Author Topic: Computer Doctor Needed!! (Read 27854 times)

Katman_09 · « **on:** July 30, 2008, 11:15:18 AM »

Hello,

I've currently developed a problem with my computer and need a lot of assistance.

The other day, my computer started running slow. All of a sudden i received a blue screen which i then wrote down the code and rebooted. When it came back up, my Norton was not in my start up area nor did it work. I then used my spybot which also didn't work and received a "not a valid WIN32 application". Since i sensed a problem, i wanted to back up my files onto my external drive which hasn't been used for about 4 weeks. My problem next was i was unable to view my local settings/application data folders. However, if i typed in %TEMP% in the address bar, i was directed to the Temp folder and could see the path but couldn't go back to my local settings.
So, i decided to go into Safe Mode. As i did this, i received the blue screen again and rebooted. My operating system boots up but can't go into safe mode. I ran a diagnostics test on my hard drive and everything passed.
I proceeded to d/l Defender and PC Doctor which i was able to but unable to execute the files.
I have since found a way to get to my local settings folder but i had to go into my email and go through the export option. When i did this, i was able to see my local settings folder and application folder but i was only able to click and copy the files one at a time as i was only in that option to move my email files to a back up.
My other problem with email is i am unable to email myself from work to home. If i send something home, it comes back to me as undeliverable and that i don't exist. However, if i have someone else do it, they are able to. Not sure if it's kicking it back since it's recognizing my name or what. In addition to all this, my IE is running slow.
Can anyone please help me or direct me in the right direction?

Thank you.

evilfantasy · « **Reply #1 on:** July 30, 2008, 01:58:50 PM »

Download Deckard's Association File Tool (DAFT) and save it to your desktop.

Rename daft.exe to daft.com and double click on it to run.
Read the disclaimer and click OK.
Click on the Scan button.
If it finds faulty file associations, they will appear in red beside a checkbox. If this occurs, just place a checkmark (tick) in the boxes in question.
Click the Fix button.

.

Then run the scans found here and post the logs when complete.

Katman_09 · « **Reply #2 on:** July 31, 2008, 06:45:52 AM »

Ok, i followed all of the steps but wasn't successful in all of them. I have attached all the logs though.

Regarding the Anitspyware download, once i d/l, scanned and removed everything, i rebooted but couldn't boot to my operating system. I had all the options from safe mode, to windows settings, etc... I tried window settings a few times, then safe mode but it kept taking me back to the black screen. I was forced to select return to last original settings in order to get it to reboot to my operating system.

As for Hijackthis, i was able to download it but it wouldn't let me rename.

On a bright note, my browser is working much quicker and so far my e-mail hasn't been returned that i sent to myself from work.

Any more advice?

[recovering disk space -- attachment deleted by admin]

evilfantasy · « **Reply #3 on:** July 31, 2008, 11:49:00 AM »

I still need the log from HijackThis even if you couldn't rename it.

Katman_09 · « **Reply #4 on:** July 31, 2008, 12:25:35 PM »

When i installed Hijackthis, it wouldn't open nor run so i was unable to get a log.

evilfantasy · « **Reply #5 on:** July 31, 2008, 12:36:44 PM »

Download Deckard's System Scanner (DSS) from here or here to your Desktop.
Note: You must be logged onto an account with administrator privileges.
Vista users Right click DSS and Run as Administrator.

Close all applications and windows.
Double-click on dss.exe to run it, and follow the prompts.
When the scan is complete, two text files will open
main.txt <- this one will be maximized
extra.txt <- this one will be minimized

Add the contents of main.txt in your post.
Also add extra.txt to your post.

The text from these files may exceed the maximum post length for this forum, and may need to be sent over 2 or more posts. Please ensure all text is posted.

[/COLOR]
What DSS will do:

Create a new System Restore point in Windows XP and Vista.
Clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
Check some important areas of your system and produce a report for your analyst to review. DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.

Katman_09 · « **Reply #6 on:** July 31, 2008, 07:59:43 PM »

Ok, i did as instructed and nothing popped up. The only thing i saw was "backing up registry hives" and after that nothing. I waited a couple hours just in case but still nothing.

evilfantasy · « **Reply #7 on:** July 31, 2008, 08:56:03 PM »

Run this online scan. Requires Internet Explorer

Use the ESET Nod32 Online Scanner

1. Check the box next to YES, I accept the Terms of Use.
2. Click Start
3. When asked, allow the activex control to install
4. Click Start
5. Make sure that the option Remove found threats and the option Scan unwanted applications is check marked.
6. Click Scan
7. Wait for the scan to finish
8. Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
9. Add the C:\Program Files\EsetOnlineScanner\log.txt log into your next reply

Katman_09 · « **Reply #8 on:** July 31, 2008, 09:03:03 PM »

Ok, i tried the steps again and was able to get some things removed. I was then able to run the dss.exe file and Hijackthis. Attached are my logs. Should i still complete your last posting?

[recovering disk space -- attachment deleted by admin]

evilfantasy · « **Reply #9 on:** July 31, 2008, 09:47:54 PM »

Not yet. let me look through the DSS logs first.

evilfantasy · « **Reply #10 on:** July 31, 2008, 10:05:26 PM »

ErrorClean v4.1
Viewpoint Media Player

SafeBootKeyRepair-CF

It will only take a short moment for it to finish running.
A log will be produced at C:\SafeBoot_Repair.txt. Please post that in your next reply.

----------

Download OTMoveIt2 by OldTimer

Save it to your desktop.

Note: If you are running on Vista, right-click on OTMoveIt2.exe and choose Run As Administrator.

Double-click OTMoveIt2.exe to run it.
Copy the lines in the codebox below.

