Author Topic: Browsing, Downloading Issues (Read 3797 times)

kota123 · « **on:** October 13, 2009, 05:32:45 AM »

I cannot seem to update any programs or download and install new programs. For example (i) I tried to install AVG Free, but when I run the .exe file, it says it cannot detect an internet connection; (ii) I try to go to my emial page on Comcast, it tells me there are security certificate issues; (iii) I tried to download HiJackThis Installer from your pinned topic, it could not open the page; (iv) I hit the Update button in Malwarebytes, I get an Error message, etc., etc.

HiJackThis Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:02:25 AM, on 1/1/2002
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\CTSvcCDA.EXE
D:\Program Files\Network Associates\VirusScan\Mcshield.exe
D:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
D:\WINDOWS\system32\HPZipm12.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Viewpoint\Common\ViewpointService.exe
D:\WINDOWS\system32\MsPMSPSv.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\DllHost.exe
D:\WINDOWS\system32\wscntfy.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "D:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] D:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] D:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O8 - Extra context menu item: &Windows Live Search - res://D:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: &Yahoo! Search - file:///D:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Open in new background tab - res://D:\Program Files\Windows Live Toolbar\Components\en-in\msntabres.dll.mui/229?bd5c537a7d664a57afed0ed06658bb63
O8 - Extra context menu item: Open in new foreground tab - res://D:\Program Files\Windows Live Toolbar\Components\en-in\msntabres.dll.mui/230?bd5c537a7d664a57afed0ed06658bb63
O8 - Extra context menu item: Yahoo! &Dictionary - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///D:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///D:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1202570621154
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1202570594275
O17 - HKLM\System\CCS\Services\Tcpip\..\{B3EDBC60-91DF-486C-9929-938433EAA145}: NameServer = 218.248.255.194 218.248.255.162
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - D:\WINDOWS\system32\CTSvcCDA.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - D:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - D:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - D:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Pml Driver HPZ12 - HP - D:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - D:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 4835 bytes

Can you please help. Thanks.

guestolo · « **Reply #1 on:** October 13, 2009, 08:39:38 AM »

Quote

I tried to install AVG Free, but when I run the .exe file, it says it cannot detect an internet connection

I see McAfee installed, were you planning on removing it, is it outdated?
I see remnants of Symantec's installed, did you recently uninstall it, or had it installed a while ago and have since removed it?
How long have you had McAfee installed?

Can you do the following
Please supply an uninstall list from Hijackthis
Open Hijackthis>>Open MISC TOOLS SECTION>>Open UNINSTALL MANAGER
Click the SAVE LIST... button
Save the list to your desktop then copy>>Paste back here the Whole contents

In addition: If possible, can you also supply the following
Download and Save to your desktop
[color=\"#FF0000\"]OTS.exe[/color] by OldTimer

Double click on OTS.exe to run it
Under Additional Scans click the button labelled "Extras"
Also, put a tick beside>> Reg - Disabled MS Config Items
So now all the following will be ticked

Afterwards: Click the button [color=\"#0000FF\"]Run Scan[/color]

Let this scan finish, when done, it will open a log
Can you copy and paste that log back here please
A copy of the log will also be on your desktop>>OTS.txt

NOTE: If you do get an error posting this log, please Upload it in a reply
Simply using the (Browse..) navigate to the file and select it, then click on the (UPLOAD) button
on the bottom right of the reply box

kota123 · « **Reply #2 on:** October 13, 2009, 10:05:17 AM »

Thanks for replying.

McAfee and Symantec are both old and outdated, but I don't know if they were ever uninstalled.

Uninstall List Log:

