BleepingComputer.com: Windows Security Center and Auto-Update

I was having trouble, and was referred here from my original topic: http://www.bleepingcomputer.com/forums/topic398385.html

In short, Windows Security Center says that Automatic updates are off even though they are on.


Here is the DDS log:

.
DDS (Ver_11-05-19.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_25
Run by Owner at 21:29:59 on 2011-05-21
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.345 [GMT -7:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exe
C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\PROGRA~1\COMMON~1\AOL\128606~1\EE\AOLHOS~1.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Intel\IntelDH\CCU\CCU_Engine.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\COMMON~1\AOL\128606~1\EE\AOLServiceHost.exe
svchost.exe
C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\Elservice.exe
C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rsvp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Cobian Backup 10\cbVSCService.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\Documents and Settings\Owner.OWNER\Desktop\dds.scr
C:\WINDOWS\system32\WSCRIPT.exe
.
============== Pseudo HJT Report ===============
.
uSearch Bar = hxxp://www.google.com/ie
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GM5259E
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\windows\system32\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [Power2GoExpress] NA
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [readericon] c:\program files\digital media reader\readericon45G.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [HostManager] c:\program files\common files\aol\1286069183\ee\AOLHostManager.exe
mRun: [Reminder] %WINDIR%\Creator\Remind_XP.exe
mRun: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\Iaanotif.exe
mRun: [SigmatelSysTrayApp] sttray.exe
mRun: [IntelAudioStudio] "c:\program files\intel audio studio\IntelAudioStudio.exe" BOOT
mRun: [CCUTRAYICON] c:\program files\intel\inteldh\ccu\CCU_TrayIcon.exe
mRun: [NMSSupport] "c:\program files\common files\intel\inteldh\nms\support\IntelHCTAgent.exe" /startup
mRun: [AlwaysReady Power Message APP] ARPWRMSG.EXE
mRun: [MSKDetectorExe] c:\program files\mcafee\spamkiller\MSKDetct.exe /uninstall
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\instal~1.lnk - c:\program files\sifxinst\SIFXINST.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: microsoft.com\www.update
DPF: {33704B0F-9EB7-434B-B752-EA6CFFB87423} - hxxp://mauimanakai3.viewnetcam.com/JpegInst.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {EAEFAD15-8753-45EF-94B0-1BAA7970CC21} - hxxp://mauimanakai3.viewnetcam.com/MpegInst.cab
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\owner.owner\application data\mozilla\firefox\profiles\okhtg922.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?sourceid=navclient&hl=en&q=
FF - component: c:\documents and settings\owner.owner\application data\mozilla\firefox\profiles\okhtg922.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\documents and settings\owner.owner\application data\mozilla\firefox\profiles\okhtg922.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar-ff3.dll
FF - plugin: c:\program files\google\update\1.3.21.53\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 165264]
R1 MpKsl66307baa;MpKsl66307baa;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{5877bcd2-75a6-47c4-afca-bbb8dceceaaa}\MpKsl66307baa.sys [2011-5-21 28752]
R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\adobe\photoshop elements 7.0\PhotoshopElementsFileAgent.exe [2008-9-16 169312]
R2 cbVSCService;Cobian Backup 10 Volume Shadow Copy service;c:\program files\cobian backup 10\cbVSCService.exe [2011-5-21 67584]
R2 MCLServiceATL;Intel® Application Tracker;c:\program files\intel\inteldh\intel media server\shells\MCLServiceATL.exe [2006-7-27 163840]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R3 xcbdaNtsc;ViXS Tuner Card (NTSC);c:\windows\system32\drivers\xcbda.sys [2010-10-2 139008]
S1 MpKsl1a411168;MpKsl1a411168;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{65e47129-611f-4286-b5a5-ec3394af4f41}\mpksl1a411168.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{65e47129-611f-4286-b5a5-ec3394af4f41}\MpKsl1a411168.sys [?]
S1 MpKsl2704b33b;MpKsl2704b33b;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{b95b79b9-feb4-40e4-9de6-9325ae14bb62}\mpksl2704b33b.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{b95b79b9-feb4-40e4-9de6-9325ae14bb62}\MpKsl2704b33b.sys [?]
