scan file opt. icon not working/Trojan/heeeeeelp please

Hello,

I began a scan because the update was successful and found the file options icon hung again.

I didn’t know to scan for a true or false on warnings then read the forum; I put all trojans in the chest before. Actually did read in help but didn’t know to scan again before moving trojan to chest.

I turned off system restore, scheduled a boot scan (missed archive selection though) to see if a trojan was blocking functions that were hanging, then ended up with a trojan.

I couldn’t turn off system restore at location, had to shut it down through Control Panel>System.

The following is all information, beginning with system info:

Windows XP Professional SP2 2002
398 MHz
64 MB RAM
Cable Connection
IE: 6.0.2900.2180.spsp2.
Avast 4.7

Trojan: Warning after reboot and MS error report popped up

       c:\WINDOWS\System 32\2k3.exe
       Win 32-RBot-FHS {trj}
       VPS Version:  080306-1, 03/06/2008

MS Error: BCCode: ea BCPI: FF8CA738 BCP2: 81121R-10
BCP3: 81112FEO
BCP4P 00000001 OSVer: 5_1_2600 SP:2_0
PRODUCT: 256_1

Three processes hung
hijackthis
Avast scan file option icon
Control Panel>Internet Options>View Files

At reboot Avast report showed “0” files scanned

Can you tell me why the file option scan icon on the Avast interface hangs (I can’t scan) and what to do? I can’t find any information on this.

Also, I have several infections moved to the chest. How can I fix the exe. files, etc. attached to them and delete the infections?

I guess instead of leaving this alert hang I will move this new trojan to the chest also since I can’t scan and the program isn’t working.

Here is the list of the infections in the chest:

WINDOWS\system32 2/29 Win32:RBot-FHS
" 3/03 "
" 3/05 "

System Volume Information_restore 1/25 Win32: TratBHO
" 1/24 Win32:TratBHO

Documents and Settings\Melissa\Local 2/20 Nutcracker Family
(Five times all on 2/20)

C:\VundoFix Backups 1/26 Win32:TratBHO
" " "

Thanks, and hope this makes sense, Missyann

Hi Missyann

I think I replied to a similar post before. I see you still have the vundofix backup folder.

Ok, you definitely have something going on.

Click here to download HJTsetup.exe

[*]Save HJTsetup.exe to your desktop.
[*]Doubleclick on the HJTsetup.exe icon on your desktop.
[*]By default it will install to C:\Program Files\Hijack This.
[*]Continue to click Next in the setup dialogue boxes until you get to the Select Addition Tasks dialogue.
[*]Put a check by Create a desktop icon then click Next again.
[*]Continue to follow the rest of the prompts from there.
[*]At the final dialogue box click Finish and it will launch Hijack This.
[*]Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
[*]Click on “Edit > Select All” then click on “Edit > Copy” to copy the entire contents of the log.
[*]Come back here to this thread and Paste the log in your next reply.
[*]DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

Please download ComboFix from Here or Here to your Desktop.

Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop.

[*]Please, never rename Combofix unless instructed.
[*]Close any open browsers.
[*]Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

[*]Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause “unpredictable results”.
[*]Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don’t know how to disable it, please ask.

[*]Close any open browsers.
[*]WARNING: Combofix will disconnect your machine from the Internet as soon as it starts.
[*]Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
[*]If there is no internet connection after running Combofix, then restart your computer to restore back your connection.


[*]Double click on combofix.exe & follow the prompts.
[*]When finished, it will produce a report for you.
[*]Please post the “C:\ComboFix.txt” along with a new HijackThis log for further review.

Note: Do not mouseclick combofix’s window while it’s running. That may cause it to stall.

Let’s see what we get. :smiley:

Hey,
I didn’t realize my post didn’t go through until I scrolled down today. I had a problem with the programs and went ahead and did a scan with ComboFix, then they worked. Lots of trojans in between and problems.

What I did was run A ComboFix from the internet because I didn’t realize you had one specific in your post. It was a new release because of the root kit attachment problems previous.

The hjt scan would not save a log until I did the ComboFix. Afterwards it worked. Only problem with that scan was that it saved it as exe and I couldn’t open it. And I couldn’t find the ComboFix Log that I first ran.

Therefore, I ran another hjt which is below, downloaded your suggested ComboFix and it’s below and then ran another hjt which is also below.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 11:10:55 AM, on 3/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Melissa\Desktop\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM..\Run: [SunJavaUpdateSched] “C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe”
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra ‘Tools’ menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra ‘Tools’ menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://download-games.pogo.com/online2/pogo/luxor_2/mjolauncher.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://pcpitstop.com/mhLbl.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} (Creative Toolbox Plug-in) - http://ak.imgag.com/imgag/cp/install/Crusher.cab
O16 - DPF: {C86FF4B0-AA1D-46D4-8612-025FB86583C7} (AstoundLauncher Control) - http://zone.msn.com/bingame/jobo/default/AstoundLauncher.cab#version=1,0,0,10
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe


End of file - 4706 bytes

Continued in next reply to this reply-this post wouldn’t hold all info

Hey,
ComboFix log

ComboFix 08-03-09.1 - Melissa 2008-03-09 12:36:22.5 - FAT32x86
Running from: C:\Documents and Settings\Melissa\Desktop\ComboFix.exe

  • Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-02-09 to 2008-03-09 )))))))))))))))))))))))))))))))
.

2008-03-07 10:07 . 2008-03-07 10:07 d-------- C:\Program Files\XoftSpySE
2008-03-06 22:38 . 2008-03-06 22:38 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-06 22:30 . 2008-03-06 22:30 d-------- C:\Program Files\MSECACHE
2008-03-04 08:42 . 2008-03-05 01:16 65,536 --ah----- C:\WINDOWS\MEMORY.DMP
2008-02-17 13:17 . 2008-02-17 13:17 303 --a------ C:\WINDOWS\ST6UNST.001
2008-02-17 13:15 . 2008-02-17 13:15 303 --a------ C:\WINDOWS\ST6UNST.000
2008-02-17 12:48 . 2008-02-17 12:48 d-------- C:\downloads
2008-02-16 02:02 . 2008-02-23 00:14 48 --a------ C:\WINDOWS.prj
2008-02-15 12:49 . 2008-02-15 12:49 d-------- C:\Documents and Settings\Melissa\Application Data\PKWARE
2008-02-15 12:49 . 2008-02-15 12:49 d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\PKWARE
2008-02-15 12:42 . 2008-02-15 12:42 d-------- C:\Program Files\PKWARE
2008-02-15 12:42 . 2008-02-15 12:42 d-------- C:\Program Files\Common Files\PKWARE
2008-02-15 12:39 . 2008-02-15 12:39 d-------- C:\WINDOWS\Downloaded Installations
2008-02-12 02:44 . 1998-06-18 00:00 102,912 --a------ C:\WINDOWS\system32\Vb6stkit.dll
2008-02-12 02:44 . 1999-05-15 00:24 97,280 --a------ C:\WINDOWS\system32\vspell32.ocx
2008-02-12 02:44 . 1997-02-24 17:44 70,656 --a------ C:\WINDOWS\system32\vspell32.dll
2008-02-12 02:44 . 2008-02-23 00:15 466 --a------ C:\WINDOWS\pagebreeze.ini
2008-02-12 02:44 . 2008-02-12 02:44 44 --a------ C:\WINDOWS\formbreeze.ini
2008-02-12 02:43 . 2008-02-12 02:43 d-------- C:\Program Files\PageBreeze
2008-02-12 02:43 . 2005-01-24 12:39 503,808 --a------ C:\WINDOWS\system32\ChilkatFTPx.dll
2008-02-12 02:43 . 1998-06-24 00:00 369,696 --a------ C:\WINDOWS\system32\Comct332.ocx
2008-02-12 02:43 . 1998-11-18 11:40 89,600 --a------ C:\WINDOWS\system32\Leocx32.ocx
2008-02-12 02:43 . 1998-11-22 14:23 84,992 --a------ C:\WINDOWS\system32\Ledit32.dll
2008-02-12 02:03 . 2008-02-12 02:03 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-12 02:03 . 2008-02-12 02:03 1,409 --a------ C:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-08 01:20 --------- d-sh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-02-08 01:18 --------- d-----w C:\Program Files\Windows Live
2008-02-08 01:16 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\WLInstaller
2008-01-31 15:51 --------- d-----w C:\Program Files\Alwil Software
2008-01-31 08:42 --------- d-----w C:\Program Files\Java
2008-01-31 08:42 --------- d-----w C:\Program Files\Common Files\Java
2008-01-31 08:10 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\MumboJumbo
2008-01-31 06:31 --------- d-----w C:\Program Files\SpywareGuard
2008-01-31 06:22 --------- d-----w C:\Program Files\SpywareBlaster
2008-01-31 06:09 23,600 ----a-w C:\WINDOWS\system32\drivers\TVICHW32.SYS
2008-01-25 09:49 34,360 ----a-w C:\WINDOWS\system32\drivers\sbapifs.sys
2008-01-25 08:29 --------- d-----w C:\Documents and Settings\Melissa\Application Data\Sunbelt Software
2008-01-24 00:21 --------- d-----w C:\Documents and Settings\Melissa\Application Data\SpywareBot
2008-01-21 05:25 --------- d-----w C:\Documents and Settings\Melissa\Application Data\iWinArcade
2008-01-21 05:23 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\iWin Games
2008-01-21 05:21 --------- d-----w C:\Program Files\Google
2008-01-20 06:23 --------- d-----w C:\Documents and Settings\Melissa\Application Data\Nvu
2008-01-18 04:41 --------- d-----w C:\Program Files\iPod
2008-01-18 04:40 --------- d-----w C:\Program Files\iTunes
2008-01-18 04:33 --------- d-----w C:\Program Files\QuickTime
2008-01-09 21:01 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
2002-10-14 18:15 1,618 ----a-w C:\Program Files\EULA.txt
2002-10-05 05:42 5,841 ----a-w C:\Program Files\readme.txt
2002-01-18 03:45 86,588 ----a-w C:\Program Files\ssnetlib.dll
2002-01-18 03:45 29,244 ----a-w C:\Program Files\ssmslpcn.dll
2002-01-18 03:45 29,244 ----a-w C:\Program Files\dbmslpcn.dll
.

------- Sigcheck -------

2002-10-25 12:00 12800 0f7d9c87b0ce1fa520473119752c6f79 C:\WINDOWS\system32\svchost.exe
2002-10-25 12:00 12800 0f7d9c87b0ce1fa520473119752c6f79 C:\WINDOWS\system32\dllcache\svchost.exe
2004-08-04 01:56 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\svchost.exe
2002-10-25 12:00 12800 0f7d9c87b0ce1fa520473119752c6f79 C:\WINDOWS$NtServicePackUninstall$\svchost.exe

2006-06-23 11:33 575488 7e7760c7f263ec7a740ee265b263f770 C:\WINDOWS\system32\wininet.dll
2006-06-23 11:33 575488 7e7760c7f263ec7a740ee265b263f770 C:\WINDOWS\system32\dllcache\wininet.dll
2004-08-04 01:56 656384 c0823fc5469663ba63e7db88f9919d70 C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\wininet.dll
2002-10-25 12:00 599040 f3587750a7481dccbea13d473a0700be C:\WINDOWS$NtUninstallKB918899-IE6SP1-20060725.123917$\wininet.dll
2006-06-23 11:33 575488 7e7760c7f263ec7a740ee265b263f770 C:\WINDOWS$NtServicePackUninstall$\wininet.dll

2002-10-25 12:00 516608 2246d8d8f4714a2cedb21ab9b1849abb C:\WINDOWS\system32\winlogon.exe
2002-10-25 12:00 516608 2246d8d8f4714a2cedb21ab9b1849abb C:\WINDOWS\system32\dllcache\winlogon.exe
2004-08-04 01:56 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\winlogon.exe
2002-10-25 12:00 516608 2246d8d8f4714a2cedb21ab9b1849abb C:\WINDOWS$NtServicePackUninstall$\winlogon.exe

2002-10-25 12:00 167552 3b350e5a2a5e951453f3993275a4523a C:\WINDOWS\system32\drivers\ndis.sys
2002-10-25 12:00 167552 3b350e5a2a5e951453f3993275a4523a C:\WINDOWS\system32\dllcache\ndis.sys
2004-08-04 00:14 182912 558635d3af1c7546d26067d5d9b6959e C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\ndis.sys
2002-10-25 12:00 167552 3b350e5a2a5e951453f3993275a4523a C:\WINDOWS$NtServicePackUninstall$\ndis.sys

2002-10-25 12:00 1004032 a82b28bfc2e4455fe43022a498c0ef0a C:\WINDOWS\explorer.exe
2002-10-25 12:00 1004032 a82b28bfc2e4455fe43022a498c0ef0a C:\WINDOWS\system32\dllcache\explorer.exe
2004-08-04 01:56 1032192 a0732187050030ae399b241436565e64 C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\explorer.exe
2002-10-25 12:00 1004032 a82b28bfc2e4455fe43022a498c0ef0a C:\WINDOWS$NtServicePackUninstall$\explorer.exe
.
((((((((((((((((((((((((((((( snapshot_2008-03-07_19.48.05.07 )))))))))))))))))))))))))))))))))))))))))
.

  • 2008-01-25 15:25:54 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
  • 2008-03-09 17:45:16 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
  • 2008-01-25 15:25:54 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
  • 2008-03-09 17:45:16 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
  • 2008-01-25 15:25:54 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
  • 2008-03-09 17:45:16 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
  • 2008-03-09 18:17:52 27,536 ----a-w C:\WINDOWS\system32\Restore\rstrlog.dat
  • 2008-03-08 05:22:14 16,384 ----a-w C:\WINDOWS\TEMP\Perflib_Perfdata_504.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Note empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“SunJavaUpdateSched”=“C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe” [2007-09-25 01:11 132496]
“avast!”=“C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [2007-12-04 07:00 79224]

C:\Documents and Settings\Melissa\Start Menu\Programs\Startup
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [2003-08-29 19:05:35 360448]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
“UpdatesDisableNotify”=dword:00000001
“AntiVirusDisableNotify”=dword:00000001
“AntiVirusOverride”=dword:00000001
“FirewallOverride”=dword:00000001

R3 banshee;banshee;C:\WINDOWS\System32\DRIVERS\banshee.sys [2001-08-17 12:48]
R3 USR1801;U.S. Robotics Faxmodem Driver 1801;C:\WINDOWS\System32\DRIVERS\USR1801.SYS [2001-08-17 13:28]
R3 w89c940;Winbond W89C940 PCI Ethernet Adapter Driver;C:\WINDOWS\System32\DRIVERS\w940nd.sys [2001-08-17 12:13]
S4 MSControlService;Microsoft cache control;C:\WINDOWS\System32\windows

.


catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-09 12:39:51
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully
hidden files: 0


[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MSControlService]
“ImagePath”=“C:\WINDOWS\System32\windows”
.
Completion time: 2008-03-09 12:45:54
ComboFix-quarantined-files.txt 2008-03-09 18:45:42
ComboFix4.txt 2008-01-27 14:38:28
ComboFix3.txt 2008-01-27 18:20:24
ComboFix2.txt 2008-03-08 02:38:06
.
2007-11-26 01:14:06 — E O F —



hjt

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 13:20, on 2008-03-09
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Documents and Settings\Melissa\Desktop\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM..\Run: [SunJavaUpdateSched] “C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe”
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra ‘Tools’ menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra ‘Tools’ menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://download-games.pogo.com/online2/pogo/luxor_2/mjolauncher.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://pcpitstop.com/mhLbl.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} (Creative Toolbox Plug-in) - http://ak.imgag.com/imgag/cp/install/Crusher.cab
O16 - DPF: {C86FF4B0-AA1D-46D4-8612-025FB86583C7} (AstoundLauncher Control) - http://zone.msn.com/bingame/jobo/default/AstoundLauncher.cab#version=1,0,0,10
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe


End of file - 4653 bytes

The first ComboFix made a restore point. I had to restore my computer back to Friday because when I attempted to download the first ComboFix I received a window that I didn’t have some files. After closing this window the downloading bar froze and the computer. Once I restored I was able to download the suggested ComboFix.

Thanks again.

You are using an old version of HJT it would probably be best to get the latest and run it again, FileHippo Download - HiJackThis.

You are also running HJT from the desktop and it is best to run it from its own folder as outlined in oldman’s first reply.

Oh, must have misunderstood and also didn’t realize hjt needed updating.
I thought when it said save exe to desktop that it would be okay to save it to desktop and when it said it would save a folder in programs automatically, then I just figured my desktop icon for hjt was normal to use since that’s how it downloaded last time before I came here with the malfunctioning avast icon.

sooo, here is another hjt log from the updated site

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:43:08 PM, on 2008-03-09
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM..\Run: [SunJavaUpdateSched] “C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe”
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra ‘Tools’ menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra ‘Tools’ menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://download-games.pogo.com/online2/pogo/luxor_2/mjolauncher.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://pcpitstop.com/mhLbl.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} (Creative Toolbox Plug-in) - http://ak.imgag.com/imgag/cp/install/Crusher.cab
O16 - DPF: {C86FF4B0-AA1D-46D4-8612-025FB86583C7} (AstoundLauncher Control) - http://zone.msn.com/bingame/jobo/default/AstoundLauncher.cab#version=1,0,0,10
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe


End of file - 4437 bytes
Hope this is better.

Thanks DavidR.

Missyanne, a couple of things we have to do first.

hijackthis.exe is now in the program files folder. It should have its own folder, example C:\program files\hijackthis\hijackthis.exe.

What I need you to do is

  1. delete the hijackthis shortcut from your desktop, we’ll make a new one.
  2. open windows explorer, navigate to this folder

C:\program files

click on it, then at the top of windows explorer, click file, highlight new, click folder. A new folder will appear in the right hand panel, with the name “new folder” highlighted. Just type hijackthis, then left click anywhere near the folder to ensure the name is correct.

click on the program files folder again, and in the right panel locate hijackthis.exe. Right click on the file, now holding the right mouse button down, drag the file to the folder you just created, it will be in the left panel. When the folder is highlighted, let the button go, select move here.

click on the hijackthis folder, then right click on the file hijackthis.exe in the right hand panel, select send to, select Desktop (create shortcut). You will now have the exe in its own folder and a new shortcut on your desktop.

The other thing is, since you ran combofix more than once, I have no idea of what was removed. I will need you to post the previous combofix texts. They are located at c:\combofix and will have a .txt extension.

similar to this

ComboFix4.txt 2008-01-27 14:38:28
ComboFix3.txt 2008-01-27 18:20:24
ComboFix2.txt 2008-03-08 02:38:06

also this one would be useful

ComboFix-quarantined-files.txt 2008-03-09 18:45:42

You can attach them to your post by using the additional options button on the reply page. You may have to scroll down to see the browse button. You can attach more than one to a reply by using the more attachments located beside the browse button.

While you are doing this, I’ll see what I can find in the log you posted.

Thanks.

Please do the steps in the above post and post the logs I asked for in my previous post, then do the steps in this one.

Hi, a little work for you to do. There is some rogue antispyware installed, that will have to go.

But before you uninstall it we have to find out what it removed. So, first disable Spywarebot. It is notorious for flagging legitimate program files. Please find its quarantined list and post it here. Please leave this program disabled, we will remove it later.

Please submit these files for analysis

To submit a file to VirusTotal, please click on this link

www.virustotal.com

copy and paste the following into the upload a file box (one at a time if more than one file is listed)

C:\WINDOWS.prj

scroll down a bit and click “send file”, wait for the results and post them in your next reply.

We will run combofix a little differently this time, so please follow the instructions.

Please follow all previous instructions regarding security programs.

Open a new Notepad session (Do not use a Word Processor or WordPad). Click “Format” and be certain that Word Wrap is not enabled.

Copy and paste all the text in the quote box below into Notepad.

Click File, Save as…, and set the location to your Desktop, and enter (including quotation marks) as the filename: “CFscript.txt” . Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown at the bottom of this post.

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000000
"AntiVirusDisableNotify"=dword:00000000
"AntiVirusOverride"=dword:00000000
"FirewallOverride"=dword:00000000

[-HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MSControlService]

Driver::
MSControlService

This will start ComboFix again. Close all browser/windows first. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

note when doing the combofix fix

A window may open with a warning. Type “1” (and Enter) to start the fix. When the scan completes Notepad will open with your results log open. Click File, click Exit and answer ‘Yes’ to save changes

open HJT again and click Open the Misc Tools Section. Near the top of the next window you’ll see a button labeled Generate Startuplist log. Place a check mark in the two options next to this button (‘List also minor Section’ and “List Empty Sections”), then click the Generate Startuplist log button. OK the warning dialogue and either post or attach the information that opens in notepad.

Finally for now, open HJT do a system scan and post that log.

I will require the following logs/results
virustotal results
Spywarebot quarantine
combofix log
startup list
HJT log

Thanks.

Hi,
Thanks. Here are two of the Combo files requested. There is one more Combo file but it’s too large to attach, 265 kb, the quarantined file is 550kb. Please let me know what you’d like me to do.

I am going to work on the next things and put in the next reply when finished. I am unsure if you wanted another hijackthis report or if you just wanted to get it into the folder for later.
I did put it in its own folder.

Please let me know if you do want one now.

I don’t know if your instructions for this virus check is for the Spywarebot or something else but I went to the site and put what you instructed and copied and am pasting what it copied. Although the page showed different ISP’s and names in a table, lots of them. Yet they are not showing up, only what’s below. Lost here. But here is what I got and I am moving onto the next instructions with ComboFix. That will be in the next reply.


File .prj received on 03.10.2008 08:44:36 (CET)
Current status: Loading … queued waiting scanning finished NOT FOUND STOPPED

Result: 0/32 (0%)
Loading server information…
Your file is queued in position: 2.
Estimated start time is between 42 and 60 seconds.
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they’re generated.
Compact Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

You can wait for web response (automatic reload) or type your email in the form below and click “request” so the system sends you a notification when the scan is finished.
Email:

Antivirus Version Last Update Result
AhnLab-V3 2008.3.4.0 2008.03.07 -
AntiVir 7.6.0.73 2008.03.10 -
Authentium

Hi, don’t worry about the other old combofix logs. I found them on the forum where you received help in Jan/Feb. :wink: Reviewing those logs shows you had a major infection.

So let’s concentrate on what happened from then to now. Finish the steps in the last post and we’ll go from there.

One other log I’d like to see is the avast warning log. You can attach it. The path is C:\program files\alwil software\avast4\log\warning log. This will give us a better insight into what is happening.

Are you seeing any improvement? Please ensure windows firewall is enabled. We’ll look at a better one afterwards.

Thanks

ps what you saw at virustotal was right. It’s a list of 32 scanners and what they found. It doesn’t look like it finished as there are only 3 scanners shown. Please try it again, it may take a few minutes.

Well, I hate to say this but during the process of going to internet settings to make sure the firewall was on the computer hung, and then again during something else, can’t remember, kind of burnt out here-lol!
Not funny though.
Anyway, I don’t know where the Combo copy went, can’t find it anywhere after all that work, maybe lost it in the freeze.
I did do everything else, looks like the one virus check is the same:
File .prj received on 03.10.2008 11:14:54 (CET)
Current status: Loading … queued waiting scanning finished NOT FOUND STOPPED

Result: 0/32 (0%)
Loading server information…
Your file is queued in position: 6.
Estimated start time is between 56 and 80 seconds.
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they’re generated.
Compact Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.


Attached the hjt list

Also, of course can’t open so I don’t know if it is it, but I think I found the ComboFix scan and attached it also.

ok, here is the hjt scan:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 03:45, on 2008-03-10
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM..\Run: [SunJavaUpdateSched] “C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe”
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [combofix] C:\WINDOWS\system32\CF13032.exe /c C:\ComboFix\Combobatch.bat
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra ‘Tools’ menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra ‘Tools’ menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://download-games.pogo.com/online2/pogo/luxor_2/mjolauncher.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://pcpitstop.com/mhLbl.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} (Creative Toolbox Plug-in) - http://ak.imgag.com/imgag/cp/install/Crusher.cab
O16 - DPF: {C86FF4B0-AA1D-46D4-8612-025FB86583C7} (AstoundLauncher Control) - http://zone.msn.com/bingame/jobo/default/AstoundLauncher.cab#version=1,0,0,10
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe


End of file - 4524 bytes

I did get a warning again on a trojan. Now I will check the firewall, wanted to get this done before the computer hangs again.

Thanks again.

Hi
Combofix didn’t finish. Did you follow the instructions regarding security programs as in reply #1? What you found was the Cfscript.

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".

Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don’t know how to disable it, please ask.

If you are not sure how, click the words “this link” in the original post for instructions. For security programs you have avast, SpywareGuard, SpywareBlaster.

  • hijackthis.exe is not in its own folder, from the HJT log
C:\Program Files\HiJackThis.exe

Please do that before proceeding.

Open HJT, run a system scan only, check mark these lines if present

O4 - HKLM..\Run: [combofix] C:\WINDOWS\system32\CF13032.exe /c C:\ComboFix\Combobatch.bat
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)

Close all other browsers/windows, click fix, close HJT.

  • Windows messenger was damaged in your previous infection so you may as well uninstall it.

  • We’ll fix the registry a little differently than we tried with combo fix.

WARNING these fixes are designed for this user only and may cause damage if run on an uninfected machine

REGISTRY FIX

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000000
"AntiVirusDisableNotify"=dword:00000000
"AntiVirusOverride"=dword:00000000
"FirewallOverride"=dword:00000000

[-HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MSControlService]

Next you will need to create the repair registry fix. To do that, copy and paste ALL of the above in the quote box to a Notepad file. Ensure there is no space above the REGEDIT4.
Then in Notepad go to FILE > SAVE AS and, in the dropdown box, set the top box Save in to Desktop. Then in the FILE NAME box type (including the " " marks) “fix.reg”.
This will create a fix.reg file on your desktop
http://img127.imageshack.us/img127/433/regtg8.jpg

To use this file you will need to right click the icon and select merge, accept the warning if it appears and you are done.

  • click the start button,click run. In the run box copy and paste the following lines, one at a time, hitting enter after each line

sc stop MSControlService
sc delete MSControlService

  • Please post the avast warning log, location is in reply #12. We can then see what is being detected and where.

  • Open HJT, click on the misc tools button, then click Open Uninstall manager. Click save list, save it to your desktop and attach it to your next reply.

  • Did you find Spywarebot’s quarantine list?

Thanks
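An added example, not part of the original thread or of HijackThis itself: a small Python helper for the review steps above. It compares two HijackThis logs to show which entries appeared or disappeared between scans, and flags "(file missing)" entries and a HijackThis.exe that is not running from its own folder. The sample logs are constructed excerpts trimmed from the logs posted in this thread, and the function names and the folder name `hijackthis` (taken from the example path given earlier) are assumptions.

```python
import ntpath
import re

# HijackThis entry lines look like "O4 - HKLM..\Run: [name] path"
ENTRY_RE = re.compile(r'^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$')


def parse_entries(log_text):
    """Return the (section code, body) pairs of a HijackThis log, in order."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group('code'), m.group('body')))
    return entries


def running_processes(log_text):
    """Return the paths listed under the 'Running processes:' header."""
    procs, in_section = [], False
    for line in log_text.splitlines():
        s = line.strip()
        if s.lower().startswith('running processes'):
            in_section = True
            continue
        if in_section:
            # The section ends at the first blank line or first entry line.
            if not s or ENTRY_RE.match(s):
                break
            procs.append(s)
    return procs


def diff_logs(old_text, new_text):
    """Return (added, removed) entries between an older and a newer log."""
    old, new = parse_entries(old_text), parse_entries(new_text)
    added = [e for e in new if e not in old]
    removed = [e for e in old if e not in new]
    return added, removed


def review(log_text):
    """Flag the conditions the helper in this thread asks about."""
    findings = []
    for code, body in parse_entries(log_text):
        if body.rstrip().endswith('(file missing)'):
            findings.append(('file missing', f'{code} - {body}'))
    for path in running_processes(log_text):
        # ntpath parses Windows paths correctly on any operating system.
        if ntpath.basename(path).lower() == 'hijackthis.exe':
            parent = ntpath.basename(ntpath.dirname(path)).lower()
            if parent != 'hijackthis':  # assumed folder name
                findings.append(('tool not in own folder', path))
    return findings


# Constructed sample: trimmed excerpts of two logs from the thread.
LOG_BEFORE = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\Explorer.EXE
C:\Program Files\HiJackThis.exe

O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

LOG_AFTER = LOG_BEFORE + (
    r"O4 - HKLM..\Run: [combofix] C:\WINDOWS\system32\CF13032.exe"
    r" /c C:\ComboFix\Combobatch.bat" + "\n"
)

if __name__ == '__main__':
    added, removed = diff_logs(LOG_BEFORE, LOG_AFTER)
    for code, body in added:
        print(f'ADDED   {code} - {body}')
    for code, body in removed:
        print(f'REMOVED {code} - {body}')
    for reason, detail in review(LOG_AFTER):
        print(f'REVIEW  [{reason}] {detail}')
```
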

Hey,
Thanks.
I didn’t realize that was a shortcut I put in a folder. If I had scrolled down I would have. It’s correct now. Thanks.

I am attaching the ComboFix File; HJT Uninstall List and the Avast Warning List

You are right, humming along setting up the Combo with the CF Script, I forgot to turn off protections and firewall.

The only files I have on Spywarebot are in notepad. I think this is one of the few programs I tried to download but hung, maybe. I will attach wherever I have room on this so you can see them, (2). There is no quarantine list, did a search for that before too.
Here is one of the files, they are cookies. Should I delete these?

Okay, I think that’s it. If not please let me know. Thanks a lot :slight_smile:

Most of the detections are in system restore. Not a problem right now, unless you use a restore point.

We will use a different scan tool to try to see where this is coming from.

Please download Deckard’s System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt – please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

Hello,
Okay here ya go, I had to attach the files. Thanks again.

Hi missyann. I reread this thread and the other thread where you had your other problem taken care of before. What struck me as odd was there wasn’t any clean up of the tools you used or the removal of old, possibly infected restore points.

So our best chance at finding what is going on is to pick up from there. Then we’ll do a deeper scan that can take us back 90 days and see what we can find.

  • Click start button, run, then copy and paste the following line into the box and click ok.

ComboFix /u

Open OTMOVEIT2 then click the Clean Up button. You may get prompted by your firewall that OTMoveIt wants to contact the internet - allow this. A cleanup.txt will be downloaded, a message dialog will ask you if you want to proceed with the cleanup process, click Yes. This will delete all the tools you have downloaded plus itself.

  • Create a new restore point

You must be logged on to an administrator account
Go to Start - All Programs - Accessories - System Tools - System Restore.
Click Create a restore point, and then click Next.
In the text box labeled Restore Point Description, type a name for this restore point , click create

  • Remove old restore points
  • Go to Start - All Programs - Accessories - system tools. Launch the Disk Cleanup tool and let it run. When it finishes a box with tabs will appear, select the more options tab. On this tab you will find a section for System Restore. If you press the Clean Up button for that section, Windows will delete all restore points except for the most recent one.
  • Please download ATF Cleaner by Atribune.
    This program is for XP and Windows 2000 only
    Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.
    If you use Firefox browser
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main menu to close the program.
    For Technical Support, double-click the e-mail address located at the bottom of each menu.

Please submit these files for analysis

To submit a file to VirusTotal, please click on this link

www.virustotal.com

copy and paste the following into the upload a file box (one at a time if more than one file is listed)

C:\WINDOWS\System32\CF11148.exe

scroll down a bit and click “send file”, wait for the results and post them in your next reply.

Now we look deeper. Before you run this scanner make sure both fields are set to 90 days

Download WinPFind35u.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind35u on your desktop.

  • Close ALL OTHER PROGRAMS.
  • Open the WinPFind35u folder and double-click on WinPFind35U.exe to start the program.
  • Under Additional Scans click the checkboxes in front of the following items to select them:

Reg - BotCheck

  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Use the Add Reply button and attach the log.

I will resume working on this problem later this evening. I got hit with an actual human virus on the 14th of March and almost died. I finally knew who I was around the 29th of March and am only home temporarily until Thurs. morn to take care of some matters then back to assisted living for rehabilitation. I have to learn how to walk and build up the respiratory. Amazing isn’t it? Totally. I am fortunate-some people didn’t live from this winter’s virus. :slight_smile: