MySpace Page Crippled Me? [CLOSED]


  • This topic is locked

#16
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
OK next stage is to check the veracity of your system files and then run a further deep scan

From the Start menu, select Run. (or in your case start task manager - new task)
In the Open field, type sfc /scannow (Note: There is a space between sfc and /scannow)
Select the OK button.
Follow the prompts throughout the System File Checker process.
Reboot the computer when System File Checker completes.


Download OTScanit to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.
  • Close ALL OTHER PROGRAMS.
  • Open the OTScanit folder and double-click on OTScanit.exe to start the program.
  • Check the box that says Scan All User Accounts
  • Check the Radio buttons for Files/Folders Created Within 90 Days and Files/Folders Modified Within 90 Days
  • Under Additional Scans check the following:
    • Reg - BotCheck
    • Reg - Desktop Components
    • Reg - Disabled MS Config Items
    • Reg - File Associations
    • File - Additional Folder Scans
    • File - Purity Scan
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Please attach the log in your next post.

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on Posted Image to insert the attachment into your post

  • 0



#17
DarkKnight82

    Member

  • Topic Starter
  • 19 posts
Attached File  OTScanIt.Txt   153.58KB   125 downloads
  • 0

#18
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Looks like mainly repairs, but you appear to be missing a few files. Did you do an SFC /scannow?

Start OTScanit. Copy/Paste the information in the quotebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Unregister Dlls]
[Registry - Additional Scans - Non-Microsoft Only]
< File Associations - Select to Repair > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>\
YN -> .bat [@ = batfile] -> 
YN -> .cmd [@ = cmdfile] -> 
YN -> .com [@ = comfile] -> 
YN -> .exe [@ = exefile] -> 
YN -> .pif [@ = piffile] -> 
YN -> .scr [@ = scrfile] -> 
[Files/Folders - Created Within 90 days]
NY -> svchost -> %SystemRoot%\System32\svchost
[Empty Temp Folders]

The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new HijackThis log.

I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.
  • 0

#19
DarkKnight82

    Member

  • Topic Starter
  • 19 posts
Ok, before I post the log results, I figured I would tell you that I still cannot Copy & Paste. For example: The code mentioned above? I can copy it, but when I tried to Paste it in the area in OTScanIt, it would not let me. But, I can Copy/Paste a log result to this forum just fine. Also, I cannot drag any of my icons on my desktop (i.e. an empty folder to the Recycle Bin), my Taskbar/Start Menu button did not re-appear when I ran the fixshell program you suggested. I also still have no audio. I hope this is part of the infection and NOT something else, lol! Anyway, here is the OTScanIt and HijackThis results. Oh, and I did do the SFC/scannow when you told me to.

OTScanIt Log

[Registry - Additional Scans - Non-Microsoft Only]
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.bat\\'' updated successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.cmd\\'' updated successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.com\\'' updated successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe\\'' updated successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.pif\\'' updated successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.scr\\'' updated successfully.
[Files/Folders - Created Within 90 days]
C:\WINDOWS\System32\svchost moved successfully.
[Empty Temp Folders]
User temp folders emptied.
SystemRoot temp folder emptied.
IE temp folders emptied
RecycleBin -> emptied.
< End of fix log >
OTScanIt by OldTimer - Version 1.0.6.0 fix logfile created on 03232008_195603


HijackThis Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:00:51 PM, on 3/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: .NET Runtime Optimization Service v2.0.50727_X86 (clr_optimization_v2.0.50727_32) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe

--
End of file - 1160 bytes

Edited by DarkKnight82, 23 March 2008 - 08:01 PM.

  • 0

#20
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Unfortunately this is starting to look like you will need to do a repair install as too many files are not being started with your system

A repair install will keep all your settings, documents and files

Follow the directions on this page for the procedure

On completion please repost a new HijackThis log so that I can see the progress
  • 0

#21
DarkKnight82

    Member

  • Topic Starter
  • 19 posts
Maybe not. I woke up this morning and turned my comp on. After I had gotten out of the shower, I came into the living room. My Taskbar/Start Menu was back! Also, I could move my icons on my desktop! AND MY AUDIO RETURNED!! So, something must have been done correctly! What should I do to confirm that everything is legit?
  • 0

#22
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
A delayed reaction to fix shell, sfc scan? Is this the first reboot since you did either of those? Maybe pigs will fly, who knows

OK in that case I will go for a new DSS run please. Just the main text
  • 0

#23
DarkKnight82

    Member

  • Topic Starter
  • 19 posts
No, there has been many a reboot. This is just the first time it worked! Here are the log results you asked for, mate.


DSS Result Log

Deckard's System Scanner v20071014.68
Run by Seph2501 on 2008-03-24 19:36:59
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 511 MiB (512 MiB recommended).
System Drive C: has 2.12 GiB (less than 15%) free.


-- HijackThis (run as Seph2501.exe) --------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:37:15 PM, on 3/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Last.fm\LastFmHelper.exe
C:\Documents and Settings\Seph2501\Desktop\Virus Killers\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Seph2501.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: .NET Runtime Optimization Service v2.0.50727_X86 (clr_optimization_v2.0.50727_32) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe

--
End of file - 1624 bytes

-- Files created between 2008-02-24 and 2008-03-24 -----------------------------

2008-03-24 12:48:37 0 d-------- C:\WINDOWS\LastGood
2008-03-22 12:05:21 0 d-------- C:\Documents and Settings\Seph2501\DoctorWeb
2008-03-21 22:44:41 0 dr-h----- C:\Documents and Settings\Seph2501\Recent
2008-03-21 17:57:04 68096 --a------ C:\WINDOWS\system32\zip.exe
2008-03-21 17:57:04 98816 --a------ C:\WINDOWS\system32\sed.exe
2008-03-21 17:57:04 80412 --a------ C:\WINDOWS\system32\grep.exe
2008-03-21 17:57:04 73728 --a------ C:\WINDOWS\system32\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-03-21 17:14:11 0 d-------- C:\Program Files\Trend Micro
2008-03-20 03:26:20 0 d-------- C:\Program Files\Meido
2008-02-29 13:46:27 0 d-------- C:\Program Files\Apple Software Update


-- Find3M Report ---------------------------------------------------------------

2008-03-23 21:54:14 4819614 --ah----- C:\Documents and Settings\Seph2501\Application Data\IconCache.db
2008-03-16 12:29:30 125952 --a------ C:\Documents and Settings\Seph2501\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2008-02-27 10:41:24 171128 --a------ C:\Documents and Settings\Seph2501\Application Data\GDIPFONTCACHEV1.DAT
2008-02-20 02:58:02 0 d-------- C:\Program Files\CCleaner


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 01:56 AM]

C:\Documents and Settings\Seph2501\Start Menu\Programs\Startup\
Last.fm Helper.lnk - C:\Program Files\Last.fm\LastFMHelper.exe [6/28/2007 4:38:26 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Last.fm Helper.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Last.fm Helper.lnk
backup=C:\WINDOWS\pss\Last.fm Helper.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Seph2501^Start Menu^Programs^Startup^Last.fm Helper.lnk]
path=C:\Documents and Settings\Seph2501\Start Menu\Programs\Startup\Last.fm Helper.lnk
backup=C:\WINDOWS\pss\Last.fm Helper.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
"C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\My Web Search Bar]
rundll32 C:\PROGRA~1\MYWEBS~1\bar\2.bin\MWSBAR.DLL,S

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin]
C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPP Auto Loader]
C:\WINDOWS\tppaldr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Steam"=
"Yahoo! Pager"=C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
"WeatherCast"="C:\Program Files\WeatherCast\Weather.exe" /q
"AIM"=C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
"msnmsgr"="C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"ScanRegistry"=C:\WINDOWS\scanregw.exe /autorun
"TaskMonitor"=C:\WINDOWS\taskmon.exe
"PCHealth"=C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"CPQEASYACC"=C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
"WildTangent CDA"=RUNDLL32.exe C:\PROGRA~1\WILDTA~1\APPS\CDA\CDAENG~1.DLL,cdaEngineMain
"LoadQM"=loadqm.exe
"WhenUSave"="C:\Program Files\Save\Save.exe"
"BurnQuick Queue"=C:\Program Files\BurnQuick\BQTray.exe
"Digital Dashboard"=C:\Program Files\Compaq\Digital Dashboard\CPQMLDET.exe
"EACLEAN"=C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe
"CpqBootPerfDb"=C:\Cpqs\Scom\CpqBootPerfDb.exe
"ViewMgr"=C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
"NAV DefAlert"=C:\PROGRA~1\NORTON~1\DEFALERT.EXE
"Hidserv"=Hidserv.exe run
"Norton Auto-Protect"=C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
"New.net Startup"=rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"WCOLOREAL"=C:\Program Files\COMPAQ\COLOREAL\COLOREAL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices-]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"SchedulingAgent"=mstask.exe
"ScardSvr"=C:\WINDOWS\SYSTEM32\SCARDSVR.EXE


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{11B762AF-09CC-8DB8-0706-030102020402}]
C:\WINDOWS\system32\svchost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:WIN9X /user /install
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:WIN9X /user /install
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
C:\WINDOWS\SYSTEM32\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl



-- End of Deckard's System Scanner: finished at 2008-03-24 19:38:11 ------------


So....is my comp working okay again? My Windows Live OneCare is pretty much dead, so I guess I'll just use good ol' fashioned Windows Firewall and AVG for my anti-virus program.
  • 0

#24
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
OK I can now see why your startup list is so small - did you run MSConfig to reduce the number of startup items and services?

Also I noticed this reg key [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
I believe that the malware stopped these from starting

If you wish these will be the keys that I can restore

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ScanRegistry"=C:\WINDOWS\scanregw.exe /autorun
"TaskMonitor"=C:\WINDOWS\taskmon.exe
"PCHealth"=C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"CPQEASYACC"=C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
"LoadQM"=loadqm.exe
"BurnQuick Queue"=C:\Program Files\BurnQuick\BQTray.exe
"Digital Dashboard"=C:\Program Files\Compaq\Digital Dashboard\CPQMLDET.exe
"EACLEAN"=C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe
"CpqBootPerfDb"=C:\Cpqs\Scom\CpqBootPerfDb.exe
"Hidserv"=Hidserv.exe run

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"SchedulingAgent"=mstask.exe
"ScardSvr"=C:\WINDOWS\SYSTEM32\SCARDSVR.EXE

Basically these are programmes from your computer provider

One care stopped working due to the .Net files and services being corrupted, so you will need to reinstall .net

You will need to re-install AVG to get it to work properly


Is it still working?
  • 0
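
Added example (not part of the thread, and not code from HijackThis or its vendor): a small Python parser for the O23 service lines in the HijackThis logs posted above. It groups services whose binary is reported as "(file missing)" by folder, which is the pattern that points at the damaged .NET Framework 2.0 files. The function names are hypothetical; the sample lines are copied from the logs in this thread.

```python
import ntpath
import re
from collections import defaultdict
from typing import NamedTuple

# Sample input: lines copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\pctspk.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: .NET Runtime Optimization Service v2.0.50727_X86 (clr_optimization_v2.0.50727_32) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (file missing)
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
"""


class Service(NamedTuple):
    display_name: str
    name: str
    owner: str
    path: str
    file_missing: bool


# Layout: "O23 - Service: <display> (<name>) - <owner> - <path>[ (file missing)]"
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+) \((?P<name>[^()]+)\) - "
    r"(?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)


def running_processes(log):
    """Return the paths listed under 'Running processes:' up to the first blank line."""
    procs, in_section = [], False
    for line in log.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_section = True
        elif in_section:
            if not line:
                break
            procs.append(line)
    return procs


def parse_services(log):
    """Parse every O23 line into a Service record."""
    services = []
    for line in log.splitlines():
        m = O23_RE.match(line.strip())
        if m:
            services.append(Service(m["display"], m["name"], m["owner"],
                                    m["path"], m["missing"] is not None))
    return services


def missing_by_directory(services):
    """Group services with a missing binary by folder; a cluster suggests one broken install."""
    groups = defaultdict(list)
    for svc in services:
        if svc.file_missing:
            groups[ntpath.dirname(svc.path)].append(svc.name)
    return dict(groups)


if __name__ == "__main__":
    for folder, names in missing_by_directory(parse_services(SAMPLE_LOG)).items():
        print(f"{len(names)} service(s) with missing binary in {folder}: {', '.join(names)}")
```
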

#25
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Stuttered post :)

Edited by Essexboy, 25 March 2008 - 03:43 PM.

  • 0



#26
DarkKnight82

    Member

  • Topic Starter
  • 19 posts
I reduced the amount of start-up items through MSConfig, but I did that when I first got the computer. Secondly, I would like for you to help me restore everything including my Windows Live OneCare. I don't have AVG yet. I had planned on downloading it if I was unable to get Live OneCare to work. Ok. What should I do?
  • 0

#27
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
We will try to repair .net first

Double-click Add or Remove Programs.
Search the list of currently installed programs for Microsoft .NET Framework 2.0:
If the program appears in the list, repair it:
Select Microsoft .NET Framework 2.0, and then click Change/Remove.
Select Repair, and then click Next.
When prompted, restart your computer.


If that should fail then download a new version from here http://www.microsoft...;displaylang=en

On completion you will have to re-install one care (I am not sure if it has a repair option, to find out follow the same procedure for .NET)

I will wait till this is cured before I give the clean up instructions :)
  • 0

#28
DarkKnight82

    Member

  • Topic Starter
  • 19 posts
Sorry for not posting. I have a new job and that's been taking up some time. I downloaded and installed Microsoft .NET Framework 2.0 and upon restart, my OneCare started working again! So, that aside, what next?

Edited by DarkKnight82, 31 March 2008 - 12:48 PM.

  • 0

#29
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Next must be an update on how your system is running and any problems still remaining

No problem on the time :)
  • 0

#30
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0





