Solved: Internet Explorer Redirect Problem - Please help!

muppy03 (Senior Member with 1,879 posts; Join Date: Jun 2006; Location: Australia; Experience: gettin there)
28-Nov-2009, 06:25 PM #16
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:
    :DIR
    C:\bcdc8b5afbfe09f762629c7954
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Download and Run OTM.exe

Download OTM.exe by Old Timer and save it to your Desktop.
  • Double-click OTM.exe. (Vista users, please right click on OTM.exe and select "Run as an Administrator")
  • Copy the lines in the codebox below.
Code:
:Files
c:\windows\system32\drivers\xbyhiqsf.sys

:Reg
[-HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AntiVirus Plus.lnk]
[-HKLM\~\startupfolder\C:^Documents and Settings^sams club.YOUR-4DACD0EA75^Start Menu^Programs^Startup^AntiVirus Plus.lnk]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\brastk]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\braviax]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GetModule27]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GetPack24]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Home Antivirus 2010]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PromoReg]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\system tool]


:Commands

[EmptyTemp]
[Start Explorer]
[Reboot]
  • Return to OTM.exe, right click in the Paste Instructions for Items to be Moved window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar), and paste it in your next reply.
  • Close OTM.exe


Please reply with:-
  • System look txt
  • OTM log
  • New HJT log
  • Update on problems
lianapan (Junior Member with 24 posts; THREAD STARTER; Join Date: Nov 2009)
28-Nov-2009, 09:36 PM #17
Thanks again for the help!!

Ran SystemLook, OTM and HJT. Here are the log files....

I'm not sure if the OTM file is the one you were looking for - the machine rebooted and this is what was there upon reboot. Is this the right file? I couldn't copy and paste what was under the green Results header before the reboot.

Other problems....
I got a message that Symantec is turned off in a lower right hand corner bubble. It said "click this balloon to turn on" but it went away and I didn't click the balloon. I checked if I could get a LiveUpdate and that still is failing. Should I reinstall Symantec?

I am also getting a message when opening IE: "A program on your computer has corrupted your default search provider setting for IE. IE has reset this setting to your original search provider, Google (www.google.com). IE will now open search settings, where you can change this setting or install more search providers. OK" I click OK, cancel out of the search settings screen and it seems to go on OK from that point.

Outlook wouldn't let me Send/Receive emails. It said that I did not have the "appropriate permissions". I searched the MS knowledge base and found a suggestion to create a new profile. With the new profile send/receive seems to work again.

Thanks again!!!
Attachment Blocked
Attachments in the HJT forum are often designed to solve a specific issue and not meant to be used without instructions specific to your computer. If you want help specific to your computer, please post a HiJackThis Log. If you started this thread, please make sure you are logged in to be able to view attachments.
muppy03 (Senior Member with 1,879 posts; Join Date: Jun 2006; Location: Australia; Experience: gettin there)
28-Nov-2009, 10:25 PM #18
Please delete the C:\RSIT folder, reboot, then run RSIT again and post both logs please.

Also, have you been doing anything else or following another's instructions in between?
lianapan (Junior Member with 24 posts; THREAD STARTER; Join Date: Nov 2009)
28-Nov-2009, 11:05 PM #19
Removed RSIT folder and ran RSIT and here are the two files.

The only thing I've tried to do myself is figure out why Outlook didn't let me get email so I ran detect and repair and poked around in control panel's email setting. There was a "messaging queue" setting that I thought had something to do with Outlook before I found the knowledge base article suggesting to set up new profile which seemed to work.

The only other thing I've done is to try to run Symantec's Live Update which still failed.

This is my daughter's computer and a few days ago she tried to run an Apple (iPod) update but I asked her not to do anything after that until we get this straightened out.

Lastly I have a yellow shield with an exclamation mark that says that there are updates waiting for the computer and to "click here when ready to install" which I have not done yet.

That's all - please let me know if you are seeing something particularly odd.

Thanks!!
lianapan (Junior Member with 24 posts; THREAD STARTER; Join Date: Nov 2009)
28-Nov-2009, 11:20 PM #20
I see a Windows Defender running - it was something that I downloaded before I contacted this forum. It appeared to be a Microsoft provided service but is it legit? Was I redirected there and should it be removed? Is it really MS's?
muppy03 (Senior Member with 1,879 posts; Join Date: Jun 2006; Location: Australia; Experience: gettin there)
28-Nov-2009, 11:58 PM #21
Quote:
That's all - please let me know if you are seeing something particularly odd.
No, nothing particularly odd.

Quote:
I checked if I could get a LiveUpdate and that still is failing. Should I reinstall Symantec?
You in effect turned LiveUpdate off when you disabled the services. It appears to be still off. Please enable all that you disabled. Once it is enabled try and see if it will update, but do not run a scan yet.

Quote:
There was a "messaging queue" setting that I thought had something to do with Outlook
You can turn this back off, since all is OK now.

Quote:
there are updates waiting for the computer and to "click here when ready to install" which I have not done yet.
Install away, it might fix the search page error.

Quote:
I see a Windows Defender running - it was something that I downloaded before I contacted this forum. It appeared to be a Microsoft provided service but is it legit? Was I redirected there and should it be removed? Is it really MS's?
It is a legit program, but I find it a bit useless for XP and a huge resource hog. I would go to Add/Remove Programs and uninstall it; it is not really needed.

While there also uninstall WildTangent Web Driver.

Do you use AOL?

You should Download and Install the newest version of Adobe Reader for reading pdf files, due to the vulnerabilities in earlier versions.
All versions numbered lower than 9.2 are vulnerable.
  • Go HERE and click on AdbeRdr920_en_US.exe to download the latest version of Adobe Acrobat Reader.
  • Save this file to your desktop and run it to install the latest version of Adobe Reader.

Update Java Runtime

You are using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version. For this reason, it's extremely important that you keep the program up to date, and also remove the older more vulnerable versions from your system. The most current version of Sun Java is: Java Runtime Environment Version 6 Update 17.
  • Go to Java Site
  • Click to Download Java SE Runtime Environment (JRE) 6 Update 17
  • In Platform box choose Windows.
  • Check the box to Accept License Agreement and click Continue.
  • Click on Windows Offline Installation, click on the link under it which says "jre-6u17-windows-i586.exe" and save the downloaded file to your desktop.
  • Go to Start => Control Panel => Add or Remove Programs
  • Uninstall all old versions of Java (Java 3 Runtime Environment, JRE or JSE) listed below in the code box.
    Code:
    J2SE Runtime Environment 5.0 Update 5
    Java(TM) 6 Update 13
    Java(TM) 6 Update 2
  • Install the new version by running the newly-downloaded file with the java icon which will be at your desktop, and follow the on-screen instructions.
  • Reboot your computer

Once the above is done please post back a NEW HJT and another update of problems.
lianapan (Junior Member with 24 posts; THREAD STARTER; Join Date: Nov 2009)
29-Nov-2009, 10:24 AM #22
Thanks again!!

Uninstalled Windows Defender and Wild Tangent. During the Wild Tangent uninstall I received a warning that B~NSISU.exe has encountered a problem and needs to close.

Installed Adobe update. Removed old Java and installed new Java. Restarted the machine.

Here's the HJT log.

I'm still getting the error that "A program on your computer has corrupted your default search provider, Google (www.google.com)..."
It takes me to a screen where it shows the search providers and Google is the default but I can't seem to change anything. Should I uninstall Google Toolbar through Add/Remove Programs (control panel)?

I also got a Redirect warning. This is something new. A screen came up saying that I was about to be redirected to invoices-templates.com and it asked if I wanted to continue or return to the prior screen. This is all good except that the redirect is still happening, but at least there is a warning!

Thanks!!
lianapan (Junior Member with 24 posts; THREAD STARTER; Join Date: Nov 2009)
29-Nov-2009, 03:51 PM #23
I am still getting the corrupted search provider - here's a screen shot of the add-ons manager. I can't seem to change the default to be something other than Google even if I select one of the other search providers. Does this have something to do with the redirects?

I also just got a screen that said "Message from Webpage"

Message, bad grammar and all.....
"Your computer remains infected by viruses! They can cause data loss and file damages and need to be cured as soon as possible. Return to System Security and download it secure to your PC" OK or Cancel

I also had at the same time a Scan Results screen - Windows Security has detected 159 threats.
Win32.Netsky.Q (18)
SoapHoax Spyware (23)
Win32/Bagel.HE.worm (158)

I used task manager to close those screens.


I went to msconfig to see what I could turn back on so that Symantec could get live updates. I noticed in the Startup tab something that wasn't there before but looks suspicious --- regsvr32/s mqrt. Is it suspicious?

Last time this happened (Symantec failing to get Live Updates) I uninstalled it and reinstalled it. Should I try that now or wait?

Thanks!!!!
muppy03 (Senior Member with 1,879 posts; Join Date: Jun 2006; Location: Australia; Experience: gettin there)
29-Nov-2009, 04:23 PM #24
Unfortunately the infection you had could have made quite a few system changes that we will never find. Tools we use can remove the infection but will not always point out to us what changes have been made.

Quote:
Windows Security has detected 159 threats
Check what the file path is. At this stage I would say it is reporting infection from the quarantine files that we have not removed yet.

Quote:
regsvr32/s mqrt. Is it suspicious?
That is from the changes you made to Outlook for the message queuing.

Quote:
I'm still getting the error that "A program on your computer has corrupted your default search provider
This appears to be some kind of Microsoft bug rather than malware. Has it been happening for a long time or recently?

Try uninstalling and reinstalling Symantec, it could well have been corrupted by the infections.

After uninstalling through add/remove run the Norton installer to make sure it is all removed before re-installing.

Please go to this -page- and select the product you have
  1. Download the Norton Removal Tool. Save the file to the Windows desktop.
  2. On the Windows desktop, double-click the Norton Removal Tool icon.
  3. Follow the on-screen instructions. Your computer may be restarted more than once, and you may be asked to repeat some steps after the computer restarts.

HostXpert
Download HostXpert from here & save it to your desktop
  • Right click on HostsXpert.zip and select Extract All...
  • Click Next on seeing the Welcome to the Compressed (zipped) Folders Extraction Wizard
  • Click on the Browse button. Click on Desktop. Then click OK
  • Once done, check (tick) the Show extracted files box and click Finish
  • Once extracted, HostsXpert folder will open
  • Double click on HostsXpert.exe to start it
  • On your left hand side, click on Restore MS Hosts File
  • Exit HostsXpert

Kaspersky Online Scan
Do an online scan with Kaspersky Online Scanner
  • Read through the requirements and privacy statement and click on Accept button
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run
  • When the downloads have finished, click on Settings
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan
  • Once the scan is complete, it will display the results. Click on View Scan Report
  • You will see a list of infected items there. Click on Save Report As...
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button
  • Please post this log in your next reply


Re-run RSIT; one log shall be produced this time. Please post it.

Please reply with:-
  • Kaspersky log
  • RSIT log
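Restoring the MS hosts file, as the HostsXpert step above does, discards whatever was written to the file without showing it. Here is an added audit (my own example, not HostsXpert's code or anything from this thread) that parses hosts-file text and separates hosts pinned to loopback, which makes a site unreachable, from hosts pointed at a foreign address, which redirects them; the sample hosts content, including the 203.0.113.10 address, is constructed.

```python
import ipaddress
import re

# Constructed sample hosts file, not taken from the thread. The first entry is
# the only one a stock Windows XP hosts file carries; the rest model the kind
# of entries a hijacker adds (vendor sites blocked, search sites redirected).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.symantec.com
127.0.0.1       liveupdate.symantecliveupdate.com   # blocks updates
203.0.113.10    www.google.com
203.0.113.10    search.yahoo.com
"""


def parse_hosts(text):
    """Return (ip, hostname) pairs; comments, blanks and unparsable IPs are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = re.split(r"\s+", line)
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                           # not an address: ignore the line
        for name in parts[1:]:                 # one IP may map several names
            entries.append((ip, name.lower()))
    return entries


def audit_hosts(text):
    """Classify every entry that is not the default localhost mapping.

    'blocked'    : host pinned to a loopback address (site becomes unreachable)
    'redirected' : host sent to some other address (site is silently replaced)
    """
    findings = []
    for ip, name in parse_hosts(text):
        if ip.is_loopback and name == "localhost":
            continue                           # the stock entry, nothing to report
        kind = "blocked" if ip.is_loopback else "redirected"
        findings.append({"host": name, "ip": str(ip), "kind": kind})
    return findings


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"{f['kind']:10} {f['host']} -> {f['ip']}")
```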
lianapan (Junior Member with 24 posts; THREAD STARTER; Join Date: Nov 2009)
29-Nov-2009, 08:39 PM #25
Uninstalled Symantec and ran the Norton Uninstaller. Reinstalled Symantec and I can not get the Live updates! Yeah!!!

Ran HostXpert without a problem.

Disabled Symantec but can't seem to run Kaspersky. Error message is ...
"Message from webpage
Launch of the Java application is interupted! Please establish an uninterupted Internet Connection for work with this program. OK"

"Message from webpage" is the same heading I got earlier today with what appeared to be fake virus alerts.

I did successfully update Java from an earlier post.

Since Kaspersky didn't run successfully I didn't run RSIT yet so no logs to post. What do you suggest for the Java issue with Kaspersky?


I also did a little research on corrupt search provider. Appears to be IE 8 issue. One of the suggested fixes involves a change to a registry key. I didn't want to do it without checking to see if that would be Ok to try.

Thanks for hanging in there with me!!
lianapan (Junior Member with 24 posts; THREAD STARTER; Join Date: Nov 2009)
29-Nov-2009, 08:41 PM #26
OOOPPS!! I meant to say that I can NOW get Symantec live updates. I typed "not" rather than "now" which is not what I meant. Symantec can now get live updates.
lianapan (Junior Member with 24 posts; THREAD STARTER; Join Date: Nov 2009)
29-Nov-2009, 08:53 PM #27
Here's a new HJT log. A day or so ago you told me to check the row with vmodlms in it and hit Fix Checked. However I had a problem and we ran some other stuff and it seemed to be gone. I think it was in O4 but now it appears in O16.
O16 - DPF: {1A595EDD-978A-48C7-B730-AF3B9CC64DAB} (DLManager Class) - https://vmodlms.widerthanam.com/comp...WDLManager.cab

Should I check it in HJT and Fix checked?

Thanks!!
lianapan (Junior Member with 24 posts; THREAD STARTER; Join Date: Nov 2009)
29-Nov-2009, 09:52 PM #28
Sorry for the additional post but I wanted to let you know that I read through the earlier post and vmodlms was in O16 not O4, so I went ahead and hit Fix Checked in HJT. Here's a new log.

Twice while reading other discussion threads I have gotten a pop up for "Download Registry Defender". I used task manager to end the process since I'm leery of clicking on those fake pages even to close them.

I also noticed that after rebooting there is high CPU usage (close to 100%) going to DoScan.exe. Then the process is gone.
muppy03 (Senior Member with 1,879 posts; Join Date: Jun 2006; Location: Australia; Experience: gettin there)
30-Nov-2009, 03:21 AM #29
Quote:
I meant to say that I can NOW get Symantec live updates
Excellent!!!!

DoScan.exe is a part of Symantec. Unfortunately Symantec is a huge resource hog. You appear to be using the corporate version too?

Quote:
I also did a little research on corrupt search provider. Appears to be IE 8 issue.
That's what I turn up also. Leave it till we finish cleaning, then maybe the XP forum will be able to help with it.

Quote:
"Message from webpage" is the same heading I got earlier today with what appeared to be fake virus alerts.
From Kaspersky webpage? Have you had any other fake virus alerts or re-direct?

Please try ESET instead of Kaspersky. Let's see what it turns up and then we can go from there.

ESET Online Scanner

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however need to disable your current installed Anti-Virus, how to do so can be read here.

Vista users: You will need to right-click on either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.
  • Please go here then click on:
    Quote:
    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.
  • Select the option YES, I accept the Terms of Use then click on:
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on:
  • The virus signature database... will begin to download. Be patient, this may take some time depending on the speed of your Internet Connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
  • Now click on:
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.
Note: Do not forget to re-enable your Anti-Virus application after running the above scan!
lianapan (Junior Member with 24 posts; THREAD STARTER; Join Date: Nov 2009)
30-Nov-2009, 11:49 AM #30
ESET ran and here's the content of the log.txt. To answer your question about the window that popped up for "Download Registry Defender" and the redirect, it wasn't while on the Kaspersky web site. I was just reading other forum entries when the Download Registry Defender popped up. The redirect was from clicking links from Google searches. Thanks so much!! I can't tell you how much I appreciate this help!!

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# IEXPLORE.EXE=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=954aed8e436d494896ed0b1afcbfd39c
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2009-11-30 02:49:03
# local_time=2009-11-30 09:49:03 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 15700024 15700024 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=220995
# found=1
# cleaned=0
# scan_time=11669
C:\Qoobox\Quarantine\C\Documents and Settings\sams club.YOUR-4DACD0EA75\Local Settings\Application Data\xxkrxi\dbwysysguard.exe.vir a variant of Win32/Kryptik.BCR trojan 00000000000000000000000000000000 I
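The log above is the shape ESET Online Scanner writes: `# key=value` header lines followed by one line per detection (path, threat text, 32-hex sample hash, flag). Here is an added parser (example code, not ESET's and not from this thread) that reads that format and sorts detections into ones sitting under a quarantine folder, which is what muppy03 expected the earlier 159 "threats" to be, versus live ones, and cross-checks the `found=` count and `remove_checked=` flag. The C:\Qoobox\Quarantine root is the path seen in the posted log; C:\_OTM\MovedFiles is assumed here to be where OTM moves files; the sample log lines, paths, threat names and hashes are constructed.

```python
import re

# Constructed sample modelled on the posted log: real header keys, made-up detections.
SAMPLE_LOG = """\
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# osver=5.1.2600 NT Service Pack 3
# remove_checked=false
# scanned=220995
# found=3
# cleaned=0
C:\\Qoobox\\Quarantine\\C\\Documents and Settings\\user\\Local Settings\\Application Data\\abc\\guard.exe.vir a variant of Win32/Sample.A trojan 00000000000000000000000000000000 I
C:\\_OTM\\MovedFiles\\11282009_213000\\WINDOWS\\system32\\drivers\\sample.sys Win32/Sample.B trojan 00000000000000000000000000000000 I
C:\\Documents and Settings\\user\\Local Settings\\Temp\\setup.exe a variant of Win32/Sample.C application 00000000000000000000000000000000 I
"""

# One detection line. The path may contain spaces, so it is matched lazily and
# the threat text is forbidden from containing a backslash, which forces every
# backslash into the path group.
DETECTION = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?)\s+"      # drive-letter path, may hold spaces
    r"(?P<threat>[^\\]+?)\s+"            # threat description, no backslashes
    r"(?P<hash>[0-9a-fA-F]{32})\s+"      # sample hash (all zeros in the real log)
    r"(?P<flags>\S+)$"                   # trailing flag, e.g. I
)

QUARANTINE_ROOTS = (
    "c:\\qoobox\\quarantine\\",  # ComboFix quarantine, as seen in the posted log
    "c:\\_otm\\movedfiles\\",    # assumption: folder OTM moves files into
)


def parse_eset_log(text):
    """Split the log into a header dict and a list of detection dicts."""
    header, detections = {}, []
    for line in text.splitlines():
        if line.startswith("# "):
            key, _, value = line[2:].partition("=")
            header[key] = value              # later duplicate keys overwrite earlier
            continue
        m = DETECTION.match(line)
        if m:
            detections.append(m.groupdict())
    return header, detections


def triage(text):
    """Separate live detections from quarantined leftovers and sanity-check the header."""
    header, detections = parse_eset_log(text)
    live, quarantined = [], []
    for d in detections:
        bucket = quarantined if d["path"].lower().startswith(QUARANTINE_ROOTS) else live
        bucket.append(d)
    return {
        "live": live,
        "quarantined": quarantined,
        # the scanner's own count should equal the detection lines we parsed
        "found_matches": header.get("found") == str(len(detections)),
        "removal_was_enabled": header.get("remove_checked") == "true",
    }


if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    for d in r["live"]:
        print("LIVE       ", d["path"], "|", d["threat"])
    for d in r["quarantined"]:
        print("QUARANTINED", d["path"], "|", d["threat"])
```

Detections under a quarantine root are leftovers of an earlier removal and can be cleared by deleting that folder once the cleanup is finished; a detection outside those roots is the one worth chasing.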