamp.....: 0x4802a15a (Mon Apr 14 00:12:10 2008)
machinetype.......: 0x14c (I386)

( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.orpc 0x1000 0x128 0x200 3.73 10aad703cca73fad7eac7a5d343ea8cc
.text 0x2000 0x1b1462 0x1b1600 6.20 50ddbb8ebfe5486b248c957e8806cd1a
.data 0x1b4000 0xbb78 0x9400 2.63 82d181b26b92bccd297ab1730347f713
.rsrc 0x1c0000 0xeed70 0xeee00 4.48 a14c0d5e9d985a8ca973b9555c32ddfa
.reloc 0x2af000 0xc2b8 0xc400 6.74 8fd75eb1c62c1f8640ee741db6490898

( 7 imports )
> ADVAPI32.dll: RegFlushKey, DuplicateToken, AddAccessDeniedAce, GetSidSubAuthorityCount, GetSidLengthRequired, LookupAccountNameW, RegSetKeySecurity, RegisterEventSourceW, ReportEventW, DeregisterEventSource, RegGetKeySecurity, PrivilegeCheck, EqualSid, GetSecurityDescriptorControl, GetSecurityDescriptorOwner, GetSecurityDescriptorGroup, ConvertSidToStringSidW, CopySid, GetFileSecurityW, MakeAbsoluteSD, GetUserNameW, RegEnumKeyW, CreateServiceW, ChangeServiceConfigW, DeleteService, QueryServiceConfigW, StartServiceW, IsValidSecurityDescriptor, SetFileSecurityW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, GetLengthSid, AllocateAndInitializeSid, FreeSid, RegOpenKeyExW, RegCloseKey, RegDeleteValueW, MakeSelfRelativeSD, GetSecurityDescriptorLength, SetSecurityDescriptorGroup, SetSecurityDescriptorOwner, SetSecurityDescriptorDacl, InitializeSecurityDescriptor, GetAce, AddAccessAllowedAce, InitializeAcl, RegSetValueExW, RegCreateKeyExW, RegDeleteKeyW, RegQueryValueExW, RegEnumKeyExW, RegEnumValueW, RegQueryInfoKeyW, RegConnectRegistryW, RegQueryValueExA, RegEnumValueA, RegEnumKeyExA, RegSetValueExA, SetThreadToken, OpenThreadToken, SetTokenInformation, GetTokenInformation, CloseServiceHandle, OpenServiceW, OpenSCManagerW, GetServiceDisplayNameW, QueryServiceStatus, ControlService, EnumDependentServicesW
> GDI32.dll: GetTextExtentPoint32W, CreateFontW, EnumFontFamiliesExW, GetDeviceCaps, CreateFontIndirectW, GetTextFaceW, DeleteObject, RemoveFontResourceW, AddFontResourceW, GetTextMetricsW, SelectObject
> KERNEL32.dll: DuplicateHandle, GetSystemTimeAsFileTime, GetDiskFreeSpaceW, ResetEvent, DosDateTimeToFileTime, FileTimeToDosDateTime, GetFileSizeEx, GetFileTime, SetFileTime, EnumResourceNamesW, EnumResourceLanguagesW, SizeofResource, GetDiskFreeSpaceExW, QueryPerformanceCounter, UnhandledExceptionFilter, MoveFileW, InterlockedExchange, GetLastError, CloseHandle, GetCurrentProcess, Sleep, GetVersionExW, GetEnvironmentVariableW, GetExitCodeThread, lstrlenW, lstrcmpW, lstrcmpiW, GlobalFree, GetSystemDefaultLangID, GlobalAlloc, GetSystemInfo, SetLastError, GetModuleFileNameW, DeleteFileW, WideCharToMultiByte, MultiByteToWideChar, lstrlenA, InitializeCriticalSection, ExpandEnvironmentStringsW, SetEnvironmentVariableW, GetTickCount, FreeLibrary, LockResource, LoadResource, FindResourceExW, LoadLibraryExW, FormatMessageW, CreateDirectoryW, GetTempPathW, TlsFree, GetCurrentThreadId, DisableThreadLibraryCalls, DeleteCriticalSection, CompareStringW, FileTimeToSystemTime, GetUserDefaultLCID, GetFileAttributesW, LocalFileTimeToFileTime, SystemTimeToFileTime, FileTimeToLocalFileTime, GetFileSize, GetFileType, CreateFileW, LeaveCriticalSection, lstrcpynA, lstrcpynW, LocalFree, EnterCriticalSection, ExpandEnvironmentStringsA, SetErrorMode, lstrcmpA, GetProcAddress, lstrcmpiA, GetModuleFileNameA, GetLocalTime, InterlockedIncrement, SetEvent, GetSystemDirectoryW, InterlockedDecrement, WaitForSingleObject, ResumeThread, GetCurrentProcessId, IsDebuggerPresent, LoadLibraryW, TlsSetValue, TlsAlloc, CreateEventW, CreateThread, GetCurrentThread, TerminateProcess, GetShortPathNameW, FindClose, FindFirstFileW, GetPrivateProfileStringW, GetProfileStringW, SetUnhandledExceptionFilter, MoveFileExW, CreateMutexW, WriteFile, FindNextFileW, GetACP, UnlockFile, SetEndOfFile, LockFile, SetFilePointer, FreeEnvironmentStringsW, GetEnvironmentStringsW, DebugBreak, GetTempFileNameW, ExitThread, GetExitCodeProcess, CreateProcessW, VirtualFree, GetOverlappedResult, FlushFileBuffers, LocalAlloc, 
MulDiv, VirtualAlloc, FreeLibraryAndExitThread, WaitForMultipleObjects, TerminateThread, RaiseException, GetLocaleInfoW, GetUserDefaultLangID, ReadFile, WriteProfileStringW, WritePrivateProfileStringW, GetComputerNameW, GlobalMemoryStatus, RemoveDirectoryW, GetModuleHandleW, GetDateFormatW, GetTimeFormatW, ReleaseMutex, GetWindowsDirectoryW, TlsGetValue, SetFileAttributesW, GetVolumeInformationW, GetCurrentDirectoryW, OpenMutexW, ExitProcess, OpenProcess, OutputDebugStringA, FormatMessageA, OutputDebugStringW, GetNumberFormatW, GlobalUnlock, GlobalLock, GlobalReAlloc, IsValidCodePage, GetDriveTypeW, UnmapViewOfFile, MapViewOfFile, CreateFileMappingW
> msvcrt.dll: _vsnprintf, _wtoi, _ui64tow, wcsstr, _wtoi64, strtol, memmove, _itoa, isdigit, _itow, iswdigit, _vsnwprintf, _ultow, wcstoul, qsort, _except_handler3, wcschr, free, _initterm, malloc, _adjust_fdiv, __dllonexit, _onexit, _wcsnicmp, wcstol, _i64tow
> ntdll.dll: NtQueryInformationProcess
> RPCRT4.dll: NdrDllUnregisterProxy, NdrDllRegisterProxy, NdrCStdStubBuffer_Release, NdrDllGetClassObject, NdrClientCall2, NdrOleAllocate, NdrOleFree, IUnknown_QueryInterface_Proxy, IUnknown_AddRef_Proxy, IUnknown_Release_Proxy, CStdStubBuffer_QueryInterface, CStdStubBuffer_AddRef, CStdStubBuffer_DebugServerQueryInterface, CStdStubBuffer_CountRefs, CStdStubBuffer_IsIIDSupported, CStdStubBuffer_Invoke, CStdStubBuffer_Disconnect, CStdStubBuffer_Connect, CStdStubBuffer_DebugServerRelease
> USER32.dll: CharUpperW, PostThreadMessageW, GetActiveWindow, PeekMessageW, DispatchMessageW, TranslateMessage, MsgWaitForMultipleObjects, MessageBoxW, ExitWindowsEx, PostQuitMessage, CharPrevW, SendMessageTimeoutW, PostMessageW, DefWindowProcW, CreateWindowExW, RegisterClassW, UnregisterClassW, DestroyWindow, GetSystemMetrics, SystemParametersInfoW, GetWindowRect, IsDialogMessageW, SetDlgItemTextW, SendDlgItemMessageW, CharNextA, GetWindowLongW, GetDlgItemTextW, GetDlgItem, InvalidateRect, ReleaseDC, SendMessageW, GetDC, EnableWindow, SetCursor, LoadCursorW, IsWindowEnabled, IsWindowVisible, LoadIconW, SetForegroundWindow, CharPrevA, SetFocus, MoveWindow, CreateDialogParamW, GetWindowTextW, GetWindowTextLengthW, SetWindowTextW, SetWindowPos, CharLowerW, EndDialog, GetClientRect, MapWindowPoints, DrawTextW, CopyRect, RemoveMenu, GetSystemMenu, GetFocus, RegisterWindowMessageW, DialogBoxParamW, CharUpperBuffW, SetUserObjectSecurity, GetWindowThreadProcessId, GetWindow, EnumWindows, CharNextW, LoadStringW, IsCharLowerW, GetProcessWindowStation, GetUserObjectInformationW, SetWindowLongW, ShowWindow

( 281 exports )
DllCanUnloadNow, DllGetClassObject, DllGetVersion, DllRegisterServer, DllUnregisterServer, Migrate10CachedPackagesA, Migrate10CachedPackagesW, MsiAdvertiseProductA, MsiAdvertiseProductExA, MsiAdvertiseProductExW, MsiAdvertiseProductW, MsiAdvertiseScriptA, MsiAdvertiseScriptW, MsiApplyMultiplePatchesA, MsiApplyMultiplePatchesW, MsiApplyPatchA, MsiApplyPatchW, MsiCloseAllHandles, MsiCloseHandle, MsiCollectUserInfoA, MsiCollectUserInfoW, MsiConfigureFeatureA, MsiConfigureFeatureFromDescriptorA, MsiConfigureFeatureFromDescriptorW, MsiConfigureFeatureW, MsiConfigureProductA, MsiConfigureProductExA, MsiConfigureProductExW, MsiConfigureProductW, MsiCreateAndVerifyInstallerDirectory, MsiCreateRecord, MsiCreateTransformSummaryInfoA, MsiCreateTransformSummaryInfoW, MsiDatabaseApplyTransformA, MsiDatabaseApplyTransformW, MsiDatabaseCommit, MsiDatabaseExportA, MsiDatabaseExportW, MsiDatabaseGenerateTransformA, MsiDatabaseGenerateTransformW, MsiDatabaseGetPrimaryKeysA, MsiDatabaseGetPrimaryKeysW, MsiDatabaseImportA, MsiDatabaseImportW, MsiDatabaseIsTablePersistentA, MsiDatabaseIsTablePersistentW, MsiDatabaseMergeA, MsiDatabaseMergeW, MsiDatabaseOpenViewA, MsiDatabaseOpenViewW, MsiDecomposeDescriptorA, MsiDecomposeDescriptorW, MsiDeleteUserDataA, MsiDeleteUserDataW, MsiDetermineApplicablePatchesA, MsiDetermineApplicablePatchesW, MsiDeterminePatchSequenceA, MsiDeterminePatchSequenceW, MsiDoActionA, MsiDoActionW, MsiEnableLogA, MsiEnableLogW, MsiEnableUIPreview, MsiEnumClientsA, MsiEnumClientsW, MsiEnumComponentCostsA, MsiEnumComponentCostsW, MsiEnumComponentQualifiersA, MsiEnumComponentQualifiersW, MsiEnumComponentsA, MsiEnumComponentsW, MsiEnumFeaturesA, MsiEnumFeaturesW, MsiEnumPatchesA, MsiEnumPatchesExA, MsiEnumPatchesExW, MsiEnumPatchesW, MsiEnumProductsA, MsiEnumProductsExA, MsiEnumProductsExW, MsiEnumProductsW, MsiEnumRelatedProductsA, MsiEnumRelatedProductsW, MsiEvaluateConditionA, MsiEvaluateConditionW, MsiExtractPatchXMLDataA, MsiExtractPatchXMLDataW, MsiFormatRecordA, 
MsiFormatRecordW, MsiGetActiveDatabase, MsiGetComponentPathA, MsiGetComponentPathW, MsiGetComponentStateA, MsiGetComponentStateW, MsiGetDatabaseState, MsiGetFeatureCostA, MsiGetFeatureCostW, MsiGetFeatureInfoA, MsiGetFeatureInfoW, MsiGetFeatureStateA, MsiGetFeatureStateW, MsiGetFeatureUsageA, MsiGetFeatureUsageW, MsiGetFeatureValidStatesA, MsiGetFeatureValidStatesW, MsiGetFileHashA, MsiGetFileHashW, MsiGetFileSignatureInformationA, MsiGetFileSignatureInformationW, MsiGetFileVersionA, MsiGetFileVersionW, MsiGetLanguage, MsiGetLastErrorRecord, MsiGetMode, MsiGetPatchInfoA, MsiGetPatchInfoExA, MsiGetPatchInfoExW, MsiGetPatchInfoW, MsiGetProductCodeA, MsiGetProductCodeFromPackageCodeA, MsiGetProductCodeFromPackageCodeW, MsiGetProductCodeW, MsiGetProductInfoA, MsiGetProductInfoExA, MsiGetProductInfoExW, MsiGetProductInfoFromScriptA, MsiGetProductInfoFromScriptW, MsiGetProductInfoW, MsiGetProductPropertyA, MsiGetProductPropertyW, MsiGetPropertyA, MsiGetPropertyW, MsiGetShortcutTargetA, MsiGetShortcutTargetW, MsiGetSourcePathA, MsiGetSourcePathW, MsiGetSummaryInformationA, MsiGetSummaryInformationW, MsiGetTargetPathA, MsiGetTargetPathW, MsiGetUserInfoA, MsiGetUserInfoW, MsiInstallMissingComponentA, MsiInstallMissingComponentW, MsiInstallMissingFileA, MsiInstallMissingFileW, MsiInstallProductA, MsiInstallProductW, MsiInvalidateFeatureCache, MsiIsProductElevatedA, MsiIsProductElevatedW, MsiLoadStringA, MsiLoadStringW, MsiLocateComponentA, MsiLocateComponentW, MsiMessageBoxA, MsiMessageBoxExA, MsiMessageBoxExW, MsiMessageBoxW, MsiNotifySidChangeA, MsiNotifySidChangeW, MsiOpenDatabaseA, MsiOpenDatabaseW, MsiOpenPackageA, MsiOpenPackageExA, MsiOpenPackageExW, MsiOpenPackageW, MsiOpenProductA, MsiOpenProductW, MsiPreviewBillboardA, MsiPreviewBillboardW, MsiPreviewDialogA, MsiPreviewDialogW, MsiProcessAdvertiseScriptA, MsiProcessAdvertiseScriptW, MsiProcessMessage, MsiProvideAssemblyA, MsiProvideAssemblyW, MsiProvideComponentA, MsiProvideComponentFromDescriptorA, 
MsiProvideComponentFromDescriptorW, MsiProvideComponentW, MsiProvideQualifiedComponentA, MsiProvideQualifiedComponentExA, MsiProvideQualifiedComponentExW, MsiProvideQualifiedComponentW, MsiQueryComponentStateA, MsiQueryComponentStateW, MsiQueryFeatureStateA, MsiQueryFeatureStateExA, MsiQueryFeatureStateExW, MsiQueryFeatureStateFromDescriptorA, MsiQueryFeatureStateFromDescriptorW, MsiQueryFeatureStateW, MsiQueryProductStateA, MsiQueryProductStateW, MsiRecordClearData, MsiRecordDataSize, MsiRecordGetFieldCount, MsiRecordGetInteger, MsiRecordGetStringA, MsiRecordGetStringW, MsiRecordIsNull, MsiRecordReadStream, MsiRecordSetInteger, MsiRecordSetStreamA, MsiRecordSetStreamW, MsiRecordSetStringA, MsiRecordSetStringW, MsiReinstallFeatureA, MsiReinstallFeatureFromDescriptorA, MsiReinstallFeatureFromDescriptorW, MsiReinstallFeatureW, MsiReinstallProductA, MsiReinstallProductW, MsiRemovePatchesA, MsiRemovePatchesW, MsiSequenceA, MsiSequenceW, MsiSetComponentStateA, MsiSetComponentStateW, MsiSetExternalUIA, MsiSetExternalUIRecord, MsiSetExternalUIW, MsiSetFeatureAttributesA, MsiSetFeatureAttributesW, MsiSetFeatureStateA, MsiSetFeatureStateW, MsiSetInstallLevel, MsiSetInternalUI, MsiSetMode, MsiSetPropertyA, MsiSetPropertyW, MsiSetTargetPathA, MsiSetTargetPathW, MsiSourceListAddMediaDiskA, MsiSourceListAddMediaDiskW, MsiSourceListAddSourceA, MsiSourceListAddSourceExA, MsiSourceListAddSourceExW, MsiSourceListAddSourceW, MsiSourceListClearAllA, MsiSourceListClearAllExA, MsiSourceListClearAllExW, MsiSourceListClearAllW, MsiSourceListClearMediaDiskA, MsiSourceListClearMediaDiskW, MsiSourceListClearSourceA, MsiSourceListClearSourceW, MsiSourceListEnumMediaDisksA, MsiSourceListEnumMediaDisksW, MsiSourceListEnumSourcesA, MsiSourceListEnumSourcesW, MsiSourceListForceResolutionA, MsiSourceListForceResolutionExA, MsiSourceListForceResolutionExW, MsiSourceListForceResolutionW, MsiSourceListGetInfoA, MsiSourceListGetInfoW, MsiSourceListSetInfoA, MsiSourceListSetInfoW, 
MsiSummaryInfoGetPropertyA, MsiSummaryInfoGetPropertyCount, MsiSummaryInfoGetPropertyW, MsiSummaryInfoPersist, MsiSummaryInfoSetPropertyA, MsiSummaryInfoSetPropertyW, MsiUseFeatureA, MsiUseFeatureExA, MsiUseFeatureExW, MsiUseFeatureW, MsiVerifyDiskSpace, MsiVerifyPackageA, MsiVerifyPackageW, MsiViewClose, MsiViewExecute, MsiViewFetch, MsiViewGetColumnInfo, MsiViewGetErrorA, MsiViewGetErrorW, MsiViewModify

----------------------------------------------------

3. C:\WINDOWS\system32\SET196.tmp

Result: 0/36 (0.00%)
File SET196.tmp received on 08.23.2008 15:29:01 (CET)

Antivirus Version Last Update Result
AhnLab-V3 2008.8.21.0 2008.08.22 -
AntiVir 7.8.1.23 2008.08.23 -
Authentium 5.1.0.4 2008.08.23 -
Avast 4.8.1195.0 2008.08.22 -
AVG 8.0.0.161 2008.08.22 -
BitDefender 7.2 2008.08.23 -
CAT-QuickHeal 9.50 2008.08.22 -
ClamAV 0.93.1 2008.08.23 -
DrWeb 4.44.0.09170 2008.08.23 -
eSafe 7.0.17.0 2008.08.21 -
eTrust-Vet 31.6.6040 2008.08.22 -
Ewido 4.0 2008.08.23 -
F-Prot 4.4.4.56 2008.08.23 -
F-Secure 7.60.13501.0 2008.08.23 -
Fortinet 3.14.0.0 2008.08.23 -
GData 2.0.7306.1023 2008.08.20 -
Ikarus T3.1.1.34.0 2008.08.23 -
K7AntiVirus 7.10.425 2008.08.22 -
Kaspersky 7.0.0.125 2008.08.23 -
McAfee 5368 2008.08.22 -
Microsoft 1.3807 2008.08.23 -
NOD32v2 3381 2008.08.22 -
Norman 5.80.02 2008.08.22 -
Panda 9.0.0.4 2008.08.23 -
PCTools 4.4.2.0 2008.08.23 -
Prevx1 V2 2008.08.23 -
Rising 20.58.52.00 2008.08.23 -
Sophos 4.32.0 2008.08.23 -
Sunbelt 3.1.1571.1 2008.08.23 -
Symantec 10 2008.08.23 -
TheHacker 6.3.0.6.060 2008.08.23 -
TrendMicro 8.700.0.1004 2008.08.23 -
VBA32 3.12.8.4 2008.08.22 -
ViRobot 2008.8.22.1346 2008.08.22 -
VirusBuster 4.5.11.0 2008.08.23 -
Webwasher-Gateway 6.6.2 2008.08.23 -
Additional information
File size: 713216 bytes
MD5...: 694503348b586e99d56c0e30ab5b3ef8
SHA1..: c7c0702f8ee09d5d5da9b9a2995e41b15622e619
SHA256: 53a0c2604574058f1520d8f0805f1247b15bb0e00a5b5bafe027c702d55e5076
SHA512: eba119342bfdb071fd0a96b95e66f7be3e7699f1390633648f01e84bfbab36cf
890de23e7845be0fb687cf29e7ab6004beccaa30891f6f43083e648dda26af8a
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x7e745310
timedatestamp.....: 0x4802a11a (Mon Apr 14 00:11:06 2008)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x98cfc 0x98e00 6.57 13d1470731a39db360ab83b76e3a3cd1
.data 0x9a000 0x27a8 0x2800 1.10 ad4c7f6274d3d67f43b271a2ec411938
.rsrc 0x9d000 0x9638 0x9800 4.49 cd9b30b92484d00565863b3bbc10bb84
.reloc 0xa7000 0x8e58 0x9000 6.54 90b3e5be2aaa257c699b1df8fab34e54

( 4 imports )

( 30 exports )

---------------------------------------------

4. C:\WINDOWS\system32\SET38F.tmp

File SET38F.tmp received on 08.23.2008 15:39:26 (CET)

Result: 0/36 (0%)

Antivirus Version Last Update Result
AhnLab-V3 2008.8.21.0 2008.08.22 -
AntiVir 7.8.1.23 2008.08.23 -
Authentium 5.1.0.4 2008.08.23 -
Avast 4.8.1195.0 2008.08.22 -
AVG 8.0.0.161 2008.08.22 -
BitDefender 7.2 2008.08.23 -
CAT-QuickHeal 9.50 2008.08.22 -
ClamAV 0.93.1 2008.08.23 -
DrWeb 4.44.0.09170 2008.08.23 -
eSafe 7.0.17.0 2008.08.21 -
eTrust-Vet 31.6.6040 2008.08.22 -
Ewido 4.0 2008.08.23 -
F-Prot 4.4.4.56 2008.08.23 -
F-Secure 7.60.13501.0 2008.08.23 -
Fortinet 3.14.0.0 2008.08.23 -
GData 2.0.7306.1023 2008.08.20 -
Ikarus T3.1.1.34.0 2008.08.23 -
K7AntiVirus 7.10.425 2008.08.22 -
Kaspersky 7.0.0.125 2008.08.23 -
McAfee 5368 2008.08.22 -
Microsoft 1.3807 2008.08.23 -
NOD32v2 3382 2008.08.23 -
Norman 5.80.02 2008.08.22 -
Panda 9.0.0.4 2008.08.23 -
PCTools 4.4.2.0 2008.08.23 -
Prevx1 V2 2008.08.23 -
Rising 20.58.52.00 2008.08.23 -
Sophos 4.32.0 2008.08.23 -
Sunbelt 3.1.1575.1 2008.08.23 -
Symantec 10 2008.08.23 -
TheHacker 6.3.0.6.060 2008.08.23 -
TrendMicro 8.700.0.1004 2008.08.23 -
VBA32 3.12.8.4 2008.08.22 -
ViRobot 2008.8.22.1346 2008.08.22 -
VirusBuster 4.5.11.0 2008.08.23 -
Webwasher-Gateway 6.6.2 2008.08.23 -
Additional information
File size: 1082368 bytes
MD5...: f5b754cdea20bbb3a31e16a776ede6d6
SHA1..: ae8c6716967b384f4d74e42ab0a7c483c66a3217
SHA256: c5d682fa9b86810c6e3d741e507eda024c4554beb5b6a1686f70e109ee9cd746
SHA512: e6f648316419bd8900c2976e6066d8e36a63bd397ef35a2d9f35011dc52c437c
3a9aca9e46c965c0703c29410903e25ee2a9e21f64d8a1c74a1a5f1a0e4d1005
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x606b12dd
timedatestamp.....: 0x4802a0df (Mon Apr 14 00:10:07 2008)
machinetype.......: 0x14c (I386)

( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0xec2a2 0xec400 6.70 7c5b4161f682958fb84ee32703c160e0
.data 0xee000 0x7698 0x6000 2.23 0d9ce34febdfc29060e4d8fe9e88175a
cachelin 0xf6000 0x600 0x200 0.00 bf619eac0cdf3f68d496ea9344137e8b
.rsrc 0xf7000 0xd8c0 0xda00 3.40 afde9090107bde7f09fe870aa2fdc348
.reloc 0x105000 0x7ef4 0x8000 6.76 e02618193678d582c29b83ea98c8437a

( 4 imports )

( 173 exports )


----------------------------------------------------

5. C:\WINDOWS\system32\SET2E5.tmp

File SET326.tmp received on 08.23.2008 15:26:19 (CET)
Current status: finished

Result: 0/36 (0.00%)

Antivirus Version Last Update Result
AhnLab-V3 2008.8.21.0 2008.08.22 -
AntiVir 7.8.1.23 2008.08.23 -
Authentium 5.1.0.4 2008.08.23 -
Avast 4.8.1195.0 2008.08.22 -
AVG 8.0.0.161 2008.08.22 -
BitDefender 7.2 2008.08.23 -
CAT-QuickHeal 9.50 2008.08.22 -
ClamAV 0.93.1 2008.08.23 -
DrWeb 4.44.0.09170 2008.08.23 -
eSafe 7.0.17.0 2008.08.21 -
eTrust-Vet 31.6.6040 2008.08.22 -
Ewido 4.0 2008.08.23 -
F-Prot 4.4.4.56 2008.08.23 -
F-Secure 7.60.13501.0 2008.08.23 -
Fortinet 3.14.0.0 2008.08.23 -
GData 2.0.7306.1023 2008.08.20 -
Ikarus T3.1.1.34.0 2008.08.23 -
K7AntiVirus 7.10.425 2008.08.22 -
Kaspersky 7.0.0.125 2008.08.23 -
McAfee 5368 2008.08.22 -
Microsoft 1.3807 2008.08.23 -
NOD32v2 3381 2008.08.22 -
Norman 5.80.02 2008.08.22 -
Panda 9.0.0.4 2008.08.23 -
PCTools 4.4.2.0 2008.08.23 -
Prevx1 V2 2008.08.23 -
Rising 20.58.52.00 2008.08.23 -
Sophos 4.32.0 2008.08.23 -
Sunbelt 3.1.1571.1 2008.08.23 -
Symantec 10 2008.08.23 -
TheHacker 6.3.0.6.060 2008.08.23 -
TrendMicro 8.700.0.1004 2008.08.23 -
VBA32 3.12.8.4 2008.08.22 -
ViRobot 2008.8.22.1346 2008.08.22 -
VirusBuster 4.5.11.0 2008.08.23 -
Webwasher-Gateway 6.6.2 2008.08.23 -
Additional information
File size: 2843136 bytes
MD5...: d3f72d50de53f9f1f55240115af4d42e
SHA1..: 27591ee4bc2970090d421423e771ec51e46b6a41
SHA256: f8831b6b33ee2ee49615ae45a81c8434e154331beb1e64c491e64c1348314f3c
SHA512: f7c21142aff7d2ea27e35c84834c9527f47f0cecae386105b7088b156af34b53
dc280e41626af5f470ad1913fa1e4043aa2a36df9a1259b453978d050ee17134
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x7d1ee769
timedatestamp.....: 0x4802a15a (Mon Apr 14 00:12:10 2008)
machinetype.......: 0x14c (I386)

( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.orpc 0x1000 0x128 0x200 3.73 10aad703cca73fad7eac7a5d343ea8cc
.text 0x2000 0x1b1462 0x1b1600 6.20 50ddbb8ebfe5486b248c957e8806cd1a
.data 0x1b4000 0xbb78 0x9400 2.63 82d181b26b92bccd297ab1730347f713
.rsrc 0x1c0000 0xeed70 0xeee00 4.48 a14c0d5e9d985a8ca973b9555c32ddfa
.reloc 0x2af000 0xc2b8 0xc400 6.74 8fd75eb1c62c1f8640ee741db6490898

( 7 imports )

( 281 exports )


-----------------------------------------------------

6. C:\WINDOWS\system32\SET1D5.tmp

File SET196.tmp received on 08.23.2008 15:29:01 (CET)
Current status: finished

Result: 0/36 (0.00%)
Antivirus Version Last Update Result
AhnLab-V3 2008.8.21.0 2008.08.22 -
AntiVir 7.8.1.23 2008.08.23 -
Authentium 5.1.0.4 2008.08.23 -
Avast 4.8.1195.0 2008.08.22 -
AVG 8.0.0.161 2008.08.22 -
BitDefender 7.2 2008.08.23 -
CAT-QuickHeal 9.50 2008.08.22 -
ClamAV 0.93.1 2008.08.23 -
DrWeb 4.44.0.09170 2008.08.23 -
eSafe 7.0.17.0 2008.08.21 -
eTrust-Vet 31.6.6040 2008.08.22 -
Ewido 4.0 2008.08.23 -
F-Prot 4.4.4.56 2008.08.23 -
F-Secure 7.60.13501.0 2008.08.23 -
Fortinet 3.14.0.0 2008.08.23 -
GData 2.0.7306.1023 2008.08.20 -
Ikarus T3.1.1.34.0 2008.08.23 -
K7AntiVirus 7.10.425 2008.08.22 -
Kaspersky 7.0.0.125 2008.08.23 -
McAfee 5368 2008.08.22 -
Microsoft 1.3807 2008.08.23 -
NOD32v2 3381 2008.08.22 -
Norman 5.80.02 2008.08.22 -
Panda 9.0.0.4 2008.08.23 -
PCTools 4.4.2.0 2008.08.23 -
Prevx1 V2 2008.08.23 -
Rising 20.58.52.00 2008.08.23 -
Sophos 4.32.0 2008.08.23 -
Sunbelt 3.1.1571.1 2008.08.23 -
Symantec 10 2008.08.23 -
TheHacker 6.3.0.6.060 2008.08.23 -
TrendMicro 8.700.0.1004 2008.08.23 -
VBA32 3.12.8.4 2008.08.22 -
ViRobot 2008.8.22.1346 2008.08.22 -
VirusBuster 4.5.11.0 2008.08.23 -
Webwasher-Gateway 6.6.2 2008.08.23 -
Additional information
File size: 713216 bytes
MD5...: 694503348b586e99d56c0e30ab5b3ef8
SHA1..: c7c0702f8ee09d5d5da9b9a2995e41b15622e619
SHA256: 53a0c2604574058f1520d8f0805f1247b15bb0e00a5b5bafe027c702d55e5076
SHA512: eba119342bfdb071fd0a96b95e66f7be3e7699f1390633648f01e84bfbab36cf
890de23e7845be0fb687cf29e7ab6004beccaa30891f6f43083e648dda26af8a
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x7e745310
timedatestamp.....: 0x4802a11a (Mon Apr 14 00:11:06 2008)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x98cfc 0x98e00 6.57 13d1470731a39db360ab83b76e3a3cd1
.data 0x9a000 0x27a8 0x2800 1.10 ad4c7f6274d3d67f43b271a2ec411938
.rsrc 0x9d000 0x9638 0x9800 4.49 cd9b30b92484d00565863b3bbc10bb84
.reloc 0xa7000 0x8e58 0x9000 6.54 90b3e5be2aaa257c699b1df8fab34e54

( 4 imports )
> ADVAPI32.dll: ElfReportEventW, ElfRegisterEventSourceW, RegDeleteKeyW, ElfDeregisterEventSource, RegEnumValueW, CryptGetHashParam, CryptCreateHash, CryptHashData, CryptAcquireContextW, CryptReleaseContext, RegQueryValueExW, RegOpenKeyExW, RegEnumKeyExW, CryptDestroyHash, RegQueryInfoKeyW, RegCloseKey, RegDeleteValueW, RegSetValueExW, RegCreateKeyExW, CryptDestroyKey, CryptExportKey
> KERNEL32.dll: LoadLibraryW, IsDebuggerPresent, OutputDebugStringA, GetProcessHeap, SearchPathW, FormatMessageW, GetTickCount, GetSystemTimeAsFileTime, GetProcAddress, FreeLibrary, InterlockedCompareExchange, LoadLibraryA, HeapFree, HeapCreate, HeapDestroy, HeapAlloc, GetLastError, RaiseException, GetCurrentProcessId, GetCurrentThreadId, DeleteCriticalSection, InitializeCriticalSection, GetModuleHandleW, QueryActCtxW, FindActCtxSectionGuid, GetCurrentActCtx, FindActCtxSectionStringW, AddRefActCtx, SetFileAttributesW, FindClose, InterlockedIncrement, InterlockedDecrement, MultiByteToWideChar, FindFirstFileW, SetLastError, FindNextFileW, CreateDirectoryW, GetFileAttributesW, MoveFileExW, ExpandEnvironmentStringsW, GetFileSize, CloseHandle, UnmapViewOfFile, CreateFileW, CreateFileMappingW, MapViewOfFile, DeleteFileW, RemoveDirectoryW, LeaveCriticalSection, EnterCriticalSection, ReadFile, Sleep, GetFileSizeEx, LocalAlloc, SetFilePointerEx, WriteFile, GetFileAttributesExW, lstrlenW, GetVolumeInformationW, GetDriveTypeW, FormatMessageA, GetModuleFileNameW, GetModuleHandleA, ResetEvent, WaitForMultipleObjects, ReadDirectoryChangesW, CreateEventW, GetSystemInfo, InterlockedExchange, GetUserDefaultLangID, QueryPerformanceCounter, GetUserDefaultUILanguage, GetCurrentProcess, SetEvent, WaitForSingleObject, QueueUserWorkItem, GetShortPathNameW, InitializeCriticalSectionAndSpinCount, LoadLibraryExW, GetFullPathNameW, GetVolumePathNameW, GetTimeFormatW, GetDateFormatW, FileTimeToSystemTime, SetErrorMode, GetLogicalDriveStringsW, WriteConsoleA, GetStdHandle, TlsSetValue, GetCommandLineA, GetVersionExA, TlsFree, TlsGetValue, TlsAlloc, SetHandleCount, GetFileType, GetStartupInfoA, GetModuleFileNameA, UnhandledExceptionFilter, GetACP, GetOEMCP, GetCPInfo, IsBadReadPtr, IsBadWritePtr, IsBadCodePtr, WideCharToMultiByte, GetLocaleInfoA, GetStringTypeA, GetStringTypeW, LCMapStringA, LCMapStringW, FlushFileBuffers, SetFilePointer, VirtualProtect, VirtualQuery, SetStdHandle, 
GetLocaleInfoW, DelayLoadFailureHook, GetFileInformationByHandle, GetSystemDefaultUILanguage, SizeofResource, LockResource, LoadResource, FindResourceExW, EnumResourceNamesW, LocalFree
> ntdll.dll: RtlHashUnicodeString, RtlExpandEnvironmentStrings_U, NtAllocateLocallyUniqueId, _ui64tow, NtQueryVirtualMemory, RtlNtStatusToDosError, NtQueryDebugFilterState, _snprintf, _vsnprintf, wcscat, RtlGetFrame, RtlFindCharInUnicodeString, bsearch, RtlCompareUnicodeString, RtlSetLastWin32ErrorAndNtStatusFromNtStatus, NtDeleteKey, RtlUnhandledExceptionFilter, _lfind, _i64tow, _wcsnicmp, wcsstr, _snwprintf, wcsncpy, sprintf, wcsrchr, memmove, qsort, swprintf, _vsnwprintf, _ftol, RtlUpcaseUnicodeChar, RtlNtStatusToDosErrorNoTeb, _wcsicmp, wcsspn, wcscspn, RtlDetermineDosPathNameType_U, wcschr, vDbgPrintExWithPrefix, RtlDowncaseUnicodeChar, wcscpy, wcslen, RtlPopFrame, RtlPushFrame, RtlInterlockedPushEntrySList, RtlInterlockedPopEntrySList, RtlInitializeSListHead, RtlFirstEntrySList, RtlUnwind
> USER32.dll: RegisterWindowMessageW, SetThreadDesktop, DialogBoxParamW, UnregisterDeviceNotification, PostMessageA, EndDialog, GetWindowRect, OpenInputDesktop, MessageBoxW, LoadStringW, SetDlgItemTextW, GetDlgItemTextW, RegisterDeviceNotificationA, FlashWindowEx, SetForegroundWindow, MoveWindow, GetSystemMetrics

( 30 exports )
CreateAssemblyCache, CreateAssemblyNameObject, SxsBeginAssemblyInstall, SxsEndAssemblyInstall, SxsFindClrClassInformation, SxsFindClrSurrogateInformation, SxsGenerateActivationContext, SxsInstallAssemblyW, SxsInstallW, SxsLookupClrGuid, SxsOleAut32MapConfiguredClsidToReferenceClsid, SxsOleAut32MapIIDOrCLSIDToTypeLibrary, SxsOleAut32MapIIDToProxyStubCLSID, SxsOleAut32MapIIDToTLBPath, SxsOleAut32MapReferenceClsidToConfiguredClsid, SxsOleAut32RedirectTypeLibrary, SxsProbeAssemblyInstallation, SxsProtectionGatherEntriesW, SxsProtectionNotifyW, SxsProtectionPerformScanNow, SxsProtectionUserLogoffEvent, SxsProtectionUserLogonEvent, SxsQueryManifestInformation, SxsRunDllInstallAssembly, SxsRunDllInstallAssemblyW, SxsUninstallW, SxspGenerateManifestPathOnAssemblyIdentity, SxspGeneratePolicyPathOnAssemblyIdentity, SxspRunDllDeleteDirectory, SxspRunDllDeleteDirectoryW
Roc 65 is offline  
Old 08-26-2008, 11:35 PM   #33 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
 
Join Date: Jun 2006
Location: USA
Posts: 7,405
OS: XP SP3


Re: heur trojan mess - Cannot Update OS - SP3 cannot find CLBCATQ dll's

Hi,
Quote:
More good news. Kaspersky ran.
Quote:
Also, I ran ESET and nothing was found
Good news indeed. But the bad news is that you have some infected mail in your Outlook STF Files in G and H drives, but Kaspersky is unable to give the detail. In other words, no idea which mails are infected. These are most likely some mails with attachments or links in them. You may have to go through them and have the ones with attachments or links scanned individually by your resident antivirus AVG8. Please do not click on any links or attachments though; you may get re-infected.

Always remember to re-enable your resident antivirus after the online scans. AVG8 still appears to be disabled in your last HijackThis log.

Quote:
still get the combo-fix error on start-up.
That will stop when we uninstall Combofix shortly.

Are you still unable to install the recovery console?
__________________
My services are free. However, you can donate to TSF to help keep it running.




Member of ASAP since 2005
Member of UNITE since 2006
amateur is offline  
Old 08-27-2008, 10:59 AM   #34 (permalink)
Registered User
 
Join Date: Jan 2008
Posts: 51
OS: Windows XP sp3


Re: heur trojan mess - Cannot Update OS - SP3 cannot find CLBCATQ dll's

Quote:
you have some infected mail in your Outlook STF Files in G and H drives
I have deleted the Outlook PST files from G and H drives. I assume you meant pst and not stf.

I saw that C drive also had an infection of the PST file. I am going to start the long process of going thru all email.



Quote:
Are you still unable to install the recovery console?
I am not sure what Microsoft download to use. Previously I selected the SP-2 file, but now I have updated to SP3. Would you point me to the right file to download and drag-drop onto combofix?
Roc 65 is offline  
Old 08-27-2008, 01:18 PM   #35 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
 
Join Date: Jun 2006
Location: USA
Posts: 7,405
OS: XP SP3


Re: heur trojan mess - Cannot Update OS - SP3 cannot find CLBCATQ dll's

Hi,

Yes, I meant the PST Files. You'll also need to go through the inbox folder.

C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{6BE14ADF-BF41-4394-B992-563A028010C1}\Microsoft\Outlook Express\Inbox.dbx
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Outlook\Creazzo.pst
G:\Outlook PST Files\Creazzo.pst
H:\Outlook PST Files\Creazzo.pst

Quote:
I am not sure what Microsoft download to use. Previously I selected the SP-2 file, but now I have updated to SP3. Would you point me to the right file to download and drag-drop onto combofix?
The SP2 package can also be used for SP3.
__________________
My services are free. However, you can donate to TSF to help keep it running.




Member of ASAP since 2005
Member of UNITE since 2006
amateur is offline  
Old 08-28-2008, 05:08 PM   #36 (permalink)
Registered User
 
Join Date: Jan 2008
Posts: 51
OS: Windows XP sp3


Re: heur trojan mess - Cannot Update OS - SP3 cannot find CLBCATQ dll's

Hi,

OK, I deleted the files I didn't need:

C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{6BE14ADF-BF41-4394-B992-563A028010C1}\Microsoft\Outlook Express\Inbox.dbx
G:\Outlook PST Files\Creazzo.pst
H:\Outlook PST Files\Creazzo.pst

....and Kaspersky scanned the one I need after deleting many emails:

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Outlook\Creazzo.pst

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Wednesday, August 27, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Thursday, August 28, 2008 02:09:21
Records in database: 1152630
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - File:
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Outlook\Creazzo.pst

Scan statistics:
Files scanned: 1
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 00:01:22

No malware has been detected. The scan area is clean.

The selected area was scanned.
=====================================

Recovery Console finally installed! The combofix log.txt is too large to post here. Would you like me to attach it or just post portions or?

Thanks....
Roc 65 is offline  
Old 08-28-2008, 09:35 PM   #37 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
 
Join Date: Jun 2006
Location: USA
Posts: 7,405
OS: XP SP3


Re: heur trojan mess - Cannot Update OS - SP3 cannot find CLBCATQ dll's

Hi,

Looks like you cleaned them all, and Kaspersky is not reporting any infected mail anymore in the location it scanned, but I would like you to scan the Outlook Express inbox too:

C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{6BE14ADF-BF41-4394-B992-563A028010C1}\Microsoft\Outlook Express\Inbox.dbx


Good to hear that you have the recovery console installed too. Well done.

Quote:
The combofix log.txt is too large to post here. Would you like me to attach it or just post portions or?
Try zipping and attaching it.
__________________
My services are free. However, you can donate to TSF to help keep it running.




Member of ASAP since 2005
Member of UNITE since 2006
amateur is offline  
Old 08-29-2008, 09:03 AM   #38 (permalink)
Registered User
 
Join Date: Jan 2008
Posts: 51
OS: Windows XP sp3


Re: heur trojan mess - Cannot Update OS - SP3 cannot find CLBCATQ dll's

Hi,

Quote:
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{6BE14ADF-BF41-4394-B992-563A028010C1}\Microsoft\Outlook Express\Inbox.dbx
, does not exist. I no longer use Outlook Express, just the standard Outlook. I did find:

C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{A1234.....CF9F}\Microsoft\Outlook Express\Inbox.dbx (and others like 'outbox') and deleted them as well.

Are there other Outlook files I need to scan?


I have zipped and attached combofix

Also, there have been recent intrusions on my machine that were caught by AVG. I have attached an AVG Vault snapshot of the three recent attacks.
Attached Images
File Type: bmp recent intrusions caught by AVG.bmp (330.5 KB, 2 views)
Attached Files
File Type: zip combofix log.zip (74.3 KB, 1 views)
Roc 65 is offline  
Old 08-29-2008, 12:46 PM   #39 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
 
Join Date: Jun 2006
Location: USA
Posts: 7,405
OS: XP SP3


Re: heur trojan mess - Cannot Update OS - SP3 cannot find CLBCATQ dll's

Hi,

All is looking good. The combofix.txt was big because of all the files updated with SP3.

Quote:
Quote:
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{6BE14ADF-BF41-4394-B992-563A028010C1}\Microsoft\Outlook Express\Inbox.dbx
, does not exist. I no longer use Outlook Express, just the standard Outlook.
Oh, yes you said you deleted it. Never mind that.

==========================

Quote:
Also, there have been recent intrusions on my machine that were caught by AVG. I have attached an AVG Vault snapshot of the three recent attacks.
One entry is in the Temporary Internet Files folder, and the rest are in the System Restore cache which we'll be taking care of shortly.
So, nothing to be concerned about.

==========================

Please delete the following files and folders:

The following files belong to the old Turbotax programs I mentioned earlier. It's up to you to keep them or delete them:

C:\Program Files\data2.cab
C:\Program Files\layout.bin
C:\Program Files\data1.hdr
C:\Program Files\setup.ini
C:\Program Files\setup.boot
C:\Program Files\setup.inx
C:\Program Files\data1.cab
C:\Program Files\fditxf.1ph
C:\Program Files\comfed.1ph
C:\Program Files\fdiimb.1ph
C:\Program Files\fdiofx.1ph
C:\Program Files\bustax.thp
C:\Program Files\bustax.scd
C:\Program Files\tax.thp
C:\Program Files\tax.scd
C:\Program Files\license.txt
C:\Program Files\autorun.exe
C:\Program Files\ttax.ico
C:\Program Files\autorun.ini
C:\Program Files\cdrun.exe
C:\Program Files\engine32.cab
C:\Program Files\Setup.exe
C:\Program Files\os.dat


C:\Program Files\Uniblue\RegistryBooster 2 <=== or you can delete the Uniblue folder if there isn't anything else in it that you'd like to keep.

===========================

There's a leftover registry entry for Symantec firewall. Make sure that TeaTimer is still disabled.

Open notepad. It must be notepad, not wordpad.
Copy and paste the text inside the code box below into notepad, including the blank line at the end. Make sure that wordwrap is turned off in notepad - click the format menu and uncheck wordwrap.
Choose file save as and set file type to all files.
Type fixreg.reg in the file name and save it to your desktop. It should look like this:

Quote:
REGEDIT4

[-HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
Make sure there are NO blank lines before REGEDIT4
Make sure there IS one blank line at the end of the file.

Close notepad. Make sure that all windows are closed.

Find the fixreg.reg file on your desktop.
Double click it.
It will then ask if you want the file merged to your registry.
Answer yes.

Reboot your computer.

==============================

This may be a good time to clean all the cookies & temp files and defrag the system drive.

You already have Ccleaner installed. Please update it and run the cleaner. Do NOT use the Registry section. It's meant for professionals and it may cripple the system if used wrongly.

To open Disk Defragmenter, click Start, point to All Programs, point to Accessories, point to System Tools, and then click Disk Defragmenter. Use Analyze to determine if your system needs to be defragmented. Please select Defragment if it does.

===========================

Please post a fresh HijackThis log and let me know how things are now.
__________________
My services are free. However, you can donate to TSF to help keep it running.




Member of ASAP since 2005
Member of UNITE since 2006

Last edited by amateur; 08-30-2008 at 12:51 PM.
amateur is offline  
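A small validator for the kind of fix file described in the post above, added here as an example and not taken from the post or from any tool the helper uses: it checks that the REGEDIT4 header is on the very first line, that exactly one blank line ends the file, and lists which keys the merge would delete or write so the file can be reviewed before it is double-clicked. The sample .reg text is constructed from the SymantecFirewall key quoted in the post; accepting the newer "Windows Registry Editor Version 5.00" header as well is my assumption, not something the post states.

```python
"""Validate and summarise a .reg fix file before merging it into the registry."""
import re
from dataclasses import dataclass, field

# Header lines regedit accepts (the post uses REGEDIT4; the 5.00 header is assumed).
HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
# [HKEY...] writes/creates a key, [-HKEY...] deletes it (the post's fix uses the latter).
KEY_RE = re.compile(r"^\[(-?)(HKEY_[A-Za-z_]+(?:\\.+)?)\]$")
# "name"=data or @=data; data of "-" deletes the value instead of writing it.
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


@dataclass
class RegFix:
    errors: list = field(default_factory=list)
    deleted_keys: list = field(default_factory=list)
    written_keys: list = field(default_factory=list)
    deleted_values: list = field(default_factory=list)   # (key, value name)
    written_values: list = field(default_factory=list)   # (key, value name, raw data)

    @property
    def ok(self) -> bool:
        return not self.errors


def parse_reg_fix(text: str) -> RegFix:
    """Apply the post's two format rules, then collect every operation in the file."""
    fix = RegFix()
    body = text.replace("\r\n", "\n")
    lines = body.split("\n")
    # Rule 1: the header must be the first line, so no blank line may precede it.
    if lines[0] not in HEADERS:
        fix.errors.append("first line must be REGEDIT4 (no blank lines before it)")
    # Rule 2: exactly one blank line at the end, i.e. the text ends with two newlines.
    if not body.endswith("\n\n"):
        fix.errors.append("file must end with one blank line")
    elif body.endswith("\n\n\n"):
        fix.errors.append("more than one blank line at the end of the file")
    current = None
    for lineno, line in enumerate(lines[1:], start=2):
        if not line.strip() or line.startswith(";"):
            continue
        m = KEY_RE.match(line)
        if m:
            minus, key = m.groups()
            if minus:
                fix.deleted_keys.append(key)
                current = None       # value lines after a deletion make no sense
            else:
                fix.written_keys.append(key)
                current = key
            continue
        v = VALUE_RE.match(line)
        if v and current is not None:
            name = v.group(1) if v.group(1) is not None else "@"
            if v.group(2) == "-":
                fix.deleted_values.append((current, name))
            else:
                fix.written_values.append((current, name, v.group(2)))
            continue
        fix.errors.append(f"line {lineno}: unrecognised line {line!r}")
    return fix


# Constructed sample: the fix from the post, saved by Notepad with CRLF line ends.
SAMPLE_FIX = (
    "REGEDIT4\r\n\r\n"
    "[-HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Monitoring\\SymantecFirewall]\r\n"
    "\r\n"
)

if __name__ == "__main__":
    result = parse_reg_fix(SAMPLE_FIX)
    print("format ok:", result.ok, result.errors)
    print("keys deleted:", result.deleted_keys)
    print("keys written:", result.written_keys)
```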
Old 08-31-2008, 11:31 AM   #40 (permalink)
Registered User
 
Join Date: Jan 2008
Posts: 51
OS: Windows XP sp3


Re: heur trojan mess - Cannot Update OS - SP3 cannot find CLBCATQ dll's

Hello,

OK files and folders indicated above have been deleted, except...
I use spyeraser as a spyware scanner occasionally. It seems to do a decent job. Do you think I should delete it?
Registry booster has been deleted.

Fixreg executed.

CCLeaner cleaned.

Defrag done - I use PerfectDisk instead of windows defrag, hope that's ok.

Machine seems to run fine now. I just need to get off this h/d that's about to die. That will be my next project after we're through.

Hijackthis log.......

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:23:25 AM, on 8/31/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\PerfectDisk2008\PD91Agent.exe
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O8 - Extra context menu item: Open with WordPerfect - c:\Program Files\Corel\WordPerfect Office X4\Programs\WPLauncher.hta
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.com/nos_dl_manager...EGetPlugin.ocx
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1093930840796
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1124160269328
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD44/JSCDL/...ws-i586-jc.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PD91Agent - Raxco Software, Inc. - C:\Program Files\PerfectDisk2008\PD91Agent.exe
O23 - Service: PD91Engine - Raxco Software, Inc. - C:\Program Files\PerfectDisk2008\PD91Engine.exe
O23 - Service: PD91VMDefrag - Raxco Software, Inc. - C:\Program Files\PerfectDisk2008\PD91VMDefrag.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 6118 bytes
Roc 65 is offline  
Copyright 2001 - 2009, Tech Support Forum