Ad-Aware SE Personal
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Download Manager
Adobe Flash Player ActiveX
Adobe Reader 8.1.2
Adobe Shockwave Player
AIM 6
ArcSoft Panorama Maker 3
Autodesk Design Review
Avance AC'97 Audio
Creative Jukebox Driver
Creative MediaSource
Creative NOMAD Jukebox Zen Xtra
Creative Removable Disk Manager
Creative System Information
Creative Zen Vision M
F-22 Raptor Demo
GdiplusUpgrade
Google Video Player
HijackThis 2.0.2
HP Extended Capabilities 4.7
HP Image Zone 4.7
HP PSC & OfficeJet 4.7
HP Software Update
J2SE Runtime Environment 5.0 Update 3
jetAudio
LimeWire PRO 4.12.3
LiveReg (Symantec Corporation)
Macromedia Flash Player 8
Malwarebytes' Anti-Malware
McAfee VirusScan Enterprise
Microsoft .NET Framework 1.1
Microsoft Office 2000 Premium
Mozilla Firefox (3.5.3)
MSN
MSXML 4.0 SP2 (KB927978)
Nero - Burning Rom
Nikon Message Center
PictureProject
QuickTime
QuickTime for Windows (32-bit)
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Skype 2.5
Smart Menus (Windows Live Toolbar)
Spelling Dictionaries Support For Adobe Reader 8
Spybot - Search & Destroy
Spybot - Search & Destroy 1.5.2.20
Tabbed Browsing (Windows Live Toolbar)
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
VideoLAN VLC media player 0.8.5
Viewpoint Media Player
Windows Installer 3.1 (KB893803)
Windows Live Sign-in Assistant
Windows Live Toolbar
Windows Live Toolbar
Windows Live Toolbar Extension (Windows Live Toolbar)
Windows Live Toolbar Feed Detector (Windows Live Toolbar)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WinZip
Yahoo! extras
Yahoo! Install Manager
Yahoo! Internet Mail
Yahoo! Messenger
Yahoo! Photos Easy Upload Tool
________________________________________________

I will Upload the OTS Log in a separate reply.

As an aside, is it possible for you to email me my password to [email protected]? I have forgotten the password and I would like to access your replies from my laptop while I carry out your instructions on this desktop.

Thanks again.

kota123 · « **Reply #3 on:** October 13, 2009, 10:12:25 AM »

Uninstall List Log posted in previous Reply.

Cannot Upload OTS Log because it says the file is larger than the available space. Should I break it up into two to three files and upload it? Thanks.

guestolo · « **Reply #4 on:** October 13, 2009, 09:48:58 PM »

Sure, go ahead and break it up if you have to
OR, as I suggested in my last post

Quote

NOTE: If you do get an error posting this log, please Upload it in a reply
Simply using the (Browse..) navigate to the file and select it, then click on the (UPLOAD) button
on the bottom right of the reply box

kota123 · « **Reply #5 on:** October 13, 2009, 10:24:53 PM »

I am sorry, but I should have mentioned that it did not let me upload either...the file size was bigger than allowed capacity. Maybe I did something wrong, the OTS file is 1.7 MB. Can I email it to some address.

guestolo · « **Reply #6 on:** October 13, 2009, 10:40:46 PM »

You can go to
http://www.rapidshare.com/

It's a free service
Post a link to your download here

kota123 · « **Reply #7 on:** October 13, 2009, 10:46:02 PM »

Hope this works:

http://rapidshare.com/files/292732120/OTS1013.Txt.html

guestolo · « **Reply #8 on:** October 13, 2009, 11:21:46 PM »

I have a feeling we need to properly remove and uninstall some outdated programs

Please download the following tools
download [color=\"#0000FF\"]JavaRa[/color]

If you get this message:
Problems with the download? Please use this direct link or try another mirror.

Select the Direct link download unzip it to your Desktop.

Double click JavaRa.exe, select language
Close down all browser windows
then click Remove Older Versions.
Reboot the computer
Next, open JavaRa.exe again, and select Search For Updates.

Select Update Using Sun Java's Website --> Search, and continue the instructions for downloading and installing the latest Java version.

Afterwards,
Go to the following link
http://service1.symantec.com/SUPPORT/tsgen...&view=docid
Scroll to the bottom to STEP 3
Download and save to desktop, the NORTON REMOVAL TOOL
Follow the instructions
On the Windows desktop, double-click the Norton Removal Tool icon.
Follow the on-screen instructions.
Your computer may be restarted more than once, and you may be asked to repeat some steps after the computer restarts.

After that is done
Access your Add/Remove Programs and remove McAfee VirusScan Enterprise
Reboot after removal, then next do the following
regardless if McAfee was successfully removed or not
Download and run MCPR.exe

1. Download the removal tool from: http://download.mcafee.com/products/licens...atches/MCPR.exe
2. Click Save and save the file to your Desktop
3. Navigate to the folder where the file was saved.
4. Make sure all McAfee windows are closed.
5. Double-click MCPR.exe to run the removal tool.
6. Restart your computer after receiving the message CleanUp Successful.