[/list]

Code: [Select]

[kill explorer]
C:\Documents and Settings\Frank\Application Data\m\flec006.exe
EmptyTemp
[start explorer]

Return to OTMoveIt2, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste

Click the red Moveit! button.
Copy everything in the Results window (under the green bar) and paste it in your next reply.
Close OTMoveIt2

.
----------

Please post the OTMoveIt2 log in the next reply.

See if you can get HjackThis to run and post a log from it if so.

Katman_09 · « **Reply #11 on:** July 31, 2008, 10:58:24 PM »

Ok, ihere we go

I didn't get the extra file from Hijackthis, just the main one. Before i rebooted, though, i could see all of my folders (local settings, application data) but now i can't.

[recovering disk space -- attachment deleted by admin]

evilfantasy · « **Reply #12 on:** July 31, 2008, 11:01:41 PM »

Can you get this HijackThis to run now? TrendMicro HijackThis.exe

Katman_09 · « **Reply #13 on:** August 01, 2008, 05:13:36 AM »

Yep, here's the log.

[recovering disk space -- attachment deleted by admin]

evilfantasy · « **Reply #14 on:** August 01, 2008, 02:09:58 PM »

Open HijackThis and select Do a system scan only.

Place a check mark next to the following entries: (if there)

O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: (no name) - {A7FB032D-C184-4C17-88F4-B0AA7D9581B6} - C:\WINDOWS\system32\mp43dnod.dll (file missing)
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O9 - Extra button: SmartShopper - Compare product prices - {3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEBF} - C:\Program Files\SmartShopper\Bin\2.0.24\SmrtShpr.dll (file missing)
O9 - Extra button: SmartShopper - Compare travel rates - {3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEC0} - C:\Program Files\SmartShopper\Bin\2.0.24\SmrtShpr.dll (file missing)

Important: Close all windows except for HijackThis and then click Fix checked.

Exit HijackThis and run CCleaner.

----------

Download the Norton Removal Tool (SymNRT) to your Desktop.

Once downloaded please close ALL open browsers, also save any work because this may require a restart.

Go to your desktop and double click on the removal tool and then click Setup.
Once open Click Next
Accept the license agreement and click Next
Type in the letters/numbers that you see into the text box then click Next.
Then click Next and the tool will start running.
Once finished restart the PC and run the tool again to ensure everything has been removed.

.
----------

Download Combofix by sUBs from one of the below links.

Important! Combofix.exe MUST be saved to and ran from the Desktop.

Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting Combofix.

Important! Temporarily disable your antivirus, and any antispyware real time protection before performing a scan.

Click this link to see a list of security programs that should be disabled and how to disable them.

Double click combofix.exe & follow the prompts.

Choose Yes to accept the Disclaimers.

Combofix should never take more that 20 minutes including the reboot if malware is detected.

If it does, open Task Manager then the Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.

When finished, it will produce a log for you.
Post that log in your next reply.

Warning: Do not mouseclick Combofix's window while it is running. That may cause it to stall

If Combofix runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your computer.

If needed, see this Combofix tutorial with screenshots that will detail more thoroughly the downloading and running of Combofix and installing the Recover Console.

Remember to re-enable your antivirus and antispyware protection.

----------

Please post the Combofix log in the next reply.

Katman_09 · « **Reply #15 on:** August 01, 2008, 03:12:57 PM »

Ok, i need serious help!!! I ran everything and got to the combofix, it reboted my computer. Now i get to my logon screen, put my password in and it starts the log on and then turns around and logs me off. What can i do now?

evilfantasy · « **Reply #16 on:** August 01, 2008, 03:23:50 PM »

See if you can log on in Safe Mode and do a System Restore.

Do you have your XP CD?

Katman_09 · « **Reply #17 on:** August 01, 2008, 03:28:31 PM »

I receive a blue screen for safe mode but i do have my XP cd. I'll put my cd in.

Katman_09 · « **Reply #18 on:** August 01, 2008, 03:31:28 PM »

Once i put the CD in, where do i go from here?

evilfantasy · « **Reply #19 on:** August 01, 2008, 03:43:14 PM »

XP Repair Install

http://www.michaelstevenstech.com/XPrepairinstall.htm

Katman_09 · « **Reply #20 on:** August 01, 2008, 04:20:59 PM »

It's installing now but i do have a error that has popped up while it's still running.

\CF14293.exe

"Windows cannot find "\CF14293.exe'. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click search.

Should i hit ok on this?

evilfantasy · « **Reply #21 on:** August 01, 2008, 04:24:00 PM »

I'm pretty sure that is the ComboFix log that was supposed to come up after the restart. No need searching for it.

I will be away for a few hours. When you get finished go to C:\combofix.txt and see if the log is there and post it please.

Also post a new HijackThis log.

Be back later.

Katman_09 · « **Reply #22 on:** August 01, 2008, 04:37:10 PM »

Ok, will do

Didn't have a chance yet but thanks so much for the help you've given me.

Seems as if we're making some progress, this is a nasty virurs.

Katman_09 · « **Reply #23 on:** August 01, 2008, 05:14:27 PM »

Ok, here are my log files.

Should i have my windows firewall turned on since i have no protection right now?

[recovering disk space -- attachment deleted by admin]

evilfantasy · « **Reply #24 on:** August 01, 2008, 06:09:28 PM »

Yes you should turn on the firewall, also we need to get some antivirus installed now.

Open HijackThis and select Do a system scan only.

Place a check mark next to the following entries: (if there)

O4 - HKLM\..\Run: [combofix] \CF14293.exe /c C:\ComboFix\Combobatch.bat

Important: Close all windows except for HijackThis and then click Fix checked.

Exit HijackThis.

----------

Now download The Avenger by Swandog46 and save it to your Desktop.

