
Can't get into computer to fix it!
Started by sheba123, Nov 10 2006 06:28 PM
#16
Posted 12 November 2006 - 01:22 PM

#17
Posted 12 November 2006 - 01:23 PM

Shoot - don't know how that happened !!!
Anyway, part 2 seems to still be too big to go through the system on the BB, so I'll be right back with 2 & 3
#18
Posted 12 November 2006 - 02:06 PM

Pt 2a
okay what's the limit on file size?
this is 679kb and it won't go through
Edited by sheba123, 12 November 2006 - 02:10 PM.
#19
Posted 12 November 2006 - 02:15 PM

Just email them to filesubmitATcharter.net
AT = @
Attach the logs to the email
#20
Posted 12 November 2006 - 04:41 PM

I don't know what the problem is with files 2 & 3 but it's starting to p.o. me. I tried e-mailing and Outlook Express told me there was an error and it could not be sent.
However, in the meantime - here are the next two logs from the scans
Catchme=
catchme 0.1 W2K/XP - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net
scanning hidden processes ...
scanning hidden services ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
GMER =
GMER 1.0.12.11889 - http://www.gmer.net
Autostart scan 2006-11-12 16:28:48
Windows 5.1.2600 Service Pack 1
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit = C:\WINDOWS\system32\userinit.exe,
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\bfc42u@DLLName = bfc42u.dll
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs =
HKLM\SYSTEM\CurrentControlSet\Services\ >>>
Fax /*Fax*/@ = %systemroot%\system32\fxssvc.exe
LexBceS /*LexBce Server*/@ = C:\WINDOWS\system32\LEXBCES.EXE
McDetect.exe /*McAfee WSC Integration*/@ = c:\program files\mcafee.com\agent\mcdetect.exe
McShield /*McAfee.com McShield*/@ = c:\PROGRA~1\mcafee.com\vso\mcshield.exe
McTskshd.exe /*McAfee Task Scheduler*/@ = c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
MDM /*Machine Debug Manager*/@ = "C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"
NVSvc /*NVIDIA Driver Helper Service*/@ = %SystemRoot%\System32\nvsvc32.exe
ScsiPort@ = %SystemRoot%\system32\drivers\scsiport.sys
Spooler /*Print Spooler*/@ = %SystemRoot%\system32\spoolsv.exe
UMWdf /*Windows User Mode Driver Framework*/@ = C:\WINDOWS\System32\wdfmgr.exe
vsmon /*TrueVector Internet Monitor*/@ = C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe -service
HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@MCUpdateExec:\PROGRA~1\mcafee.com\agent\mcupdate.exe = c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
@MCAgentExec:\PROGRA~1\mcafee.com\agent\mcagent.exe = c:\PROGRA~1\mcafee.com\agent\mcagent.exe
@VSOCheckTask"C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask = "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
@VirusScan OnlineC:\Program Files\McAfee.com\VSO\mcvsshld.exe = C:\Program Files\McAfee.com\VSO\mcvsshld.exe
@iexplore.exeC:\Program Files\Internet Explorer\iexplore.exe = C:\Program Files\Internet Explorer\iexplore.exe
@OASClntC:\Program Files\McAfee.com\VSO\oasclnt.exe = C:\Program Files\McAfee.com\VSO\oasclnt.exe
@Zone Labs ClientC:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe = C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
@UserFaultCheck%systemroot%\system32\dumprep 0 -u = %systemroot%\system32\dumprep 0 -u
HKCU\Software\Microsoft\Windows\CurrentVersion\Run >>>
@MSMSGS"C:\Program Files\Messenger\msmsgs.exe" /background = "C:\Program Files\Messenger\msmsgs.exe" /background
@MoneyStartUpC:\Program Files\Microsoft Money\System\Money Startup.exe = C:\Program Files\Microsoft Money\System\Money Startup.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Display Panning CPL Extension*/deskpan.dll /*file not found*/ = deskpan.dll /*file not found*/
@{1CDB2949-8F65-4355-8456-263E7C208A5D} /*Desktop Explorer*/C:\WINDOWS\System32\nvshell.dll = C:\WINDOWS\System32\nvshell.dll
@{1E9B04FB-F9E5-4718-997B-B8DA88302A47} /*Desktop Explorer Menu*/C:\WINDOWS\System32\nvshell.dll = C:\WINDOWS\System32\nvshell.dll
@{A4DF5659-0801-4A60-9607-1C48695EFDA9} /*Share-to-Web Upload Folder*/C:\Program Files\Hewlett-Packard\HP Share-to-Web\HPGS2WNS.DLL = C:\Program Files\Hewlett-Packard\HP Share-to-Web\HPGS2WNS.DLL
@{A2569D1F-4E06-43EC-9825-0088B471BE47} /*IntelliType Pro Wireless Control Panel Property Page*/"C:\Program Files\Microsoft IntelliType Pro\itcplwir.dll" = "C:\Program Files\Microsoft IntelliType Pro\itcplwir.dll"
