
boot mode functions are not visible


51 replies to this topic

#1 tokenizer
Member (Full Member, 61 posts)

Posted 21 February 2009 - 09:41 PM

Hello! I just recently realized that when I want to run a boot-time function (boot-time defragmentation, check disk, or avast boot time scan) I cannot view the actual progress of the functions (the blue screen while running chkdsk). I don't know if any installation or uninstallation of a product caused this because when I recently changed from AVG free to Avast, I wanted to take advantage of Avast's boot-time scan. When my computer restarted and booted up, after the Windows XP screen (I was waiting for the usual blue looking screen that appears when performing boot-time functions) I can't see anything. The screen is blank or more literally black (as if the monitor is turned off). The CPU is still functioning and I can see it's performing something by the flickering of the green light, but I don't see anything. It doesn't go directly to the Windows XP greeting screen, so that eliminates the question of whether the boot-time function was skipped. I don't think it skips it, I just can't see any boot-time functions.

I tried performing a chkdsk or a boot-time defragmentation with pagedfrg but still the same, can't view actual boot-time functions. It was working back in Dec, but that was the last time I performed a boot-time function, which was with pagedfrg.

Just in case, here's a Hijackthis Logfile....

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:38:47, on 22/02/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINNT\System32\TUProgSt.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\siteadvisor\mcieplg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\siteadvisor\mcieplg.dll
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [SpywareTerminator] "C:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [internat.exe] internat.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINNT\system32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/...UI.cab46479.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} -
O16 - DPF: {339234B4-4E14-4280-B8B4-8BAE5AF99063} (Chess Object) - http://zone.msn.com/...rp.cab48295.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/...dy.cab32846.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/...at.cab32846.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1124461868708
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/p...owserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1231039853665
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn...ro.cab34246.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/...xy.cab41227.cab
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\siteadvisor\mcieplg.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\WINNT\System32\TuneUpDefragService.exe
O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\WINNT\System32\TUProgSt.exe

--
End of file - 8378 bytes

Hope you can help me fix this. SWI has been a very reliable forum in the past. I appreciate all the help. Thanks!

#2 SWI Support Robot
Helper robot (SWI Bot, 23,533 posts)

Posted 24 February 2009 - 09:44 AM

Welcome to SWI. We apologize for the delay; our helpers have been very busy.
If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

Thank you for your patience.

[this is an automated reply]
This is an automated message. It does not count as help.

#3 nasdaq
Forum Deity (Global Moderator, 49,276 posts)

Posted 04 March 2009 - 07:42 AM

Hi,

Sorry for this long delay.

I'm sure if a helper had a clue as to what to suggest it would have been posted.

I tried to find a possible answer to your problem on Google but was not able to find any viable solution.

It may be that your boot-time defrag is possibly too early in the process and the required driver is not loaded.

Make sure that your Java is enabled.

Make sure you have the latest RunTime library.
http://www.microsoft...;displaylang=en

Hope this will help.
nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in any way, please consider Donating,
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760

#4 tokenizer
Member (Full Member, 61 posts)

Posted 05 March 2009 - 02:35 PM

Hey Nasdaq!

So this is some really mysterious problem I have huh? Glad it was you that replied, I remember back in 2006 when you helped me out with a tough trojan using dr webcureit and combofix. Thanks by the way for the help back then.

Well, I downloaded the latest Visual Basic Runtime library. Tried to run Chkdsk and the same thing, I can't see the actual Chkdsk performing (the usual blue type screen that's shown), the screen just goes black. I tried waiting for an hour to see if maybe Chkdsk was running and it would finish and then boot into Windows, but it never did. I can see the green light, so the CPU is processing something. Well, since Windows does not boot after the black screen boot-up function, I end up turning off my PC manually. When I turn it back on it loads, and after the Windows XP screen with the green bars going back and forth it directs me to the screen where it says safe mode, last known configs, start normally, etc. So I just click on start normally and it goes to Windows. I only experience this problem when I want to run a boot function like Chkdsk, boot-time defrag, or Avast boot-time scan.

This is completely baffling because everything else runs fine. No problem with Windows, and I just encountered this very recently (boot-time operations were working back in Dec).

I appreciate the response and all the help since SWI is always willing to help. Oh, I have a question and this might sound stupid but how do I know if my Java is enabled or not?

Thanks for all the help nasdaq!

#5 nasdaq
Forum Deity (Global Moderator, 49,276 posts)

Posted 06 March 2009 - 08:36 AM

I have a question and this might sound stupid but how do I know if my Java is enabled or not?

In Internet explorer > menu > Tools > Internet Options > advanced tab:
Look at the Sun Java section.
Let me know what version you currently have.
===

Download the Registry Search Tool from here:
http://www.billsway....les/RegSrch.zip

Unzip to your Desktop and double click on regsrch.vbs
(if you have script protection, please allow this to run)

In the dialog that opens enter the following:
BootExecute

Press 'OK'

The search will run for a while then alert you when it is finished.

Press 'OK' and copy the contents of the WordPad window and post in this thread.
nasdaq

#6 tokenizer
Member (Full Member, 61 posts)

Posted 08 March 2009 - 02:59 AM

Hi Nasdaq,

The version of Java I have is - Java Plug-in 1.6.0_11

Followed your instructions with the Registry search tool but when I unzip and double click on regsrch.vbs I get an error message:

'Windows Script Host access is disabled on this machine. Contact your administrator for details'

How do I enable Windows Script Host?

Thanks for the help!

#7 tokenizer
Member (Full Member, 61 posts)

Posted 08 March 2009 - 03:52 AM

Hey!

Was able to fix the problem with regards to the previous post.

Here's the result from the BootExecute wordpad:

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "bootexecute" 08/03/2009 17:32:28

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager]
"BootExecute"=hex(7):61,75,74,6f,63,68,65,63,6b,20,61,75,74,6f,63,68,6b,20,2f,\

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Session Manager]
"BootExecute"=hex(7):61,75,74,6f,63,68,65,63,6b,20,61,75,74,6f,63,68,6b,20,2f,\

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Session Manager]
"BootExecute"=hex(7):61,75,74,6f,63,68,65,63,6b,20,61,75,74,6f,63,68,6b,20,2f,\

[HKEY_LOCAL_MACHINE\SYSTEM\Software\Comodo\Firewall Pro\Configurations\0\HIPS\Policy\105\Rules\3\Allowed\6]
"Filename"="HKLM\\SYSTEM\\ControlSet001\\Control\\Session Manager\\BootExecute"

[HKEY_LOCAL_MACHINE\SYSTEM\Software\Comodo\Firewall Pro\Configurations\0\HIPS\Policy\105\Rules\3\Allowed\6]
"DeviceName"="HKLM\\SYSTEM\\ControlSet001\\Control\\Session Manager\\BootExecute"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
"BootExecute"=hex(7):61,75,74,6f,63,68,65,63,6b,20,61,75,74,6f,63,68,6b,20,2f,\

#8 nasdaq
Forum Deity (Global Moderator, 49,276 posts)

Posted 08 March 2009 - 08:43 AM

; Purpose: correct the BootExecute key in the registry.
;
; Instructions: Copy and paste this text IN BOLD into a text editor such as Notepad.
;
; Save this text as Fix.reg. Make sure the "Save as type:" is "All Files (*.*)" and save it to your desktop.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
"BootExecute"=hex(7):61,00,75,00,74,00,6f,00,63,00,68,00,65,00,63,00,6b,\
00,20,00,61,00,75,00,74,00,6f,00,63,00,68,00,6b,00,20,00,2a,00,00,00,\
00,00



; Double-click on Fix.reg. When it asks you to merge the information to the registry click Yes.
You can delete the Fix.reg file when completed.

How is it now?
nasdaq

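The RegSrch output in post #7 and the Fix.reg in post #8 both carry BootExecute as `hex(7)` (REG_MULTI_SZ) data, but in two different .reg dialects: REGEDIT4 exports store one ANSI byte per character, while "Windows Registry Editor Version 5.00" files store UTF-16LE, which is why the fix has a `00` after every byte. The following is an added example, not code from the thread, from RegSrch.vbs or from any tool named here: it unwraps the backslash continuations, decodes either dialect into the list of programs that Session Manager runs before the shell, compares the list against the Windows XP default of a single `autocheck autochk *` entry, and can re-encode a list into the Version 5.00 form so a fix line like nasdaq's can be checked byte for byte. The sample .reg texts and the classification labels are my own constructions; the truncated REGEDIT4 sample mirrors the cut-off line in post #7.

```python
"""Decode and sanity-check BootExecute (REG_MULTI_SZ) values from .reg exports.

Added example, not code from the forum thread or from RegSrch.vbs. Handles the
two .reg dialects seen in the thread: REGEDIT4 (hex(7) bytes are ANSI) and
"Windows Registry Editor Version 5.00" (hex(7) bytes are UTF-16LE).
Sample inputs below are constructed for this example.
"""
import re

# Windows XP default: one entry that runs autochk on every volume at boot.
EXPECTED_DEFAULT = ["autocheck autochk *"]

KEY_RE = re.compile(r"^\[(?P<key>.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=hex\(7\):(?P<payload>.*)$', re.IGNORECASE)


def _unwrap_continuations(text):
    """Join lines ending in a backslash; a dangling continuation (truncated paste) is kept."""
    lines, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if pending is not None:
            line, pending = pending + line, None
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        lines.append(line)
    if pending is not None:
        lines.append(pending)
    return lines


def _hex7_to_strings(payload, encoding):
    """hex(7): comma-separated bytes holding NUL-separated strings plus a final NUL."""
    data = bytes(int(p, 16) for p in payload.split(",") if p.strip())
    return [s for s in data.decode(encoding, errors="replace").split("\x00") if s]


def parse_boot_execute(reg_text):
    """Return {registry key: [entries]} for every BootExecute value in a .reg text."""
    lines = _unwrap_continuations(reg_text)
    header = next((l for l in lines if l), "")
    encoding = "utf-16-le" if header.lower().startswith("windows registry editor") else "cp1252"
    found, current_key = {}, None
    for line in lines:
        key_match = KEY_RE.match(line)
        if key_match:
            current_key = key_match.group("key")
            continue
        val_match = VALUE_RE.match(line)
        if val_match and current_key and val_match.group("name").lower() == "bootexecute":
            found[current_key] = _hex7_to_strings(val_match.group("payload"), encoding)
    return found


def classify_boot_execute(entries):
    """'default': the XP default. 'autochk-switches': only autochk, but with extra
    switches (a scheduled chkdsk looks like this). 'review': some other program runs
    before the shell at every boot, so confirm it belongs to a tool you installed."""
    if entries == EXPECTED_DEFAULT:
        return "default"
    if entries and all(e.startswith("autocheck autochk") for e in entries):
        return "autochk-switches"
    return "review"


def strings_to_hex7(entries):
    """Encode entries as hex(7) for a 'Version 5.00' file (UTF-16LE, double-NUL terminated)."""
    data = "".join(s + "\x00" for s in entries).encode("utf-16-le") + b"\x00\x00"
    return ",".join(f"{b:02x}" for b in data)


# Constructed sample 1: the Fix.reg posted in the thread (UTF-16LE dialect).
FIX_REG = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager]
"BootExecute"=hex(7):61,00,75,00,74,00,6f,00,63,00,68,00,65,00,63,00,6b,\\
  00,20,00,61,00,75,00,74,00,6f,00,63,00,68,00,6b,00,20,00,2a,00,00,00,\\
  00,00
"""

# Constructed sample 2: RegSrch-style REGEDIT4 output whose value line was cut
# off after the continuation backslash, as in the thread's paste.
REGSRCH_TRUNCATED = """REGEDIT4
; Registry search results for string "bootexecute"

[HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager]
"BootExecute"=hex(7):61,75,74,6f,63,68,65,63,6b,20,61,75,74,6f,63,68,6b,20,2f,\\
"""

if __name__ == "__main__":
    for name, sample in (("Fix.reg", FIX_REG), ("RegSrch", REGSRCH_TRUNCATED)):
        for key, entries in parse_boot_execute(sample).items():
            print(f"{name}: {key}\n  entries={entries} -> {classify_boot_execute(entries)}")
```

Running it prints the decoded entries for each sample: the Fix.reg decodes to the single default entry, while the truncated RegSrch line decodes to `autocheck autochk /` with its switches missing, which is exactly why a complete paste of that value would have been needed to tell a pending chkdsk apart from a third-party boot-time program.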
#9 tokenizer
Member (Full Member, 61 posts)

Posted 08 March 2009 - 09:15 PM

Hi Nasdaq!

I followed your instructions and I tried to run an avast boot scan. Unfortunately, I still can't see the actual boot function.

#10 nasdaq
Forum Deity (Global Moderator, 49,276 posts)

Posted 09 March 2009 - 08:19 AM

I'm really out of ideas.

Close all windows and running programs.

Repeat these instructions. Make sure you restart the computer.

http://www.digitalre...t-boot-time.php

Work with the computer one day and restart it.
How is it now?
nasdaq

#11 tokenizer
Member (Full Member, 61 posts)

Posted 10 March 2009 - 10:28 PM

Hi Nasdaq!

I followed your instructions again. Before I double clicked the Fix.reg I disabled my TeaTimer in Spybot because sometimes it confuses me with all the value deleted/value added prompts and I end up not knowing what to allow or deny. I also booted into safe mode, double clicked the Fix.reg and allowed it to merge with my registry.

I then booted back into normal windows and tried to run a chkdsk boot time. I restarted my computer and it's the same, I really can't view boot time functions anymore. It's just a black screen.

I'm sorry if I took up your time with this mysterious error. I will try and do some research on my own and find a solution for this.

Thanks again for the help Nasdaq!

#12 tokenizer
Member (Full Member, 61 posts)

Posted 11 March 2009 - 02:12 AM

Hey Nasdaq!

I know this isn't related to my original thread of not being able to view boot-time function but I've encountered another problem.
I tried to run my system restore to choose a restore point back in December when I wasn't encountering any boot function issues.

When I tried to run System Restore, I got this message:

System Restore is not able to protect your computer. Please restart your computer, and then run System Restore again.


I found this to be somewhat odd. I don't know what caused this. So I went to Services through the Run function and found out that my System Restore was not running. It gave me the option to start the service, so I selected start and then I got this error message:

Could not start the System Restore Service service on Local Computer
Error 126: The specified module could not be found


Now I'm really worried since I can't even use my system restore.

Just in case: Here is a fresh Hijackthis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:10:43, on 11/03/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\Explorer.EXE
C:\Program Files\COMODO\Firewall\cfp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\WINNT\System32\TUProgSt.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...msgr8/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...msgr8/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\siteadvisor\mcieplg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\siteadvisor\mcieplg.dll
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [internat.exe] internat.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINNT\system32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/...UI.cab46479.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} -
O16 - DPF: {339234B4-4E14-4280-B8B4-8BAE5AF99063} (Chess Object) - http://zone.msn.com/...rp.cab48295.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/...dy.cab32846.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/...at.cab32846.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...ontrols/en/x86/client/wuweb_site.cab?1124461868708
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/p...owserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...5Controls/en/x86/client/muweb_site.cab?1231039853665
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn...ro.cab34246.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/...xy.cab41227.cab
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\siteadvisor\mcieplg.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\WINNT\System32\TuneUpDefragService.exe
O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\WINNT\System32\TUProgSt.exe

--
End of file - 7885 bytes


Sorry for the inconvenience, hope you can help me out with this.

Thanks

#13 nasdaq
Forum Deity (Global Moderator, 49,276 posts)

Posted 11 March 2009 - 07:37 AM

A system restore point is important.

Read this page and reinstall the function.

http://bertk.mvps.or.../reinstall.html
nasdaq

#14 tokenizer
Member (Full Member, 61 posts)

Posted 12 March 2009 - 09:25 PM

Thanks again Nasdaq! My System Restore is working again. I was just wondering, if I can reinstall my System Restore, is there some way I can reinstall or fix the boot.ini part of Windows?

I was just thinking whether having TeaTimer on with Spybot could have anything to do with this, because at times it's really confusing (well, for me) when all those notifications come out when a value or registry entry is added/altered or a BHO is added/removed. So I click on allow, or if I don't want a BHO entry I deny.

Well, hopefully, I can find some solution for this. Oh, I also don't have a Windows XP CD since my laptop did not come with a CD. I was able to install the Recovery Console with the help of Rocket Grannie a few months back when I had a trojan issue. Do you think there's a way to fix my boot problem with the Recovery Console? Sorry, but I don't really know how to use the Recovery Console.

I appreciate all the help!

#15 nasdaq
Forum Deity (Global Moderator, 49,276 posts)

Posted 13 March 2009 - 08:35 AM

Read this tutorial on Spybot and Destroy.
http://www.bleepingc...tutorial43.html
===

I was just wondering, if i can reinstall my system restore,

Not any of the previous ones.


is there some way i can reinstall or fix the boot.ini part of windows?


Why do you ask this?

Run NotePad and open your boot.ini file in your C:\ drive.

Copy and paste the contents in your next reply.
nasdaq

#16 tokenizer
Member (Full Member, 61 posts)

Posted 13 March 2009 - 04:08 PM

Well, I was just wondering if maybe there's an error with boot.ini that's causing this problem where I can't see the boot functions like chkdsk.

I went to the drivers folder and I could not find a boot.ini file. I also set the folder options to show all hidden files and folders and there was nothing in my drivers folder. I attempted to search for boot.ini and I couldn't find the file.

#17 nasdaq
Forum Deity (Global Moderator, 49,276 posts)

Posted 14 March 2009 - 08:28 AM

The boot.ini file is always in the root folder C:\

Look to see if you have a boot.bak file (a backup).
nasdaq

#18 tokenizer
Member (Full Member, 61 posts)

Posted 15 March 2009 - 02:00 AM

Hey Nasdaq!

I was able to find the boot.ini.backup file. Had to look for it using the search function. You said in an earlier post:

'Run NotePad and open your boot.ini file in your C:\ drive.

Copy and paste the contents in your next reply.'

I tried to open the boot.ini.backup but I can't open it because it says 'Unknown Program.' There's no specific program assigned to open it which I find odd.

[attachment=2174:boot.bak.png]

#19 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 49,276 posts

Posted 15 March 2009 - 08:35 AM

Use NotePad.

Run NotePad, browse to the folder and open the Boot.ini.
Copy the contents and post it back here.
nasdaq


#20 tokenizer

tokenizer

    Member

  • Full Member
  • Pip
  • 61 posts

Posted 15 March 2009 - 10:18 PM

Hey!

Sorry I misunderstood your post earlier about using notepad and opening boot.ini. Anyway, here are the contents of the boot.ini.backup.

[boot loader]
timeout=3
default=multi(0)disk(0)rdisk(0)partition(1)\WINNT
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINNT="1" 1
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

Thanks for the help!

#21 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 49,276 posts

Posted 16 March 2009 - 11:10 AM

I see two entries

default=multi(0)disk(0)rdisk(0)partition(1)\WINNT

and

multi(0)disk(0)rdisk(0)partition(1)\WINNT="1" 1

How many hard disks do you have?

If you have only one, is the drive partitioned?

That is, do you have a C:\ and a D:\ drive?
nasdaq


#22 tokenizer

tokenizer

    Member

  • Full Member
  • Pip
  • 61 posts

Posted 16 March 2009 - 11:36 PM

I actually only have one drive C:. I did not partition my drive.

This here below was accidentally created when I was trying to see if I can fix my boot problem with the system recovery console by using the bootcfg /rebuild command.

multi(0)disk(0)rdisk(0)partition(1)\WINNT="1" 1

Is there any way I can remove this entry from my bootup? This was a stupid mistake created by my limited knowledge of the recovery console.
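The stray line above is easy to spot by eye in a three-line file, but the same class of defect (a bootcfg /rebuild leftover with an unquoted token after the label, or two entries sharing one ARC path) is worth checking mechanically before a boot.ini is written back to C:\. The following is an added example, not code from this thread or from any tool mentioned in it: it parses a boot.ini of the shape posted above, reports such entries, and rebuilds the file without them. SAMPLE_BOOT_INI is the boot.ini.backup contents from the post; the function names and the checks are my own.

```python
"""Audit a Windows 2000/XP boot.ini for stray [operating systems] entries.

Added example; SAMPLE_BOOT_INI is the boot.ini.backup posted in the thread,
everything else here is constructed for illustration."""
import re

# Constructed from the posted boot.ini.backup. The first [operating systems]
# line is the stray entry that 'bootcfg /rebuild' produced.
SAMPLE_BOOT_INI = (
    "[boot loader]\n"
    "timeout=3\n"
    "default=multi(0)disk(0)rdisk(0)partition(1)\\WINNT\n"
    "[operating systems]\n"
    "multi(0)disk(0)rdisk(0)partition(1)\\WINNT=\"1\" 1\n"
    "C:\\CMDCONS\\BOOTSECT.DAT=\"Microsoft Windows Recovery Console\" /cmdcons\n"
    "multi(0)disk(0)rdisk(0)partition(1)\\WINNT=\"Microsoft Windows XP Professional\""
    " /noexecute=optin /fastdetect\n"
)

# An [operating systems] line is:  <ARC path or file>="<menu label>" [/switch ...]
ENTRY_RE = re.compile(r'^(?P<path>[^=]+)="(?P<label>[^"]*)"(?P<rest>.*)$')


def parse_boot_ini(text):
    """Return ({'timeout': ..., 'default': ...}, [entry, ...]).

    Each entry is a dict with keys line, malformed, path, label, switches and
    extra (tokens after the label that are not /switches)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
            continue
        if current is None:
            raise ValueError("data before the first section header: %r" % line)
        sections[current].append(line)

    loader = {}
    for line in sections.get("boot loader", []):
        key, _, value = line.partition("=")
        loader[key.strip().lower()] = value.strip()

    entries = []
    for line in sections.get("operating systems", []):
        m = ENTRY_RE.match(line)
        tokens = m.group("rest").split() if m else []
        entries.append({
            "line": line,
            "malformed": m is None,
            "path": m.group("path").strip() if m else line,
            "label": m.group("label") if m else None,
            "switches": [t for t in tokens if t.startswith("/")],
            "extra": [t for t in tokens if not t.startswith("/")],
        })
    return loader, entries


def audit_boot_ini(text):
    """Return a list of (offending line, reason) pairs; an empty list means clean."""
    loader, entries = parse_boot_ini(text)
    findings = []
    default = loader.get("default")
    if default is None:
        findings.append(("[boot loader]", "no default= line"))
    elif default.lower() not in [e["path"].lower() for e in entries]:
        findings.append(("default=" + default, "default matches no [operating systems] entry"))
    if not loader.get("timeout", "").isdigit():
        findings.append(("[boot loader]", "timeout missing or not a number"))
    seen = {}  # ARC path -> label of the first entry that used it
    for e in entries:
        if e["malformed"]:
            findings.append((e["line"], 'not of the form path="label" [/switches]'))
            continue
        if e["extra"]:
            findings.append((e["line"], "stray token(s) after the label: " + " ".join(e["extra"])))
        if e["path"].lower() in seen:
            findings.append((e["line"], "same ARC path as the entry labelled %r" % seen[e["path"].lower()]))
        else:
            seen[e["path"].lower()] = e["label"]
    return findings


def clean_boot_ini(text):
    """Rebuild the file without malformed entries and entries carrying stray tokens.

    Entries that merely share an ARC path are reported by audit_boot_ini but never
    removed here: the surviving copy may be the one the machine actually boots."""
    loader, entries = parse_boot_ini(text)
    out = ["[boot loader]"]
    for key in ("timeout", "default"):
        if key in loader:
            out.append("%s=%s" % (key, loader[key]))
    out.append("[operating systems]")
    out.extend(e["line"] for e in entries if not (e["malformed"] or e["extra"]))
    return "\n".join(out) + "\n"
```

Run against SAMPLE_BOOT_INI, audit_boot_ini reports two findings (the stray "1" token on the first entry, and the third entry sharing its ARC path with the first), and clean_boot_ini returns a file with only the Recovery Console and Windows XP entries, which the audit then passes without findings.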

#23 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 49,276 posts

Posted 17 March 2009 - 11:46 AM

Run this tool.
It will install or reinstall your Recovery console and create a boot.ini file.

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


Let me know if the problem persists.
nasdaq


#24 tokenizer

tokenizer

    Member

  • Full Member
  • Pip
  • 61 posts

Posted 18 March 2009 - 02:41 AM

Hey Nasdaq!

Here are the results of the combofix scan:

ComboFix 09-03-15.01 - New User 2009-03-18 16:16:33.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.288 [GMT 8:00]
Running from: c:\documents and settings\New User\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2009-02-18 to 2009-03-18 )))))))))))))))))))))))))))))))
.

2009-03-18 12:08 . 2009-03-18 12:08 <DIR> d----c--- c:\winnt\LastGood
2009-03-17 12:49 . 2009-03-17 12:49 <DIR> d----c--- c:\program files\FirefoxPreloader
2009-03-17 12:49 . 2005-01-19 10:15 28,672 --a--c--- c:\winnt\system32\regclass.dll
2009-03-13 15:36 . 2009-03-13 15:36 <DIR> d-a--c--- C:\death-vs-monstars
2009-03-12 17:31 . 2009-03-12 17:31 <DIR> d----c--- c:\documents and settings\New User\Application Data\r2 Studios
2009-03-12 17:31 . 2009-03-12 17:31 <DIR> d----c--- c:\documents and settings\All Users\Application Data\r2 Studios
2009-03-12 14:13 . 2009-03-12 14:37 <DIR> d----c--- c:\program files\Common Files\DivX Shared
2009-03-10 14:18 . 2009-03-10 14:17 73,728 --a--c--- c:\winnt\system32\javacpl.cpl
2009-03-06 19:12 . 2009-03-06 19:12 <DIR> d----c--- c:\program files\TechSmith
2009-03-06 18:50 . 2009-01-10 03:19 1,089,593 -----c--- c:\winnt\system32\dllcache\ntprint.cat
2009-03-06 18:14 . 2009-03-06 18:14 <DIR> d----c--- c:\winnt\system32\XPSViewer
2009-03-06 18:14 . 2009-03-06 18:14 <DIR> d----c--- c:\program files\MSBuild
2009-03-06 18:13 . 2009-03-06 18:13 <DIR> d----c--- c:\program files\Reference Assemblies
2009-03-06 18:12 . 2008-07-06 20:06 1,676,288 -----c--- c:\winnt\system32\xpssvcs.dll
2009-03-06 18:12 . 2008-07-06 20:06 1,676,288 -----c--- c:\winnt\system32\dllcache\xpssvcs.dll
2009-03-06 18:12 . 2008-07-06 18:50 597,504 -----c--- c:\winnt\system32\dllcache\printfilterpipelinesvc.exe
2009-03-06 18:12 . 2008-07-06 20:06 575,488 -----c--- c:\winnt\system32\xpsshhdr.dll
2009-03-06 18:12 . 2008-07-06 20:06 575,488 -----c--- c:\winnt\system32\dllcache\xpsshhdr.dll
2009-03-06 18:12 . 2008-07-06 20:06 117,760 -----c--- c:\winnt\system32\prntvpt.dll
2009-03-06 18:12 . 2008-07-06 20:06 89,088 -----c--- c:\winnt\system32\dllcache\filterpipelineprintproc.dll
2009-03-06 18:11 . 2009-03-06 18:13 <DIR> d----c--- C:\16ab3e61d8965de7f871c1849c5e8c
2009-03-06 17:28 . 2009-03-06 17:28 <DIR> d----c--- c:\program files\Microsoft
2009-03-06 15:45 . 2009-03-06 15:46 <DIR> d----c--- C:\wf
2009-03-05 16:17 . 2008-04-14 08:12 1,384,479 --a--c--- c:\winnt\system32\MSVBVM60.DLL
2009-03-05 16:17 . 2008-04-14 08:12 84,992 --a--c--- c:\winnt\system32\OLEPRO32.DLL
2009-03-05 16:17 . 2008-04-14 08:11 65,024 --a--c--- c:\winnt\system32\ASYCFILT.DLL
2009-03-05 16:17 . 2008-04-13 23:42 16,896 --a--c--- c:\winnt\system32\STDOLE2.TLB
2009-03-05 16:17 . 2004-08-04 09:07 3,584 --a--c--- c:\winnt\system32\COMCAT.DLL
2009-03-05 16:16 . 2008-04-14 08:12 551,936 --a--c--- c:\winnt\system32\OLEAUT32.DLL
2009-02-28 15:30 . 2009-02-28 15:31 <DIR> d----c--- c:\program files\Recuva
2009-02-26 14:49 . 2009-02-26 14:49 <DIR> d----c--- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-02-26 14:47 . 2009-02-26 14:47 <DIR> d----c--- c:\program files\SUPERAntiSpyware
2009-02-26 14:47 . 2009-02-26 14:47 <DIR> d----c--- c:\documents and settings\New User\Application Data\SUPERAntiSpyware.com
2009-02-26 13:28 . 2009-02-26 13:28 <DIR> d----c--- c:\program files\xp-AntiSpy
2009-02-25 15:51 . 2009-02-25 15:51 <DIR> d----c--- c:\program files\GNU
2009-02-21 16:51 . 2009-02-21 16:51 <DIR> d----c--- c:\program files\Common Files\Adobe AIR
2009-02-19 13:39 . 2009-02-19 13:39 <DIR> d----c--- c:\program files\Alwil Software

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-17 09:47 --------- dc----w c:\program files\uTorrent
2009-03-17 03:29 --------- dc----w c:\program files\Common Files\Wise Installation Wizard
2009-03-14 05:07 --------- dc----w c:\documents and settings\NetworkService\Application Data\SACore
2009-03-14 03:07 --------- dc----w c:\program files\TuneUp Utilities 2009
2009-03-14 03:02 --------- dc----w c:\program files\Common Files\Adobe
2009-03-13 05:05 --------- dc--a-w c:\documents and settings\All Users\Application Data\TEMP
2009-03-12 06:38 --------- dc----w c:\program files\DivX
2009-03-12 05:12 --------- dc----w c:\program files\Spybot - Search & Destroy
2009-03-12 04:40 --------- dc----w c:\program files\SpywareBlaster
2009-03-11 04:53 --------- dc----w c:\documents and settings\New User\Application Data\uTorrent
2009-03-10 06:17 410,984 -c--a-w c:\winnt\system32\deploytk.dll
2009-03-02 02:59 155,384 -c--a-w c:\winnt\system32\guard32.dll
2009-03-02 02:59 110,992 -c--a-w c:\winnt\system32\drivers\cmdguard.sys
2009-02-24 06:17 --------- dc----w c:\documents and settings\All Users\Application Data\Skype
2009-02-20 10:22 --------- dc----w c:\documents and settings\All Users\Application Data\comodo
2009-02-20 10:16 24,336 -c--a-w c:\winnt\system32\drivers\cmdhlp.sys
2009-02-19 05:27 --------- dc----w c:\documents and settings\All Users\Application Data\Avg8
2009-02-19 05:18 --------- dc----w c:\documents and settings\All Users\Application Data\Apple Computer
2009-02-16 06:40 --------- dc----w c:\documents and settings\New User\Application Data\Orbit
2009-02-12 05:54 --------- dc----w c:\program files\Malwarebytes' Anti-Malware
2009-02-11 02:19 38,496 -c--a-w c:\winnt\system32\drivers\mbamswissarmy.sys
2009-02-11 02:19 15,504 -c--a-w c:\winnt\system32\drivers\mbam.sys
2009-02-09 11:13 1,846,784 -c--a-w c:\winnt\system32\win32k.sys
2009-02-05 05:47 --------- dc----w c:\documents and settings\New User\Application Data\skypePM
2009-01-30 07:25 --------- dc----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-29 07:42 --------- dc----w c:\program files\EULAlyzer
2009-01-27 01:34 90,112 -c--a-w c:\winnt\system32\dpl100.dll
2009-01-27 01:34 823,296 -c--a-w c:\winnt\system32\divx_xx0c.dll
2009-01-27 01:34 823,296 -c--a-w c:\winnt\system32\divx_xx07.dll
2009-01-27 01:34 815,104 -c--a-w c:\winnt\system32\divx_xx0a.dll
2009-01-27 01:34 802,816 -c--a-w c:\winnt\system32\divx_xx11.dll
2009-01-27 01:34 684,032 -c--a-w c:\winnt\system32\DivX.dll
2009-01-25 06:10 --------- dc----w c:\documents and settings\New User\Application Data\Azureus
2009-01-25 03:40 --------- dc----w c:\documents and settings\All Users\Application Data\Azureus
2009-01-25 01:16 --------- dc----w c:\program files\Yahoo!
2009-01-25 00:57 --------- dc----w c:\documents and settings\New User\Application Data\GRETECH
2009-01-25 00:56 --------- dc----w c:\program files\GRETECH
2009-01-23 21:48 --------- dc----w c:\program files\QuickTime Alternative
2009-01-23 20:59 --------- dc----w c:\program files\IObit
2009-01-23 20:59 --------- dc----w c:\documents and settings\New User\Application Data\IObit
2009-01-23 07:26 --------- dc----w c:\program files\Java
2009-01-23 04:06 --------- dc----w c:\program files\VS Revo Group
2009-01-21 04:12 --------- dc----w c:\program files\Lavasoft
2009-01-21 04:12 --------- dc----w c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-28 09:13 603,904 ----a-w c:\winnt\system32\TUProgSt.exe
2008-12-28 09:13 360,192 -c--a-w c:\winnt\system32\TuneUpDefragService.exe
2005-07-28 11:46 271 --sh--w c:\program files\desktop.ini
2005-07-28 11:46 21,952 -c-ha-w c:\program files\folder.htt
2003-03-21 05:37 16,056 -c--a-w c:\program files\owcstp16.dll
2009-01-27 01:34 1,044,480 -c--a-w c:\program files\mozilla firefox\plugins\libdivx.dll
2009-01-27 01:34 200,704 -c--a-w c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"COMODO Firewall Pro"="c:\program files\COMODO\Firewall\cfp.exe" [2009-03-02 1851128]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-06 81000]
"COMODO Internet Security"="c:\program files\COMODO\Firewall\cfp.exe" [2009-03-02 1851128]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"="internat.exe" [1999-12-07 c:\winnt\system32\internat.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe" [2008-04-14 214528]
"tscuninstall"="c:\winnt\system32\tscupgrd.exe" [2004-08-04 44544]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Firefox Preloader.lnk - c:\program files\FirefoxPreloader\FirefoxPreloader.exe [2009-03-17 98304]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\winnt\system32\logonui.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.divxa32"= msaud32_divx.acm

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

R1 aswSP;avast! Self Protection;c:\winnt\system32\drivers\aswSP.sys [2009-02-19 114768]
R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;c:\winnt\system32\drivers\cmdguard.sys [2009-01-11 110992]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;c:\winnt\system32\drivers\cmdhlp.sys [2009-01-11 24336]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-02-17 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-02-17 55024]
R2 aswFsBlk;aswFsBlk;c:\winnt\system32\drivers\aswFsBlk.sys [2009-02-19 20560]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2008-08-20 206096]
R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\winnt\system32\TUProgSt.exe [2008-12-28 603904]
S2 0081011237349528mcinstcleanup;McAfee Application Installer Cleanup (0081011237349528);c:\winnt\TEMP\008101~1.EXE c:\progra~1\COMMON~1\McAfee\Installer\cleanup.ini -cleanup -nolog -service --> c:\winnt\TEMP\008101~1.EXE c:\progra~1\COMMON~1\McAfee\Installer\cleanup.ini -cleanup -nolog -service [?]
S3 {A7E39B01-B403-11d4-BD18-00D0B7A1821E};AIM 3.0 Part 01 Codec Driver VCH-A;c:\winnt\system32\drivers\vch.sys [2005-07-28 20533]
S3 EL90BC;3Com EtherLink XL B/C Adapter Driver;c:\winnt\system32\drivers\el90Xbc5.SYS [2005-07-28 73827]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-02-17 7408]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5baf4d70-3605-11da-aab9-000bdb092597}]
\Shell\AutoRun\command - New Document.exe
.
Contents of the 'Scheduled Tasks' folder

2009-03-17 c:\winnt\Tasks\AWC Update.job
- c:\program files\IObit\Advanced SystemCare 3\IObitUpdate.exe [2009-02-23 17:38]

2009-03-17 c:\winnt\Tasks\AWC Update.job
- c:\program files\IObit\Advanced SystemCare 3\ [2009-03-14 05:35]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
DPF: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java
FF - ProfilePath - c:\documents and settings\New User\Application Data\Mozilla\Firefox\Profiles\ihc3yk9o.default\
FF - prefs.js: browser.search.selectedEngine - Orbit Search (Powered By Google)
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-connections-per-server - 8
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
FF - user.js: network.http.max-persistent-connections-per-server - 4
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-18 16:21:05
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwClose, ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(436)
c:\winnt\system32\guard32.dll
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'lsass.exe'(496)
c:\winnt\system32\guard32.dll
.
Completion time: 2009-03-18 16:24:49
ComboFix-quarantined-files.txt 2009-03-18 08:24:43

Pre-Run: 21,990,707,200 bytes free
Post-Run: 21,992,136,704 bytes free

Current=6 Default=6 Failed=5 LastKnownGood=1 Sets=1,2,3,4,5,6
206 --- E O F --- 2009-03-14 03:18:53

#25 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 49,276 posts

Posted 18 March 2009 - 08:33 AM

Looks like your recovery console is installed since I did not see any other signal to that effect.
===

Open notepad and copy/paste the text in the quote box below into it:

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5baf4d70-3605-11da-aab9-000bdb092597}]


Save this as CFScript on your desktop.

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe.
Then post the resultant log.

Question do you have a boot.ini file or just boot.ini.backup?

If you only have a boot.ini.backup then this file is not used at startup.

Before we proceed further let me know if you have the XP Installation disk.
If we make a change to the boot.ini and an error occurs you may not be able to boot again.
nasdaq


#26 tokenizer

tokenizer

    Member

  • Full Member
  • Pip
  • 61 posts

Posted 18 March 2009 - 10:29 PM

Question do you have a boot.ini file or just boot.ini.backup?

I just have the boot.ini.backup. I've searched for the boot.ini file but I can't find it. When I open msconfig, I have a boot.ini tab, but I'm sure that has nothing to do with the actual file. I only have the boot.ini.backup file for some odd reason.


Before we proceed further let me know if you have the XP Installation disk

Unfortunately, no. I don't have the XP Installation disk. The laptop came pre-installed with XP service pack 2 but did not come with an installation disk or Windows XP CD.

If we make a change to the boot.ini and an error occurs you may not be able to boot again.

I just want to be honest that after reading this I'm feeling pretty reluctant about doing this. Anyway, I also only installed the recovery console when Rocket Grannie helped me out here before with a malware problem. Oh, I hope you don't mind me asking but with the registry code that you posted, what will that exactly do? Is it a possible solution to fix my problem (cannot view boot functions)?

I appreciate all the help Nasdaq.

#27 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 49,276 posts

Posted 19 March 2009 - 09:44 AM

After checking many logs with the boot.ini file [boot loader] section and knowing that you have installed the Recovery console as suggested by Rock Granny, I feel confident that you can make a boot.ini file with these lines.


[boot loader]
timeout=3
default=multi(0)disk(0)rdisk(0)partition(1)\WINNT
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows XP Professional" /noexecute=optin /fastdetect


Copy the bold text in NotePad and save the file as boot.ini, make sure the "Save as type:" is "All Files (*.*)" and save it to your c:\ folder.

Restart the computer normally.

====

Oh, I hope you don't mind me asking but with the registry code that you posted, what will that exactly do?


The .reg file will remove this registry entry.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5baf4d70-3605-11da-aab9-000bdb092597}]
\Shell\AutoRun\command - New Document.exe

Mountpoints2 are created when you use a USB key.
New Document.exe is considered unsafe.
nasdaq

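The MountPoints2 key nasdaq removes above is a per-device record Explorer keeps for removable media, and a \Shell\AutoRun\command value under it names a program Explorer would launch when that device is opened. The following is an added example, not ComboFix's code and not from this thread, that scans ComboFix-style registry-section lines for MountPoints2 keys carrying such a value and emits the same Registry:: removal stanza that nasdaq posted. The first key in SAMPLE_LOG is the one from the log above; the second key, its GUID, the E:\setup.exe command and the function names are constructed.

```python
"""Find MountPoints2 AutoRun commands in a ComboFix-style log and build a removal script.

Added example, not ComboFix's code. The first MountPoints2 key below is the one
from the log posted in the thread; the second key and its command are constructed."""
import re

SAMPLE_LOG = r"""[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-06 81000]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5baf4d70-3605-11da-aab9-000bdb092597}]
\Shell\AutoRun\command - New Document.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{deadbeef-0000-4000-8000-000000000001}]
\Shell\AutoRun\command - E:\setup.exe
"""

# A registry key header line in the log:  [HKEY_...\subkey]
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
# The tail of a MountPoints2 per-device key: ...\explorer\mountpoints2\{GUID}
MP2_RE = re.compile(r"\\explorer\\mountpoints2\\(?P<guid>\{[0-9a-f-]+\})$", re.IGNORECASE)
# The value line ComboFix prints under such a key:  \Shell\AutoRun\command - <program>
AUTORUN_RE = re.compile(r"^\\Shell\\AutoRun\\command\s+-\s+(?P<cmd>.+)$", re.IGNORECASE)


def find_mountpoints2_autoruns(log_text):
    """Return [(key, guid, command), ...] for every MountPoints2 key with an AutoRun command."""
    findings = []
    current_key = None
    for raw in log_text.splitlines():
        line = raw.rstrip()
        km = KEY_RE.match(line)
        if km:
            current_key = km.group("key")
            continue
        if current_key is None:
            continue
        mp = MP2_RE.search(current_key)
        am = AUTORUN_RE.match(line)
        if mp and am:
            findings.append((current_key, mp.group("guid"), am.group("cmd").strip()))
    return findings


def cfscript_for(findings):
    """Build the 'Registry::' stanza, in the form used in the thread, that deletes each flagged key.

    A leading '-' inside the brackets marks the key for deletion rather than creation."""
    lines = ["Registry::"]
    for key, _guid, _cmd in findings:
        lines.append("[-%s]" % key)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    hits = find_mountpoints2_autoruns(SAMPLE_LOG)
    for key, guid, cmd in hits:
        print("%s -> %s" % (guid, cmd))
    print(cfscript_for(hits))
```

Keys are matched by their MountPoints2 tail rather than by hive so the same scan works on HKEY_USERS\<SID> exports; the AutoRun value line is only reported when it follows a MountPoints2 header, so AutoRun-looking lines under unrelated keys are ignored.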

#28 tokenizer

tokenizer

    Member

  • Full Member
  • Pip
  • 61 posts

Posted 19 March 2009 - 05:24 PM

[boot loader]
timeout=3
default=multi(0)disk(0)rdisk(0)partition(1)\WINNT
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows XP Professional" /noexecute=optin /fastdetect


Copy the bold text in NotePad and save the file as boot.ini, make sure the "Save as type:" is "All Files (*.*)" and save it to your c:\ folder.

This appears when I try to do the above:

[attachment=2182:boot.png]

It's weird because I have done an extensive search and only have the boot.ini.backup but no boot.ini.

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5baf4d70-3605-11da-aab9-000bdb092597}]


Is it safe for me to do this now, since you mentioned earlier that there is a possibility I might not be able to boot again?

#29 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 49,276 posts

Posted 20 March 2009 - 07:58 AM

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5baf4d70-3605-11da-aab9-000bdb092597}]


Is it safe for me to do this now, since you mentioned earlier that there is a possibility I might not be able to boot again?


This has nothing to do with your booting the computer.
It's just a bad entry in the registry.
===

So you do have a boot.ini file.

It may be hidden.

Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Can you now see the boot.ini file?

Post the contents back here for my review.
nasdaq


#30 tokenizer

tokenizer

    Member

  • Full Member
  • Pip
  • 61 posts

Posted 20 March 2009 - 04:16 PM

Yeah! You're right! I can see my boot.ini file now in C:\. I just don't know why it never showed up when I searched for it with Windows Search. I even did an advanced search to look for hidden files. Oh well, thanks for the tip. Don't have to worry now about my boot.ini.

I merged the CFScript with ComboFix as instructed and here is the log file:

ComboFix 09-03-15.01 - New User 2009-03-20 23:52:59.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.90 [GMT 8:00]
Running from: c:\documents and settings\New User\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\New User\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1335 [VPS 090319-0] *On-access scanning disabled* (Updated)
FW: COMODO Firewall *enabled*
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-02-20 to 2009-03-20 )))))))))))))))))))))))))))))))
.

2009-03-17 12:49 . 2009-03-17 12:49 <DIR> d----c--- c:\program files\FirefoxPreloader
2009-03-17 12:49 . 2005-01-19 10:15 28,672 --a--c--- c:\winnt\system32\regclass.dll
2009-03-12 17:31 . 2009-03-12 17:31 <DIR> d----c--- c:\documents and settings\New User\Application Data\r2 Studios
2009-03-12 17:31 . 2009-03-12 17:31 <DIR> d----c--- c:\documents and settings\All Users\Application Data\r2 Studios
2009-03-12 14:13 . 2009-03-12 14:37 <DIR> d----c--- c:\program files\Common Files\DivX Shared
2009-03-10 14:18 . 2009-03-10 14:17 73,728 --a--c--- c:\winnt\system32\javacpl.cpl
2009-03-06 19:12 . 2009-03-06 19:12 <DIR> d----c--- c:\program files\TechSmith
2009-03-06 18:50 . 2009-01-10 03:19 1,089,593 -----c--- c:\winnt\system32\dllcache\ntprint.cat
2009-03-06 18:14 . 2009-03-06 18:14 <DIR> d----c--- c:\winnt\system32\XPSViewer
2009-03-06 18:14 . 2009-03-06 18:14 <DIR> d----c--- c:\program files\MSBuild
2009-03-06 18:13 . 2009-03-06 18:13 <DIR> d----c--- c:\program files\Reference Assemblies
2009-03-06 18:12 . 2008-07-06 20:06 1,676,288 -----c--- c:\winnt\system32\xpssvcs.dll
2009-03-06 18:12 . 2008-07-06 20:06 1,676,288 -----c--- c:\winnt\system32\dllcache\xpssvcs.dll
2009-03-06 18:12 . 2008-07-06 18:50 597,504 -----c--- c:\winnt\system32\dllcache\printfilterpipelinesvc.exe
2009-03-06 18:12 . 2008-07-06 20:06 575,488 -----c--- c:\winnt\system32\xpsshhdr.dll
2009-03-06 18:12 . 2008-07-06 20:06 575,488 -----c--- c:\winnt\system32\dllcache\xpsshhdr.dll
2009-03-06 18:12 . 2008-07-06 20:06 117,760 -----c--- c:\winnt\system32\prntvpt.dll
2009-03-06 18:12 . 2008-07-06 20:06 89,088 -----c--- c:\winnt\system32\dllcache\filterpipelineprintproc.dll
2009-03-06 18:11 . 2009-03-06 18:13 <DIR> d----c--- C:\16ab3e61d8965de7f871c1849c5e8c
2009-03-06 17:28 . 2009-03-06 17:28 <DIR> d----c--- c:\program files\Microsoft
2009-03-06 15:45 . 2009-03-06 15:46 <DIR> d----c--- C:\wf
2009-03-05 16:17 . 2008-04-14 08:12 1,384,479 --a--c--- c:\winnt\system32\MSVBVM60.DLL
2009-03-05 16:17 . 2008-04-14 08:12 84,992 --a--c--- c:\winnt\system32\OLEPRO32.DLL
2009-03-05 16:17 . 2008-04-14 08:11 65,024 --a--c--- c:\winnt\system32\ASYCFILT.DLL
2009-03-05 16:17 . 2008-04-13 23:42 16,896 --a--c--- c:\winnt\system32\STDOLE2.TLB
2009-03-05 16:17 . 2004-08-04 09:07 3,584 --a--c--- c:\winnt\system32\COMCAT.DLL
2009-03-05 16:16 . 2008-04-14 08:12 551,936 --a--c--- c:\winnt\system32\OLEAUT32.DLL
2009-02-28 15:30 . 2009-02-28 15:31 <DIR> d----c--- c:\program files\Recuva
2009-02-26 14:49 . 2009-02-26 14:49 <DIR> d----c--- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-02-26 14:47 . 2009-02-26 14:47 <DIR> d----c--- c:\program files\SUPERAntiSpyware
2009-02-26 14:47 . 2009-02-26 14:47 <DIR> d----c--- c:\documents and settings\New User\Application Data\SUPERAntiSpyware.com
2009-02-26 13:28 . 2009-02-26 13:28 <DIR> d----c--- c:\program files\xp-AntiSpy
2009-02-25 15:51 . 2009-02-25 15:51 <DIR> d----c--- c:\program files\GNU
2009-02-21 16:51 . 2009-02-21 16:51 <DIR> d----c--- c:\program files\Common Files\Adobe AIR

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-20 05:54 --------- dc----w c:\program files\uTorrent
2009-03-19 21:22 --------- dc----w c:\program files\Common Files\Adobe
2009-03-18 09:01 --------- dc----w c:\program files\TuneUp Utilities 2009
2009-03-18 08:56 --------- dc--a-w c:\documents and settings\All Users\Application Data\TEMP
2009-03-18 08:56 --------- dc----w c:\program files\SpywareBlaster
2009-03-17 03:29 --------- dc----w c:\program files\Common Files\Wise Installation Wizard
2009-03-14 05:07 --------- dc----w c:\documents and settings\NetworkService\Application Data\SACore
2009-03-12 06:38 --------- dc----w c:\program files\DivX
2009-03-12 05:12 --------- dc----w c:\program files\Spybot - Search & Destroy
2009-03-11 04:53 --------- dc----w c:\documents and settings\New User\Application Data\uTorrent
2009-03-10 06:17 410,984 -c--a-w c:\winnt\system32\deploytk.dll
2009-03-02 02:59 155,384 -c--a-w c:\winnt\system32\guard32.dll
2009-03-02 02:59 110,992 -c--a-w c:\winnt\system32\drivers\cmdguard.sys
2009-02-24 06:17 --------- dc----w c:\documents and settings\All Users\Application Data\Skype
2009-02-20 10:22 --------- dc----w c:\documents and settings\All Users\Application Data\comodo
2009-02-20 10:16 24,336 -c--a-w c:\winnt\system32\drivers\cmdhlp.sys
2009-02-19 05:39 --------- dc----w c:\program files\Alwil Software
2009-02-19 05:27 --------- dc----w c:\documents and settings\All Users\Application Data\Avg8
2009-02-19 05:18 --------- dc----w c:\documents and settings\All Users\Application Data\Apple Computer
2009-02-16 06:40 --------- dc----w c:\documents and settings\New User\Application Data\Orbit
2009-02-12 05:54 --------- dc----w c:\program files\Malwarebytes' Anti-Malware
2009-02-11 02:19 38,496 -c--a-w c:\winnt\system32\drivers\mbamswissarmy.sys
2009-02-11 02:19 15,504 -c--a-w c:\winnt\system32\drivers\mbam.sys
2009-02-09 11:13 1,846,784 -c--a-w c:\winnt\system32\win32k.sys
2009-02-05 05:47 --------- dc----w c:\documents and settings\New User\Application Data\skypePM
2009-01-30 07:25 --------- dc----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-29 07:42 --------- dc----w c:\program files\EULAlyzer
2009-01-27 01:34 90,112 -c--a-w c:\winnt\system32\dpl100.dll
2009-01-27 01:34 823,296 -c--a-w c:\winnt\system32\divx_xx0c.dll
2009-01-27 01:34 823,296 -c--a-w c:\winnt\system32\divx_xx07.dll
2009-01-27 01:34 815,104 -c--a-w c:\winnt\system32\divx_xx0a.dll
2009-01-27 01:34 802,816 -c--a-w c:\winnt\system32\divx_xx11.dll
2009-01-27 01:34 684,032 -c--a-w c:\winnt\system32\DivX.dll
2009-01-25 06:10 --------- dc----w c:\documents and settings\New User\Application Data\Azureus
2009-01-25 03:40 --------- dc----w c:\documents and settings\All Users\Application Data\Azureus
2009-01-25 01:16 --------- dc----w c:\program files\Yahoo!
2009-01-25 00:57 --------- dc----w c:\documents and settings\New User\Application Data\GRETECH
2009-01-25 00:56 --------- dc----w c:\program files\GRETECH
2009-01-23 21:48 --------- dc----w c:\program files\QuickTime Alternative
2009-01-23 20:59 --------- dc----w c:\program files\IObit
2009-01-23 20:59 --------- dc----w c:\documents and settings\New User\Application Data\IObit
2009-01-23 07:26 --------- dc----w c:\program files\Java
2009-01-23 04:06 --------- dc----w c:\program files\VS Revo Group
2009-01-21 04:12 --------- dc----w c:\program files\Lavasoft
2009-01-21 04:12 --------- dc----w c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-28 09:13 603,904 ----a-w c:\winnt\system32\TUProgSt.exe
2008-12-28 09:13 360,192 -c--a-w c:\winnt\system32\TuneUpDefragService.exe
2005-07-28 11:46 271 --sh--w c:\program files\desktop.ini
2005-07-28 11:46 21,952 -c-ha-w c:\program files\folder.htt
2003-03-21 05:37 16,056 -c--a-w c:\program files\owcstp16.dll
2009-01-27 01:34 1,044,480 -c--a-w c:\program files\mozilla firefox\plugins\libdivx.dll
2009-01-27 01:34 200,704 -c--a-w c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-03-18_16.21.51.94 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-03-19 03:21:29 16,384 -c--atw c:\winnt\Temp\Perflib_Perfdata_164.dat
+ 2009-03-19 03:21:26 16,384 -c--atw c:\winnt\Temp\Perflib_Perfdata_194.dat
+ 2009-03-19 03:21:11 16,384 -c--atw c:\winnt\Temp\Perflib_Perfdata_56c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"COMODO Firewall Pro"="c:\program files\COMODO\Firewall\cfp.exe" [2009-03-02 1851128]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-06 81000]
"COMODO Internet Security"="c:\program files\COMODO\Firewall\cfp.exe" [2009-03-02 1851128]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"="internat.exe" [1999-12-07 c:\winnt\system32\internat.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe" [2008-04-14 214528]
"tscuninstall"="c:\winnt\system32\tscupgrd.exe" [2004-08-04 44544]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Firefox Preloader.lnk - c:\program files\FirefoxPreloader\FirefoxPreloader.exe [2009-03-17 98304]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\winnt\system32\logonui.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.divxa32"= msaud32_divx.acm

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

R1 aswSP;avast! Self Protection;c:\winnt\system32\drivers\aswSP.sys [2009-02-19 114768]
R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;c:\winnt\system32\drivers\cmdguard.sys [2009-01-11 110992]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;c:\winnt\system32\drivers\cmdhlp.sys [2009-01-11 24336]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-02-17 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-02-17 55024]
R2 aswFsBlk;aswFsBlk;c:\winnt\system32\drivers\aswFsBlk.sys [2009-02-19 20560]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2008-08-20 210216]
R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\winnt\system32\TUProgSt.exe [2008-12-28 603904]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-02-17 7408]
S2 0081011237349528mcinstcleanup;McAfee Application Installer Cleanup (0081011237349528);c:\winnt\TEMP\008101~1.EXE c:\progra~1\COMMON~1\McAfee\Installer\cleanup.ini -cleanup -nolog -service --> c:\winnt\TEMP\008101~1.EXE c:\progra~1\COMMON~1\McAfee\Installer\cleanup.ini -cleanup -nolog -service [?]
S3 {A7E39B01-B403-11d4-BD18-00D0B7A1821E};AIM 3.0 Part 01 Codec Driver VCH-A;c:\winnt\system32\drivers\vch.sys [2005-07-28 20533]
S3 EL90BC;3Com EtherLink XL B/C Adapter Driver;c:\winnt\system32\drivers\el90Xbc5.SYS [2005-07-28 73827]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2009-03-20 c:\winnt\Tasks\AWC Update.job
- c:\program files\IObit\Advanced SystemCare 3\IObitUpdate.exe [2009-02-23 17:38]

2009-03-20 c:\winnt\Tasks\AWC Update.job
- c:\program files\IObit\Advanced SystemCare 3\ [2009-03-14 05:35]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
DPF: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java
FF - ProfilePath - c:\documents and settings\New User\Application Data\Mozilla\Firefox\Profiles\ihc3yk9o.default\
FF - prefs.js: browser.search.selectedEngine - Orbit Search (Powered By Google)
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-connections-per-server - 8
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
FF - user.js: network.http.max-persistent-connections-per-server - 4
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-20 23:57:39
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwClose, ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(436)
c:\winnt\system32\guard32.dll
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'lsass.exe'(496)
c:\winnt\system32\guard32.dll
.
Completion time: 2009-03-21 0:02:40
ComboFix-quarantined-files.txt 2009-03-20 16:02:32
ComboFix2.txt 2009-03-18 08:24:52

Pre-Run: 23,154,778,112 bytes free
Post-Run: 23,146,254,336 bytes free

Current=6 Default=6 Failed=5 LastKnownGood=1 Sets=1,2,3,4,5,6
215 --- E O F --- 2009-03-14 03:18:53

I have a question. While I ran the second scan when I merged CFScript with ComboFix (also noticed this the first time I ran ComboFix when you instructed me) this appeared after 'Stage 20':

[attachment=2186:combowhat.png]

#31 nasdaq (Forum Deity, Global Moderator, 49,276 posts)

Posted 21 March 2009 - 06:48 AM

Locate this file in your combofix folder bug.txt

Open it with NotePad and post the results here.
===

What are the contents of your boot.ini file?
Is your boot problem solved?
nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in any way, please consider Donating,
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760

#32 tokenizer (Member, Full Member, 61 posts)

Posted 21 March 2009 - 09:51 PM

Hey Nasdaq!

Nope, problem is still there. I still can't view any boot mode functions. Just tried to run chkdsk now, nothing, just a black screen.
Here are the contents of my boot.ini file:

[boot loader]
timeout=3
default=multi(0)disk(0)rdisk(0)partition(1)\WINNT
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINNT="1" 1
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

I was wondering if there is any way I can remove multi(0)disk(0)rdisk(0)partition(1)\WINNT="1" 1 I created this accidentally when I was trying to find a way to fix my boot problem with the recovery console. Does this entry get removed if I just delete it from the boot.ini file and overwrite it?

Also, was trying to find the bug.txt but I can't find the combofix folder in C:\. Tried checking program files, it's not there either, and tried searching for it. I do have a folder in C:\ labeled Qoobox. I tried checking that folder too but no bug.txt.

I'm guessing this problem I have where I can't view my boot functions must be some hardware issue. Just don't understand if it is an actual hardware issue, then why can I still log into windows and perform normally? Maybe sometime in December or January something important in my registry got altered.

#33 nasdaq (Forum Deity, Global Moderator, 49,276 posts)

Posted 22 March 2009 - 06:54 AM

Open the Boot.ini file with NotePad and just place a semi-colon in front of this line.

multi(0)disk(0)rdisk(0)partition(1)\WINNT="1" 1

See below.

This line will then be ignored at boot time.

[boot loader]
timeout=3
default=multi(0)disk(0)rdisk(0)partition(1)\WINNT
[operating systems]
;multi(0)disk(0)rdisk(0)partition(1)\WINNT="1" 1
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

Save the file and restart the computer normally.

How is it now?
nasdaq

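
The semicolon trick above works because NTLDR skips any boot.ini line that starts with ';'. As an added illustration (not code from the thread), here is a small Python parser that reads boot.ini the same way, lists the entries that would actually appear in the boot menu, and checks that the default= path still resolves to an uncommented entry. The sample boot.ini is constructed from the lines posted above; the function names are my own.

```python
"""Parse an NT-style boot.ini the way NTLDR reads it: lines starting with ';'
are comments and never reach the boot menu.  Added example, not from the
thread; the sample below is constructed from the entries shown in the posts."""

import re
from typing import Dict, List, Tuple

# Constructed sample: the poster's boot.ini after the stray "1" entry was
# commented out with a leading semicolon.
SAMPLE_BOOT_INI = r"""[boot loader]
timeout=3
default=multi(0)disk(0)rdisk(0)partition(1)\WINNT
[operating systems]
;multi(0)disk(0)rdisk(0)partition(1)\WINNT="1" 1
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
"""

# path="label" options...   (the first '=' separates the ARC path from the label)
_ENTRY_RE = re.compile(r'^(?P<path>[^=]+)="(?P<label>[^"]*)"(?P<opts>.*)$')


def parse_boot_ini(text: str) -> Tuple[Dict[str, str], List[dict]]:
    """Return ([boot loader] settings, effective [operating systems] entries).
    Blank lines and ';' comment lines are skipped, as the loader does."""
    loader: Dict[str, str] = {}
    entries: List[dict] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "boot loader":
            key, _, value = line.partition("=")
            loader[key.strip().lower()] = value.strip()
        elif section == "operating systems":
            m = _ENTRY_RE.match(line)
            if not m:
                raise ValueError(f"unparseable boot entry: {line!r}")
            entries.append({
                "path": m.group("path").strip(),
                "label": m.group("label"),
                "options": m.group("opts").split(),
            })
    return loader, entries


def menu_labels(text: str) -> List[str]:
    """Labels NTLDR would offer in the boot menu (commented entries excluded)."""
    return [e["label"] for e in parse_boot_ini(text)[1]]


def default_is_bootable(text: str) -> bool:
    """True when 'default=' points at a path that still has an uncommented entry."""
    loader, entries = parse_boot_ini(text)
    target = loader.get("default", "").lower()
    return any(e["path"].lower() == target for e in entries)


if __name__ == "__main__":
    print(menu_labels(SAMPLE_BOOT_INI))
    print("default bootable:", default_is_bootable(SAMPLE_BOOT_INI))
```

Reading boot.ini this way is also a cheap integrity check: an entry you did not create, like the stray "1" line in this thread, is exactly the kind of thing to notice, and the parser shows what the menu will contain before you reboot to find out.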

#34 tokenizer (Member, Full Member, 61 posts)

Posted 22 March 2009 - 10:10 PM

Thanks for the tip Nasdaq! It works, it goes straight to Microsoft Windows XP Professional. If you don't mind me asking, is there a way to completely omit multi(0)disk(0)rdisk(0)partition(1)\WINNT="1" 1? So I don't have to see a "1" option when booting up, or there's no way to remove it.

Also, can I delete combofix already? I forgot how to delete it. Rocket Grannie taught me before. I appreciate all the help Nasdaq! Maybe one day magically I'll be able to view my boot functions again.

#35 nasdaq (Forum Deity, Global Moderator, 49,276 posts)

Posted 23 March 2009 - 08:39 AM

Yes delete this line from the boot.ini file ;multi(0)disk(0)rdisk(0)partition(1)\WINNT="1" 1
Make sure it's the only line removed and do not leave a blank line, save the file.

Please read this Prevention page with lots of info and tips how to prevent this in the future.
How did I get infected in the first place?
http://spywareinfofo...showtopic=60955
===

Time for some housekeeping
The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u

I'm sorry it took me so long to delete that bad line from the boot.ini file, but I did not want to make an error and be sorry.

Regards.
nasdaq


#36 tokenizer (Member, Full Member, 61 posts)

Posted 24 March 2009 - 01:06 AM

That's ok! Thanks for all the help Nasdaq! I was able to remove the "1" option from my boot choices. Also was able to successfully remove ComboFix. I'll cease my search for a way to fix my problem to see boot functions. I might end up doing more harm in the long run by accidentally messing something up in my registry or PC.

Oh, one last question. What's your personal preference in PC protection? As Rocket Grannie told me before her preference is
Firewall- Online Armor
Antivirus- Avast
Spyware- Malwarebytes/Spybot Search and Destroy w/ Tea timer/Spywareblaster

Mine is pretty much the same except for Online Armor; I have Comodo Firewall. I've also been hearing about the new Antivir and it looks like an improvement now since you don't have to pay for the full version to use their spyware protection (I hear AntiVir has the best detection rate when running a scan). It's just hard for me to switch from Avast since it has so many modes of real time protection and its update function is simple and fast.

Lastly, I was wondering why a number of people at the place I work at suggest that typing: mystring=(80000000) in notepad and save as ram.vbe is supposed to make your PC faster. I honestly don't know what this is supposed to do exactly but it just looks like it will end up ruining your PC in the long run.

#37 nasdaq (Forum Deity, Global Moderator, 49,276 posts)

Posted 24 March 2009 - 08:25 AM

Oh, one last question. What's your personal preference in PC protection?


It's all a matter of preference. Had been using Norton and ZoneAlarm on my previous PCs. Now I have Vista and only using Norton 360 Virus and Firewall. I like the combo since if something goes wrong I know who to blame.

If you are happy with what you have do not change it.

mystring=(80000000)

It would seem that this fix would free your RAM of garbage.

http://forums.speedg...ead.php?t=78825
Mind you, it's dated 2002. That may have been a good fix in those days, but with today's computers I do not know.
In any event each time you Power Down the computer the RAM is clear.

Does not work all the time.
http://www.gamespot....pic_id=26139416
nasdaq


#38 tokenizer (Member, Full Member, 61 posts)

Posted 26 March 2009 - 01:54 PM

Hey Nasdaq!

Tried the mystring with notepad and it pretty much works for me. I guess it works because believe it or not, my RAM is only 512.

Anyway, just for one last good measure and I hope you don't mind. I ran the RegSrch.vbs and typed in BootExecute again, just wondering if now there might be something different w/ the scan. Here are the results.

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "BootExecute" 27/03/2009 03:37:09

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager]
"BootExecute"=hex(7):61,75,74,6f,63,68,65,63,6b,20,61,75,74,6f,63,68,6b,20,2a,\

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Control\Session Manager]
"BootExecute"=hex(7):61,75,74,6f,63,68,65,63,6b,20,61,75,74,6f,63,68,6b,20,2a,\

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet006\Control\Session Manager]
"BootExecute"=hex(7):61,75,74,6f,63,68,65,63,6b,20,61,75,74,6f,63,68,6b,20,2f,\

[HKEY_LOCAL_MACHINE\SYSTEM\Software\Comodo\Firewall Pro\Configurations\0\HIPS\Policy\133\Rules\3\Allowed\6]
"Filename"="HKLM\\SYSTEM\\ControlSet001\\Control\\Session Manager\\BootExecute"

[HKEY_LOCAL_MACHINE\SYSTEM\Software\Comodo\Firewall Pro\Configurations\0\HIPS\Policy\133\Rules\3\Allowed\6]
"DeviceName"="HKLM\\SYSTEM\\ControlSet001\\Control\\Session Manager\\BootExecute"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
"BootExecute"=hex(7):61,75,74,6f,63,68,65,63,6b,20,61,75,74,6f,63,68,6b,20,2a,\

If there's nothing different that you see from the previous post when I ran it before, then I will just accept that this cannot be fixed. Hope you don't mind looking into it one last time. Thanks.
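
BootExecute is the REG_MULTI_SZ that smss.exe runs before the Win32 subsystem is up; autochk, which produces the blue boot-time check disk screen, is launched from it. RegSrch.vbs prints the value as REGEDIT4 hex(7), and the output above is cut off after the first line of each value (the last byte shown differs between control sets: 2a is '*', 2f is '/'). The added Python below, which is not from the thread or from RegSrch.vbs, joins the continuation lines, decodes the bytes, and flags any control set whose BootExecute is not the Windows XP default "autocheck autochk *". The sample export is constructed: ControlSet002 and example.exe are made up to show a flagged entry. It assumes REGEDIT4 single-byte ANSI encoding, not the UTF-16 that "Windows Registry Editor Version 5.00" exports use.

```python
"""Decode REG_MULTI_SZ ("hex(7)") values from a REGEDIT4-format export and
compare each BootExecute with the Windows XP default.  Added example, not from
the thread; the sample export is constructed (the thread's values are truncated
after one line, so complete values are invented here for illustration)."""

import re
from typing import Dict, List

# Constructed sample in REGEDIT4 format.  REGEDIT4 stores hex(7) as single-byte
# ANSI, so 61,75,74,... spells "aut...".  A trailing backslash continues the
# value on the next line.  ControlSet002 / example.exe are made up.
SAMPLE_REG = r"""REGEDIT4
; constructed sample, not a real export

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager]
"BootExecute"=hex(7):61,75,74,6f,63,68,65,63,6b,20,61,75,74,6f,63,68,6b,20,2a,\
  00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Session Manager]
"BootExecute"=hex(7):61,75,74,6f,63,68,65,63,6b,20,61,75,74,6f,63,68,6b,20,2a,\
  00,65,78,61,6d,70,6c,65,2e,65,78,65,00,00
"""

# Default BootExecute on Windows XP: one string, "autocheck autochk *".
XP_DEFAULT_BOOTEXECUTE = ["autocheck autochk *"]

_KEY_RE = re.compile(r"^\[(.+)\]$")
_HEX7_RE = re.compile(r'^"(?P<name>[^"]+)"=hex\(7\):(?P<data>.*)$')


def _join_continuations(text: str) -> List[str]:
    """Merge lines ending in a backslash with the following line."""
    out: List[str] = []
    buf = ""
    for line in text.splitlines():
        stripped = buf + line.strip()
        buf = ""
        if stripped.endswith("\\"):
            buf = stripped[:-1]
            continue
        out.append(stripped)
    if buf:
        out.append(buf)
    return out


def decode_multi_sz(hex_csv: str) -> List[str]:
    """Turn '61,75,...,00,00' into the list of strings a REG_MULTI_SZ holds."""
    raw = bytes(int(b, 16) for b in hex_csv.split(",") if b)
    text = raw.decode("latin-1")
    # MULTI_SZ strings are NUL-separated; the list ends with an empty string.
    return [s for s in text.split("\0") if s]


def find_multi_sz_values(text: str, value_name: str) -> Dict[str, List[str]]:
    """Map registry key -> decoded strings for every hex(7) value named value_name."""
    result: Dict[str, List[str]] = {}
    current_key = None
    for line in _join_continuations(text):
        k = _KEY_RE.match(line)
        if k:
            current_key = k.group(1)
            continue
        v = _HEX7_RE.match(line)
        if v and current_key and v.group("name").lower() == value_name.lower():
            result[current_key] = decode_multi_sz(v.group("data"))
    return result


def nondefault_bootexecute(text: str) -> Dict[str, List[str]]:
    """Keys whose BootExecute differs from the XP default.  Anything extra here
    runs as a native program before logon, so it deserves a second look."""
    return {k: v for k, v in find_multi_sz_values(text, "BootExecute").items()
            if v != XP_DEFAULT_BOOTEXECUTE}


if __name__ == "__main__":
    for key, strings in find_multi_sz_values(SAMPLE_REG, "BootExecute").items():
        print(key, "->", strings)
    print("non-default:", nondefault_bootexecute(SAMPLE_REG))
```

Run against a real RegSrch.vbs or regedit export saved as .reg, the same comparison tells you at a glance whether the control set you boot from (Current=6 in the ComboFix log above) still carries only the stock autochk entry.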

#39 nasdaq (Forum Deity, Global Moderator, 49,276 posts)

Posted 27 March 2009 - 07:39 AM

I'm checking with the experts. Stay with me.
nasdaq


#40 nasdaq (Forum Deity, Global Moderator, 49,276 posts)

Posted 28 March 2009 - 07:25 AM

Please run this directive with Combofix.

Open notepad and copy/paste the text in the quote box below into it:

FixCSet::


Save this as CFScript on your desktop.

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log with a fresh copy of HijackThis.

Let me know if the problem persists.
nasdaq


#41 tokenizer (Member, Full Member, 61 posts)

Posted 28 March 2009 - 10:55 PM

Hey Nasdaq!

I guess I have to stop pushing my luck, tried to run a Chkdsk and still can't see actual function. First time I ran ComboFix with the new CFScript code you posted, after ComboFix finished scanning it rebooted the computer and then when it logged back on to windows, it was creating the log file. It was taking like 30 mins or so and then my computer blue screened indicating a Stop error.

I restarted my computer and dragged the CfScript again, this time the computer rebooted and everything went smoothly.

Here's the log file from ComboFix:

ComboFix 09-03-28.04 - New User 2009-03-29 12:16:54.7 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.249 [GMT 8:00]
Running from: c:\documents and settings\New User\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\New User\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1335 [VPS 090328-0] *On-access scanning disabled* (Updated)
FW: COMODO Firewall *enabled*
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-02-28 to 2009-03-29 )))))))))))))))))))))))))))))))
.

2009-03-26 14:27 . 2009-03-26 14:26 73,728 --a--c--- c:\winnt\system32\javacpl.cpl
2009-03-25 16:01 . 2009-03-25 17:50 <DIR> d----c--- c:\documents and settings\New User\Application Data\vlc
2009-03-25 15:57 . 2009-03-25 15:57 <DIR> d----c--- c:\program files\VideoLAN
2009-03-19 11:36 . 2009-03-19 11:36 <DIR> d----c--- c:\winnt\system32\config\systemprofile\Application Data\SACore
2009-03-17 12:49 . 2005-01-19 10:15 28,672 --a--c--- c:\winnt\system32\regclass.dll
2009-03-12 17:31 . 2009-03-12 17:31 <DIR> d----c--- c:\documents and settings\New User\Application Data\r2 Studios
2009-03-12 17:31 . 2009-03-12 17:31 <DIR> d----c--- c:\documents and settings\All Users\Application Data\r2 Studios
2009-03-12 14:13 . 2009-03-12 14:37 <DIR> d----c--- c:\program files\Common Files\DivX Shared
2009-03-06 19:12 . 2009-03-06 19:12 <DIR> d----c--- c:\program files\TechSmith
2009-03-06 18:50 . 2009-01-10 03:19 1,089,593 -----c--- c:\winnt\system32\dllcache\ntprint.cat
2009-03-06 18:14 . 2009-03-06 18:14 <DIR> d----c--- c:\winnt\system32\XPSViewer
2009-03-06 18:14 . 2009-03-06 18:14 <DIR> d----c--- c:\program files\MSBuild
2009-03-06 18:13 . 2009-03-06 18:13 <DIR> d----c--- c:\program files\Reference Assemblies
2009-03-06 18:12 . 2008-07-06 20:06 1,676,288 -----c--- c:\winnt\system32\xpssvcs.dll
2009-03-06 18:12 . 2008-07-06 20:06 1,676,288 -----c--- c:\winnt\system32\dllcache\xpssvcs.dll
2009-03-06 18:12 . 2008-07-06 18:50 597,504 -----c--- c:\winnt\system32\dllcache\printfilterpipelinesvc.exe
2009-03-06 18:12 . 2008-07-06 20:06 575,488 -----c--- c:\winnt\system32\xpsshhdr.dll
2009-03-06 18:12 . 2008-07-06 20:06 575,488 -----c--- c:\winnt\system32\dllcache\xpsshhdr.dll
2009-03-06 18:12 . 2008-07-06 20:06 117,760 -----c--- c:\winnt\system32\prntvpt.dll
2009-03-06 18:12 . 2008-07-06 20:06 89,088 -----c--- c:\winnt\system32\dllcache\filterpipelineprintproc.dll
2009-03-06 18:11 . 2009-03-06 18:13 <DIR> d----c--- C:\16ab3e61d8965de7f871c1849c5e8c
2009-03-06 17:28 . 2009-03-06 17:28 <DIR> d----c--- c:\program files\Microsoft
2009-03-06 15:45 . 2009-03-06 15:46 <DIR> d----c--- C:\wf
2009-03-05 16:17 . 2008-04-14 08:12 1,384,479 --a--c--- c:\winnt\system32\MSVBVM60.DLL
2009-03-05 16:17 . 2008-04-14 08:12 84,992 --a--c--- c:\winnt\system32\OLEPRO32.DLL
2009-03-05 16:17 . 2008-04-14 08:11 65,024 --a--c--- c:\winnt\system32\dllcache\asycfilt.dll
2009-03-05 16:17 . 2008-04-14 08:11 65,024 --a--c--- c:\winnt\system32\ASYCFILT.DLL
2009-03-05 16:17 . 2008-04-13 23:42 16,896 --a--c--- c:\winnt\system32\STDOLE2.TLB
2009-03-05 16:17 . 2004-08-04 09:07 3,584 --a--c--- c:\winnt\system32\COMCAT.DLL
2009-03-05 16:16 . 2008-04-14 08:12 551,936 --a--c--- c:\winnt\system32\OLEAUT32.DLL

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-29 04:14 --------- dc----w c:\program files\uTorrent
2009-03-28 08:50 --------- dc----w c:\documents and settings\New User\Application Data\uTorrent
2009-03-26 18:17 --------- dc--a-w c:\documents and settings\All Users\Application Data\TEMP
2009-03-26 18:17 --------- dc----w c:\program files\SpywareBlaster
2009-03-26 06:26 410,984 -c--a-w c:\winnt\system32\deploytk.dll
2009-03-25 07:43 --------- dc----w c:\program files\GRETECH
2009-03-24 08:34 361,600 -c--a-w c:\winnt\system32\drivers\tcpip.sys
2009-03-19 21:22 --------- dc----w c:\program files\Common Files\Adobe
2009-03-18 09:01 --------- dc----w c:\program files\TuneUp Utilities 2009
2009-03-17 03:29 --------- dc----w c:\program files\Common Files\Wise Installation Wizard
2009-03-14 05:07 --------- dc----w c:\documents and settings\NetworkService\Application Data\SACore
2009-03-12 06:38 --------- dc----w c:\program files\DivX
2009-03-12 05:12 --------- dc----w c:\program files\Spybot - Search & Destroy
2009-03-02 02:59 155,384 -c--a-w c:\winnt\system32\guard32.dll
2009-03-02 02:59 110,992 -c--a-w c:\winnt\system32\drivers\cmdguard.sys
2009-02-28 07:31 --------- dc----w c:\program files\Recuva
2009-02-26 06:49 --------- dc----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-02-26 06:47 --------- dc----w c:\program files\SUPERAntiSpyware
2009-02-26 06:47 --------- dc----w c:\documents and settings\New User\Application Data\SUPERAntiSpyware.com
2009-02-26 05:28 --------- dc----w c:\program files\xp-AntiSpy
2009-02-25 07:51 --------- dc----w c:\program files\GNU
2009-02-24 06:17 --------- dc----w c:\documents and settings\All Users\Application Data\Skype
2009-02-21 08:51 --------- dc----w c:\program files\Common Files\Adobe AIR
2009-02-20 10:22 --------- dc----w c:\documents and settings\All Users\Application Data\comodo
2009-02-20 10:16 24,336 -c--a-w c:\winnt\system32\drivers\cmdhlp.sys
2009-02-19 05:39 --------- dc----w c:\program files\Alwil Software
2009-02-19 05:27 --------- dc----w c:\documents and settings\All Users\Application Data\Avg8
2009-02-19 05:18 --------- dc----w c:\documents and settings\All Users\Application Data\Apple Computer
2009-02-16 06:40 --------- dc----w c:\documents and settings\New User\Application Data\Orbit
2009-02-12 05:54 --------- dc----w c:\program files\Malwarebytes' Anti-Malware
2009-02-11 02:19 38,496 -c--a-w c:\winnt\system32\drivers\mbamswissarmy.sys
2009-02-11 02:19 15,504 -c--a-w c:\winnt\system32\drivers\mbam.sys
2009-02-09 11:13 1,846,784 -c--a-w c:\winnt\system32\win32k.sys
2009-02-05 05:47 --------- dc----w c:\documents and settings\New User\Application Data\skypePM
2009-01-30 07:25 --------- dc----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-29 07:42 --------- dc----w c:\program files\EULAlyzer
2009-01-27 01:34 90,112 -c--a-w c:\winnt\system32\dpl100.dll
2009-01-27 01:34 823,296 -c--a-w c:\winnt\system32\divx_xx0c.dll
2009-01-27 01:34 823,296 -c--a-w c:\winnt\system32\divx_xx07.dll
2009-01-27 01:34 815,104 -c--a-w c:\winnt\system32\divx_xx0a.dll
2009-01-27 01:34 802,816 -c--a-w c:\winnt\system32\divx_xx11.dll
2009-01-27 01:34 684,032 -c--a-w c:\winnt\system32\DivX.dll
2005-07-28 11:46 271 --sh--w c:\program files\desktop.ini
2005-07-28 11:46 21,952 -c-ha-w c:\program files\folder.htt
2003-03-21 05:37 16,056 -c--a-w c:\program files\owcstp16.dll
2009-01-27 01:34 1,044,480 -c--a-w c:\program files\mozilla firefox\plugins\libdivx.dll
2009-01-27 01:34 200,704 -c--a-w c:\program files\mozilla firefox\plugins\ssldivx.dll
.

------- Sigcheck -------

2005-05-26 03:07 359936 63fdfea54eb53de2d863ee454937ce1e c:\winnt\$hf_mig$\KB893066\SP2QFE\tcpip.sys
2006-01-14 01:07 360448 5562cc0a47b2aef06d3417b733f3c195 c:\winnt\$hf_mig$\KB913446\SP2QFE\tcpip.sys
2006-04-20 20:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 c:\winnt\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2008-06-20 19:59 361600 ad978a1b783b5719720cff204b666c8e c:\winnt\$hf_mig$\KB951748\SP3QFE\tcpip.sys
2009-03-24 16:34 361344 8e036eec565910417ea020ce0962aa24 c:\winnt\ServicePackFiles\i386\tcpip.sys
2009-03-24 16:34 361600 d24ea301e2b36c4e975fd216ca85d8e7 c:\winnt\system32\dllcache\tcpip.sys
2009-03-24 16:34 361600 d24ea301e2b36c4e975fd216ca85d8e7 c:\winnt\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-06 81000]
"COMODO Firewall Pro"="c:\program files\COMODO\Firewall\cfp.exe" [2009-03-02 1851128]
"COMODO Internet Security"="c:\program files\COMODO\Firewall\cfp.exe" [2009-03-02 1851128]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"="internat.exe" [1999-12-07 c:\winnt\system32\internat.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe" [2008-04-14 214528]
"tscuninstall"="c:\winnt\system32\tscupgrd.exe" [2004-08-04 44544]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\winnt\system32\logonui.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahsc--- 2009-03-05 16:07 2260480 c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a--c--- 2009-03-26 14:26 148888 c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\uTorrent\\utorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

R1 aswSP;avast! Self Protection;c:\winnt\system32\drivers\aswSP.sys [2009-02-19 114768]
R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;c:\winnt\system32\drivers\cmdguard.sys [2009-01-11 110992]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;c:\winnt\system32\drivers\cmdhlp.sys [2009-01-11 24336]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-02-17 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-02-17 55024]
R2 aswFsBlk;aswFsBlk;c:\winnt\system32\drivers\aswFsBlk.sys [2009-02-19 20560]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2008-08-20 210216]
R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\winnt\system32\TUProgSt.exe [2008-12-28 603904]
S2 0081011237349528mcinstcleanup;McAfee Application Installer Cleanup (0081011237349528);c:\winnt\TEMP\008101~1.EXE c:\progra~1\COMMON~1\McAfee\Installer\cleanup.ini -cleanup -nolog -service --> c:\winnt\TEMP\008101~1.EXE c:\progra~1\COMMON~1\McAfee\Installer\cleanup.ini -cleanup -nolog -service [?]
S3 {A7E39B01-B403-11d4-BD18-00D0B7A1821E};AIM 3.0 Part 01 Codec Driver VCH-A;c:\winnt\system32\drivers\vch.sys [2005-07-28 20533]
S3 EL90BC;3Com EtherLink XL B/C Adapter Driver;c:\winnt\system32\drivers\el90Xbc5.SYS [2005-07-28 73827]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-02-17 7408]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2009-03-29 c:\winnt\Tasks\AWC Update.job
- c:\program files\IObit\Advanced SystemCare 3\IObitUpdate.exe [2009-03-22 16:22]

2009-03-29 c:\winnt\Tasks\AWC Update.job
- c:\program files\IObit\Advanced SystemCare 3\ [2009-03-22 16:37]

2009-03-21 c:\winnt\Tasks\SmartDefrag.job
- c:\program files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe [2009-02-13 18:15]

2009-03-21 c:\winnt\Tasks\SmartDefrag.job
- c:\program files\IObit\IObit SmartDefrag\ [2009-03-04 15:08]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
DPF: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java
FF - ProfilePath - c:\documents and settings\New User\Application Data\Mozilla\Firefox\Profiles\ihc3yk9o.default\
FF - prefs.js: browser.search.selectedEngine - Orbit Search (Powered By Google)
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-connections-per-server - 8
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
FF - user.js: network.http.max-persistent-connections-per-server - 4
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-29 12:27:48
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwClose, ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(440)
c:\winnt\system32\guard32.dll
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'lsass.exe'(500)
c:\winnt\system32\guard32.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\COMODO\Firewall\cmdagent.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Diskeeper Corporation\Diskeeper\DkService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\winnt\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-03-29 12:33:24 - machine was rebooted [New User]
ComboFix-quarantined-files.txt 2009-03-29 04:33:15
ComboFix2.txt 2009-03-20 16:02:46

Pre-Run: 16,843,767,808 bytes free
Post-Run: 16,749,674,496 bytes free

223 --- E O F --- 2009-03-14 03:18:53

Here's the HijackThis log file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:35:46, on 29/03/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\WINNT\System32\TUProgSt.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\WINNT\system32\wscntfy.exe
C:\WINNT\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\siteadvisor\mcieplg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\siteadvisor\mcieplg.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKUS\S-1-5-18\..\Run: [internat.exe] internat.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINNT\system32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/...UI.cab46479.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} -
O16 - DPF: {339234B4-4E14-4280-B8B4-8BAE5AF99063} (Chess Object) - http://zone.msn.com/...rp.cab48295.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/...dy.cab32846.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/...at.cab32846.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1124461868708
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/p...owserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1231039853665
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn...ro.cab34246.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/...xy.cab41227.cab
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\siteadvisor\mcieplg.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: McAfee Application Installer Cleanup (0081011237349528) (0081011237349528mcinstcleanup) - Unknown owner - C:\WINNT\TEMP\008101~1.EXE (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\WINNT\System32\TuneUpDefragService.exe
O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\WINNT\System32\TUProgSt.exe

--
End of file - 7507 bytes

#42 nasdaq (Global Moderator, Forum Deity, 49,276 posts)

Posted 29 March 2009 - 08:01 AM

Well my script worked. Your control set was reset.

Nice Work your logs are clean.

Please read this Prevention page with lots of info and tips how to prevent this in the future.
How did I get infected in the first place?
http://spywareinfofo...showtopic=60955
===

Time for some housekeeping
The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u

Something did happen when you changed your virus protection software.

The defrag is now handled by SmartDefrag from IOBIT.
http://www.iobit.com...artdefrag.html#

On the link above you have a Support link to an FAQ and a Forum.

You may want to check it and see if any useful information can be found on this.

I'm really out of suggestions.
nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in any way, please consider Donating;
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760

#43 brunildo (Full Member, 1 post)

Posted 03 April 2009 - 01:57 PM

Hello tokenizer,

I found this thread because I'm having the exact same problem as you on a new system I'm trying to set up: I mean no visible output from any of the programs that should run as "BootExecute". In my case the problem does not seem related to any virus or malware; rather, it seems to be a very strange incompatibility between the graphics card (or its driver) and something else. Indeed, when I change the graphics card the problem disappears.
Could you try a different graphics card, or at least uninstall all its specific drivers so that the system restarts with a standard VGA driver, and see if the problem disappears?
So far I haven't been able to identify the exact reason for the incompatibility, so knowing what happens in your case may be helpful to me as well.
Hope this is not too off topic here.

Bruno

#44 tokenizer (Full Member, 61 posts)

Posted 03 April 2009 - 08:20 PM

Hey Nasdaq!

I was just looking at the TeaTimer log in Spybot and examining all the BootExecute-related entries. I might have either allowed or denied a specific request that altered something in the registry. I'm not really sure, because I don't really understand some of them. Do you think this could be the cause of my problem?

Here are the log entries in TeaTimer:

10/01/2009 22:36:06 Allowed (based on user decision) value "BootExecute" (new data: "autocheck autochk *
autocheck AUTONTFS C: PAGE=MIN DIRS=NONE MFT=MIN
") changed in Session manager!

11/01/2009 03:43:30 Allowed (based on user decision) value "BootExecute" (new data: "autocheck autochk *
") changed in Session manager!

14/01/2009 14:10:06 Allowed (based on user decision) value "BootExecute" (new data: "autocheck autochk *
pgdfgsvc C 1 -o
") changed in Session manager!

14/01/2009 14:12:22 Denied (based on user decision) value "BootExecute" (new data: "autocheck autochk *
") changed in Session manager!

14/01/2009 14:14:04 Allowed (based on user decision) value "BootExecute" (new data: "autocheck autochk *
*
") changed in Session manager!

2009-01-14 14:39:43 Denied (based on user decision) value "BootExecute" (new data: "autocheck autochk *
autocheck *
") changed in Session manager!

2009-01-14 14:39:44 Denied (based on user decision) value "BootExecute" (new data: "autocheck autochk *
autocheck *
") changed in Session manager!

2009-01-15 12:37:34 Allowed (based on user decision) value "BootExecute" (new data: "autocheck autochk *
autocheck *
") changed in Session manager!

2009-01-15 12:37:36 Allowed (based on user decision) value "BootExecute" (new data: "autocheck autochk *
autocheck *
") changed in Session manager!

20/01/2009 17:55:10 Allowed (based on user decision) value "BootExecute" (new data: "autocheck autochk *
autocheck *
lsdelete
") changed in Session manager!

21/01/2009 12:05:07 Allowed (based on user decision) value "BootExecute" (new data: "autocheck autochk *
autocheck *
autocheck lsdelete
") changed in Session manager!

21/01/2009 12:05:08 Allowed (based on user decision) value "BootExecute" (new data: "autocheck autochk *
autocheck *
autocheck lsdelete
") changed in Session manager!

24/01/2009 08:38:18 Allowed (based on user decision) value "BootExecute" (new data: "autocheck autochk *
autocheck *
autocheck lsdelete C:\DOCUME~1\ALLUSE~1\APPLIC~1\SPYWAR~1\sp_rsdel.exe "\??\C:\DOCUME~1\ALLUSE~1\APPLIC~1\SPYWAR~1\sp_rsdel.dat") changed in Session manager!

24/01/2009 08:38:32 Allowed (based on user decision) value "BootExecute" (new data: "autocheck autochk *
autocheck *
autocheck lsdelete

") changed in Session manager!

09/02/2009 16:08:51 Allowed (based on user decision) value "BootExecute" (new data: "autocheck autochk /r \??\D:
autocheck autochk *
autocheck *
autocheck lsdelete
") changed in Session manager!

19/02/2009 14:38:21 Allowed (based on user decision) value "BootExecute" (new data: "autocheck autochk /r \??\D:
autocheck autochk *
autocheck *
autocheck lsdelete
aswBoot.exe /A:"*" /L:"English" /RA:delete /archives /KBD:2
") changed in Session manager!

19/02/2009 15:12:08 Denied (based on user decision) value "BootExecute" (new data: "autocheck autochk /r \??\D:
autocheck autochk *
autocheck *
autocheck lsdelete
") changed in Session manager!

I hope you don't mind looking into these log entries. Thanks!

#45 nasdaq (Global Moderator, Forum Deity, 49,276 posts)

Posted 04 April 2009 - 06:30 AM

The default for "BootExecute" is usually autocheck autochk *. It appears that Lavasoft's Ad-Aware 2007 adds the extra parameter lsdelete (that's LSDELETE, not ISDELETE as you indicated).

I do not see any trace of Ad-Aware. Is it installed, or was it previously installed?

What I would try is to remove Spybot via the Add/Remove Programs tool and reinstall it.
nasdaq

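
The entries posted in #44 and the default nasdaq gives in #45 can be checked mechanically rather than by eye. The script below is an added example for this thread; it is not part of Spybot, TeaTimer, Windows or any other tool named above. It parses TeaTimer's "BootExecute" change notifications, replays them to reconstruct the value the registry should hold (on the assumption, which is mine, that a Denied change never reached the registry and only Allowed changes moved the value forward), and labels each line of the result: the Windows default autocheck autochk *, a scheduled chkdsk (autocheck autochk /r ...), an entry with no program to run (a bare * or autocheck *), one of the tools named in the thread, or anything else, which gets flagged for review. The attribution of lsdelete to Ad-Aware comes from post #45; treating pgdfgsvc as PageDefrag's boot-time program and aswBoot.exe as avast's boot-time scanner is my assumption, based on the tools the poster says were installed. The sample log is constructed from six of the entries posted above, copied verbatim.

```python
"""Parse Spybot TeaTimer 'BootExecute' change notifications and replay them.

Added example for this thread; not part of Spybot, Windows or any tool named
above.  BootExecute is the REG_MULTI_SZ value under
HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager that smss.exe runs
before the logon screen appears, so anything unexpected in it deserves a look.
"""
import re
from dataclasses import dataclass

# Windows XP default, as stated in the thread.
DEFAULT_BOOTEXECUTE = ["autocheck autochk *"]

# One TeaTimer entry: timestamp (the posted log mixes dd/mm/yyyy and
# yyyy-mm-dd), verdict, then the new multi-string value, one entry per line.
ENTRY_RE = re.compile(
    r'^(?P<ts>(?:\d{2}/\d{2}/\d{4}|\d{4}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2}) '
    r'(?P<verdict>Allowed|Denied) \(based on user decision\) '
    r'value "BootExecute" \(new data: "(?P<data>.*?)"\) changed in Session manager!',
    re.MULTILINE | re.DOTALL,
)


@dataclass
class BootExecuteChange:
    timestamp: str
    allowed: bool
    entries: list


def parse_teatimer_log(text):
    """Return the BootExecute changes in the order TeaTimer logged them."""
    changes = []
    for m in ENTRY_RE.finditer(text):
        entries = [ln.strip() for ln in m.group("data").splitlines() if ln.strip()]
        changes.append(BootExecuteChange(m.group("ts"), m.group("verdict") == "Allowed", entries))
    return changes


def classify(entry):
    """Label one BootExecute line.  lsdelete is Ad-Aware's per post #45;
    pgdfgsvc (PageDefrag) and aswBoot.exe (avast) are assumptions drawn from
    the tools the poster says were installed."""
    tokens = entry.split()
    if not tokens:
        return "malformed"
    if entry == "autocheck autochk *":
        return "default"
    if tokens[:2] == ["autocheck", "autochk"]:
        return "scheduled-chkdsk"          # e.g. 'autocheck autochk /r \??\D:'
    if tokens[0] == "*" or tokens == ["autocheck", "*"]:
        return "malformed"                 # 'autocheck' with no program to run
    if tokens[0] == "lsdelete" or tokens[:2] == ["autocheck", "lsdelete"]:
        return "known:ad-aware"
    if tokens[0] == "pgdfgsvc":
        return "known:pagedefrag"
    if tokens[0].lower() == "aswboot.exe":
        return "known:avast"
    return "review"                        # anything else: look it up before trusting it


def effective_value(changes):
    """Replay the log.  Assumption: a Denied change never reached the registry,
    so only Allowed changes move the value forward."""
    value = list(DEFAULT_BOOTEXECUTE)
    for change in changes:
        if change.allowed:
            value = list(change.entries)
    return value


def summarize(text):
    """Count changes, reconstruct the final value and list lines needing review."""
    changes = parse_teatimer_log(text)
    value = effective_value(changes)
    return {
        "changes": len(changes),
        "denied": sum(1 for c in changes if not c.allowed),
        "effective": value,
        "review": [e for e in value if classify(e) in ("malformed", "review")],
    }


# Constructed sample: six of the entries posted in this thread, verbatim.
SAMPLE_LOG = r'''10/01/2009 22:36:06 Allowed (based on user decision) value "BootExecute" (new data: "autocheck autochk *
autocheck AUTONTFS C: PAGE=MIN DIRS=NONE MFT=MIN
") changed in Session manager!

14/01/2009 14:10:06 Allowed (based on user decision) value "BootExecute" (new data: "autocheck autochk *
pgdfgsvc C 1 -o
") changed in Session manager!

14/01/2009 14:14:04 Allowed (based on user decision) value "BootExecute" (new data: "autocheck autochk *
*
") changed in Session manager!

2009-01-15 12:37:34 Allowed (based on user decision) value "BootExecute" (new data: "autocheck autochk *
autocheck *
") changed in Session manager!

19/02/2009 14:38:21 Allowed (based on user decision) value "BootExecute" (new data: "autocheck autochk /r \??\D:
autocheck autochk *
autocheck *
autocheck lsdelete
aswBoot.exe /A:"*" /L:"English" /RA:delete /archives /KBD:2
") changed in Session manager!
19/02/2009 15:12:08 Denied (based on user decision) value "BootExecute" (new data: "autocheck autochk /r \??\D:
autocheck autochk *
autocheck *
autocheck lsdelete
") changed in Session manager!
'''

if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    print(f"{result['changes']} changes, {result['denied']} denied")
    for entry in result["effective"]:
        print(f"  [{classify(entry):17}] {entry}")
    print("needs review:", result["review"])
```

Run on the sample, the replay ends at the 19/02/2009 14:38:21 state, because the later change that would have removed the aswBoot.exe line was denied; the only line flagged for review is autocheck *, the autocheck entry with no program after it. The script reads the log only; on the affected machine the value itself can be read from the Session Manager key and fed through classify() the same way.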

#46 tokenizer (Full Member, 61 posts)

Posted 04 April 2009 - 09:36 PM

Hey Nasdaq!

Yes, I previously had Ad-Aware 2007 around January and wanted to try out their new Ad-Aware Anniversary Edition. It really wasn't to my liking, so I uninstalled Ad-Aware (it's not how it used to be during its glory days of Ad-Aware Personal SE). I'll try uninstalling Spybot and then reinstalling it and see if the trick works.

There was a post earlier in this thread from a user named Bruno. Do you think his suggestion might work?

Bruno wrote:
Indeed, when I change the graphics card the problem disappears. Could you try a different graphics card, or at least uninstall all its specific drivers so that the system restarts with a standard VGA driver, and see if the problem disappears?

Also, how do I do this exactly, and is it safe? ------ Could you try a different graphics card, or at least uninstall all its specific drivers so that the system restarts with a standard VGA driver

Hopefully, uninstalling Spybot will fix the problem. Will update you with the results. Thanks!

#47 tokenizer (Full Member, 61 posts)

Posted 04 April 2009 - 10:35 PM

Well, I uninstalled and reinstalled Spybot and it's still the same.

#48 tokenizer (Full Member, 61 posts)

Posted 04 April 2009 - 11:10 PM

Hey! Bruno gave me an idea with his suggestion that the problem might have to do with my graphics card. I was looking at my update history in Windows Update and I saw this (it might be the cause of the problem).

[attachment=2197:update_driver.png]

How do I undo this change?

#49 nasdaq (Global Moderator, Forum Deity, 49,276 posts)

Posted 05 April 2009 - 07:28 AM

The update was installed on Jan 4, 2009.

Go to your Add/Remove Programs list.

See if you have a Windows update on that date.

Make a note of it and post the exact name.

As for the Graphics card I would first try to see if new drivers are available on the supplier's site.
nasdaq


#50 tokenizer (Full Member, 61 posts)

Posted 06 April 2009 - 02:21 AM

Hi Nasdaq!

I just visited the Intel website and updated to the latest Intel Graphics driver for the 82830M. The last driver version I had, which I downloaded through the Windows Update site, was released on 2/10/2004, and the one I downloaded and installed now was released on 8/20/2004. Apparently updating to the latest driver has not fixed my problem.

I tried checking Add/Remove Programs, looking for an update on the specific date mentioned in the earlier post, but all I can find is an entry that says Intel® Extreme Graphics Driver, and there's no detail on the right indicating the date it was installed. Is there a way I can undo the changes I made to the driver and revert to the driver I had installed before the update I showed in the earlier post?

Appreciate all the help.



