hello
need help here, I'm not joking, I mean I like really really need help here....
1) I can't log into the Windows account "without" selecting "boot from last known good config" - if I try a normal boot I get a blue screen "windows stopped loading to prevent damage to your pc" - if I boot in safe mode, the pc hangs on agp440.sys
2) I can't install anything: programs, anti-virus -|- when I try, the .exe file just disappears (programs like winamp or opera etc... any installer basically) -|- avg, avast, spybot, adaware ALL fail/crash during install
I have found these really nasty things on my pc....
C:\WINDOWS\system32\drivers\hidr.exe
C:\Documents and Settings\user\Application Data\m\flac006.exe
C:\WINDOWS\exefld\random numbers.exe (like 234450.exe and 964634.exe)
maybe there are also things that I haven't found :(
I have searched the net for sites with removal solutions but the registry entries that are used in the removal process are NOT in the registry in said places, i.e.
flac006.exe writes the registry entry:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
mule_st_key = "%Application Data%\m\flec006.exe"
this entry IS NOT in my registry
the same goes for the other two (hidr and exefld) with respect to unfound registry entries where instructed by removal instructions
other strange things are: each time the connection is made to the internet, the page file is active for around five minutes
a copy of internet explorer loads in the process tree with NO browser window being produced
this 100M dsl line is going slower than normal
other than all this I am fine >.<
and how are you guys doing?
please, any help here would be, well, you know
thanks
sophia

oh yeah, the funny thing was I ran an online scan at trend.com (one of the sites that listed the flac006.exe) and it didn't find it, or any other nasty stuff
strange eh?

Hi sophia,
Are you waiting long enough to get into safe mode? It may hang from 1 min to over an hour, BUT, safe mode will come up.
Try safe mode with networking and then do a free scan with Housecall or Kaspersky. Also do this free cleaner:
http://www.spywareinfo.com/xscan.php
and remove all it finds.
You may have to wait for it to load, give it time... good luck
Some HELP in posting on Cnet plus free progs and instructions Glad to Help!

XpUser4Real, hi
sorry, I should have said hangs and then restarts
when I try safe mode
I am trying http://www.spywareinfo.com/xscan.php now
I will post results
hey thanks for this :) as you can probably imagine, I am not such a happy chicken at the moment >.<
sophia

hope it works out for you.
After cleaning out everything, if still no joy, if you have an actual XP install disc, you may want to do a repair install:
http://www.microsoft.com/windowsxp/...

Most likely it is this virus W32.Bagle.iz and has disabled safe mode.
Please download ComboFix to the desktop from this link:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running, it may cause your system to hang.)
Please post the log it produces.
Then, please download and install the latest version of HijackThis v2.0.2 so cleanup can be done and so other spyware may be detected.
Download the HijackThis Installer from this link: HijackThis
1. Save " HJTInstall.exe" to your desktop.
2. Double click on HJTInstall.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

you didn't download the actual software to your PC did you?
You only want to do the on-line scan.

hello jabuck and welcome to my world of pain >.<
anyway
YAY!!!!!! I have just rebooted in normal mode so I am guessing that I can/could now boot in safe mode too
XpUser4Real, I ran the scan using "open" not "download"
will follow instructions now for "ComboFix" and post results
you know, you two are starting to put a smile back on my face.... that may sound a bit pathetic but what can I say, it's true!!!
thanks bucket loads for your time and effort helping the world in the fight against these nasty things

If you don't have any more problems, you should be fine now.
Try running your Spy scans again and see if they are functioning fine.

log report....
ComboFix 07-08-30.3 - "userpc" 2007-09-03 4:11:10.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.141 [GMT 9:00]
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\WINDOWS\system32\drivers\hidr.exe
C:\WINDOWS\system32\drivers\srosa.sys
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
-------\LEGACY_SROSA
-------\nm
-------\srosa
((((((((((((((((((((((((( Files Created from 2007-08-02 to 2007-09-02 )))))))))))))))))))))))))))))))
2007-09-03 04:09 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-09-01 07:33 2,042,240 --a--c--- C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2007-09-01 05:34 <DIR> d-------- C:\DOCUME~1\user\DoctorWeb
2007-09-01 05:06 <DIR> d--h----- C:\DOCUME~1\user\APPLIC~1\m
2007-09-01 01:02 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-09-01 01:02 94,416 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-09-01 01:02 92,848 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-09-01 01:02 783,224 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-09-01 01:02 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-09-01 01:02 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-09-01 01:02 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-08-31 06:47 13 C:\DOCUME~1\ALLUSE~1\APPLIC~1\UYAŽ3113>.sys
2007-08-31 06:46 61,440 --a------ C:\WINDOWS\system32\libfaac.dll
2007-08-31 06:46 53,248 --a------ C:\WINDOWS\system32\ogg.dll
2007-08-31 06:46 36,864 --a------ C:\WINDOWS\system32\DGRip.dll
2007-08-31 06:46 36,352 --a------ C:\WINDOWS\system32\MP2enc.dll
2007-08-31 06:46 220,160 --a------ C:\WINDOWS\system32\WnASPI32.dll
2007-08-31 06:46 172,032 --a------ C:\WINDOWS\system32\lame_enc.dll
2007-08-31 06:46 1,163,264 --a------ C:\WINDOWS\system32\vorbis.dll
2007-08-31 06:46 1,015,808 --a------ C:\WINDOWS\system32\vorbisenc.dll
2007-08-31 06:46 <DIR> d-------- C:\Program Files\CoffeeCup Software
2007-08-31 03:38 164,862 --a------ C:\WINDOWS\Intellimapper-Basic Uninstaller.exe
2007-08-31 03:38 <DIR> d-------- C:\Program Files\Intellimapper-Basic
2007-08-29 05:27 24,084 --ah----- C:\WINDOWS\system32\mlfcache.dat
2007-08-27 21:27 212,992 --a------ C:\WINDOWS\ALCHUNIN.exe
2007-08-20 18:57 <DIR> d-------- C:\Program Files\Google
2007-08-20 18:13 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2007-08-15 15:49 <DIR> d-------- C:\DOCUME~1\user\APPLIC~1\Sony
2007-08-15 13:17 <DIR> d-------- C:\Program Files\MixMeister BPM Analyzer
2007-08-15 06:39 <DIR> d-------- C:\Program Files\TagRename
2007-08-15 06:23 73,216 --a------ C:\WINDOWS\ST6UNST.exe
2007-08-15 06:23 249,856 --------- C:\WINDOWS\Setup1.exe
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-09-01 2OCUME~1\user\APPLIC~1\Skype
2007-09-01 1rogram Files\mIRC
2007-09-01 0rogram Files\InstallShield Installation Information
2007-08-30 1rogram Files\Netscape
2007-08-28 2rogram Files\Vstplugins
2007-08-15 0rogram Files\Winamp
2007-08-01 14:52 720896 --a------ C:\WINDOWS\iun6002.exe
2007-07-12 1rogram Files\Microsoft ActiveSync
2007-07-04 1rogram Files\AC3Filter
C:\DOCUME~1\ALLUSE~1\APPLIC~1\ÙÝÃÄ3113›.sys
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-29 12:41]
"mule_st_key"="C:\Documents and Settings\user\Application Data\m\flec006.exe" [2007-09-03 01:54]
SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
@="Driver Group"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\RpcSs]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
"C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Babylon Client]
C:\Program Files\Babylon\Babylon-Pro\Babylon.exe -AutoStart
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hldrrr]
C:\WINDOWS\System32\hldrrr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe /Spoil /RemAdvDef /Migration32
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe /IMEName
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe /SYNC
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"RasMan"=3 (0x3)
"Messenger"=2 (0x2)
"helpsvc"=2 (0x2)
"ERSvc"=2 (0x2)
R1 BUFADPT;BUFADPT;\??\C:\WINDOWS\System32\BUFADPT.SYS
R3 maestro;ESS Maestro Audio Driver (WDM);C:\WINDOWS\System32\drivers\es198x.sys
R3 U2KG54L;BUFFALO WLI-U2-KG54L Wireless LAN Driver;C:\WINDOWS\System32\DRIVERS\U2KG54L.sys
R3 WmBEnum;Logitech Virtual Bus Enumerator Driver;C:\WINDOWS\System32\drivers\WmBEnum.sys
R3 WmXlCore;Logitech WingMan Translation Layer Driver;C:\WINDOWS\System32\drivers\WmXlCore.sys
S3 PsSdk30;PsSdk30;\??\C:\WINDOWS\System32\Drivers\PsSdk30.drv
S3 WmFilter;Logitech Gaming HID Filter Driver;C:\WINDOWS\System32\drivers\WmFilter.sys
S3 WmVirHid;Logitech Virtual Hid Device Driver;C:\WINDOWS\System32\drivers\WmVirHid.sys
**************************************************************************
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-03 04:17:22
Windows 5.1.2600 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
**************************************************************************
Completion time: 2007-09-03 4:21:18 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-03 04:20
--- E O F ---

hijack this log report....
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 04:31:19, on 03/09/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Tablet.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Documents and Settings\user\Application Data\m\flec006.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\MSDXM.OCX
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [mule_st_key] C:\Documents and Settings\user\Application Data\m\flec006.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.exe (User 'Default user')
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe (file missing)
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
--
End of file - 2517 bytes
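The tell-tale line in the HijackThis log above is the O4 autostart whose value name (mule_st_key) bears no relation to the file it launches, and whose file lives in the user's Application Data folder rather than anywhere an installer would put it. As an added example (not code from the thread, from HijackThis or from any poster here), the Python below triages a saved HJT log offline: it flags running processes and Run-key autostarts that execute from user-writable profile directories, and reports which of them are both persisted and currently running. The directory list is a heuristic chosen for this example, and the sample log is constructed from lines modelled on the one above.

```python
"""Triage a saved HijackThis v2 log for processes and autostarts that run from
user-writable profile directories (Application Data, Local Settings, Temp).

Added example for this thread; it is not part of HijackThis. It only reads
log text and never touches the registry or the file system.
"""
import re
from dataclasses import dataclass

# Profile directories an ordinary user can write to without elevation.
# Heuristic list chosen for this example, not something HijackThis defines.
SUSPICIOUS_DIR_PATTERNS = [
    re.compile(r"\\documents and settings\\[^\\]+\\application data\\", re.I),
    re.compile(r"\\documents and settings\\[^\\]+\\local settings\\", re.I),
    re.compile(r"\\temp\\", re.I),
]

# O4 - HKCU\..\Run: [mule_st_key] C:\Documents and Settings\user\Application Data\m\flec006.exe
O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
ENTRY_RE = re.compile(r"^[RFNO]\d+ - ")   # first R0/O2/O4... line ends the process list


@dataclass
class Finding:
    kind: str     # "process" or "autostart"
    path: str     # executable path
    detail: str   # where it came from


def _exe_path(command: str) -> str:
    """Return the executable part of a Run-key command line, without arguments."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command.strip('"')
    m = re.match(r"(.+?\.exe)\b", command, re.I)   # unquoted path, cut after .exe
    return m.group(1) if m else command.split(" ")[0]


def _is_user_writable(path: str) -> bool:
    return any(p.search(path) for p in SUSPICIOUS_DIR_PATTERNS)


def triage(log_text: str):
    """Return a list of Finding objects for one HijackThis log."""
    findings = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Running processes:"):
            in_processes = True
            continue
        if in_processes:
            if ENTRY_RE.match(line):
                in_processes = False          # fall through to entry parsing
            else:
                if _is_user_writable(line):
                    findings.append(Finding("process", line, "running from a user-writable profile directory"))
                continue
        m = O4_RE.match(line)
        if m:
            exe = _exe_path(m.group("cmd"))
            if _is_user_writable(exe):
                findings.append(Finding("autostart", exe, f"{m.group('hive')} value [{m.group('name')}]"))
    return findings


def persistent_and_running(findings):
    """Paths that appear both as an autostart and as a running process."""
    running = {f.path.lower() for f in findings if f.kind == "process"}
    return sorted({f.path for f in findings if f.kind == "autostart" and f.path.lower() in running})


# Constructed sample, modelled on the log posted in this thread.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Documents and Settings\user\Application Data\m\flec006.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [mule_st_key] C:\Documents and Settings\user\Application Data\m\flec006.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.exe (User 'LOCAL SERVICE')
"""

if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"{f.kind:9s} {f.path}  <- {f.detail}")
    print("persisted and running:", persistent_and_running(results))
```

The location heuristic is deliberately narrow: a binary in Application Data is not proof of infection, but an entry that is both an HKCU Run value and a live process from that folder is exactly the pattern the helpers in this thread asked to have fixed, and it is worth surfacing before anything else in the log.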

sophia, looks like your IE isn't up-to-date with the critical updates. You may want to do that

XpUser4Real, I don't use IE, I use mozilla firefox or, and mostly, opera
I haven't run any other scans yet
I have downloaded avg, spybot and adaware
the last time I tried to install these programs they crashed during the installer
should I try installing them now?
that combofix found another little blighter, "srosa.sys"
I wonder just how many things are on my pc
thanks bucket loads for your time here :)
sophia

And you are still infected but looks much better. Can you boot into safe mode using the F8 method? (Do not try any other method yet or you may get in a boot loop and have to format)

after following the advice from jabuck and XpUser4Real I can now boot the pc in windows "normal" mode
the scans found these nasty thingys, one of which (flec006.exe) is one of the worst viruses you can "catch" (technical security rating is 77%, dangerous)
xscan
http://www.spywareinfo.com/xscan.php
xscan has removed:
W32/Bagle.dm (causing system to fail "normal" boot up and safe mode boot up)
Spy-Agent.ak
combofix
http://download.bleepingcomputer.co...
combofix has removed:
C:\WINDOWS\system32\drivers\hidr.exe
I Worm Beagle.XH
C:\WINDOWS\system32\drivers\srosa.sys
Trojan Horse Downloader.Generic6.BEO
avg
http://free.grisoft.com/filedir/ins...
avg has removed:
C:\Documents and Settings\user\Application Data\m\flec006.exe
Trojan.Lodeight.C
spybot
http://fileforum.betanews.com/sendf...
spybot has removed:
Alexa Data Miner
nothing else is being picked up
I have run all of the above processes again for the second time and the pc now "seems" clear
what can I say
a rose for you XpUser4Real @>---
a rose for you jabuck @>---
if you think that there are more things that I should do please please continue this thread
thank you both so very very much
sophia
note to admin: this thread could save others thanks to the great work from the above mentioned users..... please keep it for others to read

I see a file that may represent a bug of sorts, this file from the combofix log UYAŽ3113>.sys.
Run Hijack This again, close all windows except Hijack This, place a check to the left of the following items and press "fix checked":
O4 - HKCU\..\Run: [mule_st_key] C:\Documents and Settings\user\Application Data\m\flec006.exe
Exit Hijack This.
Please download SDFix by AndyManchesta and save it to your desktop.
Please then reboot your computer in Safe Mode.
Once in Safe Mode, please do the following:
In Safe Mode, right-click the SDFix.zip folder and choose Extract All.
Open the extracted folder and double-click RunThis.bat to start the script.
Type Y to begin the script.
It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
Your system will take longer that normal to restart as the fixtool will be running and removing files.
When the desktop loads the fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt into your next reply.
Then navigate to the following two files and delete them if found:
C:\Documents and Settings\user\Application Data\m\flec006.exe
C:\Documents and Settings\Allusers\Application Data\ÙÝÃÄ3113›.sys
Then navigate to and delete this folder if found:
C:\Documents and Settings\user\Application Data\m
Go start>control panel>add/remove programs and uninstall this program if found:
CoffeeCup Web JukeBox
Then clean your system restore folder, as the virus probably copied itself there. To empty the restore folder: go to start>control panel>system>system restore tab>check the box beside "turn off system restore">apply (takes a minute)>ok. Go back and uncheck the box to turn system restore back on>apply>ok.

oooh, something is still indeed amiss because the safe mode boot is the same as before, i.e. hangs on agp440.sys and then restarts the pc
so I still can't boot in safe mode
I thought that as I can now boot in "normal" mode, that safe mode would be the same
I have downloaded SDFix.zip but have not run it as you said to do this in safe mode
also, I haven't done any of the other things that you posted to do but will do said things where relevant on your signal
here is a HijackThis log after rebooting in "normal" mode
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:07:29, on 03/09/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\Tablet.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\MSDXM.OCX
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.exe (User 'Default user')
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe (file missing)
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
--
End of file - 3234 bytes

Do not try any other methods of entering safe mode other than F8.
I will post a suggestion shortly.

ok, no safe mode until instructed otherwise
here is another combofix log post scanning as carried out before by xscan, combofix, avg and spybot
I noticed this entry in the log:
SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.
ComboFix 07-08-30.3 - "userpc" 2007-09-03 9:29:54.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.92 [GMT 9:00]
((((((((((((((((((((((((( Files Created from 2007-08-03 to 2007-09-03 )))))))))))))))))))))))))))))))
2007-09-03 07:12 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-09-03 05:38 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-09-03 04:30 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-03 04:09 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-09-01 07:33 2,042,240 --a--c--- C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2007-09-01 05:34 <DIR> d-------- C:\DOCUME~1\user\DoctorWeb
2007-09-01 01:02 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-09-01 01:02 94,416 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-09-01 01:02 92,848 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-09-01 01:02 783,224 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-09-01 01:02 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-09-01 01:02 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-09-01 01:02 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-08-31 06:47 13 C:\DOCUME~1\ALLUSE~1\APPLIC~1\UYAŽ3113>.sys
2007-08-31 06:46 61,440 --a------ C:\WINDOWS\system32\libfaac.dll
2007-08-31 06:46 53,248 --a------ C:\WINDOWS\system32\ogg.dll
2007-08-31 06:46 36,864 --a------ C:\WINDOWS\system32\DGRip.dll
2007-08-31 06:46 36,352 --a------ C:\WINDOWS\system32\MP2enc.dll
2007-08-31 06:46 220,160 --a------ C:\WINDOWS\system32\WnASPI32.dll
2007-08-31 06:46 172,032 --a------ C:\WINDOWS\system32\lame_enc.dll
2007-08-31 06:46 1,163,264 --a------ C:\WINDOWS\system32\vorbis.dll
2007-08-31 06:46 1,015,808 --a------ C:\WINDOWS\system32\vorbisenc.dll
2007-08-31 06:46 <DIR> d-------- C:\Program Files\CoffeeCup Software
2007-08-31 03:38 164,862 --a------ C:\WINDOWS\Intellimapper-Basic Uninstaller.exe
2007-08-31 03:38 <DIR> d-------- C:\Program Files\Intellimapper-Basic
2007-08-29 05:27 24,084 --ah----- C:\WINDOWS\system32\mlfcache.dat
2007-08-27 21:27 212,992 --a------ C:\WINDOWS\ALCHUNIN.exe
2007-08-20 18:57 <DIR> d-------- C:\Program Files\Google
2007-08-20 18:13 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2007-08-15 15:49 <DIR> d-------- C:\DOCUME~1\user\APPLIC~1\Sony
2007-08-15 13:17 <DIR> d-------- C:\Program Files\MixMeister BPM Analyzer
2007-08-15 06:39 <DIR> d-------- C:\Program Files\TagRename
2007-08-15 06:23 73,216 --a------ C:\WINDOWS\ST6UNST.exe
2007-08-15 06:23 249,856 --------- C:\WINDOWS\Setup1.exe
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))2007-09-03 0rogram Files\mIRC
2007-09-01 2OCUME~1\user\APPLIC~1\Skype
2007-09-01 0rogram Files\InstallShield Installation Information
2007-08-30 1rogram Files\Netscape
2007-08-28 2rogram Files\Vstplugins
2007-08-15 0rogram Files\Winamp
2007-08-01 14:52 720896 --a------ C:\WINDOWS\iun6002.exe
2007-07-12 1rogram Files\Microsoft ActiveSync
2007-07-04 1rogram Files\AC3Filter
C:\DOCUME~1\ALLUSE~1\APPLIC~1\ÙÝÃÄ3113›.sys
((((((((((((((((((((((((((((( snapshot_2007-09-03_ 41901.87 )))))))))))))))))))))))))))))))))))))))))----a-w 12,359 2007-09-03 00:05:48 C:\WINDOWS\system32\tablet.dat
----a-w 16,384 2007-09-03 00:05:47 C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
------w 32,768 2007-09-03 00:05:47 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
------w 49,152 2007-09-03 00:05:47 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
----a-w 821,536 2007-09-02 20:09:34 C:\WINDOWS\system32\drivers\avg7core.sys
----a-w 4,224 2007-09-02 20:09:42 C:\WINDOWS\system32\drivers\avg7rsw.sys
----a-w 27,776 2007-09-02 20:09:44 C:\WINDOWS\system32\drivers\avg7rsxp.sys
----a-w 3,968 2007-09-02 20:09:46 C:\WINDOWS\system32\drivers\avgclean.sys
----a-w 19,904 2007-09-02 20:09:45 C:\WINDOWS\system32\drivers\avgmfx86.sys
----a-w 4,960 2007-09-02 20:09:45 C:\WINDOWS\system32\drivers\avgtdi.sys----a-w 12,359 2007-09-02 19:16:47 C:\WINDOWS\system32\tablet.dat
----a-w 16,384 2007-09-02 19:16:38 C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
------w 32,768 2007-09-02 19:16:38 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
------w 49,152 2007-09-02 19:16:38 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-09-03 05:08][HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-29 12:41]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 01:04][color=red]Safeusert registry key needs repairs. This machine cannot enter Safe Mode.[/color]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Safeusert\Minimal\File system]
@="Driver Group"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Safeusert\Minimal\RpcSs]
@="Service"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Safeusert\Minimal\vgasave.sys]
@="Driver"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Safeusert\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Safeusert\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Safeusert\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Safeusert\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Safeusert\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Safeusert\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
"C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Babylon Client]
C:\Program Files\Babylon\Babylon-Pro\Babylon.exe -AutoStart[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hldrrr]
C:\WINDOWS\System32\hldrrr.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe /Spoil /RemAdvDef /Migration32[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe /IMEName[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe /SYNC[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atuserttime[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"RasMan"=3 (0x3)
"Messenger"=2 (0x2)
"helpsvc"=2 (0x2)
"ERSvc"=2 (0x2)R1 BUFADPT;BUFADPT;\??\C:\WINDOWS\System32\BUFADPT.SYS
R3 maestro;ESS Maestro Audio Driver (WDM);C:\WINDOWS\System32\drivers\es198x.sys
R3 U2KG54L;BUFFALO WLI-U2-KG54L Wireless LAN Driver;C:\WINDOWS\System32\DRIVERS\U2KG54L.sys
R3 WmBEnum;Logitech Virtual Bus Enumerator Driver;C:\WINDOWS\System32\drivers\WmBEnum.sys
R3 WmXlCore;Logitech WingMan Translation Layer Driver;C:\WINDOWS\System32\drivers\WmXlCore.sys
S3 PsSdk30;PsSdk30;\??\C:\WINDOWS\System32\Drivers\PsSdk30.drv
S3 WmFilter;Logitech Gaming HID Filter Driver;C:\WINDOWS\System32\drivers\WmFilter.sys
S3 WmVirHid;Logitech Virtual Hid Device Driver;C:\WINDOWS\System32\drivers\WmVirHid.sys
**************************************************************************
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-03 09:31:53
Windows 5.1.2600 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
**************************************************************************
Completion time: 2007-09-03 9:33:41
C:\ComboFix-quarantined-files.txt ... 2007-09-03 09:33
C:\ComboFix2.txt ... 2007-09-03 04:21
--- E O F ---

Please disable Spybot's "Tea Timer" as it will interfere with any fixes, but be sure to restart it once the computer is repaired.
Run Spybot-S&D in Advanced Mode.
If it is not already set to do this, go to the Mode menu and select "Advanced Mode".
On the left hand side, click on Tools.
Then click on the Resident icon in the list.
Uncheck "Resident TeaTimer" and OK any prompts.
Restart your computer.
Fix SafeBoot Reg key if you find it to be blank:
This would be incorporated into your fix or alone.
Step: Download and run AVZ from this link: Repair SafeBoot
Unzip it to a folder on your desktop.
Double click on AVZ.exe (must be unzipped or the options will not appear).
Click on the File tab and then click on System recovery.
Put a checkmark next to Restore SafeBoot registry keys.
Click on Execute selected operations.
Restart the computer and see if you can enter safe mode by the F8 method and let me know the results.

safe mode successful after running AVZ
C:\Documents and Settings\user\Application Data\m\flec006.exe - not found
C:\Documents and Settings\Allusers\Application Data\ÙÝÃÄ3113›.sys - found and deleted
C:\Documents and Settings\user\Application Data\m - not found
CoffeeCup Web JukeBox - uninstalled
system restore tab has disappeared strangely
"start>control panel>system>"
also, after sdfix scan and reboot in "normal" mode "helpsvc.exe" was loaded and was using 80%-100% of the cpu for about five minutes and then stopped/disappeared from the process tree
here is the sdfix report...teatimer was disabled before scanning
SDFix: Version 1.101
Run by userpc on 03/09/2007 at 10:23
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\DOCUME~1\user\Desktop\SDFix\SDFix
Safe Mode:
Checking Services:
Restoring Windows Registry Values
Restoring Windows Default Hosts File
Rebooting...
Normal Mode:
Checking Files:
No Trojan Files Found
Removing Temp Files...
ADS Check:
C:\WINDOWS
No streams found.
C:\WINDOWS\system32
No streams found.
C:\WINDOWS\system32\svchost.exe
No streams found.
C:\WINDOWS\system32\ntoskrnl.exe
No streams found.
Final Check:
Remaining Services:
------------------
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
Remaining Files:
---------------
Files with Hidden Attributes:
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Documents and Settings\All Users\Application Data\UYAŽ3113>.sys
C:\WINDOWS\system32\config\SAM.tmp.LOG
C:\WINDOWS\system32\config\SECURITY.tmp.LOG
Finished

Let's try this process first to repair the restore tab.
Open notepad (Start Menu > Run > type notepad and press "ok").
Copy and paste everything into notepad between the x's, making REGEDIT4 the top line (the blank line after it is required by the .reg format).
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
"DisableConfig"=-
"DisableSR"=-
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it Fix.reg and save it to your desktop.
Double click Fix.reg (or right click and choose Merge) and it will ask if you want to merge the contents into the registry; choose Yes.
Restart the computer and see if you have repaired the tab.
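As an added example (not code from this thread or from any of the tools named in it), the following PowerShell script audits the two registry areas the fixes above repair, the SystemRestore policy values and the SafeBoot keys, and also lists Run entries launched from a user profile directory, the pattern of the flec006.exe entry in the first post. It assumes Windows PowerShell 5.1 or later in an elevated prompt; the SafeBoot subkey threshold and the profile-directory patterns are assumptions, not verdicts.

```powershell
# Added example (not from this thread): audit the registry areas the fixes above repair.
# Assumes Windows PowerShell 5.1 or later, run from an elevated prompt.

function Test-SystemRestorePolicy {
    # The Fix.reg above deletes DisableSR and DisableConfig under this policy key
    # (a trailing "=-" in a .reg file means "delete this value"). Either value
    # set to 1 is what hides the System Restore tab or disables SR outright.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore'
    $out = [ordered]@{ KeyExists = (Test-Path $key); DisableSR = $null; DisableConfig = $null }
    if ($out.KeyExists) {
        $p = Get-ItemProperty -Path $key
        $out.DisableSR     = $p.DisableSR
        $out.DisableConfig = $p.DisableConfig
    }
    $out.Tampered = ($out.DisableSR -eq 1) -or ($out.DisableConfig -eq 1)
    [pscustomobject]$out
}

function Test-SafeBootKeys {
    # Safe mode only loads drivers and services listed under SafeBoot\Minimal and
    # SafeBoot\Network. Malware that empties these keys makes safe mode hang or
    # fail, which is what the AVZ "Restore SafeBoot registry keys" step repaired.
    # A healthy install has dozens of subkeys; the threshold of 20 is an assumption.
    foreach ($bootProfile in 'Minimal', 'Network') {
        $key   = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$bootProfile"
        $count = if (Test-Path $key) { @(Get-ChildItem -Path $key).Count } else { -1 }
        [pscustomobject]@{ Profile = $bootProfile; SubkeyCount = $count; LooksBlank = ($count -lt 20) }
    }
}

function Get-RunEntries {
    # Enumerate Run/RunOnce autostarts and flag commands whose image lives inside a
    # user profile directory, the pattern of the "%Application Data%\m\flec006.exe"
    # entry from the first post. The directory list is a heuristic (assumption).
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        # Get-ItemProperty adds PSPath/PSParentPath/... bookkeeping; skip those.
        foreach ($name in ($props.PSObject.Properties.Name | Where-Object { $_ -notlike 'PS*' })) {
            $cmd = [string]$props.$name
            [pscustomobject]@{
                Key           = $key
                Name          = $name
                Command       = $cmd
                InUserProfile = [bool]($cmd -match '(?i)\\(Application Data|AppData|Local Settings|Temp)\\')
            }
        }
    }
}

# Run the three checks; anything flagged deserves a closer look before deletion.
Test-SystemRestorePolicy | Format-List
Test-SafeBootKeys        | Format-Table -AutoSize
Get-RunEntries | Where-Object InUserProfile | Format-Table -AutoSize
```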

yes it did indeed bring the system restore
tab back :)
also, the helpsvc.exe DID NOT start this time :)
i have turned the system restore off and back on again
these two entries were found during the sdfix scan
C:\WINDOWS\system32\config\SAM.tmp.LOG
C:\WINDOWS\system32\config\SECURITY.tmp.LOG
after looking in google they are two more nasty things :(
thanks again jabuck for all this
sophia

update.........
the pc is running a lot better now after following your advice and the nasty things seem to have been fixed however...
...something else has changed also and that is that the "combofix.exe" tool now fails to run with these two error messages;
swreg.cexe - Application Error
The instruction at "0x00403eca" referenced memory at "0x00a4c968". The memory could not be "read".
Click on OK to terminate the program
this error message is then followed by;
swreg.cexe - Application Error
The instruction at "0x77f5ed3" referenced memory at "0x006b0060". The memory could not be "read".
Click on OK to terminate the program
this said, the program still ran after i clicked "ok"
RE:
C:\WINDOWS\system32\config\SAM.tmp.LOG
C:\WINDOWS\system32\config\SECURITY.tmp.LOG
they form part of a folder;
C:\WINDOWS\erdnt\subs
this directory has the file "erdnt.exe"
which after looking in google, is in fact a registry recovery and backup tool
http://www.personal-computer-tutor....
so i guess this/these files are OK? i didnt install them unless they form part of the things that we have been installing during this forum thread
sophia

Please download ATF-Cleaner to your desktop from this link
http://www.atribune.org/content/view/19/2/ We will need it later in safe mode.
Download and install AVG Anti-Spyware. We will need this later in safe mode.
Be sure to update AVG Anti-Spyware.
Boot into safe mode.
Run ATF-Cleaner from safe mode.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
In Safe Mode, run AVG Anti-spyware and click on the Scanner tab at the top. Click the "Settings" tab and then change the recommended action to Quarantine and click Automatically generate report after every scan. Click back to the "Scan" tab and then click on Complete System Scan. This scan can take quite a while to run, so be prepared.
AVG Anti-Spyware will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. AVG Anti-Spyware will display "All actions have been applied" on the right hand side.
Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file again (like on the Desktop).

ok, before post those results firstly i think i should share something with you.....
sorry if i shouldn't have done this
while i was waiting for you to come back on line i was researching some of the log results from the last combofix scan....i came across this entry;
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"RasMan"=3 (0x3)
"Messenger"=2 (0x2)
"helpsvc"=2 (0x2)
"ERSvc"=2 (0x2)
the last of which "ersvc" seems to be a bad thing;
http://www.liutilities.com/products...
i then followed the instructed steps to remove this entry from the link from the above site;
http://www.liutilities.com/products...
this link installed "spyeraser"
the results were as follows;
PCAgent - Adware
Infected registry keys/values detected
hkey_local_machine\software\classes\.pca\\
Trojan-spy.BZub.hv - Trojan-spy
Infected registry keys/values detected
hkey_local_machine\software\microsoft\windows\currentversion\control panel\load\\
Trojan-Dropper.Agent.ack - Trojan-Dropper
Infected registry keys/values detected
hkey_local_machine\software\windows\\
Adware.BHO.t - adware
Infected registry keys/values detected
hkey_users\.default\software\microsoft\internet explorer\main\check_associations\
the results found could not be removed unless you buy the program so....
obviously concerned about its findings, i ran xscan which did indeed find and remove; "PCAgent"
but nothing else
i then ran avg anti virus which found nothing
i then ran avg anti spyware which too found nothing
both avg programs have been updated
i was just about to install adaware and run this when i saw your post....
i ran both ATF-Cleaner and avg anti spyware
in safe mode
avg found exactly the same results as the normal boot mode scan (which i didnt remove after the scan was complete because i wanted to wait for you)
here is the log from avg anti spyware (safe mode)
AVG Anti-Spyware - Scan Report
+ Created at: 22:49:55 03/09/2007
+ Scan result:
:mozilla.51:C:\Documents and Settings\userpc\Application Data\Mozilla\Firefox\Profiles\p2dcfx16.default\cookies.txt -> TrackingCookie.247realmedia : No action taken.
:mozilla.26:C:\Documents and Settings\userpc\Application Data\Mozilla\Firefox\Profiles\p2dcfx16.default\cookies.txt -> TrackingCookie.Clickbank : No action taken.
:mozilla.39:C:\Documents and Settings\userpc\Application Data\Mozilla\Firefox\Profiles\p2dcfx16.default\cookies.txt -> TrackingCookie.Com : No action taken.
:mozilla.179:C:\Documents and Settings\userpc\Application Data\Mozilla\Firefox\Profiles\p2dcfx16.default\cookies.txt -> TrackingCookie.Googleadservices : No action taken.
:mozilla.29:C:\Documents and Settings\userpc\Application Data\Mozilla\Firefox\Profiles\p2dcfx16.default\cookies.txt -> TrackingCookie.Hotlog : No action taken.
:mozilla.156:C:\Documents and Settings\userpc\Application Data\Mozilla\Firefox\Profiles\p2dcfx16.default\cookies.txt -> TrackingCookie.Information : No action taken.
:mozilla.138:C:\Documents and Settings\userpc\Application Data\Mozilla\Firefox\Profiles\p2dcfx16.default\cookies.txt -> TrackingCookie.Myaffiliateprogram : No action taken.
:mozilla.21:C:\Documents and Settings\userpc\Application Data\Mozilla\Firefox\Profiles\p2dcfx16.default\cookies.txt -> TrackingCookie.Paypal : No action taken.
:mozilla.157:C:\Documents and Settings\userpc\Application Data\Mozilla\Firefox\Profiles\p2dcfx16.default\cookies.txt -> TrackingCookie.Sitestat : No action taken.
:mozilla.158:C:\Documents and Settings\userpc\Application Data\Mozilla\Firefox\Profiles\p2dcfx16.default\cookies.txt -> TrackingCookie.Sitestat : No action taken.
:mozilla.50:C:\Documents and Settings\userpc\Application Data\Mozilla\Firefox\Profiles\p2dcfx16.default\cookies.txt -> TrackingCookie.Statcounter : No action taken.
:mozilla.153:C:\Documents and Settings\userpc\Application Data\Mozilla\Firefox\Profiles\p2dcfx16.default\cookies.txt -> TrackingCookie.Webtrends : No action taken.
:mozilla.41:C:\Documents and Settings\userpc\Application Data\Mozilla\Firefox\Profiles\p2dcfx16.default\cookies.txt -> TrackingCookie.Webtrendslive : No action taken.
::Report end

Looks good, how is the computer running?
Remove/Uninstall all of the tools we used to repair the computer as they are updated every day and will be out of date almost immediately.
You can remove all cookies from Mozilla Firefox:
Click on Tools, then Options
Select the Privacy icon in the left-hand panel
Click on Cookies
Click on View Cookies
To remove a single cookie click on the entry in the list and click on the Remove Cookie button
To remove all cookies click on the Remove All Cookies button

the computer is running a lot better than when you began posting your knowledge :)
ALL of the problems that i originally posted have been fixed (with some that i didn't find also being fix too)
PC status;
it now boots in both "normal" and "safe" modes
it now doesnt have the "hidr.exe" threat
it now doesnt have the "flec006.exe" threat
it now doesnt have the "exefld" threat
the IE blank pop up doesnt er, "pop up"
the 100M line seems back to normal
Sophia Status;
my face has a smile on it :)
the tools that you both instructed me to use found other threats that i didn't find;
srosa.sys
W32/Bagle.dm
Spy-Agent.ak
ÙÝÃÄ3113›.sys
Tools used....
highjack this
i have un-installed highjack this
xscan
xscan ran from the developers site
combofix
combofix doesn't seem to install anything
sdfix
SDFix doesn't seem to install anything
avz anti virus
avz doesn't seem to install anything
avg anti virus
avg anti virus is still installed and running
avg anti spyware
avg anti spyware is still installed and running
here is the latest log from combofix...the one thing that is causing me concern is;
C:\WINDOWS\ERUNT
and how it got onto the system
what do you think? can you see any other threats in this log?
ComboFix 07-08-30.3 - "userpc" 2007-09-03 23:45:16.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.56 [GMT 9:00]
((((((((((((((((((((((((( Files Created from 2007-08-03 to 2007-09-03 )))))))))))))))))))))))))))))))
2007-09-03 21:11 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-09-03 20:23 <DIR> d-------- C:\DOCUME~1\userpc\APPLIC~1\Uniblue
2007-09-03 18:43 <DIR> d-------- C:\Program Files\SmartPCTools
2007-09-03 10:21 <DIR> d-------- C:\WINDOWS\ERUNT
2007-09-03 07:12 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-09-03 05:38 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-09-03 04:30 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-03 04:09 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-09-01 07:33 2,042,240 --a--c--- C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2007-09-01 05:34 <DIR> d-------- C:\DOCUME~1\userpc\DoctorWeb
2007-09-01 01:02 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-09-01 01:02 94,416 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-09-01 01:02 92,848 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-09-01 01:02 783,224 --a------ C:\WINDOWS\system32\aswuserpct.exe
2007-09-01 01:02 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-09-01 01:02 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-09-01 01:02 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-08-31 06:46 61,440 --a------ C:\WINDOWS\system32\libfaac.dll
2007-08-31 06:46 53,248 --a------ C:\WINDOWS\system32\ogg.dll
2007-08-31 06:46 36,864 --a------ C:\WINDOWS\system32\DGRip.dll
2007-08-31 06:46 36,352 --a------ C:\WINDOWS\system32\MP2enc.dll
2007-08-31 06:46 220,160 --a------ C:\WINDOWS\system32\WnASPI32.dll
2007-08-31 06:46 172,032 --a------ C:\WINDOWS\system32\lame_enc.dll
2007-08-31 06:46 1,163,264 --a------ C:\WINDOWS\system32\vorbis.dll
2007-08-31 06:46 1,015,808 --a------ C:\WINDOWS\system32\vorbisenc.dll
2007-08-31 06:46 <DIR> d-------- C:\Program Files\CoffeeCup Software
2007-08-31 03:38 164,862 --a------ C:\WINDOWS\Intellimapper-Basic Uninstaller.exe
2007-08-31 03:38 <DIR> d-------- C:\Program Files\Intellimapper-Basic
2007-08-29 05:27 24,084 --ah----- C:\WINDOWS\system32\mlfcache.dat
2007-08-27 21:27 212,992 --a------ C:\WINDOWS\ALCHUNIN.exe
2007-08-20 18:57 <DIR> d-------- C:\Program Files\Google
2007-08-20 18:13 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2007-08-15 15:49 <DIR> d-------- C:\DOCUME~1\userpc\APPLIC~1\Sony
2007-08-15 13:17 <DIR> d-------- C:\Program Files\MixMeister BPM Analyzer
2007-08-15 06:39 <DIR> d-------- C:\Program Files\TagRename
2007-08-15 06:23 73,216 --a------ C:\WINDOWS\ST6UNST.exe
2007-08-15 06:23 249,856 --------- C:\WINDOWS\Setup1.exe
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-09-03 21:07 --------- d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-09-03 0rogram Files\mIRC
2007-09-01 2OCUME~1\userpc\APPLIC~1\Skype
2007-09-01 0rogram Files\InstallShield Installation Information
2007-08-30 1rogram Files\Netscape
2007-08-28 2rogram Files\Vstplugins
2007-08-15 0rogram Files\Winamp
2007-08-01 14:52 720896 --a------ C:\WINDOWS\iun6002.exe
2007-07-12 1rogram Files\Microsoft ActiveSync
2007-07-04 1rogram Files\AC3Filter
((((((((((((((((((((((((((((( snapshot_2007-09-03_ 41901.87 )))))))))))))))))))))))))))))))))))))))))
----a-w 163,328 2007-09-01 15:18:41 C:\WINDOWS\ERUNT\SDFIX\ERDNT.exe
----a-w 3,407,872 2007-09-03 01:21:53 C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
----a-w 241,664 2007-09-03 01:21:53 C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
----a-w 163,328 2007-09-01 15:18:41 C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.exe
----a-w 3,407,872 2007-09-03 01:21:45 C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
----a-w 241,664 2007-09-03 01:21:46 C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
----a-w 12,359 2007-09-03 13:56:10 C:\WINDOWS\system32\tablet.dat
----a-w 16,384 2007-09-03 13:56:07 C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
------w 32,768 2007-09-03 13:56:07 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
------w 49,152 2007-09-03 13:56:07 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
----a-w 821,536 2007-09-02 20:09:34 C:\WINDOWS\system32\drivers\avg7core.sys
----a-w 4,224 2007-09-02 20:09:42 C:\WINDOWS\system32\drivers\avg7rsw.sys
----a-w 27,776 2007-09-02 20:09:44 C:\WINDOWS\system32\drivers\avg7rsxp.sys
----a-w 3,968 2007-09-02 20:09:46 C:\WINDOWS\system32\drivers\avgclean.sys
----a-w 19,904 2007-09-02 20:09:45 C:\WINDOWS\system32\drivers\avgmfx86.sys
----a-w 4,960 2007-09-02 20:09:45 C:\WINDOWS\system32\drivers\avgtdi.sys
----a-w 12,359 2007-09-02 19:16:47 C:\WINDOWS\system32\tablet.dat
----a-w 16,384 2007-09-02 19:16:38 C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
------w 32,768 2007-09-02 19:16:38 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
------w 49,152 2007-09-02 19:16:38 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-09-03 05:08]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 18:25]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-29 12:41]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
"C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe /Spoil /RemAdvDef /Migration32
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe /IMEName
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe /SYNC
C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe /SYNC
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"RasMan"=3 (0x3)
"Messenger"=2 (0x2)
"helpsvc"=2 (0x2)
"ERSvc"=2 (0x2)
R1 BUFADPT;BUFADPT;\??\C:\WINDOWS\System32\BUFADPT.SYS
R3 maestro;ESS Maestro Audio Driver (WDM);C:\WINDOWS\System32\drivers\es198x.sys
R3 U2KG54L;BUFFALO WLI-U2-KG54L Wireless LAN Driver;C:\WINDOWS\System32\DRIVERS\U2KG54L.sys
R3 WmBEnum;Logitech Virtual Bus Enumerator Driver;C:\WINDOWS\System32\drivers\WmBEnum.sys
R3 WmXlCore;Logitech WingMan Translation Layer Driver;C:\WINDOWS\System32\drivers\WmXlCore.sys
S3 PsSdk30;PsSdk30;\??\C:\WINDOWS\System32\Drivers\PsSdk30.drv
S3 WmFilter;Logitech Gaming HID Filter Driver;C:\WINDOWS\System32\drivers\WmFilter.sys
S3 WmVirHid;Logitech Virtual Hid Device Driver;C:\WINDOWS\System32\drivers\WmVirHid.sys
Contents of the 'Scheduled Tasks' folder
2007-09-03 12:08:10 C:\WINDOWS\Tasks\Uniblue SpyEraser Nag.job - C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
2007-09-03 12:08:10 C:\WINDOWS\Tasks\Uniblue SpyEraser.job
**************************************************************************
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-03 23:47:25
Windows 5.1.2600 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
**************************************************************************
Completion time: 2007-09-03 23:49:52
C:\ComboFix-quarantined-files.txt ... 2007-09-03 23:49
C:\ComboFix2.txt ... 2007-09-03 20:11
C:\ComboFix3.txt ... 2007-09-03 09:33
--- E O F ---

As you can see in the last Combofix log in the "snapshot"...C:\WINDOWS\ERUNT\SDFIX\ERDNT.exe is a registry backup created by SDFIX and can be deleted. I would put it in the recycle bin for a few days then delete it.
I see some minor things that do not need to be repaired.
You should delete all the tools used and only run them when requested; they are very powerful and can render the computer useless. Even files that appear harmful and are documented in some places on the internet as virus/spyware may be normal files for your computer dependent on where they are located.
Glad we could help.

Well jabuck, i would just like to say a very BIG thank you for your time, energy and knowledge. (and XpUser4Real)
You have solved my problems and solved things that i didnt even know that i had
I dont know what to say apart from that what i have already said
THANK YOU :)
i hope this thread will help others in the future with similar problems
ALL THE BEST TO THE WHOLE COMPUTING.NET TEAM
sophia

Wow, I am having the same exact symptoms. Can't install any antivirus/antispyware.
Will try to follow this thread.
