Solved: new type of rootkit????

wannabeageek
Junior Member with 12 posts.
Join Date: Nov 2009
Experience: Intermediate
18-Nov-2009, 10:04 PM #1
My desktop got hit again and I was wondering if anyone has seen this type of filechk.000 file recovery before. My daughter was reading the blue screen of death error message to me over the phone as I was at work.
She mentioned that the error was for an NTFS file error.
My computers all use FAT32 file systems.
This is what got my attention.
What happens is this: when I boot up the computer, the screen goes blank. Absolutely no video. This even occurs in safe mode.
But I can view the drive and scan it.
When I do scan the drive, the scan process freezes up when it hits certain DLL files in the windows\system32 subfolder.
Anyone have any ideas?

http://img690.imageshack.us/img690/3976/filechk000.png
wannabeageek
Junior Member with 12 posts.
Join Date: Nov 2009
Experience: Intermediate
19-Nov-2009, 04:15 PM #2
Greetings and salutations. I got my drive up and running again. This time I got HijackThis and scanned a log.
None of the following show any type of rootkit or virus infection when I scan my drive. I am actually posting from the infected system, so it is somewhat operable, yet sluggish and slow.
When I use 1 Internet Explorer window, I get 2 processes called iexplore.exe in the Task Manager window.
Here is a copy of my log. Hope this helps. Thanks in advance.
Mike.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:14:53 PM, on 11/19/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\AVG\AVG9\avgchsvx.exe
D:\Program Files\AVG\AVG9\avgrsx.exe
D:\Program Files\AVG\AVG9\avgcsrvx.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\netdde.exe
D:\Program Files\AVG\AVG9\avgwdsvc.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\tcpsvcs.exe
D:\WINDOWS\System32\snmp.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\AVG\AVG9\avgemc.exe
D:\Program Files\AVG\AVG9\avgnsx.exe
D:\Program Files\AVG\AVG9\avgcsrvx.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
D:\Program Files\Microsoft IntelliType Pro\itype.exe
D:\WINDOWS\SOUNDMAN.EXE
D:\WINDOWS\AGRSMMSG.exe
D:\Program Files\Philips\Philips Device Manager\Bin\DeviceManager.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\HP\HP Software Update\HPWuSchd2.exe
D:\Program Files\Java\jre6\bin\jusched.exe
D:\PROGRA~1\AVG\AVG9\avgtray.exe
D:\WINDOWS\system32\wuauclt.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
D:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
D:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
D:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
D:\WINDOWS\system32\rundll32.exe
D:\WINDOWS\system32\taskmgr.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\DOCUME~1\RACHEL~1\LOCALS~1\Temp\HouseCall\housecall.bin
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
F2 - REG:system.ini: UserInit=D:\WINDOWS\system32\userinit.exe
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {3C4F7D28-08D1-4BE8-BEB9-B88BC566BE49} - D:\WINDOWS\system32\jkkKeeBQ.dll (file missing)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - D:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: (no name) - {A2D8A4E1-024A-4FCA-BF5E-AAFBC9EA256D} - (no file)
O2 - BHO: (no name) - {D7336D32-62F7-43B5-8B8C-3963C72CA498} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: (no name) - {E6472B57-AF6C-474B-85D6-7AE019D1D9A1} - D:\WINDOWS\system32\ljJDsqPg.dll (file missing)
O2 - BHO: (no name) - {F0C06F30-62B8-4AFE-8889-5AA2984AF4D4} - (no file)
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] D:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
O4 - HKLM\..\Run: [itype] "D:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PhilipsDM] "D:\Program Files\Philips\Philips Device Manager\Bin\DeviceManager.exe"
O4 - HKLM\..\Run: [Windows Defender] "D:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HP Software Update] D:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG9_TRAY] D:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = D:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/24c1544b...p/RdxIE601.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...scbase5036.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1162624366335
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4A62F7F3-906E-4B5F-9783-3E432B7219DB}: NameServer = 207.69.188.185,207.69.188.186,207.69.188.187
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - D:\Program Files\AVG\AVG9\avgpp.dll
O18 - Filter hijack: text/html - {26b8b465-96c3-41c0-b098-4e3e6c79f2e8} - D:\WINDOWS\system32\msziptools.dll
O20 - AppInit_DLLs: jrvnqf.dll
O20 - Winlogon Notify: avgrsstarter - D:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - D:\Program Files\AVG\AVG9\avgemc.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - D:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - D:\WINDOWS\system32\HPZipm12.exe
O24 - Desktop Component 0: (no name) - file:///D:/Documents%20and%20Setting...20Camp%203.bmp
--
End of file - 7833 bytes
muppy03
Senior Member with 1,881 posts.
Join Date: Jun 2006
Location: Australia
Experience: gettin there
19-Nov-2009, 07:27 PM #3
Hello and welcome to TSG

IMPORTANT

Whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.
To make cleaning this machine easier:-
  • Continue to respond to this thread until I give you the All Clean!
  • Please DO NOT uninstall/install any programs unless asked to. It is more difficult when files/programs appear or disappear from the logs.
  • Please do not run any scans other than those requested and do not post any logs/reports unless specifically requested to do so.
  • Please follow all instructions in the order posted.
  • If you have any questions or do not understand instructions, please ask before continuing.
  • Please reply to this thread. Do not start a new topic.

Make an uninstall list using HijackThis
To access the Uninstall Manager you would do the following:
  • Start HijackThis
  • Click on the Config button
  • Click on the Misc Tools button
  • Click on the Open Uninstall Manager button.
  • Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Save the file to your desktop.

Please post this log on your next reply.

Open Hijack This and select Do a System Scan Only place a check next to the below lines if still present
  • F2 - REG:system.ini: UserInit=D:\WINDOWS\system32\userinit.exe
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: (no name) - {3C4F7D28-08D1-4BE8-BEB9-B88BC566BE49} - D:\WINDOWS\system32\jkkKeeBQ.dll (file missing)
    O2 - BHO: (no name) - {A2D8A4E1-024A-4FCA-BF5E-AAFBC9EA256D} - (no file)
    O2 - BHO: (no name) - {D7336D32-62F7-43B5-8B8C-3963C72CA498} - (no file)
    O2 - BHO: (no name) - {E6472B57-AF6C-474B-85D6-7AE019D1D9A1} - D:\WINDOWS\system32\ljJDsqPg.dll (file missing)
    O2 - BHO: (no name) - {F0C06F30-62B8-4AFE-8889-5AA2984AF4D4} - (no file)
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O18 - Filter hijack: text/html - {26b8b465-96c3-41c0-b098-4e3e6c79f2e8} - D:\WINDOWS\system32\msziptools.dll
    O20 - AppInit_DLLs: jrvnqf.dll

Once selected, close all windows except HJT and click on Fix Checked

Download and run Combofix
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • If you need help to disable your protection programs see here.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log.

If you need help, see this link:
http://www.bleepingcomputer.com/comb...o-use-combofix

Please reply with:-
  • Combofix log
  • New HJT log
__________________
Teacher - Malware Removal University - You too could train to help others

Topics not replied to within 3 days will be removed from my Subscribed Threads List
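The entries muppy03 picks out above (BHOs whose file is absent, the O18 text/html filter hijack, the O20 AppInit_DLLs value) are the places a helper looks at first in a HijackThis log. As an added example that is not part of the thread and is not HijackThis's own code, the following Python script applies those checks mechanically to a handful of log lines copied from the log posted above and embedded inline as a constructed sample. The severity labels and reasons are this example's own assumptions, not HijackThis output; the script flags entries for a human to review and decides nothing about deletion.

```python
"""Triage heuristics for HijackThis-style log lines (added example, not HijackThis code)."""
import re
from typing import Dict, List, NamedTuple, Optional, Sequence, Tuple

# Constructed sample: a subset of the HijackThis entries posted earlier in this thread.
SAMPLE_LINES: List[str] = [
    r"Logfile of Trend Micro HijackThis v2.0.2",
    r"Running processes:",
    r"D:\WINDOWS\System32\smss.exe",
    r"O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll",
    r"O2 - BHO: (no name) - {3C4F7D28-08D1-4BE8-BEB9-B88BC566BE49} - D:\WINDOWS\system32\jkkKeeBQ.dll (file missing)",
    r"O2 - BHO: (no name) - {A2D8A4E1-024A-4FCA-BF5E-AAFBC9EA256D} - (no file)",
    r"O4 - HKLM\..\Run: [AVG9_TRAY] D:\PROGRA~1\AVG\AVG9\avgtray.exe",
    r"O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - D:\Program Files\AVG\AVG9\avgpp.dll",
    r"O18 - Filter hijack: text/html - {26b8b465-96c3-41c0-b098-4e3e6c79f2e8} - D:\WINDOWS\system32\msziptools.dll",
    r"O20 - AppInit_DLLs: jrvnqf.dll",
    r"O20 - Winlogon Notify: avgrsstarter - D:\WINDOWS\SYSTEM32\avgrsstx.dll",
    r"O24 - Desktop Component 0: (no name) - file:///D:/Documents%20and%20Setting...20Camp%203.bmp",
    r"--",
    r"End of file - 7833 bytes",
]

# Every HJT entry starts with a section code (R0, F2, O2, O20, ...) followed by " - ".
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")
SEVERITY_RANK: Dict[str, int] = {"high": 0, "medium": 1, "review": 2}


class Finding(NamedTuple):
    section: str
    severity: str
    reason: str
    line: str


def parse_entries(lines: Sequence[str]) -> List[Tuple[str, str, str]]:
    """Return (section, body, raw_line) for each HJT entry; header, process list and footer are skipped."""
    entries = []
    for raw in lines:
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group("section"), m.group("body"), raw.strip()))
    return entries


def classify(section: str, body: str, raw: str) -> Optional[Finding]:
    """Heuristic rules (this example's assumptions) mirroring what a helper checks first."""
    if "(no file)" in body or "(file missing)" in body:
        return Finding(section, "medium", "orphaned entry: registered component whose file is gone; residue of a removed program, should be cleared", raw)
    if section == "O18" and body.startswith("Filter hijack:"):
        return Finding(section, "high", "MIME filter hijack: a DLL inserted into the browser's content handling path", raw)
    if section == "O20" and body.startswith("AppInit_DLLs:"):
        value = body.split(":", 1)[1].strip()
        if value:  # an empty AppInit_DLLs value is the normal state
            return Finding(section, "high", "AppInit_DLLs loads the listed DLL into every process that links user32.dll; a bare name with no vendor path deserves scrutiny", raw)
    if section == "O20" and body.startswith("Winlogon Notify:"):
        return Finding(section, "review", "Winlogon Notify package is loaded at logon; confirm the DLL belongs to a known vendor", raw)
    if section == "O24":
        return Finding(section, "review", "Active Desktop component; benign if the user set it, otherwise a wallpaper hijack", raw)
    return None


def triage(lines: Sequence[str]) -> List[Finding]:
    """Run all rules over a log; most severe first, file order within one severity."""
    findings = [f for f in (classify(s, b, r) for s, b, r in parse_entries(lines)) if f is not None]
    return sorted(findings, key=lambda f: SEVERITY_RANK[f.severity])


def summarize(lines: Sequence[str]) -> Dict[str, int]:
    """Count findings per severity so a helper sees at a glance how much needs attention."""
    counts = {sev: 0 for sev in SEVERITY_RANK}
    for f in triage(lines):
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n         {f.line}")
    print(summarize(SAMPLE_LINES))
```

Run against the sample, the script ranks the O18 filter hijack and the O20 AppInit_DLLs entry highest, reports the two BHOs with missing files as orphaned, and leaves the AVG and RealPlayer entries alone, which matches the set muppy03 asked to have checked. Replacing `SAMPLE_LINES` with the lines of a real log is the only change needed to run it on another log.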
wannabeageek
Junior Member with 12 posts.
Join Date: Nov 2009
Experience: Intermediate
19-Nov-2009, 11:21 PM #4
Combofix log followed by the new HijackThis log
Attachment Blocked
Attachments in the HJT forum are often designed to solve a specific issue and not meant to be used without instructions specific to your computer. If you want help specific to your computer, please post a HiJackThis Log. If you started this thread, please make sure you are logged in to be able to view attachments.
muppy03
Senior Member with 1,881 posts.
Join Date: Jun 2006
Location: Australia
Experience: gettin there
20-Nov-2009, 12:02 AM #5
Hi, Please copy and paste all logs.

Can I have the uninstall list asked for in the first post, also please update me on the problems that you are having.

Download and Run OTM.exe

Download OTM.exe by Old Timer and save it to your Desktop.
  • Double-click OTM.exe. (Vista users, please right click on OTM.exe and select "Run as an Administrator")
  • Copy the lines in the codebox below.
Code:
:Files
d:\windows\_000003_.tmp.dll
d:\windows\_000004_.tmp.dll
d:\windows\system32\SET77.tmp
d:\windows\system32\SETAD.tmp
d:\windows\system32\SETC7.tmp
d:\windows\system32\SETC8.tmp
d:\windows\system32\SETCA.tmp
d:\windows\system32\SETCC.tmp
d:\windows\system32\SETCB.tmp
d:\windows\system32\SETD0.tmp
d:\windows\system32\SETD1.tmp
d:\windows\system32\SETD3.tmp

:Commands

[EmptyTemp]
[Start Explorer]
[Reboot]
  • Return to OTM.exe, right click in the Paste Instructions for Items to be Moved window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar), and paste it in your next reply.
  • Close OTM.exe

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:
    :Dir
    d:\documents and settings\All Users\Application Data\dbg
    
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Please reply with:-
  • OTM log
  • System look report
  • New HJT log
  • Update on how things are running
  • Uninstall list
wannabeageek
Junior Member with 12 posts.
Join Date: Nov 2009
Experience: Intermediate
20-Nov-2009, 10:56 AM #6
The guest account on this desktop is not functional: no I.E. no control panel, no network connections, maybe more. I think someone was on the guest account when this happened.
Here is the uninstall log as you requested.
I will check the guest account again and see what actually works, rather than list what does not.
Attachment Blocked
muppy03
Senior Member with 1,881 posts.
Join Date: Jun 2006
Location: Australia
Experience: gettin there
20-Nov-2009, 06:47 PM #7
Do you have the OTM and systemlook logs?
wannabeageek
Junior Member with 12 posts.
Join Date: Nov 2009
Experience: Intermediate
20-Nov-2009, 10:59 PM #8
Quote:
Please reply with:-
  • OTM log
  • System look report
  • New HJT log
  • Update on how things are running
  • Uninstall list
I have complied with the above uploads.
There are still 2 iexplorer.exe processes running for 1 window being opened on Rachel's account.
The guest account has problems, but it may have reverted back to a non-administrator settings without internet. However, it displays an error, "Devicemanager MFC Application has encountered a problem and needs to close."
Attachment Blocked
muppy03
Senior Member with 1,881 posts.
Join Date: Jun 2006
Location: Australia
Experience: gettin there
20-Nov-2009, 11:40 PM #9
Quote:
There are still 2 iexplorer.exe processes running for 1 window being opened on Rachel's account.
This is ok, it is an IE8 thing.

Quote:
The guest account has problems, but it may have reverted back to a non-administrator settings without internet. However, it displays an error, "Devicemanager MFC Application has encountered a problem and needs to close."
Since it is a guest account that might be corrupted, why not create a new one? If all goes ok you can then delete the corrupted one. Leave it until we finish cleaning though.

You should Download and Install the newest version of Adobe Reader for reading pdf files, due to the vulnerabilities in earlier versions.
All versions numbered lower than 9.2 are vulnerable.
  • Go HERE and click on AdbeRdr920_en_US.exe to download the latest version of Adobe Acrobat Reader.
  • Save this file to your desktop and run it to install the latest version of Adobe Reader.

Update Java Runtime

You are using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version. For this reason, it's extremely important that you keep the program up to date, and also remove the older more vulnerable versions from your system. The most current version of Sun Java is: Java Runtime Environment Version 6 Update 17.
  • Go to Java Site
  • Click to Download Java SE Runtime Environment (JRE) 6 Update 17
  • In Platform box choose Windows.
  • Check the box to Accept License Agreement and click Continue.
  • Click on Windows Offline Installation, click on the link under it which says "jre-6u17-windows-i586.exe" and save the downloaded file to your desktop.
  • Go to Start => Control Panel => Add or Remove Programs
  • Uninstall all old versions of Java (Java 3 Runtime Environment, JRE or JSE) listed below in the code box.
    Code:
    J2SE Runtime Environment 5.0 Update 10
    J2SE Runtime Environment 5.0 Update 11
    J2SE Runtime Environment 5.0 Update 3
    J2SE Runtime Environment 5.0 Update 7
    J2SE Runtime Environment 5.0 Update 9
    Java(TM) 6 Update 15
    Java(TM) 6 Update 2
    Java(TM) 6 Update 3
    Java(TM) 6 Update 5
    Java(TM) 6 Update 7
    Java(TM) SE Runtime Environment 6 Update 1
    
  • Install the new version by running the newly-downloaded file with the java icon which will be at your desktop, and follow the on-screen instructions.
  • Reboot your computer

ESET Online Scanner

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however need to disable your current installed Anti-Virus, how to do so can be read here.

Vista users: You will need to right-click on either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.
  • Please go here then click on:
    Quote:
    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.
  • Select the option YES, I accept the Terms of Use then click on:
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on:
  • The virus signature database... will begin to download. Be patient, this may take some time depending on the speed of your Internet Connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
  • Now click on:
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.
Note: Do not forget to re-enable your Anti-Virus application after running the above scan!


Please reply with:-
  • ESET log
  • New HJT log
wannabeageek
Junior Member with 12 posts.
Join Date: Nov 2009
Experience: Intermediate
21-Nov-2009, 09:54 AM #10
Quote:
Please reply with:-
  • ESET log
  • New HJT log
I replaced the java and the adobe installs as requested and have complied with the above.
Attachment Blocked
muppy03
Senior Member with 1,881 posts.
Join Date: Jun 2006
Location: Australia
Experience: gettin there
21-Nov-2009, 08:42 PM #11
Things are looking good, are you having any problems apart from the guest account issues?

My next question would be regarding an active desktop item:-
  • O24 - Desktop Component 0: (no name) - file:///D:/Documents%20and%20Settings/rachel%20hall/My%20Documents/My%20Pictures/Copy%20of%20Jeremy%20Camp%203.bmp

Was this set by you? If not do the following:-

Open Hijack This and select Do a System Scan Only place a check next to the below lines if still present
  • O24 - Desktop Component 0: (no name) - file:///D:/Documents%20and%20Settings/rachel%20hall/My%20Documents/My%20Pictures/Copy%20of%20Jeremy%20Camp%203.bmp

Once selected, close all windows except HJT and click on Fix Checked
  • Then Go to Start > Control Panel > Display Properties > Desktop > Customize Desktop... > Web tab.
    Uncheck and Delete everything you find in there. (Except for "My Current Home Page.")


ESET found infection in some of your LIMEWIRE downloads.

Download and Run OTM.exe

Download OTM.exe by Old Timer and save it to your Desktop.
  • Double-click OTM.exe. (Vista users, please right click on OTM.exe and select "Run as an Administrator")
  • Copy the lines in the codebox below.
Code:
:Files
D:\Documents and Settings\rachel hall\My Documents\LimeWire\Incomplete\T-4620425-bad day chipmonks.mp3	
D:\Documents and Settings\rachel hall\My Documents\LimeWire\Incomplete\T-5158097-karaoke tim mcgraw taylor.au	
D:\Documents and Settings\rachel hall\My Documents\LimeWire\Saved\think tim mcgraw instrumental [extended concert version].mp3	
D:\Documents and Settings\rachel hall\My Documents\LimeWire\Saved\think tim mcgraw instrumental.mp3	

:Commands

[EmptyTemp]
[Start Explorer]
[Reboot]
  • Return to OTM.exe, right click in the Paste Instructions for Items to be Moved window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar), and paste it in your next reply.
  • Close OTM.exe

Please reply with:-
  • Combofix log
  • New HJT log
  • Update on any remaining issues.
wannabeageek
Junior Member with 12 posts.
Join Date: Nov 2009
Experience: Intermediate
21-Nov-2009, 11:12 PM #12
Quote:
Please reply with:-
  • Combofix log
  • New HJT log
  • Update on any remaining issues.
I have complied with the above request.

The issue with the Device Manager MFC not loading is a Philips device driver problem.
I am not sure how to fix the guest account problem, unless it is done in administrator mode. There is no internet, or access to any system programs and applications. I wanted the guest account to be a limited account, but I did want it to have internet access. If there is a site or resource you could point out for me, I would be happy to tackle it myself.
This is the system summary.
I should have provided it sooner. This also may be why the system is slow. It is old.

OS Name Microsoft Windows XP Home Edition
Version 5.1.2600 Service Pack 2 Build 2600
OS Manufacturer Microsoft Corporation
System Name USER3
System Manufacturer MICRO-STAR INTERNATIONAL CO., LTD
System Model 8366-8233
System Type X86-based PC
Processor x86 Family 6 Model 8 Stepping 0 AuthenticAMD ~1544 Mhz
BIOS Version/Date Award Software International, Inc. 6.00 PG, 10/28/2002
SMBIOS Version 2.2
Windows Directory D:\WINDOWS
System Directory D:\WINDOWS\system32
Boot Device \Device\HarddiskVolume1
Locale United States
Hardware Abstraction Layer Version = "5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)"
User Name USER3\rachel hall
Time Zone Pacific Standard Time
Total Physical Memory 256.00 MB
Available Physical Memory 16.11 MB
Total Virtual Memory 2.00 GB
Available Virtual Memory 1.96 GB
Page File Space 618.25 MB
Page File D:\pagefile.sys
Attachment Blocked
muppy03
Senior Member with 1,881 posts.
Join Date: Jun 2006
Location: Australia
Experience: gettin there
22-Nov-2009, 12:21 AM #13
Quote:
I am not sure how ti fix the guest account problem
Create a new guest account and see if that clears your problems. If all is good you can then delete the corrupted one.

To make a new one, click Start, then Control Panel, then User Accounts.
Click on Create a New account, call it Guest1 for example. Follow the prompts to make it a limited user and create it.

Log into it and see if all is good, if it works as you want then you can delete the old one.

As for the Philips Device Manager, try uninstalling and reinstalling.

Other than that, Malware wise things are looking good, so if you are not having any further problems, I would suggest you proceed as follows.


Remove Combofix
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK ( please note the space between Combofix and the /,it is needed)
The above procedure will reset your System Restore and clear out the backups and quarantines created during the course of this fix.

Let's clear out the programs we've been using to clean up your computer, they are not suitable for general malware removal and could cause damage if used inappropriately.
  • Double-click OTM.exe. (Vista users, please right click on OTM.exe and select "Run as an Administrator")
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes, if not delete it by yourself.

Now that the infection is gone, let's try to keep it that way by following the below recommendations.

Make your Internet Explorer more secure - This can be done by following these simple instructions:
  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
    • Change the Download signed ActiveX controls to Prompt
    • Change the Download unsigned ActiveX controls to Disable
    • Change the Initialise and script ActiveX controls not marked as safe to Disable
    • Change the Installation of desktop items to Prompt
    • Change the Launching programs and files in an IFRAME to Prompt
    • Change the Navigate sub-frames across different domains to Prompt
    • When all these settings have been made, click on the OK button.
    • If it prompts you as to whether or not you want to save the settings, press the Yes button.

Here are some free programs I recommend that could help you improve your computer's security.

Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system. If you do not update your anti virus software then it will not be able to catch any of the new variants that may come out.

You can use one of these sites to check if any updates are needed for your PC.
Secunia Software Inspector
F-secure Health Check

Install WinPatrol
Download it from here
Here you can find information about how WinPatrol works

Read some information here how to prevent Malware.


Please reply if you have any problems or questions, and let me know how the NEW guest account goes.
wannabeageek
Junior Member with 12 posts.
Join Date: Nov 2009
Experience: Intermediate
22-Nov-2009, 08:11 PM #14
Because the Combofix found and fixed a file that was infected, I am including the log and a new HijackThis log.

The internet explorer is already configured the way you asked.

Let me know what you recommend for a viral protection program. As AVG does not seem to do the job it used to.

I was using windows defender and AVG, but the WD program was causing very bad lag issues.

I downloaded WinPatrol and installed it. I will give another update on the guest account issue.

My daughter says the machine is running better.

There are a bunch of updates missing. I will get them installed ASAP. This may be why the machine is so vulnerable to viri.
muppy03's Avatar
Senior Member with 1,881 posts.
 
Join Date: Jun 2006
Location: Australia
Experience: gettin there
22-Nov-2009, 09:58 PM #15
These days there is no one Antivirus that will protect you from all that is out there. Surfing habits play a huge part in staying clean. Being wary of what is downloaded and what link is clicked is part of the ‘staying safe process.’

NOD32 is deemed a good antivirus but that one is not free. I use Avira which is free and have no problems, but as I mentioned surfing habits play a part in it.

Malwarebytes' Anti-Malware is a great tool to have on board. Run it weekly or whenever you feel that something could be wrong. It will clear out most things without having to go any further.

Another that I use, and that can be used daily, weekly etc., is ATF (Atribune Temp File) Cleaner© by Atribune. Very small, sits on the desktop, very easy to use and usually takes less than a minute.

I agree, no need for Windows Defender, quite a resource hog as is AVG.

I am concerned that Combofix ran and found something after we had finished cleaning, but the logs all look good now.

I think you should manually clear your System Restore Points.

Please create a new Restore Point.
To do this:
  • Click Start -> All Programs -> Accessories -> System Tools -> System Restore
  • Choose the Create a restore point option then click on next
  • You can name your restore point something like All clean then select create
  • Once the Restore Point has been created you can hit close

Since we have created a New and Clean Restore Point, I would like you to remove all the Old Restore Points as some of these are infected and if used would re-infect your computer.

To do this:
  • Click Start, then click on My Computer. Right-click Local Disk (C:), then select Properties.
  • Click on Disk Cleanup. A box will open scanning your files. This could take a few minutes.
  • Once the scan is complete another window will appear. Select the More Options tab.
  • Under System Restore select Clean up. This will remove all System Restore points except for the most recent one, the one we created earlier.

I hope the above helps.
__________________
Teacher - Malware Removal University - You too could train to help others

Topics not replied to within 3 days will be removed from my Subscribed Threads List