Hi and welcome to Daniweb forums :).

Let's see what we can come up with.

Please download this file - combofix.exe by sUBs

  • Save it to your Desktop
  • Now physically disconnect from the internet and STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields)
  • Click on your START button and choose Run. Then copy/paste the entire content of the following quotebox (Including the "" marks and the Symbols) into the run box.


  • Click OK and this will start ComboFix.
  • When finished, it will produce a log. Please save that log to a Notepad File to post in your next reply along with a fresh HJT log.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

* After you have saved the logs, restart your system to re-enable all the programs that were disabled during the running of ComboFix.

* Reconnect to the internet

* Post the following logs/Reports:


  • ComboFix.txt
  • Fresh HijackThis log run after all the other tools have performed their cleanup.

-----------------------------------------------------------------------------------------------------
Greetings,
I'm having the same problem as SilentLuna8 (Fake Security warning and can't access Control Panel). I've installed HijackThis and ComboFix and run them as detailed in the instructions posted. I now have access to the Control Panel (Yippee!), but need someone with expertise to look at my logs to see what I should have HijackThis "fix". Can someone help me with this?

ComboFix Log 07-12-05.2 - Command switches used :: /KillAll
(((((((((((((((((((( Other deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autos.exe
C:\Documents and Settings\Gregg\Start Menu\Programs\Startup\infos.exe
C:\Program Files\spysheriff
C:\Program Files\spysheriff\base.avd
C:\Program Files\spysheriff\base001.avd
C:\Program Files\spysheriff\base002.avd
C:\Program Files\spysheriff\found.wav
C:\Program Files\spysheriff\heur000.dll
C:\Program Files\spysheriff\heur001.dll
C:\Program Files\spysheriff\heur003.dll
C:\Program Files\spysheriff\notfound.wav
C:\Program Files\spysheriff\removed.wav
C:\Program Files\spysheriff\SpySheriff.dvm
C:\Program Files\spysheriff\SpySheriff.exe
C:\Program Files\spysheriff\Uninstall.exe
C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\config\system~1\applic~1\install.dat
C:\WINDOWS\system32\drivers\fad.sys
C:\WINDOWS\system32\G42A.tmp.exe
C:\WINDOWS\system32\G43E2.tmp.exe
C:\WINDOWS\system32\G52B0.tmp.exe
C:\WINDOWS\system32\G61B0.tmp.exe
C:\WINDOWS\system32\G631D.tmp.exe
C:\WINDOWS\system32\G662A.tmp.exe
C:\WINDOWS\system32\G750.tmp.exe
C:\WINDOWS\system32\G8289.tmp.exe
C:\WINDOWS\system32\G8BAE.tmp.exe
C:\WINDOWS\system32\G9F07.tmp.exe
C:\WINDOWS\system32\GBEFF.tmp.exe
C:\WINDOWS\system32\GCCFB.tmp.exe
C:\WINDOWS\system32\GD1B7.tmp.exe
C:\WINDOWS\system32\GD81C.tmp.exe
C:\WINDOWS\system32\GEE05.tmp.exe
C:\WINDOWS\system32\GF180.tmp.exe
C:\WINDOWS\system32\GF2A8.tmp.exe
C:\WINDOWS\system32\GFA67.tmp.exe
C:\WINDOWS\system32\msdtexch.dll
C:\WINDOWS\system32\msftedswc.dll
C:\WINDOWS\system32\proper.exe
C:\WINDOWS\system32\winter.exe
C:\winstall.exe

(((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_MSUPDATE
-------\Driver
-------\msupdate


(((((((((((( Files Created from 2007-11-06 to 2007-12-06 )))))))))))))))))))))))))))))))
.

2007-12-03 14:44 . 2007-12-03 14:44 2,852 --a------ C:\WINDOWS\SYSTEM32\AcroIEHelper.xml
2007-12-03 07:41 . 2007-12-03 10:14 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2007-12-02 16:31 . 2007-12-02 21:21 22,696 --a------ C:\Documents and Settings\Gregg Stucki\Application Data\info.dat
2007-11-29 16:59 . 2007-11-29 18:25 70,772,734 --a------ C:\SYM_REGISTRY_BACKUP.reg
2007-11-29 16:59 . 2007-11-29 18:22 70,769,134 --a------ C:\SYM_REGISTRY_BACKUP.old
2007-11-29 15:16 . 2007-11-29 15:16 291,328 --a------ C:\WINDOWS\SYSTEM32\libcurl.dll
2007-11-28 13:29 . 2007-11-29 15:27 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-11-28 07:31 . 2007-11-28 07:31 28,672 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\CO_Mon.sys
2007-11-28 07:01 . 2007-11-28 07:01 <DIR> d-------- C:\Documents and Settings\Gregg\Application Data\WholeSecurity
2007-11-27 05:56 . 2007-11-27 05:56 294,560 --ahs---- C:\WINDOWS\SYSTEM32\G32B1.tmp.exe~
2007-11-26 16:08 . 2007-11-26 16:08 12,783 --a------ C:\WINDOWS\SYSTEM32\comdl32.exe
2007-11-26 15:29 . 2007-11-26 15:29 28,929 --a------ C:\Documents and Settings\Gregg\wn852.exe

.
((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-06 04:09 --------- d-----w C:\Program Files\QuickBooks Online Backup
2007-12-03 17:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-12-03 17:29 --------- d-----w C:\Program Files\Symantec
2007-12-03 17:29 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-12-03 17:22 --------- d-----w C:\Documents and Settings\Gregg\Application Data\Symantec
.

(((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F3CFA533-7680-4943-A863-B8216390E847}]
2007-11-05 07:03 528896 --a------ C:\WINDOWS\SYSTEM32\AcroIEHelper.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2005-10-19 07:59]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 19:12]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2003-08-06 00:04]
"DwlClient"="C:\Program Files\Common Files\Dell\EUSW\Support.exe" [2003-10-07 15:21]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 18:30]
"dumprep"="C:\WINDOWS\system32\spoolc.exe" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows installer"="C:\winstall.exe" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk.disabled [2006-07-06 14:24:36]
QuickBooks Online Backup TaskBar Icon.LNK - C:\Program Files\QuickBooks Online Backup\CBSysTray.exe [2006-07-17 10:28:05]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2007-06-10 01:09:14]
WinZip Quick Pick.lnk.disabled [2006-09-08 15:39:57]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, append.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
"Sonic RecordNow!"=
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe
"StartUp"=C:\WINDOWS\trayicons.exe /optimize speed
"Undefined"=C:\WINDOWS\system32\winter.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"MimBoot"=C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe
"MMTray"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"
"OrderReminder"=C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
"StorageGuard"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe"
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"
"HotKeysCmds"=C:\WINDOWS\System32\hkcmd.exe
"Undefined"=C:\WINDOWS\system32\winter.exe


**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-06 12:49:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-12-06 12:50:56 - machine was rebooted --- E O F ---


and the HijackThis log...

Logfile of HijackThis v1.99.1
Scan saved at 1:02:08 PM, on 12/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\QuickBooks Online Backup\AgentSrv.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\QuickBooks Online Backup\CBSysTray.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Gregg\Local Settings\Temp\wz2099\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: AcroIEHelper - {F3CFA533-7680-4943-A863-B8216390E847} - C:\WINDOWS\SYSTEM32\AcroIEHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [dumprep] C:\WINDOWS\system32\spoolc.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: QuickBooks Online Backup TaskBar Icon.LNK = C:\Program Files\QuickBooks Online Backup\OLSysTray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O4 - Global Startup: QuickBooks Online Backup TaskBar Icon.LNK = C:\Program Files\QuickBooks Online Backup\CBSysTray.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: WinZip Quick Pick.lnk.disabled
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.0.6.5.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1163702102515
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} - https://a248.e.akamai.net/f/248/5462/2h/www.symantecstore.com/v2.0-img/operations/symbizpr/xcontrol/SymDlBrg.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Connected Agent Service (AgentSrv) - Connected Corporation - C:\Program Files\QuickBooks Online Backup\AgentSrv.EXE
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Thank you in advance for your help!


Hi. If you read the announcement at the head of this forum, you will notice that it says not to piggyback other members' threads.
Combofix should only be run under direction.
There is another thread advising the use of the latest version of HijackThis. You are running an outdated version.
I have moved your post to your own thread.

==

Please go to Jotti's or to virustotal and have these files scanned. Post the results back here.

C:\WINDOWS\SYSTEM32\comdl32.exe
C:\Documents and Settings\Gregg\wn852.exe
C:\WINDOWS\system32\spoolc.exe
C:\winstall.exe
C:\WINDOWS\system32\winter.exe

Thanks Crunchie,

Sorry. I noticed the "piggy back" announcement after I had posted and then realized I couldn't remove the post, so I created a new one (actually 2) because I am experiencing 2 issues; the Control Panel "Restrictions" message and "Application Failed/ATL.DLL" message. (I'm still in the low-end of the learning curve).

I've also downloaded the newer version of HijackThis (2.0.0.2). Thanks for pointing this out.

Here are the results of the scans of each of these files. I used the VirusTotal site:

File comdl32.exe received on 12.04.2007 10:32:07 (CET)
Antivirus Version Last Update Result
AhnLab-V3 - - -
AntiVir - - TR/Crypt.XPACK.Gen
Authentium - - -
Avast - - Win32:Kbot-D
AVG - - Downloader.Obfuskated
BitDefender - - Trojan.AVKiller.AS
CAT-QuickHeal - - (Suspicious) - DNAScan
ClamAV - - -
DrWeb - - Trojan.MulDrop.8347
eSafe - - Suspicious File
eTrust-Vet - - -
Ewido - - -
FileAdvisor - - -
Fortinet - - Basine.C!tr
F-Prot - - -
F-Secure - - -
Ikarus - - Backdoor.Win32.Kbot.aq
Kaspersky - - -
McAfee - - Tcad-Crypted
Microsoft - - TrojanDownloader:Win32/Small.gen!AAM
NOD32v2 - - -
Norman - - -
Panda - - Suspicious file
Prevx1 - - Downloader.Obfuskated
Rising - - Trojan.DL.Win32.Small.fyn
Sophos - - Mal/Basine-C
Sunbelt - - -
Symantec - - -
TheHacker - - -
VBA32 - - -
VirusBuster - - Trojan.DR.Dirat.Gen
Webwasher-Gateway - - Trojan.Crypt.XPACK.Gen
Additional information
MD5: a555e0dcff5c13254a8e41b19a66e2d3

File wn852.exe received on 12.07.2007 17:13:50 (CET)
Antivirus Version Last Update Result
AhnLab-V3 - - -
AntiVir - - TR/Crypt.ULPM.Gen
Authentium - - -
Avast - - -
AVG - - Downloader.Small.BBG
BitDefender - - -
CAT-QuickHeal - - Trojan.Agent.i
ClamAV - - -
DrWeb - - Trojan.Alert
eSafe - - suspicious Trojan/Worm
eTrust-Vet - - -
Ewido - - -
FileAdvisor - - -
Fortinet - - -
F-Prot - - W32/Heuristic-KPP!Eldorado
F-Secure - - Trojan-Downloader.Win32.Small.gye
Ikarus - - -
Kaspersky - - Trojan-Downloader.Win32.Small.gye
McAfee - - -
Microsoft - - -
NOD32v2 - - -
Norman - - W32/DLoader.EMIH
Panda - - Adware/VirusAlert
Prevx1 - - Trojan.Gorhax
Rising - - -
Sophos - - Mal/Behav-119
Sunbelt - - VIPRE.Suspicious
Symantec - - -
TheHacker - - -
VBA32 - - -
VirusBuster - - -
Webwasher-Gateway - - Trojan.Crypt.ULPM.Gen
Additional information
MD5: c1a58be2fda60f72a41f687d6489e661

I can't seem to locate the other 3 files (spoolc, winstall, winter). Where are they hiding? I have file settings to show hidden and operating system files, but I can't locate them in order to scan them. What am I overlooking?

"Application Failed/ATL.DLL" message.

That may not be spy/malware related. If removing the trash does not fix it, I would post in the XP forum :).

I can't seem to locate the other 3 files (spoolc, winstall, winter). Where are they hiding? I have file settings to show hidden and operating system files, but I can't locate them in order to scan them. What am I overlooking?

Try doing a system search for the files. They may not exist though as the log above may only be showing the registry entry.

==

A. Please RUN HijackThis

  1. Click the SCAN button to produce a log.
  2. Place a check mark beside each one of the following items:

    O4 - HKLM\..\Run: [dumprep] C:\WINDOWS\system32\spoolc.exe

    O11 - Options group: [INTERNATIONAL] International*

  3. Now with all the items selected, and all windows closed except for HJT, delete them by clicking the FIX checked button. Close the HijackThis window.

B. 1. Please open Notepad

  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\SYSTEM32\comdl32.exe
C:\Documents and Settings\Gregg\wn852.exe
C:\WINDOWS\system32\spoolc.exe

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Save the above as CFScript.txt

4. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

http://i5.photobucket.com/albums/y153/crunchie1/CFScript.gif


6. After reboot, (in case it asks to reboot), please re-enable all the programs that were disabled during the running of ComboFix then post the following reports/logs into your next reply:

  • Combofix.txt
  • A new HijackThis log.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
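Picking up Crunchie's point above that a Run entry in the log may be all that is left after the file itself is gone: the Python below is an added example for this thread, not code from HijackThis, ComboFix or anyone posting here. It parses HijackThis-style O2/O4/O9 lines, pulls out the file each entry launches, and sorts them into files that are present on disk (the ones worth uploading to a multi-engine scanner such as VirusTotal before anything is removed) and orphaned entries whose target no longer exists (nothing to scan, only a dead autostart entry to clean up). The lines in SAMPLE_LOG are constructed after the logs posted above; CONSTRUCTED_PRESENT, sample_exists and on_disk are my own names, and CONSTRUCTED_PRESENT stands in for a real filesystem check so the script runs anywhere.

```python
"""Triage the autostart entries in a HijackThis-style log.

Added example for this thread; it is not code from HijackThis, ComboFix or
Daniweb. Every log line in SAMPLE_LOG is constructed in the shape of the logs
posted above, and CONSTRUCTED_PRESENT stands in for a real filesystem check.
"""
import os
import re
from typing import Callable, Dict, List, Optional

Entry = Dict[str, object]

# First Windows path ending in a PE-style extension. Non-greedy, so a command
# line such as  "...\PIFSvc.exe" /a /m "...\AlertEng.dll"  yields PIFSvc.exe.
_PATH_RE = re.compile(
    r'((?:[A-Za-z]:|%windir%)\\[^"\r\n]*?\.(?:exe|dll|sys))', re.IGNORECASE)
_SECTION_RE = re.compile(r'^(O\d+|R\d+) - ')
_NAME_RE = re.compile(r'\[([^\]]+)\]')   # the [Name] of an O4 Run entry


def parse_entry(line: str) -> Optional[Entry]:
    """Section, autostart name, target path and whether HijackThis itself
    tagged that target '(file missing)'. None for lines without a target."""
    sec = _SECTION_RE.match(line)
    if not sec:
        return None
    m = _PATH_RE.search(line)
    if not m:
        return None
    name = _NAME_RE.search(line)
    # Only trust the tag when it directly follows the path we extracted; on a
    # mangled O23 line it may refer to a second file further along the line.
    tail = line[m.end():].lstrip()
    return {
        "section": sec.group(1),
        "name": name.group(1) if name else "",
        "path": m.group(1),
        "marked_missing": tail.startswith("(file missing)"),
    }


def triage(lines: List[str], exists: Callable[[str], bool]) -> Dict[str, List[Entry]]:
    """Split entries into 'present' (a file is on disk: scan it before deciding
    anything) and 'orphaned' (the registry or startup entry survived but its
    target is gone, the registry-only case from the thread: nothing to upload,
    only a dead entry to remove). Each distinct target is reported once."""
    seen = set()
    out: Dict[str, List[Entry]] = {"present": [], "orphaned": []}
    for line in lines:
        entry = parse_entry(line)
        if entry is None:
            continue
        key = str(entry["path"]).lower()
        if key in seen:
            continue
        seen.add(key)
        gone = entry["marked_missing"] or not exists(str(entry["path"]))
        out["orphaned" if gone else "present"].append(entry)
    return out


def on_disk(path: str) -> bool:
    """Real check for use on the affected machine; expands %windir%."""
    return os.path.exists(os.path.expandvars(path))


# Constructed sample, modelled on the O2/O4/O9 lines posted in this thread.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelper - {F3CFA533-7680-4943-A863-B8216390E847} - C:\WINDOWS\SYSTEM32\AcroIEHelper.dll
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [dumprep] C:\WINDOWS\system32\spoolc.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\.DEFAULT\..\Run: [Windows installer] C:\winstall.exe (User 'Default user')
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
""".strip()

# Constructed stand-in for the disk: only these three targets "exist".
CONSTRUCTED_PRESENT = {p.lower() for p in (
    r"C:\WINDOWS\SYSTEM32\AcroIEHelper.dll",
    r"C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe",
    r"C:\WINDOWS\system32\ctfmon.exe",
)}


def sample_exists(path: str) -> bool:
    return path.lower() in CONSTRUCTED_PRESENT


if __name__ == "__main__":
    # On the real machine pass on_disk instead of sample_exists.
    result = triage(SAMPLE_LOG.splitlines(), sample_exists)
    for bucket, entries in result.items():
        for e in entries:
            print(f"{bucket:8} {e['section']:3} [{e['name'] or '-'}] {e['path']}")
```

The "orphaned" bucket is exactly what FileFind would report as not found: the Run value is still in the registry, so HijackThis lists it, but there is no file to submit to a scanner, and the right action is to let HijackThis remove the entry. Anything in "present" should be scanned before it is touched, since a legitimate vendor helper and a dropped loader look the same in an O4 line.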

I'm not at the "problem" computer right now, but will follow the outlined steps this weekend and post the results. You have explained things clearly and I feel pretty confident I can follow each step.

Two questions:

1) What is the best method for carrying out a "system search" of those files? I tried navigating to them using "Explore", then I did a search using Start> Search (that didn't seem to work at all).

2) re: step B, 4. - Since I was already having problems with my Norton AV software I went ahead and uninstalled the whole thing (so that won't interfere with ComboFix). I will install a better AV product later. I have Spybot, Ad-Aware and Spyware Blaster installed; do they need to be temporarily "turned off" and if so, how do I do this? I can't think of any other "guards" or "shields" installed on my computer. Is there some other commonly installed product I could be overlooking?

Thanks so much for your help!

With what you have installed I do not think Combofix will run into any problems.

Please download FileFind from Atribune:
http://www.atribune.org/downloads/FileFind.zip

Unzip the file and save it to your desktop.

To run FileFind, please do the following:

* Click on FileFind.exe
* In the box labeled "Enter the directory to search"
o Enter Drive C:\
* In the box labeled "Enter the file to search"
o Enter the file You cannot locate
* Now click on the "Find" button
* Once the utility has found the files click on "Export"
* This will save a text file to your C:\ drive as "Export.txt"
* Double click on Export.txt, copy and paste this information in your next post

Do the above for each one. If Filefind does not find them, I think it is safe to assume they do not exist.

Installed and ran FileFind. The 3 "missing" files (spoolc.exe, winstall.exe, winter.exe) were not found.

A. First time I ran HijackThis, the 2 entries were no longer there (O4 HKLM... spoolc.exe and O11 Options group...international) so there wasn't anything to have it "Fix".

B. Ran ComboFix as outlined. (Note: When I submitted the previous log, I had deleted my last name from all the entries in the subfolder "Gregg" under "Documents and Settings". I made sure to add it back into the text of the codebox you had me paste into ComboFix.)

Things have definitely been running better. I still can't access "Internet Options" from "Tools" in IE, but since downloading and using Firefox this has been less of an issue. I have access to all the features in Firefox. Some of the other things that were happening have stopped; a 2nd browser window was opening every time I opened IE and that doesn't happen anymore. But, whenever I perform a search (Yahoo or Google) I get good search results but when I click on any of the links, I get redirected to a phony page (it shows "realsearch.cc/feed..." in the browser window). If I cut and paste the address into the browser then it takes me to the right page. This is only in IE, Firefox works fine. As long as I'm using Firefox I don't notice any problems. However, it would be good to get the spyware completely removed from my computer. Its primary impact seems to be affecting many of the settings relating to IE.

I still have the "ATL.DLL error" pop-up every time I restart my computer or download something, but I'll work on that under a separate thread later (on a different forum as you suggested). Everything I download still works so it doesn't seem to be affecting anything.

Here are the contents of the 2 logs:

ComboFix 07-12-05.2 - Gregg Stucki 2007-12-08 17:39:38.2 - NTFSx86
Running from: C:\Documents and Settings\Gregg Stucki\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Gregg Stucki\Desktop\CFScript.txt

FILE
C:\Documents and Settings\Gregg Stucki\wn852.exe
C:\WINDOWS\SYSTEM32\comdl32.exe
C:\WINDOWS\system32\spoolc.exe
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Gregg Stucki\wn852.exe
C:\WINDOWS\SYSTEM32\comdl32.exe

.
(((((((((((((((((((((((((   Files Created from 2007-11-09 to 2007-12-09  )))))))))))))))))))))))))))))))
.

2007-12-08 16:03 . 2007-12-08 16:03 <DIR>    d--------   C:\WINDOWS\SYSTEM32\unicode
2007-12-08 15:31 . 2007-12-08 15:32 1,069,935   --a------   C:\WINDOWS\SYSTEM32\RegCure_Setup_15_RW.exe
2007-12-07 17:12 . 2007-12-07 17:12 <DIR>    d--------   C:\Documents and Settings\Gregg Stucki\Application Data\Uniblue
2007-12-07 17:05 . 2007-12-07 17:08 4,131,384   --a------   C:\WINDOWS\SYSTEM32\registryboosterdllfiles1.exe
2007-12-07 15:03 . 2007-12-07 15:03 7,680   --ahs----   C:\WINDOWS\Thumbs.db
2007-12-07 14:51 . 2007-12-07 14:51 3,584   --ahs----   C:\WINDOWS\SYSTEM32\Thumbs.db
2007-12-07 14:10 . 2007-12-07 14:25 <DIR>    d--------   C:\Program Files\VirusTotalUploader
2007-12-07 13:43 . 2007-12-07 14:25 <DIR>    d--------   C:\Program Files\Trend Micro
2007-12-06 16:47 . 2007-12-06 16:47 0   --a------   C:\WINDOWS\nsreg.dat
2007-12-06 16:24 . 2007-12-06 16:30 <DIR>    d--------   C:\Program Files\SpywareBlaster
2007-12-03 14:44 . 2007-12-03 14:44 2,852   --a------   C:\WINDOWS\SYSTEM32\AcroIEHelper.xml
2007-12-03 07:41 . 2007-12-03 10:14 <DIR>    d--------   C:\WINDOWS\SxsCaPendDel
2007-12-02 16:31 . 2007-12-02 21:21 22,696  --a------   C:\Documents and Settings\Gregg Stucki\Application Data\info.dat
2007-11-29 16:59 . 2007-11-29 18:25 70,772,734  --a------   C:\SYM_REGISTRY_BACKUP.reg
2007-11-29 16:59 . 2007-11-29 18:22 70,769,134  --a------   C:\SYM_REGISTRY_BACKUP.old
2007-11-29 15:16 . 2007-11-29 15:16 291,328 --a------   C:\WINDOWS\SYSTEM32\libcurl.dll
2007-11-28 13:29 . 2007-11-29 15:27 <DIR>    d--------   C:\Program Files\Enigma Software Group
2007-11-28 07:31 . 2007-11-28 07:31 28,672  --a------   C:\WINDOWS\SYSTEM32\DRIVERS\CO_Mon.sys
2007-11-28 07:01 . 2007-11-28 07:01 <DIR>    d--------   C:\Documents and Settings\Gregg Stucki\Application Data\WholeSecurity
2007-11-27 05:56 . 2007-11-27 05:56 294,560 --ahs----   C:\WINDOWS\SYSTEM32\G32B1.tmp.exe~

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-08 21:36    ---------   d-----w C:\Program Files\QuickBooks Online Backup
2007-12-07 23:53    ---------   d-----w C:\Program Files\Symantec
2007-12-07 23:53    ---------   d-----w C:\Program Files\Common Files\Symantec Shared
2007-12-07 23:53    ---------   d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-12-07 23:52    ---------   d-----w C:\Program Files\Hewlett-Packard
2007-12-07 23:48    ---------   d--h--w C:\Program Files\InstallShield Installation Information
2007-12-07 23:48    ---------   d-----w C:\Program Files\Jasc Software Inc
2007-12-07 23:48    ---------   d-----w C:\Program Files\eMusic Download Manager
2007-12-03 17:22    ---------   d-----w C:\Documents and Settings\Gregg Stucki\Application Data\Symantec
2007-11-05 14:03    528,896 ----a-w C:\WINDOWS\SYSTEM32\AcroIEHelper.dll
2007-10-26 03:34    8,460,288   ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\shell32.dll
.

(((((((((((((((((((((((((((((   snapshot@2007-12-06_12.50.03.67   )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-05-13 21:51:06   74,810  ----a-w C:\WINDOWS\SYSTEM32\unicode\ATL.DLL
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F3CFA533-7680-4943-A863-B8216390E847}]
2007-11-05 07:03    528896  --a------   C:\WINDOWS\SYSTEM32\AcroIEHelper.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2005-10-19 07:59]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 19:12]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2003-08-06 00:04]
"DwlClient"="C:\Program Files\Common Files\Dell\EUSW\Support.exe" [2003-10-07 15:21]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows installer"="C:\winstall.exe" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk.disabled [2006-07-06 14:24:36] 
QuickBooks Online Backup TaskBar Icon.LNK - C:\Program Files\QuickBooks Online Backup\CBSysTray.exe [2006-07-17 10:28:05]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2007-06-10 01:09:14]
WinZip Quick Pick.lnk.disabled [2006-09-08 15:39:57] 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders   msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, append.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
"Sonic RecordNow!"=
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe
"StartUp"=C:\WINDOWS\trayicons.exe /optimize speed
"Undefined"=C:\WINDOWS\system32\winter.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"MimBoot"=C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe
"MMTray"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"
"OrderReminder"=C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
"StorageGuard"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe"
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"
"HotKeysCmds"=C:\WINDOWS\System32\hkcmd.exe
"Undefined"=C:\WINDOWS\system32\winter.exe


.
Contents of the 'Scheduled Tasks' folder
"2007-12-07 23:28:30 C:\WINDOWS\Tasks\Spybot - Search & Destroy -  Scheduled Task.job"
- C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-08 17:41:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully 
hidden files: 0 

**************************************************************************
.
Completion time: 2007-12-08 17:42:39
C:\ComboFix2.txt ... 2007-12-06 12:50
.
    --- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:56:59 PM, on 12/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\QuickBooks Online Backup\CBSysTray.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\QuickBooks Online Backup\AgentSrv.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: AcroIEHelper - {F3CFA533-7680-4943-A863-B8216390E847} - C:\WINDOWS\SYSTEM32\AcroIEHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-4226933070-409106339-3193534870-1008\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [Windows installer] C:\winstall.exe (User '?')
O4 - HKUS\.DEFAULT\..\Run: [Windows installer] C:\winstall.exe (User 'Default user')
O4 - S-1-5-21-4226933070-409106339-3193534870-1008 Startup: QuickBooks Online Backup TaskBar Icon.LNK = C:\Program Files\QuickBooks Online Backup\OLSysTray.exe (User '?')
O4 - Startup: QuickBooks Online Backup TaskBar Icon.LNK = C:\Program Files\QuickBooks Online Backup\OLSysTray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O4 - Global Startup: QuickBooks Online Backup TaskBar Icon.LNK = C:\Program Files\QuickBooks Online Backup\CBSysTray.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: WinZip Quick Pick.lnk.disabled
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.0.6.5.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1163702102515
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} - https://a248.e.akamai.net/f/248/5462/2h/www.symantecstore.com/v2.0-img/operations/symbizpr/xcontrol/SymDlBrg.cab
O23 - Service: Connected Agent Service (AgentSrv) - Connected Corporation - C:\Program Files\QuickBooks Online Backup\AgentSrv.EXE
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 5652 bytes

Thanks for all your help!!
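For readers who want to see how a helper triages O4 (autostart) lines like the ones in the HijackThis log above, here is an added example, not code from the thread or from HijackThis. It parses O4 registry Run and Startup-folder entries and flags the ones a defender would look at first: entries living under the SYSTEM (HKUS\S-1-5-18) or .DEFAULT profile hives, executables outside the Windows and Program Files trees, executables sitting in a drive root, and entry names that imitate a Windows component while pointing elsewhere. The sample lines are copied from the log above; the heuristics and thresholds are this example's own assumptions, not HijackThis rules.

```python
import re
from dataclasses import dataclass

# Sample O4 lines taken from the HijackThis log posted above (constructed subset).
SAMPLE_O4_LINES = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Windows installer] C:\winstall.exe (User '?')
O4 - HKUS\.DEFAULT\..\Run: [Windows installer] C:\winstall.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
"""

# Assumed "expected" locations for legitimate autostart executables (example heuristic).
EXPECTED_DIRS = ("\\windows\\", "\\program files\\", "\\progra~1\\")
# Run keys under these hives are rarely populated by ordinary user-mode software.
SYSTEM_HIVES = ("HKUS\\S-1-5-18", "HKUS\\.DEFAULT")

USER_SUFFIX_RE = re.compile(r" \(User '[^']*'\)$")
RUN_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
STARTUP_RE = re.compile(r"^O4 - (?P<where>.*Startup): (?P<link>.*?)(?: = (?P<cmd>.*))?$")


@dataclass
class Finding:
    line: str
    reasons: list


def executable_path(cmd):
    """Pull the executable out of a command line (quoted path, or first token ending in an executable extension)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.*?\.(?:exe|com|bat|cmd|scr|pif|vbs|js))(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(" ")[0]


def triage_o4(line):
    """Return a Finding for one O4 line, or None when nothing looks unusual."""
    reasons = []
    stripped = USER_SUFFIX_RE.sub("", line.rstrip())
    m = RUN_RE.match(stripped)
    if m:
        hive, name, cmd = m.group("hive"), m.group("name"), m.group("cmd")
        if hive.upper() in SYSTEM_HIVES:
            reasons.append(f"Run entry under {hive} (SYSTEM / default profile hive)")
    else:
        m = STARTUP_RE.match(stripped)
        if not m or not m.group("cmd"):
            return None  # not an O4 line, or a disabled .lnk with no target
        name, cmd = m.group("link"), m.group("cmd")
    path = executable_path(cmd)
    lower = path.lower()
    if not any(d in lower for d in EXPECTED_DIRS):
        reasons.append(f"executable outside Windows/Program Files: {path}")
    if re.match(r"^[a-z]:\\[^\\]+$", lower):
        reasons.append("executable sits directly in a drive root")
    if "windows" in name.lower() and "\\windows\\" not in lower:
        reasons.append(f"name '{name}' imitates a Windows component but the path is elsewhere")
    return Finding(line=line, reasons=reasons) if reasons else None


def triage_log(text):
    """Triage every O4 line in a HijackThis log; returns the list of Findings."""
    return [f for f in (triage_o4(l) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for finding in triage_log(SAMPLE_O4_LINES):
        print(finding.line)
        for reason in finding.reasons:
            print("   -", reason)
```

Run against the sample, only the two `C:\winstall.exe` entries are reported, each with several independent reasons, which is exactly the pair the helper asks to be fixed in the next reply; the Intel, Dell and QuickBooks entries pass because they live under Program Files or Windows and under ordinary hives.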

Download and Run ATF Cleaner
Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it.

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program

==

Download the HostsXpert.
Run it and press "Restore Original Hosts" and press "OK". Exit Program.
Note that if you have a custom host file, this will remove it.

==

Can you please do the following.


===============

Scan with HijackThis and then place a check next to all the following, if present:


O4 - HKUS\S-1-5-18\..\Run: [Windows installer] C:\winstall.exe (User '?')
O4 - HKUS\.DEFAULT\..\Run: [Windows installer] C:\winstall.exe (User 'Default user')


Now, close all instances of Internet Explorer and any other windows you have open except HiJackThis, click "Fix checked".

-

Reboot.

===============

Go here and download then run Silent Runners.vbs. Right click on the download link and select Save Target As. Save it to the desktop or to a folder in a permanent directory. It generates a log which will be created in the same folder you are running it from. Please post the information back in this thread.
If you have a script blocking program, please allow the file to run. It is not malicious.
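The HostsXpert step above resets the hosts file because malware of this kind commonly edits it to black-hole security vendors or redirect sites. As an added example (not part of the thread and not HostsXpert's code), here is a small audit that shows what such a reset is undoing: it parses a hosts file and reports every mapping other than the stock `localhost` entries, distinguishing names pinned to loopback (access blocked) from names pointed at some other address (traffic diverted). The hosts content below is constructed for the example, using reserved `.test` names and a documentation address.

```python
import ipaddress

# Constructed sample hosts file: the stock localhost line plus two non-default entries.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost

# The two lines below are constructed for this example.
127.0.0.1       updates.example-av.test   # pins a vendor name to loopback
203.0.113.10    www.example-bank.test     # points a site at a foreign address
"""

# Only these mappings are present in a stock hosts file (assumption for the audit).
DEFAULT_ENTRIES = {("127.0.0.1", "localhost"), ("::1", "localhost")}


def parse_hosts(text):
    """Yield (ip, hostname) pairs, ignoring comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            entries.append((ip, name.lower()))
    return entries


def audit_hosts(text):
    """Return (ip, hostname, reason) for every mapping that is not a stock entry."""
    findings = []
    for ip, name in parse_hosts(text):
        if (ip, name) in DEFAULT_ENTRIES:
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((ip, name, "unparseable address"))
            continue
        if addr.is_loopback:
            findings.append((ip, name, "pinned to loopback: access to this name is blocked"))
        else:
            findings.append((ip, name, f"redirected to {ip}: traffic for this name is diverted"))
    return findings


if __name__ == "__main__":
    for ip, name, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"{name:30} {ip:16} {reason}")
```

On a machine where a user has deliberately added hosts entries (ad blocking, local development), the audit will list those too; that is the same caveat the helper gives about custom hosts files being removed by the restore.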

I was able to download and run ATF Cleaner, HostsXpert and HijackThis as outlined above.

Having some trouble running Silent Runner. I get a message telling me, "This script requires Windows Management Instrumentation to run" then it shows me how to start WMI in the "Services" folder under Admin Tools. When I click on "Services" another message appears:

Microsoft Management Console
Snap-in failed to initialize
Name: Services
CLSID:{58221C66-EA27-11CF-ADCF-00AA00A80033

What to do next?

Thank you for your help!!

I ran Scannow and although it took a while, it completed (no message requesting the Windows CD). But when I tried running Silent Runners I got the same error message telling me to start the WMI service. Still can't open "Services".

Next, I did as shown in udatexp.com/scannow-sfc.html and copied the I386 file from my Windows XP installation CD to drive C (the I386 folder already existed, so I overwrote all files with the same name), then rebooted. Ran Scannow once again, rebooted, but still can't run Silent Runners or access the "Services" to start WMI.

Sorry this is proving to be such a pesky problem. I really appreciate the help and am learning tons!

I don't know why yours is not working, but I have found someone with the same problem. Try the suggestions here:
http://www.mcse.ms/message579903.html and let us know how you go. You may end up having to do a system repair.

There were a ton of links in the discussion link you provided [mcse.ms/message579903]. I've been going through all of them, researching and trying numerous solutions.

One I found on MS Help [Article ID: 912651] had some strong similarities (missing ATL.DLL file), but when I tried to type in the "solution text" it gives me an error that it can't find a file.

I tried everything explained in the mcse discussion (with the same negative results) except the very last item:

If you have a real XP CD, find services.msc & fsmgmt.msc,
they live in: C:\WINDOWS\system32. rename 'em to:
services.old & fsmgmt.old. Reboot.

It sounds like I would be renaming these 2 files on my hard drive (not on the XP CD) but this wasn't clear to me exactly what to do. If you think this is something I should try, perhaps you could give me some more clarity on exactly what I need to do.

Anyway, I've spent so many hours on this problem that I'm ready to try something more drastic if necessary.

What is a "system repair" and what does it involve, is that the next step?

Thanks for your help!

If I were you now, I would be doing a system repair job. There is an excellent tutorial here http://www.michaelstevenstech.com/XPrepairinstall.htm so rather than explain it all here (not that I could :)), it is probably better that you go there.
Take note that you will have to get all your M$ updates again.
The good thing about a system repair is that you do not lose any of your programs/files.
