0

I have had a lot of trouble with spools.exe. I clean it off and it just keeps coming back. This computer, a Dell Dimension 3000, 1.5 GB RAM, SP2, had a lot of trojans and viruses and I was able to clean most of them with Spybot Search and Destroy and HijackThis, but some seem to have the ability to keep showing up. I tried to install SuperAntiSpyware, but Windows Installer won't let me. Please look at this HijackThis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:46:42 AM, on 6/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\drivers\spools.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
C:\DOCUME~1\SANTAN~1\LOCALS~1\Temp\Temporary Directory 3 for HiJackThis.zip\HijackThis.exe
C:\DOCUME~1\SANTAN~1\LOCALS~1\Temp\Temporary Directory 4 for HiJackThis.zip\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\Santania Hone\cftmon.exe
O4 - HKCU\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKCU\..\Run: [autoload] C:\Documents and Settings\Santania Hone\cftmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe (User 'Default user')
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 4212 bytes
Thank you for all your help !
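The log above shows why spools.exe and cftmon.exe are the entries a helper looks at first: both are near-misspellings of legitimate Windows binaries (spoolsv.exe and ctfmon.exe), and both run from places those binaries never live (the drivers directory and the root of a user profile). The Python script below is an added example, not part of this thread and not HijackThis code, that encodes that reasoning as a triage pass over the O4 autorun lines of a HijackThis log. The table of legitimate binaries with their expected directories, the edit-distance threshold of 2, and the two "unusual location" rules are my own assumptions for an XP-era system; the sample lines are the O4 entries from the log above.

```python
import re
from typing import List, NamedTuple, Optional

# Assumed table: Windows binaries that malware commonly imitates by name, with
# the directory each is expected to run from on a default XP install.
LEGIT_BINARIES = {
    "spoolsv.exe": r"c:\windows\system32",
    "ctfmon.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "smss.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}
LOOKALIKE_THRESHOLD = 2  # assumed: edit distance at which a name counts as a look-alike

# O4 lines come in two shapes: registry Run/RunOnce keys and Global Startup shortcuts.
REG_O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
STARTUP_O4_RE = re.compile(r"^O4 - Global Startup: (?P<name>.+?) = (?P<cmd>.*)$")
EXE_RE = re.compile(r"^(?P<exe>.*?\.exe)", re.IGNORECASE)  # path up to the first .exe, args dropped
PROFILE_ROOT_RE = re.compile(r"^c:\\documents and settings\\[^\\]+$")


class Finding(NamedTuple):
    line: str
    exe: str
    reason: str


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute and adjacent
    transposition each cost 1, so cftmon.exe is distance 1 from ctfmon.exe."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def extract_exe(line: str) -> Optional[str]:
    """Return the executable path named by an O4 line, or None for non-O4 lines."""
    m = REG_O4_RE.match(line) or STARTUP_O4_RE.match(line)
    if not m:
        return None
    e = EXE_RE.match(m.group("cmd"))
    return e.group("exe") if e else None


def assess(exe_path: str) -> List[str]:
    """Reasons an autorun executable looks suspicious; empty list means nothing flagged."""
    p = exe_path.lower()
    directory, _, basename = p.rpartition("\\")
    reasons = []
    if basename in LEGIT_BINARIES:
        # Right name, wrong place: a real Windows binary never runs from elsewhere.
        if directory != LEGIT_BINARIES[basename]:
            reasons.append(f"{basename} is a Windows binary but runs from {directory}")
    else:
        # Near-miss of a well-known name (spools.exe vs spoolsv.exe).
        for legit in LEGIT_BINARIES:
            if osa_distance(basename, legit) <= LOOKALIKE_THRESHOLD:
                reasons.append(f"name {basename} resembles Windows binary {legit}")
                break
    if directory.endswith("\\drivers"):
        reasons.append("executable stored in the drivers directory")
    if PROFILE_ROOT_RE.match(directory):
        reasons.append("executable stored in the root of a user profile")
    return reasons


def triage_log(lines: List[str]) -> List[Finding]:
    """Run assess() over every O4 line of a HijackThis log."""
    findings = []
    for raw in lines:
        line = raw.strip()
        exe = extract_exe(line)
        if exe is None:
            continue
        for reason in assess(exe):
            findings.append(Finding(line, exe, reason))
    return findings


# The O4 section of the first log in this thread (input copied from the page).
SAMPLE_LOG = [
    r"O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe",
    r"O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\Santania Hone\cftmon.exe",
    r"O4 - HKCU\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe",
    r"O4 - HKCU\..\Run: [autoload] C:\Documents and Settings\Santania Hone\cftmon.exe",
    r"O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')",
    r"O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')",
    r"O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe (User 'SYSTEM')",
    r"O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe (User 'Default user')",
    r"O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe",
]

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.exe}\n    {f.reason}")
```

Only the two spools.exe lines and the two cftmon.exe lines produce findings (two reasons each); the AVG, Flash and Dell printer entries pass, which matches what the later logs in this thread show being left in place. The look-alike rule and the location rule are deliberately independent so that either one alone still surfaces an entry.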


0

Before we begin, let's move HijackThis to its own folder, like C:\HJT. When we're done 'cleaning' off your system, we're going to 'flush' the temporary folders, and with HijackThis in its current location we'd lose both the program and the backups it creates. These backups are important in case we need to restore any 'fixed' entry(s) later.

Also move the "Backups" folder for HijackThis, if present.

=================

Download SDFix and save it to your desktop.

Please then reboot your computer in Safe Mode by doing the following:

  • Restart your computer.
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually.
  • Instead of Windows loading as normal, a menu with options should appear.
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
  • In Safe Mode, right click the SDFix.zip folder and choose Extract All.
  • Open the extracted folder and double click RunThis.bat to start the script.
  • Type Y to begin the script.
  • It will remove the Trojan Services, then make some repairs to the registry and prompt you to press any key to Reboot.
  • Press any key and it will restart the PC.
  • Your system will take longer than normal to restart as the fixtool will be running and removing files.
  • When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
  • Finally, open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log.
0

here are the logs ya wanted

**SDFix: Version 1.187**
Run by Santania Hone on Sun 06/01/2008 at 10:52 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\DOCUME~1\SANTAN~1\Desktop\SDFix

**Checking Services**:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


**Checking Files**:

Trojan Files Found:

C:\DOCUME~1\SANTAN~1\APPLIC~1\MICROS~1\WINDOWS\JIDUNJI.EXE - Deleted
C:\PROGRA~1\MSN\LAVUPA - Deleted
C:\Documents and Settings\Administrator\cftmon.exe - Deleted
C:\Documents and Settings\LocalService\cftmon.exe - Deleted
C:\Documents and Settings\Santania Hone\cftmon.exe - Deleted
C:\WINDOWS\system32\config\systemprofile\cftmon.exe - Deleted
C:\Documents and Settings\Santania Hone\Application Data\Install.dat - Deleted
C:\PROGRA~1\OUTLOO~1\FOHESO~1.DLL - Deleted
C:\Documents and Settings\Santania Hone\Application Data\Microsoft\Internet Explorer\Quick Launch\VirusIsolator.lnk  - Deleted
C:\WINDOWS\system32\drivers\spools.exe  - Deleted



Folder C:\Program Files\IE Extensions - Removed


Removing Temp Files

**ADS Check**:



**Final Check**:

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-01 11:02:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


**Remaining Services**:




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"="C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe:*:Enabled:EasyShare"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Disabled:LimeWire"
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"="C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe:*:Enabled:Kodak Software Updater"
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Disabled:Internet Explorer"
"C:\\WINDOWS\\system32\\lxczcoms.exe"="C:\\WINDOWS\\system32\\lxczcoms.exe:*:Enabled:Lexmark Communications System"
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"="C:\\Program Files\\Windows Media Player\\wmplayer.exe:*:Enabled:Windows Media Player"
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"="C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe:*:Enabled:MySpaceIM"
"C:\\Program Files\\GRISOFT\\AVG7\\avginet.exe"="C:\\Program Files\\GRISOFT\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\GRISOFT\\AVG7\\avgamsvr.exe"="C:\\Program Files\\GRISOFT\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\GRISOFT\\AVG7\\avgcc.exe"="C:\\Program Files\\GRISOFT\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Program Files\\GRISOFT\\AVG7\\avgemc.exe"="C:\\Program Files\\GRISOFT\\AVG7\\avgemc.exe:*:Enabled:avgemc.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"

**Remaining Files**:


File Backups: - C:\DOCUME~1\SANTAN~1\Desktop\SDFix\backups\backups.zip

**Files with Hidden Attributes**:

Mon 28 Jan 2008     1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008     5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008     2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Sat 16 Jul 2005         4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sat 16 Jul 2005         4,348 ...H. --- "C:\Documents and Settings\Santania Hone\My Documents\My Music\License Backup\drmv1key.bak"
Sun 15 Jan 2006            20 A..H. --- "C:\Documents and Settings\Santania Hone\My Documents\My Music\License Backup\drmv1lic.bak"
Sat 16 Jul 2005           400 A.SH. --- "C:\Documents and Settings\Santania Hone\My Documents\My Music\License Backup\drmv2key.bak"
Sun 30 Mar 2008             8 A..H. --- "C:\Documents and Settings\Guest\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u1\lock.tmp"
Sun 30 Mar 2008             8 A..H. --- "C:\Documents and Settings\Guest\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u2\lock.tmp"
Sun 30 Mar 2008             8 A..H. --- "C:\Documents and Settings\Guest\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u3\lock.tmp"
Sun 30 Mar 2008             8 A..H. --- "C:\Documents and Settings\Guest\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u4\lock.tmp"
Wed 11 Apr 2007             8 A..H. --- "C:\Documents and Settings\Santania Hone\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\lock.tmp"
Wed 11 Apr 2007             8 A..H. --- "C:\Documents and Settings\Santania Hone\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u2\lock.tmp"
Wed 11 Apr 2007             8 A..H. --- "C:\Documents and Settings\Santania Hone\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u3\lock.tmp"
Wed 11 Apr 2007             8 A..H. --- "C:\Documents and Settings\Santania Hone\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u4\lock.tmp"
Mon 10 Sep 2007             8 A..H. --- "C:\Documents and Settings\S. Hone\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u1\lock.tmp"
Mon 10 Sep 2007             8 A..H. --- "C:\Documents and Settings\S. Hone\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u2\lock.tmp"
Mon 10 Sep 2007             8 A..H. --- "C:\Documents and Settings\S. Hone\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u3\lock.tmp"
Mon 10 Sep 2007             8 A..H. --- "C:\Documents and Settings\S. Hone\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u4\lock.tmp"
Mon  6 Aug 2007             8 A..H. --- "C:\Documents and Settings\Tania\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u1\lock.tmp"
Mon  6 Aug 2007             8 A..H. --- "C:\Documents and Settings\Tania\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u2\lock.tmp"
Mon  6 Aug 2007             8 A..H. --- "C:\Documents and Settings\Tania\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u3\lock.tmp"
Mon  6 Aug 2007             8 A..H. --- "C:\Documents and Settings\Tania\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u4\lock.tmp"

**Finished!**

------------------------------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:11:10 AM, on 6/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe (User 'Default user')
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 3666 bytes

Thanks for all your help !! Let me know what else I need to do, please.

Edited by Reverend Jim: Fixed formatting

0

Just to be sure, can you right click on hijackthis.exe and rename it to analysethis, do another scan and post the log.

0

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:58:44 PM, on 6/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe (User 'Default user')
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 3731 bytes

0

Just to be sure, can you right click on hijackthis.exe and rename it to analysethis, do another scan and post the log.

You never renamed it.

0

You never renamed it.

I did, but for some reason it didn't work right. I renamed the hijackthis.exe file 'analysethis.exe'. Then I ran a scan. So how do I do it differently? Let me know and I will do it right away!

1

I did, but for some reason it didn't work right.

Then you need to check your post after you have posted it :).

You probably renamed the shortcut to it. Follow this folder path until you locate hijackthis.exe; C:\Program Files\Trend Micro\HijackThis then right click on the file. Select Rename and enter analysethis and hit the enter key.
Rescan and post the log.

Votes + Comments
crunchie is one in a million !!! He has shown great patience when I had multiple problems and his wisdom is much needed on this site !!!! I appreciate him and his help and I hope one day to be able to help others as he has helped me !!!!!!!!
0

Then you need to check your post after you have posted it :).

You probably renamed the shortcut to it. Follow this folder path until you locate hijackthis.exe; C:\Program Files\Trend Micro\HijackThis then right click on the file. Select Rename and enter analysethis and hit the enter key.
Rescan and post the log.

Ooooooops, something went wrong! In the midst of all this, ZoneAlarm and AVG quit coming up at startup. I found where ZoneAlarm, for some reason, had been checked to not start when the computer comes on. I didn't do that! AVG wouldn't start at startup either and I noticed that it was version 7, so I took out my thumb drive that had AVG 8 on it and downloaded it. It finished installing but it won't start and none of the .exe programs on the computer will run. Not HijackThis either. I can't get into Add/Remove Programs or Internet Options. I can't start CCleaner, Spybot Search and Destroy, etc...
Now what?
Should I remove the new AVG 8.0?

0

Ooooooops, something went wrong! In the midst of all this, ZoneAlarm and AVG quit coming up at startup. I found where ZoneAlarm, for some reason, had been checked to not start when the computer comes on. I didn't do that! AVG wouldn't start at startup either and I noticed that it was version 7, so I took out my thumb drive that had AVG 8 on it and downloaded it. It finished installing but it won't start and none of the .exe programs on the computer will run. Not HijackThis either. I can't get into Add/Remove Programs or Internet Options. I can't start CCleaner, Spybot Search and Destroy, etc...
Now what?
Should I remove the new AVG 8.0?

I get this message when trying to open the above said programs:
"Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item."

0

Download and run the following file:
http://www.mvps.org/sramesh2k/exefile.htm

Please download ComboFix by sUBs from HERE or HERE

  • You must download it to and run it from your Desktop.
  • Physically disconnect from the internet.
  • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
  • Double click combofix.exe & follow the prompts.
  • When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log.
  • Re-enable all the programs that were disabled during the running of ComboFix.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

0

Here are the logs you wanted, let me know what else I need to do.
ComboFix 08-06-01.6 - Santania Hone 2008-06-03 1:11:29.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1136 [GMT -5:00]
Running from: C:\Documents and Settings\Santania Hone\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\CPV.stt
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\CPV.stt
C:\Documents and Settings\S. Hone\err.log
C:\Documents and Settings\S. Hone\ResErrors.log
C:\Documents and Settings\Santania Hone\cftmon.exe
C:\Documents and Settings\Santania Hone\err.log
C:\Documents and Settings\Santania Hone\ResErrors.log
C:\Documents and Settings\Tania\err.log
C:\Documents and Settings\Tania\ResErrors.log
C:\WINDOWS\system32\__c007F18E.exe
C:\WINDOWS\system32\__c0097885.exe
C:\WINDOWS\system32\__c00D64C3.exe
C:\WINDOWS\system32\drivers\notepad.exe
C:\WINDOWS\system32\drivers\spools.exe
C:\WINDOWS\system32\fufnegud.dll
C:\WINDOWS\system32\slbvucyp.dll

.
((((((((((((((((((((((((( Files Created from 2008-05-03 to 2008-06-03 )))))))))))))))))))))))))))))))
.

2008-06-02 00:20 . 2008-06-02 00:20 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-06-02 00:20 . 2008-06-02 00:20 75,272 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-06-02 00:20 . 2008-06-02 00:20 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-06-02 00:19 . 2008-06-02 00:19 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-06-02 00:19 . 2008-06-02 00:19 <DIR> d-------- C:\Program Files\AVG
2008-06-02 00:19 . 2008-06-02 00:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-06-01 11:10 . 2008-06-01 11:10 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-01 10:37 . 2008-06-01 10:38 <DIR> d-------- C:\WINDOWS\ERUNT
2008-06-01 09:46 . 2008-06-01 09:46 812,344 --a------ C:\analysethis.exe
2008-05-28 01:08 . 2008-05-28 01:08 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-28 01:08 . 2008-05-28 01:08 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-26 12:11 . 2008-05-26 12:11 <DIR> d-------- C:\Deckard
2008-05-26 12:09 . 2008-06-02 00:09 5,120 --a------ C:\WINDOWS\system32\ftp34.dll
2008-05-26 12:09 . 2008-06-02 00:14 5,120 --a------ C:\Documents and Settings\Santania Hone\ftp34.dll
2008-05-26 09:44 . 2008-05-26 09:44 5,120 --a------ C:\WINDOWS\system32\config\systemprofile\ftp34.dll
2008-05-25 10:48 . 2008-05-25 10:49 <DIR> d-------- C:\backups
2008-05-24 21:36 . 2008-05-24 21:36 0 --a------ C:\WINDOWS\system32\drivers\New Shortcut
2008-05-23 10:43 . 2008-05-23 10:43 <DIR> d-------- C:\Documents and Settings\Santania Hone\Application Data\GlarySoft
2008-05-23 10:41 . 2008-05-23 10:41 <DIR> d-------- C:\Program Files\Registry Repair
2008-05-23 09:11 . 2008-05-24 21:43 5,120 --a------ C:\Documents and Settings\Administrator\ftp34.dll
2008-05-23 01:04 . 2008-05-23 01:04 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-23 01:04 . 2008-05-23 01:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-21 11:16 . 2005-06-30 07:09 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Jasc Software Inc
2008-05-21 11:16 . 2008-06-02 00:20 <DIR> d-------- C:\Documents and Settings\Administrator
2008-05-21 10:21 . 2008-06-02 00:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-05-20 11:07 . 2008-05-20 11:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-05-20 11:07 . 2008-03-13 23:11 75,248 --a------ C:\WINDOWS\zllsputility.exe
2008-05-20 11:07 . 2008-05-20 11:10 4,212 --ah----- C:\WINDOWS\system32\zllictbl.dat
2008-05-20 11:06 . 2008-05-20 11:06 <DIR> d-------- C:\Program Files\Zone Labs
2008-05-20 11:05 . 2008-06-03 00:59 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-05-20 10:28 . 2008-05-20 10:28 2 --a------ C:\WINDOWS\msoffice.ini
2008-05-20 10:11 . 2008-05-20 10:11 <DIR> d-------- C:\Program Files\CCleaner
2008-05-20 10:01 . 2008-05-23 02:14 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-20 09:42 . 2008-05-20 09:42 444 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-05-13 00:50 . 2008-05-13 00:54 144 --a------ C:\clean.bat
2008-05-13 00:41 . 2008-05-13 00:41 <DIR> d-------- C:\iSecurity
2008-05-13 00:20 . 2008-05-22 23:58 1,490,564 ---hs---- C:\WINDOWS\system32\2364800c__.ini
2008-05-03 07:43 . 2008-05-04 22:33 1,402,395 --ahs---- C:\WINDOWS\system32\3E1BC00c__.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-02 05:19 --------- d-----w C:\Program Files\Abbyy FineReader 6.0 Sprint
2008-05-28 06:09 --------- d-----w C:\Documents and Settings\Santania Hone\Application Data\Apple Computer
2008-05-23 17:15 --------- d-----w C:\Program Files\BFG
2008-05-21 06:06 --------- d-----w C:\Program Files\Common Files\mwfo
2008-05-20 15:29 --------- d-----w C:\Program Files\Common Files\AOL
2008-05-20 15:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-05-09 23:05 0 --sha-w C:\Documents and Settings\Santania Hone\Application Data\0000000000t.dat
2008-04-30 16:49 --------- d-----w C:\Program Files\iVideo
2008-04-21 04:52 13,824 ----a-w C:\Documents and Settings\Santania Hone\Application Data\haigc.exe
2008-04-17 05:35 --------- d-----w C:\Documents and Settings\Santania Hone\Application Data\Skype
2004-08-04 10:00 4,096 --sha-w C:\WINDOWS\system32\1112.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-03-13 23:11 919016]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-06-02 00:19 1177368]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe" [2006-11-09 17:46 190072]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
dlbcserv.lnk - C:\Program Files\Dell Photo Printer 720\dlbcserv.exe [2005-07-05 20:23:04 315392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SynchronousMachineGroupPolicy"= 0 (0x0)
"SynchronousUserGroupPolicy"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Software Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\KODAK Software Updater.lnk
backup=C:\WINDOWS\pss\KODAK Software Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=C:\WINDOWS\pss\QuickBooks Update Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Santania Hone^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\948a3b90]
C:\WINDOWS\system32\__c0084632.dat

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\autoload]
C:\Documents and Settings\Santania Hone\cftmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellTransferAgent]
--a------ 2007-11-13 16:46 135168 C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
--a------ 2006-11-13 13:39 1289000 C:\Program Files\Microsoft ActiveSync\wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JavaCore]
C:\Program Files\\JavaCore\\JavaCore.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Windows Adapter 5.1.3214]
--a------ 2008-04-20 23:52 13824 C:\Documents and Settings\Santania Hone\Application Data\haigc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 11:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mwfo]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
--a------ 2007-12-07 02:33 8720384 C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NoDNS]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ntuser]
C:\WINDOWS\system32\drivers\spools.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SfKg6wIP]
C:\Documents and Settings\Santania Hone\Application Data\Microsoft\Windows\jidunji.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpeedRunner]
C:\Documents and Settings\Santania Hone\Application Data\SpeedRunner\SpeedRunner.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Svconr]
C:\Program Files\Svconr\Svconr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows update loader]
C:\Windows\xpupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"mcupdmgr.exe"=3 (0x3)
"McTskshd.exe"=2 (0x2)
"McDetect.exe"=2 (0x2)
"Viewpoint Manager Service"=2 (0x2)
"Schedule"=2 (0x2)
"lxcz_device"=2 (0x2)
"DSBrokerService"=3 (0x3)
"cmdService"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\WINDOWS\\system32\\lxczcoms.exe"=
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-06-02 00:20]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-06-02 00:19]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-06-02 00:19]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-06-02 00:20]
S4 lxcz_device;lxcz_device;C:\WINDOWS\system32\lxczcoms.exe [2007-02-08 17:50]
S4 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{702fe55c-267d-11dd-9e9d-d844b196e38d}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{db92399c-2747-11dd-9ea7-0013205ae6b3}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL autorun.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-03-08 00:30:01 C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (HONE-Tania).job"
- c:\program files\mcafee.com\vso\mcmnhdlr.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-03 01:16:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
.
**************************************************************************
.
Completion time: 2008-06-03 1:26:07 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-03 06:26:03
ComboFix2.txt 2008-05-26 15:50:27

Pre-Run: 60,405,018,624 bytes free
Post-Run: 60,455,628,800 bytes free

207 --- E O F --- 2008-05-22 16:28:01
------------------------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:29:01 AM, on 6/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe (User 'Default user')
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 3823 bytes

0

Please go to Jotti's or to virustotal and have these files scanned. Post the results back here.

C:\WINDOWS\system32\ftp34.dll
C:\Documents and Settings\Santania Hone\ftp34.dll
C:\WINDOWS\system32\config\systemprofile\ftp34.dll
C:\Documents and Settings\Administrator\ftp34.dll
C:\Windows\xpupdate.exe
C:\Program Files\Svconr\Svconr.exe
C:\Documents and Settings\Santania Hone\Application Data\Microsoft\Windows\jidunji.exe

========================

A. Please RUN HijackThis. Click the SCAN button to produce a log.
Place a check mark beside each one of the following items:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
Now with all the items selected, and all windows closed except for HJT, delete them by clicking the FIX checked button. Close the HijackThis window.
B. 1. Please open Notepad: click Start, then Run.
Type notepad.exe in the Run box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

File::
C:\WINDOWS\system32\__c0084632.dat

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Save the above as CFScript.txt

4. Physically disconnect from the internet.

5. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

6. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

7. After reboot (in case it asks to reboot), please re-enable all the programs that were disabled during the running of ComboFix, then post the following reports/logs into your next reply: Combofix.txt
A new HijackThis log.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

====

Go into msconfig before scanning with hijackthis and enable all startups and apply settings. Do NOT reboot. Scan with hijackthis and save the log. Change the startups back again in msconfig and apply again.

Attachments CFScript.gif 27.09 KB
0

I have to go into work early today. I will do everything you've suggested tomorrow. Thanks a million for working with me so long !!!!!!!!!!

0

Mr Crunchie Sir..... I have to work 12 hours a day for 3 days in a row. I will be able to do the things that you requested me to do on Friday. Thank you again for working with me and being very patient !!!!!!!

0

No problem. I would advise not using the pc online too much as the infection could possibly multiply.

0

No problem. I would advise not using the pc online too much as the infection could possibly multiply.

Ok....I went to Jotti's and started checking those "ftp34.dll" files, and every time I sent one to be checked, my AVG alarm went off and said that they were TROUBLE and I moved them to the vault. The rest of them said...."0 bytes received".
I went to Virustotal and for all the files I sent, I got back the reply...."zero bytes received".
The computer that all these problems are on is next to this computer that I'm sending you all this info on.
I have done everything UP TO enabling all startups in MSCONFIG. In the startups list I see things like spools.exe and xpupdate, and jidunji. Do you really want me to enable them to startup?
I already have run Combofix with the script you sent me.
Please let me know before I do this.
Thank you !

0

For all the files I had you check at Jotti's, add them to the delete list for Combofix the same as in my last post.
Go ahead with the msconfig instructions. If you notice, I said not to reboot when you have done it :). All will be good as changes made in msconfig are only applied after a reboot.

0

Alright, hopefully we got it now! :sweat: here are the two logs ya asked for....
ComboFix 08-06-04.5 - Santania Hone 2008-06-06 0:05:57.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1127 [GMT -5:00]
Running from: C:\Documents and Settings\Santania Hone\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Santania Hone\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\Documents and Settings\Administrator\ftp34.dll
C:\Documents and Settings\Santania Hone\Application Data\Microsoft\Windows\jidunji.exe
C:\Documents and Settings\Santania Hone\ftp34.dll
C:\Program Files\Svconr\Svconr.exe
C:\WINDOWS\system32\config\systemprofile\ftp34.dll
C:\WINDOWS\system32\ftp34.dll
C:\Windows\xpupdate.exe
.

((((((((((((((((((((((((( Files Created from 2008-05-06 to 2008-06-06 )))))))))))))))))))))))))))))))
.

2008-06-04 23:54 . 2008-06-05 13:41 <DIR> d--h----- C:\$AVG8.VAULT$
2008-06-02 00:20 . 2008-06-02 00:20 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-06-02 00:20 . 2008-06-02 00:20 75,272 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-06-02 00:20 . 2008-06-02 00:20 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-06-02 00:19 . 2008-06-05 09:00 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-06-02 00:19 . 2008-06-02 00:19 <DIR> d-------- C:\Program Files\AVG
2008-06-02 00:19 . 2008-06-02 00:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-06-01 11:10 . 2008-06-01 11:10 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-01 10:37 . 2008-06-01 10:38 <DIR> d-------- C:\WINDOWS\ERUNT
2008-06-01 09:46 . 2008-06-01 09:46 812,344 --a------ C:\analysethis.exe
2008-05-28 01:08 . 2008-05-28 01:08 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-28 01:08 . 2008-05-28 01:08 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-26 12:11 . 2008-05-26 12:11 <DIR> d-------- C:\Deckard
2008-05-25 10:48 . 2008-05-25 10:49 <DIR> d-------- C:\backups
2008-05-24 21:36 . 2008-05-24 21:36 0 --a------ C:\WINDOWS\system32\drivers\New Shortcut
2008-05-23 10:43 . 2008-05-23 10:43 <DIR> d-------- C:\Documents and Settings\Santania Hone\Application Data\GlarySoft
2008-05-23 10:41 . 2008-05-23 10:41 <DIR> d-------- C:\Program Files\Registry Repair
2008-05-23 01:04 . 2008-05-23 01:04 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-23 01:04 . 2008-05-23 01:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-21 11:16 . 2005-06-30 07:09 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Jasc Software Inc
2008-05-21 11:16 . 2008-06-04 23:59 <DIR> d-------- C:\Documents and Settings\Administrator
2008-05-21 10:21 . 2008-06-02 00:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-05-20 11:07 . 2008-05-20 11:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-05-20 11:07 . 2008-03-13 23:11 75,248 --a------ C:\WINDOWS\zllsputility.exe
2008-05-20 11:07 . 2008-05-20 11:10 4,212 --ah----- C:\WINDOWS\system32\zllictbl.dat
2008-05-20 11:06 . 2008-05-20 11:06 <DIR> d-------- C:\Program Files\Zone Labs
2008-05-20 11:05 . 2008-06-06 00:03 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-05-20 10:28 . 2008-05-20 10:28 2 --a------ C:\WINDOWS\msoffice.ini
2008-05-20 10:11 . 2008-05-20 10:11 <DIR> d-------- C:\Program Files\CCleaner
2008-05-20 10:01 . 2008-05-23 02:14 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-20 09:42 . 2008-05-20 09:42 444 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-05-13 00:50 . 2008-05-13 00:54 144 --a------ C:\clean.bat
2008-05-13 00:41 . 2008-05-13 00:41 <DIR> d-------- C:\iSecurity
2008-05-13 00:20 . 2008-05-22 23:58 1,490,564 ---hs---- C:\WINDOWS\system32\2364800c__.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-02 05:19 --------- d-----w C:\Program Files\Abbyy FineReader 6.0 Sprint
2008-05-28 06:09 --------- d-----w C:\Documents and Settings\Santania Hone\Application Data\Apple Computer
2008-05-26 15:39 706,194 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2008-05-23 17:15 --------- d-----w C:\Program Files\BFG
2008-05-21 06:06 --------- d-----w C:\Program Files\Common Files\mwfo
2008-05-21 05:28 1,307,648 ----a-w C:\WINDOWS\Internet Logs\xDB1.tmp
2008-05-20 15:29 --------- d-----w C:\Program Files\Common Files\AOL
2008-05-20 15:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-05-09 23:05 0 --sha-w C:\Documents and Settings\Santania Hone\Application Data\0000000000t.dat
2008-04-30 16:49 --------- d-----w C:\Program Files\iVideo
2008-04-17 05:35 --------- d-----w C:\Documents and Settings\Santania Hone\Application Data\Skype
2004-08-04 10:00 4,096 --sha-w C:\WINDOWS\system32\1112.dat
.

((((((((((((((((((((((((((((( snapshot@2008-06-03_ 1.25.38.62 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-03 06:15:28 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-06 05:09:00 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-03-14 04:11:20 152,976 ----a-w C:\WINDOWS\system32\ZoneLabs\lib\licenseui.zip.dll
+ 2008-06-03 07:37:36 152,976 ----a-w C:\WINDOWS\system32\ZoneLabs\lib\licenseui.zip.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-03-13 23:11 919016]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-06-02 00:19 1177368]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe" [2006-11-09 17:46 190072]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
dlbcserv.lnk - C:\Program Files\Dell Photo Printer 720\dlbcserv.exe [2005-07-05 20:23:04 315392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SynchronousMachineGroupPolicy"= 0 (0x0)
"SynchronousUserGroupPolicy"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Software Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\KODAK Software Updater.lnk
backup=C:\WINDOWS\pss\KODAK Software Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=C:\WINDOWS\pss\QuickBooks Update Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Santania Hone^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\948a3b90]
C:\WINDOWS\system32\__c0084632.dat

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\autoload]
C:\Documents and Settings\Santania Hone\cftmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellTransferAgent]
--a------ 2007-11-13 16:46 135168 C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
--a------ 2006-11-13 13:39 1289000 C:\Program Files\Microsoft ActiveSync\wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JavaCore]
C:\Program Files\\JavaCore\\JavaCore.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Windows Adapter 5.1.3214]
C:\Documents and Settings\Santania Hone\Application Data\haigc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 11:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mwfo]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
--a------ 2007-12-07 02:33 8720384 C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NoDNS]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ntuser]
C:\WINDOWS\system32\drivers\spools.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SfKg6wIP]
C:\Documents and Settings\Santania Hone\Application Data\Microsoft\Windows\jidunji.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpeedRunner]
C:\Documents and Settings\Santania Hone\Application Data\SpeedRunner\SpeedRunner.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Svconr]
C:\Program Files\Svconr\Svconr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows update loader]
C:\Windows\xpupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"mcupdmgr.exe"=3 (0x3)
"McTskshd.exe"=2 (0x2)
"McDetect.exe"=2 (0x2)
"Viewpoint Manager Service"=2 (0x2)
"Schedule"=2 (0x2)
"lxcz_device"=2 (0x2)
"DSBrokerService"=3 (0x3)
"cmdService"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\WINDOWS\\system32\\lxczcoms.exe"=
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-06-02 00:20]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-06-02 00:19]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-06-02 00:19]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-06-02 00:20]
S4 lxcz_device;lxcz_device;C:\WINDOWS\system32\lxczcoms.exe [2007-02-08 17:50]
S4 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{702fe55c-267d-11dd-9e9d-d844b196e38d}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{db92399c-2747-11dd-9ea7-0013205ae6b3}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL autorun.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-03-08 00:30:01 C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (HONE-Tania).job"
- c:\program files\mcafee.com\vso\mcmnhdlr.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-06 00:09:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
.
**************************************************************************
.
Completion time: 2008-06-06 0:19:43 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-06 05:19:38
ComboFix2.txt 2008-06-05 14:33:17
ComboFix3.txt 2008-06-03 06:26:09
ComboFix4.txt 2008-05-26 15:50:27

Pre-Run: 60,350,275,584 bytes free
Post-Run: 60,328,120,320 bytes free

204 --- E O F --- 2008-05-22 16:28:01

-------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:24:15 AM, on 6/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [Svconr] C:\Program Files\Svconr\Svconr.exe
O4 - HKCU\..\Run: [SpeedRunner] C:\Documents and Settings\Santania Hone\Application Data\SpeedRunner\SpeedRunner.exe
O4 - HKCU\..\Run: [SfKg6wIP] C:\Documents and Settings\Santania Hone\Application Data\Microsoft\Windows\jidunji.exe
O4 - HKCU\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Windows Adapter 5.1.3214] C:\Documents and Settings\Santania Hone\Application Data\haigc.exe
O4 - HKCU\..\Run: [JavaCore] C:\Program Files\\JavaCore\\JavaCore.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [DellTransferAgent] "C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe"
O4 - HKCU\..\Run: [autoload] C:\Documents and Settings\Santania Hone\cftmon.exe
O4 - HKCU\..\Run: [948a3b90] rundll32.exe "C:\WINDOWS\system32\__c0084632.dat",b
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe (User 'Default user')
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 5130 bytes
----------------------------------------------------------------------------------------------------
Just let me know what else may need to be done :)

0

Comodo!

====

Do you know what these are:

C:\Documents and Settings\Santania Hone\Application Data\SpeedRunner\SpeedRunner.exe
C:\Documents and Settings\Santania Hone\Application Data\haigc.exe

====

Can you please do the following.

===============

Scan with HijackThis and then place a check next to all the following, if present:


O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [Svconr] C:\Program Files\Svconr\Svconr.exe
O4 - HKCU\..\Run: [SfKg6wIP] C:\Documents and Settings\Santania Hone\Application Data\Microsoft\Windows\jidunji.exe
O4 - HKCU\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKCU\..\Run: [JavaCore] C:\Program Files\\JavaCore\\JavaCore.exe
O4 - HKCU\..\Run: [autoload] C:\Documents and Settings\Santania Hone\cftmon.exe
O4 - HKCU\..\Run: [948a3b90] rundll32.exe "C:\WINDOWS\system32\__c0084632.dat",b


Now, close all instances of Internet Explorer and any other windows you have open except HiJackThis, click "Fix checked".

===============

Locate and delete the following item(s), if present. Make sure you are able to view system and hidden files/folders:

folders...

C:\Program Files\Svconr
C:\Program Files\\JavaCore

files...

C:\Windows\xpupdate.exe
C:\WINDOWS\system32\drivers\spools.exe
C:\Documents and Settings\Santania Hone\Application Data\Microsoft\Windows\jidunji.exe
C:\Documents and Settings\Santania Hone\cftmon.exe

-

Note that some of these file(s)/folder(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them in Safe Mode by doing the following:

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear.

Select the first option to run Windows in Safe Mode and hit Enter.

-

Reboot.

===============

After rebooting, rescan with HijackThis and post back a new log. Please let me know how your pc is now.
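The helper picks out the bad O4 entries above by eye: autoruns that launch from the user's profile, an .exe sitting in the drivers directory under a name one letter short of spoolsv.exe, a rundll32 call that loads a .dat file, and run-key names that look generated. As an added example (not HijackThis code and not the helper's method), the Python below parses O4 Run lines copied from the log posted in this thread and applies exactly those heuristics. The `WELL_KNOWN` name list, the 0.85 similarity threshold and the "generated name" rule are this example's own assumptions about what a log reviewer looks for, not rules HijackThis applies.

```python
"""Triage the O4 (autorun) entries of a HijackThis log with defender heuristics.

Added example for this thread; it is not HijackThis code and not the helper's
method. SAMPLE_LOG is copied from the log posted above; the heuristics are this
example's own assumptions about what a log reviewer looks for.
"""
import re
from difflib import SequenceMatcher
from typing import Dict, List, Optional

# Registry-key O4 lines look like:  O4 - <hive>\..\Run: [<name>] <command>
# (Global Startup lines use a different shape and are skipped here.)
O4_RUN_RE = re.compile(
    r"^O4 - (?P<hive>\S+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
# The first token ending in a program-like extension is the executable; the rest
# is its argument string. This also copes with unquoted paths containing spaces.
EXE_RE = re.compile(r'^"?(?P<exe>[^"]*?\.(?:exe|com|scr|bat|dat|dll))"?(?P<args>.*)$', re.I)

# Windows binaries that malware file names are often chosen to resemble (assumption).
WELL_KNOWN = {"spoolsv.exe", "svchost.exe", "lsass.exe", "ctfmon.exe",
              "winlogon.exe", "services.exe", "explorer.exe", "csrss.exe"}

# Constructed input: O4 lines taken from the log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [SfKg6wIP] C:\Documents and Settings\Santania Hone\Application Data\Microsoft\Windows\jidunji.exe
O4 - HKCU\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [autoload] C:\Documents and Settings\Santania Hone\cftmon.exe
O4 - HKCU\..\Run: [948a3b90] rundll32.exe "C:\WINDOWS\system32\__c0084632.dat",b
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
"""


def suspicious_name(name: str) -> bool:
    """Run value names that look generated: eight hex digits, or a spaceless mix of
    upper case, lower case and digits (assumption: vendors use readable names)."""
    if re.fullmatch(r"[0-9a-f]{8}", name):
        return True
    return (" " not in name and any(c.isdigit() for c in name)
            and any(c.isupper() for c in name) and any(c.islower() for c in name))


def lookalike_of(basename: str) -> Optional[str]:
    """Return the well-known binary this file name closely resembles but is not."""
    for known in sorted(WELL_KNOWN):
        if basename != known and SequenceMatcher(None, basename, known).ratio() >= 0.85:
            return known
    return None


def triage(log_text: str) -> Dict[str, List[str]]:
    """Map each O4 Run entry name to the reasons it deserves a closer look."""
    findings: Dict[str, List[str]] = {}
    for line in log_text.strip().splitlines():
        m = O4_RUN_RE.match(line)
        if not m:
            continue
        name, cmd = m.group("name"), m.group("cmd").strip()
        e = EXE_RE.match(cmd)
        if not e:
            findings[name] = ["command could not be parsed"]
            continue
        exe, args = e.group("exe"), e.group("args").strip()
        low = exe.lower()
        base = low.rsplit("\\", 1)[-1]
        reasons: List[str] = []
        if "\\documents and settings\\" in low or "\\application data\\" in low:
            reasons.append("launches from a user-profile directory")
        if "\\system32\\drivers\\" in low and base.endswith(".exe"):
            reasons.append("an .exe placed in the drivers directory")
        if base == "rundll32.exe":
            # First quoted or comma-delimited token of the arguments is the loaded file.
            target = re.split(r'[",]', args.lstrip('"'))[0]
            if not target.lower().endswith(".dll"):
                reasons.append("rundll32 loading a non-DLL file: " + target)
        known = lookalike_of(base)
        if known:
            reasons.append("file name resembles " + known)
        if suspicious_name(name):
            reasons.append("value name looks machine-generated")
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG).items():
        print(f"[{entry}]")
        for reason in why:
            print("    -", reason)
```

Run against the sample, the script flags SfKg6wIP, ntuser, autoload and 948a3b90 and stays quiet on the ZoneAlarm and Messenger entries. It does not flag xpupdate.exe: nothing in its path or name trips a rule, which is the point of the exercise. Heuristics like these are a first pass for sorting a long log; an entry that passes them still needs the reviewer's knowledge of the product, as the helper applied here.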

0

For some reason I didn't get an email notification that you had replied. I will get right on this and get back to you ASAP!

0

I looked for EVERYTHING that you wanted me to. I didn't find ANY of them. All the hidden files and folders and system folders are enabled to be viewed. I'm confused. After enabling all files and folders I did find a Zango Toolbar folder in Program Files. I deleted that folder before I went searching for all that ya wanted me to. Maybe all that bad stuff was in it? Here is a new HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:45:05 PM, on 6/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe (User 'Default user')
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 3531 bytes

Let me know what ya think, please.

0

I looked up speedrunner.exe on Google and many websites said bad things about it being a Trojan. As for haigc.exe, I found only your and my threads on Google that talked about it.

0

Delete those two (speedrunner folder and haigc.exe) and let me know how your pc is. Your log looks clean.

0

It seems to be running fine! Are there any more tests I can run just to see if anything will pop up?
What is the advantage of Comodo vs. ZoneAlarm? One more question, please... Should I run Spyware Blaster and AVG Antivirus and Comodo Firewall, all at the same time?
I appreciate ALL your help and guidance! I hope to get to where I can help others one day as you have me!

0

How do you know whether to use ComboFix or this program or that program to do "cleaning"?

0

I have used ZA before and found it to be too annoying with its pop-ups. It was also very difficult to remove. Comodo has great reviews also.
Certain entries in the log, or symptoms on the pc tell which tool to run. Something which one (hopefully) gets to recognise over time :D.
Spyware blaster is only run in order to update. It adds entries to the registry to prevent certain unwelcome visitors from entering. Once updated and you have enabled all protection, you simply shut it down.

==

Let's get rid of ComboFix now that we are finished with it. Click START then RUN.
Now type Combofix /u in the run box and click OK. Note the space between the X and the U; it needs to be there.

When shown the disclaimer, select "2".


The above procedure will delete the following:
  • ComboFix and its associated files and folders
  • VundoFix backups, if present
  • The C:\Deckard folder, if present
  • The C:\_OtMoveIt folder, if present

It will also:
  • Reset the clock settings
  • Hide file extensions, if required
  • Hide System/Hidden files, if required
  • Reset System Restore

Attachment: th_CF_Cleanup.png (9.98 KB)
0

My bad! I had already started cleaning up the programs and logs that we have run here lately. I had already dragged the ComboFix program over to my recycle bin and emptied the bin. Do I need to reinstall ComboFix and then follow your advice listed above?
Thanks a million for all your help and wisdom! I may look for some schooling to learn more about "fighting the bad guys"!

0

Redownload ComboFix and follow my last instructions. It made some changes that it will change back when uninstalled.
