[Resolved] Error messages when starting up (XP)
-
re: [Resolved] Error messages when starting up (XP)
Hi Broni,
Here is the ComboFix log:
ComboFix 09-06-26.02 - Kelsey Saar 28/06/2009 18:11.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.958.627 [GMT 8:00]
Running from: c:\documents and settings\Kelsey Saar\Desktop\ComboFix.exe
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\dc.exe
c:\windows\help\Other.exe
c:\windows\inf\Other.exe
c:\windows\sviq.exe
c:\windows\system\Fun.exe
c:\windows\system32\config\Win.exe
c:\windows\system32\WinSit.exe
.
((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-06-28 )))))))))))))))))))))))))))))))
.
2009-06-12 09:59 . 2009-06-12 09:59 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-06-05 10:06 . 2005-11-23 02:10 163840 ----a-w- c:\windows\system32\WlanApp.dll
2009-06-05 10:06 . 2005-11-22 12:56 630784 ----a-w- c:\windows\system32\ANIWZCS2.dll
2009-06-05 10:06 . 2005-10-27 00:55 49152 ----a-w- c:\windows\system32\JJAKEn.dll
2009-06-05 10:06 . 2005-10-19 10:19 57407 ----a-w- c:\windows\system32\ANICtl.dll
2009-06-05 10:06 . 2005-10-19 10:19 49152 ----a-w- c:\windows\system32\AQCKGen.dll
2009-06-05 10:06 . 2005-10-19 10:19 204800 ----a-w- c:\windows\system32\aIPH.dll
2009-06-05 10:06 . 2005-10-19 10:19 1327189 ----a-w- c:\windows\system32\odSupp_M.dll
2009-06-05 10:06 . 2009-06-05 10:06 -------- d-----w- c:\program files\ANI
2009-06-05 10:06 . 2005-11-09 23:13 50176 ----a-w- c:\windows\system32\ANIO64.sys
2009-06-05 10:06 . 2005-11-09 07:44 24288 ----a-w- c:\windows\system32\ANIO.sys
2009-06-05 10:06 . 2005-10-21 07:56 36864 ----a-w- c:\windows\system32\ANIOApi.dll
2009-06-05 10:06 . 2004-10-14 02:29 11904 ----a-w- c:\windows\system32\anio4.sys
2009-06-05 09:47 . 2009-06-05 09:48 -------- d-----w- c:\program files\MSECache
2009-06-05 09:42 . 2009-06-05 09:42 -------- d-----w- C:\Downloads
2009-05-31 08:46 . 2009-05-31 08:46 -------- d-----w- c:\documents and settings\Kelsey Saar\Application Data\Ahead
2009-05-31 08:16 . 2009-05-31 08:16 -------- d-----w- c:\program files\Software Informer
2009-05-31 08:15 . 2009-06-05 09:55 -------- d-----w- c:\documents and settings\Kelsey Saar\Application Data\Free Download Manager
2009-05-31 08:15 . 2009-05-31 08:15 -------- d-----w- c:\documents and settings\All Users\Application Data\FreeDownloadManager.ORG
2009-05-31 08:15 . 2009-05-31 08:16 -------- d-----w- c:\program files\Free Download Manager
2009-05-31 07:37 . 2009-05-31 07:36 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-31 07:36 . 2009-05-31 07:36 -------- d-----w- c:\program files\Java
2009-05-31 07:36 . 2009-05-31 07:36 152576 ----a-w- c:\documents and settings\Kelsey Saar\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-05-29 11:57 . 2009-05-29 11:57 -------- d-----w- c:\program files\Trend Micro
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-28 10:07 . 2009-04-03 10:19 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-06-28 10:06 . 2009-04-03 10:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-05 10:07 . 2009-03-29 10:24 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-05 10:06 . 2009-03-29 10:23 -------- d-----w- c:\program files\Common Files\InstallShield
2009-06-05 09:38 . 2009-04-03 10:03 69232 ----a-w- c:\documents and settings\Kelsey Saar\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-31 09:08 . 2009-04-03 11:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-05-31 09:02 . 2009-04-03 11:11 -------- d-----w- c:\program files\Microsoft Works
2009-05-20 13:50 . 2009-04-03 10:04 168208 ----a-w- c:\windows\system32\guard32.dll
2009-05-20 13:50 . 2009-04-03 10:04 82080 ----a-w- c:\windows\system32\drivers\inspect.sys
2009-05-20 13:50 . 2009-04-03 10:04 24096 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2009-05-20 13:49 . 2009-04-03 10:04 132640 ----a-w- c:\windows\system32\drivers\cmdguard.sys
2009-04-03 10:34 . 2009-04-03 10:24 117644 ----a-w- c:\windows\hpoins11.dat
2009-04-03 10:13 . 2009-04-03 10:13 2906215 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-04-03 09:55 . 2009-04-03 09:55 0 ----a-w- c:\windows\nsreg.dat
2009-03-31 13:31 . 2009-03-29 10:16 76487 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"JMB36X Configure"="c:\windows\system32\JMRaidTool.exe" [2006-08-14 352256]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2009-05-20 1794320]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-31 148888]
"D-Link AirPlus G"="c:\program files\D-Link\AirPlus G\AirGCFG.exe" [2005-11-23 1544192]
"ANIWZCS2Service"="c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2005-10-19 49152]
"VTTimer"="VTTimer.exe" - c:\windows\system32\VTTimer.exe [2006-08-03 53248]
"S3Trayp"="S3trayp.exe" - c:\windows\system32\S3Trayp.exe [2006-07-10 176128]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" - c:\windows\system32\HdAShCut.exe [2004-10-27 61952]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
c:\documents and settings\Kelsey Saar\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
R0 xfilt;VIA SATA IDE Hot-plug Driver;c:\windows\system32\drivers\xfilt.sys [29/03/2009 6:24 PM 11264]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [3/04/2009 6:04 PM 132640]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [3/04/2009 6:04 PM 24096]
R3 S3GIGP;S3GIGP;c:\windows\system32\drivers\S3gIGPm.sys [29/03/2009 6:25 PM 659456]
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-fsm - (no file)
HKLM-Run-NWEReboot - (no file)
Notify-NavLogon - (no file)
.