Extract avenger.exe from the Zip file and save it to your Desktop
Run avenger.exe by double-clicking on it.
Do not change any check box options!!
Copy everything in the Code box below, and paste it into the Input script here window:

Code: [Select]

Comment:

Files to delete:
C:\ComboFix\Combobatch.bat

Folders to delete:
C:\ComboFix

Note: the above instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system

Now click the Execute button.
Click Yes to the prompt to confirm you want to execute.
Click Yes to the "Reboot now?" question that will appear when Avenger finishes running.
Your PC should reboot, if not, reboot it yourself.
A log file from Avenger will be produced at C:\avenger.txt and it will pop-up for you to view when you login after reboot.

Add the Avenger log in your next post.

----------

Run the Kaspersky Online Scanner

In Microsoft Windows Vista, you must open the Web browser using the Run as Administrator command. From the Desktop right click the icon and choose Run as Administrator.

Click on SCAN NOW
Click Accept.
The program will then begin downloading the latest definition files.
Once the files have been downloaded locate the Scan Settings and have it scan My Computer.
The scan will take a while, so be patient and let it finish.

When the scan is done, in the Scan is complete window, any infection is displayed.
There is no option to clean/disinfect, however, we need to analyze the information on the report.

To obtain the report:
Click on: Save Report As

Next, in the Save as prompt, Save in area, select: Desktop.
In the File name area use KScan, or something similar.
In Save as type: click the drop arrow and select: Text file [*.txt]
Then, click: Save

Copy and paste the Kaspersky Online Scanner Report in your next reply.

Katman_09 · « **Reply #25 on:** August 01, 2008, 08:25:34 PM »

Ok, my new problem is my internet explorer isn't working. I can get to my home page but unable to get to the forum to download the link. I also can't get to any other site besides what's in my home page. When i click to go to another site, another browser just opens and blinks.

evilfantasy · « **Reply #26 on:** August 01, 2008, 08:27:39 PM »

Do you have a flash drive to transfer over a program or two? Might need to reset your Hosts file.

Go to download the program HostsXpert

Unzip HostXpert to your desktop
Open up the HostXpert program.
Make sure that the "Make Hosts Writable?" button in the upper right corner is enabled.
Click Create Back Up
Then click on Restore Microsoft's Host Files
Close the HostXpert program

Note: if you use SpywareBlaster, Spybot and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and select Enable all protection. For Spybot run the program and select Immunize. For IE-SPYAD, run the batch file and reinstall the protection.

Katman_09 · « **Reply #27 on:** August 01, 2008, 09:08:34 PM »

I installed spybot and immunized the system. However, i still can't manuever on the net. Not to mention, i don't even have the IE icon, it looks like a raw program without a picture.

evilfantasy · « **Reply #28 on:** August 01, 2008, 09:38:24 PM »

Download Dial-a-Fix by djlizard, save it to the desktop then extract it to it's own folder.

Open Dial-a-fix and click the hammer icon. Select Flush DNS and click Go
When complete, select Repair Permissions and click Go
When complete, select Repair/reinstall IE and click Go

If at any time you are prompted for the XP CD, insert it
Make note of any error messages and post them here
Reboot when complete and let me know if there's any change.

Extra steps. <- Might as well run these, it's a quick process and can't hurt anything.

Open the folder and run Dial-a-fix.exe
2 windows will open. Close the one in the background labeled Restrictive Policies
On the main window, check the box in section 4, labeled SSL/HTTPS/Cryptography. The 4 boxes under it should be pre-checked
Check all boxes in Section 5, labeled Registration Center.
Click Go
Restart the computer when done

.
Let me know if IE behaves properly.

Katman_09 · « **Reply #29 on:** August 02, 2008, 01:20:31 AM »

I don't see a hammer but i do have a little round mechanism. The only thing that says flush is "Flush SoftwareDistribution", is that what i want?

Katman_09 · « **Reply #30 on:** August 02, 2008, 01:26:26 AM »

ok, found it, it's early. lol

evilfantasy · « **Reply #31 on:** August 02, 2008, 03:53:47 AM »

Any changes?

Katman_09 · « **Reply #32 on:** August 02, 2008, 09:14:45 AM »

Nope, IE still isn't working right. When i type in a web address in the address bar, another IE box pops up but is blank and just keeps blinking. I have Google is my home page now and if i type msn in the search box, it will pull up all the searches and i can get to the sight that way but it goes bezerk if i type anything in the address bar.

Katman_09 · « **Reply #33 on:** August 02, 2008, 09:42:17 AM »

Ok, so i went to my internet options and unchecked the box for reuse windows for launching shortcuts. Once i did that, i typed an address in my address bar and another window popped up but with the address i typed in. Nothing is locking up but i don't know what it's doing that. Also, if this matters, before all this happened, i was using IE7 (which once all this is cleared up, i'll go to Firefox).

Hope this helps you.

evilfantasy · « **Reply #34 on:** August 02, 2008, 10:49:21 AM »

Have you tried to reset the Web settings?

Reset Web Settings & Default Security Settings

For IE 7 users:

Select Internet Options, then the Advanced Tab and then the Reset button under Reset Internet Explorer Settings.

To Reset Default Security Settings:

For IE 7 users, simply click the "Reset all zones to default level" button.

Katman_09 · « **Reply #35 on:** August 02, 2008, 01:30:33 PM »

When i restore settings, it goes back to locking up with a second screen. I'm using the factory IE and not the new version of IE. I didn't know if some files would still be in the system from IE7 that could be affecting me since i'm using IE6.

evilfantasy · « **Reply #36 on:** August 02, 2008, 01:44:29 PM »

Do you use a Router? Have you tried resetting it? Either use the reset button on it or unplug it for 10 seconds and plug it back in. Or....

