[JSntgRvr]

• Copy the entire contents of the Quote Box below to Notepad.
• Name the file as CFScript.txt
• Change the Save as Type to All Files
• and Save it on the desktop

Collect::
C:\WINDOWS\system32\dllcache\register.exe
C:\WINDOWS\system32\register.exe
C:\WINDOWS\system32\dllcache\sysinfo.exe
C:\WINDOWS\system32\sysinfo.exe
C:\Documents and Settings\Linda Kristina\Desktop\HJT.exe

Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report along with a Hijackthis log..

Additonally, ComboFix will generate a zipped file on your desktop called Submit [Date Time].zip
Please submit this file to:

http://www.bleepingc...e.php?channel=4


Please include a link to this topic in the message.

[Advertisements]

Combofix is attached...the zip file will be on bleeping in a minute.

Attached Files

•  ComboFix.txt   7.56KB   152 downloads

[Linda68]

Combofix is attached...the zip file will be on bleeping in a minute.

Attached Files

•  ComboFix.txt   7.56KB   152 downloads

[JSntgRvr]

Foer Better reading. (See at the end of post)

ComboFix 08-04-11.8 - Linda Kristina 2008-04-13 11:32:40.11 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.75 [GMT -5:00]
Running from: C:\Documents and Settings\Linda Kristina\Desktop\MyPoppy.exe
Command switches used :: C:\Documents and Settings\Linda Kristina\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\dllcache\register.exe
C:\WINDOWS\system32\dllcache\sysinfo.exe

.
((((((((((((((((((((((((( Files Created from 2008-03-13 to 2008-04-13 )))))))))))))))))))))))))))))))
.

2008-04-12 21:02 . 2008-04-12 21:02 <DIR> d-------- C:\Deckard
2008-04-12 13:50 . 2008-04-12 13:50 139,406 --a------ C:\BagleFix.zip
2008-04-12 11:40 . 2008-04-12 11:42 <DIR> d-------- C:\Combo-Fix
2008-04-11 13:43 . 2008-04-11 13:43 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-11 13:43 . 2008-04-11 13:43 <DIR> d-------- C:\Documents and Settings\Linda Kristina\Application Data\Malwarebytes
2008-04-11 13:43 . 2008-04-11 13:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-11 10:20 . 2008-04-11 20:54 <DIR> d-------- C:\Geeks_New
2008-04-10 20:36 . 2008-04-13 08:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ParetoLogic Anti-Spyware
2008-04-09 21:51 . 2008-04-09 21:51 <DIR> d-------- C:\Documents and Settings\Linda Kristina\Application Data\Thinstall
2008-04-09 20:11 . 2008-04-09 21:00 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-09 20:11 . 2008-04-09 21:00 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-09 19:53 . 2008-04-09 19:53 <DIR> d-------- C:\Program Files\CCleaner
2008-04-05 17:10 . 2008-04-05 17:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\U3
2008-04-05 17:04 . 2008-04-05 18:12 <DIR> d-------- C:\Documents and Settings\Linda Kristina\Application Data\U3
2008-04-05 17:03 . 2004-08-04 00:08 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2008-04-05 10:10 . 2008-04-05 10:10 <DIR> d-------- C:\WINDOWS\system32\windows media
2008-04-05 10:10 . 2008-04-05 10:10 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2008-04-05 10:10 . 2008-04-05 10:10 <DIR> d-------- C:\Program Files\Windows Media Components
2008-04-05 10:09 . 2008-04-05 15:21 737,280 --a------ C:\WINDOWS\iun6002.exe
2008-04-04 22:40 . 2006-10-26 20:56 32,592 --a------ C:\WINDOWS\system32\msonpmon.dll
2008-04-04 22:36 . 2008-04-04 23:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-03-21 14:18 . 2008-03-21 14:18 <DIR> d-------- C:\Program Files\Common Files\AnswerWorks 4.0
2008-03-21 14:17 . 2007-10-22 19:58 1,721,712 --------- C:\WINDOWS\system32\InetClnt.dll
2008-03-16 19:58 . 2008-03-16 19:58 <DIR> d--h----- C:\WINDOWS\PIF

