My Wife's Vista

[dbar07]

First, Thank you for your time. For a month or so my wife's Vista Home Premium machine has shown some issue.

1. Slow response time, starting up, programs, internet, etc.

2. Only Firefox can browse the internet. IE, Safari, and Google's Chrome will time out, or say it can not connect to the server. IE says, "Internet Explorer cannot display the webpage." When you try to diagnose or repair the connection Vista says it can not find any problems. I do remember when this first happened, repair said something about the DNS could not be found. Can not remember the exact error but it was about the DNS. Last night I tried to replicate the error message but I could not find it. Without IE connecting to the internet I can not update windows.

I turned my attention back to the issue last night and started to clean off the system, update, uninstall crapware, and run some logs. Here are the steps that I have taken so far.

Steps completed so far

1. Uninstalled all unnecessary programs

2. Ran MalwareBytes - Came up with a few adware and Coupon Printers. My wife loves the coupon printers even though I keep warning her that nothing good comes from them.

3. Uninstalled all versions of Java

4. Uninstalled Acrobat Reader 8

5. Ran CCleaner.

6. Restarted the computer - Things felt a bit more responsive at this point.

7. Reinstalled the latest version of Java and Acrobat

8. Ran Combofix from the desktop, didn't touch the mouse, let it run, and it produced this log. The utorrent and limewire where on the computer before we married. I uninstalled them about a year ago and I have been trying to remove all traces since then. Note the file it deleted and the two hidden files which I don't think was deleted and still on the computer.

ComboFix 09-02-06.01 - jewells 2009-02-07 2:00:02.1 - NTFSx86

Microsoft

[AdvancedSetup]

Well I'd like you to run this on the PC before we dive in any further. You have/had a lot of stuff there.

Turn off System Restore-Vista

• Click the Vista/Start icon.
  
• Right Click >> Computer
  
• Click Properties.
  
• Click the System Protection tab.
  
• Uncheck All drives
  
• Click "Turn Off System Restore" at the prompt then click "Apply".
  
• Restart your computer.
  

Turn ON System Restore-Vista

• Click the Vista/Start icon
  
• Right Click >> Computer
  
• Click Properties.
  
• Click the System Protection tab.
  
• Checkmark All drives that were selected previously then click "Apply".
  

This will remove all restore points except the new one you just created.

Empty the Quarantine areas of all Security software.

Please download this, place a blank CD in your burner and double-click on the downloaded file. It will automatically burn the CD for you.

At the bottom left should be 2 flags. If you use your mouse and click on the British flag the interface should switch to English for you.

Have it scan ALL files. There is no way that I'm aware of to save a log, so you may need to write down any special errors or infections found and their outcome.

Requires access to a working computer with a CD/DVD burner to create a bootable CD.

Avira AntiVir Rescue System - download

Avira AntiVir Rescue System
Avira AntiVir Rescue System is a Linux-based application that allows accessing computers that cannot be booted anymore. Thus it is possible to:





• repair a damaged system,
• rescue data,
  
  
• scan the system for virus infections.

  
  Just double-click on the rescue system package to burn it to a CD/DVD. You can then use this CD/DVD to boot your computer.
  The Avira AntiVir Rescue System is updated several times a day so that the most recent security updates are always available.
  

Rescue CD screen resolution problem

Please see the post here if you're unable to view the entire screen of Avira.

[dbar07]

I ran Avira AntiVir Rescue System and on the first scan it found the following items in the Recycling Bin that I failed to empty.

1. Spybot -Search and Destroy/recovery/FunWeb.zip, FunWebProducts.zip, MyWayMyWebSearch.zip, MyWebSearch.zip, startupfiledoesnotexist.zip, and wrongapppath.zip

2. Combofix was still in the Recycling Bin and it found [APPL/ PsExec.E] 32788R22FWJFW\psexec.cfexe <<<contains detection pattern of the application APPL/ PSExec.E

3. I had a folder of icons that were downloaded at one time in the Recycling Bin: [sPR/Tool.Brutefor.2] Folder-Public.ico <<< Contains detection pattern of the SPR/Tool.Brutefor.2 program.

It found nothing else, so I exited the program, started up and emptied the Recycling Bin. Restarted, and booted from the Rescued CD again. After a full scan it found nothing. Here is a run down.