Try some manual fixes for IE 6. I'm really puzzled over this.

Reset settings for Internet Explorer 6

Reset Explorer Settings IE 6

Then try this if that doesn't work...

Click Start > Run and copy and paste the following line into the run box:
regsvr32 urlmon.dll
Press OK
Once it is completed you will get this message DllRegisterServer in urlmon.dll succeeded, repeat the above steps, but replace regsvr32 urlmon.dll with the following: (enter each line one at a time selecting OK after each)

regsvr32 actxprxy.dll
regsvr32 shdocvw.dll
regsvr32 mshtml.dll
regsvr32 browseui.dll
regsvr32 jscript.dll
regsvr32 vbscript.dll
regsvr32 oleaut32.dll

When finished restart your computer.

And then if that still doesn't work...

Place your XP CD ROM in the drive drive and follow the instructions below:

Click on Start > Run and type sfc /scannow then press Enter (note the space between scf and /scannow)
- Let this run undisturbed until the window with the blue progress bar goes away

SFC - Which stands for System File Checker, retrieves the correct version of the file from %Systemroot%\System32\Dllcache or the Windows installation source files, and then replaces the incorrect file.

If you want to see what was replaced, right-click My Computer and click on Manage.
In the new window that appears, expand the Event Viewer (by clicking on the + symbol next to it) and then click on System.

Katman_09 · « **Reply #37 on:** August 02, 2008, 06:13:18 PM »

Yes, i do have a router and did unplug it. Didn't reset it because since it's wireless, that's running my laptop i'm using now. Wasn't sure if i would then not be able to connect again.
I did everything you mentioned and with the last thing regarding the XP disk, i went into "manage" and "system" and there were a TON of errors. I rebooted and got a black screen saying there was an error on drive 5 and to hit F1 to continue or F2 to go to system utility. I hit F1 and then it took me to windows. I then rebooted again and didn't have any errors.

evilfantasy · « **Reply #38 on:** August 02, 2008, 06:20:25 PM »

No changes or are you able to connect to other sites now?

You should be able to unplug the router from the wall, then plug it back in to reset it. It won't effect anything.

Katman_09 · « **Reply #39 on:** August 02, 2008, 06:26:32 PM »

No, no changes. I can only go to sites if i type it in the search bar. If i type a website in the address bar, i still get a second IE window that locks up both windows.

And i did unplug from the wall for about a minute with the same results.

evilfantasy · « **Reply #40 on:** August 02, 2008, 06:36:01 PM »

Try to run Firefox portable from the infected computer, that way we can easily run some of these tools.

Firefox portable download link

If Firefox works then use the below link for Dr. Web. If not the you will need to transfer Dr. Web over.

This is portable so you can transfer it over. You will want to update it first though.

Download DrWeb CureIt & save it to your desktop.

Scan with DrWeb-CureIt as follows:

Double-click on drweb-cureit.exe and then click Start.
An Express Scan of your PC notice will appear.
Under Start the Express Scan Now Click OK to start.
- This is a short scan that will scan the files currently running in memory.
- If or when something is found, click the Yes button when it asks you if you want to cure it.
Once the short scan has finished, Click Options > Change settings
Choose the Scan tab and UNcheck Heuristic analysis and click OK
Back at the main window, select the Complete scan button.
Then click the Green Arrow Start Scanning button on the right and the scan will start.
- Click Yes to all if it asks if you want to cure/move any file(s).
When the scan is done.
In the Dr.Web CureIt menu on top left, click File and choose Save report list.
Save the DrWeb.csv report to your Desktop.
Exit Dr.Web Cureit.

Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.

[/COLOR]

After reboot, Right-click the Dr.Web log on the desktop and choose Open With > Notepad
Copy and paste that log in the next reply

Katman_09 · « **Reply #41 on:** August 02, 2008, 08:20:45 PM »

Just to keep you posted, Dr. Web is doing a complete scan now.

evilfantasy · « **Reply #42 on:** August 02, 2008, 08:23:31 PM »

Cool. I'm wondering if this is malware causing the problems or if the OS has been damaged. Worse case scenario you will need to re-install. Dr. Web can take a while to complete and should let us know better whats going on.

Katman_09 · « **Reply #43 on:** August 02, 2008, 08:30:55 PM »

I hope so.

So, once this is cleared up, what do you recommend me using to protect my computer. Currently, i have a subscription to Norton until March of next year. I do have spybot but have been told Norton isn't very good. I need something that will take care of all kinds of attacks. Any ideas? Obviously, i'll scrap IE.

evilfantasy · « **Reply #44 on:** August 02, 2008, 08:34:59 PM »

Once we finish up I'll leave links to reliable free solutions for antispyware, firewalls and antivirus.

No trying to do all of that yet.

Katman_09 · « **Reply #45 on:** August 03, 2008, 09:10:32 AM »