------- Supplementary Scan -------
.
IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath -
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2009-06-28 18:13
Windows 5.1.2600 Service Pack 3 NTFS
detected NTDLL code modification:
ZwClose, ZwOpenFile
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'lsass.exe'(892)
c:\windows\system32\guard32.dll
.
Completion time: 2009-06-28 18:15
ComboFix-quarantined-files.txt 2009-06-28 10:15
Pre-Run: 145,521,152,000 bytes free
Post-Run: 145,556,807,680 bytes free
149 --- E O F --- 2009-05-16 02:46
And here is the latest from HijackThis:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:16:59 PM, on 28/06/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\S3trayp.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [S3Trayp] S3trayp.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [JMB36X Configure] C:\WINDOWS\system32\JMRaidTool.exe boot
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1239972553703
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
--
End of file - 6144 bytes
Look forward to what you can discern from all this.
Appreciate the help 
PS Is the Windows Error console an issue? After checking in with the Windows Update site (ComboFix asked if I wanted to download the error console) I found out that it is actually loaded from the XP installation disc, but it is also for experts, so that is another thing I would need your guidance on.
No doubt you will let me know.
-
Why was Comodo enabled during Combofix scan, and why did you skip Recovery Console installation?
Open Windows Explorer. Go to Tools > Folder Options > View tab and put a checkmark next to "Show hidden files and folders".
Upload the following files to VirusTotal (Free Online Virus and Malware Scan) for a security check:
ANIWZCS2.dll
ANIOApi.dll
ANIWZCS2.dll
ANIO64.sys
odSupp_M.dll
aIPH.dll
AQCKGen.dll
ANICtl.dll
JJAKEn.dll
ANIWZCS2.dll
WlanApp.dll
...all located in c:\windows\system32
Post scan results (omit 0/40 results).
-
Hi Broni,
First of all, I did exit Comodo in the manner advised by the link in your post, but I did notice it enabled in the scan results.
As I said, ComboFix noted the absence of the Recovery Console. I only found out afterwards that it is on the installation disc; I said this in my post.
I have printed your instructions and will post again, I have just started the system and have to shut down due to multiple instances of W32.Imaut,AS.
Back soon.
-
-
Hi Broni,
It was my own computer I had to restart just now, not the one belonging to my friend. So a case of crossed threads. However the errors produced this morning, plus the fact I was not able to access the error console via the path described on Windows Updates site, AND when I tried to access it via the CD I was only able to type one character, either "R" or "E", I had to use reset to get out of the setup screen ...
I have had enough, this computer has some serious problems and after backing up a few things I am going for a clean install of Windows (I will let Neal know).
A few months ago I did a reinstall and Jephree advised: setup, drivers if needed, then Windows Update. This is what I did this time, and whilst accessing Windows Update I got several warnings about no AV/firewall etc., so this time I am going to install Windows, install drivers, then install security apps before going to Windows Update. I like Jephree's plan, it avoids fragmentation, but after the last week I am not going online "undressed", you might say. I can defrag later.
Let me know what you think of this plan.
Cheers
and thanks
-
Well, if you have your data backed up, a fresh install will never hurt.
-
Back on the air again. I wonder if it is possible to create a batch of Windows and all my apps and then check in with Windows Update. It probably would not even fit on a Blu-ray, and I am seriously OFF TOPIC 
To get back to the computer in question, I have looked at the list of items you want me to submit to VirusTotal, and I gotta say I am a little reluctant. It would mean copying all those files to my thumb drive, loading them on my now clean computer at the risk of polluting it, and then uploading them.
Guess I will give it a try.
-
Install Panda USB Vaccine: http://research.pandasecurity.com/ar...n-Vaccine.aspx on good computer.
It'll prevent any files on the USB stick from running automatically.
-
Hi Broni,
Downloaded Panda, will report after I have fetched and tested the list of files.
-