
Attn noahdfear can't install service packs

Discussion in 'Malware and Virus Removal Archive' started by musicteacher, 2008/08/17.

  1. 2008/08/20
    noahdfear Inactive
    Great!

    Please right click My Computer and select properties.
    Select the Advanced tab.
    Click Settings in the Performance section.
    Select the Advanced tab.
    In the Virtual Memory section, click Change.
    Make sure System Managed size is selected then OK your way out.


    Some of this might appear to be repetitive, and may be, but it won't hurt. Some of it has not been done. Please highlight and copy the contents of the code box below.

    Code:
    
    rem Change to the Resource Kit tools folder that holds subinacl.exe
    cd /d "%ProgramFiles%\Windows Resource Kits\Tools"
    rem Rewrite the ACL on every key in each hive: Administrators and SYSTEM get Full Control (f)
    subinacl /subkeyreg HKEY_LOCAL_MACHINE /grant=administrators=f /grant=system=f
    subinacl /subkeyreg HKEY_CURRENT_USER /grant=administrators=f /grant=system=f
    subinacl /subkeyreg HKEY_CLASSES_ROOT /grant=administrators=f /grant=system=f
    rem Same for every folder on the system drive and every file under the Windows folder
    subinacl /subdirectories %SystemDrive% /grant=administrators=f /grant=system=f
    subinacl /subdirectories %windir%\*.* /grant=administrators=f /grant=system=f
    exit
    cls
    
    
    Click Start>Run and type cmd then hit Enter to open a command window.
    Right click on the command window and select Paste.
    Sit back and wait for it to complete, then reboot and try the installation again.
     
  2. 2008/08/20
    musicteacher Well-Known Member Thread Starter
    Same message appearing

    I did everything and tried to install SP 1a again. I get the same message as before. It runs and runs and acts like it might just work this time, but then it gets to avc.sys and the message pops up:

    Not enough quota is available to process this command. Then it just stops.
     

  4. 2008/08/20
    noahdfear Inactive
    Please open My Computer, right click Local Disk C: and select properties.
    Let me know the Used Space, Free Space and Capacity values.
     
  5. 2008/08/21
    musicteacher Well-Known Member Thread Starter
    Disc space

    The used space is 32.1 GB
    Free space is 37.3 GB

    Capacity is 69.4 GB

    Thanks!
     
  6. 2008/08/21
    Arie Administrator Staff
    As per http://msdn.microsoft.com/en-us/library/ms820778.aspx

     
  7. 2008/08/21
    musicteacher Well-Known Member Thread Starter
    increased to the maximum

    I don't have any other applications running. I found virtual memory and it was set at 736 MB. I gradually increased this up to 1536, the suggested maximum and just keep getting this same message.

    Every time I try to install SP 1a, it runs and there's a little block on the screen and I see it going through the different files. It says something like

    Extracting File
    and it shows it going through the different files.

    Under that it says

    to Directory: C:\9

    Then I get the message. Right before it all closes I can see that it shows the avp.sys as the file it's trying to extract.

    I'm sorry I'm being the problem child. I follow all instructions very carefully. Is this an unsolvable problem? Am I just going to have to totally reinstall/restore everything like I've heard about???

    I'll keep checking this evening. I stayed up really late 2 evenings working on this, but last night I just had to get to bed and get some sleep.

    Thanks,
    Betsy
     
  8. 2008/08/22
    noahdfear Inactive
    Hi Betsy,

    Haven't forgotten you, or given up, just looking for answers. ;)
    Please open My Computer and right click Local Disk C:, then select Properties.
    Select the Quota tab and let me know what you find there.
     
  9. 2008/08/23
    musicteacher Well-Known Member Thread Starter
    Thanks for getting back to me. I had started to think that I was a lost cause!

    There's a little traffic light symbol and it looks like it's red. It says:
    Status: Disc quotas are disabled

    That doesn't sound very good to my untrained computer mind.

    Also, I think that maybe I've picked up some bad junk again on the computer. It's acting weird, running a little slow. Yesterday afternoon when I started it up and opened Explorer, it kept opening up more and more windows of Explorer, like over 20 of them. I couldn't get anything to close and finally just shut it off. When I restarted it was OK.

    I ran Spybot and Malwarebytes and it found some things. One it deleted but the other, Wild Tangent, it says something about fixing it at restart, but it'll just be there again.

    Also, something called RootKit.Agent.H comes up. It says it's in
    C:\Windows\System32\drivers\mvxdavv.sys

    I can't seem to get rid of that either.

    I ran an online scan that Ken at Spybot had me run and it found a virus but quarantined it.

    I'm trying to be careful about where I go online. I'm only visiting a few select sites that I think are OK.

    Also, I've tried to install 1a a few different times and keep getting that same message when it gets to avp.sys

    I tried to run SP 3 yesterday and it acted like it installed everything but then the message comes up about having to have an earlier version first, or something like that. I think I've mentioned that before.

    Sorry for the rambling. Just thought it might help find a solution.

    musicteacher
    Betsy
     
  10. 2008/08/23
    noahdfear Inactive
    Disk quotas disabled is fine. I was concerned that it was enabled actually, limiting the amount of disk space available for use.

    I began wondering last night if maybe there was something else hanging around using the disk/memory that we haven't seen yet, such as a rootkit, and had decided to have you run a scan today. Imagine my surprise at you mentioning the detection. :rolleyes:

    Download GMER

    Right click and extract it to its own folder on the desktop.

    Open the program and click on the Rootkit tab.
    Make sure all the boxes on the right of the screen are checked, EXCEPT for 'Show All'.
    Click on Scan.
    When the scan has completed, click Copy and paste the results (if any) into this topic.


    Then, if you still have ComboFix, please delete it and download a fresh copy from here, saving it to your desktop.

    Important! ComboFix.exe must be on your desktop!


    Please disable realtime protection applications as they sometimes interfere with the tool. Check this link for your applicable programs.

    • Close all open programs and windows
    • Click Start>Run and type or paste the following command.

      "%userprofile%\desktop\combofix.exe" /skipfix

    • ComboFix will run ..... follow the prompts.
    • It may reboot your computer and resume running when you logon. Wait for it to complete. When finished, it will open a log for you. Post that log and a new HijackThis log in your next reply.
    Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.
     
  11. 2008/08/23
    musicteacher Well-Known Member Thread Starter
    I downloaded GMER to my desktop, and right-clicked to extract it.

    I now have another icon for GMER on the desktop, but when I click on that I get this message:

    CreateFile C:\WINDOWS\system32\driver\gmer.sys

    Not enough quota is available to process this command.

    Sounds like the other message I was getting. I haven't done the Combo fix yet. Shall I proceed?
     
  12. 2008/08/23
    noahdfear Inactive
    Yes, please see if you can run ComboFix.
     
  13. 2008/08/24
    musicteacher Well-Known Member Thread Starter
    Something for GMER finally opened up on my computer, so I ran it. It's been running since Saturday afternoon, about 20 hours. Doesn't seem normal to me.

    You had instructed me to click in all the boxes except Show All. The only ones that were lit up and available to check were: services, registry, file, and ADS. The top 8 were a light gray and I couldn't click in the boxes. Is this right?

    I'll go and follow your instructions for Combo Fix now. I've pasted the results from GMER below. Not sure if it's worth anything and possibly it didn't run correctly:




    GMER 1.0.14.14536 - http://www.gmer.net
    Rootkit scan 2008-08-24 14:26:18
    Windows 5.1.2600


    ---- Registry - GMER 1.0.14 ----

    Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update@NextDetectionTime 2008-08-23 22:36:03

    ---- EOF - GMER 1.0.14 ----
     
  14. 2008/08/24
    noahdfear Inactive
    Certainly not normal for gmer to run so long. Please highlight and copy the contents of the code box below.

    Code:
    @echo off
    rem Dump the Windows Update keys, recursively (/s), into a text file
    reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /s >peek.txt
    rem Show the dump in Notepad, then close the command window
    start notepad peek.txt
    exit
    cls
    
    
    Click Start>Run and type cmd then hit enter to open a command window.
    Right click in the command window and select Paste.
    The command window will close and a log will open in notepad upon completion.
    Please post the contents of that log.
     
  15. 2008/08/24
    musicteacher Well-Known Member Thread Starter
    Having awful problems right now. I've tried to post several times, especially with the log from Combofix, but the computer is horribly slow. Will try to do some stuff now and get to the bottom of this. It's been horrible all afternoon.
     
  16. 2008/08/24
    musicteacher Well-Known Member Thread Starter
    ! REG.EXE VERSION 3.0

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate
    PingID REG_BINARY F670BA9688A74944AF94A1BFA2E4467B
    SusClientIdValidation REG_BINARY 04012801350047004300300057005800530054002000200020002000200020002000200020002000200020000600402B38A7E1
    SusClientId REG_SZ 69727600-944d-4848-8a65-85fcdd15d44a

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update
    AUOptions REG_DWORD 0x3
    DetectionStartTime REG_SZ 2008.08.06 17:52:07
    ConfigVer REG_DWORD 0x1
    NextDetectionTime REG_SZ 2008-08-24 23:54:59

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\IUControl
    SelfUpdateStatus REG_DWORD 0x0

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\OemInfo
    Mask REG_DWORD 0x13
    OemInfoVersion REG_DWORD 0x2
    AcpiOem REG_SZ INTEL
    AcpiProduct REG_SZ Brkdle_G
    IniOem REG_SZ hp
    WbemOem REG_SZ HP Pavilion 05
    WbemProduct REG_SZ DA179A-ABA 743g
    OemSupportURL REG_SZ

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Reporting
    BatchFlushAge REG_DWORD 0x7ce2
    SamplingValue2 REG_DWORD 0x3bb

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Reporting\EventCache

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Reporting\EventCache\Sus

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Reporting\EventCache\WU

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Services

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Services\Pending
    ValidatedPreWsus3RegistrationRequests REG_DWORD 0x1
     
  17. 2008/08/24
    musicteacher Well-Known Member Thread Starter
    ComboFix 08-08-23.03 - Owner 2008-08-24 21:47:25.4 - NTFSx86
    Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\Owner\Cookies\owner@contextweb[1].txt
    C:\Documents and Settings\Owner\Cookies\owner@revsci[1].txt
    C:\Documents and Settings\Owner\Cookies\owner@wat.contextweb[2].txt

    .
    ((((((((((((((((((((((((( Files Created from 2008-07-25 to 2008-08-25 )))))))))))))))))))))))))))))))
    .

    2008-08-23 11:36 . 2008-08-24 21:34 250 --a------ C:\WINDOWS\gmer.ini
    2008-08-20 14:20 . 2008-08-20 14:20 66,156 --a------ C:\SeasonSchedulePA1881638831912.pdf
    2008-08-20 00:50 . 2008-08-20 00:50 <DIR> d-------- C:\Program Files\Windows Resource Kits
    2008-08-17 22:48 . 2008-08-17 22:48 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
    2008-08-17 16:06 . 2008-08-17 16:06 <DIR> d-------- C:\Program Files\PCPitstop
    2008-08-17 14:08 . 2008-08-24 15:05 <DIR> d-------- C:\WINDOWS\system32\CatRoot2
    2008-08-16 09:30 . 2008-08-23 08:43 <DIR> d-------- C:\Program Files\EsetOnlineScanner
    2008-08-15 21:29 . 2008-08-15 21:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
    2008-08-15 21:17 . 2001-08-17 22:36 112,640 --a--c--- C:\WINDOWS\system32\dllcache\xrxwiadr.dll
    2008-08-15 21:17 . 2001-08-17 22:37 99,865 --a--c--- C:\WINDOWS\system32\dllcache\xlog.exe
    2008-08-15 21:17 . 2001-08-17 22:37 27,648 --a--c--- C:\WINDOWS\system32\dllcache\xrxftplt.exe
    2008-08-15 21:17 . 2001-08-17 22:36 23,040 --a--c--- C:\WINDOWS\system32\dllcache\xrxwbtmp.dll
    2008-08-15 21:17 . 2001-08-17 22:36 17,408 --a--c--- C:\WINDOWS\system32\dllcache\xrxscnui.dll
    2008-08-15 21:17 . 2001-08-17 12:11 16,970 --a--c--- C:\WINDOWS\system32\dllcache\xem336n5.sys
    2008-08-15 21:17 . 2001-08-17 13:58 8,064 --a--c--- C:\WINDOWS\system32\dllcache\wmiacpi.sys
    2008-08-15 21:17 . 2001-08-17 22:36 7,680 --a--c--- C:\WINDOWS\system32\dllcache\wshirda.dll
    2008-08-15 21:17 . 2001-08-17 22:37 4,608 --a--c--- C:\WINDOWS\system32\dllcache\xrxflnch.exe
    2008-08-15 21:15 . 2001-08-18 08:00 843,832 --a--c--- C:\WINDOWS\system32\dllcache\tintlgnt.ime
    2008-08-15 21:14 . 2001-08-17 22:36 495,616 --a--c--- C:\WINDOWS\system32\dllcache\sblfx.dll
    2008-08-15 21:13 . 2001-08-17 13:28 899,146 --a--c--- C:\WINDOWS\system32\dllcache\r2mdkxga.sys
    2008-08-15 21:12 . 2001-08-18 08:00 229,439 --a--c--- C:\WINDOWS\system32\dllcache\multibox.dll
    2008-08-15 21:11 . 2001-08-18 08:00 1,875,968 --a--c--- C:\WINDOWS\system32\dllcache\msir3jp.lex
    2008-08-15 21:10 . 2001-08-18 08:00 1,158,818 --a--c--- C:\WINDOWS\system32\dllcache\korwbrkr.lex
    2008-08-15 21:09 . 2001-08-18 08:00 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
    2008-08-15 21:08 . 2001-08-17 14:56 1,733,120 --a--c--- C:\WINDOWS\system32\dllcache\g400d.dll
    2008-08-15 21:07 . 2001-08-17 12:14 952,007 --a--c--- C:\WINDOWS\system32\dllcache\diwan.sys
    2008-08-15 21:06 . 2001-08-18 08:00 1,677,824 --a--c--- C:\WINDOWS\system32\dllcache\chsbrkr.dll
    2008-08-15 21:05 . 2001-08-17 13:28 762,780 --a--c--- C:\WINDOWS\system32\dllcache\3cwmcru.sys
    2008-08-15 21:04 . 2001-08-17 14:56 66,048 --a--c--- C:\WINDOWS\system32\dllcache\s3legacy.dll
    2008-08-14 23:31 . 2008-08-14 23:31 50,688 --a------ C:\Program Files\ATF-Cleaner.exe
    2008-08-14 12:49 . 2008-08-14 12:49 <DIR> d-------- C:\Program Files\Trend Micro
    2008-08-14 12:10 . 2001-08-18 08:00 4,224 --a------ C:\WINDOWS\system32\drivers\beep.sys
    2008-08-14 12:10 . 2001-08-18 08:00 4,224 --a--c--- C:\WINDOWS\system32\dllcache\beep.sys
    2008-08-14 09:09 . 2008-08-14 09:09 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
    2008-08-14 09:07 . 2008-08-14 09:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-08-14 09:07 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    2008-08-14 09:07 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-08-14 09:05 . 2008-08-14 09:07 <DIR> d-------- C:\Program Files\Malwarebytes
    2008-08-08 22:41 . 2008-08-08 22:42 382,352 --a------ C:\Program Files\jre-6u7-windows-i586-p-iftw.exe
    2008-08-08 07:23 . 2008-08-08 07:23 42,496 --a------ C:\Fixing computer instructions.doc
    2008-08-08 07:12 . 2008-08-08 07:12 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Motive
    2008-08-06 20:52 . 2008-08-06 20:52 15,083,520 --a------ C:\Program Files\spybotsd160.exe
    2008-08-06 17:43 . 2008-08-18 20:21 1,527,193 --a------ C:\WINDOWS\setupapi.log.6.old
    2008-08-06 07:48 . 2008-08-14 21:37 7 --a------ C:\WINDOWS\system32\ngxt.bin
    2008-08-05 22:10 . 2008-08-18 20:29 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Spyware Terminator
    2008-08-05 20:30 . 2008-08-05 20:30 8,560 --a------ C:\WINDOWS\system32\core3.sys
    2008-08-04 21:23 . 2008-08-04 21:23 <DIR> d-------- C:\Program Files\New Folder
    2008-07-31 11:03 . 2008-07-31 11:03 <DIR> d-------- C:\Program Files\Disney
    2008-07-29 23:01 . 2008-07-29 23:01 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Yahoo!
    2008-07-27 17:36 . 2004-08-03 14:04 185,624 --a------ C:\WINDOWS\system32\iuengine.dll
    2008-07-27 17:36 . 2004-08-03 14:04 185,624 --a--c--- C:\WINDOWS\system32\dllcache\iuengine.dll
    2008-07-27 17:26 . 2008-07-27 17:26 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Microsoft Web Folders
    2008-07-25 23:31 . 2008-07-25 23:31 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Aim

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-08-18 04:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-08-16 13:11 --------- d-----w C:\Program Files\AIM95
    2008-08-16 01:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
    2008-08-08 02:36 --------- d---a-w C:\Program Files\WildTangent
    2008-08-07 23:26 --------- d-----w C:\Program Files\Spyware Terminator
    2008-08-07 23:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spyware Terminator
    2008-08-06 00:29 --------- d-----w C:\Program Files\Common Files\Symantec Shared
    2008-08-05 02:03 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-08-04 21:40 --------- d-----w C:\Program Files\PicturesToExe
    2008-07-31 13:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
    2008-07-29 23:51 --------- d-----w C:\Program Files\Common Files\ACD Systems
    2008-07-29 23:48 --------- d-----w C:\Program Files\ACD Systems
    2008-07-28 11:45 73,728 ----a-w C:\WINDOWS\system32\CavEmLSP.dll
    2008-07-28 11:45 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
    2008-07-28 11:45 434,252 ----a-w C:\WINDOWS\system32\MSVCRTD.DLL
    2008-07-28 11:45 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
    2008-07-28 11:45 216,576 ----a-w C:\WINDOWS\system32\monln.dll
    2008-07-28 11:45 102,400 ----a-w C:\WINDOWS\system32\drivers\cavasm.sys
    2008-07-28 11:45 1,060,864 ----a-w C:\WINDOWS\system32\MFC71.dll
    2008-07-27 21:25 --------- d-----w C:\Program Files\microsoft frontpage
    2008-07-23 00:55 --------- d-----w C:\Program Files\FinePixViewer
    2008-07-23 00:55 --------- d-----w C:\Documents and Settings\Betsy.YOUR-US67PI6LUV.000\Application Data\FUJIFILM
    2008-07-22 01:15 --------- d-----w C:\Documents and Settings\Betsy.YOUR-US67PI6LUV.000\Application Data\VERITAS
    2008-07-22 00:47 --------- d-----w C:\Documents and Settings\Betsy.YOUR-US67PI6LUV.000\Application Data\ACD Systems
    2008-07-21 20:40 --------- d-----w C:\Documents and Settings\Betsy.YOUR-US67PI6LUV.000\Application Data\Spyware Terminator
    2008-07-21 12:27 --------- d-----w C:\Documents and Settings\Betsy.YOUR-US67PI6LUV.000\Application Data\Microsoft Web Folders
    2008-07-21 12:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\BOC426
    2008-07-21 03:38 --------- d-----w C:\Program Files\SymNetDrv
    2008-07-20 02:07 --------- d-----w C:\Program Files\Crawler
    2008-07-20 02:01 --------- d-----w C:\Documents and Settings\Betsy.YOUR-US67PI6LUV\Application Data\Spyware Terminator
    2008-07-19 22:34 --------- d-----w C:\Program Files\FileSubmit
    2008-07-19 21:55 --------- d-----w C:\Program Files\Viewpoint
    2008-07-19 21:55 --------- d-----w C:\Program Files\Lycos
    2008-07-19 21:49 141,312 ----a-w C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
    2008-07-19 21:46 8,160,016 ----a-w C:\Program Files\SpywareTerminatorSetup.exe
    2008-07-18 01:55 2,369,474 ----a-w C:\Project1.exe
    2008-07-14 15:56 --------- d-----w C:\Program Files\WildGames
    2008-07-12 20:38 --------- d-----w C:\Documents and Settings\Betsy.YOUR-US67PI6LUV\Application Data\Viewpoint
    2008-07-11 01:25 --------- d-----w C:\Program Files\Coupons
    2008-07-11 01:23 1,277,680 ----a-w C:\Program Files\CouponPrinter.exe
    2008-07-10 01:57 --------- d-----w C:\Program Files\AIM6
    2008-07-10 01:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
    2008-07-10 01:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
    2008-07-10 01:47 --------- d-----w C:\Documents and Settings\Betsy.YOUR-US67PI6LUV\Application Data\acccore
    2008-07-08 11:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\NOS
    2008-07-08 11:21 --------- d-----w C:\Program Files\Common Files\Adobe AIR
    2008-07-08 11:13 --------- d-----w C:\Program Files\NOS
    2008-07-06 21:06 --------- d-----w C:\Documents and Settings\Betsy.YOUR-US67PI6LUV\Application Data\Corel
    2008-07-01 02:44 --------- d-----w C:\Documents and Settings\Owner\Application Data\ACD Systems
    2008-07-01 02:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\ACD Systems
    2008-06-30 14:05 --------- d-----w C:\Program Files\Comodo
    2008-06-30 11:30 --------- d-----w C:\Documents and Settings\Betsy.YOUR-US67PI6LUV\Application Data\Snapfish
    2008-06-30 01:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Comodo
    2008-06-30 00:30 --------- d-----w C:\Documents and Settings\Betsy.YOUR-US67PI6LUV\Application Data\Microsoft Web Folders
    2008-06-30 00:27 --------- d-----w C:\Program Files\OpenOffice
    2008-06-30 00:16 --------- d-----w C:\Program Files\Comodo Free
    2008-06-29 22:05 --------- d-----w C:\Documents and Settings\Betsy.YOUR-US67PI6LUV\Application Data\VERITAS
    2008-06-29 03:33 --------- d-----w C:\Documents and Settings\Betsy.YOUR-US67PI6LUV\Application Data\MSN6
    2008-06-28 12:41 --------- d-----w C:\Program Files\CCleaner
    2008-06-28 11:14 --------- d-----w C:\Program Files\Java
    2008-06-26 21:26 --------- d-----w C:\Documents and Settings\Craig\Application Data\WeatherBug
    2008-06-26 03:05 --------- d-----w C:\Documents and Settings\Betsy\Application Data\WeatherBug
    2008-05-26 10:58 1,470,464 ----a-w C:\Program Files\clipart.exe
    2008-04-26 11:06 2,751,368 ----a-w C:\Program Files\ccsetup206.exe
    2008-01-21 23:55 119,992 ----a-w C:\Documents and Settings\Betsy\Application Data\GDIPFONTCACHEV1.DAT
    2006-09-28 03:04 16,291,424 ----a-w C:\Program Files\Java.exe
    2005-01-15 11:13 9,893,152 ----a-w C:\Program Files\PatternViewerInst.exe
    2004-07-22 10:39 2,150,574 ----a-w C:\Program Files\Ad-aware.exe
    2004-05-23 19:26 2,403,357 ----a-w C:\Program Files\Reg Mechanic Install.exe
    2004-05-02 20:17 10,241,609 ----a-w C:\Program Files\Vendio-SMPro.exe
    2003-08-13 10:30 1,291,040 ----a-w C:\Program Files\WindowsXP-KB823980-x86-ENU.exe
    2003-07-28 11:16 36,864 ----a-w C:\WINDOWS\inf\i386\Vizmicro.dll
    2003-07-28 11:16 172,032 ----a-w C:\WINDOWS\inf\i386\viceo.dll
    2003-07-28 11:01 36,207 ----a-w C:\WINDOWS\inf\i386\9320FW.bin
    2003-07-28 11:01 274,432 ----a-w C:\WINDOWS\inf\i386\9320LLD.dll
    2003-07-28 11:01 155,648 ----a-w C:\WINDOWS\inf\i386\rtscan.dll
    2003-05-07 01:53 0 ----a-w C:\Program Files\Gevalia.jsp
    2003-02-09 22:36 78,516 ----a-w C:\Program Files\AuctionManagerPro.exe
    2002-11-30 21:16 1,803,464 ----a-w C:\Program Files\winzip81.exe
    2001-08-03 23:29 13,824 ----a-w C:\WINDOWS\inf\i386\Usbscan.sys
    .

    ((((((((((((((((((((((((((((( snapshot_2008-08-24_15.05.55.02 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-08-23 15:58:46 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
    + 2008-08-24 21:44:50 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
    - 2008-08-23 15:58:46 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    + 2008-08-24 21:44:50 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    - 2008-08-23 15:58:46 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    + 2008-08-24 21:44:50 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2001-08-02 17:14 1077277]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 19:04 52736]
    "CamMonitor"="c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe" [2002-06-18 02:11 69632]
    "KBD"="C:\HP\KBD\KBD.EXE" [2001-07-07 00:56 61440]
    "StorageGuard"="C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" [2002-05-09 11:01 155648]
    "dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2002-07-16 11:03 106549]
    "Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2001-12-19 02:39 212992]
    "IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2002-05-15 06:29 155648]
    "HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2002-05-15 06:20 114688]
    "PS2"="C:\WINDOWS\system32\ps2.exe" [2002-06-14 19:39 81920]
    "HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2003-06-25 11:24 49152]
    "HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-10-23 19:51 233472]
    "HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-09-01 07:42 176128]
    "DeviceDiscovery"="C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2003-05-21 18:37 229437]
    "cnfgCav"="C:\Program Files\Comodo\Comodo AntiVirus\CMain.exe" [2008-07-28 07:45 110592]
    "nwiz"="nwiz.exe" [2002-05-03 20:06 364544 C:\WINDOWS\system32\nwiz.exe]

    C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\
    AutoTBar.exe [2002-05-30 05:58:02 40960]

    C:\Documents and Settings\Administrator.YOUR-US67PI6LUV\Start Menu\Programs\Startup\
    AutoTBar.exe [2002-05-30 05:58:02 40960]

    C:\Documents and Settings\Betsy\Start Menu\Programs\Startup\
    Event Reminder.lnk - C:\Program Files\Mindscape\PrintMaster\PMREMIND.EXE [2007-06-04 21:33:41 325632]
    PowerReg Scheduler V3.exe [2008-02-23 19:23:15 225280]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2002-11-29 22:45:23 113664]
    Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2002-11-29 22:45:23 113664]
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]
    America Online 7.0 Tray Icon.lnk - C:\Program Files\America Online 7.0\aoltray.exe [2002-11-29 17:24:20 32839]
    Exif Launcher.lnk - C:\Program Files\FinePixViewer\QuickDCF.exe [2006-06-22 21:51:56 282624]
    Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2003-01-30 13:03:47 156160]
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-03-22 04:00:00 65588]
    WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2003-11-30 15:02:16 106560]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\monln]
    2008-07-28 07:45 216576 C:\WINDOWS\system32\monln.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "VIDC.ACDV"= ACDV.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\core3.sys]
    @="Driver"

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    R1 core3;HTCore Controller;C:\WINDOWS\System32\core3.sys [2008-08-05 20:30]
    S3 FileObjInfo;STFileDriver;C:\Documents and Settings\All Users\Application Data\Spyware Terminator\FileObjInfo.sys [2008-07-19 17:49]
    .
    Contents of the 'Scheduled Tasks' folder

    2002-07-27 C:\WINDOWS\Tasks\Symantec NetDetect.job
    - C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE []
    .
    .
    ------- Supplementary Scan -------
    .
    R0 -: HKCU-Main,Start Page = hxxp://www.google.com/
    R0 -: HKCU-Main,Default_Search_URL = hxxp://srch-us6.hpwis.com/
    R0 -: HKLM-Main,Start Page = hxxp://www.google.com
    R0 -: HKLM-Main,Search Bar = hxxp://srch-us6.hpwis.com/
    R1 -: HKCU-Internet Settings,ProxyOverride = localhost

    O16 -: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab
    C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

    O16 -: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://downloads.ewido.net/ewidoOnlineScan.cab
    C:\WINDOWS\Downloaded Program Files\ewidoOnlineScan.dll
    .
    .
    ------- File Associations (Beta) -------
    .
    txtfile=C:\WINDOWS\NOTEPAD.EXE %1
    .

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-08-24 21:55:13
    Windows 5.1.2600 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...


    **************************************************************************
    .
    Completion time: 2008-08-24 22:00:15
    ComboFix-quarantined-files.txt 2008-08-25 01:59:11
    ComboFix2.txt 2008-08-24 19:06:29
    ComboFix3.txt 2008-08-15 12:43:07

    Pre-Run: 38,599,794,688 bytes free
    Post-Run: 38,585,470,976 bytes free

    247
     
  18. 2008/08/24
    noahdfear Inactive
    Please upload the following files to my submission channel for analysis. You can just paste the path into the box then click Send File. Leave a link back to this topic.

    C:\WINDOWS\system32\core3.sys

    Thanks!

    If you can, post the contents of C:\Qoobox\ComboFix2.txt
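As an added example (not ComboFix's, GMER's or the forum's own code), here is a small Python triage of the driver loading-point lines in the ComboFix log above. It scores each driver on the three signals visible there for core3.sys: boot/system start type, an image outside system32\drivers, and a SafeBoot\Minimal key that keeps it loading in Safe Mode. The regexes assume ComboFix's `R<n>/S<n> name;display;path [date]` layout exactly as it appears in that log, and the scoring is this example's own heuristic.

```python
r"""Triage the driver loading-point lines in a ComboFix log.

Added example, not ComboFix's or the forum's own code. It parses two kinds
of line from the 'Reg Loading Points' section of the log posted above:

  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\core3.sys]
  R1 core3;HTCore Controller;C:\WINDOWS\System32\core3.sys [2008-08-05 20:30]

and scores each driver on three defender-side signals. The scoring is this
example's own heuristic, not a ComboFix feature.
"""
import ntpath
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed excerpt: the two driver lines and the SafeBoot key copied
# from the ComboFix log in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\core3.sys]
@="Driver"

R1 core3;HTCore Controller;C:\WINDOWS\System32\core3.sys [2008-08-05 20:30]
S3 FileObjInfo;STFileDriver;C:\Documents and Settings\All Users\Application Data\Spyware Terminator\FileObjInfo.sys [2008-07-19 17:49]
"""

# ComboFix prints a service or driver as:  <R|S><start> name;display;image path [date]
# R = running, S = stopped; the digit is the Windows service start type
# (0 boot, 1 system, 2 automatic, 3 manual, 4 disabled).
DRIVER_LINE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4]) (?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?)(?: \[(?P<date>[^\]]+)\])?$"
)
# A SafeBoot\Minimal (or \Network) key named after a service or its image
# file tells Windows to load it even in Safe Mode.
SAFEBOOT_KEY = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\"
    r"(?:Minimal|Network)\\(?P<entry>[^\]]+)\]$",
    re.IGNORECASE,
)


@dataclass
class Driver:
    name: str
    display: str
    path: str
    start_type: int
    running: bool
    date: Optional[str]
    reasons: list = field(default_factory=list)

    @property
    def score(self) -> int:
        return len(self.reasons)


def parse_log(text: str):
    """Return ({lowercase service name: Driver}, {lowercase SafeBoot entries})."""
    drivers, safeboot = {}, set()
    for raw in text.splitlines():
        line = raw.strip()
        key = SAFEBOOT_KEY.match(line)
        if key:
            safeboot.add(key.group("entry").lower())
            continue
        m = DRIVER_LINE.match(line)
        if m:
            d = Driver(
                name=m.group("name"),
                display=m.group("display"),
                path=m.group("path"),
                start_type=int(m.group("start")),
                running=m.group("state") == "R",
                date=m.group("date"),
            )
            drivers[d.name.lower()] = d
    return drivers, safeboot


def triage(text: str):
    """Score every driver in the log and return them worst-first."""
    drivers, safeboot = parse_log(text)
    for d in drivers.values():
        # Boot/system-start drivers (type 0/1) load before any user-mode
        # security tool, which is where a rootkit wants to sit.
        if d.start_type <= 1:
            d.reasons.append("boot/system start")
        # Windows' own drivers live under system32\drivers. On its own this
        # is a weak signal: third-party products (FileObjInfo here)
        # legitimately ship theirs elsewhere, so it only adds to the score.
        if "\\system32\\drivers\\" not in d.path.lower():
            d.reasons.append("image outside system32\\drivers")
        # A SafeBoot entry defeats the usual 'boot to Safe Mode and clean'
        # approach; the key may carry the service name or the image name.
        image = ntpath.basename(d.path).lower()
        if d.name.lower() in safeboot or image in safeboot:
            d.reasons.append("SafeBoot\\Minimal entry")
    return sorted(drivers.values(), key=lambda d: d.score, reverse=True)


def report(text: str) -> list:
    """One human-readable line per driver, worst first."""
    return [
        f"{d.score} {d.name:<14} {d.path}  <- {', '.join(d.reasons) or 'nothing notable'}"
        for d in triage(text)
    ]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```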
     
  19. 2008/08/25
    musicteacher Well-Known Member Thread Starter
    Posted the file

    I followed your instructions exactly and posted the file in the other place.

    I've been trying to paste the log you requested, but it keeps telling me that it's too long.
     
  20. 2008/08/25
    noahdfear Inactive
    You will need to put half the log in 1 post, the rest in another.

    Thanks for the upload! That file is infected. Let's nuke it.
    Once again, please disable any realtime protection applications. Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as:

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Code:
    KillAll::
    File::
    C:\Project1.exe
    Rootkit::
    C:\WINDOWS\system32\core3.sys
    Driver::
    core3
    
    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. ComboFix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

    **NOTE - Allow ComboFix to update if prompted.
     
  21. 2008/08/26
    musicteacher Well-Known Member Thread Starter
    I've attempted to do the Combo fix twice, and I've followed your directions exactly. After I drag the script thing to Combofix, it starts, but then the computer shuts off and on and I get that message about the computer recovering from a serious error. No log comes up.

    As you can see by my name, I'm a teacher, and school has started again. I did it once this morning, but had to leave for school. I just tried it again when I got home from school, and the same thing happened.
     