AntiVir/Linux Version 2.1.12-114

VDF Version: 7.1.1.235

Checking the master boot record of drive 128

error (2): cannot read record

auto excluding /sys from scans (is a special fs)

auto excluding /proc from scans (is a special fs)

checking drive /path (list): /

----scan results----

directories: 24940

scanned files: 328684

alerts: 0

suspicious: 0

scan time: 00:47:56

Thank you

[AdvancedSetup]

Okay, so how is the computer running now?

Are there still any signs of infection or features that are blocked?

Please run the following to remove any tools that might have been used during the scaning and cleaning of your system.

STEP 1

Uninstall ComboFix.exe

• Click
  START
  then
  RUN
• Now type
  Combofix /u
  (if you renamed Combofix.exe use that name instead)
  in the runbox and click OK. Note the
  space
  between the
  X
  and the
  /U
  , it needs to be there.
  
  
• 

  
  

• When shown the disclaimer, Select "2"
  

Remove this folder C:\QooBox if the uninstall instructions don't work and delete Combofix.exe

STEP 2

Uninstall GMER

Click on

START - RUN

and type in or copy/paste

%windir%\gmer_uninstall.cmd

to remove GMER.

STEP 3

Uninstall other tools

Please

Download

OTMoveIt3

by Old Timer

and save it to your

Desktop

.

• Double-click
  OTMoveIt3.exe
  to run it.
• While connected to the Internet, Click on the green
  CleanUp!
  button and it will populate a list of items to clean from your system that we used or may have used.
  
  
• It should ask if you want to clean up, select Yes and allow the system to clean up these items.
  
  
  NOW
  please reboot your computer to finish the cleanup process
  
  

This is a good time to clear your existing system restore points and establish a new clean restore point:

Turn off System Restore-Vista

• Click the Vista/Start icon.
  
• Right Click >> Computer
  
• Click Properties.
  
• Click the System Protection tab.
  
• Uncheck All drives
  
• Click "Turn Off System Restore" at the prompt then click "Apply".
  
• Restart your computer.
  

Turn ON System Restore-Vista

• Click the Vista/Start icon
  
• Right Click >> Computer
  
• Click Properties.
  
• Click the System Protection tab.
  
• Checkmark All drives that were selected previously then click "Apply".
  

This will remove all restore points except the new one you just created.

[dbar07]

Sadly still no connection for IE and Safari. I tried Chrome and it is able to connect. So, Chrome and Firefox are the only browsers to connect to the internet. In IE, when I type in www.google.com and hit enter it will go to http:/// and say I typed in the address incorrectly. Other sites it just says Internet Explorer cannot display the webpage.

I do apologize if I diluted the issue by posting to much info at the beginning of the post. I don't mind, if you don't, starting over with the diagnostic and suggestions. Start fresh, unless you don't think it is malware related. I have posted my latest Hijackthis log below.

Thank you again for your help.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 8:12:46 PM, on 2/8/2009

Platform: Windows Vista SP1 (WinNT 6.00.1905)

MSIE: Internet Explorer v7.00 (7.00.6001.18000)

Boot mode: Normal

Running processes:

C:\Windows\system32\taskeng.exe

C:\Windows\Explorer.EXE

C:\Windows\system32\Dwm.exe

C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe

C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe

C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe

C:\Program Files\Dell Photo AIO Printer 926\memcard.exe

C:\Program Files\CyberLink\PCM4Everio\EverioService.exe

C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe

C:\Program Files\Windows Media Player\wmpnscfg.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Windows\System32\rundll32.exe

C:\Windows\system32\wbem\unsecapp.exe

C:\Program Files\Logitech\QuickCam\Quickcam.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

C:\Windows\ehome\ehtray.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

C:\Windows\ehome\ehmsas.exe

C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe

C:\Program Files\Internet Explorer\ieuser.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll

O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll

O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe"

O4 - HKLM\..\Run: [TMRUBottedTray] "C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe"

O4 - HKLM\..\Run: [dlcxmon.exe] "C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe"

O4 - HKLM\..\Run: [MemoryCardManager] "C:\Program Files\Dell Photo AIO Printer 926\memcard.exe"

O4 - HKLM\..\Run: [EverioService] "C:\Program Files\CyberLink\PCM4Everio\EverioService.exe"

O4 - HKLM\..\Run: [sigmatelSysTrayApp] C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe

O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe

O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - Global Startup: AutorunsDisabled

O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - (no file)

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - (no file)

O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe

O23 - Service: dlcx_device - - C:\Windows\system32\dlcxcoms.exe

O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe

O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

O23 - Service: Google Update Service (gupdate1c95bfb9303d81d) (gupdate1c95bfb9303d81d) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe

O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe

O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe

O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe

O23 - Service: Trend Micro RUBotted Service (RUBotted) - Trend Micro Inc. - C:\Program Files\Trend Micro\RUBotted\TMRUBotted.exe

O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Windows\system32\STacSV.exe

O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe

O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe

O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--

End of file - 8740 bytes

[AdvancedSetup]

Sounds like the setting were probably just messed up from cleaning. Try this.

