Subject: hidr.exe and flec006.exe and exefld
Original Message
Name: sophia loscos
Date: September 2, 2007 at 11:16:05 Pacific
Subject: hidr.exe and flec006.exe and exefld
OS: win xp pro sp zero
CPU/Ram: 600MHz 256pc133
Comment: hello
need help here, i'm not joking, i mean i like really really need help here....
1) i can't log into the windows account "without" selecting "boot from last known good config" - if i try a normal boot i get a blue screen "windows stopped loading to prevent damage to your pc" - if i boot in safe mode, the pc hangs on agp440.sys
2) i can't install anything: programs, anti virus - when i try, the .exe file just disappears (programs like winamp or opera etc... any installer basically) - avg, avast, spybot, adaware ALL fail/crash during install
i have found these really nasty things on my pc....
C:\WINDOWS\system32\drivers\hidr.exe
C:\Documents and Settings\user\Application Data\m\flac006.exe
C:\WINDOWS\exefld\random numbers.exe (like 234450.exe and 964634.exe)
maybe there are also things that i haven't found :(
i have searched the net for sites with removal solutions but the registry entries that are used in the removal process are NOT in the registry in said places, i.e.
flac006.exe writes the registry entry:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run mule_st_key = "%Application Data%\m\flec006.exe"
this entry IS NOT in my registry
the same goes for the other two (hidr and exefld) with respect to unfound registry entries where instructed by removal instructions
other strange things are each time the connection is made to the internet, the page file is active for around five minutes
a copy of internet explorer loads in the process tree with NO browser window being produced
this 100M dsl line is going slower than normal
other than all this i am fine >.<
and how are you guys doing?
please, any help here would be well, you know
thanks
sophia
Response Number 1
Name: sophia loscos
Date: September 2, 2007 at 11:19:28 Pacific
Subject: hidr.exe and flec006.exe and exefld
Reply: oh yeah, the funny thing was i ran an online scan at trend .com (one of the sites that listed the flac006.exe) and it didn't find it, or any other nasty stuff. strange eh?
Response Number 3
Name: sophia loscos
Date: September 2, 2007 at 11:37:40 Pacific
Subject: hidr.exe and flec006.exe and exefld
Reply: XpUser4Real, hi
sorry, i should have said hangs and then restarts when i try safe mode
i am trying http://www.spywareinfo.com/xscan.php now
i will post results
hey thanks for this :) as you can probably imagine, i am not such a happy chicken at the moment >.<
sophia
Response Number 6
Name: jabuck
Date: September 2, 2007 at 11:44:19 Pacific
Subject: hidr.exe and flec006.exe and exefld
Reply: Most likely it is this virus, W32.Bagle.iz, and it has disabled safe mode. Please download ComboFix to the desktop from this link:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Double-click combofix.exe and follow the prompts. (Don't click on the window while the program is running; it may cause your system to hang.)
Please post the log it produces.
Then, please download and install the latest version of HijackThis v2.0.2 so cleanup can be done and so other spyware may be detected.
Download the HijackThis Installer from this link: HijackThis
1. Save "HJTInstall.exe" to your desktop.
2. Double click on HJTInstall.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
Response Number 8
Name: sophia loscos
Date: September 2, 2007 at 12:02:41 Pacific
Subject: hidr.exe and flec006.exe and exefld
Reply: hello jabuck and welcome to my world of pain >.<
anyway
YAY!!!!!! i have just rebooted in normal mode so i am guessing that i can/could now boot in safe mode too
XpUser4Real, i ran the scan using "open" not "download"
will follow instructions now for "ComboFix" and post results
you know, you two are starting to put a smile back on my face.... that may sound a bit pathetic but what can i say, it's true!!!
thanks bucket loads for your time and effort helping the world in the fight against these nasty things
Response Number 10
Name: sophia loscos
Date: September 2, 2007 at 12:27:46 Pacific
Subject: hidr.exe and flec006.exe and exefld
Reply: log report....
ComboFix 07-08-30.3 - "userpc" 2007-09-03 4:11:10.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.141 [GMT 9:00]
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\WINDOWS\system32\drivers\hidr.exe
C:\WINDOWS\system32\drivers\srosa.sys
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
-------\LEGACY_SROSA
-------\nm
-------\srosa
((((((((((((((((((((((((( Files Created from 2007-08-02 to 2007-09-02 )))))))))))))))))))))))))))))))
2007-09-03 04:09 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-09-01 07:33 2,042,240 --a--c--- C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2007-09-01 05:34 <DIR> d-------- C:\DOCUME~1\user\DoctorWeb
2007-09-01 05:06 <DIR> d--h----- C:\DOCUME~1\user\APPLIC~1\m
2007-09-01 01:02 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-09-01 01:02 94,416 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-09-01 01:02 92,848 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-09-01 01:02 783,224 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-09-01 01:02 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-09-01 01:02 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-09-01 01:02 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-08-31 06:47 13 C:\DOCUME~1\ALLUSE~1\APPLIC~1\UYAŽ3113>.sys
2007-08-31 06:46 61,440 --a------ C:\WINDOWS\system32\libfaac.dll
2007-08-31 06:46 53,248 --a------ C:\WINDOWS\system32\ogg.dll
2007-08-31 06:46 36,864 --a------ C:\WINDOWS\system32\DGRip.dll
2007-08-31 06:46 36,352 --a------ C:\WINDOWS\system32\MP2enc.dll
2007-08-31 06:46 220,160 --a------ C:\WINDOWS\system32\WnASPI32.dll
2007-08-31 06:46 172,032 --a------ C:\WINDOWS\system32\lame_enc.dll
2007-08-31 06:46 1,163,264 --a------ C:\WINDOWS\system32\vorbis.dll
2007-08-31 06:46 1,015,808 --a------ C:\WINDOWS\system32\vorbisenc.dll
2007-08-31 06:46 <DIR> d-------- C:\Program Files\CoffeeCup Software
2007-08-31 03:38 164,862 --a------ C:\WINDOWS\Intellimapper-Basic Uninstaller.exe
2007-08-31 03:38 <DIR> d-------- C:\Program Files\Intellimapper-Basic
2007-08-29 05:27 24,084 --ah----- C:\WINDOWS\system32\mlfcache.dat
2007-08-27 21:27 212,992 --a------ C:\WINDOWS\ALCHUNIN.EXE
2007-08-20 18:57 <DIR> d-------- C:\Program Files\Google
2007-08-20 18:13 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2007-08-15 15:49 <DIR> d-------- C:\DOCUME~1\user\APPLIC~1\Sony
2007-08-15 13:17 <DIR> d-------- C:\Program Files\MixMeister BPM Analyzer
2007-08-15 06:39 <DIR> d-------- C:\Program Files\TagRename
2007-08-15 06:23 73,216 --a------ C:\WINDOWS\ST6UNST.EXE
2007-08-15 06:23 249,856 --------- C:\WINDOWS\Setup1.exe
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-09-01 2OCUME~1\user\APPLIC~1\Skype
2007-09-01 1rogram Files\mIRC
2007-09-01 0rogram Files\InstallShield Installation Information
2007-08-30 1rogram Files\Netscape
2007-08-28 2rogram Files\Vstplugins
2007-08-15 0rogram Files\Winamp
2007-08-01 14:52 720896 --a------ C:\WINDOWS\iun6002.exe
2007-07-12 1rogram Files\Microsoft ActiveSync
2007-07-04 1rogram Files\AC3Filter
C:\DOCUME~1\ALLUSE~1\APPLIC~1\ÙÝÃÄ3113›.sys
((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) *Note* empty entries & legit default entries are not shown
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-29 12:41]
"mule_st_key"="C:\Documents and Settings\user\Application Data\m\flec006.exe" [2007-09-03 01:54]
SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system] @="Driver Group"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\RpcSs] @="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys] @="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}] @="DiskDrive"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}] @="Hdc"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}] @="Keyboard"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}] @="Mouse"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}] @="System"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}] @="Volume"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Babylon Client] C:\Program Files\Babylon\Babylon-Pro\Babylon.exe -AutoStart
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hldrrr] C:\WINDOWS\System32\hldrrr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "RasMan"=3 (0x3) "Messenger"=2 (0x2) "helpsvc"=2 (0x2) "ERSvc"=2 (0x2)
R1 BUFADPT;BUFADPT;\??\C:\WINDOWS\System32\BUFADPT.SYS
R3 maestro;ESS Maestro Audio Driver (WDM);C:\WINDOWS\System32\drivers\es198x.sys
R3 U2KG54L;BUFFALO WLI-U2-KG54L Wireless LAN Driver;C:\WINDOWS\System32\DRIVERS\U2KG54L.sys
R3 WmBEnum;Logitech Virtual Bus Enumerator Driver;C:\WINDOWS\System32\drivers\WmBEnum.sys
R3 WmXlCore;Logitech WingMan Translation Layer Driver;C:\WINDOWS\System32\drivers\WmXlCore.sys
S3 PsSdk30;PsSdk30;\??\C:\WINDOWS\System32\Drivers\PsSdk30.drv
S3 WmFilter;Logitech Gaming HID Filter Driver;C:\WINDOWS\System32\drivers\WmFilter.sys
S3 WmVirHid;Logitech Virtual Hid Device Driver;C:\WINDOWS\System32\drivers\WmVirHid.sys
**************************************************************************
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-03 04:17:22
Windows 5.1.2600 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
**************************************************************************
Completion time: 2007-09-03 4:21:18 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-03 04:20
--- E O F ---
Response Number 11
Name: sophia loscos
Date: September 2, 2007 at 12:34:08 Pacific
Subject: hidr.exe and flec006.exe and exefld
Reply: hijack this log report....
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 04:31:19, on 03/09/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Tablet.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Documents and Settings\user\Application Data\m\flec006.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\MSDXM.OCX
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [mule_st_key] C:\Documents and Settings\user\Application Data\m\flec006.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe (file missing)
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
-- End of file - 2517 bytes
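The log above is what jabuck asked for, and the entry that matters in it is the O4 Run value pointing into Application Data. As an added example (not code from this thread or from HijackThis), here is the triage a helper does by eye, written out: parse the O4 Run entries, flag any whose executable lives under a user profile, and raise the severity when that binary is also in the running-process list. The sample log is constructed from a few lines of the posted one.

```python
import re

# Constructed sample in HijackThis v2.0.2 log format, modelled on the log
# posted in this thread and trimmed to a few lines (not the full log).
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 04:31:19, on 03/09/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Documents and Settings\user\Application Data\m\flec006.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [mule_st_key] C:\Documents and Settings\user\Application Data\m\flec006.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
-- End of file - 2517 bytes
"""

# O4 Run-key lines look like: "O4 - <hive>\..\Run: [<value name>] <command line>"
O4_RE = re.compile(r'^O4 - (?P<hive>[^\s\[]+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# First executable in a command line, quoted or bare (bare paths may contain spaces)
PATH_RE = re.compile(r'^"?(?P<path>[^"]+?\.(?:exe|scr|com|bat|pif|dll))(?:"|\s|$)', re.I)
# XP-era user-profile roots, long and 8.3 short forms. Program Files and
# %SystemRoot% are deliberately absent, so only profile paths match.
PROFILE_RE = re.compile(r'\\(?:documents and settings|docume~1)\\', re.I)


def parse_running(log_text):
    """Return the lower-cased paths listed under 'Running processes:'."""
    procs = set()
    in_section = False
    for line in log_text.splitlines():
        if line.strip().lower() == "running processes:":
            in_section = True
            continue
        if in_section:
            if not line.strip():  # the section ends at the first blank line
                break
            procs.add(line.strip().lower())
    return procs


def parse_autoruns(log_text):
    """Return one dict per O4 Run entry with the executable path extracted."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        pm = PATH_RE.match(m.group("cmd"))
        entries.append({
            "hive": m.group("hive"),
            "name": m.group("name"),
            "cmd": m.group("cmd"),
            "path": pm.group("path") if pm else None,
        })
    return entries


def triage(log_text):
    """Flag Run-key autoruns that launch from a user profile.

    Severity is 'high' when the same binary is also in the running-process
    list (persistence plus an active process), otherwise 'medium'. Entries
    under Program Files or %SystemRoot% are left for manual review, which
    matches the advice above not to let HijackThis fix anything blindly.
    """
    running = parse_running(log_text)
    findings = []
    for e in parse_autoruns(log_text):
        path = e["path"]
        if path is None or not PROFILE_RE.search(path):
            continue
        active = path.lower() in running
        findings.append({
            "name": e["name"],
            "hive": e["hive"],
            "path": path,
            "severity": "high" if active else "medium",
            "reason": "Run-key autorun launches from a user profile"
                      + (" and the binary is currently running" if active else ""),
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['hive']} Run [{f['name']}] -> {f['path']}: {f['reason']}")
```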
Response Number 13
Name: sophia loscos
Date: September 2, 2007 at 12:46:44 Pacific
Subject: hidr.exe and flec006.exe and exefld
Reply: XpUser4Real, i don't use IE, i use mozilla firefox or, and mostly, opera
i haven't run any other scans yet
i have downloaded avg, spybot and adaware
the last time i tried to install these programs they crashed during the installer
should i try installing them now?
that combofix found another little blighter
"srosa.sys"
i wonder just how many things are on my pc
thanks bucket loads for your time here :)
sophia
Response Number 14
Name: jabuck
Date: September 2, 2007 at 14:25:58 Pacific
Subject: hidr.exe and flec006.exe and exefld
Reply: And you are still infected but it looks much better. Can you boot into safe mode using the F8 method? (Do not try any other method yet or you may get in a boot loop and have to format.)
Response Number 15
Name: sophia loscos
Date: September 2, 2007 at 16:21:03 Pacific
Subject: hidr.exe and flec006.exe and exefld
Reply: after following the advice from jabuck and XpUser4Real i can now boot the pc in windows "normal" mode
the scans found these nasty thingys, one of which (flec006.exe) is one of the worst viruses you can "catch" (technical security rating is 77%, dangerous)
xscan: http://www.spywareinfo.com/xscan.php
xscan has removed:
W32/Bagle.dm (causing system to fail "normal" boot up and safe mode boot up)
Spy-Agent.ak
combofix: http://download.bleepingcomputer.co...
combofix has removed:
C:\WINDOWS\system32\drivers\hidr.exe I Worm Beagle.XH
C:\WINDOWS\system32\drivers\srosa.sys Trojan Horse Downloader.Generic6.BEO
avg: http://free.grisoft.com/filedir/ins...
avg has removed:
C:\Documents and Settings\user\Application Data\m\flec006.exe Trojan.Lodeight.C
spybot: http://fileforum.betanews.com/sendf...
spybot has removed:
Alexa Data Miner
nothing else is being picked up
i have run all of the above processes again for a second time and the pc now "seems" clear
what can i say
a rose for you XpUser4Real @>---
a rose for you jabuck @>---
if you think that there are more things that i should do please please continue this thread
thank you both so very very much
sophia
note to admin: this thread could save others thanks to the great work from the above mentioned users.....please keep it for others to read
Response Number 16
Name: jabuck
Date: September 2, 2007 at 16:51:14 Pacific
Subject: hidr.exe and flec006.exe and exefld
Reply: I see a file that may represent a bug of sorts, this file from the combofix log: UYAŽ3113>.sys. Run Hijack This again, close all windows except Hijack This, place a check to the left of the following items and press "fix checked":
O4 - HKCU\..\Run: [mule_st_key] C:\Documents and Settings\user\Application Data\m\flec006.exe
Exit Hijack This.
Please download SDFix by AndyManchesta and save it to your desktop.
Please then reboot your computer in Safe Mode.
Once in Safe Mode, please do the following:
In Safe Mode, right-click the SDFix.zip folder and choose Extract All.
Open the extracted folder and double-click RunThis.bat to start the script.
Type Y to begin the script. It will remove the Trojan Services, then make some repairs to the registry and prompt you to press any key to Reboot.
Press any key and it will restart the PC. Your system will take longer than normal to restart as the fixtool will be running and removing files.
When the desktop loads the fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt into your next reply.
Then navigate to the following two files and delete them if found:
C:\Documents and Settings\user\Application Data\m\flec006.exe
C:\Documents and Settings\Allusers\Application Data\ÙÝÃÄ3113›.sys
Then navigate to and delete this folder if found:
C:\Documents and Settings\user\Application Data\m
Go to start>control panel>add/remove programs and uninstall this program if found:
CoffeeCup Web JukeBox
Then clean your system restore folder, as the virus probably copied itself there. To empty the restore folder: go to start>control panel>system>system restore tab>check the box beside "turn off system restore">apply (takes a minute)>ok. Go back and uncheck the box to turn system restore back on>apply>ok.
Response Number 17
Name: sophia loscos
Date: September 2, 2007 at 17:17:29 Pacific
Subject: hidr.exe and flec006.exe and exefld
Reply: oooh, something is still indeed amiss because the safe mode boot is the same as before, i.e. hangs on agp440.sys and then restarts the pc
so i still can't boot in safe mode
i thought that as i can now boot in "normal" mode, that safe mode would be the same
i have downloaded SDFix.zip but have not run it as you said to do this in safe mode
also, i haven't done any of the other things that you posted to do but will do said things where relevant on your signal
here is a hijackthis log after rebooting in "normal" mode
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:07:29, on 03/09/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\Tablet.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\MSDXM.OCX
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe (file missing)
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
-- End of file - 3234 bytes
Response Number 18
Name: jabuck
Date: September 2, 2007 at 17:31:40 Pacific
Subject: hidr.exe and flec006.exe and exefld
Reply: Do not try any other methods of entering safe mode other than F8. I will post a suggestion shortly.
Response Number 19
Name: sophia loscos
Date: September 2, 2007 at 17:42:00 Pacific
Subject: hidr.exe and flec006.exe and exefld
Reply: ok, no safe mode until instructed otherwise
here is another combofix log post scanning as carried out before by xscan, combofix, avg and spybot
i noticed this entry in the log;
SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.
ComboFix 07-08-30.3 - "userpc" 2007-09-03 9:29:54.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.92 [GMT 9:00]
((((((((((((((((((((((((( Files Created from 2007-08-03 to 2007-09-03 )))))))))))))))))))))))))))))))
2007-09-03 07:12 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-09-03 05:38 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-09-03 04:30 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-03 04:09 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-09-01 07:33 2,042,240 --a--c--- C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2007-09-01 05:34 <DIR> d-------- C:\DOCUME~1\user\DoctorWeb
2007-09-01 01:02 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-09-01 01:02 94,416 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-09-01 01:02 92,848 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-09-01 01:02 783,224 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-09-01 01:02 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-09-01 01:02 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-09-01 01:02 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-08-31 06:47 13 C:\DOCUME~1\ALLUSE~1\APPLIC~1\UYAŽ3113>.sys
2007-08-31 06:46 61,440 --a------ C:\WINDOWS\system32\libfaac.dll
2007-08-31 06:46 53,248 --a------ C:\WINDOWS\system32\ogg.dll
2007-08-31 06:46 36,864 --a------ C:\WINDOWS\system32\DGRip.dll
2007-08-31 06:46 36,352 --a------ C:\WINDOWS\system32\MP2enc.dll
2007-08-31 06:46 220,160 --a------ C:\WINDOWS\system32\WnASPI32.dll
2007-08-31 06:46 172,032 --a------ C:\WINDOWS\system32\lame_enc.dll
2007-08-31 06:46 1,163,264 --a------ C:\WINDOWS\system32\vorbis.dll
2007-08-31 06:46 1,015,808 --a------ C:\WINDOWS\system32\vorbisenc.dll
2007-08-31 06:46 <DIR> d-------- C:\Program Files\CoffeeCup Software
2007-08-31 03:38 164,862 --a------ C:\WINDOWS\Intellimapper-Basic Uninstaller.exe
2007-08-31 03:38 <DIR> d-------- C:\Program Files\Intellimapper-Basic
2007-08-29 05:27 24,084 --ah----- C:\WINDOWS\system32\mlfcache.dat
2007-08-27 21:27 212,992 --a------ C:\WINDOWS\ALCHUNIN.EXE
2007-08-20 18:57 <DIR> d-------- C:\Program Files\Google
2007-08-20 18:13 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2007-08-15 15:49 <DIR> d-------- C:\DOCUME~1\user\APPLIC~1\Sony
2007-08-15 13:17 <DIR> d-------- C:\Program Files\MixMeister BPM Analyzer
2007-08-15 06:39 <DIR> d-------- C:\Program Files\TagRename
2007-08-15 06:23 73,216 --a------ C:\WINDOWS\ST6UNST.EXE
2007-08-15 06:23 249,856 --------- C:\WINDOWS\Setup1.exe
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-09-03 0rogram Files\mIRC
2007-09-01 2OCUME~1\user\APPLIC~1\Skype
2007-09-01 0rogram Files\InstallShield Installation Information
2007-08-30 1rogram Files\Netscape
2007-08-28 2rogram Files\Vstplugins
2007-08-15 0rogram Files\Winamp
2007-08-01 14:52 720896 --a------ C:\WINDOWS\iun6002.exe
2007-07-12 1rogram Files\Microsoft ActiveSync
2007-07-04 1rogram Files\AC3Filter
C:\DOCUME~1\ALLUSE~1\APPLIC~1\ÙÝÃÄ3113›.sys
((((((((((((((((((((((((((((( snapshot_2007-09-03_ 41901.87 )))))))))))))))))))))))))))))))))))))))))
----a-w 12,359 2007-09-03 00:05:48 C:\WINDOWS\system32\tablet.dat
----a-w 16,384 2007-09-03 00:05:47 C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
------w 32,768 2007-09-03 00:05:47 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
------w 49,152 2007-09-03 00:05:47 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
----a-w 821,536 2007-09-02 20:09:34 C:\WINDOWS\system32\drivers\avg7core.sys
----a-w 4,224 2007-09-02 20:09:42 C:\WINDOWS\system32\drivers\avg7rsw.sys
----a-w 27,776 2007-09-02 20:09:44 C:\WINDOWS\system32\drivers\avg7rsxp.sys
----a-w 3,968 2007-09-02 20:09:46 C:\WINDOWS\system32\drivers\avgclean.sys
----a-w 19,904 2007-09-02 20:09:45 C:\WINDOWS\system32\drivers\avgmfx86.sys
----a-w 4,960 2007-09-02 20:09:45 C:\WINDOWS\system32\drivers\avgtdi.sys
----a-w 12,359 2007-09-02 19:16:47 C:\WINDOWS\system32\tablet.dat
----a-w 16,384 2007-09-02 19:16:38 C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
------w 32,768 2007-09-02 19:16:38 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
------w 49,152 2007-09-02 19:16:38 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) *Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-09-03 05:08]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-29 12:41]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 01:04]
SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system] @="Driver Group"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\RpcSs] @="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys] @="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}] @="DiskDrive"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}] @="Hdc"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}] @="Keyboard"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}] @="Mouse"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}] @="System"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}] @="Volume"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Babylon Client] C:\Program Files\Babylon\Babylon-Pro\Babylon.exe -AutoStart
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hldrrr] C:\WINDOWS\System32\hldrrr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "RasMan"=3 (0x3) "Messenger"=2 (0x2) "helpsvc"=2 (0x2) "ERSvc"=2 (0x2)
R1 BUFADPT;BUFADPT;\??\C:\WINDOWS\System32\BUFADPT.SYS
R3 maestro;ESS Maestro Audio Driver (WDM);C:\WINDOWS\System32\drivers\es198x.sys
R3 U2KG54L;BUFFALO WLI-U2-KG54L Wireless LAN Driver;C:\WINDOWS\System32\DRIVERS\U2KG54L.sys
R3 WmBEnum;Logitech Virtual Bus Enumerator Driver;C:\WINDOWS\System32\drivers\WmBEnum.sys
R3 WmXlCore;Logitech WingMan Translation Layer Driver;C:\WINDOWS\System32\drivers\WmXlCore.sys
S3 PsSdk30;PsSdk30;\??\C:\WINDOWS\System32\Drivers\PsSdk30.drv
S3 WmFilter;Logitech Gaming HID Filter Driver;C:\WINDOWS\System32\drivers\WmFilter.sys
S3 WmVirHid;Logitech Virtual Hid Device Driver;C:\WINDOWS\System32\drivers\WmVirHid.sys
**************************************************************************
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-03 09:31:53
Windows 5.1.2600 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
**************************************************************************
Completion time: 2007-09-03 9:33:41
C:\ComboFix-quarantined-files.txt ... 2007-09-03 09:33
C:\ComboFix2.txt ... 2007-09-03 04:21
--- E O F ---
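The Run keys and the msconfig\startupreg entries in the log above are the sections where this thread's hidr.exe, flec006.exe and exefld files would have been launched from. The Python script below is an added example, not ComboFix output and not code from anyone in this thread: it parses lines in that "[key] ..." format and flags entries whose executable sits somewhere a startup program normally does not (a profile's Application Data or Temp directory, an .exe inside system32\drivers, a digits-only file name, a single-letter directory such as the "\m\" folder above). The sample log is constructed to match the paths named in the thread; how hidr.exe was actually started is not on the page, so its Run entry is an assumption. The msconfig\services line (RasMan, Messenger, helpsvc, ERSvc) records start-type values for services that were disabled through msconfig, not programs to launch, so the parser skips it. The heuristics mark entries for review, not verdicts.

```python
"""Triage helper for the autostart sections of a ComboFix-style log.

Added example for this thread; not ComboFix code. Flags = "look at this",
never "this is malware": whether a flagged file is bad still depends on
what installed it and where it came from.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample in the shape of the log quoted above. The three flagged
# entries use the locations the thread names; they are not copied from a
# real machine, and the "hidr" Run value is an assumption.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-09-03 05:08] "hidr"="C:\WINDOWS\system32\drivers\hidr.exe"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-29 12:41] "mule_st_key"="C:\Documents and Settings\user\Application Data\m\flec006.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\exefld] C:\WINDOWS\exefld\234450.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "RasMan"=3 (0x3) "ERSvc"=2 (0x2)
"""

LINE_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*(?P<rest>.*)$")
PAIR_RE = re.compile(r'"([^"]+)"="([^"]*)"')          # "name"="command"
EXE_RE = re.compile(r'"?([^"]*?\.(?:exe|scr|dll|sys|drv|com|bat|cmd))\b', re.I)


def executable_path(command: str) -> str:
    """Return the program a Run/startupreg command launches, arguments dropped."""
    command = command.strip()
    m = EXE_RE.match(command)
    if m:
        return m.group(1)
    # No recognised extension (e.g. "dumprep 0 -k"): take the first token.
    return command.strip('"').split()[0] if command else ""


def extract_entries(log: str) -> List[Tuple[str, str]]:
    """Return (entry name, executable path) for every autostart entry in the log."""
    entries: List[Tuple[str, str]] = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        key, rest = m.group("key"), m.group("rest")
        lowered = key.lower()
        if lowered.endswith("msconfig\\services") or "msconfig\\startupfolder\\" in lowered:
            # services: saved start types, not commands; startupfolder: .lnk files
            continue
        if "msconfig\\startupreg\\" in lowered:
            entries.append((key.rsplit("\\", 1)[1], executable_path(rest)))
        else:  # Run-style keys: one or more "name"="command" pairs, optionally dated
            for name, value in PAIR_RE.findall(rest):
                entries.append((name, executable_path(value)))
    return entries


def suspicious_reasons(path: str) -> List[str]:
    """Location heuristics; each hit is a reason to review, not a verdict."""
    p = path.lower().replace("/", "\\")
    parts = p.split("\\")
    name = parts[-1]
    reasons = []
    if "\\application data\\" in p or "\\temp\\" in p:
        reasons.append("launched from a profile data or temp directory")
    if "\\system32\\drivers\\" in p and name.endswith(".exe"):
        reasons.append(".exe inside system32\\drivers, which holds .sys drivers")
    if name.rsplit(".", 1)[0].isdigit():
        reasons.append("file name is only digits")
    if any(len(d) == 1 and d.isalpha() for d in parts[1:-1]):
        reasons.append("single-letter directory in path")
    return reasons


def audit_log(log: str) -> Dict[str, Dict[str, object]]:
    """Map entry name -> {'path', 'reasons'} for the entries worth a second look."""
    flagged: Dict[str, Dict[str, object]] = {}
    for name, path in extract_entries(log):
        reasons = suspicious_reasons(path)
        if reasons:
            flagged[name] = {"path": path, "reasons": reasons}
    return flagged


if __name__ == "__main__":
    for name, info in audit_log(SAMPLE_LOG).items():
        print(f"{name}: {info['path']}")
        for reason in info["reasons"]:
            print(f"    - {reason}")
```

Run against a real ComboFix log, the script will also flag legitimate updaters that live under Application Data; that is intended, since the point is to shorten the list a human reads, not to replace the reading.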
Response Number 20
Name: jabuck
Date: September 2, 2007 at 18:07:12 Pacific
Subject: hidr.exe and flec006.exe and exefld
Reply: Please disable Spybot's "Tea Timer" as it will interfere with any fixes, but be sure to restart it once the computer is repaired.
Run Spybot-S&D in Advanced Mode. If it is not already set to do this, go to the Mode menu and select "Advanced Mode".
On the left hand side, click on Tools.
Then click on the Resident icon in the list.
Uncheck "Resident TeaTimer" and OK any prompts.
Restart your computer.
Fix SafeBoot Reg key if you find it to be blank:
This would be Incorporated into your fix or alone.
Step: Download and run AVZ from this link: Repair SafeBoot
Unzip it to a folder on your desktop.
Double click on AVZ.exe (must be unzipped or the options will not appear).
Click on the File tab and then click on System recovery.
Put a checkmark next to Restore SafeBoot registry keys.
Click on Execute selected operations.
Restart the computer and see if you can enter safe mode by the F8 method and let me know the results.
Response Number 21
Name: sophia loscos
Date: September 2, 2007 at 18:56:22 Pacific
Subject: hidr.exe and flec006.exe and exefld
Reply: safe mode successful after running AVZ
C:\Documents and Settings\user\Application Data\m\flec006.exe - not found
C:\Documents and Settings\Allusers\Application Data\ÙÝÃÄ3113›.sys - found and deleted
C:\Documents and Settings\user\Application Data\m - not found
CoffeeCup Web JukeBox - uninstalled
system restore tab has disappeared strangely "start>control panel>system>"
also, after sdfix scan and reboot in "normal" mode "helpsvc.exe" was loaded and was using 80%-100% of the cpu for about five minutes and then stopped/disappeared from the process tree
here is the sdfix report...teatimer was disabled before scanning
SDFix: Version 1.101
Run by userpc on 03/09/2007 at 10:23
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\DOCUME~1\user\Desktop\SDFix\SDFix
Safe Mode:
Checking Services:
Restoring Windows Registry Values
Restoring Windows Default Hosts File
Rebooting...
Normal Mode: Checking Files:
No Trojan Files Found
Removing Temp Files...
ADS Check:
C:\WINDOWS No streams found.
C:\WINDOWS\system32 No streams found.
C:\WINDOWS\system32\svchost.exe No streams found.
C:\WINDOWS\system32\ntoskrnl.exe No streams found.
Final Check:
Remaining Services:
------------------
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
Remaining Files:
---------------
Files with Hidden Attributes:
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Documents and Settings\All Users\Application Data\UYAŽ3113>.sys
C:\WINDOWS\system32\config\SAM.tmp.LOG
C:\WINDOWS\system32\config\SECURITY.tmp.LOG
Finished
Response Number 22
Name: jabuck
Date: September 2, 2007 at 19:55:21 Pacific
Subject: hidr.exe and flec006.exe and exefld
Reply: Let's try this process first to repair the restore tab.
Open notepad (Start Menu > Run > type notepad and press "OK").
Copy and paste everything into notepad between the x's, making REGEDIT4 the top line.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
"DisableConfig"=-
"DisableSR"=-
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it Fix.reg, then save it to your desktop.
Double click Fix.reg (or right click and choose Merge) and it will ask if you want to merge the contents into the registry; choose Yes.
Restart the computer and see if you have repaired the tab.
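Merging a .reg file by double-clicking gives only a Yes/No prompt, so it is worth seeing exactly what the file will change first. The Python below is an added example (not a Windows tool and not code from this thread): it parses a REGEDIT4 file into per-key set/delete actions and reports whether the file clears or sets the two SystemRestore policy values named above, DisableConfig and DisableSR. Fix.reg from this post is the first sample; the second sample is constructed to show the opposite state, both values set to 1, which is the policy state that hides the tab. Multi-line hex(...) continuations are out of scope.

```python
"""Preview the effect of a REGEDIT4 .reg file before merging it.

Added example for this thread; not a Microsoft tool and not the poster's code.
"""
import re
from typing import Dict, List, Optional, Tuple

# The content the post above has the reader save as Fix.reg.
FIX_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
"DisableConfig"=-
"DisableSR"=-
"""

# Constructed counterpart: the same policy values set to 1, the state that
# hides the System Restore tab. Not taken from any real machine.
HIDE_TAB_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
"DisableConfig"=dword:00000001
"DisableSR"=dword:00000001
"""

SR_POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore"
HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
# "name"=data or @=data (default value); data "-" means delete the value.
VALUE_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<data>.*)$')

Action = Tuple[str, str, Optional[str]]  # (value name, 'set'|'delete'|'delete-key', data)


def parse_reg(text: str) -> Dict[str, List[Action]]:
    """Return {key path: [actions]} in file order.

    Raises ValueError on a missing header or a value line outside any key,
    the two mistakes that make regedit refuse or silently skip a file.
    """
    lines = text.splitlines()
    if not lines or lines[0].strip() not in HEADERS:
        raise ValueError("first line must be REGEDIT4 or the 5.00 header")
    result: Dict[str, List[Action]] = {}
    current: Optional[str] = None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if key.startswith("-"):          # [-KEY] deletes the whole key
                result[key[1:]] = [("*", "delete-key", None)]
                current = None
            else:
                current = key
                result.setdefault(current, [])
            continue
        m = VALUE_RE.match(line)
        if m is None or current is None:
            raise ValueError(f"cannot interpret line: {raw!r}")
        name = "@" if m.group("default") else m.group("name")
        data = m.group("data")
        result[current].append((name, "delete", None) if data == "-" else (name, "set", data))
    return result


def system_restore_policy_effect(text: str) -> str:
    """'unhides' if both hiding values are deleted, 'hides' if either is set
    to a non-zero dword, otherwise 'unchanged'."""
    by_key = {k.lower(): v for k, v in parse_reg(text).items()}
    actions = {name.lower(): (act, data)
               for name, act, data in by_key.get(SR_POLICY_KEY.lower(), [])}
    wanted = ("disableconfig", "disablesr")
    if all(actions.get(n, (None, None))[0] == "delete" for n in wanted):
        return "unhides"
    for n in wanted:
        act, data = actions.get(n, (None, None))
        if act == "set" and data and data.lower().startswith("dword:") and int(data[6:], 16) != 0:
            return "hides"
    return "unchanged"


def describe(text: str) -> List[str]:
    """Human-readable summary, one line per action."""
    out = []
    for key, actions in parse_reg(text).items():
        for name, act, data in actions:
            out.append(f"{act:10s} {key} :: {name}" + (f" = {data}" if data is not None else ""))
    return out


if __name__ == "__main__":
    print("\n".join(describe(FIX_REG)))
    print("effect on System Restore tab:", system_restore_policy_effect(FIX_REG))
```

The same parser reads any small .reg file a forum fix hands out, so it doubles as a check that the file only touches the keys the instructions say it does.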
Response Number 23
Name: sophia loscos
Date: September 3, 2007 at 01:04:16 Pacific
Subject: hidr.exe and flec006.exe and exefld
Reply: yes it did indeed bring the system restore tab back :) also, the helpsvc.exe DID NOT start this time :)
i have turned the system restore off and back on again
these two entries were found during the sdfix scan
C:\WINDOWS\system32\config\SAM.tmp.LOG C:\WINDOWS\system32\config\SECURITY.tmp.LOG
after looking in google they are two more nasty things :(
thanks again jabuck for all this
sophia
Response Number 24
Name: sophia loscos
Date: September 3, 2007 at 04:27:46 Pacific
Subject: hidr.exe and flec006.exe and exefld
Reply: update......... the pc is running a lot better now after following your advice and the nasty things seem to have been fixed, however...
...something else has changed also and that is that the "combofix.exe" tool now fails to run with these two error messages;
swreg.cexe - Application Error
The instruction at "0x00403eca" referenced memory at "0x00a4c968". The memory could not be "read".
Click on OK to terminate the program
this error message is then followed by;
swreg.cexe - Application Error
The instruction at "0x77f5ed3" referenced memory at "0x006b0060". The memory could not be "read".
Click on OK to terminate the program
this said, the program still ran after i clicked "ok"
RE:
C:\WINDOWS\system32\config\SAM.tmp.LOG C:\WINDOWS\system32\config\SECURITY.tmp.LOG
they form part of a folder;
C:\WINDOWS\erdnt\subs
this directory has the file "erdnt.exe" which after looking in google, is in fact a registry recovery and backup tool
http://www.personal-computer-tutor....
so i guess this/these files are OK? i didn't install them unless they form part of the things that we have been installing during this forum thread
sophia
Response Number 25
Name: jabuck
Date: September 3, 2007 at 05:57:20 Pacific
Subject: hidr.exe and flec006.exe and exefld
Reply: Please download ATF-Cleaner to your desktop from this link: http://www.atribune.org/content/view/19/2/ We will need it later in safe mode.
Download and install AVG Anti-Spyware. We will need this later in safe mode.
Be sure to update AVG Anti-Spyware.
Boot into safe mode.
Run ATF-Cleaner from safe mode. Double-click ATF-Cleaner.exe to run the program. Under Main choose: Select All. Click the Empty Selected button.
In Safe Mode, run AVG Anti-Spyware and click on the Scanner tab at the top. Click the "Settings" tab and then change the recommended action to Quarantine and click Automatically generate report after every scan. Click back to the "Scan" tab and then click on Complete System Scan. This scan can take quite a while to run, so be prepared.
AVG Anti-Spyware will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. AVG Anti-Spyware will display "All actions have been applied" on the right hand side.
Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file again (like on the Desktop).
Response Number 26
Name: sophia loscos
Date: September 3, 2007 at 07:15:18 Pacific
Subject: hidr.exe and flec006.exe and exefld
Reply: ok, before i post those results firstly i think i should share something with you..... sorry if i shouldn't have done this
while i was waiting for you to come back on line i was researching some of the log results from the last combofix scan.... i came across this entry;
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "RasMan"=3 (0x3) "Messenger"=2 (0x2) "helpsvc"=2 (0x2) "ERSvc"=2 (0x2)
the last of which "ersvc" seems to be bad thing;
http://www.liutilities.com/products...
i then followed the instructed steps to remove this entry from the link from the above site;
http://www.liutilities.com/products...
this link installed "spyeraser"
the results were as follows;
PCAgent - Adware
Infected registry keys/values detected hkey_local_machine\software\classes\.pca\\
Trojan-spy.BZub.hv - Trojan-spy
Infected registry keys/values detected hkey_local_machine\software\microsoft\windows\currentversion\control panel\load\\
Trojan-Dropper.Agent.ack - Trojan-Dropper
Infected registry keys/values detected hkey_local_machine\software\windows\\
Adware.BHO.t - adware
Infected registry keys/values detected hkey_users\.default\software\microsoft\internet explorer\main\check_associations\
the results found could not be removed unless you buy the program so....
obviously concerned about its findings, i ran xscan which did indeed find and remove;
"PCAgent"
but nothing else
i then ran avg anti virus which found nothing
i then ran avg anti spyware which too found nothing
both avg programs have been updated
i was just about to install adaware and run this when i saw your post....
i ran both ATF-Cleaner and avg anti spyware in safe mode
avg found exactly the same results as the normal boot mode scan (which i didn't remove after the scan was complete because i wanted to wait for you)
here is the log from avg anti spyware (safe mode)
AVG Anti-Spyware - Scan Report
+ Created at: 22:49:55 03/09/2007
+ Scan result:
:mozilla.51:C:\Documents and Settings\userpc\Application Data\Mozilla\Firefox\Profiles\p2dcfx16.default\cookies.txt -> TrackingCookie.247realmedia : No action taken.
:mozilla.26:C:\Documents and Settings\userpc\Application Data\Mozilla\Firefox\Profiles\p2dcfx16.default\cookies.txt -> TrackingCookie.Clickbank : No action taken.
:mozilla.39:C:\Documents and Settings\userpc\Application Data\Mozilla\Firefox\Profiles\p2dcfx16.default\cookies.txt -> TrackingCookie.Com : No action taken.
:mozilla.179:C:\Documents and Settings\userpc\Application Data\Mozilla\Firefox\Profiles\p2dcfx16.default\cookies.txt -> TrackingCookie.Googleadservices : No action taken.
:mozilla.29:C:\Documents and Settings\userpc\Application Data\Mozilla\Firefox\Profiles\p2dcfx16.default\cookies.txt -> TrackingCookie.Hotlog : No action taken.
:mozilla.156:C:\Documents and Settings\userpc\Application Data\Mozilla\Firefox\Profiles\p2dcfx16.default\cookies.txt -> TrackingCookie.Information : No action taken.
:mozilla.138:C:\Documents and Settings\userpc\Application Data\Mozilla\Firefox\Profiles\p2dcfx16.default\cookies.txt -> TrackingCookie.Myaffiliateprogram : No action taken.
:mozilla.21:C:\Documents and Settings\userpc\Application Data\Mozilla\Firefox\Profiles\p2dcfx16.default\cookies.txt -> TrackingCookie.Paypal : No action taken.
:mozilla.157:C:\Documents and Settings\userpc\Application Data\Mozilla\Firefox\Profiles\p2dcfx16.default\cookies.txt -> TrackingCookie.Sitestat : No action taken.
:mozilla.158:C:\Documents and Settings\userpc\Application Data\Mozilla\Firefox\Profiles\p2dcfx16.default\cookies.txt -> TrackingCookie.Sitestat : No action taken.
:mozilla.50:C:\Documents and Settings\userpc\Application Data\Mozilla\Firefox\Profiles\p2dcfx16.default\cookies.txt -> TrackingCookie.Statcounter : No action taken.
:mozilla.153:C:\Documents and Settings\userpc\Application Data\Mozilla\Firefox\Profiles\p2dcfx16.default\cookies.txt -> TrackingCookie.Webtrends : No action taken.
:mozilla.41:C:\Documents and Settings\userpc\Application Data\Mozilla\Firefox\Profiles\p2dcfx16.default\cookies.txt -> TrackingCookie.Webtrendslive : No action taken.
::Report end
Response Number 27
Name: jabuck
Date: September 3, 2007 at 07:39:17 Pacific
Subject: hidr.exe and flec006.exe and exefld
Reply: Looks good, how is the computer running? Remove/uninstall all of the tools we used to repair the computer as they are updated every day and will be out of date almost immediately.
You can remove all cookies from Mozilla Firefox:
Click on Tools, then Options.
Select the Privacy icon in the left-hand panel.
Click on Cookies.
Click on View Cookies.
To remove a single cookie, click on the entry in the list and click on the Remove Cookie button.
To remove all cookies, click on the Remove All Cookies button.
Response Number 28
Name: sophia loscos
Date: September 3, 2007 at 08:13:32 Pacific
Subject: hidr.exe and flec006.exe and exefld
Reply: the computer is running a lot better than when you began posting your knowledge :) ALL of the problems that i originally posted have been fixed (with some that i didn't find also being fixed too)
PC status;
it now boots in both "normal" and "safe" modes
it now doesn't have the "hidr.exe" threat
it now doesn't have the "flec006.exe" threat
it now doesn't have the "exefld" threat
the IE blank pop up doesn't er, "pop up"
the 100M line seems back to normal
Sophia Status;
my face has a smile on it :)
the tools that you both instructed me to use found other threats that i didn't find;
srosa.sys
W32/Bagle.dm
Spy-Agent.ak
ÙÝÃÄ3113›.sys
Tools used....
HijackThis - i have un-installed HijackThis
xscan - xscan ran from the developer's site
combofix - combofix doesn't seem to install anything
sdfix - SDFix doesn't seem to install anything
avz anti virus - avz doesn't seem to install anything
avg anti virus - avg anti virus is still installed and running
avg anti spyware - avg anti spyware is still installed and running
here is the latest log from combofix...
the one thing that is causing me concern is;
C:\WINDOWS\ERUNT
and how it got onto the system
what do you think? can you see any other threats in this log?
ComboFix 07-08-30.3 - "userpc" 2007-09-03 23:45:16.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.56 [GMT 9:00]
((((((((((((((((((((((((( Files Created from 2007-08-03 to 2007-09-03 )))))))))))))))))))))))))))))))
2007-09-03 21:11 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-09-03 20:23 <DIR> d-------- C:\DOCUME~1\userpc\APPLIC~1\Uniblue
2007-09-03 18:43 <DIR> d-------- C:\Program Files\SmartPCTools
2007-09-03 10:21 <DIR> d-------- C:\WINDOWS\ERUNT
2007-09-03 07:12 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-09-03 05:38 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-09-03 04:30 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-03 04:09 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-09-01 07:33 2,042,240 --a--c--- C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2007-09-01 05:34 <DIR> d-------- C:\DOCUME~1\userpc\DoctorWeb
2007-09-01 01:02 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-09-01 01:02 94,416 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-09-01 01:02 92,848 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-09-01 01:02 783,224 --a------ C:\WINDOWS\system32\aswuserpct.exe
2007-09-01 01:02 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-09-01 01:02 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-09-01 01:02 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-08-31 06:46 61,440 --a------ C:\WINDOWS\system32\libfaac.dll
2007-08-31 06:46 53,248 --a------ C:\WINDOWS\system32\ogg.dll
2007-08-31 06:46 36,864 --a------ C:\WINDOWS\system32\DGRip.dll
2007-08-31 06:46 36,352 --a------ C:\WINDOWS\system32\MP2enc.dll
2007-08-31 06:46 220,160 --a------ C:\WINDOWS\system32\WnASPI32.dll
2007-08-31 06:46 172,032 --a------ C:\WINDOWS\system32\lame_enc.dll
2007-08-31 06:46 1,163,264 --a------ C:\WINDOWS\system32\vorbis.dll
2007-08-31 06:46 1,015,808 --a------ C:\WINDOWS\system32\vorbisenc.dll
2007-08-31 06:46 <DIR> d-------- C:\Program Files\CoffeeCup Software
2007-08-31 03:38 164,862 --a------ C:\WINDOWS\Intellimapper-Basic Uninstaller.exe
2007-08-31 03:38 <DIR> d-------- C:\Program Files\Intellimapper-Basic
2007-08-29 05:27 24,084 --ah----- C:\WINDOWS\system32\mlfcache.dat
2007-08-27 21:27 212,992 --a------ C:\WINDOWS\ALCHUNIN.EXE
2007-08-20 18:57 <DIR> d-------- C:\Program Files\Google
2007-08-20 18:13 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2007-08-15 15:49 <DIR> d-------- C:\DOCUME~1\userpc\APPLIC~1\Sony
2007-08-15 13:17 <DIR> d-------- C:\Program Files\MixMeister BPM Analyzer
2007-08-15 06:39 <DIR> d-------- C:\Program Files\TagRename
2007-08-15 06:23 73,216 --a------ C:\WINDOWS\ST6UNST.EXE
2007-08-15 06:23 249,856 --------- C:\WINDOWS\Setup1.exe
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-09-03 21:07 --------- d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP 2007-09-03 0rogram Files\mIRC 2007-09-01 2OCUME~1\userpc\APPLIC~1\Skype 2007-09-01 0rogram Files\InstallShield Installation Information 2007-08-30 1rogram Files\Netscape 2007-08-28 2rogram Files\Vstplugins 2007-08-15 0rogram Files\Winamp 2007-08-01 14:52 720896 --a------ C:\WINDOWS\iun6002.exe 2007-07-12 1rogram Files\Microsoft ActiveSync 2007-07-04 1rogram Files\AC3Filter
((((((((((((((((((((((((((((( snapshot_2007-09-03_ 41901.87 )))))))))))))))))))))))))))))))))))))))))
----a-w 163,328 2007-09-01 15:18:41 C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
----a-w 3,407,872 2007-09-03 01:21:53 C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
----a-w 241,664 2007-09-03 01:21:53 C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
----a-w 163,328 2007-09-01 15:18:41 C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
----a-w 3,407,872 2007-09-03 01:21:45 C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
----a-w 241,664 2007-09-03 01:21:46 C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
----a-w 12,359 2007-09-03 13:56:10 C:\WINDOWS\system32\tablet.dat
----a-w 16,384 2007-09-03 13:56:07 C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
------w 32,768 2007-09-03 13:56:07 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
------w 49,152 2007-09-03 13:56:07 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
----a-w 821,536 2007-09-02 20:09:34 C:\WINDOWS\system32\drivers\avg7core.sys
----a-w 4,224 2007-09-02 20:09:42 C:\WINDOWS\system32\drivers\avg7rsw.sys
----a-w 27,776 2007-09-02 20:09:44 C:\WINDOWS\system32\drivers\avg7rsxp.sys
----a-w 3,968 2007-09-02 20:09:46 C:\WINDOWS\system32\drivers\avgclean.sys
----a-w 19,904 2007-09-02 20:09:45 C:\WINDOWS\system32\drivers\avgmfx86.sys
----a-w 4,960 2007-09-02 20:09:45 C:\WINDOWS\system32\drivers\avgtdi.sys
----a-w 12,359 2007-09-02 19:16:47 C:\WINDOWS\system32\tablet.dat
----a-w 16,384 2007-09-02 19:16:38 C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
------w 32,768 2007-09-02 19:16:38 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
------w 49,152 2007-09-02 19:16:38 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) *Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-09-03 05:08] "!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 18:25]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-29 12:41]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "RasMan"=3 (0x3) "Messenger"=2 (0x2) "helpsvc"=2 (0x2) "ERSvc"=2 (0x2)
R1 BUFADPT;BUFADPT;\??\C:\WINDOWS\System32\BUFADPT.SYS
R3 maestro;ESS Maestro Audio Driver (WDM);C:\WINDOWS\System32\drivers\es198x.sys
R3 U2KG54L;BUFFALO WLI-U2-KG54L Wireless LAN Driver;C:\WINDOWS\System32\DRIVERS\U2KG54L.sys
R3 WmBEnum;Logitech Virtual Bus Enumerator Driver;C:\WINDOWS\System32\drivers\WmBEnum.sys
R3 WmXlCore;Logitech WingMan Translation Layer Driver;C:\WINDOWS\System32\drivers\WmXlCore.sys
S3 PsSdk30;PsSdk30;\??\C:\WINDOWS\System32\Drivers\PsSdk30.drv
S3 WmFilter;Logitech Gaming HID Filter Driver;C:\WINDOWS\System32\drivers\WmFilter.sys
S3 WmVirHid;Logitech Virtual Hid Device Driver;C:\WINDOWS\System32\drivers\WmVirHid.sys
Contents of the 'Scheduled Tasks' folder
2007-09-03 12:08:10 C:\WINDOWS\Tasks\Uniblue SpyEraser Nag.job - C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
2007-09-03 12:08:10 C:\WINDOWS\Tasks\Uniblue SpyEraser.job
**************************************************************************
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-03 23:47:25
Windows 5.1.2600 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
**************************************************************************
Completion time: 2007-09-03 23:49:52
C:\ComboFix-quarantined-files.txt ... 2007-09-03 23:49
C:\ComboFix2.txt ... 2007-09-03 20:11
C:\ComboFix3.txt ... 2007-09-03 09:33
--- E O F ---
Response Number 29
Name: jabuck
Date: September 3, 2007 at 09:45:50 Pacific
Subject: hidr.exe and flec006.exe and exefld
Reply: As you can see in the last Combofix log in the "snapshot"... C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE is a registry backup created by SDFIX and can be deleted. I would put it in the recycle bin for a few days then delete it. I see some minor things that do not need to be repaired.
You should delete all the tools used and only run them when requested; they are very powerful and can render the computer useless. Even files that appear harmful and are documented in some places on the internet as virus/spyware may be normal files for your computer, dependent on where they are located.
Glad we could help.
Response Number 30
Name: sophia loscos
Date: September 3, 2007 at 10:15:04 Pacific
Subject: hidr.exe and flec006.exe and exefld
Reply: Well jabuck, i would just like to say a very BIG thank you for your time, energy and knowledge (and XpUser4Real). You have solved my problems and solved things that i didn't even know that i had
I don't know what to say apart from what i have already said
THANK YOU :)
i hope this thread will help others in the future with similar problems
ALL THE BEST TO THE WHOLE COMPUTING.NET TEAM
sophia
Response Number 31
Name: danzg
Date: September 6, 2007 at 13:03:06 Pacific
Subject: hidr.exe and flec006.exe and exefld
Reply: Wow, I am having the same exact symptoms. Can't install any antivirus/antispyware. Will try to follow this thread.