Old 04-07-2009, 07:01 PM   #1 (permalink)
Registered User
 
Join Date: Apr 2009
Posts: 8
OS: xp


seneka, ndler2, browser hijack at Google

Standalone Dell Dimension 4700 running XP SP2 with cable connection to Internet. 2.8 GHz Pentium processor, 512 MB RAM, 70 and 20 GB hard drives. Email programs used are Outlook Express and Thunderbird. Browsers most used are Opera and Firefox, IE rarely. Symptoms follow.

Processes with random-string filenames sporadically start in Task Manager and proceed to continuously use 40-50% of processing power. Also sometimes it's a cmd.exe that does this. Other times ndler2.exe

Similarly-named processes sporadically seek Internet access, as I am informed by McAfee Personal Firewall.

Clicks on search results from Google yield completely other sites than what's listed.

Sluggishness in machine function, including network responsivity.

Machine has shut itself down on two or three occasions in the last couple days.

I've been hacking around at this myself and am usually pretty careful not to go beyond what I understand, but this thing is obviously beyond my skill level and weariness is setting in. I was considering a whole new installation until I started reading about ComboFix and your assistance program. Have spent most of the afternoon reading thread 360536 Vundo!grb-trojan-keeps-coming-back. I must be a geek at heart since I found it pretty engaging reading, like a mystery novel (sort of :-).

Anyway, it looks like there's a lot of need out there. Hope somebody can get to me soon. Thanks. Day


DDS (Ver_09-03-16.01) - NTFSx86
Run by Dee Huston at 16:19:49.92 on Tue 04/07/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.502.244 [GMT -7:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\system32\msdtc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\McAfee.com\Personal Firewall\MPFTray.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\snmptrap.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\System32\dmadmin.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Neuber TaskMan\TaskMan.exe
C:\Program Files\Opera9\Opera.exe
C:\Documents and Settings\Dee Huston\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/mywaybiz
BHO: {1cd2be82-4e6a-4dec-bb98-922291e73c39} - No File
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: {b7859779-7635-4d0d-879c-62f32cfdbfdc} - No File
mRun: [MPFEXE] "c:\program files\mcafee.com\personal firewall\MPFTray.exe"
dRun: [InetChk] c:\windows\temp\ms1239146156.exe work
dRun: [Java Syncro] c:\documents and settings\networkservice\local settings\application data\zchMiB.exe
dRun: [WinProx32_1] c:\documents and settings\networkservice\application data\psvrr.exe
dRun: [nDler2] \\?\globalroot\systemroot\system32\nDler2.exe
dRunOnce: [RunNarrator] Narrator.exe
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: antimalwareguard.com
Trusted Zone: gomyhit.com
Trusted Zone: antimalwareguard.com
Trusted Zone: gomyhit.com
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1230311704718
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
Notify: igfxcui - igfxsrvc.dll
AppInit_DLLs: c:\windows\system32\dejidono.dll
LSA: Notification Packages = scecli c:\windows\system32\dejidono.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\deehus~1\applic~1\mozilla\firefox\profiles\ek174873.default\
FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll

============= SERVICES / DRIVERS ===============

S1 AEC671X;AEC671X;c:\windows\system32\drivers\aec671x.sys [2008-5-23 12128]
S1 DMX3191;DMX3191;c:\windows\system32\drivers\dmx3191.sys [2008-5-23 17540]
S2 UDNT;UDNT;c:\windows\system32\drivers\udnt.sys [2008-7-9 76260]
S4 McDetect.exe;McAfee WSC Integration;c:\program files\mcafee.com\agent\Mcdetect.exe [2005-10-21 126976]
S4 McTskshd.exe;McAfee Task Scheduler;c:\progra~1\mcafee.com\agent\mctskshd.exe [2005-10-21 122368]
S4 mcupdmgr.exe;McAfee SecurityCenter Update Manager;c:\progra~1\mcafee.com\agent\mcupdmgr.exe [2005-9-6 245760]
S4 MemeoBackgroundService;MemeoBackgroundService;c:\program files\wd\wd anywhere backup\MemeoBackgroundService.exe [2008-7-10 25824]

============== File Associations ===============

regfile\shell\edit\command="c:\program files\textpad\TXTPAD32.EXE" "%1"

=============== Created Last 30 ================

2009-04-07 16:15 83,456 a------- c:\windows\system32\krbclick1.exe
2009-04-07 14:51 155 a------- c:\windows\system32\SelfDel.bat
2009-04-07 14:51 84,045 a------- c:\windows\system32\ftp_non_crp.exe
2009-04-07 02:18 310 a------- C:\boot.in_
2009-04-06 04:27 66 a------- c:\windows\wininit.ini
2009-04-06 02:06 0 a------- C:\CEPxAC83.tmp
2009-04-06 00:59 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SecTaskMan
2009-04-06 00:58 <DIR> --d----- c:\program files\Neuber TaskMan
2009-04-05 13:39 20,480 a------- c:\windows\system32\nDler2.exe
2009-04-05 00:59 <DIR> --d----- C:\_virus-related
2009-04-04 23:52 229,584 a------- C:\boot.ini - vlaurie.com^computers2^Articles^bootini.htm.pdf
2009-04-03 12:05 <DIR> --d----- c:\docume~1\deehus~1\applic~1\WD
2009-04-03 12:05 <DIR> --ds---- c:\docume~1\alluse~1\applic~1\WD
2009-04-03 12:05 <DIR> --d----- c:\program files\common files\eSellerate
2009-04-03 12:05 <DIR> --d----- c:\program files\WD
2009-04-03 11:49 <DIR> --d----- c:\program files\Western Digital
2009-04-01 14:45 2,148 a------- c:\windows\system32\wpa.dbl
2009-04-01 14:45 33,024 a------- c:\windows\system32\Status.MPF
2009-03-23 13:01 <DIR> --d----- c:\docume~1\deehus~1\applic~1\STOIK
2009-03-21 02:48 <DIR> --d----- c:\docume~1\alluse~1\applic~1\AVS4YOU
2009-03-21 02:48 <DIR> --d----- c:\program files\AVS4YOU
2009-03-21 02:38 <DIR> --d----- c:\program files\mp3DirectCut

==================== Find3M ====================


============= FINISH: 16:20:09.15 ===============

several symptoms I forgot to mention:

on bootup, transient blocks of solid color show up on right and left ends of taskbar

dragged objects (including scroll bars) get hung and the pointer loses them

files saved with name seneka*.* are saved but are invisible to Windows Explorer

The browser Back arrow is taking three clicks to work
Attached Files
File Type: zip attach.zip (4.3 KB, 7 views)

Last edited by amateur; 04-08-2009 at 05:29 AM. Reason: to retain 0-reply status
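The DDS report above contains the entries a responder would flag first: .DEFAULT-hive Run keys (dRun) launching from the NetworkService profile and %windir%\temp, a Run entry behind a \\?\globalroot path, one DLL listed in both AppInit_DLLs and LSA Notification Packages, two Trusted Zone additions, a DisableTaskMgr policy, and fresh executables in system32. The script below is an added example, not part of this thread or of the DDS tool; its rules, the function names and the section names it keys on ("Pseudo HJT Report", "Created Last 30") are assumptions drawn from this log, and the sample input is a subset of the lines above.

```python
# Triage heuristics for two sections of a DDS log. Added example for this thread,
# not part of the DDS tool; the rules are assumptions drawn from the report above.
import re
from dataclasses import dataclass

# Constructed sample: a subset of the lines from the DDS report in the first post.
SAMPLE_DDS = r"""
============== Pseudo HJT Report ===============

mRun: [MPFEXE] "c:\program files\mcafee.com\personal firewall\MPFTray.exe"
dRun: [InetChk] c:\windows\temp\ms1239146156.exe work
dRun: [Java Syncro] c:\documents and settings\networkservice\local settings\application data\zchMiB.exe
dRun: [WinProx32_1] c:\documents and settings\networkservice\application data\psvrr.exe
dRun: [nDler2] \\?\globalroot\systemroot\system32\nDler2.exe
dPolicies-system: DisableTaskMgr = 1 (0x1)
Trusted Zone: antimalwareguard.com
Trusted Zone: gomyhit.com
AppInit_DLLs: c:\windows\system32\dejidono.dll
LSA: Notification Packages = scecli c:\windows\system32\dejidono.dll

=============== Created Last 30 ================

2009-04-07 16:15 83,456 a------- c:\windows\system32\krbclick1.exe
2009-04-07 14:51 155 a------- c:\windows\system32\SelfDel.bat
2009-04-06 00:58 <DIR> --d----- c:\program files\Neuber TaskMan
2009-04-05 13:39 20,480 a------- c:\windows\system32\nDler2.exe
2009-04-01 14:45 2,148 a------- c:\windows\system32\wpa.dbl
"""


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" or "medium"
    rule: str      # why the line was flagged
    line: str      # the log line itself

SECTION_RE = re.compile(r"^=+\s*(?P<name>[^=]+?)\s*=+$")
HJT_RE = re.compile(r"^(?P<kind>[A-Za-z_ -]+?):\s*(?P<body>.*)$")
CREATED_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+(?P<size>[\d,]+|<DIR>)\s+\S+\s+(?P<path>.+)$")

RUN_KINDS = {"uRun", "mRun", "dRun", "uRunOnce", "mRunOnce", "dRunOnce"}
# Locations from which a legitimate autostart binary is not expected to launch.
# dRun entries sit in the .DEFAULT hive, which service accounts (NetworkService,
# LocalService) load, so persistence there runs in a service context at boot.
WRITABLE_FRAGMENTS = ("\\windows\\temp\\", "\\networkservice\\",
                      "\\localservice\\", "\\application data\\")
EXEC_EXT = (".exe", ".dll", ".bat", ".sys", ".scr")


def triage_hjt_line(line):
    # Apply the autostart rules to one "Pseudo HJT Report" line.
    m = HJT_RE.match(line)
    if not m:
        return []
    kind, body = m.group("kind"), m.group("body")
    low = body.lower()
    out = []
    if kind in RUN_KINDS:
        if "\\\\?\\globalroot\\" in low:
            out.append(Finding("high", "Run entry uses a \\\\?\\globalroot path", line))
        if kind.startswith("d") and any(f in low for f in WRITABLE_FRAGMENTS):
            out.append(Finding("high", ".DEFAULT-hive Run entry launches from a writable profile or temp path", line))
    elif kind == "AppInit_DLLs" and body.strip():
        out.append(Finding("high", "AppInit_DLLs injects a DLL into every process that loads user32", line))
    elif kind == "LSA" and "=" in body:
        # A clean XP system lists only scecli here; anything else is loaded into lsass.exe.
        extra = [p for p in body.split("=", 1)[1].split() if p.lower() != "scecli"]
        if extra:
            out.append(Finding("high", "LSA Notification Packages loads non-default DLL: " + " ".join(extra), line))
    elif kind == "Trusted Zone":
        out.append(Finding("medium", "domain added to the IE Trusted Zone: " + body.strip(), line))
    elif kind.endswith("Policies-system") and "disabletaskmgr = 1" in low:
        out.append(Finding("medium", "policy disables Task Manager", line))
    return out


def triage_created_line(line):
    # Flag executables written to system32 within the "Created Last 30" window.
    m = CREATED_RE.match(line)
    if not m or m.group("size") == "<DIR>":
        return []
    path = m.group("path").lower()
    if path.startswith("c:\\windows\\system32\\") and path.endswith(EXEC_EXT):
        return [Finding("medium", "executable recently created in system32", line)]
    return []


def triage_dds(text):
    # Walk the log, track the current section header, apply the per-section rules.
    findings, section = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        sec = SECTION_RE.match(line)
        if sec:
            section = sec.group("name")
        elif section == "Pseudo HJT Report":
            findings.extend(triage_hjt_line(line))
        elif section == "Created Last 30":
            findings.extend(triage_created_line(line))
    return findings
```

Run against the sample, the mRun McAfee entry produces nothing while every dRun, AppInit_DLLs, LSA and Trusted Zone line is reported, so the output is a short worklist rather than the full log.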

Old 04-09-2009, 09:09 AM   #2 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
Join Date: Jun 2006
Location: USA
Posts: 8,171
OS: XP SP3


Re: seneka, ndler2, browser hijack at Google

Hello and welcome to TSF.

One or more of the identified infections is a backdoor trojan.

This type of infection allows hackers to remotely control your computer, log keystrokes, steal critical system information, and download and execute files without your knowledge.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Please read this: How Do I Handle Possible Identify Theft, Internet Fraud, and CC Fraud?

========================

Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

    To disable McAfee Virusscan:
    Please navigate to the system tray on the bottom right hand corner and look for a sign.
    • right-click it -> chose "Exit."
    • a popup will warn that protection will now be disabled. Click on "Yes" to disable the Antivirus guard.

  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
-----------------------------------
Note: Please make sure that your AntiVirus and AntiSpyware applications are re-enabled. A reboot should have done this.


Further info on: How to disable your security applications
__________________
My services are free. However, you can donate to TSF to help keep it running.




Member of ASAP since 2005
Member of UNITE since 2006
Old 04-10-2009, 03:43 AM   #3 (permalink)
Registered User
 
Join Date: Apr 2009
Posts: 8
OS: xp


Re: seneka, ndler2, browser hijack at Google

Okay, here goes. Be back to you when it's done. Thanks for the reply!
Old 04-10-2009, 04:29 AM   #4 (permalink)
Registered User
 
Join Date: Apr 2009
Posts: 8
OS: xp


Re: seneka, ndler2, browser hijack at Google

Here are the most recent developments. I reformatted the 20GB drive and made a second installation of XP. Booting to that installation, I was able to see seneka* filenames on the other drive, which I deleted. (Interestingly, having partitioned the reformatted drive and directed the installer to partition 2, when I returned after being called away I found it had adopted partition 1 of the clean drive as system root. I'd done the same just a few days before - partitioned and installed - but in that instance the system root remained on the drive with the old installation.) Also, I got rid of the orphaned BHOs listed in the DDS report in my previous post.

Some things have improved. The mysterious appearance in Task Manager of CPU-hogging processes seems to have ceased, as have their requests for Internet access. There do still occur, however, what appear to me anomalous spikes in CPU and network usage.

The problem at Google was that, if I moved the mouse pointer over a link while a search-returns page was loading I would see its correct Web address in the status bar, but as soon as the search-returns page had loaded the status bar would display "Looking up v1.adwarefeed.com", after which mouseovers of links on the page would no longer display addresses, only the word "Done". Clicking on a link then would yield a completely different site than that in the search return list.

This redirection seems no longer to be happening but I continue to see the status bar message about looking for v1.adwarefeed.com and page-wait time has increased by a multiple of at least four. In the same sluggish vein, shutdown time has greatly increased and now includes a new "Closing Network Connections" message that I've never seen before.

The graphical and mouse anomalies continue.

Also, ComboFix was not able to make a Restore Point (at least so far as I can see). System Restore has not been working for at least the last couple of weeks. I don't know why not.


ComboFix 09-04-04.01 - Dee Huston 2009-04-10 2:51:35.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.502.299 [GMT -7:00]
Running from: c:\documents and settings\Dee Huston\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\system32\mdm.exe

----- BITS: Possible infected sites -----

hxxp://82.98.235.205
.
((((((((((((((((((((((((( Files Created from 2009-03-10 to 2009-04-10 )))))))))))))))))))))))))))))))
.

2009-04-08 23:04 . 2009-04-08 23:04 <DIR> d-------- C:\Intel
2009-04-08 23:00 . 2005-01-23 14:30 163,840 --a------ c:\windows\system32\igfxres.dll
2009-04-07 23:17 . 2009-04-10 03:03 2,148 --a------ c:\windows\system32\wpa.dbl
2009-04-07 02:18 . 2009-04-07 02:18 310 --a------ C:\boot.in_
2009-04-06 04:27 . 2009-04-06 08:12 66 --a------ c:\windows\wininit.ini
2009-04-06 02:06 . 2009-04-06 02:06 0 --a------ C:\CEPxAC83.tmp
2009-04-06 00:58 . 2009-04-06 00:59 <DIR> d-------- c:\program files\Neuber TaskMan
2009-04-05 00:59 . 2009-04-09 14:29 <DIR> d-------- C:\_virus-related
2009-04-04 23:52 . 2009-04-04 23:52 229,584 --a------ C:\boot.ini - vlaurie.com^computers2^Articles^bootini.htm.pdf
2009-04-04 23:42 . 2009-04-04 23:42 <DIR> d-------- c:\documents and settings\LocalService\Application Data\AdobeUM
2009-04-03 23:15 . 2009-04-03 23:15 <DIR> d-------- c:\documents and settings\NetworkService\Application Data\AdobeUM
2009-04-03 12:05 . 2009-04-03 12:05 <DIR> d-------- c:\program files\WD
2009-04-03 12:05 . 2009-04-03 12:05 <DIR> d-------- c:\program files\Common Files\eSellerate
2009-04-03 12:05 . 2009-04-03 12:05 <DIR> d-------- c:\documents and settings\Dee Huston\Application Data\WD
2009-04-03 12:05 . 2009-04-03 12:05 <DIR> d---s---- c:\documents and settings\All Users\Application Data\WD
2009-04-03 11:49 . 2009-04-03 11:49 <DIR> d-------- c:\program files\Western Digital
2009-04-02 16:07 . 2009-04-02 16:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\Dell
2009-04-02 15:13 . 2009-04-02 15:13 <DIR> d-------- c:\windows\system32\FxsTmp
2009-04-01 16:54 . 2009-04-01 16:54 <DIR> d-------- c:\documents and settings\NetworkService\Application Data\McAfee.com Personal Firewall
2009-04-01 14:45 . 2009-04-10 03:03 37,152 --a------ c:\windows\system32\Status.MPF
2009-03-23 13:01 . 2009-03-23 13:01 <DIR> d-------- c:\documents and settings\Dee Huston\Application Data\STOIK
2009-03-21 02:48 . 2009-03-22 06:01 <DIR> d-------- c:\program files\AVS4YOU
2009-03-21 02:48 . 2009-03-21 02:48 <DIR> d-------- c:\documents and settings\All Users\Application Data\AVS4YOU
2009-03-21 02:38 . 2009-03-21 02:43 <DIR> d-------- c:\program files\mp3DirectCut

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-08 16:43 --------- d-----w c:\program files\TextPad
2009-04-06 09:05 --------- d-----w c:\program files\Sonique
2009-04-03 19:05 --------- d--h--w c:\program files\InstallShield Installation Information
2009-04-03 19:00 --------- d-----w c:\program files\Google
2009-04-03 18:45 --------- d-----w c:\program files\Thunderbird2
2009-04-03 02:38 --------- d-----w c:\program files\Paint Shop Pro 5
2009-04-03 01:56 --------- d-----w c:\program files\QuickTime
2009-04-02 23:04 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-04-02 23:03 --------- d-----w c:\program files\Audacity1.2.4
2009-04-02 23:02 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-04-02 20:52 --------- d-----w c:\program files\GlaryUtilities
2009-04-01 20:16 --------- d-----w c:\program files\Windows Desktop Search
2009-03-22 13:21 --------- d-----w c:\program files\VLC9.6
2009-03-22 13:01 --------- d-----w c:\program files\Common Files\AVSMedia
2009-03-21 09:48 --------- d-----w c:\documents and settings\Dee Huston\Application Data\AVS4YOU
2009-03-05 14:54 --------- d-----w c:\program files\Intel
2009-03-05 14:54 --------- d-----w c:\program files\Canon
2009-03-05 10:46 --------- d-----w c:\program files\IrfanView3.61
2009-03-05 10:21 --------- d-----w c:\documents and settings\Dee Huston\Application Data\GlarySoft
2009-03-01 05:54 --------- d-----w c:\program files\IrfanView4.20
2009-02-25 11:35 --------- d-----w c:\program files\CyberLink
2009-02-22 11:48 --------- d-----w c:\program files\RAR Extract Frog
2009-02-17 16:49 --------- d-----w c:\program files\Opera9
2009-02-16 10:15 --------- d-----w c:\documents and settings\Dee Huston\Application Data\vlc
2009-02-16 08:43 --------- d-----w c:\program files\IrfanView4.23
2008-11-13 20:20 67,696 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-11-13 20:20 54,376 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-11-13 20:20 34,952 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-11-13 20:20 46,720 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-11-13 20:20 172,144 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MPFEXE"="c:\program files\McAfee.com\Personal Firewall\MPFTray.exe" [2005-11-11 1005096]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-01-23 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-01-23 126976]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WD Anywhere Backup Launcher.lnk]
backup=c:\windows\pss\WD Anywhere Backup Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Dee Huston^Start Menu^Programs^Startup^Shortcut to taskman.exe.lnk]
backup=c:\windows\pss\Shortcut to taskman.exe.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Bart Station
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OmniPage
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpScheduler
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Opware15
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QUAD Scheduler
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QUAD Windows service
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinProx32_1

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
--a------ 2007-09-13 18:50 1603152 c:\program files\Canon\MyPrinter\BJMYPRT.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
--a------ 2006-08-28 21:57 395776 c:\program files\Dell Support\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2005-01-23 14:31 126976 c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2005-01-23 14:36 155648 c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2005-02-16 16:15 221184 c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2005-02-16 16:15 81920 c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
--a------ 2005-09-22 18:29 303104 c:\progra~1\McAfee.com\Agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
--a------ 2006-01-11 12:05 212992 c:\progra~1\McAfee.com\Agent\mcupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPFEXE]
--a------ 2005-11-11 17:00 1005096 c:\progra~1\McAfee.com\PERSON~1\MpfTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSConfig]
--a------ 2004-08-04 03:00 158208 c:\windows\pchealth\helpctr\binaries\msconfig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2005-09-06 19:23 26112 c:\program files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoniqueQuickStart]
--a------ 1999-10-08 22:13 46432 c:\progra~1\Sonique\sqstart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
--a------ 2004-10-14 17:42 1404928 c:\program files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2003-11-19 15:48 32881 c:\program files\Java\j2re1.4.2_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LTMSG]
--a------ 2003-07-14 10:52 40960 c:\windows\ltmsg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WLSetupSvc"=3 (0x3)
"usnjsvc"=3 (0x3)
"NetSvc"=2 (0x2)
"MemeoBackgroundService"=2 (0x2)
"mcupdmgr.exe"=3 (0x3)
"McDetect.exe"=3 (0x3)
"IDriverT"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

S1 AEC671X;AEC671X;c:\windows\system32\drivers\aec671x.sys [2008-05-23 12128]
S1 DMX3191;DMX3191;c:\windows\system32\drivers\dmx3191.sys [2008-05-23 17540]
S2 UDNT;UDNT;c:\windows\system32\drivers\udnt.sys [2008-07-09 76260]
S4 MemeoBackgroundService;MemeoBackgroundService;c:\program files\WD\WD Anywhere Backup\MemeoBackgroundService.exe [2008-07-10 25824]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7a3c99e9-2e03-11dc-aeda-d55ec796d40b}]
\Shell\AutoRun\command - L:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2009-04-01 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\GlaryUtilities\initialize.exe [2009-02-12 17:10]
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-QuickTime Task - c:\program files\QuickTime\qttask.exe
MSConfigStartUp-SSBkgdUpdate - c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe


.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/mywaybiz
FF - ProfilePath - c:\documents and settings\Dee Huston\Application Data\Mozilla\Firefox\Profiles\ek174873.default\
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.
.
------- File Associations -------
.
regfile\shell\edit\command="c:\program files\TextPad\TXTPAD32.EXE" "%1"
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-10 03:03:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
MPFEXE = "c:\program files\McAfee.com\Personal Firewall\MPFTray.exe"?????????????????????????????????????????????????
??????????????????????????????????????????????????????????????????????
??????????????????????????????????????????????????????????????????????
???????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\netdde.exe
c:\windows\system32\msdtc.exe
c:\windows\system32\dllhost.exe
c:\progra~1\McAfee.com\PERSON~1\MpfService.exe
c:\windows\system32\msiexec.exe
c:\windows\system32\tcpsvcs.exe
c:\windows\system32\snmp.exe
c:\windows\system32\snmptrap.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\vssvc.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\progra~1\McAfee.com\PERSON~1\MpfAgent.exe
.
**************************************************************************
.
Completion time: 2009-04-10 3:05:11 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-10 10:05:09

Pre-Run: 66,805,878,784 bytes free
Post-Run: 66,758,578,176 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(1)partition(2)\WINDOWS
[operating systems]
e:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(1)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="testbed" /noexecute=optin /fastdetect /noguiboot /sos

225

Last edited by LonnyRJones; 04-10-2009 at 07:43 AM. Reason: width
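Besides autostart entries, the Reg Loading Points section of the ComboFix log above records weakened security settings: Security Center antivirus and update warnings suppressed, the Windows Firewall standard profile turned off, inbound ICMP echo allowed, and an AutoRun command stored under mountpoints2 for a removable volume. The audit below is an added example, not ComboFix's own code; the function names, which values count as weakened, and the severity labels are assumptions based on this log, and the sample input is constructed from its lines.

```python
# Audit of the 'Reg Loading Points' section of a ComboFix log for weakened
# security settings. Added example, not ComboFix's own code; which values count
# as weakened is an assumption based on the log above.
import re

# Constructed sample: key/value lines copied from the ComboFix report above.
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MPFEXE"="c:\program files\McAfee.com\Personal Firewall\MPFTray.exe" [2005-11-11 1005096]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7a3c99e9-2e03-11dc-aeda-d55ec796d40b}]
\Shell\AutoRun\command - L:\LaunchU3.exe -a
"""

KEY_RE = re.compile(r"^\[(?P<key>.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<val>.*)$')

# (key suffix, value name) -> (value that weakens the setting, explanation).
# Comparisons are case-insensitive. ComboFix prints REG_DWORDs either as
# 'dword:00000001' or as '1 (0x1)'; parse_dword() accepts both renderings.
WEAK_SETTINGS = {
    ("security center", "antivirusdisablenotify"): (1, "Security Center antivirus warnings suppressed"),
    ("security center", "updatesdisablenotify"): (1, "Security Center update warnings suppressed"),
    ("firewallpolicy\\standardprofile", "enablefirewall"): (0, "Windows Firewall disabled (standard profile)"),
    ("standardprofile\\icmpsettings", "allowinboundechorequest"): (1, "inbound ICMP echo requests allowed"),
}


def parse_dword(raw):
    # Return the integer behind a ComboFix DWORD rendering, or None for other value types.
    raw = raw.strip().lower()
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    m = re.match(r"^(\d+)\s*\(0x[0-9a-f]+\)$", raw)
    return int(m.group(1)) if m else None


def audit_reg_section(text):
    # Return (severity, key, explanation) for each weakened setting or AutoRun hook.
    findings, key = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        km = KEY_RE.match(line)
        if km:
            key = km.group("key").lower()
            continue
        # mountpoints2 entries record per-volume AutoRun commands that Explorer will
        # offer when the volume is inserted; they deserve a look, not an automatic verdict.
        if "mountpoints2" in key and "\\shell\\autorun\\command" in line.lower():
            findings.append(("medium", key, "AutoRun command recorded for a mounted volume: " + line))
            continue
        vm = VALUE_RE.match(line)
        if not vm:
            continue
        name, value = vm.group("name").lower(), parse_dword(vm.group("val"))
        for (suffix, vname), (weak, why) in WEAK_SETTINGS.items():
            if name == vname and key.endswith(suffix) and value == weak:
                findings.append(("high", key, why))
    return findings
```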
Old 04-10-2009, 04:48 AM   #5 (permalink)
Registered User
 
Join Date: Apr 2009
Posts: 8
OS: xp


Re: seneka, ndler2, browser hijack at Google

Immediately after posting the CF report I noticed my browser looking up jbrlsr.com, to which site I went in a separate window and found a total blank - not even anything in the page source. I didn't know that could be done. Mean anything to you?
Old 04-11-2009, 05:45 AM   #6 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
Join Date: Jun 2006
Location: USA
Posts: 8,171
OS: XP SP3


Re: seneka, ndler2, browser hijack at Google

Hi,

I missed or didn't get the notification for your post and just saw it while going through my subscribed topics. Did you do all that between the time of your first post and my reply? I would have preferred that you didn't do anything either before or after.

Quote:
Also, ComboFix was not able to make a Restore Point (at least so far as I can see). System Restore has not been working for at least the last couple of weeks. I don't know why not.
Download http://www.kellys-korner-xp.com/regs...temrestore.reg and save it to your desktop. Double click on systemrestore.reg and allow it to merge with the registry. Reboot and see if you can set a system restore point manually.

Click Start Menu > Run > type (or copy and paste)

%SystemRoot%\System32\restore\rstrui.exe

Press OK. Choose Create a Restore Point then click Next. Name it ( something you'll remember) and click Create, when the confirmation screen shows the restore point has been created click Close.

============================

Quote:
This redirection seems no longer to be happening but I continue to see the status bar message about looking for v1.adwarefeed.com.
Quote:
Immediately after posting the CF report I noticed my browser looking up jbrlsr.com
Were these happening on IE or FireFox?

============================

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.

==============================

Quote:
shutdown time has greatly increased and now includes a new "Closing Network Connections" message that I've never seen before.
My research on that says that it's normal and not malware related. Try this utility
__________________
My services are free. However, you can donate to TSF to help keep it running.




Member of ASAP since 2005
Member of UNITE since 2006
Old 04-11-2009, 12:44 PM   #7 (permalink)
Registered User
 
Join Date: Apr 2009
Posts: 8
OS: xp


Re: seneka, ndler2, browser hijack at Google

Quote:
I missed or didn't get the notification for your post and just saw it while going through my subscribed topics. Did you do all that between the time of your first post and my reply? I would have preferred that you didn't do anything either before or after.
Okay, I will restrain myself from further fiddling. In the spirit of which I should report that yesterday I deleted (after saving them elsewhere) three HKLM CLSID keys and one HKLM TypeLib key related to "eSellerate".

Don't know if this is related, but mouse function has improved.

Quote:
Download http://www.kellys-korner-xp.com/regs...temrestore.reg and save it to your desktop. Double click on systemrestore.reg and allow it to merge with the registry. Reboot and see if you can set a system restore point manually.
Was able to set a system restore point.

Quote:
Quote:
This redirection seems no longer to be happening but I continue to see the status bar message about looking for v1.adwarefeed.com.

Immediately after posting the CF report I noticed my browser looking up jbrlsr.com
Were these happening on IE or FireFox?
This was with Firefox. Am continuing to observe jbrlsr.com accesses, following various ad-related accesses, with each pageload as I move around TSF.

Quote:
Please download Malwarebytes' Anti-Malware
Report follows. I am also attaching reruns of the DDS and gmer reports in case you may find them useful in light of freelance changes made since the first set (from which I will desist :-).

Malwarebytes' Anti-Malware 1.36
Database version: 1966
Windows 5.1.2600 Service Pack 2

4/11/2009 9:49:28 AM
mbam-log-2009-04-11 (09-49-28).txt

Scan type: Quick Scan
Objects scanned: 67783
Time elapsed: 2 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Thanks for your time and attention!
Attached Files
File Type: zip 2009.04.11 reports.zip (5.8 KB, 1 views)
Old 04-11-2009, 01:33 PM   #8 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
Join Date: Jun 2006
Location: USA
Posts: 8,171
OS: XP SP3


Re: seneka, ndler2, browser hijack at Google

Hi,

Basically, no malware is showing in your logs. However, the errors in your Event Viewer messages suggest that you may have some operating system issues, which are beyond the scope of this forum.

Quote:
This was with Firefox. Am continuing to observe jbrlsr.com accesses, following various ad-related accesses, with each pageload as I move around TSF.
I would suggest that you remove Firefox via Add or Remove Programs in Control Panel. Reboot. Then reinstall Firefox and see if it's still happening.

============================

The following is an old version of java. Old versions have vulnerabilities that can be exploited by malware. Go to Start>Control Panel>Add or Remove Programs and remove it:

Java 2 Runtime Environment, SE v1.4.2_03

Then, go here and download the latest version of Java which is JRE 6 Update 13.

============================

Your "Adobe Reader" is also out of date.
You may want to download the latest version,
Adobe® Reader® 9.

===========================

Please download and run this utility.

Then post the log which it shall produce.

===========================

Establish an internet connection & perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner

**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.
  • Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

=======================

Please post the Kaspersky report along with the services query log.
Are you experiencing any
Old 04-12-2009, 02:48 AM   #9 (permalink)
Registered User
 
Join Date: Apr 2009
Posts: 8
OS: xp


Re: seneka, ndler2, browser hijack at Google

Quote:
I would suggest that you remove FireFox via Add or Remove Programs in Control Panel. Reboot. Then reinstall FireFox and see if it's still happening.
Quote:
The following is an old version of java. Old versions have vulnerabilities that can be exploited by malware. Go to here and download the latest version of Java which is JRE 6 Update 13.
Uninstalled and reinstalled latest versions of browsers, as also the JRE.

Quote:
Please download and run this utility.
Then post the log which it shall produce.
Here it is.

------ REGISTRY:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost]
- HTTPFilter - HTTPFilter
- LocalService - Alerter, WebClient, LmHosts, RemoteRegistry, upnphost, SSDPSRV
- NetworkService - DnsCache
- DcomLaunch - DcomLaunch, TermService
- rpcss - RpcSs
- imgsvc - StiSvc
- termsvcs - TermService
- netsvcs - 6to4, AppMgmt, AudioSrv, Browser, CryptSvc, DMServer, DHCP, ERSvc, EventSystem, FastUserSwitchingCompatibility, HidServ, Ias, Iprip, Irmon, LanmanServer, LanmanWorkstation, Messenger, Netman, Nla, Ntmssvc, NWCWorkstation, Nwsapagent, Rasauto, Rasman, Remoteaccess, Schedule, Seclogon, SENS, Sharedaccess, SRService, Tapisrv, Themes, TrkWks, W32Time, WZCSVC, Wmi, WmdmPmSp, winmgmt, wscsvc, xmlprov, BITS, wuauserv, ShellHWDetection, WmdmPmSN


HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\DComLaunch
CoInitializeSecurityParam REG_DWORD 1 (0x1)
DefaultRpcStackSize REG_DWORD 8 (0x8)

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\HTTPFilter
CoInitializeSecurityParam REG_DWORD 1 (0x1)

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\LocalService
CoInitializeSecurityParam REG_DWORD 1 (0x1)
AuthenticationCapabilities REG_DWORD 8192 (0x2000)

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\netsvcs
CoInitializeSecurityParam REG_DWORD 1 (0x1)
AuthenticationCapabilities REG_DWORD 12320 (0x3020)

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\PCHealth
CoInitializeSecurityParam REG_DWORD 2 (0x2)
AuthenticationCapabilities REG_DWORD 64 (0x40)

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\termsvcs
CoInitializeSecurityParam REG_DWORD 1 (0x1)
DefaultRpcStackSize REG_DWORD 8 (0x8)


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Notification Packages REG_MULTI_SZ scecli\0\0

------ SVCHOST SERVICES NOT RUNNING

STOPPED: AUTO_START: AppMgmt : Application Management
STOPPED: AUTO_START: RemoteAccess : Routing and Remote Access
STOPPED: DEMAND_START: BITS : Background Intelligent Transfer Service
STOPPED: DEMAND_START: Dnscache : DNS Client
STOPPED: DEMAND_START: Schedule : Task Scheduler
STOPPED: DEMAND_START: seclogon : Secondary Logon
STOPPED: DEMAND_START: WmdmPmSN : Portable Media Serial Number Service
STOPPED: DEMAND_START: wscsvc : Security Center
STOPPED: DISABLED: HidServ : Human Interface Device Access
STOPPED: DISABLED: lanmanserver : Server
STOPPED: DISABLED: stisvc : Windows Image Acquisition (WIA)
STOPPED: DISABLED: Themes : Themes
STOPPED: DISABLED: WebClient : WebClient

------ SVCHOST CURRENTLY RUNNING:

772- C:\WINDOWS\system32\svchost -k DcomLaunch
- DcomLaunch : DCOM Server Process Launcher
- TermService : Terminal Services

868- C:\WINDOWS\system32\svchost -k rpcss
- RpcSs : Remote Procedure Call (RPC)

980- C:\WINDOWS\system32\svchost.exe -k netsvcs
- 6to4 : IPv6 Helper Service
- AudioSrv : Windows Audio
- CryptSvc : Cryptographic Services
- Dhcp : DHCP Client
- dmserver : Logical Disk Manager
- ERSvc : Error Reporting Service
- EventSystem : COM+ Event System
- FastUserSwitchingCompatibility : Fast User Switching Compatibility
- Netman : Network Connections
- Nla : Network Location Awareness (NLA)
- NtmsSvc : Removable Storage
- RasAuto : Remote Access Auto Connection Manager
- RasMan : Remote Access Connection Manager
- SENS : System Event Notification
- SharedAccess : Windows Firewall/Internet Connection Sharing (ICS)
- ShellHWDetection : Shell Hardware Detection
- srservice : System Restore Service
- TapiSrv : Telephony
- TrkWks : Distributed Link Tracking Client
- w32time : Windows Time
- winmgmt : Windows Management Instrumentation
- wuauserv : Automatic Updates
- WZCSVC : Wireless Zero Configuration
- xmlprov : Network Provisioning Service

1060- C:\WINDOWS\system32\svchost.exe -k LocalService
- LmHosts : TCP/IP NetBIOS Helper
- SSDPSRV : SSDP Discovery Service
- upnphost : Universal Plug and Play Device Host

1800- C:\WINDOWS\System32\svchost.exe -k HTTPFilter
- HTTPFilter : HTTP SSL

------ SVCHOST SUB-DEPENDENTS

SSDPSRV = 1
RUNNING: upnphost: Universal Plug and Play Device Host

DMServer = 1
RUNNING: dmadmin: Logical Disk Manager Administrative Service

EventSystem = 1
RUNNING: SENS: System Event Notification

Netman = 1
RUNNING: SharedAccess: Windows Firewall/Internet Connection Sharing (ICS)

Rasman = 1
RUNNING: RasAuto: Remote Access Auto Connection Manager

Tapisrv = 3
RUNNING: RasAuto: Remote Access Auto Connection Manager
RUNNING: RasMan: Remote Access Connection Manager
STOPPED: Fax: Fax

winmgmt = 3
RUNNING: 6to4: IPv6 Helper Service
RUNNING: SharedAccess: Windows Firewall/Internet Connection Sharing (ICS)
STOPPED: wscsvc: Security Center

TermService = 1
RUNNING: FastUserSwitchingCompatibility: Fast User Switching Compatibility

RpcSs = 47
RUNNING: 6to4: IPv6 Helper Service
RUNNING: aawservice: Lavasoft Ad-Aware Service
RUNNING: AudioSrv: Windows Audio
RUNNING: COMSysApp: COM+ System Application
RUNNING: CryptSvc: Cryptographic Services
RUNNING: dmadmin: Logical Disk Manager Administrative Service
RUNNING: dmserver: Logical Disk Manager
RUNNING: ERSvc: Error Reporting Service
RUNNING: EventSystem: COM+ Event System
RUNNING: FastUserSwitchingCompatibility: Fast User Switching Compatibility
RUNNING: MSDTC: Distributed Transaction Coordinator
RUNNING: Netman: Network Connections
RUNNING: NtmsSvc: Removable Storage
RUNNING: ProtectedStorage: Protected Storage
RUNNING: RasAuto: Remote Access Auto Connection Manager
RUNNING: RasMan: Remote Access Connection Manager
RUNNING: SamSs: Security Accounts Manager
RUNNING: SENS: System Event Notification
RUNNING: SharedAccess: Windows Firewall/Internet Connection Sharing (ICS)
RUNNING: ShellHWDetection: Shell Hardware Detection
RUNNING: Spooler: Print Spooler
RUNNING: srservice: System Restore Service
RUNNING: SwPrv: MS Software Shadow Copy Provider
RUNNING: TapiSrv: Telephony
RUNNING: TermService: Terminal Services
RUNNING: TrkWks: Distributed Link Tracking Client
RUNNING: VSS: Volume Shadow Copy
RUNNING: winmgmt: Windows Management Instrumentation
RUNNING: WmiApSrv: WMI Performance Adapter
RUNNING: WZCSVC: Wireless Zero Configuration
RUNNING: xmlprov: Network Provisioning Service
STOPPED: BITS: Background Intelligent Transfer Service
STOPPED: cisvc: Indexing Service
STOPPED: Fax: Fax
STOPPED: HidServ: Human Interface Device Access
STOPPED: McTskshd.exe: McAfee Task Scheduler
STOPPED: mcupdmgr.exe: McAfee SecurityCenter Update Manager
STOPPED: MSIServer: Windows Installer
STOPPED: NetSvc: Intel NCS NetService
STOPPED: PolicyAgent: IPSEC Services
STOPPED: RDSessMgr: Remote Desktop Help Session Manager
STOPPED: RemoteAccess: Routing and Remote Access
STOPPED: RSVP: QoS RSVP
STOPPED: Schedule: Task Scheduler
STOPPED: stisvc: Windows Image Acquisition (WIA)
STOPPED: usnjsvc: Messenger Sharing Folders USN Journal Reader service
STOPPED: wscsvc: Security Center

TermService = 1
RUNNING: FastUserSwitchingCompatibility: Fast User Switching Compatibility

Quote:
Establish an internet connection & perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner
Here it is.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Sunday, April 12, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Sunday, April 12, 2009 04:23:56
Records in database: 2036368
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: no
Scan mail databases: no

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
I:\
J:\
K:\

Scan statistics:
Files scanned: 54434
Threat name: 6
Infected objects: 8
Suspicious objects: 0
Duration of the scan: 00:30:56


File name / Threat name / Threats count
C:\_virus-related\syst32\ftp_non_crp.ex_ Infected: Packed.Win32.PolyCrypt.d 1
C:\_virus-related\syst32\ftp_non_crp.ex__ Infected: Packed.Win32.PolyCrypt.d 1
C:\_virus-related\syst32\krbclick1.ex_ Infected: Trojan.Win32.Agent2.hln 1
C:\_virus-related\syst32\ms1238831118.ex_ Infected: Backdoor.Win32.Rbot.kpe 1
C:\_virus-related\syst32\nDler2.ex_ Infected: Trojan-Dropper.Win32.VB.lhs 1
C:\_virus-related\syst32\senekaiwtmnalx.dl_ Infected: Trojan.Win32.Tdss.sbm 1
C:\_virus-related\syst32\senekatupulrhl.dl_ Infected: Trojan.Win32.Tdss.sbq 1
C:\_virus-related\Tmpor\ms1239146156.ex_ Infected: Trojan.Win32.Agent2.hln 1

So it looks like the malware is gone (except for the above quarantined copies I saved for research and documentation purposes). Yet this machine still has problems.

System Restore appears to be unable to maintain a restore point.

If I try to boot to Recovery Console I get an error saying the hal.dll is missing or corrupt. And yet there it is in the system32 folder - the same as the one in the i386 folder in every way Properties can tell me except they have 2004 Create dates about six hours apart (???), and neither works any better than the other at getting Recovery Console to crank up.

Web pages appear to be loading a little faster, but still are taking four or five times as long as say a month ago, both in Opera and in Firefox. So maybe that is an operating system problem. Any suggestions where to go from here?

Two other things.

What do you make of the call to a totally blank page at jbrlsr.com after every page load?

Do you have a higher resolution copy of your avatar picture, or can you point me to one? The picture looks pretty interesting but is not that easy to see in the thumbnail here.
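Added example (not from this thread or from the services utility): a Python script that performs the check an analyst does by eye on the svchost report above. It parses the Svchost registry groups and the running svchost instances, then flags an svchost.exe running outside System32, a -k group with no registry entry, or a hosted service that is not listed under the group it was started in. The sample report is constructed from the log format above; ExampleRogueSvc and the svchost.exe under Documents and Settings are made-up anomalies so the check has something to flag.

```python
"""Cross-check an XP "svchost services" report of the kind quoted above.

Added example, not the utility's own code.  Parses the REGISTRY and
SVCHOST CURRENTLY RUNNING sections and reports mismatches.
"""
import re

# Constructed sample report mirroring the log format in the thread.  Two
# entries are deliberately anomalous: the made-up service "ExampleRogueSvc"
# and the svchost.exe started from a user profile directory.
SAMPLE_REPORT = r"""
------ REGISTRY:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost]
- HTTPFilter - HTTPFilter
- LocalService - Alerter, WebClient, LmHosts, RemoteRegistry, upnphost, SSDPSRV
- rpcss - RpcSs
- netsvcs - 6to4, AudioSrv, CryptSvc, DMServer, DHCP, EventSystem, Netman, wuauserv

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\netsvcs
CoInitializeSecurityParam REG_DWORD 1 (0x1)

------ SVCHOST SERVICES NOT RUNNING

STOPPED: DEMAND_START: BITS : Background Intelligent Transfer Service

------ SVCHOST CURRENTLY RUNNING:

868- C:\WINDOWS\system32\svchost -k rpcss
- RpcSs : Remote Procedure Call (RPC)

980- C:\WINDOWS\system32\svchost.exe -k netsvcs
- 6to4 : IPv6 Helper Service
- CryptSvc : Cryptographic Services
- Dhcp : DHCP Client
- dmserver : Logical Disk Manager
- ExampleRogueSvc : Constructed service that is not listed under netsvcs

1060- C:\WINDOWS\system32\svchost.exe -k LocalService
- LmHosts : TCP/IP NetBIOS Helper
- SSDPSRV : SSDP Discovery Service

2312- C:\Documents and Settings\user\svchost.exe -k netsvcs
- 6to4 : IPv6 Helper Service

------ SVCHOST SUB-DEPENDENTS
"""

GROUP_RE = re.compile(r"^- (\S+) - (.+)$")              # "- netsvcs - 6to4, AudioSrv, ..."
HOST_RE = re.compile(r"^(\d+)-\s+(.+?)\s+-k\s+(\S+)$")  # "980- C:\...\svchost.exe -k netsvcs"
SVC_RE = re.compile(r"^- (\S+) : (.*)$")                # "- Dhcp : DHCP Client"


def parse_report(text):
    """Return (groups, hosts): group name -> set of service names (lowercased),
    and a list of running svchost instances with pid, path, group, services."""
    groups, hosts, section, current = {}, [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("------ "):
            section = line[len("------ "):].strip().rstrip(":").upper()
            current = None
            continue
        if not line:
            continue
        if section == "REGISTRY":
            m = GROUP_RE.match(line)
            if m:
                groups[m.group(1).lower()] = {
                    s.strip().lower() for s in m.group(2).split(",") if s.strip()}
        elif section == "SVCHOST CURRENTLY RUNNING":
            m = HOST_RE.match(line)
            if m:
                current = {"pid": int(m.group(1)), "path": m.group(2),
                           "group": m.group(3), "services": []}
                hosts.append(current)
                continue
            m = SVC_RE.match(line)
            if m and current is not None:
                current["services"].append(m.group(1))
    return groups, hosts


def audit_hosts(groups, hosts, system32=r"c:\windows\system32"):
    """Return (pid, finding, detail) tuples for anything that does not match."""
    findings = []
    for h in hosts:
        # svchost.exe belongs in %SystemRoot%\System32 (default shown; adjust for C:\WINNT)
        directory = h["path"].rsplit("\\", 1)[0].lower()
        if directory != system32:
            findings.append((h["pid"], "unexpected-path", h["path"]))
        members = groups.get(h["group"].lower())
        if members is None:
            findings.append((h["pid"], "unknown-group", h["group"]))
            continue
        # Names are compared case-insensitively: the registry lists DHCP, the service runs as Dhcp
        for svc in h["services"]:
            if svc.lower() not in members:
                findings.append((h["pid"], "service-not-in-group",
                                 "%s not listed under %s" % (svc, h["group"])))
    return findings


def audit_report(text, system32=r"c:\windows\system32"):
    groups, hosts = parse_report(text)
    return audit_hosts(groups, hosts, system32)


if __name__ == "__main__":
    for pid, kind, detail in audit_report(SAMPLE_REPORT):
        print("PID %d: %s: %s" % (pid, kind, detail))
```

Run against the report on this page, the check produces no findings; the two constructed anomalies in the sample are the only things it reports.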
Old 04-12-2009, 03:02 PM   #10 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
Join Date: Jun 2006
Location: USA
Posts: 8,171
OS: XP SP3


Re: seneka, ndler2, browser hijack at Google

Hi,

Quote:
So it looks like the malware is gone (except for the above quarantined copies I saved for research and documentation purposes). Yet this machine still has problems.
Please delete those files. Yes, your problems appear to be system related, not malware now.

Quote:
System Restore appears to be unable to maintain a restore point.
The service and its dependencies appear to be running at the moment. You were able to set a system restore point, and your Attach.txt confirms that it was created on 4/11/2009 9:07:21 AM.

Yet, from the event viewer report:

Quote:
4/11/2009 9:53:35 AM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC000003A' while processing the file '_filelst.cfg' on the volume 'HarddiskVolume5'. It has stopped monitoring the volume.
Seems like a corrupt system restore. You could try reinstalling System Restore.

Click Start>Run and copy/paste the following into the Run box and click OK:

rundll32.exe advpack.dll,LaunchINFSection C:\Windows\Inf\sr.inf

If the 'Files Needed' dialog box appears, click Browse and point to the i386 folder on the Windows XP CD or to the i386 folder on the hard drive, if it exists. For systems updated with the Service Pack 2 CD or Download from Microsoft, browse to the C:\Windows\ServicePackFiles\i386 folder. The retail version of Windows XP (SP2) also contains the latest version of the files needed.

Reboot and try System Restore.

Here's some further info on the failure of System Restore: http://groups.google.com/group/micro...ad94049c3f9b50

Quote:
If I try to boot to Recovery Console I get an error saying the hal.dll is missing or corrupt. And yet there it is in the system32 folder - the same as the one in the i386 folder in every way Properties can tell me except they have 2004 Create dates about six hours apart (???), and neither works any better than the other at getting Recovery Console to crank up.
Quote:
e:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
E: is FIXED (FAT32) - 0 GiB total, 0.03 GiB free.
J: is FIXED (NTFS) - 20 GiB total, 9.685 GiB free.
I reformatted the 20GB drive and made a second installation of XP
Recovery console appears to have been installed on "e" drive, and that may be the reason.

You now have XP installed in C drive and another XP installation in J drive (I assume J, because that's the 20GB one), and the Recovery Console in "e" drive. The logs are all from C drive. With all the "freelance" changes you've made it's hard for me to figure out what's going on. As I mentioned earlier, this is beyond the scope of this forum. You may be better assisted at the XP forum.

Quote:
Web pages appear to be loading a little faster, but still are taking four or five times as long as say a month ago, both in Opera and in Firefox. So maybe that is an operating system problem. Any suggestions where to go from here?
When was the last time you defragmented your hard drive? Not all sluggishness is caused by malware. Please visit this page and see if any of their suggestions help.

Slow Computer

Quote:
Do you have a higher resolution copy of your avatar picture, or can you point me to one? The picture looks pretty interesting but is not that easy to see in the thumbnail here.
That's an oil on canvas self-portrait painting by me.

Quote:
What do you make of the call to a totally blank page at jbrlsr.com after every page load?
Is the call to jbrlsr.com still happening?

If so, please do this:

Download regsrch.zip to your Desktop.
1. Unzip the contents of RegSrch.zip to a convenient location.
2. Double-click on RegSrch.vbs.
3. If you have an anti-virus installed it might prompt you about a running script.
4. Please ignore this warning and allow the script to run.
5. In the "Enter search string (case insensitive) and click OK..." box, paste this string:

jbrlsr

6. Click "OK" to search the registry for that string.
7. Wait for a few minutes while it completes the search.
8. Click "OK" to open the results in WordPad.
9. Copy and paste the entire results into your next post.
Old 04-15-2009, 04:25 PM   #11 (permalink)
Registered User
 
Join Date: Apr 2009
Posts: 8
OS: xp


Re: seneka, ndler2, browser hijack at Google

Sorry for the long silence. I agree the remaining problems are system-related.

Regarding System Restore, it seems it will suspend itself if there are less than 200 MB available on any drive it is supposed to be monitoring but it won't necessarily say so, even if you look at its panel in System Properties. I only discovered this because I decided to turn off monitoring of a removable hard drive. Upon doing that all the other drives registered "Suspended" and an additional paragraph about the MB minimum showed up in the panel's explanatory text. I have always maintained work partitions under that limit on the 20 GB drive for ease of search and backup, so this suspension must have been the case since I integrated that drive into Dee's XP system over a year ago. Having turned off monitoring of these smaller partitions, I am now able not only to set a restore point but have it still be there after a reboot!

Regarding Recovery Console, the problem seems to have had to do with BIOS boot order and that in a multidrive multiboot situation the "C:" designation is differently assigned dependent on which installation is booted. Whether I set it or the new install did it when I wasn't looking, the 20 GB drive now has boot order priority. It is disk 0, where boot.ini is called from, and where Recovery Console wants its files. The disk 0 install shows its own first partition as C and the 70 GB drive as E, whereas the 70 GB (disk 1) install reverses those designations. When I installed Recovery Console from within the disk 1 installation of the OS, the OS recorded that the requisite files were to be found on "E:", as disk 0 partition 1 was denominated at the time. Now I have installed RC from within the disk 0 OS and it is working fine.

Web page loading is still slow from disk 1, which it is not from disk 0, so it must be something about that configuration. There seems to be a lot of time spent on the "looking up" phase. This is exacerbated when a given page looks up six or a dozen other URLs in the process of loading. I did not find the string "jbrlsr" in the registry and have pretty much determined it shows up only when accessing pages at TSF - as do many others such as intellitxt.com, edge-quantserve.com, google-analytics, rgfx.liquidweb, googleads.g.doubleclick.net, pagead2.googlesyndication. I've noticed doubleclick and google-analytics showing up on other sites also but not jbrlsr. WhoIs tells me the domain was registered last December through GoDaddy and DomainsByProxy.

The idea here was to try to wrap up loose ends of this thread, so I hope I've done that somewhat. Thank you, amateur, for your response to my plea for help and for your work here in general. What a great thing! How noble an endeavor! And how much needed! You guys (and gals, I know :-) are like knights of yore, superheroes who swoop in to defend the defenseless. I am gratified and reassured about the human condition just to know you exist. Yayyyyy!
Old 04-15-2009, 07:11 PM   #12 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
Join Date: Jun 2006
Location: USA
Posts: 8,171
OS: XP SP3


Re: seneka, ndler2, browser hijack at Google

Hi,

Quote:
The idea here was to try to wrap up loose ends of this thread, so I hope I've done that somewhat.
You've done a pretty good job of that and at sorting out the system issues.

You're welcome and thank you for your kind words.

Since you have no further malware issues, you're good to go.

You can go ahead and delete the RegSrch.
  • Click Start then Run
  • Now type Combofix /u in the runbox and click OK. Notice the space between the Combofix and the /




This will uninstall ComboFix. It will also implement some cleanup procedures and reset System Restore to prevent reinfection from old restore points.

It’s vital that you keep all your software up-to-date as older versions may have some security vulnerabilities. Secunia Software Inspector Scan can help you find out which programs need to be updated.

Please respond to this thread one more time so we can mark this thread as resolved.

Surf Safely and Think Prevention!
Old 04-17-2009, 07:21 AM   #13 (permalink)
Registered User
 
Join Date: Apr 2009
Posts: 8
OS: xp


Re: seneka, ndler2, browser hijack at Google

Thanks for all the helpful tips and links. I've learned a lot.
Old 04-17-2009, 12:43 PM   #14 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
Join Date: Jun 2006
Location: USA
Posts: 8,171
OS: XP SP3


Re: seneka, ndler2, browser hijack at Google

You're welcome. I am glad to have been able to help. Stay safe!
Copyright 2001 - 2010, Tech Support Forum