[JSntgRvr]

Do you have the XP CD handy?

[Advertisements]

Yes, Windows XP Pro SP2

[Linda68]

Yes, Windows XP Pro SP2

[JSntgRvr]

Go to Start ->Run, copy and paste the entire command line below and click OK

[codebox]rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 %windir%\Inf\ie.inf[/codebox]

You will be asked for the Iexplore.exe file. Insert the XP CD and redirect the installation wizard to the i386 folder in the installation CD. Select the Iexplore.exe file and click on Next.

Follow the prompts.. Restart the computer and retry.

[Linda68]

Well, I followed the directions, rebooted the computer and the icon still went into the Property page. So then I just went to Run and typed iexplore. The box about default browser is on the screen and it is just hanging on the screen.

[Linda68]

Update...it made it past the default browser screen and quickly went to my homepage.
I went to grayinstitute.com and tried to start a webcast and I have the webcast white window of death. In other words, it's not starting up like it did with Mozilla.

[Linda68]

DOH, I returned to the Mozilla browser and started to view the same webcast while dictating it into MS Word because the webcast wouldn't open with IE. Now Dragon Dictate is back to being slow again ever since IE was installed It sure appears that the IE install spawned something again... HHHHEEEEELLLLLLPPPPPP

IE 6 was installed on the computer after reinstalled (if I didn't mention it earlier.)

[JSntgRvr]

Hi, Linda68

Run Mypoppy.exe and post its report.

[Linda68]

Mypoppy.exe is running, if we can't finish this tonight, I want you to know that I work 10 hour days Monday through Thursday, so I won't be available until at least 7:00 pm CDT on these days. I am so backlogged on my continuing education class that I'd be overjoyed to get it running like it was with Mozilla and then make contact again next weekend.

Let me know what is best though, I know we are EVER so close and can't thank you enough for how far it has come already! This site will be my first donation of 2008! The report is coming in a few minutes.

[Linda68]

Attached ...

Attached Files

•  ComboFix.txt   8.96KB   186 downloads

[JSntgRvr]

I am here until 10PM EDT most of the time, and I am not going any where. I usually come in 4 to 6 times during the day. It is almost like a full time job. It doesn't matter how log it takes, as long as we keep those replies coming at least once a day. Missing a day wont make a difference.

[JSntgRvr]

It is definitely Trojan Bagel, and it seems is activated somehow when you run Internet Explorer.

ComboFix 08-04-11.8 - Linda Kristina 2008-04-13 19:53:30.13 - NTFSx86
Running from: C:\Documents and Settings\Linda Kristina\Desktop\MyPoppy.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\downld
C:\WINDOWS\system32\drivers\downld\126642.exe
C:\WINDOWS\system32\drivers\downld\272341.exe
C:\WINDOWS\system32\drivers\downld\291278.exe
C:\WINDOWS\system32\drivers\downld\364904.exe
C:\WINDOWS\system32\drivers\downld\368850.exe
C:\WINDOWS\system32\drivers\downld\397341.exe
C:\WINDOWS\system32\drivers\downld\419913.exe
C:\WINDOWS\system32\drivers\downld\438260.exe
C:\WINDOWS\system32\drivers\downld\454443.exe
C:\WINDOWS\system32\drivers\downld\461844.exe
C:\WINDOWS\system32\drivers\downld\98521.exe
C:\WINDOWS\system32\drivers\hldrrr.exe
C:\WINDOWS\system32\drivers\mdelk.exe
C:\WINDOWS\system32\drivers\srosa.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SROSA


((((((((((((((((((((((((( Files Created from 2008-03-14 to 2008-04-14 )))))))))))))))))))))))))))))))
.

