
Author Topic: Unusual Malware Infection  (Read 12004 times)


Frazzled

    Topic Starter


    Beginner

    • Experience: Beginner
    • OS: Unknown
    Unusual Malware Infection
    « on: November 06, 2010, 10:43:18 PM »
    Two days ago, my Dell Dimension (2.0 GHz, 2.0 gig RAM, default video, running Windows XP SP3) went down. I was running AVG Free and am connected to the internet via a USB-connected wireless card. After the infection, AVG was disabled, as well as Microsoft's Firewall, and I cannot connect to the internet.
    I uninstalled AVG, thinking the corruption might be causing me to not be able to connect. I started by running scans using SAS, M-Bam, and SpyBot S&D to no avail.
    I proceeded to try and get internet connectivity and re-enable the firewall using the following. Oh, and all of my system restore points were corrupted and will not work.
    I tried the following:

    winsock fix
    lsp fix
    sharedaccess.reg
    root repeal
    ipconfig generates "an internal error occurred, request is not supported".
    Tried netsh firewall reset
    netsh winsock reset
    and finally if I try to manually start the Windows ICS firewall service I receive an error 2, cannot find file specified.
      Please bear with me as I cannot connect to the internet and must use a friend's machine. All programs to run/update must be done via flash drive.

    Dr Web found and quarantined a file called Backdoor.Tdss.2459

    The requested logs follow below:

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 11/06/2010 at 06:35 PM

    Application Version : 4.45.1000

    Core Rules Database Version : 5820
    Trace Rules Database Version: 3632

    Scan type       : Complete Scan
    Total Scan Time : 00:40:13

    Memory items scanned      : 395
    Memory threats detected   : 0
    Registry items scanned    : 6594
    Registry threats detected : 0
    File items scanned        : 31522
    File threats detected     : 1

    Trojan.Agent/Gen
       C:\WINDOWS\MBR.EXE

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 5009

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 6.0.2900.5512

    11/6/2010 2:07:29 PM
    mbam-log-2010-11-06 (14-07-29).txt

    Scan type: Full scan (C:\|E:\|)
    Objects scanned: 219988
    Time elapsed: 49 minute(s), 32 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\Documents and Settings\Rudy\My Documents\My Received Files\peoplesearch.exe (Trojan.FakePlayer) -> Quarantined and deleted successfully.

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 2:17:13 PM, on 11/6/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\WINDOWS\SYSTEM32\astsrv.exe
    C:\Program Files\eBoostr\EBstrSvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydial/*http://www.yahoo.com/search/ie.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydial/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
    O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O9 - Extra button: Show or hide HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O16 - DPF: {FB298ECE-4D17-414A-A5E8-FABC938796B2} (ActiveWebParts Illustration Viewer) - http://www.kohlerplus.com/_bin/AWSDrawingViewer.cab
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: AST Service (astcc) -  Advanced Software Technologies - C:\WINDOWS\SYSTEM32\astsrv.exe
    O23 - Service: eBoostr Service (EBOOSTRSVC) - eBoostr.com - C:\Program Files\eBoostr\EBstrSvc.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

    --
    End of file - 4110 bytes

    Thank you for your help.

    SuperDave

    • Malware Removal Specialist


    • Genius
    • Thanked: 1020
    • Certifications: List
    • Experience: Expert
    • OS: Windows 10
    Re: Unusual Malware Infection
    « Reply #1 on: November 09, 2010, 01:31:47 PM »
    Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer. I am working under the guidance of one of the specialists of this forum so it may take a bit longer to process your logs.

    1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
    2. The fixes are specific to your problem and should only be used for this issue on this machine.
    3. If you don't know or understand something, please don't hesitate to ask.
    4. Please DO NOT run any other tools or scans while I am helping you.
    5. It is important that you reply to this thread. Do not start a new topic.
    6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
    7. Absence of symptoms does not mean that everything is clear.

    If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.

    Before we continue download and install a free antivirus.

    Remember to only install one antivirus!
     
    1) Avast! Home Edition
    2) AVG Free Edition
    3) Avira AntiVir Personal
    4) Microsoft Security Essentials for Windows Vista\Windows 7 - 64 bit Download
    4-a) Microsoft Security Essentials for Windows XP
    5) Comodo Antivirus (Uncheck during installation "Install Comodo SafeSurf..", Make Comodo my default search provider" and "Make Comodo Search my homepage" if you choose this one)
    6) PC Tools AntiVirus Free Edition

    It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts. If you choose to install more than one antivirus program on your computer, then only one of them should be active in memory at a time.
    ******************************************

    Have you tried hardwiring the computer to the modem? Did you try resetting the modem? Disconnect the power for more than 10 secs and then reconnect.
    ******************************

    Please navigate to Start>Run and type cmd

    in the window that pops up type ipconfig /flushdns

    *****************************************
    Please run Notepad (start > All Programs > Accessories >
    Notepad) and copy and paste the text in the code box into a new file:

    Code:
    @echo off
    >Log1.txt (
    ipconfig /all
    nslookup google.com
    nslookup yahoo.com
    ping -n 2 google.com
    ping -n 2 yahoo.com
    route print
    )
    start Log1.txt
    del %0

    •Go to the File menu at the top of the Notepad and select Save as.

    •Select save in: desktop

    •Fill in File name: test.bat

    •Save as type: All file types (*.*)

    •Click save.

    •Close the Notepad.

    •Locate and double-click test.bat on the desktop.

    •A Notepad window opens; copy and paste its content (log1.txt) into your reply.
    *************************************

    Windows 8 and Windows 10 dual boot with two SSD's

    Frazzled

      Topic Starter


      Beginner

      • Experience: Beginner
      • OS: Unknown
      Re: Unusual Malware Infection
      « Reply #2 on: November 10, 2010, 10:37:38 PM »
      Thank you Dave,
      Since I am not at the infected computer, I will do this Thurs AM and report the results to you.

      Frazzled

        Topic Starter


        Beginner

        • Experience: Beginner
        • OS: Unknown
        Re: Unusual Malware Infection
        « Reply #3 on: November 11, 2010, 08:00:47 AM »
        Good morning dave,
        OK, I installed Microsoft Security Essentials but it will not update and in the console it shows real-time protection is OFF.

        The flush dns command gave the following:
        An internal error occurred: The request is not supported. Unable to query host name

        Here is the test.bat log results

        Windows IP Configuration



        An internal error occurred: The request is not supported.

         

        Please contact Microsoft Product Support Services for further help.



        Additional information: Unable to query host name.

        Server:  UnKnown
        Address:  127.0.0.1

        Server:  UnKnown
        Address:  127.0.0.1

        Ping request could not find host google.com. Please check the name and try again.

        Ping request could not find host yahoo.com. Please check the name and try again.
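        The Log1.txt output above has a recognisable shape: ipconfig aborts with an internal error, nslookup reports that it is asking 127.0.0.1 (the machine itself) rather than the router, and both pings fail before a packet is sent. As an added example, not part of the thread or of any tool named in it, this Python script triages a Log1.txt capture and reports those symptoms; the failing sample is the output posted in Reply #3, and the healthy sample (host name, router name, addresses) is constructed for comparison.

```python
"""Triage the Log1.txt produced by the thread's test.bat (ipconfig /all,
nslookup, ping, route print) and flag the symptoms a helper looks for.
Added example; the regexes target the English Windows XP message text."""
import re
from dataclasses import dataclass

# Failing capture: the text Frazzled posted in Reply #3.
SAMPLE_LOG = """\
Windows IP Configuration

An internal error occurred: The request is not supported.

Please contact Microsoft Product Support Services for further help.

Additional information: Unable to query host name.

Server:  UnKnown
Address:  127.0.0.1

Server:  UnKnown
Address:  127.0.0.1

Ping request could not find host google.com. Please check the name and try again.

Ping request could not find host yahoo.com. Please check the name and try again.
"""

# Constructed healthy capture for comparison (names and addresses made up;
# 203.0.113.0/24 is a documentation range, not a real host).
HEALTHY_LOG = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : DELL-XP

Ethernet adapter Wireless Network Connection:

        DNS Servers . . . . . . . . . . . : 192.168.1.1

Server:  router.home
Address:  192.168.1.1

Non-authoritative answer:
Name:    google.com
Address:  203.0.113.5

Pinging google.com [203.0.113.5] with 32 bytes of data:
Reply from 203.0.113.5: bytes=32 time=20ms TTL=54
"""

# ipconfig dies before printing adapters when the IP helper/Winsock stack is damaged.
IPCONFIG_ERROR_RE = re.compile(
    r"An internal error occurred|The request is not supported|Unable to query host name")
# "DNS Servers . . . : a.b.c.d" lines from a working ipconfig /all.
CONFIGURED_DNS_RE = re.compile(r"DNS Servers[ .]*:\s*(\d{1,3}(?:\.\d{1,3}){3})")
# nslookup's "Server:/Address:" header names the resolver it actually queried
# (answer records print as "Name:/Address:", so they are not matched here).
RESOLVER_RE = re.compile(r"^Server:\s+(\S+)\s+Address:\s+(\S+)", re.M)
# ping gives up before sending anything when the name cannot be resolved.
PING_FAIL_RE = re.compile(r"Ping request could not find host (\S+)\. Please check")


def is_loopback(ip: str) -> bool:
    return ip.startswith("127.")


@dataclass
class Triage:
    ipconfig_error: bool
    configured_dns: list   # DNS servers ipconfig says are configured
    resolvers: list        # (name, ip) pairs nslookup actually used
    unresolved_hosts: list
    findings: list


def triage_log(text: str) -> Triage:
    ipconfig_error = bool(IPCONFIG_ERROR_RE.search(text))
    configured_dns = CONFIGURED_DNS_RE.findall(text)
    resolvers = RESOLVER_RE.findall(text)
    unresolved = PING_FAIL_RE.findall(text)
    findings = []
    if ipconfig_error:
        findings.append("ipconfig aborted with an internal error: the IP helper/"
                        "Winsock stack is damaged and must be repaired before DNS "
                        "results mean anything")
    loopback = [ip for _, ip in resolvers if is_loopback(ip)]
    if loopback:
        detail = ("no DNS server is configured" if not configured_dns
                  else f"configured servers are {', '.join(configured_dns)}")
        findings.append(f"nslookup queried loopback {loopback[0]} ({detail}): "
                        "the resolver is pointed at the machine itself, so the "
                        "wireless signal is not the problem")
    if unresolved:
        findings.append("name resolution failed for: " + ", ".join(unresolved))
    return Triage(ipconfig_error, configured_dns, resolvers, unresolved, findings)


if __name__ == "__main__":
    for label, log in (("posted", SAMPLE_LOG), ("healthy", HEALTHY_LOG)):
        result = triage_log(log)
        print(f"{label}: {len(result.findings)} finding(s)")
        for line in result.findings:
            print("  -", line)
```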


        SuperDave

        • Malware Removal Specialist


        • Genius
        • Thanked: 1020
        • Certifications: List
        • Experience: Expert
        • OS: Windows 10
        Re: Unusual Malware Infection
        « Reply #4 on: November 12, 2010, 01:22:19 PM »
        Ok. The signal is not getting through. Are you using wireless or is your computer hardwired to the modem?
        If wireless, please try hardwiring it to the modem and run the ping test again.
        Did you try re-setting your modem? Disconnect the power supply for more than ten seconds.



        Frazzled

          Topic Starter


          Beginner

          • Experience: Beginner
          • OS: Unknown
          Re: Unusual Malware Infection
          « Reply #5 on: November 12, 2010, 04:40:18 PM »
          I am using a wireless USB Netopia card. The hardwired card that came with the computer is disabled in the device manager. The wireless icon in the taskbar shows that there is an excellent connection and that it is connected. I cannot, because of the router location, move the computer to hardwire it to the router. (I will need to purchase 100" of cable.) Two different laptops connect seamlessly to the router, so I am thinking the signal is fine. I cannot start several services relating to the Windows ICS. Perhaps this has something to do with the internet connectivity. And yes, I did reboot the router with the same sad results. Is there some other reason for the signal to be blocked, perhaps software related?

          As an aside, I was able to manually download a current definitions file for MSE and I installed and ran it with the result of a possible infected file.
          PromptstickynotesSetupfull.exe  had a Trojan Downloader:Win32/Troxen!rts

          SuperDave

          • Malware Removal Specialist


          • Genius
          • Thanked: 1020
          • Certifications: List
          • Experience: Expert
          • OS: Windows 10
          Re: Unusual Malware Infection
          « Reply #6 on: November 13, 2010, 01:32:22 PM »
          If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
          **********************************
          Please download ComboFix from BleepingComputer.com

          Alternate link: GeeksToGo.com

          Rename ComboFix.exe to commy.exe before you save it to your Desktop
          Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found here
          Click Start>Run then copy paste the following command into the Run box & click OK "%userprofile%\desktop\commy.exe" /stepdel
          As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
          Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

          Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

          Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


          Click on Yes, to continue scanning for malware.
          When finished, it shall produce a log for you.  Please include the contents of C:\ComboFix.txt in your next reply.

          If you have problems with ComboFix usage, see How to use ComboFix

          Frazzled

            Topic Starter


            Beginner

            • Experience: Beginner
            • OS: Unknown
            Re: Unusual Malware Infection
            « Reply #7 on: November 14, 2010, 04:13:40 PM »
            OK,
            I did what was requested and here is the ComboFix file.

            ComboFix 10-11-14.01 - Rudy 11/14/2010  16:35:37.4.1 - x86
            Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.2046.1243 [GMT -6:00]
            Running from: c:\documents and settings\Rudy\desktop\commy.exe
            Command switches used :: /stepdel
            AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
            .

            (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
            .

            c:\windows\system32\arp.exe

            .
            (((((((((((((((((((((((((   Files Created from 2010-10-14 to 2010-11-14  )))))))))))))))))))))))))))))))
            .

            2010-11-13 22:53 . 2010-10-18 14:41   6146896   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
            2010-11-13 22:52 . 2010-10-18 14:41   6146896   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8A57CA1B-6867-4854-B1D9-C191F7A022F9}\mpengine.dll
            2010-11-13 16:35 . 2010-11-13 16:35   472808   ----a-w-   c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
            2010-11-13 16:35 . 2010-11-13 16:35   472808   ----a-w-   c:\windows\system32\deployJava1.dll
            2010-11-11 14:46 . 2010-11-11 14:46   --------   d-----w-   c:\documents and settings\Rudy\Local Settings\Application Data\PCHealth
            2010-11-11 14:46 . 2010-11-11 14:46   --------   d-----w-   c:\documents and settings\LocalService\Local Settings\Application Data\PCHealth
            2010-11-11 14:45 . 2010-11-11 14:46   --------   d-----w-   c:\program files\Microsoft Security Essentials
            2010-11-06 19:13 . 2010-11-06 19:13   388096   ----a-r-   c:\documents and settings\Rudy\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
            2010-11-06 19:13 . 2010-11-06 19:13   --------   d-----w-   c:\program files\Trend Micro
            2010-11-05 19:37 . 2010-11-05 19:37   578560   ----a-w-   c:\windows\system32\dllcache\user32.dll
            2010-11-05 19:35 . 2010-11-05 19:35   --------   d-----w-   c:\windows\ERUNT
            2010-11-05 01:59 . 2010-11-05 01:59   --------   d-----w-   c:\program files\Resource Kit
            2010-11-03 20:03 . 2010-11-03 20:03   --------   d--h--w-   c:\windows\PIF
            2010-11-02 19:59 . 2010-11-02 19:59   --------   d-----w-   c:\documents and settings\Administrator\DoctorWeb
            2010-11-02 19:13 . 2010-11-03 19:51   --------   d-----w-   C:\ERDNT
            2010-11-01 17:14 . 2010-11-01 17:14   --------   d-----w-   c:\documents and settings\Administrator\Application Data\Malwarebytes
            2010-10-30 22:09 . 2010-10-30 22:09   --------   d-----w-   c:\windows\system32\wbem\Repository
            2010-10-29 23:17 . 2010-11-03 20:00   --------   d-----w-   c:\documents and settings\All Users\Application Data\MFAData

            .
            ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
            .
            2010-11-13 16:35 . 2009-03-31 21:16   73728   ----a-w-   c:\windows\system32\javacpl.cpl
            2010-11-09 23:52 . 2010-08-12 02:32   524252   ----a-w-   c:\windows\system32\PerfStringBackup.TMP
            2010-10-19 16:41 . 2010-01-02 21:44   222080   ------w-   c:\windows\system32\MpSigStub.exe
            2010-09-18 17:23 . 2004-08-10 18:51   974848   ---ha-w-   c:\windows\system32\mfc42u.dll
            2010-09-18 06:53 . 2004-08-10 18:51   974848   ---ha-w-   c:\windows\system32\mfc42.dll
            2010-09-18 06:53 . 2004-08-10 18:51   954368   ---ha-w-   c:\windows\system32\mfc40.dll
            2010-09-18 06:53 . 2004-08-10 18:51   953856   ------w-   c:\windows\system32\mfc40u.dll
            2010-09-09 14:16 . 2004-08-10 18:51   667136   ----a-w-   c:\windows\system32\wininet.dll
            2010-09-09 14:16 . 2004-08-10 18:51   61952   ---ha-w-   c:\windows\system32\tdc.ocx
            2010-09-09 14:16 . 2009-08-28 15:27   81920   ---ha-w-   c:\windows\system32\ieencode.dll
            2010-09-08 16:49 . 2004-08-10 18:51   369664   ---ha-w-   c:\windows\system32\html.iec
            2010-09-01 11:51 . 2004-08-10 18:50   285824   ---ha-w-   c:\windows\system32\atmfd.dll
            2010-08-31 13:42 . 2004-08-10 18:51   1852800   ---ha-w-   c:\windows\system32\win32k.sys
            2010-08-27 08:02 . 2004-08-10 18:51   119808   ---ha-w-   c:\windows\system32\t2embed.dll
            2010-08-27 05:57 . 2004-08-10 18:51   99840   ---ha-w-   c:\windows\system32\srvsvc.dll
            2010-08-26 13:39 . 2004-08-10 18:51   357248   ----a-w-   c:\windows\system32\drivers\srv.sys
            2010-08-26 12:52 . 2009-07-25 14:44   5120   ----a-w-   c:\windows\system32\xpsp4res.dll
            2010-08-23 16:12 . 2004-08-10 18:50   617472   ------w-   c:\windows\system32\comctl32.dll
            2010-08-17 13:17 . 2004-08-10 18:51   58880   ----a-w-   c:\windows\system32\spoolsv.exe
            .

            (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
            .
            .
            *Note* empty entries & legit default entries are not shown
            REGEDIT4

            [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
            "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

            [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
            "hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
            "MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-01-29 1095872]
            "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

            [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
            "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

            c:\documents and settings\All Users\Start Menu\Programs\Startup\
            HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]

            [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
            "NoSecCPL"= 0 (0x0)
            "NoConfigPage"= 0 (0x0)
            "NoVirtMemPage"= 0 (0x0)
            "NoDevMgrPage"= 0 (0x0)
            "NoCommonGroups"= 0 (0x0)

            [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
            "NoSMConfigurePrograms"= 0 (0x0)
            "NoStartMenuEjectPC"= 0 (0x0)
            "NoRecentDocsNetHood"= 0 (0x0)
            "DisableMyPicturesDirChange"= 0 (0x0)
            "DisableMyMusicDirChange"= 0 (0x0)
            "DisableFavoritesDirChange"= 0 (0x0)
            "GreyMSIAds"= 0 (0x0)
            "NoChangeAnimation"= 0 (0x0)
            "NoStrCmpLogical"= 0 (0x0)

            [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
            "NoFileUrl"= 0 (0x0)
            "NoSimpleStartMenu"= 0 (0x0)
            "NoDFSTab"= 0 (0x0)
            "NoSMConfigurePrograms"= 0 (0x0)
            "MemCheckBoxInRunDlg"= 0 (0x0)
            "NoStrCmpLogical"= 0 (0x0)

            [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
            "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

            [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
            2009-09-03 22:21   548352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.DLL

            [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
            @="Service"

            [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PiggyBob™.lnk]

            [HKLM\~\startupfolder\C:^Documents and Settings^Rudy^Start Menu^Programs^Startup^Seagate 2GHL5EN4 Product Registration.lnk]
            path=c:\documents and settings\Rudy\Start Menu\Programs\Startup\Seagate 2GHL5EN4 Product Registration.lnk
            backup=c:\windows\pss\Seagate 2GHL5EN4 Product Registration.lnkStartup

            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eBoostrCP]
            2009-11-12 18:28   1587840   ----a-w-   c:\program files\eBoostr\eBoostrCP.exe

            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
            2007-10-15 03:17   49152   ----a-w-   c:\program files\HP\HP Software Update\hpwuSchd2.exe

            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemBoosterXP]
            2006-03-21 17:57   577536   ------w-   c:\program files\DiskTrix\SystemBooster2\SystemBooster.exe

            [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
            "%windir%\\system32\\sessmgr.exe"=

            R0 eBoost;eBoostr caching filter driver;c:\windows\system32\drivers\eBoost.sys [11/12/2009 12:28 PM 144984]
            R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 12:25 PM 12872]
            R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 12:41 PM 67656]
            R1 TSKNF900.SYS;TSKNF900.SYS;c:\windows\system32\drivers\Tsknf900.sys [10/26/2009 10:43 AM 17672]
            R2 EBOOSTRSVC;eBoostr Service;c:\program files\eBoostr\EBstrSvc.exe [11/12/2009 12:28 PM 645248]
            S1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys --> c:\windows\system32\drivers\SBREDrv.sys [?]
            S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 12:15 PM 12872]

            --- Other Services/Drivers In Memory ---

            *Deregistered* - IPVNMon

            [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
            hpdevmgmt   REG_MULTI_SZ      hpqcxs08 hpqddsvc
            .
            Contents of the 'Scheduled Tasks' folder

            2010-10-18 c:\windows\Tasks\DefragExpress.job
            - c:\program files\DiskTrix\DefragExpress\DefragExpress.exe [2009-03-29 14:40]

            2010-11-14 c:\windows\Tasks\GlaryInitialize.job
            - c:\program files\Glary Utilities\initialize.exe [2010-07-11 16:14]

            2010-11-14 c:\windows\Tasks\MP Scheduled Scan.job
            - c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2009-12-10 00:02]
            .
            .
            ------- Supplementary Scan -------
            .
            uStart Page = hxxp://www.yahoo.com/
            mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydial/*http://www.yahoo.com/search/ie.html
            mWindow Title = Microsoft Internet Explorer
            uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydial/*http://www.yahoo.com
            IE: E&xport to Microsoft Excel
            IE: Yahoo! Dictionary
            IE: Yahoo! Search
            FF - ProfilePath - c:\documents and settings\Rudy\Application Data\Mozilla\Firefox\Profiles\18f9hcsv.default\
            FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
            FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

            ---- FIREFOX POLICIES ----
            c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
            c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
            c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
            c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
            c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
            c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
            c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
            c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
            c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true);  // Traditional
            c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true);  // Simplified
            c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
            .
            - - - - ORPHANS REMOVED - - - -

            AddRemove-UBCD4Win_is1 - c:\ubcd4win\unins000.exe



            **************************************************************************

            catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
            Rootkit scan 2010-11-14 16:40
            Windows 5.1.2600 Service Pack 3 NTFS

            scanning hidden processes ... 

            scanning hidden autostart entries ...

            scanning hidden files ... 

            scan completed successfully
            hidden files: 0

            **************************************************************************
            .
            --------------------- LOCKED REGISTRY KEYS ---------------------

            [HKEY_USERS\S-1-5-21-3879861973-781856831-1523397609-1006\AppEvents\Schemes\Apps\MSMSGS\MSMSGS_ContactOnline]
            @DACL=(02 0000)
            @SACL=

            [HKEY_USERS\S-1-5-21-3879861973-781856831-1523397609-1006\AppEvents\Schemes\Apps\MSMSGS\MSMSGS_ContactOnline\.Default]
            @DACL=(02 0000)
            @=""

            [HKEY_USERS\S-1-5-21-3879861973-781856831-1523397609-1006\AppEvents\Schemes\Apps\MSMSGS\MSMSGS_NewAlert]
            @DACL=(02 0000)
            @SACL=

            [HKEY_USERS\S-1-5-21-3879861973-781856831-1523397609-1006\AppEvents\Schemes\Apps\MSMSGS\MSMSGS_NewAlert\.Default]
            @DACL=(02 0000)
            @=""

            [HKEY_USERS\S-1-5-21-3879861973-781856831-1523397609-1006\AppEvents\Schemes\Apps\MSMSGS\MSMSGS_NewMail]
            @DACL=(02 0000)
            @SACL=

            [HKEY_USERS\S-1-5-21-3879861973-781856831-1523397609-1006\AppEvents\Schemes\Apps\MSMSGS\MSMSGS_NewMail\.Default]
            @DACL=(02 0000)
            @=""

            [HKEY_USERS\S-1-5-21-3879861973-781856831-1523397609-1006\AppEvents\Schemes\Apps\MSMSGS\MSMSGS_NewMessage]
            @DACL=(02 0000)
            @SACL=

            [HKEY_USERS\S-1-5-21-3879861973-781856831-1523397609-1006\AppEvents\Schemes\Apps\MSMSGS\MSMSGS_NewMessage\.Default]
            @DACL=(02 0000)
            @=""

            [HKEY_USERS\S-1-5-21-3879861973-781856831-1523397609-1006\Software\Microsoft\SystemCertificates\AddressBook*]
            @Allowed: (Read) (RestrictedCode)
            @Allowed: (Read) (RestrictedCode)

            [HKEY_LOCAL_MACHINE\software\Borland\Database Engine\Settings]
            @DACL=(02 0000)

            [HKEY_LOCAL_MACHINE\software\Borland\Database Engine\Settings\DRIVERS\DB2]
            @DACL=(02 0000)

            [HKEY_LOCAL_MACHINE\software\Borland\Database Engine\Settings\DRIVERS\DBASE]
            @DACL=(02 0000)

            [HKEY_LOCAL_MACHINE\software\Borland\Database Engine\Settings\DRIVERS\FOXPRO]
            @DACL=(02 0000)

            [HKEY_LOCAL_MACHINE\software\Borland\Database Engine\Settings\DRIVERS\INFORMIX]
            @DACL=(02 0000)

            [HKEY_LOCAL_MACHINE\software\Borland\Database Engine\Settings\DRIVERS\INTRBASE]
            @DACL=(02 0000)

            [HKEY_LOCAL_MACHINE\software\Borland\Database Engine\Settings\DRIVERS\MSACCESS]
            @DACL=(02 0000)

            [HKEY_LOCAL_MACHINE\software\Borland\Database Engine\Settings\DRIVERS\MSSQL]
            @DACL=(02 0000)

            [HKEY_LOCAL_MACHINE\software\Borland\Database Engine\Settings\DRIVERS\ORACLE]
            @DACL=(02 0000)

            [HKEY_LOCAL_MACHINE\software\Borland\Database Engine\Settings\DRIVERS\PARADOX]
            @DACL=(02 0000)

            [HKEY_LOCAL_MACHINE\software\Borland\Database Engine\Settings\DRIVERS\SYBASE]
            @DACL=(02 0000)

            [HKEY_LOCAL_MACHINE\software\Borland\Database Engine\Settings\SYSTEM\FORMATS]
            @DACL=(02 0000)

            [HKEY_LOCAL_MACHINE\software\Borland\Database Engine\Settings\SYSTEM\INIT]
            @DACL=(02 0000)
            "VERSION"="4.0"
            "LOCAL SHARE"="FALSE"
            "MINBUFSIZE"="128"
            "MAXBUFSIZE"="2048"
            "LANGDRIVER"="DBWINUS0"
            "MAXFILEHANDLES"="128"
            "SYSFLAGS"="0"
            "LOW MEMORY USAGE LIMIT"="32"
            "AUTO ODBC"="FALSE"
            "DEFAULT DRIVER"="PARADOX"
            "SQLQRYMODE"=""
            "MEMSIZE"="16"
            "SHAREDMEMSIZE"="8192"
            "SHAREDMEMLOCATION"=""
            "DATA REPOSITORY"=""
            "MTS POOLING"="FALSE"
            .
            --------------------- DLLs Loaded Under Running Processes ---------------------

            - - - - - - - > 'winlogon.exe'(376)
            c:\program files\SUPERAntiSpyware\SASWINLO.DLL
            .
            Completion time: 2010-11-14  16:43:18
            ComboFix-quarantined-files.txt  2010-11-14 22:43
            ComboFix2.txt  2010-11-13 00:53

            Pre-Run: 8,281,456,640 bytes free
            Post-Run: 8,266,915,840 bytes free

            - - End Of File - - 76F312E577625C00229986A33FF2901B

            SuperDave

            Re: Unusual Malware Infection
            « Reply #8 on: November 14, 2010, 11:55:03 PM »
            That's good. Could you please try to run the ping test again as stated in Reply #1?

            SysProt Antirootkit

            Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).

            http://sites.google.com/site/sysprotantirootkit/

            Unzip it into a folder on your desktop.
            • Double click Sysprot.exe to start the program.
            • Click on the Log tab.
            • In the Write to log box select the following items.
              • Process << Selected
              • Kernel Modules << Selected
              • SSDT << Selected
              • Kernel Hooks << Selected
              • IRP Hooks << NOT Selected
              • Ports << NOT Selected
              • Hidden Files << Selected
            • At the bottom of the page
              • Hidden Objects Only << Selected
            • Click on the Create Log button on the bottom right.
            • After a few seconds a new window should appear.
            • Select Scan Root Drive. Click on the Start button.
            • When it is complete a new window will appear to indicate that the scan is finished.
            • The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.
            Windows 8 and Windows 10 dual boot with two SSD's

            Frazzled

              Re: Unusual Malware Infection
              « Reply #9 on: November 15, 2010, 09:58:00 AM »
              Hello. When I ping the computer, I still get the same "internal error occurred" message.
              Attached below is the SysProt file.

              SysProt AntiRootkit v1.0.1.0
              by swatkat

              ******************************************************************************************
              ******************************************************************************************

              No Hidden Processes found

              ******************************************************************************************
              ******************************************************************************************
              Kernel Modules:
              Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
              Service Name: ---
              Module Base: 9EE6B000
              Module End: 9EE83000
              Hidden: Yes

              Module Name: \SystemRoot\System32\Drivers\dump_WMILIB.SYS
              Service Name: ---
              Module Base: B5E07000
              Module End: B5E09000
              Hidden: Yes

              ******************************************************************************************
              ******************************************************************************************
              SSDT:
              Function Name: ZwDeviceIoControlFile
              Address: F786E803
              Driver Base: F7865000
              Driver End: F787D000
              Driver Name: IPVNMon.sys

              ******************************************************************************************
              ******************************************************************************************
              No Kernel Hooks found

              ******************************************************************************************
              ******************************************************************************************
              Hidden files/folders:
              Object: C:\Qoobox\BackEnv\AppData.folder.dat
              Status: Access denied

              Object: C:\Qoobox\BackEnv\Cache.folder.dat
              Status: Access denied

              Object: C:\Qoobox\BackEnv\Cookies.folder.dat
              Status: Access denied

              Object: C:\Qoobox\BackEnv\Desktop.folder.dat
              Status: Access denied

              Object: C:\Qoobox\BackEnv\Favorites.folder.dat
              Status: Access denied

              Object: C:\Qoobox\BackEnv\History.folder.dat
              Status: Access denied

              Object: C:\Qoobox\BackEnv\LocalAppData.folder.dat
              Status: Access denied

              Object: C:\Qoobox\BackEnv\LocalSettings.folder.dat
              Status: Access denied

              Object: C:\Qoobox\BackEnv\Music.folder.dat
              Status: Access denied

              Object: C:\Qoobox\BackEnv\NetHood.folder.dat
              Status: Access denied

              Object: C:\Qoobox\BackEnv\Personal.folder.dat
              Status: Access denied

              Object: C:\Qoobox\BackEnv\Pictures.folder.dat
              Status: Access denied

              Object: C:\Qoobox\BackEnv\PrintHood.folder.dat
              Status: Access denied

              Object: C:\Qoobox\BackEnv\Profiles.Folder.dat
              Status: Access denied

              Object: C:\Qoobox\BackEnv\Profiles.Folder.folder.dat
              Status: Access denied

              Object: C:\Qoobox\BackEnv\Programs.folder.dat
              Status: Access denied

              Object: C:\Qoobox\BackEnv\Recent.folder.dat
              Status: Access denied

              Object: C:\Qoobox\BackEnv\SendTo.folder.dat
              Status: Access denied

              Object: C:\Qoobox\BackEnv\SetPath.bat
              Status: Access denied

              Object: C:\Qoobox\BackEnv\StartMenu.folder.dat
              Status: Access denied

              Object: C:\Qoobox\BackEnv\StartUp.folder.dat
              Status: Access denied

              Object: C:\Qoobox\BackEnv\SysPath.dat
              Status: Access denied

              Object: C:\Qoobox\BackEnv\Templates.folder.dat
              Status: Access denied

              Object: C:\Qoobox\BackEnv\VikPev00
              Status: Access denied
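As an added example (not code from the thread, from SysProt or from ComboFix), a small parser that reads a SysProt log in the layout posted above and surfaces the entries worth a second look: hidden kernel modules not on an analyst allowlist, every listed SSDT entry together with the driver it resolves to, and hidden files outside ComboFix's C:\Qoobox quarantine. The allowlist and the *_example names in the constructed sample are assumptions.

```python
import re
# Added example, not code from the thread, SysProt or ComboFix. Allowlist is an
# analyst assumption: dump_* crash-dump driver copies are routinely reported hidden.
BAR = re.compile(r"^\*{5,}[ \t]*$", re.M)
BENIGN_MODULES = {"dump_atapi.sys", "dump_wmilib.sys"}

def parse_sysprot(text):
    """Map section title -> list of {field: value} records (posted layout)."""
    sections = {}
    for chunk in BAR.split(text):
        lines = [ln.strip() for ln in chunk.strip().splitlines()]
        if not lines or not lines[0].endswith(":"):
            continue                  # preamble or a 'No ... found' note
        recs = sections.setdefault(lines[0][:-1], [])
        for block in "\n".join(lines[1:]).split("\n\n"):
            fields = [ln.split(": ", 1) for ln in block.splitlines() if ": " in ln]
            if fields:
                recs.append(dict(fields))
    return sections

def triage(sections):
    """Return (kind, detail) tuples an analyst should verify by hand."""
    out = []
    for r in sections.get("Kernel Modules", []):
        base = r.get("Module Name", "").rsplit("\\", 1)[-1].lower()
        if r.get("Hidden") == "Yes" and base not in BENIGN_MODULES:
            out.append(("hidden-module", r["Module Name"]))
    for r in sections.get("SSDT", []):    # name the driver owning the entry
        out.append(("ssdt-entry", f"{r.get('Function Name')} -> {r.get('Driver Name')}"))
    for r in sections.get("Hidden files/folders", []):
        if not r.get("Object", "").lower().startswith("c:\\qoobox\\"):  # ComboFix quarantine
            out.append(("hidden-file", r.get("Object", "")))
    return out

# Constructed sample in the posted layout; the *_example names are invented.
SAMPLE_LOG = """**********
Kernel Modules:
Module Name: \\SystemRoot\\System32\\Drivers\\dump_atapi.sys
Hidden: Yes

Module Name: \\??\\C:\\WINDOWS\\system32\\drivers\\hidden_example.sys
Hidden: Yes
**********
SSDT:
Function Name: ZwDeviceIoControlFile
Driver Name: IPVNMon.sys
**********
Hidden files/folders:
Object: C:\\Qoobox\\BackEnv\\SysPath.dat
Status: Access denied

Object: C:\\WINDOWS\\system32\\hidden_example.dat
Status: Access denied
"""
```

Run over the log as posted, this leaves only the ZwDeviceIoControlFile -> IPVNMon.sys row, which is an item to verify by hand, not a verdict.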


              SuperDave

              Re: Unusual Malware Infection
              « Reply #10 on: November 15, 2010, 01:16:48 PM »
              Quote
              Is there some other reason for the signal to be blocked perhaps software related?
              Most infections like to block access to the net so you can't get any help.

              Quote
              As an aside, I was able to manually download a current definitions file for MSE and I installed and ran it with the result of a possible infected file.
              PromptstickynotesSetupfull.exe  had a Trojan Downloader:Win32/Troxen!rts
               
              Did it cure it?

              Make sure your computer is set to obtain an IP address automatically.
              1. Go Start>Settings>Control Panel (Vista/7 users: Start>Control Panel)
              2. Double click Network Connections (Vista/7 users: Network and Sharing Center)
              3. Vista/7 users - From the list of tasks on the left, click Manage network connections.
              4. For a wired network connection, right-click Local Area Connection, and then select Properties.
              For a wireless network connection, right-click Wireless Network Connection, and then select Properties.
              5. From the General tab (Vista/7 users: Networking tab), click Internet Protocol (TCP/IP), make sure it is checked, and then click Properties
              6. Click Obtain an IP Address Automatically, and then click OK.

              Frazzled

                Re: Unusual Malware Infection
                « Reply #11 on: November 16, 2010, 04:50:06 PM »
                Hello SuperDave,

                I guess I got a really good malware, as disabling my internet is exactly what happened.
                I went to the network and did what you said. It was set up that way initially, so I actually undid the obtain the IP address automatically and rechecked it so in case there was some glitch it might reset itself. No avail. Any suggestions?

                SuperDave

                Re: Unusual Malware Infection
                « Reply #12 on: November 17, 2010, 12:21:07 PM »
                Please download LSPFix © 2002-2006 Cexx.org.
                Save it to your desktop.  Alternate download site available  here
                ============================== IMPORTANT! ==============================

                PRINT these instructions... then disconnect from the Internet and close all browser windows.
                • Double click the LSPFix.exe icon on your desktop.
                • If you had to use the alternate download...double click the "lspfix.zip" file on your desktop.
                • Use XP's Compressed File Extraction Wizard or your own 3rd party zip file program.
                • Extract the "LSPFix.exe" file to your desktop... double click to start the program.
                • Press the "Finish..." button.
                • Now...Reboot your computer, normally, to complete the process.

                Frazzled

                  Re: Unusual Malware Infection
                  « Reply #13 on: November 18, 2010, 08:50:20 PM »
                  Hello Super Dave,
                  I downloaded and ran LSPFix and wish I could report success. Unfortunately it is not to be so. My computer is the same as before. Next idea?

                  Computer Hope Admin

                  Re: Unusual Malware Infection
                  « Reply #14 on: November 19, 2010, 05:07:39 PM »
                  Did your computer lose its Internet connection after you installed eBoostr on the computer? I've seen all types of issues occur when these types of "enhance your computer" programs are installed. If this did happen after installing eBoostr, try uninstalling the program.

                  Otherwise I'd assume based off all the troubleshooting that SuperDave has done that this issue is likely a driver or other network related issue.

                  First, make sure it's not a router issue or broadband modem issue (if you have one) by disconnecting the power to each device waiting a minute and then plugging the power back in. I've dealt with a lot of network issues where it's just something that has gone wrong with one of these devices and simply appears to be a virus related issue.

                  After this has been done reboot the computer and allow it to try to re-establish a network connection and see if that fixes it.

                  If not, my next suggestion would be to go into the Device Manager and remove all the devices under "Network Adapters" by highlighting them and pressing delete to remove them. Once they've been removed reboot the computer and allow Windows to reinstall the drivers for your network.

                  If this happens automatically without asking for drivers but still does not resolve the issue, try re-installing the software that came with your USB wireless network adapter.

                  Hope this helps
                  Everybody is a genius. But, if you judge a fish by its ability to climb a tree, it will spend its whole life believing that it is stupid.
                  -Albert Einstein