Back in Windows
Go to the following link
http://kb2.adobe.com/cps/141/tn_14157.html

Download and save to desktop the uninstaller for Flash
uninstall_flash_player.exe
Once saved to desktop, again close all browser windows
Double click on the Flash uninstaller to Run it
After successfully running the uninstaller, you can manually delete it from desktop

Again, close down all browser windows
Access your Add and Remove Programs and remove the following
Viewpoint Media Player
In addition, your copies of Adaware and Spybot are outdated
Remove all the below
Ad-Aware SE Personal
Spybot - Search & Destroy
Spybot - Search & Destroy 1.5.2.20
Reboot your computer once again

Update your Flash, using Internet Explorer
go to the following link
http://www.adobe.com/products/flashplayer/

Allow ActiveX control install when prompted
DO NOT install any Toolbar related software, unless preferred
UNTICK the selection to install any

After you have updated Flash for IE
Then install Flash for Firefox
Using the Firefox browser, again go to the following link
http://www.adobe.com/products/flashplayer/
Download/save to desktop the Flash installer
Close Firefox
Run the installer to install latest flash

Come back here and Post a fresh Hijackthis log afterwards

kota123 · « **Reply #9 on:** October 14, 2009, 01:28:26 AM »

Did everything except I have a problem with accessing the websites of both Symantec and McAfee. The only thing I can think of is that both are blocked by my ISP.

HijackThis Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:43:50 PM, on 1/1/2002
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\CTSvcCDA.EXE
D:\Program Files\Java\jre6\bin\jqs.exe
D:\Program Files\Java\jre6\bin\jusched.exe
D:\WINDOWS\system32\HPZipm12.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\MsPMSPSv.exe
D:\WINDOWS\system32\wscntfy.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\WINDOWS\system32\DllHost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll (file missing)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "D:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [Uninstall Adobe Download Manager] "D:\WINDOWS\system32\rundll32.exe" "D:\Program Files\NOS\bin\getPlus_Helper.dll",Uninstall /IE2883E8F-472F-4fb0-9522-AC9BF37916A7 /Get1noarp
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] D:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] D:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O8 - Extra context menu item: &Windows Live Search - res://D:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: &Yahoo! Search - file:///D:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Open in new background tab - res://D:\Program Files\Windows Live Toolbar\Components\en-in\msntabres.dll.mui/229?bd5c537a7d664a57afed0ed06658bb63
O8 - Extra context menu item: Open in new foreground tab - res://D:\Program Files\Windows Live Toolbar\Components\en-in\msntabres.dll.mui/230?bd5c537a7d664a57afed0ed06658bb63
O8 - Extra context menu item: Yahoo! &Dictionary - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///D:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///D:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1202570621154
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1202570594275
O17 - HKLM\System\CCS\Services\Tcpip\..\{B3EDBC60-91DF-486C-9929-938433EAA145}: NameServer = 218.248.255.194 218.248.255.162
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - D:\WINDOWS\system32\CTSvcCDA.EXE
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - D:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Pml Driver HPZ12 - HP - D:\WINDOWS\system32\HPZipm12.exe

--
End of file - 5048 bytes

guestolo · « **Reply #10 on:** October 14, 2009, 04:44:03 AM »

If you have an older version of ComboFix, I need you to delete it
Carry on with the following
Download ComboFix from one of these locations:

[color=\"#0000FF\"]Link 1[/color]
[color=\"#0000FF\"]Link 2[/color]
[color=\"#FF0000\"]Save it ONLY to your Desktop[/color]

--------------------------------------------------------------------
[color=\"#2E8B57\"]Temporarily Disable your AntiVirus/AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with this tool
[/color]

Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

[color=\"#2e8b57\"]**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
[/color]

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply
In your case, it may be located at D:\ComboFix.txt

NOTE: Do not mouseclick inside ComboFix window as it's running, it may cause it to stall
ComboFix will/may run again on startup, it will prompt that it's creating a log
This process could take up to 10 minutes, let it run uninterrupted please

kota123 · « **Reply #11 on:** October 14, 2009, 09:55:38 AM »

Here is the ComboFix Log. Thank you.

ComboFix 09-10-13.04 - user 10/14/2009 19:58.1.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.223.100 [GMT 5.5:30]
Running from: d:\documents and settings\user\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Installer\5351a.msi
c:\windows\Installer\c5ed.msi
d:\windows\system32\xuejsmf.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_XGMVSR
-------\Service_xgmvsr

((((((((((((((((((((((((( Files Created from 2009-09-14 to 2009-10-14 )))))))))))))))))))))))))))))))
.

