
Registered · 27 Posts · Discussion Starter · #1
After doing a Recovery on my PC I found I could not connect to Microsoft. I got BING cache pages with various Microsoft links which continued to give me `Page Unavailable`. I uninstalled my anti-virus software but still had the same problem. I downloaded Firefox and tried that instead of my IE6 SP1 browser, same result. I do not have a Windows Install disc or Boot CD as my PC is an OEM version. I hope you can help.

DDS (Ver_10-03-17.01) - NTFSx86
Run by Bill Gillett at 17:25:38.23 on 24/07/2010
Internet Explorer: 6.0.2800.1106
Microsoft Windows XP Home Edition 5.1.2600.1.1252.44.1033.18.1279.855 [GMT 1:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k rpcss
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Bill Gillett\My Documents\Downloads\dds.scr
C:\WINDOWS\System32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.mytalktalk.co.uk
mDefault_Page_URL = hxxp://www.medion.com/
mStart Page = hxxp://www.mytalktalk.co.uk
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: Media Band: {32683183-48a0-441b-a342-7c2a440a9478} - %SystemRoot%\System32\browseui.dll
mRun: [CHotkey] mHotkey.exe
mRun: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [AntivirusRegistration] c:\program files\excid.com aps\etrust antivirus registration\EzAntivirusRegistrationCheck.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [SpeedTouch USB Diagnostics] "c:\program files\thomson\speedtouch usb\Dragdiag.exe" /icon
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb05.exe
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\MSMSGS.EXE
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\billgi~1\applic~1\mozilla\firefox\profiles\bkt4f7j3.default\
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-7-14 165456]
R1 RapportKELL;RapportKELL;c:\program files\trusteer\rapport\bin\RapportKELL.sys [2010-7-7 59240]
R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2010-7-7 166632]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-7-14 40384]
R2 LogWatch;Event Log Watch;c:\program files\ca\sharedcomponents\ca_lic\LogWatNT.exe [2002-9-20 53248]
R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2010-7-7 840936]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-7-14 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-7-14 40384]
S2 jvklwutav;Manager Universal;c:\windows\system32\svchost.exe -k netsvcs [2003-10-29 12800]
S3 CA_LIC_CLNT;CA License Client;c:\program files\ca\sharedcomponents\ca_lic\lic98rmt.exe [2002-9-20 77824]
S3 CA_LIC_SRVR;CA License Server;c:\program files\ca\sharedcomponents\ca_lic\lic98rmtd.exe [2002-9-20 77824]

=============== Created Last 30 ================

2010-07-16 20:07:00 177415 ----a-w- c:\documents and settings\bill gillett\~
2010-07-16 15:51:03 0 d-----w- c:\docume~1\billgi~1\applic~1\Trusteer
2010-07-16 15:50:22 0 d-----w- c:\program files\Trusteer
2010-07-16 15:48:39 0 d-----w- c:\docume~1\alluse~1\applic~1\Trusteer
2010-07-14 15:22:27 38848 ----a-w- c:\windows\avastSS.scr
2010-07-14 15:22:09 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-07-14 11:54:58 0 d-----w- c:\windows\system32\wbem\Repository
2010-07-14 07:30:51 0 d-----w- c:\docume~1\billgi~1\applic~1\Common Toolkit Suite
2010-07-14 07:30:01 0 d-----w- c:\program files\Fighters
2010-07-14 07:30:01 0 d-----w- c:\program files\common files\Common Toolkit Suite
2010-07-14 07:30:01 0 d-----w- c:\docume~1\alluse~1\applic~1\Common Toolkit Suite
2010-07-14 07:19:11 0 dc----w- c:\docume~1\alluse~1\applic~1\{77D41C6F-BBE9-496A-87A9-AC324BDA2BCF}
2010-07-14 07:18:58 0 d-----w- c:\docume~1\billgi~1\applic~1\Fighters
2010-07-05 13:30:28 0 d-----w- C:\ShareScope
2010-07-01 12:08:32 5632 ----a-w- c:\windows\system32\ptpusb.dll
2010-07-01 12:08:32 150528 ----a-w- c:\windows\system32\ptpusd.dll
2010-06-30 18:47:12 516920 ----a-w- c:\temp\tidyup.exe
2010-06-30 18:45:17 0 d-----w- C:\temp
2010-06-30 13:06:22 804 ----a-w- c:\windows\hpinfo.lnk
2010-06-30 13:06:20 0 d-----w- c:\program files\hp deskjet 3420 series
2010-06-30 13:06:08 184386 ----a-w- c:\windows\system32\hpzsnt05.dll
2010-06-30 13:06:05 3144 -c--a-w- c:\windows\system32\dllcache\srgb.icm
2010-06-30 12:31:15 24960 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
2010-06-30 12:31:15 24960 ----a-w- c:\windows\system32\drivers\usbprint.sys
2010-06-27 17:05:43 70688 ----a-w- c:\windows\system32\drivers\alcaudsl.sys
2010-06-27 17:05:43 5606 ----a-w- c:\windows\system32\stci.dll
2010-06-27 17:05:43 5280 ----a-w- c:\windows\system32\drivers\alcawh.sys
2010-06-27 17:05:43 3968 ----a-w- c:\windows\system32\drivers\alcacr.sys
2010-06-27 17:05:42 53600 ----a-w- c:\windows\system32\drivers\alcan5wn.sys
2010-06-27 17:05:41 0 d-----w- c:\program files\Thomson
2010-06-27 17:02:26 0 d-----w- c:\program files\common files\SupportSoft
2010-06-27 12:25:45 0 d-----w- c:\windows\system32\SoftwareDistribution
2010-06-27 12:24:20 217816 ----a-w- c:\windows\system32\wuaucpl.cpl
2010-06-27 12:24:20 186136 ----a-w- c:\windows\system32\wuaueng1.dll
2010-06-27 12:24:20 167704 ----a-w- c:\windows\system32\wuauclt1.exe
2010-06-27 12:13:41 9 ----a-w- c:\windows\Debug.ini
2010-06-27 12:13:38 216064 ----a-w- c:\windows\system32\um34scan.dll
2010-06-27 12:13:38 14208 ----a-w- c:\windows\system32\drivers\usbscan.sys

==================== Find3M ====================

2002-08-29 12:00:00 167324 --sha-r- c:\windows\system32\pxxjabbe.dll

============= FINISH: 17:25:59.60 ===============

TSF Security Manager, Emeritus · 51,795 Posts
Hello, and Welcome to TSF.

Is there some reason why this machine is still at Service Pack 1? Or, by doing the recovery, did it revert to Service Pack 1, while the machine had been current before the Recovery?

Support for Service Pack 1 and now Service Pack 2 has been ended. Service Pack 3 for Windows XP has been out for quite some time. Without it, your machine is open to exploit. Once we clear the infection, we'll be updating the machine again.

I see what appears to be a conficker/downadup infection. These can be avoided by having fully patched and legal operating systems.

=============================

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper at this forum.

---------------------------------------------------------------------------------------------


  1. Download ComboFix from one of these locations:

    Link 1
    Link 2

    * IMPORTANT !!! Place combofix.exe on your Desktop
  2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.


    You can get help on disabling your protection programs here
  3. Double click on combofix.exe & follow the prompts.
  4. As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.

    Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.

    With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.

    Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.

    ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper.

    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:

    The Recovery Console was successfully installed.

    Click on Yes, to continue scanning for malware.
  5. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  6. When finished, it shall produce a log for you. Post that log in your next reply.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------
  7. Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------
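Added example, written for this thread and not code from TSF, DDS or ComboFix: detection logic that reads DDS-format log lines like those posted above and flags the two indicators a helper looks for when a downadup-style infection is suspected, a service hosted in `svchost.exe -k netsvcs` under a name outside a baseline list, and a hidden+system DLL sitting in system32 (the sample below is constructed from the page's own `jvklwutav` and `pxxjabbe.dll` lines). The baseline set of netsvcs names is an assumption, and a hit is a lead to investigate, not a verdict.

```python
import re
from dataclasses import dataclass

# Constructed sample in the DDS format shown above: a few of the log's own
# service and Find3M lines, plus one ordinary patched system DLL for contrast.
SAMPLE_LOG = r"""
============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-7-14 165456]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-7-14 40384]
S2 jvklwutav;Manager Universal;c:\windows\system32\svchost.exe -k netsvcs [2003-10-29 12800]
S3 CA_LIC_CLNT;CA License Client;c:\program files\ca\sharedcomponents\ca_lic\lic98rmt.exe [2002-9-20 77824]

==================== Find3M ====================

2002-08-29 12:00:00 167324 --sha-r- c:\windows\system32\pxxjabbe.dll
2010-06-27 12:24:20 186136 ----a-w- c:\windows\system32\wuaueng1.dll
"""

# DDS service line: "<state> <name>;<display name>;<image path> [<date> <size>]"
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+?)\s+\[(\S+)\s+(\d+)\]\s*$")
# DDS file line: "<timestamp> <size> <attribute flags> <path>"; the flags field
# is eight characters, with 's' marking system and 'h' marking hidden.
FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+)\s+([-\w]{8})\s+(.+?)\s*$")
NETSVCS_RE = re.compile(r"svchost(\.exe)?\s+-k\s+netsvcs", re.IGNORECASE)

# Assumption: a partial baseline of services that normally live in the XP
# 'netsvcs' svchost group. Names hosted there but absent from this set get flagged.
KNOWN_NETSVCS = {
    "appmgmt", "audiosrv", "bits", "browser", "cryptsvc", "dmserver", "eventsystem",
    "helpsvc", "lanmanserver", "lanmanworkstation", "netman", "nla", "rasauto",
    "rasman", "schedule", "seclogon", "sens", "sharedaccess", "shellhwdetection",
    "themes", "trkwks", "w32time", "winmgmt", "wscsvc", "wuauserv", "wzcsvc", "xmlprov",
}


@dataclass
class Finding:
    kind: str    # "service" or "file"
    name: str    # service name or file name
    detail: str  # image path or attribute flags
    reason: str


def parse_services(lines):
    """Return one dict per DDS service/driver line."""
    svcs = []
    for line in lines:
        m = SERVICE_RE.match(line)
        if m:
            state, name, display, cmd, date, size = m.groups()
            svcs.append({"state": state, "name": name, "display": display,
                         "cmd": cmd, "date": date, "size": int(size)})
    return svcs


def parse_files(lines):
    """Return one dict per DDS 'Created Last 30' / Find3M file line."""
    files = []
    for line in lines:
        m = FILE_RE.match(line)
        if m:
            stamp, size, attrs, path = m.groups()
            files.append({"stamp": stamp, "size": int(size), "attrs": attrs, "path": path})
    return files


def find_indicators(log_text):
    """Flag netsvcs-hosted services outside the baseline and hidden+system DLLs in system32."""
    lines = log_text.splitlines()
    findings = []
    for svc in parse_services(lines):
        if NETSVCS_RE.search(svc["cmd"]) and svc["name"].lower() not in KNOWN_NETSVCS:
            findings.append(Finding("service", svc["name"], svc["cmd"],
                                    "hosted in svchost -k netsvcs under a non-baseline name"))
    for f in parse_files(lines):
        p = f["path"].lower()
        if "s" in f["attrs"] and "h" in f["attrs"] and p.endswith(".dll") and "\\system32\\" in p:
            findings.append(Finding("file", f["path"].rsplit("\\", 1)[-1], f["attrs"],
                                    "hidden+system DLL in system32"))
    return findings


def risk_level(findings):
    """A rogue netsvcs entry together with a hidden DLL is the pairing worth escalating."""
    kinds = {f.kind for f in findings}
    if {"service", "file"} <= kinds:
        return "high"
    return "medium" if kinds else "none"


if __name__ == "__main__":
    found = find_indicators(SAMPLE_LOG)
    for f in found:
        print(f"[{f.kind}] {f.name}: {f.reason} ({f.detail})")
    print("risk:", risk_level(found))
```

On a real DDS log the same two functions run over the whole file; the ComboFix log later in this thread confirms the pairing directly, since the service's ServiceDll points at the hidden DLL.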

Registered · 27 Posts · Discussion Starter · #3
Yes, when I did a Recovery it went back to its 2002 situation, i.e. IE6 SP1; it was at IE7 SP3.
I still have the same problem, but now I cannot use the wireless connection and have to use my Speed Touch module provided by my Internet provider.


ComboFix 10-07-27.04 - Bill Gillett 28/07/2010 14:08:15.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.44.1033.18.1279.897 [GMT 1:00]
Running from: c:\documents and settings\Bill Gillett\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Debug\dcpromo.log

c:\windows\system32\qmgr.dll . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2010-06-28 to 2010-07-28 )))))))))))))))))))))))))))))))
.

2010-07-27 19:37 . 2010-07-27 19:42 -------- d-----w- c:\program files\Canon
2010-07-19 15:46 . 2010-07-19 15:46 -------- d-----w- c:\documents and settings\Bill Gillett\Local Settings\Application Data\Mozilla
2010-07-19 13:30 . 2010-07-19 13:33 -------- d-----w- c:\documents and settings\Bill Gillett\Local Settings\Application Data\Google
2010-07-16 15:51 . 2010-07-16 15:51 -------- d-----w- c:\documents and settings\Bill Gillett\Application Data\Trusteer
2010-07-16 15:50 . 2010-07-16 15:50 -------- d-----w- c:\program files\Trusteer
2010-07-16 15:48 . 2010-07-16 15:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Trusteer
2010-07-14 15:22 . 2010-06-28 20:37 165456 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-07-14 15:22 . 2010-06-28 20:33 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-07-14 15:22 . 2010-06-28 20:37 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-07-14 15:22 . 2010-06-28 20:32 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-07-14 15:22 . 2010-06-28 20:32 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-07-14 15:22 . 2010-06-28 20:32 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-07-14 15:22 . 2010-06-28 20:57 38848 ----a-w- c:\windows\avastSS.scr
2010-07-14 15:22 . 2010-06-28 20:57 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-07-14 15:22 . 2010-07-14 15:22 -------- d-----w- c:\program files\Alwil Software
2010-07-14 15:22 . 2010-07-14 15:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-07-14 11:54 . 2010-07-14 11:54 -------- d-----w- c:\windows\system32\wbem\Repository
2010-07-14 07:30 . 2010-07-14 07:30 -------- d-----w- c:\documents and settings\Bill Gillett\Application Data\Common Toolkit Suite
2010-07-14 07:30 . 2010-07-14 11:37 -------- d-----w- c:\program files\Common Files\Common Toolkit Suite
2010-07-14 07:30 . 2010-07-14 11:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Common Toolkit Suite
2010-07-14 07:30 . 2010-07-14 07:30 -------- d-----w- c:\program files\Fighters
2010-07-14 07:19 . 2010-07-14 11:37 -------- dc----w- c:\documents and settings\All Users\Application Data\{77D41C6F-BBE9-496A-87A9-AC324BDA2BCF}
2010-07-14 07:18 . 2010-07-14 07:30 -------- d-----w- c:\documents and settings\Bill Gillett\Application Data\Fighters
2010-07-06 23:33 . 2010-07-06 23:33 434176 ----a-w- c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportMS\18481\RapportMS.dll
2010-07-05 13:30 . 2010-07-27 19:36 -------- d-----w- C:\ShareScope
2010-07-04 10:45 . 2010-07-04 10:45 -------- d-----w- c:\documents and settings\Joyce Gillett\Local Settings\Application Data\Identities
2010-07-01 12:08 . 2002-08-29 02:41 150528 ----a-w- c:\windows\system32\ptpusd.dll
2010-07-01 12:08 . 2001-08-17 21:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2010-06-30 18:47 . 2009-10-12 14:57 516920 ----a-w- c:\temp\tidyup.exe
2010-06-30 18:45 . 2010-06-30 18:47 -------- d-----w- C:\temp
2010-06-30 13:06 . 2010-06-30 13:06 -------- d-----w- c:\program files\hp deskjet 3420 series
2010-06-30 13:06 . 2002-06-21 10:01 184386 ----a-w- c:\windows\system32\hpzsnt05.dll
2010-06-30 13:05 . 2010-06-30 13:05 -------- d-----w- c:\program files\Hewlett-Packard
2010-06-30 12:31 . 2002-08-29 00:50 24960 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
2010-06-30 12:31 . 2002-08-29 00:50 24960 ----a-w- c:\windows\system32\drivers\usbprint.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-28 12:11 . 2010-07-28 12:11 -------- d-----w- c:\documents and settings\Joyce Gillett.BILL\Application Data\Trusteer
2010-07-27 19:42 . 2003-10-29 18:07 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-07-19 13:32 . 2004-03-24 16:09 -------- d-----w- c:\program files\AOL 8.0
2010-07-14 16:16 . 2010-07-16 20:07 130884 ----a-w- c:\windows\PCHealth\HelpCtr\Config\Cache\Personal_32_1033.dat
2010-07-14 12:11 . 2004-03-24 16:17 -------- d-----w- c:\program files\CA
2010-06-27 17:05 . 2010-06-27 17:05 -------- d-----w- c:\program files\Thomson
2010-06-27 17:02 . 2010-06-27 17:02 -------- d-----w- c:\program files\Common Files\SupportSoft
2002-08-29 12:00 . 2003-10-29 13:23 167324 --sha-r- c:\windows\system32\pxxjabbe.dll
.

------- Sigcheck -------



[-] 2002-11-27 03:03 . 36678803A8030EE9A771935CFC1848BD . 52224 . . [9.0.1.56] . . c:\windows\system32\mspmsnsv.dll

[-] 2003-05-30 17:00 . 7BA80564F369A96AF84E3AA27E75E90B . 1634304 . . [5.3.0000001.902 built by: DIRECTX] . . c:\windows\system32\d3d9.dll

c:\windows\System32\wscntfy.exe ... is missing !!
c:\windows\System32\xmlprov.dll ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CHotkey"="mHotkey.exe" [2002-07-23 477184]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-11-17 3022848]
"nwiz"="nwiz.exe" [2003-11-17 753664]
"AntivirusRegistration"="c:\program files\Excid.com Aps\eTrust Antivirus Registration\EzAntivirusRegistrationCheck.exe" [2003-09-03 45056]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"SpeedTouch USB Diagnostics"="c:\program files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-01-26 866816]
"HPDJ Taskbar Utility"="c:\windows\System32\spool\drivers\w32x86\3\hpztsb05.exe" [2002-06-21 188416]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-06-28 2837864]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2002-08-29 13312]

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [14/07/2010 16:22 165456]
R1 RapportKELL;RapportKELL;c:\program files\Trusteer\Rapport\bin\RapportKELL.sys [07/07/2010 00:33 59240]
R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [07/07/2010 00:33 166632]
R2 LogWatch;Event Log Watch;c:\program files\CA\SharedComponents\CA_LIC\LogWatNT.exe [20/09/2002 17:29 53248]
R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [07/07/2010 00:33 840936]
S2 jvklwutav;Manager Universal;c:\windows\system32\svchost.exe -k netsvcs [29/10/2003 14:23 12800]
S3 CA_LIC_CLNT;CA License Client;c:\program files\CA\SharedComponents\CA_LIC\lic98rmt.exe [20/09/2002 17:27 77824]
S3 CA_LIC_SRVR;CA License Server;c:\program files\CA\SharedComponents\CA_LIC\lic98rmtd.exe [20/09/2002 17:41 77824]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
jvklwutav
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.tdwaterhouse.co.uk/
mStart Page = hxxp://www.mytalktalk.co.uk
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Bill Gillett\Application Data\Mozilla\Firefox\Profiles\bkt4f7j3.default\
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Cmaudio - cmicnfg.cpl



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-28 14:18
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\jvklwutav]
"ServiceDll"="c:\windows\System32\pxxjabbe.dll"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\System32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\System32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(532)
c:\windows\System32\ODBC32.dll

- - - - - - - > 'lsass.exe'(588)
c:\windows\System32\dssenh.dll

- - - - - - - > 'explorer.exe'(4496)
c:\program files\Trusteer\Rapport\bin\rooksbas.dll
c:\windows\System32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\windows\System32\nvsvc32.exe
c:\windows\wanmpsvc.exe
c:\windows\mHotkey.exe
c:\windows\System32\RunDll32.exe
c:\program files\Alwil Software\Avast5\setup\avast.setup
.
**************************************************************************
.
Completion time: 2010-07-28 14:21:48 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-28 13:21

Pre-Run: 10,317,647,872 bytes free
Post-Run: 10,723,971,072 bytes free

winxpsp1_en_hom_bf.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect

- - End Of File - - 372B1D1A7AC4553F91D3421B7A08A6DC

· TSF Security Manager, Emeritus
Joined
·
51,795 Posts
You should see improvement after this next fix.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

  1. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
  2. Open notepad and copy/paste the text in the quotebox below into it:

    Code:
    http://www.techsupportforum.com/f284/cannot-connect-to-microsoft-500488.html#post2825379
    
    Reglock::
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    Collect::
    c:\windows\System32\pxxjabbe.dll
    Driver::
    jvklwutav
    NetSvc::
    jvklwutav
    Comment::
    End Copy Here

    Save this as CFScript.txt

    Referring to the picture above, drag CFScript.txt into ComboFix.exe
  3. ComboFix may request an update; please allow it.
  4. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  5. When finished, it shall produce a log for you. Post that log in your next reply.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


    **Note**

    When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
    • Ensure you are connected to the internet and click OK on the message box.

    Please let me know if the file was successfully submitted. Thanks.

    ------------------------------------------------------
  6. Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------
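As an added example (not the forum's, the helper's or ComboFix's own code), the following Python script reads the registry section of a ComboFix log like the one quoted above, flags every key that carries an @Denied ACL entry, pairs a locked CLSID with its LocalServer32 executable so a reviewer can see what the locked class actually launches, and emits Reglock:: lines in the form the CFScript above uses for those two keys. It assumes the dump layout shown in the log (bracketed key paths, @Denied lines, name=data value lines with reg-file backslash escaping); the sample input is a constructed excerpt of that log. A locked key is a thing to review, not a verdict by itself: here both locked keys name Adobe's FlashBroker, so checking the LocalServer32 target is what separates a vendor's self-protection from something that needs unlocking.

```python
"""Review helper for ComboFix-style registry dumps (added example, not ComboFix code)."""
import re
from dataclasses import dataclass, field

# Constructed sample: an excerpt of the registry section from the log above.
SAMPLE_DUMP = r"""
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\System32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\System32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
"""

# Matches a value line: the name is '@' (default value) or a quoted string.
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


@dataclass
class RegKey:
    path: str
    denied: list = field(default_factory=list)   # text after each "@Denied:"
    values: dict = field(default_factory=dict)   # value name -> raw data string


def parse_dump(text):
    """Split the dump into RegKey records, one per bracketed key path."""
    keys, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = RegKey(path=line[1:-1])
            keys.append(current)
        elif current is None:
            continue                       # stray line before the first key
        elif line.startswith("@Denied:"):
            current.denied.append(line[len("@Denied:"):].strip())
        else:
            m = VALUE_RE.match(line)
            if m:
                name = "(default)" if m.group(1) == "@" else m.group(1)[1:-1]
                current.values[name] = m.group(2)
    return keys


def denied_keys(keys):
    """Keys whose ACL dump shows at least one @Denied entry."""
    return [k for k in keys if k.denied]


def local_servers(keys):
    """Map a CLSID key path to the executable its LocalServer32 subkey names.

    Reg-file escaping doubles backslashes; this undoes that and strips quotes."""
    suffix = "\\LocalServer32"
    out = {}
    for k in keys:
        if k.path.endswith(suffix) and "(default)" in k.values:
            exe = k.values["(default)"].strip('"').replace("\\\\", "\\")
            out[k.path[: -len(suffix)]] = exe
    return out


def reglock_script(keys):
    """Reglock:: section listing every locked key, in the form the CFScript above uses."""
    return "\n".join(["Reglock::"] + [f"[{k.path}]" for k in denied_keys(keys)])


if __name__ == "__main__":
    parsed = parse_dump(SAMPLE_DUMP)
    servers = local_servers(parsed)
    for k in denied_keys(parsed):
        print(f"locked: {k.path}")
        print(f"  default value : {k.values.get('(default)', '<none>')}")
        print(f"  LocalServer32 : {servers.get(k.path, '<none>')}")
    print()
    print(reglock_script(parsed))
```

Run it against a full ComboFix log by replacing SAMPLE_DUMP with the text between the registry header and the "DLLs Loaded Under Running Processes" line; the Reglock:: output is only a starting point, and each listed key should be judged by what its LocalServer32 (or InprocServer32) value points at before it goes into a script.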

· TSF Security Manager, Emeritus
Joined
·
51,795 Posts
Great, Will. I'm glad to hear that. Conficker can be transmitted via network or USB device. A fully patched machine should not be as susceptible to this infection, so ensuring the machine is fully up to date with all Windows updates, and IE8 is the next best thing to do. Once that's all done, please post new logs from DDS.

Also, in the interim, I don't see that a file was uploaded by ComboFix.

Please go to Start > Run and copy/paste the following, then press Enter:

C:\QooBox\ComboFix-quarantined-files.txt

Post the contents of the logfile which will open.

· TSF Security Manager, Emeritus
Joined
·
51,795 Posts
Great, thanks.

  • Please visit this site:


    http://www.bleepingcomputer.com/submit-malware.php?channel=4

  • In the Link to topic where this file was requested: area, copy and paste this


    http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/500488-cannot-connect-microsoft.html#post2826874

  • Click on the Browse button.
  • In the File Upload window which opens, copy and paste this into the File Name box, then click OK.


    C:\Qoobox\Quarantine\[4]-Submit_2010-07-29_14.20.48.zip

  • Then click Send File.
  • Once it shows:

    Your file was successfully submitted. Please let the user helping you know that you have submitted the file.
  • Close the site and let me know


Also post new logs from DDS once the updates are completed.