Strange Combination of XP Errors Hijackthis File included

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by sageofbrooklyn, Jan 28, 2009.

  1. sageofbrooklyn

    sageofbrooklyn Private E-2

    Dear Forum Readers,

    Thank you for your assistance on this matter. I know I have some sort of malware problem, yet cannot seem to locate it. When I run Firefox I get a blank popup window for an adware site, www.utterpop.com. I do not get this popup using IE 7. My problem started when my computer crashed with a blue screen with an error related to the cdudf_xp.sys file. Since then, my laptop has crashed again with this error. While troubleshooting that problem, I have encountered several other problems. I also read somewhere that you cannot use SP1 to recover from a SP3 error.

    After reading completely, I would appreciate it if you could give me step by step instructions on what to do next. I’d like to be able to first get the latest version of S&D detection file, scan my computer and then try to tackle the other issues one by one. Thank you for your time and efforts.

    1) Cannot defrag my local drives C: and D: using XP’s default program. I have downloaded Auslogic and can defrag local drives. I have no problems defragging my external drives connected on my USB ports. After doing a disk cleanup I tried to defrag my drive. Received the error message “Disk Defragmenter could not start”.
    2) Cannot use System Restore. In an effort to fix the defrag issue, I tried to do a System Restore. I can start the XP restore program, select a date to restore, then click next, and then nothing happens. When I try to create a restore point, nothing happens as well.
    3) I have the latest versions of McAfee, Spybot Search & Destroy, and Spyblaster. I did a full scan on my computer and no viruses were found. I did a full scan with S&D 1.6.1, which found some errors; I repaired them, but the problems above were not resolved. Then I learned that there was a new version of S&D, 1.6.2. I installed it, and was able to immunize my computer, but I cannot download the latest detection file to do a complete scan. I deleted my Hosts file in the windows\system32\drivers\etc directory and that did not fix the problem either.
    4) I have Registry Mechanic 7, ran it and repaired the errors. I learned that there is RM 8, but I am unable to download that as well. I deleted my Hosts file in the windows\system32\drivers\etc directory and that did not fix the problem either.

     
    Last edited by a moderator: Jan 28, 2009
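    The symptoms in this post (security-vendor downloads failing while other sites work, a deleted hosts file not helping) are the pattern a DNS hijack produces, and the thread later confirms a Zlob.DNSchanger detection. Before deleting anything, a defender wants to see which resolvers each adapter is actually using and which live mappings the hosts file contains. The script below is an added example, not part of the thread or of any tool it mentions; it assumes Windows PowerShell 2.0 or later and the standard WMI class Win32_NetworkAdapterConfiguration, and the vendor keyword list is constructed for this illustration from the sites the poster could not reach.

```powershell
<#
  Added example (not from the MajorGeeks thread): report per-adapter DNS
  servers and active hosts-file mappings so a DNS/hosts hijack can be
  spotted before the file is deleted. Assumes Windows PowerShell 2.0+.
#>

$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

# Constructed watch list: vendors whose downloads failed in the thread.
$watch = 'mcafee', 'majorgeeks', 'superantispyware', 'malwarebytes', 'safer-networking'

function Get-ConfiguredDns {
    # One row per IP-enabled adapter: static vs DHCP and the resolver list.
    Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        ForEach-Object {
            New-Object PSObject -Property @{
                Adapter     = $_.Description
                DhcpEnabled = $_.DHCPEnabled
                DnsServers  = ($_.DNSServerSearchOrder -join ', ')
            }
        }
}

function Get-ActiveHostsEntries {
    # Keep only lines that start with an address; comments and blanks are dropped.
    Get-Content -Path $hostsPath -ErrorAction SilentlyContinue |
        Where-Object { $_ -match '^\s*[0-9a-fA-F:.]+\s+\S' } |
        ForEach-Object { $_.Trim() }
}

"== DNS servers per adapter =="
Get-ConfiguredDns | Format-Table Adapter, DhcpEnabled, DnsServers -AutoSize

"== Active hosts entries =="
$entries = @(Get-ActiveHostsEntries)
if ($entries.Count -eq 0) { "(none besides comments)" }
foreach ($e in $entries) {
    $flag = ''
    foreach ($w in $watch) {
        if ($e -match $w) { $flag = '   <-- security vendor mapped locally' }
    }
    "$e$flag"
}
```

A resolver address that does not belong to the ISP or local router on an adapter marked DHCP-enabled, or a hosts line that maps a security vendor to 127.0.0.1 or to some unfamiliar address, is the thing to record (and screenshot) before the cleanup tools overwrite it; the default XP hosts file contains only the localhost line.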
  2. sageofbrooklyn

    sageofbrooklyn Private E-2

    Dear BJ Garrick,

    Thank you for pointing me in the right direction. I apologize if posting the HJT file caused you any hassles. I followed the instructions in the Read and Run Me First section. I downloaded all the files and their updates when possible. In several cases I had to go to other sources to download because I could not download them from Major Geeks. I have tried to run SAS; unfortunately I cannot get to their latest definition files. I tried many different sites that had the file, but could not download regardless of the program I used.

    I am now starting to have errors getting the latest McAfee update as well.

    What do I do now!

    Sageofbrooklyn
     
  3. sageofbrooklyn

    sageofbrooklyn Private E-2

    Hi,

    I ran the Read and Run First and performed all instructions. I got a friend to download and then email the SAS definition updates and was able to proceed.

    All Spyware and viruses have been removed.

    THANKS!!!

    Do you need me to send you the log files?
     
  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Yes, you need to attach the requested logs. Otherwise we have no idea if you are clean or not.
     
  5. sageofbrooklyn

    sageofbrooklyn Private E-2

    Dear Tim,

    Here are the log files, except Spybot S&D. It found one problem, Zlob.DNSchanger, and it was repaired.

    If you need that log, please let me know how much data, because it is a huge file.

    Cheers
     

    Attached Files:

  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    It appears that the scans took care of the malware. Let's just clean up a few items:

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    If you are not having any other malware problems, it is time to do our final steps:

    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real time protection. They are useful as backup scanners. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Note: the space between combofix" and /u must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.

      • Delete the C:\combofix folder from combofix (if it exists)

    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Go to add/remove programs and uninstall HijackThis.
    6. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    7. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Windows version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.

    8. After doing the above, you should work thru the below link:

     
  7. sageofbrooklyn

    sageofbrooklyn Private E-2

    Hi Tim,

    I followed your instructions.
    When I ran HJT, I did not see a BHO line that said
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

    I did find other lines with a similar format to the one below
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

    and removed them as well.
    At this time I have not removed the tools that I downloaded, since I will check my system regularly for a few weeks to see if other problems occur.

    I am in China, and it is well known that their networks and websites are very dirty. I will research using another firewall instead of the Windows default program.

    Thank you for your time and support.
     
  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You are quite welcome.....safe surfing. :)
     
  9. sageofbrooklyn

    sageofbrooklyn Private E-2

    They Are Back - Strange Combination of XP Errors

    Dear Tim,

    Some of the virii returned today, when I plugged in one of my external HD's on my USB port.

    I ran all the programs again, and have recovered again. A few questions.

    1) How can I check that all my external memory devices that I use on my USB port are not infected? I ran scans on them using SAS, Malwarebytes and PC Tools ThreatFire. Now what?

    2) After the first repair, I installed PC Tools ThreatFire and PC Tools Firewall. They created a conflict when running ComboFix. I will explain in more detail in my next post when I submit the log files.

    3) There is a directory on my laptop c:\cmdcons under it is a bunch of *.SY_ files and a system 32 dir. Can I delete it?

    When I checked HJT after running the cleaning programs I noticed a line
    010 unknown file c:\windows\system32\nwprovau.dll, what should I do with it?

    Will write more tomorrow, and once again thanks for your help.
     
  10. sageofbrooklyn

    sageofbrooklyn Private E-2

    Hi Tim,

    Attached to this thread are my new log files and some information regarding a blip that occurred to my computer while running Combofix.

    When running ComboFix, I disabled all of McAfee’s programs, ThreatFire and PC Tools Firewall. However, ThreatFire restarted when ComboFix rebooted my PC. When I saw the message “ThreatFire has identified a potential threat from combofixpv.cfexe, what do you want to do” I selected allow the program to run. Unfortunately the damage was done, and for the next 20 minutes all I saw was
    “Almost done – This window will close in a short while, please wait for the log file to appear”

    The clock was not reset, nor did the log file appear. So, I closed the window and ran ComboFix again. This time it did not find any errors, ran much quicker, reset my clock, and the log file appeared.

    I recommend that the instructions say which programs to uninstall first, or that the results be tested against posts like mine. I hope this comment is helpful.

    Thank you for providing me with additional guidance from my questions posted yesterday.
     

    Attached Files:

  11. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    From the "How to Protect yourself from Malware" thread:
    Run a search for all instances of:
    autorun.inf
    on all drives and remove it.

    Also use windows explorer to find and delete:
    c:\windows\SYSTEM32\gaopdxcounter

    Tell me what issues you still have.
     
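    The search-and-remove step above is worth doing from a script rather than by hand, because an autorun.inf dropped by a USB worm is usually marked hidden and system and will not show in a default Explorer search, and because the file's open= or shellexecute= line tells you which executable the infection was trying to launch (useful for the next scan). The script below is an added example, not from the thread or the MajorGeeks guide it quotes; it assumes Windows PowerShell 2.0 or later and an elevated prompt. It moves the files into a quarantine folder instead of deleting them outright, so their contents can be reviewed; the quarantine path is an assumed default.

```powershell
<#
  Added example (not from the MajorGeeks thread): find every autorun.inf
  on every local/removable drive, show what each one would launch, and
  optionally quarantine it. Assumes Windows PowerShell 2.0+, run elevated.
  Usage:  .\Find-Autorun.ps1            (report only)
          .\Find-Autorun.ps1 -Quarantine (also move the files aside)
#>
param(
    [switch]$Quarantine,
    [string]$QuarantineDir = "$env:SystemDrive\autorun_quarantine"   # assumed default
)

# Keys in an autorun.inf that cause Windows to execute something.
$launchKeys = 'open', 'shellexecute', 'shell\\\w+\\command'

function Get-AutorunFiles {
    # Only the root-level file is honoured by AutoPlay, but the guide asks
    # for all instances, so recurse through each drive with -Force so that
    # hidden/system files are included.
    $drives = Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Root -match '^[A-Z]:\\$' }
    foreach ($d in $drives) {
        Get-ChildItem -Path $d.Root -Filter 'autorun.inf' -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer }
    }
}

function Show-AutorunTarget {
    param([System.IO.FileInfo]$File)
    # Print the lines that name a program to run; -match is case-insensitive.
    $lines = Get-Content -Path $File.FullName -ErrorAction SilentlyContinue
    foreach ($line in $lines) {
        foreach ($k in $launchKeys) {
            if ($line -match "^\s*$k\s*=\s*(.+)$") {
                "    launches: " + $line.Trim()
            }
        }
    }
}

foreach ($f in Get-AutorunFiles) {
    "Found: $($f.FullName)  ($($f.Length) bytes, attributes: $($f.Attributes))"
    Show-AutorunTarget -File $f
    if ($Quarantine) {
        if (-not (Test-Path $QuarantineDir)) {
            New-Item -ItemType Directory -Path $QuarantineDir | Out-Null
        }
        # Clear hidden/system/read-only so the move cannot fail on attributes.
        $f.Attributes = 'Normal'
        # Flatten the original path into the file name so drive letter and
        # folder survive; the .txt suffix keeps the file inert.
        $safeName = ($f.FullName -replace '[:\\]', '_') + '.txt'
        $dest = Join-Path $QuarantineDir $safeName
        Move-Item -Path $f.FullName -Destination $dest -Force
        "    moved to $dest"
    }
}
```

Run it once with no switch and read the "launches:" lines first: the executable named there is what should be hunted down on that drive with the scanners. Plug removable drives in with AutoPlay disabled (or while holding Shift) so the file cannot fire before the script reaches it.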
  12. sageofbrooklyn

    sageofbrooklyn Private E-2

    Hi Tim,

    Ran the search on all drives and deleted autorun.inf files,
    Found the file listed above and deleted.
    Uninstalled ThreatFire Free edition.

    Other concerns:
    There are the following directories on my laptop; which ones can I delete?
    c:\cmdcons under it is a bunch of *.SY_ files and a system 32 dir. It is a hidden directory.
    c:\Qoobox
    HJT shows the following line
    **010 unknown file c:\windows\system32\nwprovau.dll,
    what should I do with it?


    Thanks for your time and efforts on these matters.
     
  13. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    All of the items you are asking about are ok. We will remove ( hide ) the system files after we do this:

    If you are not having any other malware problems, it is time to do our final steps:

    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real time protection. They are useful as backup scanners. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Note: the space between combofix" and /u must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.

      • Delete the C:\combofix folder from combofix (if it exists)

    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Go to add/remove programs and uninstall HijackThis.
    6. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    7. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Windows version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.

    8. After doing the above, you should work thru the below link:

     