2009-10-12 14:35 . 2009-10-12 14:35 -------- d-----w- D:\FOUND.028

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-14 14:37 . 2002-01-06 23:31 196 ----a-w- d:\windows\system32\drivers\ALCICH.DAT
2009-09-10 09:24 . 2001-12-31 20:46 38224 ----a-w- d:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 09:23 . 2001-12-31 20:46 19160 ----a-w- d:\windows\system32\drivers\mbam.sys
1998-12-08 13:23 . 1998-12-08 13:23 99840 ----a-w- d:\program files\Common Files\IRAABOUT.DLL
1998-12-08 13:23 . 1998-12-08 13:23 70144 ----a-w- d:\program files\Common Files\IRAMDMTR.DLL
1998-12-08 13:23 . 1998-12-08 13:23 48640 ----a-w- d:\program files\Common Files\IRALPTTR.DLL
1998-12-08 13:23 . 1998-12-08 13:23 31744 ----a-w- d:\program files\Common Files\IRAWEBTR.DLL
1998-12-08 13:23 . 1998-12-08 13:23 186368 ----a-w- d:\program files\Common Files\IRAREG.DLL
1998-12-08 13:23 . 1998-12-08 13:23 17920 ----a-w- d:\program files\Common Files\IRASRIAL.DLL
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Malwarebytes Anti-Malware (reboot)"="d:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"SunJavaUpdateSched"="d:\program files\Java\jre6\bin\jusched.exe" [2002-01-01 149280]

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=d:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=d:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=d:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=d:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=d:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=d:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=d:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=d:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=d:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=d:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^NkbMonitor.exe.lnk]
path=d:\documents and settings\All Users\Start Menu\Programs\Startup\NkbMonitor.exe.lnk
backup=d:\windows\pss\NkbMonitor.exe.lnkCommon Startup

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Symantec Fax Starter Edition Port.lnk]
path=d:\documents and settings\All Users\Start Menu\Programs\Startup\Symantec Fax Starter Edition Port.lnk
backup=d:\windows\pss\Symantec Fax Starter Edition Port.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"d:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"d:\\Program Files\\Messenger\\MSMSGS.EXE"=
"d:\\StubInstaller.exe"=
"d:\\Program Files\\LimeWire\\LimeWire.exe"=
"d:\\Program Files\\BitTorrent_DNA\\dna.exe"=
"d:\\Program Files\\BitTorrent\\bittorrent.exe"=
"d:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"d:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1157:TCP"= 1157:TCP:fkdsbmz

R3 RMSPPPOE;WAN Miniport (PPP over Ethernet Protocol);d:\windows\system32\drivers\RMSPPPOE.SYS [1/1/2002 12:09 AM 31424]
S3 npked;npked;\??\d:\windows\system32\01.tmp --> d:\windows\system32\01.tmp [?]
.
Contents of the 'Scheduled Tasks' folder

2009-10-14 d:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- d:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-02-12 10:24]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: &Windows Live Search - d:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: &Yahoo! Search - file:///d:\program files\Yahoo!\Common/ycsrch.htm
IE: Open in new background tab - d:\program files\Windows Live Toolbar\Components\en-in\msntabres.dll.mui/229?bd5c537a7d664a57afed0ed06658bb63
IE: Open in new foreground tab - d:\program files\Windows Live Toolbar\Components\en-in\msntabres.dll.mui/230?bd5c537a7d664a57afed0ed06658bb63
IE: Yahoo! &Dictionary - file:///d:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///d:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///d:\program files\Yahoo!\Common/ycsms.htm
TCP: {B3EDBC60-91DF-486C-9929-938433EAA145} = 218.248.255.194 218.248.255.162
FF - ProfilePath - d:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\7boyuqg7.default\
FF - plugin: d:\program files\BitTorrent_DNA\npbtdna.dll
FF - plugin: d:\program files\Mozilla Firefox\plugins\npbittorrent.dll
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Aim6 - (no file)
HKU-Default-Run-ALUAlert - d:\program files\Symantec\LiveUpdate\ALUNotify.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-14 20:08
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\npked]
"ImagePath"="\??\d:\windows\system32\01.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
------------------------ Other Running Processes ------------------------
.
d:\windows\SYSTEM32\CTSVCCDA.EXE
d:\program files\JAVA\JRE6\BIN\JQS.EXE
d:\windows\SYSTEM32\HPZIPM12.EXE
d:\windows\SYSTEM32\WDFMGR.EXE
d:\windows\SYSTEM32\MSPMSPSV.EXE
d:\windows\SYSTEM32\WSCNTFY.EXE
.
**************************************************************************
.
Completion time: 2009-10-14 20:11 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-14 14:41

