Started as a malware/virus issue...

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Bluestreak, Feb 10, 2012.

  1. Bluestreak

    Bluestreak Private E-2

    But became a potential software/hardware issue.

    Hello!
    Thank you for your time, too.

    If I may, I’d like to explain my situation a little; it seems the Read n’ Run Me helped resolve many of the conflicts on my machine, but I’ve still a few things I’d like to see if I can get resolution on.

    My desktop computer was acting odd, and I kept getting “steered” to places I don’t normally haunt on the ‘Web (luckily, just store sites!), and the PC’s performance (even for an older unit) was lackluster at best. I figured, it’s possible that a sneaky something had gotten its nose under the tent and snuck in, so I came to Major Geeks and grabbed the Kaspersky Virus Removal Tool and commenced to scan with the default settings. (This was done before I had ever done the Read n’ Run Me.)

    Kaspersky’s Virus Removal Tool initially found nothing on my Machine, and then after it completed that scan, I ran it just to check the harddrive (C:\)—the respective box was ‘ticked’ or checked.
    It found eight (8) threats in what appears to be two (2) categories:

    C:\Program Files\trojan-spy win32.zbot.aoqt

    C:\System Volume Information\_rest...\A0241247.exe

    Popped up, and then, by the time it was done, it had located the others, but only deleted the first five, four of which were “program files”, and then, only one “System Volume Info” was removed; after that, it didn’t find the other three files (I suspect the elimination of the first four plus the first of the “system” files may have remedied this).

    Here are the other identified files.

    C:\Program Files\FLV PlayeRCatsetup.exe

    C:\Program Files\FLV PlayeRCatsetup.exe//plugins\plugin_zhttp.dll

    C:\Program Files\FLV
    PlayeRCatsetup.exe//plugins\plugin_zhttp.dll//data0002.res

    C:\Program Files\FLV PlayeRCatsetup.exe//plugins\plugin_zhttp.dll//#

    C:\System Volume Information\_restore{10E7B3E6-F08F-4BCA-A4B8-8BDDC0868672}\RP1881\A0241247.exe

    All of these files were detected, located, and deleted. But these next ones were detected, only, and didn’t get removed or quarantined:

    C:\System Volume Information\FLV PlayeRCatsetup.exe//plugins\plugin_zhttp.dll

    C:\System Volume Information\FLV PlayeRCatsetup.exe//plugins\plugin_zhttp.dll//#

    C:\System Volume Information\FLV PlayeRCatsetup.exe//plugins\plugin_zhttp.dll//data0002.res

    I’ve read all over the Internet that this is a nasty virus that hands out your personal data and so much else. Has the Kaspersky tool eliminated it, or will it simply restore once I reboot the Computer again?

    I also noticed a file that the Kaspersky tool had “yellow flagged”, and noticed it was a “Fidbox.dat” file (in the ‘Drivers’ folder) that specifies itself as a Nero Media Player File; I haven’t had Nero in years (uninstalled it forever ago). The thing I find particularly queer about it is that the file is sized at 3.99GB.

    Even though I have over 300Gig available to use, that’s still a monster file; is it possible that it’s somehow linked to my music files (I’ve got more than three gig in music, but still, I used to burn the heck out of discs and dvds...I like to make ‘disposable’ copies so my original copies remain in good shape.)

    Another big file is “Fidbox.IDX”, at 52.5Mb (I don’t know if it’s related).

    Another interesting note is that of the files contained in the Drivers folder, these two in particular are...faded (?), and look as though they’re transparent, as opposed to the others’ sharper, more ‘solid’ appearance.

    I haven’t done anything with either of these files.

    Also, just as an aside, I don’t like Google, yet every time I turn around, it’s installed itself (or an updater) onto my Computer. Any way around this?

    A second scan found some minor security issues (saved the log file, this time!), but all the threats from before didn’t register at all. (As of update, most of these have been resolved.)

    Actually found an .flv player that I didn’t install hidden among the program folders that had a title similar to the issues that popped up; the issue was “FLV PlayeRCATSetup.exe”, and the executable I removed had “FLV PlayeR” in it, similarly titled files were also systematically located and removed (only two), and they were unshared.

    So now I’ve running a third scan with the Kaspersky Tool, and this time, I’ve got it set really high (hostile environment) to see what it finds. (Update, the machine's clean, and after the Read n' Run Me, that's confirmed--three times.)

    Oddly, I have to go through another computer to download and carry it in a jump drive to the main Computer of the house; when I try to download the programs to the desktop Computer (main Computer), the download cancels. Clicking the cancelled download makes it download, and the icon for the new download is present on my Computer’s desktop only during the actual download process—then it vanishes as if it never were. Changing the name or the file-type doesn’t rectify the matter, but it’ll work fine if I jump it from my laptop to the desktop computer.

    Update, 02/09/2012

    Okay, I’ve not only done some really intensive cleaning, and can now say that there are no Viruses or Spyware on my computer and that things appear to be running much better. I can do downloads on the Desktop Machine, and things are going much better. But apparently in my zeal to run the bare minimum (selective startup), I’ve disabled things that were connected to other programs. That is corrected, now, but I’d still like to not have my Yahoo Messenger modules try to start up. I may just uninstall it, as I use Skype as my primary online “social interaction” tool, and I really don’t seek conversation with anyone but Family and a friend or two.

    I’ve since done the Read n’ Run Me process—by the letter.

    And WOW...it was a major help! Thanks for the guide!

    The only snag I ran into was with ComboFix, but it wasn’t the fault of the software; I wasn’t actively connected to the Internet, for one, and for two, I didn’t have the Windows Recovery Console on the hard drive. I couldn’t install it, since my CD/DVD drives stopped working properly a long time ago—I think it’s more software than hardware issues; I used to copy the heck out of my albums, and things went downhill since I uninstalled Nero. (I’ll also double-check the connections within my tower itself; I do occasionally vacuum in there, VERY carefully...I have a tech vac.)

    Nero “burning ROM” came with the computer, and expired, and I hated it anyway; I assume that in removal, I must have eliminated some files I shouldn’t have in the un-install process.

    So I made do with what ComboFix could manage minus the Recovery Console, then got myself back online and ran ComboFix again, and it let me have the Recovery Console, successfully installed, and I have both logs for those events—each identified in the title—which I’ll be happy to include. (Please note that I’ve replaced my name with “BLUESTREAK” for the sake of my own personal comfort...I suppose I’m a bit paranoid, lol).

    Also, when I go to get my System Info, I get this message:

    “Can’t Collect Information
    Failed connection to this computer. Check to see that the Winmgmt service is running.”
    And it doesn’t show me anything in any of the categories or subcategories.

    I can tell you that I’m Running Windows XP Home with Service Pack 3, and I believe I’ve got a 2GB processor, Nvidia Soundcard, Logitech mouse and a Windows Intellitype (ergo) keyboard...

    Recently updated my Nvidia drivers through DriverMax (freebie account, ’coz I’m a cheapskate) and it had a tremendous positive impact on the appearance of things.

    So as it sits, I’m pretty much virus free, and things are working better, and of course, I’ve made plenty of restore points. But I’d like to get things working completely—like the disc drives, so I can backup the system with the Windows CD, and be able to see and or submit System Information as I should.

    Any advice? For the sake of edification, I’ve included my Logs: 2 from ComboFix, one from SuperAntiSpyware, and the other from Malwarebytes.

    I'm still running in Normal Startup Mode, and plan to keep it that way if things continue to remain stable.

    Thanks for listening to me ramble; hopefully, you’ll ramble back! :D
     

    Attached Files:

  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Oh my what a lot to read through. Most of what you are discussing I don't think is relevant to the malware forum, I may have to send you off to the software forum for some stuff. However, before I start reviewing your logs, please attach the MGLogs.zip. I need that too. (From running MGTools.exe)

    I also want to let you know that if I do send you back to the software forum, please do not attach any logs there unless someone specifically asks you to. Thank you.
     
    Last edited: Feb 10, 2012
  3. Bluestreak

    Bluestreak Private E-2

    Thank you, Kestrel13! for your attention; I apologize for the infodump, but I wanted to be certain to include everything I could. Hehh, good reason I've picked 'Bluestreak' as a nickname here, but I'll try to keep it a little shorter in the future. I'll get the MGTools log...I hadn't run that one yet (only the ones I submitted were mentioned in the Windows XP information category...I kinda figured I was missing something...).

    Again, thanks for your time. Hopefully I can get my Winmgmt and cd/dvd drives working again, keeping the system stable.

    Any more, instead of disabling through Startup, I'll just shut-down any programs I don't want running (Like ULead, Yahoo!Messenger, and Logitech Webcam Software). Since I'm not always using them, I don't need them running.
     
    Last edited by a moderator: Feb 10, 2012
  4. Bluestreak

    Bluestreak Private E-2

    Okay...I ran a MGTools.exe and it ran flawlessly. I haven't any actively running antivirus, outside of MalwareBytes and I exited that before I ran anything.

    Curious; I have read over and over that MalwareBytes and SuperAntiSpyware don’t provide "active" protection unless they are paid for, yet my copy of MalwareBytes says it has active protection going, lets me run flash scans, and so on, and hasn't come off 13 days of trial period remaining. Of course, I start it before I start the Internet connection each session, too.

    Recently downloaded the latest Adobe Reader and it stuck Norton Internet Security (clicked while someone was talking to me, wasn’t thinking), and just removed that, so it’ll likely show up in the MGTools log, so please disregard, it hasn’t been on my system for a whole day.

    So here's my log.
     

    Attached Files:

  5. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    The SUPERantispyware log is screwed. Please try again to attach the correct log.

    Here is a little fix. Some is just remnants from kaspersky I think. Obviously you are going to have to change "BLUESTREAK" yourself to your real user name where applicable in the file path.

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    After clicking Fix exit HJT.



    Now we need to use ComboFix by sUBs

    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    Driver::
    51112219
    File::
    c:\windows\system32\drivers\51112219.sys
    c:\documents and settings\"BLUESTREAK"\Local Settings\Temp\_uninst_51112219.bat
    Folder::
    c:\program files\Topsevenreviews
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe


    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    If after running Combofix you discover none of your programs will open up, and you receive the following error: "Illegal operation attempted on a registry key that has been marked for deletion". Then the answer is to REBOOT the machine, and all will be corrected.


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows7) Then attach the new C:\MGlogs.zip file that will be created by running this.

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
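The CFscript pasted above is a small line-oriented format: a directive name followed by `::` opens a section, and every non-blank line until the next directive is an entry for it. Since the helper asks the poster to edit the quoted "BLUESTREAK" placeholder by hand, a dry-run check is useful before the file is dragged onto ComboFix.exe. The following Python script is an added example, not code from the thread, from Kestrel13!, or from ComboFix itself; it assumes the placeholder is exactly the quoted string `"BLUESTREAK"`, uses a constructed copy of the posted script as its only input, and substitutes the made-up account name `RealUserName`. It parses the sections, expands the placeholder, and reports which File:: and Folder:: targets are present on the machine.

```python
"""Dry-run check of a ComboFix CFscript (added example, not ComboFix code).

Parses the section directives used in the script above (KILLALL::, Driver::,
File::, Folder::), swaps the quoted "BLUESTREAK" placeholder for the real
account name, and reports which listed paths are present on the machine, so a
reader can confirm what the script targets before dragging it onto ComboFix.exe.
"""
import os
import re

# Constructed copy of the script posted above; the only input this example needs.
SAMPLE_CFSCRIPT = """KILLALL::

Driver::
51112219
File::
c:\\windows\\system32\\drivers\\51112219.sys
c:\\documents and settings\\"BLUESTREAK"\\Local Settings\\Temp\\_uninst_51112219.bat
Folder::
c:\\program files\\Topsevenreviews
"""

# A section header is a directive name followed by "::" on its own line.
SECTION_RE = re.compile(r"^([A-Za-z]+)::$")

# The placeholder the helper told the poster to replace with the real user name.
PLACEHOLDER = '"BLUESTREAK"'


def parse_cfscript(text):
    """Return {section_name: [entries]} in the order sections appear.

    Blank lines are ignored; an entry that appears before any header is an
    error, since ComboFix would not know which directive it belongs to.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = SECTION_RE.match(line)
        if match:
            current = match.group(1)
            sections.setdefault(current, [])
            continue
        if current is None:
            raise ValueError("entry before any section header: %r" % line)
        sections[current].append(line)
    return sections


def expand_placeholder(path, username):
    """Substitute the real account name into a path containing the placeholder."""
    return path.replace(PLACEHOLDER, username)


def check_targets(sections, username, exists=os.path.exists):
    """Return [(section, expanded_path, present)] for every File:: and Folder:: entry.

    `exists` is injectable so the check can be exercised offline; the default
    consults the local filesystem.
    """
    report = []
    for section in ("File", "Folder"):
        for entry in sections.get(section, []):
            path = expand_placeholder(entry, username)
            report.append((section, path, bool(exists(path))))
    return report


if __name__ == "__main__":
    # "RealUserName" is a made-up stand-in for the account name a reader would use.
    parsed = parse_cfscript(SAMPLE_CFSCRIPT)
    print("Driver entries:", parsed.get("Driver", []))
    for section, path, present in check_targets(parsed, "RealUserName"):
        print("%-6s %-8s %s" % (section, "present" if present else "absent", path))
```

Run on the affected machine with the real account name in place of `RealUserName`; an entry reported absent before ComboFix runs is worth a second look at the path spelling, and one that is still present afterwards is a sign the fix did not take.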
     
  6. Bluestreak

    Bluestreak Private E-2

    Hi again, Kestrel13!

    If it's attached to "TopSevenReviews" it's an issue with an FLV converter I downloaded a couple weeks ago. Go figure. I will uninstall that post haste, and then do the assigned tasks, if that's just as acceptable. (But until then, I'll wait until you give the nod to do so.) I ask because I'm wondering if leaving the program (topseven) intact would simply re-insert it into my startup queue (to which, I went in there and disabled it).

    Things are already running markedly better than they were originally, but if I have some kind of malware or something, it's reasonable to want it gone. Also, I notice that I'm not alone with the whole "fidbox" files issue; everywhere I've read, it's just a folder full of zeros that takes up (THREE GIG!) space. Can these be removed? Thanks!

    Looking forward to further correspondence. :D
     
    Last edited: Feb 10, 2012
  7. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    No need to uninstall FLV converter. The topsevenreview stuff should be gone after you follow that fix.

    Why do I need file fidbox.dat for and why is it so large? Relates to Kaspersky as mentioned.

    Run the fix and attach the logs and we'll see what needs to be done next. :)
     
  8. Bluestreak

    Bluestreak Private E-2

    Following your instruction, I applied the changes as prescribed. ComboFix seemed to run normally, but when it got to the “Scanning for infected files” section, it seemed to hang up; no “Stage 1, Stage2, Stage3, and so on, just a long pause. This is where, my home’s electrical got a “phantom power-surge” (it happens all the time; In fact, that was the THIRD one this morning. Elec Co. only suggests I monitor and take note, does nothing.) and rebooted my freaking computer. I have a battery backup to keep the spike from frying things.

    Anyway, when I finally got back up and running, I disabled the Internet (it didn’t ask for an update the first time) and firewall and ran things again, and it performed normally, finishing in about 20 minutes.

    ___________

    Things I wonder about in the ComboFix Log (Likely more something to submit to the software forums):

    1.) c:\documents and settings\All Users\Application Data\Norton
    I don’t have Norton. When I put Adobe back on, it gave me the Internet Security Tool and I disabled that—thought I uninstalled it, but there’s still that footprint.
    2.) c:\program files\RegCleaner
    I had this program (found it here long ago) and it’s a good program. But it never activates, no matter where I get a copy of it from. It appears (the Desktop Icon), and when I click it, the hourglass blinks a couple times and then nothing. It hasn’t worked in years. In fact, I tried putting it back in there recently and the result is the same.
    3.) c:\program files\Topsevenreviews
    Smug thing. Still there.
    4.) c:\windows\system32\TubeFinder.exe
    I don’t remember any program with this that I have installed, and I just sort of wonder about it. “The Internet is a series of tubes…” (Sorry.)
    5.) c:\program files\Free FLV Converter (Aha! Are there any legitimate programs of this nature? I just want to share YouTube vids on my Walkman.)
    6.) c:\documents and settings\”BLUESTREAK”\Application Data\FreeFLVConverter (See above. This is likely the same one.)

    The rest, I’m utterly clueless about and will submit to your tender mercies.
    ___________

    And then there’s this thing called “Qoobox” that has a quarantine file. I can only seem to locate it by hunting for it (Windows Explorer=>My Comp. =>Local Disk C:\)

    Properties says it was created on Feb 9, 2012 is 3.89MB in size (Size on Disk is 3.88MB) and that it contains 17 files, 15 folders

    In the folders there's mention of Iconix, an old e-mail program I ran with Yahoo; most likely because Iconix was a program meant to keep me from getting viruses in my e-mails (a good reason to have a quarantine folder!). It’s long-outdated.

    I’ll likely uninstall it, since it doesn’t work with the “new” yahoo mail anyway.
    ___________

    Additionally, I’ve noticed that when I view my C:\ drive through Windows Explorer, I’ve got a boatload of old program files to things I’ve long since Uninstalled. Once I’m finished with this process (Including resetting the fidbox files), can I uninstall and/or delete these things? Or, perhaps is there a program that’ll find and eliminate them? No point in having the drive cluttered with invalid references.


    When I did these scans (ComboFix and MGTools), in both cases when I went to run Word, it said something about “Resizing”, something is too big or too small. Upon Restart, it doesn’t do it, though. Just thought I’d mention it.

    Pardon the litany, but it’s just things I was wondering about.

    Thanks for your patience and your assistance. :D

    Here's my Logs--I copied your instructions into a Word Document and titled it "ReDo", so that's why the CF log has the unusual name.
     

    Attached Files:

  9. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Still there. Not according to the logs.

    Leave the Fidbox alone, it is more than likely there because you ran TDSSKiller, a Kaspersky software.


    It is combofix's backup folder, don't worry about it.

    Yes, uninstall what you do not want or do not use and anything left behind we can take care of.


    Download The Avenger by Swandog469, and save it to your Desktop.

    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows7) Then attach the new C:\MGlogs.zip file that will be created by running this.

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
     
  10. Bluestreak

    Bluestreak Private E-2

    Man, am I ever embarrassed. I usually don't act on impulse, but I did, and it cost me (really, I'm the least likely type to be a pain in the arse!). Fortunately, there has been a degree of recovery and some minor resolution, but I had to wade through a bunch of garbage to get to it.

    To say the least, my experience has been most unhappy, and rife with frustration.

    Like I had mentioned at the onset of all of this, my computer was acting strangely, and this seemed to be affecting the other computers that are wirelessly connected to it. The more conventional methods (cleaning and such) weren’t doing the trick, so I elected to start updating drivers (which helped much) and doing the Read n’ Run Me process. Again, hugely helpful.

    Starting with the Kaspersky tool, which found the trojanware I’d indicated in my first address to this forum. Kestrel13!, you have been implemental in lending an assist, and I can’t thank you enough. (Will be sure to address that once we’re done here.)

    Everything was working swimmingly.

    Sunday morning I decided to see drivers that needed attending to, and DriverMax recommended a driver download for my Ethernet Adapter, as mine was way outdated. I downloaded it and installed and this is where things went straight to hell.

    Windows insisted I needed to reactivate, and there were problems. This put me in a position where I had to contact Microsoft and they helped me do a repair install, but because of the driver update, there were hang-ups that wouldn’t let me go any further.

    Needless to say, Sunday was miserable. Luckily, I was able to get on the Internet through another computer in the house, and download from the Intel® website the drivers compatible with my motherboard (they wouldn’t install from disc that I had, so I went and made a new one with the download), put them to disc and installed the new from there.

    The call to Microsoft managed to get at least one disk drive working, which is how I was able to do the repair install, as well as the driver install later on, thank goodness. I suspect that the other DVD RAM drive may just have a loose connection, perhaps? It gets power, the door opens and closes, but if I put in a disk, it asks for me to “insert a disk into drive D”—but that’s another issue for a later date, unless I have another crack at the Microsoft tech today and we manage to resolve it.

    My Malwarebytes has ‘expired’ (couldn’t expect to get away with it forever, lol!). I have Comodo with a firewall (the one recommended here at Major Geeks), and want to install that. It says Winxp SP2 and I have WinXP SP3. Will there be any problems as a result of this?

    But I’ve learnt my lesson the hard way: finish working with y’all first. I’ve been spreading my attention over so many things lately, and I shouldn’t at the risk of losing an excellent computer. My sincerest apologies, in the event I’ve made things more difficult; such is never my intention.

    So if you’d like (and if you’re willing), now that things are working somewhat again, I’d be happy to get a fresh set of logs from the respective programs of your choosing so you can have a look for any salient changes my stupidity has produced.

    In the interim, I’ll get the Avenger program you have since suggested, but will wait until you respond to this post before moving to act upon your instruction. Just in case something has changed.

    I do have to close out my case with the Microsoft Technician I was working with, but not before I make sure my Windows and other programs and services are as they should be. After all, I did have to pay for the fellow’s time and energy, for one, and since I’ve got it, I figure I might as well make the best of it.
     
  11. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Yes please. Continue on with my instructions.
     
  12. Bluestreak

    Bluestreak Private E-2

    Hello again, Kestrel13!

    Addressing what I can,

    Won’t mess with other files, but since I’ve put Windows through its paces, it’s gonna do what it’s gotta do (updates...good grief it’s been a while. I’ve forgotten how long it takes).

    Leaving Fidbox and Qoobox alone. I did find an old version of Kaspersky Virus software on the computer, and would like to get it out; it’s in the Windows Explorer files, not on the Add/Remove list. Along with removing this, I’d like to get rid of the Tool I got from here....having a zero-filled file taking up 3 gig of space...

    My MalwareBytes is no longer functioning, and I feel the need to have antivirus software (like burning). I’ve picked Comodo (recommended here), since it’s got the best firewall, too....but, I have Service Pack 3, and it says that it’s for XP SP2....will it be problematic if I use it?

    Haven’t done the Avenger and whatnot yet. Windows is inclined to demand updates and I am loath to not comply, particularly since I have limited firewall and an expired Malwarebytes.

    Will keep you in the loop.
     
  13. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Just reply again when you have those logs that I asked for. Thanks.
     
  14. Bluestreak

    Bluestreak Private E-2

    Okay, Windows has finished doing its thing, and I still have a bunch of questions for the Techie, but that’s that. Needless to say, things are running far better than they did, and Windows has many file paths it didn’t have (and missed enough that it affected system stability).

    Ran the Avenger and did things as prescribed, Logs are attached.

    A note, though; when I let the PC reboot, it first went to a black screen, and sat that way for a good several minutes; all the lights that were supposed to be on flashed when they should, and remained lit on the tower as if the start was successful, but the monitor read dead.

    When restarted yet again, I was met with a blue screen, bearing this information:

    Op: c000021a {Fatal System Error}
    E windows Logon Process System Process Terminated unexpectedly with a status o
    0x00000402 (0x00000000 0x00000000).
    e System has been shut down.


    :puke

    (I swear I got a few more grey hairs when I saw that bright blue death.) I restarted and prayed I hadn’t just toasted my machine. :eek

    :-oStarted normally, as did my breathing, and on the desktop was an Avenger Log, waiting for me. See attached.;)

    Ran MGTools getlogs function, and that’s there too.

    I posted immediately after all this happened, and I'll be happy to let you know if anything destabilizes. Until later!
     

    Attached Files:

  15. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    OK, everything looks great now, and we have even tackled some non-malware related issues. Are you still having any actual malware problems right now or not? If not we are ready for final steps. :)
     
  16. Bluestreak

    Bluestreak Private E-2

    Well, that's good news! :D

    Things would have been so much better, had I not listened to DriverMax and updated the driver as per their instruction. The road to hell is paved with good intentions...

    Since my MalwareBytes has expired, I went and got Comodo Internet Security PRO (paid the fin for the Geek-Buddy Service, too) so I’ll have something to keep me safe and dodge bugs while I’m online. I really hate to be unprotected while online.

    It updated and straightaway ran a first scan and found goodies (of course, it doesn’t like MGTools and ComboFix!), but it’s detected some 29 objects and it sees things like an e-mail worm (“Joleee” with 2 e’s) and lots of high-risk malware. Of course, it’s also complaining about the MousePen (my Daughter’s stylus/tablet input devices that let her use the art software on this machine).

    I won’t touch anything until we’re through here, though…I just needed to keep my system from being so vulnerable. I've attached the .TXT and Word files that state what it found (Word is first scan, .txt is the one I walked into and found waiting for me). Peruse, and judge; the Word Doc. is highlighted with some very brief explanation.

    Oh...and for some reason, my "Superman" Icon for MGTools has vanished.... (shrugs)
     

    Attached Files:

  17. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    C:\MGtools\download.exe <--- What is this?

    C:\WINDOWS\system32\UCMfg.exe <--- Relates to graphic tablet

    C:\System Volume Information\_restore{10E7B3E6-F08F-4BCA-A4B8-8BDDC0868672}\RP14\A0007553.exe <--- Items like this get flushed away for good when you eventually follow my final steps and toggle system restore.

    EmailWorm.Win32.Joleee.~J5@112461068 <--- It is not even clear which file is being identified as a threat here.
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It's part of MGtools and has been for along time. ;) See the history.txt file. It was added 12/20/2010
     
  19. Bluestreak

    Bluestreak Private E-2

    C:\MGtools\download.exe <--- What is this?
    I thought it was something related to MGTools…if it isn’t, it’s gonna be gone once we get through with all of these processes here.

    Oh…I refreshed and see that “ChasLang” has cleared that up for us.
    :wave Hello!

    C:\WINDOWS\system32\UCMfg.exe <--- Relates to graphic tablet
    I’ll make sure it’s listed in the “allowed” functions.

    C:\System Volume Information\_restore{10E7B3E6-F08F-4BCA-A4B8-8BDDC0868672}\RP14\A0007553.exe <--- Items like this get flushed away for good when you eventually follow my final steps and toggle system restore.
    Okay…I’ll just wait and watch, and follow your instruction before I run a final scan and clean. (Messing with System Restore sounds very intimidating.)

    EmailWorm.Win32.Joleee.~J5@112461068 <--- It is not even clear which file is being identified as a threat here.
    Uhm, well, It appears twice in a list once Comodo shows me the threat list at the end of each scan. From what I can see, it’s in a folder on my desktop that contains remnants of old programs I’ve long since uninstalled.

    They’re both related to the remains of a Hewlett Packard printer I had installed on here a while back, simply sitting in an isolated spot so I can get rid of them once I finished with your instruction.

    EmailWorm.Win32.Joleee.~J5@112461068 C:\Documents and Settings\Vera\Desktop\[Temporary folder name]\Hewlett-Packard [1 with an arbitrary tag to make it very notably different from another HP folder]\hpis\vendors\CeS\maps\wt\DeviceProd\maps\GlobalVars_Ces.mzp|MatcliWrapper.exe

    EmailWorm.Win32.Joleee.~J5@112461068 C:\Documents and
    Settings\Vera\Desktop\[Temporary Folder Name]\Hewlett-Packard [arbitrary tag to set it apart from another look-alike folder] \hpis\bin\MatcliWrapper.exe


    for the record, "Joleee" has 3 'e's, not two...LOL

    Otherwise, I’ve run HP for years…I think it’s likely just some kind of tracking cookie or something that makes the HP website remember me and my printer.
     
  20. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required (If we renamed it please rename it back to Combofix.exe).
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
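
The final steps above, scripted as an added example (my code, not the forum's procedure and not ComboFix or MGtools code): the parts that can be run from an elevated PowerShell prompt on the cleaned machine, each followed by a check. It relies only on what the post names: ComboFix.exe on the Desktop with the "/uninstall" switch, C:\MGtools\MGclean.bat, and UAC, which is governed by the EnableLUA registry value that enableUAC.reg sets. The System Restore cmdlets are the built-in ones in Microsoft.PowerShell.Management (Windows client editions). The Defogger and HijackThis steps are interactive and are not scripted.

```powershell
# Added example, not the forum's own procedure and not ComboFix/MGtools code.
# Run from an elevated PowerShell prompt on the cleaned machine.

# Step 2: ComboFix uninstall. It looks like an ordinary ComboFix run for a while
# (as the follow-up post notes); -Wait blocks until it has actually finished.
$combofix = Join-Path $env:USERPROFILE 'Desktop\ComboFix.exe'
if (Test-Path $combofix) {
    Start-Process -FilePath $combofix -ArgumentList '/uninstall' -Wait
}
if (Test-Path $combofix) {
    Write-Warning 'ComboFix.exe is still on the Desktop; the uninstall did not complete.'
}

# Step 6 check: UAC is controlled by the EnableLUA value (1 = on). enableUAC.reg
# from the post sets it; the change takes effect after a reboot.
$pol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac = Get-ItemProperty -Path $pol -Name EnableLUA -ErrorAction SilentlyContinue
if ($uac.EnableLUA -ne 1) {
    Write-Warning 'UAC is off (EnableLUA is not 1); import C:\MGtools\enableUAC.reg and reboot.'
}

# Step 8: MGtools cleanup batch file.
$mgclean = 'C:\MGtools\MGclean.bat'
if (Test-Path $mgclean) { Start-Process -FilePath $mgclean -Wait }

# Step 9: flush restore points. Disabling System Restore on a drive deletes the
# restore points stored there, including infected copies such as the
# _restore\...\RP14\A0007553.exe hit earlier in this thread. The post reboots
# between the two halves, so the enable step can be run after that reboot.
Disable-ComputerRestore -Drive 'C:\'
Enable-ComputerRestore  -Drive 'C:\'
Checkpoint-Computer -Description 'Clean baseline after malware removal' -RestorePointType MODIFY_SETTINGS

# Check: only the new baseline point should be listed now.
Get-ComputerRestorePoint | Select-Object SequenceNumber, Description, CreationTime
```

Two caveats for the last step: on Windows 8 and later Checkpoint-Computer creates at most one restore point per 24 hours, so if one was made earlier that day the baseline call does nothing and the listing will show that; and the listing itself is the check, since an empty list after Enable-ComputerRestore means the baseline was never created.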
     
  21. Bluestreak

    Bluestreak Private E-2

    So far, the computer is running well, and getting more stable with every little step you guide me through. I really appreciate the help, Kestrel13! And your patience is also appreciated.

    [Heavy Sigh.] You know, I’m not intentionally working to be a pain in the neck, but I think I may have run into a few snags.

    2.) If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)

    Per your instructions, when I went to put (copied and pasted) the "%userprofile%\Desktop\combofix" /uninstall into the run dialog, it tried to actually execute ComboFix. Is this normal?

    I had to use a jump drive to move ComboFix (as well as the other software suggested) in a group from another computer due to the fact that this computer wouldn’t let me perform downloads initially.

    To be safe, when I ran into the issue with the uninstall of ComboFix, I didn’t proceed any further.

    3.) Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.

    I’ve never installed any Disk emulation software. I’m unfamiliar with it. The only thing that has ‘daemon’ in its name that I have running is ‘daemonu.exe’ and it’s associated with my Nvidia graphics card. (I checked before, when looking into DE types of software, since the Read n’ Run Me instructions mentioned ‘daemon’.) Other than having used Nero or Ashampoo a long time ago, I’ve never copied (illegally ripped) any movies or DVDs into my computer.

    7.) Go to add/remove programs and uninstall HijackThis.
    The only HJT I have came bundled with the MGTools program.
     
  22. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You are most welcome.

    Yes, it will look like it is going through its usual process but it WILL uninstall if you wait a little longer. ;)

    Don't worry about it then.
    That's fine. Nothing to worry about at all. :)
     
  23. Bluestreak

    Bluestreak Private E-2

    Okay--the deed is done.

    Before I started the process, I exited my Antivirus before uninstalling (and disabled my Internet, too). ComboFix made the machine beep and told me there was a timer running, and upon checking, I found the "Geek Buddy" service I got with Comodo was running. Disabled that and resumed, got another beep. Used the Task Manager to find anything Comodo associated and disabled it, the little alert went away, and I waited.

    ComboFix Icon vanishes. Ran the MGTools MGClean.bat file, disabled System Restore, Rebooted.

    Fifteen minutes later, my Tower's powered up and sounds like it's running normally, but there's nothing displayed onscreen, so I hit the reset (I referred to this as a "double restart" in previous posts) and the machine booted fine. (Is there a reason for the need to do this..? Can it be resolved?)

    Word had slowed to a crawl.

    Then I remembered that since Windows needed updates (and a bloody lot of them!) from the work done by Microsoft and meself, what would be the possibility that my old Office 2000 would need a similar treatment?

    Sure enough, it's in dire need of updates. I go to Microsoft, but, my Office is obsolete and thus unfit to get attention from a tech. So I have to kind of wing it.

    Microsoft's website doesn't "sense" my version of Office and direct accordingly, either. There are two different updates to start with, and they both have specific ways of dealing with certain errors and...I'm a bit daunted by my previous mistake. When we got this machine, all they gave us was Disc 2 for Office.

    Oye. Any suggestions? I've checked in the "about" tab in Word's help drop down and found the Version number, but I'm a bit lost as to which updates apply. I mean, I feel confident that I'm gonna need SR-1 forward.....perhaps it'll resolve that nagging "Service Program is not active" alert I've been getting since the visit with the Microsoft Tech. (The second Tech--nowhere like the first, and a bit overbearing--said the problem could lie with Office, since my System Information gives me the correct response for everything BUT Office. I get "Can't Collect Information Failed connection to this Computer. Check to see if Winmgmt Service is running."--but that's addressable in Software, so I digress.)

    Blessedly, it seems that things are indeed doing better, though...just, gotta work my way back through those minor hiccups (well, I hope they are minor!).

    On that note, Kestrel13!, I sincerely appreciate your focus and time. It's a kind and wonderful thing that you, and these others do here to help the less-than-computer-proficient keep their machines running adequately without charging them a fortune for it.

    Yous guys are top-drawer!

    Hope to hear from you again, soon. :)
     
    Last edited: Feb 17, 2012
  24. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Anything non-malware-related (as I mentioned before) is NOT a topic for the malware forum. The remaining issues you have, you can further discuss in the software forum if you like. :) Thanks.

    You are most welcome for the assistance here in this forum. Locking this thread now as you need to post in software next not here, and also I am off on my holidays now anyway for a fortnight.
     