From within IE go to Tools/Internet Options/Advanced and click on the RESET button.

Then launch IE again and see if that works or not.

[dbar07]

No joy on that either.

[AdvancedSetup]

Okay then please try this.

Download to the desktop: Dr.Web CureIt

• Doubleclick the drweb-cureit.exe file and Allow to run the express scan
  
• This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  
• Once the short scan has finished, Click Options > Change settings
  
• Choose the "Scan"-tab, remove the mark at "Heuristic analysis".
  
• Back at the main window, mark the drives that you want to scan.
  
• Select all drives. A red dot shows which drives have been chosen.
  
• Click the green arrow at the right, and the scan will start.
  
• Click 'Yes to all' if it asks if you want to cure/move the file.
  
• When the scan has finished, look if you can click next icon next to the files found:
  
  If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:
  
  This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples)
  
• After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  
• Save the report to your desktop. The report will be called DrWeb.csv
  
• Close Dr.Web Cureit.
  
• Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
  
• After reboot, post the contents of the log from Dr.Web you saved previously in your next reply with a new hijackthis log.
  

That may not fix it but let's get another AV product to confirm no infections are left on the box.

[dbar07]

Thank you for bearing with me. However, I am feeling a bit embarrassed at the moment. Drweb-cureit ran over night and didn't' find a single thing. So, I am left wondering, if it is not malware related at all. Everything keeps checking out ok.

[AdvancedSetup]

Well there was obvious stuff there in the logs but I was assuming that Dr Web or Avira would have removed them.

Please run the following online scanner and post back it's log.

Java Version

Run Kaspersky Online AV Scanner

Please go to Kaspersky website and perform an online antivirus scan.

• Read through the requirements and privacy statement and click on Accept button.
  
• It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  
• When the downloads have finished, click on Settings.
  
• Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
  Spyware, Adware, Dialers, and other potentially dangerous programs
  Archives
  Mail databases
  

  [*]Click on My Computer under Scan and then put the kettle on!

  [*]Once the scan is complete, it will display the results. Click on View Scan Report.

  [*]You will see a list of infected items there. Click on Save Report As....

  [*]Save this report to a convenient place like your Desktop. Change the Files of type to Text file (.txt) before clicking on the Save button.

  [*]Copy and paste the report into your next reply along with a fresh HJT log and a description of how your PC is behaving.

ActiveX version

Run Kaspersky Online AV Scanner

Using Internet Explorer Go to http://www.kaspersky.com/kos/eng/partner/d...kavwebscan.html and click the Accept button at the end of the page.

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.

• Read the Requirements and limitations before you click Accept.
  
• Allow the ActiveX download if necessary.
  
• Once the database has downloaded, click Next.
  
• Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
  
• Click on "My Computer" and then put the kettle on!
  
• When the scan has completed, click Save Report As...
  
• Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
  
• Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
  

Copy and paste the report into your next reply along with a fresh HJT log and a description of how your PC is behaving.

If this does not work then we'll manually go back and look at some stuff again.

[dbar07]

Thanks Advancedsetup, sounds good! Here is the kaspersky log and HijackThis Log. You were right about putting the kettel on.

--------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER 7 REPORT

Wednesday, February 11, 2009

Operating System: Microsoft Windows Vista Home Premium Edition, 32-bit Service Pack 1 (build 6001)

Kaspersky Online Scanner 7 version: 7.0.25.0

Program database last update: Wednesday, February 11, 2009 02:44:38

Records in database: 1780352

--------------------------------------------------------------------------------

Scan settings:

Scan using the following database: extended

Scan archives: yes

Scan mail databases: yes

Scan area - My Computer:

C:\

D:\

E:\

F:\

Scan statistics:

Files scanned: 134371

Threat name: 0

Infected objects: 0

Suspicious objects: 0

Duration of the scan: 02:54:20

No malware has been detected. The scan area is clean.

