
Please check for infections / DECKARDS results attached

Discussion in 'Malware and Virus Removal Archive' started by DeniseB, 2008/04/24.

  1. 2008/05/06
    DeniseB

    DeniseB Inactive Thread Starter

    Joined:
    2007/09/18
    Messages:
    70
    Likes Received:
    0
    Dave, please see reply above before post below

    ComboFix 08-05-01.3 - Gregg * 2008-05-06 23:14:17.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.564 [GMT -4:00]
    Running from: C:\Documents and Settings\Gregg *\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Gregg *\Desktop\CFScript.txt
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .
    ADS - explorer.exe: deleted 1465960 bytes in 8 streams.

    ((((((((((((((((((((((((( Files Created from 2008-04-07 to 2008-05-07 )))))))))))))))))))))))))))))))
    .

    2008-05-05 10:25 . 2008-05-05 10:25 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
    2008-05-05 10:25 . 2008-05-05 10:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2008-05-05 10:19 . 2008-05-05 10:19 <DIR> d-------- C:\Program Files\Trend Micro
    2008-04-29 13:36 . 2008-04-29 13:36 <DIR> d-------- C:\Program Files\YouTube Downloader
    2008-04-29 06:54 . 2008-04-29 06:57 <DIR> d-------- C:\Documents and Settings\Gregg *\Application Data\Media Player Classic
    2008-04-29 06:51 . 2006-09-24 16:11 389,120 --a------ C:\WINDOWS\system32\lameACM.acm
    2008-04-29 06:51 . 2007-09-04 17:56 164,352 --a------ C:\WINDOWS\system32\unrar.dll
    2008-04-29 06:51 . 2007-09-21 01:52 118,784 --a------ C:\WINDOWS\system32\ac3acm.acm
    2008-04-29 06:51 . 2007-10-03 16:03 414 --a------ C:\WINDOWS\system32\lame_acm.xml
    2008-04-29 06:50 . 2007-11-29 23:30 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll
    2008-04-29 06:50 . 2008-01-10 13:15 755,027 --a------ C:\WINDOWS\system32\xvidcore.dll
    2008-04-29 06:50 . 2007-12-04 02:33 682,496 --a------ C:\WINDOWS\system32\divx.dll
    2008-04-29 06:50 . 2004-01-25 17:18 217,088 --a------ C:\WINDOWS\system32\yv12vfw.dll
    2008-04-29 06:50 . 2008-01-10 13:16 159,839 --a------ C:\WINDOWS\system32\xvidvfw.dll
    2008-04-29 06:50 . 2007-11-29 23:28 81,920 --a------ C:\WINDOWS\system32\dpl100.dll
    2008-04-29 06:50 . 2007-12-24 13:49 7,680 --a------ C:\WINDOWS\system32\ff_vfw.dll
    2008-04-29 06:50 . 2007-07-10 17:10 547 --a------ C:\WINDOWS\system32\ff_vfw.dll.manifest
    2008-04-28 12:41 . 2008-04-28 19:42 54,156 --ah----- C:\WINDOWS\QTFont.qfn
    2008-04-28 12:41 . 2008-04-28 12:41 1,409 --a------ C:\WINDOWS\QTFont.for
    2008-04-28 10:55 . 2005-06-28 10:21 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
    2008-04-28 10:27 . 2007-07-30 19:19 43,352 --a------ C:\WINDOWS\system32\wups2.dll
    2008-04-28 10:27 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
    2008-04-28 10:27 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
    2008-04-28 10:27 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
    2008-04-28 10:27 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
    2008-04-24 13:29 . 2008-05-06 23:17 3,635,232 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
    2008-04-24 13:29 . 2008-05-06 23:15 43,652 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
    2008-04-24 13:05 . 2008-04-24 13:05 <DIR> d-------- C:\Program Files\ZoneAlarmSB
    2008-04-24 13:03 . 2008-04-24 13:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
    2008-04-24 13:03 . 2008-03-13 23:11 75,248 --a------ C:\WINDOWS\zllsputility.exe
    2008-04-24 13:03 . 2004-04-27 04:40 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
    2008-04-24 13:02 . 2008-03-13 23:11 1,086,952 --a------ C:\WINDOWS\system32\zpeng24.dll
    2008-04-24 12:31 . 2008-04-24 12:31 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
    2008-04-24 12:31 . 2008-04-24 13:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-04-24 11:40 . 2008-04-24 11:40 <DIR> d-------- C:\Deckard

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-05-07 03:12 1,032,192 ----a-w C:\WINDOWS\explorer.exe
    2008-05-02 02:50 51,834 ----a-w C:\Documents and Settings\Gregg *\Application Data\wklnhst.dat
    2008-04-30 22:06 --------- d-----w C:\Documents and Settings\Gregg *\Application Data\U3
    2008-03-28 20:51 --------- d-----w C:\Program Files\Nova Development
    2008-02-19 23:36 69,408 ----a-w C:\Documents and Settings\Gregg *\Application Data\GDIPFONTCACHEV1.DAT
    2006-10-04 17:47 774,144 ----a-w C:\Program Files\RngInterstitial.dll
    2006-10-04 17:43 482,512 ----a-w C:\Program Files\realarcade_cablevisi_stub.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
    2008-04-24 13:05 262144 --a------ C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA} "= "C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL" [2008-04-24 13:05 262144]

    [HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
    "{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA} "= C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [2008-04-24 13:05 262144]

    [HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00 15360]
    "swg "= "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-30 23:05 68856]
    "SoundMan "=" SOUNDMAN.EXE" [2007-12-03 18:05 3072 C:\WINDOWS\system32\ SOUNDMAN.EXE]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ATIPTA "= "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-11 13:00 339968]
    "hpWirelessAssistant "= "C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-04-01 18:11 794624]
    "SynTPLpr "= "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2005-02-02 08:12 102492]
    "SynTPEnh "= "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-02-02 08:11 692316]
    "eabconfg.cpl "= "C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 16:24 290816]
    "Cpqset "= "C:\Program Files\HPQ\Default Settings\cpqset.exe" [2005-02-17 17:01 233534]
    "LSBWatcher "= "c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 16:54 253952]
    "OpwareSE2 "= "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 11:00 49152]
    "iTunesHelper "= "C:\Program Files\iTunes\iTunesHelper.exe" [2006-06-14 16:24 278528]
    "QuickTime Task "= "C:\Program Files\QuickTime\qttask.exe" [2006-06-29 19:54 282624]
    "HP Software Update "= "C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-16 23:11 49152]
    "TkBellExe "= "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-03-02 19:15 185896]
    "ZoneAlarm Client "= "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-03-13 23:11 919016]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "VIDC.YV12 "= yv12vfw.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Portfolio]
    --a------ 2004-06-23 15:22 729088 C:\Program Files\Microsoft Works\WksSb.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
    --a------ 2001-08-16 01:41 28738 C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VerizonServicepoint.exe]
    --a------ 2006-02-01 18:33 1880064 C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Verizon_McciTrayApp]
    --a------ 2007-03-11 17:37 936960 C:\Program Files\Verizon\McciTrayApp.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WorksFUD]
    --a------ 2001-10-04 21:34 24576 C:\Program Files\Microsoft Works\wkfud.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify "=dword:00000001
    "UpdatesDisableNotify "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
    "DisableMonitoring "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall "= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "C:\\Program Files\\iTunes\\iTunes.exe "=

    R3 HSFHWATI;HSFHWATI;C:\WINDOWS\system32\DRIVERS\HSFHWATI.sys [2004-12-15 11:18]

    .
    **************************************************************************

    catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-05-06 23:17:07
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe????????9?2?1?1??????? ???B?????????????hLC? ??????

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\WINDOWS\system32\ati2evxx.exe
    C:\WINDOWS\system32\ati2evxx.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\system32\RioMSC.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\HPQ\Shared\hpqwmi.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    .
    **************************************************************************
    .
    Completion time: 2008-05-06 23:21:51 - machine was rebooted [Gregg *]
    ComboFix-quarantined-files.txt 2008-05-07 03:21:45

    Pre-Run: 58,530,254,848 bytes free
    Post-Run: 58,517,864,448 bytes free

     
  2. 2008/05/06
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Looks good. Please do 1 more ADS Spy scan with HijackThis to verify all have been fixed.

    When did that error occur? Upon reboot?
     


  4. 2008/05/06
    DeniseB

    DeniseB Inactive Thread Starter

    Joined:
    2007/09/18
    Messages:
    70
    Likes Received:
    0
    Upon reboot, it came up with the log at the same time.

    Doing as you suggested now.


    Denise
     
  5. 2008/05/06
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    If you haven't done anything with that error yet, just click ignore. If it returns, abort.

    Do another reboot and let me know if it happens again.
     
  6. 2008/05/06
    DeniseB

    DeniseB Inactive Thread Starter

    Joined:
    2007/09/18
    Messages:
    70
    Likes Received:
    0
    OK did another scan.. it found nothing..

    Is there some clean up I need to do with the combo fix???
     
  7. 2008/05/06
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Yes, we'll do that now. Click Start>Run and type ComboFix /u then hit Enter to uninstall ComboFix and remove the files it has quarantined. This action will also reset the System Restore points, removing the infected files there as well. The C:\Deckard's folder will also be removed. You can delete any logs that were created/saved too.

    Note - Combofix makes some changes when run to prevent autorun/autoplay of ALL CDs, floppies and USB devices, to assist with malware removal & increase security. If this is an issue or makes it difficult for you to use those devices, please ask how to reset it.


    How are things now?
     
  8. 2008/05/06
    DeniseB

    DeniseB Inactive Thread Starter

    Joined:
    2007/09/18
    Messages:
    70
    Likes Received:
    0
    autorun/play... reset

    Note - Combofix makes some changes when run to prevent autorun/autoplay of ALL CDs, floppies and USB devices, to assist with malware removal & increase security. If this is an issue or makes it difficult for you to use those devices, please ask how to reset it....

    ****Dave, just for fun can you tell me how to reset it now.... just in case???


    I rebooted after removing combo fix and everything looks great.. computer seems to be running at normal speed.. thanks again for all your help.
    Sincerely,
    Denise
     
  9. 2008/05/06
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    The autorun/autoplay feature, when enabled, causes one of two things to happen depending on previously made choices.

    1. When a cd-rom or dvd is inserted, or a usb device (camera, flash drive, external hard drive, etc) is attached, Windows will open a message window that provides a list of actions to take based on the content of the device or media.

    2. If on prior occasion of the message window, the user selected to always perform the same action with certain types of media/device, there will be no message window opened upon detection of media/device. Instead, it will automatically run the previously selected program or execute the same behavior.

    Example: with autorun/autoplay enabled you insert a music cd. Windows will detect the cd and its contents, then open a message window that might offer to play the cd with Media Player, Music Match Jukebox, or any of many applications you may or may not have installed.
    Insert a Movie DVD and Windows might prompt you to view it with Power DVD, Media Player, etc.

    Example: with autorun/autoplay enabled and on a previous prompt for action the box was checked to always apply the same action, Windows might automatically open Roxio CD Creator or Nero Burning ROM when a blank cd is inserted.

    Plug in a usb camera and Windows might open or prompt you to use the Scanner and Camera Transfer Wizard to transfer the pictures to your computer.

    Plug in a flash drive and Windows might open or prompt you to use Windows Explorer to browse the contents of the flash drive. It may also just execute an infection residing on the flash drive, thereby infecting your computer.

    Insert a game cd or software cd, and Windows might automatically begin the installation setup.

    Malware authors have begun to exploit the autorun/autoplay feature, so the author of ComboFix, in an effort to help protect your computer from becoming infected via that avenue, configured ComboFix to disable it. Many security apps disable it as well, and even Microsoft recommends disabling it. Disabling autorun/autoplay does not prevent you from accessing those media sources. They are still available by opening My Computer and accessing the source drive (cd, dvd, usb flash or external hard drive). Pictures on a camera can still be accessed/transferred through My Pictures and selecting Get Pictures from a Scanner or Camera. Media can also be accessed via the program you intend to use it with, such as music cds accessed via Media Player, blank cds via your burning program, image handling software provided with the camera, etc. I do recommend you leave the feature disabled and get into the habit of accessing those media devices manually; however, I will send you via PM the information required to re-enable the autoplay feature should you decide to do so.


    Glad to hear things are working normally again. You're most welcome. :)
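An added example, not code from the thread, from ComboFix or from the forum helper: the post above explains that AutoRun/AutoPlay decides what happens when media is inserted and that disabling it closes off an infection route. On Windows that behaviour is governed per drive type by the documented NoDriveTypeAutoRun policy value. This PowerShell script audits that value in both hives, decodes which drive types currently have AutoRun disabled, and can apply the usual hardening (0xFF for every drive type, plus the Autorun.inf IniFileMapping override that makes Windows ignore autorun.inf files). It assumes Windows PowerShell 3.0 or later and an elevated session for the hardening step; the specific registry changes ComboFix itself makes are not stated on this page and are not claimed here.

```powershell
# Added example, not from the thread or from ComboFix.
# Audits the NoDriveTypeAutoRun policy that controls AutoRun/AutoPlay per drive
# type and optionally disables AutoRun for every drive type machine-wide.
# Assumes Windows PowerShell 3.0+ and an elevated session for Set-AutoRunDisabled.

$script:PolicyKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)
$script:IniMappingKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'

# Bit meanings of NoDriveTypeAutoRun; a set bit disables AutoRun for that drive type.
$script:DriveTypeBits = [ordered]@{
    0x01 = 'Unknown drive type'
    0x04 = 'Removable (floppy, USB flash)'
    0x08 = 'Fixed (internal or external hard disk)'
    0x10 = 'Network'
    0x20 = 'CD-ROM / DVD'
    0x40 = 'RAM disk'
    0x80 = 'Reserved'
}

function ConvertFrom-AutoRunMask {
    # Decode a NoDriveTypeAutoRun DWORD into one row per drive type.
    param([Parameter(Mandatory)][int]$Mask)
    foreach ($entry in $script:DriveTypeBits.GetEnumerator()) {
        [pscustomobject]@{
            DriveType       = $entry.Value
            AutoRunDisabled = (($Mask -band $entry.Key) -ne 0)
        }
    }
}

function Get-AutoRunPolicy {
    # Report the policy value in each hive and whether the autorun.inf override is present.
    foreach ($key in $script:PolicyKeys) {
        $item = Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
        if ($null -eq $item) {
            Write-Output "$key : NoDriveTypeAutoRun not set (Windows default applies)"
            continue
        }
        $mask = [int]$item.NoDriveTypeAutoRun
        Write-Output ("{0} : NoDriveTypeAutoRun = 0x{1:X2}" -f $key, $mask)
        ConvertFrom-AutoRunMask -Mask $mask | Format-Table -AutoSize | Out-String | Write-Output
    }
    $mapping = Get-ItemProperty -Path $script:IniMappingKey -ErrorAction SilentlyContinue
    if ($mapping -and $mapping.'(default)' -eq '@SYS:DoesNotExist') {
        Write-Output 'Autorun.inf IniFileMapping override present: autorun.inf files are ignored'
    } else {
        Write-Output 'Autorun.inf IniFileMapping override absent'
    }
}

function Set-AutoRunDisabled {
    # Disable AutoRun on every drive type machine-wide and make Windows ignore
    # autorun.inf entirely. Supports -WhatIf so the change can be previewed first.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $machineKey = $script:PolicyKeys[0]
    if ($PSCmdlet.ShouldProcess($machineKey, 'Set NoDriveTypeAutoRun = 0xFF')) {
        if (-not (Test-Path $machineKey)) { New-Item -Path $machineKey -Force | Out-Null }
        Set-ItemProperty -Path $machineKey -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
    }
    if ($PSCmdlet.ShouldProcess($script:IniMappingKey, 'Map Autorun.inf to a nonexistent key')) {
        if (-not (Test-Path $script:IniMappingKey)) { New-Item -Path $script:IniMappingKey -Force | Out-Null }
        Set-ItemProperty -Path $script:IniMappingKey -Name '(default)' -Value '@SYS:DoesNotExist'
    }
}

# Usage: audit first, preview with -WhatIf, then apply.
Get-AutoRunPolicy
# Set-AutoRunDisabled -WhatIf
# Set-AutoRunDisabled
```

Run the audit after a cleanup tool has finished to confirm the removable and CD-ROM bits really are set; a machine where the HKCU value is set but HKLM is not will still honour the user-level policy, so the script reports both. Deleting the NoDriveTypeAutoRun value again restores Windows' built-in default, which is the reversal the helper above offers to explain by PM.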
     
  10. 2008/05/07
    DeniseB

    DeniseB Inactive Thread Starter

    Joined:
    2007/09/18
    Messages:
    70
    Likes Received:
    0
    Free AVG

    Dave, trying to download free virus software for my husband, using the free AVG link on your website.

    After trying to download I get a box that pops up and says that some of the installation files are corrupt, to try installing a fresh copy, and then a separate box that states the following:

    Extracting license_us.txt
    Extracting avgsetup.exe
    CRC failed in avgsetup.exe
    Unexpected end of archive


    Any idea what I should do, or should I just try avast?

    Thanks
    Denise
     
  11. 2008/05/07
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Hi Denise,

    Did you save the setup file to the hard drive before trying to run it?
     
  12. 2008/05/08
    DeniseB

    DeniseB Inactive Thread Starter

    Joined:
    2007/09/18
    Messages:
    70
    Likes Received:
    0
    Thanks.. it worked :)

    You're the best...

    Anything else I should do at this point???

    Denise
     
  13. 2008/05/08
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    I'd say you're good to go. :)
     