Pre-Run: 11,188,273,152 bytes free
Post-Run: 11,068,473,344 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
C:\ = "Microsoft Windows"

147

kota123 · « **Reply #12 on:** October 14, 2009, 05:14:35 PM »

Also, since I ran ComboFix, I get the message "Generic Host Process for Win 32 Services has encountered problems and needs to close" every time about 15 minutes after I start the computer and everything slows down. I also lose my internet connection.

guestolo · « **Reply #13 on:** October 14, 2009, 08:22:59 PM »

Copy ALL the BLUE text below and Paste to notepad
Don't use anything else than notepad or the script will not work

[color=\"#0000FF\"]KillAll::
Driver::
npked

File::
d:\windows\system32\01.tmp

Registry::
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\npked]
"ImagePath"=-
[-HKEY_LOCAL_MACHINE\System\ControlSet002\Services\npked]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1157:TCP"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"d:\\StubInstaller.exe"=-
[-HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Symantec Fax Starter Edition Port.lnk]
NetSvc::

[/color]
Save this as txtfile on your desktop, with the exact name of
CFScript

Drag CFScript.txt into ComboFix.exe
Combofix will start>>Follow the prompts
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

When finished, it shall produce a log for you with the same name C:\ComboFix.txt..
Can I see that log again

kota123 · « **Reply #14 on:** October 15, 2009, 12:13:02 AM »

ComboFix Log:

ComboFix 09-10-13.04 - user 10/15/2009 10:16.2.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.223.97 [GMT 5.5:30]
Running from: d:\documents and settings\user\Desktop\ComboFix.exe
Command switches used :: d:\documents and settings\user\Desktop\CFScript.txt

FILE ::
"d:\windows\system32\01.tmp"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

d:\documents and settings\All Users\WindowsLive.exe
d:\documents and settings\user\Application Data\WindowsLive.exe
d:\windows\Fonts\unwise_.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_WINDOWS_HOSTS_CONTROLLER
-------\Service_Windows Hosts Controller

((((((((((((((((((((((((( Files Created from 2009-09-15 to 2009-10-15 )))))))))))))))))))))))))))))))
.

2009-10-14 16:52 . 2009-10-14 16:52 -------- d-----w- d:\documents and settings\user\Application Data\MozillaControl
2009-10-14 16:52 . 2009-10-14 16:52 141454 ----a-w- d:\windows\system32\man8.exe
2009-10-14 15:02 . 2009-10-14 15:03 1050713 ----a-w- d:\windows\system32\rss.exe
2009-10-12 14:35 . 2009-10-12 14:35 -------- d-----w- D:\FOUND.028

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-15 04:54 . 2002-01-06 23:31 196 ----a-w- d:\windows\system32\drivers\ALCICH.DAT
2009-09-10 09:24 . 2001-12-31 20:46 38224 ----a-w- d:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 09:23 . 2001-12-31 20:46 19160 ----a-w- d:\windows\system32\drivers\mbam.sys
1998-12-08 13:23 . 1998-12-08 13:23 99840 ----a-w- d:\program files\Common Files\IRAABOUT.DLL
1998-12-08 13:23 . 1998-12-08 13:23 70144 ----a-w- d:\program files\Common Files\IRAMDMTR.DLL
1998-12-08 13:23 . 1998-12-08 13:23 48640 ----a-w- d:\program files\Common Files\IRALPTTR.DLL
1998-12-08 13:23 . 1998-12-08 13:23 31744 ----a-w- d:\program files\Common Files\IRAWEBTR.DLL
1998-12-08 13:23 . 1998-12-08 13:23 186368 ----a-w- d:\program files\Common Files\IRAREG.DLL
1998-12-08 13:23 . 1998-12-08 13:23 17920 ----a-w- d:\program files\Common Files\IRASRIAL.DLL
.

