
cannot access control panel normally

Discussion in 'Malware and Virus Removal Archive' started by Bodawg, 2008/02/03.

  1. 2008/02/13
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi Bodawg

    Using Windows Explorer (to get there, right-click your Start button and go to "Explore"), please delete these folders (if present):

    C:\Documents and Settings\All Users\Application Data\n7-89-o9-3r-4t-r9


    Did you download Spyware Detector? If so, did you delete it as asked?

    Download ATF Cleaner by Atribune and save it to your Desktop.
    This is a good tool to get rid of the temporary garbage you pick up while surfing the net.
    Double click ATF-Cleaner.exe to run the program.
    Check the boxes to the left of:

    Windows Temp
    Current User Temp
    All Users Temp
    Temporary Internet Files
    Prefetch
    Java Cache
    Recycle bin


    The rest are optional - if you want it to remove everything, check "Select All".
    Finally, click Empty Selected. When you get the "Done Cleaning" message, click OK.

    Now let's run an on-line scan.


    Please do an online scan with Kaspersky WebScanner

    Click on "Accept". If your pop-up blocker blocks the ActiveX download, allow it, then click on "Accept" again.

    You will be prompted to install an ActiveX component from Kaspersky. Click Yes or Install.
    • The program will launch and then begin downloading the latest definition files:
    • Once the files have been downloaded click on NEXT
    • Now click on Scan Settings
    • In the scan settings make sure that the following are selected:
      • Scan using the following Anti-Virus database:
      • Extended (if available otherwise Standard)
      • Scan Options:
      • Scan Archives
      • Scan Mail Bases
    • Click OK
    • Now under select a target to scan:
      • Select My Computer
    • This will start the program and scan your system.
    • The scan will take a while so be patient and let it run.
    • Once the scan is complete it will display if your system has been infected.
      • Now click on the Save as Text button:
    • Save the file to your desktop.
    • Copy and paste that information in your next post.


    Please answer my question and post the Kaspersky log.
     
  2. 2008/02/14
    Bodawg

    Bodawg Inactive Thread Starter

    Joined:
    2008/01/29
    Messages:
    32
    Likes Received:
    0
    Kaspersky scan for bodawg 2/14/08 18:35

    Hey Geri,
    Here is the Kaspersky scan and also I did remove the Spybot spyware software as you requested yesterday.

    KASPERSKY ONLINE SCANNER REPORT
    Thursday, February 14, 2008 6:31:57 PM
    Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 14/02/2008
    Kaspersky Anti-Virus database records: 567190
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    A:\
    C:\
    D:\
    E:\

    Scan Statistics:
    Total number of scanned objects: 16902
    Number of viruses found: 2
    Number of infected objects: 4
    Number of suspicious objects: 0
    Duration of the scan process: 00:31:51

    Infected Object Name / Virus Name / Last Action
    C:\Documents and Settings\All Users\Application Data\ESET\ESET NOD32 Antivirus\Charon\CACHE.NDB Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\ESET\ESET NOD32 Antivirus\Logs\virlog.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\ESET\ESET NOD32 Antivirus\Logs\warnlog.dat Object is locked skipped
    C:\Documents and Settings\HomeUser\Application Data\Thunderbird\Profiles\dirtzfp5.default\cert8.db Object is locked skipped
    C:\Documents and Settings\HomeUser\Application Data\Thunderbird\Profiles\dirtzfp5.default\key3.db Object is locked skipped
    C:\Documents and Settings\HomeUser\Application Data\Thunderbird\Profiles\dirtzfp5.default\Mail\Local Folders\Inbox.msf Object is locked skipped
    C:\Documents and Settings\HomeUser\Application Data\Thunderbird\Profiles\dirtzfp5.default\Mail\Local Folders\Trash.msf Object is locked skipped
    C:\Documents and Settings\HomeUser\Application Data\Thunderbird\Profiles\dirtzfp5.default\Mail\pop.earthlink-4.net\Inbox.msf Object is locked skipped
    C:\Documents and Settings\HomeUser\Application Data\Thunderbird\Profiles\dirtzfp5.default\Mail\pop.earthlink-4.net\Trash.msf Object is locked skipped
    C:\Documents and Settings\HomeUser\Application Data\Thunderbird\Profiles\dirtzfp5.default\panacea.dat Object is locked skipped
    C:\Documents and Settings\HomeUser\Application Data\Thunderbird\Profiles\dirtzfp5.default\parent.lock Object is locked skipped
    C:\Documents and Settings\HomeUser\Application Data\Thunderbird\Profiles\dirtzfp5.default\urlclassifier2.sqlite Object is locked skipped
    C:\Documents and Settings\HomeUser\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\HomeUser\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\HomeUser\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\HomeUser\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\HomeUser\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\HomeUser\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\HomeUser\ntuser.dat.LOG Object is locked skipped
    C:\Program Files\Trend Micro\HijackThis\backups\backup-20080203-135815-304.dll Infected: not-a-virus:Downloader.Win32.PopCap.b skipped
    C:\WINNT\CSC\00000001 Object is locked skipped
    C:\WINNT\Debug\ipsecpa.log Object is locked skipped
    C:\WINNT\Debug\oakley.log Object is locked skipped
    C:\WINNT\Debug\PASSWD.LOG Object is locked skipped
    C:\WINNT\SoftwareDistribution\DataStore\DataStore.edb Object is locked skipped
    C:\WINNT\SoftwareDistribution\DataStore\Logs\edb.log Object is locked skipped
    C:\WINNT\SoftwareDistribution\DataStore\Logs\tmp.edb Object is locked skipped
    C:\WINNT\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINNT\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINNT\system32\config\default Object is locked skipped
    C:\WINNT\system32\config\default.LOG Object is locked skipped
    C:\WINNT\system32\config\SAM Object is locked skipped
    C:\WINNT\system32\config\SAM.LOG Object is locked skipped
    C:\WINNT\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINNT\system32\config\SECURITY Object is locked skipped
    C:\WINNT\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINNT\system32\config\software Object is locked skipped
    C:\WINNT\system32\config\software.LOG Object is locked skipped
    C:\WINNT\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINNT\system32\config\system Object is locked skipped
    C:\WINNT\system32\config\SYSTEM.ALT Object is locked skipped
    C:\WINNT\system32\ias\dnary.ldb Object is locked skipped
    C:\WINNT\system32\ias\ias.ldb Object is locked skipped
    C:\WINNT\system32\ias\ias.mdb Object is locked skipped
    C:\WINNT\system32\TFTP1268 Infected: Backdoor.Win32.SdBot.bkk skipped
    C:\WINNT\system32\TFTP676 Infected: Backdoor.Win32.SdBot.bkk skipped
    C:\WINNT\system32\TFTP724 Infected: Backdoor.Win32.SdBot.bkk skipped
    C:\WINNT\TEMP\JET7DB0.tmp Object is locked skipped
    C:\WINNT\TEMP\JET864B.tmp Object is locked skipped
    C:\WINNT\WindowsUpdate.log Object is locked skipped

    Scan process completed.
     


  4. 2008/02/14
    Geri
    Hi Bodawg

    Download OTMoveIt2 by OldTimer to your Desktop.
    • Double click OTMoveIt2.exe to launch it.
    • Copy/Paste the contents of the box below into the left hand pane of OTMoveIt.
    • Click the Move It button.
    • The list will be processed and the results will appear in the right hand pane.
    • If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    • When finished click Exit to exit the programme.
    • A log C:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log will be created (where mmddyyyy_hhmmss are numbers giving date and time the log was created).

    Please run Kaspersky again and post the log.

    Thanks
    Geri
     
  5. 2008/02/15
    Bodawg
    Geri, Kaspersky scan 22:00hrs

    Hi,
    Geri here is the second Kaspersky scan 22:00 2/15/08

    KASPERSKY ONLINE SCANNER REPORT
    Friday, February 15, 2008 9:57:50 PM
    Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 16/02/2008
    Kaspersky Anti-Virus database records: 568431
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    A:\
    C:\
    D:\
    E:\

    Scan Statistics:
    Total number of scanned objects: 17357
    Number of viruses found: 2
    Number of infected objects: 4
    Number of suspicious objects: 0
    Duration of the scan process: 00:31:48

    Infected Object Name / Virus Name / Last Action
    C:\Documents and Settings\All Users\Application Data\ESET\ESET NOD32 Antivirus\Charon\CACHE.NDB Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\ESET\ESET NOD32 Antivirus\Logs\virlog.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\ESET\ESET NOD32 Antivirus\Logs\warnlog.dat Object is locked skipped
    C:\Documents and Settings\HomeUser\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\HomeUser\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\HomeUser\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\HomeUser\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\HomeUser\Local Settings\History\History.IE5\MSHist012008021520080216\index.dat Object is locked skipped
    C:\Documents and Settings\HomeUser\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\HomeUser\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\HomeUser\ntuser.dat.LOG Object is locked skipped
    C:\Program Files\Trend Micro\HijackThis\backups\backup-20080203-135815-304.dll Infected: not-a-virus:Downloader.Win32.PopCap.b skipped
    C:\WINNT\CSC\00000001 Object is locked skipped
    C:\WINNT\Debug\ipsecpa.log Object is locked skipped
    C:\WINNT\Debug\oakley.log Object is locked skipped
    C:\WINNT\Debug\PASSWD.LOG Object is locked skipped
    C:\WINNT\SoftwareDistribution\DataStore\DataStore.edb Object is locked skipped
    C:\WINNT\SoftwareDistribution\DataStore\Logs\edb.log Object is locked skipped
    C:\WINNT\SoftwareDistribution\DataStore\Logs\tmp.edb Object is locked skipped
    C:\WINNT\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINNT\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINNT\system32\config\default Object is locked skipped
    C:\WINNT\system32\config\default.LOG Object is locked skipped
    C:\WINNT\system32\config\SAM Object is locked skipped
    C:\WINNT\system32\config\SAM.LOG Object is locked skipped
    C:\WINNT\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINNT\system32\config\SECURITY Object is locked skipped
    C:\WINNT\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINNT\system32\config\software Object is locked skipped
    C:\WINNT\system32\config\software.LOG Object is locked skipped
    C:\WINNT\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINNT\system32\config\system Object is locked skipped
    C:\WINNT\system32\config\SYSTEM.ALT Object is locked skipped
    C:\WINNT\system32\ias\dnary.ldb Object is locked skipped
    C:\WINNT\system32\ias\ias.ldb Object is locked skipped
    C:\WINNT\system32\ias\ias.mdb Object is locked skipped
    C:\WINNT\TEMP\JET7F2C.tmp Object is locked skipped
    C:\WINNT\TEMP\JET8BC5.tmp Object is locked skipped
    C:\WINNT\WindowsUpdate.log Object is locked skipped
    C:\_OTMoveIt\MovedFiles\02152008_212144\WINNT\system32\TFTP1268 Infected: Backdoor.Win32.SdBot.bkk skipped
    C:\_OTMoveIt\MovedFiles\02152008_212144\WINNT\system32\TFTP676 Infected: Backdoor.Win32.SdBot.bkk skipped
    C:\_OTMoveIt\MovedFiles\02152008_212144\WINNT\system32\TFTP724 Infected: Backdoor.Win32.SdBot.bkk skipped

    Scan process completed.
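
    As an added example (not part of the thread, and not Kaspersky's or OldTimer's code), the Python below reads two scanner reports in the layout of the logs posted in posts 2 and 5 and checks what a helper checks by eye: that the detections from the first scan are gone from their original location and now appear only under the OTMoveIt2 quarantine folder. The two reports are constructed, shortened excerpts; treating the HijackThis backups folder as quarantine is an assumption of the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed, shortened excerpts in the layout of the Kaspersky Online Scanner 5
# reports posted above (not the real logs). Each object line reads either
# "<path> Infected: <detection> <action>" or "<path> Object is locked <action>".
SCAN_BEFORE_REMOVAL = r"""
Infected Object Name / Virus Name / Last Action
C:\WINNT\system32\config\SAM Object is locked skipped
C:\Program Files\Trend Micro\HijackThis\backups\backup-20080203-135815-304.dll Infected: not-a-virus:Downloader.Win32.PopCap.b skipped
C:\WINNT\system32\TFTP1268 Infected: Backdoor.Win32.SdBot.bkk skipped
C:\WINNT\system32\TFTP676 Infected: Backdoor.Win32.SdBot.bkk skipped
C:\WINNT\system32\TFTP724 Infected: Backdoor.Win32.SdBot.bkk skipped

Scan process completed.
"""

SCAN_AFTER_REMOVAL = r"""
Infected Object Name / Virus Name / Last Action
C:\WINNT\system32\config\SAM Object is locked skipped
C:\Program Files\Trend Micro\HijackThis\backups\backup-20080203-135815-304.dll Infected: not-a-virus:Downloader.Win32.PopCap.b skipped
C:\_OTMoveIt\MovedFiles\02152008_212144\WINNT\system32\TFTP1268 Infected: Backdoor.Win32.SdBot.bkk skipped
C:\_OTMoveIt\MovedFiles\02152008_212144\WINNT\system32\TFTP676 Infected: Backdoor.Win32.SdBot.bkk skipped
C:\_OTMoveIt\MovedFiles\02152008_212144\WINNT\system32\TFTP724 Infected: Backdoor.Win32.SdBot.bkk skipped

Scan process completed.
"""


@dataclass(frozen=True)
class Finding:
    path: str
    detection: str  # detection name, or "" when the object was merely locked
    action: str     # the report's "Last Action" column ("skipped" throughout this thread)


# Paths contain spaces, so match lazily up to the verdict keyword.
OBJECT_LINE = re.compile(
    r"^(?P<path>.+?) (?:Infected: (?P<name>\S+)|Object is locked) (?P<action>\S+)$"
)

# Folders holding copies of files already moved out of their original location.
# The first is the OTMoveIt2 folder named in this thread; treating the HijackThis
# backups folder the same way is an assumption of this example.
QUARANTINE_PREFIXES = (
    "c:\\_otmoveit\\movedfiles\\",
    "c:\\program files\\trend micro\\hijackthis\\backups\\",
)


def parse_report(text: str) -> List[Finding]:
    """One Finding per object line; header, statistics and footer lines are ignored."""
    findings = []
    for raw in text.splitlines():
        m = OBJECT_LINE.match(raw.strip())
        if m:
            findings.append(Finding(m["path"], m["name"] or "", m["action"]))
    return findings


def triage(findings: List[Finding]) -> Dict[str, List[Finding]]:
    """Split into live detections, quarantined copies and locked objects. Locked
    objects are in-use files (registry hives, event logs, mail indexes) the
    scanner could not open; they are noise, not detections."""
    groups: Dict[str, List[Finding]] = {"live": [], "quarantined": [], "locked": []}
    for f in findings:
        if not f.detection:
            groups["locked"].append(f)
        elif f.path.lower().startswith(QUARANTINE_PREFIXES):
            groups["quarantined"].append(f)
        else:
            groups["live"].append(f)
    return groups


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count live detections per name: the first thing a helper reads off a report."""
    counts: Dict[str, int] = {}
    for f in triage(findings)["live"]:
        counts[f.detection] = counts.get(f.detection, 0) + 1
    return counts


def moved_to_quarantine(before: List[Finding], after: List[Finding]) -> List[Finding]:
    """Live detections in `before` whose file appears in `after` only under a
    quarantine folder: evidence the move worked, as opposed to the file simply
    not being reported on the second pass."""
    live_after = {f.path.lower() for f in triage(after)["live"]}
    quarantined_after = [f.path.lower() for f in triage(after)["quarantined"]]
    moved = []
    for f in triage(before)["live"]:
        if f.path.lower() in live_after:
            continue  # still at its original location: the move did not happen
        tail = f.path.lower().split(":", 1)[-1]  # drop the drive letter
        if any(q.endswith(tail) for q in quarantined_after):
            moved.append(f)
    return moved


if __name__ == "__main__":
    before, after = parse_report(SCAN_BEFORE_REMOVAL), parse_report(SCAN_AFTER_REMOVAL)
    print("live before:", summarize(before), "live after:", summarize(after))
    for f in moved_to_quarantine(before, after):
        print("moved to quarantine:", f.path)
```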
     
  6. 2008/02/15
    Geri
    Hi Bodawg

    OK very good

    Open OTMoveIt2 and click the CleanUp button.

    Post one more new HJT log to make sure there is no cleaning up to do on it.

    Let me know how things are running.

    Thanks
    Geri
     
  7. 2008/02/16
    Bodawg
    Geri, HJT scan?

    Hey Geri,
    I am sorry to be so forgetful about this stuff, but on the HJT scan, is this done in safe mode or just run from the desktop?

    thanks

    Bo (13:30hrs)
     
  8. 2008/02/16
    Geri
    Hi
    HJT should be installed in your All Programs or Program Files list (Windows 2000)?

    No, don't run it in safe mode.

    Geri
     
  9. 2008/02/16
    Bodawg
    HJT scan....14:00hrs 2/16/08

    Geri,
    here is the HJT scan.
    One question for you: how does my system look?

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2:00:38 PM, on 2/16/2008
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\System32\SCardSvr.exe
    C:\WINNT\system32\tlntsvr.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
    C:\WINNT\system32\wuauclt.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe "
    O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
    O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O16 - DPF: {04B6290C-97B8-49A1-B0A3-1312254F7C54} (SharedSessionService Class) - http://md.stv.org/portal/applets/SharedSession.dll
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {65FDEDF3-8ED9-4F5B-825E-18C2D44191A7} (OneCCCtl Class) - http://d.69.25.47.103.downloads.est...255.247.242_1502&=&req=1196212733173OneCC.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1186931097352
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {EB29B81A-7351-4890-8BCE-58127C3545F9} (Mckntauth Control) - http://md.stv.org/portal/applets/mckntauth.ocx
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
    O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: ms hexidecimal defx (mshexdefx) - Unknown owner - C:\WINNT\system32\dllcache\ivchost.exe (file missing)

    --
    End of file - 3864 bytes
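
    As an added example (not part of the thread, and not HijackThis's own code), the Python below parses the O16 and O23 lines of a HijackThis 2.0.2 log like the one above and flags the entries a helper would ask to have fixed: services with no vendor whose binary is missing, and ActiveX controls downloaded from hosts outside a small trusted set. The trusted-host set, and the placeholder URL standing in for the truncated OneCC line, are assumptions of the example; the other log lines are copied from the post.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Constructed HijackThis 2.0.2 excerpt. The O23 lines and four of the O16 lines
# are from the log posted above; the OneCC URL was truncated in the post, so a
# placeholder host (.invalid TLD) stands in for it.
HJT_LOG = r"""
O16 - DPF: {04B6290C-97B8-49A1-B0A3-1312254F7C54} (SharedSessionService Class) - http://md.stv.org/portal/applets/SharedSession.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {65FDEDF3-8ED9-4F5B-825E-18C2D44191A7} (OneCCCtl Class) - http://downloads.placeholder.invalid/OneCC.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: ms hexidecimal defx (mshexdefx) - Unknown owner - C:\WINNT\system32\dllcache\ivchost.exe (file missing)
"""


@dataclass(frozen=True)
class Service:  # one O23 line
    display: str
    short: str
    owner: str
    path: str
    file_missing: bool


@dataclass(frozen=True)
class ActiveXObject:  # one O16 line (Downloaded Program File)
    clsid: str
    name: str
    source: str
    host: Optional[str]  # None when the source is a local file rather than a URL


O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?) \((?P<short>[^()]+)\) - (?P<owner>.+?) - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$"
)
O16_RE = re.compile(r"^O16 - DPF: (?P<clsid>\{[^}]+\}) \((?P<name>[^)]+)\) - (?P<src>.+)$")

# Download hosts whose controls the helper left alone in this thread. Treating
# them as trusted is an assumption of this example, not a HijackThis feature.
TRUSTED_DPF_HOSTS = {"www.kaspersky.com", "www.update.microsoft.com", "fpdownload.macromedia.com"}


def parse_hjt(text: str) -> Tuple[List[Service], List[ActiveXObject]]:
    """Extract O23 services and O16 downloaded controls; other sections are ignored."""
    services: List[Service] = []
    activex: List[ActiveXObject] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = O23_RE.match(line)
        if m:
            services.append(Service(m["display"], m["short"], m["owner"], m["path"],
                                    m["missing"] is not None))
            continue
        m = O16_RE.match(line)
        if m:
            src = m["src"]
            host = urlparse(src).hostname if "://" in src else None
            activex.append(ActiveXObject(m["clsid"], m["name"], src, host))
    return services, activex


def suspicious_services(services: List[Service]) -> List[Service]:
    """O23 entries with no vendor name or a binary that no longer exists. A service
    still registered for a deleted file is a leftover of a removed infection and
    is cleaned up so the name cannot be reused."""
    return [s for s in services if s.owner == "Unknown owner" or s.file_missing]


def untrusted_activex(activex: List[ActiveXObject]) -> List[ActiveXObject]:
    """O16 controls fetched from a host outside TRUSTED_DPF_HOSTS. Controls with a
    local path (no URL) are not judged here."""
    return [a for a in activex if a.host is not None and a.host.lower() not in TRUSTED_DPF_HOSTS]


if __name__ == "__main__":
    services, activex = parse_hjt(HJT_LOG)
    for s in suspicious_services(services):
        print("fix O23:", s.short, s.path, "(file missing)" if s.file_missing else "")
    for a in untrusted_activex(activex):
        print("fix O16:", a.clsid, a.host)
```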
     
  10. 2008/02/16
    Geri
    Hi Bodawg
    Things are looking good.

    Please re-open HiJackThis and scan only. Check the boxes next to all the entries listed below.

    O16 - DPF: {04B6290C-97B8-49A1-B0A3-1312254F7C54} (SharedSessionService Class) - http://md.stv.org/portal/applets/SharedSession.dll
    O16 - DPF: {65FDEDF3-8ED9-4F5B-825E-18C2D44191A7} (OneCCCtl Class) - http://d.69.25.47.103.downloads.esta...33173OneCC.cab
    O16 - DPF: {EB29B81A-7351-4890-8BCE-58127C3545F9} (Mckntauth Control) - http://md.stv.org/portal/applets/mckntauth.ocx
    O23 - Service: ms hexidecimal defx (mshexdefx) - Unknown owner - C:\WINNT\system32\dllcache\ivchost.exe (file missing)


    Now close all windows other than HiJackThis, then click Fix Checked.

    Close HJT.

    Can you get to your Add/Remove list?
    Let me know.

    Please post a new HJT log.

    Thanks
    Geri
     
  11. 2008/02/17
    Bodawg
    Geri, HJT done.

    Hi Geri,
    I completed the HJT scan.
    I checked all the requested items and clicked fix.
    I CANNOT get the add/remove program to open, when I click on it
    it only gives me a gray window and I have to reboot to get it to go away.

    Bo
     
  12. 2008/02/17
    Geri
    Hi
    Can you tell me what tax program and spyware/virus program were installed, and was this when Add/Remove quit working?

    Thanks
    Geri
     
  13. 2008/02/18
    Bodawg
    Geri, (18:15 hrs)2/18/08

    Hey Geri,
    I am sorry I am behind on replying to your questions and assistance.
    Ok, I downloaded TaxAct 2007 and it seems like about a few days after that I tried to go to Add/Remove Programs and couldn't open it.
    I can get to the control panel just fine, but when I click on the Add/Remove Programs icon a grey window pops up and nothing else.
    I cannot click the close button to close it. I have to restart my computer in order to remove the grey window.

    Bo
     
  14. 2008/02/18
    Geri
    Hi Bodawg

    Download ComboFix from Here to your Desktop.

    Now please do this.
    Highlight and copy the contents of the code box below and paste it into a blank Notepad, then save it to your desktop as:

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button.
    Click here to see how to use CFScript.txt
    Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log and another fresh HijackThis log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

    Code:
    Folder::
    C:\Documents and Settings\HomeUser\Application Data\iWinArcade
    C:\Documents and Settings\All Users\Application Data\iWin Games
    C:\Program Files\OneStepSearch
    C:\Program Files\Winferno\RegistryPowerCleaner
    
    File::
    C:\WINNT\system32\ofcpi.dll
    C:\WINNT\popcinfot.dat
    C:\WINNT\popcreg.dat
    C:\WINNT\system32\dllcache\ivchost.exe
    C:\WINDOWS\SYSTEM32\crypts.dll
    C:\WINNT\system32\scricon.exe
    
    Driver::
    mshexdefx
    
    Registry::
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Auto File System Conversion Utility"=-
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
    "{7265100a-17e1-41bf-bd08-63b95a25a9c3}"=-
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunServices]
    "Auto File System Conversion Utility"=-
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "Auto File System Conversion Utility"=-

    Please post the new ComboFix log.


    Please copy and paste this into the run box.

    Click Start > Run.

    Code:
    regedit /e "%userprofile%\desktop\HKLMCP.txt" "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"

    It should leave a txt file on your desktop called HKLMCP.txt. Please post the contents of that here.

    Thanks
    Geri
     
  15. 2008/02/19
    Bodawg
    Geri, combo.fix scan 17:50hrs 2/19/08

    ComboFix 08-02-20.2 - HomeUser 02/19/2008 17:44:46.3 - NTFSx86
    Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.95 [GMT -6:00]
    Running from: C:\Documents and Settings\HomeUser\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\HomeUser\Desktop\CFScript.txt

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINNT\system32\ecfaecefbf4_d.dll

    .
    ((((((((((((((((((((((((( Files Created from 2008-01-20 to 2008-02-20 )))))))))))))))))))))))))))))))
    .

    2008-02-16 22:20 . 02/16/08 10:41p 206 --a------ C:\WINNT\system32\bbfcfeecabd_d.ocx
    2008-02-16 18:43 . 02/18/08 08:09p 742,410 ---h----- C:\WINNT\ShellIconCache
    2008-02-16 14:40 . 02/16/08 02:40p <DIR> d-------- C:\Program Files\Common Files\supportsoft
    2008-02-16 14:40 . 02/16/08 02:40p <DIR> d-------- C:\Program Files\ATT
    2008-02-14 17:40 . 02/14/08 05:40p <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2008-02-14 17:39 . 02/14/08 05:39p <DIR> d-------- C:\WINNT\system32\Kaspersky Lab
    2008-02-14 17:21 . 02/14/08 05:21p 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_568.dat
    2008-02-09 23:09 . 02/09/08 11:09p <DIR> d-------- C:\Program Files\ESET
    2008-02-09 23:09 . 02/09/08 11:09p <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
    2008-02-09 16:42 . 02/09/08 04:42p <DIR> d-------- C:\Program Files\HP DeskJet 810C Series
    2008-02-09 16:42 . 02/09/08 04:42p 243 --a------ C:\WINNT\HPFTBX11.INI
    2008-02-08 21:14 . 02/08/08 09:14p 170 --a------ C:\WINNT\system32\SDRemoveDB.db
    2008-02-08 21:13 . 06/14/05 12:09p 1,060,864 --a------ C:\WINNT\system32\MFC71.dll
    2008-02-08 21:13 . 02/08/08 09:13p 63 --a------ C:\WINNT\system\SysSD.dll
    2008-02-06 23:00 . 02/06/08 11:00p <DIR> d-------- C:\Documents and Settings\All Users\Application Data\pdf995
    2008-02-04 22:46 . 09/05/07 11:22p 289,144 --a------ C:\WINNT\system32\VCCLSID.exe
    2008-02-04 22:46 . 04/27/06 04:49p 288,417 --a------ C:\WINNT\system32\SrchSTS.exe
    2008-02-04 22:46 . 02/05/08 12:23a 85,504 --a------ C:\WINNT\system32\VACFix.exe
    2008-02-04 22:46 . 01/27/08 02:37p 81,920 --a------ C:\WINNT\system32\IEDFix.exe
    2008-02-04 22:46 . 07/31/04 05:50p 51,200 --a------ C:\WINNT\system32\dumphive.exe
    2008-02-04 22:46 . 10/03/07 11:36p 25,600 --a------ C:\WINNT\system32\WS2Fix.exe
    2008-02-03 17:03 . 02/03/08 05:03p <DIR> d-------- C:\Documents and Settings\HomeUser\Application Data\TrojanHunter
    2008-02-03 16:39 . 02/03/08 04:39p <DIR> d-a------ C:\Program Files\TrojanHunter 5.0
    2008-02-03 13:43 . 02/03/08 01:43p <DIR> d-a------ C:\Program Files\Trend Micro
    2008-02-03 00:11 . 02/03/08 12:11a 1,632 --a------ C:\WINNT\system32\d3d8caps.dat
    2008-02-02 23:46 . 02/02/08 11:46p <DIR> d-------- C:\windows
    2008-02-02 23:37 . 02/06/08 10:57p <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Winferno
    2008-02-02 21:34 . 02/17/08 09:46p <DIR> d-a------ C:\Program Files\Mozilla Thunderbird
    2008-02-02 08:59 . 02/02/08 09:00a <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WinZip
    2008-01-29 12:53 . 01/29/08 12:53p <DIR> d-------- C:\Documents and Settings\HomeUser\Application Data\TaxCut
    2008-01-29 12:53 . 02/06/08 09:12p 249,856 --a------ C:\WINNT\system32\pdfmona.dll
    2008-01-29 12:53 . 02/06/08 09:12p 51,716 --a------ C:\WINNT\system32\pdf995mon.dll
    2008-01-29 12:53 . 08/24/07 11:13a 142 --a------ C:\WINNT\wpd99.drv
    2008-01-26 20:48 . 01/26/08 08:48p <DIR> d-a------ C:\Program Files\Common Files\Adaptec Shared
    2008-01-26 17:01 . 01/26/08 05:01p <DIR> d--hs---- C:\WINNT\ftpcache
    2008-01-23 19:14 . 01/23/08 07:29p <DIR> d-------- C:\Documents and Settings\HomeUser\Application Data\MailWasherPro

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-02-04 02:43 --------- d---a-w C:\Program Files\Microsoft CAPICOM 2.1.0.2
    2008-01-31 00:41 --------- d-----w C:\Documents and Settings\HomeUser\Application Data\LimeWire
    2008-01-27 02:48 57,344 ----a-w C:\WINNT\uneng.exe
    2008-01-27 02:48 49,152 ----a-w C:\WINNT\system32\cdrtc.dll
    2008-01-27 02:48 45,056 ----a-w C:\WINNT\system32\cdral.dll
    2008-01-26 17:06 --------- d---a-w C:\Program Files\Shockwave.com
    2008-01-24 01:30 --------- d---a-w C:\Program Files\Yahoo!
    2008-01-19 20:34 --------- d---a-w C:\Program Files\Common Files\eSellerate
    2008-01-13 05:28 774,144 ----a-w C:\Program Files\RngInterstitial.dll
    2008-01-09 01:20 --------- d-----w C:\Documents and Settings\HomeUser\Application Data\GameHouse
    2008-01-09 01:14 --------- d---a-w C:\Program Files\Google
    2008-01-09 00:13 --------- d-----w C:\Documents and Settings\HomeUser\Application Data\Zylom
    2008-01-09 00:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Zylom
    2008-01-03 23:28 --------- d-----w C:\Documents and Settings\HomeUser\Application Data\SpinTop
    2007-12-21 14:21 33,800 ----a-w C:\WINNT\system32\drivers\epfwtdir.sys
    2007-12-21 14:20 30,216 ----a-w C:\WINNT\system32\drivers\easdrv.sys
    2007-12-21 14:19 39,944 ----a-w C:\WINNT\system32\drivers\eamon.sys
    2007-12-20 14:10 499,712 ----a-w C:\WINNT\system32\msvcp71.dll
    2007-12-20 14:10 348,160 ----a-w C:\WINNT\system32\msvcr71.dll
    2007-08-01 00:21 1,126 ----a-w C:\Program Files\INSTALL.LOG
    2007-07-31 22:20 271 ---ha-w C:\Program Files\desktop.ini
    2007-07-31 22:20 21,952 -c-ha-w C:\Program Files\folder.htt
    2007-05-14 22:03 445,696 -c----w C:\WINNT\inf\rt73.sys
    2002-06-04 07:06 65,536 -c----w C:\WINNT\inf\copyinf.exe
    1999-12-07 12:00 32,528 -c--a-w C:\WINNT\inf\wbfirdma.sys
    .

    ------- Sigcheck -------

    "C:\WINNT\system32\svchost.exe "
    ----a-w 7,952 1999-12-07 12:00:00 C:\WINNT\system32\svchost.exe
    -c--a-w 7,952 1999-12-07 12:00:00 C:\WINNT\system32\dllcache\svchost.exe

    "C:\WINNT\system32\ws2_32.dll "
    -c----w 71,440 1999-12-07 12:00:00 C:\WINNT\$NtServicePackUninstall$\ws2_32.dll
    -c----w 69,904 2003-06-19 17:05:04 C:\WINNT\ServicePackFiles\i386\ws2_32.dll
    ----a-w 69,904 2003-06-19 17:05:04 C:\WINNT\system32\ws2_32.dll

    "C:\WINNT\system32\drivers\ndis.sys "
    -c----w 167,760 1999-12-07 12:00:00 C:\WINNT\$NtServicePackUninstall$\ndis.sys
    -c----w 170,928 2003-06-19 17:05:04 C:\WINNT\ServicePackFiles\i386\ndis.sys
    ----a-w 170,928 2003-06-19 17:05:04 C:\WINNT\system32\drivers\ndis.sys

    "C:\WINNT\explorer.exe "
    ----a-w 243,472 2003-06-19 17:05:04 C:\WINNT\explorer.exe
    -c----w 238,352 1999-12-07 12:00:00 C:\WINNT\$NtServicePackUninstall$\explorer.exe
    ------w 243,472 2003-06-19 17:05:04 C:\WINNT\ServicePackFiles\i386\explorer.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Synchronization Manager "= "mobsync.exe" [06/19/03 11:05a 111376 C:\WINNT\system32\mobsync.exe]
    "Adobe Reader Speed Launcher "= "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/08 10:16p 39792]
    "egui "= "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [12/21/07 08:21a 1443072]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "Picasa Media Detector "= "C:\Program Files\Picasa2\PicasaMediaDetector.exe" [09/27/07 07:17p 443968]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "^SetupICWDesktop "= "C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [06/19/03 11:05a 186640]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Auto File System Conversion Utility REG_SZ C:\WINNT\system32\scricon.exe

    R1 epfwtdir;epfwtdir;C:\WINNT\system32\DRIVERS\epfwtdir.sys [12/21/07 08:21a]
    R1 VIAPFD;VIAPFD;C:\WINNT\system32\Drivers\VIAPFD.SYS [05/04/01 09:24a]
    R2 HPFECP11;HPFECP11;C:\WINNT\system32\drivers\HPFECP11.SYS [05/03/99 03:19a]
    R2 SetupNT;SetupNT;C:\WINNT\system32\SetupNT.sys [10/25/00 02:27p]
    R3 trid3d;trid3d;C:\WINNT\system32\DRIVERS\trid3dm.sys [03/09/01 10:04a]
    S2 mshexdefx;ms hexidecimal defx; "C:\WINNT\system32\dllcache\ivchost.exe" []
    S3 3C460B;3Com 3C460B USB Ethernet Adapter Driver;C:\WINNT\system32\DRIVERS\3C460B.SYS [11/20/00 03:11p]
    S3 NtApm;NT Apm/Legacy Interface Driver;C:\WINNT\system32\DRIVERS\NtApm.sys [09/25/99 04:36a]
    S4 OneStep Search Service;OneStep Search Service; "C:\Program Files\OneStepSearch\onestep.exe" "C:\Program Files\OneStepSearch\onestep.dll" Service []

    .
    Contents of the 'Scheduled Tasks' folder
    "2008-02-03 05:32:46 C:\WINNT\Tasks\rpc.job "
    - C:\Program Files\Winferno\RegistryPowerCleaner\RegPowerClean.exe
    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-02-20 17:46:04
    Windows 5.0.2195 Service Pack 4 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 02/20/2008 17:46:36
    ComboFix-quarantined-files.txt 2008-02-20 23:46:28
    .
    2008-02-04 02:43:07 --- E O F ---
     
  16. 2008/02/19
    Bodawg

    Bodawg Inactive Thread Starter

    Geri, new HJT scan 17:55 hrs 2/19/08

    Geri,
    here is the new HJT scan

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 5:51:57 PM, on 2/20/2008
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\System32\SCardSvr.exe
    C:\WINNT\system32\tlntsvr.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
    C:\WINNT\system32\notepad.exe
    C:\WINNT\explorer.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe "
    O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
    O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://echat.bellsouth.net/sdccommon/download/tgctlcm.cab
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1186931097352
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
    O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: ms hexidecimal defx (mshexdefx) - Unknown owner - C:\WINNT\system32\dllcache\ivchost.exe (file missing)

    --
    End of file - 3591 bytes
    Thanks.... Bo
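As an added example (not part of this thread, and not HijackThis' own code), a small Python triage helper that parses O4 (autostart) and O23 (service) lines in the log format above and flags the kinds of entries a helper looks at first, such as a service whose binary is reported missing or is owned by an unknown vendor; the sample lines are constructed to mirror the log.

```python
import re
from typing import Dict, List

# Constructed sample lines, modelled on the HijackThis log format quoted in this thread.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\\..\\Run: [egui] "C:\\Program Files\\ESET\\ESET NOD32 Antivirus\\egui.exe" /hide /waitservice
O23 - Service: Eset Service (ekrn) - ESET - C:\\Program Files\\ESET\\ESET NOD32 Antivirus\\ekrn.exe
O23 - Service: ms hexidecimal defx (mshexdefx) - Unknown owner - C:\\WINNT\\system32\\dllcache\\ivchost.exe (file missing)
"""

# O4: autostart entries; O23: services. Patterns follow the line shapes seen above.
O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.+?)(?: \(User '[^']*'\))?$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) \((?P<short>[^)]+)\) - (?P<owner>.+?) - "
                    r"(?P<path>.+?)(?P<missing> \(file missing\))?$")


def triage(log_text: str) -> Dict[str, List[str]]:
    """Return {entry name: [reasons]} for lines a reviewer should look at first.

    Heuristics (triage hints, not verdicts): a service whose binary is reported
    missing is an orphaned entry; 'Unknown owner' means HijackThis found no vendor
    info in the binary; dllcache is the Windows File Protection store, not a place
    services normally run from; a bare O4 command is resolved via the search path.
    """
    findings: Dict[str, List[str]] = {}
    for line in log_text.splitlines():
        line = line.strip()
        m = O23_RE.match(line)
        if m:
            reasons = []
            if m.group("missing"):
                reasons.append("file missing")
            if m.group("owner").lower() == "unknown owner":
                reasons.append("unknown owner")
            if "\\dllcache\\" in m.group("path").lower():
                reasons.append("binary in dllcache")
            if reasons:
                findings[m.group("short")] = reasons
            continue
        m = O4_RE.match(line)
        if m:
            cmd = m.group("cmd")
            # Quoted commands carry the full path; otherwise the first token is the program.
            exe = cmd.split('"')[1] if cmd.startswith('"') else cmd.split()[0]
            if not re.match(r"^[A-Za-z]:\\", exe):
                findings[m.group("name")] = ["unqualified path: " + exe]
    return findings
```

Run `triage(SAMPLE_LOG)` to see the mshexdefx service flagged on all three counts while the ESET service passes; a bare `mobsync.exe` autostart is noted as unqualified so it can be checked against its expected system32 location.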
     
  17. 2008/02/19
    Bodawg

    Bodawg Inactive Thread Starter

    HKLMCP file

    Hey Geri,
    listen, I got the above file on my desktop, but I cannot get it here in the reply for you to view. Each time I try Ctrl+C and Ctrl+V it freezes up and nothing is shown. Is there another way to get this on here or to you?

    Bo
     
  18. 2008/02/19
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Hi Bodawg

    Double click the file, it should open in notepad.

    At the top click on "Edit"
    Click "Select all" in the list that opens
    Click Edit again
    Click Copy.

    Then come back here and paste it.

    Geri
     
  19. 2008/02/20
    Bodawg

    Bodawg Inactive Thread Starter

    Hey Geri,
    I tried to copy and paste and it just freezes my machine.
    I did it manually, Ctrl+C and Ctrl+V, and neither one worked;
    the cursor stopped flashing and I had to use Ctrl+Alt+Delete to end the program that
    was not responding.
     
  20. 2008/02/20
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Hi Bodawg

    OK please do this.

    Click Start > Run
    Copy and paste each one into the run box one at a time and click OK.

    appwiz.cpl
    desk.cpl
    main.cpl


    Try to open Add/remove again, see if it works.

    Thanks
    Geri
     
  21. 2008/02/20
    Bodawg

    Bodawg Inactive Thread Starter

    Hi,
    OK Geri, I just did that and the Add/Remove still popped up with the grey window. This is ridiculous, ain't it.
    Are you thinking that there is spyware or a virus keeping me from opening
    the Add/Remove Programs window?

    bo
     
