Old 11-13-2008, 09:51 PM   #1 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 34
OS: XP


Virus Suspected - Computer slow and programs closing unexpectedly

Hello,

My computer (XP Op system) has been running slowly for about a month. Programs are constantly closing unexpectedly (especially Yahoo Messenger and Gmail email notifier). Many times IE won't even open. I have AT&T Yahoo DSL which provides online protection (anti-spyware, anti-virus, pop-up blocker), but it doesn't detect anything.

Last week I ran a virus remover program that supposedly removed a couple of Trojan viruses, but now I notice similarly named files are back in my C:\WINDOWS\system32 folder (__c008D1F2.dat and __c002224A.dat), which I suspect are new Trojan viruses, but they cannot be deleted - Access is denied.

Please help me get my computer back! Thank you for helping!

Here is my dds report:


DDS (Version 1.0) - NTFSx86
Run by HP_Administrator at 23:36:15.50 on Thu 11/13/2008
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1982.1351 [GMT -5:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\SBCLIG~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\Playskool\MADE FOR ME Software\HbDetect.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
c:\windows\system\hpsysdrv.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\DISC\DISCover.exe
C:\Program Files\DISC\DiscUpdMgr.exe
C:\Program Files\DISC\DiscStreamHub.exe
C:\Documents and Settings\HP_Administrator\Desktop\gmer.exe
C:\Documents and Settings\HP_Administrator\Desktop\dds.scr

============== Psuedo HJT Report ===============

uStart Page = hxxp://cm.my.yahoo.com/
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
BHO: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
BHO: {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\WebHelper.dll
BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\4.1.805.4472\swg.dll
BHO: {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - c:\program files\yahoo!\browser\YSidebarIEBHO.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
TB: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Yahoo! Pager] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [Weather] c:\program files\aws\weatherbug\Weather.exe 1
uRun: [HbDetect.exe] c:\program files\playskool\made for me software\HbDetect.exe
uRun: [A00F59DDC49.exe] c:\docume~1\hp_adm~1\locals~1\temp\_A00F59DDC49.exe
uRun: [A00F5A5A803.exe] c:\docume~1\hp_adm~1\locals~1\temp\_A00F5A5A803.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [AlwaysReady Power Message APP] ARPWRMSG.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [DMAScheduler] "c:\program files\hp digitalmedia archive\DMAScheduler.exe"
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [<NO NAME>]
mRun: [PCDrProfiler]
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [YBrowser] c:\progra~1\yahoo!\browser\ybrwicon.exe
mRun: [Motive SmartBridge] c:\progra~1\sbclig~1\smartb~1\MotiveSB.exe
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [CaAvTray] "c:\program files\yahoo!\antivirus\CAVTray.exe"
mRun: [CAVRID] "c:\program files\yahoo!\antivirus\CAVRID.exe"
mRun: [YOP] c:\progra~1\yahoo!\yop\yop.exe /autostart
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop elements 6.0\apdproxy.exe"
mRun: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] c:\program files\google\gmail notifier\gnotify.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~2.lnk - c:\windows\installer\{00000409-78e1-11d2-b60f-006097c998e7}\outicon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\update~1.lnk - c:\program files\updates from hp\9972322\program\Updates from HP.exe
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: c:\windows\system32\VetRedir.dll
Notify: __c002224A - c:\windows\system32\__c002224A.dat
Notify: __c00280F1 - c:\windows\system32\__c00280F1.dat
Notify: __c0069664 - c:\windows\system32\__c0069664.dat
Notify: __c008D1F2 - c:\windows\system32\__c008D1F2.dat
Notify: __c009B5E0 - c:\windows\system32\__c009B5E0.dat
Notify: __c00CC610 - c:\windows\system32\__c00CC610.dat

============= SERVICES / DRIVERS ===============

R2 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6;c:\program files\adobe\photoshop elements 6.0\PhotoshopElementsFileAgent.exe

=============== Created Last 30 ================

2008-11-13 23:21 250 a------- c:\windows\gmer.ini
2008-11-11 19:58 455,296 -------- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-11 19:57 1,106,944 -------- c:\windows\system32\dllcache\msxml3.dll
2008-10-29 20:27 25,088 a------- c:\windows\system32\__c008D1F2.dat
2008-10-29 20:27 25,088 a------- c:\windows\system32\__c002224A.dat
2008-10-29 13:42 <DIR> --d----- c:\windows\system32\NtmsData
2008-10-28 08:35 663 a------- C:\xcrashdump.dat
2008-10-26 10:19 35,328 a------- c:\windows\system32\~.exe
2008-10-24 00:32 337,408 -------- c:\windows\system32\dllcache\netapi32.dll
2008-10-18 11:28 56 a---h--- c:\windows\system32\ezsidmv.dat
2008-10-18 11:24 <DIR> --d----- c:\program files\Skype
2008-10-15 11:40 <DIR> --d----- c:\windows\BBSTORE
2008-10-15 11:40 <DIR> --d----- c:\program files\The Learning Company
2008-10-15 11:39 0 a------- c:\windows\SETUP32.INI
2008-10-15 06:10 333,824 -------- c:\windows\system32\dllcache\srv.sys
2008-10-15 06:10 1,846,400 -------- c:\windows\system32\dllcache\win32k.sys
2008-10-15 06:09 2,189,184 -------- c:\windows\system32\dllcache\ntoskrnl.exe
2008-10-15 06:09 2,145,280 -------- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-10-15 06:09 2,066,048 -------- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-10-15 06:09 2,023,936 -------- c:\windows\system32\dllcache\ntkrpamp.exe

==================== Find3M ====================

2008-11-08 12:02 <DIR> --d----- c:\docume~1\hp_adm~1\applic~1\Move Networks
2008-11-06 12:08 <DIR> --d----- c:\program files\HP
2008-11-03 15:10 <DIR> --d----- c:\docume~1\hp_adm~1\applic~1\WeatherBug
2008-10-28 22:45 <DIR> --d----- c:\program files\GemMaster
2008-10-15 11:47 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Digital Interactive Systems Corporation
2008-09-30 16:43 1,286,152 a------- c:\windows\system32\msxml4.dll
2008-09-15 07:12 1,846,400 a------- c:\windows\system32\win32k.sys
2008-09-09 20:14 1,307,648 a------- c:\windows\system32\msxml6.dll
2008-09-09 20:14 1,307,648 -------- c:\windows\system32\dllcache\msxml6.dll
2008-09-04 12:15 1,106,944 a------- c:\windows\system32\msxml3.dll
2008-08-20 00:30 3,067,904 -------- c:\windows\system32\dllcache\mshtml.dll
2008-08-20 00:30 619,520 -------- c:\windows\system32\dllcache\urlmon.dll
2008-08-20 00:30 666,112 a------- c:\windows\system32\wininet.dll
2008-08-20 00:30 1,499,136 -------- c:\windows\system32\dllcache\shdocvw.dll
2008-08-20 00:30 666,112 -------- c:\windows\system32\dllcache\wininet.dll
2008-08-19 16:52 92,947 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-04-09 16:51 <DIR> --d----- c:\docume~1\hp_adm~1\applic~1\Download Manager
2008-03-28 09:42 <DIR> --d----- c:\docume~1\hp_adm~1\applic~1\Snapfish
2008-03-11 13:51 <DIR> --d----- c:\docume~1\alluse~1\applic~1\espionServerData
2008-01-14 20:58 <DIR> --d----- c:\docume~1\hp_adm~1\applic~1\Playskool
2007-12-19 23:01 <DIR> --d----- c:\docume~1\alluse~1\applic~1\WildTangent
2007-10-10 22:11 <DIR> --d----- c:\docume~1\hp_adm~1\applic~1\WinBatch
2007-09-11 23:01 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Symantec
2007-09-11 22:53 <DIR> --d----- c:\docume~1\alluse~1\applic~1\CA
2007-09-10 20:03 <DIR> --d----- c:\docume~1\hp_adm~1\applic~1\HPQ
2006-08-24 02:17 <DIR> --d----- c:\docume~1\hp_adm~1\applic~1\Intuit
2006-08-24 02:17 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Intuit
2006-08-24 01:56 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SBSI

============= FINISH: 23:36:37.04 ===============
Attached Files
File Type: txt Gmer.txt (15.2 KB, 1 views)
File Type: zip Attach.zip (3.0 KB, 2 views)
scoricha is offline  

Old 11-14-2008, 06:02 AM   #2 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 24,355
OS: N/A


Re: Virus Suspected - Computer slow and programs closing unexpectedly

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/comb...o-use-combofix

Download & save ComboFix to your Desktop but don't run it yet
Open notepad and copy/paste the text in the quotebox below into it:

Code:
File::
c:\windows\system32\__c008D1F2.dat
c:\windows\system32\__c002224A.dat
C:\xcrashdump.dat
c:\windows\system32\~.exe
c:\windows\system32\ezsidmv.dat

DDS::
uRun: [A00F59DDC49.exe] c:\docume~1\hp_adm~1\locals~1\temp\_A00F59DDC49.exe
uRun: [A00F5A5A803.exe] c:\docume~1\hp_adm~1\locals~1\temp\_A00F5A5A803.exe
mRun: [<NO NAME>]
Notify: __c002224A - c:\windows\system32\__c002224A.dat
Notify: __c00280F1 - c:\windows\system32\__c00280F1.dat
Notify: __c0069664 - c:\windows\system32\__c0069664.dat
Notify: __c008D1F2 - c:\windows\system32\__c008D1F2.dat
Notify: __c009B5E0 - c:\windows\system32\__c009B5E0.dat
Notify: __c00CC610 - c:\windows\system32\__c00CC610.dat

Save this as "CFScript"





Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you, C:\ComboFix.txt.


------------



Using Internet Explorer, visit http://www.kaspersky.com/kos/eng/par...avwebscan.html

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.



  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan


---------------


In your next post, please include logs from:
  1. Online scan
  2. ComboFix's log
Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now
sUBs is offline  
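
The triage behind the CFScript in the post above, as an added example that is not part of the original thread and is not DDS or ComboFix code: a small parser that flags autostart lines in a DDS log for analyst review. The rule names, the `triage` function and the three heuristics are this example's assumptions (DDS `Notify:` lines list Winlogon notification packages, which are normally DLLs); the sample lines are copied from the log in post #1.

```python
import re
from typing import List, NamedTuple

# Constructed sample: a subset of lines copied from the DDS log in post #1.
SAMPLE_DDS = r"""
uRun: [Yahoo! Pager] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [A00F59DDC49.exe] c:\docume~1\hp_adm~1\locals~1\temp\_A00F59DDC49.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [<NO NAME>]
mRun: [PCDrProfiler]
LSP: c:\windows\system32\VetRedir.dll
Notify: __c002224A - c:\windows\system32\__c002224A.dat
Notify: __c008D1F2 - c:\windows\system32\__c008D1F2.dat
"""


class Finding(NamedTuple):
    rule: str    # short rule id (hypothetical names, defined by this example)
    entry: str   # the DDS line that triggered the rule
    reason: str  # why an analyst should look at it


# "uRun:" = per-user Run key, "mRun:" = machine-wide Run key.
RUN_RE = re.compile(r"^[um]Run: \[(?P<name>.*?)\]\s*(?P<cmd>.*)$")
NOTIFY_RE = re.compile(r"^Notify: (?P<name>\S+) - (?P<path>.+)$")
# Per-user temp directory in long or 8.3 short form, or via environment variable.
TEMP_RE = re.compile(r"\\(?:locals~1|local settings)\\temp\\|%te?mp%", re.IGNORECASE)


def triage(dds_text: str) -> List[Finding]:
    """Return the autostart lines worth a closer look, in log order."""
    findings: List[Finding] = []
    for raw in dds_text.splitlines():
        line = raw.strip()

        m = RUN_RE.match(line)
        if m:
            cmd = m.group("cmd").strip()
            if not cmd:
                # A Run value with nothing to launch: leftover or tampered entry.
                findings.append(Finding("run-empty", line, "Run value has no command"))
            elif TEMP_RE.search(cmd):
                # Installed software does not normally start from a temp folder.
                findings.append(Finding("run-from-temp", line,
                                        "autostart launches from a temp directory"))
            continue

        m = NOTIFY_RE.match(line)
        if m and not m.group("path").lower().endswith(".dll"):
            # Notification packages are loaded as DLLs by Winlogon; a .dat
            # target is a module hiding behind a data-file extension.
            findings.append(Finding("notify-not-dll", line,
                                    "Winlogon Notify target is not a .dll"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"[{f.rule}] {f.entry}\n    -> {f.reason}")
```

The output is a review list, not a removal list: every flagged line still needs a person to confirm it before it goes into a script such as the one above.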
Old 11-14-2008, 08:56 AM   #3 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 34
OS: XP


Re: Virus Suspected - Computer slow and programs closing unexpectedly

Hello, thanks for your response. I am already having problems - sorry! I cannot drag the CFScript.txt file into the ComboFix.exe icon. It just sits on top of it, but isn't deposited inside it. Thanks again for your help!
scoricha is offline  
Old 11-14-2008, 09:09 AM   #4 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 24,355
OS: N/A


Re: Virus Suspected - Computer slow and programs closing unexpectedly

Drag cfscript to the ComboFix icon. When you see the ComboFix icon change color, release your mouse click.
sUBs is offline  
Old 11-14-2008, 09:20 AM   #5 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 34
OS: XP


Re: Virus Suspected - Computer slow and programs closing unexpectedly

Yes, I tried and it will not go into the ComboFix icon. Is there another way to do this? Thank you.
scoricha is offline  
Old 11-14-2008, 01:18 PM   #6 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 34
OS: XP


Re: Virus Suspected - Computer slow and programs closing unexpectedly

Hello, I could not get the CFScript file icon to drag and drop into the ComboFix icon, but here is the Kaspersky Online Scan Report, below. I will try to restart my computer in Safe Mode with Networking to download the ComboFix program again. Hopefully this works.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Friday, November 14, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, November 14, 2008 15:18:08
Records in database: 1384926
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan statistics:
Files scanned: 139778
Threat name: 3
Infected objects: 36
Suspicious objects: 0
Duration of the scan: 01:51:11


File name / Threat name / Threats count
C:\WINDOWS\system32\__c002224A.dat/C:\WINDOWS\system32\__c002224A.dat Infected: Trojan-Downloader.Win32.Agent.ansp 22
C:\Documents and Settings\HP_Administrator\Application Data\Yahoo!\Mail\attach\__c00280F1.dat Infected: Trojan-Downloader.Win32.Agent.ansp 1
C:\Documents and Settings\HP_Administrator\Application Data\Yahoo!\Mail\attach\__c009B5E0.dat Infected: Trojan-Downloader.Win32.Agent.ansp 1
C:\Documents and Settings\HP_Administrator\Application Data\Yahoo!\Mail\attach\__c00BF5E4.dat Infected: Trojan-Downloader.Win32.Agent.ansp 1
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Microsoft\Outlook\outlook.pst Infected: Trojan-Downloader.Win32.Agent.ansp 3
C:\Documents and Settings\HP_Administrator\Local Settings\Temp\sst_inst.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b 2
C:\WINDOWS\system32\__c002224A.dat Infected: Trojan-Downloader.Win32.Agent.ansp 1
C:\WINDOWS\system32\__c008D1F2.dat Infected: Trojan-Downloader.Win32.Agent.ansp 1
D:\I386\APPS\APP24364\src\CompaqPresario_Spring06.exe Infected: not-a-virus:AdWare.Win32.WeatherBug.a 2
D:\I386\APPS\APP24364\src\HPPavillion_Spring06.exe Infected: not-a-virus:AdWare.Win32.WeatherBug.a 2

The selected area was scanned.
scoricha is offline  
Old 11-16-2008, 11:49 PM   #7 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 24,355
OS: N/A


Re: Virus Suspected - Computer slow and programs closing unexpectedly

Please double click on ComboFix.exe to run it
sUBs is offline  
Old 11-17-2008, 08:30 AM   #8 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 34
OS: XP


Re: Virus Suspected - Computer slow and programs closing unexpectedly

Thank you for your response. I ran the ComboFix (see the log below). My firewall kept trying to block it from running, so I had to disable the firewall while I ran it. The computer seems to be running okay when I am on the internet (IE), but many programs are still closing on their own (Yahoo! Messenger, Gmail notifier, Outlook, etc.). Thanks again for your help!

Here's the Combo Fix log:

ComboFix 08-11-16.05 - HP_Administrator 2008-11-17 9:24:32.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1512 [GMT -5:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
c:\windows\IE4 Error Log.txt
c:\windows\system32\__c002224A.dat
c:\windows\system32\__c008D1F2.dat
C:\xcrashdump.dat
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-10-17 to 2008-11-17 )))))))))))))))))))))))))))))))
.

2008-11-14 15:23 . 2008-11-14 15:23 <DIR> d---s---- c:\documents and settings\Administrator\UserData
2008-11-14 08:41 . 2008-11-14 08:41 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\Comodo
2008-11-14 01:11 . 2008-11-14 01:11 <DIR> d-------- c:\program files\COMODO
2008-11-14 01:11 . 2008-11-14 08:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\comodo
2008-11-14 01:11 . 2008-11-14 01:11 143,096 --a------ c:\windows\system32\guard32.dll
2008-11-14 01:11 . 2008-11-14 01:11 99,856 --a------ c:\windows\system32\drivers\cmdguard.sys
2008-11-14 01:11 . 2008-11-14 01:11 31,504 --a------ c:\windows\system32\drivers\cmdhlp.sys
2008-11-13 23:21 . 2008-11-13 23:21 250 --a------ c:\windows\gmer.ini
2008-11-11 19:58 . 2008-10-24 06:21 455,296 --------- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-11 19:57 . 2008-09-04 12:15 1,106,944 --------- c:\windows\system32\dllcache\msxml3.dll
2008-10-29 14:16 . 2008-10-29 16:55 <DIR> d-------- c:\windows\BDOSCAN8
2008-10-29 13:42 . 2008-11-14 09:48 <DIR> d-------- c:\windows\system32\NtmsData
2008-10-29 09:01 . 2008-10-29 20:28 <DIR> d-------- c:\documents and settings\All Users\Application Data\TEMP
2008-10-24 00:32 . 2008-10-15 11:34 337,408 --------- c:\windows\system32\dllcache\netapi32.dll
2008-10-18 11:28 . 2008-10-28 07:50 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\skypePM
2008-10-18 11:28 . 2008-10-18 11:28 56 --ah----- c:\windows\system32\ezsidmv.dat
2008-10-18 11:24 . 2008-10-28 13:36 <DIR> d-------- c:\program files\Skype
2008-10-18 11:24 . 2008-10-28 13:36 <DIR> d-------- c:\documents and settings\All Users\Application Data\Skype

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-16 20:54 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2008-11-08 17:02 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\Move Networks
2008-11-06 17:08 --------- d-----w c:\program files\HP
2008-11-06 17:07 --------- d-----w c:\program files\Hewlett-Packard
2008-10-29 14:42 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\Yahoo!
2008-10-29 03:45 --------- d-----w c:\program files\GemMaster
2008-10-24 11:21 455,296 ------w c:\windows\system32\drivers\mrxsmb.sys
2008-10-15 16:47 --------- d-----w c:\documents and settings\All Users\Application Data\Digital Interactive Systems Corporation
2008-10-15 16:40 --------- d-----w c:\program files\The Learning Company
2008-09-30 21:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-15 12:12 1,846,400 ------w c:\windows\system32\dllcache\win32k.sys
2008-09-10 01:14 1,307,648 ----a-w c:\windows\system32\msxml6.dll
2008-09-10 01:14 1,307,648 ------w c:\windows\system32\dllcache\msxml6.dll
2008-09-08 10:41 333,824 ------w c:\windows\system32\dllcache\srv.sys
2008-09-04 17:15 1,106,944 ----a-w c:\windows\system32\msxml3.dll
2008-08-20 05:30 666,112 ----a-w c:\windows\system32\wininet.dll
2008-08-20 05:30 666,112 ------w c:\windows\system32\dllcache\wininet.dll
2008-08-20 05:30 619,520 ------w c:\windows\system32\dllcache\urlmon.dll
2008-08-20 05:30 3,067,904 ------w c:\windows\system32\dllcache\mshtml.dll
2008-08-20 05:30 1,499,136 ------w c:\windows\system32\dllcache\shdocvw.dll
2007-01-19 01:21 150 ----a-w c:\documents and settings\HP_Administrator\Application Data\wklnhst.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-06-07 4670968]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-13 68856]
"HbDetect.exe"="c:\program files\Playskool\MADE FOR ME Software\HbDetect.exe" [2006-10-26 65536]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-05-09 7311360]
"DMAScheduler"="c:\program files\HP DigitalMedia Archive\DMAScheduler.exe" [2006-04-13 90112]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-22 237568]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-08-24 180269]
"YBrowser"="c:\progra~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 129536]
"Motive SmartBridge"="c:\progra~1\SBCLIG~1\SMARTB~1\MotiveSB.exe" [2003-12-10 380928]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 517768]
"CaAvTray"="c:\program files\Yahoo!\Antivirus\CAVTray.exe" [2007-09-11 230512]
"CAVRID"="c:\program files\Yahoo!\Antivirus\CAVRID.exe" [2007-09-11 185456]
"YOP"="c:\progra~1\Yahoo!\YOP\yop.exe" [2006-07-21 407032]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 6.0\apdproxy.exe" [2007-10-02 67488]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="c:\program files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 479232]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2008-11-14 1797880]
"ftutil2"="ftutil2.dll" [2004-06-07 c:\windows\system32\ftutil2.dll]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-13 c:\windows\RTHDCPL.EXE]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-02 c:\windows\arpwrmsg.exe]
"nwiz"="nwiz.exe" [2006-05-09 c:\windows\system32\nwiz.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Outlook.lnk - c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\outicon.exe [2007-09-13 104960]
Updates From HP.lnk - c:\program files\Updates from HP\9972322\Program\Updates from HP.exe [2006-08-24 36903]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= c:\windows\system32\guard32.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\DISC\\DISCover.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\Program Files\\DISC\\myFTP.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Adobe\\Photoshop Elements 6.0\\AdobePhotoshopElementsMediaServer.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\DRIVERS\cmdguard.sys [2008-11-14 99856]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\DRIVERS\cmdhlp.sys [2008-11-14 31504]
R2 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6;c:\program files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe [2007-10-02 124832]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-HPBootOp - c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe
HKLM-Run-PCDrProfiler - (no file)
Notify-__c002224A - c:\windows\system32\__c002224A.dat
Notify-__c00280F1 - c:\windows\system32\__c00280F1.dat
Notify-__c0069664 - c:\windows\system32\__c0069664.dat
Notify-__c008D1F2 - c:\windows\system32\__c008D1F2.dat
Notify-__c009B5E0 - c:\windows\system32\__c009B5E0.dat
Notify-__c00CC610 - c:\windows\system32\__c00CC610.dat


.
------- Supplementary Scan -------
.
uStart Page = hxxp://cm.my.yahoo.com/
uSearch Page = hxxp://www.google.com
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
LSP: c:\windows\system32\VetRedir.dll

O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd

c:\windows\Downloaded Program Files\ewidoOnlineScan.dll - O16 -: {193C772A-87BE-4B19-A7BB-445B226FE9A1}
hxxp://downloads.ewido.net/ewidoOnlineScan.cab

c:\windows\system32\unicows.dll - c:\windows\Downloaded Program Files\ImageUploader5.ocx
O16 -: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3}
hxxp://www.winkflash.com/photo/loaders/ImageUploader5.cab
c:\windows\Downloaded Program Files\ImageUploader5.inf
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-17 09:34:42
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\arservice.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Yahoo!\Antivirus\iSafe.exe
c:\program files\COMODO\COMODO Internet Security\cmdagent.exe
c:\windows\system32\CTSVCCDA.exe
c:\windows\system32\DVDRAMSV.exe
c:\windows\ehome\ehrecvr.exe
c:\progra~1\Yahoo!\browser\ycommon.exe
c:\windows\ehome\ehSched.exe
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\program files\Yahoo!\Antivirus\VetMsg.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\ehome\ehmsas.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-11-17 9:41:27 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-17 14:41:07

Pre-Run: 204,910,080,000 bytes free
Post-Run: 207,120,961,536 bytes free

183 --- E O F --- 2008-11-12 01:03:20
scoricha is offline  
Old 11-17-2008, 05:39 PM   #9 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 24,355
OS: N/A


Re: Virus Suspected - Computer slow and programs closing unexpectedly

Comodo looks like a new addition to your machine. It wasn't there in your first log. I suspect that it was Comodo interfering with your earlier ComboFix runs. While Comodo may be a respectable product, it is also a highly intrusive/invasive product. Your initial complaint stated ...
Quote:
My computer (XP Op system) has been running slowly for about a month. Programs are constantly closing unexpectedly (especially Yahoo Messenger and Gmail email notifier). Many times IE won't even open. I have AT&T Yahoo DSL which provides online protection (anti-spyware, anti-virus, pop-up blocker), but it doesn't detect anything.
Adding Comodo to the equation doesn't help. I bet the machine is even slower now. You would do well to be rid of it.

While we're on the subject of resource hogging applications, please tell me which is your security provider. I see entries for Symantec & CA Antivirus (Yahoo). Kindly take note that having more than one anti-virus program on your machine is not a good idea!! This messes up the machine pretty badly. Like firewalls, anti-virus programs have conflicts co-existing with each other & may produce undesirable results. Please uninstall ALL leaving only one of them.
sUBs is offline  
Old 11-17-2008, 09:55 PM   #10 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 34
OS: XP


Re: Virus Suspected - Computer slow and programs closing unexpectedly

Thank you for your response! CA Antivirus (Yahoo) is supposed to be my security provider, so I uninstalled Symantec, which I didn't realize was on my computer in the first place.

As far as the Comodo Firewall, yes you are correct, it is a new addition - I installed it because of the article "PC Safety and Security--What Do I Need?" on your website stressing the importance of having one. The computer doesn't really seem to be running more slowly with it, other than the prompts when trying to download a file. If I get rid of my Firewall, then what will be protecting my computer?

Also, have all the viruses been removed from my computer?

Thank you so much for all your help!
scoricha is offline  
Old 11-17-2008, 10:18 PM   #11 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 34
OS: XP


Re: Virus Suspected - Computer slow and programs closing unexpectedly

Hello - Just one more question regarding the Firewall issue. I did a little research and realized that my AT&T 2Wire Gateway has a firewall that is on. In addition my Windows XP also offers a Firewall, but it is turned off (probably because Comodo turned it off). So if I uninstall Comodo, should I also turn off the 2Wire Gateway or the Windows XP Firewall? Sorry, but I don't have a clue! Thanks for putting up with these stupid questions!
scoricha is offline  
Old 11-17-2008, 10:34 PM   #12 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 24,355
OS: N/A


Re: Virus Suspected - Computer slow and programs closing unexpectedly

Quote:
If I get rid of my Firewall, then what will be protecting my computer?
Better question is ... do you need a firewall?
How are you connected to the net? Are you behind a router with NAT?

Here's something you can use for reference. I live in a country where the ISP is inefficient at regulating security across the local networks. As a result of this, we are a renowned bot hotspot. I connect to the internet behind a router with NAT. I do not have a 3rd party firewall program installed on the machine. Instead I use the built in firewall provided by Windows. My machine loads faster & runs better. I have never experienced a bot incursion. Prior to installing Comodo, did you ever get infected by a bot?

Quote:
my AT&T 2Wire Gateway has a firewall that is on. In addition my Windows XP also offers a Firewall, but it is turned off (probably because Comodo turned it off). So if I uninstall Comodo, should I also turn off the 2Wire Gateway or the Windows XP Firewall?
The 2Wire Gateway's firewall is built into the router. It's a hardware based firewall. Very much unlike the software based solution provided by Comodo. Since you have uninstalled Comodo, I would advise that the built in Windows firewall be reactivated.

How is the machine behaving now?

Last edited by sUBs; 11-17-2008 at 10:37 PM.
sUBs is offline  
Old 11-18-2008, 08:39 AM   #13 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 34
OS: XP


Re: Virus Suspected - Computer slow and programs closing unexpectedly

Okay, I got rid of Comodo and am now using the Windows Firewall. As far as my router, I am not sure if it has NAT - how do I find this out? It is a 2Wire 2701HG-B Model.

The machine seems to be running great! Thank you so much for all your help!
scoricha is offline  
Old 11-18-2008, 08:42 AM   #14 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 24,355
OS: N/A


Re: Virus Suspected - Computer slow and programs closing unexpectedly

No need to check the router. If it has a hardware firewall built in, it shall have NAT too. Now that your system is clean, kindly follow these simple steps in order to keep your computer clean and secure:

  1. Uninstall ComboFix ... do not skip this step
    This process will perform some post cleanup measures.
    Do this by going to Start > Run & typing in ComboFix /u

  2. ANTIVIRUS SOFTWARE
    It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  3. Microsoft Windows Update - http://www.windowsupdate.com
    Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  4. SPYWAREBLASTER
    SpywareBlaster prevents the installation of malicious ActiveX, adware, browser hijackers, dialers, and other potentially unwanted software. Blocks spyware/tracking cookies & restricts the actions of potentially unwanted sites.

    Unlike other programs, SpywareBlaster does not have to remain running in the background. A tutorial on installing & using this product can be found here - http://www.bleepingcomputer.com/forums/tutorial49.html

Update all these programs regularly. Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically. Here are some additional utilities that will further enhance your safety.
  • http://www.trillian.cc - Trillian or http://www.miranda-im.com - Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

  • http://www.mozilla.org/products/firefox/ - Firefox - Use this alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.

  • http://java.com/en/index.jsp - Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.

  • http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT.

    ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively disables System Restore. With ERUNT, you're able to restore the damaged Registry.

    NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein - http://computercops.biz/postlite7736-.html

After doing all these, your system will be optimised against future threats.

It's okay to delete the Hijack This folder in a couple weeks if everything is working okay.
Have a safe & happy computing day.

Kindly respond to this thread once more so we can mark this thread as resolved.
sUBs is offline  
Old 11-19-2008, 12:45 PM   #15 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 34
OS: XP


Re: Virus Suspected - Computer slow and programs closing unexpectedly

The computer is working great - very fast and programs aren't closing suddenly either. Thank you so much!

I have followed your prevention Steps #1-4 and will start working on the others soon.

I can't thank you enough for all your help!
scoricha is offline  
 





All times are GMT -7. The time now is 06:55 PM.



Copyright 2001 - 2009, Tech Support Forum