((((((((((((((((((((((((((((( SnapShot@2009-10-14_14.38.48 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-10-15 04:55 . 2009-10-15 04:55 16384 d:\windows\temp\Perflib_Perfdata_548.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Malwarebytes Anti-Malware (reboot)"="d:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"SunJavaUpdateSched"="d:\program files\Java\jre6\bin\jusched.exe" [2002-01-01 149280]

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=d:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=d:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=d:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=d:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=d:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=d:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=d:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=d:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=d:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=d:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^NkbMonitor.exe.lnk]
path=d:\documents and settings\All Users\Start Menu\Programs\Startup\NkbMonitor.exe.lnk
backup=d:\windows\pss\NkbMonitor.exe.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"d:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"d:\\Program Files\\Messenger\\MSMSGS.EXE"=
"d:\\Program Files\\LimeWire\\LimeWire.exe"=
"d:\\Program Files\\BitTorrent_DNA\\dna.exe"=
"d:\\Program Files\\BitTorrent\\bittorrent.exe"=
"d:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"d:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9999:TCP"= 9999:TCP:PORT1
"1013:TCP"= 1013:TCP:BS
"55322:TCP"= 55322:TCP:FD
"9991:TCP"= 9991:TCP:PORT2
"58311:TCP"= 58311:TCP:FD
"56500:TCP"= 56500:TCP:FD
"36203:TCP"= 36203:TCP:FD
"60715:TCP"= 60715:TCP:FD

R3 RMSPPPOE;WAN Miniport (PPP over Ethernet Protocol);d:\windows\system32\drivers\RMSPPPOE.SYS [1/1/2002 12:09 AM 31424]
.
Contents of the 'Scheduled Tasks' folder

2009-10-15 d:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- d:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-02-12 10:24]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: &Windows Live Search - d:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: &Yahoo! Search - file:///d:\program files\Yahoo!\Common/ycsrch.htm
IE: Open in new background tab - d:\program files\Windows Live Toolbar\Components\en-in\msntabres.dll.mui/229?bd5c537a7d664a57afed0ed06658bb63
IE: Open in new foreground tab - d:\program files\Windows Live Toolbar\Components\en-in\msntabres.dll.mui/230?bd5c537a7d664a57afed0ed06658bb63
IE: Yahoo! &Dictionary - file:///d:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///d:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///d:\program files\Yahoo!\Common/ycsms.htm
TCP: {B3EDBC60-91DF-486C-9929-938433EAA145} = 218.248.255.194 218.248.255.162
FF - ProfilePath - d:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\7boyuqg7.default\
FF - plugin: d:\program files\BitTorrent_DNA\npbtdna.dll
FF - plugin: d:\program files\Mozilla Firefox\plugins\npbittorrent.dll
.
- - - - ORPHANS REMOVED - - - -

HKU-Default-Run-Windows Live - d:\documents and settings\All Users\WindowsLive.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-15 10:25
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
------------------------ Other Running Processes ------------------------
.
d:\windows\SYSTEM32\CTSVCCDA.EXE
d:\program files\JAVA\JRE6\BIN\JQS.EXE
d:\windows\SYSTEM32\HPZIPM12.EXE
d:\windows\SYSTEM32\WDFMGR.EXE
d:\windows\SYSTEM32\MSPMSPSV.EXE
.
**************************************************************************
.
Completion time: 2009-10-15 10:28 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-15 04:58

Pre-Run: 11,133,091,840 bytes free
Post-Run: 11,115,757,568 bytes free

149

Thanks. Today, small windows have started opening up. One of these said "Operation timed out when attemting to contact linkbee.com"

kota123 · « **Reply #15 on:** October 15, 2009, 12:44:01 AM »

I lose my internet connection a few minutes after starting my computer. I have to restart the computer to get the connection back.

guestolo · « **Reply #16 on:** October 15, 2009, 09:51:16 AM »

Your still infected, can you please do the following
Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

Doubleclick the drweb-cureit.exe file and click Scan to run express scan. Click OK in pop-up window to allow scan.
This will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
Once the short scan has finished, select Complete scan.
Click the green arrow at the right, and the scan will start.
Click Yes to all if it asks if you want to cure/move the file.
When the scan has finished, in the menu, click File and choose Save report list
Save the report to your desktop. The report will be called DrWeb.csv
Close Dr.Web Cureit.
Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
Copy and paste that log in the next reply. You can use Notepad to open the DrWeb.cvs report.

NOTE. During the scan, pop-up window will open asking for full version purchase. Simply close the window by clicking on X in upper right corner.