Ok, here is the log. FYI, there is a folder in C:\ drive called Qoobox and it has it's own Windows and System32 folder. Also, a text file that is labeled "catchme"

googletoolbarnotifier.exe;c:\program files\google\googletoolbarnotifier;Trojan.DownLoad.3144;Deleted.;
psexesvc.exe;c:\windows;Program.PsExec.170;Incurable.Deleted.;
psexec.cfexe;C:\ComboFix;Program.PsExec.171;;
ComboFix.exe\327882R2FWJFW\psexec.cfexe;C:\Documents and Settings\Frank\Desktop\ComboFix.exe;Program.PsExec.171;;
ComboFix.exe;C:\Documents and Settings\Frank\Desktop;Archive contains infected objects;Moved.;
ISUSPM.exe -startup;C:\Program Files\Common Files\InstallShield\UpdateService;Trojan.DownLoad.3144;Deleted.;
Zip_Password_Recovery_Master_6.2.0.0_[Key].exe;C:\Program Files\eMule0.48a\Incoming\Zip_Password_Recovery_Master_6.2.0.0_[Key];Trojan.DownLoad.3144;Deleted.;
hldrrr.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\system32\drivers;Trojan.DownLoad.3144;Deleted.;
mdelk.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\system32\drivers;Trojan.DownLoad.3144;Deleted.;
A0002961.exe;C:\System Volume Information\_restore{1B1F2EBA-1FB4-43F0-A050-FB1448845FFF}\RP1;Trojan.DownLoad.3144;Deleted.;
A0002962.EXE;C:\System Volume Information\_restore{1B1F2EBA-1FB4-43F0-A050-FB1448845FFF}\RP1;Program.PsExec.170;;
A0002963.exe\327882R2FWJFW\psexec.cfexe;C:\System Volume Information\_restore{1B1F2EBA-1FB4-43F0-A050-FB1448845FFF}\RP1\A0002963.exe;Program.PsExec.171;;
A0002963.exe;C:\System Volume Information\_restore{1B1F2EBA-1FB4-43F0-A050-FB1448845FFF}\RP1;Archive contains infected objects;Moved.;
A0002964.exe;C:\System Volume Information\_restore{1B1F2EBA-1FB4-43F0-A050-FB1448845FFF}\RP1;Trojan.DownLoad.3144;Deleted.;

evilfantasy · « **Reply #46 on:** August 03, 2008, 01:18:40 PM »

QooBox and catchme are ComboFix files. They can be deleted.

No change on the connection?

I want to run SDFix, it does some other cleanup steps that I think may be a help.

Download SDFix by AndyManchesta and save it to your desktop.

When using this tool, you must use the Administrator's account or an account with Administrative rights

Double click SDFix.exe and it will extract the files to %systemdrive%
(this is the drive that contains the Windows Directory, typically C:\SDFix).
DO NOT use it just yet.

Reboot your computer in Safe Mode using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Open the SDFix folder and double click RunThis.bat to start the script.

Type Y to begin the cleanup process.
It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts, the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
Copy and paste the contents of the results file Report.txt in your next reply along with a new HijackThis log.

Katman_09 · « **Reply #47 on:** August 03, 2008, 02:24:02 PM »

Ok, here is my "Report.txt" log As for the connection issue, since i installed Firefox, whenever i click on IE, Firefox comes up and works just fine. I tried to find in the settings to see if i can change it back to IE to test it but couldn't find it.

SDFix: Version 1.212
Run by Administrator on Sun 08/03/2008 at 04:05

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Restoring Default Security Values
Restoring Default Hosts File

Rebooting

Checking Files :

Trojan Files Found:

C:\14A9.TMP - Deleted
C:\14BD.TMP - Deleted
C:\1BA.TMP - Deleted
C:\1ECF.TMP - Deleted
C:\1ED6.TMP - Deleted
C:\1F10.TMP - Deleted
C:\28.TMP - Deleted
C:\33DB.TMP - Deleted
C:\33ED.TMP - Deleted
C:\3E1A.TMP - Deleted
C:\3E65.TMP - Deleted
C:\3E6B.TMP - Deleted
C:\3ED0.TMP - Deleted
C:\4268.TMP - Deleted
C:\57D2.TMP - Deleted
C:\57E2.TMP - Deleted
C:\57F4.TMP - Deleted
C:\57FF.TMP - Deleted
C:\583F.TMP - Deleted
C:\5846.TMP - Deleted
C:\5853.TMP - Deleted
C:\5894.TMP - Deleted
C:\589B.TMP - Deleted
C:\58AD.TMP - Deleted
C:\694A.TMP - Deleted
C:\6952.TMP - Deleted
C:\76D6.TMP - Deleted
C:\76DD.TMP - Deleted
C:\815.TMP - Deleted
C:\84FF.TMP - Deleted
C:\986.TMP - Deleted
C:\ADE.TMP - Deleted
C:\AE4.TMP - Deleted
C:\FB.TMP - Deleted
C:\WINDOWS\system32\nvrsul32.dll - Deleted

Removing Temp Files

ADS Check :

Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-03 16:13:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40]

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services :

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"="C:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe:*:Enabled:Yahoo! Music Jukebox"
"C:\\Program Files\\Yahoo!\\UPnP\\yupnpsrv.exe"="C:\\Program Files\\Yahoo!\\UPnP\\yupnpsrv.exe:*:Enabled:Yahoo! UPnP AV Media Server"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Intelore\\Excel Password Recovery\\ExcelPasswordRecovery.exe"="C:\\Program Files\\Intelore\\Excel Password Recovery\\ExcelPasswordRecovery.exe:*:Enabled:Excel Password Recovery"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Mon 7 Jul 2008 1,429,840 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 7 Jul 2008 4,891,472 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 7 Jul 2008 2,156,368 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Sat 25 Aug 2007 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sat 27 Oct 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Wed 14 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\069dce5b3a6a576c9856befb57fca0a9\BIT25.tmp"
Fri 8 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\0a67b6c406b1d7e0f5c1e6f6d44a3f6e\BIT1B.tmp"
Fri 8 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\26924cbc8132a10b438ce6e2b49d4652\BIT19.tmp"
Fri 8 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\2769b111678c52099a3b3123b12f2325\BIT1D.tmp"
Sat 27 Oct 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\943145d6fda2a3de96e33285d992c3a5\BITF.tmp"
Fri 8 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\b69c46c5109d0f8b0dee9fab84906813\BIT1C.tmp"
Fri 8 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\d77b9b5b8fed23dd91f50d167cce60d3\BIT1E.tmp"
Fri 8 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\fa6c916bb150f8a929e7a4ffdfbc120f\BIT1A.tmp"

Finished!

HiJackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 04:19, on 2008-08-03
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MSGPSBM\Binn\sqlservr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,\userinit.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: SmartShopper - Compare travel rates - {3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEC0} - C:\Program Files\SmartShopper\Bin\2.0.24\SmrtShpr.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

--
End of file - 8019 bytes

Katman_09 · « **Reply #48 on:** August 03, 2008, 02:25:44 PM »

One more thing, when it was doing the SDFix scan when i rebooted, it came up and said "Cannot find Foundsvc.txt" Not sure if that means anything. Well, actually it does but not to me. lol

evilfantasy · « **Reply #49 on:** August 03, 2008, 02:42:55 PM »

Were making progress now. SDFix got some tough ones.

Right click the Internet Explorer icon on the Desktop and choose Properties.

Click the Programs tab and then click Reset Web Settings. That should make IE your default browser again.

----------

Now that you have a browser that works on the computer you can use this scanner from IE or Firefox.

Run the Kaspersky Online Scanner

In Microsoft Windows Vista, you must open the Web browser using the Run as Administrator command. From the Desktop right click the icon and choose Run as Administrator.

Click on SCAN NOW
Click Accept.
The program will then begin downloading the latest definition files.
Once the files have been downloaded locate the Scan Settings and have it scan My Computer.
The scan will take a while, so be patient and let it finish.

When the scan is done, in the Scan is complete window, any infection is displayed.
There is no option to clean/disinfect, however, we need to analyze the information on the report.

To obtain the report:
Click on: Save Report As

Next, in the Save as prompt, Save in area, select: Desktop.
In the File name area use KScan, or something similar.
In Save as type: click the drop arrow and select: Text file [*.txt]
Then, click: Save

Copy and paste the Kaspersky Online Scanner Report in your next reply.

Katman_09 · « **Reply #50 on:** August 04, 2008, 04:47:28 AM »

Ok, my problem now seems to be that the scan locks up. I've done it 3 time and it gets locked up on a folder where i have my .mp3's. Any thoughts?

evilfantasy · « **Reply #51 on:** August 04, 2008, 12:40:54 PM »

Update MalwareBytes and run a Full scan with it. Remove anything found and post the log along with a new SDFix log please.

Then run SDFix again. Be sure to download a new copy, it's updated since we last ran it.

Download SDFix by AndyManchesta and save it to your desktop.

When using this tool, you must use the Administrator's account or an account with Administrative rights

Double click SDFix.exe and it will extract the files to %systemdrive%
(this is the drive that contains the Windows Directory, typically C:\SDFix).
DO NOT use it just yet.

Reboot your computer in Safe Mode using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Open the SDFix folder and double click RunThis.bat to start the script.

Type Y to begin the cleanup process.
It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts, the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
Copy and paste the contents of the results file Report.txt in your next reply along with a new HijackThis log.

Katman_09 · « **Reply #52 on:** August 04, 2008, 04:49:35 PM »

Malware Log:

Malwarebytes' Anti-Malware 1.24
Database version: 1025
Windows 5.1.2600 Service Pack 2

06:31:43 PM 2008-08-04
mbam-log-8-4-2008 (18-31-43).txt

Scan type: Full Scan (C:\|K:\|)
Objects scanned: 118025
Time elapsed: 41 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

SDFix Log:

SDFix: Version 1.212
Run by Administrator on Mon 08/04/2008 at 06:40

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Restoring Default Security Values
Restoring Default Hosts File

Rebooting

Checking Files :

Trojan Files Found:

C:\WINDOWS\system32\nvrsul32.dll - Deleted

Removing Temp Files

ADS Check :

Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-04 18:44:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40]

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services :

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"="C:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe:*:Enabled:Yahoo! Music Jukebox"
"C:\\Program Files\\Yahoo!\\UPnP\\yupnpsrv.exe"="C:\\Program Files\\Yahoo!\\UPnP\\yupnpsrv.exe:*:Enabled:Yahoo! UPnP AV Media Server"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Intelore\\Excel Password Recovery\\ExcelPasswordRecovery.exe"="C:\\Program Files\\Intelore\\Excel Password Recovery\\ExcelPasswordRecovery.exe:*:Enabled:Excel Password Recovery"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Mon 7 Jul 2008 1,429,840 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 7 Jul 2008 4,891,472 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 7 Jul 2008 2,156,368 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Sat 25 Aug 2007 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sat 27 Oct 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Wed 14 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\069dce5b3a6a576c9856befb57fca0a9\BIT25.tmp"
Fri 8 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\0a67b6c406b1d7e0f5c1e6f6d44a3f6e\BIT1B.tmp"
Fri 8 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\26924cbc8132a10b438ce6e2b49d4652\BIT19.tmp"
Fri 8 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\2769b111678c52099a3b3123b12f2325\BIT1D.tmp"
Sat 27 Oct 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\943145d6fda2a3de96e33285d992c3a5\BITF.tmp"
Fri 8 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\b69c46c5109d0f8b0dee9fab84906813\BIT1C.tmp"
Fri 8 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\d77b9b5b8fed23dd91f50d167cce60d3\BIT1E.tmp"
Fri 8 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\fa6c916bb150f8a929e7a4ffdfbc120f\BIT1A.tmp"

Finished!

HiJackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 06:48, on 2008-08-04
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MSGPSBM\Binn\sqlservr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,\userinit.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: SmartShopper - Compare travel rates - {3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEC0} - C:\Program Files\SmartShopper\Bin\2.0.24\SmrtShpr.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

--
End of file - 8052 bytes

One final note, i'm still not able to use IE. Firefox is working well but was not able to reset web settings on IE. When i clicked on the IE icon, it didn't give me properties, just firefox options.

evilfantasy · « **Reply #53 on:** August 04, 2008, 04:59:19 PM »

Go to C:\Program Files\Internet Explorer and see if you can launch Internet Explorer from the iexplorer.exe found there.