S1 MpKsl4548bd84;MpKsl4548bd84;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{6ae51e37-e88a-48a3-9a65-1cfbc083b780}\mpksl4548bd84.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{6ae51e37-e88a-48a3-9a65-1cfbc083b780}\MpKsl4548bd84.sys [?]
S1 MpKsl515260ef;MpKsl515260ef;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{791d0b52-bbd2-4f4a-ac3e-986acd73e060}\mpksl515260ef.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{791d0b52-bbd2-4f4a-ac3e-986acd73e060}\MpKsl515260ef.sys [?]
S1 MpKsla9c4a188;MpKsla9c4a188;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{8f5e3821-72ef-49cc-9d9f-2bf96878d348}\mpksla9c4a188.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{8f5e3821-72ef-49cc-9d9f-2bf96878d348}\MpKsla9c4a188.sys [?]
S1 MpKslb9ad92b7;MpKslb9ad92b7;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{e76f117f-76dc-4d7b-848d-f42f58932945}\mpkslb9ad92b7.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{e76f117f-76dc-4d7b-848d-f42f58932945}\MpKslb9ad92b7.sys [?]
S1 MpKslcb2b6e56;MpKslcb2b6e56;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{38be38e7-80bd-4b54-86b5-57659f11e71b}\mpkslcb2b6e56.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{38be38e7-80bd-4b54-86b5-57659f11e71b}\MpKslcb2b6e56.sys [?]
S1 MpKslfce16c29;MpKslfce16c29;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{b2d82ba1-0388-4877-a7f3-9c33456507f9}\mpkslfce16c29.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{b2d82ba1-0388-4877-a7f3-9c33456507f9}\MpKslfce16c29.sys [?]
S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\owner~1.own\locals~1\temp\sas_selfextract\sasdifsv.sys --> c:\docume~1\owner~1.own\locals~1\temp\sas_selfextract\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\docume~1\owner~1.own\locals~1\temp\sas_selfextract\saskutil.sys --> c:\docume~1\owner~1.own\locals~1\temp\sas_selfextract\SASKUTIL.SYS [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-10-4 136176]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2010-10-2 30192]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-10-4 136176]
.
=============== Created Last 30 ================
.
2011-05-22 01:44:15 -------- d-sha-w- c:\windows\Repair
2011-05-22 01:27:44 -------- d-----w- c:\documents and settings\owner.owner\local settings\application data\Safe mirror
2011-05-22 01:27:18 -------- d-----w- c:\program files\Cobian Backup 10
2011-05-21 14:12:02 28752 ------w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{5877bcd2-75a6-47c4-afca-bbb8dceceaaa}\MpKsl66307baa.sys
2011-05-21 01:04:51 472808 ------w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
2011-05-20 20:19:39 -------- d-----w- c:\program files\ESET
2011-05-19 16:00:13 6962000 ------w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{5877bcd2-75a6-47c4-afca-bbb8dceceaaa}\mpengine.dll
2011-05-15 22:18:52 -------- d-----w- c:\documents and settings\owner.owner\application data\GameMaker
2011-05-15 21:20:11 -------- d-----w- c:\documents and settings\owner.owner\lmms
2011-05-15 21:18:38 -------- d-----w- c:\program files\LMMS
2011-05-09 17:23:18 -------- d-----w- c:\program files\Windows Media Connect 2
2011-05-09 17:21:12 -------- d-----w- c:\windows\system32\LogFiles
2011-05-09 17:17:00 159744 ------w- c:\program files\mozilla firefox\plugins\npqtplugin7.dll
2011-05-09 17:17:00 159744 ------w- c:\program files\mozilla firefox\plugins\npqtplugin6.dll
2011-05-09 17:17:00 159744 ------w- c:\program files\mozilla firefox\plugins\npqtplugin5.dll
2011-05-09 17:17:00 159744 ------w- c:\program files\mozilla firefox\plugins\npqtplugin4.dll
2011-05-09 17:17:00 159744 ------w- c:\program files\mozilla firefox\plugins\npqtplugin3.dll
2011-05-09 17:17:00 159744 ------w- c:\program files\mozilla firefox\plugins\npqtplugin2.dll
2011-05-09 17:17:00 159744 ------w- c:\program files\mozilla firefox\plugins\npqtplugin.dll
2011-05-09 17:17:00 159744 ------w- c:\program files\internet explorer\plugins\npqtplugin7.dll
2011-05-09 17:15:47 -------- d-----w- c:\documents and settings\owner.owner\local settings\application data\Apple
2011-05-09 17:15:32 -------- d-----w- c:\documents and settings\owner.owner\local settings\application data\Apple Computer
2011-04-28 07:06:47 -------- d-----w- C:\9bd88165423a431bc6dbd35e
.
==================== Find3M ====================
.
2011-04-14 12:07:59 472808 ------w- c:\windows\system32\deployJava1.dll
2011-04-14 09:40:22 73728 ------w- c:\windows\system32\javacpl.cpl
.
============= FINISH: 21:30:28.07 ===============

Please help.