2008-04-13 17:17 . 2008-04-13 17:17 0 --a------ C:\WINDOWS\nsreg.dat
2008-04-13 17:16 . 2008-04-13 17:16 6,039,144 --a------ C:\Firefox Setup 2.0.0.13.exe
2008-04-12 21:02 . 2008-04-12 21:02 <DIR> d-------- C:\Deckard
2008-04-12 13:50 . 2008-04-12 13:50 139,406 --a------ C:\BagleFix.zip
2008-04-12 11:40 . 2008-04-12 11:42 <DIR> d-------- C:\Combo-Fix
2008-04-11 13:43 . 2008-04-11 13:43 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-11 13:43 . 2008-04-11 13:43 <DIR> d-------- C:\Documents and Settings\Linda Kristina\Application Data\Malwarebytes
2008-04-11 13:43 . 2008-04-11 13:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-11 10:20 . 2008-04-11 20:54 <DIR> d-------- C:\Geeks_New
2008-04-10 20:36 . 2008-04-13 08:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ParetoLogic Anti-Spyware
2008-04-09 21:51 . 2008-04-09 21:51 <DIR> d-------- C:\Documents and Settings\Linda Kristina\Application Data\Thinstall
2008-04-09 20:11 . 2008-04-09 21:00 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-09 20:11 . 2008-04-09 21:00 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-09 19:53 . 2008-04-09 19:53 <DIR> d-------- C:\Program Files\CCleaner
2008-04-05 17:10 . 2008-04-05 17:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\U3
2008-04-05 17:04 . 2008-04-05 18:12 <DIR> d-------- C:\Documents and Settings\Linda Kristina\Application Data\U3
2008-04-05 17:03 . 2004-08-04 00:08 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2008-04-05 10:10 . 2008-04-05 10:10 <DIR> d-------- C:\WINDOWS\system32\windows media
2008-04-05 10:10 . 2008-04-05 10:10 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2008-04-05 10:10 . 2008-04-05 10:10 <DIR> d-------- C:\Program Files\Windows Media Components
2008-04-05 10:09 . 2008-04-05 15:21 737,280 --a------ C:\WINDOWS\iun6002.exe
2008-04-04 22:40 . 2006-10-26 20:56 32,592 --a------ C:\WINDOWS\system32\msonpmon.dll
2008-04-04 22:36 . 2008-04-04 23:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-03-21 14:18 . 2008-03-21 14:18 <DIR> d-------- C:\Program Files\Common Files\AnswerWorks 4.0
2008-03-21 14:17 . 2007-10-22 19:58 1,721,712 --------- C:\WINDOWS\system32\InetClnt.dll
2008-03-16 19:58 . 2008-03-16 19:58 <DIR> d--h----- C:\WINDOWS\PIF

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-13 23:48 --------- d-----w C:\Documents and Settings\Linda Kristina\Application Data\ComcastToolbar
2008-04-12 21:50 --------- d-----w C:\Documents and Settings\Linda Kristina\Application Data\Intuit
2008-04-10 00:53 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-21 19:17 --------- d-----w C:\Program Files\Common Files\Intuit
2008-03-20 12:03 --------- d-----w C:\Program Files\CrossTrainerII
2005-07-14 19:31 27,648 --sha-w C:\WINDOWS\system32\AVSredirect.dll
.

((((((((((((((((((((((((((((( snapshot@2008-04-12_15.18.02.15 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-11 04:08:54 58,800 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-04-13 19:54:57 58,800 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-04-11 04:08:54 392,626 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-04-13 19:54:57 392,626 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 20:51 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
-ra------ 2007-03-01 11:37 2321600 C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Auto EPSON Stylus CX3800 Series (Copy 1) on LMK-XP]
--a------ 2005-02-07 22:00 98304 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Auto EPSON Stylus CX3800 Series on LMK-XP]
--a------ 2005-02-07 22:00 98304 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ddoctorv2]
--a------ 2007-04-19 15:21 198184 C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iRiver Updater]
--a------ 2004-03-10 16:16 204800 E:\Program Files\iRiver\iRiver Manager\Updater\Updater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMSX]
--a------ 2006-11-15 22:01 244512 C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 12:54 5674352 C:\Program Files\MSN Messenger\MsnMsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-07-06 18:33 282624 E:\Program Files\QuickTime_4\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2005-01-12 03:01 32768 E:\Program Files\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2006-08-07 02:04 688128 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"D:\\dnloads\\eMule\\eMule.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"E:\\EMule Extracts\\EMule.46c\\emule.exe"=
"C:\\WINDOWS\\system32\\ftp.exe"=
"D:\\dnloads\\eMule\\eMule_II\\eMule.exe"=
"D:\\Program Files\\EMule\\emule.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\WINDOWS\\system32\\rundll32.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=