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-13 15:20 --------- d-----w C:\Documents and Settings\Linda Kristina\Application Data\ComcastToolbar
2008-04-12 21:50 --------- d-----w C:\Documents and Settings\Linda Kristina\Application Data\Intuit
2008-04-10 00:53 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-21 19:17 --------- d-----w C:\Program Files\Common Files\Intuit
2008-03-20 12:03 --------- d-----w C:\Program Files\CrossTrainerII
2005-07-14 19:31 27,648 --sha-w C:\WINDOWS\system32\AVSredirect.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 20:51 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
-ra------ 2007-03-01 11:37 2321600 C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Auto EPSON Stylus CX3800 Series (Copy 1) on LMK-XP]
--a------ 2005-02-07 22:00 98304 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Auto EPSON Stylus CX3800 Series on LMK-XP]
--a------ 2005-02-07 22:00 98304 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ddoctorv2]
--a------ 2007-04-19 15:21 198184 C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iRiver Updater]
--a------ 2004-03-10 16:16 204800 E:\Program Files\iRiver\iRiver Manager\Updater\Updater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMSX]
--a------ 2006-11-15 22:01 244512 C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 12:54 5674352 C:\Program Files\MSN Messenger\MsnMsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-07-06 18:33 282624 E:\Program Files\QuickTime_4\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2005-01-12 03:01 32768 E:\Program Files\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2006-08-07 02:04 688128 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"D:\\dnloads\\eMule\\eMule.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"E:\\EMule Extracts\\EMule.46c\\emule.exe"=
"C:\\WINDOWS\\system32\\ftp.exe"=
"D:\\dnloads\\eMule\\eMule_II\\eMule.exe"=
"D:\\Program Files\\EMule\\emule.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\WINDOWS\\system32\\rundll32.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=

R0 hpt3xx;hpt3xx;C:\WINDOWS\system32\drivers\hpt3xx.sys [2004-01-05 04:10]
R0 hptpro;hptpro;C:\WINDOWS\system32\drivers\hptpro.sys [2003-01-27 10:12]
S3 APLMp50;APLMp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\APLMp50.sys [2005-02-16 03:06]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
\Shell\AutoRun\command - I:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{17282e89-0346-11dd-a3b2-000103c623f3}]
\Shell\AutoRun\command - I:\LaunchU3.exe -a

.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-13 11:33:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-13 11:34:20
ComboFix-quarantined-files.txt 2008-04-13 16:34:03
ComboFix2.txt 2008-04-13 15:51:28
ComboFix3.txt 2008-04-13 01:58:24
ComboFix4.txt 2008-04-13 01:10:54
ComboFix5.txt 2008-04-12 20:19:00
Pre-Run: 1,420,185,600 bytes free
Post-Run: 1,409,265,664 bytes free

==========================================================

Antivirus programs play an important role in the protection of your system. Here are some options:

• Free Protection:
  
  
  • AVG FREE
  • AVIRA
  • AVAST
  • Activevirusshield
• Shareware:
  
  
  • Node32
• Reccomendation:
  
  • -> Node32

As a Firewall try COMODO.

Play around with the computer. Post a fresh MyPoppy.exe report tonight to confirm. Fingers crossed!

[Linda68]

Thanks so much for your help, I will definitely look into the software you mentioned.
The concerns I still have is that the webcasts I view on my desktop still are not coming up. I was never having a problem with this before this problem. I also checked Tools-Folder Options - View tab and the how hidden files and folder entry is still not visible. Any thoughts???

Thanks!

[JSntgRvr]

Download the enclosed folder. Save and extract its contents to the desktop. It is a batch file. Once extracted doubleclick on the batch file and post its entire contents in a reply. No need to attach.

[Linda68]

Here it is ...

[codebox]

! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoDriveTypeAutoRun REG_DWORD 0x91

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoDriveTypeAutoRun REG_DWORD 0x91

