Unsolved

December 3rd, 2008 18:00

I Need Help - My Computer has slow internet, little warning triangles are popping up in the lower right corner of the screen occasionally, Safe Mode doesn't work, and I often get redirected to random advertising sites

I've tried running Kaspersky's online scanner as well as Trend Micro's online scanner; I also have used Spybot to try and figure out what's wrong. The only major problem these seem to find appears to be the dmconfigk.dll file that is mentioned in part of the HijackThis log. But nothing seems capable of getting rid of the dmconfigk.dll file. When I try and start my computer in safe mode now I just get a blue screen full of text once I select Safe Mode and then the whole thing just shuts down. I have no idea whether dmconfigk is part of the problem, the entire problem or nothing to do with the problem, but it's the only lead I have. I'd be eternally grateful to anyone who can help me try and fix my computer and get rid of all the bad things. Thanks!

Oh yeah I also have that free McAfee virus scanner that you can download via AOL, but it doesn't ever seem to find anything when I try and scan my computer with it.

The HijackThis log is below.

 

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:41:21 PM, on 12/3/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Linksys Wireless Guard\WscNetMgrSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Linksys Wireless Guard\WscGuard.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {9BBCDEA8-6E27-4842-862E-CC739792746D} - C:\WINDOWS\system32\dmconfigk.dll
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: Linksys Wireless Guard.lnk = C:\Program Files\Linksys Wireless Guard\WscGuard.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Linksys Wireless Guard Network Manager Service (WSCNetManager) - Wireless Security Corporation - C:\Program Files\Linksys Wireless Guard\WscNetMgrSvc.exe

--
End of file - 3264 bytes

10.4K Posts

December 4th, 2008 06:00


TSignus

1. Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop (How to extract (decompress) zipped or compressed files, help in the link here: )

2. Now, start The Avenger program by clicking on its icon on your desktop.
  • Make sure the "Scan for Rootkits" box is checked
  • Select Execute
  • You will be prompted "No Script loaded, do you want to scan for rootkits."
  • Select Yes
  • Answer Yes when prompted to reboot

3. The Avenger will automatically do the following:
  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

4. Please copy/paste the content of c:\avenger.txt into your reply.

16 Posts

December 4th, 2008 16:00

Looks as though Avenger didn't find anything.

 

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform:  Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Completed script processing.

*******************

Finished!  Terminate.

10.4K Posts

December 5th, 2008 06:00


TSignus

That Avenger found no rootkits is actually a good thing. But do not remove Avenger; we are going to use it shortly.

1. Go HERE and download File Lister.
  • Save it to your Desktop
  • Rt Click ->> Extract all ->> And extract it to your Desktop
  • Additional help on extracting zip files can be found HERE
  • Open the File Lister Folder.
  • Rt Click FileLister.vbe ->> Select Open, then Open to confirm.
  • As the program runs, it will appear that nothing is happening.
  • When the program is finished it will produce a log for you: C:\Files.txt

Copy and paste the contents of that log in your reply.






16 Posts

December 5th, 2008 17:00


+++++++++++++++++++++++++++++++++
+
+ File Lister
+
+ Version 1.0.4
+
+  By bamajim / bamajim.com
+
+++++++++++++++++++++++++++++++++


Report ran on --->>>  12/5/2008 5:22:37 PM

====== Values under HKLM\~\Run ======

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MCAgentExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
"MCUpdateExe"="C:\\PROGRA~1\\mcafee.com\\agent\\McUpdate.exe"
"MSConfig"="C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\MSConfig.exe /auto"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"


====== Values under HKCU\~\Run ======

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="\"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"MySpaceIM"="C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"
"AOL Fast Start"="\"C:\\Program Files\\America Online 9.0\\AOL.EXE\" -b"


====== Folders and Files from "%\" and "%\Windows" Created Last 30 Days ======

12/4/2008 4:35:55 PM    627    C:\Avenger
12/3/2008 2:19:13 AM    8121103    C:\cmdcons
12/3/2008 2:19:17 AM    860672    C:\cmdcons\SYSTEM32
12/3/2008 2:16:51 AM    2544157    C:\Qoobox
12/3/2008 2:16:51 AM    19901    C:\Qoobox\BackEnv
12/3/2008 2:16:51 AM    497063    C:\Qoobox\Quarantine
12/3/2008 2:22:24 AM    478003    C:\Qoobox\Quarantine\C
12/3/2008 2:22:38 AM    283625    C:\Qoobox\Quarantine\C\WINDOWS
12/3/2008 2:22:38 AM    135680    C:\Qoobox\Quarantine\C\WINDOWS\system32
12/3/2008 2:16:51 AM    18890    C:\Qoobox\Quarantine\Registry_backups
12/3/2008 6:22:55 AM    85    C:\RECYCLER
12/3/2008 6:22:55 AM    85    C:\RECYCLER\S-1-5-21-823518204-839522115-1060284298-1003
12/4/2008 4:35:55 PM    886    32    C:\avenger.txt
12/3/2008 2:19:25 AM    211    32    C:\Boot.bak
12/3/2008 2:19:19 AM    260272    32    C:\cmldr
12/3/2008 3:47:37 AM    12859    32    C:\ComboFix.txt
12/5/2008 5:22:41 PM    999    32    C:\Files.txt
12/3/2008 3:35:00 AM    792723456    38    C:\pagefile.sys
11/12/2008 3:02:25 AM    1929487    C:\WINDOWS\$NtUninstallKB954459$
11/12/2008 3:02:25 AM    622863    C:\WINDOWS\$NtUninstallKB954459$\spuninst
11/12/2008 3:02:02 AM    1727641    C:\WINDOWS\$NtUninstallKB955069$
11/12/2008 3:02:02 AM    622745    C:\WINDOWS\$NtUninstallKB955069$\spuninst
11/12/2008 3:02:38 AM    1079811    C:\WINDOWS\$NtUninstallKB957097$
11/12/2008 3:02:38 AM    623235    C:\WINDOWS\$NtUninstallKB957097$\spuninst
12/3/2008 2:16:51 AM    57523516    C:\WINDOWS\ERDNT
12/3/2008 2:16:51 AM    57523516    C:\WINDOWS\ERDNT\Hiv-backup
12/3/2008 3:39:49 AM    13320192    C:\WINDOWS\ERDNT\Hiv-backup\Users
12/3/2008 3:39:49 AM    233472    C:\WINDOWS\ERDNT\Hiv-backup\Users\00000001
12/3/2008 3:39:49 AM    8192    C:\WINDOWS\ERDNT\Hiv-backup\Users\00000002
12/3/2008 3:39:49 AM    233472    C:\WINDOWS\ERDNT\Hiv-backup\Users\00000003
12/3/2008 3:39:49 AM    8192    C:\WINDOWS\ERDNT\Hiv-backup\Users\00000004
12/3/2008 3:39:49 AM    12513280    C:\WINDOWS\ERDNT\Hiv-backup\Users\00000005
12/3/2008 3:39:51 AM    323584    C:\WINDOWS\ERDNT\Hiv-backup\Users\00000006
12/3/2008 2:16:57 AM    89504    32    C:\WINDOWS\fdsv.exe
12/3/2008 2:16:57 AM    80412    32    C:\WINDOWS\grep.exe
11/11/2008 10:05:20 PM    12888    32    C:\WINDOWS\KB954459.log
11/12/2008 3:01:09 AM    8381    32    C:\WINDOWS\KB955069.log
11/12/2008 3:02:34 AM    8035    32    C:\WINDOWS\KB957097.log
11/12/2008 3:00:48 AM    309188    32    C:\WINDOWS\msxml4-KB954430-enu.LOG
12/3/2008 2:16:57 AM    28672    32    C:\WINDOWS\NIRCMD.exe
12/3/2008 2:16:57 AM    98816    32    C:\WINDOWS\sed.exe
12/3/2008 2:16:57 AM    161792    32    C:\WINDOWS\SWREG.exe
12/3/2008 2:16:57 AM    136704    32    C:\WINDOWS\SWSC.exe
12/3/2008 2:16:57 AM    212480    32    C:\WINDOWS\SWXCACLS.exe
12/3/2008 2:16:57 AM    49152    32    C:\WINDOWS\VFIND.exe
12/3/2008 2:16:57 AM    68096    32    C:\WINDOWS\zip.exe
11/25/2008 5:12:46 PM    99840    32    C:\WINDOWS\system32\dmconfigk.dll

====== Files under "\Administrator\Startup" Last 30 Days======

 

====== Files under "\All Users\Startup" Last 30 Days======


====== Folders under "\Program Files" Last 30 Days======

11/20/2008 8:04:42 PM    949072    C:\Program Files\File Scanner Library (Spybot - Search & Destroy)
11/20/2008 8:04:42 PM    962896    C:\Program Files\Misc. Support Library (Spybot - Search & Destroy)
11/20/2008 8:04:42 PM    3125920    C:\Program Files\SDHelper (Spybot - Search & Destroy)
11/20/2008 8:04:42 PM    3666592    C:\Program Files\TeaTimer (Spybot - Search & Destroy)
12/3/2008 6:39:18 PM    399553    C:\Program Files\Trend Micro
12/3/2008 6:39:18 PM    399553    C:\Program Files\Trend Micro\HijackThis

====== Files under "\System32\Drivers" Last 30 Days======

12/1/2008 8:00:02 PM    102664    32    C:\WINDOWS\system32\drivers\tmcomm.sys

====== Files under "\User\Local Settings\Temp" Last 30 Days======

12/3/2008 4:30:00 AM    426    32    C:\Documents and Settings\Tim\Local Settings\Temp\AcrEEDD.tmp
12/4/2008 5:21:37 PM    4    32    C:\Documents and Settings\Tim\Local Settings\Temp\PMShared
12/4/2008 7:43:52 PM    239    32    C:\Documents and Settings\Tim\Local Settings\Temp\TMP128B.tmp
12/4/2008 5:24:44 PM    2179    32    C:\Documents and Settings\Tim\Local Settings\Temp\toasterWrite1.html
12/3/2008 9:35:58 PM    2150    32    C:\Documents and Settings\Tim\Local Settings\Temp\wmplog00.sqm
12/3/2008 9:39:36 PM    2150    32    C:\Documents and Settings\Tim\Local Settings\Temp\wmplog05.sqm
12/3/2008 9:40:09 PM    2150    32    C:\Documents and Settings\Tim\Local Settings\Temp\wmplog06.sqm
12/3/2008 9:41:13 PM    2150    32    C:\Documents and Settings\Tim\Local Settings\Temp\wmplog07.sqm
12/3/2008 5:40:01 AM    13116    2    C:\Documents and Settings\Tim\Local Settings\Temp\Z@R10.tmp
12/3/2008 5:40:01 AM    32596    2    C:\Documents and Settings\Tim\Local Settings\Temp\Z@R12.tmp
12/3/2008 5:40:01 AM    35656    2    C:\Documents and Settings\Tim\Local Settings\Temp\Z@R14.tmp
12/3/2008 5:38:46 AM    10208    2    C:\Documents and Settings\Tim\Local Settings\Temp\Z@RC.tmp
12/3/2008 5:40:01 AM    14948    2    C:\Documents and Settings\Tim\Local Settings\Temp\Z@RE.tmp
12/3/2008 5:40:01 AM    1409    2    C:\Documents and Settings\Tim\Local Settings\Temp\Z@S11.tmp
12/3/2008 5:40:01 AM    1409    2    C:\Documents and Settings\Tim\Local Settings\Temp\Z@S13.tmp
12/3/2008 5:40:01 AM    1409    2    C:\Documents and Settings\Tim\Local Settings\Temp\Z@S15.tmp
12/3/2008 5:38:46 AM    1409    2    C:\Documents and Settings\Tim\Local Settings\Temp\Z@SD.tmp
12/3/2008 5:40:01 AM    1409    2    C:\Documents and Settings\Tim\Local Settings\Temp\Z@SF.tmp
12/4/2008 4:01:12 PM    16384    32    C:\Documents and Settings\Tim\Local Settings\Temp\~DFA1A1.tmp

====== Files and Folders under "All Users\Application Data" Last 30 Days======


 ====== Possible Rootkit Scan (Note: Items listed here are not necessarily bad)======


====== Values under HKLM\Software\microsoft\shared tools\msconfig\startupreg ======

====== BHO's under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects ======

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{9BBCDEA8-6E27-4842-862E-CC739792746D}


====== Services ( Services that are Whitelisted are not shown) ======

 InCD Helper (read only) (InCDsrvR) C:\Program Files\Ahead\InCD\InCDsrv.exe -r  - Disabled

 Logitech Process Monitor (LVPrcSrv) c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe  - Disabled

 LVSrvLauncher (LVSrvLauncher) C:\Program Files\Common Files\Logitech\SrvLnch\SrvLnch.exe  - Disabled

 SNMP Service (SNMP) C:\WINDOWS\System32\snmp.exe  - Auto

 SNMP Trap Service (SNMPTRAP) C:\WINDOWS\System32\snmptrap.exe  - Manual

 Linksys Wireless Guard Network Manager Service (WSCNetManager) "C:\Program Files\Linksys Wireless Guard\WscNetMgrSvc.exe"  - Auto

 WUSB54Gv4SVC (WUSB54Gv4SVC) "C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv4.exe"  - Disabled


====== Running Processes ======

System Idle Process   [0]  
System   [4]  
smss.exe   [700]   \SystemRoot\System32\smss.exe
csrss.exe   [752]  
winlogon.exe   [776]   winlogon.exe
services.exe   [820]   C:\WINDOWS\system32\services.exe
lsass.exe   [832]   C:\WINDOWS\system32\lsass.exe
svchost.exe   [1000]   C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe   [1076]  
svchost.exe   [1200]   C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe   [1244]  
svchost.exe   [1476]  
spoolsv.exe   [1628]   C:\WINDOWS\system32\spoolsv.exe
AOLacsd.exe   [1780]   "C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe"
svchost.exe   [1836]   C:\WINDOWS\System32\svchost.exe -k HTTPFilter
mcvsrte.exe   [1860]   c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe /Embedding
snmp.exe   [1956]   C:\WINDOWS\System32\snmp.exe
svchost.exe   [188]   C:\WINDOWS\System32\svchost.exe -k imgsvc
WscNetMgrSvc.exe   [320]   "C:\Program Files\Linksys Wireless Guard\WscNetMgrSvc.exe"
wmpnetwk.exe   [880]  
alg.exe   [1572]  
wuauclt.exe   [308]   "C:\WINDOWS\system32\wuauclt.exe" /RunStoreAsComServer Local\[4b0]SUSDS25ef9c4c2eb8e1418f600ca64db84077
explorer.exe   [2076]   C:\WINDOWS\Explorer.EXE
wscntfy.exe   [2132]   C:\WINDOWS\system32\wscntfy.exe
mcagent.exe   [2320]   "C:\PROGRA~1\mcafee.com\agent\mcagent.exe"
ctfmon.exe   [2376]   "C:\WINDOWS\system32\ctfmon.exe"
WscGuard.exe   [2468]   "C:\Program Files\Linksys Wireless Guard\WscGuard.exe"
wscript.exe   [1520]   "C:\WINDOWS\System32\WScript.exe" "C:\Documents and Settings\Tim\Desktop\FileLister.vbe"
wmiprvse.exe   [948]  
wmiprvse.exe   [3048]  

====== Uninstall List From Registry ======

Ad-Aware SE Personal
Adobe Flash Player ActiveX
Adobe Shockwave Player
AOL Instant Messenger
AOL Uninstaller (Choose which Products to Remove)
Ares Tube 2.0
ATI Display Driver
Canon CanoScan LiDE 90 User Registration
Canon Utilities Solution Menu
Conexant 56K ACLink Modem
Conexant AC-Link Audio
Creative Removable Disk Manager
Foxit Reader
getPlus(R)_ocx
HijackThis 2.0.2
Microsoft Internationalized Domain Names Mitigation APIs
Windows Internet Explorer 7
Linksys Wireless Guard
LiveUpdate
InterActual Player
Windows Media Format SDK Hotfix - KB891122
Hotfix for Windows Media Format SDK (KB902344)
Microsoft Base Smart Card Cryptographic Service Provider Package
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Internet Explorer 7 (KB928090)
Hotfix for Windows Media Format 11 SDK (KB929399)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows XP (KB938464)
Security Update for Windows Internet Explorer 7 (KB939653)
Hotfix for Windows Media Player 11 (KB939683)
Security Update for Windows XP (KB941569)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows XP (KB946648)
Hotfix for Windows Internet Explorer 7 (KB947864)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Update for Windows XP (KB951072-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Update for Windows XP (KB951978)
Hotfix for Windows XP (KB952287)
Security Update for Windows XP (KB952954)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB955069)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
K-Lite Codec Pack 2.45 Basic
LimeWire 4.12.11
Microsoft .NET Framework 1.1 Hotfix (KB928366)
McAfee SecurityCenter
Microsoft .NET Framework 1.1
Move Networks Player for Internet Explorer
Canon MP Navigator EX 1.0
Microsoft Compression Client Pack 1.0 for Windows XP
MySpaceIM
Nero Suite
Microsoft National Language Support Downlevel APIs
OE-Mail Recovery 1.7
Logitech® Camera Driver
RealPlayer
Road Runner Tech Install
Adobe Flash Player 9 ActiveX
SP2 Connection Patcher
Spybot - Search & Destroy 1.4
Synaptics Pointing Device Driver
Creative System Information
Viewpoint Manager (Remove Only)
Viewpoint Media Player
McAfee VirusScan
VideoLAN VLC media player 0.8.6f
Windows Genuine Advantage Validation Tool
Windows Genuine Advantage Notifications (KB905474)
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
WinRAR archiver
Windows Media Connect
Windows Media Format 11 runtime
Windows Media Player 11
Microsoft User-Mode Driver Framework Feature Pack 1.0
Yahoo! Messenger
WD Diagnostics
Civilization III
CanoScan LiDE 90
Adobe Photoshop Album 2.0 Starter Edition
Linksys Wireless Guard
AutoUpdate
King's Quest Collection(TM)
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 9
J2SE Runtime Environment 5.0 Update 10
Java(TM) SE Runtime Environment 6 Update 1
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) 6 Update 5
WebFldrs XP
QuickTime
Windows Genuine Advantage v1.3.0254.0
PowerDVD
WebIQ Technology Engine
Microsoft Visual C++ 2005 Redistributable
Final Draft 7
DivX Codec
ArcSoft PhotoStudio 5.5
MSXML 4.0 SP2 (KB954430)
UMVPLStandalone
DivX Player
Microsoft Office XP Professional with FrontPage
Adobe Reader 7.1.0
DivX Converter
Spybot - Search & Destroy
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Reader
DivX Web Player
Apple Software Update
LiveUpdate
Logitech Audio Echo Cancellation Component
MSXML 4.0 SP2 (KB936181)
Linksys Wireless-G USB Network Adapter
Microsoft .NET Framework 1.1
Presto! PageManager 7.15.16
Sony Media Manager for PSP 2.5
ScanSoft OmniPage SE 4
Logitech Video Enumerator
Logitech QuickCam
Adobe Photoshop CS
HighMAT Extension to Microsoft Windows XP CD Writing Wizard

======== Other Info ========

TOTAL PHYSICAL RAM: 527 MB

 

10.4K Posts

December 8th, 2008 06:00


TSignus

1. Go to Add or Remove Programs (Click Start ->> Control Panel ->> Add or Remove programs)
And uninstall the following programs

Viewpoint Manager (Remove Only)
AutoUpdate

Close Add or Remove Programs

2. We need to temporarily disable Spybot-S&D TeaTimer so it doesn't interfere with our fix
  1) Run Spybot-S&D
  2) Go to the Mode menu, and make sure "Advanced Mode" is selected
  3) On the left hand side, choose Tools -> Resident
  4) Uncheck "Resident TeaTimer" and OK any prompts
  5) Restart your computer.

Next
1. Rerun Avenger

2. Copy all the text contained in the bold below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
C:\WINDOWS\system32\dmconfigk.dll


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Select Load Script
  • Select Paste from Clipboard
  • The information should now appear in the Open window
  • Select Execute
  • Answer Yes When prompted "Are you sure you want to execute the current script?"

4. The Avenger will automatically do the following:
  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log.

16 Posts

December 8th, 2008 18:00

When I went to the Add/Remove Programs, I was able to find and remove "Viewpoint Manager (Remove Only)", but "AutoUpdate" was not listed as a program to be removed. After removing Viewpoint Manager, I ran Avenger and got the following log:

 

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform:  Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error:  could not open file "C:\WINDOWS\system32\dmconfigk.dll"
Deletion of file "C:\WINDOWS\system32\dmconfigk.dll" failed!
Status: 0xc0000022 (STATUS_ACCESS_DENIED)


Completed script processing.

*******************

Finished!  Terminate.

 

 

AND HERE'S THE LATEST HIJACK THIS LOG:

 

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:08:04 PM, on 12/8/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Linksys Wireless Guard\WscNetMgrSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\Linksys Wireless Guard\WscGuard.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {9BBCDEA8-6E27-4842-862E-CC739792746D} - C:\WINDOWS\system32\dmconfigk.dll
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\AOL.EXE" -b
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: Linksys Wireless Guard.lnk = C:\Program Files\Linksys Wireless Guard\WscGuard.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Linksys Wireless Guard Network Manager Service (WSCNetManager) - Wireless Security Corporation - C:\Program Files\Linksys Wireless Guard\WscNetMgrSvc.exe

--
End of file - 3831 bytes
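
A triage helper for the two HijackThis logs posted so far, as an added example that is not part of the original thread or of HijackThis itself. It parses O2/O4/O23 lines, flags unnamed BHOs whose DLL sits directly in system32 (a heuristic assumed here as a lead, not a verdict), and compares two scans. The sample text is a subset of lines copied from the logs above; all function names are hypothetical.

```python
import ntpath
import re
from typing import NamedTuple


class Entry(NamedTuple):
    section: str  # HijackThis section code: "O2", "O4" or "O23"
    name: str     # display name as logged
    ident: str    # CLSID for O2, registry hive for O4, vendor for O23
    target: str   # file path or command line


# O2 - BHO: <name> - {CLSID} - <dll path>
_O2 = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.+)$")
# O4 - <hive>\..\Run: [<value name>] <command> (optional "(User '...')" suffix)
_O4 = re.compile(r"^O4 - (\S+): \[([^\]]+)\] (.+?)(?: \(User '[^']*'\))?$")
# O23 - Service: <display name> - <vendor> - <binary path>
_O23_PREFIX = "O23 - Service: "


def parse_hjt(text):
    """Return Entry tuples for the O2, O4 (Run keys) and O23 lines of a log."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = _O2.match(line)
        if m:
            entries.append(Entry("O2", m.group(1), m.group(2).upper(), m.group(3)))
            continue
        m = _O4.match(line)
        if m:
            entries.append(Entry("O4", m.group(2), m.group(1), m.group(3)))
            continue
        if line.startswith(_O23_PREFIX):
            # Split from the right so " - " inside the display name is harmless.
            parts = line[len(_O23_PREFIX):].rsplit(" - ", 2)
            if len(parts) == 3:
                entries.append(Entry("O23", parts[0], parts[1], parts[2]))
    return entries


def unnamed_system32_bhos(entries):
    """Heuristic lead: BHO registered with no name, DLL directly in system32."""
    flagged = []
    for e in entries:
        if e.section != "O2" or e.name != "(no name)":
            continue
        folder = ntpath.dirname(e.target).lower()
        if folder.endswith("\\windows\\system32"):
            flagged.append(e)
    return flagged


def compare_scans(before, after):
    """Show what changed between two scans and which flagged items survived."""
    old, new = set(before), set(after)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "persisting_flagged": [e for e in unnamed_system32_bhos(after) if e in old],
    }


# Subset of lines from the 12/3/2008 log in this thread.
SCAN_DEC3 = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {9BBCDEA8-6E27-4842-862E-CC739792746D} - C:\WINDOWS\system32\dmconfigk.dll
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
"""

# Subset of lines from the 12/8/2008 log in this thread.
SCAN_DEC8 = SCAN_DEC3 + r"""
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\AOL.EXE" -b
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
"""

if __name__ == "__main__":
    report = compare_scans(parse_hjt(SCAN_DEC3), parse_hjt(SCAN_DEC8))
    for key, items in report.items():
        print(key)
        for e in items:
            print("   ", e.section, e.name, "->", e.target)
```
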

10.4K Posts

December 9th, 2008 09:00


Tsignus

O.K. Let's try a little trick here

With Spybot S&D disabled

You may want to print out these instructions for reference.

1. We are going to create a Folder
Rt Click a blank spot on your Desktop ->> Select New ->> Folder
And Name it Junk

2. Using Windows Explorer
  • (Right click on "Start," select "Explore," and you will see the "tree" of file folders in the left side of the window. Click on the "+" next to any folder name to expand its contents)

Locate the following file

C:\WINDOWS\system32\dmconfigk.dll

3. Once located, reduce the size of the open Explorer window so you can see the file and the Junk folder you created on your Desktop

4. Left Click and Hold the file C:\WINDOWS\system32\dmconfigk.dll and drag it to the Junk folder and drop it. What we are trying to do is move this file.

5. If successful, close all open windows, Reboot your PC ->> Rerun Hijackthis and post a fresh Hijackthis log. If there is a problem then reply, we will do it another way

16 Posts

December 9th, 2008 17:00

When I tried to move the dmconfigk.dll file over to the Junk folder, it wouldn't allow me to move it. A window popped up saying "Error Moving File or Folder. Cannot move dmconfigk: Access is denied. Make sure the disk is not full or write-protected and that the file is not currently in use."

I suppose it's time for a plan B?

10.4K Posts

December 10th, 2008 12:00


TSignus

O.k. Plan B.

Before we proceed, do you remember denying a decision in Spybot S&D regarding this file?

And are you the Administrator on this PC?

1. Go HERE and download WormFix

Save it to your Desktop. But do not run it yet.

2. Reboot into Safe Mode
This can be done by
  • Restart your PC, and after it starts, but before you see the Windows Splash screen, begin tapping the F8 key twice a second until you reach another menu screen (black background with white menu choices)
  • Use your arrow keys and select Safe Mode and then Enter


3. Close all Internet Explorer Windows and Run WormFix
  • Double click the WormFix.Zip file to unzip it.
  • Open the WormFix Folder
  • Double Click WormFix.vbe to run the program
  • Then Select O.K. at the prompt
  • Allow the program to run (Your desktop will disappear, then re-appear. This is normal)
  • When it is finished it will produce a log C:\WormFix.txt
  • Copy and paste the results of that log in your reply


4. Then reboot your PC into Normal Windows Mode ->> Rerun HijackThis and post a fresh HijackThis log, as well as the C:\WormFix.txt log

Note: you may have to post the results in more than one reply

16 Posts

December 10th, 2008 19:00

I downloaded the WormFix program, but my computer won't run safe mode. I got all the way to the selection screen where I chose safe mode, but then instead of opening in safe mode, it flashed a blue screen very briefly and then the whole computer restarted. I tried this several times, but every time I choose safe mode now, the computer just seems to restart on me. Should I try and run WormFix from just my normal desktop?

10.4K Posts

December 11th, 2008 05:00

TSignus

Yes, run WormFix in Normal Windows mode and let's see how it does.

 

16 Posts

December 11th, 2008 21:00

Here's the HiJack This log I ran after restarting. The dmconfigk.dll appears to be back...

 

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:33:44 PM, on 12/11/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Linksys Wireless Guard\WscNetMgrSvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Program Files\Linksys Wireless Guard\WscGuard.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\AIM95\aim.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {9BBCDEA8-6E27-4842-862E-CC739792746D} - C:\WINDOWS\system32\dmconfigk.dll
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: Linksys Wireless Guard.lnk = C:\Program Files\Linksys Wireless Guard\WscGuard.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Linksys Wireless Guard Network Manager Service (WSCNetManager) - Wireless Security Corporation - C:\Program Files\Linksys Wireless Guard\WscNetMgrSvc.exe

--
End of file - 3488 bytes

16 Posts

December 11th, 2008 21:00

Here's the WormFix log. I'll restart my computer now and run another HijackThis log and post it too.

 

========================================
WormFix

Version 1.1.5

By bamajim @  bamajim.com

========================================

C:\WINDOWS\SYSTEM32\dmconfigk.dll Found!
C:\WINDOWS\SYSTEM32\dmconfigk.dll Deleted!
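
The two logs posted above can be cross-checked mechanically: a file that WormFix reports as deleted but that a later HijackThis scan still lists as a Browser Helper Object has either been re-created or was never unregistered. The following is an added example, not part of the original thread or of either tool; the function names are hypothetical, and the sample text is the relevant lines copied from the two logs.

```python
import ntpath
import re
from collections import namedtuple

Bho = namedtuple("Bho", "name clsid path")

# Relevant lines copied from the HijackThis and WormFix logs in this thread.
HJT_LOG = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {9BBCDEA8-6E27-4842-862E-CC739792746D} - C:\WINDOWS\system32\dmconfigk.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""
WORMFIX_LOG = r"""
C:\WINDOWS\SYSTEM32\dmconfigk.dll Found!
C:\WINDOWS\SYSTEM32\dmconfigk.dll Deleted!
"""

# "O2 - BHO: <name> - {CLSID} - <path>"; the name itself may contain hyphens.
O2_RE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.+)$")
DELETED_RE = re.compile(r"^(.+?) Deleted!$")


def parse_bhos(hjt_text):
    """Return every O2 (Browser Helper Object) entry in a HijackThis log."""
    bhos = []
    for line in hjt_text.splitlines():
        m = O2_RE.match(line.strip())
        if m:
            bhos.append(Bho(m.group(1), m.group(2), m.group(3).strip()))
    return bhos


def parse_deleted(wormfix_text):
    """Return the paths a WormFix log reports as deleted, case-normalised."""
    deleted = set()
    for line in wormfix_text.splitlines():
        m = DELETED_RE.match(line.strip())
        if m:
            # Windows paths are case-insensitive: SYSTEM32 == system32.
            deleted.add(ntpath.normcase(m.group(1).strip()))
    return deleted


def removed_but_still_registered(hjt_text, wormfix_text):
    """BHOs whose DLL was reported deleted yet is still listed afterwards."""
    deleted = parse_deleted(wormfix_text)
    return [b for b in parse_bhos(hjt_text) if ntpath.normcase(b.path) in deleted]


if __name__ == "__main__":
    for bho in removed_but_still_registered(HJT_LOG, WORMFIX_LOG):
        print(f"still registered after removal: {bho.clsid} {bho.path}")
```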

10.4K Posts

December 12th, 2008 05:00

TSignus


You ever remember allowing or denying a decision in Spybot S&D regarding this file?

 

16 Posts

December 13th, 2008 11:00

Shortly before I first posted my problem to this board, I ran Spybot. It found the dmsconfigk.dll file as something that was a problem, but when I tried to have Spybot get rid of it, it said it was unable to remove the file.