Katman_09 · « **Reply #54 on:** August 04, 2008, 05:58:41 PM »

Ok, that worked, except when i type in another website, it pulls up firefox browser.

evilfantasy · « **Reply #55 on:** August 04, 2008, 06:19:58 PM »

Let's try this.

First:

Download to your desktop FixPolicies.exe, a self-extracting ZIP archive from HERE.

Double-click FixPolicies.exe.
Click the Install button on the bottom toolbar of the box that will open.
The program will create a new Folder called FixPolicies.
Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd
A black box will briefly appear and then close.
Restart the computer so the changes can take effect.

----------

If that doesn't work.

Reinstall Internet Explorer 6 by using the Ie.inf file

1.Click Start, click Run, type %systemroot%\inf, and then press Enter.
2. Find the Ie.inf file that is located in Windows\Inf folder.
3. Right-click the Ie.inf file, and then click Install.
4.Restart the computer when the file copy process is complete.

Katman_09 · « **Reply #56 on:** August 04, 2008, 06:46:06 PM »

Ok, did both things and after reboot IE comes us and Firefox loads when i type in a web address. Should i unintall firefox?

evilfantasy · « **Reply #57 on:** August 04, 2008, 07:08:05 PM »

How about installing IE 7?

Katman_09 · « **Reply #58 on:** August 04, 2008, 07:47:57 PM »

Ok, that worked.

It did ask if i wanted to install SP3 but i didn't.

evilfantasy · « **Reply #59 on:** August 04, 2008, 07:56:29 PM »

OK, now you have IE working run this online scan and add the log when complete. And you don't want to install SP3 until we have the malware issues taken care of.

This scanner works with Internet Explorer only

Go to the BitDefender Online Scanner
Click I Agree to the license and then install the ActiveX control.
Please DO NOT change the Scanning Options.
That will make your logs huge and we don't need to see clean files.
Select Start Scan to begin.
This scan can take a while so please be patient and let it complete.

Once Bitdefender completes the scan:
Click-on the Detected Problems tab.
Then select Click here to export the scan report

When the window comes up to save the report, change the Save as type: box to:
Text (Tab Delimited) (*.txt) and then in the File name box enter change to bdscan then click Save

This will save a file named bdscan.txt. I would suggest saving it to the Desktop so you can easily find it. (take notice of where you save it so you can find it later)

This bdcan.txt file will actually contain HTML code that we can easily view later while reviewing your log. All we have to do is rename the file to bdscan.html.

Add the bdscan.txt as an attachment in the next post.

If the log is too big to attach use the below site to host the file.

Upload the file to Savefile.com
There is no need to Register
Select Browse and locate the file.
Fill in the Title and Description and security code then click Upload
Copy the download link next to Your link to the file: and post the link back here.

Katman_09 · « **Reply #60 on:** August 05, 2008, 04:58:52 AM »

Here is the BDscan

[recovering disk space -- attachment deleted by admin]

evilfantasy · « **Reply #61 on:** August 05, 2008, 09:13:11 AM »

This is another log that will be huge. You may need to upload it to www.savefile.com then post the link to it back here.

Download to your desktop ISeeYouXP.exe by ShadowPuterDude
Next double-click on ISeeYouXP.exe, this should be on your desktop.

ISeeYouXP.exe will self-extract ISeeYouXP to C:\ISeeYouXP.

Using Windows Explorer (right click the Start button and select Explore to open Windows Explorer) navigate to C:\ISeeYouXP and locate:
ISeeYouXP.bat

Double-click ISeeYouXP.bat to run the script.

Post the following logs
ISeeYouXP

Upload the file to Savefile.com
There is no need to Register
Select Browse and locate the file.
Fill in the Title and Description and security code then click Upload
Copy the download link next to Your link to the file: and post the link back here.

Katman_09 · « **Reply #62 on:** August 05, 2008, 02:42:59 PM »

Ok, here you go.

http://www.savefile.com/files/1710177

evilfantasy · « **Reply #63 on:** August 05, 2008, 04:30:39 PM »

Looks OK besides needing to tighten up a few security settings.

You can delete ISeeYouXP from C:\ISeeYouXP

----------

Start up IE then go to Tools > Internet Options > Security
Set the Security level for the Internet Zone to High. (If no slider is visible, click Default Level.)
Click the Trusted Sites icon.
Set the Security level for the this Zone to Medium. (If no slider is visible, click Default Level.)
Click OK.

.
----------

Download OTMoveIt2 by OldTimer OTMoveIt2.exe and place it on your desktop. (unless you already have it installed)

1. Double click OTMoveIt2.exe to launch it.
Vista users right click and choose Run As Administrator
2. Click on the CleanUp! button.
3. OTMoveIt2 will download a list from the Internet, if your firewall or other defensive programs alerts you, allow it access.
4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)
5. Once complete exit out of OTMoveIt2

----------

Set a New Restore Point to prevent possible reinfection from an old one
Setting a new restore point AFTER cleaning your system will enable your computer to roll-back to a clean working state if needed.

Go to Start > Programs > Accessories > System Tools and click System Restore
Choose the radio button marked Create a Restore Point on the first screen then click Next Give the Restore Point a name then click Create.
The new restore point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
Next go to Start > Run and type Cleanmgr
Click OK
Click the More Options Tab.
Click Clean Up in the System Restore section to remove all previous restore points except the newly created clean one.