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ServerAdminUI REG_DWORD 0x0
Hidden REG_DWORD 0x2
ShowCompColor REG_DWORD 0x1
HideFileExt REG_DWORD 0x0
DontPrettyPath REG_DWORD 0x0
ShowInfoTip REG_DWORD 0x1
HideIcons REG_DWORD 0x0
MapNetDrvBtn REG_DWORD 0x0
WebView REG_DWORD 0x0
Filter REG_DWORD 0x0
SuperHidden REG_DWORD 0x0
SeparateProcess REG_DWORD 0x0
ListviewAlphaSelect REG_DWORD 0x1
ListviewShadow REG_DWORD 0x1
ListviewWatermark REG_DWORD 0x1
TaskbarAnimations REG_DWORD 0x1
StartMenuInit REG_DWORD 0x2
StartButtonBalloonTip REG_DWORD 0x2
NoNetCrawling REG_DWORD 0x0
FolderContentsInfoTip REG_DWORD 0x1
FriendlyTree REG_DWORD 0x1
WebViewBarricade REG_DWORD 0x1
DisableThumbnailCache REG_DWORD 0x0
ShowSuperHidden REG_DWORD 0x0
ClassicViewState REG_DWORD 0x0
PersistBrowsers REG_DWORD 0x0
TaskbarSizeMove REG_DWORD 0x1
TaskbarGlomming REG_DWORD 0x1
Start_ShowNetPlaces_ShouldShow REG_DWORD 0x41
[/codebox]

[Linda68]

After connecting to Internet, I quickly closed the window through Task Manager after the IE window did not respond quickly...CPU usage is also up to 100% with no open programs after I did this.

[JSntgRvr]

Same deal:

[Linda68]

[codebox]
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ServerAdminUI"=dword:00000000
"Hidden"=dword:00000002
"ShowCompColor"=dword:00000001
"HideFileExt"=dword:00000000
"DontPrettyPath"=dword:00000000
"ShowInfoTip"=dword:00000001
"HideIcons"=dword:00000000
"MapNetDrvBtn"=dword:00000000
"WebView"=dword:00000000
"Filter"=dword:00000000
"SuperHidden"=dword:00000000
"SeparateProcess"=dword:00000000
"ListviewAlphaSelect"=dword:00000001
"ListviewShadow"=dword:00000001
"ListviewWatermark"=dword:00000001
"TaskbarAnimations"=dword:00000001
"StartMenuInit"=dword:00000002
"StartButtonBalloonTip"=dword:00000002
"NoNetCrawling"=dword:00000000
"FolderContentsInfoTip"=dword:00000001
"FriendlyTree"=dword:00000001
"WebViewBarricade"=dword:00000001
"DisableThumbnailCache"=dword:00000000
"ShowSuperHidden"=dword:00000000
"ClassicViewState"=dword:00000000
"PersistBrowsers"=dword:00000000
"TaskbarSizeMove"=dword:00000001
"TaskbarGlomming"=dword:00000001
"Start_ShowNetPlaces_ShouldShow"=dword:00000041

[/codebox]

[JSntgRvr]

Take a screen shot of the Task Manager.

• You can do this by pressing the PrintScreen key.
• Then go to Start > All Programs > Accessories > Paint
• In Paint, go up to Edit > Paste
• Then Go up to File > Save As. Click the drop-down box to change the "Save As Type" to "JPEG", name it what you want, and save it where you want.
• Then click Add Reply in this topic.
• Click the Browse button.
• Locate the file you just saved, click on it, then click Open.
• Click Add This Attachment.

[JSntgRvr]

Download the enclosed folder. Save and extract its contents to the desktop. It is a folder containing a Registry Entries file, Regfix.reg . Once extracted, double click on the Regfix.reg file and select Yes when prompted to merge it into the registry.

Restart the computer. Check the Folder Options.

[Linda68]

Let me know if it worked, I had to install winzip...haven't zipped for years.
The bmp was > 500k

Attached Files

•  Taskmgr.zip   21.64KB   149 downloads

[JSntgRvr]

Let me know if it worked, I had to install winzip...haven't zipped for years.
The bmp was > 500k

It is Bagle.. Run MyPoppy.exe and post its report. That happened after you clicked IE?

[Linda68]

When I initially opened IE after the "fingers crossed" post, it started quickr than it has since this problem began. When I went to the website that contains webcasts for my class, it popped up a white window but wouldn't begin playing the clip.

So, I had some saved webcasts on my hard drive and tried to play it and also had MS Word and Dragon dictate open to dictate the video clip into a Word document. The dictation was too slow for it to be effective, so I shut everything down.

I then proceeded to open up an IE window. This is when IE took awhile to open up, so I closed it immediately and it is when I noticed the 100% CPU usage.

Attached Files

•  ComboFix.txt   8.89KB   147 downloads

[JSntgRvr]

it started [b]quickr[/b] than it has

What does that term in red stands for?