In addition:
Win32kDiag:

Please save this [color=\"#0000FF\"]file[/color] to your desktop. Double-click on it to run a scan. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.

kota123 · « **Reply #17 on:** October 16, 2009, 02:14:21 PM »

When I ran Dr.WebCureIt the first time, we had a power cut here in the middle of the Complete Scan. In the current memory scan, it found a virus and deleted it, but I don't remember the name. After we got the power, I ran Dr.WebCureIt again, and also Win32kDiag. Following is the log from the second scan.

Dr.WebCureIt Log

A0006383.DLL;D:\System Volume Information\_restore{B6D9DB89-3E45-45EF-BC98-EBD679773278}\RP7;Win32.HLLW.Autoruner.5555;Deleted.;
A0007625.exe;D:\System Volume Information\_restore{B6D9DB89-3E45-45EF-BC98-EBD679773278}\RP7;Win32.HLLW.Piabot.4;Deleted.;
A0008643.exe;D:\System Volume Information\_restore{B6D9DB89-3E45-45EF-BC98-EBD679773278}\RP7;Win32.HLLW.Piabot.4;Deleted.;
WrapperOuter1154.EXE;D:\Backup of old c\My Documents\My Pictures;Adware.VirtualBouncer;;
WrapperOuter1154.EXE;D:\Backup of old c\data of c\My Documents\My Pictures;Adware.VirtualBouncer;;
casinonet.exe\data010;D:\Backup of old d\Documents and Settings\S K Jolly\Local Settings\Temp\casinonet.exe;Program.PrcView.3725;;
casinonet.exe;D:\Backup of old d\Documents and Settings\S K Jolly\Local Settings\Temp;Archive contains infected objects;Moved.;
VCD_PLAY.EXE.Vir;D:\quarantine;Win32.Parite.2;Cured.;
VCD_PLAY.EXE.Vir.0;D:\quarantine;Win32.Parite.2;Cured.;
xuejsmf.dll.vir;D:\Qoobox\Quarantine\D\WINDOWS\system32;Win32.HLLW.Autoruner.5555;Deleted.;

Win32kDiag Log:
Running from: D:\Documents and Settings\user\Desktop\Win32kDiag.exe

Log file at : D:\Documents and Settings\user\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'D:\WINDOWS'...

Finished!

_________________________________

Thanks.

guestolo · « **Reply #18 on:** October 17, 2009, 02:16:52 PM »

Ok, can you do the following please
Delete your copy of ComboFix from desktop
Then, REDownload ComboFix from one of these locations:

[color=\"#0000FF\"]Link 1[/color]
[color=\"#0000FF\"]Link 2[/color]
[color=\"#FF0000\"]Save it ONLY to your Desktop[/color]
Run ComboFix again, post it's log afterwards

kota123 · « **Reply #19 on:** October 18, 2009, 03:47:27 AM »

Re-downloaded and ran ComboFix. Upon restart, while the blue Combofix window was open, got a pop-up message saying that the Recycle bin of Drive D was corrupted. Clicked Yes to clean it up. Following is the ComboFix log:

ComboFix 09-10-16.09 - user 10/18/2009 13:31.3.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.223.103 [GMT 5.5:30]
Running from: d:\documents and settings\user\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_WINDOWS_HOSTS_CONTROLLER

((((((((((((((((((((((((( Files Created from 2009-09-18 to 2009-10-18 )))))))))))))))))))))))))))))))
.

2009-10-16 08:05 . 2009-10-16 08:05 -------- d-----w- d:\documents and settings\user\DoctorWeb
2009-10-14 16:52 . 2009-10-14 16:52 -------- d-----w- d:\documents and settings\user\Application Data\MozillaControl
2009-10-14 15:02 . 2009-10-14 15:03 1050713 ----a-w- d:\windows\system32\rss.exe
2009-10-12 14:35 . 2009-10-12 14:35 -------- d-----w- D:\FOUND.028