The selected area was scanned.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:37:45 PM, on 2/11/2009

Platform: Windows Vista SP1 (WinNT 6.00.1905)

MSIE: Internet Explorer v7.00 (7.00.6001.18000)

Boot mode: Normal

Running processes:

C:\Windows\system32\taskeng.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

C:\Windows\ehome\ehtray.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

C:\Windows\ehome\ehmsas.exe

C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe

C:\Program Files\Windows Media Player\wmpnscfg.exe

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\taskeng.exe

C:\Program Files\Windows Live\Mail\wlmail.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Windows\system32\NOTEPAD.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll

O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe

O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - Global Startup: AutorunsDisabled

O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - (no file)

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - (no file)

O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe

O23 - Service: dlcx_device - - C:\Windows\system32\dlcxcoms.exe

O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe

O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

O23 - Service: Google Update Service (gupdate1c95bfb9303d81d) (gupdate1c95bfb9303d81d) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe

O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe

O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe

O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe

O23 - Service: Trend Micro RUBotted Service (RUBotted) - Trend Micro Inc. - C:\Program Files\Trend Micro\RUBotted\TMRUBotted.exe

O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Windows\system32\STacSV.exe

O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe

O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe

O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--

End of file - 6864 bytes

[AdvancedSetup]

So is IE still having issues connecting to any Websites?

[dbar07]

Yep, it still has issues and will not connect. Safari is still the same as well. I downloaded Opera and it connects to the internet just fine.

[AdvancedSetup]

How did you download Opera? Or did you copy it over from another box?

Reset Winsock

• Click Start. In the Start Search dialog box, type: cmd, and right-click cmd and choose Run as administrator
• Type this exactly as shown:

  netsh winsock reset

  and then press the ENTER key.
  

• Type Exit and press ENTER.
  
• Restart the computer and test this issue again.
  

Try starting the computer into SAFE MODE - "Safe Mode with networking" by tapping the F8 key while it's booting.

Then see if IE can connect or not.

[dbar07]

I downloaded Opera on the same box with the IE issues. Here is a short list

For example, the following items connect to the internet.

1. Firefox

2. Chrome

3. Messenger

4. Opera

5. VPN

6. Remote Desktop

7. Vista's Microsoft updates through the built in update window, not through IE

8. Trend Micro

9. Malwarebytes

The following items can not connect to the internet. I get the typical server is not found message, or can not connect.

1. IE

2. Safari

When I get home I will try the "Reset Winsock". Would a rootkit of some kind cause this? I remember in my first post the combofix showed something and also something called GMER....I think that is what it is called.

Thanks for working with me.

[AdvancedSetup]

The GMER is a tool used to attempt to find hidden items such as are used by Rootkits.

[dbar07]

I ran the "Reset Winsock" as instructed and restarted......no success.

I then started up in safe mode with networking. Started up IE and it worked perfectly. I typed in a few addresses and everything connected. I also checked on Safari and it worked too. Everything in safe mode, including IE, was fast and responsive.

I restarted the computer. We have three profiles, mine, my wife and guest. I signed into my profile but IE would not work. I rarely use my profile. Everything is done through my wife's profile. I logged out and back into my wife's profile, IE still not working.

I doubled check all of IE's add-on and everything is disabled. There seems to be double, triple, quad entries of the same thing, but it says they are all disabled.

[dbar07]

Well I have some good news for you. First off, you have been great as always in helping me out and I really appreciate it. Your suggestion on starting up in safe mode got me thinking. One of the many services that does not run in safe mode is Trend Micro's Firewall.

1. First I checked how the computer starts up. It is not in normal mode for some reason. I do turn off some startup items. Would this take it out of normal mode?

2. I started to look at the Firewall settings. It was a mess. There were programs in there several times including IE. For example. ieuser.exe was in there once, but iexplore.exe was in there three times with one set to allow connection out and the others were set to deny connection out. Safari was set for deny connection out. Java Platform SE binary was denied. Windows Installer was set to deny. There were two "Host Process for Windows Services". 7 Windows Media Center Store Update. 2 explore.exe. Firefox had two, one set for allow and the other for deny. I deactivated the doubles and made sure the one left was set to allow. I clicked on apply and everything is working now.

3. I also checked my network adapters under the Device Manager. There is an yellow symbol next to two 6T04 adapters, three isatap.{E23C6E81-C6C2-4A2A-B039-15ABD7F1B1AF}, and isatap.carolina.rr.com. Can I disable these?