You can find instructions on how to enable and re-enable system restore here:

Windows XP System Restore Guide or Windows Vista System Restore Guide
.
----------

Use the Secunia Software Inspector to check for out of date software.

Click Start Now
Check the box next to Enable thorough system inspection.
Click Start
Allow the scan to finish and scroll down to see if any updates are needed.
Update anything listed.

.
----------

Important: You Need to Update Windows and Internet Explorer regularly to protect your computer from the malware and other security threats that are on the Internet. Go to Microsoft Windows Update and get all critical updates.

If you are running any Microsoft Office version go to the Office Update site and make sure you have at least all the critical updates installed (Free) Microsoft Office Update.

----------

How is everything now?

Katman_09 · « **Reply #64 on:** August 05, 2008, 07:05:02 PM »

Sweet. So far everything seems good. I'm going to Microsoft to update the stuff i need updated. Also, is now a good time to update to sevice pack 3? Also, should i install my norton back on the computer?

When i go to my start button, the icon for IE is missing, looks just like a blank program file.

evilfantasy · « **Reply #65 on:** August 05, 2008, 10:25:48 PM »

Honestly I would leave Norton alone and stay with Avast! I also suggest installing a reliable firewall. Personally I use Comodo.

1) Comodo (Uncheck during installation "Install Comodo SafeSurf..", Make Comodo my default search provider" and "Make Comodo Search my homepage" if you choose this one)
2) Online Armor
3) Sunbelt/Kerio
4) Agnitum
5) PC Tools Firewall Plus

----------

You might wait a few days to be sure evrything is running OK before installing the SP3.

----------

Is the icon from the new IE 7 or is it there from IE 6?

Katman_09 · « **Reply #66 on:** August 05, 2008, 10:34:01 PM »

Should i reinstall Avast? When i click on it, it says that it's not a valid Win32 application.

The icon is for IE7

Also, i still have a lot of icons on my deskstop from some of the .exe that we've ran. Would it be safe to delete?
Examples: Launch, dialafix, hostsxpert, iseeyouxp, fixpolicies, sdfix, CCleaner?

Also, should i continue to run Superantispyware, Malwarebytes and Spybot?

I will definitely take your advice for Comodo and Avast!!

Katman_09 · « **Reply #67 on:** August 05, 2008, 10:35:45 PM »

Oh, and with Avast and Comodo, should I purchase it or running the free verisions will be good enough?

evilfantasy · « **Reply #68 on:** August 05, 2008, 10:42:58 PM »

Keep CCleaner and use it to cleanup occasionally. Delete Launch, dialafix, hostsxpert, iseeyouxp, fixpolicies, sdfix.

Keep Superantispyware, Malwarebytes and Spybot and update then run them occasionally?

The free versions of Comodo and Avast are fine, try reinstalling Avast.

Install TweakUi - http://www.filehippo.com/download_tweakui/

There is a setting in there that says Rebuild Icons. Maybe that will fix the Icon problem.

Katman_09 · « **Reply #69 on:** August 05, 2008, 11:08:57 PM »

Ok, my icon is back and working. Could you send me a link to Avast? I did a search but it kept asking me to pay.

evilfantasy · « **Reply #70 on:** August 05, 2008, 11:12:59 PM »

Glad the icon is fixed.

Here is a link to Avast free - http://www.filehippo.com/download_avast_antivirus/

Katman_09 · « **Reply #71 on:** August 06, 2008, 03:56:11 PM »

Well, i have Comdo and Avast installed and running. Will i need to update Avast or will it do it on it's own whenever there are updates?

Also, on the system restore, should I have it checked for "Turned off" or have it unchecked?

Other than that, i think we've fixed it

I appreciate your help so much, thanks a million times over.

evilfantasy · « **Reply #72 on:** August 06, 2008, 04:03:39 PM »

Avast will update on it's own. The only thing avast doesn't do on its own is automatic scans so if you want to scan you will need to open it and do one manually or follow this guide to set them automatically. Click here

Avast also has skins to change the appearance. http://www.avast.com/eng/skins.html

System Restore should be turned on, there should be no check mark. http://support.microsoft.com/kb/310405

CBMatt · « **Reply #73 on:** August 08, 2008, 08:59:16 PM »

As this issue appears to be resolved, I am closing this topic. If you are the original poster and you would like this topic to be re-opened for any reason, PM me or another moderator and it can be arranged.

If you are not the original poster and you require help, please start a New Topic with information about your computer and your problem.

Computer Hope Forum

News:

Author Topic: Computer Doctor Needed!! (Read 27854 times)

Katman_09

evilfantasy

Katman_09

evilfantasy

Katman_09

evilfantasy

Katman_09

evilfantasy

Katman_09

evilfantasy

evilfantasy

Katman_09

evilfantasy

Katman_09

evilfantasy

Katman_09

evilfantasy

Katman_09

Katman_09

evilfantasy

Katman_09

evilfantasy

Katman_09

Katman_09

evilfantasy

Katman_09

evilfantasy

Katman_09

evilfantasy

Katman_09

Katman_09

evilfantasy

Katman_09

Katman_09

evilfantasy

Katman_09

evilfantasy

Katman_09

evilfantasy

Katman_09

evilfantasy

Katman_09

evilfantasy

Katman_09

evilfantasy

Katman_09

evilfantasy

Katman_09

Katman_09

evilfantasy

Katman_09

evilfantasy

Katman_09

evilfantasy

Katman_09

evilfantasy

Katman_09

evilfantasy

Katman_09

evilfantasy

Katman_09

evilfantasy

Katman_09

evilfantasy

Katman_09

evilfantasy

Katman_09

Katman_09

evilfantasy

Katman_09

evilfantasy

Katman_09

evilfantasy

CBMatt