
Inactive Won't complete the boot

Discussion in 'Malware and Virus Removal Archive' started by Bill Griffith, 2009/01/29.

  1. 2009/01/29
    Bill Griffith

    Bill Griffith Inactive Thread Starter

    Joined:
    2004/04/05
    Messages:
    18
    Likes Received:
    0
    [Inactive] Won't complete the boot

    Moral of the story is "No good deed goes unpunished".

    I have no HJT or DDS logs to post!
    Computer specs: Dell Latitude C510/C610 model PP01L, Windows XP Home.

    I was working on a friend's computer that hasn't had a lot of attention.
    I downloaded and installed new versions of AVG, Search & Destroy and Ad-Aware.

    Everything was going perfectly:
    1) Ran full scan with AVG with latest pattern file.
    2) Ran update on Search & Destroy and immunized but did not scan!
    **SAVED RESTORE POINT per new version installation**
    3) Ran "Smart-Scan" with Ad-Aware free edition.

    I thought I'd do Microsoft updates next, this computer was still
    using Internet Explorer 6.x.

    When I pulled up the IE the home page was Comcast.net and the page just
    didn't display correctly. Normally there is a button around the
    "Email" in the upper left hand corner, no button but a link just
    hanging there. No banner and no graphics that are normally displayed.

    I should have run HiJackThis or DDS, but that's hindsight, unfortunately.

    I ran Search & Destroy and it found 642 problems!
    I chose to fix these and it was able to correct 629 problems.

    Here's where I believe I made my mistake: I had 12 to 15 pop-up dialog boxes
    asking permission to make registry changes!
    I chose "Yes" to allow the change and I didn't save a copy of the changes.

    I thought because I was running Search & Destroy "it" needed to make
    these changes, not the case at all.
    At the end of the repair it needed to "Restart".

    Here's where my problems begin!

    Now this computer boots perfectly and comes up to the choose user screen
    (there are two users on this machine); everything looks perfect
    to this point in time. Once I choose a user I can see my wallpaper,
    but shortly after that I have several DOS command pop-up boxes that
    fill the upper right hand screen and then go away.
    If I hit Control-C enough I can get them to stop, but I
    have no Start button or any desktop icons.
    It's reduced to a nice paperweight at this point in time.

    Resources I have at my disposal:
    A second computer with Internet access & CD burning capability.
    Dell "Operating System Reinstallation CD", XP Home.
    Dell "Drivers, Utilities and Apps"

    Thanks for your help in advance.
     
  2. 2009/01/29
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Hi Bill,

    After logon, please press Ctrl+Alt+Del to see if the Task Manager will open. If it does, click File>New Task (Run) and type explorer then hit Enter. That should bring up the taskbar, Start button etc.

    Let me know how that goes and we'll proceed from there.
     

  4. 2009/01/30
    Bill Griffith

    Bill Griffith Inactive Thread Starter

    Wow it's up! I had a ton more command.com pop ups to go through
    but it's up and running, you are the man!

    Windows explorer works so I can load software via a USB drive.

    What do I do next?

    Thanks again, I can breathe!

    noahdfear did anyone ever tell you, you walk on water?
    I know where you live and I know how cold it is!
    I'm a state away, so to speak.
     
  5. 2009/01/30
    noahdfear

    noahdfear Inactive

    Hi Bill,

    Glad to hear that worked. Please run DDS and post the logs here.

    LOL - never been told I walk on water. What state are you in?
     
  6. 2009/01/30
    Bill Griffith

    Bill Griffith Inactive Thread Starter

    DDS (Ver_09-01-19.01) - NTFSx86
    Run by Deb at 16:53:16.60 on Fri 01/30/2009
    Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.156 [GMT -5:00]

    AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\wltray.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\WINDOWS\system32\pctspk.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\PROGRA~1\INCRED~1\bin\IMApp.exe
    C:\WINDOWS\System32\wltrysvc.exe
    C:\WINDOWS\System32\bcmwltry.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\PROGRA~1\AVG\AVG8\avgemc.exe
    C:\PROGRA~1\AVG\AVG8\avgnsx.exe
    C:\Program Files\AVG\AVG8\avgcsrvx.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Antispyware\dds.pif

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.comcast.net/
    mSearchAssistant = about:blank
    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    BHO: NoExplorer - No File
    BHO: {35aad64a-3c20-4a8e-8161-5f8a195f68e2} - c:\windows\system32\ljJBsSMf.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
    BHO: {4B18DD50-C996-44fc-AC52-0FECFF82ED58} - No File
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: {57A52E74-004C-464B-96CC-4DFE5366EA02} - No File
    BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
    BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
    BHO: {030cb670-add9-3258-27d4-0c8880d896f9}: {9f698d08-88c0-4d72-8523-9dda076bc030} - c:\windows\system32\juoqfnxr.dll
    BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
    TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    EB: {7E66936C-FEA0-4984-AD26-7B6661AC5B2E} - No File
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [IncrediMail] c:\program files\incredimail\bin\IncMail.exe /c
    uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
    mRun: [wltray.exe] c:\windows\system32\wltray.exe
    mRun: [SpamBlocker] c:\program files\spamblockerutility\bin\4.8.4.0\SbOEAddOn.exe
    mRun: [Spam Blocker for Outlook Express] c:\progra~1\spambl~1\bin\484~1.0\SBInst.exe
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [WeatherOnTray] c:\program files\spamblockerutility\bin\4.8.4.0\SbWeatherOnTray.exe
    mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
    mRun: [PCTVOICE] pctspk.exe
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
    mRun: [587483f6] rundll32.exe "c:\windows\system32\llluscox.dll",b
    mRun: [LXCFCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXCFtime.dll,_RunDLLEntry@16
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    Trusted Zone: turbotax.com
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1231649284033
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://dl8-cdn-01.sun.com/s/ESD5/JSCDL/jre/6u11-b90/jinstall-6u11-windows-i586-jc.cab?e=1231662065049&h=5f97919ec0591169bb462748bc14444c/&filename=jinstall-6u11-windows-i586-jc.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
    Notify: avgrsstarter - avgrsstx.dll
    Notify: qoMgeEwW - qoMgeEwW.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    LSA: Authentication Packages = msv1_0 c:\windows\system32\ljJBsSMf

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\deb\applic~1\mozilla\firefox\profiles\s06drre9.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.comcast.net
    FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
    FF - component: c:\program files\avg\avg8\toolbarff\components\vmAVGConnector.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npRACtrl.dll

    ============= SERVICES / DRIVERS ===============

    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-1-10 325128]
    R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-1-10 27656]
    R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-1-10 107272]
    R4 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-9-10 611664]
    R4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-1-10 903960]
    R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-1-10 298264]

    =============== Created Last 30 ================

    2009-01-30 12:12 <DIR> --d----- C:\Antispyware
    2009-01-11 10:01 60,982 a------- c:\windows\wininit.ini
    2009-01-11 03:13 410,984 a------- c:\windows\system32\deploytk.dll
    2009-01-11 03:13 73,728 a------- c:\windows\system32\javacpl.cpl
    2009-01-11 02:56 1,536 a------- c:\windows\system32\TrueSoft.dat
    2009-01-11 02:54 <DIR> --d----- c:\windows\system32\URTTEMP
    2009-01-11 02:33 459,264 -c------ c:\windows\system32\dllcache\msfeeds.dll
    2009-01-11 02:33 267,776 -c------ c:\windows\system32\dllcache\iertutil.dll
    2009-01-11 02:33 52,224 -c------ c:\windows\system32\dllcache\msfeedsbs.dll
    2009-01-11 02:33 63,488 -c------ c:\windows\system32\dllcache\icardie.dll
    2009-01-11 02:33 13,824 -c------ c:\windows\system32\dllcache\ieudinit.exe
    2009-01-11 02:33 383,488 -c------ c:\windows\system32\dllcache\ieapfltr.dll
    2009-01-11 02:33 2,455,488 -c------ c:\windows\system32\dllcache\ieapfltr.dat
    2009-01-11 02:33 991,232 -c------ c:\windows\system32\dllcache\ieframe.dll.mui
    2009-01-11 02:33 6,066,176 -c------ c:\windows\system32\dllcache\ieframe.dll
    2009-01-11 00:10 <DIR> --d----- c:\windows\system32\CatRoot_bak
    2009-01-11 00:09 272,128 -c------ c:\windows\system32\dllcache\bthport.sys
    2009-01-11 00:08 138,368 -c------ c:\windows\system32\dllcache\afd.sys
    2009-01-11 00:04 331,776 -c------ c:\windows\system32\dllcache\msadce.dll
    2009-01-10 23:50 23,576 a------- c:\windows\system32\wuapi.dll.mui
    2009-01-10 23:39 <DIR> --d-h--- C:\$AVG8.VAULT$
    2009-01-10 23:33 10,520 a------- c:\windows\system32\avgrsstx.dll
    2009-01-10 23:32 325,128 a------- c:\windows\system32\drivers\avgldx86.sys
    2009-01-10 23:32 <DIR> --d----- c:\windows\system32\drivers\Avg
    2009-01-10 23:32 <DIR> --d----- c:\docume~1\deb\applic~1\AVGTOOLBAR
    2009-01-10 23:32 107,272 a------- c:\windows\system32\drivers\avgtdix.sys
    2009-01-10 23:32 <DIR> --d----- c:\program files\AVG
    2009-01-10 23:32 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
    2009-01-10 22:51 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
    2009-01-10 21:54 <DIR> --d----- c:\program files\File Scanner Library (Spybot - Search & Destroy)
    2009-01-10 21:54 <DIR> --d----- c:\program files\TeaTimer (Spybot - Search & Destroy)
    2009-01-10 21:54 <DIR> --d----- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
    2009-01-10 21:54 <DIR> --d----- c:\program files\SDHelper (Spybot - Search & Destroy)

    ==================== Find3M ====================

    2008-12-11 06:57 333,184 a------- c:\windows\system32\drivers\srv.sys
    2006-11-18 12:17 20 ----h--- c:\docume~1\alluse~1\applic~1\PKP_DLec.DAT

    ============= FINISH: 16:54:33.44 ===============
     
  7. 2009/01/30
    Bill Griffith

    Bill Griffith Inactive Thread Starter

    noahdfear

    I'm a little embarrassed because I think what was wrong was I didn't allow
    the computer to completely boot after I ran the Search & Destroy scan; remember,
    it found 642 problems, and that's going to take a while to repair.

    On my second boot Search & Destroy came up and did a scan and only found
    one problem "Zango.AntiSpamBar" with 8 incidents.

    Now about all the DOS boxes popping open and closing.
    I found 20 or 30 registry changes that looked something like these:
    ====================================================
    Category | Change | Entry | Old data
    System Startup user entry | Value deleted | SpybotDeletingD5486 | cmd /c del C:\Documents and Settings\Deb
    System Startup user entry | Value deleted | SpybotDeletingB4299 | cmd /c del C:\Documents and Settings\Deb\Application Data\SpamBlockerUtility\V3.0\HostOL\static\1\060104_ema19_prv.gif
    System Startup user entry | Value deleted | SpybotDeletingD650 | cmd /c del C:\Documents and Settings\Deb\Application Data\SpamBlockerUtility\V3.0\HostOL\static\1\060104_ema19_prv.gif
    System Startup user entry | Value deleted | SpybotDeletingB4937 | cmd /c del C:\Documents and Settings\Deb\Application Data\SpamBlockerUtility\V3.0\HostOL\static\1\060104_ema20_prv.gif
    System Startup user entry | Value deleted | SpybotDeletingB6624 | cmd /c del C:\Documents and Settings\Deb\Application Data\SpamBlockerUtility\V3.0\HostOL\static\1\060104_ema20_prv.gif

    As you can see there are a lot of "cmd /c del....gif" and I'll bet that's what most of
    those pop-ups were.

    Now for the good news: I've booted the computer about 6 times and it actually boots
    pretty darn quick. No more pop-up DOS boxes! It connects to the internet on its own.

    The only problem I'm seeing is the graphics in the browser; both Firefox and IE just don't display the HTML correctly. Believe it or not, the JPEGs and GIFs seem to display perfectly.

    I live in Indianapolis and love to come visit Wright Patterson AFB museum.
     
  8. 2009/01/30
    noahdfear

    noahdfear Inactive

    There remains a bit of cleanup to do. Please visit the following webpage for instructions for downloading and running ComboFix:

    How to use ComboFix


    Download ComboFix by sUBs from here, saving the file to your desktop.


    Disable realtime protection applications as they sometimes interfere with the tool. Check this link for your applicable programs.

    • Close all open programs and windows
    • Double click ComboFix.exe and follow the prompts.
    • It may reboot your computer and resume running when you logon. Wait for it to complete. When finished, it will open a log for you. Post that log in your next reply.
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

    **NOTE - I recommend you allow the Recovery Console to be downloaded and installed if or when prompted.



    I grew up 100 miles north of you, just south of South Bend. Only 3 1/2 yrs in OH, and never have visited Wright Patterson - may add that to my todo list.
     
  9. 2009/01/30
    Bill Griffith

    Bill Griffith Inactive Thread Starter

    I don't believe I'm about to post this!

    I fixed my own problem with the browsers! How? I can't believe this!

    I wanted you to see what I thought was a problem so I was going
    to do a quick screen capture with Shift, Alt & Print Screen.

    When what should pop up but "High Contrast".
    If you hold down the Shift key and the Left Alt key with Print Screen
    you can enable or disable "High Contrast".

    This computer was in "High Contrast" mode and that really screws up
    the "normal" display of HTML!!!

    I love to say this but I think all my problems are solved!
    I would have never guessed some built-in utility could ***** up how normal HTML is displayed! Live and Learn.... Never too old to learn!

    Thank you noahdfear! I guess never overlook the really simple things!
    Keep up the great work!
     
  10. 2009/01/30
    noahdfear

    noahdfear Inactive

    I'm happy to hear you've resolved the contrast issue, however, there does remain some cleanup to do and I still recommend you proceed with ComboFix as previously instructed.
     
  11. 2009/01/30
    Bill Griffith

    Bill Griffith Inactive Thread Starter

    ComboFix 09-01-21.04 - Deb 2009-01-30 19:35:02.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.283 [GMT -5:00]
    Running from: c:\documents and settings\Deb\Desktop\ComboFix.exe
    AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .
    - REDUCED FUNCTIONALITY MODE -
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\program files\spamblockerutility
    c:\program files\spamblockerutility\bin\4.7.1.0\1_Trash.wav
    c:\program files\spamblockerutility\bin\4.7.1.0\2_Balloon.wav
    c:\program files\spamblockerutility\bin\4.7.1.0\3_Shot Gun.wav
    c:\program files\spamblockerutility\bin\4.7.1.0\ASAPCom.dll
    c:\program files\spamblockerutility\bin\4.7.1.0\dBenderC.dll
    c:\program files\spamblockerutility\bin\4.7.1.0\Redemption.dll
    c:\program files\spamblockerutility\bin\4.7.1.0\SBClientSinkPS.dll
    c:\program files\spamblockerutility\bin\4.7.1.0\SBInst.exe
    c:\program files\spamblockerutility\bin\4.7.1.0\SBOLExp.dll
    c:\program files\spamblockerutility\bin\4.7.1.0\SBOLExt.dll
    c:\program files\spamblockerutility\bin\4.7.1.0\SbSrv.exe
    c:\program files\spamblockerutility\bin\4.7.1.0\SBSrvPS.dll
    c:\program files\spamblockerutility\bin\4.7.1.0\SBTrayAppPS.dll
    c:\program files\spamblockerutility\bin\4.7.1.0\SBUIRes.dll
    c:\program files\spamblockerutility\bin\4.7.1.0\SBUISkin.dll
    c:\program files\spamblockerutility\bin\4.7.1.0\SpamBlocker.exe
    c:\program files\spamblockerutility\bin\4.8.0.0\1_Trash.wav
    c:\program files\spamblockerutility\bin\4.8.0.0\2_Balloon.wav
    c:\program files\spamblockerutility\bin\4.8.0.0\3_Shot Gun.wav
    c:\program files\spamblockerutility\bin\4.8.0.0\ASAPCom.dll
    c:\program files\spamblockerutility\bin\4.8.0.0\Contact.dll
    c:\program files\spamblockerutility\bin\4.8.0.0\dBenderC.dll
    c:\program files\spamblockerutility\bin\4.8.0.0\Redemption.dll
    c:\program files\spamblockerutility\bin\4.8.0.0\SBClientSinkPS.dll
    c:\program files\spamblockerutility\bin\4.8.0.0\SbCoreSrv.dll
    c:\program files\spamblockerutility\bin\4.8.0.0\SBInst.exe
    c:\program files\spamblockerutility\bin\4.8.0.0\SBOLExp.dll
    c:\program files\spamblockerutility\bin\4.8.0.0\SBOLExt.dll
    c:\program files\spamblockerutility\bin\4.8.0.0\SbSrv.exe
    c:\program files\spamblockerutility\bin\4.8.0.0\SBSrvPS.dll
    c:\program files\spamblockerutility\bin\4.8.0.0\SbToolbar.dll
    c:\program files\spamblockerutility\bin\4.8.0.0\SBTrayAppPS.dll
    c:\program files\spamblockerutility\bin\4.8.0.0\SBUIRes.dll
    c:\program files\spamblockerutility\bin\4.8.0.0\SBUISkin.dll
    c:\program files\spamblockerutility\bin\4.8.0.0\sbWallpaper.dll
    c:\program files\spamblockerutility\bin\4.8.0.0\SpamBlocker.exe
    c:\program files\spamblockerutility\bin\4.8.4.0\1_Trash.wav
    c:\program files\spamblockerutility\bin\4.8.4.0\2_Balloon.wav
    c:\program files\spamblockerutility\SBTV\sbtv_kyf.dat
    c:\program files\spamblockerutility\SBTV\sbtvau.dat
    c:\windows\cookies.ini
    c:\windows\system32\mcrh.tmp

    .
    ((((((((((((((((((((((((( Files Created from 2008-12-28 to 2009-01-31 )))))))))))))))))))))))))))))))
    .

    2009-01-30 18:18 . 2009-01-30 18:18 <DIR> d-------- c:\program files\Synaptics
    2009-01-30 18:18 . 2004-02-05 16:03 178,496 --a------ c:\windows\system32\drivers\SynTP.sys
    2009-01-30 18:18 . 2004-02-05 16:04 110,592 --a------ c:\windows\system32\SynCtrl.dll
    2009-01-30 18:18 . 2004-02-05 16:04 90,112 --a------ c:\windows\system32\SynTPAPI.dll
    2009-01-30 18:18 . 2004-02-05 16:09 77,824 --a------ c:\windows\system32\SynTPCoI.dll
    2009-01-30 18:18 . 2004-02-06 10:30 77,824 --a------ c:\windows\system32\SynCOM.dll
    2009-01-30 18:18 . 2004-02-05 16:07 65,536 --a------ c:\windows\system32\SynTPFcs.dll
    2009-01-30 18:17 . 2009-01-30 18:17 <DIR> d-------- C:\dell
    2009-01-30 18:05 . 2009-01-30 18:05 <DIR> d-------- c:\windows\system32\Dell
    2009-01-30 18:05 . 2009-01-30 18:05 <DIR> d-------- c:\program files\Dell
    2009-01-30 17:05 . 2000-03-23 13:50 446,464 -r------- c:\windows\system32\hhactivex.dll
    2009-01-30 17:05 . 1999-05-07 14:24 414,944 --------- c:\windows\system32\COMCT332.OCX
    2009-01-30 17:05 . 1998-11-10 11:46 328,480 --------- c:\windows\system32\ssa3d30.ocx
    2009-01-30 17:05 . 2001-08-23 11:53 176,128 --------- c:\windows\system32\RcdScan.dll
    2009-01-30 17:05 . 1998-09-24 13:03 171,967 --a------ c:\windows\system32\Odbcjet.hlp
    2009-01-30 17:05 . 1998-06-18 00:00 89,360 --a------ c:\windows\system32\VB5DB.DLL
    2009-01-30 17:05 . 2001-08-15 13:06 12,992 --------- c:\windows\system32\drivers\omci.sys
    2009-01-30 17:05 . 1998-09-24 13:03 7,348 --a------ c:\windows\system32\Odbcjet.cnt
    2009-01-30 12:12 . 2009-01-30 19:20 <DIR> d-------- C:\Antispyware
    2009-01-11 10:01 . 2009-01-11 10:06 60,982 --a------ c:\windows\wininit.ini
    2009-01-11 03:14 . 2009-01-11 03:14 <DIR> d-------- c:\windows\Sun
    2009-01-11 03:13 . 2009-01-11 03:12 410,984 --a------ c:\windows\system32\deploytk.dll
    2009-01-11 03:13 . 2009-01-11 03:12 73,728 --a------ c:\windows\system32\javacpl.cpl
    2009-01-11 03:12 . 2009-01-11 03:12 <DIR> d-------- c:\program files\Java
    2009-01-11 02:56 . 2009-01-11 02:56 1,536 --a------ c:\windows\system32\TrueSoft.dat
    2009-01-11 02:54 . 2009-01-11 02:54 <DIR> d-------- c:\windows\system32\URTTEMP
    2009-01-11 02:33 . 2008-10-16 15:38 6,066,176 -----c--- c:\windows\system32\dllcache\ieframe.dll
    2009-01-11 02:33 . 2007-04-17 04:32 2,455,488 -----c--- c:\windows\system32\dllcache\ieapfltr.dat
    2009-01-11 02:33 . 2007-03-08 00:10 991,232 -----c--- c:\windows\system32\dllcache\ieframe.dll.mui
    2009-01-11 02:33 . 2008-10-16 15:38 459,264 -----c--- c:\windows\system32\dllcache\msfeeds.dll
    2009-01-11 02:33 . 2008-10-16 15:38 383,488 -----c--- c:\windows\system32\dllcache\ieapfltr.dll
    2009-01-11 02:33 . 2008-10-16 15:38 267,776 -----c--- c:\windows\system32\dllcache\iertutil.dll
    2009-01-11 02:33 . 2008-10-16 15:38 63,488 -----c--- c:\windows\system32\dllcache\icardie.dll
    2009-01-11 02:33 . 2008-10-16 15:38 52,224 -----c--- c:\windows\system32\dllcache\msfeedsbs.dll
    2009-01-11 02:33 . 2008-10-16 08:11 13,824 -----c--- c:\windows\system32\dllcache\ieudinit.exe
    2009-01-11 00:10 . 2009-01-11 02:00 <DIR> d-------- c:\windows\system32\CatRoot_bak
    2009-01-11 00:09 . 2008-06-13 08:10 272,128 -----c--- c:\windows\system32\dllcache\bthport.sys
    2009-01-11 00:08 . 2008-08-14 04:51 138,368 -----c--- c:\windows\system32\dllcache\afd.sys
    2009-01-11 00:04 . 2008-05-01 09:30 331,776 -----c--- c:\windows\system32\dllcache\msadce.dll
    2009-01-10 23:50 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuapi.dll.mui
    2009-01-10 23:39 . 2009-01-11 08:16 <DIR> d--h----- C:\$AVG8.VAULT$
    2009-01-10 23:33 . 2009-01-30 15:58 10,520 --a------ c:\windows\system32\avgrsstx.dll
    2009-01-10 23:32 . 2009-01-30 14:37 <DIR> d-------- c:\windows\system32\drivers\Avg
    2009-01-10 23:32 . 2009-01-10 23:32 <DIR> d-------- c:\program files\AVG
    2009-01-10 23:32 . 2009-01-11 01:57 <DIR> d-------- c:\documents and settings\Deb\Application Data\AVGTOOLBAR
    2009-01-10 23:32 . 2009-01-30 15:58 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
    2009-01-10 23:32 . 2009-01-30 15:58 325,128 --a------ c:\windows\system32\drivers\avgldx86.sys
    2009-01-10 23:32 . 2009-01-30 15:58 107,272 --a------ c:\windows\system32\drivers\avgtdix.sys
    2009-01-10 22:52 . 2009-01-10 22:54 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
    2009-01-10 22:51 . 2009-01-10 22:51 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
    2009-01-10 21:54 . 2009-01-10 21:54 <DIR> d-------- c:\program files\TeaTimer (Spybot - Search & Destroy)
    2009-01-10 21:54 . 2009-01-10 21:54 <DIR> d-------- c:\program files\SDHelper (Spybot - Search & Destroy)
    2009-01-10 21:54 . 2009-01-10 21:54 <DIR> d-------- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
    2009-01-10 21:54 . 2009-01-10 21:54 <DIR> d-------- c:\program files\File Scanner Library (Spybot - Search & Destroy)

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-01-30 22:05 --------- d--h--w c:\program files\InstallShield Installation Information
    2009-01-30 22:05 --------- d-----w c:\program files\Common Files\InstallShield
    2009-01-30 22:02 --------- d-----w c:\program files\IncrediMail
    2009-01-11 14:59 --------- d-----w c:\documents and settings\Deb\Application Data\SpamBlockerUtility
    2009-01-11 03:52 --------- d-----w c:\program files\Lavasoft
    2009-01-11 03:22 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2009-01-11 03:21 --------- d-----w c:\program files\Spybot - Search & Destroy
    2009-01-11 03:19 --------- d-----w c:\program files\Yahoo!
    2009-01-11 00:19 --------- d-----w c:\program files\Lx_cats
    2008-12-11 11:57 333,184 ----a-w c:\windows\system32\drivers\srv.sys
    2008-10-23 13:01 283,648 ----a-w c:\windows\system32\gdi32.dll
    2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll
    2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
    2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
    2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
    2008-10-16 19:12 202,776 ----a-w c:\windows\system32\wuweb.dll
    2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
    2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
    2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
    2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
    2008-10-03 10:15 247,326 ----a-w c:\windows\system32\strmdll.dll
    2006-11-18 17:17 20 ---h--w c:\documents and settings\All Users\Application Data\PKP_DLec.DAT
    2007-08-09 18:08 8,784 ----a-w c:\program files\mozilla firefox\plugins\ractrlkeyhook.dll
    2007-08-09 18:10 245,408 ----a-w c:\program files\mozilla firefox\plugins\unicows.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "wltray.exe"="c:\windows\System32\wltray.exe" [2005-03-10 778348]
    "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-01-30 1601304]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-11 136600]
    "LXCFCATS"="c:\windows\system32\spool\DRIVERS\W32X86\3\LXCFtime.dll" [2005-07-20 73728]
    "SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-02-05 98304]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-02-05 495616]
    "PCTVOICE"="pctspk.exe" [2003-02-24 c:\windows\system32\pctspk.exe]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    2009-01-30 15:58 10520 c:\windows\system32\avgrsstx.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Authentication Packages REG_MULTI_SZ msv1_0 c:\windows\system32\ljJBsSMf

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
    "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-01-10 325128]
    R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-01-10 107272]
    R4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-01-10 903960]
    R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-10 298264]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{138305d0-876a-11dd-aff4-00065be46225}]
    \Shell\AutoRun\command - E:\LaunchU3.exe -a
    .
    - - - - ORPHANS REMOVED - - - -

    BHO-{35AAD64A-3C20-4A8E-8161-5F8A195F68E2} - c:\windows\system32\ljJBsSMf.dll
    BHO-{9f698d08-88c0-4d72-8523-9dda076bc030} - c:\windows\system32\juoqfnxr.dll
    HKLM-Run-SpamBlocker - c:\program files\SpamBlockerUtility\Bin\4.8.4.0\SbOEAddOn.exe
    HKLM-Run-587483f6 - c:\windows\system32\llluscox.dll
    Notify-qoMgeEwW - qoMgeEwW.dll


    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.comcast.net/
    Trusted Zone: turbotax.com
    FF - ProfilePath - c:\documents and settings\Deb\Application Data\Mozilla\Firefox\Profiles\s06drre9.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.comcast.net
    FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
    FF - component: c:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npRACtrl.dll
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-01-30 19:37:20
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    LXCFCATS = rundll32 c:\windows\system32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16???????????????????????????

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(712)
    c:\windows\System32\BCMLogon.dll
    .
    Completion time: 2009-01-30 19:41:05
    ComboFix-quarantined-files.txt 2009-01-31 00:40:46

    Pre-Run: 11,439,808,512 bytes free
    Post-Run: 11,759,599,616 bytes free

    216 --- E O F --- 2009-01-30 18:07:47
     
  12. 2009/01/30
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Highlight and copy the contents of the code box below.
    Code:
    reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v "Authentication Packages" /t REG_MULTI_SZ /d msv1_0 /f
    reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa > "%userprofile%\desktop\lsa.txt"
    start notepad "%userprofile%\desktop\lsa.txt"
    exit
    cls
    
    Click Start>Run and type cmd then hit enter to open a command window. Right click in the command window and select paste. The command window will close on its own and lsa.txt.txt will open. Post its contents here.
     
  13. 2009/01/31
    Rockster2U

    Rockster2U Geek Member

    Joined:
    2002/04/01
    Messages:
    3,181
    Likes Received:
    9
    ;) hehe
     
  14. 2009/01/31
    Bill Griffith

    ! REG.EXE VERSION 3.0

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    Authentication Packages REG_MULTI_SZ msv1_0\0\0
    Bounds REG_BINARY 0030000000200000
    Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
    LsaPid REG_DWORD 0x2f8
    SecureBoot REG_DWORD 0x1
    auditbaseobjects REG_DWORD 0x0
    crashonauditfail REG_DWORD 0x0
    disabledomaincreds REG_DWORD 0x0
    everyoneincludesanonymous REG_DWORD 0x0
    fipsalgorithmpolicy REG_DWORD 0x0
    forceguest REG_DWORD 0x1
    fullprivilegeauditing REG_BINARY 00
    limitblankpassworduse REG_DWORD 0x1
    lmcompatibilitylevel REG_DWORD 0x0
    nodefaultadminowner REG_DWORD 0x1
    nolmhash REG_DWORD 0x0
    restrictanonymous REG_DWORD 0x0
    restrictanonymoussam REG_DWORD 0x1
    Notification Packages REG_MULTI_SZ scecli\0\0
    ImpersonatePrivilegeUpgradeToolHasRun REG_DWORD 0x1
    enabledcom REG_SZ y

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Data

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\GBG

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\JD

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Skew1

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache
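
The check done by eye on this export, as an added example (not code from the thread, from ComboFix or from reg.exe): it parses the `reg query` text and flags any LSA package entry that is not in a baseline. The baseline is an assumption taken from the clean export above, and the function names are hypothetical.

```python
import re

# Baseline (assumption): the entries shown in the clean export posted in this thread.
BASELINE = {
    "authentication packages": {"msv1_0"},
    "security packages": {"kerberos", "msv1_0", "schannel", "wdigest"},
    "notification packages": {"scecli"},
}

# Copied from the thread: reg.exe 3.0 export after the fix (trimmed to a few values).
CLEAN = r"""! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    Authentication Packages REG_MULTI_SZ msv1_0\0\0
    Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
    forceguest REG_DWORD 0x1
    Notification Packages REG_MULTI_SZ scecli\0\0
"""

# Copied from the ComboFix log in the thread: the value before the fix.
INFECTED = r"""[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 c:\windows\system32\ljJBsSMf
"""

VALUE_LINE = re.compile(r"^\s*(.+?)\s+(REG_[A-Z_]+)\s+(.*)$")

def parse_multi_sz(text):
    """Map each REG_MULTI_SZ value name (lowercased) to its list of strings."""
    values = {}
    for line in text.splitlines():
        m = VALUE_LINE.match(line)
        if m and m.group(2) == "REG_MULTI_SZ":
            # reg.exe prints separators as a literal \0; ComboFix uses spaces.
            parts = re.split(r"\\0|\s+", m.group(3))
            values[m.group(1).lower()] = [p for p in parts if p]
    return values

def unexpected_packages(text):
    """Return (value name, entry) pairs that are not in BASELINE."""
    findings = []
    for name, entries in parse_multi_sz(text).items():
        if name in BASELINE:  # values without a baseline are not judged
            findings += [(name, e) for e in entries if e.lower() not in BASELINE[name]]
    return findings

if __name__ == "__main__":
    print(unexpected_packages(CLEAN), unexpected_packages(INFECTED))
```

An entry flagged here only means it differs from the baseline; a machine with legitimately added packages needs its own baseline.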
     
  15. 2009/01/31
    Bill Griffith

    Now about the 100 miles north of me???
    Argos? Rochester? Plymouth? Not Culver???

    Search and Destroy can't get rid of
    Zango.AntiSpamBar 6 entries Adware
    SBI $63827070
    SBI $657F72A8
    SBI $3A164920
    SBI $62E0217B
    SBI $4761BD65
    SBI $28776434

    Whatever that means, nothing after I typed it all in?
    I'm joking, Burr Oak?
     
  16. 2009/01/31
    noahdfear

    Argos is my hometown. Spent a few years living/working in Plymouth before moving to South Bend. All of the towns you mentioned are on a list of teenage stomping grounds.

    Is that all that shows up for the Spybot detections? It doesn't list paths?

    Reg export looks good. You can delete lsa.txt

    Let's get an online scan now. Do a scan with Kaspersky WebScanner

    • Click Accept, when prompted to download and install the program files and database of malware definitions.
    • Click Run at the Security prompt.
    • The program will then begin downloading and installing and will also update the database.
    • Please be patient as this can take several minutes.
    • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
    • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
    • Click View scan report at the bottom.
    • Click the Save Report As... button.
    • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
    **Note**

    To optimize scanning time and produce a more sensible report for review:
    • Close any open programs.
    • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
    Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.


    Post the Kaspersky log here.
     
  17. 2009/01/31
    Bill Griffith

    --------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER 7 REPORT
    Saturday, January 31, 2009
    Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
    Kaspersky Online Scanner 7 version: 7.0.25.0
    Program database last update: Saturday, January 31, 2009 15:48:35
    Records in database: 1732766
    --------------------------------------------------------------------------------

    Scan settings:
    Scan using the following database: extended
    Scan archives: yes
    Scan mail databases: yes

    Scan area - My Computer:
    C:\
    D:\

    Scan statistics:
    Files scanned: 38350
    Threat name: 3
    Infected objects: 3
    Suspicious objects: 0
    Duration of the scan: 01:14:36


    File name / Threat name / Threats count
    C:\Qoobox\Quarantine\C\Program Files\SpamBlockerUtility\bin\4.7.1.0\SbSrv.exe.vir Infected: not-a-virus:AdWare.Win32.HotBar.bm 1
    C:\Qoobox\Quarantine\C\Program Files\SpamBlockerUtility\bin\4.8.0.0\SbCoreSrv.dll.vir Infected: not-a-virus:AdWare.Win32.HotBar.bw 1
    C:\Qoobox\Quarantine\C\Program Files\SpamBlockerUtility\bin\4.8.0.0\SbToolbar.dll.vir Infected: not-a-virus:AdWare.Win32.HotBar.bq 1

    The selected area was scanned.
     
  18. 2009/01/31
    Bill Griffith

    Well noahdfear does this mean I'm clean?
    Search Destroy still shows Zango.AntiSpamBar but can't seem to clean it.
    And no it does not tell me where it is, I'll look for log file.

    Should I delete Qoobox\Quarantine\ below this?

    Now I'm pretty sure this is true but John Kennedy Jr came to Argos, Indiana to learn how to fly a powered para-sail and purchased it from a company right there in Argos!
    What do you know about this? So saying I want you to notice what city I had first!
    Argos!

    I've got a funny story about State Rd 10, I was told a bunch of UFOs were seen
    by a little church along the road to Argos. When I got there, there must have been 30/40 cars
    just hanging out waiting for UFOs to show up. Some neighbor got all nasty and called
    the cops on us! I never did see a UFO there. I heard that rumor at Max's Cafe in Culver.

    Just another good example of just how small this world is!
     
  19. 2009/01/31
    noahdfear

    Click Start>Run and type ComboFix /u then hit Enter to uninstall ComboFix and remove the files it has quarantined. This action will also reset the System Restore points, removing any infected files there as well.
    Verify the C:\Qoobox and C:\ComboFix folders were removed, as well as the C:\ComboFix.txt file.

    Delete dds.scr from the desktop.
    You can delete any other logs that were created/saved too.
    Empty the recycle bin when done.


    The logs for Spybot can be accessed via the Advanced mode interface under Tools>View Report.


    Yes, JFK Jr did go to Argos for exactly that. The company that builds those is owned by a longtime friend. I don't recall the UFO story, but I sure don't doubt it either. I can think of 2 churches between Argos and Culver on SR 10 ... a brick building a couple miles outside of Argos and a big white one on a hill, cemetery along 3 sides, about midway between Argos and Culver. I grew up on SR 10 the opposite side of town.
     
  20. 2009/01/31
    Bill Griffith

    --- Report generated: 2009-01-31 10:54 --- Search & Destroy

    Hint of the Day: Click the bar at the right of this to see more information! ()

    Zango.AntiSpamBar: [SBI $63827070] Program directory (Directory, nothing done)
    C:\Documents and Settings\Deb\Application Data\SpamBlockerUtility\

    Zango.AntiSpamBar: [SBI $657F72A8] Program directory (Directory, nothing done)
    C:\Documents and Settings\Deb\Application Data\SpamBlockerUtility\v3.0\

    Zango.AntiSpamBar: [SBI $3A164920] Program directory (Directory, nothing done)
    C:\Documents and Settings\Deb\Application Data\SpamBlockerUtility\v3.0\HostOI\

    Zango.AntiSpamBar: [SBI $62E0217B] Program directory (Directory, nothing done)
    C:\Documents and Settings\Deb\Application Data\SpamBlockerUtility\v3.0\HostOI\static\

    Zango.AntiSpamBar: [SBI $4761BD65] Program directory (Directory, nothing done)
    C:\Documents and Settings\Deb\Application Data\SpamBlockerUtility\v3.0\HostOL\

    Zango.AntiSpamBar: [SBI $28776434] Program directory (Directory, nothing done)
    C:\Documents and Settings\Deb\Application Data\SpamBlockerUtility\v3.0\HostOL\static\
    ==============================================================
    What I did was delete the whole directory tree starting with SpamBlockerUtility\

    Hey noahdfear it's been a real pleasure working with you! Thanks for what you do!
    It was the little white church next to the cemetery.
    I'm still shaking my head over what a small world it is!

    I deleted all the programs less HJT, kept the log files just in case.
    Yes combofix /u uninstalled and deleted the quarantined files.

    Just a note for further messages:
    1) the link to KASPERSKY ONLINE SCANNER 7 was broken.
    2) ComboFix was too old and ran in some limited mode.
    It showed the correct date as January 30, 2009 but it had
    expired its timeline. You know I'm not sure that wasn't DDS,
    I've slept since then :)

    Thanks Again for all your help! WindowsBBS rocks! and that includes you!
     
  21. 2009/01/31
    noahdfear

    Thanks for letting me know about the Kaspersky link. Don't know when they changed that, but I've updated my links now.

    Good to see you removed the SpamBlocker folder. Odd that Spybot was unable to. :confused:

    Geri has posted some very helpful information and recommendations regarding future protection in the following link.

    http://www.windowsbbs.com/showthread.php?t=67958

    Surf safe! :)


    As a youngster, that church was one of the things that got us excited when we drove to Culver. It meant we were very close to the dips in the road that would give you that feeling of falling away from your stomach if you were going fast enough - fun for kids. The cemetery also had a stone that looked like an old tree trunk, which fascinated us.
     
