DrWatson Postmortem Debugger?


#16 rmessick (Member, Topic Starter)
OH sorry I missed that.

Can you get into normal mode at all?

No problem!

Nope, I can't. It still freezes up when the error message pops up. :)

#17 heir (Trusted Helper, Malware Removal)
That was vital information that we missed.

We're back to where we started.

How do you transfer the files (tools) to and logs from your infected computer?

#18 rmessick (Member, Topic Starter)
Uh-oh... I'm sorry! I didn't realize it was that important. I should have been more clear!

To transfer the files and logs I use a flash drive.

#19 heir (Trusted Helper, Malware Removal)

Uh-oh... I'm sorry! I didn't realize it was that important. I should have been more clear!

To transfer the files and logs I use a flash drive.

Done is done. I missed it too, so it's my fault too.

We need to secure that flash drive.


Download Flash_Disinfector.exe by sUBs from >here< and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.

The computer you've used to download tools and post logs needs to be checked also -- Start a new topic when this one is finished.

We need to get into normal mode. Let's start with this tool and we'll see.




Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC. (Let the computer restart into normal mode)
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum

Did the computer restart into normal mode?

#20 rmessick (Member, Topic Starter)
The computer started in normal mode, but I still can't do anything. When I try to use the toolbar the cursor changes to the timer.

Here's the log:

SDFix: Version 1.240
Run by Abby on Sun 04/19/2009 at 04:33 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-19 16:44:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools Lite\"
"h0"=dword:00000000
"khjeh"=hex:1b,a9,ae,17,db,ea,34,9b,86,50,a9,47,68,cd,88,a3,e5,b6,a3,eb,cc,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,d3,45,93,50,b9,02,ac,e5,c7,22,31,65,e5,dd,ad,ce,55,..
"khjeh"=hex:5f,a8,cb,1d,8c,ed,5e,73,19,9c,ec,a0,2f,43,d2,12,94,a8,c6,8e,25,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:d6,f8,be,63,d8,0b,89,2a,f7,82,67,2f,48,e5,05,6d,6c,93,fb,4e,c2,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools Lite\"
"h0"=dword:00000000
"khjeh"=hex:1b,a9,ae,17,db,ea,34,9b,86,50,a9,47,68,cd,88,a3,e5,b6,a3,eb,cc,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,d3,45,93,50,b9,02,ac,e5,c7,22,31,65,e5,dd,ad,ce,55,..
"khjeh"=hex:5f,a8,cb,1d,8c,ed,5e,73,19,9c,ec,a0,2f,43,d2,12,94,a8,c6,8e,25,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:d6,f8,be,63,d8,0b,89,2a,f7,82,67,2f,48,e5,05,6d,6c,93,fb,4e,c2,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools Lite\"
"h0"=dword:00000000
"khjeh"=hex:1b,a9,ae,17,db,ea,34,9b,86,50,a9,47,68,cd,88,a3,e5,b6,a3,eb,cc,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,d3,45,93,50,b9,02,ac,e5,c7,22,31,65,e5,dd,ad,ce,55,..
"khjeh"=hex:5f,a8,cb,1d,8c,ed,5e,73,19,9c,ec,a0,2f,43,d2,12,94,a8,c6,8e,25,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:d6,f8,be,63,d8,0b,89,2a,f7,82,67,2f,48,e5,05,6d,6c,93,fb,4e,c2,..

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"="C:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe:*:Enabled:Windows Live Call"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"="C:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe:*:Enabled:Windows Live Call"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"

Remaining Files :



Files with Hidden Attributes :

Tue 13 Sep 2005 1,847,296 ...HR --- "C:\Program Files\Microsoft Works Suite 2006\Setup\LAUNCHER.EXE"
Sat 25 Jun 2005 62,464 ...HR --- "C:\Program Files\Microsoft Works Suite 2006\Setup\MNYINSTA.DLL"
Fri 22 Apr 2005 95,232 ...HR --- "C:\Program Files\Microsoft Works Suite 2006\Setup\RMVSUITE.EXE"
Thu 18 Aug 2005 36,864 ...HR --- "C:\Program Files\Microsoft Works Suite 2006\Setup\SETUPLNG.DLL"
Wed 5 Jan 2005 20,480 ...HR --- "C:\Program Files\Microsoft Works Suite 2006\Setup\UNREGWTR.EXE"
Mon 7 Jul 2008 1,429,840 A.SHR --- "C:\Documents and Settings\Abby\Desktop\Mmm\SB\SDUpdate.exe"
Mon 7 Jul 2008 4,891,472 A.SHR --- "C:\Documents and Settings\Abby\Desktop\Mmm\SB\SpybotSD.exe"
Mon 7 Jul 2008 2,156,368 A.SHR --- "C:\Documents and Settings\Abby\Desktop\Mmm\SB\TeaTimer.exe"
Thu 19 Jul 2007 11,320 A.SH. --- "C:\Documents and Settings\Abby\My Documents\Copy of My Music\License Backup\drmv2key.bak"
Thu 19 Jul 2007 11,320 A.SH. --- "C:\Documents and Settings\Abby\My Documents\My Music\License Backup\drmv2key.bak"
Wed 4 Jul 2007 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\lock.tmp"
Wed 4 Jul 2007 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\lock.tmp"
Wed 4 Jul 2007 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch3\lock.tmp"
Wed 4 Jul 2007 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch4\lock.tmp"
Wed 4 Jul 2007 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch5\lock.tmp"

Finished!

#21 heir (Trusted Helper, Malware Removal)
Let's give it another approach

Download the tools needed to a flash drive or other removable media, and transfer them to the infected computer.

***************************************************

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

With malware infections being as they are today, it's strongly recommended to have the Windows Recovery Console pre-installed on your machine before doing any malware removal.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.


Go to Microsoft's website => http://support.microsoft.com/kb/310994

Select the download that's appropriate for your Operating System



Download the file & save it as it's originally named.


---------------------------------------------------------------------

Transfer all files you just downloaded, to the desktop of the infected computer.

--------------------------------------------------------------------


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.


  • Drag the setup package onto ComboFix.exe and drop it.

  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.




  • At the next prompt, click 'Yes' to run the full ComboFix scan.

  • When the tool is finished, it will produce a report for you.
Please post the C:\ComboFix.txt in your next reply.

#22 rmessick (Member, Topic Starter)
Here you go:

ComboFix 09-04-20.02 - Abby 04/19/2009 18:50.3 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1751 [GMT -4:00]
Running from: c:\documents and settings\Abby\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Abby\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
AV: Trend Micro PC-cillin Internet Security *On-access scanning enabled* (Updated)
FW: Trend Micro PC-cillin Internet Security (Firewall) *enabled*
.

((((((((((((((((((((((((( Files Created from 2009-03-20 to 2009-04-20 )))))))))))))))))))))))))))))))
.

2009-04-19 20:27 . 2009-04-19 20:28 -------- d-----w c:\windows\ERUNT
2009-04-19 20:26 . 2009-04-19 20:53 -------- d-----w C:\SDFix
2009-04-19 20:23 . 2009-04-19 20:23 -------- d-sha-r C:\autorun.inf
2009-04-19 18:14 . 2009-04-19 18:19 -------- d-----w C:\Lop SD
2009-04-19 18:02 . 2009-04-19 18:02 -------- d-----w C:\_OTListIt
2009-04-19 15:42 . 2009-04-19 17:08 -------- d-----w C:\Rooter$
2009-03-21 15:28 . 2009-04-16 18:21 -------- d-----w c:\documents and settings\Abby\Tracing

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-19 19:13 . 2008-12-18 01:50 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-19 18:19 . 2009-04-19 18:15 20119 ----a-w C:\lopR.txt
2009-04-19 18:01 . 2007-01-22 19:53 15914 ----a-w c:\documents and settings\Abby\Application Data\wklnhst.dat
2009-04-19 17:08 . 2009-04-19 17:03 1322 ----a-w C:\Rooter.txt
2009-04-11 02:28 . 2008-08-16 17:59 -------- d-----w c:\documents and settings\Abby\Application Data\Orbit
2009-04-06 19:32 . 2008-12-20 18:08 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 19:32 . 2008-12-20 18:08 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-03-21 15:27 . 2007-01-16 02:49 68376 -c--a-w c:\documents and settings\Abby\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-21 15:25 . 2009-03-21 15:25 -------- d-----w c:\program files\Microsoft
2009-03-21 15:25 . 2009-03-21 15:25 -------- d-----w c:\program files\Windows Live SkyDrive
2009-03-21 15:24 . 2008-03-02 01:05 -------- d-----w c:\program files\Windows Live
2009-03-21 15:22 . 2009-03-21 15:22 -------- d-----w c:\program files\Common Files\Windows Live
2009-03-14 03:00 . 2009-02-22 01:35 -------- d-----w c:\program files\GIZMO2
2009-03-06 14:00 . 2004-08-10 11:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-04 21:26 . 2009-03-04 21:26 -------- d-----w c:\documents and settings\Abby\Application Data\Moyea
2009-03-04 21:26 . 2009-03-04 21:26 -------- d-----w c:\program files\Moyea
2009-03-03 00:18 . 2006-03-04 03:33 826368 ----a-w c:\windows\system32\wininet.dll
2009-03-01 15:06 . 2009-03-01 15:04 -------- d-----w c:\documents and settings\Abby\Application Data\GeoVid
2009-03-01 15:03 . 2009-03-01 15:03 -------- d-----w c:\program files\Common Files\GeoVid
2009-03-01 02:48 . 2009-03-01 02:46 -------- d-----w c:\program files\Swf2Avi
2009-02-23 02:15 . 2007-06-26 01:12 -------- d-----w c:\documents and settings\Abby\Application Data\gtk-2.0
2009-02-22 01:36 . 2009-02-22 01:36 -------- d-----w c:\documents and settings\Abby\Application Data\GIZMO2
2009-02-20 18:09 . 2008-11-22 18:12 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 10:19 . 2004-08-10 11:00 1846272 ----a-w c:\windows\system32\win32k.sys
2009-02-09 10:01 . 2004-08-10 11:00 728576 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 10:01 . 2004-08-10 11:00 617984 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 10:01 . 2004-08-10 11:00 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 10:01 . 2004-08-10 11:00 715264 ----a-w c:\windows\system32\ntdll.dll
2009-02-06 22:52 . 2009-02-06 22:52 49504 ----a-w c:\windows\system32\sirenacm.dll
2009-02-06 10:29 . 2005-03-30 01:21 2142720 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:22 . 2004-08-10 11:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 09:54 . 2004-08-10 11:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 09:49 . 2005-03-30 01:01 2020864 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-03 20:08 . 2004-08-10 11:00 55808 ----a-w c:\windows\system32\secur32.dll
2008-03-04 19:32 . 2008-03-04 19:32 94602871 ----a-w c:\program files\14601180EN.zip
2008-01-19 17:23 . 2008-01-19 17:23 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2007-01-16 02:37 . 2007-01-16 02:37 127 -c--a-w c:\documents and settings\Abby\Local Settings\Application Data\fusioncache.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Location Finder"="c:\program files\Microsoft Location Finder\LocationFinder.exe" [2005-08-24 101080]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-14 68856]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-02-06 3885408]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-07-17 389120]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-04-01 486856]
"Google Update"="c:\documents and settings\Abby\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-11-22 133104]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-08-06 50472]
"SpybotSD TeaTimer"="c:\documents and settings\Abby\Desktop\Mmm\SB\TeaTimer.exe" [2008-07-07 2156368]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2007-05-14 35328]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-01-10 185896]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-07-14 94208]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-07-14 118784]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-07-14 77824]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-01 1392640]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-11 39792]
"pccguide.exe"="c:\program files\Trend Micro\Internet Security 12\pccguide.exe" [2005-08-23 823362]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-21 136600]
"GIZMO2"="c:\program files\GIZMO2\GIZMO.exe" [2008-11-17 2229512]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-03-24 282624]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader

R1 nmconpid;nmconpid; [x]
R2 Tmfilter;Tmfilter;c:\windows\system32\drivers\TmXPFlt.sys [2008-11-26 205328]
R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe [2005-08-23 290889]
R2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [2005-04-25 585792]
R2 Tmpreflt;Tmpreflt;c:\windows\system32\drivers\Tmpreflt.sys [2008-11-26 36368]
R2 tmproxy;Trend Micro Proxy Service;c:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe [2005-04-25 262215]
R3 XDva190;XDva190; [x]
R3 XIRLINK;IBM PC Camera;c:\windows\system32\DRIVERS\C-itnt.sys [2002-03-13 899884]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]

.
Contents of the 'Scheduled Tasks' folder

2009-04-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-04-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-789336058-1004336348-839522115-1003.job
- c:\documents and settings\Abby\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-22 18:32]

2009-04-19 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Abby\Start Menu\Programs\IMVU\Run IMVU.lnk
DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} - hxxp://blueroof.servehttp.com:83/kxhcm10.ocx
DPF: {A364AF35-0CDF-41E8-8F3B-E0E55E15EBA1} - hxxp://www.programchecker.com/dll/nixon.cab
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://85.235.16.148/activex/AMC.cab
DPF: {F3D4C08D-3616-43F0-9E29-44C749B0664B} - hxxp://193.138.213.169/JpegInst.cab
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-19 18:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
Completion time: 2009-04-19 18:59
ComboFix-quarantined-files.txt 2009-04-19 22:58
ComboFix2.txt 2008-12-21 18:36

Pre-Run: 49,589,567,488 bytes free
Post-Run: 49,574,674,432 bytes free

151 --- E O F --- 2009-04-16 03:08

#23 heir (Trusted Helper, Malware Removal)
What error-message are you getting when it freezes in normal mode?



1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

Driver::
nmconpid

Save this as CFScript.txt, in the same location as ComboFix.exe


Drag CFScript.txt onto ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Edited by heir, 20 April 2009 - 09:52 AM.


#24 rmessick (Member, Topic Starter)
The error says "DrWatson Postmortem Debugger has encountered an error and needs to close", along with the 'send error report' buttons. If I click "send" or "Don't send", the computer freezes.


And the log, of course:

ComboFix 09-04-20.02 - Abby 04/20/2009 18:22.4 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1750 [GMT -4:00]
Running from: c:\documents and settings\Abby\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Abby\Desktop\CFScript.txt
AV: Trend Micro PC-cillin Internet Security *On-access scanning enabled* (Updated)
FW: Trend Micro PC-cillin Internet Security (Firewall) *enabled*
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NMCONPID
-------\Service_nmconpid



((((((((((((((((((((((((((((( SnapShot@2009-04-19_22.55.17 )))))))))))))))))))))))))))))))))))))))))
.
- 2004-08-10 11:00 . 2009-04-19 22:47 63528 c:\windows\system32\perfc009.dat
+ 2004-08-10 11:00 . 2009-04-20 22:21 63528 c:\windows\system32\perfc009.dat
+ 2004-08-10 11:00 . 2009-04-20 22:21 406328 c:\windows\system32\perfh009.dat
- 2004-08-10 11:00 . 2009-04-19 22:47 406328 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Location Finder"="c:\program files\Microsoft Location Finder\LocationFinder.exe" [2005-08-24 101080]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-14 68856]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-02-06 3885408]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-07-17 389120]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-04-01 486856]
"Google Update"="c:\documents and settings\Abby\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-11-22 133104]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-08-06 50472]
"SpybotSD TeaTimer"="c:\documents and settings\Abby\Desktop\Mmm\SB\TeaTimer.exe" [2008-07-07 2156368]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2007-05-14 35328]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-01-10 185896]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-07-14 94208]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-07-14 118784]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-07-14 77824]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-01 1392640]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-11 39792]
"pccguide.exe"="c:\program files\Trend Micro\Internet Security 12\pccguide.exe" [2005-08-23 823362]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-21 136600]
"GIZMO2"="c:\program files\GIZMO2\GIZMO.exe" [2008-11-17 2229512]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-03-24 282624]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader

R2 Tmfilter;Tmfilter;c:\windows\system32\drivers\TmXPFlt.sys [2008-11-26 205328]
R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe [2005-08-23 290889]
R2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [2005-04-25 585792]
R2 Tmpreflt;Tmpreflt;c:\windows\system32\drivers\Tmpreflt.sys [2008-11-26 36368]
R2 tmproxy;Trend Micro Proxy Service;c:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe [2005-04-25 262215]
R3 XDva190;XDva190; [x]
R3 XIRLINK;IBM PC Camera;c:\windows\system32\DRIVERS\C-itnt.sys [2002-03-13 899884]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]

.
Contents of the 'Scheduled Tasks' folder

2009-04-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-04-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-789336058-1004336348-839522115-1003.job
- c:\documents and settings\Abby\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-22 18:32]

2009-04-20 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Abby\Start Menu\Programs\IMVU\Run IMVU.lnk
DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} - hxxp://blueroof.servehttp.com:83/kxhcm10.ocx
DPF: {A364AF35-0CDF-41E8-8F3B-E0E55E15EBA1} - hxxp://www.programchecker.com/dll/nixon.cab
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://85.235.16.148/activex/AMC.cab
DPF: {F3D4C08D-3616-43F0-9E29-44C749B0664B} - hxxp://193.138.213.169/JpegInst.cab
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-20 18:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\nmconpid]

.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(464)
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\MSVCR80.dll
c:\windows\system32\browselc.dll
c:\program files\Microsoft Office\Office10\msohev.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
.
**************************************************************************
.
Completion time: 2009-04-20 18:37 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-20 22:36
ComboFix2.txt 2009-04-19 22:59
ComboFix3.txt 2008-12-21 18:36

Pre-Run: 49,585,950,720 bytes free
Post-Run: 49,533,681,664 bytes free

128 --- E O F --- 2009-04-16 03:08
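Comparing the two ComboFix logs above by eye is tedious, so here is an added Python helper (not ComboFix's code and not part of the thread) that pulls out the lines a helper actually acts on: the driver/service entries (R1/R2/R3/S2 ...) and the DPF lines listing ActiveX packages Internet Explorer downloaded. It flags services whose image file ComboFix could not find (the "[x]" marker, which is what the nmconpid and XDva190 entries carry), diffs the service list between the two runs to confirm the CFScript removed nmconpid, and lists DPF download hosts that are bare IP addresses rather than hostnames. The sample lines are copied from the logs in posts #22 and #24; the "after" log is derived from them by dropping the nmconpid line, as the 04/20 log shows. Flagging an entry is a prompt to look closer, not a verdict: the example makes no claim that any flagged item is malicious. cfscript_for() reproduces the "Driver::" script format heir posted, and which names to feed it remains the helper's decision.

```python
"""Triage helpers for ComboFix logs: services/drivers, DPF download hosts and a
before/after diff. Added example; not ComboFix's own code. Sample lines are
copied from the logs posted in the thread."""
import ipaddress
import re

# "R1 name;display;path [date size]"  or  "R1 name;display; [x]" when ComboFix
# cannot find the file the entry points at.
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);\s*(.*)$")
# "DPF: {CLSID} - hxxp://host[:port]/path" (URLs are defanged as hxxp in the log)
DPF_RE = re.compile(r"^DPF:\s+(\{[0-9A-Fa-f-]+\})\s+-\s+hxxps?://([^/:\s]+)")

LOG_BEFORE = """\
R1 nmconpid;nmconpid; [x]
R2 Tmfilter;Tmfilter;c:\\windows\\system32\\drivers\\TmXPFlt.sys [2008-11-26 205328]
R2 TmPfw;Trend Micro Personal Firewall;c:\\progra~1\\TRENDM~1\\INTERN~1\\TmPfw.exe [2005-04-25 585792]
R3 XDva190;XDva190; [x]
R3 XIRLINK;IBM PC Camera;c:\\windows\\system32\\DRIVERS\\C-itnt.sys [2002-03-13 899884]
S2 WinDefend;Windows Defender;c:\\program files\\Windows Defender\\MsMpEng.exe [2006-11-03 13592]
DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} - hxxp://blueroof.servehttp.com:83/kxhcm10.ocx
DPF: {A364AF35-0CDF-41E8-8F3B-E0E55E15EBA1} - hxxp://www.programchecker.com/dll/nixon.cab
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://85.235.16.148/activex/AMC.cab
DPF: {F3D4C08D-3616-43F0-9E29-44C749B0664B} - hxxp://193.138.213.169/JpegInst.cab
"""

# The 04/20 log is the same list minus the nmconpid entry the CFScript removed.
LOG_AFTER = "\n".join(
    line for line in LOG_BEFORE.splitlines() if not line.startswith("R1 nmconpid")
) + "\n"


def services(log):
    """Map service name -> (start type, display name, target) for every service line."""
    found = {}
    for line in log.splitlines():
        m = SERVICE_RE.match(line)
        if m:
            start, name, display, target = m.groups()
            found[name] = (start, display, target.strip())
    return found


def missing_file_services(log):
    """Names of services/drivers whose image ComboFix could not find ([x])."""
    return sorted(name for name, (_, _, target) in services(log).items() if target == "[x]")


def removed_services(before, after):
    """Service names present in the first log but gone from the second."""
    return sorted(set(services(before)) - set(services(after)))


def dpf_bare_ip_hosts(log):
    """DPF (downloaded ActiveX) entries whose download host is a literal IP address."""
    hosts = []
    for line in log.splitlines():
        m = DPF_RE.match(line)
        if not m:
            continue
        host = m.group(2)
        try:
            ipaddress.ip_address(host)
        except ValueError:  # a hostname, not an IP literal
            continue
        hosts.append(host)
    return hosts


def cfscript_for(names):
    """CFScript text in the format posted in the thread: a Driver:: block listing names."""
    return "Driver::\n" + "\n".join(names) + "\n"


if __name__ == "__main__":
    print("missing-file services:", missing_file_services(LOG_BEFORE))
    print("removed by CFScript:", removed_services(LOG_BEFORE, LOG_AFTER))
    print("DPF bare-IP hosts:", dpf_bare_ip_hosts(LOG_BEFORE))
    print(cfscript_for(["nmconpid"]))
```

A "[x]" entry can be a leftover registration from an uninstalled product just as easily as an active hide, which is why heir removed only nmconpid and left XDva190 in place; the script surfaces candidates, the person reading it decides.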

#25 heir (Trusted Helper, Malware Removal)
Let's run chkdsk on your computer


Go to Start -> Run...

Copy this line into the textbox beside Open:

chkdsk /r

Click OK

Follow the prompts and let the computer boot into normal mode and do the check.


Any luck?

#26 rmessick (Member, Topic Starter)
I ran chkdsk and tried to use the computer in normal mode. I don't get the DrWatson error message anymore, but I still can't access the tray or toolbar. Nothing seems to be loading.

#27 heir (Trusted Helper, Malware Removal)
How long have you waited after you've logged in to normal mode to get access to the menus/toolbar/tray?
Sometimes it takes a very long time if something has gone wrong earlier; it has happened to me, at least.
Leave it overnight and check the next day.

Do you remember what you were doing on your computer before this freezing started?
Do you have any system restore points from before this issue happened?


#28 rmessick (Member, Topic Starter)
I've left it on for most of the day, and I still can't use the taskbar or any of the desktop icons. I can still get to the Windows Task Manager by using ctl alt del, though.

I turned it off the night before and it said that it was installing updates for Windows. I'm not sure about the system restore points, either... I probably have at least one.

Edited by rmessick, 23 April 2009 - 10:37 AM.


#29 heir (Trusted Helper, Malware Removal)
I don't think this is malware-related.
Because of that, I think you're in better and more hands if you post in the Operating Systems section of this board.

Please make a new topic there stating your problem and also give a link to this topic.

Sorry that I couldn't help you. :)
regards
heir