
BITS Missing, Unable to change Firewall Settings and more


  • This topic is locked
11 replies to this topic

#1 K Stanley

K Stanley

  • Members
  • 8 posts
  • OFFLINE
  • Local time:06:58 AM

Posted 30 April 2009 - 08:16 AM

My computer is running very slow most of the time. I recently noticed Windows Update was no longer working. It fails with the following error: "The website has encountered a problem and cannot display the page you are trying to view. The options provided below might help you solve the problem."

While trying to resolve this error, I've discovered many malware issues and now the scans are coming up clean, but the problem still remains.

I discovered BITS is missing, and I can no longer change the firewall settings - it is currently disabled. The DVD burner no longer works. I've tried many fixes and I fear I'm making things worse.

Attached you will find the DDS.txt and Attach.txt files.

Thank you in advance for your assistance.

Kathy



#2 KoanYorel

KoanYorel

    Bleepin' Conundrum


  • Members
  • 19,461 posts
  • OFFLINE
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA
  • Local time:07:58 AM

Posted 13 May 2009 - 11:08 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#3 K Stanley

K Stanley
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:06:58 AM

Posted 16 May 2009 - 03:22 PM

I'm still running into problems with 100% CPU usage.

I have been able to remedy the BITS issue, so I can perform Windows Update again. I cannot make changes to my firewall though.

Here is my current DDS log.

Edited to insert DDS log In-Line ~ Maurice


DDS (Ver_09-05-14.01) - NTFSx86
Run by Kathy at 15:09:21.03 on Sat 05/16/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.361 [GMT -5:00]

AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\Google Talk\googletalk.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Kathy\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Kathy\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Kathy\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Kathy\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Kathy\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\Kathy\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Kathy\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Kathy\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = www.google.com
uDefault_Page_URL = hxxp://www.dell.com
mDefault_Page_URL = hxxp://www.dell.com
mDefault_Search_URL = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
mSearch Page = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr6/*http://www.yahoo.com
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky anti-virus 2009\ievkbd.dll
BHO: UberButton Class: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: YahooTaggedBM Class: {65d886a2-7ca7-479b-bb95-14d1efb7946a} - c:\program files\yahoo!\common\YIeTagBm.dll
BHO: {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
EB: &Yahoo! Messenger: {4528bbe0-4e08-11d5-ad55-00010333d0ad} - c:\progra~1\yahoo!\common\yhexbmesus.dll
uRun: [googletalk] "c:\program files\google\google talk\googletalk.exe" /autostart
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky anti-virus 2009\avp.exe"
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\kathy\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
IE: &Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm
IE: Yahoo! &Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\yahoo!\Common/ycsms.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\windows\system32\msjava.dll
IE: {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6} - c:\program files\kaspersky lab\kaspersky anti-virus 2009\SCIEPlgn.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
Trusted Zone: turbotax.com
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93}
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA}
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000}
TCP: {8E9EB467-A22D-4501-A801-06604E518564} = 74.62.166.163
Notify: klogon - c:\windows\system32\klogon.dll
Notify: NetIdentity Notification - c:\windows\system32\novell\XtNotify.dll
AppInit_DLLs: c:\progra~1\google\google~3\googledesktopnetwork3.dll c:\progra~1\kasper~1\kasper~1\mzvkbd.dll c:\progra~1\kasper~1\kasper~1\mzvkbd3.dll
SEH: Eudora's Shell Extension: {edb0e980-90bd-11d4-8599-0008c7d3b6f8} - c:\program files\qualcomm\eudora\EuShlExt.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\kathy\applic~1\mozilla\firefox\profiles\2fozenkk.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\documents and settings\kathy\local settings\application data\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\progra~1\palmone\packag~1\NPInstal.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJava11.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJava12.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJava13.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJava14.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJava32.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJPI142_03.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPOJI610.dll
FF - plugin: c:\program files\plugins\npmozax.dll
FF - plugin: c:\program files\plugins\npnul32.dll
FF - plugin: c:\program files\plugins\npqtplugin.dll
FF - plugin: c:\program files\plugins\npqtplugin2.dll
FF - plugin: c:\program files\plugins\npqtplugin3.dll
FF - plugin: c:\program files\plugins\npqtplugin4.dll
FF - plugin: c:\program files\plugins\npqtplugin5.dll
FF - plugin: c:\program files\plugins\npqtplugin6.dll
FF - plugin: c:\program files\plugins\npqtplugin7.dll
FF - plugin: c:\program files\plugins\npyaxmpb.dll
FF - HiddenExtension: XUL Cache: {DC9D18F5-55D3-4BE8-9748-45E27C6C4DC4} - c:\documents and settings\kathy\local settings\application data\{DC9D18F5-55D3-4BE8-9748-45E27C6C4DC4}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\defaults\profile\user.js - user_pref("content.interrupt.parsing", true);
c:\program files\mozilla firefox\defaults\profile\user.js - user_pref("content.max.tokenizing.time", 2250000);
c:\program files\mozilla firefox\defaults\profile\user.js - user_pref("content.notify.interval", 750000);
c:\program files\mozilla firefox\defaults\profile\user.js - user_pref("content.notify.ontimer", true);
c:\program files\mozilla firefox\defaults\profile\user.js - user_pref("content.switch.threshold", 750000);
c:\program files\mozilla firefox\defaults\profile\user.js - user_pref("nglayout.initialpaint.delay", 0);

============= SERVICES / DRIVERS ===============

R0 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2008-7-21 121872]
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-1-29 33808]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-4-27 28544]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2009-5-5 226832]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-5-7 353672]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2008-4-30 24592]
R3 Xgiv3;Xgiv3;c:\windows\system32\drivers\Xgiv3m.sys [1980-1-1 337408]
S0 mcaeq;mcaeq;c:\windows\system32\drivers\ckkueopa.sys --> c:\windows\system32\drivers\ckkueopa.sys [?]
S0 mtqdvovd;mtqdvovd;c:\windows\system32\drivers\rhieaxq.sys --> c:\windows\system32\drivers\rhieaxq.sys [?]
S0 uxliwix;uxliwix;c:\windows\system32\drivers\cdvmkwfr.sys --> c:\windows\system32\drivers\cdvmkwfr.sys [?]

=============== Created Last 30 ================

2009-05-13 05:05 <DIR> --d----- c:\program files\FTP Commander
2009-05-09 05:44 <DIR> --d----- c:\docume~1\kathy\applic~1\Jarte
2009-05-09 05:44 <DIR> --d----- c:\program files\Jarte
2009-05-08 08:37 <DIR> --d----- c:\windows\system32\scripting
2009-05-08 08:37 <DIR> --d----- c:\windows\l2schemas
2009-05-08 08:37 <DIR> --d----- c:\windows\system32\en
2009-05-08 08:37 <DIR> --d----- c:\windows\system32\bits
2009-05-08 08:26 <DIR> --d----- c:\windows\ServicePackFiles
2009-05-08 08:20 <DIR> --d----- c:\windows\network diagnostic
2009-05-08 07:08 <DIR> --d----- c:\windows\EHome
2009-05-07 09:05 4,212 a---h--- c:\windows\system32\zllictbl.dat
2009-05-07 09:05 1,221,512 a------- c:\windows\system32\zpeng25.dll
2009-05-07 09:05 <DIR> --d----- c:\windows\system32\ZoneLabs
2009-05-07 09:05 <DIR> --d----- c:\program files\Zone Labs
2009-05-07 09:05 350,192 a------- c:\windows\system32\vsconfig.xml
2009-05-07 09:03 <DIR> --d----- c:\windows\Internet Logs
2009-05-07 05:22 388,608 a------- c:\windows\system32\cmd.execf
2009-05-06 19:13 <DIR> --d----- c:\program files\CCleaner
2009-05-06 07:51 666,792 a------- C:\RegBackup.reg
2009-05-06 06:05 136,192 -------- c:\windows\system32\aaclient.dll
2009-05-06 06:05 4,255 -------- c:\windows\system32\drivers\adv01nt5.dll
2009-05-06 06:05 3,967 -------- c:\windows\system32\drivers\adv02nt5.dll
2009-05-06 06:05 3,775 -------- c:\windows\system32\drivers\adv11nt5.dll
2009-05-06 06:05 3,711 -------- c:\windows\system32\drivers\adv09nt5.dll
2009-05-06 06:05 3,647 -------- c:\windows\system32\drivers\adv07nt5.dll
2009-05-06 06:05 3,615 -------- c:\windows\system32\drivers\adv05nt5.dll
2009-05-06 06:05 3,135 -------- c:\windows\system32\drivers\adv08nt5.dll
2009-05-06 06:03 1,261 -------- c:\windows\system32\pid.inf
2009-05-06 06:02 155,136 -------- c:\windows\system32\mssha.dll
2009-05-06 06:01 121,984 -------- c:\windows\system32\drivers\usbvideo.sys
2009-05-06 05:42 104,960 -------- c:\windows\system32\drivers\atinrvxx.sys
2009-05-05 16:42 101,287 a------- c:\windows\system32\drivers\klin.dat
2009-05-05 16:42 89,601 a------- c:\windows\system32\drivers\klick.dat
2009-05-05 16:39 4,730,912 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-05-05 16:39 598,048 a--sh--- c:\windows\system32\drivers\fidbox2.dat
2009-05-05 16:39 38,040 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-05-05 16:39 3,124 a--sh--- c:\windows\system32\drivers\fidbox2.idx
2009-05-05 16:39 <DIR> --d----- c:\program files\Kaspersky Lab
2009-05-05 16:39 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Kaspersky Lab
2009-05-03 05:39 <DIR> --d----- c:\documents and settings\kathy\DoctorWeb
2009-05-01 05:23 <DIR> --d----- c:\windows\system32\CatRoot2
2009-04-30 06:49 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files
2009-04-28 20:12 <DIR> --d----- c:\program files\Enigma Software Group
2009-04-28 18:29 <DIR> --d----- c:\program files\Trend Micro
2009-04-27 08:56 28,544 a------- c:\windows\system32\drivers\pavboot.sys
2009-04-27 08:54 <DIR> --d----- c:\program files\Panda Security
2009-04-25 17:53 <DIR> --d----- c:\docume~1\kathy\applic~1\Malwarebytes
2009-04-25 17:53 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-25 17:53 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-25 17:53 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-04-25 17:53 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-19 09:14 148,480 a------- c:\windows\system32\GDIPFONTCACHEV1.DAT
2009-04-16 18:07 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-04-16 18:07 1,203,922 -------- c:\windows\system32\dllcache\sysmain.sdb
2009-04-16 18:07 215,552 -------- c:\windows\system32\dllcache\wordpad.exe

==================== Find3M ====================

2009-05-08 08:54 78,739 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-05-05 17:12 33,808 a------- c:\windows\system32\drivers\klbg.sys
2009-04-16 04:56 674 a------- c:\windows\fonts\DIN-Regular.pfm
2009-04-10 16:17 1,436 a------- c:\program files\install.log
2009-03-21 09:06 989,696 -------- c:\windows\system32\dllcache\kernel32.dll
2009-03-06 09:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-06 09:22 284,160 -------- c:\windows\system32\dllcache\pdh.dll
2009-03-02 18:04 1,499,136 -------- c:\windows\system32\dllcache\shdocvw.dll
2009-02-20 03:11 3,068,416 -------- c:\windows\system32\dllcache\mshtml.dll
2009-02-20 03:10 666,112 a------- c:\windows\system32\wininet.dll
2009-02-20 03:10 666,112 -------- c:\windows\system32\dllcache\wininet.dll
2009-02-20 03:10 619,520 -------- c:\windows\system32\dllcache\urlmon.dll
2009-02-20 03:10 81,920 a------- c:\windows\system32\ieencode.dll
2009-02-20 03:10 81,920 -------- c:\windows\system32\dllcache\ieencode.dll
2008-08-29 04:17 8,855 a------- c:\program files\updates.xml
2008-08-29 04:17 1,159 a------- c:\program files\active-update.xml
2008-07-04 10:01 709 a------- c:\program files\updater.ini
2008-07-04 10:01 14,347 a------- c:\program files\removed-files
2008-07-04 10:01 181 a------- c:\program files\README.txt
2008-07-04 10:01 112 a------- c:\program files\old-homepage-default.properties
2008-07-04 10:01 31,436 a------- c:\program files\LICENSE
2008-07-04 10:01 232 a------- c:\program files\browserconfig.properties
2008-07-04 10:01 0 a------- c:\program files\.autoreg
2006-07-07 11:42 2,983 a------- c:\program files\install_wizard.log
2006-07-07 11:42 1,435 a------- c:\program files\install_status.log

============= FINISH: 15:14:45.25 ===============

Edited by Maurice Naggar, 16 May 2009 - 03:56 PM.


#4 Maurice Naggar

Maurice Naggar

    Eradicator de malware


  • Malware Response Team
  • 1,088 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:05:58 AM

Posted 16 May 2009 - 04:07 PM

Hello K Stanley.

I'll be helping you to look for remaining malware and to remove it. Note that the DVD burner issue will have to wait.
The main issue here is to look for malware.

You will want to print out or copy these instructions to Notepad for Safe Mode/offline reference!
These steps are for member K Stanley only. If you are a casual reader, do NOT try this on your system!
If you are not K Stanley and have a similar problem, do NOT post here; start your own topic


Do not run or start any other programs while these utilities and tools are in use!
Do NOT run any other tools on your own or do any fixes other than what is listed here.
If you have questions, please ask before you do something on your own.
But it is important that you get going on these following steps.
=
Close any of your open programs while you run these tools.

Set Windows to show all files and all folders.
On your Desktop, double click My Computer, from the menu options, select Tools, then Folder Options, and then select the VIEW tab and look at all of the settings listed.

"CHECK" (turn on) Display the contents of system folders.

Under the column Hidden files and folders, choose (*select*) Show hidden files and folders.
Next, un-check Hide extensions for known file types.
Next, un-check Hide protected operating system files.

=
Take out the trash (temporary files & temporary internet files)
Please download ATF Cleaner by Atribune, saving it to your desktop. It is used to clean out temporary files & temp areas used by internet browsers.
Start ATF-Cleaner.exe to run the program.

Under Main choose: Select All

Click the Empty Selected button.

If you use Firefox browser, do this also:
Click Firefox at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser, do this also:
Click Opera at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
ATF-Cleaner should be run per the above in every user-login account {User Profile}.

=
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

If you have a prior copy of Combofix, delete it now !

Download Combofix from any of the links below. You must rename it before saving it. Save it to your Desktop.

Link 1
Link 2
Link 3


* IMPORTANT !!! SAVE AS Combo-Fix.exe to your Desktop
If your I.E. browser shows a warning message at the top, do a Right-Click on the bar and select Download, saving it to the Desktop.
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

  • Double click on Combo-Fix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

Please watch Combofix as it runs, as you may see messages which require your response, or the pressing of OK button.

IF you should see a message like this:
Posted Image
then be sure to write it down fully, also copy it into your next reply here, and then await my response.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
-------------------------------------------------------

A caution - Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.

The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled.
If this occurs, please reboot to restore the desktop.
Even when ComboFix appears to be doing nothing, look at your Drive light.
If it is flashing, Combofix is still at work.
=

Please download and run the Trend Micro Sysclean Package on your computer.
NOTE! This scan will probably take a long time to run on your computer so be patient and don't use it while it's scanning.
  • Create a brand new folder to copy these files to.
  • As an example: C:\DCE
  • Then open each of the zipped archive files and copy their contents to C:\DCE
  • Copy the file sysclean.com to the new folder C:\DCE as well.
  • Double-click on the file sysclean.com that is in the C:\DCE folder and follow the on-screen instructions.

    After doing all of this, please post back your results, including the log file sysclean.log that will be left behind by sysclean.
How To Use Compressed (Zipped) Folders in Windows XP
Compress and uncompress files (zip files) in Vista

=

Run MBAM MalwareBytes Anti-Malware with the most current definitions database:
Start your Alpha {MBAM}.
Click the Settings Tab. Make sure all option lines have a checkmark.
Click the Update tab. Press the "Check for Updates" button.
At this time, the current definitions are # 2139 or later. The latest program version is 1.36 (released April 6)

When done, click the Scanner tab.
Do a Quick Scan.

When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

=

Now, RE-Enable your AntiVirus and AntiSpyware applications.

Run a new Hijackthis Scan and Save

Be sure to do a Preview prior to pressing Submit because all reports may not fit into 1 single reply. You'll likely have to do more than 1 reply.

Reply with copies of contents of C:\Combofix.txt
the Sysclean log
the latest MBAM scan log
and tell me, How is your system now?
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#5 K Stanley

K Stanley
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:06:58 AM

Posted 17 May 2009 - 05:15 AM

Here's my Combofix log
<Edited to place log In-Line ~ Maurice>
ComboFix 09-05-16.03 - Kathy 05/16/2009 16:29.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.511 [GMT -5:00]
Running from: c:\documents and settings\Kathy\Desktop\Combo-Fix.exe
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Outdated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\INSTALL.LOG
c:\windows\IE4 Error Log.txt

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_WMDMPMSN_SERVICE
-------\Service_WmdmPmSN Service


((((((((((((((((((((((((( Files Created from 2009-04-16 to 2009-05-16 )))))))))))))))))))))))))))))))
.

2009-05-13 10:05 . 2009-05-16 13:09 -------- d-----w c:\program files\FTP Commander
2009-05-09 10:44 . 2009-05-16 13:17 -------- d-----w c:\documents and settings\Kathy\Application Data\Jarte
2009-05-09 10:44 . 2009-05-09 10:44 -------- d-----w c:\program files\Jarte
2009-05-08 13:37 . 2009-05-08 13:37 -------- d-----w c:\windows\system32\scripting
2009-05-08 13:37 . 2009-05-08 13:37 -------- d-----w c:\windows\l2schemas
2009-05-08 13:37 . 2009-05-08 13:37 -------- d-----w c:\windows\system32\en
2009-05-08 13:37 . 2009-05-08 13:37 -------- d-----w c:\windows\system32\bits
2009-05-08 13:26 . 2009-05-08 13:41 -------- d-----w c:\windows\ServicePackFiles
2009-05-08 12:08 . 2009-05-08 12:08 -------- d-----w c:\windows\EHome
2009-05-07 14:05 . 2009-05-07 14:05 4212 ---ha-w c:\windows\system32\zllictbl.dat
2009-05-07 14:05 . 2009-02-16 05:10 1221512 ----a-w c:\windows\system32\zpeng25.dll
2009-05-07 14:05 . 2009-05-07 14:05 -------- d-----w c:\windows\system32\ZoneLabs
2009-05-07 14:05 . 2009-05-07 14:05 -------- d-----w c:\program files\Zone Labs
2009-05-07 14:03 . 2009-05-16 21:56 -------- d-----w c:\windows\Internet Logs
2009-05-07 00:13 . 2009-05-07 00:13 -------- d-----w c:\program files\CCleaner
2009-05-06 12:51 . 2009-05-06 12:51 666792 ----a-w C:\RegBackup.reg
2009-05-06 11:05 . 2008-04-14 00:11 136192 ------w c:\windows\system32\aaclient.dll
2009-05-06 11:05 . 2008-04-14 00:11 4255 ------w c:\windows\system32\drivers\adv01nt5.dll
2009-05-06 11:05 . 2008-04-14 00:11 3967 ------w c:\windows\system32\drivers\adv02nt5.dll
2009-05-06 11:05 . 2008-04-14 00:11 3615 ------w c:\windows\system32\drivers\adv05nt5.dll
2009-05-06 11:05 . 2008-04-14 00:11 3647 ------w c:\windows\system32\drivers\adv07nt5.dll
2009-05-06 11:05 . 2008-04-14 00:11 3135 ------w c:\windows\system32\drivers\adv08nt5.dll
2009-05-06 11:05 . 2008-04-14 00:11 3711 ------w c:\windows\system32\drivers\adv09nt5.dll
2009-05-06 11:05 . 2008-04-14 00:11 3775 ------w c:\windows\system32\drivers\adv11nt5.dll
2009-05-06 11:03 . 2008-04-14 00:09 6144 ------w c:\windows\system32\kbdbhc.dll
2009-05-06 11:02 . 2008-04-14 00:12 155136 ------w c:\windows\system32\mssha.dll
2009-05-06 11:01 . 2008-04-13 18:56 12800 ------w c:\windows\system32\drivers\usb8023x.sys
2009-05-06 10:42 . 2004-08-04 03:29 104960 ------w c:\windows\system32\drivers\atinrvxx.sys
2009-05-05 21:42 . 2009-05-05 22:12 101287 ----a-w c:\windows\system32\drivers\klin.dat
2009-05-05 21:42 . 2009-05-05 22:12 89601 ----a-w c:\windows\system32\drivers\klick.dat
2009-05-05 21:39 . 2009-05-16 21:49 4730912 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-05-05 21:39 . 2009-05-16 21:49 614432 --sha-w c:\windows\system32\drivers\fidbox2.dat
2009-05-05 21:39 . 2009-05-05 21:39 -------- d-----w c:\program files\Kaspersky Lab
2009-05-05 21:39 . 2009-05-16 21:55 -------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-05-04 09:53 . 2009-05-04 09:53 -------- d-----w c:\documents and settings\Administrator\DoctorWeb
2009-05-04 09:45 . 2009-05-04 09:45 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-05-03 10:39 . 2009-05-03 10:39 -------- d-----w c:\documents and settings\Kathy\DoctorWeb
2009-05-01 10:23 . 2009-05-16 21:28 -------- d-----w c:\windows\system32\CatRoot2
2009-04-30 11:49 . 2009-04-30 11:49 -------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2009-04-30 10:08 . 2009-04-30 10:08 -------- d-----w c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-04-29 01:12 . 2009-05-05 21:14 -------- d-----w c:\program files\Enigma Software Group
2009-04-28 23:29 . 2009-04-28 23:29 -------- d-----w c:\program files\Trend Micro
2009-04-27 13:56 . 2008-06-19 21:24 28544 ----a-w c:\windows\system32\drivers\pavboot.sys
2009-04-27 13:54 . 2009-04-27 13:54 -------- d-----w c:\program files\Panda Security
2009-04-25 22:53 . 2009-04-25 22:53 -------- d-----w c:\documents and settings\Kathy\Application Data\Malwarebytes
2009-04-25 22:53 . 2009-04-06 20:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-25 22:53 . 2009-04-06 20:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-25 22:53 . 2009-04-25 22:53 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-25 22:53 . 2009-04-25 22:53 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-25 17:28 . 2009-04-25 17:28 -------- d-----w c:\documents and settings\Kathy\Local Settings\Application Data\{07F19D6C-B490-44B6-A628-90ED47A8A447}
2009-04-25 16:12 . 2009-04-25 18:46 -------- d-----w c:\documents and settings\Kathy\Local Settings\Application Data\{DC9D18F5-55D3-4BE8-9748-45E27C6C4DC4}
2009-04-20 17:03 . 2009-04-25 17:28 -------- d-----w c:\documents and settings\Kathy\Local Settings\Application Data\{07F19D6C-B490-44B6-A628-90ED47A8A447}(2)
2009-04-19 14:14 . 2009-04-19 14:14 148480 ----a-w c:\windows\system32\GDIPFONTCACHEV1.DAT
2009-04-16 23:07 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-16 23:07 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-16 21:49 . 2009-05-05 21:39 38040 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-05-16 21:49 . 2009-05-05 21:39 3180 --sha-w c:\windows\system32\drivers\fidbox2.idx
2009-05-12 22:21 . 2004-11-02 13:50 148480 ----a-w c:\documents and settings\Kathy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-08 11:38 . 2004-10-28 21:57 -------- d-----w c:\program files\Yahoo!
2009-05-08 11:21 . 2004-11-11 14:18 -------- d-----w c:\program files\Google
2009-05-07 12:22 . 2006-07-07 16:42 -------- d-----w c:\program files\uninstall
2009-05-06 08:17 . 2007-02-06 16:59 -------- d-----w c:\program files\ruon.neton
2009-05-05 22:12 . 2008-01-29 22:29 33808 ----a-w c:\windows\system32\drivers\klbg.sys
2009-05-05 21:15 . 2004-11-12 15:05 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-05-05 00:44 . 2004-10-21 06:26 -------- d--h--w c:\program files\InstallShield Installation Information
2009-05-04 09:45 . 2006-07-07 16:42 -------- d-----w c:\program files\components
2009-05-01 13:14 . 2004-11-02 14:46 -------- d-----w c:\program files\Sophos SWEEP for NT
2009-04-27 09:33 . 2009-04-13 14:13 208 --s-a-w c:\windows\system32\3427194928.dat
2009-04-25 17:29 . 2005-05-08 13:07 -------- d-----w c:\program files\RssReader
2009-04-20 12:49 . 2009-04-13 17:18 0 ----a-w c:\windows\Ffefafofoce.bin
2009-04-19 10:14 . 2005-02-17 02:06 -------- d-----w c:\program files\TurboTax
2009-04-10 21:21 . 2009-04-10 21:20 -------- d-----w c:\program files\SmartFTP Client
2009-04-10 21:20 . 2009-04-10 21:20 -------- d-----w c:\program files\SmartFTP Client 3.0 Setup Files
2009-04-06 11:21 . 2006-07-07 16:41 -------- d-----w c:\program files\plugins
2009-03-06 14:22 . 2004-08-04 10:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-02-20 08:10 . 2004-08-04 10:00 666112 ----a-w c:\windows\system32\wininet.dll
2009-02-20 08:10 . 2004-08-04 10:00 81920 ----a-w c:\windows\system32\ieencode.dll
2008-08-29 09:17 . 2006-07-27 16:49 8855 ----a-w c:\program files\updates.xml
2008-08-29 09:17 . 2006-07-27 16:49 1159 ----a-w c:\program files\active-update.xml
2008-07-04 15:01 . 2006-07-07 16:42 709 ----a-w c:\program files\updater.ini
2008-07-04 15:01 . 2007-10-15 18:23 112 ----a-w c:\program files\old-homepage-default.properties
2008-07-04 15:01 . 2006-11-09 12:52 14347 ----a-w c:\program files\removed-files
2008-07-04 15:01 . 2006-07-07 16:42 181 ----a-w c:\program files\README.txt
2008-07-04 15:01 . 2006-07-07 16:42 31436 ----a-w c:\program files\LICENSE
2008-07-04 15:01 . 2006-07-07 16:42 232 ----a-w c:\program files\browserconfig.properties
2008-07-04 15:01 . 2006-07-07 16:42 0 ----a-w c:\program files\.autoreg
2006-07-07 16:42 . 2006-07-07 16:41 2983 ----a-w c:\program files\install_wizard.log
2006-07-07 16:42 . 2006-07-07 16:41 1435 ----a-w c:\program files\install_status.log
2007-09-26 12:17 . 2007-02-19 14:21 135680 ----a-w c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe" [2009-05-05 206088]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\SYSTEM32\narrator.exe [2008-04-14 53760]

c:\documents and settings\Kathy\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-11-2 113664]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\program files\Qualcomm\Eudora\EuShlExt.dll" [2005-06-07 86016]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\NetIdentity Notification]
2005-01-04 19:59 24576 ----a-w c:\windows\SYSTEM32\Novell\xtnotify.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DESKTOP.INI]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\DESKTOP.INI
backup=c:\windows\pss\DESKTOP.INICommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\c:^documents and settings^all users^start menu^programs^startup^hotsync manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=c:\windows\pss\HotSync Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterCheck Monitor.LNK]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterCheck Monitor.LNK
backup=c:\windows\pss\InterCheck Monitor.LNKCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=c:\windows\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Kathy^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=c:\documents and settings\Kathy\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=c:\windows\pss\HotSync Manager.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ccProxy"=2 (0x2)
"wscsvc"=2 (0x2)
"WmiApSrv"=3 (0x3)
"SharedAccess"=2 (0x2)
"ccSetMgr"=2 (0x2)
"ccPwdSvc"=3 (0x3)
"ccEvtMgr"=2 (0x2)
"iPodService"=3 (0x3)
"WLTRYSVC"=2 (0x2)
"TrkWks"=2 (0x2)
"SymWSC"=2 (0x2)
"SNDSrvc"=3 (0x3)
"MSDTC"=3 (0x3)
"MDM"=2 (0x2)
"Macromedia Licensing Service"=3 (0x3)
"XTAgent"=2 (0x2)
"cusrvc"=3 (0x3)
"SWEEPSRV.SYS"=2 (0x2)
"SweepNet"=2 (0x2)
"ShellHWDetection"=2 (0x2)
"Schedule"=2 (0x2)
"ProtectedStorage"=2 (0x2)
"NtmsSvc"=3 (0x3)
"GoogleDesktopManager"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\SYSTEM32\DRIVERS\klbg.sys [1/29/2008 5:29 PM 33808]
R0 pavboot;pavboot;c:\windows\SYSTEM32\DRIVERS\pavboot.sys [4/27/2009 8:56 AM 28544]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\SYSTEM32\DRIVERS\klim5.sys [4/30/2008 5:06 PM 24592]
R3 Xgiv3;Xgiv3;c:\windows\SYSTEM32\DRIVERS\Xgiv3m.sys [1/1/1980 337408]
S0 mcaeq;mcaeq;c:\windows\system32\drivers\ckkueopa.sys --> c:\windows\system32\drivers\ckkueopa.sys [?]
S0 mtqdvovd;mtqdvovd;c:\windows\system32\drivers\rhieaxq.sys --> c:\windows\system32\drivers\rhieaxq.sys [?]
S0 uxliwix;uxliwix;c:\windows\system32\drivers\cdvmkwfr.sys --> c:\windows\system32\drivers\cdvmkwfr.sys [?]
S4 XTAgent;Novell XTier Agent Services;c:\windows\SYSTEM32\Novell\xtagent.exe [1/4/2005 2:58 PM 61440]
.
Contents of the 'Scheduled Tasks' folder

2009-03-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2009-03-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1897382067-3760546315-1045484425-1006.job
- c:\documents and settings\Kathy\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-03-28 13:30]
.
.
------- Supplementary Scan -------
.
uStart Page = www.google.com
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
Trusted Zone: turbotax.com
TCP: {8E9EB467-A22D-4501-A801-06604E518564} = 74.62.166.163
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Kathy\Application Data\Mozilla\Firefox\Profiles\2fozenkk.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\documents and settings\Kathy\Local Settings\Application Data\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\progra~1\palmOne\PACKAG~1\NPInstal.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava11.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava12.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava13.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava14.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava32.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJPI142_03.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPOJI610.dll
FF - plugin: c:\program files\plugins\npmozax.dll
FF - plugin: c:\program files\plugins\npnul32.dll
FF - plugin: c:\program files\plugins\npqtplugin.dll
FF - plugin: c:\program files\plugins\npqtplugin2.dll
FF - plugin: c:\program files\plugins\npqtplugin3.dll
FF - plugin: c:\program files\plugins\npqtplugin4.dll
FF - plugin: c:\program files\plugins\npqtplugin5.dll
FF - plugin: c:\program files\plugins\npqtplugin6.dll
FF - plugin: c:\program files\plugins\npqtplugin7.dll
FF - plugin: c:\program files\plugins\npyaxmpb.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\defaults\profile\user.js - user_pref("content.interrupt.parsing", true);
c:\program files\Mozilla Firefox\defaults\profile\user.js - user_pref("content.max.tokenizing.time", 2250000);
c:\program files\Mozilla Firefox\defaults\profile\user.js - user_pref("content.notify.interval", 750000);
c:\program files\Mozilla Firefox\defaults\profile\user.js - user_pref("content.notify.ontimer", true);
c:\program files\Mozilla Firefox\defaults\profile\user.js - user_pref("content.switch.threshold", 750000);
c:\program files\Mozilla Firefox\defaults\profile\user.js - user_pref("nglayout.initialpaint.delay", 0);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-16 16:55
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1897382067-3760546315-1045484425-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SYSTEM32\wdfmgr.exe
c:\windows\SYSTEM32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-05-16 17:10 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-16 22:10

Pre-Run: 797,622,272 bytes free
Post-Run: 754,257,920 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
283 --- E O F --- 2009-05-10 04:04

Edited by Maurice Naggar, 17 May 2009 - 06:56 AM.


#6 K Stanley
  • Topic Starter
  • Members
  • 8 posts

Posted 17 May 2009 - 05:23 AM

Here's the sysclean log
<Edited to place log In-line ~ Maurice> Note that the top portion had unreadable characters!

/--------------------------------------------------------------\
| Trend Micro System Cleaner |
| Copyright 2006-2007, Trend Micro, Inc. |
| http://www.antivirus.com |
\--------------------------------------------------------------/


2009-05-16, 17:33:14, Auto-clean mode specified.
2009-05-16, 17:33:16, Initialized Rootkit Driver version 2.2.0.1004.
2009-05-16, 17:33:16, Running scanner "C:\dce\TSC.BIN"...
2009-05-16, 17:33:36, Scanner "C:\dce\TSC.BIN" has finished running.
2009-05-16, 17:33:36, TSC Log:



2009-05-16, 17:33:36, Running scanner "C:\dce\VSCANTM.BIN"...
2009-05-16, 20:43:39, Scanner "C:\dce\VSCANTM.BIN" has finished running.
2009-05-16, 20:43:39, VSCANTM Log:

2009-05-16, 20:43:39, Files Detected:
Copyright 1990 - 2006 Trend Micro Inc.
Report Date : 5/16/2009 17:33:38
VSAPI Engine Version : 8.910-1002
VSCANTM Version : 3.00-1018 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 133 (398052/398052 Patterns) (2009/05/15) (613300)

Command Line: C:\dce\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /HIDEDCECONSOLE /C /ACTIVEACTION=5 /VSBKENC+ /HOSPITAL=.\BACKUP /LR C:\*.* /P=C:\dce\lpt$vpn.133

C:\Program Files\Qualcomm\Eudora\attach\SECURE-INFO.zip [Mal_Naix-1]
90170 files have been read.
90170 files have been checked.
90139 files have been scanned.
231830 files have been scanned. (including files in archived)
1 files containing viruses.
Found 1 viruses totally.
Maybe 0 viruses totally.
Stop At: 5/16/2009 20:43:38 3 hours 9 minutes 56 seconds (11396.13 seconds) has elapsed.(126.385 msec/file)
---------*---------*---------*---------*---------*---------*---------*---------*
2009-05-16, 20:43:39, Files Clean:
Copyright 1990 - 2006 Trend Micro Inc.
Report Date : 5/16/2009 17:33:38
VSAPI Engine Version : 8.910-1002
VSCANTM Version : 3.00-1018 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 133 (398052/398052 Patterns) (2009/05/15) (613300)

Command Line: C:\dce\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /HIDEDCECONSOLE /C /ACTIVEACTION=5 /VSBKENC+ /HOSPITAL=.\BACKUP /LR C:\*.* /P=C:\dce\lpt$vpn.133

Fail to Clean [ Mal_Naix-1]( 1) from C:\Program Files\Qualcomm\Eudora\attach\SECURE-INFO.zip
90170 files have been read.
90170 files have been checked.
90139 files have been scanned.
231830 files have been scanned. (including files in archived)
1 files containing viruses.
Found 1 viruses totally.
Maybe 0 viruses totally.
Stop At: 5/16/2009 20:43:38 3 hours 9 minutes 56 seconds (11396.13 seconds) has elapsed.(126.385 msec/file)
---------*---------*---------*---------*---------*---------*---------*---------*
2009-05-16, 20:43:39, Clean Fail:
Copyright 1990 - 2006 Trend Micro Inc.
Report Date : 5/16/2009 17:33:38
VSAPI Engine Version : 8.910-1002
VSCANTM Version : 3.00-1018 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 133 (398052/398052 Patterns) (2009/05/15) (613300)

Command Line: C:\dce\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /HIDEDCECONSOLE /C /ACTIVEACTION=5 /VSBKENC+ /HOSPITAL=.\BACKUP /LR C:\*.* /P=C:\dce\lpt$vpn.133

Fail to Clean [ Mal_Naix-1]( 1) from C:\Program Files\Qualcomm\Eudora\attach\SECURE-INFO.zip
90170 files have been read.
90170 files have been checked.
90139 files have been scanned.
231830 files have been scanned. (including files in archived)
1 files containing viruses.
Found 1 viruses totally.
Maybe 0 viruses totally.
Stop At: 5/16/2009 20:43:38 3 hours 9 minutes 56 seconds (11396.13 seconds) has elapsed.(126.385 msec/file)
---------*---------*---------*---------*---------*---------*---------*---------*
2009-05-16, 20:43:39, Running SSAPI scanner ""...
2009-05-16, 22:32:00, SSAPI Log:

SSAPI Scanner Version: 1.0.1003
SSAPI Engine Version: 5.2.1032
SSAPI Pattern Version: 7.67
SSAPI Anti-Rootkit Version: 2.2.0.1004

Spyware Scan Started: 05/16/2009 20:44:01

Detected: 0 items.

Spyware Scan Ended: 05/16/2009 22:31:59
Scan Complete. Time=6499.483398.

Edited by Maurice Naggar, 17 May 2009 - 07:04 AM.


#7 K Stanley
  • Topic Starter
  • Members
  • 8 posts

Posted 17 May 2009 - 05:29 AM

The latest MBAM log.

At this moment, the computer seems to be running better. After running the Trend Micro Sysclean Package, I don't have any wallpaper on my desktop. I went into the settings, selected the Wallpaper again, and clicked 'Apply', but it didn't show up. This might be resolved after a reboot, and it really is of no consequence. I just wanted to include the information for you.

<Edited to place log In-line ~ Maurice>
Malwarebytes' Anti-Malware 1.36
Database version: 2144
Windows 5.1.2600 Service Pack 3

5/17/2009 5:06:46 AM
mbam-log-2009-05-17 (05-06-46).txt

Scan type: Quick Scan
Objects scanned: 83355
Time elapsed: 5 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Edited by Maurice Naggar, 17 May 2009 - 07:07 AM.


#8 Maurice Naggar
    Eradicator de malware
  • Malware Response Team
  • 1,088 posts
  • Gender:Male
  • Location:USA

Posted 17 May 2009 - 08:19 AM

Hello,
Check on some key Windows services by using the services management console ( services.msc).
The following services must NOT be *Disabled* in the Startup type.
Automatic Updates
Background Intelligent Transfer Service(BITS)
Cryptographic Services
Remote Procedure Call (RPC)


You use Start button > Select RUN and type into the run box:

services.msc

and press OK.

They need to show a startup type of Manual or Automatic.

Here are the services & their Startup types:

Automatic Updates . . . . . . . . . . . . . . . . . Automatic
Background Intelligent Transfer Service(BITS) . . . Manual
Cryptographic Services . . . . . . . . . . . . . . .Automatic
Remote Procedure Call (RPC). . . . . . . . . . . . .Automatic
System Restore Service . . . . . . . . . . . . . . .Automatic

Tell me how yours are showing.

=
Your initial post mentioned BITS was missing, and also you were getting "page not found" when attempting Windows Update website.
Is this still an issue?
and if so, did you use the Internet Explorer browser?

=
The MBAM scan found nothing. And I believe the Sysclean just tagged 1 zip file from 1 email attachment in Eudora. I won't be concerned about that one; except to advise that you always Save zip files to your system, and only then, scan with AV, and then if clean result - then open the zip and proceed.

Your Java runtime needs cleanup and update:
Uninstall jre1.4 (or any earlier) + any other (JRE Runtime Environment) Sun Java package via Add/Remove Programs.
If you see any other Java versions there,
such as
J2SE Runtime Environment 5.0
Java SE Runtime Environment
Java 6


uninstall all of them. After uninstalling, reboot if directed to do so.

In Windows Explorer, navigate to and delete C:\Program Files\Java <= this folder, if found. Do NOT delete C:\Program Files\JavaVM <= this folder, if found!
Open an IE window and go to http://java.sun.com/javase/downloads/index.jsp
> In top of the page (first in the list), click on the Download button to the right of Java Runtime Environment (JRE) 6 Update 13
> If Information Bar pop-ups up, right-click on it and say it's OK to display the blocked content; You do not have to install the Java Web Start ActiveX Control
> Accept the license agreement
> Click on Windows Offline Installation, Multi-language and Save the file to your desktop; do not Run it.

When the download is complete, close all browser windows and double-click on the saved file to install the update.
  • Tip: Choose Custom install to select only the part(s) you need/want.
Delete the downloaded installation file after completing the above procedure and reboot if prompted to do so.

If you were /not/ prompted to reboot, please do so now.

To test your Java Run-time, you may go to this page http://www.javatester.org/version.html
When all is well, you should see Java Version: 1.6.0_13 from Sun Microsystems Inc.
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#9 K Stanley
  • Topic Starter
  • Members
  • 8 posts

Posted 17 May 2009 - 08:58 AM

The services are running correctly. I had discovered the problem and resolved it before anyone had responded to my post. Whatever virus I had changed my registry settings on the Automatic Updates and BITS to read /fystem.... instead of /system.... Once I changed the registry back, the services - with the exception of Windows Firewall - were restored.

My current services settings are as follows:
Automatic Updates . . . . . . . . . . . . . . . . . Automatic
Background Intelligent Transfer Service(BITS) . . . Manual
Cryptographic Services . . . . . . . . . . . . . . .Automatic
Remote Procedure Call (RPC). . . . . . . . . . . . .Automatic
System Restore Service . . . . . . . . . . . . . . .Automatic

I have updated Java as you have instructed.

I'm currently running the trial version of Kaspersky Anti Virus. What AV program would you recommend?

I wasn't able to enable Windows Firewall, so I have started using Zone Alarm. I'm pleased with the performance of this product, so I wasn't going to worry about the Windows Firewall feature.

I appreciate all of your help on these issues.
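As an added illustration of the checks discussed in posts #8 and #9 (this is example code written for this page, not something Maurice or Kathy posted), the PowerShell script below reads the Start value and ImagePath of the key services straight from the registry and flags any that are Disabled or whose image path no longer points at the expected svchost location, which is the kind of tampering Kathy describes (/fystem instead of /system). The service short names (wuauserv, BITS, CryptSvc, RpcSs, srservice, SharedAccess) are the standard Windows names for the services in Maurice's table plus Windows Firewall/ICS; the expected "system32\svchost" path fragment is an assumption based on a stock installation, so adjust it if your system differs.

```powershell
# Added example (not from the thread): audit startup type and ImagePath of the
# services Maurice lists, plus Windows Firewall/ICS (SharedAccess), which Kathy
# could not re-enable. Run from an elevated PowerShell prompt.
# The expected path fragment is an assumption for a stock installation.

$checks = @(
    @{ Name = 'wuauserv';     Label = 'Automatic Updates' },
    @{ Name = 'BITS';         Label = 'Background Intelligent Transfer Service' },
    @{ Name = 'CryptSvc';     Label = 'Cryptographic Services' },
    @{ Name = 'RpcSs';        Label = 'Remote Procedure Call (RPC)' },
    @{ Name = 'srservice';    Label = 'System Restore Service (XP only)' },
    @{ Name = 'SharedAccess'; Label = 'Windows Firewall/Internet Connection Sharing' }
)

# Start values under HKLM\SYSTEM\CurrentControlSet\Services\<name>:
# 2 = Automatic, 3 = Manual, 4 = Disabled (0/1 are boot/system drivers).
$startNames   = @{ 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }
$allowedStart = @(2, 3)
# All of these services are hosted by svchost on a stock system (assumption);
# on XP the RpcSs ImagePath omits the ".exe", so match on the shorter fragment.
$expectedPathFragment = 'system32\svchost'

foreach ($c in $checks) {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$($c.Name)"
    if (-not (Test-Path $key)) {
        # A missing key is what "BITS is missing" looks like in the registry
        # (srservice is legitimately absent on Vista and later).
        Write-Output ("MISSING  {0,-48} no registry key at {1}" -f $c.Label, $key)
        continue
    }

    $props = Get-ItemProperty -Path $key
    $start = [int]$props.Start
    $image = [string]$props.ImagePath
    $startText = if ($startNames.ContainsKey($start)) { $startNames[$start] } else { "Start=$start" }

    $problems = @()
    if ($allowedStart -notcontains $start) {
        $problems += "startup type is $startText"
    }
    # -match is a case-insensitive regex test; Escape handles the backslashes.
    # A tampered path such as "\fystem32\svchost" fails this check.
    if ($image -notmatch [regex]::Escape($expectedPathFragment)) {
        $problems += "unexpected ImagePath '$image'"
    }

    if ($problems.Count -eq 0) {
        Write-Output ("OK       {0,-48} {1}" -f $c.Label, $startText)
    } else {
        Write-Output ("CHECK    {0,-48} {1}" -f $c.Label, ($problems -join '; '))
    }
}
```

Lines marked CHECK or MISSING are the ones worth comparing against the services.msc view Maurice asks for; the script reports only and changes nothing, so any correction is still a deliberate edit in services.msc or regedit as Kathy did.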

#10 Maurice Naggar
    Eradicator de malware
  • Malware Response Team
  • 1,088 posts
  • Gender:Male
  • Location:USA

Posted 17 May 2009 - 09:23 AM

Congratulations on fixing the Windows Update issue. Did you use Regedit?

I am glad you told me that you'd fixed that. Plus also it tells us how/where the malware messed with the services.

On AV, Kaspersky is a fine product. See how it works out for you. For other AV, Avira has gotten high praise in the past year or so. I'd also recommend NOD32 (even if I were not getting it free as an MS MVP).

Since the issues are resolved, we'll proceed with cleanup of tools.
You may revert the Windows Explorer folder view options back to where they were. Most likely the default.

If you use the ZoneAlarm firewall, then you do not want (ever) a 2nd firewall; Windows Firewall should be off.

I think I had you rename MBAM.exe to Alpa.exe.
If so, rename it back to MBAM.exe.

Unless you have purchased Malwarebytes' Anti Malware {MBAM}, you need to un-install it. Go to Control Panel and Add-or-Remove programs.
Look for it and click the line for it. Select Change/Remove to de-install it.
OK & Exit out of Control Panel

I see that you are clear of your original issues.
If you have a problem with these steps, or something does not quite work here, do let me know.

The following few steps will remove tools we used; followed by advice on staying safer.

We have to remove Combofix and all its associated folders. By whichever name you named it (you had named it combo-fix), put that name in the RUN box stated just below.
The "/u" in the Run line below is to start Combofix for its cleanup & removal function.
Note there is one space after x and before the slash.
The utility must be removed to prevent any un-intentional or accidental usage, PLUS, to free up much space on your hard disk.
  • Click Start, then click Run.
  • In the command box that opens, type or copy/paste combo-fix /u and then click OK.
  • Download OTListIt by OldTimer to your desktop: http://oldtimer.geekstogo.com/OTListIt2.exe
  • Please double-click OTListIt2.exe to run it.
  • Click on the CleanUp! button. When you do this a text file named cleanup.txt will be downloaded from the internet. If you get a warning from your firewall or other security programs regarding OTListIt2 attempting to contact the internet you should allow it to do so. After the list has been downloaded you'll be asked if you want to Begin cleanup process? Select Yes.
  • This step removes the files, folders, and shortcuts created by the tools I had you download and run.

Edited by Maurice Naggar, 17 May 2009 - 09:27 AM.

~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#11 K Stanley
  • Topic Starter
  • Members
  • 8 posts

Posted 17 May 2009 - 10:17 AM

Maurice,

Yes, I used regedit to make the registry corrections.

I have finished the clean up, and downloaded the recommended products. I appreciate all of the assistance you've given me with these problems.

Thanks again,

Kathy

#12 Maurice Naggar
    Eradicator de malware
  • Malware Response Team
  • 1,088 posts
  • Gender:Male
  • Location:USA

Posted 17 May 2009 - 12:09 PM

Kathy,

You are most welcome. Your info much appreciated. All the best to you.
I'll now close this thread.
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)