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-18 08:09 . 2002-01-06 23:31 196 ----a-w- d:\windows\system32\drivers\ALCICH.DAT
2009-09-10 09:24 . 2001-12-31 20:46 38224 ----a-w- d:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 09:23 . 2001-12-31 20:46 19160 ----a-w- d:\windows\system32\drivers\mbam.sys
1998-12-08 13:23 . 1998-12-08 13:23 99840 ----a-w- d:\program files\Common Files\IRAABOUT.DLL
1998-12-08 13:23 . 1998-12-08 13:23 70144 ----a-w- d:\program files\Common Files\IRAMDMTR.DLL
1998-12-08 13:23 . 1998-12-08 13:23 48640 ----a-w- d:\program files\Common Files\IRALPTTR.DLL
1998-12-08 13:23 . 1998-12-08 13:23 31744 ----a-w- d:\program files\Common Files\IRAWEBTR.DLL
1998-12-08 13:23 . 1998-12-08 13:23 186368 ----a-w- d:\program files\Common Files\IRAREG.DLL
1998-12-08 13:23 . 1998-12-08 13:23 17920 ----a-w- d:\program files\Common Files\IRASRIAL.DLL
.

((((((((((((((((((((((((((((( SnapShot@2009-10-14_14.38.48 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-10-18 08:09 . 2009-10-18 08:09 16384 d:\windows\temp\Perflib_Perfdata_54c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Malwarebytes Anti-Malware (reboot)"="d:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"SunJavaUpdateSched"="d:\program files\Java\jre6\bin\jusched.exe" [2002-01-01 149280]

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=d:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=d:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=d:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=d:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=d:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=d:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=d:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=d:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=d:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=d:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^NkbMonitor.exe.lnk]
path=d:\documents and settings\All Users\Start Menu\Programs\Startup\NkbMonitor.exe.lnk
backup=d:\windows\pss\NkbMonitor.exe.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"d:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"d:\\Program Files\\Messenger\\MSMSGS.EXE"=
"d:\\Program Files\\LimeWire\\LimeWire.exe"=
"d:\\Program Files\\BitTorrent_DNA\\dna.exe"=
"d:\\Program Files\\BitTorrent\\bittorrent.exe"=
"d:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"d:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9999:TCP"= 9999:TCP:PORT1
"1013:TCP"= 1013:TCP:BS
"55322:TCP"= 55322:TCP:FD
"9991:TCP"= 9991:TCP:PORT2
"58311:TCP"= 58311:TCP:FD
"56500:TCP"= 56500:TCP:FD
"36203:TCP"= 36203:TCP:FD
"60715:TCP"= 60715:TCP:FD
"50170:TCP"= 50170:TCP:FD
"53233:TCP"= 53233:TCP:FD
"30525:TCP"= 30525:TCP:FD
"19776:TCP"= 19776:TCP:FD
"53896:TCP"= 53896:TCP:FD
"9892:TCP"= 9892:TCP:FD

R3 RMSPPPOE;WAN Miniport (PPP over Ethernet Protocol);d:\windows\system32\drivers\RMSPPPOE.SYS [1/1/2002 12:09 AM 31424]
.
Contents of the 'Scheduled Tasks' folder

2009-10-16 d:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- d:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-02-12 10:24]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: &Windows Live Search - d:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: &Yahoo! Search - file:///d:\program files\Yahoo!\Common/ycsrch.htm
IE: Open in new background tab - d:\program files\Windows Live Toolbar\Components\en-in\msntabres.dll.mui/229?bd5c537a7d664a57afed0ed06658bb63
IE: Open in new foreground tab - d:\program files\Windows Live Toolbar\Components\en-in\msntabres.dll.mui/230?bd5c537a7d664a57afed0ed06658bb63
IE: Yahoo! &Dictionary - file:///d:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///d:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///d:\program files\Yahoo!\Common/ycsms.htm
TCP: {B3EDBC60-91DF-486C-9929-938433EAA145} = 218.248.255.194 218.248.255.162
FF - ProfilePath - d:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\7boyuqg7.default\
FF - plugin: d:\program files\BitTorrent_DNA\npbtdna.dll
FF - plugin: d:\program files\Mozilla Firefox\plugins\npbittorrent.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-18 13:40
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
d:\windows\SYSTEM32\CTSVCCDA.EXE
d:\program files\JAVA\JRE6\BIN\JQS.EXE
d:\windows\SYSTEM32\HPZIPM12.EXE
d:\windows\SYSTEM32\WDFMGR.EXE
d:\windows\SYSTEM32\MSPMSPSV.EXE
.
**************************************************************************
.
Completion time: 2009-10-18 13:44 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-18 08:14
ComboFix2.txt 2009-10-15 04:59

Pre-Run: 11,011,719,168 bytes free
Post-Run: 11,020,206,080 bytes free

138

News:

Author Topic: Browsing, Downloading Issues (Read 3797 times)