This post has been edited by Orange Blossom: 27 May 2011 - 07:52 PM
Reason for edit: Removed spoiler coding for ease of reading. ~ OB

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Please take note:

• If you have since resolved the original problem you were having, we would appreciate you letting us know.
  
• If you are unable to create a log because your computer cannot start up successfully please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
  
  • If you are unsure about any of these characteristics just post what you can and we will guide you.
  
  
• Please tell us if you have your original Windows CD/DVD available.
  
• If you are unable to perform the steps we have recommended please try one more time and if unsuccessful alert us of such and we will design an alternate means of obtaining the necessary information.
  
• If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
  
• Upon completing the steps below another staff member will review your topic an do their best to resolve your issues.
  
• If you have already posted a DDS log, please do so again, as your situation may have changed.
  
• Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan again:

• Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • DDS.scr
    
  • DDS.pif
  
  
• Double click on the DDS icon, allow it to run.
  
• A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  
• Notepad will open with the results.
  
• Follow the instructions that pop up for posting the results.
  
• Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:



Thanks and again sorry for the delay.

Hi, thanks for the response.

-I haven't solved the problem.
-My computer starts up fine, but it is Windows XP sp2. 32bit, I think. I'll confirm this later.
-I don't have my windows boot disk.
-To reiterate, my problem is that Windows Security Center continues to give a warning that automatic updates are not on. It started doing this after removing this virus from my original topic: http://www.bleepingcomputer.com/forums/topic398385.html

Running those scans now.

Hi Mead,

Welcome to Bleeping Computers

My name is Tomk_. I would be glad to take a look at your log and help you with solving any malware problems. HijackThis logs can take a while to research, so please be patient and I'd be grateful if you would note the following:

• I will be working on your Malware issues, this may or may not, solve other issues you have with your machine.
  
• The fixes are specific to your problem and should only be used for the issues on this machine.
  
• Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  
• It's often worth reading through these instructions and printing them for ease of reference.
  
• If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  
• Please reply to this thread. Do not start a new topic.
  
• Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, feel free to create a new one.

I apologize for the delay in response. We get overwhelmed at times but we are trying our best to keep up.

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html
  
  
  
• Double click on ComboFix.exe & follow the prompts.
  
  
  
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  
  
  
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.





Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:




Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
4. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
5. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Sorry about that. Apparently I clicked on the wrong button.

This post has been edited by Tomk_: 31 May 2011 - 05:22 PM

OK, runnng combofix as I write this. Instead of asking the text shown in the messages above, it was slightly different (Regarding the Windows Recovery Console), however, I just clicked Yes to install as if it were.

Awaiting the finish of the scan...


Heard the XP 'shutting down' jingle, is that normal?

Wasn't aware that it would restart before producing the log.

This post has been edited by Mead: 31 May 2011 - 06:21 PM

C:\ComboFix.txt is attached to this post.

This post has been edited by Mead: 31 May 2011 - 06:32 PM

Restarting is normal.

It's looking good. Your windows update service was rebuilt.

Can you update now?

Yes I can, thank you very much!

Great.


Time for some housekeeping

• Click START then RUN
  
• Now type Combofix /Uninstall in the runbox and click OK
  
• Note the space between the X and the U, it needs to be there.

The above procedure will:

• Implement some cleanup procedures.
  
• Reset System Restore.

Please re-enable any security that was disabled.


The following is my standard advice for the future. Use what you can and pat yourself on the back for what you're already doing.

Please take time to read Preventing Malware - Tools and Practices for Safe Computing. Very important information for your consideration is contained therein.

I would also suggest you read this:
So how did I get infected in the first place?
by Tony Klein


Also: "How to prevent malware"
by miekiemoes

Please respond back that you understand the above and let me know if you have any questions. Otherwise, this thread will be closed Resolved.

When I type 'Combofix /Uninstall' in the Run box, it continues to try to run combofix. It gives the security warning. I thought that it was needed to uninstall, so I click Run, and combofix seemed to try to scan again. I hard-rebooted.

Did I make a mistake?

Typeing 'Combofix /Uninstall' in the run box will run ComboFix... but it only runs so far as to uninstall it's components and do some resetting of things. It will only take a minute and you shouldn't get the window popping up that starts enemurating tasks completed. A small pop up should appear that says something like "ComboFix has been uninstalled" and then the icon will disappear off of your desktop. No log will be produced.

Thank you very much for all your help!

Did everything "clean-up" alright?

Yup, all good.