@{111D8120-25EB-4E1C-A4DF-C9EE5FCA35CB} /*IntelliType Pro Scrolling Control Panel Property Page*/"C:\Program Files\Microsoft IntelliType Pro\itcplwhl.dll" = "C:\Program Files\Microsoft IntelliType Pro\itcplwhl.dll"
@{ED6E87C6-8A83-43aa-8208-8DBC8247F4D2} /*IntelliType Pro Key Settings Control Panel Property Page*/"C:\Program Files\Microsoft IntelliType Pro\itcplkey.dll" = "C:\Program Files\Microsoft IntelliType Pro\itcplkey.dll"
@{20082881-FC36-4E47-9A7A-644C95FF749F} /*IntelliPoint Wireless Control Panel Property Page*/"C:\Program Files\Microsoft IntelliPoint\ipcplwir.dll" = "C:\Program Files\Microsoft IntelliPoint\ipcplwir.dll"
@{AF90F543-6A3A-4C1B-8B16-ECEC073E69BE} /*IntelliPoint Wheel Control Panel Property Page*/"C:\Program Files\Microsoft IntelliPoint\ipcplwhl.dll" = "C:\Program Files\Microsoft IntelliPoint\ipcplwhl.dll"
@{653DCCC2-13DB-45B2-A389-427885776CFE} /*IntelliPoint Activities Control Panel Property Page*/"C:\Program Files\Microsoft IntelliPoint\ipcplact.dll" = "C:\Program Files\Microsoft IntelliPoint\ipcplact.dll"
@{124597D8-850A-41AE-849C-017A4FA99CA2} /*IntelliPoint Buttons Control Panel Property Page*/"C:\Program Files\Microsoft IntelliPoint\ipcplbtn.dll" = "C:\Program Files\Microsoft IntelliPoint\ipcplbtn.dll"
@{BDEADF00-C265-11D0-BCED-00A0C90AB50F} /*Web Folders*/C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
@{0006F045-0000-0000-C000-000000000046} /*Microsoft Outlook Custom Icon Handler*/C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL = C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL
@{42042206-2D85-11D3-8CFF-005004838597} /*Microsoft Office HTML Icon Handler*/C:\Program Files\Microsoft Office\Office10\msohev.dll = C:\Program Files\Microsoft Office\Office10\msohev.dll
@{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} /*Shell Extensions for RealOne Player*/C:\Program Files\Real\RealPlayer\rpshell.dll = C:\Program Files\Real\RealPlayer\rpshell.dll
@{3c249f62-e26e-11d4-97f0-009027769c61} /*Format Shell*/C:\WINDOWS\System32\SMSHELL.DLL = C:\WINDOWS\System32\SMSHELL.DLL
@{03FF3962-D823-11D4-97F0-009027769C61} /*Data Caching Shell Extension*/C:\WINDOWS\System32\FlashShl.dll = C:\WINDOWS\System32\FlashShl.dll
HKLM\Software\Classes\*\shellex\ContextMenuHandlers@{CFC7205E-2792-4378-9591-3879CC6C9022} = c:\progra~1\mcafee.com\vso\mcvsshl.dll
HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\Convert@{9f95ca1a-e80e-4c0f-acd1-4c9b7900b982} = C:\Program Files\Microsoft DirectX 9.0 SDK (August 2005)\Utilities\Bin\x86\TxView.DLL
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers@{CFC7205E-2792-4378-9591-3879CC6C9022} = c:\progra~1\mcafee.com\vso\mcvsshl.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
@{8c33d0d0-5261-4591-8a52-f8a6371b5553}C:\WINDOWS\System32\bfc42u.dll = C:\WINDOWS\System32\bfc42u.dll
@{AA58ED58-01DD-4d91-8333-CF10577473F7}c:\program files\google\googletoolbar3.dll = c:\program files\google\googletoolbar3.dll
HKCU\Control Panel\[email protected] = C:\WINDOWS\System32\logon.scr
HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome = http://www.microsoft...p...&ar=msnhome
@Start Pageabout:blank = about:blank
HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Start Pagefile:///C:/HP/REGION/start.html = file:///C:/HP/REGION/start.html
@Local PageC:\WINDOWS\System32\blank.htm = C:\WINDOWS\System32\blank.htm
HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
cdo@CLSID = C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
copernicagent@CLSID = C:\PROGRA~1\COPERN~1\COPERN~1.DLL
copernicagentcache@CLSID = C:\PROGRA~1\COPERN~1\COPERN~1.DLL
dvd@CLSID = C:\WINDOWS\System32\msvidctl.dll
its@CLSID = C:\WINDOWS\System32\itss.dll
lid@CLSID = C:\WINDOWS\System32\msvidctl.dll
mhtml@CLSID = %SystemRoot%\System32\inetcomm.dll
ms-its@CLSID = C:\WINDOWS\System32\itss.dll
ms-itss@CLSID = C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
mso-offdap@CLSID = C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
tv@CLSID = C:\WINDOWS\System32\msvidctl.dll
vnd.ms.radio@CLSID = C:\WINDOWS\System32\msdxm.ocx
HKLM\Software\Classes\PROTOCOLS\Handler\wia@CLSID = C:\WINDOWS\System32\wiascr.dll
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup = AutoPlay.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup >>>
Adobe Reader Speed Launch.lnk = Adobe Reader Speed Launch.lnk
Microsoft Office.lnk = Microsoft Office.lnk
Quicken Startup.lnk = Quicken Startup.lnk
---- EOF - GMER 1.0.12 ----
#21
Posted 12 November 2006 - 05:33 PM

