XP shuts down. No error codes. No blue screen.

Re: XP shuts down. No error codes. No blue screen.
by flyinskwurl Yesterday at 7:53 am

Sorry I gave misleading info. The problem I am having is with my desktop computer. I have opened the case and cleaned out the air intakes, fans and processor. That didn't change anything. Ventilation seems good.
I have discovered that I can boot up in Safe Mode and it keeps running... but as soon as I boot up in normal mode it will let me sign in and then shuts down to just a black screen. The HD seems to keep running... seems like only the OS is shutting down.
I have been able to run Malwarebytes and Ad-Aware (Safe Mode) and found nothing. I have ESET 4 installed as well as Spy Sweeper.
flyinskwurl
Newbie Surfer
Posts: 12
Joined: 2009-09-22
Operating System: windows xp home sp3

Re: XP shuts down. No error codes. No blue screen.

Please download ComboFix from BleepingComputer.com

Alternate link: GeeksToGo.com

Alternate link: Forospyware.com

Rename ComboFix.exe to commy.exe before you save it to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found here.
  • Click Start>Run then copy paste the following command into the Run box & click OK "%userprofile%\desktop\commy.exe" /stepdel
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console

Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.

Re: XP shuts down. No error codes. No blue screen.
I can't make this work. I think the problem lies with the part about renaming the ComboFix before I place it on my desktop. I have an icon there that reads "Shortcut to commy.exe" but when I do the Start>Run paste in the link and click OK I get a warning that says Windows can't find it. If I browse for it I get a warning that tells me "The Above file name is invalid".
I can only get Windows to come up in Safe Mode. I have disabled my security software.
Can you give me instructions as to how to rename the ComboFix before I place it on my desktop?

Re: XP shuts down. No error codes. No blue screen.
I tried running ComboFix from the desktop icon and it ran. But when it tried to reboot... it started up in normal mode and was starting to create a log file when the machine shut down just like it has been doing. I tried to restart but it let me log in and it populated the desktop icons and shut down.

Re: XP shuts down. No error codes. No blue screen.
ComboFix 09-12-07.01 - Eddie 12/07/2009 18:13.2.2 - x86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1633 [GMT -5:00]
Running from: c:\documents and settings\Eddie\My Documents\Netscape files\commy.exe.exe
AV: ESET NOD32 Antivirus 4.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\windows\system32\404Fix.exe
c:\windows\system32\Agent.OMZ.Fix.exe
c:\windows\system32\dumphive.exe
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\o4Patch.exe
c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}


((((((((((((((((((((((((( Files Created from 2009-11-07 to 2009-12-07 )))))))))))))))))))))))))))))))
.

2009-12-07 18:05 . 2009-12-07 18:05 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2009-12-07 18:00 . 2009-12-07 18:00 -------- d-----w- c:\documents and settings\Administrator\Application Data\Windows Search
2009-12-07 17:55 . 2009-12-07 17:55 -------- d-----w- c:\documents and settings\Administrator\Application Data\Webroot
2009-12-07 17:46 . 2009-12-07 17:46 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Netscape
2009-12-07 17:46 . 2009-12-07 17:46 -------- d-----w- c:\documents and settings\Administrator\Application Data\Netscape
2009-12-05 16:15 . 2009-12-05 16:15 -------- d-----w- c:\windows\system32\wbem\Repository
2009-12-05 16:09 . 2009-12-05 16:09 -------- d-----r- C:\MSOCache
2009-11-30 03:11 . 2009-11-30 03:11 160032 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-11-30 03:10 . 2009-11-30 03:11 -------- d-----w- C:\d0d483da9881451b34
2009-11-28 15:31 . 2009-11-28 15:31 -------- d-----w- c:\program files\Handmark
2009-11-27 01:35 . 2004-03-29 20:23 90112 ----a-w- c:\windows\unvise32.exe
2009-11-24 00:10 . 2009-11-24 00:10 -------- d-----w- c:\documents and settings\Eddie\Local Settings\Application Data\LogMeIn
2009-11-24 00:10 . 2009-11-24 00:10 -------- d-----w- c:\documents and settings\All Users\Application Data\LogMeIn
2009-11-24 00:10 . 2009-11-24 00:10 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ICS
2009-11-24 00:09 . 2009-09-29 00:34 47416 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\LMIproc.dll
2009-11-24 00:09 . 2009-09-29 00:34 28984 ----a-w- c:\windows\system32\LMIport.dll
2009-11-24 00:09 . 2009-09-29 00:34 83288 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2009-11-24 00:09 . 2008-08-11 17:41 47640 ----a-w- c:\windows\system32\drivers\LMIRfsDriver.sys
2009-11-24 00:09 . 2009-09-29 00:34 87352 ----a-w- c:\windows\system32\LMIinit.dll
2009-11-24 00:09 . 2009-12-07 18:06 -------- d-----w- c:\program files\LogMeIn
2009-11-24 00:06 . 2009-11-24 00:08 -------- d-----w- c:\documents and settings\Eddie\Local Settings\Application Data\Deployment
2009-11-22 13:13 . 2006-08-31 21:03 182272 ------w- c:\windows\system32\drivers\CLBUDF.sys
2009-11-22 13:13 . 2006-08-31 21:21 131072 ----a-w- c:\windows\IBUnInst.exe
2009-11-18 02:55 . 2009-11-18 03:11 -------- d-----w- c:\windows\system32\Temp
2009-11-15 23:31 . 2009-11-15 23:32 -------- d-----w- c:\documents and settings\Eddie\Application Data\vlc
2009-11-15 18:39 . 2009-11-15 18:39 -------- d-----w- c:\program files\VideoLAN
2009-11-15 18:39 . 2009-11-15 18:39 -------- d-----w- c:\program files\Sopcast_plugin
2009-11-15 18:36 . 2009-11-15 18:36 -------- d-----w- c:\program files\LIVE TV
2009-11-14 21:44 . 2009-11-14 21:44 -------- d-----w- c:\program files\MSECache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-07 19:29 . 2009-04-11 18:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-12-05 16:27 . 2007-11-04 23:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-12-05 16:13 . 2009-06-06 19:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-05 16:12 . 2007-11-05 00:34 -------- d-----w- c:\program files\Microsoft Works
2009-12-05 16:08 . 2009-10-26 16:44 -------- d-----w- c:\program files\Microsoft.NET
2009-12-04 19:00 . 2009-10-26 16:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-12-04 02:42 . 2007-11-05 00:37 -------- d-----w- c:\program files\Microsoft ActiveSync
2009-12-02 12:00 . 2007-10-22 20:46 70872 ----a-w- c:\documents and settings\Eddie\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-30 22:42 . 2007-11-04 20:10 -------- d-----w- c:\documents and settings\Eddie\Application Data\U3
2009-11-30 00:13 . 2007-10-22 21:16 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-25 20:18 . 2007-11-04 21:46 -------- d-----w- c:\program files\Lx_cats
2009-11-24 16:26 . 2008-04-13 22:00 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-11-24 16:24 . 2007-12-02 23:27 -------- d-----w- c:\program files\SpywareBlaster
2009-11-18 22:20 . 2009-05-21 11:13 -------- d-----w- c:\program files\Media Key
2009-11-14 21:45 . 2007-11-05 00:49 8296 ----a-w- c:\documents and settings\Eddie\Application Data\wklnhst.dat
2009-11-14 18:12 . 2009-03-21 14:39 164 ----a-w- c:\windows\install.dat
2009-11-06 20:19 . 2008-02-02 20:56 1563008 ----a-w- c:\windows\WRSetup.dll
2009-11-06 17:00 . 2008-02-02 20:56 23152 ----a-w- c:\windows\system32\drivers\sshrmd.sys
2009-11-06 17:00 . 2008-02-02 20:56 176752 ----a-w- c:\windows\system32\drivers\ssidrv.sys
2009-11-06 17:00 . 2008-08-09 18:42 29808 ----a-w- c:\windows\system32\drivers\ssfs0bbc.sys
2009-11-04 03:12 . 2007-11-04 22:09 -------- d-----w- c:\documents and settings\Eddie\Application Data\.purple
2009-11-03 22:53 . 2008-09-20 19:25 -------- d-----w- c:\program files\AVS4YOU
2009-11-03 22:52 . 2008-09-20 19:32 -------- d-----w- c:\documents and settings\Eddie\Application Data\AVS4YOU
2009-11-03 01:42 . 2009-10-05 00:39 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-29 00:44 . 2009-10-27 17:41 -------- d-----w- c:\program files\Windows Desktop Search
2009-10-27 19:43 . 2009-10-27 19:43 -------- d-----w- c:\documents and settings\Eddie\Application Data\Windows Search
2009-10-27 17:42 . 2009-10-27 17:42 -------- d-----w- c:\documents and settings\Eddie\Application Data\Windows Desktop Search
2009-10-22 11:33 . 2007-10-29 15:25 -------- d-----w- c:\program files\Common Files\Adobe
2009-10-18 20:26 . 2009-10-18 20:26 -------- dc----w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-10-18 20:08 . 2009-02-22 17:33 -------- d-----w- c:\program files\Lavasoft
2009-10-16 21:10 . 2009-10-16 21:10 64056 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-10 12:04 . 2009-06-25 21:43 4045528 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-10-03 18:00 . 2003-02-21 12:42 348160 ----a-w- c:\windows\system32\msvcr71.dll
2009-10-03 17:57 . 2009-10-03 17:57 452104 ----a-w- c:\documents and settings\Eddie\Application Data\Real\RealPlayer\setup\AU_setup9.exe
2009-09-23 02:28 . 2009-06-19 12:52 314712 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
2009-09-23 02:28 . 2009-06-19 12:52 25440 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\savapibridge.dll
2009-09-23 02:28 . 2009-06-19 12:52 168800 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll
2009-09-23 02:28 . 2009-06-09 21:46 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-09-23 02:28 . 2009-06-05 12:52 15688 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2009-09-23 02:28 . 2009-09-23 02:28 17632 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\WSCUpdate.dll
2009-09-23 02:28 . 2009-06-19 12:52 349008 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll
2009-09-23 02:28 . 2009-06-19 12:52 298336 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll
2009-09-23 02:28 . 2009-06-05 12:51 84320 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\ShellExt.dll
2009-09-23 02:20 . 2009-09-21 01:21 54 ----a-w- c:\windows\system32\rp_stats.dat
2009-09-23 02:20 . 2009-09-21 01:21 39 ----a-w- c:\windows\system32\rp_rules.dat
2009-09-11 14:18 . 2006-02-28 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-11 00:35 . 2009-09-11 00:35 1962544 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player_ax.exe
2009-09-10 18:54 . 2009-06-06 19:16 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 18:53 . 2009-06-06 19:16 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2006-02-23 12:16 . 2007-12-02 22:08 34048 ----a-w- c:\program files\mozilla firefox\plugins\upd62i9x.dll
2006-02-23 12:16 . 2007-12-02 22:08 45056 ----a-w- c:\program files\mozilla firefox\plugins\upd62int.dll
2006-02-23 12:16 . 2008-09-07 18:02 34048 ----a-w- c:\program files\opera\program\plugins\upd62i9x.dll
2006-02-23 12:16 . 2008-09-07 18:02 45056 ----a-w- c:\program files\opera\program\plugins\upd62int.dll
.

------- Sigcheck -------

[7] 2008-04-14 . 6D4FEB43EE538FC5428CC7F0565AA656 . 56320 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\eventlog.dll
[7] 2006-02-28 . 82B24CB70E5944E6E34662205A2A5B78 . 55808 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\eventlog.dll

c:\windows\System32\eventlog.dll ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\BackupIconOverlayId]
@="{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}"
[HKEY_CLASSES_ROOT\CLSID\{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}]
2009-03-05 21:02 238968 ----a-w- c:\program files\Webroot\Spy Sweeper\Backup\CtxMenu_1_0_0_10.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Window Washer"="c:\program files\Webroot\Washer\wwDisp.exe" [2007-11-26 1206600]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"Power2GoExpress"="c:\program files\NOVA Development\MediaNow CD & DVD Burning Suite\Power2Go\Power2GoExpress.exe" [2006-09-13 2441216]
"Advanced SystemCare 3"="c:\program files\IObit\Advanced SystemCare 3\AWC.exe" [2009-11-04 2334856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [2007-05-04 312240]
"lxddmon.exe"="c:\program files\Lexmark 2500 Series\lxddmon.exe" [2007-06-12 291760]
"lxddamon"="c:\program files\Lexmark 2500 Series\lxddamon.exe" [2007-04-30 20480]
"V0400Mon.exe"="c:\windows\V0400Mon.exe" [2007-08-23 28672]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-06-15 6803456]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-29 413696]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-02-06 2021400]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-10-03 198160]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"RemoteControl"="c:\program files\NOVA Development\MediaNow CD & DVD Burning Suite\PowerDVD\PDVDServ.exe" [2005-01-12 32768]
"InstantBurn"="c:\progra~1\NOVADE~1\MEDIAN~1\INSTAN~1\Win2K\IBurn.exe" [2006-08-31 733184]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-08-11 63048]
"SpySweeper"="c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2009-11-06 6515784]

c:\documents and settings\Eddie\Start Menu\Programs\Startup\
Desktop Alert.lnk - c:\program files\Desktop Alert\desktopalert_3264673.exe [2008-8-28 327680]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2009-09-29 00:34 87352 ----a-w- c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Eddie^Start Menu^Programs^Startup^wkcalrem.LNK]
path=c:\documents and settings\Eddie\Start Menu\Programs\Startup\wkcalrem.LNK
backup=c:\windows\pss\wkcalrem.LNKStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-10-03 08:08 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcWzrd]
2006-05-04 20:26 2808832 ----a-w- c:\windows\alcwzrd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
2005-01-07 21:07 61952 ------w- c:\windows\system32\HdAShCut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
2003-05-15 23:41 163840 ----a-w- c:\program files\Microsoft IntelliPoint\point32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2007-11-02 23:36 267048 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2005-06-15 21:20 6803456 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2005-06-15 21:20 86016 ----a-w- c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2005-06-15 21:20 1519616 ----a-w- c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-03-29 03:37 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2006-07-21 20:14 86016 ----a-w- c:\windows\SoundMan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-05-21 15:34 148888 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-04-11 18:51 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2009-10-03 18:00 198160 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Lexmark 2500 Series\\lxddamon.exe"=
"c:\\Program Files\\Lexmark 2500 Series\\app4r.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\WINDOWS\\system32\\lxddcoms.exe"=
"c:\\Program Files\\SightSpeed\\SightSpeed.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxddpswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxddjswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxddtime.exe"=
"c:\\Program Files\\Lexmark 2500 Series\\lxddmon.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"= 135:TCP:TCP Port 135
"5000:TCP"= 5000:TCP:TCP Port 5000
"5001:TCP"= 5001:TCP:TCP Port 5001
"5002:TCP"= 5002:TCP:TCP Port 5002
"5003:TCP"= 5003:TCP:TCP Port 5003
"5004:TCP"= 5004:TCP:TCP Port 5004
"5005:TCP"= 5005:TCP:TCP Port 5005
"5006:TCP"= 5006:TCP:TCP Port 5006
"5007:TCP"= 5007:TCP:TCP Port 5007
"5008:TCP"= 5008:TCP:TCP Port 5008
"5009:TCP"= 5009:TCP:TCP Port 5009
"5010:TCP"= 5010:TCP:TCP Port 5010
"5011:TCP"= 5011:TCP:TCP Port 5011
"5012:TCP"= 5012:TCP:TCP Port 5012
"5013:TCP"= 5013:TCP:TCP Port 5013
"5014:TCP"= 5014:TCP:TCP Port 5014
"5015:TCP"= 5015:TCP:TCP Port 5015
"5016:TCP"= 5016:TCP:TCP Port 5016
"5017:TCP"= 5017:TCP:TCP Port 5017
"5018:TCP"= 5018:TCP:TCP Port 5018
"5019:TCP"= 5019:TCP:TCP Port 5019
"5020:TCP"= 5020:TCP:TCP Port 5020
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 CLBStor;InstantBurn Storage Helper Driver;c:\windows\system32\drivers\CLBStor.sys [6/29/2009 05:56 PM 10368]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [6/5/2009 07:52 AM 64160]
R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [8/9/2008 01:42 PM 29808]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2/6/2009 10:58 AM 93336]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 06:19 PM 13592]
R2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\Spy Sweeper\WRConsumerService.exe [10/26/2008 07:26 AM 1201640]
S1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2/6/2009 10:56 AM 106208]
S1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS --> c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
S2 CLBUDF;CyberLink UDF Filesystem;c:\windows\system32\drivers\CLBUDF.sys [11/22/2009 08:13 AM 182272]
S2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2/6/2009 10:57 AM 727720]
S2 gupdate1c9bad68d111286;Google Update Service (gupdate1c9bad68d111286);c:\program files\Google\Update\GoogleUpdate.exe [4/11/2009 01:51 PM 133104]
S2 IS360service;IS360service;c:\program files\IObit\IObit Security 360\IS360srv.exe --> c:\program files\IObit\IObit Security 360\IS360srv.exe [?]
S2 JEPPDRIVE;Smart Modular JeppDrive USB Driver;c:\windows\system32\Drivers\JeppD.sys --> c:\windows\system32\Drivers\JeppD.sys [?]
S2 JEPPDRIVEG2;Smart Modular JeppDrive USB G2 Driver;c:\windows\system32\drivers\JeppDG2.sys [7/11/2009 02:22 PM 18384]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 02:06 PM 1028432]
S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [8/11/2008 12:41 PM 12856]
S2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [11/23/2009 07:09 PM 47640]
S2 lxdd_device;lxdd_device;c:\windows\system32\lxddcoms.exe -service --> c:\windows\system32\lxddcoms.exe -service [?]
S2 lxddCATSCustConnectService;lxddCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxddserv.exe [1/31/2008 08:50 PM 99248]
S2 wwEngineSvc;Window Washer Engine;c:\program files\Webroot\Washer\WasherSvc.exe [11/10/2008 01:10 PM 598856]
S3 DM9USB;DM9601 USB To Fast Ethernet Adapter;c:\windows\system32\drivers\dm9usb.sys [5/11/2009 01:20 PM 54272]
S3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS --> c:\program files\SUPERAntiSpyware\SASENUM.SYS [?]
S3 VF0400Afx;VF0400 Audio FX;c:\windows\system32\drivers\V0400Afx.sys [6/22/2008 05:29 PM 142656]
S3 VF0400Vfx;VF0400 Video FX;c:\windows\system32\drivers\V0400Vfx.sys [6/22/2008 05:29 PM 7424]
S3 VF0400Vid;Live! Cam Notebook Pro (VF0400);c:\windows\system32\drivers\V0400Vid.sys [6/22/2008 05:29 PM 166720]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.msn.com
DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/static/m/cab/2.8.3/GarminAxControl.CAB
DPF: {4D21BDFC-A621-4DE6-87DA-7C952D0ADF7E} - hxxp://www.lorexglobal.com/see/push03.cab
FF - ProfilePath - c:\documents and settings\Eddie\Application Data\Mozilla\Firefox\Profiles\hqxo7hd2.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.aol.com/
FF - component: c:\program files\Free Download Manager\Firefox\Extension\components\vmsfdmff.dll
FF - component: c:\program files\Real\RealPlayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - hidden: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - (no file)
Notify-!SASWinLogon - (no file)
AddRemove-GARMIN 400 Series Trainer - c:\windows\IsUninst.exe -fc:\program files\GARMIN\GARMIN 400 Series Trainer\Uninst.isu



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-07 18:20
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-484763869-606747145-725345543-1004_Classes\Software\CLASSES\CLSID\{4D37D85E-E8B0-0BAE-7454-7DBD549A050A}*\InprocServer32]
"{4D37D85E-E8B0-0BAE-7454-7DBD549A050A}"=hex:80,57,94,bd,86,d3,c3,bc,23,17,ad,
51,03,c5,ec,63,d8,68,77,8c,61,a2,f2,a5,80,57,94,bd,86,d3,c3,bc,80,57,94,bd,\

[HKEY_USERS\S-1-5-21-484763869-606747145-725345543-1004_Classes\Software\CLASSES\CLSID\{86A13BC9-D69F-E772-0B8D-ECF32E54C48E}*\InprocServer32]
"{86A13BC9-D69F-E772-0B8D-ECF32E54C48E}"=hex:6f,09,b0,88,50,cb,e4,97,fc,9e,69,
f3,be,58,93,e5,b5,19,71,dc,c5,cf,7d,a9,6f,09,b0,88,50,cb,e4,97,6f,09,b0,88,\

[HKEY_USERS\S-1-5-21-484763869-606747145-725345543-1004_Classes\Software\CLASSES\CLSID\{A9A012E2-7CEB-0C98-DE35-6178A2C4CD7D}*\InprocServer32]
"{A9A012E2-7CEB-0C98-DE35-6178A2C4CD7D}"=hex:0b,e6,91,e4,19,1d,1c,8e,e1,38,d3,
3b,7e,c9,01,6c,f4,14,ee,f8,52,3f,e4,74,0b,e6,91,e4,19,1d,1c,8e,0b,e6,91,e4,\

[HKEY_USERS\S-1-5-21-484763869-606747145-725345543-1004_Classes\Software\CLASSES\CLSID\{EF9E6836-C7D7-8A70-AF39-1ECE1CEA2C1F}*\InprocServer32]
"{EF9E6836-C7D7-8A70-AF39-1ECE1CEA2C1F}"=hex:29,88,23,ff,70,a5,97,36,19,5c,c2,
a6,6a,a8,1d,d6,be,81,69,33,54,14,a0,0c,29,88,23,ff,70,a5,97,36,29,88,23,ff,\

[HKEY_USERS\S-1-5-21-484763869-606747145-725345543-1004_Classes\Software\CLASSES\CLSID\{FA2E45C7-625D-AB4B-7F5D-D35256E4A1B8}*\InprocServer32]
"{FA2E45C7-625D-AB4B-7F5D-D35256E4A1B8}"=hex:94,fd,fd,80,88,13,2d,af,e8,13,76,
f7,2b,f4,8b,53,01,3a,64,40,aa,4c,4b,b9,94,fd,fd,80,88,13,2d,af,94,fd,fd,80,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(468)
c:\windows\system32\LMIinit.dll

- - - - - - - > 'explorer.exe'(308)
c:\windows\system32\WININET.dll
c:\program files\Webroot\Spy Sweeper\Backup\CtxMenu_1_0_0_10.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\LMIRfsClientNP.dll
.
Completion time: 2009-12-07 18:23
ComboFix-quarantined-files.txt 2009-12-07 23:23

Pre-Run: 44,912,914,432 bytes free
Post-Run: 44,893,650,944 bytes free

- - End Of File - - C29560DA7DFE1863E5DA246B054729A7
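
A small triage helper, added here as an example (it is not the thread's or ComboFix's own code), that splits a ComboFix log like the one above into its sections and pulls out the items a helper reads first: the Sigcheck "is missing" line, the Security Center monitoring flag, the globally open firewall ports, and newly created files under system32. SAMPLE_LOG is a constructed excerpt of lines copied from the log above; the section banners and line layouts are taken from that log, not from any ComboFix specification, and the flags are prompts for a closer look, not verdicts.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed excerpt: a few lines copied from the ComboFix log posted above,
# arranged so that every section the parser handles is present.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2009-11-07 to 2009-12-07 )))))))))))))))))))))))))))))))
.
2009-12-07 18:05 . 2009-12-07 18:05 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2009-11-27 01:35 . 2004-03-29 20:23 90112 ----a-w- c:\windows\unvise32.exe
2009-11-24 00:09 . 2009-09-29 00:34 28984 ----a-w- c:\windows\system32\LMIport.dll
2009-11-24 00:09 . 2008-08-11 17:41 47640 ----a-w- c:\windows\system32\drivers\LMIRfsDriver.sys
.
------- Sigcheck -------
[7] 2008-04-14 . 6D4FEB43EE538FC5428CC7F0565AA656 . 56320 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\eventlog.dll
c:\windows\System32\eventlog.dll ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"= 135:TCP:TCP Port 135
"5000:TCP"= 5000:TCP:TCP Port 5000
"5001:TCP"= 5001:TCP:TCP Port 5001
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"""

BANNER_RE = re.compile(r"^\({5,}\s*(.+?)\s*\){5,}$")        # (((( Section name ))))
DASHED_RE = re.compile(r"^-{3,}\s*(.+?)\s*-{3,}$")            # ---- Section name ----
# created . modified size attrs path  (size is "--------" for directories)
FILE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d) \. (\d{4}-\d\d-\d\d \d\d:\d\d) (\S+) (\S{8}) (.+)$")
MISSING_RE = re.compile(r"^(.+?) \.\.\. is missing !!$")
REGKEY_RE = re.compile(r"^\[(.+)\]$")
PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"=')


def split_sections(text: str) -> Dict[str, List[str]]:
    """Group non-empty log lines under the banner that precedes them."""
    sections: Dict[str, List[str]] = defaultdict(list)
    current = "Header"
    for raw in text.splitlines():
        line = raw.strip()
        m = BANNER_RE.match(line) or DASHED_RE.match(line)
        if m:
            current = m.group(1)
        elif line and line != ".":           # ComboFix uses a lone "." as a spacer
            sections[current].append(line)
    return sections


def missing_system_files(sections: Dict[str, List[str]]) -> List[str]:
    """Paths that Sigcheck reported as missing from their expected location."""
    hits = []
    for line in sections.get("Sigcheck", []):
        m = MISSING_RE.match(line)
        if m:
            hits.append(m.group(1))
    return hits


def registry_blocks(sections: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Map each [key] in 'Reg Loading Points' to the value lines under it."""
    blocks: Dict[str, List[str]] = defaultdict(list)
    key = None
    for line in sections.get("Reg Loading Points", []):
        m = REGKEY_RE.match(line)
        if m:
            key = m.group(1)
        elif key is not None:
            blocks[key].append(line)
    return blocks


def globally_open_ports(blocks: Dict[str, List[str]]) -> List[Tuple[int, str]]:
    """Ports listed under the firewall's GloballyOpenPorts\\List key."""
    ports = []
    for key, values in blocks.items():
        if key.lower().endswith("globallyopenports\\list"):
            for value in values:
                m = PORT_RE.match(value)
                if m:
                    ports.append((int(m.group(1)), m.group(2)))
    return ports


def security_center_monitoring_disabled(blocks: Dict[str, List[str]]) -> bool:
    """True if a Security Center key carries DisableMonitoring=1 (confirm which product set it)."""
    for key, values in blocks.items():
        if "security center" in key.lower():
            if any(v.lower() == '"disablemonitoring"=dword:00000001' for v in values):
                return True
    return False


def new_files_under(sections: Dict[str, List[str]],
                    prefix: str = r"c:\windows\system32") -> List[Tuple[str, str, str]]:
    """(created, size, path) for files (not directories) created under prefix."""
    hits = []
    for name, lines in sections.items():
        if not name.startswith("Files Created"):
            continue
        for line in lines:
            m = FILE_RE.match(line)
            if m and m.group(4)[0] != "d" and m.group(5).lower().startswith(prefix.lower()):
                hits.append((m.group(1), m.group(3), m.group(5)))
    return hits


def triage(text: str) -> dict:
    """Run every check over one log and return the findings by name."""
    sections = split_sections(text)
    blocks = registry_blocks(sections)
    return {
        "missing_system_files": missing_system_files(sections),
        "open_ports": globally_open_ports(blocks),
        "security_center_monitoring_disabled": security_center_monitoring_disabled(blocks),
        "new_system32_files": new_files_under(sections),
    }


if __name__ == "__main__":
    for name, value in triage(SAMPLE_LOG).items():
        print(f"{name}: {value}")
```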

Re: XP shuts down. No error codes. No blue screen.
I managed to get ComboFix to run in Safe Mode and got a log file...above.

Re: XP shuts down. No error codes. No blue screen.

Please download Malwarebytes Anti-Malware from here.

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • Please save the log to a location you will remember.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Re: XP shuts down. No error codes. No blue screen.
Malwarebytes' Anti-Malware 1.42
Database version: 3320
Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

12/8/2009 08:37:52 AM
mbam-log-2009-12-08 (08-37-52).txt

Scan type: Full Scan (A:\|C:\|D:\|)
Objects scanned: 182250
Time elapsed: 27 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
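The MBAM log above has a fixed shape: a header block, one "... Infected: N" summary line per category, then a section per category listing the items (or "(No malicious items detected)"). As an added example that is not part of this thread and not Malwarebytes' own code, the following Python parser reads that format, returns the counts and listed items, and checks that the summary counts agree with the item lists. The two sample logs are constructed for the example; the infected one uses placeholder path and detection names.

```python
"""Parse the summary of a Malwarebytes' Anti-Malware 1.x text log (added example)."""
import re

# Constructed sample in the format of the log posted in the thread (clean scan).
SAMPLE_CLEAN_LOG = """Malwarebytes' Anti-Malware 1.42
Database version: 3320
Windows 5.1.2600 Service Pack 3 (Safe Mode)

Scan type: Full Scan (A:\\|C:\\|D:\\|)
Objects scanned: 182250
Time elapsed: 27 minute(s), 2 second(s)

Memory Processes Infected: 0
Registry Keys Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
"""

# Constructed sample with one hit; the path and detection name are placeholders.
SAMPLE_INFECTED_LOG = SAMPLE_CLEAN_LOG.replace(
    "Files Infected: 0", "Files Infected: 1"
).replace(
    "Files Infected:\n(No malicious items detected)",
    "Files Infected:\nC:\\example\\constructed.exe (Trojan.Constructed) -> Quarantined and deleted successfully.",
)

SUMMARY_RE = re.compile(r"^(?P<category>[A-Za-z ]+) Infected: (?P<count>\d+)$")
SECTION_RE = re.compile(r"^(?P<category>[A-Za-z ]+) Infected:$")
HEADER_RE = re.compile(r"^(?P<key>[A-Za-z ]+): (?P<value>.+)$")
NO_ITEMS = "(No malicious items detected)"


def parse_mbam_log(text):
    """Return header fields, banner lines, per-category counts and listed items."""
    header, banner, counts, items = {}, [], {}, {}
    current = None  # category whose item list we are inside, if any
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            current = None          # a blank line ends an item section
            continue
        m = SUMMARY_RE.match(line)
        if m:
            counts[m.group("category")] = int(m.group("count"))
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("category")
            items[current] = []
            continue
        if current is not None:
            if line != NO_ITEMS:
                items[current].append(line)
            continue
        m = HEADER_RE.match(line)
        if m:
            header[m.group("key")] = m.group("value")
        else:
            banner.append(line)     # product/OS lines without a "key: value" shape
    return {"header": header, "banner": banner, "counts": counts, "items": items}


def total_detections(parsed):
    return sum(parsed["counts"].values())


def is_clean(parsed):
    return total_detections(parsed) == 0 and not any(parsed["items"].values())


def counts_match_items(parsed):
    """True when every summary count equals the number of items listed under it."""
    return all(parsed["counts"].get(cat, 0) == len(lst)
               for cat, lst in parsed["items"].items())


def scanned_in_safe_mode(parsed):
    """MBAM appends '(Safe Mode)' to the OS line when the scan ran in Safe Mode."""
    return any("(Safe Mode)" in line for line in parsed["banner"])


if __name__ == "__main__":
    for name, log in (("clean", SAMPLE_CLEAN_LOG), ("infected", SAMPLE_INFECTED_LOG)):
        p = parse_mbam_log(log)
        print(name, "detections:", total_detections(p),
              "safe mode:", scanned_in_safe_mode(p), "consistent:", counts_match_items(p))
        for cat, lst in p["items"].items():
            for item in lst:
                print("  ", cat, "->", item)
```

The consistency check matters when several logs are pasted into a thread: a summary line that says 0 while items are listed under it (or the reverse) is the quickest sign that a log was truncated or edited in transit.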

Re: XP shuts down. No error codes. No blue screen.
MBAM didn't detect anything...

Re: XP shuts down. No error codes. No blue screen.
Please use Internet Explorer and run a BitDefender Online scan

  • Please check I agree with the Terms and Conditions and click Start Here
  • You will need to allow an ActiveX install for the scan to run.
  • Leave the scanning options at default and click Start Scan
Please post the results in your next reply.

Re: XP shuts down. No error codes. No blue screen.
I can't get Bit Defender to install on my machine. I changed security settings and worked in Internet Options> Tools, but something will not let it install. When I click the information bar to install the ActiveX, I get the install box, but when I tell it to install, it will not.
I don't know if it matters, but I am having to work in Safe Mode.
I did manage to install a 60 Second Bit Defender Quick Scanner via Firefox. I ran it and it showed no infections. I know that's not what we are after, but it is the best I can get.

Last edited by flyinskwurl on 9th December 2009, 1:23 am; edited 1 time in total (Reason for editing : more info.)

Re: XP shuts down. No error codes. No blue screen.
Please run a free online scan with the ESET Online Scanner
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic

Re: XP shuts down. No error codes. No blue screen.

I had to use Netscape to do this scan; IE would not let it install. I ran the ESET Online Scanner and it found nothing. I use ESET NOD32 Smart Security 4 as my primary security and had already run several sweeps with the software and run a scan with an online ESET scanner. I ran the one from the link that you provided. I couldn't find the log file. If you need the log, I will run the scan again.

Re: XP shuts down. No error codes. No blue screen.
Download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Re: XP shuts down. No error codes. No blue screen.
Results of screen317's Security Check version 0.99.1
Windows XP Service Pack 3
``````````````````````````````
Antivirus/Firewall Check:

Windows Security Center service is not running! This report may not be accurate!
Windows Firewall Enabled!
ESET NOD32 Antivirus
ESET Online Scanner v3
ESET Online Scanner
``````````````````````````````
Anti-malware/Other Utilities Check:

Ad-Aware
SpywareBlaster 4.2
Spy Sweeper
Spy Sweeper Core
Spybot - Search & Destroy
SUPERAntiSpyware Free Edition
Windows Defender
HijackThis 2.0.2
CCleaner
WinCleaner OneClick Cleanup Version 10
Java(TM) 6 Update 16
Out of date Java installed!
Adobe Flash Player 10
Adobe Reader 9.2
``````````````````````````````
Process Check:
objlist.exe by Laurent

Windows Defender MSMpEng.exe
Ad-Aware AAWService.exe is disabled!
Ad-Aware AAWTray.exe is disabled!
``````````````````````````````
DNS Vulnerability Check:

Unknown. This method cannot test your vulnerability to DNS cache poisoning.

`````````End of Log```````````
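Security Check uses a trailing "!" both for good news ("Windows Firewall Enabled!") and for problems ("is disabled!", "Out of date Java installed!", "is not running!"), so picking out the actionable lines needs more than a search for "!". As an added example that is not part of this thread and not screen317's code, the following Python script splits a checkup.txt report into its sections and lists the lines that call for action, including the "Unknown." result of the DNS test and the warning that the report itself may be unreliable because the Security Center service is stopped. The sample report is constructed to mirror the one posted above.

```python
"""Triage a screen317 Security Check (checkup.txt) report (added example)."""
import re

SEP = "`" * 30  # Security Check separates its sections with a row of backticks

# Constructed sample mirroring the report posted in the thread.
SAMPLE_CHECKUP = "\n".join([
    "Results of screen317's Security Check version 0.99.1",
    "Windows XP Service Pack 3",
    SEP,
    "Antivirus/Firewall Check:",
    "",
    "Windows Security Center service is not running! This report may not be accurate!",
    "Windows Firewall Enabled!",
    "ESET NOD32 Antivirus",
    SEP,
    "Anti-malware/Other Utilities Check:",
    "",
    "Java(TM) 6 Update 16",
    "Out of date Java installed!",
    "Adobe Reader 9.2",
    SEP,
    "Process Check:",
    "objlist.exe by Laurent",
    "",
    "Windows Defender MSMpEng.exe",
    "Ad-Aware AAWService.exe is disabled!",
    SEP,
    "DNS Vulnerability Check:",
    "",
    "Unknown. This method cannot test your vulnerability to DNS cache poisoning.",
    "",
    "`" * 9 + "End of Log" + "`" * 11,
])

# Phrases Security Check uses for findings that need attention.
WARNING_PATTERNS = (
    re.compile(r"is not running!"),
    re.compile(r"Out of date .* installed!"),
    re.compile(r"is disabled!"),
    re.compile(r"^Unknown\."),
)


def parse_security_check(text):
    """Return {section name: [lines]}; lines before the first section go to 'Preamble'."""
    sections = {"Preamble": []}
    current = "Preamble"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"`"}:
            continue                      # blank line or section separator
        if "End of Log" in line:
            break
        if line.endswith("Check:"):       # e.g. "Process Check:"
            current = line[:-1]
            sections[current] = []
            continue
        sections[current].append(line)
    return sections


def find_warnings(sections):
    """Map each section to the lines in it that match a warning pattern."""
    warnings = {}
    for name, lines in sections.items():
        hits = [l for l in lines if any(p.search(l) for p in WARNING_PATTERNS)]
        if hits:
            warnings[name] = hits
    return warnings


def report_is_reliable(sections):
    """False when Security Check itself says its results may be inaccurate."""
    return not any("may not be accurate" in l
                   for lines in sections.values() for l in lines)


if __name__ == "__main__":
    secs = parse_security_check(SAMPLE_CHECKUP)
    print("report reliable:", report_is_reliable(secs))
    for name, hits in find_warnings(secs).items():
        print(name)
        for h in hits:
            print("   ", h)
```

Keeping the findings grouped by section preserves the distinction the tool draws: a stale Java under "Anti-malware/Other Utilities Check" is a patching issue, while a disabled Ad-Aware service under "Process Check" is a protection gap, and both deserve a different follow-up from the helper reading the log.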