R0 hpt3xx;hpt3xx;C:\WINDOWS\system32\drivers\hpt3xx.sys [2004-01-05 04:10]
R0 hptpro;hptpro;C:\WINDOWS\system32\drivers\hptpro.sys [2003-01-27 10:12]
S3 APLMp50;APLMp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\APLMp50.sys [2005-02-16 03:06]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
\Shell\AutoRun\command - I:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{17282e89-0346-11dd-a3b2-000103c623f3}]
\Shell\AutoRun\command - I:\LaunchU3.exe -a

.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-13 20:00:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\devldr32.exe
.
**************************************************************************
.
Completion time: 2008-04-13 20:02:36 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-14 01:02:15
ComboFix2.txt 2008-04-13 18:42:49
ComboFix3.txt 2008-04-13 16:34:21
ComboFix4.txt 2008-04-13 15:51:28
ComboFix5.txt 2008-04-13 01:58:24
Pre-Run: 1,282,174,976 bytes free
Post-Run: 1,326,813,184 bytes free

Using Firefox, Click here to download HJTInstall.exe

• Save HJTInstall.exe to your desktop.
• Doubleclick on the HJTInstall.exe icon on your desktop.
• By default it will install to C:\Program Files\Trend Micro\HijackThis .
• Click on Install.
• It will create a HijackThis icon on the desktop.
• Once installed, it will launch Hijackthis.
• Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
• Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
• Come back here to this thread and Paste the log in your next reply.
• DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

[Linda68]

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:24:21 PM, on 4/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Linda Kristina\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.grayinstitute.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmar...martActivia.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1183756517259
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1183756423524
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.winkflash...geUploader4.cab
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\Logitech\SrvLnch\SrvLnch.exe
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe

--
End of file - 4063 bytes

[JSntgRvr]

Attempt to perform an online scan at kaspersky:

http://www.kaspersky.com/virusscanner

Save the report as text on your desktop and post its contents.

[Linda68]

...it appears to be hung on the Accept / Decline screen when I select Accept. It isn't doing anything, but the computer is not hung up either.
If I click on Decline, the computer responds back to the Kaspersly homepage.

[JSntgRvr]

...it appears to be hung on the Accept / Decline screen when I select Accept. It isn't doing anything, but the computer is not hung up either.
If I click on Decline, the computer responds back to the Kaspersly homepage.

Sorry. Last night my ISP went Offline.

Perhaps the problems with kaspersky, is the ActiveX, and that will require IE. That is a big no no at this time. Most of these scanners require Microsoft ActiveX Technology, thus Internet Explorer

Lets try others

Trend Micro

Make sure you save the log in text and post it.

Download OTScanit.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTScanit on your desktop.

• Close any open browsers.
• Open the OTScanIt folder and double-click on OTScanIt.exe to start the program.
  
• Place a checkmark on Scan All User Accounts
• In the Processes group click All
• In the Services group click All
• In the Drivers group click All
• In the Registry group click All
• In the Additional scans sections please press select the following:
  
• IE CMDMapping
• IE Zones and Templates Policies Details
• Event Viewer errors

[*]Now click the Run Scan button on the toolbar.
[*]The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
[*]When the scan is complete Notepad will open with the report file loaded in it.
[*]Save that notepad file
[/list]Use the Reply button and attach the notepad file here (Do not copy and paste in a reply, rather attach it to it).