With this new information and IE and Safari working do you think the machine is still clean. The only thing that makes me worry is the combofix log at the beginning of the post that showed hidden files. However, if you think I am cool, I am cool.

Thanks again for your help and I hope I have not been too much trouble.

[AdvancedSetup]

Well the yellow symbols on the NIC cards is a bit disconcerting as there is a recent new Malware on the scene that is messing up Network card settings.

I've not run into it myself but a couple other Helpers have spoken about it.

Well we can run a NEW HJT and see what we can find. Just delete your copy of Combofix.exe if it's still there and download a NEW copy and run it. Make sure to Disable your Anti-Virus first though or it will mess it up.

Then post the log and I'll take another look at it.

[dbar07]

Hmmm, attached is a clipped screen shot of the Network Adapters.

Here is the Combofix log, followed by a new HijackThis Log

----------

ComboFix 09-02-12.03 - jewells 2009-02-14 1:31:34.1 - NTFSx86

Microsoft

[AdvancedSetup]

Yes, that looks like the infection I was talking about. Actually I'm not even sure of it's name, so let me check with some others and see if/what we can do about it.

[dbar07]

Thank you AdvancedSetup! Take your time. I am trying to finish up my car this weekend. I am putting in a new waterpump, timing chain, full array of gaskets, thermostat, alternator, belts, etc etc. Spent about 750 dollars today. So I will check in when I can. I will be done hopefully on Sunday evening. Thanks again.

[AdvancedSetup]

Ah! The good days of car repair. I spent about 12 years as a Professional Certified Mechanic.

Well the bad news is that so far a couple of people I've spoken with don't have a fix for that yet.

So, still checking and I'll get back to you.

[AdvancedSetup]

Haven't forgotten you - but no answer for a fix yet either

Are you able to check properties on them and see what driver they say they're using?

Let's try this if you can.

Back up your registry with ERUNT

• Download ERUNT from ERUNT and save it to your desktop.
  
• Double click erunt-setup.exe to install the program
  
• Follow the prompts, and then uncheck Create NTREGOPT desktop icon
  
• At the next screen, uncheck Show documentation and check Launch ERUNT
  
• If ERUNT doesnt start by itself, launch it from the desktop shortcut.
  
• At the configuration screen, make sure all 3 checkboxes are checked
  
• Click Ok to run the backup process
  

Note:

The backups can be restored from here:

C:\windows\ERDNT\<todays date>\ERDNT.exe

Then see if you can zip up that new ERUNT folder and attach it to your reply. We can review the files and see if we can find something or not.

How To Use Compressed (Zipped) Folders in Windows XP

Compress and uncompress files (zip files) in Vista

[dbar07]

I haven't forgotten about you either. From Saturday to Monday night, I have been putting in 12 hours a day getting my car back together. The rest of the week, I work till about 1:00am after I get off work. I wish I had your knowledge so maybe I would have had it done already and not have so many problems.

What ERUNT file/folder would you like for me to zip up? I tried zipping up the folder it creates with the date but it was about 18 mb.

I was able to get the driver info for you. Here it is in the order it is listed. It all seems to be the same.

1. 6T04 Adapter: Driver files - c:\windows\system32\drivers\tunnel.sys, Provider - Microsoft Corporation, File Version: 6.0.6001.18000 (longhorn_rtm.080118-1840), Copyright - Microsoft Corporation, Digital Signer: Microsoft Windows

2. 6T04 Adapter: Same as #1

3. isatap.{E23C6E81-C6C2-4A2A-B039-15ABD7F1B1AF}: Driver files - c:\windows\system32\drivers\tunnel.sys, Provider - Microsoft Corporation, File Version: 6.0.6001.18000 (longhorn_rtm.080118-1840), Copyright - Microsoft Corporation, Digital Signer: Microsoft Windows

4. isatap.{E23C6E81-C6C2-4A2A-B039-15ABD7F1B1AF}: Same as #3

5. isatap.{E23C6E81-C6C2-4A2A-B039-15ABD7F1B1AF}: Same as #3

6. isatap.carolina.rr.com: Driver files - c:\windows\system32\drivers\tunnel.sys, Provider - Microsoft Corporation, File Version: 6.0.6001.18000 (longhorn_rtm.080118-1840), Copyright - Microsoft Corporation, Digital Signer: Microsoft Windows

Thanks again