One last scanner before we get ready to try rebooting to normal mode and running the Panda Scan.
Please download Combofix to your Root Drive C:\
http://download.blee...Bs/combofix.exe
Doubleclick combofix.exe to launch the application.
Follow the prompts that will be displayed on the screen.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt
Please post that log in the next reply.
#22
Posted 12 November 2006 - 06:28 PM

okay- combofix was loaded to c:\ BUT.......
Nothing happened - a black screen came up (like DOS) and then a blue screen and then nothing....no prompts, nothing. The screens went very fast and there were no words on them that I could see.
#23
Posted 12 November 2006 - 06:37 PM

One other thing - the other parts of the sysclean log were e-mailed to you successfully! Finally!
#24
Posted 12 November 2006 - 06:42 PM

Try launching the program again and be sure your pointer isn't inside the DOS box.
#25
Posted 12 November 2006 - 06:45 PM

Nada Zip Zilch Big Goose Egg
In other words - nothing happened - again.
#26
Posted 12 November 2006 - 06:55 PM

When you use run as - you get the error message " A device attached to the system is not functioning"
#27
Posted 12 November 2006 - 07:06 PM

OK, let's find out how we did.
First thing is to use link below and download Killbox to disc and transfer.
http://www.killbox.n...ads/KillBox.exe
I'll post the instructions for usage.
Open HijackThis-> Click "Do a System Scan Only" and put a check by these but DO NOT hit the Fix Checked button yet
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O2 - BHO: (no name) - {8c33d0d0-5261-4591-8a52-f8a6371b5553} - C:\WINDOWS\System32\bfc42u.dll
O2 - BHO: adobepnl.ADOBE_PANEL - {A40D9D65-5C09-421A-AFF8-2160D7ABD4E7} - (no file)
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O20 - AppInit_DLLs:
O20 - Winlogon Notify: bfc42u - C:\WINDOWS\SYSTEM32\bfc42u.dll
Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button
Open Killbox and Click Tools--> Delete Temp Files
From the drop-down menu in the middle of the Killbox window, clean all temp files for every group listed.
- Please double-click Killbox.exe to run it.
- Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
C:\WINDOWS\SYSTEM32\bfc42u.dll
- Return to Killbox, go to the File menu, and choose Paste from Clipboard.
- Select Delete on Reboot and Unregister .dll before Deleting
- then Click on the All Files button.
- Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.
Restart Normal and Please go HERE to run Panda's ActiveScan
- Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on My Computer to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
- Post the contents of the ActiveScan report along with a fresh HijackThis log.
#28
Posted 12 November 2006 - 08:38 PM

This is not a good thing....
I followed the directions thru the killbox and I thought I did everything right except...I forgot the delete temp files part. I rebooted into normal and nothing has changed - the userinit logon failed, dr watson is everywhere and the only way I can get into anything is thru the task manager.
I went back into safe mode and ran killbox again and deleted the temp files as instructed and now when I try to delete I get the PendingFileRenameOperations prompt when I hit the delete key.
I have not yet connected back to the internet to try to get to panda.
Where do we go from here? Because now safe mode is doing the same thing as normal - no user init logon.
#29
Posted 12 November 2006 - 08:42 PM

And you can add this to the mix
I got this error message when doing the HJT fix.
An unexpected error has occurred at procedure: modBackup_MakeBackup(sItem=O20 - AppInit_DLLs: )
Error #5 - Invalid procedure call or argument
Please email me at [email protected], reporting the following:
* What you were trying to fix when the error occurred, if applicable
* How you can reproduce the error
* A complete HijackThis scan log, if possible
Windows version: Windows NT 5.01.2600
MSIE version: 6.0.2800.1106
HijackThis version: 1.99.1
This message has been copied to your clipboard.
Click OK to continue the rest of the scan.
#30
Posted 13 November 2006 - 04:10 AM

I had a feeling this would happen, I believe there are many applications without their proper files.
See if you can generate a fresh HijackThis log and post that.
As well, I need you to run the tool below and post its log.
Please download the following file to your desktop:
http://noahdfear.gee...com/FindAWF.exe
Run the file and copy and paste the output text here.